The Algebra of Encryption 25 July 2011 The Algebra of Encryption 1 Modular Arithmetic Much of modern cryptography is based on modular arithmetic. We can think of modular arithmetic as a cycle. When we reach the base number or modulus, we cycle back to zero. We use modular arithmetic every day. For example, when we look at the clock we are using base 12. If the current time is 9 am and an appointment is at 1 pm, we know that the appointment is four hours away. Modular arithmetic tells us that 1 − 9 ≡ 4 πππ 12. (Modular arithmetic, 2011) 1.1 Division Algorithm The division algorithm roughly states “that any integer a can be “divided” by π in such a way that the remainder is smaller than π.” (Burton, 2007, p. 17) Mathematically, this can be expressed as follows π = ππ + π Equation 1-1 Where π is a multiplier and π is a residue. Example 1-1 13 = 1 ∗ 12 + 1, the multiplier is 1 and the residue is 1. Using modular arithmetic, we write 13 ≡ 1 πππ 12. Example 1-2 9 = 0 ∗ 12 + 9, in this case the multiplier is zero and the residue is equal to 9 or π. Using modular arithmetic, we write 9 ≡ 9 πππ 12. 1.2 Addition Addition follows the same rules that we are used to from normal arithmetic with the additional step that the result is reduced by the modulus. To add two numbers π1 and π2 we first express the numbers in the form of Equation 1-1. π1 = π1 ∗ π + π1 π2 = π2 ∗ π + π2 Next we add and collect terms. π1 + π2 = (π1 + π2 ) ∗ π + (π1 + π2 ) Note that this remains in the form of Equation 1-1 but does not preclude the possibility that the sum π1 + π2 could be greater than the modulus, thus causing a change to the multiplier. Example 1-3 13 + 9 ≡ 10 πππ 12 13 + 9 = (1 ∗ 12 + 1) + (0 ∗ 12 + 9) = (1 + 0) ∗ 12 + (1 + 9) = 1 ∗ 12 + 10 In this case, the multiplier is not affected. Page 1 of 21 The Algebra of Encryption 25 July 2011 Example 1-4 9 + 9 ≡ 6 πππ 12 9 + 9 = (0 ∗ 12 + 9) + (0 ∗ 12 + 9) = (0 + 0) ∗ 12 + (9 + 9) = 0 ∗ 12 + 18 In this case, the resulting residue is greater than the modulus and should be reduced. Add and subtract the modulus, 12, and collect terms. 18 = 0 ∗ 12 + 18 + 1 ∗ 12 − 12 = (0 + 1) ∗ 12 + (18 − 12) = 1 ∗ 12 + 6 1.3 Subtraction Modular subtraction is similar to modular addition. To subtract two numbers π1 and π2 we first express the numbers in the form of Equation 1-1. π1 = π1 ∗ π + π1 π2 = π2 ∗ π + π2 Next we subtract and collect terms. π1 − π2 = (π1 − π2 ) ∗ π + (π1 − π2 ) Again, the result remains in the form of Equation 1-1 but does not preclude the possibility that the difference π1 − π2 could be less than the zero. Since we generally deal with positive numbers, this causes a change to the multiplier. Example 1-5 9 − 13 ≡ 8 πππ 12 9 − 13 = (0 ∗ 12 + 9) − (1 ∗ 12 + 1) = (0 − 1) ∗ 12 + (9 − 1) = (−1) ∗ 12 + 8 In this case, the multiplier is not affected. Example 1-6 13 − 9 ≡ 4 πππ 12 13 − 9 = (1 ∗ 12 + 1) − (0 ∗ 12 + 9) = (1 − 0) ∗ 12 + (1 − 9) = 1 ∗ 12 + (−8) In this case, the resulting residue is less than zero and should be adjusted. Add and subtract the modulus, 12, and collect terms. (−8) = 1 ∗ 12 + (−8) + (−1) ∗ 12 + 12 = (1 − 1) ∗ 12 + (−8 + 12) = 0 ∗ 12 + 4 1.4 Multiplication Multiplication is merely repeated addition. As with addition and subtraction, the resulting residue is generally adjusted to be less than the modulus and non-negative. Example 1-7 4 ∗ 13 ≡ 4 πππ 12 4 ∗ 13 = (1 ∗ 12 + 1) + (1 ∗ 12 + 1) + (1 ∗ 12 + 1) + (1 ∗ 12 + 1) = (1 + 1 + 1 + 1) ∗ 12 + (1 + 1 + 1 + 1) = (4) ∗ 12 + 4 In this case, the multiplier is not affected. Page 2 of 21 The Algebra of Encryption 25 July 2011 Example 1-8 13 ∗ 4 ≡ 4 πππ 12 13 ∗ 4 = 13 ∗ (0 ∗ 12 + 4) = (13 ∗ 0) ∗ 12 + (13 ∗ 4) = 0 ∗ 12 + 52 In this case, the resulting residue should be adjusted. 52 = 4 ∗ 12 + 4 1.5 Division Division is a little tricky. Normally we think of division as dividing one number into equal parts countable to another. Thus the name. However, when we stick to Integers, we don’t always get equal Integer parts. We need to think of modular division a little differently. Generally, when we divide π by π we use the following notation. π =π π Equation 1-2 For modular division, we need to write this in a different way. π = π ∗ π or π ∗ π = π Equation 1-3 If trying to divide π by π, we need to ask by what number, π, can we multiply π such that the result is congruent to π modulo the modulus? Example 1-9 10 ÷ 2 ≡ 5 πππ 13 2 ∗ 5 = 10 = 0 ∗ 13 + 10 This is easy because we know we can multiply 2 by 5 and the result is 10. Example 1-10 10 ÷ 4 ≡ 9 πππ 13 In this case, 4 ∗ 9 = 36 = 2 ∗ 13 + 10. That is to say, we found a number, 9, that we can multiply by 4 such that the result is congruent to 10 modulo 13. Exactly how we find the number 9 directly, without trial and error, is discussed in section 1.6 and 2.1.2. 1.6 Division by Multiplicative Inverse Another way of accomplishing modular division is by using the multiplicative inverse of the divisor. Re-writing Equation 1-2, we get the following equation for division. π ∗ π−1 = π Equation 1-4 But this begs the question, what is the multiplicative inverse in modular arithmetic? Remembering back to regular arithmetic, we again think of multiplicative inverse in a different way. We need to ask by what number, π−1 , can we multiply π such that the result is congruent to 1 modulo the modulus? This is expressed mathematically as follows. Page 3 of 21 The Algebra of Encryption 25 July 2011 1 ≡ π ∗ π −1 πππ ππππ’ππ’π Equation 1-5 Expressed algebraically for modular arithmetic, we have the following. 1 = π ∗ π + π ∗ π −1 Equation 1-6 Where again, π is the multiplier, π is the modulus, π is the number of interest, and π −1 is the Modular Multiplicative Inverse (MMI). Example 1-11 (4)−1 ≡ 10 πππ 13 1 = (−3) ∗ 13 + 4 ∗ 10. Again, exactly how we find the number 10 directly, without trial and error, is discussed in section 2.1.2. Example 1-12 Going back to Example 1-10, we get the following. 10 ÷ 4 = 10 ∗ 4−1 ≡ 10 ∗ 10 πππ 13 = 100 = 7 ∗ 13 + 9 ≡ 9 πππ 13, which agrees with the findings in Example 1-10. 2 Useful Functions 2.1 Euclidean Algorithm The Euclidean algorithm is an important part of the algebra of encryption. It is generally thought of as providing the Greatest Common Divisor (GCD) of two numbers. When the two numbers are properly chosen, the Euclidean algorithm can also be used to directly determine the Modular Multiplicative Inverse (MMI). 2.1.1 Greatest Common Divisor “The Euclidean algorithm (also called Euclid’s algorithm) is an efficient method for computing the greatest common divisor.” “The GCD of two numbers is the largest number that divides both of them without leaving a remainder.” (Euclidean algorithm, 2011) Figure 2-1 reproduces an example discussed in (Euclidean algorithm, 2011). We would like to find the GCD of two numbers represented by lines AB and CD. 1. Start by comparing the smaller number to the larger number. 2. Find the quotient of the two numbers. In this case, the quotient refers to the greatest integer less than or equal to π΄π΅ ÷ πΆπ·. In other words, how many times can we multiply CD and still remain smaller than or equal to AB. In the figure, this quotient is 1. 3. Multiply the second number by the quotient and subtract from the first. In the figure, the result, or residue, is AE. 4. Now compare the residue with the previous smaller number. In the figure, this is comparing CD and AE. Repeat the above steps until the larger number is an integral multiple of the smaller number. That is to say, there is no resulting residue. The GCD is the last residue, in this case, CF. Page 4 of 21 The Algebra of Encryption 25 July 2011 B E D F E A F C F C F E A C A C Figure 2-1: Euclidean Algorithm Now we can add up the line lengths and verify that CF is the GCD of AB and CD. π΄πΈ = 3 ∗ πΆπΉ πΆπ· = 2 ∗ π΄πΈ + πΆπΉ = 2 ∗ 3 ∗ πΆπΉ + πΆπΉ = 7 ∗ πΆπΉ π΄π΅ = πΆπ· + π΄πΈ = 7 ∗ πΆπΉ + 3 ∗ πΆπΉ = 10 ∗ πΆπΉ Referring to Figure 2-2, it is easy to see that CF does indeed evenly divide both AB and CD. B E A 10 * FC D F C 7 * FC E F C F C F A E C F A C F C F C F C F C F C F C Figure 2-2: Comparing the Results 2.1.2 Modular Multiplicative Inverse By computing the Euclidian algorithm on a number of interest and the modulus, we can directly compute the MMI of the number of interest. In these calculations, it is efficient to accumulate the quotients at each step as coefficients of the two numbers. This is often referred to as the Extended Euclidean algorithm. If we put numbers to the lines in Figure 2-1, for example 50 and 35, we have the following example. Example 2-1 1. Start by writing the two numbers as below. 50 = 50 ( 1) + 35 ( 0) 35 = 50 ( 0) + 35 ( 1) Page 5 of 21 The Algebra of Encryption 25 July 2011 2. Find the quotient of the two numbers. q = int(50 / 35) = 1 3. Multiply the second equation through by the quotient and subtract from the first. 50 = 50 ( 1) + 35 ( 0) 35 = 50 ( 0) + 35 ( 1), q = 1 15 = 50 ( 1) + 35 ( -1) 4. Repeat steps 2 and 3 comparing the residues until the result is 0 50 = 50 ( 1) + 35 ( 0) 35 = 50 ( 0) + 35 ( 1), q = 1 15 = 50 ( 1) + 35 ( -1), q = 2 5 = 50 ( -2) + 35 ( 3), q = 3 0 = 50 ( 7) + 35 (-10) The GCD is the last residue, in this case, 5. If we work this example again using the numbers 10 and 7, we will find that the GCD is 1. If two numbers have a GCD of 1, they are said to be relatively prime or coprime. (Coprime, 2011) Now, how does this find the MMI? If we return to Example 1-11, we wish to find the MMI of 4 modulo 13. If we compute the Extended Euclidian algorithm of 13 and 4 we have the following. 13 = 13 ( 4 = 13 ( 1 = 13 ( 1) + 4 ( 0) 0) + 4 ( 1), q = 3 1) + 4 ( -3) When searching for the MMI, we can stop when the residue is 1. Now compare our result with Equation 1-6. (-3) is the MMI of 4 modulo 13. We prefer to deal with non-negative numbers, so the result needs to be adjusted. We do this by adding and subtracting 13 * 4 and collecting terms. 1 = 13 (1 ) + 4 (-3 ) + 13 (-4) + 4 (13) 1 = 13 (1 - 4) + 4 (-3 + 13) 1 = 13 ( -3) + 4 ( 10) Thus 10 is the MMI of 4 mod 13. This result agrees with our findings in Example 1-11. Mentioned above is that we can stop searching for the MMI when the residue is 1. This is because the next line would result in a residue of zero. When we arrive at a residue of zero but the previous line does not have a residue of 1, the number of interest and the modulus are not coprime and no MMI exists for that number of interest for that modulus. (Burton, 2007, pp. 7677) 2.2 Modular Exponentiation Many encryption schemes employ modular exponentiation. When dealing with very large numbers, such as in cryptography, efficient computing is essential. (Garrett, 2004, p. 123) describes an algorithm entitled Fast Modular Exponentiation. Page 6 of 21 The Algebra of Encryption ο· ο· ο· ο· 25 July 2011 Initiate X = base, E = exponent, Y = 1: x e ≡ y mod m. If E is odd: replace Y by (X * Y) mod m and replace E = E - 1. E is now even: replace X by (X * X) mod m and replace E = E / 2. When E = 0: x e ≡ y mod m. X keeps the current binary power of the base number. Y is the accumulator. Note how E is parsed for its binary bit values. 1. Starting from the least significant bit, check if the bit is 1 (if E is odd). 2. If E is odd, accumulate the corresponding power of the base: Y = Y * X. The decrement of E simply makes the division by 2 in the next step easier. 3. E is now even, update X to the next binary power of the base: X = X * X. Divide E by 2, that is to say, right shift so the next binary bit is in the least significant bit position. 4. Loop to step 2 until E = 0. Example 2-2 First let’s calculate 311 without a modulus. πΈ = 11 = 1 + 2 + 8. π = 311 = 31 ∗ 32 ∗ 38 = 3 ∗ 9 ∗ 6561 = 177147 Notes X E 1 Initialization 11 3 =3 E is odd 11 − 1 = 10 E is even 10 ÷ 2 = 5 32 = 9 E is odd 5−1=4 E is even 34 = 81 4÷2=2 8 E is even 2÷2=1 3 = 6561 E is odd 1−1=0 Y 1 3∗1=3 9 ∗ 3 = 27 6561 ∗ 9 ∗ 3 = 177147 Example 2-3 Now let’s calculate 311 πππ 527 π = 311 = 31 ∗ 32 ∗ 38 = 3 ∗ 9 ∗ 237 πππ 527 = 75 πππ 527 Notes X E 1 Initialization 11 3 =3 E is odd 11 − 1 = 10 2 E is even 10 ÷ 2 = 5 3 πππ 527 = 9 E is odd 5−1=4 E is even 34 πππ 527 = 81 4÷2=2 8 E is even 2÷2=1 3 πππ 527 = 237 E is odd 1−1=0 Y 1 3 ∗ 1 πππ 527 = 3 9 ∗ 3 = 27 πππ 527 237 ∗ 9 ∗ 3 πππ 527 = 75 You can verify that 177,147 = 75 πππ 527. Notice that everything happens the same with a modulus as without a modulus. The only difference is in the size of the numbers - the calculation results are reduced modulo 527. Page 7 of 21 The Algebra of Encryption 25 July 2011 Also notice the significant role of multiplication in this algorithm. We multiply π ∗ π for each exponent bit position. We multiply π ∗ π when the exponent’s least significant bit is 1. In Example 2-2 we dealt with larger numbers. In Example 2-3 the numbers were limited by the modulus and remained smaller. Consider multiplying two 4 digit binary numbers and two 2 digit binary numbers. 1111 x 1111 ----------------1111 1111 1111 + 1111 ----------------11100001 11 x 11 ----------------11 + 11 ----------------1001 The 4 digit multiplication involved the addition of 16 bits. The 2 digit multiplication involved the addition of only 4 bits. Since the size of numbers cryptography deals with are usually larger than a computer’s arithmetic logic unit can deal with, special Big Integer computational packages such as Multiple Precision Integers and Rationals (MPIR) (MPIR home page) or Gnu Multiple Precision (GMP) (The GNU Multiple Precision Arithmetic Library) are usually employed. The smaller the modulus, the smaller the numbers we deal with, and the less time involved in multiplying. 2.3 Chinese Remainder Theorem (CRT) Chinese Remainder Theorem is frequently used in cryptography to reduce the calculation time inherent in calculating with large numbers. This time reduction is accomplished by doing a few extra calculations, but with much smaller numbers. (Chinese remainder theorem, 2011) Also, a significant part of the calculations may be done once, in advance, and then used for subsequent calculations. This discussion follows (Stallings, 2011, pp. p 254-257). The example will use a modulus with four factors. 2.3.1 Pre-calculations Identify the Factors of M Choose π1 , π2 , π3 , and π4 . The numbers must be coprime. π1 = 37 π2 = 49 = 72 π3 = 55 = 5 ∗ 11 π4 = 64 = 26 Page 8 of 21 The Algebra of Encryption 25 July 2011 Notice that π2 and π4 are powers of prime numbers and π3 is composite. Only π1 is truly prime in this example. The only requirement is that the chosen factors of M be coprime with respect to each other. π = π1 ∗ π2 ∗ π3 ∗ π4 = 37 ∗ 49 ∗ 55 ∗ 64 = 6,381,760 Calculate π΄π Calculate ππ = π ÷ ππ for each ππ . π1 = π ÷ π1 = 6,381,760 π2 = π ÷ π2 = 6,381,760 π3 = π ÷ π2 = 6,381,760 π4 = π ÷ π4 = 6,381,760 ÷ 37 = 172,480 ÷ 49 = 130,240 ÷ 55 = 116,032 ÷ 64 = 99,715 Calculate π΄π−π πππ ππ Use the Extended Euclidean Algorithm to calculate ππ−1 πππ ππ for each ππ . π1−1 πππ π1 = 172,480−1 πππ 37 ≡ 29 π2−1 πππ π2 = 130,240−1 πππ 49 ≡ 24 π3−1 πππ π3 = 116,032−1 πππ 55 ≡ 3 π4−1 πππ π4 = 99,715−1 πππ 64 ≡ 43 Calculate π¨π For convenience, define π΄π = ππ ∗ ππ−1 πππ π for each ππ . π΄1 = π1 ∗ π1−1 πππ π = 172,480 ∗ 29 πππ 6,381,760 ≡ 5,001,920 π΄2 = π2 ∗ π2−1 πππ π = 130,240 ∗ 24 πππ 6,381,760 ≡ 3,125,760 π΄3 = π3 ∗ π3−1 πππ π = 116,032 ∗ 3 πππ 6,381,760 ≡ 348,096 π΄4 = π4 ∗ π4−1 πππ π = 99,715 ∗ 43 πππ 6,381,760 ≡ 4,287,745 2.3.2 Addition To add two numbers, complete the addition for each ππ , then combine the results. As an example, we will add 735,839 and 826,277 mod M. Start by computing the residue for each factor. π₯ = 735,839 π₯1 = π₯ πππ π1 = 735,839 πππ 37 = 20 π₯2 = π₯ πππ π2 = 735,839 πππ 49 = 6 π₯3 = π₯ πππ π3 = 735,839 πππ 55 = 49 π₯4 = π₯ πππ π4 = 735,839 πππ 64 = 31 π¦ = 826,277 π¦1 = π¦ πππ π1 = 826,277 πππ 37 = 30 π¦2 = π¦ πππ π2 = 826,277 πππ 49 = 39 π¦3 = π¦ πππ π3 = 826,277 πππ 55 = 12 π¦4 = π¦ πππ π4 = 826,277 πππ 64 = 37 Add for each ππ Compute π₯ + π¦ = π§π πππ ππ for each ππ . π§1 = π₯1 + π¦1 = 20 + 30 = 50 ≡ 13 πππ 37 Page 9 of 21 The Algebra of Encryption 25 July 2011 π§2 = π₯2 + π¦2 = 6 + 39 = 45 ≡ 45 πππ 49 π§3 = π₯3 + π¦3 = 49 + 12 = 61 ≡ 6 πππ 55 π§4 = π₯4 + π¦4 = 31 + 37 = 68 ≡ 4 πππ 64 Combine the results Find the result of (π₯ + π¦) πππ π = (π§1 ∗ π΄1 + π§2 ∗ π΄2 + π§3 ∗ π΄3 + π§4 ∗ π΄4 ) πππ π (735,839 + 826,277) πππ 6,381,760 = (13 ∗ 5,001,920 + 45 ∗ 3,125,760 + 6 ∗ 348,096 + 4 ∗ 4,287,745) πππ 6,381,760 ≡ 1,562,116 2.3.3 Multiplication To multiply two numbers, complete the multiplication for each ππ , then combine the results. If we use the same x and y values as for addition, we can use the same residues for each factor. Multiply for each ππ Compute π₯ ∗ π¦ = π§π πππ ππ for each ππ . π§1 = π₯1 ∗ π¦1 = 20 ∗ 30 = 600 ≡ 8 πππ 37 π§2 = π₯2 ∗ π¦2 = 6 ∗ 39 = 234 ≡ 38 πππ 49 π§3 = π₯3 ∗ π¦3 = 49 ∗ 12 = 588 ≡ 38 πππ 55 π§4 = π₯4 ∗ π¦4 = 31 ∗ 37 = 1147 ≡ 59 πππ 64 Combine the results Find the result of (π₯ ∗ π¦) πππ π = (π§1 ∗ π΄1 + π§2 ∗ π΄2 + π§3 ∗ π΄3 + π§4 ∗ π΄4 ) πππ π (735,839 ∗ 826,277) πππ 6,381,760 = (8 ∗ 5,001,920 + 38 ∗ 3,125,760 + 38 ∗ 348,096 + 59 ∗ 4,287,745) πππ 6381760 ≡ 3,802,683 2.4 Euler’s Totient Function Euler’s totient function, π·(π), identifies the number of integers, less than n, that are relatively prime to n. A good treatment of Euler’s Totient function can be found in (Burton, 2007, pp. 131135). (Stallings, 2011, pp. 249-250) presents Euler’s totient function as π·(π) = π − 1 for prime p. This is correct, but not good for a general definition of the function. (Burton, 2007, pp. 131-135) gives a more versatile definition as π·(ππ ) = ππ − ππ−1 . It is easy to see that this version degenerates to the previous version in the case of π = 1. To determine the totient of a composite number, we must know the prime factors of the number. Given π = ππ ∗ π π , π·(π) = π·(ππ ) ∗ π·(π π ) = (ππ − ππ−1 ) ∗ (π π − π π−1 ) (Burton, 2007, pp. 131-135). Again, if π and π = 1, then the equation degenerates to π·(π) = π·(π) ∗ π·(π) = (π − 1) ∗ (π − 1) as described by (Stallings, 2011, pp. 249-250). Page 10 of 21 The Algebra of Encryption 25 July 2011 Example 2-4 To calculate π·(21), the first form is adequate. First we must know the prime factors of 21, namely 3 and 7. π·(21) = (3 − 1) ∗ (7 − 1) = 2 ∗ 6 = 12 Therefore, the number of integers less than 21 relatively prime to 21 should count to 12. 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are the 12 numbers less than 21 that are relatively prime to 21. Example 2-5 To calculate π·(20), the second form of the totient function is required. The prime factors of 20 are 22 and 5. π·(20) = (22 − 21 ) ∗ (51 − 50 ) = (4 − 2) ∗ (5 − 1) = 2 ∗ 4 = 8 The 8 integers less than 20 relatively prime to 20 are 1, 3, 7, 9, 11, 13, 17, 19. 3 Exponentiation and Chinese Remainder Theorem In section 2.3 we looked at addition and multiplication using CRT. We would like to take advantage of the CRT and reduce the exponent. Notice that reducing the exponent by the modulus does not result in congruence. π π = π πππ+ππ β’ π ππ πππ π where π is the base, ππ is the multiplier, and ππ is the residue. To demonstrate this, let π = 131 π = 17 π=3 π = 131 = ππ π + ππ = 7 ∗ 17 + 12 π π = 3131 = 10 πππ 17 π ππ = 312 = 4 πππ 17 π π β’ π ππ πππ π To reduce the exponent correctly, we must employ Euler’s theorem. Euler’s theorem states that if π ≥ 1 and gcd(π, π) = 1, then ππ·(π) ≡ 1 πππ π. (Burton, 2007, p. 137) π π = π ππ· π·(π)+ππ· ≡ π ππ· πππ π where π is the base, ππ· is the multiplier, and ππ· is the residue. To demonstrate this, let π = 131 π = 17, π·(π) = 16 π=3 Page 11 of 21 The Algebra of Encryption 25 July 2011 π = 131 = ππ· π·(π) + ππ· = 8 ∗ 16 + 3 π π = 3131 = 10 πππ 17 π ππ· = 33 = 10 πππ 17 π π ≡ π ππ· πππ π We can always use the full exponent when conducting the calculations for each CRT modulus. But to reduce the exponent, we must know π·(π) which requires we know the factors of π if π is not prime. 4 Public Key Cryptography - RSA Euler’s theorem is the heart of the RSA encryption and decryption method. (RSA, 2011). If we choose two prime numbers π and π we can form π = π ∗ π and determine π·(π). If we then choose an encryption exponent π so that πππ(π, π·(π)) = 1, we can find a decryption exponent π such that π ∗ π ≡ 1 πππ π·(π). The exponent π is merely the MMI of π πππ π·(π), and we know from section 2.1.2 how to find π. Note that π ∗ π = π ∗ π·(π) + 1 for some multiplier π. Now take a message expressed as a number π. Calculate the encrypted message by using the encryption exponent. πΆ = ππ πππ π To decrypt, use the decryption exponent. Calculate πΆ π πππ π = π. πΆ π = (ππ )π = ππ∗π·(π)+1 = ππ∗π·(π) ∗ π = (ππ·(π) )π ∗ π Taking note of Euler’s theorem, if the decryption calculations are made modulo n, we have πΆ π = (1)π ∗ π πππ π = π Thus we have successfully decrypted the message, assuming πππ(π, π) = 1 to satisfy the requirements of Euler’s theorem. “In the unlikely event that M and n are not relatively prime, a similar argument establishes that [πΆ π ] ≡ π πππ π and [πΆ π ] ≡ π πππ π, which then yields the desired congruence [πΆ π ] ≡ π πππ π. We omit the details.” (Burton, 2007, p. 204) RSA involves calculating modular exponentials. The example uses normal encryption and CRT decryption. Note that CRT only benefits decryption because the factors of the modulus must be known and they are part of the private key. Let: π = 17 π = 31 π = 11 message: π = 3 Page 12 of 21 The Algebra of Encryption 25 July 2011 calculate π = π ∗ π = 17 ∗ 31 = 527 calculate π·(π) = (π − 1) ∗ (π − 1) = 16 ∗ 30 = 480 calculate π = π −1 πππ π·(π) ≡ 131 4.1 CRT Pre-calculations π = π ÷ π = 31 π−1 πππ π ≡ 11 π΄π = π ∗ π−1 πππ π = 31 ∗ 11 πππ 527 ≡ 341 π = π ÷ π = 17 π −1 πππ π ≡ 11 π΄π = π ∗ π −1 πππ π = 17 ∗ 11 πππ 527 ≡ 187 ππ = π πππ π·(π) = 131 πππ 16 ≡ 3 ππ = π πππ π·(π) = 131 πππ 30 ≡ 11 See section 3 regarding how to reduce the exponent π into ππ and ππ . 4.2 Encrypt πΆ = ππ πππ π = 311 πππ 527 ≡ 75 (See Example 2-3.) 4.3 Decrypt Note the use of ππ and ππ in place of the normal decrypt exponent. ππ = πΆ ππ πππ π = 753 πππ 17 = 73 πππ 17 ≡ 3 4.4 ππ = πΆ ππ πππ π = 7511 πππ 31 = 1311 πππ 31 ≡ 3 Combine the results π = (ππ ∗ π΄π + ππ ∗ π΄π ) πππ π = (3 ∗ 341 + 3 ∗ 187) πππ 527 ≡ 3 4.5 Conclusion Decryption is accomplished using smaller exponents and smaller moduli. Multiplication is a large part of calculating modular exponentials. When computing many exponentials using the same private key, time savings becomes significant. 5 How to Share a Secret (Shamir, November, 1979) describes how to share secret information such that the holders of a share cannot individually obtain the secret. Only if a certain minimum number of share holders collaborate can the secret information be identified. A simple description of this method is to use a curve described by a polynomial function. π(π₯) = ππ‘ π₯ π‘ + ππ‘−1 π₯ π‘−1 β― π1 π₯ + π0 Equation 5-1 Typically, π0 is the secret information, for example a secret key, and the other t coefficients in the polynomial may be chosen at random. If two or more elements comprise the secret key, such Page 13 of 21 The Algebra of Encryption 25 July 2011 as π, π, πππ π , necessary for CRT decryption of RSA, then more coefficients may be set and the remainder chosen at random. Basic algebra tells us that when we have π‘ + 1 unknowns - the π‘ + 1 coefficients, we need to know π‘ + 1 points on the curve to identify all of the coefficients. We really only want the one coefficient, π0 , but even that cannot be determined without the required minimum number of points from the curve. Points on the curve - x and f(x) pairs, are the secret shares given to the trusted authorities. Many more than π‘ + 1 secret shares may be given out. But, only if a minimum of π‘ + 1 trusted authorities agree to provide their secret share and collaborate, can the secret information be identified. The secret information - coefficient(s) of the polynomial, may be identified by any linear algebra method for solving a system of simultaneous equations. The x values may be as simple as indexes, incremented between one share holder to the next. Only the value of f(x) must be held secret. 6 Paillier Cryptography The cryptographic systems proposed by (Paillier, 1999) involve polynomial expansion of exponentiation. Paillier proposed three systems, one will be discussed here. It is similar to RSA cryptography. 6.1 Carmichael Function In order to understand the algebra of Paillier cryptography, we need to understand the Carmichael function. The Carmichael function, π(π), is similar to Euler’s totient function π·(π). (Paillier, 1999, p. 2) π(π) = πππ(π − 1, π − 1) Equation 6-1 where π = ππ, π and π are distinct primes, and lcm stands for Least Common Multiple. The Carmichael function also has some useful properties for Paillier cryptography. For any integer π€ that is coprime with π: π { π€ππ ≡ 1 πππ π2 π€ ≡ 1 πππ π Equation 6-2 Which implies there exists some integer π and π such that π { π€ππ = ππ2+ 1 π€ = ππ + 1 Equation 6-3 6.2 Preliminaries Choose two safe prime numbers p and q, form π = π ∗ π, and determine π = πππ(π − 1, π − 1). Safe prime numbers are of the form 2π + 1, where p is also a prime. (Safe prime, 2010) Page 14 of 21 The Algebra of Encryption 25 July 2011 Define the function πΏ(π’) = π’−1 π Equation 6-4 Note: that π’ is usually an exponential πππ π2 . The notation used is a little awkward because only the exponential should be calculated πππ π2. The division by π cannot be accomplished πππ π2 because π has no MMI πππ π2. The numerator should be a multiple of π, and the “normal” division should result in an integer with no residue. Choose a generator value π such that πππ(πΏ(π π πππ π2 ), π) = 1 Equation 6-5 Note: See section 6.12 regarding choosing values of π. The public key is (π, π). The private key is λ. 6.3 Encrypt The plaintext message is π < π. Choose a random number π < π. Calculate the encrypted message π = ππ π π πππ π2 Equation 6-6 6.4 Decrypt Plaintext π= πΏ(π π πππ π2 ) πππ π πΏ(π π πππ π2 ) Equation 6-7 6.5 Explanation The Generator g Starting from the Carmichael function Equation 6-3. π π = 1 + ππ π ππ₯ = (1 + ππ)π₯ Equation 6-8 If we use binomial expansion of the polynomial, we get (Binomial theorem, 2011) π₯ (1 + ππ)π₯ = 1π₯ + π₯ ∗ (1π₯−1 ) ∗ (ππ)1 + ( ) ∗ (1π₯−2 ) ∗ π2 + β― 2 where π₯ π₯! ( )= π π! (π₯ − π)! Page 15 of 21 The Algebra of Encryption 25 July 2011 When we reduce modulo π2 , all of the polynomial terms of π2 and higher drop out. We are left with π ππ₯ = (1 + ππ)π₯ = (1 + π₯ππ) πππ π2 Equation 6-9 The Decrypt Numerator ππ − 1 (ππ π π )π − 1 πππ π ππ − 1 πΏ(π π πππ π2 ) = πππ π2 = πππ π2 = πππ π2 π π π Applying Equation 6-2 to π ππ . πΏ(π π πππ π2 ) ≡ πππ (1) − 1 πππ π2 π Applying Equation 6-9 to πππ (1 + πππ) − 1 πππ πΏ(π π πππ π2 ) ≡ πππ π2 = πππ π2 = ππ πππ π2 π π Equation 6-10 Note that we must divide by π using normal division. π has no multiplicative inverse πππ π2. The Decrypt Denominator πΏ(π π πππ π2 ) = (1 + ππ) − 1 ππ − 1 πππ π2 = πππ π2 = π πππ π2 π π Equation 6-11 Again, we must divide by π using normal division. The Decrypt Combining Equation 6-10 and Equation 6-11 into Equation 6-7, we get πΏ(π π πππ π2 ) ππ πππ π2 π= πππ π = πππ π π πππ π2 πΏ(π π πππ π2 ) See section 6.11 concerning pre-calculations. The decrypt equation can be written as π = [πΏ(π π ) πππ π2 ] ∗ π πππ π where −1 ππ − 1 2 π=[ πππ π ] πππ π π 6.6 Paillier Cryptography Example Preliminaries Let π = 23 π = 59 π = π ∗ π = 23 ∗ 59 = 1357 Page 16 of 21 The Algebra of Encryption 25 July 2011 π2 = 1,841,449 π = πππ(π − 1, π − 1) = (π − 1)(π − 1) 22 ∗ 58 = = 638 πππ(π − 1, π − 1) 2 Choose π π = 71 Check π (see section 6.12.) πππ(π, π) = 1 π ≠ ππ + 1 for some integer π. Verify π π π πππ π2 = 71638 = 521,089 ππ − 1 521,089 − 1 πΏ(π πππ π ) = πππ π2 = πππ 1,841,449 = 384 π 1357 π 2 πππ(πΏ(π π πππ π2 ), π) = πππ(384, 1357) = 1 Pre-calculate π (See section 6.11.) −1 π = [πΏ(π π πππ π2 )] πππ π = [384]−1 πππ π = 887 Encrypt Let π = 1025 π = 1019 π = ππ π π πππ π2 = 711025 ∗ 10191357 πππ 1,841,449 = 1,593,818 Decrypt Numerator: πΏ(π π πππ π2 ) = ππ − 1 1,593,818638 − 1 πππ π2 = πππ 1,841,449 = 70 π 1357 Plaintext: π = πΏ(π π πππ π2 ) ∗ π πππ π = 70 ∗ 887 πππ 1357 = 1025 6.7 Blinding Cryptographic blinding allows for a message to be multiplied by a specially treated random number, while still allowing the message to be decrypted without knowledge of the random number. (Blinding (cryptography), 2011) Due to the properties of Paillier cryptography noted in Equation 6-2, any succession of blinding factors may be applied to the ciphertext without affecting the successful decryption. Page 17 of 21 The Algebra of Encryption 25 July 2011 To see this, apply a succession of π blinding factors to the same message. π = ππ ∗ π1π π2π β― πππ πππ π2 = ππ ∗ π π πππ π2 where π = ∏π ππ . π is still a random number and does not affect the successful decryption of the message. 6.8 Blinding Example We use the ciphertext from the example in section 6.6 and chose another random number. π1 = 1,593,818 π2 = 951 π2 = π1 π2π πππ π2 = 1,593,818 ∗ 9511357 πππ 1,841,449 = 1,587,825 Decrypt Numerator: πΏ(π π πππ π2 ) = ππ − 1 1,587,825638 − 1 πππ π2 = πππ 1,841,449 = 70 π 1357 As we saw in the explanation in section 6.5, the decrypt numerator is unaffected by the blinding of the added random number. 6.9 Additive Homomorphic Properties Paillier cryptography includes an interesting homomorphic property in that the multiplication of two ciphertexts is equivalent to the addition of the respective plaintexts. (Paillier, 1999, p. 13) To see this, start with two messages π1 and π2 and encrypt. π1 = ππ1 π1π πππ π2 π2 = ππ2 π2π πππ π2 Now multiply the two ciphertexts. π1 ∗ π2 = ππ1 π1π ∗ ππ2 π2π πππ π2 = ππ1 ππ2 ∗ π1π π2π πππ π2 = ππ1 +π2 ∗ (π1 π2 )π πππ π2 = ππ3 ∗ π3π πππ π2 where m3 = m1 + m2 and r3 = r1 ∗ r2 . r3 is a random number, and the product c1 ∗ c2 will correctly decrypt as m1 + m2 . 6.10 Homomorphic Example We use the ciphertext from the example in section 6.6 and section 6.8. These two ciphertext represent the same plaintext, so the expected result is that the original message will be doubled. π3 = π1 ∗ π2 = 1,593,818 ∗ 1,587,825 πππ 1,841,449 = 705,150 Page 18 of 21 The Algebra of Encryption 25 July 2011 Decrypt Numerator: ππ − 1 705,150638 − 1 2 πΏ(π πππ π ) = πππ π = πππ 1,841,449 = 140 π 1357 π 2 Plaintext: π = πΏ(π π πππ π2 ) ∗ π πππ π = 140 ∗ 887 πππ 1357 = 693 Which is as expected since 2 ∗ 1025 πππ 1357 = 693. 6.11 Pre-calculations Some elements of Paillier cryptography can be pre-calculated. Decryption The decrypt denominator is actually calculated when π is verified. The only additional precalculation is to find the MMI of the denominator. −1 ππ − 1 2 π=[ πππ π ] πππ π π Equation 6-12 Decryption then becomes π = [πΏ(π π ) πππ π2 ] ∗ π πππ π Equation 6-13 Determine λ Because p and q are safe primes, we have the following determination for λ. π = 2π′ + 1 π = 2π ′ + 1 where π′ and π′ are also primes. This leads to the following pre-calculation for λ. π = πππ(π − 1, π − 1) = = (π − 1)(π − 1) gcd(π − 1, π − 1) (2π′ )(2π ′ ) 4π′π′ = ′ ′ gcd(2π , 2π ) 2 = 2π′π′ Equation 6-14 6.12 Observations Choosing g with a common factor to n The choosing of π, Equation 6-5, allows a vulnerability. If π shares a factor with π, the division of the numerator of πΏ(π π πππ π2 ) by the denominator, π, does not always yield an integer. (Paillier, 1999) never discusses that the division result should be verified to be an integer. If this Page 19 of 21 The Algebra of Encryption 25 July 2011 goes un-noticed, and the result is truncated, the equality of Equation 6-5 may hold and the value of π will be accepted. Example 6-1 π = 7 = 2 ∗ 3 + 1, π′ = 3 π = 11 = 2 ∗ 5 + 1, π′ = 5 π = π ∗ π = 77 π2 = 5929 π = 2π′ π ′ = 2 ∗ 3 ∗ 5 = 30 π = 35 = 5 ∗ 7 πππ(π, π) = 7 πΏ(π π πππ π2 ) = π π πππ π2 − 1 3530 πππ 5929 − 1 2597 − 1 = = = 33.7 π 77 77 πππ(πΏ(π π πππ π2 ), π) = πππ(33, 77) = 11 Example 6-2 Same as Example 6-1 except: π = 22 = 2 ∗ 11 πππ(π, π) = 11 π π πππ π2 − 1 2230 πππ 5929 − 1 484 − 1 πΏ(π πππ π ) = = = = 6.27 π 77 77 π 2 πππ(πΏ(π π πππ π2 ), π) = πππ(6, 77) = 1 In Example 6-1, the choice of π is rejected. In Example 6-2, the choice of π is accepted. The public key is (π, π). If π shares a factor with π, the astute adversary would be able to employ the Euclid algorithm to factor n and thereby find the secret key π. Choosing g without Blinding If one should choose π = 1 + ππ, for some integer π, blinding is in fact necessary. Consider encryption Equation 6-6 without the blinding factor π π . π = ππ = (1 + ππ)π Following the same process as the derivation of Equation 6-9, we arrive at π = (1 + ππ)π = (1 + πππ) πππ π2 Because (π, π) is the public key, the value of π is known publicly. Thus π can be easily calculated from π. Thus Blinding is necessary if π is chosen such that π = 1 + ππ. Page 20 of 21 The Algebra of Encryption 25 July 2011 7 Works Cited Binomial theorem. (2011, June 21). Retrieved July 10, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Binomial_expansion Blinding (cryptography). (2011, June 3). Retrieved July 10, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Blinding_(cryptography) Burton, D. M. (2007). Elementary Number Theory, Sixth Edition. New York, New York 10020: McGraw-Hill Higher Education. Chinese remainder theorem. (2011, July 2). Retrieved July 7, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Chinese_remainder_theorem Coprime. (2011, June 25). Retrieved July 7, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Coprime Euclidean algorithm. (2011, June 30). Retrieved July 7, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Euclid_algorithm Garrett, P. (2004). The Mathematics of Coding Theory. Upper Saddle River, New Jersey: Pearson Prentice Hall. Modular arithmetic. (2011, July 5). Retrieved July 7, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Modular_arithmetic MPIR home page. (n.d.). Retrieved July 9, 2011, from MPIR: http://www.mpir.org/ Paillier, P. (1999). Public-Key Cryptosystems Based on Composite Degree Residuosity Clases. Advances in Cryptology - Eurocrypt '99 , pp. 223-238. RSA. (2011, July 8). Retrieved July 8, 2011, from Wikipedia: http://en.wikipedia.org/wiki/RSA Safe prime. (2010, August 24). Retrieved July 9, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Safe_prime Shamir, A. (November, 1979). How to Share a Secret. Communications of the ACM , 612-613. Stallings, W. (2011). Cryptography and Network Security, Principles and Practice, Fifth Edition. Prentice Hall. The GNU Multiple Precision Arithmetic Library. (n.d.). Retrieved July 9, 2011, from GNU: http://gmplib.org/ Page 21 of 21