
Number Theoretic Algorithms

The document discusses three issues related to data transmission: data compression, error detection and correction, and data security. It describes several algorithms for solving these problems, including Huffman coding and Lempel-Ziv techniques for data compression, and error correction codes. For data security, it discusses public key cryptography algorithms like Diffie-Hellman, Merkle-Hellman, and RSA, which are based on hard problems in number theory like factoring large numbers. It also provides background on number theory topics relevant to these algorithms.

Uploaded by Netaji Sagaram
Copyright: © Attribution Non-Commercial (BY-NC)

10/07/09

Three Basic Issues associated with data transmission

Data Compression Problem
Can the data be compressed into some form other than the original such that the number of bits sent is minimal, but no information is lost?

Data Compression Problem
The Huffman coding technique in your book uses a greedy method to solve this problem. Know the probability of occurrence of each character that could appear. Represent the most frequently occurring characters by fewer bits than the least frequently occurring characters.

Lempel-Ziv (LZ) techniques are widely used as the basis for such algorithms.


Error Detection and Correction Problem
Transmission of data can be subject to errors: bits can be lost. Can transmission errors be detected and, if possible, corrected? See the following link for more details: http://en.wikipedia.org/wiki/Error_correction

Data Security Problem
Can transmitted data be made secure from unauthorized spying and/or tampering? Throughout history there have been many techniques (algorithms) to solve this problem.

Recent algorithms

Diffie-Hellman Algorithm
- First public-key / private-key algorithm
- Based on the difficulty of computing discrete logarithms

Merkle-Hellman Algorithm
- Based on the non-fractional (0/1) knapsack problem
- The non-fractional knapsack problem is difficult to solve: it is NP-complete
- An intruder would have to solve the non-fractional knapsack problem for a large number of items

The Rivest, Shamir, Adleman (RSA) Algorithm
The RSA scheme is based on the inability to factor the product of large prime numbers quickly. The scheme depends initially on finding large primes quickly; its security depends on not being able to factor the product of large primes quickly.

The RSA scheme was developed from concepts in number theory. A review of number theory follows later.

Large inputs here mean inputs that are large integers, rather than a large number of integers. The size of an input is measured in bits: the number of bits needed to represent that input.

An algorithm with inputs a1, a2, ..., an runs in polynomial time if it runs in time polynomial in lg a1, lg a2, ..., lg an.
The number of bits in an integer a is ⌊lg a⌋ + 1.

Addition, multiplication, division and remainder are, at this point, each taken to cost one unit of time when estimating the running time of an algorithm. Counting the number of these operations an algorithm performs gives an estimate of its running time.

In a number-theoretic algorithm, it is more useful to count the number of bit operations done by the algorithm to estimate its running time.

Multiplication of two β-bit integers by the ordinary method takes Θ(β²) bit operations. Similarly, dividing a β-bit integer by a shorter integer, or taking the remainder on dividing by a shorter integer, both take Θ(β²) bit operations. Faster methods to do multiplication and division are known.

Review of elementary number theory
Z = {..., -2, -1, 0, 1, 2, ...} is the set of all integers. The set N = {0, 1, 2, ...} is the set of all natural numbers.

Divisibility and divisors of integers
d | a (d divides a) means a = k*d for some integer k.
5 | 20 (5 divides 20), since 20 = 4*5, where k = 4.

Every integer divides 0. If d | a, we say that a is a multiple of d. If d does not divide a, we write d ∤ a.
5 ∤ 18: we cannot write 18 = k*5 for any integer k.

a is a multiple of d, if d | a
If 12 | 48, then 48 is a multiple of 12 48 = 4*12

If d | a and d >= 0, then d is a divisor of a.


Divisors of 24 = {1, 2, 3, 4, 6, 8, 12, 24}

d | a iff -d | a. A divisor of an integer a is at least 1 but not greater than |a|. Every integer a is divisible by 1 and a, its trivial divisors. The non-trivial divisors of an integer a are called the factors of a.

An integer a > 1 whose only divisors are 1 and a is called a prime integer.
The first 20 primes are {2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71}.

An integer a > 1 that is not prime is called a composite integer.


39 is a composite number since 39 = 3*13

The integer 1 is neither prime nor composite and is called a unit. Similarly, 0 and the negative integers are neither prime nor composite.

For any integer a and positive integer n, there exist unique integers q and r with 0 <= r < n and a = q*n + r. q = ⌊a/n⌋ is the quotient and r = a mod n is the remainder. n | a iff a mod n = 0, that is, the remainder is 0.

The integers can be divided into n equivalence classes modulo n: [a]n = {a + kn : k ∈ Z}. For example, [3]7 = {..., 3 + (-2)*7 = 3 - 14 = -11, 3 + (-1)*7 = -4, 3 + 0*7 = 3, 3 + 1*7 = 10, ...}. The set of all equivalence classes modulo n is Zn = {[a]n : 0 <= a <= n - 1}.

If d | a and d | b, then d is a common divisor of a and b. Divisors of 30 are {1, 2, 3, 5, 6, 10, 15}; divisors of 24 are {1, 2, 3, 4, 6, 8, 12}; common divisors of 30 and 24 are {1, 2, 3, 6}. If d | a and d | b, then d | (ax + by) for any integers x and y.
3 | 30 and 3 | 24 implies 3 | (30(-4) + 24(-5)), since 3 divides each term in the sum. This result is used in the Extended-Euclid GCD algorithm discussed below.

The greatest common divisor of integers a and b, not both zero, is the largest common divisor of a and b, denoted gcd(a,b). Divisors of 30 are {1, 2, 3, 5, 6, 10, 15}; divisors of 24 are {1, 2, 3, 4, 6, 8, 12}; common divisors of 30 and 24 are {1, 2, 3, 6}. So gcd(24,30) = 6.

Two integers a and b are relatively prime if their only common divisor is 1. 8 and 15 are relatively prime: divisors of 8 are {1, 2, 4} and divisors of 15 are {1, 3, 5}.

For every prime p and all integers a and b, if p | ab then p | a or p | b (or both). Consider a = 8 and b = 15 and let p = 5: p | 8*15 = 120, and then p | 15. A composite integer a can be written in exactly one way as a product of primes. For example, 6000 = 2^4 * 3^1 * 5^3.

Given a positive integer a and a list of all primes {p_i}:

i = 1
while a > 1 do
    while a % p_i = 0 do
        print p_i
        a = a / p_i
    i = i + 1

Trace for a = 12 with the list of primes {p_i} = {2, 3, 5, ...}:

i = 1, p_1 = 2: 12 > 1 is true; 12 % 2 = 0 is true, so print 2 and a = 12/2 = 6
    6 % 2 = 0 is true, so print 2 and a = 6/2 = 3
    3 % 2 = 0 is false, so i = 1 + 1 = 2
i = 2, p_2 = 3: 3 > 1 is true; 3 % 3 = 0 is true, so print 3 and a = 3/3 = 1
    1 % 3 = 0 is false, so i = 2 + 1 = 3
1 > 1 is false: DONE. The primes printed are 2, 2, 3, so 12 = 2*2*3.

Euclid's Basic Algorithm to find gcd(a,b)

gcd(a,b) and gcd(b, a mod b) divide each other and thus are equal. Example: gcd(24,15) and gcd(15,9). Factorization of 24 = 2^3 * 3; factorization of 15 = 3 * 5; factorization of 9 = 3^2; both gcds are 3.

Since gcd(a,b) and gcd(b, a mod b) are equal, a recursive algorithm can be written to compute gcd(a,b).

Show that gcd(a,b) = gcd(b, a mod b). First show that gcd(a,b) | gcd(b, a mod b). Let d = gcd(a,b); it follows that d | a and d | b. Now a mod b = a - qb where q = ⌊a/b⌋, so a mod b is a linear combination of a and b, and it follows that d | (a mod b). But d | b as well, so d | gcd(b, a mod b).

Showing that gcd(b, a mod b) | gcd(a,b) is similar, and the two divisibilities together give gcd(b, a mod b) = gcd(a,b).

gcd(24,15) = gcd(15, 9) = gcd(9, 6) = gcd(6, 3) = gcd(3, 0) = 3

Note that the answer occurs when gcd(a, 0) = a, which is the stopping rule for the algorithm:

Euclid(a, b)
1 if b = 0
2   then return a
3   else return Euclid(b, a mod b)

From above we know that if d | a and d | b, then d | (ax + by) for any integers x and y. When d is gcd(a,b), the coefficients x and y with d = ax + by are important: x and y are useful in computing multiplicative inverses.
The public and private keys in RSA are multiplicative inverses of each other.

Rewrite the Euclid algorithm to compute x and y such that

gcd(a,b) = a*x + b*y

Extended-Euclid takes an input pair a and b and returns a triple of the form (d, x, y) that satisfies d = gcd(a,b) = a*x + b*y.

Extended-Euclid(a, b)
1 if b = 0
2   then return (a, 1, 0)
3 (d', x', y') = Extended-Euclid(b, a mod b)
4 (d, x, y) = (d', y', x' - ⌊a/b⌋ * y')
5 return (d, x, y)

Trace of Extended-Euclid(99, 78). Each call reaches line 3 and recurses on (b, a mod b) until b = 0:

Extended-Euclid(99, 78): b = 0 is false; line 3 calls Extended-Euclid(78, 99 mod 78) = Extended-Euclid(78, 21)
Extended-Euclid(78, 21): line 3 calls Extended-Euclid(21, 78 mod 21) = Extended-Euclid(21, 15)
Extended-Euclid(21, 15): line 3 calls Extended-Euclid(15, 21 mod 15) = Extended-Euclid(15, 6)
Extended-Euclid(15, 6): line 3 calls Extended-Euclid(6, 15 mod 6) = Extended-Euclid(6, 3)
Extended-Euclid(6, 3): line 3 calls Extended-Euclid(3, 6 mod 3) = Extended-Euclid(3, 0)
Extended-Euclid(3, 0): b = 0 is true; line 2 returns (3, 1, 0)

return of (3, 1, 0) leads to a pop off the call stack

Extended-Euclid(6, 3): line 3 gave (d', x', y') = (3, 1, 0); line 4: (d, x, y) = (3, 0, 1 - ⌊6/3⌋*0) = (3, 0, 1); line 5 returns (3, 0, 1)

return (3, 0, 1) leads to a pop off the call stack

Extended-Euclid(15, 6): (d', x', y') = (3, 0, 1); line 4: (d, x, y) = (3, 1, 0 - ⌊15/6⌋*1) = (3, 1, -2); line 5 returns (3, 1, -2)

return (3, 1, -2) leads to a pop off the call stack

Extended-Euclid(21, 15): (d', x', y') = (3, 1, -2); line 4: (d, x, y) = (3, -2, 1 - ⌊21/15⌋*(-2)) = (3, -2, 3); line 5 returns (3, -2, 3)

return (3, -2, 3) leads to a pop off the call stack

Extended-Euclid(78, 21): (d', x', y') = (3, -2, 3); line 4: (d, x, y) = (3, 3, -2 - ⌊78/21⌋*3) = (3, 3, -2 - 3*3) = (3, 3, -11); line 5 returns (3, 3, -11)

return (3, 3, -11) leads to a pop off the call stack

Extended-Euclid(99, 78): (d', x', y') = (3, 3, -11); line 4: (d, x, y) = (3, -11, 3 - ⌊99/78⌋*(-11)) = (3, -11, 3 - 1*(-11)) = (3, -11, 14); line 5 returns (3, -11, 14)

return (3, -11, 14) leads to a pop off the call stack. No more calls on the call stack, so Extended-Euclid(99, 78) = (d = 3, x = -11, y = 14)

The equation d = ax + by holds: 3 = 99(-11) + 78(14) = -1089 + 1092

Download the following spreadsheet for the Extended-Euclid calculator: ExtendedEuclid.xlsx

Spreadsheet rows (one per call, top-down):

a    b    floor(a/b)   d    x     y    d = ax + by
99   78   1            3   -11    14   3
78   21   3            3     3   -11   3
21   15   1            3    -2     3   3
15    6   2            3     1    -2   3
 6    3   2            3     0     1   3
 3    0   -            3     1     0   3

Bottom row: b = 0, so return (a, 1, 0). Line 4 for the row a = 21, b = 15: y = x' - floor(a/b) * y' = 1 - 1*(-2) = 1 + 2 = 3.

Modular arithmetic is arithmetic over the integers where every result is in the set {0, 1, 2, ..., n-1}: all operations are done modulo n. If n = 6, (5 + 4) mod 6 = 3.

A group is a set S along with a binary operation ⊕ that has the following properties:
Closure: the result a ⊕ b of the operation on any a, b in S is again in S.
Identity: there exists an element e in S such that e ⊕ a = a ⊕ e = a for all a in S.
Associativity: for any a, b, c in S, (a ⊕ b) ⊕ c = a ⊕ (b ⊕ c).
Inverses: for each a in S there exists a unique element b in S, called the inverse of a, such that a ⊕ b = b ⊕ a = e.

An additive group. Consider the set of integers Zn for some integer n. Retain the ordinary operations of addition and multiplication, except that results are reduced with the mod operator:
a +n b means (a + b) (mod n); a *n b means (ab) (mod n).

Define the additive group (Zn, +n). The size of the group is n. Consider (Z6, +6); see the table in the next slide.

+6 | 0  1  2  3  4  5
---+-----------------
 0 | 0  1  2  3  4  5
 1 | 1  2  3  4  5  0
 2 | 2  3  4  5  0  1
 3 | 3  4  5  0  1  2
 4 | 4  5  0  1  2  3
 5 | 5  0  1  2  3  4

0 is the identity element: 2 +6 0 = (2 + 0) mod 6 = 2.

Inverses: 0^-1 = 0, since (0 + 0) mod 6 = 0; 1^-1 = 5, since (1 + 5) mod 6 = 0; 2^-1 = 4, since (2 + 4) mod 6 = 0; 3^-1 = 3, since (3 + 3) mod 6 = 0; 4^-1 = 2; 5^-1 = 1.


[a]n = {a + kn : k ∈ Z}. [a]n + [b]n = [a + b]n. [a]n * [b]n = [a * b]n.
[4]6 = {..., 4 + (-1)*6, 4 + 0*6, 4 + 1*6, 4 + 2*6, ...} = {..., -2, 4, 10, 16, ...}
[2]6 = {..., 2 + (-1)*6, 2 + 0*6, 2 + 1*6, 2 + 2*6, ...} = {..., -4, 2, 8, 14, ...}
Use the least non-negative integer to represent the class: 4 represents the equivalence class [4]6 and 2 represents the equivalence class [2]6.

[4]6 + [2]6 = [4 + 2]6 = [6]6
[6]6 = {..., 6 + (-1)*6, 6 + 0*6, 6 + 1*6, 6 + 2*6, ...} = {..., -6, 0, 6, 12, 18, ...}
0 represents the equivalence class [6]6.

See the full table of (Z6, +6) next.

10 can also represent the equivalence class [4]6 and 8 can represent the equivalence class [2]6:
(10 + 8) mod 6 = 0


A multiplicative group. Consider the set of integers Zn for some integer n, with a *n b meaning (a*b) (mod n). Define the multiplicative group (Zn*, *n). The elements of Zn* are the elements of Zn that are relatively prime to n:

Zn* = {[a]n ∈ Zn : gcd(a, n) = 1}

A multiplicative group modulo n, example. Zn* = {a ∈ Zn : gcd(a, n) = 1}. For n = 15, Z15* = {1, 2, 4, 7, 8, 11, 13, 14}. The group operation is a*b (mod 15):
8*11 = 88 = 13 (mod 15). The group identity is 1:
8*1 = 8 (mod 15)

Below is the group (Z15*, *15):

*15 |  1  2  4  7  8 11 13 14
----+------------------------
  1 |  1  2  4  7  8 11 13 14
  2 |  2  4  8 14  1  7 11 13
  4 |  4  8  1 13  2 14  7 11
  7 |  7 14 13  4 11  2  1  8
  8 |  8  1  2 11  4 13 14  7
 11 | 11  7 14  2 13  1  8  4
 13 | 13 11  7  1 14  8  4  2
 14 | 14 13 11  8  7  4  2  1

Multiplicative Group Z15*

The identity is 1. Inverses: 1^-1 = 1; 2^-1 = 8; 4^-1 = 4; 7^-1 = 13; 8^-1 = 2; 11^-1 = 11; 13^-1 = 7; 14^-1 = 14. Check: 7*13 = 91, and 91 mod 15 = 1.


For some a ∈ Zn*, let (d, x, y) be the output of a call to Extended-Euclid(a, n). Since a and n are relatively prime, d = 1, so 1 = a*x + n*y. The claim is that x is the inverse of a: since n*y mod n = 0, ax ≡ 1 (mod n).

Thus [x]n is the inverse of [a]n in Zn*.

Example: let a = 5 and n = 11. The multiplication table has rows 1..10 and columns 1..10. Since 11 is prime, 5 is relatively prime to 11. Extended-Euclid(a, n) returns (d = 1, x = -2, y = 1). (Download the Extended-Euclid spreadsheet: ExtendedEuclidSlidePresentationFall07.xls.) So the multiplicative inverse of 5 is -2, but the representative of the class [-2]11 is the positive value -2 + 11 = 9.

(5*9) mod 11 = 45 mod 11 = 1, so 5 and 9 are inverses of each other.

*  |  1  2  3  4  5  6  7  8  9 10
---+------------------------------
 1 |  1  2  3  4  5  6  7  8  9 10
 2 |  2  4  6  8 10  1  3  5  7  9
 3 |  3  6  9  1  4  7 10  2  5  8
 4 |  4  8  1  5  9  2  6 10  3  7
 5 |  5 10  4  9  3  8  2  7  1  6
 6 |  6  1  7  2  8  3  9  4 10  5
 7 |  7  3 10  6  2  9  5  1  8  4
 8 |  8  5  2 10  7  4  1  9  6  3
 9 |  9  7  5  3  1 10  8  6  4  2
10 | 10  9  8  7  6  5  4  3  2  1

Table for Z11*

1 is the unity; 5 and 9 are inverses of one another.

The size of Zn* is denoted by Euler's phi function:

φ(n) = n ∏_{p | n} (1 - 1/p)

where p runs through all primes that divide n.

If n = 45, the primes that divide n are {3, 5}, so the size of Z45* is φ(45) = 45 (1 - 1/3)(1 - 1/5) = 45 * (2/3) * (4/5) = 24.

The size of Zn* when n is prime: the only prime that divides n is n itself, so p = n and

φ(n) = n ∏_{p | n} (1 - 1/p) = n (1 - 1/n) = n (n - 1)/n = n - 1

If n = 11, a prime, the size of Z11* is φ(11) = 11 - 1 = 10.

Similarly, if n = 13, a prime, the size of Z13* is φ(13) = 13 - 1 = 12.
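Added example, not from the slides: the repeated-division factorization loop shown earlier (the a = 12 trace) and Euler's phi computed from the resulting prime set, in Python. It tries every integer p = 2, 3, 4, ... instead of a supplied prime list {p_i} and stops once p*p exceeds what is left of a; the names factorize, prime_factor_list and euler_phi are mine.

```python
# Added example (not from the slides): trial-division factorization as in the
# "divide a by successive primes" loop, plus Euler's phi computed from it.

def factorize(a):
    """Prime factorization of a >= 2 by repeated division.

    Returns a dict {prime: exponent}, e.g. 6000 -> {2: 4, 3: 1, 5: 3}.
    Every integer p = 2, 3, 4, ... is tried instead of a precomputed prime
    list: a composite p can never divide a, because all of p's own prime
    factors were already divided out when they were tried as smaller p.
    """
    if a < 2:
        raise ValueError("factorize expects an integer >= 2")
    factors = {}
    p = 2
    while p * p <= a:            # once p*p > a, whatever is left of a is prime
        while a % p == 0:        # inner loop of the slides: "while a % p_i = 0"
            factors[p] = factors.get(p, 0) + 1
            a //= p
        p += 1
    if a > 1:
        factors[a] = factors.get(a, 0) + 1
    return factors


def prime_factor_list(a):
    """The sequence the slides' loop prints, e.g. 12 -> [2, 2, 3]."""
    return [p for p, k in sorted(factorize(a).items()) for _ in range(k)]


def euler_phi(n):
    """phi(n) = n * prod_{p | n} (1 - 1/p), the size of Z*_n.

    Computed as n * (p - 1) / p over the distinct primes p dividing n, in
    integer arithmetic: p divides the running value at every step.
    """
    if n < 1:
        raise ValueError("phi is defined for n >= 1")
    phi = n
    for p in (factorize(n) if n > 1 else ()):
        phi = phi // p * (p - 1)
    return phi


if __name__ == "__main__":
    print(prime_factor_list(12))                          # [2, 2, 3]
    print(factorize(216))                                 # {2: 3, 3: 3}
    print(euler_phi(45), euler_phi(11), euler_phi(13))    # 24 10 12
```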

Find the solutions to ax ≡ b (mod n) where a > 0, n > 0. The equation has zero, one, or more than one solution. The equation ax ≡ b (mod n) is solvable if and only if gcd(a,n) | b. The equation ax ≡ b (mod n) either has d distinct solutions modulo n, where d = gcd(a,n), or has no solutions.

MODULAR-LINEAR-EQUATION-SOLVER(a, b, n)
1 (d, x, y) = EXTENDED-EUCLID(a, n)
2 if d | b
3   then x0 = x * (b/d) mod n
4        for i = 0 to d - 1
5            do print (x0 + i * (n/d)) mod n
6   else print "no solutions"

For any n > 1, if gcd(a,n) = 1 then the equation ax ≡ b (mod n) has a unique solution modulo n. In particular, the equation ax ≡ 1 (mod n) has a unique solution x0.

This solution is the unique multiplicative inverse of a modulo n. Therefore, the Extended-Euclid algorithm yields the inverse of a.
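Added example (my code, not the slides' or the ExtendedEuclid.xlsx spreadsheet): Extended-Euclid with a spreadsheet-style trace of the (99, 78) call above, the multiplicative inverse it yields as just claimed, and MODULAR-LINEAR-EQUATION-SOLVER. The function names are mine; the equation 14x ≡ 30 (mod 100) is a constructed check with d = 2 solutions.

```python
# Added example (not from the slides): Extended-Euclid with a trace, the
# inverse it yields, and MODULAR-LINEAR-EQUATION-SOLVER.

def extended_euclid(a, b, trace=None):
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y.

    If a list is passed as `trace`, one row (a, b, floor(a/b), d, x, y) per
    call is appended after that call returns, so rows come out from the
    deepest call (b = 0) back up to the original call.
    """
    if b == 0:
        d, x, y = a, 1, 0                               # line 2: return (a, 1, 0)
        q = None
    else:
        d, x1, y1 = extended_euclid(b, a % b, trace)    # line 3
        q = a // b
        x, y = y1, x1 - q * y1                          # line 4
    if trace is not None:
        trace.append((a, b, q, d, x, y))
    return d, x, y


def euclid_table(a, b):
    """Rows of the spreadsheet on the slides, top-down from (a, b) to (d, 0)."""
    rows = []
    extended_euclid(a, b, rows)
    return rows[::-1]


def modular_inverse(a, n):
    """The x of Extended-Euclid(a, n), reduced to the class representative in Z_n."""
    d, x, _ = extended_euclid(a, n)
    if d != 1:
        raise ValueError("%d has no inverse modulo %d (gcd is %d)" % (a, n, d))
    return x % n


def modular_linear_equation_solver(a, b, n):
    """All solutions of a*x = b (mod n), or [] when gcd(a, n) does not divide b."""
    d, x, _ = extended_euclid(a, n)
    if b % d != 0:
        return []
    x0 = (x * (b // d)) % n
    return [(x0 + i * (n // d)) % n for i in range(d)]


if __name__ == "__main__":
    for row in euclid_table(99, 78):
        print(row)                   # (99, 78, 1, 3, -11, 14) ... (3, 0, None, 3, 1, 0)
    print(modular_inverse(5, 11))    # 9
    print(modular_inverse(5, 216))   # 173, the RSA private exponent used later
    print(modular_linear_equation_solver(14, 30, 100))   # [95, 45]
```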

The Chinese Remainder Theorem solves the problem of finding those integers that leave the remainders 2, 3 and 2 when divided by 3, 5 and 7 respectively.
One solution is x = 23. All solutions are of the form 23 + 105k for arbitrary integers k; this is the general solution.

The theorem relates pairwise relatively prime moduli (say 3, 5 and 7) and an equation modulo their product 3*5*7 = 105 = n. It shows that Zn is identical to the Cartesian product Zn1 x Zn2 x ... x Znk where n = n1 * n2 * ... * nk, the ni are pairwise relatively prime, and addition and multiplication are done component-wise modulo the ni.

Operations performed on elements of Zn can be equivalently performed on the elements of the Zni:
(a + b) mod n ↔ ((a1 + b1) mod n1, ..., (ak + bk) mod nk)
(a * b) mod n ↔ ((a1 * b1) mod n1, ..., (ak * bk) mod nk)
(a - b) mod n ↔ ((a1 - b1) mod n1, ..., (ak - bk) mod nk)

Let n = n1 * n2 * ... * nk where the ni are pairwise relatively prime. Consider a ↔ (a1, a2, ..., ak) where a ∈ Zn, ai ∈ Zni and ai = a mod ni for i = 1 to k.

For example let n = 5 * 13 * 4 = 260. The pairs (5,13), (5,4) and (13,4) are relatively prime. Let a = 32: a1 = a mod n1 = 32 mod 5 = 2, a2 = a mod n2 = 32 mod 13 = 6, a3 = a mod n3 = 32 mod 4 = 0. So 32 ↔ (2, 6, 0): 32 in Z260 corresponds to 2 in Z5, 6 in Z13 and 0 in Z4.

The mapping of a to (a1, a2, ..., ak) is a one-to-one mapping between Zn and Zn1 x Zn2 x ... x Znk. In the example above, 32 in Z260 corresponds to (2 in Z5, 6 in Z13, 0 in Z4).

The operations performed on the elements of Zn can be equivalently performed on the corresponding k-tuples by performing the operations independently in each coordinate position. If a ↔ (a1, a2, ..., ak) and b ↔ (b1, b2, ..., bk), then (a + b) mod n ↔ ((a1 + b1) mod n1, (a2 + b2) mod n2, ..., (ak + bk) mod nk). The same holds for subtraction and multiplication.

For example, 37 ↔ (2, 11, 1) and 18 ↔ (3, 5, 2), so (37 * 18) mod 260 ↔ (2*3 mod 5, 11*5 mod 13, 1*2 mod 4) = (1, 3, 2). Further, (37 * 18) mod 260 = 666 mod 260 = 146, so 146 ↔ (1, 3, 2).

Check it: 146 ↔ (146 mod 5, 146 mod 13, 146 mod 4) = (1, 3, 2). Also, given (1, 3, 2), 146 can be computed as follows.

Let mi be the product n1 n2 ... n(i-1) n(i+1) ... nk, the product of all the moduli excluding ni:
m1 = n2 n3 = 13 * 4 = 52, m2 = n1 n3 = 5 * 4 = 20, m3 = n1 n2 = 5 * 13 = 65.

Calculate the coefficients ci = mi (mi^-1 mod ni). For m1 = 52: 52 * x mod 5 = 1? x = 3, since 52 * 3 = 156 and 156 mod 5 = 1, so c1 = 52 * 3 = 156. Likewise m2 = 20, 20 mod 13 = 7 and 7 * 2 = 14 ≡ 1 (mod 13), so c2 = 20 * 2 = 40; m3 = 65, 65 mod 4 = 1, so c3 = 65 * 1 = 65. Then a = (a1 c1 + a2 c2 + a3 c3) mod n = (1*156 + 3*40 + 2*65) mod 260 = 406 mod 260 = 146.

If n = n1 * n2 * ... * nk where the ni are pairwise relatively prime, then for all integers x and a, x ≡ a (mod ni) for all i = 1 to k if and only if x ≡ a (mod n).
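Added example, not from the slides: the correspondence a ↔ (a mod n1, ..., a mod nk) and the reconstruction through ci = mi (mi^-1 mod ni) worked above, in Python, checked on the n = 260 values and on the 3, 5, 7 problem. The function names are mine; the inverse mi^-1 mod ni comes from Python's pow(mi, -1, ni) (3.8+) where the slides would call Extended-Euclid.

```python
# Added example (not from the slides): the Chinese-remainder correspondence
# for pairwise relatively prime moduli and the c_i reconstruction.
from math import gcd


def check_pairwise_coprime(moduli):
    """The theorem needs gcd(n_i, n_j) = 1 for every pair; raise otherwise."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli %d and %d are not relatively prime"
                                 % (moduli[i], moduli[j]))


def product(moduli):
    n = 1
    for n_i in moduli:
        n *= n_i
    return n


def crt_decompose(a, moduli):
    """a in Z_n  ->  (a mod n_1, ..., a mod n_k)."""
    check_pairwise_coprime(moduli)
    return tuple(a % n_i for n_i in moduli)


def crt_coefficients(moduli):
    """c_i = m_i * (m_i^-1 mod n_i), with m_i the product of the other moduli.

    The inverse is pow(m_i, -1, n_i) here; the slides get it from Extended-Euclid.
    """
    check_pairwise_coprime(moduli)
    n = product(moduli)
    return [(n // n_i) * pow(n // n_i, -1, n_i) for n_i in moduli]


def crt_reconstruct(residues, moduli):
    """(a_1, ..., a_k)  ->  a = sum(a_i * c_i) mod n, the unique a in Z_n."""
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus expected")
    n = product(moduli)
    total = sum(a_i * c_i for a_i, c_i in zip(residues, crt_coefficients(moduli)))
    return total % n


def crt_multiply(a, b, moduli):
    """(a * b) mod n done component-wise in the Z_{n_i}, then mapped back."""
    pa, pb = crt_decompose(a, moduli), crt_decompose(b, moduli)
    prod = tuple((x * y) % n_i for x, y, n_i in zip(pa, pb, moduli))
    return crt_reconstruct(prod, moduli)


if __name__ == "__main__":
    moduli = (5, 13, 4)                              # n = 260, as on the slides
    print(crt_decompose(32, moduli))                 # (2, 6, 0)
    print(crt_coefficients(moduli))                  # [156, 40, 65]
    print(crt_reconstruct((1, 3, 2), moduli))        # 146
    print(crt_multiply(37, 18, moduli))              # 146 == (37 * 18) % 260
    print(crt_reconstruct((2, 3, 2), (3, 5, 7)))     # 23
```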


1. Select two very large prime numbers p and q, p ≠ q.
2. Let n = p*q.
3. Select a small odd integer e that is relatively prime to φ(n) = (p-1)(q-1).
Suppose p = 13 and q = 19. Then n = 13 * 19 = 247, (p-1) = 12, (q-1) = 18, and φ(n) = 12 * 18 = 216. Find a small odd integer relatively prime to 216.

Repeatedly divide 216 by primes to get its factorization. Divide by 2: 216 = 2*108, 108 = 2*54, 54 = 2*27, so 216 = 2^3 * 27. Repeatedly divide 27 by 3: 27 = 3^3. So 216 = 2^3 * 3^3. Pick any odd integer relatively prime to 216: e = 11 would do; here pick e = 5, so the pair (e = 5, n = 247) is the RSA public key.

Publish the pair (e = 5, n = 247); it is the RSA public key.


4. Use Extended-Euclid to find the inverse of the public key e in the set Z*φ(n): call Extended-Euclid(e, φ(n)) = Extended-Euclid(5, 216).

This solves ex ≡ 1 (mod 216) for x; see the next slide for the spreadsheet output. The x from Extended-Euclid is the private key d: d is 173.


Private key pair = <d, n> = <173, 247>. Keep <173, 247> secret.

Extended-Euclid to calculate the inverse of e = 5 modulo φ(n) = 216:

a     b     floor(a/b)   d    x     y
5     216   0            1   -43    1
216   5     43           1     1  -43
5     1     5            1     0    1
1     0     -            1     1    0

x = -43; the positive inverse is -43 + 216 = 173.

RSA encrypts messages sent between two communicating locations. Eavesdroppers who overhear messages should not be able to decrypt them. Parties who communicate can append an unforgeable signature to the end of an electronic message.

The RSA system is based on the ease of finding very large prime numbers and the difficulty of factoring the product of two large primes.

Each participant has both a public and a private (secret) key. Traditionally the two participants are called Alice and Bob; their public and private keys are denoted PA and SA for Alice and PB and SB for Bob.

Each participant creates their own public and private key. Each keeps their secret key secret, but can reveal their public key to anyone or publish it in a public directory. The public and private keys can be applied to any message. Denote the set of all permissible messages by D.

The public and private keys specify one-to-one functions from D to itself. The function corresponding to Alice's public key is denoted PA(); the function corresponding to Alice's private key is denoted SA(). The corresponding functions for Bob are PB() and SB().

These functions form a matched pair in that they are specified as inverses of one another: M = SA(PA(M)) for any message M, and M = SB(PB(M)) for any message M.

It is essential that no one but Alice be able to compute SA in any practical amount of time. The privacy of mail that is encrypted and sent to Alice, and the authenticity of Alice's signature, rest on the assumption that only Alice can compute SA.
Alice must keep her secret key secret even though everyone knows her public key PA and can compute PA() efficiently.

Bob                                              Alice
plaintext M --encrypt with PA--> C = PA(M) --communication channel--> decrypt with SA: M = SA(PA(M))
                                      eavesdropper sees C, the encoded text (cipher-text)

Bob encrypts a message sent to Alice using Alice's public key PA, obtained from a directory; Alice decrypts a message sent to her using her secret key SA.

Transformation of a plaintext message M, associated with the public key (e, n):
P(M) = M^e (mod n)

Transformation of a cipher-text message C, associated with the private key (d, n):
S(C) = C^d (mod n)

Assume the pair (e = 5, n = 247) is the RSA public key and <173, 247> is the RSA private key. Assume the plaintext message M is the character 'a', whose integer (ASCII) value in decimal is 97. Encrypt the character 'a': the cipher-text message is C = P(M) = 97^5 (mod 247) = 8587340257 (mod 247) = 184. Decrypt the message: S(C) = 184^173 (mod 247) = 6.508537038405599006539868283061e+391 mod 247 = 97, which was the original message 'a' that was sent.

Given: 1st prime number p = 11, 2nd prime number q = 29, public key e = 3. Find the private key d.
Calculate: n = p * q = 11 * 29 = 319

φ(n) = (p - 1) * (q - 1) = 10 * 28 = 280

To calculate the secret key d, run the Extended-Euclid algorithm on the public key e = 3 and φ(n) = 280. From the table below, the secret key is d = 187.

a     b     floor(a/b)   d    x     y
3     280   0            1   -93    1
280   3     93           1     1  -93
3     1     3            1     0    1
1     0     -            1     1    0

Inverse in problem 31.7-1: x = -93, and the smallest positive integer in its class is 280 + (-93) = 187.

With the public key e = 3, the secret key d = 187 and n = 319, the encoding and decoding of the message M = 100 can proceed.
Encode (encrypt) M = 100: M^e mod n = 100^3 mod 319 = 1000000 mod 319 = 254. The encoded (encrypted) value sent is C = 254.
Decode (decrypt) C = 254: C^d mod n = 254^187 mod 319 = 5.0571403642522761487477741975759e+449 mod 319 = 100. The original message M = 100 is reconstructed.

The same results can be obtained by executing the RSAProblemSetAnswers class in the RSASecurityAlgorithmNetBFall06 NetBeans project.

Executing the RSAProblemSetAnswers class also gives many other public key, private key pairs that will work. Do the encrypt/decrypt calculation with the pair <e = 197, d = 253>, then run it through RSAProblemSetAnswers to check that it works.
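Added example (my code, not the slides' RSAProblemSetAnswers class): steps 1 to 4 of the key generation above, the P and S transformations, and a check of both worked examples plus the <e = 197, d = 253> pair just mentioned. rsa_keygen, rsa_apply and rsa_sign_and_verify are my names; d comes from Python's pow(e, -1, phi) (3.8+) in place of the Extended-Euclid spreadsheet.

```python
# Added example (not the slides' code): textbook RSA exactly as the slides set
# it up, with d = e^-1 mod phi(n) taken from pow() instead of Extended-Euclid.
from math import gcd


def rsa_keygen(p, q, e):
    """Steps 1-4: n = p*q, phi(n) = (p-1)(q-1), e coprime to phi(n),
    d = e^-1 mod phi(n).  Returns ((e, n), (d, n)) = (public, private)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e = %d is not relatively prime to phi(n) = %d" % (e, phi))
    d = pow(e, -1, phi)             # the inverse the slides get from Extended-Euclid
    return (e, n), (d, n)


def rsa_apply(m, key):
    """P(M) = M^e mod n with the public key, S(C) = C^d mod n with the private key."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, exp, n)           # fast modular exponentiation, see the next section


def rsa_sign_and_verify(m, public, private):
    """The matched-pair property in the signing direction: P(S(M)) = M."""
    return rsa_apply(rsa_apply(m, private), public) == m


if __name__ == "__main__":
    public, private = rsa_keygen(13, 19, 5)
    print(public, private)                           # (5, 247) (173, 247)
    c = rsa_apply(ord("a"), public)                  # 97^5 mod 247
    print(c, chr(rsa_apply(c, private)))             # 184 a
    public2, private2 = rsa_keygen(11, 29, 3)
    print(private2, rsa_apply(100, public2))         # (187, 319) 254
    # the extra pair <e=197, d=253> for n = 319 suggested above
    print(rsa_apply(rsa_apply(100, (197, 319)), (253, 319)))   # 100
```

This is textbook RSA as on the slides: no padding and a toy modulus, so it demonstrates only the arithmetic.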

The utility of the RSA technique depends on the efficiency of doing the exponentiation, say 184^173.

To encode or decode messages, fast modular exponentiation is necessary: computations of the form a^b mod n.

Consider computing 7^22. Convert the exponent b = 22 to binary; its binary representation is:

i    4  3  2  1  0
bi   1  0  1  1  0

22 represented as a base-two number is 1*2^4 + 0*2^3 + 1*2^2 + 1*2^1 + 0*2^0.

Raise 7 to this exponent:
7^(1*2^4 + 0*2^3 + 1*2^2 + 1*2^1 + 0*2^0) = 7^(2^4) * 7^0 * 7^(2^2) * 7^(2^1) * 7^0 = 7^16 * 1 * 7^4 * 7^2 * 1
Total number of multiplications is 15 + 1 + 1 + 3 + 1 + 1 + 1 = 23.

Consider the exponent as a polynomial of degree 4 in x for x = 2, with a = 1, b = 0, c = 1, d = 1, e = 0:
a*x^4 + b*x^3 + c*x^2 + d*x^1 + e
Factor out x repeatedly: (((a*x + b)*x + c)*x + d)*x + e

Raise 7 to this power:
7^((((a*x + b)*x + c)*x + d)*x + e) = ((((7^a)^x * 7^b)^x * 7^c)^x * 7^d)^x * 7^e = ((((7^1)^2 * 7^0)^2 * 7^1)^2 * 7^1)^2 * 7^0


Convert the exponent b to binary. For example let b = 560; its binary representation is:

i    9  8  7  6  5  4  3  2  1  0
bi   1  0  0  0  1  1  0  0  0  0

Represented as a base-two number, 560 is 1*2^9 + 0*2^8 + 0*2^7 + 0*2^6 + 1*2^5 + 1*2^4 + 0*2^3 + 0*2^2 + 0*2^1 + 0*2^0.
Reduce the number of multiplications by creative factoring, using Horner's method:
((((((((1*2 + 0)*2 + 0)*2 + 0)*2 + 1)*2 + 1)*2 + 0)*2 + 0)*2 + 0)*2 + 0

Modular exponentiation raises a to the power above, mod n:
a^(((((((((1*2 + 0)*2 + 0)*2 + 0)*2 + 1)*2 + 1)*2 + 0)*2 + 0)*2 + 0)*2 + 0) mod n

Consider evaluating a^(1*2 + 0): a^1 = a, a^(1*2) = a^2, and a^(1*2 + 0) = a^2 * a^0 = a^2 * 1 = a^2.

Consider evaluating a^((1*2 + 0)*2 + 1): a^((1*2 + 0)*2) = (a^2)^2 = a^4, and a^((1*2 + 0)*2 + 1) = a^4 * a = a^5.

The mod can be done after every multiplication instead of at the end. This prevents the product from growing too large to be held in a word of the machine. Start the problem on page 880 in the book: a = 7, b = 560, n = 561, with the exponent written as
((((((((1*2 + 0)*2 + 0)*2 + 0)*2 + 1)*2 + 1)*2 + 0)*2 + 0)*2 + 0)*2 + 0

7^1 mod 561 = 7 mod 561 = 7
7^2 mod 561 = 49 mod 561 = 49
7^2 * 7^0 mod 561 = 49
49^2 mod 561 = 2401 mod 561 = 157
157^2 mod 561 = 526
526^2 mod 561 = 103
103 * 2 mod 561 = 206 (this step multiplies by 2; the bit is 1, so the Horner step calls for multiplying by a = 7, which gives 103 * 7 mod 561 = 160)
206^2 mod 561 = 361
361 * 2 mod 561 = 161 (same slip: the bit is 1, so the multiplier should be a = 7)
161^2 mod 561 = 115
115^2 mod 561 = 322
322^2 mod 561 = 460
460^2 mod 561 = 103
Not Correct
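Added example, not from the slides or from Cormen: MODULAR-EXPONENTIATION over the bits of b with the reduction after every multiplication, returning the intermediate values so the trace above can be checked step by step. With the two 1 bits (i = 5 and i = 4) multiplied by a = 7 rather than by 2, the trace ends at 1, which is also what 7^560 mod 561 must be: 561 = 3 * 11 * 17 is a Carmichael number, so a^560 ≡ 1 (mod 561) for every a relatively prime to 561 even though 561 is composite. The function name and the returned multiplication count are mine.

```python
# Added example (not from the slides): MODULAR-EXPONENTIATION by Horner's rule
# over the bits of b, reducing mod n after every multiplication.

def modular_exponentiation(a, b, n):
    """Return (a^b mod n, trace, mults).

    trace[i] is the value of d after the i-th most significant bit of b has
    been processed; mults counts the modular multiplications performed
    (each squaring, plus one multiplication by a for each 1 bit).
    """
    if n < 1 or b < 0:
        raise ValueError("need n >= 1 and b >= 0")
    a %= n
    d = 1
    trace = []
    mults = 0
    for bit in bin(b)[2:]:          # most significant bit first, as on the slides
        d = (d * d) % n             # the "* 2" of the Horner expression: square d
        mults += 1
        if bit == "1":
            d = (d * a) % n         # the "+ 1" of the Horner expression: multiply by a
            mults += 1
        trace.append(d)
    return d, trace, mults


if __name__ == "__main__":
    d, trace, mults = modular_exponentiation(7, 560, 561)
    print(d, mults)      # 1 13
    print(trace)         # [7, 49, 157, 526, 160, 241, 298, 166, 67, 1]
    # 7^22 by Horner's rule: 5 squarings + 3 multiplications, not the 23 counted above
    print(modular_exponentiation(7, 22, 10**9)[2])   # 8
```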


Evaluation of 7^560 mod 561: pages 879-880 of Cormen.


