1 / 59

15-251

15-251. Some. Great Theoretical Ideas in Computer Science. for. Modular Arithmetic and the RSA Cryptosystem. Lecture 17 (March 18, 2008). p-1. 1.  p. Public Key Cryptography. -----BEGIN PGP PRIVATE KEY BLOCK----- Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

britain
Télécharger la présentation

15-251

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 15-251 Some Great Theoretical Ideas in Computer Science for

  2. Modular Arithmetic and the RSA Cryptosystem Lecture 17 (March 18, 2008) p-1 1 p

  3. Public Key Cryptography -----BEGIN PGP PRIVATE KEY BLOCK----- Version: PGP 8.1 - not licensed for commercial use: www.pgp.com lQHNBEOedR4RBAC6bfed3ULzOwVF/BouyO8kfs8wkOmk3vaMF6+6JyeEJqyImaVh pVhU7lst6QtXTyAF734FtClM/9Dq9Dn7GDoO3E9+nGVO7wJ1OT+X4lgkoiM68WWG eioT958Hg0zq0KquHUBFM+Kldc+nr0e0Q6uCgwIYM7oH60/WX8e2WnvycwCgzba0 kRzxNtmw9w9IEQUk9pa2CK8D/2FjRxtEDN6nY7/l1wUrkMjI/uXYnsNWwrIAbwHp qhUZQYst27XpwNplAmI6YuS+3O+L4vgURj1hVcnNG+2bZXjbt4Fg3RLhrTV/jiuL ohBayAAdZZ4+72Cja1+18xp700GVTF96jYc8dIoxNx1AgHzQUffj3GnscAzo7ud3 HyYHA/9sI6Gijh/ubr1qTzHwZPdilDjfnEyQwR6+forUUegwCO0YawsC2lG6F7MG q3RHnJSwI3DiH/gY5bYk3XxhinkKxqk54DiL6vrHIw/E9J6RazY+ocicLRZ+6XjO JPXpK8s2v64pH5gyrsfANwSTTyECPx/hp2G+0BW/mtMU+JqFPP8DAwKvgRN08aTW 1WAW5/ak/URD4OAOT6OXlyg4YwhaJodb9vfwck4V8bnNLVNhbXBsZSBTZWN1cmVC bGFja2JveCBQR1Aga2V5PGluZm9AZWxkb3MuY29tPp0DJgRDnnWkEAgAxIwIsmEC mLGfQMH6GfNqn8XG9/bvT/nL/m7TjUVv1JGrKDASbASsPlYLnDel4opyp24Azu5x nQ0/QlsOifmXjINcWzNtWcJkW3rBamP1Vw6ZhxN8e1ARRrxwOn42V/yn/HoMFH0O Hhm2M5r8W/rOxo4dPdKPmRPdMaPVMndgM8WcOGPJ6TbMb4g9hphb+E4o3glI6fhP 41GZy57wWdKY9DnQ3W2PGoFaFAlQdyAtekzOmixp2/jXpq4+br9Yd088Unp2sw4Z 56j8sAbTk7NFpcTUSxsnFXpiGr0WkV+qfDyYTBvEnFXIteiThAWYzJgge6Tb6qzL 1XjD5uR1z2FgTwACAgf/fGBkVe8yETYwARrcn0xXv991AEvA4wlNI0/gygJKXxTV 0wTImdsOnsKsxtTCKdchSCFRuGYsBPzc7lUsPKk4jNkAv1EZELhqHkZTC51tEPxA m3/i8iAYFz2rTPfZkrjBJ2xP6ChRqmj0BTcZjo3bzRwjlUMTejGaR9BQDqB9A59z 2rCBn6nz9f6F+1oZ62gThjS6WUbUbhBKCwvfntFsXFrpXWHr5Apv+5zbxteTdHr0 1x3NRl0RzvzJ4wQ4WsVFiZFI3l7HykRd37XE+hSvRSr2iWqE/PdR7alxAswc5LET GCH//3xzP1/7Au3XLUaD4LaFoXY1bIBui2Srmu1kcP8DAwIYqvVK6L5Df2CejmTt hiA1DBnNck4dF7gPOaYku6Rfw27EOvhWmdZ1pp13uw2Tm6SEBoG7rkq1a01UWEjs PhUPkfxhVT6qHd4Bs3EOGSh7sNFsv8IbbAyP3rPOtbt3m9t02xEzKl5ZOqD85EZC HYK/l6lLD8pUX2dJQqZwTN4lkdl99HOf7XYPxHvCmbh1S1CgTM3H2wc5M7QROMhr -----END PGP PRIVATE KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP 8.1 - not licensed for commercial use: www.pgp.com mQGiBEOedR4RBAC6bfed3ULzOwVF/BouyO8kfs8wkOmk3vaMF6+6JyeEJqyImaVh pVhU7lst6QtXTyAF734FtClM/9Dq9Dn7GDoO3E9+nGVO7wJ1OT+X4lgkoiM68WWG eioT958Hg0zq0KquHUBFM+Kldc+nr0e0Q6uCgwIYM7oH60/WX8e2WnvycwCgzba0 kRzxNtmw9w9IEQUk9pa2CK8D/2FjRxtEDN6nY7/l1wUrkMjI/uXYnsNWwrIAbwHp qhUZQYst27XpwNplAmI6YuS+3O+L4vgURj1hVcnNG+2bZXjbt4Fg3RLhrTV/jiuL ohBayAAdZZ4+72Cja1+18xp700GVTF96jYc8dIoxNx1AgHzQUffj3GnscAzo7ud3 HyYHA/9sI6Gijh/ubr1qTzHwZPdilDjfnEyQwR6+forUUegwCO0YawsC2lG6F7MG q3RHnJSwI3DiH/gY5bYk3XxhinkKxqk54DiL6vrHIw/E9J6RazY+ocicLRZ+6XjO JPXpK8s2v64pH5gyrsfANwSTTyECPx/hp2G+0BW/mtMU+JqFPM0tU2FtcGxlIFNl Y3VyZUJsYWNrYm94IFBHUCBrZXk8aW5mb0BlbGRvcy5jb20+wkkEEBECABMCmQEF AkOedaQJEKl84ZsqNet0AAAROgCggFcJOrmvNvpdmADv0iEzVUVci+gAoJDD9wbm WOq7M06k4rSOZSj2me0GuQINBEOedaQQCADEjAiyYQKYsZ9AwfoZ82qfxcb39u9P +cv+btONRW/UkasoMBJsBKw+VgucN6XiinKnbgDO7nGdDT9CWw6J+ZeMg1xbM21Z wmRbesFqY/VXDpmHE3x7UBFGvHA6fjZX/Kf8egwUfQ4eGbYzmvxb+s7Gjh090o+Z E90xo9Uyd2AzxZw4Y8npNsxviD2GmFv4TijeCUjp+E/jUZnLnvBZ0pj0OdDdbY8a gVoUCVB3IC16TM6aLGnb+Nemrj5uv1h3TzxSenazDhnnqPywBtOTs0WlxNRLGycV emIavRaRX6p8PJhMG8ScVci16JOEBZjMmCB7pNvqrMvVeMPm5HXPYWBPAAICB/98 YGRV7zIRNjABGtyfTFe/33UAS8DjCU0jT+DKAkpfFNXTBMiZ2w6ewqzG1MIp1yFI IVG4ZiwE/NzuVSw8qTiM2QC/URkQuGoeRlMLnW0Q/ECbf+LyIBgXPatM99mSuMEn bE/oKFGqaPQFNxmOjdvNHCOVQxN6MZpH0FAOoH0Dn3PasIGfqfP1/oX7WhnraBOG NLpZRtRuEEoLC9+e0WxcWuldYevkCm/7nNvG15N0evTXHc1GXRHO/MnjBDhaxUWJ -----END PGP PUBLIC KEY BLOCK-----

  4. Public Key Cryptography Secret M Private Key Public Key P EP[M]

  5. The RSA Cryptosystem Rivest, Shamir, and Adelman (1978) RSA is one of the most used cryptographic protocols on the net. Your browser uses it to establish a secure session with a site.

  6. Pick secret, random large primes: p,q “Publish”: n = p*q (n) = (p) (q) = (p-1)*(q-1) Pick random e  Z*(n) “Publish”: e Compute d = inverse of e in Z*(n) Hence, e*d = 1 [ mod (n) ] “Private Key”: d Mumbo jumbo… More Mumbo jumbo…

  7. But how does it all work? What is φ(n)? What is Zφ(n)*? … Why do all the steps work? To understand this, we need a little number theory...

  8. MAX(a,b) + MIN(a,b) = a+b n|m means that: m is an integer multiple of n. (We say that “n dividesm”.)

  9. Greatest Common Divisor: GCD(x,y) = greatest k ≥ 1 such that k|x and k|y Least Common Multiple: LCM(x,y) = smallest k ≥ 1 such that x|k and y|k Fact: GCD(x,y) × LCM(x,y) = x × y You can use MAX(a,b) + MIN(a,b) = a+b to prove the above fact.

  10. Modulus (a mod n) means: the remainder when a is divided by n If a = dn + r with 0 ≤ r < n Then r = (a mod n)and d = (a div n)

  11. Modular Equivalence a  b [mod n]  (a mod n) = (b mod n)  n|(a-b) Written as a n b, and spoken “a and b are equivalent modulo n” Example: 31  81 [mod 2] 31 2 81

  12. n is an Equivalence Relation In other words, it is: Reflexive: a n a Symmetric: (a n b)  (b n a) Transitive: (a n b and b n c)  (a n c) n induces a partition of Z into n classes a and b are said to be in the same “residue class” or “congruence class” when a n b

  13. a n b  n|(a-b) “a and b are equivalent modulo n” Define Residue class [i] = the set of all integers that are congruent to i modulo n Residue Classes Mod 3: [0] = { …, -6, -3, 0, 3, 6, ..} [1] = { …, -5, -2, 1, 4, 7, ..} [2] = { …, -4, -1, 2, 5, 8, ..} [-6] = { …, -6, -3, 0, 3, 6, ..} [7] = { …, -5, -2, 1, 4, 7, ..} [-1] = { …, -4, -1, 2, 5, 8, ..}

  14. Fact: equivalence mod n implies equivalence mod any divisor of n. If (x n y) and (k|n) then: x k y Example: 10 6 16  10 3 16 Proof: x n y  n|(x-y)  k|(x-y)  x k y

  15. Fundamental lemma of plus, minus, and times mod n: If (x n y) and (a n b), then: 1. x + a n y + b 2. x - a n y – b 3. x * a n y * b When doing plus, minus, and times modulo n, you can at any time replace a number with a number in the same residue class modulo n What is (249)(504) mod 251? When working mod 251: (-2)(2) = -4 = 247

  16. A Unique Representation System Modulo n: We pick exactly one representative from each residue class. We do all our calculations using these representatives.

  17. Unique Representation System Modulo 3 Finite set S = {0, 1, 2} + and * defined on S:

  18. Unique Representation System Modulo 3 Finite set S = {0, 1, -1} + and * defined on S:

  19. Perhaps The Most Convenient Set of Representatives The reduced system modulo n: Zn = {0, 1, 2, …, n-1} Define operations +n and *n: a +n b = (a+b mod n) a *n b = (a*b mod n)

  20. The Reduced System Modulo 2 Z2 = {0, 1} Two binary, associative operators on Z2:

  21. The Reduced System Modulo 2 Z2 = {0, 1} Two binary, associative operators on Z2:

  22. The Reduced System Z4 = {0,1,2,3}

  23. The Reduced System Z6 = {0,1,2,3,4,5} An operator has the permutation property if each row and each column has a permutation of the elements. For every n, +n on Zn has the permutation property

  24. What about multiplication?Does *6 on Z6 have the permutation property? NO!

  25. What about *8 on Z8? 0 3 6 1 4 7 2 5 0 4 0 4 0 4 0 4 Which rows have the permutation property?

  26. A visual way to understand multiplication and the “permutation property”.

  27. 0 7 1 2 6 5 3 4 The multiples of c modulo n is the set: {0, c, c +n c, c +n c +n c, ….} = {kc mod n | 0 ≤ k ≤ n-1} There are exactly 8 distinct multiples of 3 modulo 8: Hit all numbers  row 3 has the “permutation property”

  28. 0 7 1 2 6 5 3 4 There are exactly 2 distinct multiples of 4 modulo 8

  29. 0 7 1 2 6 5 3 4 There is exactly 1 distinct multiple of 8 modulo 8

  30. 0 7 1 2 6 5 3 4 There are exactly 4 distinct multiples of 6 modulo 8

  31. There number of distinct multiples of c modulo n is: LCM(n,c)/c = n/GCD(c,n) Hence only those values of c with GCD(c,n) = 1 have the permutation property for *n on Zn

  32. Theorem: There are exactly k = n/GCD(c,n) = LCM(c,n)/c distinct multiples of c modulo n, and these are: { c*i mod n | 0 ≤ i < k } Proof: Clearly, c/GCD(c,n) ≥ 1 is a whole number n 0 ck = cn/GCD(c,n) = n(c/GCD(c,n)) So there are at most k multiples of c mod n: c*0, c*1, c*2, …, c*(k-1) Also, k = all the factors of n missing from c  cx n cy  n|c(x-y)  k|(x-y)  x-y ≥ k Hence, there are exactlyk multiples of c.

  33. Fundamental lemma of plus, minus, and times mod n: If (x n y) and (a n b), then: 1. x + a n y + b 2. x - a n y – b 3. x * a n y * b

  34. Is there a fundamental lemma of division modulo n? cx n cy  x n y ? Of course not! If c=0[mod n], cx n cy for all x and y. Canceling the c is like dividing by zero.

  35. Let’s Fix That! Repaired fundamental lemma of division modulo n? if c  0 [mod n], thencx n cy  x n y ? 6*3 10 6*8, but not 3 10 8 2*2 6 2*5, but not 2 6 5 This also doesn’t work!

  36. When Can’t I Divide By c? Theorem: There are exactly n/GCD(c.n) distinct multiples of c modulo n Corollary: If GCD(c,n) > 1, then the number of multiples of c is less than n Corollary: If GCD(c,n) > 1 then you can’t always divide by c. Proof: There must exist distinct x,y < n such that c*x=c*y (but xy). Hence can’t divide.

  37. Fundamental lemma of division modulo n: if GCD(c,n)=1, then ca n cb  a n b ca n cb  n|(cb-ca) Proof:  n|c(b-a)  n|(b-a) (because GCD(c,n)=1)  a n b

  38. Fundamental lemma of division modulo n: if GCD(c,n)=1, then ca n cb  a n b Consider the set: Zn* = {x  Zn | GCD(x,n) =1} Multiplication over this set Zn*will have the cancellation property

  39. Z6 = {0, 1,2,3,4,5} Z6* = {1,5}

  40. Z12* = {0 ≤ x < 12 | gcd(x,12) = 1} = {1,5,7,11}

  41. Z5* = {1,2,3,4} = Z5 \ {0} For all primes p, Zp* = Zp \ {0}, since all 0 < x < p satisfy gcd(x,p) = 1

  42. Euler Phi Function (n) Define (n) = size of Zn* (number of 1 ≤ k < n that are relatively prime to n) If p is prime, then (p) = p-1

  43. Z12* = {0 ≤ x < 12 | gcd(x,12) = 1} = {1,5,7,11} (12) = 4

  44. Theorem: if p,q distinct primes then: f(pq) = (p-1)(q-1) Proof: # of integers from 1 to pq: pq # of multiples of q up to pq: p # of multiples of p up to pq: q # of multiples of both p and q up to pq: 1 f(pq) = pq – p – q + 1 = (p-1)(q-1)

  45. Additive Inverse The additive inverse of a  Zn is the unique b  Zn such that a +n b n 0. We denote this inverse by “–a” It is trivial to calculate: “-a” = n-a

  46. Multiplicative Inverse The multiplicative inverse of a  Zn* is the unique b  Zn*such that a *n b n 1 We denote this inverse by “a-1” or “1/a” The unique inverse of “a”must exist because the “a” row contains a permutation of the elements and hence contains a unique 1.

  47. Efficient Algorithm To Compute a-1 From a and n Run Extended Euclidean Algorithm on the numbers a and n It will give two integers r and s such that ra + sn = gcd(a,n) = 1 Taking both sides modulo n, we obtain: ra n 1 Output r, which is the inverse of a

  48. Fundamental Lemmas Until Now If (x n y) and (a n b), then: 1. x + a n y + b 2. x - a n y – b 3. x * a n y * b For a,b,c in Zn* then ca n cb  a n b

  49. NO! If (a n b) then xan xb ? (2 3 5) , but it is not the case that: 223 25

  50. Euler’s Theorem: a  Zn*, a(n)n 1 Fermat’s Little Theorem: p prime, a  Zp* ap-1p 1

More Related