Cryptography. Lecture 8. Arpita Patra
|
|
- Jacob Watkins
- 5 years ago
- Views:
Transcription
1 Crytograhy Lecture 8 Arita Patra
2 Quick Recall and Today s Roadma >> Hash Functions- stands in between ublic and rivate key world >> Key Agreement >> Assumtions in Finite Cyclic grous - DL, CDH, DDH Grous Finite grous Finite cyclic grous Finite Cyclic grous of rime orders (secial advantages)
3 Division for Modular Arithmetic q If b is invertible modulo N (i.e. b -1 exists) then division by b modulo N is defined as: def [a/b mod N] = [ab -1 mod N] Ø If ab = cb mod N and if b is invertible then a = c mod N v Dividing each side by b (which actually means multilying both sides by b -1 ) q Which integers b are invertible modulo a given modulus N? Proosition: Given integers b and N, with b 1 and N > 1, then b is invertible modulo N if and only if gcd(b, N) = 1 (i.e. b & N are relatively rime). Proof (<=): Inverse finding algorithm (if the number is invertible) --- Extended Euclid (GCD) algorithm Ø Given any b, N, the Extended Euclid algorithm oututs X and Y such that bx + NY = gcd(b, N) Ø If gcd(b, N) = 1 then above equation imlies that bx + NY = 1 Ø Taking mod N both sides gives bx = 1 mod N b -1 = [X mod N]
4 Algorithms for Modular Arithmetic q --- set of integers modulo N: {0, 1,, N - 1} N q Let N = n --- number of bits to reresent N : n = Θ(log N) q Let a, b --- each reresented by at most n bits N Theorem: Given integers N > 1, a and b, it is ossible to erform the following oerations in oly time in a, b and n: >> a mod N >> a+b mod N, a-b mod N, ab mod N >> Determining if a -1 mod N exists (if it exists) >> a -1 mod N (if it exists) >> a b mod N >> Choosing a random element of N
5 Grou Definition(Grou): A grou is a set G along with a binary oeration o satisfying the following axioms : Ø Closure : for every g, h G, the value g o h G Ø Associativity: for every g 1, g 2, g 3 G, (g 1 o g 2 ) o g 3 = g 1 o (g 2 o g 3 ) Ø Existence of Identity Element: there exists an identity element e G, such that for all g G v (e o g) = g = (g o e) Ø Existence of Inverse: for every g G, there exists an element h G, such that v (g o h) = e = (h o g) Definition (Order of a Grou:) If G has finite number of elements, then G denotes the number of elements in G and is called the order of G Definition(Abelian Grou:) If G satisfies the following additional roerty then it is called a commutative (Abelien) grou: For every g, h G, (g o h) = (h o g) Proosition: There exists only one identity element in a grou. Every element in a grou has a unique inverse
6 Grou Theory q The set of integers Z is an abelian grou with resect to the addition oeration (+) Ø Closure and associativity holds Ø The integer 0 is the identity element --- for every integer x, 0 + x = x = x + 0 Ø For every integer x, there exists an integer x, such that x + (-x) = 0 = (-x) + x Ø For any two integers x, y, we have x + y = y + x --- commutativity We are interested only in Finite grous
7 Finite Grous q Finite grous using modular arithmetic. q Define Z N = {0, 1,, N-1} and the oeration + in Z N as Ø Closure, commutative and associativity holds --- trivial to verify def a + b = (a + b) mod N, for every a, b N Ø 0 Z N is the identity element --- for every a Z N, (a + 0) mod N = (0 + a) mod N = a Ø Element (N - a) is additive inverse of a modulo N u Inverse of a will be (N - a) N --- (a + N - a ) mod N = (N - a + a) mod N = 0 q The set Z N = {0, 1,, N-1} is a grou with resect to addition modulo N def q Define oeration in Z N as a b = (ab) mod N, for every a, b N Ø The identity element is 1 as for every a Ø Will every element have an inverse? N, we have (a. 1) = (1. a) = (a mod N) = a u Element 0 will have no inverse --- a Z N such that (a0 mod N) = 1 u Element a will have an inverse if and only if gcd(a, N) = 1 Ø So N is not a grou with resect to multilication modulo N Ø Can we construct a set from which will be a grou with resect to multilication modulo N? N
8 Finite Grous q Let Z N = {b: {1,, N-1} gcd(b, N) = 1). Then Z N is a grou with resect to multilication modulo N Ø The set Z N is the set of integers relatively rime to N Ø Element 1 is the identity element. Every element is invertible. Associativity holds. Ø Is closed with resect to multilication mod N? --- given a, b, will [ab mod N] N N N Ø Claim: gcd(n, [ab mod N]) = element [ab mod N] has multilicative inverse [b -1 a -1 mod N]
9 Grou Exonentiation in Grous q Exonentiation: alying same oeration on the same element a number of times in a grou (G, o) Using Multilication Notation: Ø g m def = g o g o o g (m times) Ø g -m def = (g -1 o g -1 o o g -1 ) (m times) Ø g 0 def = e, the grou identity element Using Addition Notation: def Ø mg = def Ø -mg = def Ø 0g = g o g o o g (m times) (-g + -g + + -g) (m times) e, the grou identity element
10 Grou Order and Identity Element Theorem: Let (G, o) be a grou of order m, with identity element e. Then for every element g G: g o g o o g = e m times I.e. Any grou element comosed with itself m times results in the identity element Proof: Let G = {g 1,, g m } --- for simlicity assume G to be an Abelian grou Let g be an arbitrary element of G Ø Claim: elements (g o g 1 ), (g o g 2 ),, (g o g m ) are all distinct v On contrary if for distinct g i, g j, we have (g o g i ) = (g o g j ) (g -1 o g o g i ) = (g -1 o g o g j ) g i = g j Ø Thus {(g o g 1 ), (g o g 2 ),, (g o g m )} = G Ø So g 1 o g 2 o o g m = (g o g 1 ) o (g o g 2 ) o o (g o g m ) -- (both side we have all the elements of G) = (g o g o o g) o (g 1 o g 2 o o g m ) - (by associative and commutative roerty) e = (g o g o o g) o e -- (multily by (g 1 o g 2 o o g m ) -1 both sides) e = (g o g o o g) -- (a o e = a)
11 Order of Imortant Finite Grous N = {b: {1,, N-1} gcd(b, N) = 1). It is a grou with resect to multilication modulo N ϕ(n) = order of the above grou q N is a rime number, say Ø = {1, 2,, -1} --- every number from 1 to -1 is relatively rime to q N =.q, where and q are rimes Ø N = (-1)(q-1) --- follows from the rincile of mutual inclusion-exclusion Ø Which numbers in {1, 2,, N-1} are not relatively rime to N? v Numbers which are divisible by --- q-1 such numbers v Numbers which are divisible by q such numbers v Numbers which are divisible by both and q such number Ø How many numbers in {1, 2,, N-1} are not relatively rime to N? q - 2 Ø How many numbers in {1, 2,, N-1} are relatively rime to N? --- N -1 - q + 2 = (-1)(q-1)
12 Grou Order and Identity Element Theorem: Let (G, o) be a grou of order m, with identity element e. Then for every element g G: g o g o o g = e m times I.e. Any grou element comosed with itself m times results in the identity element q Imlications of the above theorem in the multilicative grou Ø Take any arbitrary N > 1 and any a. Then: N N v [[[[[a. a mod N]. a mod N]. a mod N]. a mod N].. a mod N] = [a ϕ(n) mod N] = 1 ϕ(n) times Ø If N is a rime number, say, then for any a {1, 2,, -1}, we have : Ø [a -1 mod ] = 1 Ø If N is a comosite number,.q, then for any a we have : Ø [a ( -1)(q-1) mod N] = 1
13 Subgrou of a Grou & Cyclic Grou q Let (G, o) be a grou q Let H G G Definition (Subgrou): If (H, o) is also a grou, then H is called a subgrou of G w.r.t oeration o H q Every grou (G, o) has two trivial subgrous: Ø The grou (G, o) itself and the grou (e, o) Ø A grou may/may not have subgrous other than trivial subgrous q Given a finite grou (G, o) of order m and an arbitrary element g G, define <g> = {g 0, g 1,, } --- elements generated by different non-negative owers of g Ø The sequence is finite as g m = 1 and g 0 is also 1 Ø Let i m be the smallest ositive integer such that g i = 1. Then: <g> = {g 0, g 1,, g i-1 } --- as g i = 1, after which the sequence starts reeating Proosition: (<g>, o) is a subgrou of (G, o) of order i Definition (Order of an element): Smallest ositive integer i such that g i = 1 Definition (Generator): If g has order m, then <g> = G --- then g is called a generator of G and G is called a cyclic grou generated by g
14 Examles q Consider (, mod 7) --- it is a grou with resect to multilication modulo 7 7 Ø Does 2 belong to the grou? --- Yes, as gcd(2, 7) = 1; 2 is relatively rime to 7 Ø What is <2>? --- <2> = {2 0 mod 7, 2 1 mod 7, 2 2 mod 7} = {1, 2, 4} Ø Is (<2>, mod 7) a subgrou of (, mod 7)? ü Closure ü Associativity ü Identity ü Inverse v 1-1 = 1, 2-1 = 4, 4-1 = 2 Ø Does 3 belong to the grou? --- Yes, as gcd(3, 7) = 1; 3 is relatively rime to 7 Ø What is <3>? --- <3> = {3 0 mod 7, 3 1 mod 7, 3 2 mod 7, 3 3 mod 7, 3 4 mod 7, 3 5 mod 7, 3 6 mod 7 } = {1, 3, 2, 6, 4, 5} = the original grou Ø 2 does not generate the entire grou Ø 3 generates the entire grou is a generator
15 Imortant Finite Cyclic Grous Theorem: The grou (, mod ) is a cyclic grou of order 1. v Every element need not be a generator v Ex: (, mod 7) is a cyclic grou with generator 3 7 o Element 2 is not a generator for this grou --- <2> = {1, 2, 4}
16 Useful Proositions on Order of a Grou Element q Let (G, o) be a grou of order m and let g G such that g has order i (1 i m) --- g i = e Proosition: For any integer x, we have g x = g [x mod i] x times g x = (g o g o g) o (g o g o o g) o o (g o g o o g) i times i times x mod i times e o e o o g [x mod i] = g [x mod i] Proosition: For any integer x, y, we have g x = g y if and only if x = y mod i; i.e. [x mod i] = [y mod i] Proof: If [x mod i] = [y mod i], then from the revious claim g x = g y If g x = g y -> g x-y = g x-y mod i = 1 -> x - y mod i =0 Proosition: The order of g divides the order of G --- i divides m Proof: Element g has order i g i = e v For any g, we have g m = e v So g m = g i [m mod i] = [i mod i] [m mod i] = 0 The last claim has several interesting imlications
17 Finite Cyclic Grous of Prime Order Corollary: If (G, o) is a grou of rime order then G is cyclic and all elements of G, excet the identity element will be generators of G v Any arbitrary element g G aart from the identity element will have order --- the only ositive numbers which divides a rime are 1 and v Ex: consider the grou ( 1, 2, 3, 4, 5 and 6 7, + mod 7) --- cyclic grou, with identity element 1 and generators Instances of Cyclic grous of rime order?? Theorem: The grou (, mod ) is a cyclic grou of order 1. We can construct cyclic grous of rime order from the above grou when has a secific format
18 Prime-order Cyclic Subgrou of Definition (Safe Primes): Prime numbers in the format = 2q+1 where q is also a rime. Ø Examle (5, 11), (11, 23), several such airs Definition (Quadratic Residue Modulo ): Call y a quadratic residue modulo if there exists an x, with y = x 2 mod. x is called square-root of y modulo Theorem: The set of quadratic residues modulo is a cyclic subgrou of of order q. I.e. Q = {x 2 mod x }, then (Q, mod ) is a cyclic subgrou of (, mod ) of order q Proof: Ste I: To show that (Q, mod ) is a subgrou of (, mod ) Ste II: Show that (Q, mod ) is of order q
19 Prime-order Cyclic Subgrou of Theorem: The set of quadratic residues modulo is a cyclic subgrou of of order q. I.e. Q = {x 2 mod x }, then (Q, mod ) is a cyclic subgrou of (, mod ) of order q Proof: Ste I: To show that (Q, mod ) is a subgrou of (, mod ) Ø Closure: (Q, mod ) satisfies the closure roerty v Given arbitrary y 1, y 2 Q, show that (y 1 y 2 ) mod Q o y 1 Q y 1 = x 2 1 mod, for some x 1 o y 2 Q y 2 = x 2 2 mod, for some x 2 o o (y 1 y 2 ) mod = (x 1 x 2 ) 2 mod = (x 3 ) 2 mod, where x 3 = (x 1 x 2 ) So (y 1 y 2 ) mod Q
20 Prime-order Cyclic Subgrou of Theorem: The set of quadratic residues modulo is a cyclic subgrou of of order q. I.e. Q = {x 2 mod x }, then (Q, mod ) is a cyclic subgrou of (, mod ) of order q Proof: Ste I: To show that (Q, mod ) is a subgrou of (, mod ) Ø Closure: (Q, mod ) satisfies the closure roerty Ø Associativity: trivial to verify that given arbitrary y 1, y 2, y 3 Q, we have (y 1 y 2 ) y 3 mod = y 1 (y 2 y 3 ) mod Ø Identity: The element 1 will be resent in Q, which will be the identity element for Q 1 = 1 2 mod Ø Inverse: Show that every element y Q has a multilicative inverse y -1 Q, with (y y -1 mod ) = 1 y Q y = (x 2 mod ), for some x What can you say about z = (x -1 ) 2 mod? o x x -1, which imlies that z Q o From the above we get that (y z mod ) = 1
21 Prime-order Cyclic Subgrou of Theorem: The set of quadratic residues modulo is a cyclic subgrou of of order q. I.e. Q = {x 2 mod x }, then (Q, mod ) is a cyclic subgrou of (, mod ) of order q Proof: Ste I: To show that (Q, mod ) is a subgrou of (, mod ) Ste II: Show that (Q, mod ) is of order q Ø We will show that f: Q is a 2-to-1 function --- exactly 2 elements have the same image = ( -1), the above will imly that Q = ( - 1)/2 = q Ø Let g be a generator of --- = {g 0, g 1,, g -2 } Ø Consider an arbitrary element g i in Ø Claim: there exists only one more element g j in and its corresonding image (g i ) 2 mod in Q, with (g i ) 2 mod = (g j ) 2 mod v If (g i ) 2 mod = (g j ) 2 mod [2i mod -1] = [2j mod -1] ( - 1) divides (2i 2j) q (i - j) v The above imlies that for a fixed i {0,, -2}, there is only 1 ossible j, namely (i + q) mod -1 o (i + 2q) mod ( 1) = i
22 Generalization For Prime numbers in the format = rq+1 where q is also a rime. Theorem: The set of rth residues modulo is a cyclic subgrou of of order q. I.e. Q = {x r mod x }, then (Q, mod ) is a cyclic subgrou of (, mod ) of order q
23 Easy Problems in Finite Cyclic Grous (of Prime Order) 1. Generating Cyclic Grous / Cyclic Grous of Prime Order >> How to samle a rime number of n bits / how to samle rimes of secific format (safe rimes) (Miller-Rabin, Agrawal-Kayal-Saxena) >> Finding a generator >> Given generator, how to generate an element of the grou (requires exonentiation) 2. Samling an uniform random grou element Cyclic Grou Prime Order Cyclic Grou Q = {x r mod x } There exists a generator Grou order (-1) is not a rime. Every exonent may not have multilicative inverse modulo (-1) If grou order (-1) has small rime factors, there exists no-trivial algo to break the hard roblems that we discuss next Every element excet the identity element is a generator Grou order q. Every exonent have multilicative inverse modulo q and easy to comute The attacks does not work here
24 Discrete Logarithm q Let (G, o) be a cyclic grou of order q (with q = n bits) and with generator g Ø {g 0, g 1, g 2,, g q-1 } = G --- g has order q as it is the generator Ø Given any element h G, it can be exressed as some ower of g v a unique x q = {0, 1,, q-1}, such that h = g x v x is called the discrete log of h with resect to g --- exressed as log g h q Discrete log follows certain rules of standard logarithms Ø log g e = 0 Ø log g h r = [r log g h mod q] Ø log g [h 1 o h 2 ] = [(log g h 1 + log g h 2 ) mod q]
25 Discrete Logarithm Problem q How difficult is it to comute the DLog of a random grou element? For certain grous, there exists no better algorithm than the inefficient brute-force Modeled as a challenge-resonse exeriment: DLog A, G (n) (G, o, g, q) outut by an grou gen algo PPT A y Find log g y [y R G] DLog solver for G x Exeriment outut Challenger 1, if g x = y 0, otherwise q DLog roblem is hard relative to the grou G, if for every PPT algorithm A, there exists a negligible function negl(), such that: Pr[DLog A, G (n) = 1] negl() q DLog Assumtion: there exists some grou G, relative to which DLog roblem is hard Ø We have seen will see such candidates earlier
26 Comutational Diffie-Hellman (CDH) Problem q Given a cyclic grou (G, o) of order q and a generator g for G. q The CDH roblem for the grou (G, o) is to comute g x. y for random grou elements g x, g y Modeled as a challenge-resonse exeriment: CDH A, G (n) (G, o, g, q) PPT A g x, g y x, y R CDH solver for G g z Exeriment outut Challenger q 1, if g x. y = g z 0, otherwise CDH roblem is hard relative to the grou G, if for every PPT algorithm A: Pr[CDH A, G (n) = 1] negl()
27 Relation between CDH and DLog Problems q Given a cyclic grou (G, o) of order q and a generator g for G: Hardness of CDH? Hardness of DLog q If CDH is hard in (G, o) then DLog is hard in (G, o). g x, g y R G g x (g y ) x x q Algorithm A CDH PPT Algorithm A DLog q Advantage of same as q If DLog is hard in (G, o) then CDH is hard in (G, o)? --- nothing is known q CDH (hardness) is a stronger assumtion than DLog (hardness) assumtion Ø CDH might be solved even without being able to solve the DLog roblem
28 Decisional Diffie-Hellman (DDH) Problem q The DDH roblem for the grou (G, o) is to distinguish g x. y from a random grou element g z, if g x, g y are random DDH roblem is hard relative to (G, o) if for every PPT algorithm A: Pr[A(G, o, q, g, g x, g y, g xy ) = 1] - Pr[A(G, o, q, g, g x, g y, g z ) = 1] negl() Probability over uniform choice of x and y Probability over uniform choice of x, y and z q Claim: If DDH is hard relative to (G, o) then CDH is also hard relative to (G, o) Ø If CDH can be solved, then given g x and g y, comute g xy and comare it with the third element q Nothing is known regarding the converse --- DDH is a stronger assumtion than CDH Ø DDH might be solved even without being able to solve CDH
29 Crytograhic Assumtions in Cyclic Grous DDH CDH DL Cyclic Grous of Prime Order is best choice. >> DL is harder in this grou comared to cyclic grou (Pohlig-Hellman Algo) >> DDH can be broken in cyclic grou but believed to hold good it its rime order subgrou 6 th Chalk and Talk toic Attacks on Discrete Log Assumtions- (i) Pohlig-Hellman Algorithm (ii) Shanks Baby-ste/Giant-ste algorithm (iii) Discrete Logs from Collisions
30 Diffie-Hellman Key-Exchange Protocol Idea illustration through colors Common colors (ublicly known) + + Secret colors = = Public exchange Assume mixture searation is exensive + + Original secret colors = = Common secret color
31 Diffie-Hellman Key-Exchange Protocol Actual Protocol (G, o) is a cyclic grou of order q with generator g ((G, o), g, q) Common arameters colors (ublicly (ublicly known) known) ((G, o), g, q) + + x q Secret colors exonents y q = = h S := g x h R := gy Public exchange Assume mixture comuting searation x, y from h R := g y is g x, exensive g y is exensive h S := g x + + x Original secret colors exonents y = = k:= (h R ) x = g xy Common Common secret key color k:= (h S ) y = g xy
32 Key-Exchange Protocol: Security k Protocol transcrit k q Given an arbitrary key-exchange rotocol, whose execution is monitored by a PPT eavesdroer Ø What security roerty we demand from such a rotocol? v Otion I: the outut key k should remain hidden from the eavesdroer v Otion II: the outut key k should remain indistinguishable for the eavesdroer from a uniformly random key from the key-sace Ø We actually want to have otion II v If we want the key to be used as the secret-key for some higher level rimitive
33 Key-Exchange Protocol: Security Exeriment Key-exchange rotocol Π k Protocol transcrit k Should not be able to distinguish k from a random element in eav Exeriment KE (n) k A, Π trans k PPT attacker A trans k, if b = 0 k R, if b = 1 I can break Π b {0, 1} q Exeriment outut is 1 if and only if b = b eav Pr q Π is a secure KE rotocol if: KE A, Π (n) = 1 Let me verify ½ + negl(n) Runs an instance of Π in mind simulating the role of S, R
34 Diffie-Hellman Key-Exchange Protocol: Security h S = g x, where x q h R = g y, where y q k = (h S ) x = g xy Protocol transcrit k = (h R ) y = g xy h S = g x Should not be able to distinguish k = g xy from a random element g z in G q Same as the DDH roblem h R = g y eav k = (h Exeriment KE (n) S ) x k = (h R ) y A, DH PPT attacker A I can break Π h S = g x, h R = g y g xy, if b = 0 g z R G, if b = 1 b {0, 1} Let me verify Runs an instance of DH in mind simulating the role of S, R q What is the robability that the outut of the exeriment is 1? Ø Same with which A can distinguish g xy from a random grou element g z
35 Uniform Grou Elements vs Uniform Random Strings q DH key-exchange rotocol enables the arties to agree on a (seudo)random grou element g xy q In reality, the arties would like to agree on (seudo)random bit string which can be used as a secret-key for higher level rimitive, such as PRF, MAC, etc q Required: a method of deriving (seudo)random bit strings from (seudo)random grou elements Ø Potential solution (used in ractice) v Use the binary reresentation of the grou element g xy as the required key v Claim: the resultant bit-string will be (seudo)random if the grou element is (seudo)random Ø The above claim need not be true --- dangerous solution Ø Ex: consider the rime-order q A suitable grou key-derivation (, mod function ), where (KDF) = 2q+1 is is a safe rime alied to g xy Ø Subgrou (Q, mod ), where Q = {x 2 to derive seudorandom key mod x } --- order of Q is q Ø Tyically KDFs are based on hash functions v In ractice, the DH rotocol is executed over (Q, mod ) v The agreed key g xy Ø Details out of scoe of this course is a (seudo)random element of Q --- g is a generator of Q, x, y v Number of bits to reresent elements of Q = Number of bits to reresent elements of o But Q does not contain all ossible bit-strings of length log --- Q = q 2 log 2 / 2 q o So binary reresentation of the agreed key does not corresond to a random log 2 -bit string
36 Active Attacks Against DH Key-Exchange Protocol q DH key-exchange rotocol assumes a assive attacker --- only listens the conversation q In reality, the attacker may be malicious/active --- can change information, inject its own messages, etc q Two tyes of active attacks against DH key-exchange rotocol Ø Imersonation attack : c Enc k (m) k = g xy DH key-exchange rotocol k = g xy m:= Dec k (c) k = g xy
37 Active Attacks Against DH Key-Exchange Protocol q DH key-exchange rotocol assumes a assive attacker --- only listens the conversation q In reality, the attacker may be malicious/active --- can change information, inject its own messages, etc q Two tyes of active attacks against DH key-exchange rotocol Ø Imersonation attack : Ø Man-in-the-middle attack : h S = g x Comlete control h S = g x 1 h R = g y 1 h R = g y x q k S = (h R ) x = g xy 1 x 1 q k R = (h R ) x 1 = g x 1 y y q k R = (h S ) y = g x 1 y y 1 q k S = (h S ) y 1 = g xy 1 k S k R q In ractice, robust mechanisms are used in the DH key-exchange rotocol to deal with the man-in-themiddle attack --- ex: TLS rotocol
38 The Public-key Revolution q In their seminal aer on the key-exchange, Diffie-Hellman also roosed the notion of ublic-key crytograhy (asymmetric-key crytograhy) Public domain m c m Enc Dec k sk
39 Public-key Cryto vs Private-key Cryto Private-Key Cryto Public-Key Cryto - Key distribution has to be done ariori. - In multi-sender scenario, a receiver need to hold one secret key er sender - Well-suited for closed organization (university, rivate comany, military). Does not work for oen environment (Internet Merchant) + Very fast comutation. Efficient Communication. Only way to do cryto in resource-constrained devices such as mobile, RFID, ATM cards etc + only those who shares a key can send a message + Key distribution can be done over ublic channel!! + One receiver can setu a single ublic-key/ secret key and all the senders can use the same ublic key + Better suited for oen environment (Internet) where two arties have not met ersonally but still want to communicate securely (Internet merchant & Customer) - Orders of magnitude slower than Private-key. Heavy even for deskto comuters while handling many oerations at the same time - Anyone can send message including unintended ersons - Relies on the fact that there is a way to correctly send the ublic key to the senders (can be ensured if the arties share some rior info or there is a trusted arty) q Diffie and Hellman could not come u with a concrete construction; though a ublic-key encrytion scheme was hidden in their key-exchange rotocol q Crytograhy sread to masses just due to advent of ublic-key crytograhy
40
CDH/DDH-Based Encryption. K&L Sections , 11.4.
CDH/DDH-Based Encrytion K&L Sections 8.3.1-8.3.3, 11.4. 1 Cyclic grous A finite grou G of order q is cyclic if it has an element g of q. { 0 1 2 q 1} In this case, G = g = g, g, g,, g ; G is said to be
More informationCS 6260 Some number theory. Groups
Let Z = {..., 2, 1, 0, 1, 2,...} denote the set of integers. Let Z+ = {1, 2,...} denote the set of ositive integers and = {0, 1, 2,...} the set of non-negative integers. If a, are integers with > 0 then
More informationElliptic Curves and Cryptography
Ellitic Curves and Crytograhy Background in Ellitic Curves We'll now turn to the fascinating theory of ellitic curves. For simlicity, we'll restrict our discussion to ellitic curves over Z, where is a
More informationCryptanalysis of Pseudorandom Generators
CSE 206A: Lattice Algorithms and Alications Fall 2017 Crytanalysis of Pseudorandom Generators Instructor: Daniele Micciancio UCSD CSE As a motivating alication for the study of lattice in crytograhy we
More informationCryptography Assignment 3
Crytograhy Assignment Michael Orlov orlovm@cs.bgu.ac.il) Yanik Gleyzer yanik@cs.bgu.ac.il) Aril 9, 00 Abstract Solution for Assignment. The terms in this assignment are used as defined in [1]. In some
More informationIntroduction to Cryptology. Lecture 20
Introduction to Cryptology Lecture 20 Announcements HW9 due today HW10 posted, due on Thursday 4/30 HW7, HW8 grades are now up on Canvas. Agenda More Number Theory! Our focus today will be on computational
More informationTanja Lange Technische Universiteit Eindhoven
Crytanalysis Course Part I Tanja Lange Technische Universiteit Eindhoven 28 Nov 2016 with some slides by Daniel J. Bernstein Main goal of this course: We are the attackers. We want to break ECC and RSA.
More informationA Public-Key Cryptosystem Based on Lucas Sequences
Palestine Journal of Mathematics Vol. 1(2) (2012), 148 152 Palestine Polytechnic University-PPU 2012 A Public-Key Crytosystem Based on Lucas Sequences Lhoussain El Fadil Communicated by Ayman Badawi MSC2010
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 8 Markus Bläser, Saarland University Weak factoring experiment The weak factoring experiment 1. Choose two n-bit integers x 1, x 2 uniformly.
More informationCSC 5930/9010 Modern Cryptography: Number Theory
CSC 5930/9010 Modern Cryptography: Number Theory Professor Henry Carter Fall 2018 Recap Hash functions map arbitrary-length strings to fixedlength outputs Cryptographic hashes should be collision-resistant
More informationImproved Hidden Vector Encryption with Short Ciphertexts and Tokens
Imroved Hidden Vector Encrytion with Short Cihertexts and Tokens Kwangsu Lee Dong Hoon Lee Abstract Hidden vector encrytion HVE) is a articular kind of redicate encrytion that is an imortant crytograhic
More information1. Introduction. 2. Background of elliptic curve group. Identity-based Digital Signature Scheme Without Bilinear Pairings
Identity-based Digital Signature Scheme Without Bilinear Pairings He Debiao, Chen Jianhua, Hu Jin School of Mathematics Statistics, Wuhan niversity, Wuhan, Hubei, China, 43007 Abstract: Many identity-based
More informationMath 4400/6400 Homework #8 solutions. 1. Let P be an odd integer (not necessarily prime). Show that modulo 2,
MATH 4400 roblems. Math 4400/6400 Homework # solutions 1. Let P be an odd integer not necessarily rime. Show that modulo, { P 1 0 if P 1, 7 mod, 1 if P 3, mod. Proof. Suose that P 1 mod. Then we can write
More informationPublic Key Cryptosystems RSA
Public Key Crytosystems RSA 57 17 Receiver Sender 41 19 and rime 53 Attacker 47 Public Key Crytosystems RSA Comute numbers n = * 2337 323 57 17 Receiver Sender 41 19 and rime 53 Attacker 2491 47 Public
More informationANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM
ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM JOHN BINDER Abstract. In this aer, we rove Dirichlet s theorem that, given any air h, k with h, k) =, there are infinitely many rime numbers congruent to
More informationA Modified Menezes-Vanstone Elliptic Curve Multi-Keys Cryptosystem
A Modified Menezes-Vanstone Ellitic Curve Multi-Keys Crytosystem By K.H. Rahouma Electrical Technology Deartment Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com
More informationIntroduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016
Introduction to Modern Cryptography Recitation 3 Orit Moskovich Tel Aviv University November 16, 2016 The group: Z N Let N 2 be an integer The set Z N = a 1,, N 1 gcd a, N = 1 with respect to multiplication
More informationAdvanced Cryptography Midterm Exam
Advanced Crytograhy Midterm Exam Solution Serge Vaudenay 17.4.2012 duration: 3h00 any document is allowed a ocket calculator is allowed communication devices are not allowed the exam invigilators will
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationRandomness Extraction in finite fields F p
Randomness Extraction in finite fields F n Abdoul Aziz Ciss École doctorale de Mathématiques et d Informatique, Université Cheikh Anta Dio de Dakar, Sénégal BP: 5005, Dakar Fann abdoul.ciss@ucad.edu.sn,
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationBilinear Entropy Expansion from the Decisional Linear Assumption
Bilinear Entroy Exansion from the Decisional Linear Assumtion Lucas Kowalczyk Columbia University luke@cs.columbia.edu Allison Bisho Lewko Columbia University alewko@cs.columbia.edu Abstract We develo
More informationA CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS. 1. Abstract
A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS CASEY BRUCK 1. Abstract The goal of this aer is to rovide a concise way for undergraduate mathematics students to learn about how rime numbers behave
More informationGalois Fields, Linear Feedback Shift Registers and their Applications
Galois Fields, Linear Feedback Shift Registers and their Alications With 85 illustrations as well as numerous tables, diagrams and examles by Ulrich Jetzek ISBN (Book): 978-3-446-45140-7 ISBN (E-Book):
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationLecture 14: Hardness Assumptions
CSE 594 : Modern Cryptography 03/23/2017 Lecture 14: Hardness Assumptions Instructor: Omkant Pandey Scribe: Hyungjoon Koo, Parkavi Sundaresan 1 Modular Arithmetic Let N and R be set of natural and real
More information.4. Congruences. We say that a is congruent to b modulo N i.e. a b mod N i N divides a b or equivalently i a%n = b%n. So a is congruent modulo N to an
. Modular arithmetic.. Divisibility. Given ositive numbers a; b, if a 6= 0 we can write b = aq + r for aroriate integers q; r such that 0 r a. The number r is the remainder. We say that a divides b (or
More informationSQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)
SQUARES I Z/Z We study squares in the ring Z/Z from a theoretical and comutational oint of view. We resent two related crytograhic schemes. 1. SQUARES I Z/Z Consider for eamle the rime = 13. Write the
More informationElementary Analysis in Q p
Elementary Analysis in Q Hannah Hutter, May Szedlák, Phili Wirth November 17, 2011 This reort follows very closely the book of Svetlana Katok 1. 1 Sequences and Series In this section we will see some
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationHotelling s Two- Sample T 2
Chater 600 Hotelling s Two- Samle T Introduction This module calculates ower for the Hotelling s two-grou, T-squared (T) test statistic. Hotelling s T is an extension of the univariate two-samle t-test
More information3 Properties of Dedekind domains
18.785 Number theory I Fall 2016 Lecture #3 09/15/2016 3 Proerties of Dedekind domains In the revious lecture we defined a Dedekind domain as a noetherian domain A that satisfies either of the following
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Efficient Crytosystems From k -th Power Residue Symbols Fabrice Benhamouda, Javier Herranz, Marc Joye 3, and Benoît Libert 4, ENS Paris, CNRS, INRIA, and PSL 45 rue d Ulm, 7530 Paris Cedex 06, France fabrice.benhamouda@ens.fr
More informationMAS 4203 Number Theory. M. Yotov
MAS 4203 Number Theory M. Yotov June 15, 2017 These Notes were comiled by the author with the intent to be used by his students as a main text for the course MAS 4203 Number Theory taught at the Deartment
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationMersenne and Fermat Numbers
NUMBER THEORY CHARLES LEYTEM Mersenne and Fermat Numbers CONTENTS 1. The Little Fermat theorem 2 2. Mersenne numbers 2 3. Fermat numbers 4 4. An IMO roblem 5 1 2 CHARLES LEYTEM 1. THE LITTLE FERMAT THEOREM
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationAlgebraic Number Theory
Algebraic Number Theory Joseh R. Mileti May 11, 2012 2 Contents 1 Introduction 5 1.1 Sums of Squares........................................... 5 1.2 Pythagorean Triles.........................................
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationPredicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products
Predicate Encrytion Suorting Disjunctions, Polynomial Equations, and Inner Products Jonathan Katz jkatz@cs.umd.edu Amit Sahai sahai@cs.ucla.edu Brent Waters bwaters@csl.sri.com Abstract Predicate encrytion
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Published in Journal of Crytology, 30(2:519 549, 2017. Efficient Crytosystems From 2 k -th Power Residue Symbols Fabrice Benhamouda 1, Javier Herranz 2, Marc Joye 3, and Benoît Libert 4, 1 ES Paris, CRS,
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationConversions among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Tradeoffs
Conversions among Several Classes of Predicate Encrytion and Alications to ABE with Various Comactness Tradeoffs Nuttaong Attraadung, Goichiro Hanaoka, and Shota Yamada National Institute of Advanced Industrial
More informationOutline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding
Outline EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Error detection using arity Hamming code for error detection/correction Linear Feedback Shift
More informationBy Evan Chen OTIS, Internal Use
Solutions Notes for DNY-NTCONSTRUCT Evan Chen January 17, 018 1 Solution Notes to TSTST 015/5 Let ϕ(n) denote the number of ositive integers less than n that are relatively rime to n. Prove that there
More informationCERIAS Tech Report The period of the Bell numbers modulo a prime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education
CERIAS Tech Reort 2010-01 The eriod of the Bell numbers modulo a rime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education and Research Information Assurance and Security Purdue University,
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationMATH342 Practice Exam
MATH342 Practice Exam This exam is intended to be in a similar style to the examination in May/June 2012. It is not imlied that all questions on the real examination will follow the content of the ractice
More informationPractice Final Solutions
Practice Final Solutions 1. True or false: (a) If a is a sum of three squares, and b is a sum of three squares, then so is ab. False: Consider a 14, b 2. (b) No number of the form 4 m (8n + 7) can be written
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationTests for Two Proportions in a Stratified Design (Cochran/Mantel-Haenszel Test)
Chater 225 Tests for Two Proortions in a Stratified Design (Cochran/Mantel-Haenszel Test) Introduction In a stratified design, the subects are selected from two or more strata which are formed from imortant
More informationMultiplicative group law on the folium of Descartes
Multilicative grou law on the folium of Descartes Steluţa Pricoie and Constantin Udrişte Abstract. The folium of Descartes is still studied and understood today. Not only did it rovide for the roof of
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationIntroduction to Arithmetic Geometry Fall 2013 Lecture #10 10/8/2013
18.782 Introduction to Arithmetic Geometry Fall 2013 Lecture #10 10/8/2013 In this lecture we lay the groundwork needed to rove the Hasse-Minkowski theorem for Q, which states that a quadratic form over
More informationNumber Theory Naoki Sato
Number Theory Naoki Sato 0 Preface This set of notes on number theory was originally written in 1995 for students at the IMO level. It covers the basic background material that an IMO
More informationQUANTUM INFORMATION DELAY SCHEME USING ORTHOGONAL PRODUCT STATES
0 th March 0. Vol. No. 00-0 JATIT & LLS. All rights reserved. ISSN: -86 www.jatit.org E-ISSN: 87- QUANTUM INFORMATION DELAY SCHEME USING ORTHOGONAL PRODUCT STATES XIAOYU LI, LIJU CHEN School of Information
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationTopics in Cryptography. Lecture 5: Basic Number Theory
Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating
More informationQUADRATIC RESIDUES AND DIFFERENCE SETS
QUADRATIC RESIDUES AND DIFFERENCE SETS VSEVOLOD F. LEV AND JACK SONN Abstract. It has been conjectured by Sárközy that with finitely many excetions, the set of quadratic residues modulo a rime cannot be
More informationAlmost 4000 years ago, Babylonians had discovered the following approximation to. x 2 dy 2 =1, (5.0.2)
Chater 5 Pell s Equation One of the earliest issues graled with in number theory is the fact that geometric quantities are often not rational. For instance, if we take a right triangle with two side lengths
More informationThe Arm Prime Factors Decomposition
The Arm Prime Factors Decomosition Arm Boris Nima arm.boris@gmail.com Abstract We introduce the Arm rime factors decomosition which is the equivalent of the Taylor formula for decomosition of integers
More information(Workshop on Harmonic Analysis on symmetric spaces I.S.I. Bangalore : 9th July 2004) B.Sury
Is e π 163 odd or even? (Worksho on Harmonic Analysis on symmetric saces I.S.I. Bangalore : 9th July 004) B.Sury e π 163 = 653741640768743.999999999999.... The object of this talk is to exlain this amazing
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationSums of independent random variables
3 Sums of indeendent random variables This lecture collects a number of estimates for sums of indeendent random variables with values in a Banach sace E. We concentrate on sums of the form N γ nx n, where
More information4. Score normalization technical details We now discuss the technical details of the score normalization method.
SMT SCORING SYSTEM This document describes the scoring system for the Stanford Math Tournament We begin by giving an overview of the changes to scoring and a non-technical descrition of the scoring rules
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationComputational Number Theory. Adam O Neill Based on
Computational Number Theory Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Secret Key Exchange - * Is Alice Ka Public Network Ka = KB O KB 0^1 Eve should have a hard time getting information
More information#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS
#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS Ramy F. Taki ElDin Physics and Engineering Mathematics Deartment, Faculty of Engineering, Ain Shams University, Cairo, Egyt
More informationON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS
#A13 INTEGERS 14 (014) ON THE LEAST SIGNIFICANT ADIC DIGITS OF CERTAIN LUCAS NUMBERS Tamás Lengyel Deartment of Mathematics, Occidental College, Los Angeles, California lengyel@oxy.edu Received: 6/13/13,
More informationCourse Business. Homework 3 Due Now. Homework 4 Released. Professor Blocki is travelling, but will be back next week
Course Business Homework 3 Due Now Homework 4 Released Professor Blocki is travelling, but will be back next week 1 Cryptography CS 555 Week 11: Discrete Log/DDH Applications of DDH Factoring Algorithms,
More informationA secure approach for embedding message text on an elliptic curve defined over prime fields, and building 'EC-RSA-ELGamal' Cryptographic System
International Journal of Comuter Science an Information Security (IJCSIS), Vol. 5, No. 6, June 7 A secure aroach for embeing message tet on an ellitic curve efine over rime fiels, an builing 'EC-RSA-ELGamal'
More informationLattice Attacks on the DGHV Homomorphic Encryption Scheme
Lattice Attacks on the DGHV Homomorhic Encrytion Scheme Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmanenitaj@unicaenfr
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationAN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES. 1. Introduction
J. Al. Math. & Comuting Vol. 20(2006), No. 1-2,. 485-489 AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES BYEONG-KWEON OH, KIL-CHAN HA AND JANGHEON OH Abstract. In this aer, we slightly
More informationNUMBER SYSTEMS. Number theory is the study of the integers. We denote the set of integers by Z:
NUMBER SYSTEMS Number theory is the study of the integers. We denote the set of integers by Z: Z = {..., 3, 2, 1, 0, 1, 2, 3,... }. The integers have two oerations defined on them, addition and multilication,
More informationGOOD MODELS FOR CUBIC SURFACES. 1. Introduction
GOOD MODELS FOR CUBIC SURFACES ANDREAS-STEPHAN ELSENHANS Abstract. This article describes an algorithm for finding a model of a hyersurface with small coefficients. It is shown that the aroach works in
More informationMAT 311 Solutions to Final Exam Practice
MAT 311 Solutions to Final Exam Practice Remark. If you are comfortable with all of the following roblems, you will be very well reared for the midterm. Some of the roblems below are more difficult than
More informationPOINTS ON CONICS MODULO p
POINTS ON CONICS MODULO TEAM 2: JONGMIN BAEK, ANAND DEOPURKAR, AND KATHERINE REDFIELD Abstract. We comute the number of integer oints on conics modulo, where is an odd rime. We extend our results to conics
More informationUnit 1 - Computer Arithmetic
FIXD-POINT (FX) ARITHMTIC Unit 1 - Comuter Arithmetic INTGR NUMBRS n bit number: b n 1 b n 2 b 0 Decimal Value Range of values UNSIGND n 1 SIGND D = b i 2 i D = 2 n 1 b n 1 + b i 2 i n 2 i=0 i=0 [0, 2
More informationCOMMUNICATION BETWEEN SHAREHOLDERS 1
COMMUNICATION BTWN SHARHOLDRS 1 A B. O A : A D Lemma B.1. U to µ Z r 2 σ2 Z + σ2 X 2r ω 2 an additive constant that does not deend on a or θ, the agents ayoffs can be written as: 2r rθa ω2 + θ µ Y rcov
More informationPractice Final Solutions
Practice Final Solutions 1. Find integers x and y such that 13x + 1y 1 SOLUTION: By the Euclidean algorithm: One can work backwards to obtain 1 1 13 + 2 13 6 2 + 1 1 13 6 2 13 6 (1 1 13) 7 13 6 1 Hence
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationCharacteristics of Fibonacci-type Sequences
Characteristics of Fibonacci-tye Sequences Yarden Blausa May 018 Abstract This aer resents an exloration of the Fibonacci sequence, as well as multi-nacci sequences and the Lucas sequence. We comare and
More informationThe Hasse Minkowski Theorem Lee Dicker University of Minnesota, REU Summer 2001
The Hasse Minkowski Theorem Lee Dicker University of Minnesota, REU Summer 2001 The Hasse-Minkowski Theorem rovides a characterization of the rational quadratic forms. What follows is a roof of the Hasse-Minkowski
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationVarious Proofs for the Decrease Monotonicity of the Schatten s Power Norm, Various Families of R n Norms and Some Open Problems
Int. J. Oen Problems Comt. Math., Vol. 3, No. 2, June 2010 ISSN 1998-6262; Coyright c ICSRS Publication, 2010 www.i-csrs.org Various Proofs for the Decrease Monotonicity of the Schatten s Power Norm, Various
More informationPretest (Optional) Use as an additional pacing tool to guide instruction. August 21
Trimester 1 Pretest (Otional) Use as an additional acing tool to guide instruction. August 21 Beyond the Basic Facts In Trimester 1, Grade 8 focus on multilication. Daily Unit 1: Rational vs. Irrational
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationAn Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security
An extended abstract of this aer aears in the Proceedings of the 35th Annual Crytology Conference (CRYPTO 2015), Part I, Rosario ennaro and Matthew Robshaw (Eds.), volume 9215 of Lecture Notes in Comuter
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationAlmost All Palindromes Are Composite
Almost All Palindromes Are Comosite William D Banks Det of Mathematics, University of Missouri Columbia, MO 65211, USA bbanks@mathmissouriedu Derrick N Hart Det of Mathematics, University of Missouri Columbia,
More informationMATH 361: NUMBER THEORY ELEVENTH LECTURE
MATH 361: NUMBER THEORY ELEVENTH LECTURE The subjects of this lecture are characters, Gauss sums, Jacobi sums, and counting formulas for olynomial equations over finite fields. 1. Definitions, Basic Proerties
More informationApproximating min-max k-clustering
Aroximating min-max k-clustering Asaf Levin July 24, 2007 Abstract We consider the roblems of set artitioning into k clusters with minimum total cost and minimum of the maximum cost of a cluster. The cost
More information