The Algebra of Encryption CS 6910 Semester Research and Project University of Colorado at Colorado Springs By Cliff McCullough 20 July 2011

Modern Cryptography 7/20/2011Cliff McCullough2

Multi-Precision Calculator 7/20/2011Cliff McCullough3

That’s a lot of digits 7/20/2011Cliff McCullough4

Modular Arithmetic The Division Algorithm a = m b + r “Any integer a can be divided by b in such a way that the remainder is smaller than b.” (Burton, 2007, p. 17) 7/20/2011Cliff McCullough5

Examples 13 = 1 * ◦ 13 ≡ 1 mod 12 9 = 0 * ◦ 9 ≡ 9 mod 12 7/20/2011Cliff McCullough6

Addition First express the numbers in modular form Add the numbers and collect the terms Adjust the multiplier if needed so that the residue is positive and less than the modulus 7/20/2011Cliff McCullough7

Subtraction First express the numbers in modular form Subtract the numbers and collect the terms Adjust the multiplier if needed so that the residue is positive and less than the modulus 7/20/2011Cliff McCullough8

Multiplication Multiplication is merely repeated addition Adjust the multiplier so that the residue is positive and less than the modulus 7/20/2011Cliff McCullough9

Division Division is tricky Instead of c ---- = e d We write c = d * e Ask by what number, e, can we multiply d to result in c, in modular arithmetic? 7/20/2011Cliff McCullough10

Division by Multiplicative Inverse Another way to divide is to multiply by the MMI c * d -1 = e MMI: d * d -1 = 1 mod modulus Ask by what number, d -1, can we multiply d such that the result is 1 in modular arithmetic? 7/20/2011Cliff McCullough11

Useful Functions Euclidean Algorithm ◦ Greatest Common Divisor ◦ Modular Multiplicative Inverse Modular Exponentiation Chinese Remainder Theorem Euler’s Totient Function 7/20/2011Cliff McCullough12

Greatest Common Divisor Compare the smaller number to the larger Find the quotient of the two numbers Multiply the smaller by the quotient and subtract Now compare the residue with the previous smaller number Continue until the residue is zero 7/20/2011Cliff McCullough13

GCD Example Example from (Euclidean algorithm, 2011) 7/20/2011Cliff McCullough14

GCD Results AE = 3 * CF CD = 2 * AE + CF = 2 * 3 * CF + CF = 7 * CF AB = CD + AE = 7 * CF + 3 * CF = 10 * CF 7/20/2011Cliff McCullough15

Extended Euclidean Algorithm Use Extended Euclidean Algorithm Basically keep track of the coefficients 1. Start by writing the two numbers 2. Find the quotient 3. Multiply the second equation by the quotient and subtract from the first 4. Repeat steps 2 and 3 until the residue is zero 7/20/2011Cliff McCullough16

Extended Euclid Example 50 = 50 ( 1) + 35 ( 0) 35 = 50 ( 0) + 35 ( 1), q = 1 15 = 50 ( 1) + 35 ( -1), q = 2 5 = 50 ( -2) + 35 ( 3), q = 3 0 = 50 ( 7) + 35 (-10) 7/20/2011Cliff McCullough17

Finding the MMI 13 = 13 ( 1) + 4 ( 0) 4 = 13 ( 0) + 4 ( 1), q = 3 1 = 13 ( 1) + 4 ( -3) 1 = 13 (1) + 4 (-3) + 13 (-4) + 4 (13) 1 = 13 (1 - 4) + 4 ( ) 1 = 13 (-3) + 4 (10) 7/20/2011Cliff McCullough18

Modular Exponentiation Initiate X = base, E = exponent, Y = 1 If E is odd ◦ Replace Y = X * Y ◦ Replace E = E - 1 E is now even ◦ Replace X = X * X ◦ Replace E = E ÷ 2 When E = 0, Y is the answer (Garrett, 2004, p. 123) 7/20/2011Cliff McCullough19

Exponentiation Example 7/20/2011Cliff McCullough20 E = 11 = Y = 3 8 * 3 2 * 3 1 = 6561 * 9 * 3 = NotesXEY Initialization3111 E is odd103 E is even95 E is odd427 E is even812 E is even65611 E is odd

Modular Exponentiation Example E = 11 = Y = 3 8 * 3 2 * 3 1 = 237 * 9 * 3 mod 527 7/20/2011Cliff McCullough21 NotesXEY Initialization3111 E is odd103 E is even95 E is odd427 E is even812 E is even2371 E is odd075

Consider Multiplication x 1111 x /20/2011Cliff McCullough22

Chinese Remainder Theorem Reduces calculation time by dealing with smaller numbers Some elements may be pre-calculated and used repeatedly for subsequent calculations 7/20/2011Cliff McCullough23

How To CRT Pre-calculations ◦ Know the Factors of M = m 1 * m 2 ◦ Calculate each M i ◦ Calculate MMI of each M i mod m i ◦ Calculate A i Perform the operation Combine the results (Stallings, 2011, pp. p ) 7/20/2011Cliff McCullough24

CRT Pre-calculations Chose m 1 and m 2 M = m 1 * m 2 = 37 * 49 = 1813 Calculate M i = M ÷ m i M 1 = 1813 ÷ 37 = 49 M 2 = 1813 ÷ 49 = 37 Calculate M i -1 mod m i M 1 -1 mod m 1 = mod 37 ≡ 34 M 2 -1 mod m 2 = mod 49 ≡ 4 7/20/2011Cliff McCullough25

CRT Pre-calculations too Calculate A i A 1 = M 1 * M 1 -1 mod M = 49 * 34 mod 1813 ≡ 1666 A 2 = M 2 * M 2 -1 mod M = 37 * 4 mod 1813 ≡ 148 7/20/2011Cliff McCullough26

CRT Addition Compute x + y = z i mod m i for each m i 973 mod 37 = mod 49 = mod 37 = mod 49 = z 1 = 23 mod 37 z 2 = 34 mod 49 Combine results (x + y) mod M = (z 1 * A 1 + z 2 * A 2 ) mod M ( ) mod 1813 = (23 * * 148) mod 1813 ≡ /20/2011Cliff McCullough27

CRT Multiplication Compute x * y = z i mod m i for each m i 1651 mod 37 = mod 49 = 34 * 73 mod 37 = 36 * 73 mod 49 = z 1 = 14 mod 37 z 2 = 32 mod 49 Combine results (x * y) mod M = (z 1 * A 1 + z 2 * A 2 ) mod M ( ) mod 1813 = (14 * * 148) mod 1813 ≡ 865 7/20/2011Cliff McCullough28

Euler’s Totient Function Euler’s totient function, Φ(n), identifies the number of integers, less than n, that are relatively prime to n. A good treatment of Euler’s Totient function can be found in (Burton, 2007, pp ). Φ(n)=(p i )*(q j )=(p i - p i-1 )*(q j - q j-1 ) (Burton, 2007, pp ) 7/20/2011Cliff McCullough29

Phi Examples 21 = 3 * 7 Φ(21)=(3 - 1) * (7 - 1) = 2 * 6 = 12 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are the 12 numbers less than 21 that are coprime to = 4 * 5 Φ(21)=( ) * ( ) = (4-2)*(5-1)=2*4=8 The 8 integers less than 20 coprime to 20 are 1, 3, 7, 9, 11, 13, 17, 19 7/20/2011Cliff McCullough30

Public Key Cryptography - RSA RSA uses Euler’s theorem If a and n are coprime then a Φ(n) ≡ 1 mod n (Burton, 2007, p. 137) 7/20/2011Cliff McCullough31

How to RSA Chose two prime numbers p and q Form n = p * q and find Φ(n) Choose encryption exponent e coprime to Φ(n) Find MMI of e mod Φ(n) Encrypt: C = M e mod n Decrypt: M = C d mod n Public key (e, n) Private key d and p, q if using CRT 7/20/2011Cliff McCullough32

Why Does RSA Work C = M e mod n M = (C) d = M e*d mod n e and d were chosen such that e * d ≡ 1 mod Φ(n), therefore: e * d = m * Φ(n) + 1 Remember the Euler’s Theorem M Φ(n) ≡ 1 mod n M e*d = M m Φ(n)+1 = (M Φ(n) ) m * M ≡ 1 m * M mod n 7/20/2011Cliff McCullough33

RSA and CRT To use CRT, we need to know the factors of n Thus, we only use CRT to decrypt 7/20/2011Cliff McCullough34

RSA Example Let: p = 17 q = 31 e = 11 message: M = 3 n = p * q = 17 * 31 = 527 Φ(n) = 16 * 30 = 480 d = e -1 mod Φ(n) ≡ 131 7/20/2011Cliff McCullough35

RSA-CRT Pre-calculations P = n ÷ p = 31 P -1 mod p ≡ 11 A p = P * P -1 mod n = 31 * 11 mod 527 ≡ 341 Q = n ÷ q = 17 Q -1 mod q ≡ 11 A q = Q * Q -1 mod n = 17 * 11 mod 527 ≡ 187 d p = d mod Φ(p) = 131 mod 16 ≡ 3 d q = d mod Φ(q) = 131 mod 30 ≡ 11 7/20/2011Cliff McCullough36

RSA Encrypt Encrypt is standard C = M e mod n = 3 11 mod 527 ≡ 75 7/20/2011Cliff McCullough37

RSA-CRT Decrypt Decrypt uses CRT ◦ Complete the operation M p = C dp mod p = 75 3 mod 17 ≡ 3 M q = C dq mod q = mod 31 ≡ 3 ◦ Combine the results M = (M p * A p + M q * A q ) mod n = (3 * * 187) mod 527 ≡ 3 7/20/2011Cliff McCullough38

How to Share a Secret (Shamir, November, 1979) describes how to share a secret A simple way of looking at this is to use a curve described by a polynomial function f(x) = a t x t + a t-1 x t-1... a 1 x + a 0 Typically a 0 is the secret information a 1 through a t are chosen randomly 7/20/2011Cliff McCullough39

Why It Remains a Secret We have t + 1 unknowns ◦ the t + 1 coefficients We need t + 1 points on the curve to identify all the coefficients The secret shares are points on the curve ◦ x, f(x) number pairs ◦ x can be an index. Only f(x) must be secret 7/20/2011Cliff McCullough40

Paillier Cryptography Carmichael function is very similar to Euler’s totient function λ(n) = lcm(p-1, q-1) Useful properties w λ ≡ 1 mod n w λn ≡ 1 mod n 2 Which implies w λ = an + 1 w λn = bn (Paillier, 1999) 7/20/2011Cliff McCullough41

How to Paillier Choose two safe primes p and q Calculate n = p * q and λ(n) Define the function u - 1 L(u) = n Choose a generator value g such that L(g λ mod n 2 ) and n are coprime Public key is (g, n) Private key is λ 7/20/2011Cliff McCullough42

Paillier Encrypt For plaintext message m < n Chose a random number r < n Encrypt message m c = g m r n mod n 2 7/20/2011Cliff McCullough43

Paillier Decrypt Decrypt L(c λ mod n 2 ) m = mod n L(g λ mod n 2 ) 7/20/2011Cliff McCullough44

The Generator g Start from the Carmichael function g λ = 1 + an g λx = (1 + an) x Use binomial expansion (1+an) x = 1 + x(an) + n 2... Result g λx = (1 + an) x = (1 + xan) mod n 2 7/20/2011Cliff McCullough45

Decrypt Numerator c λ - 1 g λm r λ n - 1 L(c λ mod n 2 ) = mod n 2 = mod n 2 n n Applying the Generator g Result and Carmichael function (1 + man) (1) - 1 L(c λ mod n 2 ) = mod n 2 = ma mod n 2 n 7/20/2011Cliff McCullough46

Decrypt Denominator g λ - 1 (1 + an) - 1 L(g λ mod n 2 ) = mod n 2 = mod n 2 n n L(c λ mod n 2 ) = a mod n 2 7/20/2011Cliff McCullough47

The Decrypt Result Combining the results gives L(c λ mod n 2 ) ma mod n 2 m = mod n = mod n L(g λ mod n 2 ) a mod n 2 7/20/2011Cliff McCullough48

Cryptographic Blinding Cryptographic blinding allows for a message to be multiplied by a specially treated random number, while still allowing the message to be decrypted without knowledge of the random number. (Blinding (cryptography), 2011) 7/20/2011Cliff McCullough49

Paillier Blinding We can apply any succession of blinding factors without affecting the successful decryption c = g m * r 1 n r 2 n... r k n mod n 2 = g m * (r 1 r 2... r k ) n mod n 2 = g m * r n mod n 2 7/20/2011Cliff McCullough50

Tallying the Vote Paillier cryptography is well suited to voting due to its homomorphic property The multiplication of two ciphertexts is equivalent to the addition of the respective paintexts. (Paillier, 1999, p. 13) This way, the votes may be tallied without decrypting the ciphertext. 7/20/2011Cliff McCullough51

Homomorphic Paillier Start with two messages and encrypt c 1 = g m1 r 1 n mod n 2 c 2 = g m2 r 2 n mod n 2 Now multiply the two ciphertexts c 1 * c 2 = g m1 r 1 n * g m2 r 2 n mod n 2 = g m1 g m2 * r 1 n r 2 n mod n 2 = g m1 + m2 * (r 1 r 2 ) n mod n 2 = g m3 * r 3 n mod n 2 7/20/2011Cliff McCullough52

References Cited Blinding (cryptography). (2011, June 3). Retrieved July 10, 2011, from Wikipedia: Burton, D. M. (2007). Elementary Number Theory, Sixth Edition. New York, New York 10020: McGraw-Hill Higher Education. Euclidean algorithm. (2011, June 30). Retrieved July 7, 2011, from Wikipedia: Garrett, P. (2004). The Mathematics of Coding Theory. Upper Saddle River, New Jersey: Pearson Prentice Hall. MPIR home page. (n.d.). Retrieved July 9, 2011, from MPIR: Paillier, P. (1999). Public-Key Cryptosystems Based on Composite Degree Residuosity Clases. Advances in Cryptology - Eurocrypt '99, pp /20/2011Cliff McCullough53

References continued Safe prime. (2010, August 24). Retrieved July 9, 2011, from Wikipedia: Shamir, A. (November, 1979). How to Share a Secret. Communications of the ACM, Stallings, W. (2011). Cryptography and Network Security, Principles and Practice, Fifth Edition. Prentice Hall. The GNU Muliple Precision Arithmetic Library. (n.d.). Retrieved July 9, 2011, from GNU: 7/20/2011Cliff McCullough54