* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Modular Arithmetic
Survey
Document related concepts
List of important publications in mathematics wikipedia , lookup
Wiles's proof of Fermat's Last Theorem wikipedia , lookup
Large numbers wikipedia , lookup
Line (geometry) wikipedia , lookup
Location arithmetic wikipedia , lookup
Mathematics of radio engineering wikipedia , lookup
Factorization wikipedia , lookup
Factorization of polynomials over finite fields wikipedia , lookup
Fundamental theorem of algebra wikipedia , lookup
Transcript
The Algebra of Encryption 18 July 2011 The Algebra of Encryption 1 Modular Arithmetic Much of modern cryptography is based on modular arithmetic. We can think of modular arithmetic as a cycle. When we reach the base number or modulus, we cycle back to zero. We use modular arithmetic every day. For example, when we look at the clock we are using base 12. If the current time is 9 am and an appointment is at 1 pm, we know that the appointment is four hours away. Modular arithmetic tells us that 1 β 9 β‘ 4 πππ 12. (Modular arithmetic, 2011) 1.1 Division Algorithm The division algorithm roughly states βthat any integer a can be βdividedβ by b in such a way that the remainder is smaller than b.β (Burton, 2007, p. 17) Mathematically, this can be expressed as follows π = ππ + π Equation 1-1 Where m is a multiplier and r is a residue. Example 1-1 13 = 1 β 12 + 1, the multiplier is 1 and the residue is 1. Using modular arithmetic, we write 13 β‘ 1 πππ 12. Example 1-2 9 = 0 β 12 + 9, in this case the multiplier is zero and the residue is equal to 9 or a. Using modular arithmetic, we write 9 β‘ 9 πππ 12. 1.2 Addition Addition follows the same rules that we are used to from normal arithmetic with the additional step that the result is reduced by the modulus. To add two numbers π1 and π2 we first express the numbers in the form of Equation 1-1. π1 = π1 β π + π1 π2 = π2 β π + π2 Next we add and collect terms. π1 + π2 = (π1 + π2 ) β π + (π1 + π2 ) Note that this remains in the form of Equation 1-1 but does not preclude the possibility that the sum π1 + π2 could be greater than the modulus, thus causing a change to the multiplier. Example 1-3 13 + 9 β‘ 10 πππ 12 13 + 9 = (1 β 12 + 1) + (0 β 12 + 9) = (1 + 0) β 12 + (1 + 9) = 1 β 12 + 10 In this case, the multiplier is not affected. Page 1 of 17 The Algebra of Encryption 18 July 2011 Example 1-4 9 + 9 β‘ 6 πππ 12 9 + 9 = (0 β 12 + 9) + (0 β 12 + 9) = (0 + 0) β 12 + (9 + 9) = 0 β 12 + 18 In this case, the resulting residue is greater than the modulus and should be reduced. Add and subtract 12, and collect terms. 18 = 0 β 12 + 18 + 1 β 12 β 12 = (0 + 1) β 12 + (18 β 12) = 1 β 12 + 6 1.3 Subtraction Modular subtraction is similar to modular addition. To subtract two numbers π1 and π2 we first express the numbers in the form of Error! Reference source not found.. π1 = π1 β π + π1 π2 = π2 β π + π2 Next we subtract and collect terms. π1 β π2 = (π1 β π2 ) β π + (π1 β π2 ) Again, the result remains in the form of Equation 1-1 but does not preclude the possibility that the difference π1 β π2 could be less than the zero. Since we generally deal with positive numbers, this causes a change to the multiplier. Example 1-5 9 β 13 β‘ 8 πππ 12 9 β 13 = (0 β 12 + 9) β (1 β 12 + 1) = (0 β 1) β 12 + (9 β 1) = (β1) β 12 + 8 In this case, the multiplier is not affected. Example 1-6 13 β 9 β‘ 4 πππ 12 13 β 9 = (1 β 12 + 1) β (0 β 12 + 9) = (1 β 0) β 12 + (1 β 9) = 1 β 12 + (β8) In this case, the resulting residue is less than zero and should be adjusted. Add and subtract 12, and collect terms. (β8) = 1 β 12 + (β8) + (β1) β 12 + 12 = (1 β 1) β 12 + (β8 + 12) = 0 β 12 + 4 1.4 Multiplication Multiplication is merely repeated addition. As with addition and subtraction, the resulting residue is generally adjusted to be less than the modulus and non-negative. Example 1-7 4 β 13 β‘ 4 πππ 12 4 β 13 = (1 β 12 + 1) + (1 β 12 + 1) + (1 β 12 + 1) + (1 β 12 + 1) = (1 + 1 + 1 + 1) β 12 + (1 + 1 + 1 + 1) = (4) β 12 + 4 In this case, the multiplier is not affected. Example 1-8 13 β 4 β‘ 4 πππ 12 Page 2 of 17 The Algebra of Encryption 18 July 2011 13 β 4 = 13 β (0 β 12 + 4) = (13 β 0) β 12 + (13 β 4) = 0 β 12 + 52 In this case, the resulting residue should be adjusted. 52 = 4 β 12 + 4 1.5 Division Division is a little tricky. Normally we think of division as dividing one number into equal parts countable to another. Thus the name. However, when we stick to Integers, we donβt always get equal Integer parts. We need to think of modular division a little differently. Generally, when we divide c by d we use the following notation. π =π π Equation 1-2 We need to write this in a different way. π = π β π or π β π = π Equation 1-3 If trying to divide c by d, we need to ask by what number, e, can we multiply d such that the result is congruent to c modulo the modulus? Example 1-9 10 ÷ 2 β‘ 5 πππ 13 2 β 5 = 10 = 0 β 13 + 10 This is easy because we know we can multiply 2 by 5 and the result is 10. Example 1-10 10 ÷ 4 β‘ 9 πππ 13 In this case, 4 β 9 = 36 = 2 β 13 + 10. That is to say, we found a number, 9, that we can multiply by 4 such that the result is congruent to 10 modulo 13. Exactly how we find the number 9 directly, without trial and error, is discussed in section 1.6 and 0. 1.6 Division by Multiplicative Inverse Another way of accomplishing modular division is by using the multiplicative inverse of the divisor. Re-writing Equation 1-2, we get the following equation for division. π β πβ1 = π Equation 1-4 But this begs the question, what is the multiplicative inverse in modular arithmetic? Remembering back to regular arithmetic, we again think of multiplicative inverse in a different way. We need to ask by what number, πβ1 , can we multiply d such that the result is congruent to 1 modulo the modulus? This is expressed mathematically as follows. 1 β‘ π β π β1 πππ ππππ’ππ’π Equation 1-5 Page 3 of 17 The Algebra of Encryption 18 July 2011 Expressed algebraically for modular arithmetic, we have the following. 1 = π β π + π β π β1 Equation 1-6 Where again, m is the multiplier, b is the modulus, d is the number of interest, and π β1 is the modular multiplicative inverse (MMI). Example 1-11 (4)β1 β‘ 10 πππ 13 1 = (β3) β 13 + 4 β 10. Again, exactly how we find the number 10 directly, without trial and error, is discussed in section 0. Example 1-12 Going back to Example 1-10, we get the following. 10 ÷ 4 = 10 β 4β1 β‘ 10 β 10 πππ 13 = 100 = 7 β 13 + 9 β‘ 9 πππ 13, which agrees with the findings in Example 1-10. 2 Useful Functions 2.1 Euclidean Algorithm The Euclidean algorithm is an important part of the algebra of encryption. It is generally thought of as providing the Greatest Common Divisor (GCD) of two numbers. When the two numbers are properly chosen, the Euclidean algorithm can also be used to directly determine the Modular Multiplicative Inverse (MMI). 2.1.1 Greatest Common Divisor βThe Euclidean algorithm (also called Euclidβs algorithm) is an efficient method for computing the greatest common divisor.β βThe GCD of two numbers is the largest number that divides both of them without leaving a remainder.β (Euclidean algorithm, 2011) Figure 2-1 reproduces an example discussed in (Euclidean algorithm, 2011). We would like to find the GCD of two numbers represented by lines AB and CD. 1. Start by comparing the smaller number to the larger number. 2. Find the quotient of the two numbers. In this case, the quotient refers to the greatest integer less than or equal to π΄π΅ ÷ πΆπ·. In other words, how many times can we multiply CD and still remain smaller than or equal to AB. In the figure, this quotient is 1. 3. Multiply the second number by the quotient and subtract from the first. In the figure, the result, or residue, is AE. 4. Now compare the residue with the previous smaller number. In the figure, this is comparing CD and AE. Repeat the above steps until the larger number is an integral multiple of the smaller number. That is to say, there is no resulting residue. The GCD is the last residue, in this case, CF. Page 4 of 17 The Algebra of Encryption 18 July 2011 B E D F E A F C F C F E A C A C Figure 2-1: Euclidean Algorithm Now we can add up the line lengths and verify that CF is the GCD of AB and CD. π΄πΈ = 3 β πΆπΉ πΆπ· = 2 β π΄πΈ + πΆπΉ = 2 β 3 β πΆπΉ + πΆπΉ = 7 β πΆπΉ π΄π΅ = πΆπ· + π΄πΈ = 7 β πΆπΉ + 3 β πΆπΉ = 10 β πΆπΉ Referring to Figure 2-2, it is easy to see that CF does indeed evenly divide both AB and CD. B E A 10 * FC D F C 7 * FC E F C F C F A E C F A C F C F C F C F C F C F C Figure 2-2: Comparing the Results 2.1.2 Modular Multiplicative Inverse By computing the Euclidian algorithm on a number of interest and the modulus, we can directly compute the MMI of the number of interest. In these calculations, it is efficient to accumulate the quotients at each step as coefficients of the two numbers. This is often referred to as the Extended Euclidean algorithm. If we put numbers to the lines in Figure 2-1, for example 50 and 35, we have the following example. Example 2-1 1. Start by writing the two numbers as below. 50 = 50 ( 1) + 35 ( 0) 35 = 50 ( 0) + 35 ( 1) Page 5 of 17 The Algebra of Encryption 18 July 2011 2. Find the quotient of the two numbers. q = int(50 / 35) = 1 3. Multiply the second equation through by the quotient and subtract from the first. 50 = 50 ( 1) + 35 ( 0) 35 = 50 ( 0) + 35 ( 1), q = 1 15 = 50 ( 1) + 35 ( -1) 4. Repeat steps 2 and 3 comparing the residues until the result is 0 50 = 50 ( 1) + 35 ( 0) 35 = 50 ( 0) + 35 ( 1), q = 1 15 = 50 ( 1) + 35 ( -1), q = 2 5 = 50 ( -2) + 35 ( 3), q = 3 0 = 50 ( 7) + 35 (-10) The GCD is the last residue, in this case, 5. If we work this example again using the numbers 10 and 7, we will find that the GCD is 1. If two numbers have a GCD of 1, they are said to be relatively prime or coprime. (Coprime, 2011) Now, how does this find the MMI? If we return to Example 1-11, we wish to find the MMI of 4 modulo 13. If we compute the Extended Euclidian algorithm of 13 and 4 we have the following. 13 = 13 ( 4 = 13 ( 1 = 13 ( 1) + 4 ( 0) 0) + 4 ( 1), q = 3 1) + 4 ( -3) When searching for the MMI, we can stop when the residue is 1. Now compare our result with Equation 1-6. (-3) is the MMI of 4 modulo 13. We prefer to deal with non-negative numbers, so the result needs to be adjusted. We do this by adding and subtracting 13 * 4 and collecting terms. 1 = 13 (1 ) + 4 (-3 ) + 13 (-4) + 4 (13) 1 = 13 (1 - 4) + 4 (-3 + 13) 1 = 13 ( -3) + 4 ( 10) Thus 10 is the MMI of 4 mod 13. This result agrees with our findings in Example 1-11. Mentioned above is that we can stop searching for the MMI when the residue is 1. This is because the next line would result in a residue of zero. When we arrive at a residue of zero but the previous line does not have a residue of 1, the number of interest and the modulus are not coprime and no MMI exists for that number of interest for that modulus. (Burton, 2007, pp. 7677) 2.2 Modular Exponentiation Many encryption schemes employ modular exponentiation. When dealing with very large numbers, such as in cryptography, efficient computing is essential. (Garrett, 2004, p. 123) describes an algorithm entitled Fast Modula Exponentiation. Page 6 of 17 The Algebra of Encryption ο· ο· ο· ο· 18 July 2011 Initiate X = base, E = exponent, Y = 1: x e β‘ y mod m. If E is odd: replace Y by (X * Y) mod m and replace E = E - 1. E is now even: replace X by (X * X) mod m and replace E = E / 2. When E = 0: x e β‘ y mod m. X keeps the current binary power of the base number. Y is the accumulator. Note how E is parsed for its binary bit values. 1. Starting from the least significant bit, check if the bit is 1 (if E is odd). 2. If E is odd, accumulate the corresponding power of the base: Y = Y * X. The decrement of E simply makes the division by 2 in the next step easier. 3. E is now even, update X to the next binary power of the base: X = X * X. Divide E by 2, that is to say, right shift so the next binary bit is in the least significant bit position. 4. Loop to step 2 until E = 0. Example 2-2 First letβs calculate 311 without a modulus. E = 11 = 8 + 2 + 1. Y = 311 = 38 * 32 * 31 = 6561 * 9 * 3 = 177147 Notes X E 1 Initialization 11 3 =3 E is odd 11 β 1 = 10 2 E is even 10 ÷ 2 = 5 3 =9 E is odd 5β1=4 E is even 34 = 81 4÷2=2 8 E is even 2÷2=1 3 = 6561 E is odd 1β1=0 Y 1 3β1=3 9 β 3 = 27 6561 β 9 β 3 = 177147 Example 2-3 Now letβs calculate 311 πππ 527 Y = 311 = 38 * 32 * 31 = 237 * 9 * 3 mod 527 = 75 mod 527 Notes X E Initialization 11 31 = 3 E is odd 11 β 1 = 10 2 E is even 10 ÷ 2 = 5 3 πππ 527 = 9 E is odd 5β1=4 4 E is even 3 πππ 527 = 81 4÷2=2 8 E is even 2÷2=1 3 πππ 527 = 237 E is odd 1β1=0 Y 1 3 β 1 πππ 527 = 3 9 β 3 = 27 πππ 527 237 β 9 β 3 πππ 527 = 75 You can verify that 177,147 = 75 πππ 527. Notice that everything happens the same with a modulus as without a modulus. The only difference is in the size of the numbers - the calculation results are reduced modulo 527. Page 7 of 17 The Algebra of Encryption 18 July 2011 Also notice the significant role of multiplication in this algorithm. We multiply X*X for each exponent bit position. We multiply X*Y when the exponentβs least significant bit is 1. In Example 2-2 we dealt with larger numbers. In Example 2-3 the numbers were limited by the modulus and remained smaller. Consider multiplying two 4 digit binary numbers and two 2 digit binary numbers. 1111 x 1111 ----------------1111 1111 1111 + 1111 ----------------11100001 11 x 11 ----------------11 + 11 ----------------1001 The 4 digit multiplication involved the addition of 16 bits. The 2 digit multiplication involved the addition of only 4 bits. Since the size of numbers cryptography deals with are usually larger than a computerβs arithmetic logic unit can deal with, special Big Integer computational packages such as Multiple Precision Integers and Rationals (MPIR) (MPIR home page) or Gnu Multiple Precision (GMP) (The GNU Multiple Precision Arithmetic Library) are usually employed. The smaller the modulus, the smaller the numbers we deal with, and the less time involved in multiplying. 2.3 Chinese Remainder Theorem (CRT) Chinese Remainder Theorem is frequently used in cryptography to reduce the calculation time inherent in calculating with large numbers. This time reduction is accomplished by doing a few extra calculations, but with much smaller numbers. (Chinese remainder theorem, 2011) Also, a significant part of the calculations may be done once, in advance, and then used for subsequent calculations. 2.3.1 Pre-calculations This discussion and example follows (Stallings, 2011, pp. p 254-257): Choose the Factors of M Choose π1 and π2 . The numbers must be coprime. π1 = 37 π2 = 49 π = π1 β π2 = 37 β 49 = 1813 Calculate π΄π Calculate ππ = π ÷ ππ for each ππ . To continue the example: Page 8 of 17 The Algebra of Encryption 18 July 2011 π1 = π ÷ π1 = 1813 ÷ 37 = 49 π2 = π ÷ π2 = 1813 ÷ 49 = 37 Note that this is NOT a simple swapping of π1 and π2 . The example only gives that appearance because we are using two factors. If M had three or more factors, this would be more clear. Calculate π΄πβπ πππ ππ Use the Extended Euclidean Algorithm to calculate ππβ1 πππ ππ for each ππ . To continue the example: π1β1 πππ π1 = 49β1 πππ 37 β‘ 34 π2β1 πππ π2 = 37β1 πππ 49 β‘ 4 Calculate π¨π For convenience, define π΄π = ππ β ππβ1 πππ π for each ππ . In the example: π΄1 = π1 β π1β1 πππ π = 49 β 34 πππ 1813 β‘ 1666 π΄2 = π2 β π2β1 πππ π = 37 β 4 πππ 1813 β‘ 148 2.3.2 Addition To add two numbers, complete the addition for each ππ , then combine the results. Add for each ππ Compute π₯ + π¦ = π§π πππ ππ for each ππ . For example (Stallings, 2011, pp. p 254-257), to add 973 and 678 mod 1813: 973 πππ 37 = 11 + 678 πππ 37 = 12 --------------------------------π§1 = 23 πππ 37 973 πππ 49 = 42 + 678 πππ 49 = 41 --------------------------------π§2 = 34 πππ 49 Combine the results Find the result of (π₯ + π¦) πππ π = (π§1 β π΄1 + π§2 β π΄2 ) πππ π To complete the example: (973 + 678) πππ 1813 = (23 β 1666 + 34 β 148) πππ 1813 β‘ 1651 2.3.3 Multiplication To multiply two numbers, complete the multiplication for each ππ , then combine the results. Multiply for each ππ Compute π₯ β π¦ = π§π πππ ππ for each ππ . For example (Stallings, 2011, pp. p 254-257), to multiply 1651 and 73 mod 1813: Page 9 of 17 The Algebra of Encryption 18 July 2011 1651 πππ 37 = 23 x 73 πππ 37 = 36 --------------------------------π§1 = 14 πππ 37 1651 πππ 49 = 34 x 73 πππ 49 = 24 --------------------------------π§2 = 32 πππ 49 Combine the results Find the result of (π₯ β π¦) πππ π = (π§1 β π΄1 + π§2 β π΄2 ) πππ π To complete the example: (1651 β 73) πππ 1813 = (14 β 1666 + 32 β 148) πππ 1813 β‘ 865 2.4 Eulerβs Totient Function Eulerβs totient function, π·(π), identifies the number of integers, less than n, that are relatively prime to n. A good treatment of Eulerβs Totient function can be found in (Burton, 2007, pp. 131135). (Stallings, 2011, pp. 249-250) presents Eulerβs totient function as π·(π) = π β 1 for prime p. This is correct, but not good for a general definition of the function. (Burton, 2007, pp. 131-135) gives a more versatile definition as π·(ππ ) = ππ β ππβ1 . It is easy to see that this version degenerates to the previous version in the case of π = 1. To determine the totient of a composite number, we must know the prime factors of the number. Given π = ππ β π π , π·(π) = π·(ππ ) β π·(π π ) = (ππ β ππβ1 ) β (π π β π πβ1 ) (Burton, 2007, pp. 131-135). Again, if π and π = 1, then the equation degenerates to π·(π) = π·(π) β π·(π) = (π β 1) β (π β 1) as described by (Stallings, 2011, pp. 249-250). Example 2-4 To calculate π·(21), the first form is adequate. First we must know the prime factors of 21, namely 3 and 7. π·(21) = (3 β 1) β (7 β 1) = 2 β 6 = 12 Therefore, the number of integers less than 21 relatively prime to 21 should count to 12. 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are the 12 numbers less than 21 that are relatively prime to 21. Example 2-5 To calculate π·(20), the second form of the totient function is required. The prime factors of 20 are 22 and 5. π·(20) = (22 β 21 ) β (51 β 50 ) = (4 β 2) β (5 β 1) = 2 β 4 = 8 The 8 integers less than 20 relatively prime to 20 are 1, 3, 7, 9, 11, 13, 17, 19. 3 Public Key Cryptography - RSA Eulerβs theorem states that if π β₯ 1 and gcd(π, π) = 1, then ππ·(π) β‘ 1 πππ π. (Burton, 2007, p. 137) This is the heart of the RSA encryption and decryption method. (RSA, 2011). If we choose two prime numbers p and q we can form π = π β π and determine π·(π). If we then choose an encryption exponent e so that gcd(π, π·(π)) = 1, we can find a decryption exponent d Page 10 of 17 The Algebra of Encryption 18 July 2011 such that π β π β‘ 1 πππ π·(π). The exponent d is merely the MMI of π πππ π·(π), and we know from section 2.1.2 how to find d. Note that π β π = π β π·(π) + 1 for some multiplier m. Now take a message expressed as a number M. Calculate the encrypted message by using the encryption exponent. πΆ = ππ πππ π To decrypt, use the decryption exponent. Calculate πΆ π πππ π = π. πΆ π = (ππ )π = ππβπ·(π)+1 = ππβπ·(π) β π = (ππ·(π) )π β π Taking note of Eulerβs theorem, if the decryption calculations are made modulo n, we have πΆ π = (1)π β π πππ π = π Thus we have successfully decrypted the message, assuming gcd(π, π) = 1 to satisfy the requirements of Eulerβs theorem. βIn the unlikely event that M and n are not relatively prime, a similar argument establishes that [πΆ π ] β‘ π πππ π and [πΆ π ] β‘ π πππ π, which then yields the desired congruence [πΆ π ] β‘ π πππ π. We omit the details.β (Burton, 2007, p. 204) RSA involves calculating modular exponentials. The example uses normal encryption and CRT decryption. Note that CRT only benefits decryption because the factors of the modulus must be known and they are part of the private key. Let: π = 17 π = 31 π = 11 message: π = 3 calculate π = π β π = 17 β 31 = 527 calculate π·(π) = (π β 1) β (π β 1) = 16 β 30 = 480 calculate π = π β1 πππ π·(π) β‘ 131 3.1 CRT Pre-calculations π = π ÷ π = 31 πβ1 πππ π β‘ 11 π΄π = π β πβ1 πππ π = 31 β 11 πππ 527 β‘ 341 π = π ÷ π = 17 π β1 πππ π β‘ 11 π΄π = π β π β1 πππ π = 17 β 11 πππ 527 β‘ 187 ππ = π πππ π·(π) = 131 πππ 16 β‘ 3 ππ = π πππ π·(π) = 131 πππ 30 β‘ 11 3.2 Encrypt πΆ = ππ πππ π = 311 πππ 527 β‘ 75 (See Example 2-3.) Page 11 of 17 The Algebra of Encryption 18 July 2011 3.3 Decrypt Note the use of ππ and ππ in place of the normal decrypt exponent. These exponents are d modulus π·(π) and π·(π), NOT d modulus p and q. ππ = πΆ ππ πππ π = 753 πππ 17 = 73 πππ 17 β‘ 3 3.4 ππ = πΆ ππ πππ π = 7511 πππ 31 = 1311 πππ 31 β‘ 3 Combine the results π = (ππ β π΄π + ππ β π΄π ) πππ π = (3 β 341 + 3 β 187) πππ 527 β‘ 3 3.5 Conclusion Decryption is accomplished using smaller exponents and smaller moduli. Multiplication is a large part of calculating modular exponentials. When computing many exponentials using the same private key, time savings becomes significant. 4 How to Share a Secret (Shamir, November, 1979) describes how to share secret information such that the holders of a share cannot individually obtain the secret. Only if a certain minimum number of share holders collaborate can the secret information be identified. A simple description of this method is to use a curve described by a polynomial function. π(π₯) = ππ‘ π₯ π‘ + ππ‘β1 π₯ π‘β1 β― π1 π₯ + π0 Equation 4-1 Typically, π0 is the secret information, for example a secret key, and the other t coefficients in the polynomial may be chosen at random. If two or more elements comprise the secret key, such as π, π, πππ π , necessary for CRT decryption of RSA, then more coefficients may be set and the remainder chosen at random. Basic algebra tells us that when we have π‘ + 1 unknowns - the π‘ + 1 coefficients, we need to know π‘ + 1 points on the curve to identify all of the coefficients. We really only want the one coefficient, π0 , but even that cannot be determined without the required minimum number of points from the curve. Points on the curve - x and f(x) pairs, are the secret shares given to the trusted authorities. Many more than π‘ + 1 secret shares may be given out. But, only if a minimum of π‘ + 1 trusted authorities agree to provide their secret share and collaborate, can the secret information be identified. The secret information - coefficient(s) of the polynomial, may be identified by any linear algebra method for solving a system of simultaneous equations. The x values may be as simple as indexes, incremented between one share holder to the next. Only the value of f(x) must be held secret. Page 12 of 17 The Algebra of Encryption 18 July 2011 5 Paillier Cryptography The cryptographic systems proposed by (Paillier, 1999) involve polynomial expansion of exponentiation. Paillier proposed three systems, one will be discussed here. It is similar to RSA cryptography. 5.1 Carmichael Function In order to understand the algebra of Paillier cryptography, we need to understand the Carmichael function. The Carmichael function, π(π), is similar to Eulerβs totient function π·(π). (Paillier, 1999, p. 2) π(π) = πππ(π β 1, π β 1) Equation 5-1 where π = ππ, π and π are distinct primes, and lcm stands for Least Common Multiple. The Carmichael function also has some useful properties for Paillier cryptography. For any integer π€ that is coprime with π: π { π€ππ β‘ 1 πππ π2 π€ β‘ 1 πππ π Equation 5-2 Which implies there exists some integer π and π such that π { π€ππ = ππ2+ 1 π€ = ππ + 1 Equation 5-3 5.2 Preliminaries Choose two safe prime numbers p and q, form π = π β π, and determine π = πππ(π β 1, π β 1). Safe prime numbers are of the form 2π + 1, where p is also a prime. (Safe prime, 2010) Define the function πΏ(π’) = π’β1 π Equation 5-4 Choose a generator value g such that gcd(πΏ(π π πππ π2 ), π) = 1 Equation 5-5 The public key is (g, n). The private key is Ξ». 5.3 Encrypt The plaintext message is π < π. Choose a random number π < π. Calculate the encrypted message π = ππ π π πππ π2 Equation 5-6 Page 13 of 17 The Algebra of Encryption 18 July 2011 5.4 Decrypt Plaintext πΏ(π π πππ π2 ) π= πππ π πΏ(π π πππ π2 ) Equation 5-7 5.5 Explanation The Generator g Starting from the Carmichael function Equation 5-3. π π = 1 + ππ π ππ₯ = (1 + ππ)π₯ Equation 5-8 If we use binomial expansion of the polynomial, we get (Binomial theorem, 2011) π₯ (1 + ππ)π₯ = 1π₯ + π₯ β (1π₯β1 ) β (ππ)1 + ( ) β (1π₯β2 ) β π2 + β― 2 where π₯ π₯! ( )= π π! (π₯ β π)! When we reduce modulo π2 , all of the polynomial terms of π2 and higher drop out. We are left with π ππ₯ = (1 + ππ)π₯ = (1 + π₯ππ) πππ π2 Equation 5-9 The Decrypt Numerator ππ β 1 (ππ π π )π β 1 πππ π ππ β 1 πΏ(π π πππ π2 ) = πππ π2 = πππ π2 = πππ π2 π π π Applying Equation 5-2. πππ (1) β 1 πΏ(π πππ π ) β‘ πππ π2 π π 2 Equation 5-10 Applying Equation 5-9 to πππ (1 + πππ) β 1 πππ πΏ(π π πππ π2 ) β‘ πππ π2 = πππ π2 = ππ πππ π2 π π The Decrypt Denominator (1 + ππ) β 1 ππ β 1 πΏ(π πππ π ) = πππ π2 = πππ π2 = π πππ π2 π π Equation 5-11 π 2 Page 14 of 17 The Algebra of Encryption 18 July 2011 The Decrypt Combining Equation 5-10 and Equation 5-11 into Equation 5-7, we get πΏ(π π πππ π2 ) ππ πππ π2 π= πππ π = πππ π π πππ π2 πΏ(π π πππ π2 ) 5.6 Blinding Cryptographic blinding allows for a message to be multiplied by a specially treated random number, while still allowing the message to be decrypted without knowledge of the random number. (Blinding (cryptography), 2011) Due to the properties of Paillier cryptography noted in Equation 5-2, any succession of blinding factors may be applied to the ciphertext without affecting the successful decryption. To see this, apply a succession of π blinding factors to the same message. π = ππ β π1π π2π β― πππ πππ π2 = ππ β π π πππ π2 where π = βπ ππ . π is still a random number and does not affect the successful decryption of the message. 5.7 Additive Homomorphic Properties Paillier cryptography includes an interesting homomorphic property in that the multiplication of two ciphertexts is equivalent to the addition of the respective plaintexts. (Paillier, 1999, p. 13) To see this, start with two messages π1 and π2 and encrypt. π1 = ππ1 π1π πππ π2 π2 = ππ2 π2π πππ π2 Now multiply the two ciphertexts. π1 β π2 = ππ1 π1π β ππ2 π2π πππ π2 = ππ1 ππ2 β π1π π2π πππ π2 = ππ1 +π2 β (π1 π2 )π πππ π2 = ππ3 β π3π πππ π2 where m3 = m1 + m2 and r3 = r1 β r2 . r3 is a random number, and the product c1 β c2 will correctly decrypt as m1 + m2 . 5.8 Pre-calculations Some elements of Paillier cryptography can be pre-calculated. Decryption All of the elements of the decrypt denominator are known to the decryptor and may be precalculated. β1 ππ β 1 π=[ ] πππ π2 π Equation 5-12 Page 15 of 17 The Algebra of Encryption 18 July 2011 This is of course an MMI modulo n2 . Decryption then becomes π = [πΏ(π π ) β π πππ π2 ] πππ π Equation 5-13 Determine Ξ» Because p and q are safe primes, we have the following determination for Ξ». π = 2πβ² + 1 π = 2π β² + 1 where πβ² and πβ² are also primes. This leads to the following pre-calculation for Ξ». π = πππ(π β 1, π β 1) = = (π β 1)(π β 1) gcd(π β 1, π β 1) (2πβ² )(2π β² ) 4πβ²πβ² = β² β² gcd(2π , 2π ) 2 = 2πβ²πβ² Equation 5-14 5.9 Observations Choosing g with a common factor The choosing of g, Equation 5-5, allows a vulnerability. If π shares a factor with π, the division of the numerator, πΏ(π π β 1), by the denominator, π, does not always yield an integer. If this goes un-noticed, and the result is truncated, the equality of Equation 5-5 may hold and the value of π will be accepted. The public key is (π, π). If π shares a factor with π, the astute adversary would be able to employ the Euclid algorithm to factor n and thereby find the secret key π. Choosing g without Blinding If one should choose π = 1 + ππ, for some integer π, blinding is in fact necessary. Consider encryption Equation 5-6 without the blinding factor π π . π = ππ = (1 + ππ)π Following the same process as the derivation of Equation 5-9, we arrive at π = (1 + ππ)π = (1 + πππ) πππ π2 Because (g, n) is the public key, the value of a is known publicly. Thus m can be easily calculated from c. Thus Blinding is necessary if π is chosen such that π = 1 + ππ. 6 Works Cited Binomial theorem. (2011, June 21). Retrieved July 10, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Binomial_expansion Page 16 of 17 The Algebra of Encryption 18 July 2011 Blinding (cryptography). (2011, June 3). Retrieved July 10, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Blinding_(cryptography) Burton, D. M. (2007). Elementary Number Theory, Sixth Edition. New York, New York 10020: McGraw-Hill Higher Education. Chinese remainder theorem. (2011, July 2). Retrieved July 7, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Chinese_remainder_theorem Coprime. (2011, June 25). Retrieved July 7, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Coprime Euclidean algorithm. (2011, June 30). Retrieved July 7, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Euclid_algorithm Garrett, P. (2004). The Mathematics of Coding Theory. Upper Saddle River, New Jersey: Pearson Prentice Hall. Modular arithmetic. (2011, July 5). Retrieved July 7, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Modular_arithmetic MPIR home page. (n.d.). Retrieved July 9, 2011, from MPIR: http://www.mpir.org/ Paillier, P. (1999). Public-Key Cryptosystems Based on Composite Degree Residuosity Clases. Advances in Cryptology - Eurocrypt '99 , pp. 223-238. RSA. (2011, July 8). Retrieved July 8, 2011, from Wikipedia: http://en.wikipedia.org/wiki/RSA Safe prime. (2010, August 24). Retrieved July 9, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Safe_prime Shamir, A. (November, 1979). How to Share a Secret. Communications of the ACM , 612-613. Stallings, W. (2011). Cryptography and Network Security, Principles and Practice, Fifth Edition. Prentice Hall. The GNU Multiple Precision Arithmetic Library. (n.d.). Retrieved July 9, 2011, from GNU: http://gmplib.org/ Page 17 of 17