AlgebraOfEncryption_v4

The Algebra of Encryption
25 July 2011
The Algebra of Encryption
1 Modular Arithmetic
Much of modern cryptography is based on modular arithmetic. We can think of modular
arithmetic as a cycle. When we reach the base number or modulus, we cycle back to zero. We
use modular arithmetic every day. For example, when we look at the clock we are using base 12.
If the current time is 9 am and an appointment is at 1 pm, we know that the appointment is four
hours away. Modular arithmetic tells us that 1 − 9 ≡ 4 π‘šπ‘œπ‘‘ 12. (Modular arithmetic, 2011)
1.1 Division Algorithm
The division algorithm roughly states “that any integer a can be “divided” by 𝑏 in such a way
that the remainder is smaller than 𝑏.” (Burton, 2007, p. 17) Mathematically, this can be
expressed as follows
π‘Ž = π‘šπ‘ + π‘Ÿ
Equation 1-1
Where π‘š is a multiplier and π‘Ÿ is a residue.
Example 1-1
13 = 1 ∗ 12 + 1, the multiplier is 1 and the residue is 1. Using modular arithmetic, we write
13 ≡ 1 π‘šπ‘œπ‘‘ 12.
Example 1-2
9 = 0 ∗ 12 + 9, in this case the multiplier is zero and the residue is equal to 9 or π‘Ž. Using
modular arithmetic, we write 9 ≡ 9 π‘šπ‘œπ‘‘ 12.
1.2 Addition
Addition follows the same rules that we are used to from normal arithmetic with the additional
step that the result is reduced by the modulus.
To add two numbers π‘Ž1 and π‘Ž2 we first express the numbers in the form of Equation 1-1.
π‘Ž1 = π‘š1 ∗ 𝑏 + π‘Ÿ1
π‘Ž2 = π‘š2 ∗ 𝑏 + π‘Ÿ2
Next we add and collect terms.
π‘Ž1 + π‘Ž2 = (π‘š1 + π‘š2 ) ∗ 𝑏 + (π‘Ÿ1 + π‘Ÿ2 )
Note that this remains in the form of Equation 1-1 but does not preclude the possibility that the
sum π‘Ÿ1 + π‘Ÿ2 could be greater than the modulus, thus causing a change to the multiplier.
Example 1-3
13 + 9 ≡ 10 π‘šπ‘œπ‘‘ 12
13 + 9 = (1 ∗ 12 + 1) + (0 ∗ 12 + 9) = (1 + 0) ∗ 12 + (1 + 9) = 1 ∗ 12 + 10
In this case, the multiplier is not affected.
Page 1 of 21
The Algebra of Encryption
25 July 2011
Example 1-4
9 + 9 ≡ 6 π‘šπ‘œπ‘‘ 12
9 + 9 = (0 ∗ 12 + 9) + (0 ∗ 12 + 9) = (0 + 0) ∗ 12 + (9 + 9) = 0 ∗ 12 + 18
In this case, the resulting residue is greater than the modulus and should be reduced. Add and
subtract the modulus, 12, and collect terms.
18 = 0 ∗ 12 + 18 + 1 ∗ 12 − 12 = (0 + 1) ∗ 12 + (18 − 12) = 1 ∗ 12 + 6
1.3 Subtraction
Modular subtraction is similar to modular addition. To subtract two numbers π‘Ž1 and π‘Ž2 we first
express the numbers in the form of Equation 1-1.
π‘Ž1 = π‘š1 ∗ 𝑏 + π‘Ÿ1
π‘Ž2 = π‘š2 ∗ 𝑏 + π‘Ÿ2
Next we subtract and collect terms.
π‘Ž1 − π‘Ž2 = (π‘š1 − π‘š2 ) ∗ 𝑏 + (π‘Ÿ1 − π‘Ÿ2 )
Again, the result remains in the form of Equation 1-1 but does not preclude the possibility that
the difference π‘Ÿ1 − π‘Ÿ2 could be less than the zero. Since we generally deal with positive
numbers, this causes a change to the multiplier.
Example 1-5
9 − 13 ≡ 8 π‘šπ‘œπ‘‘ 12
9 − 13 = (0 ∗ 12 + 9) − (1 ∗ 12 + 1) = (0 − 1) ∗ 12 + (9 − 1) = (−1) ∗ 12 + 8
In this case, the multiplier is not affected.
Example 1-6
13 − 9 ≡ 4 π‘šπ‘œπ‘‘ 12
13 − 9 = (1 ∗ 12 + 1) − (0 ∗ 12 + 9) = (1 − 0) ∗ 12 + (1 − 9) = 1 ∗ 12 + (−8)
In this case, the resulting residue is less than zero and should be adjusted. Add and subtract the
modulus, 12, and collect terms.
(−8) = 1 ∗ 12 + (−8) + (−1) ∗ 12 + 12 = (1 − 1) ∗ 12 + (−8 + 12) = 0 ∗ 12 + 4
1.4 Multiplication
Multiplication is merely repeated addition. As with addition and subtraction, the resulting
residue is generally adjusted to be less than the modulus and non-negative.
Example 1-7
4 ∗ 13 ≡ 4 π‘šπ‘œπ‘‘ 12
4 ∗ 13 = (1 ∗ 12 + 1) + (1 ∗ 12 + 1) + (1 ∗ 12 + 1) + (1 ∗ 12 + 1)
= (1 + 1 + 1 + 1) ∗ 12 + (1 + 1 + 1 + 1) = (4) ∗ 12 + 4
In this case, the multiplier is not affected.
Page 2 of 21
The Algebra of Encryption
25 July 2011
Example 1-8
13 ∗ 4 ≡ 4 π‘šπ‘œπ‘‘ 12
13 ∗ 4 = 13 ∗ (0 ∗ 12 + 4) = (13 ∗ 0) ∗ 12 + (13 ∗ 4) = 0 ∗ 12 + 52
In this case, the resulting residue should be adjusted.
52 = 4 ∗ 12 + 4
1.5 Division
Division is a little tricky. Normally we think of division as dividing one number into equal parts
countable to another. Thus the name. However, when we stick to Integers, we don’t always get
equal Integer parts.
We need to think of modular division a little differently. Generally, when we divide 𝑐 by 𝑑 we
use the following notation.
𝑐
=𝑒
𝑑
Equation 1-2
For modular division, we need to write this in a different way.
𝑐 = 𝑑 ∗ 𝑒 or 𝑑 ∗ 𝑒 = 𝑐
Equation 1-3
If trying to divide 𝑐 by 𝑑, we need to ask by what number, 𝑒, can we multiply 𝑑 such that the
result is congruent to 𝑐 modulo the modulus?
Example 1-9
10 ÷ 2 ≡ 5 π‘šπ‘œπ‘‘ 13
2 ∗ 5 = 10 = 0 ∗ 13 + 10
This is easy because we know we can multiply 2 by 5 and the result is 10.
Example 1-10
10 ÷ 4 ≡ 9 π‘šπ‘œπ‘‘ 13
In this case, 4 ∗ 9 = 36 = 2 ∗ 13 + 10. That is to say, we found a number, 9, that we can
multiply by 4 such that the result is congruent to 10 modulo 13. Exactly how we find the number
9 directly, without trial and error, is discussed in section 1.6 and 2.1.2.
1.6 Division by Multiplicative Inverse
Another way of accomplishing modular division is by using the multiplicative inverse of the
divisor. Re-writing Equation 1-2, we get the following equation for division.
𝑐 ∗ 𝑑−1 = 𝑒
Equation 1-4
But this begs the question, what is the multiplicative inverse in modular arithmetic?
Remembering back to regular arithmetic, we again think of multiplicative inverse in a different
way. We need to ask by what number, 𝑑−1 , can we multiply 𝑑 such that the result is congruent
to 1 modulo the modulus? This is expressed mathematically as follows.
Page 3 of 21
The Algebra of Encryption
25 July 2011
1 ≡ 𝑑 ∗ 𝑑 −1 π‘šπ‘œπ‘‘ π‘šπ‘œπ‘‘π‘’π‘™π‘’π‘ 
Equation 1-5
Expressed algebraically for modular arithmetic, we have the following.
1 = π‘š ∗ 𝑏 + 𝑑 ∗ 𝑑 −1
Equation 1-6
Where again, π‘š is the multiplier, 𝑏 is the modulus, 𝑑 is the number of interest, and 𝑑 −1 is the
Modular Multiplicative Inverse (MMI).
Example 1-11
(4)−1 ≡ 10 π‘šπ‘œπ‘‘ 13
1 = (−3) ∗ 13 + 4 ∗ 10.
Again, exactly how we find the number 10 directly, without trial and error, is discussed in
section 2.1.2.
Example 1-12
Going back to Example 1-10, we get the following.
10 ÷ 4 = 10 ∗ 4−1 ≡ 10 ∗ 10 π‘šπ‘œπ‘‘ 13 = 100 = 7 ∗ 13 + 9 ≡ 9 π‘šπ‘œπ‘‘ 13, which agrees with the
findings in Example 1-10.
2 Useful Functions
2.1 Euclidean Algorithm
The Euclidean algorithm is an important part of the algebra of encryption. It is generally thought
of as providing the Greatest Common Divisor (GCD) of two numbers. When the two numbers
are properly chosen, the Euclidean algorithm can also be used to directly determine the Modular
Multiplicative Inverse (MMI).
2.1.1 Greatest Common Divisor
“The Euclidean algorithm (also called Euclid’s algorithm) is an efficient method for computing
the greatest common divisor.” “The GCD of two numbers is the largest number that divides both
of them without leaving a remainder.” (Euclidean algorithm, 2011)
Figure 2-1 reproduces an example discussed in (Euclidean algorithm, 2011). We would like to
find the GCD of two numbers represented by lines AB and CD.
1. Start by comparing the smaller number to the larger number.
2. Find the quotient of the two numbers. In this case, the quotient refers to the greatest
integer less than or equal to 𝐴𝐡 ÷ 𝐢𝐷. In other words, how many times can we multiply
CD and still remain smaller than or equal to AB. In the figure, this quotient is 1.
3. Multiply the second number by the quotient and subtract from the first. In the figure, the
result, or residue, is AE.
4. Now compare the residue with the previous smaller number. In the figure, this is
comparing CD and AE. Repeat the above steps until the larger number is an integral
multiple of the smaller number. That is to say, there is no resulting residue. The GCD is
the last residue, in this case, CF.
Page 4 of 21
The Algebra of Encryption
25 July 2011
B
E
D
F
E
A
F
C
F
C
F
E
A
C
A
C
Figure 2-1: Euclidean Algorithm
Now we can add up the line lengths and verify that CF is the GCD of AB and CD.
𝐴𝐸 = 3 ∗ 𝐢𝐹
𝐢𝐷 = 2 ∗ 𝐴𝐸 + 𝐢𝐹 = 2 ∗ 3 ∗ 𝐢𝐹 + 𝐢𝐹 = 7 ∗ 𝐢𝐹
𝐴𝐡 = 𝐢𝐷 + 𝐴𝐸 = 7 ∗ 𝐢𝐹 + 3 ∗ 𝐢𝐹 = 10 ∗ 𝐢𝐹
Referring to Figure 2-2, it is easy to see that CF does indeed evenly divide both AB and CD.
B
E
A
10 * FC
D
F
C
7 * FC
E
F
C
F
C
F
A
E
C
F
A
C
F
C
F
C
F
C
F
C
F
C
F
C
Figure 2-2: Comparing the Results
2.1.2 Modular Multiplicative Inverse
By computing the Euclidian algorithm on a number of interest and the modulus, we can directly
compute the MMI of the number of interest. In these calculations, it is efficient to accumulate
the quotients at each step as coefficients of the two numbers. This is often referred to as the
Extended Euclidean algorithm.
If we put numbers to the lines in Figure 2-1, for example 50 and 35, we have the following
example.
Example 2-1
1. Start by writing the two numbers as below.
50 = 50 ( 1) + 35 ( 0)
35 = 50 ( 0) + 35 ( 1)
Page 5 of 21
The Algebra of Encryption
25 July 2011
2. Find the quotient of the two numbers.
q = int(50 / 35) = 1
3. Multiply the second equation through by the quotient and subtract from the first.
50 = 50 ( 1) + 35 ( 0)
35 = 50 ( 0) + 35 ( 1), q = 1
15 = 50 ( 1) + 35 ( -1)
4. Repeat steps 2 and 3 comparing the residues until the result is 0
50 = 50 ( 1) + 35 ( 0)
35 = 50 ( 0) + 35 ( 1), q = 1
15 = 50 ( 1) + 35 ( -1), q = 2
5 = 50 ( -2) + 35 ( 3), q = 3
0 = 50 ( 7) + 35 (-10)
The GCD is the last residue, in this case, 5. If we work this example again using the numbers 10
and 7, we will find that the GCD is 1. If two numbers have a GCD of 1, they are said to be
relatively prime or coprime. (Coprime, 2011)
Now, how does this find the MMI? If we return to Example 1-11, we wish to find the MMI of 4
modulo 13. If we compute the Extended Euclidian algorithm of 13 and 4 we have the following.
13 = 13 (
4 = 13 (
1 = 13 (
1) + 4 ( 0)
0) + 4 ( 1), q = 3
1) + 4 ( -3)
When searching for the MMI, we can stop when the residue is 1. Now compare our result with
Equation 1-6. (-3) is the MMI of 4 modulo 13. We prefer to deal with non-negative numbers, so
the result needs to be adjusted. We do this by adding and subtracting 13 * 4 and collecting
terms.
1 = 13 (1
) + 4 (-3
) + 13 (-4) + 4 (13)
1 = 13 (1 - 4) + 4 (-3 + 13)
1 = 13 (
-3) + 4 (
10)
Thus 10 is the MMI of 4 mod 13. This result agrees with our findings in Example 1-11.
Mentioned above is that we can stop searching for the MMI when the residue is 1. This is
because the next line would result in a residue of zero. When we arrive at a residue of zero but
the previous line does not have a residue of 1, the number of interest and the modulus are not
coprime and no MMI exists for that number of interest for that modulus. (Burton, 2007, pp. 7677)
2.2 Modular Exponentiation
Many encryption schemes employ modular exponentiation. When dealing with very large
numbers, such as in cryptography, efficient computing is essential. (Garrett, 2004, p. 123)
describes an algorithm entitled Fast Modular Exponentiation.
Page 6 of 21
The Algebra of Encryption
ο‚·
ο‚·
ο‚·
ο‚·
25 July 2011
Initiate X = base, E = exponent, Y = 1: x e ≡ y mod m.
If E is odd: replace Y by (X * Y) mod m and replace E = E - 1.
E is now even: replace X by (X * X) mod m and replace E = E / 2.
When E = 0: x e ≡ y mod m.
X keeps the current binary power of the base number. Y is the accumulator. Note how E is
parsed for its binary bit values.
1. Starting from the least significant bit, check if the bit is 1 (if E is odd).
2. If E is odd, accumulate the corresponding power of the base: Y = Y * X. The decrement
of E simply makes the division by 2 in the next step easier.
3. E is now even, update X to the next binary power of the base: X = X * X. Divide E by 2,
that is to say, right shift so the next binary bit is in the least significant bit position.
4. Loop to step 2 until E = 0.
Example 2-2
First let’s calculate 311 without a modulus.
𝐸 = 11 = 1 + 2 + 8.
π‘Œ = 311 = 31 ∗ 32 ∗ 38 = 3 ∗ 9 ∗ 6561 = 177147
Notes
X
E
1
Initialization
11
3 =3
E is odd
11 − 1 = 10
E is even
10 ÷ 2 = 5
32 = 9
E is odd
5−1=4
E is even
34 = 81
4÷2=2
8
E is even
2÷2=1
3 = 6561
E is odd
1−1=0
Y
1
3∗1=3
9 ∗ 3 = 27
6561 ∗ 9 ∗ 3 = 177147
Example 2-3
Now let’s calculate 311 π‘šπ‘œπ‘‘ 527
π‘Œ = 311 = 31 ∗ 32 ∗ 38 = 3 ∗ 9 ∗ 237 π‘šπ‘œπ‘‘ 527 = 75 π‘šπ‘œπ‘‘ 527
Notes
X
E
1
Initialization
11
3 =3
E is odd
11 − 1 = 10
2
E is even
10 ÷ 2 = 5
3 π‘šπ‘œπ‘‘ 527 = 9
E is odd
5−1=4
E is even
34 π‘šπ‘œπ‘‘ 527 = 81
4÷2=2
8
E is even
2÷2=1
3 π‘šπ‘œπ‘‘ 527 = 237
E is odd
1−1=0
Y
1
3 ∗ 1 π‘šπ‘œπ‘‘ 527 = 3
9 ∗ 3 = 27 π‘šπ‘œπ‘‘ 527
237 ∗ 9 ∗ 3 π‘šπ‘œπ‘‘ 527
= 75
You can verify that 177,147 = 75 π‘šπ‘œπ‘‘ 527.
Notice that everything happens the same with a modulus as without a modulus. The only
difference is in the size of the numbers - the calculation results are reduced modulo 527.
Page 7 of 21
The Algebra of Encryption
25 July 2011
Also notice the significant role of multiplication in this algorithm. We multiply 𝑋 ∗ 𝑋 for each
exponent bit position. We multiply 𝑋 ∗ π‘Œ when the exponent’s least significant bit is 1. In
Example 2-2 we dealt with larger numbers. In Example 2-3 the numbers were limited by the
modulus and remained smaller.
Consider multiplying two 4 digit binary numbers and two 2 digit binary numbers.
1111
x
1111
----------------1111
1111
1111
+
1111
----------------11100001
11
x
11
----------------11
+
11
----------------1001
The 4 digit multiplication involved the addition of 16 bits. The 2 digit multiplication involved
the addition of only 4 bits. Since the size of numbers cryptography deals with are usually larger
than a computer’s arithmetic logic unit can deal with, special Big Integer computational
packages such as Multiple Precision Integers and Rationals (MPIR) (MPIR home page) or Gnu
Multiple Precision (GMP) (The GNU Multiple Precision Arithmetic Library) are usually
employed. The smaller the modulus, the smaller the numbers we deal with, and the less time
involved in multiplying.
2.3 Chinese Remainder Theorem (CRT)
Chinese Remainder Theorem is frequently used in cryptography to reduce the calculation time
inherent in calculating with large numbers. This time reduction is accomplished by doing a few
extra calculations, but with much smaller numbers. (Chinese remainder theorem, 2011) Also, a
significant part of the calculations may be done once, in advance, and then used for subsequent
calculations.
This discussion follows (Stallings, 2011, pp. p 254-257). The example will use a modulus with
four factors.
2.3.1 Pre-calculations
Identify the Factors of M
Choose π‘š1 , π‘š2 , π‘š3 , and π‘š4 . The numbers must be coprime.
π‘š1 = 37
π‘š2 = 49 = 72
π‘š3 = 55 = 5 ∗ 11
π‘š4 = 64 = 26
Page 8 of 21
The Algebra of Encryption
25 July 2011
Notice that π‘š2 and π‘š4 are powers of prime numbers and π‘š3 is composite. Only π‘š1 is truly
prime in this example. The only requirement is that the chosen factors of M be coprime with
respect to each other.
𝑀 = π‘š1 ∗ π‘š2 ∗ π‘š3 ∗ π‘š4 = 37 ∗ 49 ∗ 55 ∗ 64 = 6,381,760
Calculate π‘΄π’Š
Calculate 𝑀𝑖 = 𝑀 ÷ π‘šπ‘– for each π‘šπ‘– .
𝑀1 = 𝑀 ÷ π‘š1 = 6,381,760
𝑀2 = 𝑀 ÷ π‘š2 = 6,381,760
𝑀3 = 𝑀 ÷ π‘š2 = 6,381,760
𝑀4 = 𝑀 ÷ π‘š4 = 6,381,760
÷ 37 = 172,480
÷ 49 = 130,240
÷ 55 = 116,032
÷ 64 = 99,715
Calculate π‘΄π’Š−𝟏 π’Žπ’π’… π’Žπ’Š
Use the Extended Euclidean Algorithm to calculate 𝑀𝑖−1 π‘šπ‘œπ‘‘ π‘šπ‘– for each π‘šπ‘– .
𝑀1−1 π‘šπ‘œπ‘‘ π‘š1 = 172,480−1 π‘šπ‘œπ‘‘ 37 ≡ 29
𝑀2−1 π‘šπ‘œπ‘‘ π‘š2 = 130,240−1 π‘šπ‘œπ‘‘ 49 ≡ 24
𝑀3−1 π‘šπ‘œπ‘‘ π‘š3 = 116,032−1 π‘šπ‘œπ‘‘ 55 ≡ 3
𝑀4−1 π‘šπ‘œπ‘‘ π‘š4 = 99,715−1 π‘šπ‘œπ‘‘ 64 ≡ 43
Calculate π‘¨π’Š
For convenience, define 𝐴𝑖 = 𝑀𝑖 ∗ 𝑀𝑖−1 π‘šπ‘œπ‘‘ 𝑀 for each π‘šπ‘– .
𝐴1 = 𝑀1 ∗ 𝑀1−1 π‘šπ‘œπ‘‘ 𝑀 = 172,480 ∗ 29 π‘šπ‘œπ‘‘ 6,381,760 ≡ 5,001,920
𝐴2 = 𝑀2 ∗ 𝑀2−1 π‘šπ‘œπ‘‘ 𝑀 = 130,240 ∗ 24 π‘šπ‘œπ‘‘ 6,381,760 ≡ 3,125,760
𝐴3 = 𝑀3 ∗ 𝑀3−1 π‘šπ‘œπ‘‘ 𝑀 = 116,032 ∗ 3 π‘šπ‘œπ‘‘ 6,381,760 ≡ 348,096
𝐴4 = 𝑀4 ∗ 𝑀4−1 π‘šπ‘œπ‘‘ 𝑀 = 99,715 ∗ 43 π‘šπ‘œπ‘‘ 6,381,760 ≡ 4,287,745
2.3.2 Addition
To add two numbers, complete the addition for each π‘šπ‘– , then combine the results.
As an example, we will add 735,839 and 826,277 mod M. Start by computing the residue for
each factor.
π‘₯ = 735,839
π‘₯1 = π‘₯ π‘šπ‘œπ‘‘ π‘š1 = 735,839 π‘šπ‘œπ‘‘ 37 = 20
π‘₯2 = π‘₯ π‘šπ‘œπ‘‘ π‘š2 = 735,839 π‘šπ‘œπ‘‘ 49 = 6
π‘₯3 = π‘₯ π‘šπ‘œπ‘‘ π‘š3 = 735,839 π‘šπ‘œπ‘‘ 55 = 49
π‘₯4 = π‘₯ π‘šπ‘œπ‘‘ π‘š4 = 735,839 π‘šπ‘œπ‘‘ 64 = 31
𝑦 = 826,277
𝑦1 = 𝑦 π‘šπ‘œπ‘‘ π‘š1 = 826,277 π‘šπ‘œπ‘‘ 37 = 30
𝑦2 = 𝑦 π‘šπ‘œπ‘‘ π‘š2 = 826,277 π‘šπ‘œπ‘‘ 49 = 39
𝑦3 = 𝑦 π‘šπ‘œπ‘‘ π‘š3 = 826,277 π‘šπ‘œπ‘‘ 55 = 12
𝑦4 = 𝑦 π‘šπ‘œπ‘‘ π‘š4 = 826,277 π‘šπ‘œπ‘‘ 64 = 37
Add for each π’Žπ’Š
Compute π‘₯ + 𝑦 = 𝑧𝑖 π‘šπ‘œπ‘‘ π‘šπ‘– for each π‘šπ‘– .
𝑧1 = π‘₯1 + 𝑦1 = 20 + 30 = 50 ≡ 13 π‘šπ‘œπ‘‘ 37
Page 9 of 21
The Algebra of Encryption
25 July 2011
𝑧2 = π‘₯2 + 𝑦2 = 6 + 39 = 45 ≡ 45 π‘šπ‘œπ‘‘ 49
𝑧3 = π‘₯3 + 𝑦3 = 49 + 12 = 61 ≡ 6 π‘šπ‘œπ‘‘ 55
𝑧4 = π‘₯4 + 𝑦4 = 31 + 37 = 68 ≡ 4 π‘šπ‘œπ‘‘ 64
Combine the results
Find the result of (π‘₯ + 𝑦) π‘šπ‘œπ‘‘ 𝑀 = (𝑧1 ∗ 𝐴1 + 𝑧2 ∗ 𝐴2 + 𝑧3 ∗ 𝐴3 + 𝑧4 ∗ 𝐴4 ) π‘šπ‘œπ‘‘ 𝑀
(735,839 + 826,277) π‘šπ‘œπ‘‘ 6,381,760
= (13 ∗ 5,001,920 + 45 ∗ 3,125,760 + 6 ∗ 348,096 + 4 ∗ 4,287,745) π‘šπ‘œπ‘‘ 6,381,760
≡ 1,562,116
2.3.3 Multiplication
To multiply two numbers, complete the multiplication for each π‘šπ‘– , then combine the results.
If we use the same x and y values as for addition, we can use the same residues for each factor.
Multiply for each π’Žπ’Š
Compute π‘₯ ∗ 𝑦 = 𝑧𝑖 π‘šπ‘œπ‘‘ π‘šπ‘– for each π‘šπ‘– .
𝑧1 = π‘₯1 ∗ 𝑦1 = 20 ∗ 30 = 600 ≡ 8 π‘šπ‘œπ‘‘ 37
𝑧2 = π‘₯2 ∗ 𝑦2 = 6 ∗ 39 = 234 ≡ 38 π‘šπ‘œπ‘‘ 49
𝑧3 = π‘₯3 ∗ 𝑦3 = 49 ∗ 12 = 588 ≡ 38 π‘šπ‘œπ‘‘ 55
𝑧4 = π‘₯4 ∗ 𝑦4 = 31 ∗ 37 = 1147 ≡ 59 π‘šπ‘œπ‘‘ 64
Combine the results
Find the result of (π‘₯ ∗ 𝑦) π‘šπ‘œπ‘‘ 𝑀 = (𝑧1 ∗ 𝐴1 + 𝑧2 ∗ 𝐴2 + 𝑧3 ∗ 𝐴3 + 𝑧4 ∗ 𝐴4 ) π‘šπ‘œπ‘‘ 𝑀
(735,839 ∗ 826,277) π‘šπ‘œπ‘‘ 6,381,760
= (8 ∗ 5,001,920 + 38 ∗ 3,125,760 + 38 ∗ 348,096 + 59 ∗ 4,287,745) π‘šπ‘œπ‘‘ 6381760
≡ 3,802,683
2.4 Euler’s Totient Function
Euler’s totient function, 𝛷(𝑛), identifies the number of integers, less than n, that are relatively
prime to n. A good treatment of Euler’s Totient function can be found in (Burton, 2007, pp. 131135).
(Stallings, 2011, pp. 249-250) presents Euler’s totient function as 𝛷(𝑝) = 𝑝 − 1 for prime p.
This is correct, but not good for a general definition of the function. (Burton, 2007, pp. 131-135)
gives a more versatile definition as 𝛷(π‘π‘˜ ) = π‘π‘˜ − π‘π‘˜−1 . It is easy to see that this version
degenerates to the previous version in the case of π‘˜ = 1.
To determine the totient of a composite number, we must know the prime factors of the number.
Given 𝑛 = 𝑝𝑖 ∗ π‘ž 𝑗 , 𝛷(𝑛) = 𝛷(𝑝𝑖 ) ∗ 𝛷(π‘ž 𝑗 ) = (𝑝𝑖 − 𝑝𝑖−1 ) ∗ (π‘ž 𝑗 − π‘ž 𝑗−1 ) (Burton, 2007, pp.
131-135). Again, if 𝑖 and 𝑗 = 1, then the equation degenerates to 𝛷(𝑛) = 𝛷(𝑝) ∗ 𝛷(π‘ž) =
(𝑝 − 1) ∗ (π‘ž − 1) as described by (Stallings, 2011, pp. 249-250).
Page 10 of 21
The Algebra of Encryption
25 July 2011
Example 2-4
To calculate 𝛷(21), the first form is adequate. First we must know the prime factors of 21,
namely 3 and 7.
𝛷(21) = (3 − 1) ∗ (7 − 1) = 2 ∗ 6 = 12
Therefore, the number of integers less than 21 relatively prime to 21 should count to 12.
1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are the 12 numbers less than 21 that are relatively prime to
21.
Example 2-5
To calculate 𝛷(20), the second form of the totient function is required. The prime factors of 20
are 22 and 5.
𝛷(20) = (22 − 21 ) ∗ (51 − 50 ) = (4 − 2) ∗ (5 − 1) = 2 ∗ 4 = 8
The 8 integers less than 20 relatively prime to 20 are 1, 3, 7, 9, 11, 13, 17, 19.
3 Exponentiation and Chinese Remainder Theorem
In section 2.3 we looked at addition and multiplication using CRT. We would like to take
advantage of the CRT and reduce the exponent.
Notice that reducing the exponent by the modulus does not result in congruence.
𝑏 𝑒 = 𝑏 π‘šπ‘›π‘›+π‘Ÿπ‘› β‰’ 𝑏 π‘Ÿπ‘› π‘šπ‘œπ‘‘ 𝑛
where 𝑏 is the base, π‘šπ‘› is the multiplier, and π‘Ÿπ‘› is the residue.
To demonstrate this, let
𝑒 = 131
𝑛 = 17
𝑏=3
𝑒 = 131 = π‘šπ‘› 𝑛 + π‘Ÿπ‘› = 7 ∗ 17 + 12
𝑏 𝑒 = 3131 = 10 π‘šπ‘œπ‘‘ 17
𝑏 π‘Ÿπ‘› = 312 = 4 π‘šπ‘œπ‘‘ 17
𝑏 𝑒 β‰’ 𝑏 π‘Ÿπ‘› π‘šπ‘œπ‘‘ 𝑛
To reduce the exponent correctly, we must employ Euler’s theorem. Euler’s theorem states that
if 𝑛 ≥ 1 and gcd(π‘Ž, 𝑛) = 1, then π‘Žπ›·(𝑛) ≡ 1 π‘šπ‘œπ‘‘ 𝑛. (Burton, 2007, p. 137)
𝑏 𝑒 = 𝑏 π‘šπ›· 𝛷(𝑛)+π‘Ÿπ›· ≡ 𝑏 π‘Ÿπ›· π‘šπ‘œπ‘‘ 𝑛
where 𝑏 is the base, π‘šπ›· is the multiplier, and π‘Ÿπ›· is the residue.
To demonstrate this, let
𝑒 = 131
𝑛 = 17, 𝛷(𝑛) = 16
𝑏=3
Page 11 of 21
The Algebra of Encryption
25 July 2011
𝑒 = 131 = π‘šπ›· 𝛷(𝑛) + π‘Ÿπ›· = 8 ∗ 16 + 3
𝑏 𝑒 = 3131 = 10 π‘šπ‘œπ‘‘ 17
𝑏 π‘Ÿπ›· = 33 = 10 π‘šπ‘œπ‘‘ 17
𝑏 𝑒 ≡ 𝑏 π‘Ÿπ›· π‘šπ‘œπ‘‘ 𝑛
We can always use the full exponent when conducting the calculations for each CRT modulus.
But to reduce the exponent, we must know 𝛷(𝑛) which requires we know the factors of 𝑛 if 𝑛 is
not prime.
4 Public Key Cryptography - RSA
Euler’s theorem is the heart of the RSA encryption and decryption method. (RSA, 2011).
If we choose two prime numbers 𝑝 and π‘ž we can form 𝑛 = 𝑝 ∗ π‘ž and determine 𝛷(𝑛). If we
then choose an encryption exponent 𝑒 so that 𝑔𝑑𝑐(𝑒, 𝛷(𝑛)) = 1, we can find a decryption
exponent 𝑑 such that 𝑑 ∗ 𝑒 ≡ 1 π‘šπ‘œπ‘‘ 𝛷(𝑛). The exponent 𝑑 is merely the MMI of 𝑒 π‘šπ‘œπ‘‘ 𝛷(𝑛),
and we know from section 2.1.2 how to find 𝑑. Note that 𝑑 ∗ 𝑒 = π‘š ∗ 𝛷(𝑛) + 1 for some
multiplier π‘š.
Now take a message expressed as a number 𝑀. Calculate the encrypted message by using the
encryption exponent.
𝐢 = 𝑀𝑒 π‘šπ‘œπ‘‘ 𝑛
To decrypt, use the decryption exponent. Calculate 𝐢 𝑑 π‘šπ‘œπ‘‘ 𝑛 = 𝑀.
𝐢 𝑑 = (𝑀𝑒 )𝑑 = π‘€π‘š∗𝛷(𝑛)+1 = π‘€π‘š∗𝛷(𝑛) ∗ 𝑀 = (𝑀𝛷(𝑛) )π‘š ∗ 𝑀
Taking note of Euler’s theorem, if the decryption calculations are made modulo n, we have
𝐢 𝑑 = (1)π‘š ∗ 𝑀 π‘šπ‘œπ‘‘ 𝑛 = 𝑀
Thus we have successfully decrypted the message, assuming 𝑔𝑐𝑑(𝑀, 𝑛) = 1 to satisfy the
requirements of Euler’s theorem. “In the unlikely event that M and n are not relatively prime, a
similar argument establishes that [𝐢 𝑑 ] ≡ 𝑀 π‘šπ‘œπ‘‘ 𝑝 and [𝐢 𝑑 ] ≡ 𝑀 π‘šπ‘œπ‘‘ π‘ž, which then yields the
desired congruence [𝐢 𝑑 ] ≡ 𝑀 π‘šπ‘œπ‘‘ 𝑛. We omit the details.” (Burton, 2007, p. 204)
RSA involves calculating modular exponentials. The example uses normal encryption and CRT
decryption. Note that CRT only benefits decryption because the factors of the modulus must be
known and they are part of the private key.
Let:
𝑝 = 17
π‘ž = 31
𝑒 = 11
message: 𝑀 = 3
Page 12 of 21
The Algebra of Encryption
25 July 2011
calculate 𝑛 = 𝑝 ∗ π‘ž = 17 ∗ 31 = 527
calculate 𝛷(𝑛) = (𝑝 − 1) ∗ (π‘ž − 1) = 16 ∗ 30 = 480
calculate 𝑑 = 𝑒 −1 π‘šπ‘œπ‘‘ 𝛷(𝑛) ≡ 131
4.1
CRT Pre-calculations
𝑃 = 𝑛 ÷ 𝑝 = 31
𝑃−1 π‘šπ‘œπ‘‘ 𝑝 ≡ 11
𝐴𝑝 = 𝑃 ∗ 𝑃−1 π‘šπ‘œπ‘‘ 𝑛 = 31 ∗ 11 π‘šπ‘œπ‘‘ 527 ≡ 341
𝑄 = 𝑛 ÷ π‘ž = 17
𝑄 −1 π‘šπ‘œπ‘‘ π‘ž ≡ 11
π΄π‘ž = 𝑄 ∗ 𝑄 −1 π‘šπ‘œπ‘‘ 𝑛 = 17 ∗ 11 π‘šπ‘œπ‘‘ 527 ≡ 187
𝑑𝑝 = 𝑑 π‘šπ‘œπ‘‘ 𝛷(𝑝) = 131 π‘šπ‘œπ‘‘ 16 ≡ 3
π‘‘π‘ž = 𝑑 π‘šπ‘œπ‘‘ 𝛷(π‘ž) = 131 π‘šπ‘œπ‘‘ 30 ≡ 11
See section 3 regarding how to reduce the exponent 𝑑 into 𝑑𝑝 and π‘‘π‘ž .
4.2
Encrypt
𝐢 = 𝑀𝑒 π‘šπ‘œπ‘‘ 𝑛 = 311 π‘šπ‘œπ‘‘ 527 ≡ 75 (See Example 2-3.)
4.3 Decrypt
Note the use of 𝑑𝑝 and π‘‘π‘ž in place of the normal decrypt exponent.
𝑀𝑝 = 𝐢 𝑑𝑝 π‘šπ‘œπ‘‘ 𝑝 = 753 π‘šπ‘œπ‘‘ 17
= 73 π‘šπ‘œπ‘‘ 17 ≡ 3
4.4
π‘€π‘ž = 𝐢 π‘‘π‘ž π‘šπ‘œπ‘‘ π‘ž = 7511 π‘šπ‘œπ‘‘ 31
= 1311 π‘šπ‘œπ‘‘ 31 ≡ 3
Combine the results
𝑀 = (𝑀𝑝 ∗ 𝐴𝑝 + π‘€π‘ž ∗ π΄π‘ž ) π‘šπ‘œπ‘‘ 𝑛 = (3 ∗ 341 + 3 ∗ 187) π‘šπ‘œπ‘‘ 527 ≡ 3
4.5 Conclusion
Decryption is accomplished using smaller exponents and smaller moduli. Multiplication is a
large part of calculating modular exponentials. When computing many exponentials using the
same private key, time savings becomes significant.
5 How to Share a Secret
(Shamir, November, 1979) describes how to share secret information such that the holders of a
share cannot individually obtain the secret. Only if a certain minimum number of share holders
collaborate can the secret information be identified.
A simple description of this method is to use a curve described by a polynomial function.
𝑓(π‘₯) = π‘Žπ‘‘ π‘₯ 𝑑 + π‘Žπ‘‘−1 π‘₯ 𝑑−1 β‹― π‘Ž1 π‘₯ + π‘Ž0
Equation 5-1
Typically, π‘Ž0 is the secret information, for example a secret key, and the other t coefficients in
the polynomial may be chosen at random. If two or more elements comprise the secret key, such
Page 13 of 21
The Algebra of Encryption
25 July 2011
as 𝑝, π‘ž, π‘Žπ‘›π‘‘ 𝑑 , necessary for CRT decryption of RSA, then more coefficients may be set and the
remainder chosen at random.
Basic algebra tells us that when we have 𝑑 + 1 unknowns - the 𝑑 + 1 coefficients, we need to
know 𝑑 + 1 points on the curve to identify all of the coefficients. We really only want the one
coefficient, π‘Ž0 , but even that cannot be determined without the required minimum number of
points from the curve.
Points on the curve - x and f(x) pairs, are the secret shares given to the trusted authorities. Many
more than 𝑑 + 1 secret shares may be given out. But, only if a minimum of 𝑑 + 1 trusted
authorities agree to provide their secret share and collaborate, can the secret information be
identified. The secret information - coefficient(s) of the polynomial, may be identified by any
linear algebra method for solving a system of simultaneous equations.
The x values may be as simple as indexes, incremented between one share holder to the next.
Only the value of f(x) must be held secret.
6 Paillier Cryptography
The cryptographic systems proposed by (Paillier, 1999) involve polynomial expansion of
exponentiation. Paillier proposed three systems, one will be discussed here. It is similar to RSA
cryptography.
6.1 Carmichael Function
In order to understand the algebra of Paillier cryptography, we need to understand the
Carmichael function. The Carmichael function, πœ†(𝑛), is similar to Euler’s totient function 𝛷(𝑛).
(Paillier, 1999, p. 2)
πœ†(𝑛) = π‘™π‘π‘š(𝑝 − 1, π‘ž − 1)
Equation 6-1
where 𝑛 = π‘π‘ž, 𝑝 and π‘ž are distinct primes, and lcm stands for Least Common Multiple.
The Carmichael function also has some useful properties for Paillier cryptography. For any
integer 𝑀 that is coprime with 𝑛:
πœ†
{ π‘€π‘›πœ† ≡ 1 π‘šπ‘œπ‘‘ 𝑛2
𝑀 ≡ 1 π‘šπ‘œπ‘‘ 𝑛
Equation 6-2
Which implies there exists some integer π‘Ž and 𝑏 such that
πœ†
{ π‘€πœ†π‘› = π‘Žπ‘›2+ 1
𝑀 = 𝑏𝑛 + 1
Equation 6-3
6.2 Preliminaries
Choose two safe prime numbers p and q, form 𝑛 = 𝑝 ∗ π‘ž, and determine πœ† = π‘™π‘π‘š(𝑝 − 1, π‘ž − 1).
Safe prime numbers are of the form 2𝑝 + 1, where p is also a prime. (Safe prime, 2010)
Page 14 of 21
The Algebra of Encryption
25 July 2011
Define the function
𝐿(𝑒) =
𝑒−1
𝑛
Equation 6-4
Note: that 𝑒 is usually an exponential π‘šπ‘œπ‘‘ 𝑛2 . The notation used is a little awkward
because only the exponential should be calculated π‘šπ‘œπ‘‘ 𝑛2. The division by 𝑛 cannot be
accomplished π‘šπ‘œπ‘‘ 𝑛2 because 𝑛 has no MMI π‘šπ‘œπ‘‘ 𝑛2. The numerator should be a
multiple of 𝑛, and the “normal” division should result in an integer with no residue.
Choose a generator value 𝑔 such that
𝑔𝑐𝑑(𝐿(𝑔 πœ† π‘šπ‘œπ‘‘ 𝑛2 ), 𝑛) = 1
Equation 6-5
Note: See section 6.12 regarding choosing values of 𝑔.
The public key is (𝑔, 𝑛). The private key is λ.
6.3 Encrypt
The plaintext message is π‘š < 𝑛. Choose a random number π‘Ÿ < 𝑛. Calculate the encrypted
message
𝑐 = π‘”π‘š π‘Ÿ 𝑛 π‘šπ‘œπ‘‘ 𝑛2
Equation 6-6
6.4 Decrypt
Plaintext
π‘š=
𝐿(𝑐 πœ† π‘šπ‘œπ‘‘ 𝑛2 )
π‘šπ‘œπ‘‘ 𝑛
𝐿(𝑔 πœ† π‘šπ‘œπ‘‘ 𝑛2 )
Equation 6-7
6.5
Explanation
The Generator g
Starting from the Carmichael function Equation 6-3.
𝑔 πœ† = 1 + π‘Žπ‘›
𝑔 πœ†π‘₯ = (1 + π‘Žπ‘›)π‘₯
Equation 6-8
If we use binomial expansion of the polynomial, we get (Binomial theorem, 2011)
π‘₯
(1 + π‘Žπ‘›)π‘₯ = 1π‘₯ + π‘₯ ∗ (1π‘₯−1 ) ∗ (π‘Žπ‘›)1 + ( ) ∗ (1π‘₯−2 ) ∗ 𝑛2 + β‹―
2
where
π‘₯
π‘₯!
( )=
𝑖
𝑖! (π‘₯ − 𝑖)!
Page 15 of 21
The Algebra of Encryption
25 July 2011
When we reduce modulo 𝑛2 , all of the polynomial terms of 𝑛2 and higher drop out. We are left
with
𝑔 πœ†π‘₯ = (1 + π‘Žπ‘›)π‘₯ = (1 + π‘₯π‘Žπ‘›) π‘šπ‘œπ‘‘ 𝑛2
Equation 6-9
The Decrypt Numerator
π‘πœ† − 1
(π‘”π‘š π‘Ÿ 𝑛 )πœ† − 1
π‘”π‘šπœ† π‘Ÿ π‘›πœ† − 1
𝐿(𝑐 πœ† π‘šπ‘œπ‘‘ 𝑛2 ) =
π‘šπ‘œπ‘‘ 𝑛2 =
π‘šπ‘œπ‘‘ 𝑛2 =
π‘šπ‘œπ‘‘ 𝑛2
𝑛
𝑛
𝑛
Applying Equation 6-2 to π‘Ÿ π‘›πœ† .
𝐿(𝑐 πœ† π‘šπ‘œπ‘‘ 𝑛2 ) ≡
π‘”π‘šπœ† (1) − 1
π‘šπ‘œπ‘‘ 𝑛2
𝑛
Applying Equation 6-9 to π‘”π‘šπœ†
(1 + π‘šπ‘Žπ‘›) − 1
π‘šπ‘Žπ‘›
𝐿(𝑐 πœ† π‘šπ‘œπ‘‘ 𝑛2 ) ≡
π‘šπ‘œπ‘‘ 𝑛2 =
π‘šπ‘œπ‘‘ 𝑛2 = π‘šπ‘Ž π‘šπ‘œπ‘‘ 𝑛2
𝑛
𝑛
Equation 6-10
Note that we must divide by 𝑛 using normal division. 𝑛 has no multiplicative inverse π‘šπ‘œπ‘‘ 𝑛2.
The Decrypt Denominator
𝐿(𝑔 πœ† π‘šπ‘œπ‘‘ 𝑛2 ) =
(1 + π‘Žπ‘›) − 1
π‘”πœ† − 1
π‘šπ‘œπ‘‘ 𝑛2 =
π‘šπ‘œπ‘‘ 𝑛2 = π‘Ž π‘šπ‘œπ‘‘ 𝑛2
𝑛
𝑛
Equation 6-11
Again, we must divide by 𝑛 using normal division.
The Decrypt
Combining Equation 6-10 and Equation 6-11 into Equation 6-7, we get
𝐿(𝑐 πœ† π‘šπ‘œπ‘‘ 𝑛2 )
π‘šπ‘Ž π‘šπ‘œπ‘‘ 𝑛2
π‘š=
π‘šπ‘œπ‘‘
𝑛
=
π‘šπ‘œπ‘‘ 𝑛
π‘Ž π‘šπ‘œπ‘‘ 𝑛2
𝐿(𝑔 πœ† π‘šπ‘œπ‘‘ 𝑛2 )
See section 6.11 concerning pre-calculations. The decrypt equation can be written as
π‘š = [𝐿(𝑐 πœ† ) π‘šπ‘œπ‘‘ 𝑛2 ] ∗ πœ‡ π‘šπ‘œπ‘‘ 𝑛
where
−1
π‘”πœ† − 1
2
πœ‡=[
π‘šπ‘œπ‘‘ 𝑛 ] π‘šπ‘œπ‘‘ 𝑛
𝑛
6.6
Paillier Cryptography Example
Preliminaries
Let
𝑝 = 23
π‘ž = 59
𝑛 = 𝑝 ∗ π‘ž = 23 ∗ 59 = 1357
Page 16 of 21
The Algebra of Encryption
25 July 2011
𝑛2 = 1,841,449
πœ† = π‘™π‘π‘š(𝑝 − 1, π‘ž − 1) =
(𝑝 − 1)(π‘ž − 1)
22 ∗ 58
=
= 638
𝑔𝑐𝑑(𝑝 − 1, π‘ž − 1)
2
Choose 𝑔
𝑔 = 71
Check 𝑔 (see section 6.12.)
𝑔𝑐𝑑(𝑔, 𝑛) = 1
𝑔 ≠ π‘Žπ‘› + 1 for some integer π‘Ž.
Verify 𝑔
𝑔 πœ† π‘šπ‘œπ‘‘ 𝑛2 = 71638 = 521,089
π‘”πœ† − 1
521,089 − 1
𝐿(𝑔 π‘šπ‘œπ‘‘ 𝑛 ) =
π‘šπ‘œπ‘‘ 𝑛2 =
π‘šπ‘œπ‘‘ 1,841,449 = 384
𝑛
1357
πœ†
2
𝑔𝑐𝑑(𝐿(𝑔 πœ† π‘šπ‘œπ‘‘ 𝑛2 ), 𝑛) = 𝑔𝑐𝑑(384, 1357) = 1
Pre-calculate πœ‡ (See section 6.11.)
−1
πœ‡ = [𝐿(𝑔 πœ† π‘šπ‘œπ‘‘ 𝑛2 )] π‘šπ‘œπ‘‘ 𝑛 = [384]−1 π‘šπ‘œπ‘‘ 𝑛 = 887
Encrypt
Let
π‘š = 1025
π‘Ÿ = 1019
𝑐 = π‘”π‘š π‘Ÿ 𝑛 π‘šπ‘œπ‘‘ 𝑛2 = 711025 ∗ 10191357 π‘šπ‘œπ‘‘ 1,841,449 = 1,593,818
Decrypt
Numerator:
𝐿(𝑐 πœ† π‘šπ‘œπ‘‘ 𝑛2 ) =
π‘πœ† − 1
1,593,818638 − 1
π‘šπ‘œπ‘‘ 𝑛2 =
π‘šπ‘œπ‘‘ 1,841,449 = 70
𝑛
1357
Plaintext:
π‘š = 𝐿(𝑐 πœ† π‘šπ‘œπ‘‘ 𝑛2 ) ∗ πœ‡ π‘šπ‘œπ‘‘ 𝑛 = 70 ∗ 887 π‘šπ‘œπ‘‘ 1357 = 1025
6.7 Blinding
Cryptographic blinding allows for a message to be multiplied by a specially treated random
number, while still allowing the message to be decrypted without knowledge of the random
number. (Blinding (cryptography), 2011)
Due to the properties of Paillier cryptography noted in Equation 6-2, any succession of blinding
factors may be applied to the ciphertext without affecting the successful decryption.
Page 17 of 21
The Algebra of Encryption
25 July 2011
To see this, apply a succession of π‘˜ blinding factors to the same message.
𝑐 = π‘”π‘š ∗ π‘Ÿ1𝑛 π‘Ÿ2𝑛 β‹― π‘Ÿπ‘˜π‘› π‘šπ‘œπ‘‘ 𝑛2
= π‘”π‘š ∗ π‘Ÿ 𝑛 π‘šπ‘œπ‘‘ 𝑛2
where π‘Ÿ = ∏π‘˜ π‘Ÿπ‘– . π‘Ÿ is still a random number and does not affect the successful decryption of the
message.
6.8 Blinding Example
We use the ciphertext from the example in section 6.6 and chose another random number.
𝑐1 = 1,593,818
π‘Ÿ2 = 951
𝑐2 = 𝑐1 π‘Ÿ2𝑛 π‘šπ‘œπ‘‘ 𝑛2 = 1,593,818 ∗ 9511357 π‘šπ‘œπ‘‘ 1,841,449 = 1,587,825
Decrypt
Numerator:
𝐿(𝑐 πœ† π‘šπ‘œπ‘‘ 𝑛2 ) =
π‘πœ† − 1
1,587,825638 − 1
π‘šπ‘œπ‘‘ 𝑛2 =
π‘šπ‘œπ‘‘ 1,841,449 = 70
𝑛
1357
As we saw in the explanation in section 6.5, the decrypt numerator is unaffected by the blinding
of the added random number.
6.9 Additive Homomorphic Properties
Paillier cryptography includes an interesting homomorphic property in that the multiplication of
two ciphertexts is equivalent to the addition of the respective plaintexts. (Paillier, 1999, p. 13)
To see this, start with two messages π‘š1 and π‘š2 and encrypt.
𝑐1 = π‘”π‘š1 π‘Ÿ1𝑛 π‘šπ‘œπ‘‘ 𝑛2
𝑐2 = π‘”π‘š2 π‘Ÿ2𝑛 π‘šπ‘œπ‘‘ 𝑛2
Now multiply the two ciphertexts.
𝑐1 ∗ 𝑐2 = π‘”π‘š1 π‘Ÿ1𝑛 ∗ π‘”π‘š2 π‘Ÿ2𝑛 π‘šπ‘œπ‘‘ 𝑛2
= π‘”π‘š1 π‘”π‘š2 ∗ π‘Ÿ1𝑛 π‘Ÿ2𝑛 π‘šπ‘œπ‘‘ 𝑛2
= π‘”π‘š1 +π‘š2 ∗ (π‘Ÿ1 π‘Ÿ2 )𝑛 π‘šπ‘œπ‘‘ 𝑛2
= π‘”π‘š3 ∗ π‘Ÿ3𝑛 π‘šπ‘œπ‘‘ 𝑛2
where m3 = m1 + m2 and r3 = r1 ∗ r2 . r3 is a random number, and the product c1 ∗ c2 will
correctly decrypt as m1 + m2 .
6.10 Homomorphic Example
We use the ciphertext from the example in section 6.6 and section 6.8. These two ciphertext
represent the same plaintext, so the expected result is that the original message will be doubled.
𝑐3 = 𝑐1 ∗ 𝑐2 = 1,593,818 ∗ 1,587,825 π‘šπ‘œπ‘‘ 1,841,449 = 705,150
Page 18 of 21
The Algebra of Encryption
25 July 2011
Decrypt
Numerator:
π‘πœ† − 1
705,150638 − 1
2
𝐿(𝑐 π‘šπ‘œπ‘‘ 𝑛 ) =
π‘šπ‘œπ‘‘ 𝑛 =
π‘šπ‘œπ‘‘ 1,841,449 = 140
𝑛
1357
πœ†
2
Plaintext:
π‘š = 𝐿(𝑐 πœ† π‘šπ‘œπ‘‘ 𝑛2 ) ∗ πœ‡ π‘šπ‘œπ‘‘ 𝑛 = 140 ∗ 887 π‘šπ‘œπ‘‘ 1357 = 693
Which is as expected since 2 ∗ 1025 π‘šπ‘œπ‘‘ 1357 = 693.
6.11 Pre-calculations
Some elements of Paillier cryptography can be pre-calculated.
Decryption
The decrypt denominator is actually calculated when 𝑔 is verified. The only additional precalculation is to find the MMI of the denominator.
−1
π‘”πœ† − 1
2
πœ‡=[
π‘šπ‘œπ‘‘ 𝑛 ] π‘šπ‘œπ‘‘ 𝑛
𝑛
Equation 6-12
Decryption then becomes
π‘š = [𝐿(𝑐 πœ† ) π‘šπ‘œπ‘‘ 𝑛2 ] ∗ πœ‡ π‘šπ‘œπ‘‘ 𝑛
Equation 6-13
Determine λ
Because p and q are safe primes, we have the following determination for λ.
𝑝 = 2𝑝′ + 1
π‘ž = 2π‘ž ′ + 1
where 𝑝′ and π‘ž′ are also primes.
This leads to the following pre-calculation for λ.
πœ† = π‘™π‘π‘š(𝑝 − 1, π‘ž − 1) =
=
(𝑝 − 1)(π‘ž − 1)
gcd(𝑝 − 1, π‘ž − 1)
(2𝑝′ )(2π‘ž ′ )
4𝑝′π‘ž′
=
′
′
gcd(2𝑝 , 2π‘ž )
2
= 2𝑝′π‘ž′
Equation 6-14
6.12 Observations
Choosing g with a common factor to n
The choosing of 𝑔, Equation 6-5, allows a vulnerability. If 𝑔 shares a factor with 𝑛, the division
of the numerator of 𝐿(𝑔 πœ† π‘šπ‘œπ‘‘ 𝑛2 ) by the denominator, 𝑛, does not always yield an integer.
(Paillier, 1999) never discusses that the division result should be verified to be an integer. If this
Page 19 of 21
The Algebra of Encryption
25 July 2011
goes un-noticed, and the result is truncated, the equality of Equation 6-5 may hold and the value
of 𝑔 will be accepted.
Example 6-1
𝑝 = 7 = 2 ∗ 3 + 1,
𝑝′ = 3
π‘ž = 11 = 2 ∗ 5 + 1,
π‘ž′ = 5
𝑛 = 𝑝 ∗ π‘ž = 77
𝑛2 = 5929
πœ† = 2𝑝′ π‘ž ′ = 2 ∗ 3 ∗ 5 = 30
𝑔 = 35 = 5 ∗ 7
𝑔𝑐𝑑(𝑔, 𝑛) = 7
𝐿(𝑔 πœ† π‘šπ‘œπ‘‘ 𝑛2 ) =
𝑔 πœ† π‘šπ‘œπ‘‘ 𝑛2 − 1 3530 π‘šπ‘œπ‘‘ 5929 − 1 2597 − 1
=
=
= 33.7
𝑛
77
77
𝑔𝑐𝑑(𝐿(𝑔 πœ† π‘šπ‘œπ‘‘ 𝑛2 ), 𝑛) = 𝑔𝑐𝑑(33, 77) = 11
Example 6-2
Same as Example 6-1 except:
𝑔 = 22 = 2 ∗ 11
𝑔𝑐𝑑(𝑔, 𝑛) = 11
𝑔 πœ† π‘šπ‘œπ‘‘ 𝑛2 − 1 2230 π‘šπ‘œπ‘‘ 5929 − 1 484 − 1
𝐿(𝑔 π‘šπ‘œπ‘‘ 𝑛 ) =
=
=
= 6.27
𝑛
77
77
πœ†
2
𝑔𝑐𝑑(𝐿(𝑔 πœ† π‘šπ‘œπ‘‘ 𝑛2 ), 𝑛) = 𝑔𝑐𝑑(6, 77) = 1
In Example 6-1, the choice of 𝑔 is rejected. In Example 6-2, the choice of 𝑔 is accepted.
The public key is (𝑔, 𝑛). If 𝑔 shares a factor with 𝑛, the astute adversary would be able to
employ the Euclid algorithm to factor n and thereby find the secret key πœ†.
Choosing g without Blinding
If one should choose 𝑔 = 1 + π‘Žπ‘›, for some integer π‘Ž, blinding is in fact necessary. Consider
encryption Equation 6-6 without the blinding factor π‘Ÿ 𝑛 .
𝑐 = π‘”π‘š = (1 + π‘Žπ‘›)π‘š
Following the same process as the derivation of Equation 6-9, we arrive at
𝑐 = (1 + π‘Žπ‘›)π‘š = (1 + π‘šπ‘Žπ‘›) π‘šπ‘œπ‘‘ 𝑛2
Because (𝑔, 𝑛) is the public key, the value of π‘Ž is known publicly. Thus π‘š can be easily
calculated from 𝑐. Thus Blinding is necessary if 𝑔 is chosen such that 𝑔 = 1 + π‘Žπ‘›.
Page 20 of 21
The Algebra of Encryption
25 July 2011
7 Works Cited
Binomial theorem. (2011, June 21). Retrieved July 10, 2011, from Wikipedia:
http://en.wikipedia.org/wiki/Binomial_expansion
Blinding (cryptography). (2011, June 3). Retrieved July 10, 2011, from Wikipedia:
http://en.wikipedia.org/wiki/Blinding_(cryptography)
Burton, D. M. (2007). Elementary Number Theory, Sixth Edition. New York, New York 10020:
McGraw-Hill Higher Education.
Chinese remainder theorem. (2011, July 2). Retrieved July 7, 2011, from Wikipedia:
http://en.wikipedia.org/wiki/Chinese_remainder_theorem
Coprime. (2011, June 25). Retrieved July 7, 2011, from Wikipedia:
http://en.wikipedia.org/wiki/Coprime
Euclidean algorithm. (2011, June 30). Retrieved July 7, 2011, from Wikipedia:
http://en.wikipedia.org/wiki/Euclid_algorithm
Garrett, P. (2004). The Mathematics of Coding Theory. Upper Saddle River, New Jersey:
Pearson Prentice Hall.
Modular arithmetic. (2011, July 5). Retrieved July 7, 2011, from Wikipedia:
http://en.wikipedia.org/wiki/Modular_arithmetic
MPIR home page. (n.d.). Retrieved July 9, 2011, from MPIR: http://www.mpir.org/
Paillier, P. (1999). Public-Key Cryptosystems Based on Composite Degree Residuosity Clases.
Advances in Cryptology - Eurocrypt '99 , pp. 223-238.
RSA. (2011, July 8). Retrieved July 8, 2011, from Wikipedia: http://en.wikipedia.org/wiki/RSA
Safe prime. (2010, August 24). Retrieved July 9, 2011, from Wikipedia:
http://en.wikipedia.org/wiki/Safe_prime
Shamir, A. (November, 1979). How to Share a Secret. Communications of the ACM , 612-613.
Stallings, W. (2011). Cryptography and Network Security, Principles and Practice, Fifth
Edition. Prentice Hall.
The GNU Multiple Precision Arithmetic Library. (n.d.). Retrieved July 9, 2011, from GNU:
http://gmplib.org/
Page 21 of 21