Cryptography 2014 Lecture 5 Some number theory. One-way functions, trapdoors.

Cryptography 2014
Lecture 5
Some number theory.
Modular arithmetic.
Extended Euclidean algorithm.
Modular exponentiation.
Fermat’s little theorem.
One-way functions, trapdoors.
RSA encryption.
November 19, 2014
1 / 39
CBC
CBC where attacker can predict the IV is not CPA-secure !!
Suppose given c ← ECBC (k, m) can predict IV for next message
!"#$%&
*&∈&9&
41&←&5&"#($!!%&'$!*⨁"#()&6&
'()%&
<8?(=4;&/0&
*←+!
,-./0⨁/01&2&&&,1&3&,-&
4&←&5&"#$!!%&'$!"#()!6&&&78&
4&←&5&"#$!!%&'$!+(⨁"#)!6&
7:;<:;&-&
=>&4516&.&41516&
AdvCPA [A, E ] = Pr [EXP(0) = 1] − Pr [EXP(1) = 1]
November 19, 2014
2 / 39
Intro Number Theory
Number Theory to construct:
Key exchange protocols
Digital signatures
Public-key encryption
November 19, 2014
3 / 39
Notation
From here on:
N denotes a positive integer.
p denote a prime.
Notation:
ZN = {0, 1, 2, . . . , N − 1}
Can do addition and multiplication modulo N in this set.
For math people ZN denotes a ring!
November 19, 2014
4 / 39
Modular arithmetic
Examples
Let N = 12
9 + 8 = 5 in Z12
5 × 7 = 11 in Z12
5 − 7 = 10 in Z12
Arithmetic in ZN works as you expect, e.g. x · (y + z) = x · y + x · z in ZN
November 19, 2014
5 / 39
Congruences, equality in ZN
Congruences
For a, b ∈ Z and N ∈ N, all the following have the same meaning (and defines the last
two):
a mod N = b mod N.
a = b + k · N for some k ∈ Z.
a ≡ b (mod N).
a = b ∈ ZN
Arithmetic in ZN
Fix N > 0. We define addition +N , subtraction −N and multiplication ·N in ZN by
a +N b
=
a −N b
=
(a + b) mod N
(a − b) mod N
a ·N b
=
(a · b) mod N
November 19, 2014
6 / 39
Greatest Common Divisor
Greatest Common Divisor
For integers x, y : gcd(x, y) is the greatest common divisor of x, y .
In simple words: the largest integer that divides both x and y .
Example: gcd(12, 18) = 6
Fact
For all integers x, y there exist integers a, b such that
a · x + b · y = gcd(x, y )
a,b can be found efficiently using the extended Euclidean algorithm.
Example:
2 × 12 − 1 × 18 = 6
If gcd(x, y ) = 1 we say that x and y are relatively prime.
Example: gcd(3, 5) = 1.
November 19, 2014
7 / 39
Greatest Common Divisor (gcd)
gcd can be calculated using the Euclidean algorithm
The Euclidean Algorithm (GCD)
Input: Integers a, b with a ≥ b ≥ 0
Output: The greatest common divisor of a and b
if b divides a
return b
else return GCD (b, [a mod b])
November 19, 2014
8 / 39
Modular inversion
Over the rationals, inverse of 2 is 1/2. What about ZN ?
Definition
The inverse of x in ZN is an element in ZN such that:
x · y = 1 in Zn
y is denoted x
−1
.
Example
Let N be an odd integer. The inverse of 2 in ZN is
Why? 2 N+1
= N + 1 = 1 in ZN
2
N+1 2
November 19, 2014
9 / 39
Modular inversion
Which elements have an inverse in ZN ?
Lemma
x in ZN has an inverse if and only if gcd(x, N) = 1
Proof Preview: ∃a, b : a · x + b · N = 1 ⇒ a · x = 1 ⇒ x = a−1 ∈ ZN
November 19, 2014
10 / 39
More notation
Definition
Z∗N = (set of invertible elements in Z) =
= {x ∈ ZN : gcd(x, N) = 1}
Examples:
1
For prime p, Z∗p = Zp r {0} = {1, 2, . . . , p − 1}
2
Why? gcd(p, 0) = 0 6= 1 and |Z∗p | = p − 1
3
Z∗12 = {1, 5, 7, 11}
For x in Z∗N , can find x −1 , using extended Euclidean algorithm.
November 19, 2014
11 / 39
More notation
Definition
Z∗N = (set of invertible elements in Z) =
= {x ∈ ZN : gcd(x, N) = 1}
Examples:
1
For prime p, Z∗p = Zp r {0} = {1, 2, . . . , p − 1}
2
Why? gcd(p, 0) = 0 6= 1 and |Z∗p | = p − 1
3
Z∗12 = {1, 5, 7, 11}
For x in Z∗N , can find x −1 , using extended Euclidean algorithm.
Example
Let us find 1/17 ∈ Z43
17 · x = 1( mod 43)
We can do that using the extended Euclidean Algorithm (example on the board!)
November 19, 2014
11 / 39
More notation
Definition
Z∗N = (set of invertible elements in Z) =
= {x ∈ ZN : gcd(x, N) = 1}
Examples:
1
For prime p, Z∗p = Zp r {0} = {1, 2, . . . , p − 1}
2
Why? gcd(p, 0) = 0 6= 1 and |Z∗p | = p − 1
3
Z∗12 = {1, 5, 7, 11}
For x in Z∗N , can find x −1 , using extended Euclidean algorithm.
Solving modular linear equations
Solve: a · x + b = 0 in ZN
⇒ Solution: x = −b · a−1 in ZN
Find a−1 in ZN using extended Euclidean algorithm. Run time: O(log2 N)
November 19, 2014
11 / 39
Extended Euclidean Algorithm
If we know a, b we can find X and Y such that X · a + Y · b = d
Extended Euclidean Algorithm
Input: Integers a, b with a ≥ b > 0
Output: (d, X , Y ) with d = gcd(a, b) and X · a + Y · b = d
If b divides a
return (b, 0, 1)
else
Compute integers q, r with a = qb + r and 0 ≥ r < b
(d, X , Y ) := eGCD(b, r ) /* note that Xb +Yr=d */
return (d, Y, X-Yq)
November 19, 2014
12 / 39
Review
N denotes an n-bit positive integer. p denotes a prime.
ZN = {0, 1, . . . , N − 1}
(ZN )∗ = (set of invertible elements in ZN ) =
= {x ∈ ZN : gcd(x, N) = 1}
November 19, 2014
13 / 39
Fermat’s theorem (1640)
Theorem
Let p be a prime:
∀x ∈ Z∗p : x p−1 = 1 in Zp
Proven by Euler about 100 years later
Example:
p = 5.
34 = 81 = 1 in Z5
So ...
x ∈ Z∗p ⇒ x · x p−2 = 1 ⇒ x −1 = x p−2 in Zp
Another way to compute inverses, but less efficient that Euclid. works only for modulo p
primes It takes O(log3 p)
November 19, 2014
14 / 39
Application: generating random primes
Suppose we want to generate a large random prime
say, prime p of length 1024 bits (i.e. p ≈ 21024 )
Algorithm
Step 1: Choose a random integer p ∈ [21024 , 21025 − 1]
Step 2: Test if 2p−1 = 1 in Zp
If so, output p and stop. If not go to step 1.
Simple algorithm (not the best). Pr [p not prime] < 2−60
With a few hundred iterations you find a prime.
November 19, 2014
15 / 39
The structure of (Zp )∗
Theorem - Euler
(Zp )∗ is a cyclic group, that is
∃g ∈ (Zp )∗ such that {1, g , g 2 , g 3 , . . . , g p−2 } = (Zp )∗
g is called a generator of (Zp )∗ .
g p−1 = 1 so we stop in g p−2
Example:
p = 7, {1, 3, 32 , 33 , 34 , 35 } = {1, 3, 2, 6, 4, 5} = (Z7 )∗
Not every element is a generator: {1, 2, 22 , 23 , 24 , 25 } = {1, 2, 4}
November 19, 2014
16 / 39
Order
For g ∈ (Zp )∗ the set {1, g , g 2 , g 3 , · · · } is called
the group generated by g , denoted < g >
Definition
The order of g ∈ (Zp )∗ is the size of < g >
ordp (g ) = | < g > | = smallest a > 0 s.t. g a = 1 in Zp
Example: ord7 (2) = 3, ord7 (1) = 1
Theorem - Lagrange
∀g ∈ (Zp )∗ : ordp (g ) divides p − 1
November 19, 2014
17 / 39
Euler’s generalisation of Fermat (1736)
Definition
For an integer N define φ(N) = |(ZN )∗ | (Euler’s φ function)
Examples
φ(12) = |{1, 5, 7, 11}| = 4 : φ(p) = p − 1
Why?
Z∗p = Zp r {0} = {1, 2, . . . , p − 1}
For N = p · q : φ(N) = N − p − q + 1 = (p − 1)(q − 1)
Why?
- N is the size of ZN .
- Remove all elements not relatively prime to N (divisible by p, divisible by q)
Theorem (Euler):
∀x ∈ (ZN )∗ :
x φ(N) = 1 in ZN ⇒ Applies to composites not only primes (like Fermat’s)!
Example: 5φ(12) = 54 = 625 = 1 in Z12
Generalisation of Fermat’s theorem ⇒ Basis of the RSA cryptosystem.
November 19, 2014
18 / 39
Arithmetic
Given: two n-bit integers
Addition and subtraction: linear time O(n)
Multiplication: naively O(n2 ) (In reality about O(n · logn))
Division with remainder: O(n2 )
November 19, 2014
19 / 39
Exponentiation
Finite cyclic group G (for example G = (Zp )∗ )
Goal: Given g in G and x compute g x We can use the square root algorithm!
Example:
Suppose: x = 53 = (110101)2 = 32 + 16 + 4 + 1
Then g 53 = g 32+16+4+1 = g 32 · g 16 · g 4 · g 1
!"!"!#"!"!$"!"!%"!"!&'"!"!(#""""""""""""""""!)("
Required: Only 9 multiplications.
November 19, 2014
20 / 39
The repeated squaring algorithm
Input: g in G and x > 0 : Output g x
write x = (xn , xn−1 . . . x2 x1 x0 )2
Algorithm
for i = 0 to n do:
if (x[i] == 1) : z ← z · y
y ← y 2 output z
Number of iterations: log 2 x
November 19, 2014
21 / 39
Running times
Given n-bit integer N
Addition and subtraction in ZN : linear time T+ = O(n)
Modular multiplication in ZN : naively Tx = O(n2 )
Modular exponentiation in ZN (g x )
O ( log x) ·TX ≤ O (log x) · n2 ≤ O(n3 )
| {z }
iterations
November 19, 2014
22 / 39
Public key encryption
Bob: generates (PK , SK ) and gives PK to Alice.
Alice
m
!"
Bob
c
c
$%"
#"
m
&%"
Non-interactive applications: (e.g. Email)
Bob sends email to Alice encrypted using pkalice
Note: Bob needs pkalice (public key management)
November 19, 2014
23 / 39
Public key encryption
A public-key encryption system is a triple of algorithms (G , E , D)
Definition
G(): randomised algorithm outputs a key pair (pk, sk).
E(pk, m) : randomised algorithm that takes m ∈ M and outputs c ∈ C .
D(sk, c) : deterministic algorithm that takes c ∈ C and outputs m ∈ M or ⊥
Consistency: ∀(pk, sk) output G :
∀m ∈ M :
D(sk, E (pk, m)) = m
November 19, 2014
24 / 39
Security: eavesdropping
For b = 0, 1 define experiments EXP(0) and EXP(1) as:
'&
!"#$%&
+,-./-0←1+0!
,-&
()*%&(&
23&.&24&&∈&5&6&&&&7237&8&7247&
9&←&:+,-.&"#0&
';&∈&<3.4=&
:>?+'0&
Definition:
E = (G , E , D) is semantically secure (IND-CPA) if for all efficient A:
AdvS S[A, E ] = Pr [EXP(0) = 1] − Pr [EXP(1) = 1] < negligible
November 19, 2014
25 / 39
Chosen Ciphertext Security: definition
E (G , E , D) public-key encryption over (M, C ). For b = 0, 1 define EXP(b)
'()*&"
!"
+,-./-0←1+0!
,-"
#$%&"#"
,,-!.#$/&!0)""""""<>"∈"'""
7>"←"?+-.!"10"
"#$%%&'(&)""""74"."75""∈"8"9"""":74:";":75:"
<"←"=+,-.!*+0"
,,-!.#$/&!2)""""""<>"∈"'""9""""""1!3!"!
""
7>"←"?+-.!"10"
!2"∈"34.56"
Definition
E is CCA secure (a.k.a. IND-CCA) if for all efficient A:
AdvCCA [A, E ] = Pr [EXP(0) = 1] − Pr [EXP(1) = 1] is negligible.
November 19, 2014
26 / 39
One-way functions
One-way function
A one-way function f : X → Y has the properties that
it is computationally “easy” to compute (evaluate) f (x) for any x ∈ X .
it is computationally “difficult” to invert f , i.e. given y ∈ Y , to find an x ∈ X such
that f (x) = y .
Of course, this is vague and needs to be more precisely defined, but the idea is to use
such an f as an encryption function.
November 19, 2014
27 / 39
Trapdoor functions (TDF)
Definition
A trapdoor function X → Y is a triple of efficient algorithms (G , F , F −1 )
G () : randomised algorithm outputs a key pair (pk, sk)
F (pk, ·) : deterministic algorithm that defines a function X → Y
F −1 (sk, ·) : defines a function Y → X that inverts F (pk, ·)
More precisely: ∀(pk, sk) output by G
∀x ∈ X : F −1 sk, F (pk, x) = x
Secure TDFs
(G , F , F −1 ) is secure if F (pk, ·) is a “one-way” function:
can be evaluated, but cannot be inverted without sk.
→ Evaluate (compute) the function in the forward direction is very easy.
→ No one can evaluate the function in the reverse direction unless they have the
trapdoor (sk).
November 19, 2014
28 / 39
Trapdoor functions
In simple words...
A secure trapdoor function is a one-way function f with the further property that if you
know some secret extra information, inverting “f” becomes “easy”.
Refined idea:
For encryption, we use a trapdoor one-way function for which only the receiver knows
the secret (trapdoor).
November 19, 2014
29 / 39
Public and private keys
Public and private keys
A key is now a pair (pk, sk) ∈ K × K, consisting of a public key pk and a private key sk.
We want the following:
A family {Epk }pk∈K of encryption functions, so that each choice of pk gives a
one-way function Epk : M → C.
A family {Dsk }sk∈K of decryption functions Dsk : C → M, such that
for each sk there is a sk such that Dsk (Epk (x)) = x for all x ∈ M.
It is easy for a user to generate a (pk, sk) pair, but computing sk from sk in infeasible
(so, sk is the trapdoor).
November 19, 2014
30 / 39
Review: arithmetic mod composites
Let N = p · q where p, q are prime
ZN = {0, 1, 2, . . . , N − 1},
(ZN )∗ = { invertible elements in ZN }
Facts:
x ∈ ZN is invertible ⇔ gcd(x, N) = 1
Number of elements in (ZN )∗ is φ(N) = (p − 1)(q − 1) = N − p − q + 1
By choosing
a random element in Zn it is very likely to be in (ZN )∗ (that is invertible).
Euler’s Theorem:
∀x ∈ (ZN )∗ :
x φ(N) = 1
November 19, 2014
31 / 39
The RSA trapdoor permutation
First published: Scientific American, Aug. 1977.
Very widely used:
SSL/TLS: certificates and key-exchange
Secure e-mail and file systems
. . . many others
RSA: Rivest, Shamir and Adleman (Turing Award 2003).
November 19, 2014
32 / 39
The RSA trapdoor permutation
The RSA trapdoor permutation
G() : choose random primes p, q ≈ 1024 bits. Set N = pq.
Choose integers e, d such that e · d = 1(modφ(N))
(This means that e and d are relatively prime to φ(N), modulo inverses.)
output pk = (N, e), sk = (N, d)
—————————————————————————F (pk, x) : Z∗N → Z∗N RSA(x) = xe in Zn
—————————————————————————F −1 (sk, y ) = y d :
y d = RSA(x)d = x ed = x kφ(n)+1 = (x φ(N) )k · x = x
November 19, 2014
33 / 39
The RSA assumption
RSA assumption: RSA is one-way permutation
RSA assumption
For all efficient algorithms A:
Pr A(N, e, y ) = y 1/e < negligible
R
R
where p, q ← n-bit primes, N ← pq, y ← Z∗N
November 19, 2014
34 / 39
Textbook RSA is insecure
Textbook RSA encryption:
public key: (N, e)
Encrypt: c ← me (in ZN )
secret key: (N, d)
Decrypt:c d → m
Insecure crypto system!!
It is a deterministic encryption!
Is not semantically secure and many attacks exist!
⇒ The RSA trapdoor permutation is not an encryption scheme!
November 19, 2014
35 / 39
RSA example
Key setup
Alice chooses p = 7 and q = 11; hence N = 77 and Φ(N) = 60.
Alice then chooses e = 37 and computes d = 13 (extended Euclid on inputs 60 and 37,
at the same time checking gcd (60, 37) = 1).
The public key is thus (77, 37).
Encryption
Bob wants to send m = 8 to Alice. He computes (in Z77 ) C = 837 = 57.
Decryption
Alice, on receiving C , computes 5713 = 8 and has recovered m.
November 19, 2014
36 / 39
RSA attack
CLIENT HELLO
&,-.'/$
)"))0'-12"3$2$
!"#$
%&'()"&$
SERVER HELLO (e,N)
c=RSA(k)
!"#$
*"&+"&$
!"
Suppose k is 64 bits: k ∈ {0, . . . , 264 } Eve sees: k e in ZN
If k = k1 · k2 where k1 , k2 < 234 (prob. ≈ 20%) then c/ke1 = ke2 in ZN
C , N, e : known to the Attacker.
Meet-in-the-middle attack!
Attack Steps
Step 1: Build table: c/1e , c/2e , c/3e , . . . , c/234 e. time: 234
Step 2: For k2 = 0, . . . , 234 test if k2e is in table. time:234
Output matching (k1 , k2 ). Total attack time ≈ 240
November 19, 2014
37 / 39
Things to remember
Things to remember
Which elements have an inverse in ZN ?
How can I find the inverse?
What does the Fermat’s theorem say?
What does Euler’s theorem say?
What is IND-CCA?
How does RSA work?
Why RSA textbook is not secure?
Attacks against RSA!
Optional and Recommended Reading
A Computational Introduction to Number Theory and Algebra
V. Shoup, 2008 (V1), Chapter 1-4, 11, 12
Available at http://shoup.net/ntb/ntb-v2.pdf
November 19, 2014
38 / 39
References:
Crypto Course Stanford, Dan Boneh
“Cryptography and Network Security: Principles and practice” (Chapters 4.1-4.3,
8.1-8.3, 9.1-9.2)
“Introduction to Modern Cryptography”, Lindell and Katz (Chapter 7.1.1-7.1.4, 7.2,
10.1, 10.2, 10.4, B.1.2)
November 19, 2014
39 / 39