7/28/2019 week_5.pdf

1/61

CENG 520Lecture Note V

7/28/2019 week_5.pdf

2/61

Prime Numbers

prime numbers only have divisors of 1 and self

they cannot be written as a product of other numbers

note: 1 is prime, but is generally not of interest

eg. 2,3,5,7 are prime, 4,6,8,9,10 are not

prime numbers are central to number theory

list of prime number less than 200 is:

2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 5961 67 71 73 79 83 89 97 101 103 107 109 113 127

131 137 139 149 151 157 163 167 173 179 181 191

193 197 199

Lecture slides by Lawrie Brown

7/28/2019 week_5.pdf

3/61

Prime Factorisation

to factor a number n is to write it as a product

of other numbers: n=a x b x c

note that factoring a number is relatively hard

compared to multiplying the factors together

to generate the number

the prime factorisation of a number n is when

its written as a product of primes

eg. 91=7x13 ; 3600=24x32x52

7/28/2019 week_5.pdf

4/61

Relatively Prime Numbers & GCD

two numbers a, b are relatively prime if have nocommon divisors apart from 1

eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8and of 15 are 1,3,5,15 and 1 is the only common factor

conversely can determine the greatest commondivisor by comparing their prime factorizations andusing least powers

eg. 300=21x31x52 18=21x32 henceGCD(18,300)=21x31x50=6

7/28/2019 week_5.pdf

5/61

Fermat's Theorem

ap-1 = 1 (mod p)

where p is prime and gcd(a,p)=1

also known as Fermats Little Theorem

also have: ap = a (mod p)

useful in public key and primality testing

7/28/2019 week_5.pdf

6/61

Euler Totient Function (n)

when doing arithmetic modulo n

complete set of residues is: 0..n-1

reduced set of residues is those numbers (residues)

which are relatively prime to n

eg for n=10,

complete set of residues is {0,1,2,3,4,5,6,7,8,9}

reduced set of residues is {1,3,7,9}

number of elements in reduced set of residues is

called the Euler Totient Function (n)

7/28/2019 week_5.pdf

7/61

Euler Totient Function (n)

to compute (n) need to count number ofresidues to be excluded

in general need prime factorization, but

for p (p prime) (p)=p-1

for p.q (p,q prime) (p.q)=(p-1)x(q-1)

eg.

(37) = 36(21) = (31)x(71) = 2x6 = 12

7/28/2019 week_5.pdf

8/61

Euler's Theorem

a generalisation of Fermat's Theorem

a(n) = 1 (mod n)

for any a,n where gcd(a,n)=1

eg.a=3;n=10; (10)=4;

hence 34 = 81 = 1 mod 10

a=2;n=11; (11)=10;

hence 210 = 1024 = 1 mod 11 also have: a(n)+1 = a (mod n)

7/28/2019 week_5.pdf

9/61

Primality Testing

often need to find large prime numbers

traditionally sieve using trial division ie. divide by all numbers (primes) in turn less than the

square root of the number

only works for small numbers alternatively can use statistical primality tests based

on properties of primes for which all primes numbers satisfy property

but some composite numbers, called pseudo-primes, alsosatisfy the property

can use a slower deterministic primality test

7/28/2019 week_5.pdf

10/61

Chinese Remainder Theorem

used to speed up modulo computations

if working modulo a product of numbers

eg. mod M = m1

m2

..mk

Chinese Remainder theorem lets us work in

each moduli mi separately

since computational cost is proportional tosize, this is faster than working in the full

modulus M

7/28/2019 week_5.pdf

11/61

Chinese Remainder Theorem

can implement CRT in several ways

to compute A(mod M)

first compute all ai = A mod mi separately

determine constants ci below, where Mi = M/mi

then combine results to get answer using:

7/28/2019 week_5.pdf

12/61

Example

43216*27modulosolutionuniqueahavewouldproblemexampleOur

16mod727mod13

x

x

3*27)5(161

12*511

51*1116

111*1627

?27mod16mod 11

ii mM

473)16*5(*13)27*3(*7 x

7/28/2019 week_5.pdf

13/61

Primitive Roots

from Eulers theorem have a(n)mod n=1

consider am=1 (mod n), GCD(a,n)=1

must exist for m = (n) but may be smaller

once powers reach m, cycle will repeat

if smallest is m = (n) then a is called a primitive

root

ifp is prime, then successive powers ofa "generate"the group mod p

these are useful but relatively hard to find

7/28/2019 week_5.pdf

14/61

Powers mod 19

7/28/2019 week_5.pdf

15/61

Discrete Logarithms

the inverse problem to exponentiation is to find thediscrete logarithm of a number modulo p

that is to find i such that b = ai (mod p)

this is written as i = dloga b (mod p) ifa is a primitive root then it always exists, otherwise

it may not, eg.

x = log3 4 mod 13 has no answer

x = log2 3 mod 13 = 4 by trying successive powers whilst exponentiation is relatively easy, finding

discrete logarithms is generally a hard problem

7/28/2019 week_5.pdf

16/61

Discrete Logarithms mod 19

7/28/2019 week_5.pdf

17/61

Private-Key Cryptography

traditional private/secret/single keycryptography uses one key

shared by both sender and receiver

if this key is disclosed communications arecompromised

also is symmetric, parties are equal

hence does not protect sender from receiverforging a message & claiming is sent by sender

7/28/2019 week_5.pdf

18/61

Public-Key Cryptography

probably most significant advance in the 3000

year history of cryptography

uses two keys a public & a private key

asymmetric since parties are not equal

uses clever application of number theoretic

concepts to function

complements rather than replaces private key

crypto

7/28/2019 week_5.pdf

19/61

Why Public-Key Cryptography?

developed to address two key issues:

key distribution how to have securecommunications in general without having to trust

a KDC with your key digital signatures how to verify a message

comes intact from the claimed sender

public invention due to Whitfield Diffie &Martin Hellman at Stanford Uni in 1976

known earlier in classified community

7/28/2019 week_5.pdf

20/61

Public-Key Cryptography

public-key/two-key/asymmetric cryptography involvesthe use oftwo keys:

a public-key, which may be known by anybody, and can beused to encrypt messages, and verify signatures

a related private-key, known only to the recipient, used todecrypt messages, and sign (create) signatures

infeasible to determine private key from public

is asymmetric because those who encrypt messages or verify signatures cannot

decrypt messages or create signatures

7/28/2019 week_5.pdf

21/61

Public-Key Cryptography

7/28/2019 week_5.pdf

22/61

Symmetric vs Public-Key

7/28/2019 week_5.pdf

23/61

Public-Key Cryptosystems

7/28/2019 week_5.pdf

24/61

Public-Key Applications

can classify uses into 3 categories:

encryption/decryption (provide secrecy)

digital signatures (provide authentication)

key exchange (of session keys)

some algorithms are suitable for all uses,

others are specific to one

7/28/2019 week_5.pdf

25/61

Public-Key Requirements

Public-Key algorithms rely on two keys where:

it is computationally infeasible to find decryption key

knowing only algorithm & encryption key

it is computationally easy to en/decrypt messages whenthe relevant (en/decrypt) key is known

either of the two related keys can be used for encryption,

with the other used for decryption (for some algorithms)

these are formidable requirements which onlya few algorithms have satisfied

7/28/2019 week_5.pdf

26/61

Public-Key Requirements

need a trapdoor one-way function one-way function has

Y = f(X) easy

X = f1

(Y) infeasible

a trap-door one-way function has

Y = fk(X) easy, if k and X are known

X = fk1(Y) easy, if k and Y are known

X = fk1(Y) infeasible, if Y known but k not known

a practical public-key scheme depends on a

suitable trap-door one-way function

7/28/2019 week_5.pdf

27/61

Security of Public Key Schemes

like private key schemes brute force exhaustivesearch attack is always theoretically possible

but keys used are too large (>512bits)

security relies on a large enough difference in

difficulty between easy (en/decrypt) and hard(cryptanalyse) problems

more generally the hard problem is known, but ismade hard enough to be impractical to break

requires the use ofvery large numbers

hence is slow compared to private key schemes

7/28/2019 week_5.pdf

28/61

RSA

by Rivest, Shamir & Adleman of MIT in 1977

best known & widely used public-key scheme

based on exponentiation in a finite (Galois) field over

integers modulo a prime

nb. exponentiation takes O((log n)3) operations (easy)

uses large integers (eg. 1024 bits)

security due to cost of factoring large numbers nb. factorization takes O(e log n log log n) operations (hard)

7/28/2019 week_5.pdf

29/61

RSA En/decryption

to encrypt a message M the sender:

obtains public key of recipient PU={e,n}

computes: C = Me mod n, where 0M

7/28/2019 week_5.pdf

30/61

RSA Key Setup

each user generates a public/private key pair by:

selecting two large primes at random: p, q

computing their system modulus n=p.q

note (n)=(p-1)(q-1)

selecting at random the encryption key e

where 1

7/28/2019 week_5.pdf

31/61

Why RSA Works

because of Euler's Theorem: a(n)mod n = 1 where gcd(a,n)=1

in RSA have: n=p.q

(n)=(p-1)(q-1) carefully chose e & d to be inverses mod (n)

hence e.d=1+k.(n) for some k

hence :

Cd

= Me.d

= M1+k.(n)

= M1

.(M(n)

)k

= M1.(1)k = M1 = M mod n

7/28/2019 week_5.pdf

32/61

RSA Example - Key Setup

1. Select primes:p=17 & q=11

2. Calculate n =pq=17 x 11=187

3. Calculate (n)=(p1)(q-1)=16x10=160

4. Select e: gcd(e,160)=1; choose e=75. Determine d: de=1 mod 160 and d< 160

Value is d=23 since 23x7=161= 10x160+1

6. Publish public key PU={7,187}

7. Keep secret private key PR={23,187}

7/28/2019 week_5.pdf

33/61

RSA Example - En/Decryption

sample RSA encryption/decryption is:

given message M = 88 (nb. 88

7/28/2019 week_5.pdf

34/61

Exponentiation

can use the Square and Multiply Algorithm

a fast, efficient algorithm for exponentiation

concept is based on repeatedly squaring base

and multiplying in the ones that are needed to

compute the result

look at binary representation of exponent

only takes O(log2 n) multiples for number n eg. 75 = 74.71 = 3.7 = 10 mod 11

eg. 3129 = 3128.31 = 5.3 = 4 mod 11

7/28/2019 week_5.pdf

35/61

Exponentiation

c = 0; f = 1

for i = k downto 0

do c = 2 x c

f = (f x f) mod n

if b i == 1 then

c = c + 1

f = (f x a) mod n

return f

7/28/2019 week_5.pdf

36/61

Efficient Encryption

encryption uses exponentiation to power e

hence if e small, this will be faster

often choose e=65537 (216-1)

also see choices of e=3 or e=17

but if e too small (eg e=3) can attack

using Chinese remainder theorem & 3 messages

with different modulii if e fixed must ensure gcd(e,(n))=1

ie reject any p or q not relatively prime to e

7/28/2019 week_5.pdf

37/61

Efficient Decryption

decryption uses exponentiation to power d

this is likely large, insecure if not

can use the Chinese Remainder Theorem

(CRT) to compute mod p & q separately. thencombine to get desired answer

approx 4 times faster than doing directly

only owner of private key who knows valuesof p & q can use this technique

7/28/2019 week_5.pdf

38/61

RSA Key Generation

users of RSA must:

determine two primes at random - p, q

select either e or d and compute the other

primes p,q must not be easily derived frommodulus n=p.q

means must be sufficiently large

typically guess and use probabilistic test exponents e, d are inverses, so use Inverse

algorithm to compute the other

7/28/2019 week_5.pdf

39/61

RSA Security

possible approaches to attacking RSA are:

brute force key search - infeasible given size of

numbers

mathematical attacks - based on difficulty ofcomputing (n), by factoring modulus n

timing attacks - on running of decryption

chosen ciphertext attacks - given properties of RSA

7/28/2019 week_5.pdf

40/61

Factoring Problem

mathematical approach takes 3 forms: factor n=p.q, hence compute (n) and then d

determine (n) directly and compute d

find d directly

currently believe all equivalent to factoring have seen slow improvements over the years

as of May-05 best is 200 decimal digits (663) bit with LS (LatticeSieve)

biggest improvement comes from improved algorithm cf QS(Quadratic Sieve) to GHFS(Generalized Number Field Sieve) to

LS

currently assume 1024-2048 bit RSA is secure ensure p, q of similar size and matching other constraints

7/28/2019 week_5.pdf

41/61

Progress in Factoring

7/28/2019 week_5.pdf

42/61

Progress inFactoring

7/28/2019 week_5.pdf

43/61

Diffie-Hellman Key Exchange

first public-key type scheme proposed

by Diffie & Hellman in 1976 along with the

exposition of public key concepts

note: now know that Williamson (UK CESG)

secretly proposed the concept in 1970

is a practical method for public exchange of a

secret key

used in a number of commercial products

7/28/2019 week_5.pdf

44/61

Diffie-Hellman Key Exchange

a public-key distribution scheme

cannot be used to exchange an arbitrary message

rather it can establish a common key

known only to the two participants

value of key depends on the participants (and theirprivate and public key information)

based on exponentiation in a finite (Galois) field

(modulo a prime or a polynomial) - easy security relies on the difficulty of computing discrete

logarithms (similar to factoring) hard

7/28/2019 week_5.pdf

45/61

Diffie-Hellman Setup

all users agree on global parameters:

large prime integer or polynomial q

a being a primitive root mod q

each user (eg. A) generates their key

chooses a secret key (number): xA < q

compute their public key: yA = axA mod q

each user makes public that key yA

7/28/2019 week_5.pdf

46/61

Diffie-Hellman Key Exchange

shared session key for users A & B is KAB:KAB = a

xA.xB mod q

= yAxB mod q (which B can compute)

= yBxA mod q (which A can compute)

KAB is used as session key in private-key encryptionscheme between Alice and Bob

if Alice and Bob subsequently communicate, they will

have the same key as before, unless they choosenew public-keys

attacker needs an x, must solve discrete log

7/28/2019 week_5.pdf

47/61

Diffie-Hellman Example

users Alice & Bob who wish to swap keys:

agree on prime q=353 and a=3

select random secret keys:

A chooses xA=97, B chooses xB=233 compute respective public keys:

yA=397

mod 353 = 40 (Alice)

yB=3233

mod 353 = 248 (Bob)

compute shared session key as: KAB= yB

xA mod 353 = 24897

= 160 (Alice)

KAB= yAxB mod 353 = 40

233= 160 (Bob)

7/28/2019 week_5.pdf

48/61

Key Exchange Protocols

users could create random private/public D-Hkeys each time they communicate

users could create a known private/public D-H

key and publish in a directory, then consultedand used to securely communicate with them

both of these are vulnerable to a meet-in-the-Middle Attack

authentication of the keys is needed

7/28/2019 week_5.pdf

49/61

Man-in-the-Middle Attack

1. Darth prepares by creating two private / public keys2. Alice transmits her public key to Bob

3. Darth intercepts this and transmits his first public key to Bob.Darth also calculates a shared key with Alice

4. Bob receives the public key and calculates the shared key (withDarth instead of Alice)

5. Bob transmits his public key to Alice

6. Darth intercepts this and transmits his second public key toAlice. Darth calculates a shared key with Bob

7. Alice receives the key and calculates the shared key (with Darthinstead of Bob)

Darth can then intercept, decrypt, re-encrypt, forward allmessages between Alice & Bob

7/28/2019 week_5.pdf

50/61

ElGamal Cryptography

public-key cryptosystem related to D-H

so uses exponentiation in a finite (Galois)

with security based difficulty of computing

discrete logarithms, as in D-H

each user (eg. A) generates their key

chooses a secret key (number): 1 < xA < q-1

compute their public key: yA = axA mod q

7/28/2019 week_5.pdf

51/61

ElGamal Message Exchange

Bob encrypt a message to send to A computing

represent message M in range 0

7/28/2019 week_5.pdf

52/61

ElGamal Example

use field GF(19) q=19 and a=10 Alice computes her key:

A chooses xA=5 & computes yA=105mod 19 = 3

Bob send message m=17 as (11,5) by

chosing random k=6

computing K = yAkmod q = 3

6mod 19 = 7

computing C1 = akmod q = 10

6mod 19 = 11;

C2 = KM mod q = 7.17 mod 19 = 5

Alice recovers original message by computing: recover K = C1

xA mod q = 115mod 19 = 7

compute inverse K-1 = 7-1 = 11

recover M = C2 K-1 mod q = 5.11 mod 19 = 17

7/28/2019 week_5.pdf

53/61

Elliptic Curve Cryptography

majority of public-key crypto (RSA, D-H) use

either integer or polynomial arithmetic with

very large numbers/polynomials

imposes a significant load in storing and

processing keys and messages

an alternative is to use elliptic curves

offers same security with smaller bit sizes

newer, but not as well analysed

7/28/2019 week_5.pdf

54/61

Real Elliptic Curves

an elliptic curve is defined by an equation intwo variables x & y, with coefficients

consider a cubic elliptic curve of form

y2 =x3 + ax+ b

where x,y,a,b are all real numbers

also define zero point O

consider set of points E(a,b) that satisfy

have addition operation for elliptic curve

geometrically sum of P+Q is reflection of theintersection R

7/28/2019 week_5.pdf

55/61

Real Elliptic Curve Example

7/28/2019 week_5.pdf

56/61

Finite Elliptic Curves

Elliptic curve cryptography uses curves whose

variables & coefficients are finite

have two families commonly used:

prime curves Ep(a,b) defined over Zp use integers modulo a prime

best in software

binary curves E2m(a,b) defined over GF(2n) use polynomials with binary coefficients

best in hardware

7/28/2019 week_5.pdf

57/61

Elliptic Curve Cryptography

ECC addition is analog of modulo multiply

ECC repeated addition is analog of moduloexponentiation

need hard problem equiv to discrete log Q=kP, where Q,P belong to a prime curve

is easy to compute Q given k,P

but hard to find k given Q,P known as the elliptic curve logarithm problem

Certicom example: E23(9,17)

7/28/2019 week_5.pdf

58/61

ECC Diffie-Hellman

can do key exchange analogous to D-H

users select a suitable curve Eq(a,b)

select base point G=(x1,y1)

with large order n s.t. nG=O

A & B select private keys nA

7/28/2019 week_5.pdf

59/61

ECC Encryption/Decryption

several alternatives, will consider simplest

must first encode any message M as a point on the

elliptic curve Pm

select suitable curve & point G as in D-H

each user chooses private key nA

7/28/2019 week_5.pdf

60/61

ECC Security

relies on elliptic curve logarithm problem

fastest method is Pollard rho method

compared to factoring, can use much smaller

key sizes than with RSA etc

for equivalent key lengths computations are

roughly equivalent

hence for similar security ECC offers significant

computational advantages

Comparable Key Sizes for Equivalent

7/28/2019 week_5.pdf

61/61

Comparable Key Sizes for Equivalent

Security

Symmetric

scheme

(key size in bits)

ECC-based

scheme

(size ofn in bits)

RSA/DSA

(modulus size in

bits)

56 112 512

80 160 1024

112 224 2048

128 256 3072

192 384 7680

256 512 15360