University of Debrecen
Faculty of Informatics

Data security (Cryptography) exercise book

Contents

1 RSA
1.1 RSA in general
1.2 RSA background
1.2.1 Euclidean algorithm
1.2.2 Extended Euclidean algorithm
1.2.3 Fast modular exponentiation (FME)
1.2.4 Fermat-test
1.2.5 Miller-Rabin primality test (compositeness test)
1.2.6 Chinese Remainder Theorem
1.3 RSA exercises
2 Discrete logarithm problem
2.1 Primitive root and discrete logarithm
2.2 ElGamal encryption
2.2.1 ElGamal exercises
2.3 Diffie-Hellman Key Exchange
2.3.1 Diffie-Hellman key exchange exercises
3 Solutions
3.1 RSA solutions
3.1.1 Euclidean algorithm solutions
3.1.2 Fast exponentiation solutions
3.1.3 Fermat-test solutions
3.1.4 Miller-Rabin solutions
3.1.5 Chinese Remainder Theorem solutions
3.1.6 RSA solutions
3.2 Solutions of exercises based on the Discrete logarithm problem
3.2.1 ElGamal solutions
3.2.2 Diffie-Hellman key exchange solutions

Chapter 1
RSA

1.1 RSA in general

I. Key generation

Let $p$ and $q$ be randomly generated large prime numbers.

Let $n = p \cdot q$.

Let $e$ be a small odd number such that $e$ and $\varphi(n)$ are relatively prime (coprime) (and $1 < e < \varphi(n)$).

Calculate the number $d$, where $e \cdot d \equiv 1 \pmod{\varphi(n)}$ (and $1 < d < \varphi(n)$). ($d$ is the inverse of $e$ modulo $\varphi(n)$.)

The public key of RSA is the pair $PK = (e, n)$.

The secret key of RSA is $SK = d$.

The set of plaintexts (messages): $\mathbb{Z}_n$.

In this scheme the set of encrypted messages (ciphertexts): $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$. (Denote the message by $m$, $0 \le m < n$.)

II. Encryption with the public key $PK = (e, n)$:

$Enc_{PK}(m) = c = m^e \pmod{n}$.

III. Decryption with the secret key $SK = d$:

$Dec_{SK}(c) = m = c^d \pmod{n}$.

1.2 RSA background

1.2.1 Euclidean algorithm

Division with remainder

For every two integers $a$ and $b \ne 0$ there exist uniquely determined $q$ and $r$ such that $a = b \cdot q + r$ and $0 \le r < |b|$. (By the quotient remainder theorem.)

Greatest common divisor

The greatest common divisor of $a$ and $b$ is $d$ if $d \mid a$, $d \mid b$; and if there exists a $c$ such that $c \mid a$ and $c \mid b$, then $c \mid d$.

Notation: $d = (a, b)$ or $d = \gcd(a, b)$ or $d = \gcd\{a, b\}$.

If $a = b = 0$ then the greatest common divisor is 0 (by definition).

Euclidean algorithm

There exists a greatest common divisor of any two integers.

Proof: Euclidean algorithm.

Algorithm: We use long division until we get the zero remainder. (Divide $r_k$ by $r_{k+1}$, set $q_{k+1}$ as the quotient and $r_{k+2}$ as the remainder of the division, and so on.)

| $k$ | 0 | 1 | 2 | 3 | 4 |
|---|---|---|---|---|---|
| $r_k$ | 139 | 14 | 13 | 1 | 0 |
| $q_k$ | - | 9 | 1 | 13 | |

1.2.2 Extended Euclidean algorithm

Theorem: The greatest common divisor (gcd) of two integers $a$ and $b$ can be written in the form $\gcd(a, b) = ax + by$, where $x$ and $y$ are integers.

$x_0 = 1$, $x_1 = 0$, $y_0 = 0$, $y_1 = 1$ (by definition)

$x_{k+1} = x_k \cdot r_k + x_{k-1}$

$y_{k+1} = y_k \cdot r_k + y_{k-1}$

$x = (-1)^n \cdot x_n$

$y = (-1)^{n+1} \cdot y_n$

| $k$ | 0 | 1 | 2 | 3 ($n$) | 4 |
|---|---|---|---|---|---|
| $q_k$ | 139 | 14 | 13 | 1 | 0 |
| $r_k$ | - | 9 | 1 | 13 | |
| $x_k$ | 1 | 0 | 1 | 1 | |
| $y_k$ | 0 | 1 | 9 | 10 | |

$\gcd(a, b) = ax + by$

$x = (-1)^3 \cdot 1 = -1$

$y = (-1)^4 \cdot 10 = 10$

$1 = 139 \cdot (-1) + 14 \cdot 10$

Exercises

Find the greatest common divisor of 45 and 211! Use the extended Euclidean algorithm and check the result!

We have two numbers $a = 2340$ and $b = 113$. Determine the greatest common divisor of $a$ and $b$, and the coefficients $x$ and $y$ in $\gcd(a, b) = ax + by$!

Solve the following equation (use the EEA): $\gcd(1491, 23) = 1491 \cdot x + 23 \cdot y$!

1.2.3 Fast modular exponentiation (FME)

In many cases, for example in the RSA algorithm (see later), it is necessary to determine the remainder of some integer power in modular arithmetic. Using the following method we can get the value $a^b$ modulo $m$ in relatively few steps, where $a$ is an integer, $b > 1$ is an integer and $m$ is a positive integer.

Algorithm:

1. We write the exponent as a sum of powers of 2:

$b = 2^{b_1} + 2^{b_2} + \ldots + 2^{b_r}$

2. We calculate the following values by repeated squaring:

$a^{2^0} \pmod{m},\ a^{2^1} \pmod{m},\ \ldots,\ a^{2^r} \pmod{m}$

/Using: $a^{2^{k+1}} \pmod{m} = a^{2^k \cdot 2} \pmod{m} = (a^{2^k})^2 \pmod{m}$/

3. We get the solution:

$a^b \pmod{m} = [a^{2^{b_1}} \pmod{m} \cdot a^{2^{b_2}} \pmod{m} \cdot \ldots \cdot a^{2^{b_r}} \pmod{m}] \pmod{m}$

Example

Calculate the value $6^{73} \pmod{100}$!

The exponent as a sum of powers of 2:

$73 = 2^6 + 2^3 + 2^0$

Repeated squares:

$6^{2^0} \equiv 6 \pmod{100}$

$6^{2^1} \equiv 36 \pmod{100}$

$6^{2^2} \equiv 96 \pmod{100}$

$6^{2^3} \equiv 16 \pmod{100}$

$6^{2^4} \equiv 56 \pmod{100}$

$6^{2^5} \equiv 36 \pmod{100}$

$6^{2^6} \equiv 96 \pmod{100}$

The solution:

$6^{73} \pmod{100} = [6^{2^6} \pmod{100} \cdot 6^{2^3} \pmod{100} \cdot 6^{2^0} \pmod{100}] \pmod{100} = 96 \cdot 16 \cdot 6 \pmod{100} = 9216 \pmod{100} = 16$

$6^{73} \equiv 16 \pmod{100}$

Exercises

Calculate the following values with FME: $9^{22} \pmod{79}$, $129^{97} \pmod{171}$, $23^{209} \pmod{211}$.
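
The three steps of the algorithm above as runnable Python. This is an added example, not part of the exercise book; the function name `fme` and the choice to return the table of repeated squares alongside the result are assumptions made here.

```python
def fme(a, b, m):
    """Fast modular exponentiation following steps 1-3 of section 1.2.3.

    Returns (a**b mod m, squares) where squares[k] = a^(2^k) mod m,
    i.e. the same table of repeated squares the worked example lists.
    """
    if b < 0 or m < 1:
        raise ValueError("need b >= 0 and m >= 1")

    # Step 2: repeated squaring up to the highest power of 2 contained in b.
    squares = [a % m]
    for _ in range(max(b.bit_length() - 1, 0)):
        squares.append(squares[-1] ** 2 % m)

    # Steps 1 and 3: bit k of b is set exactly when 2^k occurs in the sum
    # b = 2^(b_1) + ... + 2^(b_r); multiply the matching squares together,
    # reducing mod m after every product so intermediate values stay small.
    result = 1 % m
    for k, square in enumerate(squares):
        if (b >> k) & 1:
            result = result * square % m
    return result, squares


if __name__ == "__main__":
    value, table = fme(6, 73, 100)      # the worked example of this section
    for k, square in enumerate(table):
        print(f"6^(2^{k}) = {square} (mod 100)")
    print("6^73 =", value, "(mod 100)")
```
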

1.2.4 Fermat-test

A probabilistic primality test based on Fermat's Little Theorem.

Theorem: If $(a, p) = 1$ then $a^{p-1} \equiv 1 \pmod{p}$.

Algorithm:

The input is an integer $n$.

We choose an integer $a$ such that $a$ and $n$ are coprime.

We calculate the value $a^{n-1} \pmod{n}$.

If $a^{n-1} \not\equiv 1 \pmod{n}$ $\Rightarrow$ $n$ is composite.

If it is 1, then $n$ may or may not be prime.

If $a^{n-1} \equiv 1 \pmod{n}$ but $n$ is not a prime $\Rightarrow$ $n$ is called a pseudoprime to base $a$.

If $n$ is a pseudoprime to base $a$ for all integers $a$ with $\gcd(a, n) = 1$ $\Rightarrow$ $n$ is called a Carmichael number.

Example

Use the Fermat-test on the number 341 (the bases are 2 and 3)! What can we tell about this number?

Let the base be 2!

$2^{340} \equiv 1 \pmod{341}$ $\Rightarrow$ ?

Let the base be 3!

$3^{340} \equiv 3^{2^8} \cdot 3^{2^6} \cdot 3^{2^4} \cdot 3^{2^1} \equiv 56 \pmod{341}$ $\Rightarrow$ 341 is composite.

$3^{2^0} \equiv 3 \pmod{341}$

$3^{2^1} \equiv 9 \pmod{341}$

$3^{2^2} \equiv 81 \pmod{341}$

$3^{2^3} \equiv 82 \pmod{341}$

$3^{2^4} \equiv 245 \pmod{341}$

$3^{2^5} \equiv 9 \pmod{341}$

$3^{2^6} \equiv 81 \pmod{341}$

$3^{2^7} \equiv 82 \pmod{341}$

$3^{2^8} \equiv 245 \pmod{341}$

Exercise

Use the Fermat-test on the number 181, if the base is 7! What can we tell about the number?

Use the Fermat-test on the number 127, if the base is 5! What can we tell about the number?

1.2.5 Miller-Rabin primality test (compositeness test)

This test works when the value $n$ is greater than 1 and is an odd number.

Algorithm:

Determine the values $s$ and $d$:

$s = \max\{r : 2^r \mid (n-1)\}$ and $d = (n-1)/2^s$

Test: Choose some positive integer $a$ such that $a < n$.

If $a^d \not\equiv 1 \pmod{n}$ and $a^{2^r d} \not\equiv -1 \pmod{n}$ for all $r \in \{0, \ldots, s-1\}$, then $n$ is composite and $a$ is a witness for compositeness. Otherwise $n$ may or may not be prime.

Exercise

Using a two-round Miller-Rabin test, decide about the number 561 (let the bases be 2 and 13)!

From $n - 1 = 2^s \cdot d$ (where $d$ is an odd number):

$560 = 2 \cdot 2 \cdot 2 \cdot 2 \cdot 35 = 2^4 \cdot 35$

$s = 4$ $\Rightarrow$ $r = 0$, $r = 1$, $r = 2$, $r = 3$

$d = 35$

In case of $a = 2$:

$2^{2^0 d} \equiv 263 \pmod{561}$

$2^{2^1 d} \equiv 166 \pmod{561}$

$2^{2^2 d} \equiv 67 \pmod{561}$

$2^{2^3 d} \equiv 1 \pmod{561}$

$\Rightarrow$ $n$ composite

In case of $a = 13$:

$13^{2^0 d} \equiv 208 \pmod{561}$

$13^{2^1 d} \equiv 67 \pmod{561}$

$13^{2^2 d} \equiv 1 \pmod{561}$

$13^{2^3 d} \equiv 1 \pmod{561}$

$\Rightarrow$ $n$ composite

Exercise

What can you tell about the compositeness of the number 197 by using a two-round Miller-Rabin test (where the bases are 7 and 12)?

What can you tell about the compositeness of the number 243 by using a two-round Miller-Rabin test (where the bases are 11 and 15)?

1.2.6 Chinese Remainder Theorem

Let the moduli $m_1, \ldots, m_k$ be pairwise coprime. Then the linear congruence system

$x \equiv c_1 \pmod{m_1}$

$x \equiv c_2 \pmod{m_2}$

$\ldots$

$x \equiv c_k \pmod{m_k}$

has a simultaneous solution for any integers $c_1, \ldots, c_k$, where the modulus is $m_1 \cdot m_2 \cdot \ldots \cdot m_k$.

In detail:

$M = m_1 \cdot \ldots \cdot m_k$
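
$M_i = M/m_i$ where $i = 1, 2, \ldots, k$

Let the integer $y_i$ be the solution of the following equation:

$y_i \cdot M_i \equiv 1 \pmod{m_i}$ where $i = 1, \ldots, k$

$x \equiv \sum_{i=1}^{k} c_i \cdot y_i \cdot M_i \pmod{M}$

Example

$x \equiv 0 \pmod{5}$, $M_1 = 60/5 = 12$

$x \equiv 1 \pmod{3}$, $M_2 = 60/3 = 20$

$x \equiv 2 \pmod{4}$, $M_3 = 60/4 = 15$

$M = 5 \cdot 4 \cdot 3 = 60$

| | | |
|---|---|---|
| $12 \cdot y_1 \equiv 1 \pmod{5}$ | $20 \cdot y_2 \equiv 1 \pmod{3}$ | $15 \cdot y_3 \equiv 1 \pmod{4}$ |
| $2 \cdot y_1 \equiv 1 \pmod{5}$ | $2 \cdot y_2 \equiv 1 \pmod{3}$ | $3 \cdot y_3 \equiv 1 \pmod{4}$ |
| $2 \cdot y_1 \equiv 6 \pmod{5}$ | $2 \cdot y_2 \equiv 4 \pmod{3}$ | $3 \cdot y_3 \equiv 9 \pmod{4}$ |
| $y_1 \equiv 3 \pmod{5}$ | $y_2 \equiv 2 \pmod{3}$ | $y_3 \equiv 3 \pmod{4}$ |

$x \equiv \sum c_i \cdot y_i \cdot M_i \pmod{M}$

$x \equiv 0 \cdot 3 \cdot 12 + 1 \cdot 2 \cdot 20 + 2 \cdot 3 \cdot 15 \equiv 130 \equiv 10 \pmod{60}$

RSA example

When decrypting an RSA ciphertext we apply the Chinese remainder theorem to the following congruence system:

$m \equiv c^{d \pmod{p-1}} \pmod{p} \equiv m_p$

$m \equiv c^{d \pmod{q-1}} \pmod{q} \equiv m_q$

$n = p \cdot q$

$1 = y_p \cdot p + y_q \cdot q$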
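
$m \equiv m_p \cdot y_q \cdot q + m_q \cdot y_p \cdot p \pmod{n}$

Example. We know the following values:

$p = 5$: random prime

$q = 11$: random prime

$n = 55$: modulus

$\varphi(n) = 40$

$m = 20$: plaintext

$e = 7$: public key

$c = 15$: ciphertext

$d = 23$: decryption (secret) key

$x \equiv c_1 \pmod{m_1}$

$x \equiv c_2 \pmod{m_2}$

$x = 15^{23 \pmod{4}} \pmod{5} = 0$

$x = 15^{23 \pmod{10}} \pmod{11} = 9$

$M_1 = q = 11$

$M_2 = p = 5$

$M = 55$

$y_1 \cdot 5 \equiv 1 \pmod{11}$

$y_2 \cdot 11 \equiv 1 \pmod{5}$

EEA

| $k$ | 0 | 1 | 2 | |
|---|---|---|---|---|
| $q_k$ | 11 | 5 | 1 | 0 |
| $r_k$ | - | 2 | 5 | |
| $x_k$ | 1 | 0 | 1 | |
| $y_k$ | 0 | 1 | 2 | |

$x\,(y_1) = (-1)^2 \cdot 1 = 1$

$y\,(y_2) = (-1)^3 \cdot 2 = -2$

$x \equiv \sum c_i \cdot y_i \cdot M_i \pmod{M} \equiv 0 \cdot 1 \cdot 11 + 9 \cdot (-2) \cdot 5 \equiv -90 \equiv 20 \pmod{55}$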
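
The key generation of section 1.1 and the CRT decryption above, tied together through the extended Euclidean algorithm in the tabular form of section 1.2.2 (unsigned columns, sign applied at the end). This is an added example, not part of the exercise book; the function names are assumptions, and Python's built-in `pow` stands in for fast modular exponentiation.

```python
def eea(a, b):
    """Extended Euclid in the tabular form of section 1.2.2.

    Returns (g, x, y) with g = gcd(a, b) = a*x + b*y.
    """
    rem, xs, ys = [a, b], [1, 0], [0, 1]    # x_0=1, x_1=0, y_0=0, y_1=1
    while rem[-1] != 0:
        quot = rem[-2] // rem[-1]
        rem.append(rem[-2] % rem[-1])
        xs.append(xs[-1] * quot + xs[-2])   # unsigned columns, as in the table
        ys.append(ys[-1] * quot + ys[-2])
    n = len(rem) - 2                        # index of the last non-zero remainder
    return rem[n], (-1) ** n * xs[n], (-1) ** (n + 1) * ys[n]


def rsa_keygen(p, q, e):
    """Return (n, d) for primes p, q and public exponent e (section 1.1)."""
    phi = (p - 1) * (q - 1)
    g, x, _ = eea(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime")
    return p * q, x % phi                   # d is the inverse of e mod phi(n)


def rsa_crt_decrypt(c, d, p, q):
    """c^d mod pq via m = m_p*y_q*q + m_q*y_p*p (mod n), section 1.2.6."""
    g, y_p, y_q = eea(p, q)                 # 1 = y_p*p + y_q*q
    if g != 1:
        raise ValueError("p and q must be coprime")
    # The exponent is reduced mod (p-1); a zero residue is replaced by p-1 so
    # that a ciphertext divisible by p still maps to 0 and not to c^0 = 1.
    m_p = pow(c, d % (p - 1) or p - 1, p)
    m_q = pow(c, d % (q - 1) or q - 1, q)
    return (m_p * y_q * q + m_q * y_p * p) % (p * q)


if __name__ == "__main__":
    n, d = rsa_keygen(5, 11, 7)             # the example above: n = 55, d = 23
    c = pow(20, 7, n)                       # encrypting m = 20 gives c = 15
    print(n, d, c, rsa_crt_decrypt(c, d, 5, 11))
```
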

Exercises

The RSA secret key: the primes are 7 and 13, and the secret exponent is 70. Decrypt the ciphertext 9 using the Chinese remainder theorem!

Decrypt the RSA-encrypted ciphertext 5 using the Chinese remainder theorem, if we know the primes 7 and 13 and the decryption exponent is 70!

1.3 RSA exercises

Generate public and secret keys for RSA encryption where the two primes are 463 and 547, and the encryption exponent is one of the following values according to the conditions: 12, 47, 76, 93.

Decrypt the RSA ciphertext 10 with the Chinese remainder theorem, where the primes are 7 and 13 and the decryption exponent is 70!

Prove that if we encrypt a plaintext with the public key $(n, e)$ and with the public key $(n, f)$, where $e$ and $f$ are coprime, then the plaintext is retrievable from the public information!
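
Looking back at sections 1.2.4 and 1.2.5: the Fermat test and one Miller-Rabin round side by side, run on the numbers 341 and 561 used in those sections. This is an added example, not part of the exercise book; the function names and verdict strings are assumptions, and Python's built-in `pow` does the modular exponentiation.

```python
def fermat_test(n, a):
    """True when a^(n-1) = 1 (mod n), i.e. n 'may or may not be prime'."""
    return pow(a, n - 1, n) == 1


def miller_rabin_round(n, a):
    """One round of the test in section 1.2.5 for odd n > 1 and base a.

    Returns (verdict, trace) with trace[r] = a^(2^r * d) mod n for
    r = 0..s-1, the same list of values the worked exercise writes out.
    """
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be odd and greater than 1")
    s, d = 0, n - 1
    while d % 2 == 0:                    # n - 1 = 2^s * d with d odd
        s, d = s + 1, d // 2
    trace = [pow(a, d, n)]
    for _ in range(s - 1):
        trace.append(trace[-1] ** 2 % n)
    # a is a witness when a^d != 1 and no entry of the trace equals -1 mod n.
    witness = trace[0] != 1 and all(value != n - 1 for value in trace)
    return ("composite" if witness else "may be prime"), trace


if __name__ == "__main__":
    # 341 is a pseudoprime to base 2 but is exposed by base 3.
    print(341, fermat_test(341, 2), fermat_test(341, 3))
    # 561 passes the Fermat test for both bases of the exercise,
    # yet every Miller-Rabin round reports it as composite.
    for base in (2, 13):
        print(561, base, fermat_test(561, base), miller_rabin_round(561, base))
```

The second loop shows why the Miller-Rabin test is preferred: the Fermat test cannot separate 561 from a prime for any base coprime to it.
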

Chapter 2
Discrete logarithm problem

2.1 Primitive root and discrete logarithm

Multiplicative subgroup: $\mathbb{Z}_p^* = \{(1)_p, \ldots, (p-1)_p\}$

The order of an element $a$ is $k$ if for all $i$ with $1 \le i < k$: $a^i \not\equiv 1 \pmod{n}$, and $a^k \equiv 1 \pmod{n}$ holds, where $a \in \mathbb{Z}_n$, $(a, n) = 1$, $k \in \mathbb{Z}^+$.

Notation: $\mathrm{ord}(a) = k$.

$g \in \mathbb{Z}_p^*$ is a primitive root modulo $p$ if the order of $g$ is $\varphi(p)$.

Comment: The primitive root generates the whole group.

Example:

$\mathbb{Z}_5^* = \{(1)_5, (2)_5, (3)_5, (4)_5\}$

Primitive root: $(2)_5$

$2^1 \equiv 2 \pmod{5}$

$2^2 \equiv 4 \pmod{5}$

$2^3 \equiv 3 \pmod{5}$

$2^4 \equiv 1 \pmod{5}$

$\Rightarrow$ $\mathrm{ord}_5(2) = 4$

The discrete logarithm problem underlies the security of several systems (ElGamal encryption, Diffie-Hellman key exchange).

Let $p$ be a prime and $g \in \mathbb{Z}_p^*$ a primitive root. Then any $A \in \mathbb{Z}_p^*$ can be written in the form $A \equiv g^a \pmod{p}$.

The discrete logarithm of the element $A$ with base $g$, considering the modulus $p$: $a \in \mathbb{Z}_{p-1}$.

There does not exist (or at least we do not know) a polynomial-time algorithm for calculating the discrete logarithm when $p$ is an appropriately large prime.

$(A, p, g) \rightarrow a$ is a "hard" problem.

2.2 ElGamal encryption

Asymmetric encryption.

The set of plaintexts: $P = \mathbb{Z}_p^*$, $p$ a large prime.

The set of ciphertexts: $C = \mathbb{Z}_p^* \times \mathbb{Z}_p^*$, a set of ordered pairs.

1. Key generation:

Give the values $(p, g, h, a)$:

$p$: large prime

$g \in \mathbb{Z}_p^*$: primitive root

$h \equiv g^a \pmod{p}$

$SK = a$

$PK = (p, g, h)$

2. Encryption:

$Enc_{PK}(m) = (c_1, c_2)$

$c_1 \equiv g^k \pmod{p}$, where $k$ is a secret random value ($k \in \{2, 2, \ldots, p-2\}$)

$c_2 \equiv m \cdot h^k \pmod{p}$

3. Decryption:

$Dec_{SK}(c_1, c_2) = m$

$m \equiv c_2 \cdot (c_1^a)^{-1} \equiv c_2 \cdot (c_1^{p-1-a}) \pmod{p}$

Example: $p = 47$, $g = 13$, $a = 42$, $m = 20$

Key generation:

$h \equiv g^a \pmod{p}$

$h = 13^{42} \equiv 25 \pmod{47}$

$SK = a = 42$

$PK = (p, g, h) = (47, 13, 25)$

Encryption:

$k = 17$

$(c_1, c_2) = (31, 22)$

$c_1 = 13^{17} \equiv 31 \pmod{47}$

$c_2 = 20 \cdot 25^{17} \equiv 22 \pmod{47}$

Decryption:

$m = c_2 \cdot c_1^{-a} = 22 \cdot 31^{-42} \equiv 22 \cdot 31^{4} \equiv 22 \cdot 18 \equiv 20 \pmod{47}$

2.2.1 ElGamal exercises

Let 23 be the public prime and 5 be the primitive root. Let 13 be the secret key. Encrypt the plaintext message 18 with the ElGamal system! (Choose other parameters if necessary!)

Encrypt the plaintext message 83 with ElGamal encryption, if the primitive root is 2, the prime is 103 and the secret key is 47! Decrypt the calculated ciphertext! (Choose other parameters if necessary!)

2.3 Diffie-Hellman Key Exchange

We choose a large prime: $p$ (public).

We choose a primitive root: $g \in \mathbb{Z}_p^*$ (public).

Alice chooses a secret random value $a \in \{0, \ldots, p-1\}$.

Bob chooses a secret random value $b \in \{0, \ldots, p-1\}$.

Alice calculates $A \equiv g^a \pmod{p}$ and sends it to Bob.

Bob calculates $B \equiv g^b \pmod{p}$ and sends it to Alice.

Alice and Bob calculate the symmetric key: $K \equiv g^{ba} \equiv g^{ab} \pmod{p}$.

[Figure: Alice (A) sends $A = g^a \pmod{p}$ to Bob (B), and Bob sends $B = g^b \pmod{p}$ to Alice. Alice computes $K = g^{ba} \equiv (g^b)^a \pmod{p}$; Bob computes $K = g^{ab} \equiv (g^a)^b \pmod{p}$.]

2.3.1 Diffie-Hellman key exchange exercises

Calculate the shared key with the Diffie-Hellman KE, if the public prime is 149 and the public primitive root is 21. (Choose other parameters if necessary!)

Let the public prime be 41, the public primitive root be 22 and the chosen secrets be 17 and 9. Calculate the shared key with the Diffie-Hellman KE!
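
The primitive-root check of section 2.1, the Diffie-Hellman exchange of section 2.3 and ElGamal encryption of section 2.2 in one place, which makes visible that the ElGamal mask $h^k = c_1^a$ is a Diffie-Hellman key between the long-term secret $a$ and the per-message secret $k$. This is an added example, not part of the exercise book; all function names are assumptions, and the brute-force `order` is only meant for toy primes like the ones used here.

```python
import secrets


def order(a, p):
    """Smallest k >= 1 with a^k = 1 (mod p), p prime; brute force."""
    if a % p == 0:
        raise ValueError("a must be coprime to p")
    k, x = 1, a % p
    while x != 1:
        x, k = x * a % p, k + 1
    return k


def is_primitive_root(g, p):
    """g generates the whole group when ord(g) = phi(p) = p - 1."""
    return order(g, p) == p - 1


def dh_exchange(p, g, a, b):
    """Return (A, B, K): both public values and the shared key."""
    A, B = pow(g, a, p), pow(g, b, p)
    k_alice, k_bob = pow(B, a, p), pow(A, b, p)    # (g^b)^a and (g^a)^b
    if k_alice != k_bob:
        raise AssertionError("both sides must derive the same key")
    return A, B, k_alice


def elgamal_encrypt(p, g, h, m, k=None):
    """Return (c1, c2); k is drawn from 2..p-2 unless fixed for a worked example."""
    if k is None:
        k = 2 + secrets.randbelow(p - 3)
    return pow(g, k, p), m * pow(h, k, p) % p


def elgamal_decrypt(p, a, c1, c2):
    """m = c2 * c1^(p-1-a) mod p, the inverse of the mask c1^a = h^k."""
    return c2 * pow(c1, p - 1 - a, p) % p


if __name__ == "__main__":
    p, g, a, m = 47, 13, 42, 20                    # the ElGamal example of 2.2
    h = pow(g, a, p)
    c1, c2 = elgamal_encrypt(p, g, h, m, k=17)
    print(is_primitive_root(g, p), h, (c1, c2), elgamal_decrypt(p, a, c1, c2))
    print(dh_exchange(41, 22, 17, 9))              # second exercise of 2.3.1
```
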

Chapter 3
Solutions

3.1 RSA solutions

3.1.1 Euclidean algorithm solutions

$(a, b) = ax + by$

$1 = 211 \cdot 16 + 45 \cdot 75$,

$1 = 2340 \cdot (-24) + 113 \cdot 497$,

$1 = 1491 \cdot (-6) + 23 \cdot 389$.

3.1.2 Fast exponentiation solutions

$9^{22} \equiv 73 \pmod{79}$,

$129^{97} \equiv 108 \pmod{171}$,

$23^{209} \equiv 156 \pmod{211}$.

3.1.3 Fermat-test solutions

$7^{180} \equiv 1 \pmod{181}$ $\Rightarrow$ may or may not be a prime

$5^{126} \equiv 1 \pmod{127}$ $\Rightarrow$ may or may not be a prime

3.1.4 Miller-Rabin solutions

$s = 2$, $d = 49$ $\Rightarrow$ $r = 0$, $r = 1$

In case of $a = 7$:

$7^{49} \equiv 196 \pmod{197}$ ($\equiv -1 \pmod{197}$) $\Rightarrow$ may or may not be a prime

In case of $a = 12$:

$12^{49} \equiv 14 \pmod{197}$

$12^{2^1 \cdot 49} \equiv 196 \pmod{197}$ $\Rightarrow$ may or may not be a prime

$s = 1$, $d = 121$ $\Rightarrow$ $r = 0$

In case of $a = 11$:

$11^{121} \equiv 47 \pmod{243}$ $\Rightarrow$ composite

In case of $a = 15$:

$15^{121} \equiv 0 \pmod{197}$ $\Rightarrow$ composite

3.1.5 Chinese Remainder Theorem solutions

9

51

3.1.6 RSA solutions

$n = 253261$, $\varphi(n) = 252252$, $e = 47$, $d = 166379$

$PK = (253261, 47)$

$SK = (253261, 166379)$

$n = 91$

Linear congruences:

$m \equiv 10^{70 \pmod{6}} \pmod{7}$

$m \equiv 10^{70 \pmod{12}} \pmod{13}$

$m \equiv c_1 \cdot y_1 \cdot M_1 + c_2 \cdot y_2 \cdot M_2 = 4 \cdot (-1) \cdot 13 + 3 \cdot 2 \cdot 7 \equiv 81 \pmod{91}$

3.2 Solutions of exercises based on the Discrete logarithm problem

3.2.1 ElGamal solutions

Let $k = 3$. $h = 21$, $(c_1, c_2) = (10, 17)$, $m = 18$

Let $k = 4$. $h = 58$, $(c_1, c_2) = (16, 14)$, $m = 83$

3.2.2 Diffie-Hellman key exchange solutions

Let the secret parameters be 3 and 5. The shared key is 139.

The shared key is 15.