Inside PK Cryptography: Math and Implementation - PowerPoint PPT Presentation

Slides: 50
Provided by: sri122

Transcript and Presenter's Notes

1
Inside PK Cryptography: Math and Implementation
  • Sriram Srinivasan (Ram)
  • sriram_at_malhar.net

2
Agenda
  • Introduction to PK Cryptography
  • Essential Number Theory
  • Fundamental Number Theorem
  • GCD, Euclid's algorithm
  • Linear combinations
  • Modular Arithmetic
  • Euler's Totient Function
  • Java implementation of RSA

3
Security Issues
  • Authentication, Authorization, Encryption and
    Non-repudiation
  • Shared Secrets (e.g. passwords, Enigma)
  • Something shared, something (else) secret
  • Concept by Ellis, Cocks and Williamson
  • Popularly attributed to Diffie and Hellman
  • Algorithm by Rivest, Shamir and Adleman
  • Used everywhere: https, SSL, email, certificates.

4
Public Key Cryptography
  • Consider a pair of magic pens.
  • Write with one, use the other to decode.
  • Symmetric: either pen can be used to encode
  • You want to send a message to me
  • You borrow one of my pens and write with it.
  • I decode it with my other pen.
  • Avoids problems of shared secrets
  • Same tools for authentication, encryption and
    non-repudiation.

5
Mathematics
6
Fundamental Theorem of Arithmetic
  • All numbers (greater than 1) are expressible as a unique product
    of primes
  • 10 = 2 × 5, 60 = 2 × 2 × 3 × 5
  • Proof in two parts
  • 1. All numbers are expressible as products of
    primes
  • 2. There is only one such product sequence
    per number

7
Fundamental Theorem proof
  • First part of proof
  • All numbers are products of primes

Let S = { x : x is not expressible as a product of primes }. Let c = min S.
c cannot be prime. Let c = c1 · c2, with c1, c2 < c ⇒ c1, c2 ∉ S (because c
is min S) ∴ c1, c2 are products of primes ⇒ c is too ∴ S is an empty set.
8
Fundamental Theorem proof
  • Second part of proof
  • The product of primes is unique

Let n = p1p2p3p4 = q1q2q3q4. Cancel common primes. Now there are only unique
primes on both sides. Now, p1 | p1p2p3p4 ⇒ p1 | q1q2q3q4 ⇒ p1 divides one of
q1, q2, q3, q4 ⇒ p1 = qi, which is a contradiction.
9
GCD (Greatest Common Divisor)
  • gcd(a,b) = the greatest of the divisors common to a and b
  • Many ways to compute gcd
  • Extract common prime factors:
  • Express a, b as products of primes
  • Extract common prime factors
  • gcd(18, 66) = gcd(2·3·3, 2·3·11) = 2·3 = 6
  • Factoring is hard. Not practical
  • Euclid's algorithm

10
Euclid's algorithm
  • Step 1: divide a by b, remainder r = a mod b
  • Step 2: divide b by r, remainder r1 = b mod r
  • Step 3: divide r by r1, remainder 0 ∴ gcd(a, b) = r1

The slide's diagram stops after three divisions; in general, repeat until
the remainder is 0, and the last nonzero remainder is the gcd.
11
Euclid's algorithm proof
  • Proof that r1 divides a and b

r1 | r (step 3), and b = q1·r + r1 (step 2) ⇒ r1 | b
a = q·b + r (step 1); r1 | b and r1 | r ⇒ r1 | a
12
Euclid's algorithm proof (contd)
  • Proof that r1 is the greatest divisor

Say c | a and c | b
c | a = q·b + r ⇒ c | r
c | b = q1·r + r1 ⇒ c | r1
So every common divisor c of a and b divides r1; hence r1 is the greatest.
13
Linear Combination
  • ax + by = linear combination of a and b
  • 12x + 20y = …, -12, -8, -4, 0, 4, 8, 12, …
  • The minimum positive linear combination of a, b
    = gcd(a,b)
  • Proof in two steps
  • 1. If d = min(ax + by) and d > 0, then d | a, d | b
  • 2. d is the greatest divisor.

14
GCD = Linear combination (contd.)
Let S = { z : z = ax + by, z > 0 }. Let d = min S = ax1 + by1.
Let a = qd + r, 0 ≤ r < d. r = a − qd = a − q(ax1 + by1)
⇒ r = a(1 − qx1) + (−qy1)b. If r > 0, r ∈ S. But r < d, which is a
contradiction, because d = min S ∴ r = 0 ⇒ d | a
15
GCD = Linear combination (contd.)
  • Second part of proof
  • Any other divisor is smaller than d

Let c | a, c | b, c > 0. a = cm, b = cn. d = ax1 + by1 = c(mx1 + ny1)
⇒ c | d ⇒ d is the gcd
16
Summary 1
  • All numbers are expressible as unique products of
    prime numbers
  • GCD calculated using Euclid's algorithm
  • gcd(a,b) = 1 ⇒ a, b are mutually prime
  • gcd(a,b) equals the minimum positive linear combination
    ax + by

17
Modular/Clock Arithmetic
  • 0100 and 1300 hours are the same
  • 0100 and 2500 hours are the same
  • 1 ≡ 13 (mod 12)
  • a ≡ b (mod n)
  • n is the modulus
  • a is congruent to b, modulo n
  • a − b is divisible by n
  • a mod n = b mod n

18
Modular Arithmetic
  • a ≡ b (mod n), c ≡ d (mod n)
  • Addition
  • a + c ≡ b + d (mod n)
  • Multiplication
  • ac ≡ bd (mod n)

a − b = jn, c − d = kn ⇒ a + c − (b + d) = (j + k)n
19
Modular Arithmetic (contd.)
  • Power
  • a ≡ b (mod n) ⇒ a^k ≡ b^k (mod n)
  • Going n times around the clock
  • a + kn ≡ b (mod n)

Using induction: if a^k ≡ b^k (mod n), then a · a^k ≡ b · b^k (mod n)
by the multiplication rule ∴ a^(k+1) ≡ b^(k+1) (mod n)
20
Chinese Remainder Theorem
  • m ≡ a (mod p), m ≡ a (mod q) ⇒ m ≡ a (mod pq)
    (p, q are distinct primes)

m − a = cp. Now, m − a is expressible as p1 · p2 · p3 · …
If m − a is divisible by both p and q, then p and q must both appear among
p1, p2, p3, … ⇒ m − a is divisible by pq
21
GCD and modulus
  • If gcd(a,n) = 1 and a ≡ b (mod n), then gcd(b,n)
    = 1

a ≡ b (mod n) ⇒ a = b + kn. gcd(a,n) = 1 ⇒ ax1 + ny1 = 1, for some x1 and y1
⇒ (b + kn)x1 + ny1 = 1 ⇒ bx1 + n(kx1 + y1) = bx1 + ny2 = 1 ⇒ gcd(b,n) = 1
22
Multiplicative Inverse
  • If a, b have no common factors, there exists ai
    such that a · ai ≡ 1 (mod b)
  • ai is called the multiplicative inverse

gcd(a,b) = 1 ⇒ ax1 + by1 = 1, for some x1 and y1 ⇒ ax1 = 1 − by1
⇒ ax1 = 1 + by2 (making y2 = −y1) ⇒ ax1 − 1 = by2 ⇒ ax1 ≡ 1 (mod b)
(x1 is the multiplicative inverse)
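
The gcd methods of slides 9 and 10, the linear-combination result of slides 13 to 15 and the multiplicative inverse of slide 22, as one added Python example (not code from the deck); the extended Euclid step is the standard back-substitution of a = qb + r, checked on the slides' own numbers.

```python
# Added example, not from the slides: the deck's two gcd methods side by side, the
# extended Euclid step that recovers gcd(a,b) = a*x + b*y, and the inverse built on it.
from typing import List, Tuple

def prime_factors(n: int) -> List[int]:
    """Fundamental theorem of arithmetic: n as a product of primes (slide 6)."""
    out, p = [], 2
    while p * p <= n:
        while n % p == 0:
            out.append(p)
            n //= p
        p += 1
    if n > 1:
        out.append(n)
    return out

def gcd_by_factoring(a: int, b: int) -> int:
    """Slide 9: multiply the shared prime factors. Needs factoring, so impractical at RSA sizes."""
    fb, g = prime_factors(b), 1
    for p in prime_factors(a):
        if p in fb:
            fb.remove(p)
            g *= p
    return g

def gcd_euclid(a: int, b: int) -> int:
    """Slide 10: r = a mod b, r1 = b mod r, ... until a remainder is 0; the last nonzero one is the gcd."""
    while b:
        a, b = b, a % b
    return a

def extended_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b): the minimum positive linear combination (slides 13-15)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = extended_gcd(b, a % b)
    # a = q*b + r, so substitute r = a - q*b into b*x1 + r*y1 = g
    return g, y1, x1 - (a // b) * y1

def mod_inverse(a: int, m: int) -> int:
    """Slide 22: x with a*x ≡ 1 (mod m); exists only when gcd(a, m) = 1."""
    g, x, _ = extended_gcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}: gcd is {g}")
    return x % m
```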
23
Summary 2
  • Modular arithmetic
  • Addition, multiplication, power, inverse
  • Chinese Remainder Theorem
  • If m ≡ a (mod p) and m ≡ a (mod q), then m ≡ a
    (mod pq)
  • Relationship between gcd and modular arithmetic
  • gcd(a,b) = 1 ⇒ a · ai ≡ 1 (mod b)

24
Euler's Totient function
  • φ(n) = Totient(n) = count of integers ≤ n
    coprime to n
  • φ(10) = 4 (1, 3, 7, 9 are coprime to 10)
  • φ(7) = 6 (1, 2, 3, 4, 5, 6 are coprime to 7)
  • φ(p) = p − 1, if p is a prime

25
Totient lemma 2: product
  • φ(pq) = (p − 1)(q − 1) = φ(p) · φ(q)
  • if p and q are distinct primes

Which numbers ≤ pq share factors with pq?
1·p, 2·p, 3·p, …, (q − 1)p and 1·q, 2·q, 3·q, …, (p − 1)q and pq.
The rest are coprime to pq. Count them:
φ(pq) = pq − (p − 1) − (q − 1) − 1 = (p − 1)(q − 1)
26
Totient lemma 3: power
  • φ(p^k) = p^k − p^(k−1), if p is prime and k > 0

Only numbers that are a multiple of p have a common factor with p^k:
1·p, 2·p, 3·p, …, p^(k−1) · p. The rest don't share any factors, so they
are coprime ∴ φ(p^k) = p^k − p^(k−1)
27
Totient lemma 4: product
  • φ(mn) = φ(m) · φ(n)
  • if m and n are coprime (gcd(m,n) = 1)

Organize 1 … mn into a matrix of m columns and n rows:
1          2          3          …  r          …  m
m+1        m+2        m+3        …  m+r        …  2m
2m+1       2m+2       2m+3       …  2m+r       …  3m
…
(n−1)m+1   (n−1)m+2   (n−1)m+3   …  (n−1)m+r   …  nm
28
Totient lemma 4 (contd.)
  • Step 1 Eliminate columns

If gcd(m,r) = 1, then gcd(m, km + r) = 1 ⇒ all cells in that rth column
have no common factor with m. Cells in the other columns have a common
factor with m, hence with mn, so they can be eliminated ⇒ φ(m) columns
survive
29
Totient lemma 4 (contd.)
  • Step 2 Examine cells in remaining columns

No two cells in a column are congruent mod n. Because if im + r ≡ jm + r
(mod n), then im + r − jm − r = kn ⇒ n | m(i − j), and since gcd(m,n) = 1,
n | (i − j), which is not possible because |i − j| < n. Because there are n
(non-congruent) cells in each column, label them 0, 1, 2, …, n − 1 in some
order ⇒ φ(n) cells in each column are coprime to n ⇒ φ(n) · φ(m) cells are
left that are coprime to both m and n
30
Totient lemma 5
  • If gcd(c,n) = 1 and x1, x2, x3, …, xφ(n) are coprime
    to n, then cx1, cx2, …, cxφ(n) are congruent to
    x1, x2, x3, … in some order.
  • 1, 3, 5, 7 are coprime to 8.
  • Multiply each with c = 15 (also coprime to 8)
  • 15, 45, 75, 105 ≡ 7, 5, 3, 1 (mod 8)

31
Totient lemma 5 (contd.)
cxi is not ≡ cxj (mod n) for i ≠ j. Because if cxi ≡ cxj (mod n)
⇒ c(xi − xj) = kn. But gcd(c,n) = 1 ⇒ n | (xi − xj), which is impossible
because |xi − xj| < n. Remember the old identity:
gcd(a,n) = 1 and a ≡ b (mod n) ⇒ gcd(b,n) = 1.
Let cxi ≡ b (mod n), b < n. gcd(cxi, n) = 1 ⇒ gcd(b,n) = 1
∴ b must be one of the xj
32
Euler's Theorem
  • If gcd(a,n) = 1, a^φ(n) ≡ 1 (mod n)

Consider x1, x2, …, xφ(n) < n and coprime to n. Since a is also coprime to
n, from the previous result ax1 ≡ xi (mod n), ax2 ≡ xj (mod n), etc.
⇒ a^φ(n) · x1x2x3…xφ(n) ≡ x1x2x3…xφ(n) (mod n)
⇒ a^φ(n) · x ≡ x (mod n), where x = x1x2x3…xφ(n)
⇒ n | x(a^φ(n) − 1). But gcd(x,n) = 1 (x is a product of numbers coprime
to n), so n does not divide x ⇒ n | (a^φ(n) − 1) ⇒ a^φ(n) ≡ 1 (mod n)
33
Fermat's little theorem
  • Special case of Euler's theorem.
  • If gcd(a,p) = 1 and p is prime, a^(p−1) ≡ 1
    (mod p)
  • We now have all the essential number theory. Whew!

Because φ(p) = p − 1
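
Totient lemmas 2 to 5 (slides 25 to 31) and Euler's and Fermat's theorems (slides 32 and 33) checked numerically, as an added Python example that is not part of the deck; φ is computed by direct counting, and the last function runs the product argument of slide 32 on concrete numbers.

```python
# Added example, not from the slides: phi(n) by direct counting, and numeric checks of
# totient lemmas 2-5 and of Euler's and Fermat's theorems on the deck's own numbers.
from math import gcd

def phi(n: int) -> int:
    """Slide 24: count of integers in 1..n coprime to n."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)

def totient_lemmas_hold(p: int, q: int, k: int) -> bool:
    """Lemma 2: phi(pq) = (p-1)(q-1); lemma 3: phi(p^k) = p^k - p^(k-1);
    lemma 4: phi(mn) = phi(m) phi(n) for coprime m, n.  p and q must be distinct primes."""
    lemma2 = phi(p * q) == (p - 1) * (q - 1)
    lemma3 = phi(p ** k) == p ** k - p ** (k - 1)
    m, n = p ** k, q                      # coprime because p != q
    lemma4 = phi(m * n) == phi(m) * phi(n)
    return lemma2 and lemma3 and lemma4

def coprime_residues(n: int) -> list:
    """The x_1 ... x_phi(n) of slide 30: residues 1..n-1 coprime to n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]

def multiply_residues(c: int, n: int) -> list:
    """Lemma 5: c*x_i mod n over the coprime residues gives the same residues, permuted."""
    return [c * x % n for x in coprime_residues(n)]

def euler_holds(a: int, n: int) -> bool:
    """Slide 32: a^phi(n) ≡ 1 (mod n) when gcd(a, n) = 1; Fermat is the case n prime."""
    if gcd(a, n) != 1:
        return False                      # theorem does not apply, e.g. 2^phi(8) mod 8 = 0
    return pow(a, phi(n), n) == 1

def euler_via_lemma5(a: int, n: int) -> bool:
    """The proof of slide 32 in numbers: prod(a*x_i) = a^phi(n) * X ≡ X (mod n), X = prod(x_i)."""
    xs = coprime_residues(n)
    big_x = 1
    for x in xs:
        big_x *= x
    return pow(a, len(xs), n) * big_x % n == big_x % n
```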
34
RSA Algorithm
  • Bob generates public and private keys
  • public key: encrypting key e and modulus n
  • private key: decrypting key d and modulus n
  • Alice wants to send Bob a message m
  • m treated as a number
  • Alice encrypts m using Bob's public pen
  • encrypted ciphertext, c = m^e (mod n)
  • Bob decrypts using his own private key
  • To decrypt, compute c^d (mod n). Result is m

35
RSA Key Generation
  • Bob selects primes p, q, computes n = pq
  • φ(n) = φ(p) φ(q) = (p − 1)(q − 1)
  • Select e, such that gcd(e, φ(n)) = 1
  • Compute the decrypting key, d, where
  • ed ≡ 1 (mod φ(n))
  • Bob publishes public key info: e, n
  • Keeps private key: d, n
  • Important: m < n

36
RSA Key Generation
  • Bob selects primes p, q, computes n = pq
  • φ(n) = φ(p) φ(q) = (p − 1)(q − 1)
  • Select e, such that gcd(e, φ(n)) = 1
  • Compute the decrypting key, d, where
  • ed ≡ 1 (mod φ(n))
  • Bob publishes public key pair: e, n
  • Keeps private key: d, n

p = 3, q = 11 ⇒ n = 33
φ(n) = (3 − 1)(11 − 1) = 20
e = 7
7d ≡ 1 (mod 20) ⇒ d = (1 + 20k)/7 ⇒ d = 3
Public key (7, 33), Private key (3, 33)
37
RSA algorithm
  • Treat each letter or block as m (m < n)
  • n = 33, e = 7, d = 3
  • Encryption: for each m compute c = m^e (mod n)
  • Decryption: for each c, compute c^d (mod n)

RSA ⇒ 18, 19, 1
18^7 mod 33 ⇒ 6
19^7 mod 33 ⇒ 6, 13
1^7 mod 33 ⇒ 6, 13, 1
6^3 mod 33 ⇒ 18
13^3 mod 33 ⇒ 18, 19
1^3 mod 33 ⇒ 18, 19, 1
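
The worked example of slides 35 to 37 as runnable Python, together with the private-then-public round trip of the signature slide; this is an added example, not code from the deck, and the letter numbering A = 1 … Z = 26 is inferred from RSA ⇒ 18, 19, 1 on the slide.

```python
# Added example, not from the slides: the RSA steps of slides 34-37 run on the deck's
# numbers p = 3, q = 11, e = 7 and the message RSA -> 18, 19, 1 (A = 1, ..., Z = 26).
from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    """Slide 35: n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n). Returns (public, private)."""
    n, phi_n = p * q, (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi_n)                 # Python 3.8+: modular inverse, so ed ≡ 1 (mod phi(n))
    return (e, n), (d, n)

def letters_to_blocks(text: str) -> list:
    """Slide 37 treats each letter as a number m; every block must satisfy m < n."""
    return [ord(ch) - ord('A') + 1 for ch in text.upper()]

def blocks_to_letters(blocks: list) -> str:
    return ''.join(chr(b - 1 + ord('A')) for b in blocks)

def rsa_apply(blocks: list, key) -> list:
    """c = m^e (mod n) with the public key, m = c^d (mod n) with the private one."""
    exp, n = key
    if any(b >= n for b in blocks):
        raise ValueError("block >= n cannot be recovered after reduction mod n")
    return [pow(b, exp, n) for b in blocks]

def encrypt_text(text: str, public) -> list:
    return rsa_apply(letters_to_blocks(text), public)

def decrypt_text(cipher: list, private) -> str:
    return blocks_to_letters(rsa_apply(cipher, private))

def sign_and_verify(m: int, public, private) -> bool:
    """Slide 44: apply the private key first, the public key second; (m^d)^e = m^de = m^ed ≡ m."""
    signature = rsa_apply([m], private)[0]
    return rsa_apply([signature], public)[0] == m
```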
38
RSA proof
  • Prove c = m^e (mod n) ⇒ c^d (mod n) = m

Review: a ≡ b (mod n) ⇒ a^k ≡ b^k (mod n)
a < n ⇒ a = a (mod n)
gcd(a,n) = 1 ⇒ a^φ(n) ≡ 1 (mod n)
a ≡ m (mod p) and a ≡ m (mod q) ⇒ a ≡ m (mod pq)
φ(pq) = φ(p)φ(q)
ed ≡ 1 (mod φ(n)) ⇒ ed = 1 + kφ(n)
39
RSA proof (contd.)
c = m^e (mod n) ⇒ c ≡ m^e (mod n) ⇒ c^d ≡ m^ed (mod n)
Consider m^ed (mod p) and m^ed (mod q).
If p | m, then m^ed (mod p) = 0 = m (mod p)
If not, m^ed (mod p) ≡ m^(1 + kφ(n)) (mod p)
  ≡ m · m^(kφ(p)φ(q)) (mod p)
  ≡ m · (m^φ(p))^(kφ(q)) (mod p)
  ≡ m · 1^(kφ(q)) (mod p)   (by Euler, since gcd(m,p) = 1)
  ≡ m (mod p)
40
RSA proof (contd.)
So, in both cases, m^ed ≡ m (mod p). Similarly, m^ed ≡ m (mod q)
∴ m^ed ≡ m (mod pq) (Chinese Remainder Theorem) ≡ m (mod n)
∴ m^ed (mod n) = m
41
RSA Implementation
  • Creating a big random prime
  • n = pq
  • φ(n) = (p − 1)(q − 1)

import java.math.BigInteger;
import java.security.SecureRandom;

SecureRandom r = new SecureRandom();
// BigInteger(bitLength, certainty, rnd) returns a probable prime of nbits bits
BigInteger p = new BigInteger(nbits, 100, r);
BigInteger q = new BigInteger(nbits, 100, r);
BigInteger n = p.multiply(q);
BigInteger phi = p.subtract(BigInteger.ONE)
                 .multiply(q.subtract(BigInteger.ONE));
42
RSA Implementation
  • Select e coprime to φ(n)
  • Select d, such that ed ≡ 1 (mod φ(n))

// Smallest odd e coprime to phi(n); slide 45 notes e = 65537 is the usual choice
BigInteger e = new BigInteger("3");
while (phi.gcd(e).intValue() > 1) {
    e = e.add(new BigInteger("2"));
}
BigInteger d = e.modInverse(phi);   // ed ≡ 1 (mod phi(n))
43
RSA Implementation
  • Encrypt/decrypt

BigInteger encrypt(BigInteger message) {   // c = m^e (mod n); requires message < n
    return message.modPow(e, n);
}
BigInteger decrypt(BigInteger message) {   // m = c^d (mod n)
    return message.modPow(d, n);
}
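
The key-generation steps of slides 41 and 42 in Python, as an added example that is not code from the deck: a Miller-Rabin probable-prime test (the same idea behind the BigInteger(nbits, certainty, rnd) constructor) generates p and q, then the e-selection loop and the modular inverse follow the slides. The bit size is a parameter; 64 bits is used in the check only for speed.

```python
# Added example, not from the slides: Python counterpart of the Java key generation above.
import secrets
from math import gcd

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin; a composite survives one random round with probability <= 1/4."""
    if n < 4:
        return n > 1
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # a proves n composite
    return True

def random_prime(nbits: int) -> int:
    """Odd candidate of exactly nbits bits, retried until it passes the test."""
    while True:
        cand = secrets.randbits(nbits) | (1 << (nbits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(nbits: int):
    """n = pq, phi = (p-1)(q-1), e = 3, 5, 7, ... until coprime to phi, d = e^-1 mod phi."""
    p, q = random_prime(nbits), random_prime(nbits)
    while q == p: q = random_prime(nbits)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 3
    while gcd(phi, e) > 1:
        e += 2
    d = pow(e, -1, phi)                            # Python 3.8+ modular inverse
    return (e, n), (d, n)

def roundtrip_ok(nbits: int, m: int) -> bool:
    """(m^e)^d ≡ m (mod n) for any m < n, as the RSA proof slides establish."""
    (e, n), (d, _) = generate_keypair(nbits)
    return m < n and pow(pow(m, e, n), d, n) == m
```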
44
Digital Signature
  • m^ed (mod n) = m^de (mod n)
  • Bob encrypts his name using his private key
  • Alice, the recipient, decrypts it using Bob's
    public key

45
RSA Deployment
  • If msg m > n, chop it up into blocks < n
  • p and q are usually 512 bits, e = 65537.
  • Ensure p − 1 doesn't have small prime factors.
    Ensure d is large
  • Pad m with random bits
  • Never reuse n
  • Sign documents very carefully

46
Examples of RSA Attacks
  • Exploiting algorithm parameter values
  • Low e or d values
  • Exploiting implementation
  • Measuring time and power consumption of smart
    cards
  • Exploiting random errors in hardware
  • Exploiting error messages
  • Social engineering: blinding attack

47
Ellis / Diffie-Hellman Key Exchange
  • RSA is slow in practice
  • Encrypt AES's keys using RSA
  • Alice and Bob agree publicly on a prime p, and
    some integer c < p, gcd(p,c) = 1
  • Alice chooses a privately, and Bob chooses b.
    a, b < p

48
Ellis / Diffie-Hellman Key Exchange (contd)
  • Alice computes A = c^a (mod p). Bob computes B = c^b
    (mod p)
  • They exchange these numbers.
  • Alice computes B^a. Bob computes A^b
  • Both of them compute c^ab (mod p)
  • Both use this number as a key for AES.
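
The exchange of slides 47 and 48 with both sides' steps, as an added Python example (not from the deck); the parameters p = 23, c = 5 are constructed here for readability, and the last function shows by exhaustive search why a real deployment needs a prime of 2048 bits or more rather than a toy one.

```python
# Added example, not from the slides: Diffie-Hellman as described on slides 47-48.
import secrets

def dh_public(c: int, private: int, p: int) -> int:
    """A = c^a (mod p) for Alice, B = c^b (mod p) for Bob."""
    return pow(c, private, p)

def dh_shared(other_public: int, private: int, p: int) -> int:
    """Alice: B^a (mod p); Bob: A^b (mod p); both equal c^(ab) (mod p)."""
    return pow(other_public, private, p)

def exchange(p: int, c: int, a: int, b: int) -> dict:
    """Run one exchange; returns what each side ends up with and what the wire carried."""
    A = dh_public(c, a, p)          # Alice -> Bob
    B = dh_public(c, b, p)          # Bob -> Alice
    alice_key = dh_shared(B, a, p)
    bob_key = dh_shared(A, b, p)
    return {"wire": (p, c, A, B), "alice": alice_key, "bob": bob_key}

def brute_force_private(p: int, c: int, public: int) -> int:
    """Discrete log by trial over all exponents: feasible only because p is tiny."""
    for x in range(1, p):
        if pow(c, x, p) == public:
            return x
    raise ValueError("no exponent found")

def random_exchange_agrees(p: int, c: int) -> bool:
    """Fresh private values a, b < p (as slide 47 requires); both keys must match c^(ab)."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    r = exchange(p, c, a, b)
    return r["alice"] == r["bob"] == pow(c, a * b, p)
```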

49
References
  • Cryptological Mathematics, Robert Lewand
  • Twenty Years of Attacks on the RSA
    Cryptosystem, Dan Boneh
  • http://crypto.stanford.edu/dabo
  • pajhome.org.uk/crypt/index.html
  • Concrete Mathematics, Donald Knuth et al.
  • "The Code Book", Simon Singh