Public Key Crypto
Groups
A group G, sometimes denoted by {G, ·}, is a set of elements with a binary operation, denoted by ·, that associates to each ordered pair (a, b) of elements in G an element (a · b) in G, such that the following axioms are obeyed:
(A1) Closure: If a and b belong to G, then a · b is also in G.
(A2) Associative: a · (b · c) = (a · b) · c for all a, b, c in G.
(A3) Identity element: There is an element e in G such that a · e = e · a = a for all a in G.
(A4) Inverse element: For each a in G there is an element a' in G such that a · a' = a' · a = e.
A group that also satisfies (A5) Commutative: a · b = b · a for all a, b in G, is called an abelian group.
The operator · is generic and can refer to addition, multiplication, or some other mathematical operation.
If a group has a finite number of elements, it is referred to as a finite group, and the order of the
group is equal to the number of elements in the group. Otherwise, the group is an infinite group.
Cyclic Group
We define exponentiation within a group as repeated application of the group operator, so that a^3 = a · a · a. Further, we define a^0 = e, the identity element, and a^(-n) = (a')^n, where a' is the inverse of a. A group G is cyclic if every element of G is a power a^k (k is an integer) of a fixed element a ∈ G. The element a is said to generate the group G, or to be a generator of G. A cyclic group is always abelian, and may be finite or infinite.
The additive group of integers is an infinite cyclic group generated by the element 1. In this case, powers are interpreted additively, so that n is the nth power of 1.
Ring
A ring R, sometimes denoted by {R, +, ×}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in R the following axioms are obeyed:
(A1-A5) R is an abelian group with respect to addition; that is, R satisfies axioms A1 through A5. For the case of an additive group, we denote the identity element as 0 and the inverse of a as -a.
(M1) Closure under multiplication: If a and b belong to R, then ab is also in R.
(M2) Associativity of multiplication: a(bc) = (ab)c for all a, b, c in R.
(M3) Distributive laws: a(b + c) = ab + ac and (a + b)c = ac + bc for all a, b, c in R.
With respect to addition and multiplication, the set of all n-square matrices over the real numbers is a ring.
Commutative Ring
A ring is said to be commutative if it also satisfies (M4) Commutativity of multiplication: ab = ba for all a, b in R.
Let S be the set of even integers (positive, negative, and 0) under the usual operations of addition and multiplication. S is a commutative ring. The set of all n-square matrices defined in the preceding example is not a commutative ring, since matrix multiplication does not commute in general.
Integral Domain
We define an integral domain, which is a commutative ring that obeys the following additional axioms:
(M5) Multiplicative identity: There is an element 1 in R such that a1 = 1a = a for all a in R.
(M6) No zero divisors: If a, b in R and ab = 0, then either a = 0 or b = 0.
Let S be the set of integers, positive, negative, and 0, under the usual operations of addition and multiplication. S is an integral domain.
Fields
A field F, sometimes denoted by {F, +, ×}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in F the following axioms are obeyed:
(A1-M6) F is an integral domain; that is, F satisfies axioms A1 through A5 and M1 through M6.
(M7) Multiplicative inverse: For each a in F, except 0, there is an element a^(-1) in F such that a·a^(-1) = a^(-1)·a = 1.
In essence, a field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set. Division is defined with the following rule: a/b = a(b^(-1)).
Familiar examples of fields are the rational numbers, the real numbers, and the complex numbers. Note that the set of all integers is not a field, because not every element of the set has
Modular Arithmetic
Given any positive integer n and any nonnegative integer a, if we divide a by n, we get an integer quotient q and an integer remainder r that obey the following relationship:
a = qn + r, with 0 ≤ r < n    (1)
The remainder r is written a mod n. Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n), written a ≡ b (mod n).
Divisors
We say that a nonzero b divides a if a = mb for some m, where a, b, and m are integers. That is, b divides a if there is no remainder on division. The notation b|a is commonly used to mean b divides a. Also, if b|a, we say that b is a divisor of a. Some properties of divisibility:
If a|1, then a = ±1.
If a|b and b|a, then a = ±b.
Any b ≠ 0 divides 0.
If b|g and b|h, then b|(mg + nh) for arbitrary integers m and n.
Properties of congruences:
1. a ≡ b (mod n) if n|(a - b).
2. a ≡ b (mod n) implies b ≡ a (mod n).
3. a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n).
To demonstrate the first point, if n|(a - b), then (a - b) = kn for some k. So we can write a = b + kn. Therefore, (a mod n) = (remainder when b + kn is divided by n) = (remainder when b is divided by n) = (b mod n).
Examples (modular arithmetic respects addition, subtraction, and multiplication):
11 mod 8 = 3; 15 mod 8 = 7
[(11 mod 8) + (15 mod 8)] mod 8 = 10 mod 8 = 2
(11 + 15) mod 8 = 26 mod 8 = 2
[(11 mod 8) - (15 mod 8)] mod 8 = -4 mod 8 = 4
(11 - 15) mod 8 = -4 mod 8 = 4
[(11 mod 8) × (15 mod 8)] mod 8 = 21 mod 8 = 5
(11 × 15) mod 8 = 165 mod 8 = 5
The set of nonnegative integers less than n, Zn = {0, 1, ..., n - 1}, is referred to as the set of residues, or residue classes modulo n. To be more precise, each integer in Zn represents a residue class. We can label the residue classes modulo n as [0], [1], [2], ..., [n - 1], where [r] is the set of all integers congruent to r modulo n.
If we perform modular arithmetic within Zn, the properties shown in the table below hold for integers in Zn. Thus, Zn is a commutative ring with a multiplicative identity element.
Commutative laws:    (w + x) mod n = (x + w) mod n
                     (w × x) mod n = (x × w) mod n
For a given prime p, the finite field of order p, GF(p), is defined as the set Zp of integers {0, 1, ..., p - 1}, together with the arithmetic operations modulo p. (GF stands for Galois field.)
Arithmetic in GF(7)
It is easy to find the multiplicative inverse of an element in GF(p) for small values of p. You simply construct a multiplication table, such as the one for GF(7) shown in the table above, and the desired result can be read directly (the inverse of a is the column in which row a contains 1). However, for large values of p, this approach is not practical, and the extended Euclidean algorithm is used instead.
EXTENDED EUCLID(m, b)
1. (A1, A2, A3) ← (1, 0, m); (B1, B2, B3) ← (0, 1, b)
2. if B3 = 0 return A3 = gcd(m, b); no inverse
3. if B3 = 1 return B3 = gcd(m, b); B2 = b^(-1) mod m
4. Q = ⌊A3 / B3⌋
5. (T1, T2, T3) ← (A1 - Q·B1, A2 - Q·B2, A3 - Q·B3)
6. (A1, A2, A3) ← (B1, B2, B3)
7. (B1, B2, B3) ← (T1, T2, T3)
8. goto 2
Throughout, the invariants m·A1 + b·A2 = A3 and m·B1 + b·B2 = B3 hold, so when B3 = 1 we have b·B2 ≡ 1 (mod m), which is why B2 is the inverse.
Exercise: trace the above algorithm to find the multiplicative inverse of 550 in GF(1759).
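The procedure above as an added Python implementation (my code, not part of the original notes). It keeps the (A1, A2, A3)/(B1, B2, B3) bookkeeping of the pseudocode and records every step, so the 550 in GF(1759) exercise can be traced, and it reuses the same routine to build the inverse table for GF(7) that the multiplication-table approach gives by inspection. The function names are my own.

```python
def extended_euclid(m, b):
    """EXTENDED EUCLID(m, b) from the notes.

    Invariants at every step: m*A1 + b*A2 = A3 and m*B1 + b*B2 = B3, so when
    B3 reaches 1 we have b*B2 = 1 (mod m), i.e. B2 is the inverse of b mod m.
    Returns (gcd, inverse_or_None, trace); trace rows are
    (Q, A1, A2, A3, B1, B2, B3) after each iteration, Q = None for the start row.
    """
    A1, A2, A3 = 1, 0, m
    B1, B2, B3 = 0, 1, b
    trace = [(None, A1, A2, A3, B1, B2, B3)]
    while True:
        if B3 == 0:                     # step 2: gcd(m, b) = A3 > 1 (or b == 0), no inverse
            return A3, None, trace
        if B3 == 1:                     # step 3: gcd == 1, B2 = b^-1 mod m
            return 1, B2 % m, trace     # % m maps a negative B2 into 0..m-1
        Q = A3 // B3                    # step 4
        T1, T2, T3 = A1 - Q * B1, A2 - Q * B2, A3 - Q * B3   # step 5
        A1, A2, A3 = B1, B2, B3         # step 6
        B1, B2, B3 = T1, T2, T3         # step 7
        trace.append((Q, A1, A2, A3, B1, B2, B3))


def mod_inverse(b, m):
    """b^-1 mod m, or None when gcd(b, m) != 1."""
    return extended_euclid(m, b)[1]


def gf_inverses(p):
    """Multiplicative inverse of every nonzero element of GF(p), checked by multiplying back."""
    table = {}
    for a in range(1, p):
        inv = mod_inverse(a, p)
        assert inv is not None and (a * inv) % p == 1   # p prime => every a != 0 is invertible
        table[a] = inv
    return table


def print_trace(m, b):
    """Print the tabular trace the exercise asks for."""
    gcd, inv, trace = extended_euclid(m, b)
    print(f"{'Q':>4} {'A1':>6} {'A2':>6} {'A3':>6} {'B1':>6} {'B2':>6} {'B3':>6}")
    for Q, *row in trace:
        print(f"{'-' if Q is None else Q:>4} " + " ".join(f"{v:>6}" for v in row))
    print(f"gcd({m}, {b}) = {gcd}; inverse of {b} mod {m} = {inv}")


if __name__ == "__main__":
    print_trace(1759, 550)      # last row has B3 = 1 and B2 = 355, so 550^-1 mod 1759 = 355
    print(gf_inverses(7))       # {1: 1, 2: 4, 3: 5, 4: 2, 5: 3, 6: 6}
```

Running `print_trace(1759, 550)` ends with the row Q = 1, (A1, A2, A3) = (106, -339, 4), (B1, B2, B3) = (-111, 355, 1): check 1759 × (-111) + 550 × 355 = 1. When B3 hits 0 instead (try `extended_euclid(12, 8)`), the gcd is 4 and no inverse exists, which is the case that matters when an RSA public exponent is chosen badly.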
Prime Numbers
An integer p > 1 is a prime number if and only if its only divisors are ±1 and ±p. Examples are 7, 13, ... Every integer greater than 1 factors uniquely into primes:
91 = 7 × 13 (factorization)
3600 = 2^4 × 3^2 × 5^2
11011 = 7 × 11^2 × 13
Fermat's Theorem
Fermat's theorem states the following: if p is prime and a is a positive integer not divisible by p (that is, a and p are relatively prime), then
a^(p-1) ≡ 1 (mod p)
Example
a = 7, p = 19
7^2 = 49 ≡ 11 (mod 19)
7^4 = 7^2 × 7^2 ≡ 11 × 11 = 121 ≡ 7 (mod 19)
7^8 = 7^4 × 7^4 ≡ 7 × 7 = 49 ≡ 11 (mod 19)
Before presenting Euler's theorem, we need to introduce an important quantity in number theory, referred to as Euler's totient function and written φ(n), defined as the number of positive integers less than n and relatively prime to n. By convention, φ(1) = 1. For a prime p, φ(p) = p - 1.
n     φ(n)
1     1
3     2
13    12
14    6
15    8
19    18
20    8
Euler's theorem
Euler's theorem states that for every a and n that are relatively prime:
a^φ(n) ≡ 1 (mod n)
Fermat's theorem is the special case n = p prime, where φ(p) = p - 1.
Examples
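Added Python example (my code, not from the notes): it computes φ(n) both from the definition (counting) and from the prime factorisation, reproduces the table above, checks Fermat's theorem for a = 7, p = 19 through the same repeated-squaring chain as the worked example, and checks Euler's theorem for composite moduli. The function names are my own.

```python
from math import gcd


def prime_factors(n):
    """Trial-division factorisation, e.g. 3600 -> {2: 4, 3: 2, 5: 2}."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi_by_counting(n):
    """Euler's totient straight from the definition; phi(1) = 1 by convention."""
    if n == 1:
        return 1
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)


def phi(n):
    """phi(n) = n * prod(1 - 1/p) over the distinct primes p dividing n."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)
    return result


def fermat_chain(a, p):
    """Residues a^2, a^4, a^8, ... (mod p) by repeated squaring, as in the a = 7, p = 19
    example, followed by a^(p-1) mod p, which Fermat's theorem says is 1 for prime p."""
    chain = []
    e, x = 2, (a * a) % p
    while e < p - 1:
        chain.append((e, x))
        e, x = e * 2, (x * x) % p
    return chain, pow(a, p - 1, p)


def euler_holds(a, n):
    """True when gcd(a, n) = 1 and a^phi(n) = 1 (mod n)."""
    return gcd(a, n) == 1 and pow(a, phi(n), n) == 1


if __name__ == "__main__":
    for n in (1, 3, 13, 14, 15, 19, 20):
        print(n, phi(n), phi_by_counting(n))
    print(fermat_chain(7, 19))                   # ([(2, 11), (4, 7), (8, 11), (16, 7)], 1)
    print(euler_holds(3, 20), euler_holds(7, 15), euler_holds(5, 20))
```

The last element of the chain, 7^16 ≡ 7, combined with 7^2 ≡ 11 gives 7^18 ≡ 77 ≡ 1 (mod 19), which is the Fermat statement for p = 19; `euler_holds(5, 20)` is False because 5 and 20 are not relatively prime, the precondition Euler's theorem needs.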
Miller-Rabin Algorithm
The algorithm due to Miller and Rabin is typically used to test a large number for primality. Before explaining the algorithm, we need some background.
If p is prime and a is a positive integer less than p, then a^2 mod p = 1 if and only if either a mod p = 1 or a mod p = -1 mod p = p - 1. By the rules of modular arithmetic, (a mod p)(a mod p) = a^2 mod p. Thus if either a mod p = 1 or a mod p = -1, then a^2 mod p = 1. Conversely, if a^2 mod p = 1, then p divides a^2 - 1 = (a - 1)(a + 1); because p is prime it must divide one of the two factors, which is true only for a mod p = 1 or a mod p = -1. (For a composite modulus this fails: 4^2 = 16 ≡ 1 (mod 15) although 4 is neither 1 nor -1 modulo 15.)
Let p be a prime number greater than 2. We can then write p - 1 = 2^k q, with k > 0 and q odd. Let a be any integer in the range 1 < a < p - 1. Then one of the two following conditions is true:
1. a^q is congruent to 1 modulo p.
2. One of the elements a^q, a^(2q), a^(4q), ..., a^(2^(k-1) q) is congruent to -1 modulo p.
These considerations lead to the conclusion that if n is prime, then either the first element in the list of residues, or remainders, (a^q, a^(2q), ..., a^(2^(k-1) q), a^(2^k q)) modulo n equals 1, or some element in the list equals (n - 1); otherwise n is composite (i.e., not a prime). On the other hand, if the condition is met, that does not necessarily mean that n is prime.
For example, if n = 2047 = 23 × 89, then n - 1 = 2 × 1023. Computing, 2^1023 mod 2047 = 1, so that 2047 meets the condition but is not prime.
We can use the preceding property to devise a test for primality. The procedure TEST takes a candidate integer n as input and returns the result composite if n is definitely not a prime, and
TEST(n)
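An added Python implementation of the TEST(n) procedure (my code, not the notes' own listing; the result for a base that does not expose compositeness is named "inconclusive" here). It shows the list of residues a^q, a^(2q), ..., a^(2^k q) mod n, that 2047 passes with base 2 but is caught by base 3, and a wrapper that repeats the test with several random bases the way a key-generation routine would.

```python
import random


def split_power_of_two(n_minus_1):
    """Write n - 1 = 2^k * q with q odd; returns (k, q)."""
    k, q = 0, n_minus_1
    while q % 2 == 0:
        k += 1
        q //= 2
    return k, q


def residue_list(n, a):
    """The list (a^q, a^2q, a^4q, ..., a^(2^k q)) mod n from the discussion above."""
    k, q = split_power_of_two(n - 1)
    return [pow(a, (2 ** j) * q, n) for j in range(k + 1)]


def miller_rabin_test(n, a):
    """TEST(n) with one base a (odd n >= 3, 1 < a < n - 1).

    Returns "composite" if a is a witness, otherwise "inconclusive": n is then
    either prime or a strong pseudoprime to base a.
    """
    if n < 3 or n % 2 == 0:
        return "inconclusive" if n == 2 else "composite"
    k, q = split_power_of_two(n - 1)
    x = pow(a, q, n)                    # first element of the residue list
    if x == 1 or x == n - 1:
        return "inconclusive"
    for _ in range(k - 1):              # square on up to a^(2^(k-1) q)
        x = (x * x) % n
        if x == n - 1:
            return "inconclusive"
    return "composite"


def is_probable_prime(n, bases=None, rounds=20):
    """Repeat TEST(n) with several bases; a single "composite" settles it.

    For an odd composite n at most 1/4 of the bases give "inconclusive", so with
    random bases 20 inconclusive rounds leave an error probability below 4^-20.
    """
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    if bases is None:
        bases = [random.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        if 1 < a < n - 1 and miller_rabin_test(n, a) == "composite":
            return False
    return True


if __name__ == "__main__":
    print(residue_list(2047, 2))                  # [1, 1]: 2047 = 23 * 89 passes base 2
    print(miller_rabin_test(2047, 2), miller_rabin_test(2047, 3))
    print(is_probable_prime(1759), is_probable_prime(2047))
```

Fixed bases such as [2, 3, 5] are fine for small n, but a candidate supplied by an adversary can be crafted to be a strong pseudoprime to any fixed list of bases, so a library that accepts externally supplied primes (Diffie-Hellman parameters, for instance) must use random bases or a deterministic variant proven for the size in question.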
Public-Key Cryptosystems
A public-key encryption scheme has the following ingredients:
1. Plaintext: This is the readable message or data that is fed into the algorithm as input.
2. Encryption algorithm: The encryption algorithm performs various transformations on the
plaintext.
3. Public and private keys: This is a pair of keys that have been selected so that if one is used
for encryption, the other is used for decryption. The exact transformations performed by the
algorithm depend on the public or private key that is provided as input.
4. Ciphertext: This is the scrambled message produced as output. It depends on the plaintext
and the key. For a given message, two different keys will produce two different ciphertexts.
5. Decryption algorithm: This algorithm accepts the ciphertext and the matching key and
produces the original plaintext.
There is some source A that produces a message in plaintext, X = [X1, X2, ..., XM]. The M elements of X are letters in some finite alphabet. The message is intended for destination B. B generates a related pair of keys: a public key, PUb, and a private key, PRb. PRb is known only to B, whereas PUb is publicly available and therefore accessible by A. This is shown in the figure on the next page.
With the message X and the encryption key PUb as input, A forms the ciphertext Y = [Y1, Y2, ..., YN]:
Y = E(PUb, X)
The intended receiver, in possession of the matching private key, is able to invert the transformation:
X = D(PRb, Y)
In this case, A prepares a message to B and encrypts it using A's private key before transmitting it. B can decrypt the message using A's public key. Because the message was encrypted using A's private key, only A could have prepared the message. Therefore, the entire encrypted message serves as a digital signature. In addition, it is impossible to alter the message without access to A's private key, so the message is authenticated both in terms of source and in terms of data integrity. (In practice the private-key operation is applied to a hash of the message rather than to the whole message, which is cheaper and avoids the algebraic weaknesses of signing raw data.) The figure shows the use of public-key encryption to provide authentication:
Y = E(PRa, X)
X = D(PUa, Y)
It is, however, possible to provide both the authentication function and confidentiality by a double use of the public-key scheme: A first applies its private key and then B's public key, and B reverses the two steps:
Z = E(PUb, E(PRa, X))
X = D(PUa, D(PRb, Z))
Requirements for Public-Key Cryptography
1. It is computationally easy for a party B to generate a pair (public key PUb, private key PRb).
2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted, M, to generate the corresponding ciphertext:
C = E(PUb, M)
3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key to recover the original message:
M = D(PRb, C) = D(PRb, E(PUb, M))
4. It is computationally infeasible for an adversary, knowing the public key, PUb, to determine the private key, PRb.
5. It is computationally infeasible for an adversary, knowing the public key, PUb, and a ciphertext, C, to recover the original message, M.
We can add a sixth requirement that, although useful, is not necessary for all public-key applications:
In this lecture we only consider algorithms from two families: those whose security rests on integer factorization (RSA) and those whose security rests on discrete logarithms (Diffie-Hellman).
RSA
RSA is an algorithm for public-key cryptography. It was the first algorithm known to be suitable for signing as well as encryption, and one of the first great advances in public-key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys, a proper padding scheme, and the use of up-to-date implementations.
Operation: RSA involves a public key and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key.
Encrypting Messages
Alice transmits her public key (n, e) to Bob and keeps the private key secret. Bob sends message M to Alice by turning M into a number m < n using a reversible protocol called a padding scheme. He then computes the ciphertext c as c = m^e mod n. Bob then transmits c to Alice.
Decrypting Messages
Alice can recover m from c by using her private key exponent d by the following computation: m = c^d mod n. Given m, she can recover the original message M.
Example: take the primes p = 3 and q = 11, so that n = pq = 33 and φ(n) = (p - 1)(q - 1) = 20. Choose the public exponent e = 3, which is relatively prime to 20; the private exponent is d = 7, since ed = 21 ≡ 1 (mod 20). Now say we want to encrypt the message m = 7:
c = m^e mod n = 7^3 mod 33 = 343 mod 33 = 13.
Hence the ciphertext c = 13. To check decryption we compute m' = c^d mod n = 13^7 mod 33 = 7.
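Added Python example (my code, not the notes' own implementation): textbook RSA with the toy key pair above (n = 33, e = 3, d = 7), showing encryption and decryption, the signature use (apply the private key, check with the public key), and the double use of the scheme in which A signs with its private key and then encrypts with B's public key. It assumes Python 3.8+ for `pow(e, -1, phi)`; B's key pair (p = 5, q = 11) is my choice so that B's modulus is larger than A's, which the double use needs.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Textbook RSA: n = pq, phi = (p-1)(q-1), d = e^-1 mod phi.
    Returns (public_key, private_key) as (n, e), (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(key, x):
    """x^exp mod n; the same operation serves E and D, the key decides which."""
    n, exp = key
    if not 0 <= x < n:
        raise ValueError(f"input {x} must satisfy 0 <= x < n = {n}")
    return pow(x, exp, n)


def encrypt(pub_b, m):      # C = E(PUb, M)
    return rsa_apply(pub_b, m)


def decrypt(priv_b, c):     # M = D(PRb, C)
    return rsa_apply(priv_b, c)


def sign(priv_a, m):        # Y = E(PRa, X): only the holder of PRa can produce it
    return rsa_apply(priv_a, m)


def verify(pub_a, y):       # X = D(PUa, Y): anyone holding PUa can check it
    return rsa_apply(pub_a, y)


def sign_then_encrypt(priv_a, pub_b, m):
    """Double use: Z = E(PUb, E(PRa, X)). Needs n_a <= n_b so the signature fits in B's range."""
    return encrypt(pub_b, sign(priv_a, m))


def decrypt_then_verify(priv_b, pub_a, z):
    """X = D(PUa, D(PRb, Z))."""
    return verify(pub_a, decrypt(priv_b, z))


if __name__ == "__main__":
    pub_a, priv_a = rsa_keygen(3, 11, 3)     # (33, 3), (33, 7): the key pair from the notes
    pub_b, priv_b = rsa_keygen(5, 11, 3)     # (55, 3), (55, 27): constructed second pair for B
    c = encrypt(pub_a, 7)
    print(c, decrypt(priv_a, c))             # 13 7
    z = sign_then_encrypt(priv_a, pub_b, 7)
    print(z, decrypt_then_verify(priv_b, pub_a, z))
```

This is the bare algorithm, deliberately without the padding scheme the text mentions: as written it is deterministic (equal plaintexts give equal ciphertexts) and multiplicative (E(m1)·E(m2) = E(m1·m2) mod n), so an attacker can forge signatures on products of signed values. Deployed systems use OAEP for encryption and PSS for signatures, sign a hash rather than the message, and keep separate key pairs for signing and decryption.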
Diffie-Hellman Key Exchange
Description: The simplest and original implementation of the protocol uses the multiplicative group of integers modulo p, where p is a prime and g is a primitive root of p.
Steps:
1. Generate the global public elements p and g, where p is a prime number and g < p is a primitive root of p.
2. User A selects a random integer XA < p and computes YA = g^XA mod p.
3. User B independently selects a random integer XB < p and computes YB = g^XB mod p.
4. Each side keeps the X value private and makes the Y value available publicly to the other side.
5. Each side computes the shared secret K = (YB)^XA mod p = (YA)^XB mod p = g^(XA·XB) mod p.
ep
Example: Alice and Bob agree to use a prime number p = 23 and base g = 5.
Alice chooses a secret integer XA = 6, then sends Bob YA = g^XA mod p = 5^6 mod 23 = 8.
Bob chooses a secret integer XB = 15, then sends Alice YB = g^XB mod p = 5^15 mod 23 = 19.
Alice computes (YB)^XA mod p = 19^6 mod 23 = 2 and Bob computes (YA)^XB mod p = 8^15 mod 23 = 2.
Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel. Of course, much larger values of XA, XB, and p would be needed to make this example secure, since it is easy to try all the possible values of g^(XA·XB) mod 23 (there will be, at most, 22 such values, even if XA and XB are large). If p were a prime of at least 300 digits, and XA and XB were at least 100 digits long, then even the best algorithms known today could not find XA given only g, p, and g^XA mod p, even using all of mankind's computing power. The problem is known as the discrete logarithm problem. Note that g need not be large at all, and in practice is usually either 2 or 5, provided it is a primitive root (or generates a large prime-order subgroup) for the chosen p.
Two practical caveats: a 300-digit prime is about 1024 bits, and current guidance is 2048 bits or more (or an elliptic-curve group of comparable strength); and the exchange as described authenticates neither party, so an attacker who can intercept and replace YA and YB can run a separate exchange with each side (a man-in-the-middle attack). Deployed protocols therefore sign or otherwise authenticate the public values.
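The exchange above as an added Python example (my code, not from the notes): it checks that g is a primitive root of p, runs the p = 23, g = 5 exchange, and then plays the eavesdropper, recovering XA from YA by trying every exponent, which is exactly the brute-force attack that a small modulus permits. The function names are my own.

```python
def is_primitive_root(g, p):
    """g is a primitive root of the prime p iff g, g^2, ..., g^(p-1) mod p are all
    distinct, i.e. g generates the whole multiplicative group of order p - 1."""
    seen, x = set(), 1
    for _ in range(p - 1):
        x = (x * g) % p
        seen.add(x)
    return len(seen) == p - 1


def dh_exchange(p, g, x_a, x_b):
    """Steps 2-5: the public values Y_A, Y_B and the shared secret K, checked to agree."""
    if not is_primitive_root(g, p):
        raise ValueError(f"{g} is not a primitive root of {p}")
    y_a = pow(g, x_a, p)                 # Alice sends Y_A = g^X_A mod p
    y_b = pow(g, x_b, p)                 # Bob sends Y_B = g^X_B mod p
    k_a = pow(y_b, x_a, p)               # Alice: (Y_B)^X_A mod p
    k_b = pow(y_a, x_b, p)               # Bob:   (Y_A)^X_B mod p
    assert k_a == k_b                    # both equal g^(X_A X_B) mod p
    return y_a, y_b, k_a


def brute_force_dlog(g, y, p):
    """Eavesdropper: find x with g^x = y (mod p) by trying x = 1, 2, ..., p - 1.
    Cost is O(p) multiplications: trivial for p = 23, hopeless for a 300-digit p."""
    x, acc = 1, g % p
    while x < p:
        if acc == y:
            return x
        x, acc = x + 1, (acc * g) % p
    return None


def eavesdrop(p, g, y_a, y_b):
    """Recover the shared secret from the public values alone."""
    x_a = brute_force_dlog(g, y_a, p)
    return pow(y_b, x_a, p)


if __name__ == "__main__":
    y_a, y_b, k = dh_exchange(23, 5, 6, 15)
    print(y_a, y_b, k)                       # 8 19 2
    print(eavesdrop(23, 5, y_a, y_b))        # 2: recovered without knowing X_A or X_B
    print(is_primitive_root(2, 23))          # False: 2^11 = 1 (mod 23), so g = 2 is a poor choice for p = 23
```

`is_primitive_root(2, 23)` being False illustrates the remark that g is "usually 2 or 5": which small g works depends on p, and a g of small order shrinks the set of possible shared secrets even when p is large, so parameter sets must be validated rather than assumed.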