Cryptography Fundamentals 5: GCD, Extended GCD and Base Generators
ASecuritySite Podcast - Een podcast door Professor Bill Buchanan OBE
Categorieën:
Cryptography Fundamentals 5: GCD, Extended GCD and Group Generators This podcast will outline a few building blocks of cryptography: GCD (Greatest common divisor), extended GCD and group generators. These you will find in many related cryptography papers, and any weaknesses in these can cause significant problems to the overall security of a method. Greatest common divisor— GCD A fairly simple concept that is used within public key encryption is the greatest common divisor (GCD). With this, we take two integer values and determine the largest factor that they are. Overall, every non-prime number is made up of the multiplication of prime numbers. For example: 32,128 = 2 x 2 x 2 x 2 x 2 x 2 x 2 x 251 36,281 = 7 x 71 x 73 So, the GCD of 56 and 42 is 14, as both of the values can be factorized into 4 x 14 and 3x14, respectively. https://asecuritysite.com/principles_pub/gcd Normally we use this function to find values which do not share a factor, as we will see when selecting the public exponent (e) in the RSA method. The method to determine the GCD is fairly simple, and where we take two values (a and b) and use the modulus operation to find the GCD: def gcd(a, b): while( b != 0 ): Remainder = a % b; a = b; b = Remainder; return a;g = gcd(679,99)print g A sample run shows that 679 and 99 do not share any factors: a:679, b:99, Remainder:85a:99, b:85, Remainder:14a:85, b:14, Remainder:1a:14, b:1, Remainder:0Return value:1 Web: https://asecuritysite.com/encryption/gcd Extended GCD GCD is the greatest common divisor. For two integers (x and y), the extended GCD method solves ax+by=v for a and b, and where v=gcd(x,y). One example of using the Extended GCD method is to determine the modulo inverse of a value (the inverse value of n (mod p) so that: n⋅n^{−1}=1 (mod p) ). 30a+20b=gcd(30,20). Soln: a=1, b=−1. Try! 35a+15b=gcd(35,15) . Soln: a=1, b=−2. Try! Group generator In reading about cryptography, have you ever come across the term of a cyclic group G of order p and with a generator g? With a discrete log mapping, we map x to Y with Y=g^x (mod p) where we have a generator value (g) and a prime number p. The challenge is that even though we know Y, g and p, it is extremely difficult to determine the x value if we use a large prime number. But can we use any value of g, and should it be as large as possible? The answer to both of these questions is no. If we select a prime number of 11, and then select g values of 2, 3, 4 …10, and then calculate the results we get [spreadsheet]: Now look at g=2 and p=11, for 2¹ (mod 11) we get 2, 2² (mod 11) we get 4, 2³ (mod 11) we get 8, and so on. As we see {1,2,3,4,5,6,7,8,9,10} gives {2,4,8,5,10,9,7,3,6,1}, and where all the input values give a 1-to-1 mapping to another value in the group. But if we try g=3 and p=11, we get x=1 gives 3, and for x=6 also gives 3. The mapping is now {1,2,3,4,5,6,7,8,9,10} to {3,9,5,4,1,3,9,5,4,1}, and so we are not using the full range, and where there would be a confusing for mapping back to our original value. But, in order to demonstrate the principle, I have done this in a long-handed way, so how do I find out all the possible values of G for a given prime number (p)? Well, here’s a nice simple method in Python that I created to test up to p): import sysdef issafe(g,p): exp=1 rand=g next = rand % p while (next != 1 ): next = (next*rand) % p exp = exp+1 if (exp==p-1): return True else: return Falsep=11g=4if (len(sys.argv)>1): p=int(sys.argv[1])if (len(sys.argv)>2): g=int(sys.argv[2])print ("Is g={0} safe for p={1}? {2}".format(g,p,issafe(g,p)))print ("x\tg^x\tg^x (mod p)")for x in range(0,10): print ("{0}\t{1}\t{2}".format(x,pow(g,x),pow(g,x,p))) A sample run with an unsafe value is: Is g=3 safe for p=13? Falsex g^x g^x (mod p)0 1 11 3 32 9 93 27 14 81 35 243 96 729 17 2187 38 6561 99 19683 1 and where the only output value is 1, 3 and 9. For a safe value, we get: Is g=3 safe for p=17? Truex g^x g^x (mod p)0 1 11 3 32 9 93 27 104 81 135 243 56 729 157 2187 118 6561 169 19683 14 So, how does this work in practice? Well, rather than picking the prime number and then finding a g value which will work, we typically pick the g value we want, such as for g=2, g=3 or g=5, and then find a prime number of a given size to work with that value. This will slow down the process, as we might have to pick a few prime numbers before we find one that will work. An example command in OpenSSL to generate the Diffie-Hellman parameters for g=3 and a 512-bit prime number is: openssl dhparam -text -3 512DH Parameters: (512 bit) P: 00:ff:1a:a6:fd:94:1b:55:8c:03:e0:ba:91:d5:e3: 23:40:6a:8e:49:a1:d4:d9:dd:68:3f:10:3d:ff:a7: a6:8e:2f:9f:f9:3f:4d:dc:3d:54:71:e0:aa:65:dc: 24:03:42:73:39:db:d6:02:a6:dc:bd:ac:49:12:a8: dc:d0:57:d9:bf G: 3 (0x3) https://asecuritysite.com/openssl/dh