
Thinking the Impossible

Modern Cryptography
Jeremy R. Johnson

Introduction
Objective: To see how to securely communicate on the internet
without giving up privacy. To understand what a public key
cryptosystem is and how the RSA algorithm works. To do
impossible things.

Modern cryptography
Solutions to some impossible problems
Public Key Cryptosystems
Modular Arithmetic
RSA Algorithm

References: Rivest, Shamir, Adleman

CS Unplugged

Importance of the Area

Did you buy anything online recently? Use an ATM
machine? If so, whether you know it or not, you used
cryptography. Cryptography (in the guise of the SSL
protocol) protects your credit card information as it whizzes
across the Internet, and ensures that others can't withdraw
money from your account.

The ubiquitous use of tools such as SSL and SSH shows
that cryptography, once an esoteric military concern, has
now burst into the mainstream. Yet, this is only the
beginning of a coming flood.

Impossible Problem One


How can you determine the outcome of a vote on the internet
without revealing individual votes?

Classical Cryptography
Basic problem: Secure communication over an
insecure channel
Solution: private key encryption
m → E(k,m) = c → D(k,c) = m

Shannon provided a rigorous theory of perfect secrecy
based on information theory
Adversary has unlimited computational resources, but
key must be as long as message

Substitution Cypher
HELLO
ALL HAIL CEASAR

Substitution Cypher
KHOOR
DOO KDLO FHDVDU

Frequency Analysis

en.wikipedia.org/wiki/Frequency_analysis_(cryptanalysis)
scottbryce.com/cryptograms

One Time Pad

Pad = b1 … bn ∈ {0,1}* chosen randomly
m = m1 … mn
E(Pad,m) = c = m ⊕ Pad
D(Pad,c) = c ⊕ Pad = (m ⊕ Pad) ⊕ Pad = m

∀ m,c: Pr_Pad[E(Pad,m) = c] = 1/2^n

No information gained from seeing c
However, E(Pad,m) ⊕ E(Pad,m') = m ⊕ m'
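
The one-time pad equations above, worked through in Python as an added example (not part of the original slides). The second message and all function names are constructed for illustration; the first message is the slide's own plaintext.

```python
import secrets

def xor(a, b):
    """Bytewise XOR; the pad must be exactly as long as the message."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def new_pad(n):
    """Pad = b1 ... bn chosen uniformly at random (n bytes here)."""
    return secrets.token_bytes(n)

def pad_explaining(c, candidate):
    """Perfect secrecy: for ANY candidate message of the right length there is
    exactly one pad under which c decrypts to it, so c alone rules nothing out."""
    return xor(c, candidate)

def reuse_leak(c1, c2):
    """E(Pad,m) xor E(Pad,m') = m xor m': the pad cancels when it is reused."""
    return xor(c1, c2)

# Constructed sample messages of equal length (15 bytes each).
M1 = b"ALL HAIL CEASAR"
M2 = b"MEET ME AT NOON"

if __name__ == "__main__":
    pad = new_pad(len(M1))
    c1, c2 = xor(M1, pad), xor(M2, pad)      # same pad used twice: the mistake
    assert xor(c1, pad) == M1                # D(Pad,c) = c xor Pad = m
    leak = reuse_leak(c1, c2)
    print("m xor m' visible without the pad:", leak == xor(M1, M2))
    print("knowing m reveals m':", xor(leak, M1))
```

The pad stays perfectly secret only when it is used once; a second message under the same pad hands an eavesdropper the XOR of the two plaintexts.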

Impossible Problem Two

How can you send a secret over the internet without
previously sending a courier to distribute the secret key?
Is your method secure?
The answer comes from modern cryptography and relies on
public key cryptography

Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography", IEEE
Transactions on Information Theory, Vol. IT-22, No. 6, Nov. 1976.

Public Key Cryptosystem

Let M be a message and let C be the encrypted message
(ciphertext). A public key cryptosystem has separate
methods E() for encrypting and D() for decrypting.
D(E(M)) = M
Both E() and D() are easy to compute
Publicly revealing E() does not make it easy to determine D()
E(D(M)) = M - needed for signatures
The collection of E()s is made publicly available but the D()s
remain secret. E() is called a one-way trap-door function (hard to
invert, but easy if you have the secret information)

Public Key Encryption Map (From CS Unplugged)

[Figure: The Map]

What To Do
Come up with 10 numbers that add up to your ASCII value.
Label your vertices with the values.
Take each vertex and its neighbors, compute the sum, and replace the
vertex value with that sum.
Erase the old values!!!

[Figure: ASCII Table]

Private Key Encryption Map

[Figure: The Private Key]

What To Do
Just add up the values of each bold vertex from the public map
you were given.
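
The map procedure above, as an added Python example (not from the original slides). The 10-vertex graph, the choice of bold vertices and all function names are constructed here, on the assumption that every vertex of the map is either bold or adjacent to exactly one bold vertex.

```python
import secrets

# Constructed 10-vertex map (assumption: the slide's own map is an image).
# BOLD is the private key: each vertex is bold or touches exactly one bold vertex.
BOLD = {0, 4, 7}
EDGES = [(0, 1), (0, 2), (0, 3), (4, 5), (4, 6), (7, 8), (7, 9),  # bold spokes
         (1, 5), (2, 8), (3, 6), (5, 9), (6, 8), (1, 9), (2, 3)]  # decoy edges
N = 10

def closed_neighborhoods(edges, n):
    """Map each vertex to the set containing itself and its neighbors."""
    nbrs = {v: {v} for v in range(n)}
    for a, b in edges:
        nbrs[a].add(b)
        nbrs[b].add(a)
    return nbrs

def is_valid_private_key(bold, nbrs):
    """True if every vertex's closed neighborhood holds exactly one bold vertex."""
    return all(len(nbrs[v] & bold) == 1 for v in nbrs)

def encrypt(ch, nbrs):
    """Split ord(ch) into random shares, then publish only the neighborhood sums."""
    n = len(nbrs)
    shares = [secrets.randbelow(41) - 20 for _ in range(n - 1)]
    shares.append(ord(ch) - sum(shares))       # the n shares add up to the ASCII value
    return [sum(shares[u] for u in nbrs[v]) for v in range(n)]  # old values erased

def decrypt(public_values, bold):
    """Add up the published values at the bold vertices."""
    return chr(sum(public_values[b] for b in bold))

NBRS = closed_neighborhoods(EDGES, N)

if __name__ == "__main__":
    published = encrypt("K", NBRS)
    print(published, "->", decrypt(published, BOLD))
```

Decryption works because the bold neighborhoods cover every vertex exactly once, so their sums count each share once. The published values are linear in the shares, which makes this a classroom model of a trap-door rather than a cipher to deploy.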

Modern Cryptography
Adversary's resources are
computationally bounded
Probabilistic polynomial time algorithm

Impossibility of breaking the encryption system
Infeasibility of breaking
Rely on gap between efficient algorithms for encryption and
computational infeasibility of decryption by adversary

Dominating Sets & NP Completeness


Impossible Problem Three

How can you flip a coin over the phone?
The answer comes from modern cryptography. It is the key
to secure communication over the internet and provides
privacy, authentication and digital signatures


Impossible Problem Four


How can you prove you know something to an adversary
without revealing your secret?
The answer comes from the area of zero knowledge proofs


Where's Waldo

Open Sesame

Jean-Jacques Quisquater, Louis C. Guillou, Thomas A. Berson. How to Explain
Zero-Knowledge Protocols to Your Children. Advances in Cryptology - CRYPTO '89:
Proceedings, v.435, p.628-631, 1990.

Zero Knowledge Proof


1. Completeness: if the statement is true, the honest verifier
(that is, one following the protocol properly) will be
convinced of this fact by an honest prover.
2. Soundness: if the statement is false, no cheating prover can
convince the honest verifier that it is true, except with some
small probability.
3. Zero-knowledge: if the statement is true, no cheating verifier
learns anything other than this fact. This is formalized by
showing that every cheating verifier has some simulator
that, given only the statement to be proven (and no access
to the prover), can produce a transcript that "looks like" an
interaction between the honest prover and the cheating
verifier.

Secure Passwords
Every user stores a statement of a theorem in a
publicly readable directory
Upon login, the user engages in a zero-knowledge proof of the
correctness of the theorem
If the proof is convincing, access is granted
Guarantees that an adversary who overhears the
proof cannot learn enough to gain access

RSA Public Key Cryptosystem


Clock Arithmetic

[Figure: clock face with positions 0 to 11]

7 + 6 = ?
7+1, 7+2, 7+3, 7+4, 7+5
7 + 6 = 1 (mod 12)

5 × 5 = ?
5×2, 5×3, 5×4
5 × 5 = 1 (mod 12)

Multiplication Table mod 5


Multiplication Table mod 6


Modular Arithmetic (Zn)

Definition: a ≡ b (mod n) ⇔ n | (b - a)
Alternatively, a = qn + b
Properties (equivalence relation)
a ≡ a (mod n) [Reflexive]
a ≡ b (mod n) ⇒ b ≡ a (mod n) [Symmetric]
a ≡ b (mod n) and b ≡ c (mod n) ⇒ a ≡ c (mod n) [Transitive]

Definition: An equivalence class mod n
[a] = { x : x ≡ a (mod n) } = { a + qn | q ∈ Z }

Modular Arithmetic (Zn)

It is possible to perform arithmetic with equivalence classes mod n.
[a] + [b] = [a+b]
[a] * [b] = [a*b]
In order for this to make sense, you must get the same answer (equivalence) class
independent of the choice of a and b. In other words, if you replace a and b by
numbers equivalent to a or b mod n, you end up with the sum/product being in the
same equivalence class.
a1 ≡ a2 (mod n) and b1 ≡ b2 (mod n) ⇒ a1 + b1 ≡ a2 + b2 (mod n)
and a1 * b1 ≡ a2 * b2 (mod n)

(a + q1*n) + (b + q2*n) = a + b + (q1 + q2)*n
(a + q1*n) * (b + q2*n) = a * b + (b*q1 + a*q2 + q1*q2*n)*n

Representation of Zn
The equivalence classes [a] mod n are typically represented by
the representatives a.

Positive Representation: Choose the smallest positive
integer in the class [a]; then the representation is {0,1,…,n-1}.

Symmetric Representation: Choose the integer with the
smallest absolute value in the class [a]. The representation
is {-⌊(n-1)/2⌋,…,⌊n/2⌋}. When n is even, choose the positive
representative with absolute value n/2.
E.g. Z6 = {-2,-1,0,1,2,3}, Z5 = {-2,-1,0,1,2}

Greatest Common Divisor

Definition: g = gcd(a,b)
g|a and g|b
if e|a and e|b then e|g
Example: gcd(30,12) = 6
30 = 2 * 3 * 5
12 = 2^2 * 3
Inefficient!!!

Euclidean Algorithm
gcd(a,b)
    if b = 0 then
        return a
    else
        return gcd(b, a mod b)
Example: gcd(30,12)
    = gcd(12,6)
    = gcd(6,0)
Efficient!!! O(log N), a, b ≤ N

Modular Inverses
Definition: x is the inverse of a mod n, if ax ≡ 1 (mod n)
The equation ax ≡ 1 (mod n) has a solution iff gcd(a,n) = 1.
By the Extended Euclidean Algorithm, there exist x and y such that
ax + ny = gcd(a,n).
When gcd(a,n) = 1, ax + ny = 1 ⇒ ax ≡ 1 (mod n)

Example
gcd(5,12) = 1, 5 * 5 + (-2) * 12 = 1

Euler phi function

Definition: phi(n) = #{a: 0 < a < n and gcd(a,n) = 1}

Properties:
phi(p) = p-1, for prime p.
phi(p^e) = (p-1)*p^(e-1)
phi(m*n) = phi(m)*phi(n) for gcd(m,n) = 1.
phi(p*q) = (p-1)*(q-1)

Examples:
phi(15) = phi(3)*phi(5) = 2*4 = 8 = #{1,2,4,7,8,11,13,14}
phi(9) = (3-1)*3^(2-1) = 2*3 = 6 = #{1,2,4,5,7,8}

Euler's Identity

The number of elements in Zn that have multiplicative
inverses is equal to phi(n).

Theorem: Let (Zn)* be the elements of Zn with inverses
(called units). If a ∈ (Zn)*, then a^phi(n) ≡ 1 (mod n).

Proof. The same proof presented for Fermat's theorem can be
used to prove this theorem.

Chinese Remainder Theorem

Theorem: If gcd(m,n) = 1, then given a and b there exists an
integer solution to the system:
x ≡ a (mod m) and x ≡ b (mod n).
Proof:
Consider the map x → (x mod m, x mod n).
This map is a 1-1 map from Zmn to Zm × Zn, since if x and y map
to the same pair, then x ≡ y (mod m) and x ≡ y (mod n).
Since gcd(m,n) = 1, this implies that x ≡ y (mod mn).
Since there are mn elements in both Zmn and Zm × Zn, the map is
also onto. This means that for every pair (a,b) we can find
the desired x.


RSA Public Key Cryptosystem

Based on the idea that it is hard to factor large numbers.
First encode M as an integer (e.g. use ASCII). Large messages
will need to be blocked.

Choose n = p*q, the product of two large prime numbers.
Choose e such that gcd(e,phi(n)) = 1.
Choose d such that de ≡ 1 (mod phi(n))

E = (e,n) and E(M) = M^e mod n
D = (d,n) and D(M) = M^d mod n

Correctness of the RSA Algorithm

Theorem: D(E(M)) = E(D(M)) = M.
Proof. D(E(M)) = (M^e)^d (mod n) = M^(ed) (mod n).
Since ed ≡ 1 (mod phi(n)), ed = k*phi(n) + 1, for some integer k.
M^(k*phi(n)+1) → (M^(k*phi(n)+1) mod p, M^(k*phi(n)+1) mod q)
= (M^(k*phi(n)) * M mod p, M^(k*phi(n)) * M mod q)
= (M^((p-1)*(q-1)*k) * M mod p, M^((q-1)*(p-1)*k) * M mod q) [since n = pq]
= ((M^(p-1))^((q-1)*k) * M mod p, (M^(q-1))^((p-1)*k) * M mod q)
= (M mod p, M mod q) [By Fermat's theorem]
Therefore, by the CRT, M^(k*phi(n)+1) ≡ M (mod n).
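
The RSA construction and its correctness theorem, together with the extended Euclidean algorithm from the Modular Inverses slide, as an added Python example (not from the original slides). The primes 61 and 53, the exponent 17 and all function names are constructed toy values chosen so the numbers can be checked by hand.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a, n):
    """Inverse of a mod n; exists iff gcd(a, n) = 1."""
    g, x, _ = egcd(a, n)
    if g != 1:
        raise ValueError("no inverse: gcd(a, n) != 1")
    return x % n

def keygen(p, q, e):
    """Return (E, D) = ((e, n), (d, n)) with d*e = 1 (mod phi(n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must satisfy gcd(e, phi(n)) = 1")
    return (e, n), (modinv(e, phi), n)

def apply_key(key, m):
    """E(M) = M^e mod n or D(M) = M^d mod n, depending on the key passed in."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("block must satisfy 0 <= M < n")
    return pow(m, exp, n)

def agrees_mod_p_and_q(m, c, d, p, q):
    """The proof's CRT step: c^d matches M modulo p and modulo q separately."""
    return pow(c, d, p) == m % p and pow(c, d, q) == m % q

# Constructed toy parameters; real keys use primes of 1024 bits or more.
P, Q, E_EXP = 61, 53, 17
PUB, PRIV = keygen(P, Q, E_EXP)

def roundtrip(text):
    """Encode each character as its ASCII value, encrypt, then decrypt."""
    cipher = [apply_key(PUB, ord(ch)) for ch in text]
    return "".join(chr(apply_key(PRIV, c)) for c in cipher)

if __name__ == "__main__":
    print("d =", PRIV[0], " E(65) =", apply_key(PUB, 65), " ->", roundtrip("HELLO"))
```

Encrypting one ASCII character per block, as here, always maps the same letter to the same number, so the frequency analysis from the substitution-cipher slides still applies; deployed RSA adds randomized padding to each block.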