The RSA Algorithm and Reed-Solomon Codes

Group 5: Daryl, Etkin, Supartha, Rajendra and Aarthi

Introduction

Two information coding schemes:

RSA Algorithm: privacy, authenticity

Reed-Solomon Codes: (bursty) noise tolerance

Welcome to the Matrix

Privacy

Authenticity

Trinity?

Yes, it’s me.

Shared Key Cryptography

Encrypt messages with a symmetric-key cryptosystem (e.g. DES, AES, etc…)

Requires prior agreement on a shared key over a secure channel

What if Neo and Trinity have yet to meet?


Public Key Cryptography

Mathematically-related public/private key pairs are generated

Messages encrypted with the public key can only be decrypted with the private key

Infeasible to compute private key from public key alone

No need to agree on a shared key!

RSA Algorithm

Rivest, Shamir and Adleman (1977)

Based on the difficulty of computing the prime factors of large integers

RSA Algorithm

Setup:

1. Pick two distinct primes p and q

2. Compute n = pq and ɸ(n) = (p – 1)(q – 1)

3. Pick e where 1 < e < ɸ(n) and gcd(e, ɸ(n)) = 1

4. Compute d where de ≡ 1 (mod ɸ(n))

5. Public key is (n, e), private key is (n, d)

Usage:

6. Encrypt with C ≡ M^e (mod n)

7. Decrypt with M ≡ C^d (mod n)


Modular Multiplicative Inverse

Let e, d, n be integers with n ≠ 0

Fact: if gcd(e, n) = 1 (i.e. e and n are coprime), then there exists d such that de ≡ 1 (mod n)

In other words, the multiplicative inverse of e (mod n) exists when gcd(e, n) = 1


Euler’s Totient Function ɸ(n)

Definition: the number of integers 1 ≤ a ≤ n with gcd(a, n) = 1

Formula: for n = pq where p and q are primes, ɸ(n) = (p – 1)(q – 1)

Modular Exponentiation

Let x, y, m, n be integers with n ≥ 0

Fact: if x ≡ y (mod ɸ(n)), then m^x ≡ m^y (mod n)

In other words, working in mod n requires that we work mod ɸ(n) in the exponent


RSA Algorithm

Since de ≡ 1 (mod ɸ(n)), the modular exponentiation fact gives

(M^e)^d ≡ M (mod n) and (M^d)^e ≡ M (mod n)

Example: M = 1234

1. Pick p = 37 and q = 43

2. Compute n = 1591 and ɸ(n) = 1512

3. Pick e = 71; gcd(e, ɸ(n)) = gcd(71, 1512) = 1

4. Compute d = 575 (Extended Euclidean Algorithm); de = 40825 ≡ 1 (mod 1512)

5. Public key is (n, e), private key is (n, d)

6. Encrypt: C ≡ M^e ≡ 1234^71 ≡ 908 (mod 1591)

7. Decrypt: M ≡ C^d ≡ 908^575 ≡ 1234 (mod 1591)

RSA Algorithm for Signatures

1. Pick two distinct primes p and q

2. Compute n = pq and ɸ(n) = (p – 1)(q – 1)

3. Pick e where 1 < e < ɸ(n) and gcd(e, ɸ(n)) = 1

4. Compute d where de ≡ 1 (mod ɸ(n))

5. Public key is (n, e), private key is (n, d)

6. Sign M with S ≡ M^d (mod n); send (M, S)

7. Verify that M ≡ S^e (mod n)

Reversed! Sign with the private key, verify with the public key

Implementing…

1. Modular exponentiation: successive squaring

2. Computing d from e and ɸ(n): Extended Euclidean Algorithm

3. Finding large primes

Modular Exponentiation Algorithm

Successive squaring to compute C ≡ M^e (mod n)

Let e = e_k e_{k–1} … e_0 (binary representation of e)

C := 1
For i := k, k – 1, …, 0
    C := (C * C) mod n
    If e_i = 1 Then C := (C * M) mod n
End For

Performance: O(log e); Memory: O(1)

Computing d from e and ɸ(n)

Extended Euclidean Algorithm:

Since e and ɸ(n) are coprime, solving

yields d = y satisfying

Find the max. q_i satisfying , and x_i and y_i satisfying

When r_k = 0, stop and output gcd(a, b) = r_{k–1}, x = x_{k–1} and y = y_{k–1}

Similar to the Euclidean Algorithm for gcd(a, b), but retain the quotients q_i at each step i to compute x_i and y_i

Generating Large Primes

Generate a large random integer, then apply a primality test repeatedly

Primality tests: Miller-Rabin, Solovay-Strassen, Fermat Primality Test

Euler witness, Euler liar

Algorithm

1: Pick a large random integer
2: If for any small prime (Sieving)
3: go back to step 1
4: repeat times (Miller-Rabin)
5: pick random integer
6: do a primality test on (, )
7: if test fails
8: go back to step 1
9: is probably prime

Sieving

Sieve of Eratosthenes: steps 1–3 above

Miller-Rabin Primality Test: steps 4–9 above

Miller-Rabin Primality Test

divides or or

By Euclid’s Lemma

Fermat’s Little Theorem

If is prime and for any integer such that doesn’t divide

Miller-Rabin Primality Test

: prime candidate
: random integer
is odd

or

Pseudocode

Example

prime candidate

random integer

Example

Either is a prime or is an Euler liar. Now, we try another a.

Example

prime candidate

random integer

Example

is a composite; is an Euler liar; is an Euler witness

Deterministic Miller-Rabin

Trying all possible witnesses below a limit

Not used in practice

If p < 341,550,071,728,321, it is enough to test a = 2, 3, 5, 7, 11, 13, and 17.

Complexity and Error

Complexity of the Sieve of Eratosthenes: log(S)

Complexity of Miller-Rabin: ( : number of tests)

Complexity of Deterministic Miller-Rabin
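The nine-step prime generation algorithm (random candidate, sieving by small primes, repeated Miller-Rabin rounds), the deterministic base set quoted on the slide, and a helper that lists the bases a small composite fools, as a Python example added here (not from the slides; the liar helper is brute force and meant for small n only). What the slides call Euler liars and witnesses are, for the Miller-Rabin test, strong liars and strong witnesses; for n = 25 the helper reports that bases 7 and 18 pass the test while every other base exposes 25 as composite.

```python
# Prime generation as in the slides' 9-step algorithm: random candidate,
# sieving by small primes, then repeated Miller-Rabin rounds; also the
# deterministic base set the slides quote for p < 341,550,071,728,321 and a
# helper that lists the bases a composite fools (the slides' "liars").
# Example code added here, not from the slides.
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]
DETERMINISTIC_BOUND = 341_550_071_728_321          # from slide 35
DETERMINISTIC_BASES = [2, 3, 5, 7, 11, 13, 17]

def sieve_pass(n):
    """Step 2: a candidate divisible by a small prime is rejected at once."""
    return all(n % p != 0 for p in SMALL_PRIMES if p < n)

def strong_test(n, a):
    """One Miller-Rabin round for odd n with base a. Writes n - 1 = 2^s * d and
    accepts if a^d = 1 or a^(2^r d) = -1 for some r < s (mod n). True means the
    base found no evidence that n is composite (n is prime, or a is a liar)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False                    # a is a witness: n is definitely composite

def is_probable_prime(n, rounds=20):
    """Steps 2-9. Below the slides' bound the fixed bases make the answer exact;
    above it, each random round leaves at most a 1/4 chance of a liar."""
    if n < 2:
        return False
    if n in SMALL_PRIMES:
        return True
    if n % 2 == 0 or not sieve_pass(n):
        return False
    if n < DETERMINISTIC_BOUND:
        return all(strong_test(n, a) for a in DETERMINISTIC_BASES if a < n)
    return all(strong_test(n, random.randrange(2, n - 1)) for _ in range(rounds))

def strong_liars(n):
    """Bases 2..n-2 that a composite odd n passes with: the slides' 'liars'.
    Every other base in that range is a witness. Brute force, small n only."""
    return {a for a in range(2, n - 1) if strong_test(n, a)}

def random_prime(bits):
    """Step 1 plus the loop back: odd candidate with the top bit set, until one passes."""
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n

if __name__ == "__main__":
    print(sorted(strong_liars(25)))      # bases that make 25 look prime
    print(is_probable_prime(3127))       # 53 * 59: passes the sieve, fails Miller-Rabin
    print(random_prime(64))
```

The sieve removes most candidates cheaply before any modular exponentiation is spent on them; 3127 = 53 · 59 is included because both factors lie above the sieve's largest prime, so it is Miller-Rabin, not the sieve, that rejects it.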


Reed-Solomon Codes

Agent Smith is Frustrated

???

Disrupts Channel

Noisy Channel

Noise is natural

Studied models in general: Binary Symmetric Channel, Binary Erasure Channel, Noisy Typewriter Channel, Continuous Output Channel, …

Error Correction (Toy Example)

E : {0,1}^k → {0,1}^n, n ≥ k

Error Correction

A code:

M    C
00   000
01   001
10   010
11   011

Other words of {0,1}^3 (not code words): 100, 101, 110, 111

[n, k, d] = [3, 2, ?]

Code Distance (Toy Example)

[Figure: d(Red, Blue); d/2; d/2]

Hamming Distance d

Distance between ∆

For example,

1010010001 ∆

Code Distance

Linear Codes

(The toy codebook above: M → C, 00 → 000, 01 → 001, 10 → 010, 11 → 011)

No structure?? Have to store the whole mapping in a codebook

Linear Code: If is a field and , is a subspace of then is said to be a linear code

Linear Codes

As is a subspace, there exists a basis where is the dimension of the subspace

Any code word can be expressed as a linear combination of these basis vectors.

Linear Code: If is a field and , is a subspace of then is said to be a linear code

For example, the Hamming code is linear: [n, k, d] = [7, 4, 3]

      1 0 0 0
      0 1 0 0
      0 0 1 0
G =   0 0 0 1
      0 1 1 1
      1 0 1 1
      1 1 0 1

n x k, where n = 7, k = 4

For example, G · (1, 0, 0, 1)^T = (1, 0, 0, 1, 1, 0, 0)^T
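The toy [3,2] codebook, the Hamming [7,4,3] generator matrix above, code distance and minimum-distance decoding, as a Python example added here (not code from the slides). It also checks the Singleton bound d ≤ n – k + 1 that the next slide names; Reed-Solomon codes meet it with equality, which is the MDS property stated later.

```python
# Linear block codes over GF(2): the toy [3,2] codebook of the slides and the
# [7,4,3] Hamming code with the n x k generator matrix G shown on the slide.
# Example code added here, not from the slides.
from itertools import product

def hamming_distance(u, v):
    """Number of positions in which two words of equal length differ."""
    return sum(a != b for a, b in zip(u, v))

def min_distance(codewords):
    """Code distance d: the smallest Hamming distance between two distinct code words."""
    words = list(codewords)
    return min(hamming_distance(u, v) for i, u in enumerate(words) for v in words[i + 1:])

def encode(G, msg):
    """c = G m over GF(2). G is n x k as on the slide: one row per code-word position."""
    return tuple(sum(g * m for g, m in zip(row, msg)) % 2 for row in G)

def all_codewords(G, k):
    """The whole code, generated from G rather than stored in a codebook."""
    return {encode(G, m) for m in product((0, 1), repeat=k)}

def singleton_bound_holds(n, k, d):
    """Singleton bound: any [n, k, d] code satisfies d <= n - k + 1."""
    return d <= n - k + 1

def nearest_codeword(code, received):
    """Minimum-distance decoding; corrects up to floor((d - 1) / 2) bit errors."""
    return min(code, key=lambda c: hamming_distance(c, received))

# Toy code of the "Error Correction" slide: a stored mapping with no structure.
TOY_CODEBOOK = {(0, 0): (0, 0, 0), (0, 1): (0, 0, 1), (1, 0): (0, 1, 0), (1, 1): (0, 1, 1)}

# Hamming [7,4,3] generator matrix of the "Linear Codes" slide (7 x 4).
HAMMING_G = [
    (1, 0, 0, 0), (0, 1, 0, 0), (0, 0, 1, 0), (0, 0, 0, 1),
    (0, 1, 1, 1), (1, 0, 1, 1), (1, 1, 0, 1),
]

if __name__ == "__main__":
    hamming = all_codewords(HAMMING_G, 4)
    print(len(hamming), min_distance(hamming))              # 16 code words, d = 3
    c = encode(HAMMING_G, (1, 0, 0, 1))
    damaged = tuple(b ^ (i == 2) for i, b in enumerate(c))  # flip one bit (constructed error)
    print(c, damaged, nearest_codeword(hamming, damaged))
    print(min_distance(TOY_CODEBOOK.values()))               # d of the toy code
```

Because the Hamming code is linear, the 16 code words are regenerated from the four columns of G whenever needed; the toy code has no such structure and exists only as its table.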

Singleton Bound

A code over alphabet of length and min distance

How many code words possible?

Singleton Bound:

Reed Solomon Code

Applications: CDs, space communication, …

Robust against burst errors

From left: Gustave Solomon & Irving S. Reed

[1960] Reed Solomon Code

Reed Solomon Code (Original View)

Given , create a polynomial p

p has degree at most

A non-zero polynomial of degree with coefficients from field has at most roots in .

Reed Solomon Sketch (Original View)

points are sufficient for describing the polynomial.

Instead, we evaluate the polynomial at points and send them.

Reed Solomon Sketch

Decoding: look at all possible subsets from the set of n symbols received

Interpolate a message polynomial for each subset

The most popular message is the correct result

But impractical: for [255,249,6], the number of subsets is 359 billion

RS Sketch

Reed Solomon Code

Finite Fields

Field

A set of elements with two operations, “Addition” and “Multiplication”, defined on these elements.

Closed under these two operations: basically all arithmetic operations are allowed

Examples: the set of real numbers, the set of rational numbers, …

Finite Field

A field with a finite number of elements.

Example: {0,1} with modulo operations. In general {0, 1, 2, …, p – 1} is a field with p elements under modulo operations (p is prime).

How to construct fields with 8 elements?

In general, how to construct fields with p^r elements?

Galois Field GF(2^m)

A field with 2^m elements can be constructed by extending the field GF(2), which is {0,1}.

Let α denote an additional element in GF(2^m).

Now GF(2^m) = {0, 1, α, α^2, …, α^(2^m – 1), α^(2^m), …}

To make the number of elements 2^m, we restrict α^(2^m – 1) = 1 = α^0

GF(2^m) = {0, α^0, α, …, α^(2^m – 2)}

Any non-zero element in GF(2^m) can be written as a polynomial of degree at most m – 1.

Coefficients are from GF(2); they can also be mapped to binary values.

Primitive Polynomial

An irreducible polynomial f(x) of degree m is said to be primitive if the smallest positive integer n for which f(x) divides x^n + 1 is n = 2^m – 1.

Example: 1 + x + x^4, because it divides x^n + 1 for n = 15 and not for other values less than 15.

Used for constructing GF(2^m); RS codes use GF(2^m).

The Field GF(2^3)

Let f(x) = 1 + x + x^3 be a primitive polynomial. Let α, an element of the extension field, be defined as the root of the polynomial f(x).

1 + α + α^3 = 0 ⇒ α^3 = 1 + α
⇒ α^4 = α + α^2
⇒ α^5 = 1 + α + α^2
⇒ α^6 = 1 + α^2
⇒ α^7 = 1

Reed Solomon Code: RS[n,k,d]

• Given n = 2^m – 1, k = 2^m – 1 – 2t, an RS code can be constructed as follows (t is the number of errors it can correct)
– Construct a finite field GF(2^m) with 2^m elements using an irreducible polynomial
– Choose α_1, …, α_n from the field GF(2^m)
– Given in GF(2^m), create a polynomial p
– The codeword is

Properties of RS(n,k,d)

Linear code

Cyclic

d = n – k + 1 (Maximum Distance Separable)

Can correct up to n – k erasures

Can correct up to (n – k)/2 symbol errors

Systematic Encoding

This form of encoding is not in systematic form

Systematic form: parity symbols, then message symbols

Message symbols: 010 110 111
Code word: 100 001 011 101 010 110 111

Message polynomial: α + α^3 x + α^5 x^2

Code polynomial: α^0 + α^2 x + α^4 x^2 + α^6 x^3 + α x^4 + α^3 x^5 + α^5 x^6

A generator polynomial g(x) is defined as g(x) = (x – α)(x – α^2) … (x – α^(2t))

Encoding in Systematic Form

Shift the message polynomial m(x) by 2t positions by multiplying m(x) by x^(2t).

Define p(x) = x^(2t) m(x) (mod g(x))

The final codeword polynomial u(x) is

u(x) = p(x) + x^(2t) m(x)

Example RS[7,3,5]

Message polynomial: α + α^3 x + α^5 x^2

Yielding α x^4 + α^3 x^5 + α^5 x^6 after multiplication with x^(2t), i.e. x^4

Take g(x) = (x – α)(x – α^2)(x – α^3)(x – α^4) = x^4 – α^3 x^3 + α^0 x^2 – α x + α^3
          = α^3 + α x + α^0 x^2 + α^3 x^3 + x^4

Next divide α x^4 + α^3 x^5 + α^5 x^6 by g(x) to find the remainder p(x) = α^0 + α^2 x + α^4 x^2 + α^6 x^3.

Now u(x) = α^0 + α^2 x + α^4 x^2 + α^6 x^3 + α x^4 + α^3 x^5 + α^5 x^6

Syndrome Computation

The syndrome is the result of a parity check performed on the received polynomial r(x) to determine whether r(x) is a valid codeword.

The syndromes are basically evaluations of the received polynomial r(x) at α, α^2, α^3, …, α^(2t).

S_i = r(α^i), i = 1, 2, …, 2t

If r(x) is a valid codeword then all the S_i evaluate to zero. Any non-zero S_i indicates the presence of errors.

Error Polynomial

The errors introduced by the channel during transmission can be modeled as a polynomial e(x) over the field GF(2^m).

Hence r(x) = u(x) + e(x).

The problem of finding e(x) from r(x) (or from the syndromes) is decoding.

Properties of RS codes

Given any collection of k coefficients from the polynomial u(x), it is possible to construct the remaining coefficients of u(x).

If at most t of the coefficients of u(x) are incorrect, it is possible to reconstruct all the coefficients of u(x) correctly.

Polynomial multiplication/division using the FFT takes O(k log k), where k is the maximum of the degrees of the polynomials.

Structure of Syndrome

Error polynomial e(x) = e_0 + e_1 x + … + e_n x^n

Suppose the received polynomial r(x) has ν errors in it at the locations i_1, i_2, …, i_ν. The magnitude of the error at these locations is e_(i_j).

Then the syndromes can be written in the form

S_j = e_(i_1) X_1^j + e_(i_2) X_2^j + … + e_(i_ν) X_ν^j,  j = 1, 2, …, 2t

where X_l = α^(i_l)

Decoders for Reed Solomon Codes

Outline

1. Calculate syndromes

2. Find the error locator polynomial: Peterson-Gorenstein-Zierler Decoder

3. Find error locations: Chien Search

4. Find error values: Forney’s Algorithm

Generating Syndrome Polynomials

S_j = Σ_k Y_k X_k^j, where Y_k = e_(i_k) and X_k = α^(i_k)

Non-linear system!!

Finding S_j for j = 1 to 2t

Error Locator Polynomial

a = 3

Intuition: the roots of this polynomial are the inverses of the error locations

Helps to find the locations where an error has occurred

Expanding Λ(x):

Using Error Locator Polynomial

For x = X_l^(–1) and for any 1 ≤ l ≤ ν

Multiplying throughout by Y_l X_l^(j+ν)

Sum over l = 1 to t

Repeating for j = 1 to

Equations (1) – (4) now form a system of linear equations

Peterson-Gorenstein-Zierler Decoder (1960)

Solve for the Λ_i by finding the largest value of ν for which M_ν is non-singular, starting from ν = t

Overall this algorithm runs in polynomial time: ν ≤ t; 2t = n – k = O(n) (could also be O(1) for large n and k)

Use polynomial-time algorithms for matrix determinants and inversion


Chien Search

Find the roots of the error locator polynomial Λ(x) by exhaustive search

Evaluate Λ(α^i) for i = 1, 2, …, 2t

Find all i where Λ(α^i) = 0: α^i is a root of Λ(x)

Error locations will also be of the form α^j

Here, α^j = (α^i)^(–1) and j = 2t – i.

If the number of errors found is ≥ t, abort the process

Lambda

Finding error values

Convert to matrix form: Vandermonde matrix

Forney’s Algorithm

Defining the syndrome polynomial:

Defining the error evaluator polynomial:

Error value Y_i for all i ∈ {1, 2, …, }:

where b is the degree of the smallest root of the generating function of the code &


Dial ‘D’ for your message

r(x) = u(x) + e(x)

Decoding techniques determine e(x) completely

Hence u(x) = r(x) – e(x): the message sent is recovered
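The Reed-Solomon pipeline from the "Encoding in Systematic Form" slide through the decoder outline, as a Python example added here (not code from the slides): GF(2^3) built from the slides' primitive polynomial 1 + x + x^3, the generator g(x) for t = 2, systematic encoding of the slides' message α + α^3 x + α^5 x^2, syndrome computation, and a decoder that follows the outline with the Peterson-Gorenstein-Zierler system for the error locator and a Chien search for the locations. For the error values it solves the Vandermonde system of the "Finding error values" slide instead of applying Forney's formula; that substitution is a choice of this example, not the slides' method. It reproduces the slides' code word α^0 + α^2 x + α^4 x^2 + α^6 x^3 + α x^4 + α^3 x^5 + α^5 x^6 and corrects two constructed symbol errors.

```python
# Reed-Solomon over GF(2^3) end to end, as on the slides: field from 1 + x + x^3,
# g(x) = (x - a)(x - a^2)...(x - a^2t), systematic encoding, syndromes, then PGZ
# (error locator), Chien search (locations) and the Vandermonde system (values).
# Example added here, not from the slides. Field elements are 3-bit ints, bit i =
# coefficient of alpha^i (so alpha = 2); polynomials are lists indexed by degree.
M, PRIM = 3, 0b1011                   # GF(2^3), primitive polynomial x^3 + x + 1
Q, N = 1 << M, (1 << M) - 1           # field size and RS block length n = 2^m - 1
EXP, LOG, _v = [0] * (2 * N), [0] * Q, 1
for _i in range(N):                   # powers of alpha: shift, reduce by PRIM
    EXP[_i], LOG[_v] = _v, _i
    _v = (_v << 1) ^ (PRIM if _v & (Q >> 1) else 0)
EXP[N:] = EXP[:N]                     # so that LOG[a] + LOG[b] never overflows

def gmul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]
def ginv(a):
    return EXP[(N - LOG[a]) % N]
def alpha(i):
    return EXP[i % N]

def padd(a, b):
    a, b = a + [0] * (len(b) - len(a)), b + [0] * (len(a) - len(b))
    return [x ^ y for x, y in zip(a, b)]

def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] ^= gmul(x, y)
    return out

def pmod(a, g):                       # remainder of a(x) divided by monic g(x)
    a = a + [0] * (len(g) - 1 - len(a))
    for i in range(len(a) - 1, len(g) - 2, -1):
        for j, gj in enumerate(g):
            a[i - len(g) + 1 + j] ^= gmul(a[i], gj)
    return a[:len(g) - 1]

def peval(p, x):
    acc = 0
    for c in reversed(p):
        acc = gmul(acc, x) ^ c
    return acc

def generator(t):
    """g(x) = (x - alpha)...(x - alpha^2t); minus equals plus in GF(2^m)."""
    g = [1]
    for i in range(1, 2 * t + 1):
        g = pmul(g, [alpha(i), 1])
    return g

def encode_systematic(msg, t):
    """u(x) = p(x) + x^2t m(x), p(x) = x^2t m(x) mod g(x): parity, then message."""
    shifted = [0] * (2 * t) + list(msg)
    return padd(pmod(shifted, generator(t)), shifted)

def syndromes(r, t):
    """S_i = r(alpha^i), i = 1..2t; all zero exactly when r(x) is a code word."""
    return [peval(r, alpha(i)) for i in range(1, 2 * t + 1)]

def solve(A, b):
    """Gauss-Jordan elimination over GF(2^m); returns None if A is singular."""
    n, rows = len(A), [list(A[i]) + [b[i]] for i in range(len(A))]
    for col in range(n):
        piv = next((r for r in range(col, n) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = ginv(rows[col][col])
        rows[col] = [gmul(inv, v) for v in rows[col]]
        for r in range(n):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [v ^ gmul(f, w) for v, w in zip(rows[r], rows[col])]
    return [row[n] for row in rows]

def decode(r, t):
    """Correct up to t symbol errors in r(x); ValueError if that is impossible."""
    S = syndromes(r, t)
    if not any(S):
        return list(r)
    # PGZ: largest nu <= t with a non-singular syndrome matrix, starting at nu = t;
    # row j encodes S[j+nu] + L1 S[j+nu-1] + ... + Lnu S[j] = 0 (0-based: S[0] = S_1).
    for nu in range(t, 0, -1):
        lam = solve([[S[j + nu - 1 - i] for i in range(nu)] for j in range(nu)],
                    [S[j + nu] for j in range(nu)])
        if lam is not None:
            break
    else:
        raise ValueError("syndromes inconsistent with at most t errors")
    # Chien search: a root alpha^i of Lambda(x) = 1 + L1 x + ... is the inverse of an
    # error location alpha^p, so p = -i mod n.
    positions = [(-i) % N for i in range(N) if peval([1] + lam, alpha(i)) == 0]
    if len(positions) != nu:
        raise ValueError("uncorrectable: more than t errors")
    # Error values: S_j = sum_k Y_k X_k^j with X_k = alpha^p_k, a Vandermonde system in Y.
    Y = solve([[alpha(p * j) for p in positions] for j in range(1, nu + 1)], S[:nu])
    out = list(r)
    for p, y in zip(positions, Y):
        out[p] ^= y
    return out
```

Running `encode_systematic([2, 3, 7], 2)` (the message α, α^3, α^5 as field integers) returns the parity symbols α^0, α^2, α^4, α^6 followed by the message, matching the slides' u(x); flipping two symbols of that code word gives non-zero syndromes, and `decode` returns the original code word. With more than t errors the PGZ step or the Chien search fails consistency and the decoder raises rather than returning a wrong code word, which is the check a receiver must act on.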

We are done!!

Extras

Other, more efficient (implementation-wise) algorithms for decoding:

Berlekamp-Massey Decoder (LFSR and iterative correction)

Euclidean Algorithm (values and locations simultaneously determined using an iterative GCD of polynomials)

Decoders implemented as dedicated chips by manufacturers (hardware and software)

Thanks for your attention!!