CRYPTOGRAPHY 11/16/2011 INDIAN INSTITUTE OF TECHNOLOGY DELHI Donkeshwaram Harahari, Srishti Bhaduri.
Page |1
CRYPTOGRAPHY A semester project report for
Master of Science in Mathematics
Submitted by
DONKESHWARAM HARAHARI (2010MAS7133) SRISHTI BHADURI (2010MAS7109)
Under the guidance of
Dr. R.K.Sharma
DEPARTMENT OF MATHEMATICS INDIAN INSTITUTE OF TECHNOLOGY DELHI November 16 , 2011
Page |1
CRYPTOGRAPHY A semester project report for
Master of Science in Mathematics
Submitted by
DONKESHWARAM HARAHARI (2010MAS7133) SRISHTI BHADURI (2010MAS7109)
Under the guidance of
Dr. R.K.Sharma
DEPARTMENT OF MATHEMATICS INDIAN INSTITUTE OF TECHNOLOGY DELHI November 16 , 2011
Page |2
CERTIFICATE
This is to certify that the dissertation entitled "Cryptography" which is being Donkeshwaram.Harahari(2010MAS7133) and Srishti submitted by Bhaduri(Entry no:2010MAS7109) for the award of the degree of Master of science in Mathematics, to the Indian Institute of Technology Delhi is a record of bonafide work carried out by them under my sustained guidance and supervision. This dissertation has reached the standard fulfilling the requirements of the regulations relating to the degree. The results embodied in the dissertation have not been submitted to any other university for the award of any degree or diploma.
Dr.R.K.Sharma Professor Department of mathematics Indian Institute of Technology Hauz Khas New Delhi-110016
Page |3
Acknowledgement We are grateful to Dr.R.K.Sharma for his constant motivation and guidance. We are highly obliged to him for constantly encouraging us by giving his critics on our work. His sincere efforts to make us see things from the right point of view have certainly been fruitful, as we consider ourselves to in a position, to have a fairly matured insight into the area of cryptography. Without his motivation and useful suggestions, this project would not have been possible.
Date: November 16, 2011
Srishti Bhaduri(2010MAS7109) Bhaduri(2010MAS7109) Donkeshwaram Donkeshwaram Harahari (2010MAS7133)
Page |4
Table of Contents
Abstract ................................................................................................................................................... 5 1. Meet Cryptography ............................................................................................................................6 1.1 Some Terminologies ...................................................................................................................... 6 1.2 Objective of Cryptography ............................................................................................................ 8 1.3 Classification…………………………………………………………………………………………………………………………...8 2. Historical Ciphers…………………………………… ..…………………………………………………………………………….. 16
2.1 History of Ciphers …………………………………………….……………………………………………………………………10 2.2 Some Historical Ciphers………………………………………………………………………………………………………….10 2.3 Inverse of a matrix over a Field……………………………………………………………………………………………….13
2.4 Chinese remainder theorem…………………..………………………………………………………………………………20 3. Prime number generation…………………………………………………………………… .………………………………... 23
3.1 Trial division…………………….……………………………………………………………………………..……………..………23 3.2 Fast powering algorithm…………………………………………………………………….………….………….…………..25 3.3 Fermat’s test…………………………………………………………………………..….……………..………….…….…………27 3.4 Rabin Miller’s test……………………………………………………….…………..………………………………..…………..29 4. Factorization……………………………………………………………………………………………………………………………33
4.1 RSA Cryptosystem………………………………………………………….………………..………..…………..………………33 4.2 Rabin Cryptosystem……………………………..…………………………..………………..……..……..……………………35 4.3 Trail division………………………………………….……………………………………………..……….……………………….37 4.4 Pollards p-1 Factorization algorithm…………………………………………………………..…………………..……..37 4.5 Fermats Factorization algorithm………………………………………………………………..…..……………………..39 5. Discrete logarithmic problem…………………………………………………………………………. .……………….…….42
5.1 Trivial brute-algorithm………………………………………………………………………………..….……….…………….43 5.2 Shanks Baby step-Giant step algorithm………………………………………….……………………………………..43
Page |5
Abstract Cryptography allows people to carry over the confidence found in the physical world to the electronic world, thus allowing people to do business electronically without worries of deceit and deception. A principle goal of Cryptography is to allow two people to exchange confidential information, even if they have never met and can communicate only via a channel that is being monitored by an adversary.
In this project we focussed on computer implementation of various algorithms uses in the field of Cryptography and we compared their efficiency (i.e., calculating the runtimes) for large values of data. At first we gave simple introduction to Cryptography. Next, we discussed about some of classical ciphers and algorithms for finding inverse of a matrix over any field and solving linear congruences. Then we discussed algorithms used for generating primes, prime factorisation and solving discrete logarithmic problems. We also discussed about some of the public key cryptosystems wherever it is necessary. We have done C++ coding for all algorithms discussed in this project.
Page |6
CHAPTER 1 MEET CRYPTOGRAPHY Cryptography is “ A branch of mathematics and computer science, cryptography is the study and practice of obscuring information”. Let‟s now have a look at the field of cryptography (Fig. 1.1). The first thing that we notice is that the most general term is cryptology and not cryptography. Cryptology splits into two main branches:
Fig. 1.1 Overview of the field of cryptology Cryptography is the science of secret writing with the goal of hiding the meaning of a message. Cryptanalysis is the science and sometimes art of breaking cryptosystems. Cryptanalysis is of central importance for modern cryptosystems without knowledge of this, we will never know whether we are really secure or not.
1.1 Some Terminologies: • • • • •
•
Plaintext: The message to be sent. Cipher text: The disguised message. Enciphering: The process of converting a plaintext to a cipher text. Deciphering: The process of getting the plaintext from the cipher text. Message Unit: A single letter, a pair of letters ( Diagraph), a triple of letters (trigraph), or a block of 50 letters, in which the text is broken depending on the cryptosystem. Entity (party): Someone or something which sends, receives, or manipulates information. An entity may be a person, a computer terminal, etc.
Page |7
•
•
•
•
•
•
Sender: An entity in a two-party communication which is the legitimate transmitter of information. Receiver: is an entity in a two-party communication which is the intended recipient of information. Adversary: is an entity in a two-party communication which is neither the sender nor receiver, and which tries to defeat the information security service being provided between the sender and receiver. Various other names are synonymous with adversary such as enemy, attacker, opponent, tapper, eavesdropper, intruder, and interloper. Channel: A channel is a means of conveying information from one entity to another. Enciphering Transformation: A function that takes a plaintext message unit to a cipher text message unit. It is a map f from the set P of all possible plaintext message units to the set C of all possible cipher text message units. It is also called as Encryption. . Deciphering Transformation: The map f text. It is also called as Decryption.
-1
which recovers the plain
-1
Note: Here we assume that f and f are 1-to-1 transformations.
-1
Cryptosystem: The system formed by ‘ f ’ and ‘ f ’ is called as Cryptosystem. This is also called as Cryptographic algorithm (Or Cipher). Key: An integer (large) which is used to encrypting or decrypting the message.
The very first step in designing a cryptosystem is to label all possible plaintext units and ciphertext units by means of mathematical objects from which the functions can easily be constructed. (E.g. Integers in some range).For instance, if our cryptosystem consists only of the alphabet A-Z, we can label the integers from 0-26, sequentially. And such labels are called Numerical Equivalents . In order, to make calculations in enciphering and deciphering easier and rapid, we take the set of the numerical equivalents (integers) as elements in { 0, 1, 2, ……, N -1} as Z/NZ, and operating the calculations under modulo N, where is the N base.
Page |8
1.2 Objectives of Cryptography: The main Objectives of Cryptography are: (1) privacy or confidentiality; (2) data integrity; (3) authentication; and (4) non-repudiation. 1. Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible. 2. Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution. 3. Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication. Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed). 4. Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute. A fundamental goal of cryptography is to adequately address these four areas in both theory and practice. Cryptography is about the prevention and detection of cheating and other malicious activities.
1.3 Classification: Cryptography itself splits into three main branches: I.
Symmetric (or Private-key) Algorithms
These are what many people assume cryptography is about: two parties have an encryption and decryption method for which they share a secret key. All
Page |9
cryptography from ancient times until 1976 was exclusively based on symmetric methods. Symmetric ciphers are still in widespread use, especially for data encryption and integrity check of messages. Examples : DES(Data Encryption standard),TDES(Triple Data Encryption Algorithm),AES(Advanced Encryption Standard process) and nearly all Classical ciphers like Caesar cipher, Vigenere cipher, Hill cipher, Affine transformation etc. II.
Asymmetric (or Public-Key) Algorithms:
In 1976 an entirely different type of Cipher was introduced by Whitfield Diffie, Martin Hellman and Ralph Merkle. In public-key cryptography, a user possesses a secret key as in symmetric cryptography but also a public key. Asymmetric algorithms can be used for applications such as digital signatures and key establishment, and also for classical data encryption. Examples: Diffie Hellmann Key-Exchange, Elgmal, Mussey Omura, RSA, Robin Cryptosystems. III.
Cryptographic Protocols:
Roughly speaking, crypto protocols deal with the application of cryptographic algorithms. Symmetric and asymmetric algorithms can be viewed as building blocks with which applications such as secure Internet communication can be realized. Example: The Transport Layer Security (TLS) scheme, which is used in every Web browser, is an example of a cryptographic protocol. In next chapter we will discuss about some classical (historical) Ciphers.
P a g e | 10
CHAPTER 2 HISTORICAL CIPHERS
2.1 History of Ciphers The history of cryptography begins thousands of years ago. Until recent decades, it has been the story of what might be called classic cryptography that is, of methods of encryption that use pen and paper, or perhaps simple mechanical aids. In the early 20th century, the invention of complex mechanical and electromechanical machines, such as the Enigma rotor machine, provided more sophisticated and efficient means of encryption; and the subsequent introduction of electronics and computing has allowed elaborate schemes of still greater complexity, most of which are entirely unsuited to pen and paper.
2.2 Some Historical Ciphers 2.2.1 Caesar Cipher One of the simplest examples of a substitution cipher is the Caesar cipher, which is said to have been used by Julius Caesar to communicate with his army. Caesar is considered to be one of the first persons to have ever employed encryption for the sake of securing messages. Caesar decided that shifting each letter in the message would be his standard algorithm, and so he informed all of his generals of his decision, and was then able to send them secured messages. Using the Caesar Shift (3 to the right), the message,
”RETURN TO ROME” would be encrypted as,
”UHWXUA WR URPH” In this example, ‟R‟ is shifted to ‟U‟, ‟E‟ is shifted to ‟H‟, and so on. Now, even if the enemy did intercept the message, it would be useless, since only Caesar‟s generals could read it.
2.2.2 Playfair Cipher
P a g e | 11
The Playfair cipher or Playfair square is a manual symmetric encryption technique and was the first literal digraph substitution cipher. The scheme was invented in 1854 by Charles Wheatstone, but bears the name of Lord Playfair who promoted the use of the cipher.The technique encrypts pairsof letters (digraphs), instead of single letters as in the simple substitution cipher. The Playfair cipher uses a 5 by 5 table containing a key word or phrase. Memorization of the keyword and 4 simple rules was all that was required to create the 5 by 5 table and use the cipher. To generate the key table, one would first fill in the spaces in the table with the letters of the keyword (dropping any duplicate letters), then fill the remaining spaces with the rest of the letters of the alphabet in order (usually omitting”Q” to reduce the alphabet to fit, other versions put both”I” and ”J” in the same space). The key can be written in the top rows of the table, from left to right, or in some other pattern, such as a spiral beginning in the upper-left-hand corner and ending in the centre. The keyword together with the conventions for filling in the 5 by 5 table constitutes the cipher key. To encrypt a message, one would break the message into digraphs (groups of 2 letters) such that, for example, ”Hello World” becomes ”HE LL OW OR LD”, and map them out on the key table. The two letters of the digraph are considered as the opposite corners of a rectangle in the key table. Note the relative position of the corners of this rectangle. Then apply the following 4 rules, in order, to each pair of letters in the plaintext:
1. If both letters are the same (or only one letter is left), add an ”X” after the first letter. Encrypt the new pair and continue. Some variants of Playfair use
”Q” instead of ”X”, but any uncommon monograph will do.
2. If the letters appear on the same row of your table, replace them with the letters to their immediate right respectively (wrapping around to the left side of the row if a letter in the original pair was on the right side of the row). 3. If the letters appear on the same column of your table, replace them with the letters immediately below respectively (wrapping around to the top side of the column if a letter in the original pair was on the bottom side of the column). 4. If the letters are not on the same row or column, replace them with the letters on the same row respectively but at the other pair of corners of the rectangle defined by the original pair. The order is important the first letter of the encrypted pair is the one that lies on the same row as the first letter of the plaintext pair.
P a g e | 12 st
To decrypt, use the INVERSE (opposite) of the last 3 rules, and the 1 as-is (dropping any extra”X”s (or ”Q”s) that don‟t make sense in the final message when finished).
2.2.3 Hill Cipher and Affine ciphers Here we are going to introduce matrix version of Hill cipher. Why because 1*1 Matrix is nothing but an element which is special case. Let each diagraph correspond to a vector, i.e. a pair of integers
with x and y considered modulo N. For example if we have the 26 letter alphabet in our cryptosystem, then the diagraph NO would correspond to 13 14 Numerous Ciphers are possible to be implemented when dealing with Matrix Enciphering, like, Affine, Hill etc. The mappings used are: Hill: C=AP Affine: C=AP + B Where A and B are known as the enciphering keys and A is invertible in Z/NZ. Example of Hill Transformation:
Enciphering the Plaintext, digraph.
“NOANSWER”, taking the message unit as
The numerical equivalent is: 13
0
18
4
14 13 22 17
P a g e | 13
We have the mapping as C=AP Let A, the key, be taken as 2
7
3
8
Hence, our ciphered text is
C = AP =
=
2
7
13
0
3
8
14 13 22 17
16
13
24 7
21
0
16
18
4
8
i.e. the coded message is “ QVNAYQHI” Now, for decryption, we rearrange the mapping and and get -1
P=A C in the case of Hill Transformation and -1
-1
P= A C-A B in case of Affine Transformation.
Since, we deal with inverses of a matrix in decryption to a large extent, our project begins with writing a code in C++ language, to determine the inverse of a matrix in a finite field.
2.3 Inverse of a matrix over a finite field We used gauss Jordan method for finding inverse so the algorithm for this is: Algorithm 2.3.1:
•
•
Input the order of the matrix and the matrix itself from the user.
The user chooses the option out of „finite field‟ or „real line‟.
P a g e | 14
•
•
•
•
•
Formation of an Identity matrix of the same order. In the case of finite field, the user will the asked to enter the value for p as in Zp. We check if there is any zero element in the diagonal, we change it to a positive or negative number using elementary column operations. Simultaneously we check, for all zero columns and rows, in which case, it displays the determinant zero and terminates the program Else, we use the Gauss Jordan Elimination method to change the given matrix in its diagonal form using the following elementary row operations. Ri
Ri – Rk *
aik akk
where, the matrix is A = aij
n xn
k = step index i •
•
•
•
•
•
=1,2,3…….. k -1, k+1,…..n
Simultaneously apply the above transformations on the identity matrix of the same order, n. We multiply the diagonal of the matrix A to get the determinant. In case, the option of the finite field, we do all the calculations under modulo. We check the condition, whether the determinant, thus evaluated, is coprime with p or not.
If no, we display that the inverse doesn‟t exist and the program terminates.
P a g e | 15
•
If yes, we divide each row by it‟s respective diagonal elem ents, simultaneously, applying the same on the identity matrix.
•
The identity thus found is the required inverse.
•
In case of finite field, all operations are done under modulo p
C source code : #include #define MAX 10 void pivoting(); int checkzeros(); //------------------------------------------------------------------------// MAIN FUNCTION FOR FINDING INVERSE OF A MATRIX : //------------------------------------------------------------------------int main() { int det(); float rem(int,float); float a[MAX][MAX],value; int i,j,N,u,p; printf("Enter order of the matrix [A] : "); scanf("%d",&N); //inputting the values of matrix for(i=0;i
P a g e | 16
for(j=0;j
P a g e | 17
{ for(j=0;j
P a g e | 18
//-----------------------------------------------------------------------// Function to check zero elements in rows of the Matrix: //------------------------------------------------------------------------int checkzeros(float a[][MAX],int N) { int i,j,k,T,U; for(i=0;ip%b) : //-----------------------------------------------------------------------float rem(int a,float b) { if(b>0&&a>b) return b; else if(b>0&&ab) return (gcd(a%b,b)); if(b>a) return (gcd(b%a,a)); } //---------------------------------------------------------// Function for poviting //---------------------------------------------------------void pivoting(float a[][MAX],int N,float I[][N],int k) {
P a g e | 19
int l,m,index=0; float max,temp; for (l=0;l
Runtime(operational count): Number of divisions:
In each step for elementary transformations we have no. of divisions = n – 1 No. of steps = n So, No. of divisions in total n steps = n(n-1) After getting the diagonal matrix, we have n divisions again. 2 Hence, total no. of divisions = n(n-1)+n = n No. of multiplications:
In the any of the step, we multiply n times in each row n-1 times. Hence, total number of multiplication in each step = n(n-1) No. of such steps = n 2 Hence, total no. of multiplications are = n (n-1) Therefore, 2 2 3 Operational count= n + n (n-1) = n 3 So worse time complexity is O(n ),which is polynmial time complexity.
Now we are going to give algorithm for finding inverse an element over moduli.
P a g e | 20
2.4 Chinese Remainder Theorem The Chinese remainder theorem describes the solutions to a system of simultaneous linear congruence‟s. The simple st situation is a system of two congruence‟s, x ≡ a (mod m) and x ≡ b (mod n), with gcd(m, n) = 1, in which case the Chinese remainder theorem says that there is a unique solution modulo mn. The first recorded instance of a problem of this type appears in a Chinese mathematical work from the late third or early fourth century. It actually deals with the harder problem of three simultaneous congruence‟s. Theorem 2.4.1 Let m1 ,m2 , . . . , mk be a collection of pairwise relatively prime integers.This means that gcd(m ,m i j) = 1 for all i ≠ j. Let a1 , a2 , . . . , ak be arbitrary integers. Then the system of simultaneous congruences
x ≡ a1 (mod m1 ), x ≡ a2 (mod m3 ), . . . , x ≡ a k (mod mk ) has a solution x = c. Further, if x = c and x = c' are both solutions, then
c ≡ c'(mod m1m2. . .mk ). Proof . Suppose
that for some value of ı we have already managed to find a solution x = ci to the first ı simultaneous congruences, x ≡ a1 (mod m1), x ≡ a 2, . . . , x ≡ a i (mod mi) For example, if i = 1, then c 1 = a1 works. We are going to explain how to find a solution to one more congruence,
x ≡ a1 (mod m1), x ≡ a 2, . . . , x ≡ a i+1 (mod mi+1) The idea is to look for a solution having the form, xi = ci + m1m2. . .miy. Notice that this value of x still satisfies all of the congruences, so we need merely choose y so that it also satisfies x ≡ ai+1 (mod mi+1). In other words, we need to find a value of y satisfying
P a g e | 21
ci + m1m2. . .miy ≡ ai+1 (mod mi+1) Since gcd ( mi+1 , m1m2. . . mi ) = 1 , this is possible. This completes the proof of existence. So by using above theorem we done C++ code for solving linear equations which can be solve by Chinese remainder theorem :
C++ source code: //-----------------------------------------------------------------// PROGRAMME FOR SOLVING LINEAR CONGRUANCE EQUATIONS OF THE FORM : // x=a1(mod m1),x=a2(mod m2),...........,x=ak(mod mk) //---------------------------------------------------------- ------#include #include using namespace std; //-----------------------------------------------------------// function for finding gcd of two elements //-----------------------------------------------------------int gcd(int a,int b) { if (a==0) return b; if(b==0) return a; if(a>b) return (gcd(a%b,b)); if(b>a) return (gcd(b%a,a)); } //-----------------------------------------------------------// FUNCTION FOR FINDING MODULAR INVERSE OF AN ELEMENT //-----------------------------------------------------------int inverse(int a,int b)// here a-->modulus,b-->element { int gcd,x=0,y=1,k=a; int u=1, v=0, m, n, q, r; gcd = b; while (a!=0) { q=gcd/a; r=gcd%a; m=x-u*q; n=y-v*q; gcd=a; a=r; x=u; y=v; u=m; v=n; } while(y<0) { y=k+y; } return y; } //-------------------------------------------------------// MAIN FUNCTION STARTS HERE //-------------------------------------------------------int main() {
P a g e | 22
int k; cout<<"TO SOLVE LINEAR CONGRUANCE EQUATIONS OF THE FORM :\n"<>k; int m[k],a[k],i,n=1; //n=m1*m2*.....*mk for(i=0;i>a[i]>>m[i]; if(i>0) { if(gcd(m[i-1],m[i])!=1) { cout<<"\nChinese Remainder Theorem is not applicable for this problem.\n\n"; return 1; } } n=n*m[i]; } int sol=0,B=1; for(i=0;i
Next we will discuss about the concept primality testing which is useful in Public key cryptography.
P a g e | 23
CHAPTER 3 PRIME NUMBER GENERATION
In many Public key Cryptosystems, large random prime numbers are used. They are produced by generating random numbers of the right size and by testing whether those random numbers are prime. In this chapter, we explain how we efficiently decide whether a given positive integer is a prime number. The fallowing are commonly used algorithms:
3.1 Trail division: Let n be a positive integer. We want to know whether n is a prime number. This algorithm is based on the fallowing theorem without proof:
If n is a composite positive integer, then n has a prime divisor p which is less than or equal to √n.
The above theorem suggests the fallowing algorithm to test whether n is prime. Algorithm 3.1.1:
1. Input: n 2. Let m is prime ≤√n Loop starts m=2 to √n If m is divisor of n then return composite Else m=next prime ≤√n 3. Loop ends 4. Return n is prime. Running Time:
In the worst case, trial division is a laborious algorithm. If it starts from two and works up to the square root of n, the algorithm requires
Trial divisions, where π (x) denotes the prime-counting function, the number of primes less than x.
P a g e | 24
If n is large, then trial division becomes very inefficient. The trial division is 6. typically used for the numbers ≤10 Note: It is also possible to test whether n is divisible by any odd, +ve integer m ≤√n. It requires
trial divisions. C++ Source code: //-------------------------------------------------// TRIAL DIVISION ALGORITHM FOR PRIMALITY TESTING //-------------------------------------------------#include using namespace std ; #include #include int
main()
{ int n,q; cout<<”enter the Number : ”;
cin>>n; int i=2; do { if(n%i==0) goto l1; i++; }while(i<=int(sqrt(n))); cout<
Output is: Enter the number 37
P a g e | 25
37 is a prime number.
3.2 Fast powering algorithm(Modular exponentiation) : In many Cryptosystems we reach to the point to computing large powers of numbers over moduli the fallowing algorithm is very usefull for this purpose: Sequential steps of The algorithm are : Step 1. Compute the binary expansion of A as 2 3 r + Ar .2 with A0 , . . . , A r ∈ {0 , 1 }, A = A0+ A1 .2+ A2.2 + A3.2 +·· · where we may assume that Ar = 1. 2 i Step 2. Compute the powers (g ) (mod N ) for 0 ≤ i ≤r by successive squaring, a0 g 2 2 a1 ≡ a0 ≡ g 2 2 2 a2 ≡ a1 ≡ ( g ) 2 2 3 a3 ≡ a2 ≡ (g ) ... ... ... 2 2 r ar ≡ ar-1 ≡ (g )
(mod N ) (mod N ) (mod N ) (mod N )
(mod N ).
Each term is the square of the previous one, so this requires r multiplications. A
Step 3. Compute g (mod N ) using the formula
Note that the quantities a0 , a1 , . . . , a r were computed in Step 2. Thus the above product can be computed by looking up the values of the ai’s whose exponent Ai is 1 and then multiplying them together. This requires at most another r multiplications.
P a g e | 26
The simple psuedocode for the above algorithm is : Algorithm 3.2.1(Modular exponentiation) Input: Positive integers N , g, and A. 1. Set a = g and b = 1. 2. Loop while A > 0. 3. If A ≡ 1 (mod 2), set b = b ・ a (mod N ). 2 4. Set a = a (mod N ) and A = [ A/ 2]. 5. If A > 0, continue with loop at Step 2. A 6. Return the number b, which equals g (mod N ). Running Time:
It takes at most 2 r multiplications modulo N to compute g . Since A ≥ 2 , we A see that it takes at most 2 log 2( A) multiplications modulo N to compute g . Thus 1000 even if A is very large, say A ≈ 2 , it is easy for a computer to do the A approximately 2000 multiplications needed to calculate 2 modulo N . A
r
C++ source code is: // ------------------------------------------------------------// FAST POWERING ALGORITHM (OR) SQUARE AND MULTIPLY ALGORITHM //-------------------------------------------------------------// Calculating (g^A)mod N #include #include using namespace std; int main() { int g,A,N,b=1; cout<>g>>A>>N; while(A>0) { if((A-1)%2==0)//if A=1(mod 2) { b=b*g; b=b%N;//b=b*g(mod N) } g=g*g; g=g%N;//g=g^2(mod N) A=ceil(A/2);//A=[A/2] } cout<
P a g e | 27
3.3 Fermats test : Let n be a positive integer. We want to know whether n is a prime number. This algorithm is based on the fallowing theorem without proof: Theorem 3.3.1(Fermat‟s
Little Theorem)
Let p be a prime number. Then gcd(a,p)=1.
p
a
≡
a (mod p)
for every integer a with
From above theorem we have: Def: Let n be an odd integer and if a is an integer such that gcd (a, n) = 1 and n-1 a ≠ 1 (mod n) Then n is not prime. Such a number 'a' is called a compositeness witness for n.
It suggests the fallowing algorithm to test whether n is prime. Algorithm 3.3.1:
1. Input: n, a value to test for primality; 2. a=2, k=n-1 3. Loop starts if a
As we know that worse case time complexity for computing g (mod N) is O (2log2 A). So worse case Time complexity for this algorithm is O (2log2(n-1)!).
P a g e | 28
C++ Source code is: //-----------------------------------------------// PRIMALITY TESTING(FERMATS TEST) // NOTE:Potential witness is taken as "2" //-----------------------------------------------#include #include using namespace std; //-----------------------------------------------// FUNCTION FOR MODULAR EXPONENTIATION //-----------------------------------------------int mod_power(int g,int A,int N) { int b=1; while(A>0) { if((A-1)%2==0)//if A=1(mod 2) { b=b*g; b=b%N;//b=b*g(mod N) } g=g*g; g=g%N;//g=g^2(mod N) A=ceil(A/2);//A=[A/2] } return b; } //--------------------------------------// MAIN FUNCTION STARTS HERE //--------------------------------------int main() { int N; cout<>N; if(N%2==0) { cout<<" '"<
";
Here in this algorithm there is a drawback that is, we are not able to decide whether given number is prime or not. It is because of carmical numbers. “Composite numbers having no witness are called Carmical numbers” Example: 561 is a Carmical number i.e., a
≡a(mod 561) for every integer a.
561
P a g e | 29
3.4 Rabin-Miller Test: This test(for Compositeness) is better than fermats test which is also works for Carmical numbers. The following property of prime numbers is used to formulate the Miller – Rabin test , which has the agreeable property that every composite number has a large number of witnesses.
Let p be an odd prime and write k p − 1 = 2 q with q odd. Let a be any number not divisible by p. Then one of the following two conditions is true:
(i)
q
a is congruent to 1 modulo p.
So by using above theorem we define, Definition(Rabin-Miller witness):
Let n be an odd number and write n − 1 = 2kq with q odd. An integer a satisfying gcd (a, n) = 1 is called a Miller – Rabin witness for ( the compositeness of) n if both of the following conditions are true:
It suggests the fallowing algorithm to test whether n is prime. Algorithm 3.4.1: Input: A odd Integer n>3 to be tested, integer a as potential witness and k , a parameter that determines the accuracy of the test Output: composite if n is composite, otherwise probably prime 1. If n is even or 1 < gcd (a, n) < n, return Composite. k 2. Write n−1 = 2 q with q odd. 3. LOOP: repeat k times: q 4. Pick a random integer a in the range [2, n − 2] and Set a = a (mod n). 5. If a ≡ 1 (mod n), then do next LOOP 6. Loop i = 0, 1, 2,. . . k−1
P a g e | 30
7. If a ≡ −1 (mod n) , then do next LOOP 2 8. Set a = a mod n. 9. Increment i and loop again at Step 6. 10. Return Composite. 11.Return probably prime
By given theorem below answer the question that for which values of a we will run The algorithm instead of running the test using a bunch of randomly selected values of a. Let n be an odd composite number. Then at least 75% of the numbers a between 1 and n − 1 are Miller – Rabin witnesses for n.
Consider now Bob‟s (a user ) quest to identify large prime numbers. He takes his potentially prime number n and he runs the Miller – Rabin test on n for (say)10 different values of a. If any a value is a Miller – Rabin witness for n, then Bob knows that n is composite. But suppose that none of his a values is a Miller – Rabin witness for n. Above Theorem says that if n were composite, then each time Bob tries a value for a, he has at least a 75% chance of getting a witness. Since Bob found no witnesses in 10 tries, it is reasonable to conclude 10 that the probability of n being composite is at most (25%) ,which is −6 approximately 10 . And if this is not good enough, Bob can use 100 different values of a, and if none of them proves n to be composite, then the probability 100 −60 that n is actually composite is less than (25%) ≈ 10 .
Runtime : Using modular exponentiation for each iteration we need at most 2log2(n) multiplication for each iteration. So, The running time of this algorithm is O(k log2 n), where k is the number of different values of a we test; thus this is an efficient, polynomial-time algorithm.
C++ source code:
//-----------------------------------------------// PRIMALITY TESTING(ROBIN MILLER TEST) // NOTE:Potential witness is taken as "2" //-----------------------------------------------#include #include using namespace std;
P a g e | 31
// FUNCTION FOR FINDING POWERS OF A NUMBER OVER MODULI. int mod_power(int g,int A,int N) { int b=1; while(A>0) { if((A-1)%2==0)//if A=1(mod 2) { b=b*g; b=b%N;//b=b*g(mod N) } g=g*g; g=g%N;//g=g^2(mod N) A=ceil(A/2);//A=[A/2] } return b; } //MAIN FUNCTION STARTS HERE int main() { int N; cout<>N; if(N%2==0) { cout<<"\n '"<
";
P a g e | 32
Drawback: The algorithm is efficient with polynomial time complexity but it it not able to decide whether the given large random number is prime 100%.Only it gives 25% probability that the number is prime. But The algorithm also works for Carmichael Numbers where as Fermats test does not work for them.
P a g e | 33
CHAPTER 4 FACTORING
In number theory , integer factorization or prime factorizationis the decomposition of a composite number into smaller non-trivial divisors, which when multiplied together equals the original integer. When the numbers are very large, no efficient integer factorization algorithm is known. Based on the difficulty of factorisation problem we have some public key cryptographic algorithms those are: 1. RSA cryptosystem 2. Rabin cryptosystem
4.1 RSA Cryptosystem: The RSA crypto scheme, sometimes referred to as the Rivest – Shamir – Adleman algorithm (Published in 1978), is currently the most widely used asymmetric cryptographic scheme, even though elliptic curves and discrete logarithm schemes are gaining ground. Before going to explain about RSA we mention some theorems without proof: (Euler’s Formula for pq): Let p and q be distinct primes and let g = gcd( p−1 , q−1). Then ( p−1)(q−1) /g ≡ 1 (mod pq) for all a satisfying gcd(a, pq) = 1. a In particular, if p and q are odd primes, then ( p−1)(q−1) / 2 a ≡ 1 (mod pq) for all a satisfying gcd(a, pq) = 1
Let p be a prime and let e ≥ 1 be an integer satisfying gcd(e,p−1)= 1. Then e has an inverse modulo p − 1, say de ≡ 1 (mod p−1).
P a g e | 34 e
Then the congruence
x
≡ c (mod p)
has the unique solution
x ≡ c d (mod p).
The RSA public key cryptosystem relies on the difficulty of solving equations of the form e x ≡ c (mod N), where now the quantities e, c, and N are known and x is the unknown.
Let p and q be distinct primes and let e ≥ 1 satisfy gcd(e, (p − 1)(q − 1))
= 1.
So, e can have an inverse modulo (p − 1) (q − 1), say
de ≡ 1 (mod (p − 1)(q − 1)). Then the congruence e
x
≡ c (mod pq)
has the unique solution x ≡ c d (mod pq). The RSA public key cryptosystem relies on the difficulty of solving equations of the form e
x
≡ c (mod N )
Where now the quantities e, c, and N are known and x is the unknown. In other words, the security of RSA relies on the assumption that it is difficult to take eth roots modulo N . But if N is a prime then by theorem4.1.2 it is easy to solve this problem. th It is easy to take e roots if the modulus is a prime p. The situation for a composite modulus N looks similar, but there is a crucial difference. If we know th how to factor N , then it is again easy to compute e roots. The theorem 4.1.3 above explains how to do this if N = pq is a product of two primes.
P a g e | 35
Let Alice wants send message to Bob through insecure communication transmitter then RSA algorithm as given below,
Bob
Alice Key Creation
Choose secrete primes p and q Choose encryption exponent e with gcd(e,( p-1)(q-1))=1. Publish N=pq and e
Encryption Choose plaintext m Use Bobs public key ( N,e) to compute e c≡m (mod N ) Send coiphertext c to Bob.
Decryption Compute d satisfying ed ≡1(mod ( p-1)(q-1)) d Compute m'≡ c (mod N ) Then m' equals the plaintext m.
The security of RSA depends on the following dichotomy:
• Setup: Let p and q be large primes, let N = pq, and let e and c be integers. • Problem: Solve the congruence xe ≡ c (mod N) for the variable x. •
Easy: Bob, who knows the values of p and q, can easily solve for x as described in Theorem 4.1.3.
• Hard: Eve, who does not know the values of p and q, cannot easily find x. • Dichotomy: Solving xe ≡ c (mod N) is easy for a person who possesses certain extra information, but it is apparently hard for all other people.
4.2 Rabin Cryptosystem The Rabin cryptosystem also based on the difficulty of factoring integers. For this the problem in hand is solving 2
c=m (mod N )
P a g e | 36
Where N= pq, and p,q≡3(mod 4). But if we know p,q values, it easy to solve above equation as given in next Theorem 4.2.1 and using Chinese remainder theorem.
Let p be a prime satisfying p≡3(mod 4).Let a be an integer s.t. the congruence 2
x
≡ a(mod p)
Has a solution. The solution is, x= a
(p+1)/4
(mod p).
Now we Rabin cryptosystem as given below, Bob
Alice
Key creation Chooses randomly two large secrete primes p and q s.t. p,q≡3(mod 4). Publish N= pq. Encryption
Using public key of Bob, Chooses plaintext m ɛ {0,1,....,N-1}. 2 Compute c≡m (mod N). Send cipher text c to Bob. Decryption
Compute the plaintext m from c extracting square roots of c. Compute, (p+1)/4 m p=c (mod p) and (q+1)/4 m p=c (mod q) Now uses Chinese remainder theorem and computes, m (mod pq) i.e.(mod N).
P a g e | 37
Advantage: The Rabin cryptosystem has the advantage that the problem(Finding square roots over composite moduli) on which it relies has been proved to be as hard as integer factorization, which is not currently known to be true of the RSA problem.
Disadvantage: It has the disadvantage that each output of the Rabin function can be generated by any of four possible inputs (i.e., four possible square roots of output); For each output (i.e., ciphertext), extra complexity is required on decryption to identify which of the four possible inputs was the true plaintext. So, the security of above cryptosystems is depend on the problem factoring the integers so to enhance the security we should know about algorithms developed for factorisation.
4.3 Trail division We discussed the trail division method for primality testing. The same method can also be used for factorisation. But as we know, running time is very high so it is not efficient algorithm for factorisation.
4.4 Pollards p-1 factorisation algorithm This method is not useful for all numbers; there are certain types of numbers for which it is quite efficient. Pollard‟s method demonstrates that there are insecure RSA moduli that at first glance appear to be secure. This alone warrants the study of Pollard‟s method. Algorithm 4.4.1 Input: Integer N to be factored. Output: a non-trivial factor of N or failure 1. Set a = 2 (or some other convenient value). 2. Loop j = 2 , 3 , 4 , . . . up to a specified bound n. j 3. Set a = a mod N . 4. Compute d = gcd(a − 1 ,N ). 5. If 1 < d < N then success, return d . 6. Increment j and loop again at Step 2.
P a g e | 38
7. Return failure.
NOTE: We can observe in the algorithm that in each iteration we are nothing j! but calculating the value a (mod N).But as shown in the algorithm it is j equivalent to calculate a (mod N) in each iteration. So finally we are only n! calculating a (mod N) in Total algorithm. Runtime:
The fast exponentiation algorithm gives a method k for computing a (mod N ) in at most 2log2 k steps, where each step is a multiplication modulo N . Stirling‟s formula ln(n!) = n ln(n) − n + ½ ln(2πn) + O(1 /n) n
says that if n is large, then n! is approximately equal to (n/e) . So we can n! compute a (Mod N ) in 2n log2(n) steps. Thus it is feasible to compute n! a (mod N) for reasonably large values of n. So time complexity for this algorithm is O (2n log2(n) ). C++ source code is: //---------------------------------------------------------// POLLARDS P-1 FACTORISATION METHOD //---------------------------------------------------------#include #include using namespace std; //----------------------------------------//FUNCTION FOR FINDING GCD OF TWO NUMBERS //----------------------------------------int gcd(int a,int b) { if((a<0)||(b<0)) { cout<<"Error"; return 0; } if (a==0) return b; if(b==0) return a; if(a>b) return (gcd(a%b,b)); if(b>a) return (gcd(b%a,a)); } //---------------------------------------------------// FUNCTION FOR FAST POWERING //----------------------------------------------------
P a g e | 39
int mod_power(int g,int A,int N) { int b=1; while(A>0) { if((A-1)%2==0)//if A=1(mod 2) { b=b*g; b=b%N;//b=b*g(mod N) } g=g*g; g=g%N;//g=g^2(mod N) A=ceil(A/2);//A=[A/2] } return b; } //-----------------------------------------------// MAIN FUNCTION STARTS HERE //------------------------------------------------int main() { int N,a=2,B,i;//B->bound cout<<"Enter the number to be factored : "; cin>>N; for(i=2;i1&&d
4.5 Fermat’s factorisation algorithm Consider an odd positive integer n, and suppose that n = ab where a and b are integers. (Note that since n is odd, both a and b must be odd.) Now, note that we can write n as the difference of two squares 2 2 n = s - t if we have s = (a + b)/2 , and t = (a - b)/2. Note that both s and t are integers, since both a and b are odd. Similarly, if we have an odd positive integer n that is the difference of two squares, say 2 2 n = x -y then we can factor this integer into n = cd where c = (x + y), and d = (x -y).
P a g e | 40
Thus, we can approach the problem of factoring an odd positive integer n by looking for squares whose difference is n, rather than looking directly for factors of n. That is, we look for integer solutions of the equation 2 2 n = x -y . We can do this by rewriting the previous equation in this way: 2 2 Y = x - n. 2 and search for perfect squares of the form x -n. We can do this sequentially; we start with m, the smallest integer greater than the square root of n, and look for perfect squares in the sequence 2 2 2 m -n, (m + 1) -n, (m + 2) -n, . . . This search is guaranteed to end, since m will have to go no further than m = (n + 1)/2 , since: 2 2 ((n + 1)/2) -n = ((n-1)/2) and all the terms are integers. To see that the previous equation is true, note that 2 2 2 2 ((n + 1)/2) -((n-1)/2) = (n + 2n + 1)/4 -(n - 2n + 1)/4 = 4n/4 = n. (However, if we do go this far, note that we have only obtained the trivial factorization n = n 1). ۰
Algorithm 4.5.1 Input: Integer N to be factored. Output: a non-trivial factor of N 1. Set i =smallest integer >square root of N 2. Set k = (N+1)/2 3. Loop, Maximum k repetitions 2 4. Calculate T=i – N 5. If T is perfect square then Return ( i+square_root(T ), i-square_root(T ) ) 6. Increment i (i.e. i=i+1) and loop again at STEP 3
Runtime :
Hopefully we can see how inefficient this method of factoring can be. It can be even worse than the trial division method, for trial division never has to test more than √n integers, but with the Fermat method it may be necessary to search as many as (n + 1)/2-√n integers before the procedure is guaranteed to terminate. As the integer n gets larger, the quantity (n + 1)/2-√n becomes much larger than √n. So worse time complexity for this algorithm is О((n + 1)/2-√n) . The Fermat factorization method is most efficient when the two factors of n, say 2
2
n = ab = x - y = (x + y)(x - y)
P a g e | 41
are close together (thereby making x and y close together). This keeps the search of the sequence 2 2 2 m -n, (m + 1) -n, (m + 2) -n, . . . relatively short. C++ Source Code: //-------------------------------------------------------------------// FERMATS FACTORISATION METHOD(Via Difference of Squares) //-------------------------------------------------------------------#include #include using namespace std; int main() { int N,T,i=floor(sqrt(N)); cout<<"Enter the number to be factored : "; cin>>N; while(i<=(N+1)/2) { T=(i*i)-N; int K=sqrt(T); if(K==sqrt(T)) { cout<<"Factors of '"<
P a g e | 42
CHAPTER 5 DISCRETE LOGARITHMIC PROBLEM
Many of the most commonly used cryptography systems are based on the assumption that the discrete log is extremely difficult to compute; the more difficult it is, the more security it provides a data transfer. One way to increase the difficulty of the discrete log problem is to base the cryptosystem on a larger group. In this chapter we discuss Algorithms solving Discrete logarithm problems and some cryptosystems based on this problem. Theorem 5.0 (Primitive Root Theorem) Let p be a prime number. Then there exists an element g ɛ F p whose powers * give every element of F p , i.e., 2 3 * p−2 F p = {1 , g, g , g , . . . , g }. Elements with this property are called primitive roots of F p or generators * * of F p . They are the elements of F p having order p − 1. *
By above theorem, we can guarantee the solution to the below given problem: Definition (Discrete logarithm problem)
Let g be a primitive root for F p and let h be a nonzero element of F p. The Discrete Logarithm Problem (DLP) is the problem of finding an exponent x such that x g ≡ h (mod p). The number x is called the discrete logarithm of h to the base g and is denoted by logg(h). We can define DLP over a Group as follows: “Let G be a group whose group law we denote by the symbol *. The Discrete Logarithm Problem for G is to determine, for any two given elements g and h in G, an integer x satisfying g *g* g * . . .* g( x times)= h. ” * There are faster ways to solve the DLP in F p , some of which are very fast but work only for some primes, while others are less fast, but work for all primes. We mention them here,
P a g e | 43
1. Shanks Baby step-Giant step algorithm 2. Pollards ρ (rho) algorithm 3. Pohling Hellmann algorithm 4. Index calculus algorithm The Pohlig – Hellman algorithm shows that if p− 1 factors entirely into a product of small primes, then the DLP is quite easy. For arbitrary primes, the shanks baby giant step algorithm described in solves the DLP in O(√ p log p) steps, which is much faster than O( p),but still exponential. Even better is the index calculus algorithm solves the DLP in c√(log p)(log log p) ) steps, O (e so it is a sub exponential algorithm. Maximum fastest algorithm for solving DLP is only sub exponential so we consider DLP with large p as a hard problem. This hardness gives the security to the cryptosystems based on DLP.
5.1 Trivial brute-force algorithm N
Let G be a group and let g ∈ G be an element of order N and note that g = e and that no smaller positive power of g is equal to the identity element e. 5.1.1 Algorithm
Simply make a list of the values g for x = 0, 1, 2, . . . N −1. Note that each successive value may be obtained by multiplying the previous value by g. x If a solution to g = h exists, then h will appear in your list. x
Runtime:
By using above algorithm the discrete logarithm problem x g =h can be solved in O (N) steps, where each step consists of multiplication by g.
5.2 Shanks Baby step-Giant step algorithm This algorithm is due to shanks. It is an example of a collision, or meet* in-the-middle, algorithm. Shanks‟s algorithm works in any group, not just F p . It is the just improvement of above brute force algorithm.
P a g e | 44
Let G be a group and let g ɛ G be an element of order N ≥ 2. The following x algorithm solves the discrete logarithm problem g = h . 5.2.1 Algorithm Input: Order of the group N , g and h. 1. Let n = 1+[√N], so in particular, n > √N. 2. Let x=qn+r , 0≤ r
δ = gn and Ğ={ δ q :q=1,2,3,..........n} 5. Find a match between the two lists, say q and r . 6. Then Return qn+r
δ q= hg-r for particular values of
Runtime: For creating two lists takes approximately 2n multiplications. Assuming that a match exists, we can find a match in a small multiple of log(n) steps using sorting and searching algorithms. So step5 takes O (log n) steps. Hence total Running time for The algorithm is O (n log (n)) =O (√ N log (N)).
C++ source code : //--------------------------------------------------------------// DLP (DESCRETE LOGARITHMIC PROBLEM) // // SHANKS BABY STEP-GIANT STEP ALGORITHM // //--------------------------------------------------------------#include #include using namespace std; //-----------------------------------------------------------// FUNCTION FOR FINDING INVERSE //-----------------------------------------------------------int inverse(int a,int b) { int gcd,x=0,y=1,k=a; int u=1, v=0, m, n, q, r; gcd = b;
P a g e | 45
while (a!=0) { q=gcd/a; r=gcd%a; m=x-u*q; n=y-v*q; gcd=a; a=r; x=u; y=v; u=m; v=n; } while(y<0) { y=k+y; } return y; } //--------------------------------------------------------// FUNCTION FOR FINDING POWERS OF A NUMBER OVER MODULI. //--------------------------------------------------------int mod_power(int g,int A,int N) { int b=1; while(A>0) { if((A-1)%2==0)//if A=1(mod 2) { b=b*g; b=b%N;//b=b*g(mod N) } g=g*g; g=g%N;//g=g^2(mod N) A=ceil(A/2);//A=[A/2] } return b; } //-------------------------------------------------------// MAIN FUNCTION STARTS HERE //-------------------------------------------------------int main() { int n,m,g,l,i; //n->order of field,m->[root of(n)]+1 and DLP is:g^x=l // INPUT: cout<<"\n Enter the order of finite field(Fp*) : "; cin>>n; cout<<"\n Enter the generator of the field : "; cin>>g; cout<<"\n Enter the element of the field for which you want to find dlog : "; cin>>l; // m=[sqrt(n)]+1 and x=q*m+r,0<=r
P a g e | 46
if(B[i]==1) { cout<
This algorithm is slower algorithm.The public key cryptosystems depend upon DLP are: 1. Diffie Hellmann key exchange 2. ElGamal Cryptosystem 3. Mussey Omura Cryptosystem. We will discuss above Crypto systems after discussing the more efficient algorithms to solve DLP.