The RSA Algorithm and Reed-Solomon Codes
Group 5: Daryl, Etkin, Supartha, Rajendra and Aarthi

Introduction
Two information coding schemes:
RSA Algorithm: privacy, authenticity
Reed-Solomon Codes: (bursty) noise tolerance
Two information coding schemes that complement each other (first half, second half of the talk).
Welcome to the Matrix
Privacy
Authenticity
Trinity? Yes, it's me.

Shared Key Cryptography
Encrypt messages with a symmetric-key cryptosystem (e.g. DES, AES, etc.)
Requires prior agreement on a shared key over a secure channel
What if Neo and Trinity have yet to meet?
Recursive problem: you need a secure channel to establish your secure channel.

Public Key Cryptography
Mathematically related public/private key pairs are generated
Messages encrypted with the public key can only be decrypted with the private key
Infeasible to compute the private key from the public key alone
No need to agree on a shared key!
RSA Algorithm
Rivest, Shamir and Adleman (1977)
Based on the difficulty of computing the prime factors of large integers
RSA Algorithm
Setup:
Pick two distinct primes p and q
Compute n = pq and φ(n) = (p - 1)(q - 1)
Pick e where 1 < e < φ(n) and gcd(e, φ(n)) = 1
Compute d where de ≡ 1 (mod φ(n))
Public key is (n, e), private key is (n, d)
Usage:
Encrypt with C ≡ M^e (mod n)
Decrypt with M ≡ C^d (mod n)
Notes: e must satisfy 1 < e < (p - 1)(q - 1), but the second condition (the gcd) ensures that e is at least 3. e is typically chosen as 2^16 + 1 = 65,537; if e is too small (2 or 3), security would be compromised. n is typically 1024-2048 bits long.

Modular Multiplicative Inverse
Let e, d, n be integers with n > 0.
Fact: if gcd(e, n) = 1 (i.e. e and n are coprime), then there exists d such that de ≡ 1 (mod n).
In other words, the multiplicative inverse of e (mod n) exists when gcd(e, n) = 1.

Euler's Totient Function φ(n)
Definition: the number of integers 1 ≤ a ≤ n with gcd(a, n) = 1.
Formula: for n = pq where p and q are primes, φ(n) = (p - 1)(q - 1).

Modular Exponentiation
Let x, y, m, n be integers with n > 0.
Fact: if x ≡ y (mod φ(n)), then m^x ≡ m^y (mod n).
In other words, working mod n requires that we work mod φ(n) in the exponent.

Why decryption undoes encryption (and vice versa):
(M^e)^d ≡ M (mod n)
and
(M^d)^e ≡ M (mod n)

Example: M = 1234
Pick p = 37 and q = 43
Compute n = 1591 and φ(n) = 1512
Pick e = 71; gcd(e, φ(n)) = gcd(71, 1512) = 1
Compute d = 575 (Extended Euclidean Algorithm); de = 40825 ≡ 1 (mod 1512)
Public key is (n, e), private key is (n, d)
Encrypt: C ≡ M^e ≡ 1234^71 ≡ 908 (mod 1591)
Decrypt: M ≡ C^d ≡ 908^575 ≡ 1234 (mod 1591)
RSA Algorithm for Signatures
Pick two distinct primes p and q
Compute n = pq and φ(n) = (p - 1)(q - 1)
Pick e where 1 < e < φ(n) and gcd(e, φ(n)) = 1
Compute d where de ≡ 1 (mod φ(n))
Public key is (n, e), private key is (n, d)
Sign M with S ≡ M^d (mod n); send (M, S)
Verify that M ≡ S^e (mod n)
Reversed! Sign with the private key, verify with the public key.

Implementing
Modular exponentiation: successive squaring
Computing d from e and φ(n): Extended Euclidean Algorithm
Finding large primes

Modular Exponentiation Algorithm
Successive squaring to compute C ≡ M^e (mod n)
Let e = e_k e_(k-1) ... e_0 (binary representation of e)
C := 1
For i := k, k - 1, ..., 0
    C := (C * C) mod n
    If e_i = 1 Then C := (C * M) mod n
End For
Performance: O(log e) multiplications. Memory: O(1).

Computing d from e and φ(n)
Extended Euclidean Algorithm: since e and φ(n) are coprime, solving φ(n)x + ey = 1 for integers x, y yields d = y satisfying de ≡ 1 (mod φ(n)).
At each step i, find the maximal quotient q_i of the Euclidean division, and the x_i and y_i that express the current remainder r_i as a combination of a and b.
When r_k = 0, stop and output gcd(a, b) = r_(k-1), x = x_(k-1) and y = y_(k-1).
Similar to the Euclidean Algorithm for gcd(a, b), but retain the quotients q_i at each step i to compute x_i and y_i.
Generating Large Primes
Generate a large random integer
Apply a primality test repeatedly
Primality tests: Miller-Rabin, Solovay-Strassen, Fermat primality test
Euler witness, Euler liar
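An added worked implementation (not from the slides; the function names are my own) of the three building blocks just listed, successive-squaring exponentiation, the Extended Euclidean Algorithm for d, and a Miller-Rabin primality test, assembled into RSA key setup and checked against the slides' example p = 37, q = 43, e = 71, M = 1234:

```python
# Added example (not the slides' code); names are my own. Checked below
# against the slides' numbers p = 37, q = 43, e = 71, M = 1234.
import random

def mod_pow(m, e, n):                 # successive squaring, bits e_k .. e_0
    c = 1
    for bit in bin(e)[2:]:
        c = c * c % n
        if bit == "1":
            c = c * m % n
    return c

def ext_gcd(a, b):                    # returns (g, x, y) with a*x + b*y = g
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b    # keep quotient q_i to update x_i, y_i
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def mod_inverse(e, phi):              # d with d*e = 1 (mod phi), needs gcd = 1
    g, x, _ = ext_gcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime: no inverse")
    return x % phi

def is_probable_prime(n, rounds=20):  # Miller-Rabin with random bases
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:                 # n - 1 = 2^s * d with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = mod_pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False              # witness found: n is composite
    return True

def rsa_keypair(p, q, e):             # public (n, e), private (n, d)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, mod_inverse(e, phi))
def rsa_apply(key, x):                # encrypt, decrypt, sign and verify all
    return mod_pow(x, key[1], key[0]) # compute x^(key exponent) mod n
```

Signing is the same operation as decryption (apply the private key), and verification the same as encryption, so `rsa_apply` serves all four roles.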
Slides shown as figures only: Algorithm; Sieving; Miller-Rabin Primality Test; Fermat's Little Theorem; Miller-Rabin Primality Test; Pseudocode; Example; Deterministic Miller-Rabin; Complexity and Error.

Reed-Solomon Codes
Agent Smith is Frustrated
???
Disrupts Channel
Noisy Channel
Noise is natural.
Models studied in general: Binary Symmetric Channel, Binary Erasure Channel, Noisy Typewriter Channel, Continuous Output Channel.

Error Correction (Toy Example)

Error Correction
Codebook table mapping each message M to a codeword C.

Code Distance (Toy Example)

Linear Codes
The same M to C codebook: no structure?? Have to store the whole mapping in a codebook.

Linear Codes
Codewords are produced from the message by a generator matrix G of size n x k (for example n = 7, k = 4); the Hamming code, for example, is linear.

Singleton Bound

Applications: CDs, space communication; robust against burst errors.
From left: Gustave Solomon and Irving S. Reed
Reed Solomon Code (Original View)
Reed Solomon Sketch (Original View)
Reed Solomon Sketch
RS Sketch
Reed Solomon Code

Finite Fields

Field
A set of elements with two operations, addition and multiplication, defined on these elements.
Closed under these two operations.
Basically all arithmetic operations are allowed.
Examples: the set of real numbers, the set of rational numbers.

Finite Field
A field with a finite number of elements.
Example: {0, 1} with modulo-2 operations.
In general {0, 1, 2, ..., p - 1} is a field with p elements under modulo-p operations (p prime).
How to construct fields with 8 elements?
In general, how to construct fields with p^r elements?
Galois Field GF(2^m)
A field with 2^m elements can be constructed by extending the field GF(2) = {0, 1}.
Let α denote an additional element in GF(2^m).
Now GF(2^m) = {0, 1, α, α^2, ..., α^(2^m - 1), α^(2^m), ...}
To make the number of elements 2^m, we restrict α^(2^m - 1) = 1 = α^0.
GF(2^m) = {0, α^0, α, ..., α^(2^m - 2)}
Any non-zero element in GF(2^m) can be written as a polynomial in α of degree at most m - 1 with coefficients from GF(2); hence the elements can also be mapped to binary values.

Primitive Polynomial
An irreducible polynomial f(x) of degree m is said to be primitive if the smallest positive integer n for which f(x) divides x^n + 1 is n = 2^m - 1.
Example: 1 + x + x^4, because it divides x^n + 1 for n = 15 and not for any smaller value of n.
Used for constructing GF(2^m); RS codes use GF(2^m).

The Field GF(2^3)

Reed Solomon Code: RS[n, k, d]

Properties of RS(n, k, d)
Linear code
Cyclic
d = n - k + 1 (Maximum Distance Separable)
Can correct up to n - k erasures
Can correct up to (n - k)/2 symbol errors
Systematic Encoding
The encoding above is not in systematic form. Systematic form: parity symbols followed by message symbols.
Message symbols: 010 110 111
Systematic codeword: 100 001 011 101 010 110 111
Message polynomial m(x) = α + α^3 x + α^5 x^2
Code polynomial u(x) = α^0 + α^2 x + α^4 x^2 + α^6 x^3 + α x^4 + α^3 x^5 + α^5 x^6
A generator polynomial g(x) is defined as g(x) = (x - α)(x - α^2) ... (x - α^(2t))

Encoding in Systematic Form
Shift the message polynomial m(x) by 2t positions by multiplying m(x) by x^(2t).
Define p(x) = x^(2t) m(x) (mod g(x))
The final codeword polynomial u(x) is u(x) = p(x) + x^(2t) m(x)

Example RS[7,3,5]
Message polynomial m(x) = α + α^3 x + α^5 x^2, yielding α x^4 + α^3 x^5 + α^5 x^6 after multiplication with x^(2t), i.e. x^4.
Take g(x) = (x - α)(x - α^2)(x - α^3)(x - α^4) = x^4 - α^3 x^3 + α^0 x^2 - α x + α^3 = α^3 + α x + α^0 x^2 + α^3 x^3 + x^4 (in characteristic 2, subtraction is the same as addition).
Next divide α x^4 + α^3 x^5 + α^5 x^6 by g(x) to find the remainder p(x) = α^0 + α^2 x + α^4 x^2 + α^6 x^3.
Now u(x) = α^0 + α^2 x + α^4 x^2 + α^6 x^3 + α x^4 + α^3 x^5 + α^5 x^6
Syndrome Computation
The syndrome is the result of a parity check performed on the received polynomial r(x) to determine whether r(x) is a valid codeword.
The syndromes are evaluations of the received polynomial r(x) at α, α^2, α^3, ..., α^(2t): S_i = r(α^i), i = 1, 2, ..., 2t.
If r(x) is a valid codeword then all the S_i evaluate to zero.
Any non-zero S_i indicates the presence of errors.

Error Polynomial
The errors introduced by the channel during transmission can be modeled as a polynomial e(x) over the field GF(2^m).
Hence r(x) = u(x) + e(x).
The problem of finding e(x) from r(x) (or from the syndromes) is decoding.

Properties of RS codes
Given any collection of k coefficients from the polynomial u(x), it is possible to construct the remaining coefficients of u(x).
If at most t of the coefficients of u(x) are incorrect, it is possible to reconstruct all the coefficients of u(x) correctly.
Polynomial multiplication/division using the FFT takes O(k log k), where k is the maximum of the degrees of the polynomials.
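An added example, not the slides' own code, of the encoding and syndrome machinery above over GF(2^3): the field is built from 1 + x + x^3 (assumed as the primitive polynomial, since the slides only name GF(2^3)), then the RS[7,3,5] generator polynomial, systematic encoding of the slides' message α + α^3 x + α^5 x^2, syndromes of a received word, and, as the one-error case of the syndrome form S_j = Y X^j, location and correction of a single corrupted symbol. All function names are my own.

```python
# Added example; GF(2^3) via the primitive polynomial 1 + x + x^3 (assumed).
# Field elements are ints 0..7 with bit i = coefficient of x^i; polynomials
# over the field are coefficient lists, lowest degree first.
EXP, LOG, a = [], [0] * 8, 1
for i in range(7):                      # alpha^0 .. alpha^6, alpha^7 = 1
    EXP.append(a); LOG[a] = i
    a = (a << 1) ^ (0b1011 if a & 0b100 else 0)   # times x, reduce x^3 = x + 1
def gf_mul(x, y): return 0 if 0 in (x, y) else EXP[(LOG[x] + LOG[y]) % 7]
def gf_inv(x): return EXP[-LOG[x] % 7]
def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            out[i + j] ^= gf_mul(pi, qj)
    return out
def poly_mod(p, g):                     # remainder of p divided by monic g
    r = list(p)
    for i in range(len(r) - len(g), -1, -1):
        c = r[i + len(g) - 1]           # leading coefficient to cancel
        if c:
            for j, gj in enumerate(g):
                r[i + j] ^= gf_mul(c, gj)
    return r[:len(g) - 1]
def poly_eval(p, x):                    # Horner's rule
    y = 0
    for c in reversed(p):
        y = gf_mul(y, x) ^ c
    return y
def generator(two_t):                   # g(x) = (x - alpha)...(x - alpha^2t)
    g = [1]
    for i in range(1, two_t + 1):
        g = poly_mul(g, [EXP[i], 1])    # minus is plus in characteristic 2
    return g
def rs_encode(msg, two_t):              # u(x) = x^2t m(x) mod g(x) + x^2t m(x)
    shifted = [0] * two_t + list(msg)
    return poly_mod(shifted, generator(two_t)) + list(msg)
def syndromes(r, two_t):                # S_i = r(alpha^i), i = 1..2t
    return [poly_eval(r, EXP[i]) for i in range(1, two_t + 1)]
def fix_single_error(received, two_t):  # nu = 1 case of S_j = Y X^j
    s = syndromes(received, two_t)
    if not any(s):
        return list(received)           # already a valid codeword
    X = gf_mul(s[1], gf_inv(s[0]))      # X = S_2 / S_1 = alpha^location
    fixed = list(received)
    fixed[LOG[X]] ^= gf_mul(s[0], gf_inv(X))   # Y = S_1 / X is the error value
    return fixed
```

With this field representation α^0..α^6 are 1, 2, 4, 3, 6, 7, 5, so the slides' message α, α^3, α^5 is `[2, 3, 7]` and `rs_encode([2, 3, 7], 4)` reproduces the parity α^0, α^2, α^4, α^6 from the RS[7,3,5] example.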
Structure of Syndrome
Error polynomial e(x) = e_0 + e_1 x + ... + e_n x^n
Suppose the received polynomial r(x) has errors at the locations i_1, i_2, ..., i_ν. The magnitudes of the errors at these locations are e_(i_l).
Then the syndromes can be written in the form S_j = e_(i_1) X_1^j + e_(i_2) X_2^j + ... + e_(i_ν) X_ν^j, j = 1, 2, ..., 2t
where X_l = α^(i_l).

Decoders for Reed Solomon Codes

Outline
Calculate syndromes
Find the error locator polynomial: Peterson-Gorenstein-Zierler decoder
Find error locations: Chien search
Find error values: Forney's algorithm

Generating Syndrome Polynomials
Finding S_j for j = 1 to 2t: a non-linear system!!

Error Locator Polynomial
Intuition: the roots of this polynomial are the inverses of the error locations, which helps to find the locations where an error has occurred.
Expanding Λ(x):

Using Error Locator Polynomial
For x = X_l^(-1) and for any 1 ≤ l ≤ ν:
Multiplying throughout by Y_l X_l^(j+ν):
Sum over l = 1 to t:
Equations (1) to (4) now form a system of linear equations.

Peterson-Gorenstein-Zierler Decoder (1960)
Solve for ν by finding the largest value of ν for which M is non-singular, starting from ν = t.
Overall this algorithm runs in time polynomial in t; 2t = n - k = O(n) (could also be O(1) for large n and k).
Use polynomial-time algorithms for matrix determinants and inversion.

Proof of correctness
For i > ν, Y_i X_i = 0, so the middle matrix is singular and hence M is singular.
Chien Search
Find the roots of the error locator polynomial Λ(x) by exhaustive search.
Evaluate Λ(α^i) for i = 1, 2, ..., 2t
Find all i where Λ(α^i) = 0; each such α^i is a root of Λ(x)
Error locations will also be of the form α^j; here α^j = (α^i)^(-1) and j = 2t - i.
If number of errors found is t, abort process.

Observations regarding Chien Search
Number of iterations = O(n): a linear-time algorithm.
Correctness of Chien search: view Λ(x) as a polynomial over a finite field.
Finding error values
Convert to matrix form: a Vandermonde matrix.

Forney's Algorithm
Defining the syndrome polynomial:
Defining the error evaluator polynomial:
where b is the degree of the smallest root of the generating function of the code.

Runtime for Forney's Algorithm
Computing the coefficients of Ω(x) takes ν^2/2 multiplications.
Computing each Y_i takes 2ν + 1 multiplications and one reciprocal.
Total computation time needed: 2.5ν^2 multiplications.
ν = O(n), so O(n^2) operations are needed: a polynomial-time algorithm.

Dial D for your message
r(x) = u(x) + e(x)
Decoding techniques help determine e(x) completely.
Hence u(x) = r(x) - e(x): the message sent is recovered.
We are done!!

Extras
Other, more efficient (implementation-wise) algorithms for decoding:
Berlekamp-Massey decoder (LFSR and iterative correction)
Euclidean algorithm (values and locations determined simultaneously using an iterative GCD of polynomials)
Decoders implemented as dedicated chips by manufacturers (hardware and software)

Thanks for your attention!!