Systems and Network Security (NETW-1002)

Systems and Network Security (NETW-1002) Dr. Mohamed Abdelwahab Saleh GUC, IET-Networks Department Spring 2017

1 Mathematical Background

We present here some mathematical material needed to understand cryptographic systems that will be presented later.

1.1 Euler’s Totient Function

For any natural number n, Euler’s totient function φ(n) is defined as the count of natural numbers smaller than n that are relatively prime to n. If p is a prime, then φ(p) = p − 1, because p, being a prime, shares no common factor with any number smaller than it. Another situation is when n is the product of two primes p and q, n = pq. In this case, the numbers smaller than n that are not relatively prime to n are exactly those that either (1) are 0, (2) contain p in their factorization, or (3) contain q in their factorization. The numbers that contain p in their factorization are distinct from those that contain q, since a number smaller than pq cannot be divisible by both of the different primes p and q. All other numbers, satisfying none of these conditions, are relatively prime to n. The numbers smaller than pq that contain p in their factorization are {p, 2p, . . . , (q − 1)p}; their count is q − 1. Similarly, the numbers smaller than pq that contain q in their factorization are {q, 2q, . . . , (p − 1)q}; their count is p − 1. So we can now count the numbers smaller than pq that are not relatively prime to pq: the count is 1 + (q − 1) + (p − 1). Finally, the count of numbers smaller than pq that are relatively prime to pq is φ(pq) = pq − [1 + (q − 1) + (p − 1)] = (p − 1)(q − 1). So we have: if p and q are primes and n = pq, then

φ(n) = (p − 1)(q − 1)    (1)

1.2 Groups

A group is a tuple ⟨G, f⟩, where G is a set and f : G × G → G is a function (operation) defined over the set. The function f, as shown by its definition, maps a pair of elements in G to an element that is also in G. For two elements g1 ∈ G and g2 ∈ G, f(g1, g2) may be written as g1 · g2, in which case the group is called multiplicative, or it may be written as g1 + g2, in which case the group is called additive. A group has the following properties:

i. Associativity of f: For any three elements g1, g2, and g3 in G, f(g1, f(g2, g3)) = f(f(g1, g2), g3); this means that the order in which the operations are applied does not matter. In a multiplicative group, this property is expressed as g1 · (g2 · g3) = (g1 · g2) · g3. Similarly, in an additive group, we write g1 + (g2 + g3) = (g1 + g2) + g3.

ii. Identity element: There exists an identity element e such that, for any g ∈ G, f(e, g) = f(g, e) = g. In a multiplicative group, the identity element is denoted by 1, and this property is expressed as 1 · g = g · 1 = g. In an additive group, the identity element is denoted by 0, and we write 0 + g = g + 0 = g.

iii. Existence of inverses: For each element g ∈ G, there exists an inverse g^{-1} such that f(g, g^{-1}) = f(g^{-1}, g) = e. In a multiplicative group, this is written as g · g^{-1} = g^{-1} · g = 1. In an additive group, the inverse is written −g, and this property is expressed as g + (−g) = (−g) + g = 0.

It is important to note that 1 and 0 are just notations for the identity element; they are NOT NECESSARILY the numbers 1 and 0. In addition to the previous properties, a group can also have the following property:

iv. Commutativity of f: For any two elements g1 and g2 in G, f(g1, g2) = f(g2, g1); this means that the order of the two elements in the pair is not important for f. In a multiplicative group, this property is expressed as g1 · g2 = g2 · g1, and in an additive group as g1 + g2 = g2 + g1.

A group that satisfies the commutativity property is called a commutative group or an abelian group. In the following, unless otherwise noted, we will deal with abelian groups.

Example 1.1: Z_n, the group of integers modulo-n. This is the group of integers modulo a positive integer n; in this case G = {0, 1, . . . , n − 1}. Any integer is congruent to a single element a ∈ G. The group operation f is addition modulo-n, and e = 0. This group is also called a complete residue system, since the elements of G are ALL the remainders (residues) when dividing by n. The additive inverse of any g ∈ G is computed as −g = n − g. For instance, consider Z_8, so G = {0, 1, 2, 3, 4, 5, 6, 7} and −(1) = 7, i.e., the additive inverse of 1 is 7, since 1 + 7 = 8 = 0 mod 8.

Example 1.2: Z*_n, the group of integers less than n that are relatively prime to n. For a particular positive integer n, this group contains the numbers that are less than n and relatively prime to n. This group is also called a reduced residue system. It is a residue system since it contains residues (remainders of division by n). It is reduced since NOT ALL residues of division by n are included, but only those that are relatively prime to n. By the definition of Euler’s totient function, the count of elements in this group is φ(n). We can therefore write the set of elements as G = {g1, g2, . . . , gφ(n)}. Also, since each element gi is relatively prime to n, each element has a multiplicative inverse gi^{-1} mod n. The group operation can therefore be multiplication modulo-n, since the multiplication of two elements gi, gj that are relatively prime to n produces an element gk that is also relatively prime to n, i.e., if gi ∈ G, gj ∈ G, and gk = gi · gj mod n, then gk ∈ G. The identity element is e = 1, and the multiplicative inverse can be computed using the multiplication table or the extended Euclid’s algorithm. Please note that for any prime p, Z_p contains the numbers {0, 1, . . . , p − 1}, whereas Z*_p contains the numbers {1, 2, . . . , p − 1}, since 0 is not relatively prime to p.

1.3

Euler’s Theorem

Euler’s theorem states that, for two relatively prime integers g and n, where g < n:

Theorem 1.1. Euler’s theorem. g^{1+kφ(n)} = g mod n

In other words, g^{1 mod φ(n)} = g^1 mod n, i.e., the exponent can be reduced modulo φ(n). This also means that g^{kφ(n)} = 1 mod n.

Proof 1.1. Proof of Euler’s theorem. Since g < n and gcd(g, n) = 1, g ∈ Z*_n. Let all elements in Z*_n be written as g1, g2, . . . , gφ(n). For every element gi in Z*_n we have g · gi mod n ∈ Z*_n, because the multiplication of two numbers relatively prime to n produces a number relatively prime to n. Moreover, these φ(n) products are distinct: if g · gi = g · gj mod n, multiplying both sides by g^{-1} gives gi = gj. So the products g · g1, g · g2, . . . , g · gφ(n) are exactly the elements of Z*_n in some order, and if we perform modulo-n multiplications we have:

(g · g1) · (g · g2) · . . . · (g · gφ(n)) = g1 · g2 · . . . · gφ(n) (mod n)
g^{φ(n)} · g1 · g2 · . . . · gφ(n) = g1 · g2 · . . . · gφ(n) (mod n)

Multiplying both sides by g1^{-1} · g2^{-1} · . . . · gφ(n)^{-1}:

g^{φ(n)} = 1 (mod n)

1.4 Finite Fields¹

When presenting arithmetic modulo-n, we saw that an integer 0 < i < n has a multiplicative inverse modulo-n if and only if i and n are relatively prime. So, if n is a prime, all integers 0 < i < n have multiplicative inverses. Moreover, addition modulo-n and multiplication modulo-n are defined over these elements as usual. In this case, we call the set {0, 1, . . . , n − 1} a finite field. It is finite, since the number of elements is finite. It is a field, since a field F is defined as a set S together with two operations · : S × S → S and + : S × S → S with the following properties:

• Associativity of · and +: For all a, b, and c in S, we have (a + b) + c = a + (b + c) and (a · b) · c = a · (b · c).
• Identity elements: There exist two elements 0 and 1 such that for any element a in S, we have a + 0 = a and a · 1 = a.
• Inverse elements: For any element a in S we have an additive inverse −a such that a + (−a) = 0, and for any element a ≠ 0 we have a multiplicative inverse a^{-1} such that a · a^{-1} = 1.
• Commutativity: For all elements a and b in S, we have a · b = b · a and a + b = b + a.
• Distributive law: For all elements a, b, and c in S, we have a · (b + c) = a · b + a · c.
• No zero divisors: If a and b are elements in S such that a ≠ 0, b ≠ 0, and a · b = 0, we call a and b zero divisors. A field does not have zero divisors; therefore, for all elements a and b in S, if a · b = 0, then either a = 0 or b = 0.

A field F is written as F = ⟨S, ·, +⟩. The set {0, 1, . . . , p − 1}, where p is a prime, together with multiplication modulo-p and addition modulo-p, constitutes a finite field. It is written as GF(p). The notation is an acronym for Galois Field, in honor of the French mathematician Évariste Galois.

¹ For your information only.

2 Asymmetric Cryptographic Systems

Asymmetric cryptographic systems implement the ideas of asymmetric cryptography. They consist of algorithms that perform one or more of the tasks of asymmetric cryptography, i.e., encryption and decryption, key exchange, and digital signatures.

2.1 RSA Cryptographic System

The main idea of the RSA cryptographic system stems from two theorems: (1) a^{1+kφ(n)} = a mod n, and (2) for n = pq where p and q are primes, φ(n) = (p − 1)(q − 1). So, we can proceed as follows:

i. Find three integers e, d, and n = pq such that ed = 1 mod φ(n), i.e., ed = 1 + kφ(n).
ii. In this case, a^{ed} = a mod n. We can consider a^e to be the encryption of a, i.e., encryption is exponentiation by e. The decryption will be exponentiation by d, since (a^e)^d = a. In other words, if we encrypt a by e, then decrypt the encrypted value by d, we obtain a again.

This satisfies two basic requirements of asymmetric cryptography, namely that the encryption and decryption keys are different, and that encrypting a message with an encryption key and then decrypting its cipher text with the corresponding decryption key returns the same message. As in asymmetric cryptography, the encryption key e will be public and the decryption key d private. The RSA algorithm is explained by the following steps:

i. Choose two primes p and q.
ii. Compute n = pq and φ(n) = (p − 1)(q − 1).
iii. Choose the encryption key e such that 1 < e < φ(n) and gcd(φ(n), e) = 1.
iv. Compute the decryption key d, where d = e^{-1} mod φ(n).
v. To encrypt a message m < n, compute m^e mod n.
vi. To decrypt a cipher text c = m^e, compute c^d, where e and d are a key pair, i.e., ed = 1 mod φ(n).

A key pair (e, d) will belong to a certain agent A that needs to communicate over the network. The values e and n are made public, whereas the values p, q, φ(n), and d remain private. Now we have to make sure that it is “difficult” to get the value of the decryption key d knowing e and n. To get d from e, we have to know φ(n), and in order to know φ(n), we have to factor n into its two prime factors p and q. Factoring large integers is a “complex” procedure [2]. By “complex” here we mean that there is no known deterministic algorithm that can perform factoring and whose running time grows as a polynomial in the size of the input data, i.e., the number to be factored. Since such an efficient algorithm is not available, it will be time-consuming to try to factor n. Moreover, we can think of other ways that an attacker can use in order to break the security of RSA. For instance, is it possible to compute φ(n) knowing only n, i.e., without factoring? Also, is it possible to compute d knowing only e and n, i.e., without knowing φ(n)? Finally, is it possible to compute m knowing only m^e and n, i.e., to compute the e-th root modulo-n? None of these problems is known to be easier than factoring [1].

Example 2.1. We consider a very simple, and hence insecure, example just for clarification purposes. We choose p = 17 and q = 11, hence n = pq = 187. So, φ(n) = 16 × 10 = 160. Now, we choose e = 7; we notice that 1 < e < 160 and gcd(160, 7) = 1. In this case, d = 23, since 23 × 7 = 161 = 1 mod 160. Now suppose we want to encrypt a message m = 88, so we compute 88^7 mod 187.
In this example, the numbers are somewhat small, so we can compute 88^7 without risking exceeding the maximum size for integers on computers. However, this is not always the case, since we have to deal with much larger numbers. Moreover, exponentiation to large integers is a time-consuming process on computers. Therefore, we have to think of ways to reduce the complexity of computations. This is shown below.

88^7 mod 187
= [88 · 88 · 88 · 88 · 88 · 88 · 88] mod n
= [(88^4) · (88^2) · (88)] mod 187
= [(88^4) mod 187 · (88^2) mod 187 · 88] mod 187
= [((88^2) mod 187)^2 · (88^2) mod 187 · 88] mod 187
= [(77)^2 · 77 · 88] mod 187
= [(77)^2 mod 187 · 77 · 88] mod 187
= [132 · 77 · 88] mod 187
= 11

So the encryption of 88 is 11. Now, to decrypt, we need to compute 11^23 mod 187. We have:

11^23 mod 187 = 88

During encryption and decryption in RSA, we need to compute the value of numbers raised to exponents, where both the numbers and the exponents are large. This computation has two consequences:

• We need large memory to store large values for variables and intermediate results of the computation.
• The computation may take a large amount of time. For instance, to compute x^e mod n, we need to perform e modular multiplications. Alternatively, we can perform the computation as ≈ n/2 squarings and ≈ n/2 multiplications.

We will discuss the computational aspects of the RSA algorithm in a following section.

2.2 RSA for Signatures and Key Exchange

We saw how to use the RSA algorithm for encryption and decryption. The algorithm can also be used for signatures and key exchange. In RSA, to sign a message m, an agent A that has a public key eA and a private key dA has to compute the signature sA(m) = m^{dA}. Only A can compute this signature, since dA is private. In order to verify that m was signed by A, any other agent B, having m and the signature sA(m), can compute (sA(m))^{eA}; if this value is m, then the signature is verified. Of course, the verification can be done by anyone, since the public key of A is not kept secret. The signing and verification procedures work in RSA since, for any key pair (e, d), we have (m^e)^d = (m^d)^e = m.

The RSA algorithm can also be used to exchange symmetric keys. If agent A wants to share a symmetric key K with agent B, he can just encrypt K with the public key of B and send the encrypted key to B. Only B will be able to decrypt the message and know K. This is done because symmetric cryptography is less computationally intensive than RSA. So, RSA is used to encrypt short messages, in this case the key K, and then K can be used to encrypt long messages using a symmetric cryptographic system.
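As an added example (not from the lecture notes), the following Python carries out steps i to vi of Section 2.1 on the values of Example 2.1, using square-and-multiply for the modular exponentiation worked through above, and then reuses the same keys for the signing, verification and key-exchange uses of Section 2.2. The function names are my own; pow(e, -1, phi_n) is Python’s built-in modular inverse, which the notes compute with the extended Euclid’s algorithm.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Steps i-iv of Section 2.1: n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n)."""
    n, phi_n = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi_n and gcd(e, phi_n) == 1):
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi_n)   # modular inverse (Python 3.8+); extended Euclid gives the same
    return (e, n), (d, n)   # public key (e, n), private key (d, n)

def mod_exp(base, exp, n):
    """Square-and-multiply: one squaring per exponent bit plus one multiply per 1 bit,
    reducing mod n each time so no intermediate value exceeds n^2 (cf. 88^7 mod 187)."""
    result, base = 1, base % n
    for bit in bin(exp)[2:]:              # most significant bit first
        result = (result * result) % n
        if bit == "1":
            result = (result * base) % n
    return result

def rsa_encrypt(m, public):                # step v: c = m^e mod n
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return mod_exp(m, e, n)

def rsa_decrypt(c, private):               # step vi: m = c^d mod n
    d, n = private
    return mod_exp(c, d, n)

def rsa_sign(m, private):                  # Section 2.2: s_A(m) = m^{d_A} mod n (textbook RSA, no padding)
    return rsa_decrypt(m, private)

def rsa_verify(m, s, public):              # anyone holding e_A checks s^{e_A} == m
    return rsa_encrypt(s, public) == m

if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 11, 7)      # Example 2.1: n = 187, d = 23
    c = rsa_encrypt(88, pub)               # 11
    print(pub, priv, c, rsa_decrypt(c, priv))   # (7, 187) (23, 187) 11 88
    s = rsa_sign(88, priv)
    print(rsa_verify(88, s, pub), rsa_verify(89, s, pub))   # True False
    K = 123                                # constructed symmetric key A sends to B under B's public key
    print(rsa_decrypt(rsa_encrypt(K, pub), priv) == K)      # True
```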

References

[1] A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
[2] D. Stinson. Cryptography: Theory and Practice. Discrete Mathematics and Its Applications. Chapman & Hall/CRC, 2005.
