Lecture 3- Number-Theory - Notes

The lecture covers number theory as a foundational aspect of public key cryptography, including concepts such as divisors, congruence, modular arithmetic, prime numbers, and the Euclidean algorithm. It emphasizes the importance of understanding these mathematical principles to apply them in cryptographic calculations, particularly in RSA encryption. Additionally, the lecture introduces the Euler phi function and Fermat's Little Theorem, which are essential for modular exponentiation in cryptography.

Uploaded by

cweqing

CS5285

Information Security for eCommerce

Lecture 3

Prof. Gerhard Hancke


CS Department
City University of Hong Kong

1
Reminder of last week
• Symmetric Encryption
– Substitution ciphers and frequency analysis
– One time pad (perfectly secure/impractical)
– Stream and block ciphers (RC4/DES/AES)
– Block cipher modes of operation
• Error propagation

2
Today’s Lecture
• Number theory
– Background maths to public key crypto
• CILO5 (properties/design of security mechanisms)

3
Number Theory

We work on integers only

Slides 5-23

This is background information. See this as a reference section for terminology. You do not need to know every single slide in detail, but you must be familiar enough with the material to apply it to subsequent cryptography.

For example, if I ask you to show how a message is encrypted/decrypted using RSA, you must be able to do the calculation (so it will help you to understand if you know what a prime number is, what Euler's totient is, etc.)

4
Divisors
Two integers: a and b (b is non-zero)
– b divides a if there exists some integer m such that a = m·b
– Notation: b|a
– e.g. 1,2,3,4,6,8,12,24 divide 24
– b is a divisor of a

Relations
1. If b|1 then b = ±1
2. If b|a and a|b then b = ±a
3. b|0 for any b ≠ 0
4. If b|g and b|h then b | (mg + nh) for any integers m and n.
5
Congruence
a is congruent to b modulo n if n | (a-b).

Notation: a ≡ b (mod n)

Examples
1. 23 ≡ 8 (mod 5) because 5 | 23-8
2. -11 ≡ 5 (mod 8) because 8 | -11-5
3. 81 ≡ 0 (mod 27) because 27 | 81-0

Properties
1. a ≡ b (mod n) implies b ≡ a (mod n)
2. a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n)

Examples (the m in each case, with a-b = m·n)
1. m=3 (5|15)
2. m=-2 (8|-16)
3. m=3 (27|81)

6
Modular Arithmetic
• modular reduction: a mod n = r
r is the remainder when a is divided by a natural number n
• r is also called the residue of a mod n
▪ it can be represented as: a = qn + r where 0 ≤ r < n, q = ⌊a/n⌋
where ⌊x⌋ is the largest integer less than or equal to x
▪ q is called the quotient
• 18 mod 7 = ?
• 29345723547 mod 2 = ?
• Relation between modular reduction and congruence
▪ -12 ≡ -5 ≡ 2 ≡ 9 (mod 7)
▪ -12 mod 7 = 2 (what’s the quotient?)
▪ -12 = q·n + r = -2·7 + 2

-12 mod 7 = 2

-12 = -2·7 + 2, so n is 7, q is -2 and r is 2

7
Modular Arithmetic Operations

• can do modular reduction at any point,
– (a + b) mod n = [a mod n + b mod n] mod n
– E.g. (97 + 23) mod 7 = [97 mod 7 + 23 mod 7] mod 7 = [6 + 2] mod 7 = 1
– E.g. (11 – 14) mod 8 = ?
(3 – 6) mod 8 = 5
– E.g. (11 x 14) mod 8 = ?
(3 x 6) mod 8 = 2

When reducing, we "usually" want to find the positive remainder after dividing by the modulus. For positive numbers, this is simply the normal remainder. For negative numbers we have to "overshoot" (i.e. find the next multiple larger than the number) and "come back" (i.e. add a positive remainder to get the number), rather than have a "negative remainder".

8
Prime and Composite Numbers
• An integer p is prime if its only divisors are 1 and p.
• Otherwise, it is a composite number.
• E.g. 2,3,5,7 are prime; 4,6,8,9,10 are not
• List of prime numbers less than 200:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79
83 89 97 101 103 107 109 113 127 131 137 139 149 151 157
163 167 173 179 181 191 193 197 199

• Prime Factorization: If a is a composite number, then a can be factored in a unique way as
a = p1^a1 · p2^a2 · … · pt^at
where p1 > p2 > … > pt are prime numbers and each ai is a natural number (i.e. a positive nonzero integer).
e.g. 12,250 = 7^2 · 5^3 · 2
9
Prime Factorization
• It is generally hard to do (prime) factorization when
the number is large
• E.g. factorize
1. 24070280312179
2. 10893002480924910251
3. 938740932174981739832107481234871432497617
4. 93874093217498173983210748123487143249761717

10

Greatest Common Divisor (GCD)
• GCD(a,b) of a and b is the largest number that divides both a and b
– E.g. GCD(60,24) = 12
• If GCD(a, b) = 1, then a and b are said to be relatively prime
– E.g. GCD(8,15) = 1
– 8 and 15 are relatively prime (co-prime)
Question: How to compute gcd(a,b)?
Naive method: factorize a and b and compute the product of all their common factors.
e.g. 540 = 2^2 x 3^3 x 5
144 = 2^4 x 3^2
gcd(540, 144) = 2^2 x 3^2 = 36

Problem of this naive method: factorization becomes very difficult when integers become large.
Better method: Euclidean Algorithm (a.k.a. Euclid’s GCD algorithm)
11
Euclidean Algorithm
Rationale
Theorem: gcd(a, b) = gcd(a, b mod a)

Euclid's Algorithm:
A = a, B = b
while B > 0
R = A mod B
A = B, B = R
return A

Compute gcd(911, 999):
A = q x B + R
999 = 1 x 911 + 88
911 = 10 x 88 + 31
88 = 2 x 31 + 26
31 = 1 x 26 + 5
26 = 5 x 5 + 1
5 = 5 x 1 + 0

Hence gcd(911, 999) = 1 (value returned)

Hence gcd(911, 999) = gcd(911, 999 mod 911) = gcd(911 mod 88, 88) = gcd(31, 88 mod 31) = gcd(31 mod 26, 26) = gcd(5, 26 mod 5) = gcd(5, 1) = 1.
12
Modular Inverse
A is the modular inverse of B mod n if

AB mod n = 1.

A is denoted as B^-1 mod n.

e.g.
• 3 is the modular inverse of 5 mod 7. In other words, 5^-1 mod 7 = 3.
• 7 is the modular inverse of 7 mod 16. In other words, 7^-1 mod 16 = 7.

However, there is no modular inverse for 8 mod 14.

There exists a modular inverse for B mod n if B is relatively prime to n.

Question:
What’s the modular inverse of 911 mod 999?

14

This is not a fraction!!! A is not 1/B (remember that A and B are integers).

What can we do?

We use the extended Euclidean algorithm. We know that to have a modular inverse, 911 and 999 must be relatively prime. So what is the GCD?
Extended Euclidean Algorithm
The extended Euclidean algorithm can be used to solve the integer equation
ax + by = gcd(a, b)
for any given integers a and b.
Example
Let a = 911 and b = 999. From the Euclidean algorithm,
999 = 1 x 911 + 88
911 = 10 x 88 + 31
88 = 2 x 31 + 26
31 = 1 x 26 + 5
26 = 5 x 5 + 1 ⇒ gcd(a, b) = 1
Tracing backward, we get
1 = 26 – 5 x 5
= 26 – 5 x (31 – 1 x 26) = -5 x 31 + 6 x 26
= -5 x 31 + 6 x (88 – 2 x 31) = 6 x 88 – 17 x 31
= 6 x 88 – 17 x (911 – 10 x 88) = -17 x 911 + 176 x 88
= -17 x 911 + 176 x (999 – 1 x 911) = 176 x 999 – 193 x 911
15

The extended Euclidean algorithm solves for the combination of x and y.
Calculating the Modular Inverse
We now have
gcd(911, 999) = 1 = -193 x 911 + 176 x 999.
If we reduce this equation modulo 999, we have
1 ≡ -193 x 911 + 176 x 999 (mod 999)
1 = -193 x 911 mod 999
1 = (-193 mod 999) x 911 mod 999
1 = 806 x 911 mod 999
1 ≡ 806 x 911 (mod 999).
Hence 806 is the modular inverse of 911 modulo 999.

16
The Euler phi Function
For n ≥ 1, φ(n) denotes the number of integers in the interval [1, n] which are relatively prime to n. The function φ is called the Euler phi function (or the Euler totient function).

Fact 1. The Euler phi function is multiplicative. I.e. if gcd(m, n) = 1, then φ(mn) = φ(m) x φ(n).
Fact 2. For a prime p and an integer e ≥ 1, φ(p^e) = p^(e-1)(p-1).

• From these two facts, we can find φ for any composite n if the prime factorization of n is known.
• Let n = p1^e1 p2^e2 … pk^ek where p1,…, pk are prime and each ei is a nonzero positive integer.
• Then
φ(n) = p1^(e1-1)(p1-1) · p2^(e2-1)(p2-1) … pk^(ek-1)(pk-1)

17
The Euler phi Function

φ(n) = |{x : 1 ≤ x ≤ n and gcd(x,n) = 1}|

• φ(2) = |{1}| = 1
• φ(3) = |{1,2}| = 2
• φ(4) = |{1,3}| = 2
• φ(5) = |{1,2,3,4}| = 4
• φ(6) = |{1,5}| = 2

• φ(37) = 36
• φ(21) = (3–1)×(7–1) = 2×6 = 12

18

Size of the set of all numbers x between 1 and n where gcd(x,n) = 1.
Fermat’s Little Theorem
Let p be a prime. Any integer a not divisible by p satisfies a^(p-1) ≡ 1 (mod p).

• We can generalize Fermat’s Little Theorem as follows. This is due to Euler.
Euler’s Generalization: Let n be a composite. Then a^φ(n) ≡ 1 (mod n) for any integer a which is relatively prime to n.

• E.g. a=3; n=10; φ(10)=4 ⇒ 3^4 ≡ 81 ≡ 1 (mod 10)
• E.g. a=2; n=11; φ(11)=10 ⇒ 2^10 ≡ 1024 ≡ 1 (mod 11)

Exercise: Compute 11^1,073,741,823 mod 13.

Compute 11^12 · 11^12 · 11^12 · … · 11^3 mod 13 ≡ 5 (mod 13)

19

What is your strategy?

(11^12)^89478485 · (11^3) mod 13 = 11^3 mod 13 = 5 mod 13
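As an added example (not part of the lecture slides), the extended Euclidean algorithm, the modular inverse and Euler phi from the preceding slides in Python, checked against the slides' own numbers (911^-1 mod 999 = 806, φ(21) = 12, 3^4 ≡ 1 (mod 10)); the function names and the `{p: e}` factorization input are my own choices.

```python
# Added example, not from the lecture slides: extended Euclid, modular
# inverse and Euler phi, checked against the numbers worked on the slides.

def egcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b) (extended Euclid)."""
    x0, x1, y0, y1 = 1, 0, 0, 1          # Bezout coefficients for a and b
    while b != 0:
        q, r = divmod(a, b)              # a = q*b + r, one row of the slide's table
        a, b = b, r
        x0, x1 = x1, x0 - q * x1         # the "tracing backward" step, done forward
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(b, n):
    """b^-1 mod n, or None when gcd(b, n) != 1 (e.g. 8 mod 14 has no inverse)."""
    g, x, _ = egcd(b, n)
    if g != 1:
        return None
    return x % n                         # -193 % 999 == 806, as on the slide


def phi(factorization):
    """Euler phi from a dict {p: e}, using phi(p^e) = p^(e-1)(p-1) and Fact 1."""
    result = 1
    for p, e in factorization.items():
        result *= p ** (e - 1) * (p - 1)
    return result


def euler_holds(a, n, phi_n):
    """Euler's generalization: a^phi(n) mod n == 1 whenever gcd(a, n) == 1."""
    return pow(a, phi_n, n) == 1


if __name__ == "__main__":
    print(egcd(911, 999))                # (1, -193, 176): 176*999 - 193*911 = 1
    print(modinv(911, 999))              # 806
    print(phi({3: 1, 7: 1}))             # phi(21) = 12
    print(euler_holds(3, 10, phi({2: 1, 5: 1})))   # True: 3^4 = 81 = 1 mod 10
```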

Modular Exponentiation
Let Z = { …, -2, -1, 0, 1, 2, … } be the set of integers.
Let a, e, n ∈ Z.
Modular exponentiation a^e mod n is defined as repeated multiplication of a for e times modulo n.

Method 1: Repeated Modular Multiplication (as defined)
e.g. 11^15 mod 13 = 11 x 11 x 11 x 11 x … x 11 mod 13
= 4 x 11 x 11 x … x 11 mod 13
= 5 x 11 x … x 11 mod 13
:
= 5
• performed 14 modular multiplications
• Complexity = O(e)
• What if the exponent is large?

20

Things do not always work with Fermat’s theorem, and we cannot do repeated modular multiplication… we need another method: square and multiply.
Modular Exponentiation
Method 2: Square-and-Multiply Algorithm
e.g. 11^15 mod 13 = 11^(8+4+2+1) mod 13 = 11^8 x 11^4 x 11^2 x 11 mod 13 — (1)
• 11^2 = 121 ≡ 4 (mod 13) — (2)
• 11^4 = (11^2)^2 ≡ 4^2 ≡ 3 (mod 13) — (3)
• 11^8 = (11^4)^2 ≡ 3^2 ≡ 9 (mod 13) — (4)
Put (2), (3) and (4) into (1) and get
11^15 ≡ 9 x 3 x 4 x 11 ≡ 5 (mod 13)

• performed at most 2·log2(15) modular multiplications
• Complexity = O( lg(e) )

21

Every time we just square the previous result.

This means we are working with squares of numbers less than n, rather than a larger exponentiation.
Modular Exponentiation
Pseudo-code of Square-and-Multiply Algorithm to compute a^e mod n:
Let the binary representation of e be (e_{t-1} e_{t-2} … e_1 e_0).
Hence t is the number of bits in the binary representation of e.

1. z = 1
2. for i = t-1 downto 0 do
3. z = z^2 mod n
4. if e_i = 1 then z = z x a mod n

22

If we wanted to do this on a binary number? How would it work?

Here is a good time to think: ok, so this is why I need to understand the underlying maths even if I just design and implement systems…

Great. What if e is a key? Is there a problem? What if someone can see the time taken for each for-loop iteration?
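The pseudo-code above and the timing question it raises, as an added example that is not from the lecture slides: square-and-multiply instrumented to count modular multiplications, beside a Montgomery ladder that does the same work for every bit of e. Function names and the op-count helper are my own.

```python
# Added example, not from the lecture slides: the square-and-multiply
# pseudo-code from the slide, instrumented to count modular multiplications,
# next to a Montgomery ladder that does the same work for every exponent bit.

def square_and_multiply(a, e, n):
    """Return (a^e mod n, multiplications done), scanning e_{t-1} .. e_0."""
    z, mults = 1, 0
    for bit in bin(e)[2:]:               # t bits, most significant first
        z = z * z % n                    # step 3: square on every iteration
        mults += 1
        if bit == "1":                   # step 4: multiply only when e_i = 1
            z = z * a % n
            mults += 1
    return z, mults


def montgomery_ladder(a, e, n):
    """Same result, but one square and one multiply per bit whatever e_i is."""
    r0, r1, mults = 1, a % n, 0          # invariant: r1 == r0 * a (mod n)
    for bit in bin(e)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r1, r0 = r0 * r1 % n, r0 * r0 % n
        mults += 2
    return r0, mults


def op_count_gap(e_low, e_high, a=11, n=13):
    """Difference in multiplications between two exponents of equal bit length.

    Non-zero for square-and-multiply (the count follows the Hamming weight of
    e), zero for the ladder: that dependence is the leak the slide asks about.
    """
    plain = square_and_multiply(a, e_high, n)[1] - square_and_multiply(a, e_low, n)[1]
    ladder = montgomery_ladder(a, e_high, n)[1] - montgomery_ladder(a, e_low, n)[1]
    return plain, ladder


if __name__ == "__main__":
    print(square_and_multiply(11, 15, 13))   # (5, 8), the slide's 11^15 mod 13
    print(square_and_multiply(17, 130, 11))  # (1, 10)
    print(montgomery_ladder(17, 170, 13))    # (3, 16)
    print(op_count_gap(128, 255))            # (7, 0)
```

An equal operation count is only the first step: a constant-time implementation also has to remove the data-dependent branch and memory accesses, which Python's big integers do not give you.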

Side Channel
• Platform on which software runs leaks information
• Power usage, electromagnetic… acoustic
– Consider again (square multiply) – timing?
– Power (embedded hardware) and acoustic (PC, GNU RSA)

23

For interest only.

The two strips in the acoustic trace are the exponentiation modulo P and the exponentiation modulo Q; for each key they sit at slightly different positions. Once again, choose the ciphertext and you can distinguish specific key bits.

http://www.cs.tau.ac.il/~tromer/acoustic/

http://www.ecs.umass.edu/~tbashir/timing_attack_rsa_theory.htm
The end!

?
Any questions…
24
Exercise (Inverse)
e = 79 and e·d mod 3220 ≡ 1 (mod 3220) – find d
d ≡ 79^-1 mod 3220

Euclidean Algorithm
3220 = 40·79 + 60
79 = 1·60 + 19
60 = 3·19 + 3
19 = 6·3 + 1

Extended Euclidean Algorithm
1 = 19 – 6·3
1 = 19 – 6(60 – 3·19) = -6·60 + 19·19
1 = -6·60 + 19(79 – 1·60) = -25·60 + 19·79
1 = -25(3220 – 40·79) + 19·79 = 1019·79 – 25·3220

1019·79 – 25·3220 mod 3220 ≡ 1019·79 mod 3220 ≡ 1 (mod 3220)

Hence d = 1019 is the modular inverse of 79 modulo 3220.

25
Exercise 2 (Inverse)
Calculate 2084^-1 mod 2357

Euclidean Algorithm
• 2357 = 1·2084 + 273
• 2084 = 7·273 + 173
• 273 = 1·173 + 100
• 173 = 1·100 + 73
• 100 = 1·73 + 27
• 73 = 2·27 + 19
• 27 = 1·19 + 8
• 19 = 2·8 + 3
• 8 = 2·3 + 2
• 3 = 1·2 + 1

26
Exercise 2 (Inverse) ctd
• 1 = 3 – 1·2 = 3 – (8 – 2·3) = 3·3 – 8

• 3(19 – 2·8) – 8 = 3·19 – 7·8 = 3·19 – 7(27 – 19) = 10·19 – 7·27

• 10(73 – 2·27) – 7·27 = 10·73 – 27·27 = 10·73 – 27(100 – 1·73) = 37·73 – 27·100

• 37·73 – 27·100 = 37(173 – 100) – 27·100 = -64·100 + 37·173 = -64(273 – 173) + 37·173 = -64·273 + 101·173

• -64·273 + 101·173 = -64·273 + 101(2084 – 7·273) = -771·273 + 101·2084 = -771(2357 – 2084) + 101·2084

• -771(2357 – 2084) + 101·2084 = 872·2084 – 771·2357

• 872·2084 – 771·2357 mod 2357 ≡ 872·2084 mod 2357 ≡ 1 (mod 2357)

• So 872 must be the modular inverse of 2084 mod 2357.

27
Exercise (Square/Mult)
Calculate 17^130 mod 11

Powers of two? 1,2,4,8,16,32,64,128,256…

130 dec = 10000010 binary

17^130 = 17^(128+2) mod 11 = 17^128 x 17^2 mod 11

• 17^2 = 289 ≡ 3 (mod 11) — (1)
• 17^4 = (17^2)^2 ≡ 3^2 ≡ 9 (mod 11) — (2)
• 17^8 = (17^4)^2 ≡ 9^2 ≡ 4 (mod 11) — (3)
• 17^16 = (17^8)^2 ≡ 4^2 ≡ 5 (mod 11) — (4)
• 17^32 = (17^16)^2 ≡ 5^2 ≡ 3 (mod 11) — (5)
• 17^64 = (17^32)^2 ≡ 3^2 ≡ 9 (mod 11) — (6)
• 17^128 = (17^64)^2 ≡ 9^2 ≡ 4 (mod 11) — (7)

Use (7), (1) and get

17^130 ≡ 4 x 3 mod 11 ≡ 1 mod 11
28

Every time we just square the previous result.

This means we are working with squares of numbers less than n, rather than a larger exponentiation.
Exercise 2 (Square/Mult)
Calculate 17^170 mod 13

Powers of two? 1,2,4,8,16,32,64,128,256…

17^170 = 17^(128+32+8+2) mod 13 = 17^128 x 17^32 x 17^8 x 17^2 mod 13

• 17^2 = 289 ≡ 3 (mod 13) — (1)
• 17^4 = (17^2)^2 ≡ 3^2 ≡ 9 (mod 13) — (2)
• 17^8 = (17^4)^2 ≡ 9^2 ≡ 3 (mod 13) — (3)
• 17^16 = (17^8)^2 ≡ 3^2 ≡ 9 (mod 13) — (4)
• 17^32 = (17^16)^2 ≡ 9^2 ≡ 3 (mod 13) — (5)
• 17^64 = (17^32)^2 ≡ 3^2 ≡ 9 (mod 13) — (6)
• 17^128 = (17^64)^2 ≡ 9^2 ≡ 3 (mod 13) — (7)

Use (7), (5), (3), (1) and get

17^170 mod 13 ≡ 3 x 3 x 3 x 3 mod 13 ≡ 3 mod 13
29

Every time we just square the previous result.

This means we are working with squares of numbers less than n, rather than a larger exponentiation.
