Page 1

Inside PK Cryptography:

Math and Implementation

Sriram Srinivasan

(“Ram”)

sriram@malhar.net

Page 2

Agenda

Page 3

Security Issues

Encryption, Non-repudiation

secret

• Concept by Ellis, Cocks and Williams
• Popularly attributed to Diffie and Hellman
• Algorithm by Rivest, Shamir and Adleman
• Used everywhere: https, SSL, email, certificates.

Page 4

Public Key Cryptography

• Consider a pair of magic pens
• Write with one, use the other to decode
• Symmetric: either can be used to encode
• You want to send a message to me
• You borrow one of my pens and write with it
• I decode it with my other pen
• Avoids problems of shared secrets
• Same tools for authentication, encryption

Page 5

Mathematics

Page 6

• Proof in two parts
• 1. All numbers are expressible as products of primes
• 2. There is only one such product sequence per number

Page 7

Fundamental Theorem proof

Let S = {x | x is not expressible as a product of primes}
Let c = min{S}
c cannot be prime
Let c = c1 · c2
c1, c2 < c ⇒ c1, c2 ∉ S (because c is min{S})
∴ c1, c2 are products of primes ⇒ c is too

Page 8

Fundamental Theorem proof

Page 9

GCD (Greatest Common Divisor)

a,b

• Express a, b as products of primes
• Extract common prime factors
• gcd(18, 66) = gcd(2*3*3, 2*3*11) = 2*3 = 6
• Factoring is hard. Not practical

Page 10

Euclid’s algorithm

r = a % b

[Diagram residue: labels a, b, r, r1]

Page 11

Euclid’s algorithm proof

• Proof that r1 divides a and b

Page 12

Euclid’s algorithm proof (contd)

Page 13

• 1. If d = min(ax+by) and d > 0, then d | a, d | b
• 2. d is the greatest divisor

Page 14

GCD & Linear combination

Page 15

GCD & Linear combination

• Second part of proof
• Any other divisor is smaller than d

Page 16

Summary 1

products of prime numbers

ax+by linear combination

Page 17

Modular/Clock Arithmetic

Page 19

Modular Arithmetic (contd.)

Page 20

Chinese Remainder Theorem

m-a = cp

Now, m-a is expressible as p1 · p2 · p3

If m - a is divisible by both p and q,

p and q must be one of p1 , p2 , p3

⇒ m - a is divisible by pq

Page 22

Multiplicative Inverse

gcd(a,b) = 1 = ax1+ by1, for some x1 and y1

ax1 = 1 – by1

ax1 = 1 + by2 (making y2 = -y1)

ax - 1 = by
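
Euclid's algorithm, the linear combination ax + by = gcd(a, b) and the multiplicative inverse from the slides above, carried through in Java. This is an added example, not code from the original deck; the class name ExtendedEuclid, the method names egcd and modInverse, and the 15 mod 8 check are assumptions chosen for illustration.

```java
import java.math.BigInteger;

// Added example: Euclid's algorithm extended to also return the linear
// combination a*x + b*y = gcd(a, b), and the modular inverse built on it.
public class ExtendedEuclid {

    // Returns {g, x, y} with a*x + b*y = g = gcd(a, b), for a, b >= 0.
    static long[] egcd(long a, long b) {
        long x0 = 1, y0 = 0;          // invariant: a = a0*x0 + b0*y0
        long x1 = 0, y1 = 1;          // invariant: b = a0*x1 + b0*y1
        while (b != 0) {
            long k = a / b;
            long r = a % b;           // the slide's step: r = a % b
            long x2 = x0 - k * x1, y2 = y0 - k * y1;
            a = b;  b = r;
            x0 = x1; y0 = y1;
            x1 = x2; y1 = y2;
        }
        return new long[] {a, x0, y0};
    }

    // Inverse of a modulo n; it exists only when gcd(a, n) = 1.
    static long modInverse(long a, long n) {
        long[] g = egcd(Math.floorMod(a, n), n);
        if (g[0] != 1) {
            throw new ArithmeticException(a + " has no inverse mod " + n);
        }
        return Math.floorMod(g[1], n); // x may be negative; map into [0, n)
    }

    public static void main(String[] args) {
        long[] g = egcd(18, 66);       // the deck's gcd example
        System.out.printf("gcd(18, 66) = %d = 18*(%d) + 66*(%d)%n", g[0], g[1], g[2]);
        if (18 * g[1] + 66 * g[2] != g[0]) throw new AssertionError("bad combination");

        long inv = modInverse(15, 8);  // constructed check: 15 and 8 are coprime
        long ref = BigInteger.valueOf(15).modInverse(BigInteger.valueOf(8)).longValue();
        if (inv != ref || (15 * inv) % 8 != 1) throw new AssertionError("bad inverse");
        System.out.println("15^-1 mod 8 = " + inv);

        try {                          // gcd(18, 66) is not 1, so no inverse exists
            modInverse(18, 66);
            throw new AssertionError("expected failure");
        } catch (ArithmeticException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```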

Page 23

Summary 2

arithmetic

Page 24

Euler’s Totient function

Page 25

Totient lemma #2: product

Which numbers ≤ pq share factors with pq?

Page 26

Totient lemma #3: power

• φ(p^k) = p^k - p^(k-1), if p is prime and k > 0

Only numbers that are a multiple of p have a common factor with p^k:

1·p, 2·p, 3·p, …, p^(k-1)·p and

The rest don’t share any factors, so are coprime

∴ φ(p^k) = p^k - p^(k-1)

Page 27

Totient lemma #4: product

Organize into a matrix of m columns, n rows

Page 28

Totient lemma #4 (contd.)

Page 29

Totient lemma #4 (contd.)

columns

No two cells in a column are congruent mod n

Because if im + r ≡ jm + r (mod n), im + r - jm - r = kn ⇒ n | (i - j), which is not possible because i - j < n

Because there are n (non-congruent) cells in each

column, label them as 0, 1, 2, … n-1 in some order.

⇒ φ (n) cells in each column coprime to n

Page 30

Totient lemma #5

• If gcd(c,n) = 1 and x1, x2, x3, … x_φ(n) are coprime to n, then cx1, cx2, … cx_φ(n) are congruent to x1, x2, x3, … in some order.
• 1, 3, 5, 7 are coprime to 8.
• Multiply each with c=15, (also coprime to 8)
• {15, 45, 75, 105} ≡ {7, 5, 3, 1} (mod 8)

Page 31

Totient lemma #5 (contd.)

cxi is not ≡ cxj (mod n)
Because if cxi ≡ cxj (mod n) ⇒ c(xi - xj) = kn
But gcd(c,n) = 1
⇒ n | (xi - xj), which is impossible because xi - xj < n

Remember the old identity:
gcd(a,n) = 1 and a ≡ b (mod n) ⇒ gcd(b,n) = 1
Let cxi ≡ b (mod n)
gcd(cxi, n) = 1 ⇒ gcd(b,n) = 1
∴ b must be one of xj

Page 32

Euler’s Theorem

Consider x1, x2, … x_φ(n) < n and coprime to n

Since a is also coprime to n, from previous result

ax1 ≡ xi (mod n), ax2 ≡ xj (mod n), … etc

Page 33

Fermat’s little theorem

a^(p-1) ≡ 1 (mod p)

theory Whew!

Because φ(p) = p - 1

Page 34

RSA Algorithm

• public key: encrypting key e and modulus n
• private key: decrypting key d and modulus n
• m treated as a number
• encrypted ciphertext, c = m^e (mod n)
• To decrypt, compute c^d (mod n). Result is m

Page 35

RSA Key Generation

• φ(n) = φ(p) φ(q) = (p - 1) (q - 1)
• ed ≡ 1 (mod φ(n))

Page 36

RSA Key Generation

• φ(n) = φ(p) φ(q) = (p - 1) (q - 1)

Page 40

RSA proof (contd.)

So, in both cases, m^(ed) ≡ m (mod p)
Similarly, m^(ed) ≡ m (mod q)
∴ m^(ed) ≡ m (mod pq) (Chinese remainder theorem)
≡ m (mod n)
∴ m^(ed) (mod n) = m

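Page 41

RSA Implementation

• Creating a big random prime

import java.math.BigInteger;
import java.security.SecureRandom;

SecureRandom r = new SecureRandom();
// Probable prime of nbits bits; certainty 100 bounds the error at 2^-100
BigInteger p = new BigInteger(nbits, 100, r);
BigInteger q = new BigInteger(nbits, 100, r);
BigInteger n = p.multiply(q);
BigInteger phi = p.subtract(BigInteger.ONE).multiply(q.subtract(BigInteger.ONE));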

Page 44

Digital Signature

public key
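
The key generation, encryption, decryption and signature steps from the RSA Implementation and Digital Signature slides above, as one runnable Java program that also checks the two halves of the RSA proof. This is an added example, not code from the original deck; the class name TextbookRsa, the check helper, nbits = 1024 and e = 65537 are assumptions, and the message is a constructed sample.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

// Added example: textbook RSA using the slides' symbols (p, q, n, phi, e, d, m, c).
// No padding is applied; this shows the arithmetic only (deployed RSA uses OAEP/PSS).
public class TextbookRsa {
    static final BigInteger ONE = BigInteger.ONE;

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) {
        int nbits = 1024;                              // bits per prime (assumed)
        BigInteger e = BigInteger.valueOf(65537);      // public exponent (assumed)
        SecureRandom r = new SecureRandom();

        BigInteger p, q, n, phi;
        do {                                           // retry until e is invertible
            p = new BigInteger(nbits, 100, r);         // probable prime
            q = new BigInteger(nbits, 100, r);
            n = p.multiply(q);
            phi = p.subtract(ONE).multiply(q.subtract(ONE));
        } while (p.equals(q) || !e.gcd(phi).equals(ONE));
        BigInteger d = e.modInverse(phi);              // ed ≡ 1 (mod phi(n))
        check(e.multiply(d).mod(phi).equals(ONE), "ed = 1 (mod phi(n))");

        // m treated as a number; it must be smaller than n (constructed sample).
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        BigInteger m = new BigInteger(1, msg);
        check(m.compareTo(n) < 0, "m < n");

        BigInteger c = m.modPow(e, n);                 // encrypt: c = m^e mod n
        check(c.modPow(d, n).equals(m), "c^d mod n = m");
        // The two halves of the proof, which the CRT combines into mod n.
        BigInteger ed = e.multiply(d);
        check(m.modPow(ed, p).equals(m.mod(p)), "m^(ed) = m (mod p)");
        check(m.modPow(ed, q).equals(m.mod(q)), "m^(ed) = m (mod q)");
        // Signature: the private key signs, the public key verifies.
        BigInteger s = m.modPow(d, n);
        check(s.modPow(e, n).equals(m), "s^e mod n = m");
        // A signature made over a different message must not verify as m.
        BigInteger other = m.add(ONE).modPow(d, n);
        check(!other.modPow(e, n).equals(m), "altered message is rejected");
    }
}
```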

Page 45

RSA Deployment

factors Ensure d is large

Never reuse n

Page 46

Examples of RSA Attacks

of smart cards

Page 47

Ellis / Diffie-Hellman Key Exchange

and some integer, c < p gcd(p,c) = 1

chooses b a, b < p

Page 48

Ellis / Diffie-Hellman Key


Posted: 18/07/2017, 10:37
