Sicurezza delle Reti Esercitazione

22-05-2012

[email protected]

Why this lesson?

• Do you really know what a group is?

• Do you know how to obtain a group?

• Do you know how modular arithmetic works?

• Why do the crypto assumptions work?

• How to choose a group?

• Many boring, but useful, things explained in this lesson!
  • I hope

Sicurezza delle Reti - Esercitazione

Groups

• Let 𝔾 be a set and ∘(•,•) a binary operator

• We define (𝔾, ∘) as a “group” if we have:
  • Closure: ∀g, h ∈ 𝔾 ⇒ g ∘ h ∈ 𝔾
  • Identity Element: ∃e ∈ 𝔾 s.t. ∀g ∈ 𝔾 ⇒ e ∘ g = g
  • Inverse Element: ∀g ∈ 𝔾 ∃h ∈ 𝔾 s.t. h ∘ g = e
  • Associativity: ∀g1, g2, g3 ∈ 𝔾 ⇒ (g1 ∘ g2) ∘ g3 = g1 ∘ (g2 ∘ g3)

• A group (𝔾, ∘) is abelian if:
  • Commutativity: ∀g, h ∈ 𝔾 ⇒ g ∘ h = h ∘ g

• If 𝔾 has a finite number of elements ⇒ finite group
  • The order of 𝔾 is denoted by |𝔾|

Groups: example

• Consider the set of integers ℤ
  • We have all values in {0, 1, 2, …} ∪ {−1, −2, −3, …}

• What about (ℤ, ∘) = (ℤ, +)?
  • Closure: g + h ∈ ℤ?
  • Identity Element: e s.t. g + e = g?
  • Inverse Element: h s.t. g + h = e?
  • Associativity: (a + b) + c = a + (b + c)?
  • Commutativity: a + b = b + a?

• Finite group?


Groups: example

• Consider the set of integers ℤ
  • We have all values in {0, 1, 2, …} ∪ {−1, −2, −3, …}

• What about (ℤ, ∘) = (ℤ, ∙)?
  • Closure: g ∙ h ∈ ℤ?
  • Identity Element: e s.t. g ∙ e = g?
  • Inverse Element: h s.t. g ∙ h = e?
  • Associativity: (a ∙ b) ∙ c = a ∙ (b ∙ c)?
  • Commutativity: a ∙ b = b ∙ a?

• Finite group?


Groups: example

• Consider the set of reals ℝ
  • What about (ℝ, ∘) = (ℝ, ∙)?
  • Closure: g ∙ h ∈ ℝ?
  • Identity Element: e s.t. g ∙ e = g?
  • Inverse Element: h s.t. g ∙ h = e?
  • Associativity: (a ∙ b) ∙ c = a ∙ (b ∙ c)?
  • Commutativity: a ∙ b = b ∙ a?

• Finite group?

• Try with the set of reals ℝ \ {0}


Divisibility

• In the set of integers ℤ we can’t always divide

  24 ÷ 6 = 4 ∈ ℤ   …but…   24 ÷ 5 ∉ ℤ

• We say that "a divides b" (a | b) if:

  ∃c ∈ ℤ : a ∙ c = b

• Observe that if a | b and a | c then:

  a | (Xb + Yc), ∀X, Y ∈ ℤ

Primes

• If a | b: a is a divisor of b
  • If a | b and a ≠ 1, b: a is a factor of b

• An integer p > 1 is prime if it has no factors

• A prime can be divided only by 1 and itself

• A positive integer that is not prime is composite and:

  N = ∏ᵢ pᵢ^eᵢ , {pᵢ}: primes

Divisibility: obvious

• We can write a relation between integers a, b: a = qb + r

  q = ⌊a / b⌋

• If c | ab and gcd(a, c) = 1 ⇒ c | b

• If p prime and p | ab ⇒ p | a or p | b

• If gcd(p, q) = 1 and p | N and q | N ⇒ pq | N

Modular Arithmetic

• Let a, N ∈ ℤ
  • Remember that: a = qN + r

  a mod N ≡ r

• We obtained that:

  a ∈ {…, −2, −1, 0, 1, 2, …}

  but…

  r ∈ {0, 1, 2, …, N − 1} ⇒ ℤN = {0, …, N − 1}

Modular Arithmetic

• Modular arithmetic works as you expect:

  N = 12 ⇒ ℤ12 = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11}

  • 15 + 16 = ? in ℤ12
  • 15 ∗ 16 = ? in ℤ12
  • 15 − 16 = ? in ℤ12

• Can reduce first, then compute:
  • 198275 + 982763 = 75 + 63 = 38 in ℤ100

Groups: ℤN

• Consider the set of integers ℤN
  • Let N > 1 ⇒ ℤN = {0, …, N − 1}
  • Define the addition as a + b ≝ [(a + b) mod N]

• What about (ℤN, ∘) = (ℤN, +)?
  • Closure: g + h ∈ ℤN?
  • Identity Element: e s.t. g + e = g?
  • Inverse Element: h s.t. g + h = e?
  • Associativity: (a + b) + c = a + (b + c)?
  • Commutativity: a + b = b + a?

• Finite group?

Groups: ℤN

• Consider the set of integers ℤN
  • Let N > 1 ⇒ ℤN = {0, …, N − 1}
  • Define the multiplication as a ∗ b ≝ [(a ∗ b) mod N]

• What about (ℤN, ∘) = (ℤN, ∗)?
  • Closure: g ∗ h ∈ ℤN?
  • Identity Element: e s.t. g ∗ e = g?
  • Inverse Element: h s.t. g ∗ h = e?
  • Associativity: (a ∗ b) ∗ c = a ∗ (b ∗ c)?
  • Commutativity: a ∗ b = b ∗ a?

• Finite group?

Groups: ℤN∗

• Over the rationals we define the inverse as:

  a^−1 = 1 / a

• In ℤN we define the inverse of x as:

  y ∈ ℤN s.t. x ∙ y = 1 in ℤN

• Then the inverse of 2 in ℤN is always: (N + 1) / 2

  2 ∗ (N + 1) / 2 = N + 1 = 1 in ℤN

Groups: ℤN∗

• Then the inverse of 2 in ℤN is: (N + 1) / 2
  • Iff N is odd!
  • Else… no inverse!

• An element x in ℤN has an inverse iff:

  gcd(x, N) = 1 ⇔ x and N are relatively prime

• Can we define a multiplicative group over ℤN?

Groups: ℤN∗

• Can we define a multiplicative group over ℤN?

• ℤN∗ = set of invertible elements in ℤN = {x ∈ ℤN : gcd(x, N) = 1}

• Examples:
  • p prime ⇒ ℤp∗ = ℤp \ {0} = {1, 2, 3, …, p − 1}
  • N = 6 ⇒ ℤ6∗ = {1, 5}
  • N = 12 ⇒ ℤ12∗ = {1, 5, 7, 11}

Groups: ℤN∗

• Consider the set of integers ℤN∗
  • Let N > 1 ⇒ ℤN∗ = {x ∈ ℤN : gcd(x, N) = 1}
  • Define the multiplication as a ∗ b ≝ [(a ∗ b) mod N]

• What about (ℤN∗, ∘) = (ℤN∗, ∗)?
  • Closure: g ∗ h ∈ ℤN∗?
  • Identity Element: e s.t. g ∗ e = g?
  • Inverse Element: h s.t. g ∗ h = e?
  • Associativity: (a ∗ b) ∗ c = a ∗ (b ∗ c)?
  • Commutativity: a ∗ b = b ∗ a?

• Finite group?

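The questions on the ℤN and ℤN∗ slides can be answered exhaustively for small N. The following Python is an added example, not code from the slides: it checks (ℤN, +), (ℤN, ∗) and (ℤN∗, ∗) against the group definition and lists ℤ6∗ and ℤ12∗; the function names are my own.

```python
# Added example (not from the original slides): brute-force check of the
# group axioms for (Z_N, +), (Z_N, *) and (Z_N^*, *) on small N.
from math import gcd

def axioms(elems, op):
    """Check the group axioms of the slides exhaustively for a finite set
    under the binary operation op; returns which ones hold."""
    elems = list(elems)
    closure = all(op(g, h) in elems for g in elems for h in elems)
    identity = next((e for e in elems
                     if all(op(e, g) == g for g in elems)), None)
    inverses = identity is not None and all(
        any(op(h, g) == identity for h in elems) for g in elems)
    assoc = all(op(op(a, b), c) == op(a, op(b, c))
                for a in elems for b in elems for c in elems)
    commut = all(op(a, b) == op(b, a) for a in elems for b in elems)
    return {"closure": closure, "identity": identity, "inverse": inverses,
            "associative": assoc, "commutative": commut,
            "group": closure and identity is not None and inverses and assoc}

def units(N):
    """Z_N^*: the elements of Z_N with an inverse, i.e. coprime with N."""
    return [x for x in range(N) if gcd(x, N) == 1]

def additive_group(N):
    """(Z_N, +) with a + b := (a + b) mod N."""
    return axioms(range(N), lambda a, b: (a + b) % N)

def multiplicative_group(N):
    """(Z_N, *): not a group, 0 (and any x with gcd(x, N) > 1) has no inverse."""
    return axioms(range(N), lambda a, b: (a * b) % N)

def unit_group(N):
    """(Z_N^*, *): the invertible elements do form a group."""
    return axioms(units(N), lambda a, b: (a * b) % N)

if __name__ == "__main__":
    for N in (6, 7, 12):
        print(N, "Z_N^* =", units(N),
              "(Z_N,+):", additive_group(N)["group"],
              "(Z_N,*):", multiplicative_group(N)["group"],
              "(Z_N^*,*):", unit_group(N)["group"])
```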

Euclid Algorithm

• For a, b ∈ ℤ: gcd(a, b) is the greatest common divisor
  • There exist X, Y ∈ ℤ s.t. Xa + Yb = gcd(a, b)

• How to calculate gcd(a, b)? Use the Euclid Algorithm

  gcd(12, 18) = 6 ⇒ 12X + 18Y = 6

• If gcd(a, b) = 1 ⇒ a and b are relatively prime

  gcd(5, 16) = 1 ⇒ 5X + 16Y = 1

• How to calculate X and Y? Use the Extended Euclid Algorithm

  12X + 18Y = 6 ⇒ 12 ∙ 2 + 18 ∙ (−1) = 6

Euclid Algorithm

• We want to calculate gcd(1970, 1066): how to do it?
  • Prime factorization of composite numbers:

  1970 ÷ 2 = 985,  985 ÷ 5 = 197
  1066 ÷ 2 = 533,  533 ÷ 13 = 41

• We can write them as:

  1970 = 2 ∙ 5 ∙ 197
  1066 = 2 ∙ 13 ∙ 41

Euclid Algorithm

• We want to calculate gcd(1970, 1066): how to do it?
  • Use the Euclid Algorithm:

  gcd(1970, 1066) ⇒ gcd(1066, 904) ⇒ gcd(904, 162) ⇒ gcd(162, 94) ⇒ gcd(94, 68) ⇒ gcd(68, 26) ⇒ gcd(26, 16) ⇒ gcd(16, 10) ⇒ gcd(10, 6) ⇒ gcd(6, 4) ⇒ gcd(4, 2) ⇒ gcd(2, 0)

  def gcd(a, b):
      # "b | a" on the slide means b divides a, i.e. a % b == 0: then gcd(a, b) = b
      if b == 0:
          return a
      if a % b == 0:
          return b
      return gcd(b, a % b)

Extended Euclid Algorithm

• We want to calculate X, Y: how to do it?
  • Remember that ∃q, r : a = qb + r

• Use the Extended Euclid Algorithm:

  egcd(5, 3) = (1, −1, 2)

  Solving: q = ⌊5 / 3⌋ = 1, r = 5 − 3 = 2, then 3X + 2Y = 1 …

  def egcd(a, b):
      # returns (d, X, Y) with d = gcd(a, b) and X*a + Y*b = d
      if b == 0:
          return (a, 1, 0)
      if a % b == 0:              # b | a: gcd is b, and 0*a + 1*b = b
          return (b, 0, 1)
      q = a // b
      r = a - q * b               # a = q*b + r
      (d, X, Y) = egcd(b, r)      # X*b + Y*r = d
      return (d, Y, X - Y * q)    # substitute r = a - q*b

Linear equations

• We learned how to compute in modular arithmetic
  • We learned that it is very simple

• Can we solve modular equations?

  ax + b = 0 in ℤN

  x = −b / a in ℤN ⇒ x = −b ∗ a^−1 in ℤN

• Solve the equation 3x + 2 = 7 in ℤ19 ⇒ x = 8
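As an added example (not from the slides) of the method above: solving ax + b = c in ℤN with the extended Euclid algorithm, covering also the case gcd(a, N) ≠ 1, where a^−1 does not exist and the slide's formula does not apply. The functions solve_linear, modinv and the sample equations other than 3x + 2 = 7 in ℤ19 are my own.

```python
# Added example (not from the original slides): solving a*x + b = c in Z_N
# with the extended Euclid algorithm, including the case gcd(a, N) != 1.
def egcd(a, b):
    """Extended Euclid, iterative: returns (d, X, Y) with d = gcd(a, b)
    and X*a + Y*b = d."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a, N):
    """a^-1 in Z_N, or None when gcd(a, N) != 1 (then no inverse exists)."""
    d, X, _ = egcd(a % N, N)
    return X % N if d == 1 else None

def solve_linear(a, b, c, N):
    """All x in Z_N with a*x + b = c in Z_N, as a sorted list.
    With d = gcd(a, N): no solution unless d | (c - b), otherwise exactly d
    solutions, spaced N/d apart (d = 1 is the slide's x = (c - b) * a^-1)."""
    rhs = (c - b) % N
    d, _, _ = egcd(a % N, N)
    if rhs % d != 0:
        return []
    a2, rhs2, N2 = (a % N) // d, rhs // d, N // d   # divide everything by d
    x0 = (rhs2 * modinv(a2, N2)) % N2               # now gcd(a2, N2) = 1
    return sorted((x0 + k * N2) % N for k in range(d))

if __name__ == "__main__":
    print(modinv(3, 19))                 # 13, since 3 * 13 = 39 = 1 in Z_19
    print(solve_linear(3, 2, 7, 19))     # [8]: the slide's 3x + 2 = 7 in Z_19
    print(solve_linear(2, 0, 2, 4))      # [1, 3]: gcd(2, 4) = 2 solutions
    print(solve_linear(2, 0, 1, 4))      # []: 2x = 1 has no solution in Z_4
```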

Cyclic Groups

• Let 𝔾 be a finite group of order m
  • 𝔾 is a cyclic group if:

  ∃g : {g^0, g^1, g^2, …, g^(m−1)} = 𝔾

• Where g is a generator

• N = 7 ⇒ ℤN∗ = {1, 2, 3, 4, 5, 6}
  • g = 2 ⇒ {2^0, 2^1, 2^2, 2^3, 2^4, 2^5} = {1, 2, 4, 1, 2, 4}
  • g = 3 ⇒ {3^0, 3^1, 3^2, 3^3, 3^4, 3^5} = {1, 3, 2, 6, 4, 5} = 𝔾

Cyclic Groups: order

• The group generated by g: <g> = {g^0, g^1, g^2, …}
  • Defines a sub-group of ℤN∗

• The order of <g> is the smallest a > 0 s.t. g^a = 1 in ℤN

• For groups of prime order ⇒ all elements are generators
  • Except the identity!

• N.B. g^|ℤN∗| = 1 in ℤN

• |<3>| = 6 in ℤ7, |<2>| = 3 in ℤ7, |<1>| = 1 in ℤ7

Cyclic Groups: order

• For an integer N define 𝜑(N) = |ℤN∗| ⇒ Euler’s 𝜑 totient function

• What about the value of 𝜑(N)?
  • If N prime: 𝜑(N) = N − 1
  • If N = p ∗ q: 𝜑(N) = (p − 1) ∗ (q − 1)
  • If N = ∏ᵢ pᵢ^eᵢ: 𝜑(N) = ∏ᵢ (pᵢ − 1) ∗ pᵢ^(eᵢ − 1)

• ∀x ∈ ℤN∗ ⇒ x^𝜑(N) = 1 in ℤN

• ∀x ∈ ℤN∗ ⇒ x^i in ℤN∗ = x^(i mod 𝜑(N))

• Useful in the RSA Assumption! Do you remember it?


Cyclic Groups: find primes

• If p prime: 𝜑(p) = p − 1

• ∀x ∈ ℤp∗ ⇒ x^𝜑(p) = 1 in ℤp

• We want to generate a prime of ℓ bits

1. Choose a random x ∈ [2^ℓ, 2^(ℓ+1) − 1]
2. Compute y = 2^(x−1) in ℤx
3. If y = 2^(x−1) = 1 in ℤx ⇒ x is prime
4. Warning: P(x not prime) < 2^−60
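An added example (not from the slides) of the test above: the base-2 Fermat test of step 3, a version repeated with random bases, and the composites below 700 that the base-2 test accepts, which is what the warning in step 4 is about. The function names and the 16-bit size are my own choices.

```python
# Added example (not from the original slides): the base-2 Fermat test of
# the slide and why the "P(x not prime)" warning matters.
import random
from math import gcd

def fermat_base2(x):
    """Step 3 of the slide: accept x as prime when 2^(x-1) = 1 in Z_x."""
    return x > 2 and pow(2, x - 1, x) == 1

def is_prime_trial(x):
    """Exact reference check by trial division (small x only)."""
    return x >= 2 and all(x % d for d in range(2, int(x ** 0.5) + 1))

def fermat(x, rounds=20, rng=random):
    """Fermat test with random bases 1 < a < x: False as soon as a base
    with gcd(a, x) > 1 or a^(x-1) != 1 is found, else 'probably prime'."""
    if x < 4:
        return x in (2, 3)
    for _ in range(rounds):
        a = rng.randrange(2, x)
        if gcd(a, x) != 1 or pow(a, x - 1, x) != 1:
            return False
    return True

def random_probable_prime(bits, rng=random):
    """Steps 1-3 of the slide: draw x in [2^bits, 2^(bits+1) - 1] until the
    Fermat test accepts it."""
    while True:
        x = rng.randrange(2 ** bits, 2 ** (bits + 1))
        if fermat(x, rng=rng):
            return x

def base2_false_positives(limit):
    """Composites below limit that fermat_base2 wrongly accepts (step 4).
    561 = 3*11*17 is a Carmichael number: it passes for every base coprime
    with it, so only a base sharing a factor (the gcd check) exposes it."""
    return [x for x in range(3, limit)
            if fermat_base2(x) and not is_prime_trial(x)]

if __name__ == "__main__":
    print(base2_false_positives(700))        # [341, 561, 645]
    print(fermat_base2(561), is_prime_trial(561))   # True False
    p = random_probable_prime(16)
    print(p, is_prime_trial(p))
```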

Review

• We defined (𝔾, ∘) as a group if it has some properties…

• We defined a mod N as the remainder of a divided by N

• We defined the additive ℤN and multiplicative ℤN∗ groups over N

• We defined how to find and test a prime

• We discovered when a group is cyclic and what a generator is

A trick: Chinese Remainder

• We have N = p ∗ q composite
  • We want to compute: x mod N
  • We can reduce it… there exists a theorem for it!

  x mod (p ∗ q) = {x mod p, x mod q}

• Compute:
  • 177 mod 35 = (177 mod 5, 177 mod 7) = (2, 2) = 2 mod 35
  • 24 mod 35 = (24 mod 5, 24 mod 7) = (4, 3)

• Can simplify the representation through pairs!
  • Can improve some computations in RSA!

All together

Remembering the above concepts, compute:

• 14 ∗ 13 mod 15 = ?

• 11^2 mod 15 = ?

• 29^100 mod 35 = ?

• 18^25 mod 35 = ?

• How many elements in ℤ15? What about generators?
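An added example (not from the slides) of the CRT trick: mapping x mod 35 to a pair and back, then using the pair representation together with Euler's theorem to evaluate the four numeric exercises above. The helper names are mine.

```python
# Added example (not from the original slides): the CRT representation
# x mod p*q <-> (x mod p, x mod q) in both directions, then used with
# Euler's theorem on the "All together" exercises for N = 35 = 5 * 7.
from math import gcd

def to_pair(x, p, q):
    """x mod (p*q)  ->  (x mod p, x mod q)."""
    return (x % p, x % q)

def from_pair(pair, p, q):
    """(x mod p, x mod q)  ->  x mod (p*q), for gcd(p, q) = 1:
    x = xp + k*p with k = (xq - xp) * p^-1 mod q."""
    assert gcd(p, q) == 1
    xp, xq = pair
    k = ((xq - xp) * pow(p, -1, q)) % q
    return xp + k * p

def pow_mod_pq(x, i, p, q):
    """x^i mod p*q on the pair: in Z_p the exponent reduces mod p - 1 when
    gcd(x, p) = 1 (Fermat), likewise in Z_q; then recombine with the CRT."""
    xp, xq = to_pair(x, p, q)
    ep = i % (p - 1) if xp else i
    eq = i % (q - 1) if xq else i
    return from_pair((pow(xp, ep, p), pow(xq, eq, q)), p, q)

def exercises():
    """The four numeric questions of the 'All together' slide."""
    return {"14*13 mod 15": (14 * 13) % 15,
            "11^2 mod 15": pow(11, 2, 15),
            "29^100 mod 35": pow_mod_pq(29, 100, 5, 7),
            "18^25 mod 35": pow_mod_pq(18, 25, 5, 7)}

if __name__ == "__main__":
    print(to_pair(177, 5, 7), from_pair((2, 2), 5, 7))   # (2, 2) 2
    print(to_pair(24, 5, 7), from_pair((4, 3), 5, 7))    # (4, 3) 24
    for question, answer in exercises().items():
        print(question, "=", answer)
```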

Modular e-roots

• We know how to solve linear equations in ℤN

  ax + b = 0 in ℤN ⇒ x = −b ∗ a^−1 in ℤN

• What about higher degree polynomials?

• How to solve equations like:

  x^2 = 𝛼 or x^27 = 𝛼 or x^32 = 𝛼 in ℤN

Modular e-roots

• Let p be a prime and c ∈ ℤp

• If ∃e : x^e = c in ℤp ⇒ x is an e-th root of c

• Examples:
  • 7^(1/3) in ℤ11 ⇒ 7^(3^−1 mod 10) in ℤ11 = ?
  • 3^(1/2) in ℤ11 ⇒ 3^(2^−1 mod 10) in ℤ11 = ?
  • 1^(1/3) in ℤ11 ⇒ 1^(3^−1 mod 10) in ℤ11 = ?

Modular e-roots

• When does c^(1/e) in ℤp exist?

• Suppose gcd(e, p − 1) = 1:
  • Then ∀c ∈ ℤp∗ ⇒ ∃c^(1/e) in ℤp

• But what if gcd(e, p − 1) ≠ 1?

• Suppose e = 2
  • If p is prime ⇒ gcd(2, p − 1) = ?

Quadratic Residue

• If p is prime ⇒ gcd(2, p − 1) = 2

• Define as quadratic residue an element y ∈ ℤp∗:
  • If ∃x ∈ ℤp∗ s.t. x^2 = y mod p

• In ℤp∗ ⇒ f(x): x ⟼ x^2 is one-way

• x in ℤp is Q.R. if x^(1/2) is computable in ℤp

• Squares in ℤ11:

  x    −x    x^2
  1    10    1
  2     9    4
  3     8    9
  4     7    5
  5     6    3

Quadratic Residue

• If we have p = 3 mod 4
  • Can compute the square root efficiently:
  • If c ∈ ℤp∗ is Q.R. ⇒ √c = c^((p+1)/4) mod p

• Useful when we cannot invert 2 in ℤp−1

• Example:

  √4 in ℤ11 = 4^3 mod 11 = 9 ⇒ 9^2 mod 11 = 4

Quadratic Equations

• We know how to solve linear equations modulo N

  ax + b = 0 mod N ⇒ x = −b ∗ a^−1 mod N

• What about quadratic equations?

  ax^2 + bx + c = 0 mod N

• Standard solution:

  x = (−b ± √(b^2 − 4ac)) / (−2a) mod N

1. Compute: (−2a)^−1 mod N
2. Compute: (b^2 − 4ac)^(1/2) mod N
3. Put all together!

Quadratic Equations: example

• What about quadratic equations?

  x^2 + 4x + 1 = 0 mod 23

• Standard solution:

  x = (−4 ± √(16 − 4)) / (−2) mod 23

1. Compute: (−2)^−1 mod 23 = 11
2. Compute: (16 − 4)^(1/2) mod 23 = 9
3. Put all together ⇒ x1 = 9, x2 = 5
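An added example (not from the slides) covering the e-th root, square root and quadratic slides above: it computes c^(1/e) when gcd(e, p − 1) = 1, the square root via c^((p+1)/4) for p ≡ 3 mod 4 (after checking with Euler's criterion that c really is a Q.R.), and solves x^2 + 4x + 1 = 0 in ℤ23 using the textbook denominator 2a, keeping only the candidates that satisfy the equation when substituted back. The function names are mine.

```python
# Added example (not from the original slides): e-th roots, square roots
# and quadratic equations modulo a prime p, each result checked by
# substitution. Uses the textbook denominator 2a in the quadratic formula.
from math import gcd

def eth_root(c, e, p):
    """x with x^e = c in Z_p when gcd(e, p-1) = 1: x = c^(e^-1 mod (p-1))."""
    if gcd(e, p - 1) != 1:
        return None                      # e^-1 mod (p-1) does not exist
    d = pow(e, -1, p - 1)
    x = pow(c, d, p)
    assert pow(x, e, p) == c % p
    return x

def is_qr(c, p):
    """Euler's criterion: c in Z_p^* is a quadratic residue iff c^((p-1)/2) = 1."""
    return pow(c, (p - 1) // 2, p) == 1

def sqrt_mod(c, p):
    """Square root of c in Z_p for p = 3 mod 4: c^((p+1)/4). None if c is not a QR."""
    assert p % 4 == 3
    c %= p
    if c == 0:
        return 0
    if not is_qr(c, p):
        return None
    r = pow(c, (p + 1) // 4, p)
    assert (r * r) % p == c
    return r

def solve_quadratic(a, b, c, p):
    """Sorted roots of a*x^2 + b*x + c = 0 in Z_p (p prime, p = 3 mod 4)."""
    disc = (b * b - 4 * a * c) % p
    s = sqrt_mod(disc, p)
    if s is None:
        return []
    inv2a = pow(2 * a % p, -1, p)
    roots = {((-b + s) * inv2a) % p, ((-b - s) * inv2a) % p}
    # keep only candidates that really satisfy the equation
    return sorted(x for x in roots if (a * x * x + b * x + c) % p == 0)

if __name__ == "__main__":
    print(eth_root(7, 3, 11), eth_root(3, 2, 11), eth_root(1, 3, 11))  # 6 None 1
    print(sqrt_mod(4, 11), sqrt_mod(2, 11))   # 9 None (2 is not a Q.R. mod 11)
    print(solve_quadratic(1, 4, 1, 23))       # [5, 14]
```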

Sub-Groups

• If p is prime then the set of Q.R. is a sub-group of ℤp∗
  • ℚℝp ⊂ ℤp∗

• The square modulo p is a two-to-one function:

  |ℚℝp| = |ℤp∗| / 2 = (p − 1) / 2

• If we choose a prime q:
  • If p = 2 ∗ q + 1 is also prime ⇒ p is a strong prime

  |ℚℝp| = |ℤp∗| / 2 = (p − 1) / 2 = 2 ∗ q / 2 = q

Sub-Groups: example

1. Take: q = 5
2. Compute: p = 2 ∗ q + 1 = 11 ⇒ prime! Not so strong…
3. We have: ℤ11∗ = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} ⇒ |ℤ11∗| = 10
4. Take the group of residues ℚℝ11 = {1, 3, 4, 5, 9} ⇒ |ℚℝ11| = 5 ⇒ The order is prime!

• All elements except the identity are generators!

Sub-Groups: find generators

• We want to generate a group
  • We want to extract a generator of that group

  def generate(ℓ):
      p = find_strong_prime(ℓ)   # p = 2q + 1 with q prime
      q = (p - 1) // 2
      x = random(ℤp∗)            # random x in {1, …, p − 1}
      g = x**2 % p               # a square, hence an element of ℚℝp
      return (p, q, g)

  p = 11, q = 5, x = 7, g = 49 mod 11 = 5, return (p, q, g)

  <5> = {5^0, 5^1, 5^2, 5^3, 5^4} mod 11 = {1, 5, 3, 4, 9} = ℚℝ11
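A runnable version of generate(ℓ) above, added here and not the slides' own code: find_strong_prime by trial division (so only small ℓ), the squaring step that lands in ℚℝp, and a check that g has order q, which also catches x = ±1 (whose square is the identity). The slide's x = 7, p = 11 gives g = 5; the helper names are mine.

```python
# Added example (not from the original slides): runnable generate(l) for the
# prime-order subgroup QR_p of a strong prime p = 2q + 1.
import random

def is_prime(n):
    """Trial division; fine for the small sizes of this example only."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def find_strong_prime(bits, rng=random):
    """Random prime q of `bits` bits such that p = 2q + 1 is prime too."""
    while True:
        q = rng.randrange(2 ** (bits - 1), 2 ** bits)
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1

def generator_from(x, p):
    """The slide's squaring step: x in Z_p^* -> x^2 mod p, an element of QR_p."""
    return (x * x) % p

def has_order_q(g, p, q):
    """QR_p has prime order q, so g != 1 together with g^q = 1 means <g> = QR_p."""
    return g != 1 and pow(g, q, p) == 1

def generate(bits, rng=random):
    """Runnable version of the slide's generate(l): returns (p, q, g)."""
    p = find_strong_prime(bits, rng)
    q = (p - 1) // 2
    while True:
        x = rng.randrange(1, p)          # random x in Z_p^*
        g = generator_from(x, p)
        if has_order_q(g, p, q):         # x = +-1 gives g = 1, the identity: retry
            return p, q, g

if __name__ == "__main__":
    print(generator_from(7, 11), has_order_q(5, 11, 5))   # 5 True (slide's values)
    p, q, g = generate(8)
    print(p, q, g, has_order_q(g, p, q))
```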

How are bignums represented?

• We need a representation of big-nums
  • How to represent an n-bit number (e.g. n = 2048)?
  • We have only 32-/64-/128-bit architectures

• So… combine registers…

  | 32 bits | 32 bits | 32 bits | 32 bits | ⋯ |   ⇒ n/32 blocks

Computational costs

• Given an n-bit integer N
  • Sum in ℤN: T+ = O(n) ⇒ linear
  • Multiplication in ℤN: T∗ = O(n^2)
  • Division in ℤN: T÷ = O(n^2)
  • Exponentiation in ℤN: Texp < O(log n ∗ n^2)

Exponentiation

• Given a finite cyclic group 𝔾 (e.g. 𝔾 = ℤp∗)
  • We want to compute g^x efficiently

• Example:

  x = 53 = (110101)₂ = 32 + 16 + 4 + 1

  g^53 = g^32 ∗ g^16 ∗ g^4 ∗ g^1

Easy Problems

• Given composite N and x ∈ ℤN → find x^−1 in ℤN
  • Use the Extended Euclid Algorithm!

• Given prime p and a polynomial f(x) in ℤp
  • find x in ℤp s.t. f(x) = 0 in ℤp
  • Need to solve an equation in ℤp
  • Running time is linear in deg(f)

• … but many other problems are difficult

Hard Problems

• Integer Factoring
• RSA
• Discrete Logarithm
• Computational Diffie Hellman
• Decisional Diffie Hellman
• Many others…

Factoring Assumption

• Given p, q primes compute the composite N = p ∗ q

• We can say that factoring N is hard
  • NOT impossible ⇒ no theoretical proof!

• It depends on the generation of p, q
  • Length
  • Randomness
  • Distance between p, q

• Many algorithms to solve the factoring problem
  • All of them can’t factor a big and random N
  • … in reasonable time

RSA Assumption

• Assume that the factorization of N = p ∗ q is hard
  • We deduce that without knowing p, q:

• We cannot compute 𝜑(N) = (p − 1)(q − 1)

• So we cannot work with the exponent:

  x^i mod N = x^(i mod 𝜑(N))

• If we need to compute the e-th root, we need 𝜑(N)!

  x^(i^−1) mod N = x^(i^−1 mod 𝜑(N))

RSA Assumption

• RSA exploits this, obtaining something like factoring hardness!

  def generate(ℓ):
      (N, p, q) = generate_modulus(ℓ)        # N = p*q, with p, q primes
      𝜑(N) = (p - 1) * (q - 1)
      e = random(ℤN∗) with gcd(e, 𝜑(N)) = 1  # public exponent
      d = e^−1 mod 𝜑(N)                      # private exponent
      return (N, e, d)

  PK: (N, e)   SK: (N, d)

• The Public Key contains e but… one cannot compute: d = e^−1 mod 𝜑(N)

RSA Improvements

• To speed up RSA decryption use a small private key d (d ≈ 2^128)

  c^d = m (mod N)

• Wiener’87: if d < N^0.25 then RSA is insecure.

• BD’98: if d < N^0.292 then RSA is insecure

• Insecure: d can be found from (N, e) ⇒ Avoid that!

RSA Improvements

• To speed up RSA encryption use a small e:
  • c = m^e (mod N)
  • Minimum value: e = 3 (gcd(e, 𝜑(N)) = 1)
  • Recommended value: e = 65537 = 2^16 + 1
  • Encryption: 17 multiplications

• Asymmetry of RSA:
  • fast encryption / slow decryption
  • slow signature / fast verification
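An added example (not from the slides) that puts the RSA slides together: key generation as in generate(ℓ) with the recommended e = 65537, decryption both directly and with the CRT trick of the earlier slide, and the sanity checks the slides imply (e ∗ d = 1 mod 𝜑(N), and d not below the d < N^0.25 bound). The primes P and Q are two small Mersenne primes constructed for the example, far smaller than the modulus sizes of the next slide; the function names are mine.

```python
# Added example (not from the original slides): toy RSA key generation,
# encryption/decryption (plain and via CRT) and key sanity checks.
from math import gcd

P = 2 ** 31 - 1      # 2147483647, prime (constructed example value, not a real key size)
Q = 2 ** 61 - 1      # 2305843009213693951, prime (constructed example value)

def keygen(p, q, e=65537):
    """(N, e, d) as in the slide: d = e^-1 mod phi(N), phi(N) = (p-1)(q-1)."""
    N, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(N)")
    d = pow(e, -1, phi)
    return N, e, d

def encrypt(m, N, e):
    return pow(m, e, N)

def decrypt(c, N, d):
    return pow(c, d, N)

def decrypt_crt(c, p, q, d):
    """Same result as decrypt(), but with two half-size exponentiations:
    c^d mod p = c^(d mod (p-1)) mod p (Euler), likewise mod q, then
    recombine the pair (m mod p, m mod q) with the Chinese Remainder trick."""
    mp = pow(c % p, d % (p - 1), p)
    mq = pow(c % q, d % (q - 1), q)
    k = ((mq - mp) * pow(p, -1, q)) % q     # m = mp + k*p
    return mp + k * p

def check_key(N, e, d, phi):
    """Key sanity checks: e*d = 1 mod phi, and d not so small that it falls
    under the d < N^0.25 bound the slide warns about. Returns the problems."""
    problems = []
    if (e * d) % phi != 1:
        problems.append("e*d != 1 mod phi")
    if d < round(N ** 0.25):              # float precision is enough for a bound check
        problems.append("d below N^0.25 (Wiener bound)")
    return problems

if __name__ == "__main__":
    N, e, d = keygen(P, Q)
    m = 123456789                          # constructed sample message, m < N
    c = encrypt(m, N, e)
    print(decrypt(c, N, d) == m, decrypt_crt(c, P, Q, d) == m)   # True True
    print(check_key(N, e, d, (P - 1) * (Q - 1)))                  # []
```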

RSA Length

Security of a public key system should be comparable to the security of a symmetric cipher:

  Cipher key-size    Modulus size
  80 bits            1024 bits
  128 bits           3072 bits
  256 bits (AES)     15360 bits

Discrete Log Assumption

• Fix a prime p > 2 and g in ℤp∗ of order q:
  • Consider the function: x ⟼ g^x in ℤp
  • Now, consider the inverse function:

  log_g(g^x) = x

• Example (g = 2 in ℤ11):

  in :       1, 2, 3, 4, 5, 6, 7, 8, 9, 10
  log2(⋅) :  0, 1, 8, 2, 4, 9, 7, 3, 6, 5
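An added example (not from the slides) tying together the exponentiation slide (g^53 via the bits of 53), the "17 multiplications" count for e = 65537, and the log2 table above for ℤ11: a square-and-multiply that counts its modular multiplications, and a brute-force discrete-log table that is only feasible for tiny p. The function names and the modulus 1000003 used in the count are mine.

```python
# Added example (not from the original slides): square-and-multiply
# exponentiation with a multiplication count, and a brute-force dlog table.
def square_and_multiply(g, x, N):
    """g^x mod N scanning the bits of x from the most significant one:
    square at every step, multiply by g when the bit is 1. Returns
    (result, number of modular multiplications): for x with L bits and w
    ones that is (L - 1) squarings + (w - 1) multiplications."""
    result, started, mults = 1, False, 0
    for bit in bin(x)[2:]:
        if started:
            result = (result * result) % N
            mults += 1
        if bit == "1":
            if started:
                result = (result * g) % N
                mults += 1
            else:
                result, started = g % N, True    # leading 1: result = g^1
    return result, mults

def dlog_table(g, p):
    """h -> log_g(h) for every h in <g> in Z_p^*, by brute-force enumeration
    of g^0, g^1, ...; only feasible for tiny p, which is the assumption's point."""
    table, y = {}, 1
    for i in range(p - 1):
        if y in table:
            break
        table[y] = i
        y = (y * g) % p
    return table

def dlog_row(g, p):
    """The slide's second row: log_g(h) for h = 1, ..., p - 1 (None if h not in <g>)."""
    table = dlog_table(g, p)
    return [table.get(h) for h in range(1, p)]

if __name__ == "__main__":
    print(square_and_multiply(3, 53, 7))               # (5, 8): 5 squarings + 3 multiplications
    print(square_and_multiply(2, 65537, 1000003)[1])   # 17 = 16 squarings + 1 multiplication
    print(dlog_row(2, 11))                             # [0, 1, 8, 2, 4, 9, 7, 3, 6, 5]
```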

Discrete Log Assumption

• Given 𝔾 and let g be a generator

  𝔾 = {g^0, g^1, …, g^(q−1)}

• Computing the discrete log of g^x is hard
  • Because no efficient algorithm exists
  • Same as factoring ⇒ no theoretical proof!
  • Hardness depends on the selection of 𝔾

DH Assumptions

Computational DH (CDH)

• Given 𝔾 and a generator g
  • Given (g, g^a, g^b)

• It’s hard to compute:

  h = g^ab

• e.g. DH Key Exchange

Decisional DH (DDH)

• Given 𝔾 and a generator g
  • Given T_DDH = (g^a, g^b, g^c)
  • e.g. c = ab

• The tuple T_DDH looks random in 𝔾

• e.g. El-Gamal Encryption

Strong primes

• Strong primes can be used to obtain special groups

• Why choose strong primes for RSA cryptosystems?
  • Improve the factoring hardness of the system
  • Gives a sub-group where all elements have an inverse!

• Why choose strong primes for DH cryptosystems?
  • The Discrete-Log problem is hardest in prime-order groups
  • Gives a sub-group where all elements are generators!
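An added example (not from the slides) for the CDH and strong-prime slides: a Diffie-Hellman exchange inside the prime-order subgroup ℚℝp of a strong prime, with the check a receiver should run on the peer's value, namely that it lies in <g> (h^q = 1 in ℤp and h ≠ 1). The parameters (p, q, g) = (11, 5, 5) are the toy values of the Sub-Groups slides; the function names are mine.

```python
# Added example (not from the original slides): DH exchange in the subgroup
# QR_p of order q of a strong prime p = 2q + 1, with subgroup membership
# checks on received values. Toy parameters from the Sub-Groups slides.
import random

P, Q, G = 11, 5, 5          # strong prime p = 2q + 1; g = 5 generates QR_11

def in_subgroup(h, p=P, q=Q):
    """True iff h is a non-identity element of the order-q subgroup <g>:
    1 < h < p and h^q = 1 mod p."""
    return 1 < h < p and pow(h, q, p) == 1

def keypair(rng=random, p=P, q=Q, g=G):
    """Secret exponent a in [1, q - 1] and public value g^a mod p."""
    a = rng.randrange(1, q)
    return a, pow(g, a, p)

def shared_secret(my_secret, peer_public, p=P, q=Q):
    """(g^b)^a = g^ab; refuses peer values outside the subgroup, so a
    value like 2 or p - 1 in Z_11 is rejected instead of being used."""
    if not in_subgroup(peer_public, p, q):
        raise ValueError("peer value is not in the prime-order subgroup")
    return pow(peer_public, my_secret, p)

def exchange(rng=random):
    """Full exchange: Alice and Bob each derive g^ab; returns both copies."""
    a, A = keypair(rng)
    b, B = keypair(rng)
    return shared_secret(a, B), shared_secret(b, A)

if __name__ == "__main__":
    print(sorted(h for h in range(P) if in_subgroup(h)))   # [3, 4, 5, 9] = QR_11 \ {1}
    print(exchange())                                       # two equal values
```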