Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete...


Introduction to Modern Cryptography

Lecture 5

• Number Theory:
  1. Quadratic residues.
  2. The discrete log problem.
• Intro to Public Key Cryptography
• Diffie & Hellman Key Exchange

Course Summary - Math Part (Previous lectures)

• Euclid gcd ; extended gcd.

• The ring Z_m.
• Finite groups: Lagrange's theorem (if G is finite and H is a subgroup then |H| divides |G|).
• Finite field arithmetic: GF(p^k).
• Primitive elements in finite fields (generators of the multiplicative group, which has p^k - 1 elements).

• The birthday paradox.

Course Summary - Crypto Part (first 4 lectures)

• Introduction
• Stream & Block Ciphers
• Block Cipher Modes (ECB, CBC, OFB)
• Advanced Encryption Standard (AES)
• Message Authentication Codes (based on CBC and on cryptographic hashing)

The Birthday Paradox: Wrap Up

• Let R be a finite set of size r.
• Pick k elements of R uniformly and independently.
• What is the probability of getting at least one collision?

The Birthday Paradox (cont.)

• Consider the event E_k: no collision after k elements.

Prob(E_k) = 1 · (1 - 1/r)(1 - 2/r) … (1 - (k-1)/r) < exp(-1/r) exp(-2/r) … exp(-(k-1)/r)

= exp(-(1 + 2 + … + (k-1))/r) = exp(-k(k-1)/2r)

≈ exp(-k^2/2r)

For k = r^{1/2}, Prob(E_k) < 0.607, thus Prob(Collision_k) > 0.393.

For k = 1.2 r^{1/2}, Prob(E_k) < 0.487, thus Prob(Collision_k) > 0.513.

(Figure: Maple plot of exp(-x) and 1 - x on 0 ≤ x ≤ 0.5, showing the inequality 1 - x < exp(-x) used above.)

> plot({exp(-x),1-x},x=0..0.5);

Application to Cryptographic Hashing

Let H: D → R, with R of size r. Suppose we can get k random images under H.

If k^2 is larger than r then the probability of a collision, 1 - exp(-k^2/2r), is large.

Thus a necessary condition for avoiding collisions is that r is so large that it is infeasible to generate r^{1/2} hash values.

This leads to requiring that message digests be at least 160 bits long (2^{160/2} = 2^80 is large enough).
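An added example (not from the lecture) that computes the exact Prob(E_k), the slide's bound exp(-k(k-1)/2r), and then runs the hashing argument on a constructed toy: SHA-256 truncated to 24 bits, so that r^{1/2} = 2^12 and a collision appears after roughly that many hashes. The function names and the b"msg-i" inputs are the example's own choices.

```python
import hashlib
import math

def prob_no_collision(r, k):
    """Exact Prob(E_k): k uniform, independent draws from a set of size r, no repeat."""
    p = 1.0
    for i in range(k):
        p *= 1 - i / r
    return p

def prob_no_collision_bound(r, k):
    """The slide's upper bound exp(-k(k-1)/2r), from 1 - x < exp(-x) for x > 0."""
    return math.exp(-k * (k - 1) / (2 * r))

def truncated_hash(data, bits):
    """SHA-256 cut to its top `bits` bits: a hash whose range has size r = 2^bits."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def find_collision(bits, max_hashes):
    """Hash the constructed inputs b'msg-0', b'msg-1', ... until two share a digest.
    Returns (hashes computed, input_a, input_b), or None if max_hashes is reached."""
    seen = {}
    for i in range(max_hashes):
        m = b"msg-%d" % i
        h = truncated_hash(m, bits)
        if h in seen:
            return i + 1, seen[h], m
        seen[h] = m
    return None

if __name__ == "__main__":
    r = 2 ** 24                       # a 24-bit digest, so r^(1/2) = 2^12 = 4096
    k = int(1.2 * r ** 0.5)
    print("bound on Prob(E_k) at k = 1.2 r^(1/2):", round(prob_no_collision_bound(r, k), 3))
    print("collision found after", find_collision(24, 20 * 4096)[0], "hashes")
```

The 160-bit requirement follows from the same computation: with r = 2^160, the k at which the collision probability becomes large is 2^80, which is what has to be infeasible.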

Back to Number Theory

Fermat's "Little" Theorem

• Let G be a finite group with m elements. Let a be an element of G. Then a^m = 1 (the unit element of G).

Example

G = Z_p*, the multiplicative group of Z_p. The polynomial x^{p-1} - 1 has p-1 roots, so x^{p-1} - 1 = ∏_{a≠0} (x - a).

> factor(x^6-1);
(x-1)(x+1)(x^2+x+1)(x^2-x+1)
> factor(x^6-1) mod 7;
(x+6)(x+1)(x+4)(x+2)(x+5)(x+3)

Quadratic Residues

• Definition: An element x is a quadratic residue modulo n if there exists y such that y^2 ≡ x mod n.
• Claim: if p is prime there are exactly (p-1)/2 quadratic residues in Z_p*.
• Claim: if p is prime, and g is a generator of the multiplicative group, the quadratic residues are all the even powers of g: g^0, g^2, …, g^{2i}, …, g^{p-3}.

Quadratic Residues in Z_p (cont.)

• The quadratic residues (QR) form a subgroup of Z_p*.
• x^{p-1} - 1 = (x^{(p-1)/2} - 1)(x^{(p-1)/2} + 1).
• Thus x^{(p-1)/2} - 1 has (p-1)/2 roots in Z_p.

Quadratic Residues in Z_p (cont.)

Claim: an element x in Z_p is a quadratic residue if and only if x^{(p-1)/2} ≡ 1 mod p.

Proof Sketch:
• Suppose x = y^2 (x is a QR); then x^{(p-1)/2} - 1 = y^{p-1} - 1 = 0.
• Suppose x^{(p-1)/2} = 1. Let x = g^i where g is a primitive element. Then g^{i(p-1)/2} = 1. Since g has order p-1, p-1 must divide i(p-1)/2, implying i is even and x is a QR.

Testing Quadratic Residues

• Efficient O(log^3 p) algorithm in Z_p (p prime).
• Applies the repeated squaring idea.
• For composite m (esp. m = pq), no efficient algorithm for testing quadratic residues is known. The problem is believed to be computationally hard (but not NP-complete).
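An added example (not from the lecture) of the Euler-criterion test via repeated squaring, checked against the two claims on the previous slides: the QRs computed by squaring, by the criterion, and as the even powers of a generator all coincide and number (p-1)/2. The prime 23 and generator 5 are constructed values; the function names are the example's own.

```python
def mod_pow(base, exp, m):
    """Repeated squaring: O(log exp) multiplications mod m, each O(log^2 m),
    which is the O(log^3 p) cost the slide quotes."""
    result, base = 1, base % m
    while exp:
        if exp & 1:
            result = result * base % m
        base = base * base % m
        exp >>= 1
    return result

def is_qr(x, p):
    """Euler's criterion: x in Zp* is a quadratic residue iff x^((p-1)/2) = 1 mod p."""
    return mod_pow(x, (p - 1) // 2, p) == 1

def is_generator(g, p):
    """g generates Zp* iff g^d != 1 for every proper divisor d of p-1 (small p only)."""
    return all(mod_pow(g, d, p) != 1 for d in range(1, p - 1) if (p - 1) % d == 0)

def qr_by_squaring(p):
    """The QRs by definition: every y^2 mod p for y in Zp*."""
    return {y * y % p for y in range(1, p)}

def qr_by_criterion(p):
    """The QRs as selected by Euler's criterion."""
    return {x for x in range(1, p) if is_qr(x, p)}

def even_powers(g, p):
    """g^0, g^2, ..., g^(p-3): the slide's description of the QRs via a generator g."""
    return {mod_pow(g, 2 * i, p) for i in range((p - 1) // 2)}

if __name__ == "__main__":
    p, g = 23, 5   # constructed example: 23 is prime and 5 generates Z23*
    print("5 generates Z23*:", is_generator(g, p))
    print("QRs mod 23:", sorted(qr_by_criterion(p)))
    print("same set three ways:", qr_by_criterion(p) == qr_by_squaring(p) == even_powers(g, p))
```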

One-Way Functions

• A function f: D → R is called one-way if:
  – Computing f(x) is "easy"
  – Computing f^{-1}(y) for almost all the images is "hard"
• Given the "real-world" definition of "hard", a one-way function may be a single function (e.g. SHA-1).
• Given the theoretical definition, we refer to a family of one-way functions.

Example

• The domain is all pairs of prime numbers.
• The function is f(p,q) = pq.
• Multiplication is easy: the naïve algorithm is O(n^2).
• Factoring is difficult: the simple algorithm is O(2^{n/2}). NFS and ECM are better but not polynomial.
• The function f(p,q) = pq maintains length.

The Chinese Remainder Theorem

• Given
  – x mod p
  – x mod q
• Compute x mod pq.
• If gcd(p,q) = 1 take ((x mod p)(q^{-1} mod p) q + (x mod q)(p^{-1} mod q) p) mod pq.
• Example: x mod 3 = 2, x mod 5 = 3, 1/3 mod 5 = 2, 1/5 mod 3 = ½ mod 3 = 2.
• (x mod p)(q^{-1} mod p) q = 2 · 2 · 5 = 20
• (x mod q)(p^{-1} mod q) p = 3 · 2 · 3 = 18, and 38 mod 15 = 8.

Quadratic Residues mod n

• An element x is a quadratic residue modulo n if there exists y such that y^2 ≡ x mod n.
• If x is a quadratic residue then so is –x mod n.
• If p is prime there are exactly (p-1)/2 quadratic residues.
• If p is prime, and g is a generator of the multiplicative group, the quadratic residues are the even powers of g.

The four different square roots modulo pq

• Let x be a quadratic residue modulo pq.
• Then x mod p is a quadratic residue, and so is x mod q.
• x mod p has two roots mod p: y and p - y.
• x mod q has two roots mod q: z and q - z.
• Using the Chinese remainder theorem, we get four roots modulo pq: A, B, pq - A, pq - B.
  – (y, z) -> A, (p - y, q - z) -> pq - A
  – (y, q - z) -> B, (p - y, z) -> pq - B
• gcd(A - B, pq) = p

Factoring Idea: square roots

• Compute x^2 mod np.
• Extract y = square root of x^2 mod np.
• If y = x or y = np - x then useless.
• If not, x^2 mod np = y^2 mod np:
  – then gcd(x - y, np) = p or gcd(x - y, np) = q.
• The square root extraction algorithm does not "know" if we started with x, np - x, y, or np - y.
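An added example (not from the lecture) that ties the three preceding slides together: the CRT formula exactly as stated (checked on the slide's own 3/5 example), the four square roots of a QR modulo pq assembled by CRT from the two roots mod p and the two mod q, and the gcd step that turns a pair of roots that are not ± each other into a factor. The modulus 143 = 11 · 13 is a constructed toy; square roots mod a prime are found by exhaustive search, which is only meant for such tiny primes.

```python
from math import gcd

def crt(rp, rq, p, q):
    """x mod pq from x mod p = rp and x mod q = rq, gcd(p,q) = 1, via the slide's formula
    (x mod p)(q^-1 mod p) q + (x mod q)(p^-1 mod q) p, reduced mod pq."""
    return (rp * pow(q, -1, p) * q + rq * pow(p, -1, q) * p) % (p * q)

def sqrt_mod_prime(x, p):
    """Square roots of x modulo a prime p by exhaustive search (small p only)."""
    return sorted(y for y in range(p) if y * y % p == x % p)

def four_roots(x, p, q):
    """All square roots of the QR x modulo pq: one CRT combination per choice of
    root mod p (y or p-y) and root mod q (z or q-z)."""
    return sorted(crt(y, z, p, q) for y in sqrt_mod_prime(x, p) for z in sqrt_mod_prime(x, q))

def factor_from_roots(a, b, n):
    """Given a^2 = b^2 mod n: if b is a or n-a the pair is useless (None);
    otherwise gcd(a - b, n) is a proper factor of n."""
    if a % n == b % n or (a + b) % n == 0:
        return None
    return gcd(a - b, n)

if __name__ == "__main__":
    p, q = 11, 13                                           # constructed example: n = 143
    print("CRT example from the slide:", crt(2, 3, 3, 5))   # 8
    roots = four_roots(9, p, q)
    print("square roots of 9 mod 143:", roots)
    for b in roots:
        print("gcd(%d - %d, 143) ->" % (roots[0], b), factor_from_roots(roots[0], b, p * q))
```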

Pollard's rho (ρ) method

• Imagine the following process mod p:
• x_0 random
• x_{i+1} = x_i^2 + 1 mod p
• After p^{1/2} steps, we'll find x_i, x_j such that x_i = x_j mod p. What this means is that the function f(x) = x^2 + 1 mod p loops.

Pollard's rho (ρ) method

• Imagine the following process mod pq:
• x_0 random
• x_{i+1} = x_i^2 + 1 mod pq
• This will loop only after (pq)^{1/2} steps (modulo pq).
• However, modulo p (or q) it will loop after p^{1/2} (or q^{1/2}) steps.
• Given two values x_i, x_j such that x_i = x_j mod p but x_i ≠ x_j mod pq, we have that gcd(x_i - x_j, pq) = p.
• Repeat:
  – x = x^2 + 1 mod pq
  – y = (y^2 + 1)^2 + 1 mod pq
  – If gcd(x - y, pq) > 1 then found factor
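An added example (not from the lecture) of both rho slides: first the bare iteration x_{i+1} = x_i^2 + 1 mod p, run until a value repeats so the loop length can be seen, then the x / y double-speed loop with the gcd test exactly as listed above. The modulus 8051 = 83 · 97 and the start value 2 are constructed choices; the retry loop over other start values handles the case where gcd(x - y, n) comes out as n itself.

```python
from math import gcd

def step(x, n):
    """The slide's iteration f(x) = x^2 + 1 mod n."""
    return (x * x + 1) % n

def rho_cycle(p, x0):
    """Iterate x_{i+1} = x_i^2 + 1 mod p from x0 until some value reappears.
    Returns (index where the repeated value first occurred, steps taken): the
    sequence enters a loop after about p^(1/2) steps."""
    seen, x, i = {}, x0, 0
    while x not in seen:
        seen[x] = i
        x, i = step(x, p), i + 1
    return seen[x], i

def pollard_rho(n, x0=2, max_steps=10 ** 6):
    """Floyd cycle finding as on the slide: x <- f(x), y <- f(f(y)) mod n, and
    gcd(x - y, n) > 1 once the sequence has looped mod p but not yet mod n."""
    x = y = x0
    for _ in range(max_steps):
        x = step(x, n)
        y = step(step(y, n), n)
        d = gcd(x - y, n)
        if d == n:
            return None      # looped mod p and mod q at the same step: try another x0
        if d > 1:
            return d
    return None

def factor(n, seeds=range(2, 50)):
    """Retry pollard_rho with different starting points until a factor appears."""
    for x0 in seeds:
        d = pollard_rho(n, x0)
        if d:
            return d
    return None

if __name__ == "__main__":
    n = 8051                     # constructed example: 83 * 97
    print("loop mod 83 from x0 = 2 (first index, steps):", rho_cycle(83, 2))
    print("factor of 8051 found by rho:", pollard_rho(n))
```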

More complex factoring ideas

• A number is smooth with respect to the set of primes ≤ L if all its prime factors are ≤ L.
• If a smooth number has all powers even then it is easy to extract a square root.
• Major idea:
  – Generate quadratic residues, one of whose roots is known.
  – Compute a product of these quadratic residues which is smooth and has all powers even.
  – Now you have a 2nd root of this product; use it for factoring.

Quadratic Sieve Factoring

• Determine a limit L.
• Generate random values x^2 mod pq.
• Check them for smoothness; discard if not.
• This process can be done entirely distributed.
• Collect all smooth quadratic residues.
• Solve a set of linear equations over GF(2).
  – This can be done if the matrix is singular, i.e., if we have sufficiently many smooth quadratic residues.
  – How many smooth quadratic residues are required?
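An added example (not from the lecture) of the "major idea" and the GF(2) step: relations x^2 ≡ y (mod n) with y smooth over a factor base, a Gaussian elimination over GF(2) that finds subsets whose exponent vectors sum to zero, and the resulting congruence of squares with its gcd. Smoothness is tested by trial division rather than by sieving, and x runs upward from ceil(sqrt n) instead of being random; both are the example's simplifications. n = 8051 = 83 · 97 is a constructed toy, for which the very first relation (90^2 ≡ 7^2) is already a square by itself.

```python
from math import gcd, isqrt

def smooth_exponents(y, primes):
    """Trial-divide y over the factor base; exponent vector if smooth, else None."""
    if y == 0:
        return None
    exps = []
    for p in primes:
        e = 0
        while y % p == 0:
            y, e = y // p, e + 1
        exps.append(e)
    return exps if y == 1 else None

def gf2_dependencies(rows):
    """Gaussian elimination over GF(2) on bitmask rows; yields index-bitmasks of row subsets that XOR to 0."""
    pivots = {}
    for i, r in enumerate(rows):
        combo = 1 << i
        while r:
            low = r & -r
            if low not in pivots:
                pivots[low] = (r, combo)
                break
            r, combo = r ^ pivots[low][0], combo ^ pivots[low][1]
        if r == 0:
            yield combo

def dixon_factor(n, primes):
    """Relations x^2 = y mod n with y smooth (x from ceil(sqrt n) up); a GF(2) dependency gives a^2 = b^2 mod n."""
    relations, x = [], isqrt(n) + 1
    while len(relations) < len(primes) + 5:
        exps = smooth_exponents(x * x % n, primes)
        if exps is not None:
            relations.append((x, exps))
        x += 1
    rows = [sum((e & 1) << j for j, e in enumerate(ex)) for _, ex in relations]
    for dep in gf2_dependencies(rows):
        chosen = [rel for i, rel in enumerate(relations) if dep >> i & 1]
        a, total = 1, [0] * len(primes)
        for xi, ex in chosen:
            a = a * xi % n                       # product of the known roots
            total = [t + e for t, e in zip(total, ex)]
        b = 1
        for p, e in zip(primes, total):          # the 2nd root: every power is even
            b = b * pow(p, e // 2, n) % n
        d = gcd(a - b, n)
        if 1 < d < n:                            # a = +-b mod n would give 1 or n
            return d
    return None
```

Each dependency yields a proper factor only about half the time, which is why the code collects a few more relations than the size of the factor base and tries every dependency.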

Discrete Log (DL)

• Let G be a group and g an element in G.
• Let y = g^x and x the minimal non-negative integer satisfying the equation.
• x is called the discrete log of y to base g.
• Example: y = g^x mod p in the multiplicative group of Z_p.

Discrete Log in Zp

A candidate for a One-Way Function

• Let y = g^x mod p in the multiplicative group of Z_p.
• Exponentiation takes O(log^3 p) steps.
• Standard discrete log is believed to be computationally hard.
• x → g^x is easy (efficiently computable).
• g^x → x is believed hard (computationally infeasible).
• x → g^x is a one-way function.
• This is a computation-based notion.

Public-Key Cryptography

The New Era (1976-present)

Classical, Symmetric Ciphers

• Alice and Bob share the same secret key K_{A,B}.
• K_{A,B} must be secretly generated and exchanged prior to using the insecure channel.

(Figure: Alice and Bob communicating over the channel.)

Diffie and Hellman (76): "New Directions in Cryptography"

Split Bob's secret key K into two parts:
• K_E, to be used for encrypting messages to Bob.
• K_D, to be used for decrypting messages by Bob.

K_E can be made public (public key cryptography, asymmetric cryptography).

"New Directions in Cryptography"

• The Diffie-Hellman paper (IEEE IT, vol. 22, no. 6, Nov. 1976) generated lots of interest in crypto research in academia and private industry.
• Diffie & Hellman came up with the revolutionary idea of public key cryptography, but did not have a proposed implementation (these came up 2 years later with Merkle-Hellman and Rivest-Shamir-Adleman).
• In their 76 paper, Diffie & Hellman did invent a method for key exchange over insecure communication lines, a method that is still in use today.

Public Exchange of Keys

• Goal: Two parties (Alice and Bob) who do not share any secret information, perform a protocol and derive the same shared key.

• Eve who is listening in cannot obtain the new shared key if she has limited computational resources.

Diffie-Hellman Key Exchange

• Public parameters: a prime p, and an element g (possibly a generator of the multiplicative group Z_p*).
• Alice chooses a at random from the interval [1..p-2] and sends g^a mod p to Bob.
• Bob chooses b at random from the interval [1..p-2] and sends g^b mod p to Alice.
• Alice and Bob compute the shared key g^{ab} mod p: Bob holds b, computes (g^a)^b = g^{ab}. Alice holds a, computes (g^b)^a = g^{ab}.

DH Security

• DH is at most as strong as DL in Z_p.
• Formal equivalence unknown, though some partial results are known.
• Despite 25 years of effort, still considered secure to date.
• Computation time is O(log^3 p).

Properties of Key Exchange

• Necessary security requirement: the shared secret key is a one way function of the public and transmitted information.

• Necessary “constructive” requirement: an appropriate combination of public and private pieces of information forms the shared secret key efficiently.

• DH Key exchange by itself is effective only against a passive adversary. Man-in-the-middle attack is lethal.

Security Requirements

• Is the one-way relationship between public information and shared private key sufficient?

• A one-way function may leak some bits of its arguments.

• Example: g^x mod p
• Shared key may be compromised
• Example: g^{x+y} mod p
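An added example (not from the lecture) serving the key-exchange slide and the "g^x mod p may leak bits" example above. It runs one DH exchange and then shows what the Euler-criterion test from the quadratic-residue slides reads off the transcript: when g generates all of Z_p*, g^a is a QR exactly when a is even, so the parity of a, b and ab is public, even though the key g^{ab} itself stays hidden. Choosing g inside the QR subgroup (a square, here of order 11) removes that bit; that remedy is standard practice and not stated on the slide. p = 23 and the exponents used are constructed toy values.

```python
import secrets

def is_qr(x, p):
    """Euler's criterion (QR slides): x is a square mod p iff x^((p-1)/2) = 1 mod p."""
    return pow(x, (p - 1) // 2, p) == 1

def dh_exchange(p, g, a=None, b=None):
    """One DH run with public (p, g). a and b are the private exponents, drawn from
    [1, p-2] when not supplied. Returns (g^a, g^b, shared key g^ab), all mod p."""
    a = 1 + secrets.randbelow(p - 2) if a is None else a
    b = 1 + secrets.randbelow(p - 2) if b is None else b
    A, B = pow(g, a, p), pow(g, b, p)              # the two transmitted values
    key_alice, key_bob = pow(B, a, p), pow(A, b, p)
    assert key_alice == key_bob                    # (g^b)^a = (g^a)^b = g^ab
    return A, B, key_alice

def exponent_parity_leak(p, g, A, B):
    """The bit that g^x mod p gives away when g generates all of Zp*: g^x is a QR
    exactly when x is even (QRs are the even powers of g), so the transcript
    reveals the parity of a, of b, and hence of ab, the exponent of the key.
    Returns None when g is itself a QR: then every g^x is a QR and nothing is learned."""
    if is_qr(g, p):
        return None
    a_even, b_even = is_qr(A, p), is_qr(B, p)
    return a_even, b_even, a_even or b_even        # ab is even iff a or b is even

if __name__ == "__main__":
    p = 23                                         # constructed toy parameters
    A, B, key = dh_exchange(p, 5)                  # 5 generates Z23*
    print("g = 5 (generator), parity of (a, b, ab):", exponent_parity_leak(p, 5, A, B))
    A, B, key = dh_exchange(p, 4)                  # 4 = 2^2 is a QR, order 11
    print("g = 4 (in the QR subgroup):", exponent_parity_leak(p, 4, A, B))
```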

Security Requirements (cont.)

• The full requirement is: given all the communication recorded throughout the protocol, computing any bit of the shared key is hard

• Note that the “any bit” requirement is especially important

Other DH Systems

• The DH idea can be used with any group structure

• Limitation: groups in which the discrete log can be easily computed are not useful

• Example: additive group of Zp

• Currently useful DH systems: the multiplicative group of Zp and elliptic curve systems

Key Exchange in Systems

• VPN usually has two phases
  – Handshake protocol: key exchange between parties sets symmetric keys
  – Traffic protocol: communication is encrypted and authenticated by symmetric keys

• Automatic distribution of keys: flexibility and scalability
• Periodic refreshing of keys: reduced material for attacks, recovery from leaks