1. Chap. 8,9: Introduction to number theory and RSA algorithm Jen-Chang Liu, 2004 Adapted from Lecture slides by Lawrie Brown

2. The Devil said to Daniel Webster: "Set me a task I can't carry out, and I'll give you anything in the world you ask for." Daniel Webster: "Fair enough. Prove that for n greater than 2, the equation a n + b n = c n has no non-trivial solution in the integers." They agreed on a three-day period for the labor, and the Devil disappeared. At the end of three days, the Devil presented himself, haggard, jumpy, biting his lip. Daniel Webster said to him, "Well, how did you do at my task? Did you prove the theorem?' "Eh? No... no, I haven't proved it." "Then I can have whatever I ask for? Money? The Presidency?' "What? Oh, that — of course. But listen! If we could just prove the following two lemmas — " — The Mathematical Magpie, Clifton Fadiman

3. Clifton Fadiman Clifton Fadiman was a multi-talented writer, critic, raconteur and bookworm. He is best remembered as moderator of the erudite radio quiz show Information, Please, which ran from 1938 until 1952. He wrote a book: The Lifetime Reading Plan ( 一生的讀書計畫 ) ，列 出 西方經典一百本 西方經典一百本

4. Key Distribution Problem Symmetric schemes require both parties to share a common secret key How to securely distribute this key ? often secure system failure due to a break in the key distribution scheme (eavesdropping)

5. Key Distribution methods given parties A and B have various key distribution alternatives: 1. A can select key and physically deliver to B 2. third party can select & physically deliver key to A & B 3. if A & B have communicated previously can use previous key to encrypt a new key 4. if A & B have secure communications with a third party C, C can relay key between A & B Not suitable for large systems Initial distribution?

6. Scale of key distribution problem A network with N hosts => N(N-1)/2 pairs Node-level encryption N(N-1)/2 Application-level encryption 10 applications/node

7. Key distribution center (KDC) KDC shares a unique key (master key) with each user to distribute secret key (session key) between a pair of users: scale of key distribution problem reduces to N E MK1 (Secret key) E MK2 (Secret key) Secret key

8. Asymmetric cryptography Real world example: locker Public key & private key

9. Difference between symmetric and asymmetric cryptography Symmetric encryption: Reverse operation is possible Asymmetric encryption: Hard to find reverse operation

10. One-way trap door function Public key Private key

11. Motivation: RSA public-key algorithm One key for encryption, one key for decryption Public directory Alice Bob

12. Preview of RSA algorithm R: Rivest, S: Shamir, A: Adleman Plaintext M, ciphertext C C = M e mod n, where 0 ≤ M < n M = C d mod n = (M ed ) mod n Q: Is there e, d, n such that (M ed )≡ M mod n ? A: Euler’s theorem Q: Given e, i s it possible to compute M directly from C ?

13. Outline Prime numbers Fermat ’ s and Euler ’ s Theorems RSA algorithm Testing for primality

14. Prime Numbers prime numbers only have divisors of 1 and self they cannot be written as a product of other numbers note: 1 is prime, but is generally not of interest eg. 2,3,5,7 are prime, 4,6,8,9,10 are not prime numbers are central to number theory list of prime number less than 200 is: 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199

15. Prime Factorisation prime factorisation: any integer a>1 can be factored in a unique way, are primes each a i is a positive integer eg. 91=7×13 ; 3600=2 4 ×3 2 ×5 2 Note: factoring a number is relatively hard compared to multiplying the factors together to generate the number

16. Relatively Prime Numbers & GCD two numbers a,b are relatively prime if have no common divisors apart from 1 eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor conversely can determine the greatest common divisor by comparing their prime factorizations and using least powers eg. 300=2 2 ×3 1 ×5 2 18=2 1 ×3 2 hence GCD(18,300)=2 1 ×3 1 ×5 0 =6

17. Outline Prime numbers Fermat’s and Euler’s Theorems RSA algorithm Testing for primality

18. Fermat's Theorem also known as Fermat’s Little Theorem a p-1 mod p = 1 where p is prime and gcd(a,p)=1 [a, p 互質 ] useful in public key and primality testing

19. Proof of Fermat ’ s law Recall: p is a prime, Z p is a Galois Field Any a multiplied by {1,2,…,p-1} will span {1,2, …,p-1} in some order a×2a×…×((p-1)a) ≡ [(a mod p)×(2a mod p)×…×((p-1)a mod p)] mod p ≡ [1×2×…×(p-1)] mod p ≡ (p-1)! mod p (p-1)! a p-1 ≡ (p-1)! mod p

20. Proof of Fermat ’ s law (cont.) (p-1)! a p-1 ≡ (p-1)! mod p Because (p-1)! is relatively prime to p a p-1 ≡ 1 mod p This can be re-written as a p ≡ a mod p Example: a = 7, p = 19 => 7 18 ≡ 1 mod 19 ? 7 18 =7 16 ×7 2 7 2 =49 ≡ 11 mod 19 7 4 =7 2 ×7 2 ≡ (11×11) mod 19= 7 mod 19 7 8 =7 4 ×7 4 ≡ (7×7) mod 19= 11 mod 19 7 16 =7 8 ×7 8 ≡ (11×11) mod 19= 7 mod 19 ≡ (7×11) mod 19 = 1 mod 19

21. Euler ’ s Totient Function ø(n) when doing arithmetic modulo n complete set of residues is: 0..n-1 reduced set of residues is those numbers (residues) which are relatively prime to n eg. for n=10, complete set of residues is {0,1,2,3,4,5,6,7,8,9} reduced set of residues is {1,3,7,9} number of elements in reduced set of residues is called the Euler Totient Function ø (n) i.e. is the number of positive integers less than n and relatively prime to n

22. Example: totient function ø (37)=? 37 is a prime, {1, …,36} are all relatively prime to 37 ø(37)=36 ø (35)=? List them: {1,2,3,4,6,8,9,11,12,13,16,17,18,19,22,23,24,26, 27,29,31,32,33,34} ø(35)=24

23. Euler ’ s Totient Function ø(n) Some special case: for p (p prime) : ø(p) = p-1 for pq (p  q, both prime): ø(pq)=(p-1)×(q-1) Proof for ø(pq) = (p-1)×(q-1) {1,2,3, …, pq-1} 與 pq 互質的個數？ => 與 pq 非互質個數： 1. p 的倍數： {p, 2p, 3p, …, (q-1)p} 2. q 的倍數： {q, 2q, 3q, …, (p-1)q} ø (p q) =pq-1 – (p-1) – (q-1) = pq-p-q+1 = (p-1)(q-1)= ø (p)× ø (q)

24. Euler's Theorem Fermat's Theorem: a n-1 ≡ 1 mod n Euler’s theorem: a ø(n) ≡ 1 mod n where gcd(a,n)=1 eg. a=3;n=10; ø(10)=4; hence 3 4 = 81 = 1 mod 10 a=2;n=11; ø(11)=10; hence 2 10 = 1024 = 1 mod 11

25. Proof for Euler ’ s theorem a ø(n) ≡ 1 mod n, gcd(a,n)=1 n is a prime => Fermat ’ s theorem Arbitrary n: ø(n) means the number of integers that is relatively prime to n, denote the set of integers as Multiply each by a, modulo n: S is a permutation of R !!! * a is relatively prime to n, and x i is relative prime to n => so does ax i * There is no duplicate in S

26. Proof for Euler ’ s theorem (cont.) is the permutation of mod n OR (M ed )≡ M mod n Recall: RSA algorithm

27. Corollary to Euler ’ s theorem RSA algorithm: Euler ’ s theorem: Given prime p and q, n=pq, 0<a<n (M ed )≡ M mod n gcd(a, n)=1 a: plaintext => not necessary prime to n !!! 1. a is prime to n => Euler ’ s theorem 2. a is NOT prime to n => a 是 p 的倍數 或 a 是 q 的倍數 Prove case 1: a = cp but a  qp, because 0<a<n=pq => gcd(a, q) = 1

28. Corollary to Euler ’ s theorem (cont.) case 1: a = cp, gcd(a,q)=1 Euler ’ s theorem 自乘 ø (p) 次 => Totient function => Multiply a=cp => Δ

29. Corollary to Euler ’ s theorem (cont.) Given prime p and q, n=pq, 0<a<n Alternative form of the corollary (used in RSA) By Euler ’ s theorem

30. RSA from Euler ’ s corollary RSA algorithm: find e, d, n to satisfy Euler ’ s corollary: given primes p and q, n=pq, 0<a<n, and arbitrary k (M ed )≡ M mod n We want ed = k  ( n) + 1 => ed ≡ 1 mod  ( n) or d ≡ e -1 mod  ( n) (d is the multiplicative inverse of e, it exists If d (and e) is relatively prime to  (n) )

31. Outline Prime numbers Fermat ’ s and Euler ’ s Theorems RSA algorithm Testing for primality

32. RSA algorithm – decide parameters 1. Select primes p and q. 2. Calculate n=pq. 3. Calculate  (n)=(p-1)(q-1) 4. Select e that is relative prime to and less than  (n) 5. Determine d such that de ≡ 1 mod  (n),and d<  (n) (d is the multiplicative inverse of e, find it using Extended Euclid ’ s algorithm) Example: p=17, q=11 n= 17x11 = 187  (n)= 16x10 = 160 e = 7 d = 23

33. RSA encryption/decryption example Public key: KU={e,n}={7,187} Private key: KR={d,n}={23,187}

34. Ingredient and security of RSA p, q: two primes (private, chosen) n=pq (public, calculated) e, with gcd(  (n),e)=1 (public, chosen) 1<e<  (n) d ≡ e -1 mod  (n) (private, calculated)  (n) must be a secret, else d can be calculated n is known =>  (n) can be calculated from n? p, q must be secrets =>  (n) = (p-1)(q-1) => p, q calculated from n?

35. The security of RSA Brute-force: try all private keys Mathematical attacks: Factor n into its two prime factors, n=> p×q Determine  (n) directly Determine d directly without  (n) Timing attacks: depends on the running time of the decryption algorithm Same complexity

36. RSA recommended key size How to evaluate RSA security ? rough extrapolations of the running times for smaller keys TWIRL: a hardware for integer factorization for a 1024-bit RSA key in less than a year with only $10 million worth of hardware Protection Lifetime of Data Present – 2010 Present – 2030 Present – 2031 and Beyond Minimum symmetric security level 80 bits112 bits128 bits Minimum RSA key size 1024 bits2048 bits3072 bits

37. Complexity of factorization problem (key size)

39. Single prime modulus RSA algorithm: Fermat’s theorem: A single prime modulus n? (a ed )≡ a mod n a n ≡ a mod n, n is a prime ed = k(n-1) + 1 a n-1 ≡ 1 mod n a k(n-1)+1 ≡ a mod n => ed ≡ 1 mod (n-1) => e, d 互為 Z n-1 下的乘法反元素 However, if (e, n) is public We can calculate d easily !!! (Z n-1 下的乘法反元素 )

40. MultiPrime RSA RSA: n = p  q MultiPrime RSA: n = p  q  r ? More primes to make up the modulus, Ex. 1024 bits RSA, 341, 341, 342 bits primes the faster the private key operations the easier to factor

41. Computation – encryption/decryption Modular exponentiation: Fast algorithm use the property: Write exponential d as binary number: b k b k-1 …b 1 b 0 ex. 23 10 = 10111 2 = 2 4 +2 2 +2 1 +2 0 M = C d mod n (a x b) mod n = (a mod n) x (b mod n) mod n 11 23 mod 187 =(11 16 ×11 4 ×11 2 ×11 1 ) mod 187 =[(11 16 mod 187)×(11 4 mod 187)×(11 2 mod 187)×(11 1 mod 187)] mod 187 =…=88

42. Fast exponentiation a b mod n b=10111 1 a1a1 22 1010 a10a10 自乘  2+1 101 a 101 自乘  a  2+1 1011 a 1011 自乘  a  2+1 10111 a 10111 自乘  a a x  a x =a 2x

43. Pseudo-code for fast exponentiation c=0; /* c will be the exponent at last */ d=1; /* d will be the a b mod n at last */ for(i=k; i>=0; i--){ /* k+1 bits for b */ c = 2*c; d = (d*d) mod n; if ( b i == 1 ){ c = c+1; d = (d*a) mod n } Timing attacks If this bit is 1, exec. time will be slower

44. Resist to timing attacks Constant exponentiation time return the results of exponentiation after a fixed time Random delay Add random delay to the exp. execution time Blinding Multiply ciphertext by a random number

45. Reading assignment The code book ( 碼書 ) 報告重點：年代，人物，故事，加解密方式 投影片請多用書上圖片解說故事及人物 Report one chapter per week Chap.1: 洪善群, 張凱鈞 Chap. 2: 鄧偉華 Chap. 3: Chap. 4: Chap. 5: Chap. 6: Chap. 7: PGP 93321510, 93321538, 93321518