The RSA Algorithm and Reed-Solomon Codes


Upload: tiva

Post on 26-Feb-2016


TRANSCRIPT

PowerPoint Presentation

The RSA Algorithm and Reed-Solomon Codes (slide 1)
Group 5: Daryl, Etkin, Supartha, Rajendra and Aarthi

Introduction (slide 2)
Two information coding schemes:

RSA Algorithm: privacy, authenticity.

Reed-Solomon Codes: (bursty) noise tolerance.

Speaker notes: two information coding schemes that complement each other; first half, second half.

Welcome to the Matrix (slide 3)

Privacy (slide 4)

Authenticity (slide 5)

Trinity? Yes, it's me.

Shared Key Cryptography (slide 6)
Encrypt messages with a symmetric-key cryptosystem (e.g. DES, AES, etc.).

Requires prior agreement on a shared key over a secure channel.

What if Neo and Trinity have yet to meet?

Speaker notes: recursive problem, you need a secure channel to establish your secure channel.

Public Key Cryptography (slide 7)
Mathematically related public/private key pairs are generated.
Messages encrypted with the public key can only be decrypted with the private key.

It is infeasible to compute the private key from the public key alone.
No need to agree on a shared key!

RSA Algorithm (slide 8)
Rivest, Shamir and Adleman (1977).

Based on the difficulty of computing the prime factors of large integers.

RSA Algorithm (slide 9)

Setup:
Pick two distinct primes p and q.
Compute n = pq and φ(n) = (p - 1)(q - 1).
Pick e where 1 < e < φ(n) and gcd(e, φ(n)) = 1.
Compute d where de ≡ 1 (mod φ(n)).
Public key is (n, e), private key is (n, d).

Usage:
Encrypt with C ≡ M^e (mod n).
Decrypt with M ≡ C^d (mod n).

Speaker notes: e must satisfy 1 < e < (p-1)(q-1). e is typically chosen as 2^16 + 1 = 65,537; if e is too small (2 or 3), security would be compromised. N is typically 1024-2048 bits long.

RSA Algorithm (slide 10): the same setup and usage slide as slide 9, repeated as the animation builds.

Modular Multiplicative Inverse (slide 11)
Let e, d, n be integers with n ≠ 0.

Fact: if gcd(e, n) = 1 (i.e. e and n are coprime), then there exists d such that de ≡ 1 (mod n).

In other words, the multiplicative inverse of e (mod n) exists when gcd(e, n) = 1.

RSA Algorithm (slides 12 and 13): the same setup and usage slide as slide 9, repeated as the animation builds.

Euler's Totient Function φ(n) (slide 14)
Definition: the number of integers 1 ≤ a ≤ n with gcd(a, n) = 1.

Formula: for n = pq where p and q are primes.

Modular Exponentiation (slide 15)
Let x, y, m, n be integers with n ≠ 0.

Fact: if x ≡ y (mod φ(n)), then m^x ≡ m^y (mod n).

In other words, working mod n requires that we work mod φ(n) in the exponent.

RSA Algorithm (slides 16 and 17): the same setup and usage slide as slide 9, repeated as the animation builds; slide 17 adds why decryption inverts encryption:

(M^e)^d ≡ M (mod n)

and

(M^d)^e ≡ M (mod n)

Speaker notes: e must satisfy 1 < e < (p-1)(q-1), but the second condition ensures that e is at least 3. e is typically chosen as 2^16 + 1 = 65,537; if e is too small (2 or 3), security would be compromised. N is typically 1024-2048 bits long.

Example: M = 1234 (slide 18)
Pick p = 37 and q = 43.
Compute n = 1591 and φ(n) = 1512.
Pick e = 71: gcd(e, φ(n)) = gcd(71, 1512) = 1.
Compute d = 575 (Extended Euclidean Algorithm): de = 40825 ≡ 1 (mod 1512).
Public key is (n, e), private key is (n, d).
Encrypt: C ≡ M^e ≡ 1234^71 ≡ 908 (mod 1591).
Decrypt: M ≡ C^d ≡ 908^575 ≡ 1234 (mod 1591).

RSA Algorithm for Signatures (slide 19)

Setup (as before):
Pick two distinct primes p and q.
Compute n = pq and φ(n) = (p - 1)(q - 1).
Pick e where 1 < e < φ(n) and gcd(e, φ(n)) = 1.
Compute d where de ≡ 1 (mod φ(n)).
Public key is (n, e), private key is (n, d).

Usage (reversed!):
Sign M with S ≡ M^d (mod n); send (M, S).
Verify that M ≡ S^e (mod n).
Sign with the private key, verify with the public key.

Speaker notes: e must satisfy 1 < e < (p-1)(q-1). e is typically ch 2^16 + 1 = 65,537; if e is too small (2 or 3), security would be compromised. N is typically 1024-2048 bits long.

Implementing (slide 20)
Modular exponentiation: successive squaring.
Computing d from e and φ(n): Extended Euclidean Algorithm.
Finding large primes.

Modular Exponentiation Algorithm (slide 21)
Successive squaring to compute C ≡ M^e (mod n).

Let e = e_k e_(k-1) ... e_0 (binary representation of e).

C := 1
For i := k, k-1, ..., 0:
    C := (C * C) mod n
    If e_i = 1 Then C := (C * M) mod n
End For

Performance: O(log e). Memory: O(1).

Computing d from e and φ(n) (slide 22)
Extended Euclidean Algorithm: since e and φ(n) are coprime, solving yields d = y satisfying

Find the maximal q_i satisfying, and x_i and y_i satisfying

When r_k = 0, stop and output gcd(a, b) = r_(k-1), x = x_(k-1) and y = y_(k-1).

Similar to the Euclidean Algorithm for gcd(a, b), but retain the quotients q_i at each step i to compute x_i and y_i.
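Textbook RSA built from the two primitives the deck implements, as an added Python example (not code from the slides): successive-squaring modular exponentiation (slide 21), the Extended Euclidean Algorithm for d (slide 22), then key generation with the slide-9 checks on e, encryption/decryption (slide 18) and sign/verify (slide 19). It reproduces the slide-18 numbers p = 37, q = 43, e = 71, d = 575, M = 1234, C = 908; the function names are mine.

```python
# Added example (not from the slides): textbook RSA from successive squaring
# (slide 21) and the Extended Euclidean Algorithm (slide 22), checked against
# the slide-18 numbers p = 37, q = 43, e = 71, M = 1234.
from math import gcd


def mod_exp(m, e, n):
    """Left-to-right successive squaring over the bits e_k ... e_0 of e."""
    c = 1
    for bit in bin(e)[2:]:
        c = (c * c) % n              # C := C*C mod n
        if bit == "1":
            c = (c * m) % n          # if e_i = 1: C := C*M mod n
    return c


def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b); the quotient q_i of
    each Euclidean step updates the running x_i and y_i."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(e, phi):
    """d with d*e = 1 (mod phi); exists only when gcd(e, phi) = 1 (slide 11)."""
    g, x, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime, no inverse exists")
    return x % phi


def valid_exponent(e, phi):
    """The slide-9 conditions on e: 1 < e < phi(n) and gcd(e, phi(n)) = 1."""
    return 1 < e < phi and gcd(e, phi) == 1


def rsa_keygen(p, q, e):
    """Return ((n, e), (n, d)) for distinct primes p, q and a valid e."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not valid_exponent(e, phi):
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    return (n, e), (n, mod_inverse(e, phi))


def rsa_encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return mod_exp(m, e, n)          # C = M^e mod n


def rsa_decrypt(private, c):
    n, d = private
    return mod_exp(c, d, n)          # M = C^d mod n


def rsa_sign(private, m):
    n, d = private
    return mod_exp(m, d, n)          # S = M^d mod n (textbook: M signed directly)


def rsa_verify(public, m, s):
    n, e = public
    return mod_exp(s, e, n) == m     # accept iff S^e = M mod n


if __name__ == "__main__":
    pub, priv = rsa_keygen(37, 43, 71)
    print(pub, priv)                                         # (1591, 71) (1591, 575)
    c = rsa_encrypt(pub, 1234)
    print(c, rsa_decrypt(priv, c))                           # 908 1234
    s = rsa_sign(priv, 1234)
    print(rsa_verify(pub, 1234, s), rsa_verify(pub, 1235, s))  # True False
```

The sign routine signs M directly, as slide 19 does; deployed RSA signs a hash of the message under a padding scheme and pads M before encryption, both of which this textbook version omits. The `valid_exponent` check is what rejects e = 3 for this φ(n) = 1512, since gcd(3, 1512) = 3.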

Generating Large Primes (slide 23)
Generate a large random integer.
Apply a primality test repeatedly.

Primality tests: Miller-Rabin, Solovay-Strassen, Fermat primality test.

Euler witness, Euler liar.
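The slide-23 procedure (draw a large random integer, apply a primality test repeatedly) with Miller-Rabin as the test, as an added Python example (not code from the slides). A single-base Fermat check sits beside it so the liar case is visible: the Carmichael number 561 = 3 · 11 · 17 passes the Fermat test for base 2 but fails one Miller-Rabin round with the same base. The function names are mine.

```python
# Added example (not from the slides): random prime generation by repeated
# Miller-Rabin testing, plus a single-base Fermat check to show a Fermat liar.
import random

_rng = random.SystemRandom()
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def fermat_passes(n, a):
    """Fermat's test for one base a: a^(n-1) = 1 (mod n). Every prime passes,
    but a Carmichael number passes for every base coprime to it."""
    return pow(a, n - 1, n) == 1


def miller_rabin_passes(n, a):
    """One Miller-Rabin round for odd n > 3 with base a. Write n - 1 = 2^s * d
    (d odd) and check a^d, a^(2d), ..., a^(2^(s-1) d) mod n. Returns False when
    a is a witness, i.e. n is certainly composite."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False    # reached 1 through a non-trivial square root of 1, or never -1


def is_probable_prime(n, rounds=20):
    """Trial division by small primes, then `rounds` random-base Miller-Rabin
    rounds; a composite survives each round with probability at most 1/4."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        if not miller_rabin_passes(n, a):
            return False
    return True


def random_prime(bits, rounds=20):
    """Slide-23 loop: draw odd candidates of exactly `bits` bits until one
    passes the primality test."""
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rounds):
            return candidate


if __name__ == "__main__":
    print(fermat_passes(561, 2), miller_rabin_passes(561, 2))   # True False
    print(is_probable_prime(1591), is_probable_prime(65537))    # False True
    print(random_prime(512).bit_length())                       # 512
```

Base 2 is a Fermat liar for 561 because 561 is a Carmichael number; the Miller-Rabin round catches it because the square chain 2^35, 2^70, 2^140, 2^280 mod 561 reaches 1 from 67 rather than from 560, exposing a non-trivial square root of 1. For key generation the `rounds` count sets the composite-acceptance bound 4^-rounds; the `SMALL_PRIMES` pass is only a speed-up.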

Slides 24-37 (titles only): Algorithm; Sieving; Miller-Rabin Primality Test (slides 26, 27, 29, 30); Fermat's Little Theorem; Pseudocode; Example (slides 32-35); Deterministic Miller-Rabin; Complexity and Error.

Reed-Solomon Codes (slide 38)

Agent Smith is Frustrated (slide 39)

???

Disrupts Channel (slide 40)

Noisy Channel (slide 41)
Noise is natural.

Studied models in general: Binary Symmetric Channel, Binary Erasure Channel, Noisy Typewriter Channel, Continuous Output Channel.

Error Correction (Toy Example) (slide 42)

Error Correction (slide 43)
[Table: messages M and their codewords C]

Code Distance (Toy Example) (slide 44)

(slide 45)

Linear Codes (slide 46)
[Table: messages M and their codewords C]
No structure?? Have to store the whole mapping in a codebook.

Linear Codes (slide 47)
G = n x k, where n = 7, k = 4; for example, the Hamming code is linear.

Singleton Bound (slide 48)

Applications (slide 49): CDs, space communication; robust against burst errors.

From left: Gustave Solomon and Irving S. Reed.

Reed-Solomon Code (Original View) (slide 50)

Reed-Solomon Sketch (Original View) (slide 51)

Reed-Solomon Sketch (slide 52)

RS Sketch (slide 53)

Reed-Solomon Code (slide 54)

Finite Fields (slide 55)

Field (slide 56)
A set of elements with two operations, addition and multiplication, defined on these elements.
Closed under these two operations.
Basically all arithmetic operations are allowed.

Examples: the set of real numbers, the set of rational numbers.

Finite Field (slide 57)
A field with a finite number of elements.

Example: {0, 1} with modulo operations. In general {0, 1, 2, ..., p-1} is a field with p elements under modulo operations (p is prime).

How to construct fields with 8 elements?

In general, how to construct fields with p^r elements??

Galois Field GF(2^m) (slide 58)
A field with 2^m elements can be constructed by extending the field GF(2), which is {0, 1}.
Let α denote an additional element in GF(2^m).

Now GF(2^m) = {0, 1, α, α^2, ..., α^(2^m - 1), α^(2^m), ...}

To make the number of elements 2^m, we restrict α^(2^m - 1) = 1 = α^0.

GF(2^m) (slide 59)
GF(2^m) = {0, α^0, α, ..., α^(2^m - 2)}

Any non-zero element in GF(2^m) can be written as a polynomial of degree at most m-1 with coefficients from GF(2); the elements can therefore also be mapped to binary values.

Primitive Polynomial (slide 60)
An irreducible polynomial f(x) of degree m is said to be primitive if the smallest positive integer n for which f(x) divides x^n + 1 is n = 2^m - 1.

Example: 1 + x + x^4, because it divides x^n + 1 for n = 15 and not for other values less than 15.

Used for constructing GF(2^m); RS codes use GF(2^m).

The Field GF(2^3) (slide 61)

(slide 62)

Reed-Solomon Code: RS[n, k, d] (slide 63)

Properties of RS(n, k, d) (slide 64)
Linear code.
Cyclic.
d = n - k + 1 (Maximum Distance Separable).
Can correct up to n - k erasures.
Can correct up to (n - k)/2 symbol errors.

Systematic Encoding (slide 65)
This form of encoding is not in systematic form. Systematic form: parity symbols followed by message symbols.

Message symbols: 010 110 111
Codeword: 100 001 011 101 010 110 111 (parity symbols 100 001 011 101, message symbols 010 110 111), each symbol written as its coefficients of 1, α, α^2.

Message polynomial: α + α^3 x + α^5 x^2
Code polynomial: α^0 + α^2 x + α^4 x^2 + α^6 x^3 + α x^4 + α^3 x^5 + α^5 x^6

A generator polynomial g(x) is defined as g(x) = (x - α)(x - α^2) ... (x - α^(2t)).

Encoding in Systematic Form (slide 66)
Shift the message polynomial m(x) by 2t positions by multiplying m(x) by x^(2t).

Define p(x) = x^(2t) m(x) (mod g(x)).

The final codeword polynomial u(x) is u(x) = p(x) + x^(2t) m(x).

Example RS[7,3,5] (slide 67)
Message polynomial α + α^3 x + α^5 x^2, yielding α x^4 + α^3 x^5 + α^5 x^6 after multiplication with x^(2t), i.e. x^4.
Take g(x) = (x - α)(x - α^2)(x - α^3)(x - α^4) = x^4 + α^3 x^3 + α^0 x^2 + α x + α^3 = α^3 + α x + α^0 x^2 + α^3 x^3 + x^4.
Next divide α x^4 + α^3 x^5 + α^5 x^6 by g(x) to find the remainder p(x) = α^0 + α^2 x + α^4 x^2 + α^6 x^3.
Now u(x) = α^0 + α^2 x + α^4 x^2 + α^6 x^3 + α x^4 + α^3 x^5 + α^5 x^6.

Syndrome Computation (slide 68)
The syndrome is the result of a parity check performed on the received polynomial r(x) to determine whether r(x) is a valid codeword.
The syndromes are evaluations of the received polynomial r(x) at α, α^2, α^3, ..., α^(2t): S_i = r(α^i), i = 1, 2, ..., 2t.
If r(x) is a valid codeword then all the S_i evaluate to zero; any non-zero S_i indicates the presence of errors.

Error Polynomial (slide 69)
The errors introduced by the channel during transmission can be modeled as a polynomial e(x) over the field GF(2^m).

Hence r(x) = u(x) + e(x).

The problem of finding e(x) from r(x) (or from the syndromes) is decoding.

Properties of RS Codes (slide 70)
Given any collection of k coefficients from the polynomial u(x), it is possible to construct the remaining coefficients of u(x).
If at most t of the coefficients of u(x) are incorrect, it is possible to reconstruct all the coefficients of u(x) correctly.
Polynomial multiplication/division using the FFT takes O(k log k), where k is the maximum of the degrees of the polynomials.
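The GF(2^3) construction of slides 58-61, the systematic encoding of slides 66-67 and the syndrome check of slide 68, as an added Python example (not code from the slides). It assumes the primitive polynomial x^3 + x + 1 for GF(2^3), which is the choice that reproduces the slide-67 generator polynomial; it verifies that the slide-67 message encodes to the slide-67 codeword, and that a single corrupted symbol (constructed here) shows up in the syndromes. Polynomials are coefficient lists with the lowest degree first; the function names are mine.

```python
# Added example (not from the slides): GF(2^3) from x^3 + x + 1 (assumed), the
# systematic RS[7,3,5] encoder of slides 66-67 and the syndromes of slide 68.
M_BITS = 3
Q = 1 << M_BITS                  # field size 8; code length n = Q - 1 = 7
PRIM_POLY = 0b1011               # x^3 + x + 1

EXP = [0] * (2 * Q)              # EXP[i] = alpha^i, doubled so LOG[a] + LOG[b] indexes directly
LOG = [0] * Q                    # LOG[alpha^i] = i
_x = 1
for _i in range(Q - 1):
    EXP[_i] = _x
    LOG[_x] = _i
    _x <<= 1                     # multiply by alpha
    if _x & Q:                   # reduce with alpha^3 = alpha + 1
        _x ^= PRIM_POLY
for _i in range(Q - 1, 2 * Q):
    EXP[_i] = EXP[_i - (Q - 1)]  # alpha^(Q-1) = 1, so the table is periodic


def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]


def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= gf_mul(a, b)       # addition in GF(2^m) is XOR
    return out


def poly_mod(p, g):
    """Remainder of p(x) divided by a monic g(x) (long division)."""
    deg_g = len(g) - 1
    r = list(p) + [0] * max(0, deg_g - len(p))
    for i in range(len(r) - 1, deg_g - 1, -1):
        coef = r[i]
        if coef:
            for j in range(deg_g + 1):
                r[i - deg_g + j] ^= gf_mul(coef, g[j])
    return r[:deg_g]


def poly_eval(p, x):
    acc = 0
    for c in reversed(p):                    # Horner's rule
        acc = gf_mul(acc, x) ^ c
    return acc


def generator_poly(two_t):
    """g(x) = (x - alpha)(x - alpha^2)...(x - alpha^2t); over GF(2^m) minus is plus."""
    g = [1]
    for i in range(1, two_t + 1):
        g = poly_mul(g, [EXP[i], 1])
    return g


def rs_encode(message, n, k):
    """Systematic encoding: u(x) = p(x) + x^2t m(x), p(x) = x^2t m(x) mod g(x)."""
    two_t = n - k
    shifted = [0] * two_t + list(message)    # x^2t m(x)
    parity = poly_mod(shifted, generator_poly(two_t))
    return parity + list(message)


def syndromes(received, two_t):
    """S_i = r(alpha^i) for i = 1..2t; all zero exactly when r(x) is a codeword."""
    return [poly_eval(received, EXP[i]) for i in range(1, two_t + 1)]


# Slide-67 message m(x) = alpha + alpha^3 x + alpha^5 x^2
MESSAGE = [EXP[1], EXP[3], EXP[5]]

if __name__ == "__main__":
    print(generator_poly(4))     # [3, 2, 1, 3, 1] = alpha^3 + alpha x + x^2 + alpha^3 x^3 + x^4
    u = rs_encode(MESSAGE, 7, 3)
    print(u)                     # [1, 4, 6, 5, 2, 3, 7] = alpha^0, alpha^2, alpha^4, alpha^6, alpha, alpha^3, alpha^5
    print(syndromes(u, 4))       # [0, 0, 0, 0]
    r = list(u)
    r[2] ^= 1                    # one constructed symbol error at x^2
    print(syndromes(r, 4))       # [4, 6, 5, 2] = alpha^2, alpha^4, alpha^6, alpha
```

The integer encoding of each field element is its bit pattern with bit k holding the coefficient of α^k, so α = 2, α^3 = α + 1 = 3, and so on; the slides print the same symbols with the bits in the opposite order. With the error e(x) = x^2 the syndromes come out as S_j = α^(2j), which is the structure slide 71 uses to locate errors.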

Structure of the Syndrome (slide 71)
Error polynomial e(x) = e_0 + e_1 x + ... + e_n x^n.
Suppose the received polynomial r(x) has errors at the locations i_1, i_2, ..., i_ν, and the magnitude of the error at location i_l is e_(i_l). Then the syndromes can be written in the form

S_j = e_(i_1) X_1^j + e_(i_2) X_2^j + ... + e_(i_ν) X_ν^j, j = 1, 2, ..., 2t

where X_l = α^(i_l).

Decoders for Reed-Solomon Codes (slide 72)

Outline (slide 73)
Calculate syndromes.
Find the error locator polynomial: Peterson-Gorenstein-Zierler decoder.
Find error locations: Chien search.
Find error values: Forney's algorithm.

Generating Syndrome Polynomials (slide 74)
Finding S_j for j = 1 to 2t: a non-linear system!!

Error Locator Polynomial (slide 75)

Intuition: the roots of this polynomial are the inverses of the error locations, which helps to find the locations where an error has occurred. Expanding Λ(x):

Using the Error Locator Polynomial (slide 76)
For x = X_l^(-1) and for any 1 ≤ l ≤ ν:

Multiplying throughout by Y_l X_l^(j+ν):

Using the Error Locator Polynomial (slide 77)
Sum over l = 1 to t:

Using the Error Locator Polynomial (slide 78)
Equations (1) to (4) now form a system of linear equations.

Peterson-Gorenstein-Zierler Decoder (1960) (slide 79)
Solve for the Λ_i's by finding the largest value of ν for which M is non-singular, starting from ν = t.

Overall this algorithm runs in time polynomial in t; 2t = n - k = O(n) (could also be O(1) for large n and k). Use polynomial-time algorithms for matrix determinants and inversion.

Proof of correctness (slides 80 and 81)
For i > ν, Y_i X_i = 0, so the middle matrix is singular, so M is singular.

Outline (slide 82)
Calculate syndromes.
Find the error locator polynomial: Peterson-Gorenstein-Zierler decoder.
Find error locations: Chien search.
Find error values: Forney's algorithm.

Chien Search (slide 83)
Find the roots of the error locator polynomial Λ(x) by exhaustive search.

Evaluate Λ(α^i) for i = 1, 2, ..., 2t.

Find all i where Λ(α^i) = 0; such an α^i is a root of Λ(x).

Error locations will also be of the form α^j. Here, j = -i and j = 2t - i.

If the number of errors found is ≠ t, abort the process.

Chien Search (slide 84)

Observations regarding Chien Search (slide 85)
Number of iterations = O(n): a linear-time algorithm.
Correctness of Chien search: view Λ(x) as a polynomial over a finite field.

Outline (slide 86)
Calculate syndromes.
Find the error locator polynomial: Peterson-Gorenstein-Zierler decoder.
Find error locations: Chien search.
Find error values: Forney's algorithm.

Finding Error Values (slide 87)
Convert to matrix form: a Vandermonde matrix.

Forney's Algorithm (slide 88)
Defining the syndrome polynomial:

Defining the error evaluator polynomial:

where b is the degree of the smallest root of the generating function of the code.

Runtime for Forney's Algorithm (slide 89)
Computing the coefficients of Ω(x) takes ν^2/2 multiplications.

Computing each Y_i takes 2ν + 1 multiplications and one reciprocal.

Total computation time needed: 2.5ν^2 multiplications.

ν = O(n), so the operations needed are O(n^2): a polynomial-time algorithm.

Outline (slide 90)
Calculate syndromes.
Find the error locator polynomial: Peterson-Gorenstein-Zierler decoder.
Find error locations: Chien search.

Find error values: Forney's algorithm.

Dial D for your message (slide 91)
r(x) = u(x) + e(x).

Decoding techniques help determine e(x) completely.

Hence u(x) = r(x) - e(x): the message sent is recovered.

We are done!!

Extras (slide 92)
Other, more efficient (implementation-wise) algorithms for decoding:
Berlekamp-Massey decoder (LFSR and iterative correction).
Euclidean algorithm (values and locations determined simultaneously using an iterative GCD of polynomials).
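A decoder for the slides' RS[7,3,5] code that walks the slide-73 outline, as an added Python example (not code from the slides): syndromes (slide 68), the Peterson-Gorenstein-Zierler linear system of slide 79 solved by Gauss-Jordan elimination, Chien search (slide 83), and error values from the Vandermonde system of slide 87 rather than Forney's formula. It assumes the same GF(2^3) (primitive polynomial x^3 + x + 1) and the slide-67 codeword; the two-error received word is constructed, and the function names are mine.

```python
# Added example (not from the slides): PGZ + Chien search + Vandermonde error
# values for RS[7,3,5] over GF(2^3) built from x^3 + x + 1 (assumed).
Q, N = 8, 7                                   # field size, code length n = 2^3 - 1
EXP, LOG = [0] * (2 * Q), [0] * Q
_x = 1
for _i in range(N):                           # alpha^i, reducing by x^3 + x + 1
    EXP[_i] = EXP[_i + N] = _x
    LOG[_x] = _i
    _x = (_x << 1) ^ (0b1011 if _x & 4 else 0)


def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]


def gf_inv(a):
    return EXP[N - LOG[a]]                    # a != 0


def gf_pow(a, e):
    return 0 if a == 0 else EXP[(LOG[a] * e) % N]


def poly_eval(p, x):                          # Horner's rule, lowest degree first
    acc = 0
    for c in reversed(p):
        acc = gf_mul(acc, x) ^ c
    return acc


def syndromes(r, two_t):
    return [poly_eval(r, EXP[i]) for i in range(1, two_t + 1)]


def gf_solve(A, b):
    """Gauss-Jordan elimination over GF(2^m); None when A is singular."""
    m = len(A)
    rows = [list(A[i]) + [b[i]] for i in range(m)]
    for col in range(m):
        piv = next((i for i in range(col, m) if rows[i][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = gf_inv(rows[col][col])
        rows[col] = [gf_mul(inv, v) for v in rows[col]]
        for i in range(m):
            if i != col and rows[i][col]:
                f = rows[i][col]
                rows[i] = [v ^ gf_mul(f, w) for v, w in zip(rows[i], rows[col])]
    return [rows[i][m] for i in range(m)]


def rs_decode(received, n, k):
    """Corrected codeword, or None when more than t errors are detected."""
    two_t = n - k
    t = two_t // 2
    S = syndromes(received, two_t)
    if not any(S):
        return list(received)
    # PGZ (slide 79): largest nu <= t whose syndrome matrix is non-singular
    for nu in range(t, 0, -1):
        A = [[S[i + nu - j] for j in range(1, nu + 1)] for i in range(nu)]
        lam = gf_solve(A, [S[i + nu] for i in range(nu)])
        if lam is not None:
            break
    else:
        return None
    locator = [1] + lam                       # Lambda(x) = 1 + L1 x + ... + Lnu x^nu
    # Chien search (slide 83): Lambda(alpha^i) = 0 means X_l^-1 = alpha^i,
    # so the error sits at position -i mod n
    locs = [(n - i) % n for i in range(n) if poly_eval(locator, EXP[i]) == 0]
    if len(locs) != nu:
        return None                           # root count disagrees with nu: abort
    # error values (slide 87): S_j = sum_l Y_l X_l^j, j = 1..nu, a Vandermonde system
    X = [EXP[l] for l in locs]
    Y = gf_solve([[gf_pow(x, j) for x in X] for j in range(1, nu + 1)], S[:nu])
    if Y is None:
        return None
    corrected = list(received)
    for l, y in zip(locs, Y):
        corrected[l] ^= y                     # u(x) = r(x) - e(x)
    return corrected if not any(syndromes(corrected, two_t)) else None


# Slide-67 codeword: alpha^0, alpha^2, alpha^4, alpha^6, alpha, alpha^3, alpha^5
CODEWORD = [1, 4, 6, 5, 2, 3, 7]

if __name__ == "__main__":
    r = list(CODEWORD)
    r[1] ^= 3                                 # two constructed symbol errors
    r[5] ^= 6
    print(syndromes(r, 4))                    # [2, 6, 2, 2]
    print(rs_decode(r, 7, 3))                 # [1, 4, 6, 5, 2, 3, 7]
```

For the two-error input the PGZ system is non-singular at ν = 2 and yields Λ(x) = 1 + α^6 x + α^6 x^2 = (1 + α x)(1 + α^5 x), whose roots α^6 and α^2 point Chien search at positions 1 and 5; a single error makes the ν = 2 matrix singular, so the loop drops to ν = 1 as slide 79 prescribes. `rs_decode` returns None when the root count disagrees with ν or the corrected word still has non-zero syndromes, which is how more than t = 2 errors are detected; patterns of more than t errors that land on another codeword are undetectable by any decoder.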

Decoders are implemented as dedicated chips by manufacturers (hardware and software).

Thanks for your attention!! (slide 94)