Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Course Summary - Math Part (Previous lectures) Euclid gcd ; extended gcd. The ring Z m. Finite groups: Lagrange theorem (if G is finite and H is a sub-group then |H| divides |G|) Finite fields arythmetic - GF(p k ). Primitive elements in finite fields (generators of the multiplicative group with p k -1 elements) The birthday paradox.

Course Summary - Crypto Part (first 4 lectures) Introduction Stream & Block Ciphers Block Ciphers Modes (ECB,CBC,OFB) Advanced Encryption Standard (AES) Message Authentication Codes (based on CBC and on cryptographic hashing)

The Birthday Paradox: Wrap Up Let R be a finite set of size r. Pick k elements of R uniformly and independently. What is the probability of getting at least one collision ?

The Birthday Paradox (cont.) Consider the event E k : No Collision after k elements. Prob(E k )=1(1- 1/r)(1- 2/r)… (1- (k-1)/r) < exp(-1/r) exp(-2/r) … exp(-(k-1)/r) = exp(-(1+2+…+(k-1) )/r) = exp(-(k(k-1) )/2r) ~ exp(-k 2 /2r) For k=r 1/2, Prob(E k ) For k=1.2r 1/2, Prob(E k ) plot({exp(-x),1-x},x=0..0.5);

Application to Cryptographic Hashing Let H:D --> R, R of size r. Suppose we can get k random images under H. If k 2 is larger than r then the probability of a collision, 1-exp(-k 2 /2r), is large. Thus a necessary condition for avoiding collisions is that r is so large that it is infeasible to generate r 2 hash values. This leads to requiring that message digests be at least 160 bits long (2 160/2 = 2 80 is large enough).

Back to Number Theory

Fermat “Little” Theorem Let if G be a finite group with m elements. Let a be an element of G. Then a m =1 (the unit element of G).

Example G=Z p *, the multiplicative group of Z p. The polynomial x p-1 -1 has p-1 roots, so x p-1 -1 =  a  0 (x-a). > factor (x^6-1); (x-1)(x+1)(x 2 +x+1)(x 2 -x+1)‬  > factor (x^6-1) mod 7; (x+6)(x+1)(x+4)(x+2)(x+5)(x+3)‬ ‬x‭ + ‬x‭ + 1) (‬x‭ - ‬x‭

Quadratic Residues Definition: An element x is a quadratic residue modulo n if there exists y such that y 2  x mod n Claim: if p is prime there are exactly (p-1)/2 quadratic residues in Z p * Claim: if p is prime, and g is a generator of the multiplicative group, the quadratic residues are all the even powers of g g 0, g 2,…,g 2i, …, g p-3

Quadratic Residues in Z p (cont.) The quadratic residues (QR) form a subgroup of Z p *. x (p-1) -1 = (x (p-1)/2 -1) (x (p-1)/2 +1 ). Thus x (p-1)/2 -1 has (p-1)/2 roots in Z p.

Quadratic Residues in Z p (cont.) Claim: an element x in Z p is a quadratic residue if and only if x (p-1)/2  1 mod p Proof Sketch: Suppose x=y 2 (x is a QR), then x (p-1)/2 -1 =0. Suppose x (p-1)/2 =1. Let x=g i where g is primitive element. Then g i (p-1)/2 =1. Since g has order p-1, p-1 must divide i (p-1)/2, implying i even, x a QR.

Testing Quadratic Residues Efficient O(log 3 p) algorithm in Z p (p prime) Applies the repeated squaring idea. For composite m (esp. m=pq), no efficient algorithm for testing quadratic residues is known. Problem believed to be computationally hard (but not NPC).

One-Way Functions A function f: D  R is called one-way if: –Computing f(x) is “easy” –Computing f -1 (y) for almost all the images is “hard” Given the “real-world” definition of “hard” a one- way function may be a single function (e.g. SHA- 1) Given the theoretical definition, we refer to a family of one-way functions

Example The Domain is all the pairs of prime numbers. The function is f(p,q) = pq Multiplication is easy – naïve algorithm is O(n 2 ) Factoring is difficult – simple algorithm is O(2 n/2 ). NFS and ECM are better but not polynomial. The function f(p,q) = pq maintains length

The Chinese Remainder Theorem Given –x mod p –x mod q Compute x mod pq If gcd(p,q)=1 take ((x mod p) (q -1 mod p) q + (x mod q) (p -1 mod q) p) mod pq x mod 3 = 2, x mod 5 = 3, 1/3 mod 5 = 2, 1/5 mod 3 = ½ mod 3 = 2 (x mod p) (q -1 mod p) q = 2 * 2 * 5 = 20 (x mod q) (p -1 mod q) p = 3 * 2 * 3 = 18, 38 mod 15 = 8

Quadratic Residues mod n An element x is a quadratic residue modulo n if there exists y such that y 2  x mod n If x is a quadratic residue then so is –x mod n If p is prime there are exactly (p-1)/2 quadratic residues If p is prime, and g is a generator of the multiplicative group, the quadratic residues are even powers of g.

The four different square roots modulo pq Let x be a quadratic residue modulo pq Then, x mod p is a quadratic residue and so is x mod q x mod p has two roots mod p: y and p - y x mod q has two roots mod q: z and q - z Using the Chinese remainder theorem, we get four root modulo pq: A, B, pq – A, pq – B (y,z) -> A, (p - y, q - z) -> pq – A (y, q - z) -> B, (p – y, z) -> pq – B gcd(A - B,np) = p

Factoring Idea: square roots Compute x 2 mod np Extract y = square root of x 2 mod np If y = x or y = np - x then useless If not, x 2 mod np = y 2 mod np –then gcd(x - y, np) = p or gcd(x - y,np) = q The square root extraction algorithm does not “know” if we started with x, np - x, y, or np - y

Pollards rho (ρ) method Imagine the following process mod p: x 0 – random x i+1 = x i 2 +1 mod p After p 1/2 steps, we’ll find x i, x j such that x i = x j mod p. What this means is that the function f(x) = x 2 +1 mod p loops.

Pollards rho (ρ) method Imagine the following process mod pq: x 0 – random x i+1 = x i 2 +1 mod pq This will loop only after (pq) 1/2 steps (modulo pq) However, modulo p (or q) it will loop after p 1/2 (or q 1/2 ) steps Given two values x i, x j, such that x i =x j mod p but x i <> x j mod pq, we have that gcd(x i - x j, pq) = p Repeat: –x = x mod pq –y = (y 2 +1) mod pq –If gcd(x - y, pq) > 1 then found factor

More complex factoring ideas A number is smooth with respect to the set of primes ≤ L if all prime factors are ≤ L If a smooth number has all powers even then it is easy to extract a square root Major idea: –Generate quadratic residues, one of whose roots is known –Compute a product of these quadratic residues which is smooth and has all powers even –Now, you have a 2 nd root of this product, use it for factoring

Quadratic Sieve Factoring Determine a limit L Generate random values x 2 mod pq Check them for smoothness, discard if not This process can be done entirely distributed Collect all smooth quadratic residues Solve a set of linear equations over GF(2) –This can be done if the matrix is singular, i.e., if we have sufficiently many smooth quadratic residues –How many smooth quadratic residues are required?

Discrete Log (DL) Let G be a group and g an element in G. Let y=g x and x the minimal non negative integer satisfying the equation. x is called the discrete log of y to base g. Example: y=g x mod p in the multiplicative group of Z p

Discrete Log in Z p A candidate for One Way Function Let y=g x mod p in the multiplicative group of Z p Exponentiation takes O(log 3 p) steps Standard discrete log is believed to be computationally hard. x g x is easy (efficiently computable). g x x believed hard (computionally infeasible). x g x is a one way function. This is a computation based notion.

Public-Key Cryptography The New Era (1976-present)

Classical, Symmetric Ciphers Alice and Bob share the same secret key K A,B. K A,B must be secretly generated and exchanged prior to using the unsecure channel. AliceBob

Diffie and Hellman (76) “New Directions in Cryptography” Split the Bob’s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting messages by Bob. K E can be made public (public key cryptography, assymetric cryptography)

“New Directions in Cryptography” The Diffie-Hellman paper (IEEE IT, vol. 22, no. 6, Nov. 1976) generated lots of interest in crypto research in academia and private industry. Diffie & Hellman came up with the revolutionary idea of public key cryptography, but did not have a proposed implementation (these came up 2 years later with Merkle-Hellman and Rivest-Shamir- Adelman). In their 76 paper, Diffie & Hellman did invent a method for key exchange over insecure communication lines, a method that is still in use today.

Public Exchange of Keys Goal: Two parties (Alice and Bob) who do not share any secret information, perform a protocol and derive the same shared key. Eve who is listening in cannot obtain the new shared key if she has limited computational resources.

Diffie-Hellman Key Exchange Public parameters: A prime p, and an element g (possibly a generator of the multiplicative group Z p * ) Alice chooses a at random from the interval [1..p-2] and sends g a mod p to Bob. Bob chooses b at random from the interval [1..p-2] and sends g b mod p to Alice. Alice and Bob compute the shared key g ab mod p : Bob holds b, computes (g a ) b = g ab. Alice holds a, computes (g b ) a = g ab.

DH Security DH is at most as strong as DL in Z p. Formal equivalence unknown, though some partial results known. Despite 25 years effort, still considered secure todate. Computation time is O(log 3 p).

Properties of Key Exchange Necessary security requirement: the shared secret key is a one way function of the public and transmitted information. Necessary “constructive” requirement: an appropriate combination of public and private pieces of information forms the shared secret key efficiently. DH Key exchange by itself is effective only against a passive adversary. Man-in-the-middle attack is lethal.

Security Requirements Is the one-way relationship between public information and shared private key sufficient? A one-way function may leak some bits of its arguments. Example: g x mod p Shared key may be compromised Example: g x+y mod p

Security Requirements (cont.) The full requirement is: given all the communication recorded throughout the protocol, computing any bit of the shared key is hard Note that the “any bit” requirement is especially important

Other DH Systems The DH idea can be used with any group structure Limitation: groups in which the discrete log can be easily computed are not useful Example: additive group of Z p Currently useful DH systems: the multiplicative group of Z p and elliptic curve systems

Key Exchange in Systems VPN usually has two phases –Handshake protocol: key exchange between parties sets symmetric keys –Traffic protocol: communication is encrypted and authenticated by symmetric keys Automatic distribution of keys- flexibility and scalability Periodic refreshing of keys- reduced material for attacks, recovery from leaks