home | college of engineering and applied science...

The Algebra of Encryption 25 July 2011

The Algebra of Encryption

1 Modular ArithmeticMuch of modern cryptography is based on modular arithmetic. We can think of modular arithmetic as a cycle. When we reach the base number or modulus, we cycle back to zero. We use modular arithmetic every day. For example, when we look at the clock we are using base 12. If the current time is 9 am and an appointment is at 1 pm, we know that the appointment is four hours away. Modular arithmetic tells us that 1−9≡ 4 mod 12. (Modular arithmetic, 2011)

1.1 Division AlgorithmThe division algorithm roughly states “that any integer a can be “divided” by b in such a way that the remainder is smaller than b.” (Burton, 2007, p. 17) Mathematically, this can be expressed as follows

a=mb+rEquation 1-1

Where m is a multiplier and r is a residue.

Example 1-1

13=1∗12+1, the multiplier is 1 and the residue is 1. Using modular arithmetic, we write 13≡1mod 12.

Example 1-2

9=0∗12+9, in this case the multiplier is zero and the residue is equal to 9 or a. Using modular arithmetic, we write 9≡ 9mod 12.

1.2 AdditionAddition follows the same rules that we are used to from normal arithmetic with the additional step that the result is reduced by the modulus.

To add two numbers a1 and a2 we first express the numbers in the form of Equation 1-1.a1=m1∗b+r1

a2=m2∗b+r2

Next we add and collect terms.a1+a2=(m1+m2 )∗b+(r 1+r 2)

Note that this remains in the form of Equation 1-1 but does not preclude the possibility that the sum r1+r2 could be greater than the modulus, thus causing a change to the multiplier.

Example 1-3

13+9≡ 10 mod12 13+9=(1∗12+1 )+(0∗12+9 )=(1+0 )∗12+ (1+9 )=1∗12+10In this case, the multiplier is not affected.

of 22


Example 1-4

9+9≡ 6mod 129+9=(0∗12+9 )+ (0∗12+9 )=(0+0 )∗12+(9+9 )=0∗12+18In this case, the resulting residue is greater than the modulus and should be reduced. Add and subtract the modulus, 12, and collect terms.18=0∗12+18+1∗12−12=(0+1 )∗12+(18−12 )=1∗12+6

1.3 SubtractionModular subtraction is similar to modular addition. To subtract two numbers a1 and a2 we first express the numbers in the form of Equation 1-1.

a1=m1∗b+r1

a2=m2∗b+r2

Next we subtract and collect terms.a1−a2= (m1−m2 )∗b+(r1−r2)

Again, the result remains in the form of Equation 1-1 but does not preclude the possibility that the difference r1−r2 could be less than the zero. Since we generally deal with positive numbers, this causes a change to the multiplier.

Example 1-5

9−13≡8mod 12 9−13= (0∗12+9 )−(1∗12+1 )=(0−1 )∗12+ (9−1 )=(−1 )∗12+8In this case, the multiplier is not affected.

Example 1-6

13−9≡4 mod 1213−9= (1∗12+1 )−(0∗12+9 )=(1−0 )∗12+ (1−9 )=1∗12+(−8)In this case, the resulting residue is less than zero and should be adjusted. Add and subtract the modulus, 12, and collect terms.(−8 )=1∗12+ (−8 )+(−1 )∗12+12=(1−1 )∗12+(−8+12 )=0∗12+4

1.4 MultiplicationMultiplication is merely repeated addition. As with addition and subtraction, the resulting residue is generally adjusted to be less than the modulus and non-negative.

Example 1-7

4∗13≡ 4 mod12 4∗13=(1∗12+1 )+ (1∗12+1 )+(1∗12+1 )+(1∗12+1 )

¿ (1+1+1+1 )∗12+(1+1+1+1 )=( 4 )∗12+4In this case, the multiplier is not affected.

of 22


Example 1-8

13∗4 ≡ 4 mod1213∗4=13∗(0∗12+4 )=(13∗0 )∗12+ (13∗4 )=0∗12+52In this case, the resulting residue should be adjusted.52=4∗12+4

1.5 DivisionDivision is a little tricky. Normally we think of division as dividing one number into equal parts countable to another. Thus the name. However, when we stick to Integers, we don’t always get equal Integer parts.

We need to think of modular division a little differently. Generally, when we divide c by d we use the following notation.

cd=e

Equation 1-2

For modular division, we need to write this in a different way.c=d∗e or d∗e=c

Equation 1-3

If trying to divide c by d , we need to ask by what number, e, can we multiply d such that the result is congruent to c modulo the modulus?

Example 1-9

10÷ 2≡5 mod13 2∗5=10=0∗13+10This is easy because we know we can multiply 2 by 5 and the result is 10.

Example 1-10

10÷ 4 ≡ 9mod 13In this case, 4∗9=36=2∗13+10. That is to say, we found a number, 9, that we can multiply by 4 such that the result is congruent to 10 modulo 13. Exactly how we find the number 9 directly, without trial and error, is discussed in section 1.6 and 2.1.2.

1.6 Division by Multiplicative InverseAnother way of accomplishing modular division is by using the multiplicative inverse of the divisor. Re-writing Equation 1-2, we get the following equation for division.

c∗d−1=eEquation 1-4

But this begs the question, what is the multiplicative inverse in modular arithmetic? Remembering back to regular arithmetic, we again think of multiplicative inverse in a different way. We need to ask by what number, d−1, can we multiply d such that the result is congruent to 1 modulo the modulus? This is expressed mathematically as follows.

of 22


1≡d∗d−1 mod modulusEquation 1-5

Expressed algebraically for modular arithmetic, we have the following.1=m∗b+d∗d−1

Equation 1-6

Where again, m is the multiplier, b is the modulus, d is the number of interest, and d−1 is the Modular Multiplicative Inverse (MMI).

Example 1-11

(4)−1≡ 10mod 13 1= (−3 )∗13+4∗10.Again, exactly how we find the number 10 directly, without trial and error, is discussed in section 2.1.2.

Example 1-12

Going back to Example 1-10, we get the following.10÷ 4=10∗4−1≡ 10∗10mod 13=100=7∗13+9≡ 9 mod 13, which agrees with the findings in Example 1-10.

2 Useful Functions

2.1 Euclidean AlgorithmThe Euclidean algorithm is an important part of the algebra of encryption. It is generally thought of as providing the Greatest Common Divisor (GCD) of two numbers. When the two numbers are properly chosen, the Euclidean algorithm can also be used to directly determine the Modular Multiplicative Inverse (MMI).

2.1.1 Greatest Common Divisor“The Euclidean algorithm (also called Euclid’s algorithm) is an efficient method for computing the greatest common divisor.” “The GCD of two numbers is the largest number that divides both of them without leaving a remainder.” (Euclidean algorithm, 2011)

Figure 2-1 reproduces an example discussed in (Euclidean algorithm, 2011). We would like to find the GCD of two numbers represented by lines AB and CD.

1. Start by comparing the smaller number to the larger number.2. Find the quotient of the two numbers. In this case, the quotient refers to the greatest

integer less than or equal to AB÷ CD. In other words, how many times can we multiply CD and still remain smaller than or equal to AB. In the figure, this quotient is 1.

3. Multiply the second number by the quotient and subtract from the first. In the figure, the result, or residue, is AE.

4. Now compare the residue with the previous smaller number. In the figure, this is comparing CD and AE. Repeat the above steps until the larger number is an integral

of 22


multiple of the smaller number. That is to say, there is no resulting residue. The GCD is the last residue, in this case, CF.

Figure 2-1: Euclidean Algorithm

Now we can add up the line lengths and verify that CF is the GCD of AB and CD.AE=3∗CFCD=2∗AE+CF=2∗3∗CF+CF=7∗CFAB=CD+AE=7∗CF+3∗CF=10∗CF

Referring to Figure 2-2, it is easy to see that CF does indeed evenly divide both AB and CD.

Figure 2-2: Comparing the Results

2.1.2 Modular Multiplicative InverseBy computing the Euclidian algorithm on a number of interest and the modulus, we can directly compute the MMI of the number of interest. In these calculations, it is efficient to accumulate the quotients at each step as coefficients of the two numbers. This is often referred to as the Extended Euclidean algorithm.

If we put numbers to the lines in Figure 2-1, for example 50 and 35, we have the following example.

Example 2-13

1. Start by writing the two numbers as below.50 = 50 ( 1) + 35 ( 0)

of 22


35 = 50 ( 0) + 35 ( 1)

2. Find the quotient of the two numbers.q = int(50 / 35) = 1

3. Multiply the second equation through by the quotient and subtract from the first.50 = 50 ( 1) + 35 ( 0)35 = 50 ( 0) + 35 ( 1), q = 115 = 50 ( 1) + 35 ( -1)

4. Repeat steps 2 and 3 comparing the residues until the result is 050 = 50 ( 1) + 35 ( 0)35 = 50 ( 0) + 35 ( 1), q = 115 = 50 ( 1) + 35 ( -1), q = 2 5 = 50 ( -2) + 35 ( 3), q = 3 0 = 50 ( 7) + 35 (-10)

The GCD is the last residue, in this case, 5. If we work this example again using the numbers 10 and 7, we will find that the GCD is 1. If two numbers have a GCD of 1, they are said to be relatively prime or coprime. (Coprime, 2011)

Now, how does this find the MMI? If we return to Example 1-11, we wish to find the MMI of 4 modulo 13. If we compute the Extended Euclidian algorithm of 13 and 4 we have the following.

13 = 13 ( 1) + 4 ( 0) 4 = 13 ( 0) + 4 ( 1), q = 3 1 = 13 ( 1) + 4 ( -3)

When searching for the MMI, we can stop when the residue is 1. Now compare our result with Equation 1-6. (-3) is the MMI of 4 modulo 13. We prefer to deal with non-negative numbers, so the result needs to be adjusted. We do this by adding and subtracting 13 * 4 and collecting terms.

1 = 13 (1 ) + 4 (-3 ) + 13 (-4) + 4 (13)1 = 13 (1 - 4) + 4 (-3 + 13)1 = 13 ( -3) + 4 ( 10)

Thus 10 is the MMI of 4 mod 13. This result agrees with our findings in Example 1-11.

Mentioned above is that we can stop searching for the MMI when the residue is 1. This is because the next line would result in a residue of zero. When we arrive at a residue of zero but the previous line does not have a residue of 1, the number of interest and the modulus are not coprime and no MMI exists for that number of interest for that modulus. (Burton, 2007, pp. 76-77)

of 22


2.2 Modular ExponentiationMany encryption schemes employ modular exponentiation. When dealing with very large numbers, such as in cryptography, efficient computing is essential. (Garrett, 2004, p. 123) describes an algorithm entitled Fast Modular Exponentiation.

Initiate X = base, E = exponent, Y = 1: xe≡ ymod m. If E is odd: replace Y by (X * Y) mod m and replace E = E - 1. E is now even: replace X by (X * X) mod m and replace E = E / 2. When E = 0: xe≡ ymod m.

X keeps the current binary power of the base number. Y is the accumulator. Note how E is parsed for its binary bit values.

1. Starting from the least significant bit, check if the bit is 1 (if E is odd). 2. If E is odd, accumulate the corresponding power of the base: Y = Y * X. The decrement

of E simply makes the division by 2 in the next step easier.3. E is now even, update X to the next binary power of the base: X = X * X. Divide E by 2,

that is to say, right shift so the next binary bit is in the least significant bit position.4. Loop to step 2 until E = 0.

Example 2-14

First let’s calculate 311 without a modulus.E=11=1+2+8.Y=311=31∗32∗38=3∗9∗6561=177147

Notes X E YInitialization 31=3 11 1E is odd 11−1=10 3∗1=3E is even 32=9 10÷ 2=5E is odd 5−1=4 9∗3=27E is even 34=81 4 ÷2=2E is even 38=6561 2÷2=1E is odd 1−1=0 6561∗9∗3=177147

Example 2-15

Now let’s calculate 311 mod 527Y=311=31∗32∗38=3∗9∗237mod 527=75mod 527

Notes X E YInitialization 31=3 11 1E is odd 11−1=10 3∗1mod 527=3E is even 32 mod 527=9 10÷ 2=5E is odd 5−1=4 9∗3=27mod 527E is even 34mod 527=81 4 ÷2=2E is even 38 mod 527=237 2÷2=1E is odd 1−1=0 237∗9∗3mod 527

¿75

of 22


You can verify that 177,147=75mod 527.

Notice that everything happens the same with a modulus as without a modulus. The only difference is in the size of the numbers - the calculation results are reduced modulo 527.

Also notice the significant role of multiplication in this algorithm. We multiply X∗X for each exponent bit position. We multiply X∗Y when the exponent’s least significant bit is 1. In Example 2-14 we dealt with larger numbers. In Example 2-15 the numbers were limited by the modulus and remained smaller.

Consider multiplying two 4 digit binary numbers and two 2 digit binary numbers.

1111 x 1111----------------- 1111 1111 1111 + 1111----------------- 11100001

11 x 11----------------- 11 + 11----------------- 1001

The 4 digit multiplication involved the addition of 16 bits. The 2 digit multiplication involved the addition of only 4 bits. Since the size of numbers cryptography deals with are usually larger than a computer’s arithmetic logic unit can deal with, special Big Integer computational packages such as Multiple Precision Integers and Rationals (MPIR) (MPIR home page) or Gnu Multiple Precision (GMP) (The GNU Multiple Precision Arithmetic Library) are usually employed. The smaller the modulus, the smaller the numbers we deal with, and the less time involved in multiplying.

2.3 Chinese Remainder Theorem (CRT)Chinese Remainder Theorem is frequently used in cryptography to reduce the calculation time inherent in calculating with large numbers. This time reduction is accomplished by doing a few extra calculations, but with much smaller numbers. (Chinese remainder theorem, 2011) Also, a significant part of the calculations may be done once, in advance, and then used for subsequent calculations.

This discussion follows (Stallings, 2011, pp. p 254-257). The example will use a modulus with four factors.

2.3.1 Pre-calculations

Identify the Factors of MChoose m1, m2, m3, and m4. The numbers must be coprime.

m1=37m2=49=72

of 22


m3=55=5∗11m4=64=26

Notice that m2 and m4 are powers of prime numbers and m3 is composite. Only m1 is truly prime in this example. The only requirement is that the chosen factors of M be coprime with respect to each other.

M=m1∗m2∗m3∗m4=37∗49∗55∗64=6,381,760

Calculate M i

Calculate M i=M ÷mi for each mi.

M 1=M ÷ m1=6,381,760 ÷ 37=172,480M 2=M ÷ m2=6,381,760÷ 49=130,240M 3=M ÷ m2=6,381,760÷ 55=116,032M 4=M ÷ m4=6,381,760÷ 64=99,715

Calculate M i−1 mod mi

Use the Extended Euclidean Algorithm to calculate M i−1 mod mi for each mi.

M 1−1 mod m1=172,480−1 mod 37≡29

M 2−1 mod m2=130,240−1 mod 49≡24

M 3−1 mod m3=116,032−1 mod 55≡3

M 4−1 mod m4=99,715−1 mod 64≡ 43

Calculate Ai

For convenience, define Ai=Mi∗M i−1mod M for each mi.

A1=M 1∗M1−1mod M=172,480∗29mod 6,381,760 ≡5,001,920

A2=M 2∗M 2−1mod M=130,240∗24mod 6,381,760≡ 3,125,760

A3=M3∗M 3−1 mod M =116,032∗3mod 6,381,760 ≡348,096

A4=M 4∗M 4−1mod M =99,715∗43mod 6,381,760 ≡4,287,745

2.3.2 AdditionTo add two numbers, complete the addition for each mi, then combine the results.

As an example, we will add 735,839 and 826,277 mod M. Start by computing the residue for each factor.

x=735,839x1=x mod m1=735,839mod 37=20x2=x mod m2=735,839mod 49=6x3=x mod m3=735,839 mod 55=49

x4=xmod m4=735,839 mod 64=31

y=826,277y1= y mod m1=826,277 mod 37=30y2= y mod m2=826,277 mod 49=39

of 22


y3= y mod m3=826,277 mod 55=12 y4= y mod m4=826,277 mod 64=37

Add for each mi

Compute x+ y=z i mod mi for each mi.

z1=x1+ y1=20+30=50≡ 13mod 37z2=x2+ y2=6+39=45≡ 45mod 49z3=x3+ y3=49+12=61≡6mod 55z4=x4+ y4=31+37=68≡ 4mod 64

Combine the resultsFind the result of ( x+ y ) mod M=(z1∗A1+z2∗A2+ z3∗A3+z4∗A4)mod M

(735,839+826,277 )mod 6,381,760¿ (13∗5,001,920+45∗3,125,760+6∗348,096+4∗4,287,745 ) mod 6,381,760≡1,562,116

2.3.3 MultiplicationTo multiply two numbers, complete the multiplication for each mi, then combine the results.

If we use the same x and y values as for addition, we can use the same residues for each factor.

Multiply for each mi

Compute x∗y=zi mod mi for each mi.

z1=x1∗y1=20∗30=600≡ 8 mod 37z2=x2∗y2=6∗39=234 ≡38mod 49z3=x3∗y3=49∗12=588 ≡38mod 55

z4=x4∗y 4=31∗37=1147 ≡59mod 64

Combine the resultsFind the result of ( x∗y ) mod M=(z1∗A1+z2∗A2+z3∗A3+ z4∗A4)mod M

(735,839∗826,277 ) mod 6,381,760¿ (8∗5,001,920+38∗3,125,760+38∗348,096+59∗4,287,745 )mod 6381760≡3,802,683

2.4 Euler’s Totient FunctionEuler’s totient function, Φ (n), identifies the number of integers, less than n, that are relatively prime to n. A good treatment of Euler’s Totient function can be found in (Burton, 2007, pp. 131-135).

(Stallings, 2011, pp. 249-250) presents Euler’s totient function as Φ ( p )=p−1 for prime p. This is correct, but not good for a general definition of the function. (Burton, 2007, pp. 131-135)

of 22


gives a more versatile definition as Φ ( pk)=pk−pk−1. It is easy to see that this version degenerates to the previous version in the case of k=1.

To determine the totient of a composite number, we must know the prime factors of the number. Given n=p i∗q j, Φ (n )=Φ ( pi )∗Φ (q j )=( pi−pi−1 )∗(q j−q j−1) (Burton, 2007, pp. 131-135). Again, if i and j=1, then the equation degenerates to Φ (n )=Φ ( p )∗Φ (q )=( p−1 )∗(q−1) as described by (Stallings, 2011, pp. 249-250).

Example 2-16

To calculate Φ (21), the first form is adequate. First we must know the prime factors of 21, namely 3 and 7.

Φ (21 )=(3−1 )∗(7−1 )=2∗6=12Therefore, the number of integers less than 21 relatively prime to 21 should count to 12.1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are the 12 numbers less than 21 that are relatively prime to 21.

Example 2-17

To calculate Φ (20), the second form of the totient function is required. The prime factors of 20 are 22 and 5.

Φ (20 )=(22−21 )∗(51−50 )=( 4−2 )∗(5−1 )=2∗4=8The 8 integers less than 20 relatively prime to 20 are 1, 3, 7, 9, 11, 13, 17, 19.

3 Exponentiation and Chinese Remainder TheoremIn section 2.3 we looked at addition and multiplication using CRT. We would like to take advantage of the CRT and reduce the exponent.

Notice that reducing the exponent by the modulus does not result in congruence.be=bmn n+rn ≢brn mod n

where b is the base, mn is the multiplier, and rn is the residue.

To demonstrate this, lete=131n=17b=3

e=131=mnn+r n=7∗17+12

be=3131=10mod17

brn=312=4mod 17

be ≢brn mod n

of 22


To reduce the exponent correctly, we must employ Euler’s theorem. Euler’s theorem states that if n≥ 1 and gcd ( a ,n )=1, then aΦ(n )≡ 1mod n. (Burton, 2007, p. 137)

be=bmΦ Φ(n )+r Φ ≡brΦ mod n

where b is the base, mΦ is the multiplier, and rΦ is the residue.

To demonstrate this, lete=131n=17 ,Φ (n )=16b=3

e=131=mΦ Φ(n)+rΦ=8∗16+3

be=3131=10mod17

brΦ=33=10mod 17

be≡brΦ mod n

We can always use the full exponent when conducting the calculations for each CRT modulus. But to reduce the exponent, we must know Φ (n) which requires we know the factors of n if n is not prime.

4 Public Key Cryptography - RSAEuler’s theorem is the heart of the RSA encryption and decryption method. (RSA, 2011).

If we choose two prime numbers p and q we can form n=p∗q and determine Φ (n). If we then choose an encryption exponent e so that gdc ( e ,Φ (n ) )=1, we can find a decryption exponent d such that d∗e≡1m odΦ (n). The exponent d is merely the MMI of e mod Φ(n), and we know from section 2.1.2 how to find d . Note that d∗e=m∗Φ (n )+1 for some multiplier m.

Now take a message expressed as a number M . Calculate the encrypted message by using the encryption exponent.

C=M e mod n

To decrypt, use the decryption exponent. Calculate Cd mod n=M .Cd=(M e)d=Mm∗Φ (n )+1=Mm∗Φ (n )∗M=(MΦ (n ))m∗M

Taking note of Euler’s theorem, if the decryption calculations are made modulo n, we haveCd=(1)m∗M mod n=M

Thus we have successfully decrypted the message, assuming gcd ( M ,n )=1 to satisfy the requirements of Euler’s theorem. “In the unlikely event that M and n are not relatively prime, a similar argument establishes that [Cd ]≡ M mod p and [Cd ]≡ M mod q, which then yields the desired congruence [Cd ]≡ M mod n. We omit the details.” (Burton, 2007, p. 204)

of 22


RSA involves calculating modular exponentials. The example uses normal encryption and CRT decryption. Note that CRT only benefits decryption because the factors of the modulus must be known and they are part of the private key.

Let:p=17q=31e=11message: M=3

calculate n=p∗q=17∗31=527calculate Φ (n )=( p−1 )∗(q−1 )=16∗30=480calculate d=e−1mod Φ ( n )≡ 131

4.1 CRT Pre-calculationsP=n÷ p=31P−1 mod p≡ 11Ap=P∗P−1 mod n=31∗11mod 527≡ 341Q=n÷ q=17Q−1 mod q≡ 11Aq=Q∗Q−1mod n=17∗11mod 527 ≡187

d p=dmod Φ ( p )=131 mod 16 ≡3dq=d mod Φ (q )=131mod 30≡ 11See section 3 regarding how to reduce the exponent d into d p and dq.

4.2 EncryptC=M emod n=311mod 527≡75 (See Example 2-15.)

4.3 DecryptNote the use of d p and dq in place of the normal decrypt exponent.

M p=C d p mod p=753 mod 17 ¿73 mod 17≡3 M q=Cd qmod q=7511 mod 31

¿1311 mod 31≡3

4.4 Combine the resultsM=( M p∗A p+M q∗Aq ) mod n=(3∗341+3∗187 ) mod 527 ≡3

4.5 ConclusionDecryption is accomplished using smaller exponents and smaller moduli. Multiplication is a large part of calculating modular exponentials. When computing many exponentials using the same private key, time savings becomes significant.

of 22


5 How to Share a Secret(Shamir, November, 1979) describes how to share secret information such that the holders of a share cannot individually obtain the secret. Only if a certain minimum number of share holders collaborate can the secret information be identified.

A simple description of this method is to use a curve described by a polynomial function.f ( x )=at x

t+a t−1 x t−1⋯ a1 x+a0

Equation 5-7

Typically, a0 is the secret information, for example a secret key, and the other t coefficients in the polynomial may be chosen at random. If two or more elements comprise the secret key, such as p ,q ,∧d, necessary for CRT decryption of RSA, then more coefficients may be set and the remainder chosen at random.

Basic algebra tells us that when we have t+1 unknowns - the t+1 coefficients, we need to know t+1 points on the curve to identify all of the coefficients. We really only want the one coefficient, a0, but even that cannot be determined without the required minimum number of points from the curve.

Points on the curve - x and f(x) pairs, are the secret shares given to the trusted authorities. Many more than t+1 secret shares may be given out. But, only if a minimum of t+1 trusted authorities agree to provide their secret share and collaborate, can the secret information be identified. The secret information - coefficient(s) of the polynomial, may be identified by any linear algebra method for solving a system of simultaneous equations.

The x values may be as simple as indexes, incremented between one share holder to the next. Only the value of f(x) must be held secret.

6 Paillier CryptographyThe cryptographic systems proposed by (Paillier, 1999) involve polynomial expansion of exponentiation. Paillier proposed three systems, one will be discussed here. It is similar to RSA cryptography.

6.1 Carmichael FunctionIn order to understand the algebra of Paillier cryptography, we need to understand the Carmichael function. The Carmichael function, λ (n), is similar to Euler’s totient function Φ (n). (Paillier, 1999, p. 2)

λ (n )=lcm( p−1, q−1)Equation 6-8

where n=pq, p and q are distinct primes, and lcm stands for Least Common Multiple.

The Carmichael function also has some useful properties for Paillier cryptography. For any integer w that is coprime with n:

{ w λ≡1mod nwnλ≡ 1mod n2

of 22


Equation 6-9

Which implies there exists some integer a and b such that

{ w λ=an+1w λn=bn2+1

Equation 6-10

6.2 PreliminariesChoose two safe prime numbers p and q, form n=p∗q, and determine λ=lcm( p−1 ,q−1). Safe prime numbers are of the form 2 p+1, where p is also a prime. (Safe prime, 2010)

Define the function

L (u )=u−1n

Equation 6-11

Note: that u is usually an exponential mod n2. The notation used is a little awkward because only the exponential should be calculated mod n2. The division by n cannot be accomplished mod n2 because n has no MMI mod n2. The numerator should be a multiple of n, and the “normal” division should result in an integer with no residue.

Choose a generator value g such thatgcd ( L ( gλmod n2 ), n)=1

Equation 6-12

Note: See section 6.12 regarding choosing values of g.

The public key is (g ,n). The private key is λ.

6.3 EncryptThe plaintext message is m<n. Choose a random number r<n. Calculate the encrypted message

c=gmr nmod n2

Equation 6-13

6.4 DecryptPlaintext

m=L(cλ mod n2)L(gλ mod n2)

mod n

Equation 6-14

6.5 Explanation

The Generator gStarting from the Carmichael function Equation 6-10.

gλ=1+angλx=(1+an )x

of 22


Equation 6-15

If we use binomial expansion of the polynomial, we get (Binomial theorem, 2011)

(1+an)x=1x+x∗(1x−1)∗(an )1+(x2)∗(1x−2 )∗n2+⋯

where

(xi )= x !i ! ( x−i )!

When we reduce modulo n2, all of the polynomial terms of n2 and higher drop out. We are left with

gλx=(1+an)x=(1+ xan)mod n2

Equation 6-16

The Decrypt Numerator

L (cλ mod n2 )= c λ−1n

mod n2=(gmr n)λ−1n

mod n2= gmλ rnλ−1n

mod n2

Applying Equation 6-9 to rnλ.

L (cλ mod n2 ) ≡ gmλ (1 )−1n

mod n2

Applying Equation 6-16 to gmλ

L (cλ mod n2 ) ≡ (1+man)−1n

mod n2=mann

m od n2=ma mod n2

Equation 6-17

Note that we must divide by n using normal division. n has no multiplicative inverse mod n2.

The Decrypt Denominator

L (g λ mod n2 )= gλ−1n

mod n2=(1+an )−1

nmod n2=amod n2

Equation 6-18

Again, we must divide by n using normal division.

The DecryptCombining Equation 6-17 and Equation 6-18 into Equation 6-14, we get

m= L(cλ mod n2)L(gλ mod n2)

mod n=mamod n2

amod n2 mod n

See section 6.11 concerning pre-calculations. The decrypt equation can be written asm=[ L (c λ) mod n2 ]∗μmod n

where

of 22


μ=[ gλ−1n mod n2]

−1

mod n

6.6 Paillier Cryptography Example

PreliminariesLet

p=23q=59n=p∗q=23∗59=1357n2=1,841,449

λ=lcm ( p−1 , q−1 )=( p−1 )(q−1)

gcd ( p−1 , q−1 )=

22∗582 =638

Choose gg=71

Check g (see section 6.12.)gcd ( g ,n )=1g≠an+1 for some integer a.

Verify ggλ mod n2=71638=521,089

L (g λ mod n2 )= gλ−1n

mod n2=521,089−11357

mod 1,841,449=384

gcd ( L ( gλ mod n2 ), n)=gcd (384 ,1357 )=1

Pre-calculate μ (See section 6.11.)μ= [ L ( gλ mod n2 ) ]−1

mod n= [384 ]−1mod n=887

EncryptLet

m=1025r=1019

c=gmr nmod n2=711025∗10191357 mod 1,841,449=1,593,818

DecryptNumerator:


mod n2=1,593,818638−11357

mod 1,841,449=70

Plaintext:

of 22


m=L (c λ mod n2 )∗μmod n=70∗887mod 1357=1025

6.7 BlindingCryptographic blinding allows for a message to be multiplied by a specially treated random number, while still allowing the message to be decrypted without knowledge of the random number. (Blinding (cryptography), 2011)

Due to the properties of Paillier cryptography noted in Equation 6-9, any succession of blinding factors may be applied to the ciphertext without affecting the successful decryption.

To see this, apply a succession of k blinding factors to the same message.c=gm∗r1

nr2n⋯ rk

n mod n2

¿ gm∗rn mod n2

where r=∏k

ri. r is still a random number and does not affect the successful decryption of the message.

6.8 Blinding ExampleWe use the ciphertext from the example in section 6.6 and chose another random number.

c1=1,593,818r2=951

c2=c1 r2n mod n2=1,593,818∗9511357mod 1,841,449=1,587,825

DecryptNumerator:


mod n2=1,587,825638−11357

mod 1,841,449=70

As we saw in the explanation in section 6.5, the decrypt numerator is unaffected by the blinding of the added random number.

6.9 Additive Homomorphic PropertiesPaillier cryptography includes an interesting homomorphic property in that the multiplication of two ciphertexts is equivalent to the addition of the respective plaintexts. (Paillier, 1999, p. 13)

To see this, start with two messages m1 and m2 and encrypt.c1=gm1 r1

n mod n2

c2=gm2r2n mod n2

Now multiply the two ciphertexts.c1∗c2=gm1r 1

n∗gm2 r2n mod n2

¿ gm1 gm2∗r 1nr2

nmod n2

¿ gm1+m2∗(r1r 2)n mod n2

of 22


¿ gm3∗r3n mod n2

where m3=m1+m2 and r3=r1∗r2. r3 is a random number, and the product c1∗c2 will correctly decrypt as m1+m2.

6.10 Homomorphic ExampleWe use the ciphertext from the example in section 6.6 and section 6.8. These two ciphertext represent the same plaintext, so the expected result is that the original message will be doubled.

c3=c1∗c2=1,593,818∗1,587,825 mod 1,841,449=705,150

DecryptNumerator:


mod n2=705,150638−11357

mod 1,841,449=140

Plaintext:m=L (c λ mod n2 )∗μmod n=140∗887 mod 1357=693

Which is as expected since 2∗1025mod 1357=693.

6.11 Pre-calculationsSome elements of Paillier cryptography can be pre-calculated.

DecryptionThe decrypt denominator is actually calculated when g is verified. The only additional pre-calculation is to find the MMI of the denominator.

μ=[ gλ−1n mod n2]

−1

mod n

Equation 6-19

Decryption then becomesm=[ L (c λ) mod n2 ]∗μmod n

Equation 6-20

Determine λBecause p and q are safe primes, we have the following determination for λ.

p=2 p'+1q=2q'+1

where p ' and q ' are also primes.

This leads to the following pre-calculation for λ.

λ=lcm ( p−1 , q−1 )=( p−1 )(q−1)

gcd (p−1 , q−1)

of 22


¿(2 p' )(2q' )

gcd (2 p' ,2 q ')=4 p ' q '

2

¿2 p ' q 'Equation 6-21

6.12 ObservationsChoosing g with a common factor to nThe choosing of g, Equation 6-12, allows a vulnerability. If g shares a factor with n, the division of the numerator of L(gλ mod n2) by the denominator, n, does not always yield an integer. (Paillier, 1999) never discusses that the division result should be verified to be an integer. If this goes un-noticed, and the result is truncated, the equality of Equation 6-12 may hold and the value of g will be accepted.

Example 6-18

p=7=2∗3+1 , p'=3q=11=2∗5+1 , q '=5n=p∗q=77n2=5929λ=2 p ' q '=2∗3∗5=30g=35=5∗7gcd ( g ,n )=7

L (g λ mod n2 )= gλ mod n2−1n

=3530 mod 5929−177

=2597−177

=33.7

gcd ( L ( gλ mod n2 ), n)=gcd (33 ,77 )=11

Example 6-19

Same as Example 6-18 except:g=22=2∗11gcd ( g ,n )=11

L (g λ mod n2 )= gλ mod n2−1n

=2230 mod 5929−177

=484−177

=6.27

gcd ( L ( gλ mod n2 ), n)=gcd (6 ,77 )=1

In Example 6-18, the choice of g is rejected. In Example 6-19, the choice of g is accepted.

The public key is (g ,n). If g shares a factor with n, the astute adversary would be able to employ the Euclid algorithm to factor n and thereby find the secret key λ.

of 22


Choosing g without BlindingIf one should choose g=1+an, for some integer a, blinding is in fact necessary. Consider encryption Equation 6-13 without the blinding factor rn.

c=gm=(1+an )m

Following the same process as the derivation of Equation 6-16, we arrive atc=(1+an)m= (1+man) mod n2

Because (g ,n) is the public key, the value of a is known publicly. Thus m can be easily calculated from c. Thus Blinding is necessary if g is chosen such that g=1+an.

7 Works CitedBinomialtheorem. (2011, June 21). Retrieved July 10, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Binomial_expansion

Blinding(cryptography). (2011, June 3). Retrieved July 10, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Blinding_(cryptography)

Burton, D. M. (2007). ElementaryNumberTheory,SixthEdition. New York, New York 10020: McGraw-Hill Higher Education.

Chineseremaindertheorem. (2011, July 2). Retrieved July 7, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Chinese_remainder_theorem

Coprime. (2011, June 25). Retrieved July 7, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Coprime

Euclideanalgorithm. (2011, June 30). Retrieved July 7, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Euclid_algorithm

Garrett, P. (2004). TheMathematicsofCodingTheory. Upper Saddle River, New Jersey: Pearson Prentice Hall.

Modulararithmetic. (2011, July 5). Retrieved July 7, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Modular_arithmetic

MPIRhomepage. (n.d.). Retrieved July 9, 2011, from MPIR: http://www.mpir.org/

Paillier, P. (1999). Public-Key Cryptosystems Based on Composite Degree Residuosity Clases. AdvancesinCryptology-Eurocrypt'99 , pp. 223-238.

RSA. (2011, July 8). Retrieved July 8, 2011, from Wikipedia: http://en.wikipedia.org/wiki/RSA

Safeprime. (2010, August 24). Retrieved July 9, 2011, from Wikipedia: http://en.wikipedia.org/wiki/Safe_prime

Shamir, A. (November, 1979). How to Share a Secret. CommunicationsoftheACM , 612-613.

of 22


Stallings, W. (2011). CryptographyandNetworkSecurity,PrinciplesandPractice,FifthEdition. Prentice Hall.

TheGNUMultiplePrecisionArithmeticLibrary. (n.d.). Retrieved July 9, 2011, from GNU: http://gmplib.org/

of 22

home | college of engineering and applied science...

Documents