Upload File

cryptography dec 29. this lecture in this last lecture for number theory, we will see probably the...

  • Home
  • Documents
  • Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer
53
Cryptography Dec 29

Upload: roy-warner

Post on 30-Dec-2015

214 views

Category:

Documents


0 download

Report

Tags:

TRANSCRIPT

Page 1: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Cryptography

Dec 29

This Lecture

In this last lecture for number theory we will see probably the

most important application of number theory in computer science ndash

the design of cryptosystem

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Cryptography

Alice Bob

Cryptography is the study of methods for

sending and receiving secret messages

adversary

Goal Even though an adversary can listen to your conversation

the adversary can not learn what the message was

message

Cryptography

Alice Bob

adversary

Goal Even though an adversary can listen to your conversation

the adversary can not learn what the message was

message -gt f(message)

f(message)

encrypt the message decrypt the message

f(message) -gt message

But the adversary has no clue how to obtain message from f(message)

A difficult goal

Key

Alice Bob

adversary

Goal Even though an adversary can listen to your conversation

the adversary can not learn what the message was

message -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Use number theory

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Turingrsquos Code (Version 10)

The first step is to translate a message into a number

ldquov i c t o r yrdquo

-gt 22 09 03 20 15 18 25

Beforehand The sender and receiver agree on a secret

key which is a large number k

Encryption The sender encrypts the message m by

computing

m = m middot k

Decryption The receiver decrypts m by computing

mk = m middot kk = m

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

Why the adversary cannot figure out m

mk = received message k = keydecrypted message = mkk=m

The adversary doesnrsquot have the key k

and so can only factor mk to figure out m

but factoring is a difficult task to do

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

mk = received message k = keydecrypted message = mkk=m

So why donrsquot we use this Turingrsquos code today

Major flaw if you use the same key to send two messages m and mrsquo

then from mk and mrsquok

we can use gcd(mkmrsquok) to figure out k

and then decrypt every message

Turingrsquos Code (Version 20)

Beforehand The sender and receiver agree on a large prime p which

may be made public (This will be the modulus for all our arithmetic)

They also agree on a secret key k in 1 2 p minus 1

Encryption The message m can be any integer in the set 0 1 2

p minus 1 The sender encrypts the message m to produce m by

computing

m = mk mod p

Decryption Let krsquo be the multiplicative inverse of k under modulo p

m mk (mod p)

mkrsquo m (mod p)

mkrsquo = m

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

Why the adversary cannot figure out m

m = received message k = keydecrypted message = mkrsquo =m

Many m and k can produce m as output

just impossible to determine m without k

Public information p

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

m = received message k = keydecrypted message = mkrsquo =m

If the adversary somehow knows m then first compute mrsquo = multiplicative inverse of mm mk (mod p)mmrsquo k (mod p)So the adversary can figure out k

Public information p

So why donrsquot we use this Turingrsquos code today

plain-text attack

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Private Key Cryptosystem

Alice Bob

adversarymessage -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Two parties have to agree on a secret key which may be difficult in practice

If we buy books from Amazon we donrsquot need to exchange a secret code

Why is it secure

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 2: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

This Lecture

In this last lecture for number theory we will see probably the

most important application of number theory in computer science ndash

the design of cryptosystem

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Cryptography

Alice Bob

Cryptography is the study of methods for

sending and receiving secret messages

adversary

Goal Even though an adversary can listen to your conversation

the adversary can not learn what the message was

message

Cryptography

Alice Bob

adversary

Goal Even though an adversary can listen to your conversation

the adversary can not learn what the message was

message -gt f(message)

f(message)

encrypt the message decrypt the message

f(message) -gt message

But the adversary has no clue how to obtain message from f(message)

A difficult goal

Key

Alice Bob

adversary

Goal Even though an adversary can listen to your conversation

the adversary can not learn what the message was

message -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Use number theory

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Turingrsquos Code (Version 10)

The first step is to translate a message into a number

ldquov i c t o r yrdquo

-gt 22 09 03 20 15 18 25

Beforehand The sender and receiver agree on a secret

key which is a large number k

Encryption The sender encrypts the message m by

computing

m = m middot k

Decryption The receiver decrypts m by computing

mk = m middot kk = m

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

Why the adversary cannot figure out m

mk = received message k = keydecrypted message = mkk=m

The adversary doesnrsquot have the key k

and so can only factor mk to figure out m

but factoring is a difficult task to do

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

mk = received message k = keydecrypted message = mkk=m

So why donrsquot we use this Turingrsquos code today

Major flaw if you use the same key to send two messages m and mrsquo

then from mk and mrsquok

we can use gcd(mkmrsquok) to figure out k

and then decrypt every message

Turingrsquos Code (Version 20)

Beforehand The sender and receiver agree on a large prime p which

may be made public (This will be the modulus for all our arithmetic)

They also agree on a secret key k in 1 2 p minus 1

Encryption The message m can be any integer in the set 0 1 2

p minus 1 The sender encrypts the message m to produce m by

computing

m = mk mod p

Decryption Let krsquo be the multiplicative inverse of k under modulo p

m mk (mod p)

mkrsquo m (mod p)

mkrsquo = m

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

Why the adversary cannot figure out m

m = received message k = keydecrypted message = mkrsquo =m

Many m and k can produce m as output

just impossible to determine m without k

Public information p

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

m = received message k = keydecrypted message = mkrsquo =m

If the adversary somehow knows m then first compute mrsquo = multiplicative inverse of mm mk (mod p)mmrsquo k (mod p)So the adversary can figure out k

Public information p

So why donrsquot we use this Turingrsquos code today

plain-text attack

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Private Key Cryptosystem

Alice Bob

adversarymessage -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Two parties have to agree on a secret key which may be difficult in practice

If we buy books from Amazon we donrsquot need to exchange a secret code

Why is it secure

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 3: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Cryptography

Alice Bob

Cryptography is the study of methods for

sending and receiving secret messages

adversary

Goal Even though an adversary can listen to your conversation

the adversary can not learn what the message was

message

Cryptography

Alice Bob

adversary

Goal Even though an adversary can listen to your conversation

the adversary can not learn what the message was

message -gt f(message)

f(message)

encrypt the message decrypt the message

f(message) -gt message

But the adversary has no clue how to obtain message from f(message)

A difficult goal

Key

Alice Bob

adversary

Goal Even though an adversary can listen to your conversation

the adversary can not learn what the message was

message -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Use number theory

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Turingrsquos Code (Version 10)

The first step is to translate a message into a number

ldquov i c t o r yrdquo

-gt 22 09 03 20 15 18 25

Beforehand The sender and receiver agree on a secret

key which is a large number k

Encryption The sender encrypts the message m by

computing

m = m middot k

Decryption The receiver decrypts m by computing

mk = m middot kk = m

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

Why the adversary cannot figure out m

mk = received message k = keydecrypted message = mkk=m

The adversary doesnrsquot have the key k

and so can only factor mk to figure out m

but factoring is a difficult task to do

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

mk = received message k = keydecrypted message = mkk=m

So why donrsquot we use this Turingrsquos code today

Major flaw if you use the same key to send two messages m and mrsquo

then from mk and mrsquok

we can use gcd(mkmrsquok) to figure out k

and then decrypt every message

Turingrsquos Code (Version 20)

Beforehand The sender and receiver agree on a large prime p which

may be made public (This will be the modulus for all our arithmetic)

They also agree on a secret key k in 1 2 p minus 1

Encryption The message m can be any integer in the set 0 1 2

p minus 1 The sender encrypts the message m to produce m by

computing

m = mk mod p

Decryption Let krsquo be the multiplicative inverse of k under modulo p

m mk (mod p)

mkrsquo m (mod p)

mkrsquo = m

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

Why the adversary cannot figure out m

m = received message k = keydecrypted message = mkrsquo =m

Many m and k can produce m as output

just impossible to determine m without k

Public information p

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

m = received message k = keydecrypted message = mkrsquo =m

If the adversary somehow knows m then first compute mrsquo = multiplicative inverse of mm mk (mod p)mmrsquo k (mod p)So the adversary can figure out k

Public information p

So why donrsquot we use this Turingrsquos code today

plain-text attack

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Private Key Cryptosystem

Alice Bob

adversarymessage -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Two parties have to agree on a secret key which may be difficult in practice

If we buy books from Amazon we donrsquot need to exchange a secret code

Why is it secure

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 4: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Cryptography

Alice Bob

adversary

Goal Even though an adversary can listen to your conversation

the adversary can not learn what the message was

message -gt f(message)

f(message)

encrypt the message decrypt the message

f(message) -gt message

But the adversary has no clue how to obtain message from f(message)

A difficult goal

Key

Alice Bob

adversary

Goal Even though an adversary can listen to your conversation

the adversary can not learn what the message was

message -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Use number theory

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Turingrsquos Code (Version 10)

The first step is to translate a message into a number

ldquov i c t o r yrdquo

-gt 22 09 03 20 15 18 25

Beforehand The sender and receiver agree on a secret

key which is a large number k

Encryption The sender encrypts the message m by

computing

m = m middot k

Decryption The receiver decrypts m by computing

mk = m middot kk = m

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

Why the adversary cannot figure out m

mk = received message k = keydecrypted message = mkk=m

The adversary doesnrsquot have the key k

and so can only factor mk to figure out m

but factoring is a difficult task to do

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

mk = received message k = keydecrypted message = mkk=m

So why donrsquot we use this Turingrsquos code today

Major flaw if you use the same key to send two messages m and mrsquo

then from mk and mrsquok

we can use gcd(mkmrsquok) to figure out k

and then decrypt every message

Turingrsquos Code (Version 20)

Beforehand The sender and receiver agree on a large prime p which

may be made public (This will be the modulus for all our arithmetic)

They also agree on a secret key k in 1 2 p minus 1

Encryption The message m can be any integer in the set 0 1 2

p minus 1 The sender encrypts the message m to produce m by

computing

m = mk mod p

Decryption Let krsquo be the multiplicative inverse of k under modulo p

m mk (mod p)

mkrsquo m (mod p)

mkrsquo = m

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

Why the adversary cannot figure out m

m = received message k = keydecrypted message = mkrsquo =m

Many m and k can produce m as output

just impossible to determine m without k

Public information p

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

m = received message k = keydecrypted message = mkrsquo =m

If the adversary somehow knows m then first compute mrsquo = multiplicative inverse of mm mk (mod p)mmrsquo k (mod p)So the adversary can figure out k

Public information p

So why donrsquot we use this Turingrsquos code today

plain-text attack

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Private Key Cryptosystem

Alice Bob

adversarymessage -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Two parties have to agree on a secret key which may be difficult in practice

If we buy books from Amazon we donrsquot need to exchange a secret code

Why is it secure

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 5: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Key

Alice Bob

adversary

Goal Even though an adversary can listen to your conversation

the adversary can not learn what the message was

message -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Use number theory

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Turingrsquos Code (Version 10)

The first step is to translate a message into a number

ldquov i c t o r yrdquo

-gt 22 09 03 20 15 18 25

Beforehand The sender and receiver agree on a secret

key which is a large number k

Encryption The sender encrypts the message m by

computing

m = m middot k

Decryption The receiver decrypts m by computing

mk = m middot kk = m

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

Why the adversary cannot figure out m

mk = received message k = keydecrypted message = mkk=m

The adversary doesnrsquot have the key k

and so can only factor mk to figure out m

but factoring is a difficult task to do

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

mk = received message k = keydecrypted message = mkk=m

So why donrsquot we use this Turingrsquos code today

Major flaw if you use the same key to send two messages m and mrsquo

then from mk and mrsquok

we can use gcd(mkmrsquok) to figure out k

and then decrypt every message

Turingrsquos Code (Version 20)

Beforehand The sender and receiver agree on a large prime p which

may be made public (This will be the modulus for all our arithmetic)

They also agree on a secret key k in 1 2 p minus 1

Encryption The message m can be any integer in the set 0 1 2

p minus 1 The sender encrypts the message m to produce m by

computing

m = mk mod p

Decryption Let krsquo be the multiplicative inverse of k under modulo p

m mk (mod p)

mkrsquo m (mod p)

mkrsquo = m

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

Why the adversary cannot figure out m

m = received message k = keydecrypted message = mkrsquo =m

Many m and k can produce m as output

just impossible to determine m without k

Public information p

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

m = received message k = keydecrypted message = mkrsquo =m

If the adversary somehow knows m then first compute mrsquo = multiplicative inverse of mm mk (mod p)mmrsquo k (mod p)So the adversary can figure out k

Public information p

So why donrsquot we use this Turingrsquos code today

plain-text attack

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Private Key Cryptosystem

Alice Bob

adversarymessage -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Two parties have to agree on a secret key which may be difficult in practice

If we buy books from Amazon we donrsquot need to exchange a secret code

Why is it secure

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 6: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Turingrsquos Code (Version 10)

The first step is to translate a message into a number

ldquov i c t o r yrdquo

-gt 22 09 03 20 15 18 25

Beforehand The sender and receiver agree on a secret

key which is a large number k

Encryption The sender encrypts the message m by

computing

m = m middot k

Decryption The receiver decrypts m by computing

mk = m middot kk = m

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

Why the adversary cannot figure out m

mk = received message k = keydecrypted message = mkk=m

The adversary doesnrsquot have the key k

and so can only factor mk to figure out m

but factoring is a difficult task to do

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

mk = received message k = keydecrypted message = mkk=m

So why donrsquot we use this Turingrsquos code today

Major flaw if you use the same key to send two messages m and mrsquo

then from mk and mrsquok

we can use gcd(mkmrsquok) to figure out k

and then decrypt every message

Turingrsquos Code (Version 20)

Beforehand The sender and receiver agree on a large prime p which

may be made public (This will be the modulus for all our arithmetic)

They also agree on a secret key k in 1 2 p minus 1

Encryption The message m can be any integer in the set 0 1 2

p minus 1 The sender encrypts the message m to produce m by

computing

m = mk mod p

Decryption Let krsquo be the multiplicative inverse of k under modulo p

m mk (mod p)

mkrsquo m (mod p)

mkrsquo = m

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

Why the adversary cannot figure out m

m = received message k = keydecrypted message = mkrsquo =m

Many m and k can produce m as output

just impossible to determine m without k

Public information p

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

m = received message k = keydecrypted message = mkrsquo =m

If the adversary somehow knows m then first compute mrsquo = multiplicative inverse of mm mk (mod p)mmrsquo k (mod p)So the adversary can figure out k

Public information p

So why donrsquot we use this Turingrsquos code today

plain-text attack

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Private Key Cryptosystem

Alice Bob

adversarymessage -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Two parties have to agree on a secret key which may be difficult in practice

If we buy books from Amazon we donrsquot need to exchange a secret code

Why is it secure

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 7: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Turingrsquos Code (Version 10)

The first step is to translate a message into a number

ldquov i c t o r yrdquo

-gt 22 09 03 20 15 18 25

Beforehand The sender and receiver agree on a secret

key which is a large number k

Encryption The sender encrypts the message m by

computing

m = m middot k

Decryption The receiver decrypts m by computing

mk = m middot kk = m

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

Why the adversary cannot figure out m

mk = received message k = keydecrypted message = mkk=m

The adversary doesnrsquot have the key k

and so can only factor mk to figure out m

but factoring is a difficult task to do

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

mk = received message k = keydecrypted message = mkk=m

So why donrsquot we use this Turingrsquos code today

Major flaw if you use the same key to send two messages m and mrsquo

then from mk and mrsquok

we can use gcd(mkmrsquok) to figure out k

and then decrypt every message

Turingrsquos Code (Version 20)

Beforehand The sender and receiver agree on a large prime p which

may be made public (This will be the modulus for all our arithmetic)

They also agree on a secret key k in 1 2 p minus 1

Encryption The message m can be any integer in the set 0 1 2

p minus 1 The sender encrypts the message m to produce m by

computing

m = mk mod p

Decryption Let krsquo be the multiplicative inverse of k under modulo p

m mk (mod p)

mkrsquo m (mod p)

mkrsquo = m

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

Why the adversary cannot figure out m

m = received message k = keydecrypted message = mkrsquo =m

Many m and k can produce m as output

just impossible to determine m without k

Public information p

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

m = received message k = keydecrypted message = mkrsquo =m

If the adversary somehow knows m then first compute mrsquo = multiplicative inverse of mm mk (mod p)mmrsquo k (mod p)So the adversary can figure out k

Public information p

So why donrsquot we use this Turingrsquos code today

plain-text attack

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Private Key Cryptosystem

Alice Bob

adversarymessage -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Two parties have to agree on a secret key which may be difficult in practice

If we buy books from Amazon we donrsquot need to exchange a secret code

Why is it secure

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 8: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

Why the adversary cannot figure out m

mk = received message k = keydecrypted message = mkk=m

The adversary doesnrsquot have the key k

and so can only factor mk to figure out m

but factoring is a difficult task to do

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

mk = received message k = keydecrypted message = mkk=m

So why donrsquot we use this Turingrsquos code today

Major flaw if you use the same key to send two messages m and mrsquo

then from mk and mrsquok

we can use gcd(mkmrsquok) to figure out k

and then decrypt every message

Turingrsquos Code (Version 20)

Beforehand The sender and receiver agree on a large prime p which

may be made public (This will be the modulus for all our arithmetic)

They also agree on a secret key k in 1 2 p minus 1

Encryption The message m can be any integer in the set 0 1 2

p minus 1 The sender encrypts the message m to produce m by

computing

m = mk mod p

Decryption Let krsquo be the multiplicative inverse of k under modulo p

m mk (mod p)

mkrsquo m (mod p)

mkrsquo = m

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

Why the adversary cannot figure out m

m = received message k = keydecrypted message = mkrsquo =m

Many m and k can produce m as output

just impossible to determine m without k

Public information p

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

m = received message k = keydecrypted message = mkrsquo =m

If the adversary somehow knows m then first compute mrsquo = multiplicative inverse of mm mk (mod p)mmrsquo k (mod p)So the adversary can figure out k

Public information p

So why donrsquot we use this Turingrsquos code today

plain-text attack

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Private Key Cryptosystem

Alice Bob

adversarymessage -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Two parties have to agree on a secret key which may be difficult in practice

If we buy books from Amazon we donrsquot need to exchange a secret code

Why is it secure

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 9: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Turingrsquos Code (Version 10)

Alice Bob

adversary

mk

m = message k = keyencrypted message = mk

mk = received message k = keydecrypted message = mkk=m

So why donrsquot we use this Turingrsquos code today

Major flaw if you use the same key to send two messages m and mrsquo

then from mk and mrsquok

we can use gcd(mkmrsquok) to figure out k

and then decrypt every message

Turingrsquos Code (Version 20)

Beforehand The sender and receiver agree on a large prime p which

may be made public (This will be the modulus for all our arithmetic)

They also agree on a secret key k in 1 2 p minus 1

Encryption The message m can be any integer in the set 0 1 2

p minus 1 The sender encrypts the message m to produce m by

computing

m = mk mod p

Decryption Let krsquo be the multiplicative inverse of k under modulo p

m mk (mod p)

mkrsquo m (mod p)

mkrsquo = m

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

Why the adversary cannot figure out m

m = received message k = keydecrypted message = mkrsquo =m

Many m and k can produce m as output

just impossible to determine m without k

Public information p

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

m = received message k = keydecrypted message = mkrsquo =m

If the adversary somehow knows m then first compute mrsquo = multiplicative inverse of mm mk (mod p)mmrsquo k (mod p)So the adversary can figure out k

Public information p

So why donrsquot we use this Turingrsquos code today

plain-text attack

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Private Key Cryptosystem

Alice Bob

adversarymessage -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Two parties have to agree on a secret key which may be difficult in practice

If we buy books from Amazon we donrsquot need to exchange a secret code

Why is it secure

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 10: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Turingrsquos Code (Version 20)

Beforehand The sender and receiver agree on a large prime p which

may be made public (This will be the modulus for all our arithmetic)

They also agree on a secret key k in 1 2 p minus 1

Encryption The message m can be any integer in the set 0 1 2

p minus 1 The sender encrypts the message m to produce m by

computing

m = mk mod p

Decryption Let krsquo be the multiplicative inverse of k under modulo p

m mk (mod p)

mkrsquo m (mod p)

mkrsquo = m

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

Why the adversary cannot figure out m

m = received message k = keydecrypted message = mkrsquo =m

Many m and k can produce m as output

just impossible to determine m without k

Public information p

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

m = received message k = keydecrypted message = mkrsquo =m

If the adversary somehow knows m then first compute mrsquo = multiplicative inverse of mm mk (mod p)mmrsquo k (mod p)So the adversary can figure out k

Public information p

So why donrsquot we use this Turingrsquos code today

plain-text attack

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Private Key Cryptosystem

Alice Bob

adversarymessage -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Two parties have to agree on a secret key which may be difficult in practice

If we buy books from Amazon we donrsquot need to exchange a secret code

Why is it secure

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 11: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

Why the adversary cannot figure out m

m = received message k = keydecrypted message = mkrsquo =m

Many m and k can produce m as output

just impossible to determine m without k

Public information p

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

m = received message k = keydecrypted message = mkrsquo =m

If the adversary somehow knows m then first compute mrsquo = multiplicative inverse of mm mk (mod p)mmrsquo k (mod p)So the adversary can figure out k

Public information p

So why donrsquot we use this Turingrsquos code today

plain-text attack

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Private Key Cryptosystem

Alice Bob

adversarymessage -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Two parties have to agree on a secret key which may be difficult in practice

If we buy books from Amazon we donrsquot need to exchange a secret code

Why is it secure

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 12: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Turingrsquos Code (Version 20)

Alice Bob

adversary

m = mk mod p

m = message k = keyencrypted message = mk mod p

m = received message k = keydecrypted message = mkrsquo =m

If the adversary somehow knows m then first compute mrsquo = multiplicative inverse of mm mk (mod p)mmrsquo k (mod p)So the adversary can figure out k

Public information p

So why donrsquot we use this Turingrsquos code today

plain-text attack

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Private Key Cryptosystem

Alice Bob

adversarymessage -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Two parties have to agree on a secret key which may be difficult in practice

If we buy books from Amazon we donrsquot need to exchange a secret code

Why is it secure

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 13: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

Private Key Cryptosystem

Alice Bob

adversarymessage -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Two parties have to agree on a secret key which may be difficult in practice

If we buy books from Amazon we donrsquot need to exchange a secret code

Why is it secure

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 14: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Private Key Cryptosystem

Alice Bob

adversarymessage -gt f(messagekey)

f(message key)

encrypt the message using the key decrypt the message using the key

f(messagekey) -gt message

But the adversary can not decrypt f(messagekey) without the key

Two parties have to agree on a secret key which may be difficult in practice

If we buy books from Amazon we donrsquot need to exchange a secret code

Why is it secure

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 15: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Public Key Cryptosystem

Alice Bob

adversarymessage -gt f(messageBobrsquos key)

f(message Bobrsquos key)

encrypt the message using Bobrsquos key decrypt the message

f(messageBobrsquos key) -gt message

But the adversary can not decrypt f(message Bobrsquos key)

Public information Key for Alice Public information Key for Bob

Only Bob can decrypt the message sent to him

How is it possible

There is no need to have a secret key between Alice and Bob

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 16: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

RSA Cryptosystem

RSA are the initials of three ComputerScientists Ron Rivest Adi Shamir andLen Adleman who discovered their algorithm when they were working together at MIT in 1977

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 17: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 18: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Generating Public Key

Alice Bob

How Bob creates his public keys

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

gt 150 digits

Secret key only known to Bob

public key e and n

secret key d

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 19: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Encrypting Message

Alice Bob

bull Look at Bobrsquos homepage for e and n

bull Send y = xe mod n

How Alice sends a message to Bob

message x

Send y = xe mod n

Alice does not need to know Bobrsquos secret key to send the message

public key e and n

secret key d

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 20: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Alice Bob

bull Receive y = xe mod n

bull Compute z = yd mod n

How Bob recover Alicersquos message

public key e and n

secret key d

message x

Send y = xe mod n

Bob uses z is the original message that Alice sent

Decrypting Message

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 21: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

RSA Cryptosystem

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

Compute z = yd mod n

Key generation

Encrypting message

Decrypting message

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 22: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 23: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

RSA Cryptosystem

Alice Bob

For the RSA cryptosytem to work

we need to show

1) z = x

2) Without the secret key d

we can not compute the original message

before the sun burns out

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

with additional assumptionshellip

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 24: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

Therefore if Alice sends x lt n then Bob can recover correctly

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 25: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

Note that de = 1 + kT

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

= 1 + k(p-1)(q-1)

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 26: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Correctness

Alice Bob

Fermatrsquos little theorem If p | a then ap-1 1 mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

= x mod p

(a) x mod p = xed mod p1) z = x

a

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 27: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Correctness

Alice Bob

Hence xed mod p = x1+k(p-1)(q-1) mod p

= xxk(p-1)(q-1) mod p

= x(xk(q-1))(p-1) mod p

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p1) z = x

What if p | a

a

This means p | xk(q-1) implying p | x since p is prime

Since p | x we have xed mod p = x mod p = 0

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 28: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Correctness

Alice Bob

Note that z = yd mod n = xed mod n

Therefore we need to prove x = xed mod n p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

(a) x mod p = xed mod p

(b) x mod q = xed mod q

(c) x mod n = xed mod n

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

1) z = x

(c) can be proved directly also follows from Chinese Remainder theorem

The same proof

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 29: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 30: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Why is this Secure

Alice Bob

Method 1

From y=xe mod n donrsquot know how to compute x

Thus not possible to work backward

It is an example of an ldquoone-wayrdquo function

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 31: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Why is this Secure

Alice Bob

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

Method 2

Factor n = pq Compute secrete key d

Then decrypt everything

No one knows an efficient way to do factoring

2) Without the secret key d

we can not compute the original

message

before the sun burns out

adversary

The security is based on assumptions that some computational problems are hard

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 32: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

This Lecture

bull Introduction to cryptograph

bull ldquoTuring coderdquo

bull Public key cryptography

bull RSA cryptosystem

bull Key generation encryption decryption

bull Correctness

bull Secure

bull Computational issues

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 33: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

RSA Example

Alice Bob

p=5 q=11

n = 55

T = 40

e = 7

d = 23

x=33

How to compute it efficiently

public key e and n

secret key d

message x

Send y = xe mod n

Compute z = yd mod n

p q prime

n = pq

T = (p-1)(q-1)

e st gcd(eT)=1

de = 1 (mod T)

First Bob generated his keys

Then Alice sends the encrypted message

y = 3323 mod 55

y = 84298649517881922539738734663399137 mod 55

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 34: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Exponentiation

1444 mod 713

= 144 144 144 144 mod 713

= 20736 144 144 mod 713

= 59 144 144 mod 713

= 8496 144 mod 713

= 653 144 mod 713

= 94032 mod 713

= 629 mod 713

20736 20736 mod 713

= 59 59 mod 713

= 3481 mod 713

= 629 mod 713

To compute exponentiation mod n

This still takes too long when the exponent is large

This is much more efficient

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 35: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Repeated Squaring

14450 mod 713

= 14432 14416 1442 mod 713

= 64848559 mod 713

= 242

1442 mod 713 = 59

1444 mod 713 = 1442 1442 mod 713= 5959 mod 713= 629

1448 mod 713= 14441444 mod 713= 629629 mod 713= 639

14416 mod 713= 14481448 mod 713= 639639 mod 713= 485

14432 mod 713= 1441614416 mod 713= 485485 mod 713= 648

Note that 50 = 32 + 16 + 2

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 36: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Given a large number how to check whether it is prime efficiently

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 37: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Primality Testing

Given a large integer n determine quickly whether n is prime

First test for i = 1hellipradicn check if i divides n

Need some number theory

We are talking about n with 150 digits

This simply takes too long (2150 steps sun will burn out)

We are looking for an exponential improvement

(instead of n we can only afford roughly log(n) steps)

like we did in the extended GCD algorithm

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 38: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Primality Testing

It doesnrsquot seem to help

since we donrsquot know how to compute (n-1) mod n quickly

(in roughly log(n) steps)

Theorem n is a prime if and only if

(n-1) -1 (mod n)

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 39: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Primality Testing

1 an-1 (mod n)

Theorem If n is prime amp a not a multiple of n

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1763 is composite (not a prime number)

Let a=2 n=1763

21762 (mod 1763) = 142 ne 1

Therefore it is composite by (the contrapositive of) Fermatrsquos little theorem

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 40: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Example Show that 1387 is composite (not a prime number)

Let a=2 n=1387

21386 (mod 1387) = 1 can not tell whether n is prime or not

Try a=3

31386 (mod 1387) = 1238 ne 1 this shows n is composite

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 41: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Each test takes about log(n) steps

It depends on how many a that we need to tryhellip

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 42: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Primality Testing

Contrapositive If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

ldquoFermatrdquo test Given n choose a lt n

Compute an-1 (mod n)

If an-1 (mod n) ne 1

conclude that n is a composite number

If an-1 (mod n) = 1

try another a

Unfortunately there exists n which is composite

but an-1 (mod n) = 1 for every a

These are called Carmichael numbers (eg 561 1105 1729 etchellip)

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 43: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Lemma If n is a prime number

x2 1 (mod n) if and only if x 1 (mod n) or x -1 (mod n)

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

For n=1387 and a=2 Fermatrsquos test fails because 21386 1 (mod 1387)

Example Note that it is (2693)2

However 2693 512 (mod 1387) 1 (mod 1387)

By contrapositive 2 we can conclude that 1387 is a composite number

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 44: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Strong primality test

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

ne1

Composite by contrapositive 1

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 45: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Composite by contrapositive 2

ne1 amp ne-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 46: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

Continue to go backward and check

=1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 47: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =-1

Strong primality test

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 48: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Primality Testing

Contrapositive 1 If 1 an-1 (mod n) and a is not a multiple of n

then n is not a prime number

Contrapositive 2 If x2 1 (mod n) but x 1 (mod n) and x -1 (mod n)

then n is a composite number

Let n-1 = 2kd Pick an a

Compute a2kd (mod n) a2k-1d (mod n) a2k-2d (mod n)hellip ad (mod n)

=1

End the test and say it is a ldquoprobablerdquo prime

=1 =1 =1 =1

Strong primality test

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 49: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Primality Testing

Given n pick an a

Let nrsquo = n-1 (so nrsquo is an even number)

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

While nrsquo is an integer do

If anrsquo (mod n) = -1

then stop and say ldquon is a probable primerdquo

If anrsquo (mod n) ne 1

then stop and say ldquon is compositerdquo

nrsquo = nrsquo2

Stop and say ldquon is a probable primerdquo

Strong primality test

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 50: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Primality Testing

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

So given a composite n if we pick a random a

the strong primality test will be incorrect with probability lt= 12

Thus if we repeat the procedure for 10000 times

then the probability that the strong primality test is still incorrect

is very small (eg much smaller than our computer will suddenly crash)

For a particular a the strong primality test takes ldquoaboutrdquo log(n) steps

But again there exists n which is composite but pass the testhellip

This is the most efficient method used in practice

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 51: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Generating Public Key

bull Choose 2 large prime numbers p and q

bull Set n = pq and T = (p-1)(q-1)

bull Choose e ne1 so that gcd(eT)=1

bull Calculate d so that de = 1 (mod T)

bull Publish e and n as public keys

bull Keep d as secret key

How to choose large prime numbers efficiently

Prime number theorem From 1 to n there are roughly nlog(n) prime numbers

Pick a random large number

do the (randomized) strong primality tests

until we find a prime

Similar idea

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 52: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

Remarks

bull We have derived everything from basic principle

bull RSA cryptosystem is one of the most important achievements in compute science

(The researchers won the Turing award for their contribution)

bull Number theory is also very useful in coding theory (eg compression)

bull Mathematics is very important in computer science

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
Page 53: Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer

More Remarks

Theorem if n is composite for more than half of a lt n

the strong primality test will say n is composite

The proof uses Chinese Remainder theorem and some elementary

number theory (Introduction to Algorithms MIT press)

Theroem (Primes is in P 2004)

There is an efficient and deterministic primality test

Conjecture It is enough to try a to up to roughly log(n)

Major Open Problem

Is there an efficient algorithm to compute the prime factorization

  • Cryptography
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53

ELEMENTS OF NUMBER THEORY: LECTURE NOTESlazebnik/papers/ElementsThNum.pdfELEMENTS OF NUMBER THEORY: LECTURE NOTES 3 (iv) Before we start our proof, we want to point out that this statement

Number Theory, Lecture 5 - Linköping University · 2019. 3. 1. · Number Theory, Lecture 5 Jan Snellman Multiplicative order De nition Elementary properties Primitive roots De nition

Module :MA3036NI Cryptography and Number Theory Lecture Week 7

Number Theory, Lecture 8 - courses.mai.liu.secourses.mai.liu.se/GU/TATA54/Lectures/lecture8.pdf · Number Theory, Lecture 8 Jan Snellman Pythagorean triples De nition, primitive Classi

Lecture on Additive Number Theory - ERNETgm/gmhomefiles/talksvijyoshi... · Lecture on Additive Number Theory R. Balasubramanian The Institute of Mathematical Sciences, Chennai

INTRODUCTION TO NUMBER THEORY - Univerzita Karlovakam.mff.cuni.cz/~klazar/ln_utc.pdf · These lecture notes cover the one-semester course Introduction to Number Theory ... stated

Lecture Notes in Number Theory - FCAMPENA - Homefrancisjosephcampena.weebly.com/.../lecturenotes_number_theory.pdf · Lecture Notes in Number Theory. CONTENTS 1 Preliminary Concepts

Logic and Discrete Math Lecture notes Number Theory and ...zhang/teaching/cse240/Spring10/ProofT… · Logic and Discrete Math Lecture notes Number Theory and Proof Techniques. 2

Topics 2: Exact arithmetic. Number theory. Linear algebra Lecture 7

Lecture on Additive Number Theory - ERNET · Introduction In Additive Number Theory we study subsets of integers and their behavior under addition

Counting in number theory Lecture 1: Elementary number theorycarlp/rademacherlecture1.pdf · Counting in number theory Lecture 1: Elementary number theory Carl Pomerance, Dartmouth

Analytic Number Theory in Function Fields (Lecture 6)

Module :MA3036NI Number theory and Public key Encryption Lecture Week 6

Math 412: Number Theory Lecture 2: GCD and linear ...gyu.people.wm.edu/Fall2016/Math412/nt-lec2-note.pdfGexin Yu [email protected] Math 412: Number Theory Lecture 2: GCD and linear diophantine

MATH 195, SPRING 2015 TRANSCENDENTAL NUMBER THEORY LECTURE ... · MATH 195, SPRING 2015 TRANSCENDENTAL NUMBER THEORY LECTURE NOTES LENNY FUKSHANSKY Contents 1. Notation and sets 2

Module :MA3036NI Cryptography and Number Theory Lecture Week 3 Symmetric Encryption-2

Number Theory I - ocw.mit.edu · 18.785 Number theory I Lecture #1 Fall 2019 09/04/2019 1 Absolute values and discrete valuations 1.1 Introduction At its core, number theory is the

CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic

Lecture 7 Number Theory - AndroBenchcsl.skku.edu/uploads/SWE2004S13/Lecture7.pdfSWE2004: Principles in Programming | Spring 2013 | Euiseong Seo ([email protected]) 2 Number Theory

Lecture Notes on the Complexity of Some Problems in Number Theory

Number Theory - University of California, Berkeleyapaulin/NumberTheory.pdf · Number Theory Alexander Paulin October 25, 2010 Lecture 1 What is Number Theory Number Theory is one

1 Game Theory Lecture 3 Game Theory Lecture 3 Game Theory Lecture 3

Introduction to Number Theory Lecture Notes

Algebraic number theory - Lecture Notes · Algebraic number theory - Lecture Notes Nivedita 2009 Lecture 1 Introduction Arithmetic was done in the ring Z, which we know has several

Discrete Mathematics 4. NUMBER THEORY Lecture 7 Dr.-Ing. Erwin Sitompul

Math 412: Number Theory Lecture 12 Partitions

Introduction to Number Theory Lecture NotesIntroduction to Number Theory Lecture Notes Adam Boocher (2014-5), edited by Andrew Ranicki (2015-6) December 4, 2015 1 Introduction (21.9.2015)

Math 312, Lecture 1reichst/312lecture1.pdf · Number theory ourished in ancient Greece ... number theory continued to be advanced in China, ... music theory. Math 312, Lecture 1 September

Logic and Discrete Math Lecture notes Number Theory …zhang/teaching/cse240/Spring10/ProofTech.pdf · Logic and Discrete Math Lecture notes Number Theory and ... A theorem “Every

18.786 (Number Theory II) Lecture Notes - Evan Chen · 2018-07-31 · Evan Chen (Spring 2018) 18.786 (Number Theory II) Lecture Notes §6.5Group actions The space H, acted on by SL

Introduction to Analytic Number Theory Math 531 Lecture

Math 539: Analytic Number Theory Lecture Notes Lior Silberman

Introduction to Number Theory Lecture Notes - Mathboocher/writings/NumberTheoryNotes.pdf · Introduction to Number Theory Lecture Notes Adam Boocher (2014-5), edited by Andrew Ranicki

Elementary Number Theory Lecture Noteslior/teaching/0910/537_F09/537_notes.pdf · Elementary Number Theory Lecture Notes Lior Silberman. These are rough notes for the fall 2009 course

Number Theory Games - Lecture 10 · 10/12/2018  · Justin Stevens Number Theory Games (Lecture 10) 2 / 30. TAG 5 Rules Considerthetake-awaygameTAG 5 below: LettherebenchipsonthetableandA,B