Ch1 - Algorithms with numbers


Ch1 - Algorithms with numbers
- Basic arithmetic: addition, multiplication, division
- Modular arithmetic
- RSA (factoring is hard)
- Primality testing

Addition: 53 + 35 = 88. Cost (n = number of bits)? O(n).

Multiplication: 13 x 11 = 143. Cost? O(n^2).

al-Khwārizmī multiplication. Operations needed:
- determining parity (even or odd)
- addition
- duplation (doubling a number, i.e. a left shift)
- mediation (halving a number, rounding down, i.e. a right shift)

al-Khwārizmī multiplication. Cost? O(n^2). Can we do better?
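The doubling-and-halving multiplication described on the two slides above, written out as an added example (this is not code from the original deck). It uses only the four operations the slide lists, works on arbitrary-size Python integers, and a second entry point counts loop passes so the O(n^2) argument can be checked on real input: one pass per bit of y, each pass doing O(n)-bit shifts or additions.

```python
# Added example (not from the original slides): al-Khwarizmi's multiplication
# built only from parity, addition, doubling (left shift) and halving (right shift).


def multiply_with_cost(x, y):
    """Return (x * y, passes) for non-negative ints.

    Invariant at the top of every pass: acc + x * y == the original product.
    The loop runs once per bit of y, and each pass does O(n)-bit work
    (one shift or one addition), which is where the O(n^2) bound comes from.
    """
    if x < 0 or y < 0:
        raise ValueError("operands must be non-negative")
    acc = 0
    passes = 0
    while y > 0:
        passes += 1
        if y & 1:        # parity test: an odd y contributes the current x
            acc += x     # addition of two O(n)-bit numbers
        x <<= 1          # duplation: double x
        y >>= 1          # mediation: halve y, rounding down
    return acc, passes


def multiply(x, y):
    """Plain product, hiding the pass counter."""
    return multiply_with_cost(x, y)[0]


if __name__ == "__main__":
    print(multiply_with_cost(13, 11))   # the slide's example: (143, 4 passes for 11 = 1011b)
```

Running it on two Mersenne-sized operands shows the pass count equal to the bit length of the second operand, exactly the n in the cost bound; the product itself can be checked against Python's built-in `*`.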

Division. Cost?

Modular arithmetic: a system for dealing with restricted ranges of integers.
Addition: x + y mod N, assuming x, y < N. Cost O(n), where n is the number of bits of N (the size of the input), because x + y mod N is either x + y or x + y - N.
Multiplication: x * y mod N. Cost?

Modular arithmetic

RSA
Ron Rivest, Adi Shamir, Leonard Adleman (1977): an algorithm for public-key cryptography, based on the presumed difficulty of the factoring problem. A.M. Turing Award 2002.
RSA is one of the most used cryptographic algorithms on the net; your browser uses it when establishing a secure session with a site (today mainly to verify the signature on the server's certificate; TLS 1.3 no longer uses RSA for key exchange).
Needed for implementing RSA:
- FLT (Fermat's Little Theorem)
- Fast exponentiation
- Extended Euclidean algorithm
- Modular inverses
- CRT (Chinese Remainder Theorem)

Turing Lecture on Early RSA Days, Ronald L. Rivest

In April 2012 the factorization of 143 was achieved on a quantum (NMR) device, the largest number quantum-factored at the time; classically, factoring 143 = 11 * 13 is of course trivial.

RSA public-key cryptosystem
In a public-key cryptosystem everyone has a public key and a secret key. Suppose Alice and Bob are two participants: Alice holds (P_A, S_A) and Bob holds (P_B, S_B).
The keys specify 1-1 functions from the message space to itself, with M = S_A(P_A(M)) and M = P_A(S_A(M)).
Encryption: Bob computes P_A(M) and sends it over the communication channel; Alice decrypts it with S_A to recover M.

RSA digital signatures
Alice computes S_A(M) and sends it over the communication channel; Bob applies P_A and accepts if P_A(S_A(M)) = M.

RSA algorithm
Select at random 2 large prime numbers p and q (p and q might be, say, 100 decimal digits each).
Compute n = pq.
Select an odd integer e that is relatively prime to φ(n) = (p-1)(q-1).
Compute d as the multiplicative inverse of e modulo φ(n): de ≡ 1 (mod φ(n)).
Publish P = (e, n) as the RSA public key; keep S = (d, n) secret as the RSA secret key.
If M ∈ Z_n = {0, 1, ..., n-1}: P(M) = M^e mod n, and S(C) = C^d mod n for C = P(M).
(This is "textbook" RSA. Applying M^e mod n directly to a message is deterministic and multiplicative, so real systems only ever apply it to a padded value such as OAEP or PSS output.)

RSA example
Pick p = 47, q = 71. n = pq = 3337. φ(n) = (p-1)(q-1) = 46 * 70 = 3220; choose e = 79 (at random). d = 79^-1 mod 3220 = 1019.
P_A = (79, 3337), S_A = (1019, 3337).
The message is split into blocks smaller than n: M1 = 688, M2 = 232, ...
Encryption: C1 = 688^79 mod 3337 = 1570, C2 = 232^79 mod 3337 = 2756, ...
Decryption: 1570^1019 mod 3337 = 688 = M1, 2756^1019 mod 3337 = 232 = M2, ..., and the final block 158 decrypts as 158^1019 mod 3337 = 3.
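The key generation, encryption, decryption and signing steps of the two slides above, as an added example that is not code from the original deck. It reproduces the slide's parameters (p = 47, q = 71, e = 79, giving d = 1019) and uses Python's built-in `pow(e, -1, phi)` (Python 3.8+) for the modular inverse; the extended Euclidean algorithm behind that call is covered later in the deck. The last function demonstrates the malleability caveat: with unpadded blocks, E(a)·E(b) mod n equals E(a·b mod n).

```python
# Added example (not from the original slides): textbook RSA with the slide's
# parameters p = 47, q = 71, e = 79.  pow(e, -1, phi) needs Python 3.8+.
from math import gcd


def rsa_keygen(p, q, e):
    """Return ((e, n), (d, n)) for distinct primes p, q and a public exponent e."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:              # phi is even, so this also forces e odd
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)               # d * e == 1 (mod phi(n))
    return (e, n), (d, n)


def rsa_apply(key, x):
    """P(M) = M^e mod n or S(C) = C^d mod n, depending on which key is passed."""
    k, n = key
    if not 0 <= x < n:
        raise ValueError("block must lie in Z_n = {0, ..., n-1}")
    return pow(x, k, n)


def encrypt_blocks(pub, blocks):
    return [rsa_apply(pub, m) for m in blocks]


def decrypt_blocks(priv, blocks):
    return [rsa_apply(priv, c) for c in blocks]


def sign(priv, m):
    """S_A(M): the signer applies the secret key."""
    return rsa_apply(priv, m)


def verify(pub, m, sig):
    """Accept iff P_A(S_A(M)) == M."""
    return rsa_apply(pub, sig) == m


def is_malleable(pub, a, b):
    """Textbook RSA is multiplicative: E(a) * E(b) == E(a * b mod n).

    This is why raw RSA must never be applied to unpadded data: anyone who
    sees E(a) can forge E(a * b mod n) for any b without knowing d.
    """
    _, n = pub
    return (rsa_apply(pub, a) * rsa_apply(pub, b)) % n == rsa_apply(pub, (a * b) % n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(47, 71, 79)
    print(pub, priv)                                # (79, 3337) (1019, 3337)
    print(encrypt_blocks(pub, [688, 232]))          # [1570, 2756]
    print(decrypt_blocks(priv, [1570, 2756, 158]))  # [688, 232, 3]
```

The same `rsa_keygen` applied to the deck's second modulus, n = 4559 = 47 * 97 with e = 13, yields the decryption exponent d = 3397 quoted on the later slides.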

Another example
n = 4559, e = 13. Smiley transmits "Last name Smiley", i.e. the letters L A S T N A M E S M I L E Y; each letter is encoded as a number m < 4559 and sent as m^13 mod 4559, m^13 mod 4559, ...

RSA
Bob receives the encrypted blocks c = m^e mod n. He has a private decryption exponent d which, applied to c, recovers the original block m: (m^e mod n)^d mod n = m.
For n = 4559, e = 13 the decryption exponent is d = 3397.

RSA
n = 4559, d = 3397: each received block c is decrypted as c^3397 mod 4559, c^3397 mod 4559, ..., recovering L A S T N A M E S M I L E Y.

RSA technical difficulties:
- How do we know the algorithm works correctly?
- How to pick large prime numbers?
- Compute pq
- How to choose e
- Compute d
- How to compute M^e, C^d
- Can anyone break the code?

RSA
If I want to encrypt credit card numbers, how big should my p and q be?
If I want to encrypt words of four random characters from the ASCII set, how big should my p and q be?
(For the arithmetic to work, each message block M must satisfy M < n = pq. For security, n has to be far larger than the message requires, at least 2048 bits today, however short the plaintext is.)

How to pick large prime numbers?

Primality testing
Hard, but much easier than factoring.
Fermat's Little Theorem (~1640): if p is prime, then for all a with 1 ≤ a < p, a^(p-1) ≡ 1 (mod p).
Used as a test (pick a, check whether a^(N-1) ≡ 1 mod N), the composites that fool us are called Fermat pseudoprimes. They are extremely rare: e.g. 2^340 ≡ 1 (mod 341) although 341 = 11 * 31, and for the Carmichael number 561, a^560 ≡ 1 (mod 561) for every a coprime to 561.

Prime Number Theorem (conjectured by Legendre and Gauss, proved by Hadamard and de la Vallée Poussin in 1896)
Theorem: the number of primes between 1 and x is "about" x / ln x.
Not only are primes easy to detect, they are also relatively abundant: a random number near x is prime with probability about 1 / ln x, roughly 1.44 / n for an n-bit number, so a few hundred random trials suffice to find one.

Carmichael numbers
A number c is a Carmichael number if it is composite and square-free, and still for every prime divisor d of c it happens that d - 1 divides c - 1 (Korselt's criterion). The smallest Carmichael number is 561 = 3 * 11 * 17.
If c is a Carmichael number and a is relatively prime to c, then a^(c-1) ≡ 1 (mod c): no coprime base ever exposes c to the Fermat test.
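The Fermat test from the primality slide beside the Miller-Rabin refinement that does catch Carmichael numbers, plus the "pick a large prime" loop built on it, as an added example that is not code from the original deck. Miller-Rabin adds one idea to Fermat: modulo a prime, the only square roots of 1 are ±1, so if the chain a^r, a^(2r), ..., a^(2^s r) (with n - 1 = 2^s r) reaches 1 without passing through -1, n is composite. The test values 341 and 561 are the ones quoted on the slides.

```python
# Added example (not from the original slides): Fermat test, Miller-Rabin,
# and random prime generation on top of them.
import random
from math import gcd


def fermat_test(n, bases):
    """Fermat test: True if a^(n-1) == 1 (mod n) for every base ("probably prime").

    Composites that pass for some base are the Fermat pseudoprimes on the
    slide (341 to base 2); Carmichael numbers such as 561 pass for every
    coprime base.
    """
    if n < 2:
        return False
    for a in bases:
        if gcd(a, n) != 1:            # shared factor: certainly composite
            return False
        if pow(a, n - 1, n) != 1:
            return False
    return True


def miller_rabin(n, bases):
    """Miller-Rabin: False only for composites, True means probably prime."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    r, s = n - 1, 0                   # write n - 1 = 2^s * r with r odd
    while r % 2 == 0:
        r //= 2
        s += 1
    for a in bases:
        a %= n
        if a in (0, 1, n - 1):
            continue
        x = pow(a, r, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False              # reached 1 via a nontrivial square root, or never reached 1
    return True


def is_probable_prime(n, rounds=20, rng=random):
    """Randomized Miller-Rabin; a composite survives with probability <= 4^-rounds.

    For key generation pass rng=random.SystemRandom() so the bases are not
    predictable (an attacker who can predict them can craft liars).
    """
    if n < 4:
        return n in (2, 3)
    bases = [rng.randrange(2, n - 1) for _ in range(rounds)]
    return miller_rabin(n, bases)


def random_prime(bits, rng=random):
    """Draw random odd candidates of exactly `bits` bits until one passes."""
    if bits < 2:
        raise ValueError("need at least 2 bits")
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top and low bit
        if is_probable_prime(cand, rng=rng):
            return cand


if __name__ == "__main__":
    print(fermat_test(561, [2, 5, 7, 10, 13]), miller_rabin(561, [2]))   # True False
    print(random_prime(64))
```

Base 3 already exposes 341 under the Fermat test, but no coprime base exposes 561; a single Miller-Rabin round with base 2 rejects both. Note that the Fermat test also rejects any base sharing a factor with n, which is why the Carmichael property is stated only for coprime a.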

Primality testing

Fermat's Last Theorem (not to be confused with the Little Theorem above) states that x^n + y^n = z^n has no non-zero integer solutions x, y, z when n > 2.

RSA technical difficulties (revisited):
- How do we know the algorithm works correctly?
- How to pick large prime numbers?
- Compute pq
- How to choose e
- Compute d
- How to compute M^e, C^d?
- Can anyone break the code?

How to compute M^e, C^d?

Modular exponentiation
In order to implement RSA, exponentiation relative to some modulus needs to be done a lot, so this operation had better be doable, and fast.
Q: How is it even possible to compute c^3397 mod 4559 for a received block c? After all, c^3397 has approximately 3397 * 4 digits!

Modular exponentiation
A: By taking the mod after each multiplication. For example:
23^3 mod 30 ≡ (-7)^3 (mod 30) ≡ (-7)^2 * (-7) (mod 30) ≡ 49 * (-7) (mod 30) ≡ 19 * (-7) (mod 30) ≡ -133 (mod 30) ≡ 17 (mod 30)

Modular exponentiation
Therefore, 23^3 mod 30 = 17.
Q: What if we had to figure out 23^16 mod 30? The same way is tedious: we need to multiply 15 times. Is there a better way?

Modular exponentiation
A: Better way. Notice that 16 = 2 * 2 * 2 * 2, so that 23^16 = 23^(2*2*2*2) = (((23^2)^2)^2)^2. Therefore:
23^16 mod 30 ≡ ((((-7)^2)^2)^2)^2 (mod 30) ≡ (((49)^2)^2)^2 (mod 30) ≡ (((-11)^2)^2)^2 (mod 30) ≡ ((121)^2)^2 (mod 30) ≡ ((1)^2)^2 (mod 30) ≡ (1)^2 (mod 30) ≡ 1 (mod 30)
Which implies that 23^16 mod 30 = 1.
Q: How about 23^25 mod 30?

Modular exponentiation
A: The previous method of repeated squaring works for any exponent that's a power of 2; 25 isn't. However, we can break 25 down as a sum of such powers: 25 = 16 + 8 + 1. Apply repeated squaring to each part, and multiply the results together.
Previous calculation: 23^8 mod 30 = 23^16 mod 30 = 1.
Thus: 23^25 mod 30 ≡ 23^16 * 23^8 * 23^1 (mod 30) ≡ 1 * 1 * 23 (mod 30) ≡ 23 (mod 30).

Modular exponentiation: x^25 mod N. Cost? Polynomial time in n = log N.

Modular exponentiation
How do we compute x^y mod m, m > 0? Repeated-squaring algorithm, recursive on the exponent:

def mod_exp(x, y, m):
    # halve the exponent, square the result, and multiply by x once more if y is odd
    if y == 0:
        return 1 % m
    z = mod_exp(x, y // 2, m)
    if y % 2 == 0:
        return z * z % m
    return x * z * z % m
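The same square-and-multiply idea in iterative form, scanning the exponent's bits from the most significant end, as an added example that is not code from the original deck. It returns the number of squarings and multiplications it performed so that the cost argument of the previous slides can be checked: one squaring per exponent bit and one extra multiplication per set bit, which for 25 = 11001b means 5 squarings and 3 multiplications, i.e. O(n) multiplications of n-bit numbers for an n-bit exponent.

```python
# Added example (not from the original slides): left-to-right square-and-multiply
# with operation counters.


def mod_exp_with_cost(x, y, m):
    """Return (x**y % m, squarings, multiplications) for y >= 0, m > 0."""
    if m <= 0 or y < 0:
        raise ValueError("need m > 0 and y >= 0")
    result, x = 1 % m, x % m
    squarings = multiplications = 0
    for bit in bin(y)[2:]:                 # '11001' for y = 25 = 16 + 8 + 1
        result = result * result % m       # square: doubles the exponent built so far
        squarings += 1
        if bit == '1':
            result = result * x % m        # multiply: adds 1 to the exponent
            multiplications += 1
    # Caveat for real RSA: the branch on `bit` makes running time depend on the
    # secret exponent d, a classic timing side channel.  Production code uses a
    # constant-time ladder plus blinding; this version is for understanding only.
    return result, squarings, multiplications


def mod_exp(x, y, m):
    """x**y % m without the counters."""
    return mod_exp_with_cost(x, y, m)[0]


if __name__ == "__main__":
    print(mod_exp_with_cost(23, 25, 30))   # (23, 5, 3): matches the slide's 23^25 mod 30
```

The intermediate results never exceed m^2, which is the whole point: c^3397 mod 4559 is reached through a dozen squarings of numbers below 4559^2 rather than through a number with thousands of digits.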

Compute d ?

Modular Inverse

GCD (greatest common divisor). Example:

Euclid's algorithm
If a, b ∈ Z+, apply division (mod) repeatedly as follows:
a = q_1 b + r_1, where 0 < r_1 < b
b = q_2 r_1 + r_2, where 0 < r_2 < r_1
r_1 = q_3 r_2 + r_3, where 0 < r_3 < r_2
......
r_(k-2) = q_k r_(k-1) + r_k, where 0 < r_k < r_(k-1)
r_(k-1) = q_(k+1) r_k
Then r_k = GCD(a, b).
Proof: (1) r_k | a and r_k | b (work upwards through the equations); (2) if d | a and d | b, then d | r_k (work downwards through the equations).

Recursion theorem
For all a, b ∈ N with b ≠ 0: gcd(a, b) = gcd(b, a mod b).
Proof: Let d = gcd(a, b). Then d | a and d | b, so d | a - qb = a mod b (with q = ⌊a/b⌋). Hence d | b and d | (a mod b), so d | gcd(b, a mod b).
Conversely, let d = gcd(b, a mod b). Then d | b and d | (a mod b), so d | (a mod b) + qb = a. Hence d | a and d | b, so d | gcd(a, b).
Therefore gcd(a, b) = gcd(b, a mod b).

Computing GCD (Euclid):

def gcd(x, y):
    # gcd(x, 0) = x; otherwise recurse on (y, x mod y)
    if y == 0:
        return x
    return gcd(y, x % y)

Euclid's algorithm example: computing gcd(125, 87)
125 = 1 * 87 + 38
87 = 2 * 38 + 11
38 = 3 * 11 + 5
11 = 2 * 5 + 1
5 = 5 * 1
So gcd(125, 87) = 1. Working backwards:
11 - 2 * 5 = 1
11 - 2 * (38 - 3 * 11) = 1, i.e. -2 * 38 + 7 * 11 = 1
-2 * 38 + 7 * (87 - 2 * 38) = 1, i.e. 7 * 87 - 16 * 38 = 1
7 * 87 - 16 * (125 - 87) = 1, i.e. 1 = 125 * (-16) + 87 * 23
1 = a s + b t with s = -16, t = 23

Extended Euclidean algorithm: obtain gcd(a, b) and x, y such that gcd(a, b) = ax + by.

def extended_euclid(a, b):
    # returns (d, x, y) with d = gcd(a, b) = a*x + b*y
    if b == 0:
        return (a, 1, 0)
    d, x1, y1 = extended_euclid(b, a % b)
    return (d, y1, x1 - (a // b) * y1)

Cost?
Theorem: the algorithm above correctly computes the gcd of x and y and makes O(n) recursive calls, where n is the total number of bits in the input (x, y); each call does one division of n-bit numbers, so the total is O(n^3) bit operations.

Multiplicative inverse
The multiplicative inverse x of a modulo n satisfies ax ≡ 1 (mod n), i.e. ax = kn + 1 for some integer k.
If gcd(a, n) = 1, then ax - kn = gcd(a, n), i.e. ax + ny = gcd(a, n) with y = -k. Therefore x can be found using the extended Euclidean algorithm.
Is the multiplicative inverse unique?

Multiplicative inverse
Theorem: for all n > 1, if gcd(a, n) = 1, then ax ≡ 1 (mod n) has a unique positive solution modulo n.
Example: a = 79, n = 3220.
x = 1019: ax = 79 * 1019 = 80501 = 25 * 3220 + 1.
x = -2201: ax = 79 * (-2201) = -173879 = -54 * 3220 + 1, and -2201 ≡ 1019 (mod 3220).
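The extended Euclidean algorithm and the modular inverse built on it, as an added example that is not code from the original deck. It is the iterative form of the recursive Extended-Euclid above (same quotients, same coefficients), which matters for RSA-sized operands: 2048-bit inputs can need a few thousand steps, more than Python's default recursion limit allows. The numbers asserted are the deck's own: 1 = 125 * (-16) + 87 * 23, and 79^-1 mod 3220 = 1019, with -2201 normalised to the same residue.

```python
# Added example (not from the original slides): iterative extended Euclid
# and the modular inverse used to compute the RSA secret exponent d.


def extended_gcd(a, b):
    """Return (d, s, t) with d = gcd(a, b) and a*s + b*t = d, for a, b >= 0."""
    if a < 0 or b < 0:
        raise ValueError("non-negative inputs only")
    old_r, r = a, b          # remainders: the plain Euclid sequence
    old_s, s = 1, 0          # coefficients of a
    old_t, t = 0, 1          # coefficients of b
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r      # the Euclid remainder step
        old_s, s = s, old_s - q * s      # maintain a*old_s + b*old_t == old_r
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def has_inverse(a, n):
    """True iff gcd(a, n) == 1, the condition RSA requires of e modulo phi(n)."""
    return extended_gcd(a % n, n)[0] == 1


def mod_inverse(a, n):
    """Return the unique x in {1, ..., n-1} with a*x == 1 (mod n)."""
    if n <= 1:
        raise ValueError("modulus must be > 1")
    d, x, _ = extended_gcd(a % n, n)     # a*x + n*y == d
    if d != 1:
        raise ValueError("%d has no inverse modulo %d (gcd = %d)" % (a, n, d))
    return x % n        # every solution is congruent mod n; normalise to the positive one


def rsa_private_exponent(e, p, q):
    """d = e^-1 mod (p-1)(q-1), the 'Compute d' step of the RSA slide."""
    return mod_inverse(e, (p - 1) * (q - 1))


if __name__ == "__main__":
    print(extended_gcd(125, 87))          # (1, -16, 23)
    print(rsa_private_exponent(79, 47, 71))   # 1019
```

Feeding `mod_inverse` an e that shares a factor with φ(n) raises instead of silently returning a wrong d, which is the check key generation needs before publishing (e, n).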

RSA technical difficulties (revisited):
- How do we know the algorithm works correctly?
- How to pick large prime numbers?
- Compute pq
- How to choose e
- Compute d
- How to compute M^e, C^d?
- Can anyone break the code?

How do we know RSA works correctly? Chinese Remainder Theorem (~1700 years old)
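The correctness argument the slide title points at, written out as an added derivation (not on the original slides) using only the two tools already listed as prerequisites, Fermat's Little Theorem and the Chinese Remainder Theorem:

Since $de \equiv 1 \pmod{\varphi(n)}$, there is an integer $k \ge 0$ with
$$ed = 1 + k\,\varphi(n) = 1 + k(p-1)(q-1).$$
Modulo $p$: if $p \nmid M$, FLT gives $M^{p-1} \equiv 1 \pmod p$, hence
$$M^{ed} = M \cdot \left(M^{p-1}\right)^{k(q-1)} \equiv M \cdot 1 \equiv M \pmod p;$$
if $p \mid M$, both $M^{ed}$ and $M$ are $\equiv 0 \pmod p$. The same argument with $q$ in place of $p$ gives $M^{ed} \equiv M \pmod q$.
Since $p \ne q$ are distinct primes, the CRT says the map $\mathbb{Z}_{pq} \to \mathbb{Z}_p \times \mathbb{Z}_q$, $x \mapsto (x \bmod p,\; x \bmod q)$, is a bijection, so agreeing modulo $p$ and modulo $q$ forces
$$M^{ed} \equiv M \pmod{pq}, \qquad\text{i.e.}\qquad S(P(M)) = \left(M^e\right)^d \bmod n = M \quad \text{for every } M \in \mathbb{Z}_n,$$
including the blocks not coprime to $n$ (which Euler's theorem alone would not cover). The same computation with $d$ applied first shows $P(S(M)) = M$, which is what the signature slide relies on.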

(truncated link in the transcript:) hallenge#The_prizes_and_records