CS363Week 3 - Friday

Last time

What did we talk about last time? AES Public key cryptography

Questions?

Assignment 1

Project 1

Security PresentationMatt Shank

Number Theory

Prime

RSA depends in large part on the difficulty of factoring large composite numbers (particularly those that are a product of only 2 primes)

Recall that an integer p is prime if p > 1 p is not divisible by any positive integers other

than 1 and itself Trivia: The largest prime currently known is

257885161 – 1 It has 17,425,170 digits in base 10

Fundamental theorem of arithmetic

Any integer greater than 1 can be factored into a unique series of prime factors: Example: 52 = 22 ∙ 13

Two integers a and b (greater than 1) are relatively prime or coprime if and only if a shares no prime factors with b

Rabin-Miller primality testing We won't get into the number theory behind this (yet) A Rabin-Miller primality test works as follows: Let n be the number you want to prove if it's prime or

not n must be odd, thus n – 1 is even (n – 1) = 2sd where s and d are positive integers and d is

odd If n is prime, then for any integer 1 < a < n, exactly one of

the two is true:▪ ad 1 (mod n) or▪ a2rd -1 (mod n), 1 ≤ r < s

Pick several a values, see if either of the two cases hold If it ever doesn't, you know you have a composite

Rabin-Miller example

What if we want to see if 221 is prime? n – 1 = 220 = 22∙55 s = 2 d = 55 Attempt 1: Let a = 174

a20·d mod n = 17455 mod 221 = 47 ≠ 1, n − 1 a21·d mod n = 174110 mod 221 = 220 = n − 1 Check!

Attempt 2: Let a = 137 a20·d mod n = 13755 mod 221 = 188 ≠ 1, n − 1 a21·d mod n = 137110 mod 221 = 205 ≠ n − 1 Oh no!

Every successful attempt means there is only a 25% chance that the number is composite

So, after k attempts, there is a 4-k chance that the number is composite

Greatest common divisor

The greatest common divisor or GCD of two numbers gives the largest factor they have in common

Example: GCD( 12, 18 ) = GCD( 42, 56 ) =

For small numbers, we can determine GCD by doing a complete factorization

Euclid's algorithm

For large numbers, we can use Euclid's algorithm to determine the GCD of two numbers

Algorithm GCD( a, b)1. If b = 0▪ Return a

2. Else▪ temp = a mod b▪ a = b▪ b = temp

3. Goto Step 1 Example: GCD( 1970, 1066)

Extended Euclid's algorithm We can extend Euclid's

algorithm to give us the multiplicative inverse for modular arithmetic

Example: Find the inverse of 120 mod 23

Let a be the number Let b be the modular

base

Find Inverse(a, b) x = 0 lastx = 1 y = 1 lasty = 0 while b ≠ 0 ▪ quotient = a div b▪ temp = b▪ b = a mod b▪ a = temp▪ temp = x▪ x = lastx-quotient*x ▪ lastx = temp▪ temp = y▪ y = lasty-quotient*y ▪ lasty = temp

Return lastx

More Number Theory!

Fermat’s Little Theorem

If p is prime and a is a positive integer not divisible by p, then:

ap –1 1 (mod p)

Proof of Fermat's Theorem Assume a is positive and less than p Consider the sequence a, 2a, 3a, …, (p – 1)a If these are taken mod p, we will get:

1, 2, 3, …, p – 1 This bit is the least obvious part of the proof However (because p is prime) if you add any non-zero

element repeatedly, you will eventually get back to the starting point, covering all values (except 0) once

Multiplying this sequence together gives: a ∙ 2a ∙ 3a ∙ … ∙ (p – 1)a 1 ∙ 2 ∙ 3 ∙ … ∙ (p – 1) (mod

p) ap – 1(p – 1)! (p – 1)! (mod p) ap – 1 1 (mod p)

Euler's in the mix too

Euler’s totient function (n) (n) = the number of positive

integers less than n and relatively prime to n (including 1)

If p is prime, then (p) = p – 1 If we have two primes p and q

(which are different), then:(pq) = (p)∙(q) = (p – 1)(q – 1)

Take that, Fermat

Euler’s Theorem:For every a and n that are relatively prime,

a(n) 1 (mod n)

This generalizes Fermat’s Theorem because (p) = p – 1 if p is prime

Proof is messier

RSA

RSA Algorithm

Named for Rivest, Shamir, and Adleman

Take a plaintext M converted to an integer

Create an ciphertext C as follows:C = Me mod n

Decrypt C back into M as follows:M = Cd mod n = (Me)d mod n = Med mod n

The pieces

Term Details Source

M Message to be encrypted Sender

C Encrypted message Computed by sender

n Modulus, n = pq Known by everyone

p Prime number Known by receiver

q Prime number Known by receiver

e Encryption exponent Known by everyone

d Decryption exponent Computed by receiver

(n) Totient of n Known by receiver

How it Works

To encrypt:C = Me mod n

e is often 3, but is always publically known

To decrypt:M = Cd mod n = Med mod n

We get d by finding the multiplicative inverse of e mod (n)

So, ed 1 (mod (n))

Why it Works

We know that ed 1 (mod (n)) This means that ed = k(n) + 1 for

some nonnegative integer kMed = Mk(n) + 1 M∙(M(n))k (mod n) By Euler’s Theorem

M(n) 1 (mod n) So, M∙(M(n))k M (mod n)

An example

M = 26p = 17, q = 11, n = 187, e = 3C = M3 mod 187 = 185 (n) = (p – 1)(q – 1) = 160d = e-1 mod 160 = 107Cd = 185107 mod 187 = 26 If you can trust my modular

arithmetic

Why it’s safe

You can’t compute the multiplicative inverse of e mod (n) unless you know what (n) is

If you know p and q, finding (n) is easy

Finding (n) is equivalent to finding p and q by factoring n

No one knows an efficient way to factor a large composite number

Upcoming

Next time…

Key management issues Cryptographic hash functions Yuki Gage presents

Reminders

Finish reading Section 2.7 and 12.3 Start reading Section 2.8 Finish Assignment 1

Due tonight by midnight