CS6750: Cryptography and Communica7on Security

Transcription

1 CS6750: Cryptography and Communica7on Security Class 6: Simple Number Theory Dr. Erik- Oliver Blass

2 Plan 1. Role of number theory in cryptography 2. Classical problems in computa7onal number theory 3. Finite groups 4. Cyclic groups, discrete log 5. Euler s φ func7on, group isomorphism, product of groups 6. Chinese Remainder Theorem, groups Z N *, and QR N, where N=pq 7. Ellip7c curves

3 Number theory in cryptography advantages 1. security can (in principle) be based on famous mathema4cal conjectures, 2. the construc7ons have a mathema4cal structure, this allows us to create more advanced construc7ons (public key encryp4on, digital signature schemes, and many others...). 3. the construc7ons have a natural security parameter: size (hence they can be scaled ). Addi4onal advantage a prac4cal applica4on of an area that was never believed to be prac4cal... (wonderful argument for all theore7cians!) 3

4 Number theory in cryptography - disadvantages 1. cryptography based on number theory is much less efficient! 2. the number- theore7c structure may help the cryptoanalyst... 4

5 Number theory as a source of hard problems In this lecture, we will look at some basic number- theore4c problems, iden7fying those that may be useful in cryptography. 5

6 Plan 1. Role of number theory in cryptography 2. Classical problems in computa7onal number theory 3. Finite groups 4. Cyclic groups, discrete log 5. Euler s φ func7on, group isomorphism, product of groups 6. Chinese Remainder Theorem, groups Z N *, and QR N, where N=pq 7. Ellip7c curves

7 Famous algorithmic problems in number theory primality tes4ng: input: a є N output: yes if a is a prime, no otherwise this problem is computa4onally easy input: a є N output: factors of a factoring: this problem is believed to be computa4onally hard, if a is a product of two long random primes p and q, of equal length. 7

8 Primality tes7ng x the number that we want to test Sieve of Eratosthenes (ca. 240 BC): takes x steps, which is exponen7al in x = log 2 x Miller- Rabin test (late 1970s) is probabilis4c: if x is prime, it always outputs yes if x is composite, it outputs yes with probability at most ¼. Discuss later Probability is taken only over the internal randomness of the algorithm, so we can iterate! The error goes to zero exponen4ally fast. This algorithm is fast and prac4cal! Determinis4c algorithm of Agrawal, Saxena and Kayal (2002) polynomial, but very inefficient in prac4ce 8

9 Primality tes7ng x the number that we want to test Sieve of Eratosthenes (ca. 240 BC): takes x steps, which is exponen7al in x = log 2 x Miller- Rabin test (late 1970s) is probabilis4c: if x is prime, it always outputs yes if x is composite, it outputs yes with probability at most ¼. Discuss later Probability is taken only over the internal randomness of the algorithm, so we can iterate! The error goes to zero exponen4ally fast. This algorithm is fast and prac4cal! Determinis4c algorithm of Agrawal, Saxena and Kayal (2002) polynomial, but very inefficient in prac4ce 9

10 Primality tes7ng x the number that we want to test Sieve of Eratosthenes (ca. 240 BC): takes x steps, which is exponen7al in x = log 2 x Miller- Rabin test (late 1970s) is probabilis4c: if x is prime, it always outputs yes if x is composite, it outputs yes with probability at most ¼. Discuss later Probability is taken only over the internal randomness of the algorithm, so we can iterate! The error goes to zero exponen4ally fast. This algorithm is fast and prac4cal! Determinis4c algorithm of Agrawal, Kayal and Saxena (2002) polynomial, but very inefficient in prac4ce 10

11 How to select a random prime of length n? Select a random number x and test if it is prime. Prime Number Theorem Let π(n) := number of x s with x {1,...,n}, and x is prime Then lim π(n) n n /ln(n) =1 π(n) n ln(n) For example: if n = , then π(n) Hence, the set of primes is dense. Probability P that a random number is prime: P= π(n) n= à P 0.14% n = 1 ln(n)

12 Factoring is believed to be hard! Factoring assump4on. Take random primes p and q of length n. Set N = pq. No polynomial- 7me algorithm that is given N can find p and q with a non- negligible probability. Factoring is a subject of very intensive research. Currently, N =2048 is believed to be a safe choice. 12

13 So, we have a one- way func7on! f(p,q) = pq is one- way. (assuming the factoring assump7on holds). Using theore7cal results (PRGs), this is enough to construct secure encryp7on schemes. It turns out that we can do much beker: based on number theory, we can construct efficient schemes, that have some very nice addi4onal proper4es (public key cryptography!) But how to do it? We need to some more maths... 13

14 Nota7on Suppose a and b are integers, such that a 0 a b: a divides b, or a is a divisor of b, or a is a factor of b (if a 1 then a is a non- trivial factor of b) gcd(a,b) = the greatest common divisor of a and b If gcd(a,b) = 1, then we say that a and b are co- prime ( rela4vely prime ). 14

15 How to compute gcd(a,b)? Recursion: (assume a b 0) Euclidean algorithm gcd(a,b) = if b a, then return b else return gcd(b, a mod b) It can be shown that this algorithm is correct (induc7on), it terminates in polynomial number of steps. 15

16 compu7ng gcd(185,40): Example a b a mod b this is the result

17 Bézout s iden4ty Claim Let a and b be posi7ve integers. There always exist integers X and Y such that Xa + Yb = gcd (a,b) X and Y can be computed using the extended Euclidian algorithm. 17

18 Example of Extended Euclidian Algorithm compu7ng X and Y such that X Y 40 = 5 a = 185 b = 40 X = - 3 Y = 14 a b a mod b = = = 10 5 = 15 ( ) = 5 5 = = 40 2 ( ) 3 = = 25 + ( ) 2 = = =

19 Plan 1. Role of number theory in cryptography 2. Classical problems in computa7onal number theory 3. Finite groups 4. Cyclic groups, discrete log 5. Euler s φ func7on, group isomorphism, product of groups 6. Chinese Remainder Theorem, groups Z N *, and QR N, where N=pq 7. Ellip7c curves

20 Groups A group is a set G along with a binary opera7on such that [closure] for all g,h є G we have g h є G, there exists an iden4ty e є G, such that for all g є G we have e g = g e = g, for every g є G there exists an inverse, that is an element h such that g h = h g = e, [associa4vity] for all g,h,k є G we have g (h k) = (g h) k [commuta4vity] for all g,h є G we have g h = h g order of G = G. if this holds, the group is called abelian 20

21 Addi7ve/mul7plica7ve nota7on Conven4on: [addi4ve nota4on] If the groups opera7on is denoted with +, then: the inverse of g is denoted with - g, the neutral element is denoted with 0, g g (n 7mes) is denoted with ng. [mul4plica4ve nota4on] If the groups opera7on is denoted with, then: some7mes we write gh instead of g h, the inverse of g is denoted with g - 1 or 1/g. the neutral element is denoted with 1, g... g (n 7mes) is denoted with g n (g - 1 ) n is denoted with g - n. Scalar (integer) mul7plica7on Exponen7a7on with integer 21

22 Subgroups A group G is a subgroup of H if G is a subset of H, the group opera7on is the same as in H 22

23 Examples of groups R (reals) is not a group under mul7plica7on. Z (integers): is a group under addi4on (iden7ty element: 0), is not a group under mul4plica4on. Z N = {0,...,N- 1} (integers modulo N) is a group under addi4on modulo N (iden7ty element: 0) If p is a prime, then Z p * = {1,...,p- 1} is a group under mul4plica4on modulo p (iden7ty element: 1) (we will discuss it later) 23

24 Z N is a group under addi4on. Is it also a group under mul4plica4on? No: 0 does not have an inverse. What about other elements of Z N? Only: 1,5,7,11 have an inverse! Why? Because they are co- prime to 12. Example N = 12. Mul7plica7on Table

25 Observa4on/Claim If gcd(a,n) > 1, then for every integer b we have ab mod n 1. Proof Assume (contradic7on!) that ab mod n = 1. Hence, we have: ab = nk + 1 ab - nk = 1 Since gcd(a,n) divides both ab and nk, it also divides ab nk. Thus, gcd(a,n)>1 has to divide 1(= ab nk). Contradic7on. 25

26 Z N * Define Z N * = {a є Z N : gcd(a,n) = 1}. Claim: Then Z N * is an abelian group under mul4plica4on modulo N. Proof First, observe that Z N * is closed under mul4plica4on modulo N. This is because if a,b are co- prime to N, then ab is also co- prime to N. Associa4vity and commuta4vity are trivial. 1 is the iden7ty element. It remains to show that for every a є Z N * there always exist an b є Z N * that is an inverse of a modulo N. We say that b is an inverse of a modulo N, if: a b = 1 mod N 26

27 Lemma Suppose that gcd(a,n) = 1. Then, for every a є Z N * there always exist an element X є Z such that X a = 1 mod N. Proof Since gcd(a,n) = 1, there always exist integers X and Y such that Xa + YN = gcd(a,n) = 1. Therefore: Xa = 1 (mod N). Observa4on Such an X can be efficiently computed (using the extended Euclidian algorithm). 27

28 One more step to show! X (from the previous lemma) can be such that X Z N * What to do? define b := X mod N. We need to show that a b = 1 mod N

29 If b := X mod N then b = X + tn So a b = a (X + tn) = ax + atn = 1 (mod N) Remember that X is such that ax mod N = 1. Hence we are done!

30 An (important) example p a prime Z p * = {1,...,p- 1}. Z p * is an abelian group under mul7plica7on modulo p. 30

31 A simple observa7on For every a,b,c є G. If ac = bc then a = b. Proof ac = bc (ac) c - 1 = (bc) c - 1 a (cc - 1 )= b (cc - 1 ) a 1 = b 1 a = b 31

32 Corollary In every group G and for every element g Є G, the func7on f g : G G f g (x) = x g is a bijec7on. (or, in other words, a permuta4on on G). Why? (See previous proof!) Example: Z 11 * x f(x) f 5 (x) = 5 x mod 11 Composing permuta7ons results in cycles. Let s look now at the cycles that contain 1!

33 Example: f 5 (x) = 5 x mod = 20 = 9 (mod 11) 9 5 = 45 = 1 (mod 11) = 25 = 3 (mod 11) = 15 = 4 (mod 11) 1 5 = 5 (mod 11) 4 3

34 Example: f 10 (x) = 10 x mod

35 Example: f 2 (x) = 2 x mod

36 Order of an element Defini4on An order of g (denoted g ) is the smallest integer i > 0 such that g i = 1. Of course i G g = 5 order: g = 10 order: g = 2 order:

37 G:=Z 11 * m := G = 10 Observa7on g = 5 g = 10 g = Observe: in these examples g m = 1 the order of g divides the order of the group G. we will now show that it s not a coincidence

38 Lemma G an abelian group, m := G, g є G. Then g m = 1. Proof Suppose G = {g 1,...,g m }. Observe that from associa7vity and commuta7vity Hence g m = 1. g 1... g m = (g g 1 )... (g g m ) = g m (g 1... g m ) these are the same elements (permuted), because the func7on f(x) = g x is a permuta7on 38

39 Observa7on G an abelian group, m := G, g є G, i є N. Then g i = g i mod m. Proof Let i = qm + r, r=i mod m, where q is some integer ( 0). We have g i = g qm + r = (g m ) q g r = 1 q g r = g r 39

40 Another way to look at it: m order of the group g m g m+1 g m+2 g m- 1 g 0 g 1 g 2 g m+3 g 3 = 1 g 4 g 5 g 6 g 7

41 Z 11 *: Which orders are possible? For Z 11 *: 1,2,5,10 What do they have in common? 1 9 g = 5 order: g = 10 order: They are the divisors of group order 10 = Z 11 * g = 2 order: g = 1 order: 1 1

42 Subgroups generated by elements Defini4on G a group, g є G, i order of g g := {g 0,g 1,...,g i- 1 } g is a subgroup of G generated by g. g 6 g i- 1 g 0 g 1 g 3 g 2 Why? because: 1. it is closed under mul7plica7on g a g b = ga+b mod i 2. the inverse of every g a exists, and it is equal to g i- a g 5 g 4 Because: g i- a g a = g i = 1

43 Lemma G a group of order m. Suppose, some g є G has order i. Then i m. Proof... 43

44 This is the situa7on, if i m. = g (t+1)i mod m by our previous lemma g 4 g 0 g i 1= g 2i g 3i g 4i

45 What happens otherwise? Suppose i does not divide m. = g (t+1)i mod m by our previous lemma g 4 g 0 g (t+1)i g i So g (t+1)i mod m = 1 1= g 2i g 3i But: 0 < (t+1)i mod m < i g 4i Contradic7on with the assump7on that i is the order of g.

46 Plan 1. Role of number theory in cryptography 2. Classical problems in computa7onal number theory 3. Finite groups 4. Cyclic groups, discrete log 5. Euler s φ func7on, product of groups 6. Chinese Remainder Theorem, groups Z N *, and QR N, where N=pq 7. Ellip7c curves

47 Cyclic groups If there exists g such that g = G, then we say that G is cyclic. Such a g is called a generator of G. 47

48 Example 1 is a generator of Z

49 Example 2 is not a generator of Z

50 Observa4on/Claim Every group G of a prime order p is cyclic. Every element g of G, except the iden7ty, is a generator. Proof The order of g has to divide p. So, the only possible orders of g are 1 or p. Only iden7ty has order 1, so all the other elements have order p. 50

51 Another (related) fact Theorem If p is prime, then Z * p is cyclic. We leave it without a proof. We verified that claim is true for p=11 and p= Z 11 * generator g = Z 7 * generator g =

52 Of course: Not every element of is a generator. For example: Z p * has order 2 because (p- 1) ε Z p * (p- 1) 2 = p 2 + 2p + 1 = 1 (mod p)

53 Example of a group that is not cyclic Z 15 *: a The maximal order is 4...

54 How to compute g x for large x? Use the square- and- mul4ply method Example: How to compute g x with x = 429? x in binary compute by squaring g from right to len g 256 g 128 g 64 g 32 g 16 g 8 g 4 g 2 g 1 g 256 g 128 g 32 g 8 g 4 g 1 mul4ply g 256 g 128 g 32 g 8 g 4 g 1 equals to g x 54

55 What about the other direc7on = logarithms? (g a generator) In many groups, inver7ng is hard! f(x) = g x

56 Discrete logarithms Suppose G is cyclic, and g is its generator. For every element y, there exists x such that y = g x Such a x will be called a discrete logarithm of y, and it is denoted as x := log y. In some groups, compu7ng a discrete log is believed to be hard. Informally speaking: f: {0,..., G - 1} G defined as f(x) = g x is believed to be a one- way func4on (in some groups). 56

57 Hardness of the discrete log In Z p * (where p is prime), it is believed to be hard. There exist also other groups, where it is believed to be hard (e.g., based on Ellip4c curves). Of course: if P = NP, then compu7ng discrete log is easy. 57

58 How to define formally the discrete log assump7on We need a defini7on for any security parameter n. Therefore we need an algorithm H that on input n outputs a group : a descrip7on of a cyclic group G of order q, such that q = n, a generator g of G.

59 Example H on input n: outputs a descrip7on for a group Z p * random prime p of length n bits a generator of Z p *

60 The discrete log assump7on For every adversary A, consider the following experiment: n Adversary A output: x with y=g x (G, g, y) Let (G, g) be the output of H(n). Select random y G. We say that a discrete logarithm problem is hard with respect to H, if A Prob. poly- 7me adversary A P(A outputs x such that g x = y)=ε(n) (negligible in n)

61 One way func7on This looks almost the same as saying that f(x) = g x is a one- way func7on. The only difference is that the func7on f depends on the group G that was chosen randomly. We could formalize it, by defining: one- way func7on families

62 A problem f: {0,...,p - 1} Z p * defined as f(x) = g x is believed to be a one- way func4on (informally speaking), but from f(x) one can compute the parity of x. We now show how to do it. 62

63 Quadra7c Residues Defini4on a is a quadra4c residue modulo p, if there exists b such that a = b 2 mod p QR p a set of quadra7c residues modulo p QR p is a subgroup of Z p * Quadra7c Non Residues QNR p := Z p* \ QR p Why? because: 1 є QR if a,a є QR then aa є QR If a є QR, then a - 1 є QR What is the size/order of QR p? 63

64 Example: QR 11 Z 11* : 1 2 f(x) = x 2 Observe: (p x) 2 = p 2-2px + x 2 = x 2 mod p 3 4 QR 11 : Lemma. QR p = Z p* / 2 = (p - 1) / 2 64

65 A proof that QR p = (p - 1) / 2 Claim Let g be a generator of Z p*. Then QR p ={g 2,g 4,...,g p- 1 exponents are even numbers }. Proof Every element x Є Z p * is equal to g i for some i. Hence: x 2 = g 2i mod (p- 1) = g j, where j is even. 65

66 Example: QR 11 = {1,4,5,9,3}!! 1 =1,10!! 3 = 5, !! 4 = 2,9 7 8!! 9 = 3, !! 5 = 4,7

67 Is it easy to test, whether a є QR p? Yes! Observa4on/Claim a є QR p if and only if a (p- 1)/2 = 1 (mod p) Proof ( ) If a є QR p, then a = g 2i. Hence a (p- 1)/2 = (g 2i ) (p- 1)/2 = Remember: Z* p = p- 1 g i(p- 1) = 1. 67

68 a (p- 1)/2 = 1 (mod p) à a є QR p ( ) Suppose a is not a quadra4c residue. Then a = g 2i+1. Hence a (p- 1)/2 = (g 2i+1 ) (p- 1)/2 = g i(p- 1) g (p- 1)/2 = g (p- 1)/2 Why? which cannot be equal to 1 since g is a generator. 68

69 Example Z 11 * (p- 1)/2=(11 1)/2 = is f(x) = x 5 = 1? another way to look at it: Not a coincidence: 1 1 (x (p- 1)/2 ) 2 = 1 implies that x (p- 1)/2 =±

70 Back to our problem g a generator of Z p * f: {0,...,p - 1} Z p * defined as f(x) = g x is a one- way func7on, but from f(x) one can compute the parity of x (by checking if f(x) Є QR)... For some applica7ons this is not good. (but some7mes people do not care) 70

71 How to mi7gate? Instead of working in Z p*, work in its subgroup: QR p How to find a generator of QR p? Choose p that is a safe prime ( strong ), that is: p = 2q + 1, with q prime. Hence QR p has prime order q. Remember: Every element (except of 1) of a group of prime order is its generator! Therefore: every element of QR p is a generator. Nice... 71

72 Example 11 is a safe prime (because 5 is a prime) Z * 11 QR

73 Given x є QR p, can we compute square roots modulo a prime p? Yes! We show it only for p = 3 (mod 4) (for p = 1 (mod 4) this fact also holds, but the algorithm and the proof are too complex). How to compute square root of x in real numbers? One method: compute x ½ Problem ½ doesn t make sense in Z p *...

74 Write p = 4m + 3. Claim: x = x m+1 Proof: (x m+1 ) 2 = x 2(m+1) Hence: order of QR p is equal to (p- 1)/2 = (4m+2)/2 = 2m + 1 x 2m+1 is equal to 1 because of this = x 2m+1+1 = x 2m+1 x 1 = x 1

75 Plan 1. Role of number theory in cryptography 2. Classical problems in computa7onal number theory 3. Finite groups 4. Cyclic groups, discrete log 5. Euler s φ func7on 6. Chinese Remainder Theorem, groups Z N *, and QR N, where N=pq

76 Euler s φ func7on Define φ(n) = Z N* = {a є Z N : gcd(a,n) = 1}. Euler s theorem: For every a є Z N*, we have a φ(n) = 1 mod N. (trivially follows from the fact that, for every g є G, we have g G = 1). Special case ( Fermat's likle theorem ) For every prime p and every a є {1,...,p- 1}, we have a p- 1 = 1 mod p. 76

77 Plan 1. Role of number theory in cryptography 2. Classical problems in computa7onal number theory 3. Finite groups 4. Cyclic groups, discrete log 5. Euler s φ func7on 6. Chinese Remainder Theorem, groups Z N *, and QR N, where N=pq

78 A cross product of groups ( direct product ) (G, ) and (H, ) groups Define a group (G H, ) as follows: the elements of G H are pairs (g,h), where g є G, and h є H. (g,h) (g,h ) = (g g, h h ). It is easy to verify that it is a group. 78

79 Chinese Remainder Theorem (CRT) Let N = pq, where p and q are two dis4nct primes. Define: f(x) := (x mod p, x mod q) Chinese Remainder Theorem (CRT): f is an isomorphism between 1. Z N and Z p Z q 2. Z N * and Z p * Z q * To prove, it we need to show that f is a homomorphism. between Z N and Z p Z q, and between Z N * and Z p * Z q *. f is a bijec4on: between Z N and Z p Z q, and between Z N * and Z p * Z q *. 79

80 f is a homomorphism Proof: f: Z N Z p Z q is an homomorphism f(a + b) = (a + b mod p, a + b mod q) = (((a mod p) + (b mod p)) mod p, ((a mod q) + (b mod q)) mod q) = (a mod p, a mod q) + (b mod p, b mod q) = f(a) + f(b) 80

81 f is a homomorphism Proof: f: Z N * Z p * Z q * is an homomorphism f(a b) = (a b mod p, a b mod q) = (((a mod p) (b mod p)) mod p, ((a mod q) (b mod q)) mod q) = (a mod p, a mod q) (b mod p, b mod q) = f(a) f(b) 81

82 CRT f(x): an example Z 15 : i i mod 5 i mod i mod i mod

83 If p and q are dis7nct primes, then f : Z N Z p Z q is a bijec7on f(x) := (x mod p, x mod q) Proof: We first show that it is injec7ve. If f(i) = f(j), then because p and q are dis7nct primes i mod p = j mod p p divides i- j and i mod q = j mod q q divides i- j N=pq divides i- j i- j=0 mod N à i = j mod N Since Z N = N = pq = Z p Z q à surjec7ve, and we are done! 83

84 f : Z N * Z p* Z q* is also a bijec7on Since we have shown that f is injec7ve, it is enough to show that Z N* = Z p* Z q* = (p- 1)(q- 1)? Look at Z 15 : Z 5 * Z 3 * Z 15 *

85 N = pq Which elements of Z N are not in Z N *? 0 mul7ples of p: {p,...,(q- 1)p} (there are q- 1 of them) mul7ples of q: {q,...,(p- 1)q} (there are p- 1 of them). These sets are disjoint since p and q are dis7nct prime Summing it up: 1 + (q - 1) + (p - 1) = q + p - 1 = pq - p - q + 1 = (p - 1)(q - 1) So, Z N * has pq - (q + p - 1) elements. Remember this for later! 85

86 How does it look for large p and q? Z N mod p mod q Z N * pq is called RSA modulus Z N * is called an RSA group p q 86

87 Fact (f(x) := (x mod p, x mod q)) f is easy to compute (this is trivial) f - 1 is also easy to compute

88 The inverse of f(x) := (x mod p, x mod q) Let X := p - 1 mod q Y := q - 1 mod p Then g(y 1,y 2 ) := ( p y 2 X + q y 1 Y ) mod pq is the inverse of f. Example p=3, q=5 X := 3-1 mod 5 = 2 Y := 2-1 mod 3 = 2 Then g(y 1,y 2 ) := (10 y y 2 ) mod 15 is the inverse of f(x) = (x mod 3, x mod 5). y 2 = x mod y 1 = x mod

89 More general version of CRT p 1,..., p n such that for every i and j we have gcd(p i,p j )=1 Define f(x) := (x mod p 1,..., x mod p n ) Let M = p 1,...,p n Then f is an isomorphism f : Z M Z p 1... Z pn and f : Z M * Z p 1 *... Z pn * Moreover f and f - 1 can be computed efficiently.

90 Why is it called Chinese theorem Ancient Chinese were using it to calculate the number of soldiers. Suppose we have a group of n soldiers. We know that n < 30 but we don t know n. Let 30 = f(x) = (x mod 2, x mod 3, x mod 5)

91 Example

92 n mod 2 = 1

93 n mod 3 = 1

94 n mod 5 = 3

95 Therefore mod 2 mod 3 mod 5 f - 1 (1,1,3) = 13 Answer: n = 13

96 How to compute φ(n), where N = pq? Of course: if p and q are known, then it is easy to compute φ(n), since φ(n) = (p- 1)(q- 1). Hence, compu7ng φ(n) cannot be more difficult than factoring. Claim Compu7ng φ(n) is as difficult as factoring N. 96

97 Compu7ng φ(n) is as hard as factoring N. Suppose: we can compute φ(n). We know that (p-1)(q-1) = φ(n) pq = N (1) (2) It is a system of 2 equa7ons with 2 unknowns (p and q). We can solve it: (2) (1) p = N/q (N/q - 1)(q - 1) = φ(n) it is a quadra7c equa7on, so we can solve it (in R) q 2 + (φ(n) N 1)q + N = 970

98 Which problems are easy and which are hard in Z N * (N = pq)? mul4plying elements? easy! finding inverse? easy! (Euclidean algorithm) compu4ng φ(n)? hard! - as hard as factoring N raising an element to power e (for a large e)? easy! compu4ng eth root (for a large e)? 98

99 Compu7ng e th root easy or hard? Suppose gcd(e, φ(n)) = 1 We can show that the func7on f(x) = x e mod N (defined over Z N *) has an inverse, namely: f - 1 (y) = y d mod N, where d is the inverse of e in Z φ(n) * In other words: e Є Z φ(n) * (note: a new group!) Moral: If we know φ(n), we can compute roots efficiently. What if we do not know φ(n)?

100 Can we compute the eth root, if we do not know φ(n)? It is conjectured to be hard. This conjecture is called the RSA assump4on. More precisely: RSA assump4on For all probabilis7c polynomial 7me algorithm A, we have: P(x e = y mod N : x := A(y, N, e))=ε( N ) where N = pq with p and q random primes and p = q, y is a random element of Z N *, and e is random element of Z φ(n) *.

101 Ques7on Does the RSA assump4on follow from the assump7on that factoring is hard? We don t know... What can be shown is that compu4ng d from e is not easier than factoring N.

102 f(x) = x e easy Z * N easy (if you know p,q) Z * N believed to be hard (otherwise) Remember: Func7ons like this are called trap- door one- way permuta4ons. f is called RSA func4on. 102

103 Some context N a product of two large primes factoring N is hard P NP compu7ng eth roots in Z N * is hard compu7ng φ(n) hard compu7ng d from e is hard

104 Square roots modulo N=pq So, far we discussed a problem of compu7ng the eth root modulo N. What about the special case with e = 2? Strange: As gcd(2, φ(n)) 1, 2 does not have an inverse in Z φ(n) *. Ques4on Which elements have a square root modulo N?

105 Quadra4c Residues modulo pq Z 15 *: and not p! a a QR(15): 1 4 Observa4on: every quadra7c residue modulo 15 has exactly 4 square roots, and hence QR(15) = Z 15 * / 4.

106 A lemma about QRs modulo pq Claim: For N=pq, we have QR(N) = Z N * / 4. Proof: x є QR(N) iff x = a 2 mod N, for some a iff (by CRT) x = a 2 mod p and x = a 2 mod q iff x mod p є QR(p) and x mod q є QR(q) Z N *: QR(p) mod p QR(q) mod q QR(n)

107 QRs modulo pq an example Z 15 : 1 2 mod mod 5 QR(5) mod mod QR(3) mod mod QR(15) Z 15 *

108 Every z є QR N has exactly 4 square roots More precisely, every z=x 2 has the square roots x ++ and x +-,x - +,x - - such that: x ++ = x (mod p) and x ++ = x (mod q) x +- = x (mod p) and x +- = - x (mod q) x - + = - x (mod p) and x - + = x (mod q) x - - = - x (mod p) and x - - = - x (mod q) equals to x equals to - x

109 Jacobi Symbol + 1 if x Є for any prime p define J QR p p (x) := - 1 otherwise for N=pq define J N (x) := J p (x) J q (x) QR(p) mod p J N (x) := QR(q) mod q QR(N) It is a subgroup of Z N * Z N + := {x : J n (x) = +1} Jacobi symbol can be computed efficiently! (even if p and q are unknown)

110 Algorithmic ques7ons about QR Suppose N=pq Is it easy to test membership in QR(N)? Fact: if one knows p and q yes! Because: 1. tes7ng membership modulo a prime is easy 2. the CRT func7on f(x) := (x mod p, x mod q) can be efficiently computed in both direc7ons What if one does not know p and q?

111 Quadra7c Residuosity Assump7on Z N *: QR(p) QNR(p) a є Z N +? QR(q) QR(n) QNR(q) Quadra4c Residuosity Assump4on (QRA): For a random a є Z N+, it is computa4onally hard to determine whether a є QR(N). Formally: for every polynomial- 4me probabilis7c algorithm D the value: P(D(N, a) = Q(N, a)) 0.5 =ε( N ) Q(N,a) = 1 if a Є QR(N) Q(N,a) = 0 otherwise

112 Conclusion Groups that we have seen: Z p * hard problem: discrete log Z N * for N=pq hard problem: compu4ng the eth root subgroups: QR p and QR N

113 End of Class

114 Other interes7ng groups mul7plica7ve groups of a field GF(2 p ), groups based on the ellip4c curves advantage: much smaller key size in prac7ve

115 Plan 1. Role of number theory in cryptography 2. Classical problems in computa7onal number theory 3. Finite groups 4. Cyclic groups, discrete log 5. Euler s φ func7on, group isomorphism, product of groups 6. Chinese Remainder Theorem, groups Z N *, and QR N, where N=pq 7. Ellip7c curves

116 Ellip7c curves over the reals Let a,b R be two numbers such that 4a b 2 0 A non- singular ellip4c curve is a set E of solu7ons (x,y) R 2 to the equa7on y 2 = x 3 + ax + b together with a special point O called the point at infinity.

117 Infinity (any parallel to y- axis!) Example y 2 = 4x 3-4x + 4

118 An abelian group over an ellip7c curve E ellip7c curve (E,+) a group neutral element: O. P inverse of P = (x,y): P = (x,- y). - P

119 Addi7on Suppose P,Q E \ {O} where P=(x 1,y 1 ) and Q=(x 2,y 2 ). Consider the following cases: 1. x 1 x 2 2. x 1 = x 2 and y 1 = - y 2 3. x 1 = x 2 and y 1 = y 2

120 Case 1: x 1 x 2 P=(x 1,y 1 ) and Q=(x 2,y 2 ) L line through P and Q Q.. R L Fact L intersects E in exactly one point R = (x 3,y 3 ). where:. P P + Q = - R. x 3 = λ 2 - x 1 - x 2 y 3 = λ(x 1 - x 3 ) - y 1 and λ = (y 2 - y 1 )/(x 2 - x 1 )

121 Case 2: x 1 = x 2 and y 1 = - y 2 P=(x 1,y 1 ) and Q=(x 2,y 2 ) P + Q = O. P. Q

122 Case 3: P=(x 1,y 1 ) and Q=(x 2,y 2 ) x 1 = x 2 and y 1 = y 2 L line tangent to E at point R P=Q.. R Fact L intersects E in exactly one point R = (x 3,y 3 ). where: P + Q = - R. x 3 = λ 2 - x 1 - x 2 y 3 = λ(x 1 - x 3 ) - y 1 and λ = (3x 1 2 y 2 + a)/(2y 1 )

123 How to prove that this is a group? Easy to see: addi7on is closed on the set E addi7on is commuta7ve O is an iden7ty every point has an inverse What remains is associa4vity (exercise).

124 How to use these groups in cryptography? Instead of the reals use some finite field. For example Z p, where p is prime. All the formulas remain the same!

125 p +1 2 p E p p Hasse s Theorem Let E be an ellip7c curve defined over Z p where p > 3 is prime.

126 How to use the ellip7c curves in (E,+) - ellip7c curve cryptography? Some7mes (E,+) is cyclic or it contains a large cyclic group (E,+). There are examples of such (E,+) or (E,+) where the discrete- log problem is believed to be computa7onally hard!