Introduction to Cryptography Hyunsung Kim, PhD University of Malawi, Chancellor College Kyungil University February, 2016.


Contents
4. Crash course in Number Theory
5. Running time of algorithms

Crash course in Number Theory: Properties of |
Let ℤ denote the integers …, −2, −1, 0, 1, 2, …
If a, b ∈ ℤ, we say a divides b if b = na for some n ∈ ℤ, and write a|b.

Crash course in Number Theory: Properties of |
If a, b, c ∈ ℤ and a|b then a|bc
If a|b and b|c then a|c
If a|b and b|c then a|b ± c
If a|b and b ∤ c (does not divide) then a ∤ b ± c

Crash course in Number Theory: Prime numbers
A prime number is a natural number greater than 1 that has no positive divisors other than 1 and itself.
The primes are 2, 3, 5, 7, 11, 13, …
2^1 × 3^2 × 5^1

Crash course in Number Theory: Greatest Common Divisors (GCD)
Given a, b ∈ ℤ≥0, not both 0, the greatest common divisor of a and b is the largest integer d dividing both a and b.
We say that two numbers with GCD equal to 1 are relatively prime.

Crash course in Number Theory: The Euclidean Algorithm
GCD(a, b) = b if a mod b = 0, and GCD(a, b) = GCD(b, a mod b) otherwise.
The Euclidean algorithm for GCDing is very fast with large numbers.
GCD(329, 119): 329 = 2 × 119 + 91
GCD(119, 91): 119 = 1 × 91 + 28
GCD(91, 28): 91 = 3 × 28 + 7
GCD(28, 7): 28 = 4 × 7 + 0
The number above the 0 is the GCD. So GCD(329, 119) = 7.

Crash course in Number Theory
At each step, replace the smaller colored number.
7 = 91 − 3 × 28 (replace smaller)
  = 91 − 3(119 − 1 × 91) (simplify)
  = 4 × 91 − 3 × 119 (replace smaller)
  = 4 × (329 − 2 × 119) − 3 × 119 (simplify)
7 = 4 × 329 − 11 × 119
So we have 7 = 4 × 329 − 11 × 119, where n = 4 and m = −11.

Crash course in Number Theory
Number theorists: a ≡ b (mod m) if m | a − b.
In words: a and b differ by a multiple of m.
In general, working mod m breaks the integers into m subsets.
Each subset contains exactly one representative in the range [0, m − 1].
The set of subsets is denoted ℤ/mℤ or ℤ_m.

Crash course in Number Theory
Computer scientists: b (mod m) = r is the remainder you get, 0 ≤ r < m.
So, 12 (mod 5) is 2 and 7 (mod 5) is 2.
Clock arithmetic is mod 12. If it's 7 hours after 11 then it's 6 o'clock because 7 + 11 = 18 ≡ 6 (mod 12).
Even numbers are those numbers that are ≡ 0 (mod 2).
Odd numbers are those that are ≡ 1 (mod 2).

Crash course in Number Theory
1. a ≡ a (mod m)
2. If a ≡ b (mod m) then b ≡ a (mod m)
3. If a ≡ b (mod m) and b ≡ c (mod m) then a ≡ c (mod m)
4. If a ≡ b (mod m) and c ≡ d (mod m) then a ± c ≡ b ± d (mod m) and a × c ≡ b × d (mod m)
5. An element x of ℤ/mℤ has a multiplicative inverse 1/x or x^(-1) in ℤ/mℤ when GCD(x, m) = 1. The elements of ℤ/mℤ with inverses are denoted ℤ/mℤ*.
Note 1/2 = 2^(-1) ≡ 3 (mod 5) since 2 × 3 ≡ 1 (mod 5).
Work in ℤ/9ℤ = {0, 1, …, 8}: we can use +, −, ×.
Work in ℤ/9ℤ* = {1, 2, 4, 5, 7, 8}: we can use ×, ÷.

Crash course in Number Theory
Find the inverse of 7 mod 9.
9 = 1 × 7 + 2
7 = 3 × 2 + 1
2 = 2 × 1 + 0
So 1 = 7 − 3 × 2
1 = 7 − 3(9 − 7)
1 = 4 × 7 − 3 × 9
We have 1 = 4 × 7 − 3 × 9 ≡ 4 × 7 − 3 × 0 ≡ 4 × 7 (mod 9). So 1 ≡ 4 × 7 (mod 9). So 7^(-1) ≡ 4 (mod 9).
Can 6 have an inverse (mod 9)?

Crash course in Number Theory

    def inverse(a, m):
        # Extended Euclidean algorithm: returns a^(-1) mod m.
        # Invariant: t * a ≡ r (mod m) and t_new * a ≡ r_new (mod m).
        t, t_new = 0, 1
        r, r_new = m, a
        while r_new != 0:
            quotient = r // r_new
            t, t_new = t_new, t - quotient * t_new
            r, r_new = r_new, r - quotient * r_new
        # r is now GCD(a, m); an inverse exists only when it is 1
        if r > 1:
            raise ValueError("a is not invertible")
        if t < 0:
            t = t + m
        return t

Crash course in Number Theory
6. If a ≡ b (mod m) and GCD(c, m) = 1 then ac^(-1) ≡ bc^(-1) (mod m), or a/c ≡ b/c (mod m). In other words, division works well as long as you divide by something relatively prime to the modulus m, i.e. invertible. It is like avoiding dividing by 0.
7. Solving ax ≡ b (mod m) with a, b, m given.
If GCD(a, m) = 1 then the solutions are all numbers x ≡ a^(-1)b (mod m).
If GCD(a, m) = g then there are solutions when g|b. The equation is equivalent to (a/g)x ≡ b/g (mod m/g). Now GCD(a/g, m/g) = 1, so x ≡ (a/g)^(-1)(b/g) (mod m/g) are the solutions.
If g ∤ b then there are no solutions.

Crash course in Number Theory
Since GCD(7, 11) = 1 then we have solutions.
So x ≡ 7^(-1) × 6 (mod 11).
Find 7^(-1) (mod 11):
11 = 1 × 7 + 4
7 = 1 × 4 + 3
4 = 1 × 3 + 1
So 1 = 4 − 1(3)
1 = 4 − 1(7 − 1 × 4)
1 = 2 × 4 − 1 × 7
1 = 2(11 − 1 × 7) − 1 × 7 = 2 × 11 − 3 × 7

Crash course in Number Theory
Thus 1 ≡ −3 × 7 (mod 11) and 1 ≡ 8 × 7 (mod 11).
So 7^(-1) ≡ 8 (mod 11).
So x ≡ 6 × 8 ≡ 4 (mod 11).

Crash course in Number Theory
Since GCD(6, 10) = 2 and 2|8 then we have solutions!
So, this is the same as 3x ≡ 4 (mod 5).
We get 3^(-1) ≡ 2 (mod 5).
So x ≡ 4 × 2 (mod 5) ≡ 3 (mod 5).
Another way to write that is x = 3 + 5n where n ∈ ℤ.
Yet another is x ≡ 3 or 8 (mod 10).

Crash course in Number Theory
Can't, since GCD(6, 10) = 2 and 2 ∤ 7 (has no solutions).

Crash course in Number Theory
The integers that are 1 mod 17 are those of the form 17n + 1.
The first few positive integers of the form 17n + 1 that are bigger than 1 are 18, 35, 52.
Note 18 = 2 × 9; so 2 × 9 ≡ 1 (mod 17) and 2^(-1) ≡ 9 (mod 17) and 9^(-1) ≡ 2 (mod 17).
We also have 18 = 3 × 6, so 3 and 6 are inverses mod 17.
We have 35 = 5 × 7, so 5 and 7 are inverses.
Try going back: 18 = 2 × 9 ≡ (−2)(−9) ≡ 15 × 8.
Furthermore, 18 = 3 × 6 ≡ (−3)(−6) ≡ 14 × 11.
Similarly, we have 35 = 5 × 7 ≡ (−5)(−7) ≡ 12 × 10.
Note that 16 ≡ −1 and 1 = (−1)(−1) ≡ 16 × 16.
So now we have the inverse of all elements of ℤ/17ℤ*.

Crash course in Number Theory
Let n ∈ ℤ>0. Let ℤ/nℤ* = {a | 1 ≤ a ≤ n, GCD(a, n) = 1}. Then the Euler phi function of n, denoted φ(n), is |ℤ/nℤ*|.
ℤ/12ℤ* = {1, 5, 7, 11}, so φ(12) = 4.
We have φ(5) = 4 and φ(6) = 2.
In general, if p is prime then φ(p) = p − 1.

Crash course in Number Theory
If r ≥ 1 and p is prime, then φ(p^r) = p^r − p^(r−1) = p^(r−1)(p − 1).
φ(5^3) = 5^2(5 − 1) = 100
So if n = ∏ p_i^(α_i) then φ(n) = p_1^(α_1 − 1)(p_1 − 1) … p_r^(α_r − 1)(p_r − 1).
If GCD(m, n) = 1 then φ(mn) = φ(m)φ(n).
φ(720) = φ(2^4)φ(3^2)φ(5) = 2^3(2 − 1) × 3^1(3 − 1) × (5 − 1) = 192

Crash course in Number Theory
If p is prime and a ∈ ℤ then a^p ≡ a (mod p). If p does not divide a then a^(p−1) ≡ 1 (mod p).
So it is guaranteed that 4^11 ≡ 4 (mod 11) since 11 is prime, and 6^11 ≡ 6 (mod 11) and 2^10 ≡ 1 (mod 11). You can check that they are all true!
If GCD(a, m) = 1 then a^φ(m) ≡ 1 (mod m).
Consider φ(10) = φ(5)φ(2) = 4 × 1. ℤ/10ℤ* = {1, 3, 7, 9}.
So it is guaranteed that 1^φ(10) ≡ 1^4 ≡ 1 (mod 10), 3^4 ≡ 1 (mod 10), 7^4 ≡ 1 (mod 10) and 9^4 ≡ 1 (mod 10).

Crash course in Number Theory
If GCD(c, m) = 1 and a ≡ b (mod φ(m)) with a, b ∈ ℤ≥0, then c^a ≡ c^b (mod m).
Note φ(21) = φ(7)φ(3) = 6 × 2 = 12 and 3005 ≡ 5 (mod 12).
So 2^3005 ≡ 2^5 ≡ 32 ≡ 11 (mod 21).
In other words, exponents work mod φ(m) as long as the bases are relatively prime.
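The φ formulas and the exponent-reduction rule above, worked as an added Python example (not code from the slides; `factorize`, `phi`, `units` and `pow_reduced` are names chosen here). It uses trial division, so it is only meant for small n, and it refuses to reduce the exponent when the base is not relatively prime to the modulus, since the rule does not hold there.

```python
from math import gcd


def factorize(n):
    """Trial division: return {prime: exponent} for n >= 1."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Euler phi via phi(p^r) = p^(r-1) * (p - 1) and multiplicativity."""
    result = 1
    for p, r in factorize(n).items():
        result *= p ** (r - 1) * (p - 1)
    return result


def units(n):
    """The elements of Z/nZ*, straight from the definition."""
    return [a for a in range(1, n + 1) if gcd(a, n) == 1]


def pow_reduced(c, e, m):
    """Compute c^e mod m by first reducing the exponent mod phi(m)."""
    if gcd(c, m) != 1:
        # Example of the failure: 2^2 ≡ 0 (mod 4), yet 2 ≡ 0 (mod phi(4))
        # and 2^0 = 1, so reducing the exponent would give the wrong value.
        raise ValueError("base and modulus must be relatively prime")
    return pow(c, e % phi(m), m)


if __name__ == "__main__":
    print(phi(12), units(12))        # phi matches the size of Z/12Z*
    print(phi(5 ** 3), phi(720))     # prime-power and product formulas
    print(pow_reduced(2, 3005, 21))  # exponent 3005 is first reduced mod phi(21)
```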

Enciphering Transformation
Let P be the set of possible plaintext messages.
For example it might be the set {A, B, …, Z} of size 26 or the set {AA, AB, …, ZZ} of size 26^2.
Let C be the set of possible ciphertext messages.
An enciphering transformation f is a map from P to C.
f shouldn't send different plaintext messages to the same ciphertext message (so f should be one-to-one, or injective).
f : P → C and f^(-1) : C → P together form a cryptosystem.

Enciphering Transformation
P is the plaintext letter/number: A = 0, B = 1, …, Z = 25.
The Caesar cipher is an example, and so:
Encryption is given by C ≡ P + 3 (mod 26)
Decryption is given by P ≡ C − 3 (mod 26)
If you have an N-letter alphabet, a shift enciphering transformation is C ≡ P + b (mod N), where b is the encrypting key and −b is the decrypting key.

Enciphering Transformation  For cryptanalysis, Eve needs to know it’s a shift transformation and needs to find b  In general, one must assume that the nature of the cryptosystem is known (here a shift) 26/38 Say you intercept a lot of C and want to find b so you can decrypt future messages. Methods Try all 26 possible b’s. Probably only one will give sensible P Use frequency analysis. You know E = 4 is the most common letter in English. You have a lot of C and notice that J = 9 is the most common letter in the C so you try b = 5 Say you intercept a lot of C and want to find b so you can decrypt future messages. Methods Try all 26 possible b’s. Probably only one will give sensible P Use frequency analysis. You know E = 4 is the most common letter in English. You have a lot of C and notice that J = 9 is the most common letter in the C so you try b = 5

Affine Enciphering Transformation
An affine enciphering transformation is of the form C ≡ aP + b (mod N), where the pair (a, b) is the encrypting key.
You need GCD(a, N) = 1, or else different P's will encrypt as the same C (as there are N/GCD(a, N) possible aP's).
C ≡ 4P + 5 (mod 26). Note B = 1 and O = 14 go to 9 = J.
C ≡ 3P + 5 (mod 26) is OK since GCD(3, 26) = 1.

Affine Enciphering Transformation
Alice sends the message U to Bob using C ≡ aP + b (mod N) with a = 3, b = 4.
P = U = 20
C ≡ 3 × 20 + 4 (mod 26) ≡ 64 ≡ 12 (mod 26), so C = 12.
Inverse of 3 (mod 26)?
C − 4 ≡ 3P (mod 26)
3^(-1)(C − 4) ≡ P (mod 26)
3^(-1) ≡ 9 (mod 26)
So P ≡ 9(12 − 4) (mod 26) ≡ 9 × 8 ≡ 20 (mod 26)

Affine Enciphering Transformation
In general:
Encryption: C ≡ aP + b (mod N)
Decryption: P ≡ a^(-1)(C − b) (mod N)
The decryption key is (a^(-1), −a^(-1)b).

Affine Enciphering Transformation Cryptanalysis
How to cryptanalyze an affine system?
We have N = 26.
You could try all φ(26) × 26 = 312 possible key pairs (a, b), or do frequency analysis.
There are two unknown keys. So, you need two equations.
Assume you are the enemy and you have a lot of C. You find Y = 24 is the most common and H = 7 is the second most common.
In English, E = 4 is the most common and T = 19 is the second most common.
Let's say that decryption is by P ≡ a′C + b′ (mod 26), where a′ = a^(-1) and b′ = −a^(-1)b.

Affine Enciphering Transformation Cryptanalysis
First, we find (a′, b′) by using P ≡ a′C + b′ (mod 26).
We assume 4 ≡ a′ × 24 + b′ (mod 26) and 19 ≡ a′ × 7 + b′ (mod 26).
By subtracting, we get 17a′ ≡ 4 − 19 ≡ 4 + 7 ≡ 11 (mod 26).
So, a′ ≡ 17^(-1) × 11 (mod 26). We can use the Euclidean algorithm to find 17^(-1) ≡ 23 (mod 26).
So a′ ≡ 23 × 11 ≡ 19 (mod 26).
Plugging this into an earlier equation, we see 19 ≡ a′ × 7 + b′ (mod 26) ≡ 19 × 7 + b′ (mod 26), and so b′ ≡ 16 (mod 26).
Thus, P ≡ a′C + b′ (mod 26) ≡ 19C + 16 (mod 26).
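The affine slides above, from the GCD(a, N) = 1 key check through the frequency-analysis key recovery, as an added Python example (not code from the slides). The function names are chosen here, the sample plaintext is constructed, and the encrypting key (11, 6) was picked so that E and T encrypt to Y and H as in the worked case; `pow(x, -1, N)` needs Python 3.8 or later.

```python
from collections import Counter
from math import gcd

N = 26  # alphabet size, A = 0 ... Z = 25


def affine_encrypt(text, a, b):
    """C ≡ aP + b (mod N); rejects keys that are not one-to-one."""
    if gcd(a, N) != 1:
        raise ValueError("GCD(a, N) must be 1, otherwise letters collide")
    return "".join(chr((a * (ord(ch) - 65) + b) % N + 65) for ch in text)


def decryption_key(a, b):
    """Return (a', b') = (a^-1, -a^-1 * b), so that P ≡ a'C + b' (mod N)."""
    a_inv = pow(a, -1, N)
    return a_inv, (-a_inv * b) % N


def affine_decrypt(text, a, b):
    """Decryption is the affine map with key (a', b')."""
    return affine_encrypt(text, *decryption_key(a, b))


def recover_decryption_key(c1, p1, c2, p2):
    """Solve p1 ≡ a'c1 + b' and p2 ≡ a'c2 + b' (mod N) for (a', b')."""
    diff = (c1 - c2) % N
    if gcd(diff, N) != 1:
        raise ValueError("c1 - c2 is not invertible mod N; try another pair")
    a_dec = ((p1 - p2) * pow(diff, -1, N)) % N
    b_dec = (p1 - a_dec * c1) % N
    return a_dec, b_dec


def break_affine(ciphertext):
    """Assume the two most common ciphertext letters stand for E and T."""
    (first, _), (second, _) = Counter(ciphertext).most_common(2)
    return recover_decryption_key(ord(first) - 65, 4, ord(second) - 65, 19)


# Constructed sample in which E is the most common letter and T the second.
SAMPLE_PLAINTEXT = "SEETHETREESNEARTHEGATE"

if __name__ == "__main__":
    ciphertext = affine_encrypt(SAMPLE_PLAINTEXT, 11, 6)
    a_dec, b_dec = break_affine(ciphertext)
    print(ciphertext, (a_dec, b_dec))
    # Applying the recovered (a', b') as an affine map undoes the encryption
    print(affine_encrypt(ciphertext, a_dec, b_dec))
```

With a short or unusual ciphertext the two most common letters may not be E and T, so the recovered key should be confirmed by checking that the decryption reads as sensible text.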

Cryptanalysis
Cryptanalysis is the breaking of codes or the study of breaking codes.
Cryptosystems come in 3 kinds:
Those that have been broken (most)
Those that have not yet been analyzed (because they are new and not yet widely used)
Those that have been analyzed but not broken (RSA, discrete log cryptosystems, triple DES, AES)

Cryptanalysis
3 most common ways for the enemy to turn ciphertext into plaintext:
Steal / purchase / bribe to get key
Exploit sloppy implementation / protocol problems (hacking)
Cryptanalysis

Stream Ciphers
Modern stream ciphers are symmetric key cryptosystems.
So, Alice and Bob must agree on a key beforehand.
The plaintext is turned into ASCII.
The plaintext Go would be encoded as
They both generate the same random bit stream like , which we call the keystream.
Alice gets the ciphertext by bit-by-bit XORing

Stream Ciphers 35/38

Stream Ciphers
Encryption: Plaintext (Go) XOR Key gives Ciphertext.
Decryption: Ciphertext XOR Key gives Plaintext (Go).

Stream Ciphers
Let p_i be the ith bit of plaintext, k_i be the ith bit of keystream and c_i be the ith bit of ciphertext.
Then here c_i = p_i ⊕ k_i and p_i = c_i ⊕ k_i.

Finite Fields
If p is a prime, we rename ℤ/pℤ = 𝔽_p, the field with p elements {0, 1, …, p−1}.
All elements α other than 0 have GCD(α, p) = 1, so we can find α^(-1) (mod p).
So it's like other fields like the rationals, reals and complex numbers.
Denote {0, 1, …, p−1} by 𝔽_p*; here we do +, ×.
The group 𝔽_p* is a cyclic group.
The group 𝔽_p* has generators g (also called primitive roots of p).
The sets {g, g^1, g^2, …, g^(p−1)} and {1, …, p−1} are the same (though the elements will be in different orders).
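The generator claim can be checked by brute force for a small prime. This is an added Python example, not code from the slides; the function names are chosen here, it is meant for small p only, and `inverse_mod_p` relies on the earlier fact a^(p−1) ≡ 1 (mod p).

```python
def is_prime(p):
    """Trial division, adequate for the small primes used here."""
    return p > 1 and all(p % d for d in range(2, int(p ** 0.5) + 1))


def order(g, p):
    """Smallest k >= 1 with g^k ≡ 1 (mod p), for g in 1..p-1."""
    k, x = 1, g % p
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


def generators(p):
    """All primitive roots of the prime p: elements whose order is p - 1."""
    if not is_prime(p):
        raise ValueError("p must be prime")
    return [g for g in range(1, p) if order(g, p) == p - 1]


def powers(g, p):
    """The list g^1, g^2, ..., g^(p-1) reduced mod p."""
    return [pow(g, k, p) for k in range(1, p)]


def inverse_mod_p(alpha, p):
    """alpha^(p-2) is the inverse of alpha, because alpha^(p-1) ≡ 1 (mod p)."""
    if alpha % p == 0:
        raise ValueError("0 has no inverse")
    return pow(alpha, p - 2, p)


if __name__ == "__main__":
    print(generators(7))         # primitive roots of 7
    print(powers(3, 7))          # a generator hits every element of 1..6
    print(powers(2, 7))          # a non-generator cycles through a subgroup
    print(inverse_mod_p(7, 11))  # agrees with the Euclidean computation of 7^-1 mod 11
```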