
Euler's Theorem

• The multiplicative group for Z_n, denoted Z*_n, is the subset of elements of Z_n relatively prime with n
• The totient function of n, denoted φ(n), is the size of Z*_n
• Example
  Z*_10 = {1, 3, 7, 9}, φ(10) = 4
• If p is prime, we have
  Z*_p = {1, 2, …, p − 1}, φ(p) = p − 1
• Euler's Theorem: for each element x of Z*_n, we have x^φ(n) mod n = 1
• Example (n = 10)
  3^φ(10) mod 10 = 3^4 mod 10 = 81 mod 10 = 1
  7^φ(10) mod 10 = 7^4 mod 10 = 2401 mod 10 = 1
  9^φ(10) mod 10 = 9^4 mod 10 = 6561 mod 10 = 1

11/22/2010 Cryptography 39

RSA Cryptosystem
• Setup:
  – n = pq, with p and q primes
  – e relatively prime to φ(n) = (p − 1)(q − 1)
  – d inverse of e in Z_φ(n)
• Keys:
  – Public key: K_E = (n, e)
  – Private key: K_D = d
• Encryption:
  – Plaintext M in Z_n
  – C = M^e mod n
• Decryption:
  – M = C^d mod n
• Example
  – Setup: p = 7, q = 17, n = 7·17 = 119, φ(n) = 6·16 = 96, e = 5, d = 77
  – Keys: public key (119, 5), private key 77
  – Encryption: M = 19, C = 19^5 mod 119 = 66
  – Decryption: C^77 mod 119 = 66^77 mod 119 = 19

Complete RSA Example
• Setup:
  – p = 5, q = 11
  – n = 5·11 = 55
  – φ(n) = 4·10 = 40
  – e = 3
  – d = 27 (3·27 = 81 = 2·40 + 1)
• Encryption: C = M^3 mod 55
• Decryption: M = C^27 mod 55

M:  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18
C:  1  8 27  9 15 51 13 17 14 10 11 23 52 49 20 26 18  2
M: 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
C: 39 25 21 33 12 19  5 31 48  7 24 50 36 43 22 34 30 16
M: 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54
C: 53 37 29 35  6  3 32 44 45 41 38 42  4 40 46 28 47 54
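The Euler's-theorem check and the two RSA examples above, worked through in Python as an added example (this is not code from the lecture slides). Keys are derived from the slides' (p, q, e) values; d is obtained with Python's built-in modular inverse pow(e, -1, φ(n)) (Python 3.8 or later), which is an assumption of this example rather than the slides' method.

```python
from math import gcd


def totient(n: int) -> int:
    """phi(n): number of elements of Z_n relatively prime with n (the size of Z*_n)."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def euler_holds(x: int, n: int) -> bool:
    """Euler's theorem: x^phi(n) mod n == 1 for every x in Z*_n."""
    return gcd(x, n) == 1 and pow(x, totient(n), n) == 1


def rsa_keygen(p: int, q: int, e: int):
    """Return ((n, e), d) for primes p, q and an e relatively prime to phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)  # inverse of e in Z_phi(n); built-in since Python 3.8
    return (n, e), d


def rsa_encrypt(m: int, public_key) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in Z_n")
    return pow(m, e, n)  # C = M^e mod n


def rsa_decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)  # M = C^d mod n


def rsa_table(p: int, q: int, e: int) -> dict:
    """Ciphertext for every plaintext 1..n-1, i.e. the table of the complete example."""
    public_key, _ = rsa_keygen(p, q, e)
    return {m: rsa_encrypt(m, public_key) for m in range(1, public_key[0])}


if __name__ == "__main__":
    public_key, d = rsa_keygen(7, 17, 5)  # values from the RSA Cryptosystem slide
    c = rsa_encrypt(19, public_key)
    print(public_key, d, c, rsa_decrypt(c, d, public_key[0]))
```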


Security
• Security of RSA based on difficulty of factoring
  – Widely believed
  – Best known algorithm takes exponential time
• RSA Security factoring challenge (discontinued)
• In 1999, 512-bit challenge factored in 4 months using 35.7 CPU-years
  – 160 175-400 MHz SGI and Sun
  – 8 250 MHz SGI Origin
  – 120 300-450 MHz Pentium II
  – 4 500 MHz Digital/Compaq
• In 2005, a team of researchers factored the RSA-640 challenge number using 30 2.2GHz CPU years
• In 2004, the prize for factoring RSA-2048 was $200,000
• Current practice is 2,048-bit keys
• Estimated resources needed to factor a number within one year

  Length (bits)   PCs          Memory
  430             1            128MB
  760             215,000      4GB
  1,020           342×10^6     170GB
  1,620           1.6×10^15    120TB
Correctness
• We show the correctness of the RSA cryptosystem for the case when the plaintext M does not divide n
• Namely, we show that (M^e)^d mod n = M
• Since ed mod φ(n) = 1, there is an integer k such that ed = kφ(n) + 1
• Since M does not divide n, by Euler's theorem we have M^φ(n) mod n = 1
• Thus, we obtain
  (M^e)^d mod n
  = M^(ed) mod n
  = M^(kφ(n) + 1) mod n
  = M · M^(kφ(n)) mod n
  = M · (M^φ(n))^k mod n
  = M · (M^φ(n) mod n)^k mod n
  = M · (1)^k mod n
  = M mod n
  = M
• Proof of correctness can be extended to the case when the plaintext M divides n


Algorithmic Issues
• The implementation of the RSA cryptosystem requires various algorithms
• Overall
  – Representation of integers of arbitrarily large size and arithmetic operations on them
• Encryption
  – Modular power
• Decryption
  – Modular power
• Setup
  – Generation of random numbers with a given number of bits (to generate candidates p and q)
  – Primality testing (to check that candidates p and q are prime)
  – Computation of the GCD (to verify that e and φ(n) are relatively prime)
  – Computation of the multiplicative inverse (to compute d from e)

Modular Power
• The repeated squaring algorithm speeds up the computation of a modular power a^p mod n
• Write the exponent p in binary
  p = p_(b−1) p_(b−2) … p_1 p_0
• Start with
  Q_1 = a^p_(b−1) mod n
• Repeatedly compute
  Q_i = ((Q_(i−1))^2 mod n) · a^p_(b−i) mod n
• We obtain
  Q_b = a^p mod n
• The repeated squaring algorithm performs O(log p) arithmetic operations
• Example
  – 3^18 mod 19 (18 = 10010)
  – Q_1 = 3^1 mod 19 = 3
  – Q_2 = (3^2 mod 19) · 3^0 mod 19 = 9
  – Q_3 = (9^2 mod 19) · 3^0 mod 19 = 81 mod 19 = 5
  – Q_4 = (5^2 mod 19) · 3^1 mod 19 = (25 mod 19) · 3 mod 19 = 18 mod 19 = 18
  – Q_5 = (18^2 mod 19) · 3^0 mod 19 = (324 mod 19) mod 19 = (17·19 + 1) mod 19 = 1

  p_(5−i)      1   0   0   1   0
  3^p_(5−i)    3   1   1   3   1
  Q_i          3   9   5  18   1
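The repeated squaring algorithm above in Python, as an added example (not code from the slides): besides a^p mod n it returns the sequence Q_1, …, Q_b and the number of modular multiplications, so the O(log p) bound and the 3^18 mod 19 trace can be checked directly. The helper format_trace that prints the three-row table is this example's own addition.

```python
def repeated_squaring(a: int, p: int, n: int):
    """Compute a^p mod n by repeated squaring.

    Returns (a^p mod n, [Q_1, ..., Q_b], multiplications), where Q_i is the
    running value after bit p_{b-i} of p has been processed, as on the slide.
    """
    if n < 1 or p < 0:
        raise ValueError("need n >= 1 and p >= 0")
    bits = bin(p)[2:]            # p_{b-1} ... p_0, most significant bit first
    a %= n
    q, trace, mults = 1, [], 0
    for bit in bits:
        q = (q * q) % n          # (Q_{i-1})^2 mod n
        mults += 1
        if bit == "1":
            q = (q * a) % n      # times a^{p_{b-i}} when that bit is 1
            mults += 1
        trace.append(q)          # this is Q_i
    return q, trace, mults       # at most 2*b multiplications: O(log p)


def format_trace(a: int, p: int, n: int) -> str:
    """Render the three-row table from the slide: bits, a^bit and Q_i."""
    _, trace, _ = repeated_squaring(a, p, n)
    bits = bin(p)[2:]
    rows = [
        ("p_{b-i}", [int(b) for b in bits]),
        (f"{a}^p_{{b-i}}", [a ** int(b) for b in bits]),
        ("Q_i", trace),
    ]
    return "\n".join(f"{name:>10}: " + " ".join(f"{v:>3}" for v in vals)
                     for name, vals in rows)


if __name__ == "__main__":
    print(format_trace(3, 18, 19))   # the slide's example: 3^18 mod 19
```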

Modular Inverse
• Theorem: given positive integers a and b, let d be the smallest positive integer such that
  d = ia + jb
  for some integers i and j. We have
  d = gcd(a, b)
• Example
  – a = 21
  – b = 15
  – d = 3
  – i = 3, j = −4
  – 3 = 3·21 + (−4)·15 = 63 − 60 = 3
• Given positive integers a and b, the extended Euclid's algorithm computes a triplet (d, i, j) such that
  – d = gcd(a, b)
  – d = ia + jb
• To test the existence of and compute the inverse of x ∈ Z_n, we execute the extended Euclid's algorithm on the input pair (x, n)
• Let (d, i, j) be the triplet returned
  – d = ix + jn
  Case 1: d = 1
    i is the inverse of x in Z_n
  Case 2: d > 1
    x has no inverse in Z_n
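The extended Euclid's algorithm and the two-case inverse test above in Python, as an added example (not code from the slides). The coefficients (i, j) it returns are one valid pair among several; for (21, 15) it yields (−2, 3) rather than the slide's (3, −4), and both satisfy 3 = 21i + 15j. The inverse is reduced into Z_n, which recovers the slides' d = 77 for e = 5, φ(n) = 96.

```python
def extended_euclid(a: int, b: int):
    """Return (d, i, j) with d = gcd(a, b) and d = i*a + j*b."""
    if a < 0 or b < 0:
        raise ValueError("inputs must be non-negative")
    if b == 0:
        return a, 1, 0                      # gcd(a, 0) = a = 1*a + 0*0
    d, i1, j1 = extended_euclid(b, a % b)   # d = i1*b + j1*(a mod b)
    # a mod b = a - (a // b)*b, hence d = j1*a + (i1 - (a // b)*j1)*b
    return d, j1, i1 - (a // b) * j1


def mod_inverse(x: int, n: int):
    """Inverse of x in Z_n (Case 1), or None when gcd(x, n) > 1 (Case 2)."""
    if n < 2:
        raise ValueError("modulus must be at least 2")
    d, i, _ = extended_euclid(x % n, n)     # d = i*x + j*n
    if d != 1:
        return None                         # x has no inverse in Z_n
    return i % n                            # i is the inverse; reduce it into Z_n


def bezout_check(a: int, b: int) -> bool:
    """Check the theorem on one input pair: d divides both a and b and d = i*a + j*b."""
    d, i, j = extended_euclid(a, b)
    return d > 0 and i * a + j * b == d and a % d == 0 and b % d == 0


if __name__ == "__main__":
    print(extended_euclid(21, 15))          # (3, -2, 3): 3 = -2*21 + 3*15
    print(mod_inverse(5, 96))               # 77, the private exponent of the RSA example
```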

Pseudoprimality Testing
• The number of primes less than or equal to n is about n / ln n
• Thus, we expect to find a prime among O(b) randomly generated numbers with b bits each
• Testing whether a number is prime (primality testing) is a difficult problem, though polynomial-time algorithms exist
• An integer n ≥ 2 is said to be a base-x pseudoprime if
  – x^(n−1) mod n = 1 (Fermat's little theorem)
• Composite base-x pseudoprimes are rare:
  – A random 100-bit integer is a composite base-2 pseudoprime with probability less than 10^−13
  – The smallest composite base-2 pseudoprime is 341
• Base-x pseudoprimality testing for an integer n:
  – Check whether x^(n−1) mod n = 1
  – Can be performed efficiently with the repeated squaring algorithm


Randomized Primality Testing

• Compositeness witness function witness(x, n) with error probability q for a random variable x
  Case 1: n is prime
    witness(x, n) = false always
  Case 2: n is composite
    witness(x, n) = true in most cases, false with small probability q < 1
• Algorithm RandPrimeTest tests whether n is prime by repeatedly evaluating witness(x, n)
• A variation of base-x pseudoprimality provides a suitable compositeness witness function for randomized primality testing (Rabin-Miller algorithm)

Algorithm RandPrimeTest(n, k)
  Input: integer n, confidence parameter k and compositeness witness function witness(x, n) with error probability q
  Output: an indication of whether n is composite or prime, with error probability 2^−k
  t ← k / log2(1/q)
  for i ← 1 to t
    x ← random()
    if witness(x, n) = true
      return "n is composite"
  return "n is prime"
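The base-x pseudoprimality test from the previous slide and RandPrimeTest with a Rabin-Miller witness function, in Python as an added example (not code from the slides). The per-trial error bound q = 1/4 used to size t, and the optional seed that only makes a run reproducible, are this example's assumptions; the example shows 341 passing the base-2 Fermat test while the Rabin-Miller witness exposes it.

```python
import math
import random


def is_base_x_pseudoprime(n: int, x: int) -> bool:
    """Fermat test from the previous slide: n >= 2 with x^(n-1) mod n == 1."""
    return n >= 2 and pow(x, n - 1, n) == 1


def miller_rabin_witness(x: int, n: int) -> bool:
    """Compositeness witness: True means x proves n composite; never True for prime n.

    Write n-1 = 2^s * r with r odd and follow x^r, x^(2r), ..., x^(n-1) mod n:
    for a prime n the sequence can reach 1 only through -1.
    """
    if n < 4 or n % 2 == 0:
        return n not in (2, 3)
    s, r = 0, n - 1
    while r % 2 == 0:
        s, r = s + 1, r // 2
    y = pow(x, r, n)
    if y in (1, n - 1):
        return False
    for _ in range(s - 1):
        y = y * y % n
        if y == n - 1:
            return False
        if y == 1:                   # nontrivial square root of 1: n is composite
            return True
    return True                      # x^(n-1) != 1, or 1 was reached without -1


def rand_prime_test(n: int, k: int, seed=None, q: float = 0.25) -> str:
    """RandPrimeTest(n, k): t = ceil(k / log2(1/q)) witness trials, so that a
    composite n survives all of them with probability at most q^t <= 2^-k."""
    if n < 2:
        raise ValueError("n must be at least 2")
    if n < 4:
        return "n is prime"
    rng = random.Random(seed)        # seed is an assumption of this example
    t = math.ceil(k / math.log2(1 / q))
    for _ in range(t):
        x = rng.randrange(2, n - 1)  # random x in [2, n-2]
        if miller_rabin_witness(x, n):
            return "n is composite"
    return "n is prime"
```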
Cryptographic Hash Functions


Hash Functions
• A hash function h maps a plaintext P to a fixed-length value x = h(P) called
hash value or digest of P
– A collision is a pair of plaintexts P and Q that map to the same hash value,
h(P) = h(Q)
– Collisions are unavoidable
– For efficiency, the computation of the hash function should take time
proportional to the length of the input plaintext
• Hash table
– Search data structure based on storing items in locations associated with
their hash value
– Chaining or open addressing deal with collisions
– Domain of hash values proportional to the expected number of items to be
stored
– The hash function should spread plaintexts uniformly over the possible hash
values to achieve constant expected search time

Cryptographic Hash Functions
• A cryptographic hash function satisfies additional properties
– Preimage resistance (aka one-way)
• Given a hash value x, it is hard to find a plaintext P such that h(P) = x
– Second preimage resistance (aka weak collision resistance)
• Given a plaintext P, it is hard to find a plaintext Q such that h(Q) = h(P)
– Collision resistance (aka strong collision resistance)
• It is hard to find a pair of plaintexts P and Q such that h(Q) = h(P)
• Collision resistance implies second preimage resistance
• Hash values of at least 256 bits recommended to defend against brute-force attacks
• A random oracle is a theoretical model for a cryptographic hash function
from a finite input domain P to a finite output domain X
– Pick randomly and uniformly a function h: P → X over all possible such
functions
– Provide only oracle access to h: one can obtain hash values for given plaintexts,
but no other information about the function h itself

Birthday Attack
• The brute-force birthday attack aims at finding a collision for a hash function h
  – Randomly generate a sequence of plaintexts X_1, X_2, X_3, …
  – For each X_i compute y_i = h(X_i) and test whether y_i = y_j for some j < i
  – Stop as soon as a collision has been found
• If there are m possible hash values, the probability that the i-th plaintext does not collide with any of the previous i − 1 plaintexts is 1 − (i − 1)/m
• The probability F_k that the attack fails (no collisions) after k plaintexts is
  F_k = (1 − 1/m)(1 − 2/m)(1 − 3/m) … (1 − (k − 1)/m)
• Using the standard approximation 1 − x ≈ e^(−x)
  F_k ≈ e^(−(1/m + 2/m + 3/m + … + (k − 1)/m)) = e^(−k(k − 1)/2m)
• The attack succeeds/fails with probability ½ when F_k = ½, that is,
  e^(−k(k − 1)/2m) = ½
  k ≈ 1.17 m^½
• We conclude that a hash function with b-bit values provides about b/2 bits of security
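The birthday attack above run against a deliberately weakened hash, as an added Python example (not code from the slides): h is SHA-256 truncated to its leading `bits` bits, so m = 2^bits, and the plaintext sequence is constructed as the encodings of 1, 2, 3, … rather than drawn at random. The slide's F_k and k ≈ 1.17·√m formulas are included so the observed number of trials can be compared with them.

```python
import hashlib
import math


def truncated_hash(x: bytes, bits: int) -> int:
    """A toy hash with m = 2^bits possible values: the leading bits of SHA-256."""
    digest = int.from_bytes(hashlib.sha256(x).digest(), "big")
    return digest >> (256 - bits)


def failure_probability(k: int, m: int) -> float:
    """F_k ~ e^(-k(k-1)/2m): probability of no collision among k plaintexts."""
    return math.exp(-k * (k - 1) / (2 * m))


def expected_trials(m: int) -> int:
    """k ~ 1.17 * sqrt(m): the number of plaintexts at which F_k drops to 1/2."""
    return round(1.17 * math.sqrt(m))


def birthday_attack(bits: int, limit: int = 1 << 22):
    """Generate X_1, X_2, ... and stop at the first y_i = y_j with j < i.

    Returns (i, X_i, X_j), or None if no collision appears within `limit`
    plaintexts. Plaintexts are constructed as the 8-byte encodings of 1, 2, 3, ...
    """
    seen = {}                              # hash value -> plaintext that produced it
    for i in range(1, limit + 1):
        x = i.to_bytes(8, "little")
        y = truncated_hash(x, bits)
        if y in seen:
            return i, x, seen[y]
        seen[y] = x
    return None


if __name__ == "__main__":
    m = 1 << 32
    found = birthday_attack(32)
    print("predicted k:", expected_trials(m), "observed i:", found[0])
```

With a 32-bit digest the collision arrives after a number of trials on the order of 2^16, which is the b/2 figure of the last bullet; the same loop over the full 256-bit digest would need on the order of 2^128 evaluations.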
Message-Digest Algorithm 5 (MD5)
• Developed by Ron Rivest in 1991
• Uses 128-bit hash values
• Still widely used in legacy applications although considered insecure
• Various severe vulnerabilities discovered
• Chosen-prefix collision attacks found by Marc Stevens, Arjen
Lenstra and Benne de Weger
– Start with two arbitrary plaintexts P and Q
– One can compute suffixes S1 and S2 such that P||S1 and Q||S2 collide
under MD5 by making 2^50 hash evaluations
– Using this approach, a pair of different executable files or PDF
documents with the same MD5 hash can be computed


Secure Hash Algorithm (SHA)


• Developed by NSA and approved as a federal standard by
NIST
• SHA-0 and SHA-1 (1993)
– 160 bits
– Considered insecure
– Still found in legacy applications
– Vulnerabilities less severe than those of MD5
• SHA-2 family (2002)
– 256 bits (SHA-256) or 512 bits (SHA-512)
– Still considered secure despite published attack techniques
• Public competition for SHA-3 announced in 2007
