Group 5: Daryl, Etkin, Supartha, Rajendra and Aarthi

 Two information coding schemes
 RSA algorithm: privacy and authenticity
 Reed-Solomon codes: tolerance of (bursty) noise

Trinity? Yes, it's me.

 Encrypt messages with a symmetric-key cryptosystem (e.g. DES, AES)
 Requires prior agreement on a shared key over a secure channel
 What if Neo and Trinity have yet to meet?

 Mathematically related public/private key pairs are generated
 Messages encrypted with the public key can only be decrypted with the private key
 It is infeasible to compute the private key from the public key alone
 No need to agree on a shared key in advance!

 Rivest, Shamir and Adleman (1977)
 Security rests on the difficulty of factoring a large integer n = pq into its prime factors

Setup:
1. Pick two distinct primes p and q
2. Compute n = pq and ɸ(n) = (p – 1)(q – 1)
3. Pick e with 1 < e < ɸ(n) and gcd(e, ɸ(n)) = 1
4. Compute d with de ≡ 1 (mod ɸ(n))
5. Public key is (n, e), private key is (n, d)
Usage:
6. Encrypt with C ≡ M^e (mod n)
7. Decrypt with M ≡ C^d (mod n)

 Let e and n be integers with n ≠ 0
 Fact: if gcd(e, n) = 1 (i.e. e and n are coprime), then there exists d such that de ≡ 1 (mod n)
 In other words, the multiplicative inverse of e modulo n exists exactly when gcd(e, n) = 1; this is what step 3 guarantees for step 4

 Euler's totient ɸ(n): the number of integers 1 ≤ a ≤ n with gcd(a, n) = 1
 For n = pq with p and q distinct primes, ɸ(n) = (p – 1)(q – 1)

 Let x, y, m, n be integers with n > 1 and gcd(m, n) = 1
 Fact (Euler's theorem): if x ≡ y (mod ɸ(n)), then m^x ≡ m^y (mod n)
 In other words, when working modulo n, exponents can be reduced modulo ɸ(n)
 For the RSA modulus n = pq (distinct primes) the congruence in fact holds for every m, including multiples of p or q, as long as x, y ≥ 1; for a general n the coprimality condition is needed

 Why it works: ed ≡ 1 (mod ɸ(n)), so by the fact above (M^e)^d = M^(ed) ≡ M^1 = M (mod n); likewise (M^d)^e ≡ M (mod n), and this second congruence is what makes signing possible

1. Pick p = 37 and q = 43
2. Compute n = 37 · 43 = 1591 and ɸ(n) = 36 · 42 = 1512
3. Pick e = 71; gcd(e, ɸ(n)) = gcd(71, 1512) = 1
4. Compute d = 575 (extended Euclidean algorithm); de = 71 · 575 = 40825 = 27 · 1512 + 1 ≡ 1 (mod 1512)
5. Public key is (1591, 71), private key is (1591, 575)
6. Encrypt M = 1234: C ≡ 1234^71 ≡ 908 (mod 1591)
7. Decrypt: M ≡ 908^575 ≡ 1234 (mod 1591)

Signing: the roles of the keys are reversed, sign with the private key and verify with the public key
1.–5. Setup as before
6. Sign M with S ≡ M^d (mod n); send (M, S)
7. Verify that M ≡ S^e (mod n)
In practice S is computed over a padded hash of the message (e.g. RSA-PSS), never over the raw M: with raw values as shown (textbook RSA), S1 · S2 is a valid signature on M1 · M2 (mod n)

Implementation issues:
1. Modular exponentiation: successive squaring
2. Computing d from e and ɸ(n): extended Euclidean algorithm
3. Finding large primes: primality testing

 Successive squaring to compute C ≡ M^e (mod n)
  Let e = e_k e_(k–1) … e_0 (binary representation of e, most significant bit first)
  C := 1
  For i := k, k – 1, …, 0
    C := (C · C) mod n
    If e_i = 1 Then C := (C · M) mod n
  End For
 Performance: O(log e) modular multiplications (one squaring per bit, plus one multiplication per 1-bit)
 Memory: O(1)

 Extended Euclidean algorithm for gcd(a, b): like the Euclidean algorithm, but retain the quotient q_i at each step i in order to also compute x_i and y_i with a x_i + b y_i = r_i
  Step i: write r_(i–1) = q_i r_i + r_(i+1) with the largest q_i satisfying 0 ≤ r_(i+1) < r_i, and set x_(i+1) = x_(i–1) – q_i x_i and y_(i+1) = y_(i–1) – q_i y_i (starting from r_(–1) = a, r_0 = b, x_(–1) = 1, x_0 = 0, y_(–1) = 0, y_0 = 1)
  When r_k = 0, stop and output gcd(a, b) = r_(k–1) with x = x_(k–1) and y = y_(k–1)
 Run it on a = ɸ(n), b = e: since e and ɸ(n) are coprime the output satisfies ɸ(n) x + e y = 1, so e y ≡ 1 (mod ɸ(n)) and d = y mod ɸ(n)

 Generate a large random integer (odd, with the top bit set)
 Apply a probabilistic primality test repeatedly; on failure retry with a new candidate
 Primality tests:
  Miller-Rabin
  Solovay-Strassen (based on Euler witnesses and Euler liars)
  Fermat primality test
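The setup, usage and signing steps above, together with the three implementation issues just listed, as an added example that is not part of the original slides: textbook RSA in Python with the slides' own parameters (p = 37, q = 43, e = 71, M = 1234). It uses the slide's left-to-right successive squaring, the extended Euclidean algorithm for d, and Miller-Rabin for prime generation. Function names (mod_pow, egcd, mod_inverse, is_probable_prime, gen_prime, keygen, encrypt, decrypt, sign, verify) are this example's own; the bases parameter of is_probable_prime is an assumption added so that results are reproducible.

```python
# Added example (not from the slides): textbook RSA with the three building blocks
# the slides list -- successive squaring, extended Euclid for d, Miller-Rabin primes.
import secrets
from math import gcd


def mod_pow(m, e, n):
    """Left-to-right successive squaring, as on the slide: O(log e) multiplications.
    Not constant-time: the branch on each bit leaks e through timing side channels."""
    c = 1
    for bit in bin(e)[2:]:
        c = c * c % n
        if bit == "1":
            c = c * m % n
    return c


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(e, phi):
    """d with d*e = 1 (mod phi); run on (phi, e) so that d is the y coefficient."""
    g, _, y = egcd(phi, e)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime")
    return y % phi


def is_probable_prime(n, rounds=32, bases=None):
    """Miller-Rabin. Random bases by default; 'bases' fixes them (assumption, for tests)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):          # cheap trial division first
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:                        # n - 1 = 2^s * d with d odd
        d, s = d // 2, s + 1
    for a in bases or [secrets.randbelow(n - 3) + 2 for _ in range(rounds)]:
        x = mod_pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                     # a is a witness: n is composite
    return True


def gen_prime(bits):
    """Random odd candidate with the top bit set, retried until Miller-Rabin accepts."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(p, q, e):
    """Steps 1-5 of the slide: returns ((n, e), (n, d))."""
    if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    return (n, e), (n, mod_inverse(e, phi))


def encrypt(pub, m):                         # C = M^e mod n
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return mod_pow(m, e, n)


def decrypt(priv, c):                        # M = C^d mod n
    n, d = priv
    return mod_pow(c, d, n)


def sign(priv, m):                           # textbook: S = M^d mod n (real systems sign a padded hash)
    return decrypt(priv, m)


def verify(pub, m, s):                       # accept iff M = S^e mod n
    return encrypt(pub, s) == m


if __name__ == "__main__":
    pub, priv = keygen(37, 43, 71)
    print(pub, priv)                                      # (1591, 71) (1591, 575)
    c = encrypt(pub, 1234)
    print(c, decrypt(priv, c))                            # 908 1234
    while True:                                           # a realistic-size key
        p, q = gen_prime(512), gen_prime(512)
        if gcd(65537, (p - 1) * (q - 1)) == 1:
            break
    pub2, priv2 = keygen(p, q, 65537)
    print(decrypt(priv2, encrypt(pub2, 4242)) == 4242)
```

Running the file reproduces the slide's numbers. Note also what makes the padding caveat concrete: with this key, encrypt(pub, 2) · encrypt(pub, 617) mod 1591 equals encrypt(pub, 1234), so an attacker who sees ciphertexts (or signatures) of two values can forge one for their product; OAEP and PSS exist precisely to break this structure.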

Noise is natural. Channel models studied in general:
 Binary symmetric channel
 Binary erasure channel
 Noisy typewriter channel
 Continuous-output channel
 …

An arbitrary code has no structure to exploit: the whole mapping from messages to codewords has to be stored in a codebook.

Linear codes: the codeword is c = G · m, where G is an n × k generator matrix (for example n = 7, k = 4 for the Hamming code, which is linear), so the encoder needs only G instead of a codebook.

 Applications: CDs, space communication, …
 Robust against burst errors
Photo caption: From left, Gustave Solomon and Irving S. Reed

 A field is a set of elements with two operations, "addition" and "multiplication", defined on them
 The set is closed under both operations, the usual arithmetic laws (associativity, commutativity, distributivity) hold, every element has an additive inverse and every non-zero element has a multiplicative inverse
 Basically all arithmetic operations are allowed, including division by non-zero elements
 Examples: the real numbers, the rational numbers, … (the integers are not a field: 1/2 is not an integer)

 A finite field is a field with finitely many elements
 Example: {0, 1} with addition and multiplication modulo 2
 In general {0, 1, 2, …, p – 1} with arithmetic modulo p is a field with p elements when p is prime (modulo a composite it is not: 2 has no inverse modulo 4)
 How to construct a field with 8 elements? In general, how to construct one with p^r elements?

 A field with 2^m elements can be constructed by extending the field GF(2) = {0, 1}
 Let α denote an additional element adjoined to GF(2) to form GF(2^m)
 Start with GF(2^m) = {0, 1, α, α^2, …, α^(2^m – 1), α^(2^m), …}
 To make the number of elements exactly 2^m, impose α^(2^m – 1) = 1 = α^0, so the powers of α wrap around

 GF(2^m) = {0, α^0, α, …, α^(2^m – 2)}
 Any non-zero element of GF(2^m) can be written as a polynomial in α of degree at most m – 1
 The coefficients are from GF(2)
 So each element can be mapped to an m-bit binary value

 An irreducible polynomial f(x) of degree m over GF(2) is primitive if the smallest positive integer n for which f(x) divides x^n + 1 is n = 2^m – 1
 Example: 1 + x + x^4 is primitive because it divides x^15 + 1 and does not divide x^n + 1 for any n < 15
 Taking α to be a root of a primitive f(x) gives the construction of GF(2^m) above: the powers of α run through all 2^m – 1 non-zero elements before repeating
 RS codes use GF(2^m)

 Linear code
 Cyclic
 Minimum distance d = n – k + 1 (maximum distance separable)
 Can correct up to n – k erasures
 Can correct up to (n – k)/2 = t symbol errors

 Encoding by multiplying the message polynomial by the generator polynomial is not systematic
 Systematic form: parity symbols followed by the message symbols, so the message can be read off the codeword directly
 Message polynomial: α + α^3 x + α^5 x^2
 Code polynomial: α^0 + α^2 x + α^4 x^2 + α^6 x^3 + α x^4 + α^3 x^5 + α^5 x^6 (parity symbols in the low-order positions, message symbols in the high-order positions)
 The generator polynomial g(x) is defined as g(x) = (x – α)(x – α^2) … (x – α^(2t))

 Shift the message polynomial m(x) by 2t positions by multiplying it by x^(2t)
 Define p(x) = x^(2t) m(x) mod g(x), the remainder on division by g(x)
 The final codeword polynomial is u(x) = p(x) + x^(2t) m(x)
 u(x) is divisible by g(x): x^(2t) m(x) – p(x) ≡ 0 (mod g(x)), and subtraction is the same as addition in characteristic 2; since deg p(x) < 2t, the parity and message symbols occupy disjoint positions

 Message polynomial: α + α^3 x + α^5 x^2 (here n = 7 = 2^3 – 1, so the symbols are in GF(2^3), k = 3 and t = 2)
 Multiplying by x^(2t) = x^4 yields α x^4 + α^3 x^5 + α^5 x^6
 Take g(x) = (x – α)(x – α^2)(x – α^3)(x – α^4) = x^4 – α^3 x^3 + α^0 x^2 – α x + α^3 = α^3 + α x + α^0 x^2 + α^3 x^3 + x^4 (minus equals plus in characteristic 2)
 Next divide α x^4 + α^3 x^5 + α^5 x^6 by g(x) to find the remainder p(x) = α^0 + α^2 x + α^4 x^2 + α^6 x^3
 Now u(x) = α^0 + α^2 x + α^4 x^2 + α^6 x^3 + α x^4 + α^3 x^5 + α^5 x^6
 Check: u(α^i) = 0 for i = 1, 2, 3, 4, as it must be for a multiple of g(x)

 The syndrome is the result of a parity check on the received polynomial r(x), to determine whether r(x) is a valid codeword
 The syndromes are evaluations of r(x) at the roots α, α^2, α^3, …, α^(2t) of g(x): S_i = r(α^i), i = 1, 2, …, 2t
 If r(x) is a valid codeword (a multiple of g(x)), all the S_i evaluate to zero
 Any non-zero S_i indicates the presence of errors

 The errors introduced by the channel during transmission can be modelled as a polynomial e(x) over the field GF(2^m)
 Hence r(x) = u(x) + e(x)
 Since u(α^i) = 0, the syndromes depend on the error polynomial only: S_i = e(α^i)
 Decoding is the problem of finding e(x) from r(x) (or rather from the syndromes)

 Given any collection of k coefficients of the codeword polynomial u(x), the remaining n – k coefficients can be reconstructed (the code is MDS)
 If at most t of the coefficients of u(x) are incorrect, all of them can be reconstructed correctly
 Polynomial multiplication/division using the FFT takes O(k log k), where k is the larger of the two degrees

 Error polynomial e(x) = e_0 + e_1 x + … + e_(n–1) x^(n–1)
 Suppose the received polynomial r(x) has ν errors, at locations i_1, i_2, …, i_ν, with error magnitudes Y_l = e_(i_l)
 Then the syndromes can be written as S_j = Y_1 X_1^j + Y_2 X_2^j + … + Y_ν X_ν^j, j = 1, 2, …, 2t, where X_l = α^(i_l) is the error locator of the l-th error

Decoding procedure:
1. Calculate the syndromes
2. Find the error locator polynomial: Peterson-Gorenstein-Zierler decoder
3. Find the error locations: Chien search
4. Find the error values: Forney's algorithm

 Step 1 gives S_j for j = 1 to 2t, but the equations S_j = Σ_l Y_l X_l^j are non-linear in the unknowns X_l and Y_l; the error locator polynomial turns them into a linear problem

 Define the error locator polynomial Λ(x) = Π_(l=1..ν) (1 – X_l x)
 Intuition: the roots of this polynomial are the inverses X_l^(–1) of the error locators, so Λ(x) helps to find the locations where an error has occurred
 Expanding Λ(x): Λ(x) = 1 + Λ_1 x + Λ_2 x^2 + … + Λ_ν x^ν    (1)
 For x = X_l^(–1) and any 1 ≤ l ≤ ν: 0 = 1 + Λ_1 X_l^(–1) + … + Λ_ν X_l^(–ν)    (2)
 Multiplying throughout by Y_l X_l^(j+ν): 0 = Y_l X_l^(j+ν) + Λ_1 Y_l X_l^(j+ν–1) + … + Λ_ν Y_l X_l^j    (3)
 Summing over l = 1 to ν and using S_j = Σ_l Y_l X_l^j: 0 = S_(j+ν) + Λ_1 S_(j+ν–1) + … + Λ_ν S_j for j = 1, …, ν    (4)
 Equations (1)–(4) now give a system of ν linear equations in the unknowns Λ_1, …, Λ_ν: M_ν (Λ_ν, …, Λ_1)^T = –(S_(ν+1), …, S_(2ν))^T, where M_ν is the ν × ν syndrome matrix with entry S_(i+j–1) in row i, column j
 Solve for the Λ_i by finding the largest value of ν ≤ t for which M_ν is non-singular, starting from ν = t
 Overall this algorithm runs in polynomial time: ν ≤ t and 2t = n – k = O(n) (it could even be O(1) for large n and k with fixed n – k), and polynomial-time algorithms exist for matrix determinants and inversion

 Why the largest non-singular M_μ identifies ν: M_μ factors as V D V^T, with V the μ × μ Vandermonde matrix built from X_1, …, X_μ and D = diag(Y_1 X_1, …, Y_μ X_μ); for μ > ν there are only ν errors, so Y_i X_i = 0 for i > ν, the middle matrix D is singular, and hence M_μ is singular

 Chien search: find the roots of the error locator polynomial Λ(x) by exhaustive search over the field
 Evaluate Λ(α^i) for i = 0, 1, …, n – 1 (every non-zero field element, n = 2^m – 1)
 Whenever Λ(α^i) = 0, α^i is a root of Λ(x)
 The corresponding error location is its inverse: X_l = α^j with α^j = (α^i)^(–1), i.e. j = n – i (mod n)
 If the number of distinct roots found is not equal to deg Λ(x) (more than t errors occurred), abort: the received word is uncorrectable

 Number of iterations = n = O(n): a linear-time algorithm
 Correctness of Chien search: viewing Λ(x) as a polynomial of degree ν over a finite field, it has at most ν roots, and every non-zero field element is tested, so exactly the roots are found

 Finding the error values: with the locations X_l known, the syndrome equations S_j = Σ_l Y_l X_l^j (j = 1, …, 2t) are linear in the Y_l
 Converted to matrix form, the coefficient matrix is a Vandermonde matrix in the X_l, invertible because the error locations are distinct; Forney's algorithm avoids the explicit matrix inversion

 Define the syndrome polynomial S(x) = S_1 + S_2 x + … + S_(2t) x^(2t–1)
 Define the error evaluator polynomial Ω(x) = S(x) Λ(x) mod x^(2t)
 Forney's formula: Y_l = – X_l^(1–b) Ω(X_l^(–1)) / Λ'(X_l^(–1)), where b is the exponent of the smallest root α^b of the generator polynomial of the code (b = 1 here) and Λ'(x) is the formal derivative of Λ(x)

 Computing the coefficients of Ω(x) takes ≈ ν^2/2 multiplications
 Computing each Y_l takes 2ν + 1 multiplications and one reciprocal
 Total computation ≈ 2.5 ν^2 multiplications
 ν ≤ t = O(n), so O(n^2) operations: a polynomial-time algorithm

 r(x) = u(x) + e(x)
 The decoding steps determine e(x) completely: its locations from Λ(x), its values from Forney's formula
 Hence u(x) = r(x) – e(x) = r(x) + e(x), and the message is recovered by reading off the k high-order symbols of the systematic codeword
 We are done!
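The GF(2^m) construction from a primitive polynomial, the systematic RS(7,3) encoding of the message α + α^3 x + α^5 x^2, and the four decoding steps (syndromes, PGZ, Chien search, Forney), as one added example that is not part of the original slides. Assumptions: the RS(7,3) example is taken to live in GF(2^3) generated by x^3 + x + 1 (the field of Sklar's tutorial, from which the slides' numbers come); field elements are stored as integers whose bits are the polynomial coefficients; all function names (build_tables, encode, syndromes, solve, decode, …) are this example's own. The example goes beyond the slides in one respect: build_tables also reports the order of α, which is how you check that a polynomial is primitive rather than merely irreducible.

```python
# Added example (not from the slides): GF(2^m) tables from a primitive polynomial,
# the slides' systematic RS(7,3) encoder, and PGZ + Chien + Forney decoding.
# Assumption: the RS(7,3) example lives in GF(2^3) generated by x^3 + x + 1.

def build_tables(m, prim):
    """Antilog/log tables for GF(2^m), alpha = x modulo prim (an int bit mask).
    Also returns the order of alpha: prim is primitive iff order == 2^m - 1."""
    n = (1 << m) - 1
    exp, log, x, order = [0] * (2 * n), [0] * (n + 1), 1, None
    for i in range(n):
        exp[i], log[x] = x, i
        x <<= 1
        if x >> m:                      # degree reached m: reduce modulo prim
            x ^= prim
        if x == 1 and order is None:
            order = i + 1
    exp[n:] = exp[:n]                   # alpha^n = 1, so the table wraps around
    return exp, log, order

M, PRIM = 3, 0b1011                     # GF(8): alpha^3 = alpha + 1
N, K = (1 << M) - 1, 3                  # RS(7,3): n = 2^m - 1 symbols, k message symbols
T = (N - K) // 2                        # 2t = n - k parity symbols, corrects t = 2 errors
EXP, LOG, ORDER = build_tables(M, PRIM)
assert ORDER == N, "x^3 + x + 1 must be primitive"

def a(i):                               # alpha^i as a field element
    return EXP[i % N]
def mul(p, q):
    return 0 if p == 0 or q == 0 else EXP[LOG[p] + LOG[q]]
def inv(p):
    return EXP[(N - LOG[p]) % N]

def pmul(p, q):                         # polynomials: coefficient lists, index = degree
    out = [0] * (len(p) + len(q) - 1)
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            out[i + j] ^= mul(pi, qj)
    return out

def pmod(p, g):                         # remainder of p(x) modulo a monic g(x)
    p = p[:]
    for i in range(len(p) - len(g), -1, -1):
        c = p[i + len(g) - 1]
        for j, gj in enumerate(g):
            p[i + j] ^= mul(c, gj)
    return p[:len(g) - 1]

def peval(p, x):                        # Horner evaluation of p at x
    r = 0
    for c in reversed(p):
        r = mul(r, x) ^ c
    return r

G = [1]                                 # g(x) = (x - alpha)(x - alpha^2) ... (x - alpha^2t)
for i in range(1, 2 * T + 1):
    G = pmul(G, [a(i), 1])

def encode(msg):                        # systematic: u = (x^2t m(x) mod g(x)) + x^2t m(x)
    shifted = [0] * (2 * T) + list(msg)
    return pmod(shifted, G) + shifted[2 * T:]

def syndromes(recv):                    # S_j = r(alpha^j), j = 1..2t
    return [peval(recv, a(j)) for j in range(1, 2 * T + 1)]

def solve(A, b):                        # Gaussian elimination over GF(2^m); None if singular
    n = len(b)
    A = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        A[c] = [mul(inv(A[c][c]), v) for v in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                f = A[r][c]
                A[r] = [v ^ mul(f, w) for v, w in zip(A[r], A[c])]
    return [row[n] for row in A]

def decode(recv):
    """Return the corrected codeword; raise if more than t errors are detected."""
    S = syndromes(recv)
    if not any(S):
        return list(recv)               # all syndromes zero: valid codeword
    for nu in range(T, 0, -1):          # PGZ: largest nu with non-singular M_nu
        sol = solve([[S[i + j] for j in range(nu)] for i in range(nu)],
                    [S[i + nu] for i in range(nu)])
        if sol is not None:
            break
    else:
        raise ValueError("uncorrectable: no non-singular syndrome matrix")
    lam = [1] + sol[::-1]               # Lambda(x) = 1 + L_1 x + ... + L_nu x^nu
    # Chien search: Lambda(alpha^i) = 0 means the error locator is alpha^(n-i)
    locs = [(N - i) % N for i in range(N) if peval(lam, a(i)) == 0]
    if len(locs) != nu:
        raise ValueError("uncorrectable: locator polynomial has too few roots")
    # Forney: Omega = S(x) Lambda(x) mod x^2t; Y_l = Omega(X_l^-1) / Lambda'(X_l^-1)
    omega = pmul(S, lam)[:2 * T]
    dlam = [lam[i] if i % 2 else 0 for i in range(1, len(lam))]   # formal derivative
    out = list(recv)
    for pos in locs:
        xinv = a(-pos)
        out[pos] ^= mul(peval(omega, xinv), inv(peval(dlam, xinv)))
    return out
```

Usage: encode([a(1), a(3), a(5)]) returns the slides' codeword, i.e. the powers [0, 2, 4, 6, 1, 3, 5] of α, and G comes out as the slides' g(x) = α^3 + α x + α^0 x^2 + α^3 x^3 + x^4; corrupting any two of the seven symbols and calling decode gives the original back, while a third error makes decode raise or mis-correct, exactly the t = 2 bound. build_tables(4, 0b10011) reports order 15 for 1 + x + x^4 (primitive), whereas build_tables(4, 0b11111) reports order 5 for the irreducible but non-primitive x^4 + x^3 + x^2 + x + 1, which divides x^5 + 1.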

 Other decoding algorithms, more efficient in implementation:
  Berlekamp-Massey decoder (LFSR synthesis with iterative correction)
  Euclidean algorithm (error values and locations determined simultaneously via an iterative GCD of polynomials)
 Decoders are implemented as dedicated chips by manufacturers (hardware and software)

References
RSA:
1. Evgeny Milanov, The RSA algorithm
2. Kenneth H. Rosen, Elementary Number Theory and its Applications, 5th ed., Pearson International
3. Trappe & Washington, Introduction to Cryptography with Coding Theory, 2nd ed., Pearson International
Reed-Solomon codes:
1. Bernard Sklar, Reed-Solomon error correction, solomon/elementLinks/art_sklar7_reed-solomon.pdf
2. V. Guruswami, Introduction to Coding Theory, CMU
3. John Gill, EE 387 Note #7, Stanford University
4. Wikipedia

Thanks for your attention!