Introduction to Cryptography


Hong-Jian Lai
West Virginia University, Morgantown, WV
Version 2007, March 2, 2007

TABLE OF CONTENTS
I. Divisibility
II. Congruences
III. Numbers in Different Bases
IV. Encryption and Decryption, Classical Cryptosystems
V. Some Linear Algebra over $\mathbb{Z}_m$, Enciphering Matrices
VI. Public Key Cryptosystems
VII. The Primality Test and Factorization
VIII. RSA Algorithm
IX. Discrete Logarithm
X. Digital Signature
XI. Elliptic Curves
Appendix 1: Equivalence Relations
Appendix 2: Measure of Difficulty

1. Divisibility

1.1 Notation: Let $\mathbb{Z}$ denote the set of all integers and let $\mathbb{N}$ denote the set of all positive integers. For $a, b \in \mathbb{Z}$, write $a \mid b$ if $\exists\, d \in \mathbb{Z}$ such that $b = ad$; and we say $a$ is a divisor of $b$ and $b$ is a multiple of $a$. If $a$ is not a divisor of $b$, we write $a \nmid b$. If $1 < a < b$ and if $a \mid b$, then $a$ is a nontrivial divisor of $b$. An integer $p \in \mathbb{N}$ is a prime if $p > 1$ and $p$ has no nontrivial divisors. Note that 0 (zero) is not a divisor of any nonzero number and that 0 is a multiple of any integer. On the other hand, 1 (one) is a divisor of any integer.

2 1.1A Exercise: Suppose that a, b, c Z, show that each of the following holds. i If a b, then a bc. ii If a b and if b c, then a c. iii If a b and if a c, then a b ± c. 1.2 Fundamental Theorem of Arithmetic: Let n N with n > 1. Then each of the following holds. A existence of factorization There exist primes p 1, p 2,, p m and natural numbers α 1, α 2,, α m N such that n = p α 1 1 pα 2 2 pαm m. B uniqueness of factorization If there are primes q 1, q 2,, q s and natural numbers β 1, β 2,, β s N such that n = q β 1 1 qβ 2 2 qβs s, then m = s and there is a permutation π on the set {1, 2,, m} such that q πi = p i and β πi = α i. 1.2 Another way of stating the Fundamental Theorem of Arithmetics: i Every positive integer other than 1 is product of primes. ii This factorization into primes is unique, up to a permutation of the factors. Remark: As a traditional convenience, we view a single number n as a product with only one factor. In plain language, any natural number n N can be written uniquely except for the order of factors as a product of prime numbers. Example: 2520 = A Exercise: If p is a prime, a, b Z, and if p ab, then either p a or p b. 1.3 Given a, b Z such that one of them is nonzero, the greatest common divisor of a and b, denoted by a, b, or by gcda, b is the largest integer d such that d a and d b; the least common multiple of a and b, denoted by [a, b], is the smallest positive integer m such that a m and b m. 1.3A Exercise: Show that for any integer a, b Z, [a, b]a, b = ab. 1.3B Exercise: Let a, b Z {0}. Then a, b = a, b. Similarly, [a, b] = [ a, b]. 1.3C Exercise: Suppose that a, c = 1. If a bc, then a b. 1.3D Exercise: Let n N be an integer and let φn be the number of integers m such that 1 m < n and such that n, m = 1. For example, φ1 = φ2 = 1, φ3 = φ4 = φ6 = 2. In general, one can easily show that if p is a prime, then φp = p 1. Show that if n = pq for two distinct primes p and q, then φn = p 1q 1. Let U p be the set of positive 2

multiples of $p$ not bigger than $n$ and $U_q$ be the set of positive multiples of $q$ not bigger than $n$. Then $U_p \cap U_q = \{n\}$ and $|U_p| = q$, $|U_q| = p$. Thus $\varphi(n) = pq - |U_p| - |U_q| + 1 = (p-1)(q-1)$.

1.3E Exercise: More generally, show that if $n, m \in \mathbb{N}$ and if $(n, m) = 1$, then $\varphi(nm) = \varphi(n)\varphi(m)$.

1.3R Remark: The notation $(n, m)$ is traditionally abused. It is used here to denote the greatest common divisor of $n$ and $m$. It will later be used to mean a 2-dimensional vector in Section 5, and an ordered pair of enciphering or deciphering keys in Section 6. It is somewhat lucky for us not to use any open intervals in this lecture note. However, I think the reader should have no confusion from the context about what this notation means, and when confusion is likely to occur, we will use $\gcd(a, b)$.

1.4 The Division: For any $n \in \mathbb{Z}$ and $d \in \mathbb{N}$, there are unique integers $q \in \mathbb{Z}$ and $r \in \mathbb{N}$ such that $n = dq + r$ and such that $0 \le r < d$. $q$ is the quotient and $r$ is the remainder of the division.

Example: $n = 1547$ and $d = 560$, then $q = 2$ and $r = 427$.

1.5 The Euclidean Algorithm:
Objective: Find $(a, b)$ for given $a, b \in \mathbb{Z}$.
Input: $a, b$ with $a > b > 0$.
Initialization: $n := a$, $d := b$.
Iteration: Apply long division to $n$ and $d$ to find $n = dq + r$, as described in 1.4. IF $r = 0$, then STOP: the current value $d$ is $(a, b)$. OTHERWISE set $n := d$ and $d := r$, and repeat the iteration.

1.5 Another way of stating the Euclidean Algorithm:
Input: Positive integers $a$ and $b$ with $a \ge b$.
The Algorithm: Repeatedly apply integer division (if needed) to obtain the following:

$$\begin{aligned}
a &= bq_1 + r_1, & 0 \le r_1 < b \\
b &= q_2 r_1 + r_2, & 0 \le r_2 < r_1 \\
r_1 &= q_3 r_2 + r_3, & 0 \le r_3 < r_2 \\
&\;\;\vdots \\
r_{k-2} &= q_k r_{k-1} + r_k, & 0 \le r_k < r_{k-1} \\
r_{k-1} &= q_{k+1} r_k
\end{aligned}$$

Output: $(a, b) = r_k$. If $r_1 = 0$, then $(a, b) = b$.

4 1.5A Example: Find 1547, = = = = = = , 7 = = = = = = = = = At the last interation left column, n = 21, d = 7, q = 3 and r = 0. Thus 1547,560=7. The right column will be used in 1.5D. 1.5B Exercise: Find 1428, C Exercise: Show that given a, b Z {0}, there exist u, v Z such that ua+vb = a, b. Hint: Revise the Algorithm 1.5 to find these u and v. 1.5D Example: 1547,560 = E Exercise: Show that given a, b Z {0}, a, b is the smallest positive integer that can be written in the form ua + vb for some integers u, v Z. Hint: Let d be the smallest positive integer that can be written in the form ua + vb for some integers u, v Z. Then d = ua + vb for certain u, v Z. Ask these questions: if d is a common divisor of d, must d d?; is d a common divisor of a and b? 1.5F Exercise: If for some integers u and v such that ua + vb = 1, then a, b = 1. Hint: use 1.5E. 1.5G Summary of Elementary Properties of gcd Let a and b be two integers with a + b > 0, and let d = a, b. i There exist integers s and t such that d = as + bt. ii a and b are relatively prime if and only if there exist integers s and t such that 1 = as+bt. iii Suppose d = a, b. Then a/d, b/d = 1. iv If a, b = 1, then [a, b] = ab. Remark: Therefore when a, b = 1, any common multiple of a and b is also a multiple of ab. This property will be used in 3.1 below. v ab = a, b[a, b]. 1.5H Exercise: Explain why Algorithm 1.5 can give you the right answer. 4

5 2. Congruences 2.1 Notation: Given a, b Z and m N, if m a b, then we write a b mod m or a m b and say that a is congruent to b modulo m. 2.1A Examples: 4 3 7; 14 2 mod B Exercise: Show m is an equivalence relation. 2.2 a m b if and only if there is an integer k such that a = b + km. 2.3 Properties Let a, b, c, d, m be integers with m 0. i a m 0 if and only if m a. ii a m a. iii a m b if and only if b m a. iv If a m b and if b m c, then a n c. v If a m b and c m d, then a + c m b + d, a c m b d, ac bd. Remark: Apply 2.1 and 2.2 to prove all these properties. Property 2.3v says that for addition, subtraction and multiplication, modulo n can be done just like those for integers. 2.3A Exercise: For fixed m N, show that each equivalence class of m has one and only one member in the set {0, 1,, m 1}. Notation: The set of all equivalence classes called residue classes will be denoted by Z m. We shall write Z m = { 0, 1,, m 1}, where ī denotes the equivalence class with i as a representative. 2.3B Exercise: Find Z C Exercise: Show that if a m b and c m d, then a ± c m b ± d and ac m bd. 2.3D Exercise: If c, m = 1, and if ac m bc, then a m b. Hint: Apply 1.3C. 2.3E Exercise: Find an example such that one may have ac m bc but not a m b. 5

6 2.4 Notation If ab m 1, then ā and b are inverse residue classes of each other. If ā has an inverse residue class, then by writing ā 1 in Z m we mean the n-th power of the inverse residue class or just inverse for short of ā in Z m. 2.5 Conditional Division Let a, b, c, d, m be integers with n m and with a, m = 1. If ab m ac, then b m c. That is, if a, m = 1, then we can divide both sides by a modulo m. Proof: Apply A Exercise: Find the inverse of 2 in Z 7, and write the fraction 3 2 in Z 7 as a member in Z 7. Can you find the inverse of 2 in Z 4? 2.5B Example: , since C Exercise: Show that if ā has an inverse in Z m, then the inverse is unique. In other words, if b and c are inverses of ā in Z m, then b = c. Hint: If ab m 1 m ac, then b m c. 2.5D Exercise: Show that ā has an inverse in Z m iff a, m = Exercise: If p is a prime, then every element in Z p has an inverse. Therefore one can do the usual arithmetic for numbers in Z p except the outcome must be modulo p. The Z p with the arithmetic addition and multiplication modulo p is called a field, or the field of p elements. 2.7 Summary of Some Basic Skills: i Skill 1 Finding a 1 mod m. This can be done only when a, m = 1. Step 1 Apply Euclidean Algorithm to find s and t so that as + mt = 1. Step 2 as m 1, that is, s m a 1. ii Skill 2 Solving equation ax m c when a, m = 1. Step 1 Find s m a 1. Step 2 Multiply a 1 to both sides of the equation to get x m a 1 c m cs. iii Skill 3 Solving equation ax m c when a, m > 1. Step 1 Compute d = a, m. If d b, then ax m b has no solution. Step 2 Suppose d b. Let a 1 = a/d, b 1 = b/d and m 1 = m/d. Then by 1.7, a 1, m 1 = 1, and so we can apply Skill 2 to find a solution x 0 for the equation a 1 x m1 b 1. Step 3 The complete set of solutions of the equation ax m b is then obtained as x 0, x 0 + m 1, x 0 + 2m 1,, x 0 + d 1m 1 mod m. 6
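Skills 1 to 3 above, written out as an added example (not part of the original notes). The function names are this example's own; the extended Euclidean loop produces the integers $u, v$ with $ua + vb = (a, b)$ asked for in Exercise 1.5C.

```python
def ext_gcd(a, b):
    """Return (d, u, v) with d = gcd(a, b) >= 0 and u*a + v*b == d."""
    # Loop invariants: old_r == old_u*a + old_v*b and r == u*a + v*b.
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r                       # one long-division step (1.4)
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    if old_r < 0:                            # normalise the sign of the gcd
        old_r, old_u, old_v = -old_r, -old_u, -old_v
    return old_r, old_u, old_v


def mod_inverse(a, m):
    """Skill 1: the inverse of a modulo m (m >= 1); needs gcd(a, m) == 1."""
    d, s, _ = ext_gcd(a % m, m)              # a*s + m*t == d
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: gcd is {d}")
    return s % m


def solve_linear_congruence(a, c, m):
    """Skills 2 and 3: every x in range(m) with a*x = c (mod m), ascending."""
    a %= m
    d, _, _ = ext_gcd(a, m)
    if c % d != 0:
        return []                            # d does not divide c: no solution
    a1, c1, m1 = a // d, c // d, m // d      # reduced congruence, gcd(a1, m1) == 1
    x0 = (mod_inverse(a1, m1) * c1) % m1     # its unique solution modulo m/d
    return [x0 + k * m1 for k in range(d)]   # the d solutions modulo m


if __name__ == "__main__":
    print(ext_gcd(1547, 560))                # gcd of the numbers used in 1.4
    print(mod_inverse(2, 7))                 # inverse of 2 in Z_7
    print(solve_linear_congruence(3, 6, 15)) # the equation 3x = 6 (mod 15)
```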

7 2.7A Example. Solve the equation 3x 6 mod 15. Solution: Here d = 3, 15 = 3. As 3 6, we reduce the equation to x 2mod5. Then we have a solution x 0 = 2 in Z 5. Then in Z 15, we have these solutions d = 3 of them: 2, = 7, = Given integers a and b with d = a, b, how to find integers x and y such that ax + by = d? Consider the case when d = 1 first. When d > 1, consider the equation a b x + y = 1, d d instead. Use Euclidean Algorithm and Exercise 1.5C. 2.9 Chinese Remainder Theorem: Two Equation Form Let m, n be integers with m, n = 1. Given integers a and b, there exists exactly one solution x mod mn to the simultaneous congruences { x m a, x n b. Existence of x As m, n = 1, we can apply Euclidean Algorithm to find integers s and t so that ms + nt = 1. Thus x = bms + ant satisfies both x m a and x n b. Uniqueness of x modulo mn Let x 1 be another solution. Then x x 1 m 0 and x x 1 n 0. Thus m x x 1 and n x x 1. Thus mn x x A Example: Solve x 2 mod 4 and x 5 mod 7. Note that 4, 7 = 1, and in fact, = 1. Thus x = = = Chinese Remainder Theorem: General Form Let m 1, m 2, m k be integers with m i, m j = 1 whenever i j. Given integers a 1, a 2,, a k, there exists exactly one solution x mod m 1 m 2 m k to the simultaneous congruences x m1 a 1, x m2 a 2,. x mk a k. 7

8 2.11 Algorithm Computing the unique solution guaranteed by the Chinese Remainder Theorem Step 1 Set m := m 1 m 2 m k and for i = 1, 2,, k, set z i := m/m i. Step 2 For i = 1, 2,, k, compute y i mi z 1 i. Step 3 The solution x = a 1 y 1 z 1 + a 2 y 2 z a k y k z k. 2.11A Example: Solve for x in the system x 1 mod 11 x 1 mod 13 x 1 mod 17. Solution: Here, a 1 = 1, a 2 = 1, a 3 = 1, and m 1 = 11, m 2 = 13 and m 3 = 17. Apply the algorithm. Step 1 Set m = m 1 m 2 m 3 = = 2431, and z 1 = = 221, z 2 = = 187 and z 3 = = 143. Step 2 For i = 1, as 11, 221 = 1 = , y 1 z mod 11. For i = 2, as 13, 187 = 1 = = , y 2 z mod 13. For i = 3, as 17, 143 = 1 = = , y 3 z mod 17. Step 3 A solution of the system is x = = = As 0 < 1871 < 2431 = m, this solution is unique modulo Fermat s Little Theorem: Let p be a prime and let a Z. Then each of these holds: i a p p a or write it another way: a p a mod p. ii If p a, then a p 1 p 1. Proof: It suffices to show that case when p a. By 2.4, az p = Z p as a set. Multiply the nonzero elements in these two sets to get a p 1 p 1! p p 1!. Then by 2.3D, a p 1 p A Exercise: What happens when p a in the proof of 2.12? of Give a detailed proof 8

2.12B Exercise: Suppose that $p$ is a prime and $p \nmid a$. If $n \equiv_{p-1} m$, then $a^n \equiv_p a^m$. Hint: Assume $n > m$. Note that $(p-1) \mid (n-m)$, or $n = m + c(p-1)$. Thus $a^n \equiv_p a^{m + c(p-1)}$ and so one can apply 2.12.

2.12C Exercise: Find the remainder of when divided by 7. Hint: =

2.13 Computational Properties of $\varphi(n)$:

$$\varphi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right),$$

where the product is over the distinct prime factors of $n$. In particular, we have, when $p$ and $q$ are primes with $(p, q) = 1$ and $k > 0$ is an integer,
(i) $\varphi(p) = p - 1$.
(ii) $\varphi(p^k) = p^k - p^{k-1}$.
(iii) $\varphi(pq) = (p-1)(q-1)$.

2.14 Euler's Theorem: If $(a, n) = 1$, then $a^{\varphi(n)} \equiv_n 1$.

2.15 Modular Exponentiation: Let $a, n, x, y$ be integers with $n > 0$ and $(a, n) = 1$. If $x \equiv_{\varphi(n)} y$, then $a^x \equiv_n a^y$.

2.16 Modular Exponentiation Algorithm: For positive integers $a$, $x$ and $n$, this algorithm computes $a^x \bmod n$.
Step 1 (Initialization): Set $A := x$, $B := 1$ and $C := a$.
Step 2: If $A$ is even, let $A := A/2$, $B := B$ and $C :\equiv_n C^2$.
Step 3: If $A$ is odd, let $A := A - 1$, $B :\equiv_n BC$ and $C := C$.
Step 4: If $A \ne 0$, GOTO Step 2.
Step 5: Output $B = a^x \bmod n$.

2.17 Let $n$ be a positive integer. If $r$ is an integer such that the powers of $r$ produce all the nonzero congruence classes modulo $n$, then $r$ is a primitive root modulo $n$ (or for the integer $n$). In other words, $r$ is a primitive root modulo $n$ if and only if the sequence $r, r^2, r^3, \ldots, r^{n-1}$ has $n - 1$ distinct elements in $\mathbb{Z}_n$. Example: $p = 7$ and $r = 3$.
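The Modular Exponentiation Algorithm above, with its registers A, B, C kept under the same names, followed by the primitive-root test from the definition. This is an added example, not part of the original notes; the optional `trace` argument and the function names are this example's own.

```python
def mod_exp(a, x, n, trace=None):
    """Compute a**x mod n with the A/B/C square-and-multiply steps."""
    A, B, C = x, 1, a % n                    # Step 1: initialization
    if trace is not None:
        trace.append((A, B, C))
    while A != 0:                            # Step 4: loop until A == 0
        if A % 2 == 0:                       # Step 2: A even, square C
            A, C = A // 2, (C * C) % n
        else:                                # Step 3: A odd, fold C into B
            A, B = A - 1, (B * C) % n
        if trace is not None:
            trace.append((A, B, C))
    return B % n                             # Step 5: B == a**x mod n


def is_primitive_root(r, n):
    """True when r, r^2, ..., r^(n-1) are n-1 distinct elements of Z_n."""
    powers = {mod_exp(r, k, n) for k in range(1, n)}
    return len(powers) == n - 1


if __name__ == "__main__":
    steps = []
    print(mod_exp(3, 6, 7, steps))           # Fermat: 3^(7-1) mod 7
    for state in steps:                      # register contents after each step
        print(state)
    print(is_primitive_root(3, 7), is_primitive_root(2, 7))
    # Exponents that agree modulo phi(21) = 12 give the same power of 5 mod 21.
    print(mod_exp(5, 14, 21), mod_exp(5, 2, 21))
```

The loop runs about $2\log_2 x$ times, so the cost grows with the bit length of the exponent rather than with its value.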

10 2.17A Note that if r is a primitive root modulo n, then r, n = B For a fixed r and n such that r, n = 1, for a given x, an integer l is a discrete logarithm of x base r modulo n if r l x mod n. 2.17C Find primitive root modulo p = Let r be a primitive root mod p. i For any 0 < k < p 1, r k p 1 but r p 1 p 1. ii If n is an integer, then r n p 1 if and only if n p 1 0. iii If j and k are integers, then r j p r k if and only if j p 1 k. Proof: i By Fermat s little theorem, r p 1 p 1. Suppose that for some 0 < k < p 1, r k p 1. Then r k+1 p r, and so the sequence r 1, r 2, r p 1, has at most p 2 distinct elements in Z p {0}, and so r is not primitive. ii Suppose that r n p 1. Write n = qp 1 + b with 0 b < p 1. Then 1 p r n p r qp 1+b p r b. Since 0 b < p 1, and by i, b = 0. Conversely, suppose that n p 1 0. Then n = qp 1 for some integer q. Thus by Fermat s little theorem, r n p 1. iii Suppose that r i p r k. 1 p r j r k p r j k. By ii, j k p 1 0, or j p 1 k Example: For a prime p > 0, solve x 2 p 1. Suppose that for some ā Z p such that a 2 p 1. Then p a 2 1 and so p a 1 or p a + 1. Thus x = 1 or x = p A Example: Solve for x in x 2 1 mod 21. 5pt] Solution: Note that 21 = 37. As x mod x 2 1 either 3 x 2 1 or 7 x 2 1, the equation x 2 1 mod 21 is equivalent to the system { x 2 1 mod 3 x 2 1 mod 7. Since both 3 and 7 are primes, x mod 3 has solutions x = ±1 and x 2 1 mod 7 has solutions x = ±1. Apply the Chinese Remainder Theorem Algorithm and consider all 10

11 4 possible combinations of solutions: x 3 1 and x 7 1 = x 21 1 x 3 1 and x 7 1 = x x 3 1 and x 7 1 = x x 3 1 and x 7 1 = x 21 1 Therefore, the solutions for the equation are 1, 8, 13 and 20 modulo B Example: Solve for x in x mod pt] Solution: Note that 143 = As x mod x either 11 x or 13 x 2 133, the equation x mod 143 is equivalent to the system { x mod 11 x mod 13. Since both 11 and 13 are primes, x mod 11 has solutions x = ±1 and x mod 13 has solutions x = ±4. Apply the Chinese Remainder Theorem Algorithm and consider all 4 possible combinations of solutions: x 11 1 and x 13 4 = x 143? x 11 1 and x 13 4 = x 143? x 11 1 and x 13 4 = x 143? x 11 1 and x 13 4 = x 143? Therefore, the solutions for the equation are x , 43, 100, 87, respectively Example: Solve x Try all the elements in Z 15 to find that x = 1, 4, 11, 14 are all the solutions Partial Solution of x 2 m b. Let p 4 3 be a prime and let y be an integer, and y 0 4 y p+1/4. Then i If x 2 p y has an integral solution, then the solutions must be ±y 0 mod p. ii If x 2 p y has no integral solutions, then ±y 0 mod p are the solutions of the equation x 2 p y Matrix Inversion Mod n Let M be a matrix whose entries are in Z n such that detm n 0. Let M 1 denote the inverse of M over the reals R. Then the inverse of M in Z n can be obtained from M 1 by taking each entry of M 1 mod n. 11
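The Chinese Remainder Theorem algorithm (Steps 1 to 3 of the general form) and the square-root examples modulo 21, 143 and 15, as an added example that is not part of the original notes. It assumes Python 3.8 or later for `pow(z, -1, m)`; the function names are this example's own, and for primes $p \equiv 3 \pmod 4$ it uses the candidate root $y^{(p+1)/4}$ from the partial-solution statement above.

```python
def crt(residues, moduli):
    """Unique x modulo m_1*...*m_k with x = a_i (mod m_i) for every i."""
    m = 1
    for m_i in moduli:                       # Step 1: m := m_1 m_2 ... m_k
        m *= m_i
    x = 0
    for a_i, m_i in zip(residues, moduli):
        z_i = m // m_i                       # Step 1: z_i := m / m_i
        # Step 2: y_i := inverse of z_i modulo m_i. pow() raises ValueError
        # when the moduli are not pairwise relatively prime.
        y_i = pow(z_i, -1, m_i)
        x += a_i * y_i * z_i                 # Step 3: sum of a_i y_i z_i
    return x % m


def sqrt_mod_prime(y, p):
    """All x in range(p) with x*x = y (mod p), for a prime p."""
    y %= p
    if p % 4 == 3:
        y0 = pow(y, (p + 1) // 4, p)         # the only possible roots are +-y0
        if (y0 * y0) % p != y:
            return []                        # y is not a square modulo p
        return sorted({y0, (-y0) % p})
    return [x for x in range(p) if (x * x) % p == y]   # small p: just search


def sqrt_mod_pq(y, p, q):
    """All square roots of y modulo p*q for distinct primes p and q."""
    return sorted(crt([r_p, r_q], [p, q])
                  for r_p in sqrt_mod_prime(y, p)
                  for r_q in sqrt_mod_prime(y, q))


if __name__ == "__main__":
    print(crt([2, 5], [4, 7]))               # x = 2 (mod 4), x = 5 (mod 7)
    print(sqrt_mod_pq(1, 3, 7))              # x^2 = 1 (mod 21)
    print(sqrt_mod_pq(133, 11, 13))          # roots +-1 mod 11 and +-4 mod 13
    print(sqrt_mod_pq(1, 3, 5))              # x^2 = 1 (mod 15)
```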

12 2.23 The field GF 4 = GF 2 2. GF 4 = {0, 1, ω, ω + 1}. The addition and multiplication can be done as the elements are polynomials in ω over Z 2, subject to ω 2 = ω + 1. Therefore, if we replace the symbol ω by another symbol x, then GF 4 is Z 2 [x] modulo x 2 + x In general, if F is a field, and if px is an irreducible polynomial in F [x], then F [x] modulo px is a field in which every non zero element has an inverse The field GF 2 8. This is Z 2 [x] modulo x 8 + 8x 4 + x 3 + x 2 + x

13 3. Numbers in Different Bases 3.1 Fix an integer b N. A natural number n N written to the base b is a notation for n of the form d k 1 d k 2 d 1 d 0 b, where the d s are symbols for the integers between 0 and b 1 called the digits; this notation means that n = d k 1 b k 1 + d k 2 b k d 1 b + d 0. The notation d k 1 d k 2 d 1 d 0 b is called a base-b representation of n. When d k 1 0, n is a k-digit base-b number. Traditionally, we write d k 1 d k 2 d 1 d 0 for d k 1 d k 2 d 1 d A Example: Base-2 numbers are also called binary numbers. A k-digit base-2 number is also called a k-bit number, where the word bit is short for binary digit. A byte is an 8-bit number. ASCII, American Standard Code for Information Interchange, is a way to represent characters using 7-bit numbers. Thus is a 4-bit number, which represents the integer 11 since = = 13. of a positive num- 3.1B Exercise: What is the base-1 representation of the number 4? ber n? What is the base-b representation of the number 0? 3.2 Any English word with k letters can be viewed as a k-digit base-26 number. with A Z representing the digits 0-25, respectively. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z We can also use decimal point here as we are doing for base-10 integers. Therefore, BAD 26 = = = 679, whereas B.AD 26 = = When there is no confusion arises, we shall omit the subscript 26 in this representation of numbers. Hence BAD = 679 and B.AD = = B D BAA. 3.2A Exercise: Divide by Answer: B Exercise: Divide HAP P Y by SAD Answer: KD MLP SAD. in base c Exercise: Convert 1000 to base-2 and base-26 using letters A Z. Solution: To convert a number n to base b, one can use division 1.4 to find the reminder when n is divided by b, this reminder r will then be the last digit in the base-b representation of n. Hence one can use the following algorithm in 3.3 to find: 100 = = DW. 13

14 3.3 Converting Base-10 to Base-b Algorithm: We assume b > 1. See 3.1B for the case when b = 1. Input: The integers n > 0 and b > 1. Output: base-b representation of n. When the algorithm halts, it will output the base-b representation of n: d k 1 d k 2 d 1 d 0 b. Note that K = k 1 in the algorithm. Initialization: N := n, K := 0, d 0 := N. Iteration: If N < b, then d 0 b is the base-b representation of n. Otherwise do the following: Apply 1.4. Divide N by b to get quotient q and remainder r. Set d k := r; N := q and K := K + 1. Repeat the iteration. 3.3A Example: 100 = , 50 = , 25 = , 12 = , 6 = , 3 = 2 + 1, 1 = Thus 100 = B Example: 100 = and so 100 = DW. 3.3C Multiply Y ES by NO. Divide W V U by MAT H. 3.3D Multiply and E Exercise: The hexadecimal system means b = 16 with A F representing the tenth through fifteenth digits, respectively. Divide 131B6C3 16 by 1A2F F Exercise: Explain how to convert back and forth between binary and hexadecimal representations of an integer. Describe an algorithm to perform such conversions. 3.3G Exercise: Fix a natural number b > 2. Explain how to convert back and forth between binary and base-b representations of an integer. Describe an algorithm to perform such conversions. 3.3H Exercise: Explain why Algorithm 3.3 gives you the correct answer. 14

4. Encryption and Decryption, Classical Cryptosystems

4.1 Notation: The message we want to send is called plain text and the disguised message is called cipher text. Both the plain text and the cipher text are written in some alphabet consisting of $N$ letters or characters, which could be the usual letters A-Z, or numbers, or any other symbols, even blanks. The process of converting a plain text into a cipher text is called encryption and the reverse process is called decryption. The set of all plain text message units is denoted by $\mathcal{P}$ and the set of all cipher text is denoted by $\mathcal{C}$. The whole process can be represented schematically by $\mathcal{P} \to \mathcal{C} \to \mathcal{P}$. Any such setup is called a cryptosystem (or just a cipher), in which the function $f : \mathcal{P} \to \mathcal{C}$ is the enciphering function (or the enciphering transformation), whereas its inverse function $f^{-1} : \mathcal{C} \to \mathcal{P}$ is the deciphering function (or the deciphering transformation). Note that any enciphering function must be a bijection.

4.1A Example: Let $\mathcal{P} = \mathbb{Z}_{26}$, which in turn represents the usual English alphabet A-Z. Define $f : \mathcal{P} \to \mathcal{P}$ by, for $P \in \mathcal{P}$,

$$f(P) = \begin{cases} P + 3 & \text{if } 0 \le P < 23, \\ P - 23 & \text{if } 23 \le P \le 25. \end{cases}$$

Then this defines a cryptosystem (Why?). For example: YES $\mapsto$ BHV $\mapsto$ YES.

4.1B Exercise: Use the cryptosystem in 4.1A to decode ZKB. Answer: WHY.

4.2 The Caesar's Cipher (also called the shift cipher): Let the alphabet be one with $N$ letters with numerical equivalents $0, 1, \ldots, N-1$. Let $b \in \mathbb{N}$ be a fixed integer, and let $C = f(P) \equiv_N P + b$ be the enciphering function. Then this defines a cryptosystem. Why? What is the deciphering function? The parameter $b$ is called the enciphering key.

4.2A Example of Code Breaking by Frequency Analysis: Under the assumption that the letter E is the most frequently occurring letter in English (this comes from statistics), and that Julius Caesar's Cryptosystem is used, one can pick out the most frequently occurring character in the intercepted message to find the enciphering key.

Example: Assume that in the intercepted message, U occurs most frequently, and that part of the message is IUDTCEDUO. Then if E = 4 becomes E + b = U = 20, then in $\mathbb{Z}_{26}$, $b = 16$. Therefore, IUDTCEDUO $\mapsto$ SENDMONEY.

16 4.2B Exercise: Break the code by using the method in 4.2A: IUUOEKRUSAO. Answer: SEEY OU BECKY. 4.3 An affine cryptosystem uses the enciphering function C = fp = ap + b mod N. The ordered pair a, b here is the enciphering key. 4.3A Exercise: Encipher SENDMONEY by the affine cryptosystem with a = 7, b = 12 and N = B Exercise: Encipher the answer in 4.2B by the affine cryptosystem with a = 7, b = 12 and N = C Exercise: Show that in order for the function f in 4.3 to be an enciphering function, one must have a, N = 1. In this case, f 1 C = a 1 C + a 1 b mod N. 4.3D Exercise: Is affine cipher always a good one? Consider the situation that you have just received a coded message ERRER, instructing you to do something to a given data set. Assuming that you have already known the encoding system is an affine cipher with a = 13, b = 4 and N = 26. Can you decode this instruction? What happens if someone sends you both the message INPUT and ALTER to you using this cipher? 4.4 Digraph transformation. Message units can be represented by ordered pairs of letters called digraphs. Each digraph x, y is then assigned a numerical equivalent. The usual way of this assignment is x, y xn + y, where N is the number of letters in the alphabet. This represents the digraph x, y as a 2-digit base-n number. Note that x, y xn + y is a bijection between the set of all digraphs in the N-letter alphabet and the set of {0, 1, 2,, N 2 1}, or the 2-dimensional vector space Z 2 N. 4.4A Example: With N = 26 and the digraph enciphering transformation C P + 580, the message NO becomes QY. In this cipher, the key is the ordered pair 159, 580. Reason: NO = 352, = = = , and 440 = = QY. 4.4B Exercise: What does ON become with the same enciphering function in 4.4A? 4.4C Exercise: How to break a digraph cryptosystem? Any idea? 16
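The shift, affine and digraph transformations of 4.2 to 4.4 in one added example (not part of the original notes; Python 3.8 or later is assumed for `pow(a, -1, N)`, and the function names are this example's own). It checks the key condition $(a, N) = 1$ before deciphering and counts how many letters a key can actually produce, which is the failure behind the ERRER message in 4.3D.

```python
from collections import Counter
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"      # A..Z <-> 0..25
N = len(ALPHABET)


def affine_encrypt(plain, a, b):
    """C = a*P + b mod N, letter by letter (a == 1 is the shift cipher)."""
    return "".join(ALPHABET[(a * ALPHABET.index(ch) + b) % N] for ch in plain)


def affine_decrypt(cipher, a, b):
    """P = a^(-1) * (C - b) mod N; only defined when gcd(a, N) == 1."""
    if gcd(a, N) != 1:
        raise ValueError(f"a={a} is not invertible modulo {N}; f is not a bijection")
    a_inv = pow(a, -1, N)
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % N] for ch in cipher)


def image_size(a, b):
    """Number of distinct cipher letters the key (a, b) can produce."""
    return len({(a * p + b) % N for p in range(N)})


def candidate_shift_keys(cipher, assumed_plain="E"):
    """Shift keys b that map assumed_plain onto a most frequent cipher letter.

    Short texts often have ties for 'most frequent', so every tied letter
    yields one candidate key.
    """
    counts = Counter(cipher)
    top = max(counts.values())
    p = ALPHABET.index(assumed_plain)
    return sorted((ALPHABET.index(ch) - p) % N
                  for ch, c in counts.items() if c == top)


def digraph_encrypt(pair, a, b):
    """Affine map on the 2-digit base-N number xN + y, modulo N^2."""
    x = ALPHABET.index(pair[0]) * N + ALPHABET.index(pair[1])
    c = (a * x + b) % (N * N)
    return ALPHABET[c // N] + ALPHABET[c % N]


if __name__ == "__main__":
    for text in ("IUDTCEDUO", "IUUOEKRUSAO"):          # ciphertexts from 4.2A, 4.2B
        for b in candidate_shift_keys(text):
            print(text, b, affine_decrypt(text, 1, b))
    # With a = 13, b = 4 two different instructions give the same ciphertext.
    print(affine_encrypt("INPUT", 13, 4), affine_encrypt("ALTER", 13, 4))
    print(image_size(13, 4), image_size(7, 12))
    print(digraph_encrypt("NO", 159, 580))             # the digraph key of 4.4A
```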

17 4.4D Remark: An ordered pair can viewed as a vector in Z 2 N, where vector addition and scalar multiplication are clearly defined in the usual way. Since in general Z N is only a commutative ring with unity, Z 2 N is usually called a Z N-module. A Z N -module becomes a vector space only when Z N is a field, that is, when N is a prime. 4.5 The k-graphs. Extending the thought of a digraph, one can represent a message unit by a k-tuple with entries in Z N. Often, a k-tuple x k 1, x k 2,, x 0 ZN k may be viewed as a k-digit base-n number x k 1 x k 2 x 1 x 0 N, which means x k 1 N k x 1 N + x A Example: Let N = 26. base 10-number answer: To encode Y ES into a 3-graph, one can do this with a Y ES = =

18 5. Some Linear Algebra Over Z m, Enciphering Matrices 5.1 Notation: M 2 Z m denotes the set of all 2 by 2 matrices over Z m. One can add, subtract and multiply two matrices in M 2 Z m and still end up with a matrix there. The elements in Z m with a multiplicative inverse form a set Z m, which is a multiplicative abelian group. By 2.5D, Z m = {ī : i, m = 1}. 5.1A Example: The inverse of the matrix A = M 2 Z 27 is A 1 = a b 5.1B Exercise: Let m N be an integer. Given a matrix A = M 2 Z m, the c d following are equivalent: i A has an inverse. ii ad bc, m = 1. The value deta = ad bc is called the determinant of A. iii If x 0 Z 2 m, then Ax 0. iv The map fx = Ax is a bijection from Z 2 m onto itself. Find a for- 5.1C Exercise: Assume that one of the conclusions listed in 5.1B holds. mula to compute A 1 in this case. 5.1D Exercise: Find the inverse of A in M 2 Z 5, where A = E Exercise: Solve the system in Z 9 : { x + 4y = 1 5x + 7y = Enciphering Matrices: Let A be an invertible matrix. The map defined in 5.1Biv defines an enciphering transformation, and the matrix A is the enciphering key. 5.2A Example: Work with the 27-letter alphabet where the letters A Z have numerical 2 3 equivalents 0 25, and blank =26. Let A =. Then the message NO ANSW ER 2 17 can be viewed as 5 2-letter units: NO, A, NS, W E, R. Note that the blank between O and A counts. Note also that a blank is added after R to make the number of characters even. Thus the message has numerical equivalent view each unit as a column vector: P =

19 Thus the enciphered message becomes: C = AP = = = OV ZZ ICEER. 5.2B Exercise: Use the same alphabet and the same matrix A as in 5.2A to decode the ciphertext: V XF SJQOQHW SE. Answer: SEE Y OU BECKY. Note that the blanks inside the message and after BECKY count. This comes from the following computation: = An example of Code Breaking: We shall use the 26-letter alphabet A Z. We intercept the ciphertext W KNCCHSSJH and we have learned that the first word is GIV E. To break the code, we need to find the deciphering matrix A 1. Let P = GIV E = , C = W KNC = , and A 1 = P C 1. However, detc = 18 and so by 5.1B, C 1 does not exist. To resolve this problem, we let A 1, P 1 and C 1 be the matrices of A, P, and C in Z 13, respectively. Then as A A 1 mod 13, we have A 1 A 1 1 mod 13, and so we can write A 1 = A A 0, for some A 0 M 2 Z 2. Taking modulo 13 both sides of C = AP to get C 1 = A 1 P 1, and so C = = A = A 1 P 1 13 A Here C 1 = and P 1 = As detc 1 = , and as The inverse of C 1 exists as using Therefore over Z 13, C 1 1 = A 1 1 = P 1 C 1 1 = =

20 Note that A 1 A 1 1 mod 13. As the entries in A 1 are elements in Z 26, and as these entries are now reduced in A 1 1 to elements in Z 13, it follows that 2 4 A 1 = + 13A 0, 3 2 where A 0 M 2 Z 2. There are 2 4 = 16 matrices in M 2 Z 2. As A 1 should be invertible to be a deciphering key, the determinant of A 1 should be relatively prime to 26, and in particular, relatively prime to 2. In other words, deta 1 should be an odd integer. We may assume that A 0 = x11 x 12 x 21 x 22, where each x ij Z 2. The fact that the determinant of A 1 should be an odd integer becomes which gives, in modulo 2, x x x x 21 1 mod 2, deta 1 x 11 x 22 x x 21 1 mod 2. There are only 6 possibilities of the values of A 0 such that this would be satisfied. We determine these possibilities, as follows. Determining A 0. Case 1: x 11 = 0. To get deta 1 2 1, we must have x 12 = 1 and x 21 = 0. However, x 22 can be either 0 or 1. Thus these are possible candidates for A 0 : or Case 2: x 11 = 1 and x 22 = 0. To get deta 1 2 1, we must have x 12 = 1 and x 21 = 0. Thus this is a possible candidate for A 0 : Case 3: x 11 = 1, x 22 = 1, and x 12 = 1. To get deta 1 2 1, we must have x 21 = 1. Thus this is a possible candidate for A 0 :

21 Case 4: x 11 = 1, x 22 = 1, and x 12 = 0. It does not matter if x 21 = 0 or x 21 = 1, we always have get deta Thus these are possible candidates for A 0 : or To further reduce the number of possibilities for A 0, we take modulo 2 both sides of 0 1 P = A 1 C for each of these six possibilities of A 0. As an example, for A 0 =, we 0 0 should have P A 1 C a contradiction. Thus A these six possibilities, only will satisfy the equation A 1 C = P mod mod 2. Similarly, we can exclude three others. Thus among and A Exercise: Substituting these six possible A 0 into A 1 and use A 1 C = P in M 2 Z 26 to show that the possibilities for A 0 can be reduced to the following two A 0 = or It follows that A 1 = or The first choice of A 1 yields the decoded message GIV EGHEMHP, which does not sound right. However, the second one gives GIV ET HEMUP, and so it must be the correct one. FACT: There are 175,248 invertible matrices in M 2 Z B Exercise: You intercepted the message!iwgviex!zradryd. You know that a linear enciphering transformation is being used with a 29-letter alphabet, in which A-Z have numerical equivalents 0-25, blank = 26,? = 27,! = 28. You further know that the last five letters of the plaintext are MARIA Find the deciphering matrix A 1 and the full plaintext message. 21

22 5.3C Exercise: You intercepted the message KVW? TA!KJB?FVR. The blanks after? and R are part of the message, but the final. is not. You know that a linear enciphering transformation is being used with a 30-letter alphabet, in which A-Z have numerical equivalents 0-25, blank = 26,? = 27,! = 28,.=29. You further know that the first six letters of the plaintext are C.I.A. Find the deciphering matrix A 1 and the full plaintext message. 22

6. Public Key Cryptography

6.1 Terminology: The letter $b$ of the enciphering functions in 4.2, the pair $(a, b)$ of the enciphering functions in 4.3, and the entries of the enciphering matrices in Section 5 (regarded as components of a vector), are called the enciphering keys, and are denoted by $K_E$. The corresponding parameters in the deciphering functions and matrices are the deciphering keys and are denoted by $K_D$. If the deciphering process takes about the same or a similar level of difficulty as the enciphering process, such a cryptosystem will be called a classical one. If the deciphering process is a lot harder than the enciphering process, then one can assume that even if everybody knows how the messages are encoded, it is still difficult for those without deciphering keys to decode the cipher text. Therefore, such a cryptosystem is called a public key system. How to measure the level of difficulty? It is measured by the amount of time needed to solve the problem. Please see the last section for a brief introduction on that subject.

6.2 RSA Cryptosystem: RSA comes from the names of its inventors: Rivest, Shamir, and Adleman. This system is based on the assumption that in $\mathbb{Z}_m$, it is relatively easier to compute modulo exponentiation (thanks to Fermat and Euler, also see an algorithm in Section 2), but it is generally difficult to factor a large integer.

Choosing System Parameters: First, Bob chooses two distinct primes $p$ and $q$. These primes are usually very large in order to add difficulty for breaking the ciphers. Let $n = pq$ and randomly pick a number $e$ between 1 and $\varphi(n)$ such that $(e, \varphi(n)) = 1$ (assume that there is an oracle, or a random number generator, helping Bob).

Making Enciphering and Deciphering Keys: Then, compute $d \equiv_{\varphi(n)} e^{-1}$. Now Bob tells Alice the enciphering key $K_E = (n, e)$ (please do not view this as a g.c.d.!); and he conceals the deciphering keys $K_D = (n, d)$.

He also assumes that Alice may not be able to keep the secret and the keys $K_D$ may be known by other people such as other boyfriends of Alice.

The Encoding and Decoding Process: Bob then tells Alice that the alphabet of both the cipher text and the plain text will be in $\mathbb{Z}_n$, the plain text may be represented by $k$-graph base-$N$ numbers, or $k$-digit base-$N$ numbers, and the enciphering function is $C = f(P) \equiv_n P^e$, as long as Alice is careful enough to pick $P$ so that $(P, n) = 1$. However, the assumption $(P, n) = 1$ is not necessary, as we shall see later. When Bob receives such a coded message from Alice, Bob knows how to decode it, since he knows the deciphering function $f^{-1}(C) \equiv_n C^d$. This is because, as $ed \equiv 1 \pmod{\varphi(n)}$, $ed = s\varphi(n) + 1$, for some integer

24 s, and so by Euler, and as P, n = 1, P φn 1 mod n. It follows that f 1 C n C d = P e d = P sφn+1 = P φn s P P mod n. But the public must first factor n to find K D. Therefore, the harder the factorization of n is, the safer the code will be. 6.3 Example: Let p = 281, q = 167. Then n = Pick e = Thus the enciphering key is 46927, and the deciphering key is 46927, In order to use the English Alphabet in the messages, Bob also tells Alice to use base-n representation of the numerics with N = 26. To send a message Y ES to Bob, Alice first finds the numerical equivalent of Y ES = P = = in base-10. Next, Alice computes C = P m = in Z n, and then converts C to Base-26 numbers and their letter equivalents: C = = BF IC. And she transmits BF IC to Bob. Receiving the message BF IC from Alice, Bob converts it back to base-10 numbers BF IC = 21166, then applies the deciphering key to compute After he converts it to base-26 numbers, he recognizes that the message is Y ES, and is overjoyed. 6.4 The Knapsack Problem: Given a k-tuple {v i } = {v 0, v 1,, v k 1 } of positive integers and an integer V, find a k-bit number n = ɛ k 1 ɛ 1 ɛ 0 2 such that k 1 i=0 ɛ iv i = V, if such an n exists. 6.4A Example: For k = 4, v i = i + 1, 0 i 3, if V = 11, then no such n exists, but if V = 5, then one such solution is n = If V = 6, then both n = and n = are solutions. 6.4B Example: For fixed integer k > 1, let v i = 2 i, for 0 i k 1. Then the corresponding Knapsack Problem has a solution if and only if V 2 k 1 the answer is the binary representation of the base-10 integer V. 6.4C Note that there may or may not be a solution for given {v i } = {v 0, v 1,, v k 1 } and V. When there is a solution, there may be more than one solution. A k-tuple {v i } = {v 0, v 1,, v k 1 } is superincreasing if v 0 v 1 v k 1 and if, for each i = 1, 2, k, v i > v 0 + v 1 + v i D Example: {2, 3, 7, 15, 31} is superincreasing. The k + 1-tuple in 6.4B is also superincreasing. But the 4-tuple in 6.4A is not. 24

6.5 Superincreasing Knapsack Problem: We provide an algorithm that runs in polynomial time and solves the Superincreasing Knapsack Problem. Assume that a superincreasing k-tuple $\{v_0, \ldots, v_{k-1}\}$ and an integer $V$ are given.

INITIALIZATION: Set $W := V$ and $j := k$.

ITERATION:
(1) FOR $i := 1$ TO $j$, DO: IF $v_{j-i} > W$, THEN set $\epsilon_i := 0$; OTHERWISE $\epsilon_i := 1$, $W := W - v_i$, $j := i$.
IF $W > 0$, GOTO (1).

When the algorithm halts, either $W = 0$, in which case a solution $(\epsilon_{k-1} \cdots \epsilon_0)_2$ has been found, or $W > 0$, in which case no solution exists, since all of the remaining $v_i$ are $> W$.

6.5A Exercise: The solution given by 6.5, if it exists, is unique.

6.5B Example: Let $\{v_i\} = \{2, 3, 7, 15, 31\}$ and $V = 24$. Apply Algorithm 6.5. First $\epsilon_4 = 0$ and $\epsilon_3 = 1$. Replace 24 by = 9 to get $\epsilon_2 = 1$; replace 9 by $9 - 7 = 2$ to get $\epsilon_1 = 0$ and $\epsilon_0 = 1$. Thus the answer is n = =

The Knapsack Cryptosystem is also known as the Merkle-Hellman system.

Choosing System Parameters: First, choose a superincreasing k-tuple $\{v_0, v_1, \ldots, v_{k-1}\}$, an integer $m > \sum_{i=0}^{k-1} v_i$, and an integer $a$ with $(a, m) = 1$, with the help of an oracle, a random number generator.

Making Enciphering and Deciphering Keys: Then compute $b \equiv a^{-1} \pmod m$ (this is why we need $(a, m) = 1$) and $w_i \equiv a v_i \pmod m$, $0 \le i \le k - 1$. The enciphering key will then be $K_E = \{w_0, \ldots, w_{k-1}\}$, and the deciphering key is $K_D = (b, m)$.

The Encoding and Decoding Process: Bob makes all of the above and keeps $K_D$ secret. After he has done so, he publicizes the encryption key $K_E$. If Alice wants to send a plain text in k-bit number form $P = (\epsilon_{k-1} \cdots \epsilon_0)_2$ to Bob, as she knows $K_E$, she can compute $C = f(P) = \sum_{i=0}^{k-1} \epsilon_i w_i$ and transmit $C$. Receiving the message $C$ from Alice, Bob uses his key $K_D = (b, m)$ to find the least positive residue $V$ of $bC$ in $Z_m$. Bob knows that since $bC \equiv \sum \epsilon_i b w_i \equiv \sum \epsilon_i v_i \pmod m$, it must be the case that $V = \sum_{i=0}^{k-1} \epsilon_i v_i$. Here we need $V < m$, and $\sum_i v_i < m$. Now Bob applies Algorithm 6.5 to find the unique solution $(\epsilon_{k-1} \cdots \epsilon_0)_2$ and recovers $P$.

6.6A Example: Let's use the same 5-tuple {2, 3, 7, 15, 31} again. Let $m = 61$, $a = 17$. Then $b = 18$, $K_E = (34, 51, 58, 11, 39)$ and $K_D = (18, 61)$. To send a message WHY to Bob, Alice first finds the equivalents: W = 22 = = 148, H = 7 = = 143, and Y = 24 = = 50. Then she transmits the sequence 148, 143, 50. Receiving 148, from Alice, Bob multiplies the sequence by 18 in $Z_{61}$ to get 41, 12, 46, respectively. Then Bob applies Algorithm 6.5 to $V = 41$ to get , to $V = 12$ to get , and to $V = 46$ to get , and so he knows the message.
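The key making, enciphering and deciphering steps of the Knapsack Cryptosystem, together with Algorithm 6.5, run on the numbers of Example 6.6A. This is an added example, not part of the original notes; the function names are chosen here, and letters are numbered A = 0, ..., Z = 25 as the example's W = 22 implies.

```python
from math import gcd

def is_superincreasing(v):
    """6.4C: every term must exceed the sum of all terms before it."""
    total = 0
    for x in v:
        if x <= total:
            return False
        total += x
    return True

def solve_superincreasing(v, V):
    """Algorithm 6.5 as a greedy scan from v_{k-1} down to v_0.

    Returns the bits [e_0, ..., e_{k-1}] with sum(e_i * v_i) == V,
    or None when no solution exists.
    """
    bits = [0] * len(v)
    W = V
    for i in range(len(v) - 1, -1, -1):
        if v[i] <= W:
            bits[i] = 1
            W -= v[i]
    return bits if W == 0 else None

def make_keys(v, m, a):
    """Return (K_E, K_D) = ([w_0, ..., w_{k-1}], (b, m))."""
    if not is_superincreasing(v):
        raise ValueError("v must be superincreasing")
    if m <= sum(v):
        raise ValueError("need m > v_0 + ... + v_{k-1}")
    if gcd(a, m) != 1:
        raise ValueError("need (a, m) = 1 so that a is invertible mod m")
    b = pow(a, -1, m)                 # b = a^{-1} mod m (Python 3.8+)
    w = [(a * x) % m for x in v]      # w_i = a * v_i mod m
    return w, (b, m)

def encrypt(P, w):
    """C = sum of the w_i selected by the bits of the k-bit number P."""
    if not 0 <= P < (1 << len(w)):
        raise ValueError("P must fit in k bits")
    return sum(wi for i, wi in enumerate(w) if (P >> i) & 1)

def decrypt(C, v, key):
    """V = b*C mod m, then Algorithm 6.5 on the secret tuple v."""
    b, m = key
    bits = solve_superincreasing(v, (b * C) % m)
    if bits is None:
        raise ValueError("ciphertext does not decode")
    return sum(bit << i for i, bit in enumerate(bits))

# Values of Example 6.6A.
V_SECRET = [2, 3, 7, 15, 31]
K_E, K_D = make_keys(V_SECRET, m=61, a=17)

def encrypt_text(text):
    """Encipher one letter (A = 0, ..., Z = 25) per ciphertext number."""
    return [encrypt(ord(ch) - ord("A"), K_E) for ch in text]

def decrypt_text(cipher):
    return "".join(chr(decrypt(C, V_SECRET, K_D) + ord("A")) for C in cipher)

if __name__ == "__main__":
    c = encrypt_text("WHY")
    print("K_E =", K_E, "K_D =", K_D)
    print("cipher =", c, "-> b*C mod m =", [(K_D[0] * x) % K_D[1] for x in c])
    print("plain  =", decrypt_text(c))
```

The basic Merkle-Hellman scheme shown here was broken by Shamir's attack and is of teaching interest only.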

7. The Primality Test and Factorization

7.1 When is an integer a composite? Let $n$ be an integer. Suppose that there exist integers $x, y$ such that $x^2 \equiv y^2 \pmod n$ but $x \not\equiv \pm y \pmod n$. Then each of the following holds.
(i) $n$ is a composite.
(ii) Let $d = (x - y, n)$. Then $1 < d < n$.

Proof: Use the property that if $n$ is a prime and $n \mid ab$, then $n \mid a$ or $n \mid b$, with $a = x - y$ and $b = x + y$, to see that $n$ must be a composite. $d = n \Rightarrow n \mid (x - y) \Rightarrow x \equiv y \pmod n$. Thus assume $d = 1$. Use the property that if $(a, b) = 1$ and $a \mid bc$, then $a \mid c$. From $n \mid x^2 - y^2 = (x - y)(x + y)$ and $d = 1$, we have $n \mid (x + y) \Rightarrow x \equiv -y \pmod n$.

7.1A Example: For n = , we have been told the following mod n mod n mod n mod n Multiply these relations side by side to get mod n mod n. Let x = and y = We verify that $x \not\equiv \pm y \pmod n$. Then we can factor $n$ by computing $(x - y, n)$ = , = 1093, and = Hence n = =

Example: As mod 15 and $7 \not\equiv \pm 2 \pmod{15}$, we conclude that 15 is a composite, and $5 = (7 - 2, 15)$ is a nontrivial factor of

When is an integer a composite? We apply Fermat's Little Theorem 2.12, which states that if $p > 2$ is a prime, then $2^{p-1} \equiv 1 \pmod p$. Suppose that 12 is a prime; then we should have mod 12. If this is not true, then 12 is a composite. Perform these computations: 2 4 = = =

Thus 12 must be a composite. This example is extended to the next test.

7.4 Miller-Rabin Primality Test.

Input: An odd integer $n > 1$ such that for some integer $k \ge 0$ and odd integer $m$, $n - 1 = 2^k m$.

Initialization: Choose a random integer $a$ with $1 < a < n - 1$. Compute $b_0 \equiv a^m \pmod n$. If $b_0 \equiv \pm 1 \pmod n$, then STOP and output the message that $n$ is probably a prime. Otherwise continue.

Iteration: FOR $i = 1, 2, \ldots, k$, DO:
Set $b_i \equiv b_{i-1}^2 \pmod n$.
IF $b_i \equiv 1 \pmod n$, THEN STOP and output the message that $n$ is a composite, and that $(b_{i-1} - 1, n)$ is a nontrivial factor of $n$.
IF $b_i \equiv -1 \pmod n$, THEN STOP and output the message that $n$ is probably a prime.
OTHERWISE continue.

Reason: If $b_i \equiv 1 \pmod n$ but $b_{i-1} \not\equiv \pm 1 \pmod n$, then $(b_{i-1} - 1)(b_{i-1} + 1) \equiv b_{i-1}^2 - 1 \equiv b_i - 1 \equiv 0 \pmod n$, and so view $x = b_{i-1}$ and $y = 1$ to see that if $n$ were a prime, then at Step $i - 1$, either $b_{i-1} \equiv 1 \pmod n$ or $b_{i-1} \equiv -1 \pmod n$, and so the algorithm must have stopped. Since the algorithm did not stop, we must have $x \not\equiv \pm y \pmod n$, and so by 7.1, $d = (x - y, n) = (b_{i-1} - 1, n)$ must be a proper factor of $n$.

7.5 Example: Test if $n = 561$ is a composite. Then $n - 1 = 560 = 16 \cdot 35$, and so $2^k = 2^4$, $k = 4$ and $m = 35$. Pick $a = 2$. Then b mod 561 b 1 b mod 561 b 2 b mod 561 b 3 b mod 561 Thus 561 is a composite and $(b_2 - 1, n) = (66, 561) = 33$ is a factor of

If $n$ is a composite and for some $a$ with $1 < a < n - 1$, $a^{n-1} \equiv 1 \pmod n$, then $n$ is called a pseudo prime for the base $a$ or a pseudo prime to the base $a$. If, in addition, $n$ passes the Miller-Rabin test, then $n$ is called a strong pseudo prime for the base $a$. In other words, pseudo primes are numbers that pretend to be primes.

7.6A Example: $n = 561$ is a pseudo prime for the base 2, but it is not a strong pseudo prime for the base

7.6B Example: $n = 91$ is a pseudo prime for the base 3, as mod 91. But 91 is not a strong pseudo prime for the base 2, because mod 91. In fact, from mod 91 we know that 91 is not a prime.

7.6C Exercise: Find all bases $b$ for which 15 is a pseudo prime.

7.7 When is an integer a prime? A straightforward fact is that if $n > 1$ is a composite, then $n$ must have a nontrivial factor $p$ such that $1 < p \le \sqrt{n}$. Therefore, one way to test if $n$ is a prime is to perform the following.

Input: Integer $n > 0$.
Initialization: Let $[\sqrt{n}]$ be the largest integer that is not bigger than $\sqrt{n}$.
Iteration: For $k = 2, \ldots, [\sqrt{n}]$, use division to see if $k \mid n$.

Remark: The amount of computation may be too much.

7.8 Universal Exponent Factorization Method.

Input: An integer $n > 1$ and an integer $r > 0$ such that for all $a$ with $(a, n) = 1$, $a^r \equiv 1 \pmod n$. The number $r$ is referred to as the universal exponent.

Initialization: Write $r = 2^k m$ with $m$ odd.

Iteration: FOR $a = 2, \ldots, n - 2$, DO:
IF $(a, n) > 1$, THEN STOP and output a message that $a \mid n$.
OTHERWISE set $b_0 \equiv a^m \pmod n$ and FOR $u = 0, 1, \ldots, k - 1$, DO: set $b_{u+1} \equiv b_u^2 \pmod n$.
IF $b_0 \equiv 1 \pmod n$ OR IF for some $u > 0$, $b_u \equiv -1 \pmod n$, THEN move to the next value of $a$.
IF for some $u \ge 0$, $b_{u+1} \equiv 1 \pmod n$ but $b_u \not\equiv \pm 1 \pmod n$, THEN STOP and $(b_u - 1, n)$ is a nontrivial factor of $n$.
OTHERWISE continue.

Remark: The existence of $r$ guarantees that $b_{u+1} \equiv 1 \pmod n$ for some $u$. Why does this work? See the reason for the Miller-Rabin Primality Test.

7.8A An application: Given $n$, $e$ and $d$ in RSA, to factor $n$, we can set $r = ed - 1$ and write $r = 2^k m$ with $m$ odd. Then apply 7.8 to find a proper factor of $n$.

Example: In an RSA system, it is known that $n = 221$, $e = 35$ and $d = 11$. Factor $n$. Let $r = ed - 1 = 384$ = Thus $m = 3$ and $k = 7$. Pick $a = 2$ and set $b_0 = a^m$

Then compute b b b Thus $(118 - 1, 221) = 13$ is a proper factor of $n = 221$. It follows that 221 =

Exponent Factorization Method.

Input: Integer $n > 0$, an integer $r > 0$ and an integer $a$ such that $a^r \equiv 1 \pmod n$.

Initialization: Write $r = 2^k m$ with $m$ odd.

Iteration: Set $b_0 \equiv a^m \pmod n$. FOR $u = 0, 1, \ldots, k - 1$, DO: set $b_{u+1} \equiv b_u^m \pmod n$.
IF $b_0 \equiv 1 \pmod n$, OR IF for some $u > 0$, $b_u \equiv -1 \pmod n$, THEN STOP, and the method does not factor $n$.
IF for some $u \ge 0$, $b_{u+1} \equiv 1 \pmod n$ but $b_u \not\equiv \pm 1 \pmod n$, THEN STOP and $(b_u - 1, n)$ is a nontrivial factor of $n$.

The $p - 1$ Factoring Algorithm.

Input: An integer $n > 0$, an integer $a > 1$ (usually pick $a = 2$ as a start) and a bound $B > 0$.

Initialization: Set $b_1 \equiv a \pmod n$.

Iteration: FOR $j = 2, \ldots, B$, DO: set $b_j \equiv b_{j-1}^j \pmod n$. (Note: $b_B \equiv a^{B!} \pmod n$.) Compute $d = (b_j, n)$. IF $1 < d < n$, THEN $d$ is a proper factor of $n$.

Reason: Suppose that $p$ is a prime, $p \mid n$ and $p - 1$ has small prime factors. Then when $B$ is large enough, $B!$ will contain all the prime factors of $p - 1$ and so $(p - 1) \mid B!$. Thus we can write $B! = (p - 1)k$ for some integer $k$. Therefore, by Fermat, $b_B \equiv a^{(p-1)k} \equiv 1 \pmod p$. Thus $p \mid (b - 1)$ and $p \mid n$, and so $p \mid (b - 1, n)$.

7.10A Example: $n = 57$. Pick $a = 2$ and $B = 6$. The first factor comes out at j =

7.10B Example: $n = 133$. Pick $a = 2$ and $B = 5$. Note that b but $(4 - 1, 133) = 1$; b , and $(64 - 1, 133) = 7$. Hence 133 =

7.10C Example: $n = 59$. Pick $a = 2$ and $B = 5$. Compute b 1 = and $(2, 59) = 1$, b and $(4, 59) = 1$, b and $(5, 59) = 1$, b and $(35, 59) = 1$, b and $(54, 59) = 1$. Therefore, the algorithm does not tell anything. However, the above shows that for $p = 2, 3, 5$, $p \nmid 59$. One can also check that Hence all prime numbers less than 59 cannot divide 59, and so 59 must be a prime

Determining pseudo primes: Let $n$ be an odd composite integer.
(i) $n$ is a pseudo prime for the base $b$, where $(b, n) = 1$, if and only if the least positive power $m$ of $b$ for which $b^m \equiv 1 \pmod n$ satisfies $m \mid (n - 1)$. Such a number $m$ is called the order of the element $b$ in the multiplicative group $Z_n^* = \{x \in Z_n : (n, x) = 1\}$. Also recall that $m = \mathrm{ord}_n(b)$.
(ii) If $n$ is a pseudo prime for the bases $b_1$ and $b_2$, where $(b_1, n) = 1$ and $(b_2, n) = 1$, then $n$ is a pseudo prime for the base $b_1 b_2$ and for the base $b_1 b_2^{-1}$, where $b_2^{-1}$ is an integer such that $b_2 b_2^{-1} \equiv 1 \pmod n$.
(iii) If for some base $b \in Z_n^*$, $b^{n-1} \not\equiv 1 \pmod n$, then for at least half of the members $b \in Z_n^*$, $b^{n-1} \not\equiv 1 \pmod n$.

A Carmichael number is a composite $n$ such that for each $b \in Z_n^*$, $b^{n-1} \equiv 1 \pmod n$.

Example: n = 561 = is a Carmichael number. Note that 560 is divisible by $3 - 1$, $11 - 1$,

Let $n$ be an odd composite integer.
(i) If $n$ is divisible by a perfect square $> 1$, then $n$ is not a Carmichael number.
(ii) If $n$ is square free, then $n$ is a Carmichael number if and only if $(p - 1) \mid (n - 1)$ for every prime $p$ dividing $n$.

A Carmichael number must have at least three distinct prime factors.

A generalization of Example 7.1A: Suppose we want to factor n = , and we have been told the following mod n mod n mod n mod n mod n mod n mod n

Represent these relations by a matrix $B = (b_{ij})$ whose columns are labelled with the prime factors $p_1, p_2, \ldots$ involved on the right side in these relations, and whose rows are labelled with the numbers $n_1, n_2, \ldots$ on the left side of these relations, in such a way that the ith row, jth column entry of this matrix is $b_{ij}$ if $p_j^{a_{ij}} \mid n_i$ but $p_j^{a_{ij}+1} \nmid n_i$. For this example, with $n_1 = 9398$, $n_2 = 19095$, $n_3 = 1964$, $n_4 = 17078$, $n_5 = 8077$, $n_6 = 3397$, n 7 = and $p_1 = 2$, $p_2 = 3$, $p_3 = 5$, $p_4 = 7$, $p_5 = 11$, $p_6 = 13$, $p_7 = 17$, $p_8 = 19$, the matrix B is B =

We look for linear dependencies mod 2 among the rows. As there are more columns than rows in this example, there will be such dependencies. Each such dependency gives rise to a square relation mod $n$, which provides a possible way to factor $n$ with smaller numbers to manipulate. We make a few such attempts to factor $n$, as follows.

Trial 1: Rows 1, 5 and 6 are linearly dependent mod 2; multiply the corresponding relations side by side to get mod n mod n As mod n, 7.1 does not tell us anything.

Trial 2: Rows 3 and 7 are linearly dependent mod 2; multiply the corresponding relations side by side to get mod n mod n As mod n, we apply 7.1 to conclude that , n = 1093 is a proper factor of $n$.

Remark: The above method is a special case of a method called the quadratic sieve. Basically, we make use of linear dependencies over $Z_2$ in the matrix $B$ to get congruence relations like $x^2$ = product of small primes, and apply 7.1 (or an improved form of 7.1) to the resulting congruence relation, converting it to the form $x^2 \equiv y^2 \pmod n$. How do we get those useful relations? The main point is to produce squares that are slightly bigger than a multiple of $n$, and so are small modulo $n$. Usually, it takes the form of $[\sqrt{an} + b]$ for small values of $a$ and $b$. Make some trials to find some that are useful in the quadratic sieve.

Let $b > 1$. Then for any two positive integers $m, n$, $\gcd(b^m - 1, b^n - 1) = b^{\gcd(m,n)} - 1$.

Proof: We argue by induction on $\max\{m, n\}$. If $m = n$ or if $\max\{m, n\} = 1$, the assertion holds trivially. Assume that m n 1 and that the statement holds for smaller values of $\max\{m, n\}$. Without loss of generality, we assume that $m > n$. Note that when $m > n$, $(b^m - 1) - b^{m-n}(b^n - 1) = b^{m-n} - 1$. Thus if an integer $d$ divides two of the three integers $b^m - 1$, $b^n - 1$ and $b^{m-n} - 1$, then $d$ divides the third. It follows that $\gcd(b^m - 1, b^n - 1) = \gcd(b^n - 1, b^{m-n} - 1)$. Since $m > n$, $\max\{m - n, n\} < \max\{m, n\}$. By induction, $\gcd(b^m - 1, b^n - 1) = \gcd(b^n - 1, b^{m-n} - 1) = b^{\gcd(m, m-n)} - 1$. What is left is to show that $\gcd(m, m - n) = \gcd(m, n)$.

Fix a positive integer $b$. Let $n$ be a positive integer. If a prime $p$ divides $b^n - 1$, then either $p \mid b^d - 1$ for some proper factor $d > 1$ of $n$, or $p \equiv 1 \pmod n$.

Proof: By Fermat, $b^{p-1} \equiv 1 \pmod p$, and so $p \mid b^{p-1} - 1$. Since $p \mid b^n - 1$, by 7.17, $p \mid b^{\gcd(n, p-1)} - 1$. Let $d = \gcd(n, p - 1)$. If $d < n$, then $d$ is a proper factor of $n$. If $d = n$, then $n \mid (p - 1)$ and so $p \equiv 1 \pmod n$.

When $p$ is odd and $n$ is odd, we have $2 \mid (p - 1)$. Since $\gcd(2, n) = 1$, if $n \mid (p - 1)$, we
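The Miller-Rabin test of 7.4 and the Universal Exponent Factorization Method of 7.8 and 7.8A share one squaring chain, so a single routine serves both; it is run here on the notes' values n = 561 and (n, e, d) = (221, 35, 11). This is an added example, not part of the original notes: the function names are chosen here, and the value $-1$ is accepted only for $b_i$ with $i < k$, since $a^{n-1} \equiv -1$ already contradicts Fermat.

```python
from math import gcd

def split_even_part(r):
    """Write r = 2^k * m with m odd and return (k, m)."""
    k = 0
    while r % 2 == 0:
        r //= 2
        k += 1
    return k, r

def square_root_chain(n, a, k, m):
    """Follow b_0 = a^m, b_{u+1} = b_u^2 (mod n) for at most k squarings.

    Returns one of
      ("factor", d)            b_{u+1} = 1 while b_u is neither 1 nor -1;
                               by 7.1, d = (b_u - 1, n) is a proper factor
      ("no-information", None) b_0 = 1 or -1, or b_u = -1 for some u < k
      ("not-one", None)        a^(2^k * m) is not 1 mod n
    """
    b = pow(a, m, n)
    if b in (1, n - 1):
        return "no-information", None
    for u in range(1, k + 1):
        prev, b = b, (b * b) % n
        if b == 1:
            # prev is a square root of 1 other than 1 and -1.
            return "factor", gcd(prev - 1, n)
        if b == n - 1 and u < k:
            return "no-information", None
    return "not-one", None

def miller_rabin_round(n, a):
    """One round of 7.4: ("probably prime", None) or ("composite", d or None)."""
    if n < 5 or n % 2 == 0 or not 1 < a < n - 1:
        raise ValueError("need odd n >= 5 and 1 < a < n - 1")
    k, m = split_even_part(n - 1)
    verdict, d = square_root_chain(n, a, k, m)
    if verdict == "no-information":
        return "probably prime", None
    return "composite", d          # d is None when only Fermat's test failed

def factor_with_exponent(n, r):
    """7.8: r must satisfy a^r = 1 (mod n) for every a with (a, n) = 1."""
    k, m = split_even_part(r)
    for a in range(2, n - 1):
        g = gcd(a, n)
        if g > 1:
            return g
        verdict, d = square_root_chain(n, a, k, m)
        if verdict == "factor":
            return d
        if verdict == "not-one":
            raise ValueError("r is not a universal exponent for n")
    return None                    # every base was uninformative

def factor_from_rsa_key(n, e, d):
    """7.8A: a matching pair (e, d) gives the universal exponent r = e*d - 1."""
    return factor_with_exponent(n, e * d - 1)

if __name__ == "__main__":
    print(miller_rabin_round(561, 2))        # Example 7.5
    print(factor_from_rsa_key(221, 35, 11))  # Example in 7.8A
```

Because any matching pair (e, d) factors n this way, a modulus whose private exponent has leaked must be retired, and one modulus must never be shared by several key pairs.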
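The $p - 1$ Factoring Algorithm above, using the divisor $(b_j - 1, n)$ that its Reason paragraph and Example 7.10B use, followed by a check of how the bound B relates to the factors of $p - 1$. This is an added example, not part of the original notes: the function names are chosen here, and the primes 2521, 2027 and 2039 are constructed test values ($2520 = 2^3 \cdot 3^2 \cdot 5 \cdot 7$, $2026 = 2 \cdot 1013$, $2038 = 2 \cdot 1019$).

```python
from math import gcd

def p_minus_1(n, a=2, B=10):
    """Return (j, d) for the first j <= B with 1 < (b_j - 1, n) < n, else None.

    b_j = b_{j-1}^j mod n, so b_j = a^(j!) mod n.
    """
    b = a % n
    for j in range(2, B + 1):
        b = pow(b, j, n)
        d = gcd(b - 1, n)
        if 1 < d < n:
            return j, d
        if d == n:
            # b_j = 1 mod n: every prime factor was caught at the same
            # step, and all later b_j stay 1, so this base cannot split n.
            return None
    return None

def smoothness_bound(p):
    """Least B with (p - 1) | B!; by step j = B the prime p divides b_j - 1."""
    j, f = 1, 1 % (p - 1)
    while f != 0:
        j += 1
        f = (f * j) % (p - 1)
    return j

# Constructed moduli: one prime with smooth p - 1, and two primes whose
# p - 1 each contain a prime factor larger than 1000.
N_WEAK = 2521 * 2027
N_STRONG = 2027 * 2039

if __name__ == "__main__":
    print(p_minus_1(133, 2, 5))          # Example 7.10B
    print(p_minus_1(59, 2, 5))           # Example 7.10C: nothing found
    print(smoothness_bound(2521), p_minus_1(N_WEAK, 2, 10))
    print(smoothness_bound(2027), p_minus_1(N_STRONG, 2, 100))
```

A prime p is exposed once B reaches `smoothness_bound(p)` at the latest, which is why RSA key generation avoids primes for which $p - 1$ has only small prime factors.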


More information

Chapter 5. Number Theory. 5.1 Base b representations

Chapter 5. Number Theory. 5.1 Base b representations Chapter 5 Number Theory The material in this chapter offers a small glimpse of why a lot of facts that you ve probably nown and used for a long time are true. It also offers some exposure to generalization,

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

MATH 145 Algebra, Solutions to Assignment 4

MATH 145 Algebra, Solutions to Assignment 4 MATH 145 Algebra, Solutions to Assignment 4 1: a) Find the inverse of 178 in Z 365. Solution: We find s and t so that 178s + 365t = 1, and then 178 1 = s. The Euclidean Algorithm gives 365 = 178 + 9 178

More information

An Introduction to Cryptography

An Introduction to Cryptography An Introduction to Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics Spring 2008 What is Cryptography? cryptography: study of methods for sending messages in a form that only

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University

More information

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu

More information

Topics in Cryptography. Lecture 5: Basic Number Theory

Topics in Cryptography. Lecture 5: Basic Number Theory Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating

More information

8.1 Principles of Public-Key Cryptosystems

8.1 Principles of Public-Key Cryptosystems Public-key cryptography is a radical departure from all that has gone before. Right up to modern times all cryptographic systems have been based on the elementary tools of substitution and permutation.

More information

Number Theory A focused introduction

Number Theory A focused introduction Number Theory A focused introduction This is an explanation of RSA public key cryptography. We will start from first principles, but only the results that are needed to understand RSA are given. We begin

More information

Mathematical Foundations of Public-Key Cryptography

Mathematical Foundations of Public-Key Cryptography Mathematical Foundations of Public-Key Cryptography Adam C. Champion and Dong Xuan CSE 4471: Information Security Material based on (Stallings, 2006) and (Paar and Pelzl, 2010) Outline Review: Basic Mathematical

More information

Public-Key Encryption: ElGamal, RSA, Rabin

Public-Key Encryption: ElGamal, RSA, Rabin Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption

More information

3 The fundamentals: Algorithms, the integers, and matrices

3 The fundamentals: Algorithms, the integers, and matrices 3 The fundamentals: Algorithms, the integers, and matrices 3.4 The integers and division This section introduces the basics of number theory number theory is the part of mathematics involving integers

More information

4 Number Theory and Cryptography

4 Number Theory and Cryptography 4 Number Theory and Cryptography 4.1 Divisibility and Modular Arithmetic This section introduces the basics of number theory number theory is the part of mathematics involving integers and their properties.

More information

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA NUMBER THEORY Anwitaman DATTA SCSE, NTU Singapore Acknowledgement: The following lecture slides are based on, and uses material from the text book Cryptography and Network Security (various eds) by William

More information

W3203 Discrete Mathema1cs. Number Theory. Spring 2015 Instructor: Ilia Vovsha. hcp://www.cs.columbia.edu/~vovsha/w3203

W3203 Discrete Mathema1cs. Number Theory. Spring 2015 Instructor: Ilia Vovsha. hcp://www.cs.columbia.edu/~vovsha/w3203 W3203 Discrete Mathema1cs Number Theory Spring 2015 Instructor: Ilia Vovsha hcp://www.cs.columbia.edu/~vovsha/w3203 1 Outline Communica1on, encryp1on Number system Divisibility Prime numbers Greatest Common

More information

University of Regina Department of Mathematics & Statistics Final Examination (April 21, 2009)

University of Regina Department of Mathematics & Statistics Final Examination (April 21, 2009) Make sure that this examination has 10 numbered pages University of Regina Department of Mathematics & Statistics Final Examination 200910 (April 21, 2009) Mathematics 124 The Art and Science of Secret

More information

Clock Arithmetic and Euclid s Algorithm

Clock Arithmetic and Euclid s Algorithm Clock Arithmetic and Euclid s Algorithm Lecture notes for Access 2008 by Erin Chamberlain. Earlier we discussed Caesar Shifts and other substitution ciphers, and we saw how easy it was to break these ciphers

More information

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2000 2013 Contents 9 Introduction to Number Theory 63 9.1 Subgroups

More information

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald) Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald) 1 Euclid s Algorithm Euclid s Algorithm for computing the greatest common divisor belongs to the oldest known computing procedures

More information

MATH3302 Cryptography Problem Set 2

MATH3302 Cryptography Problem Set 2 MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International

More information

2 More on Congruences

2 More on Congruences 2 More on Congruences 2.1 Fermat s Theorem and Euler s Theorem definition 2.1 Let m be a positive integer. A set S = {x 0,x 1,,x m 1 x i Z} is called a complete residue system if x i x j (mod m) whenever

More information

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer. CHAPTER 2 INTRODUCTION TO NUMBER THEORY ANSWERS TO QUESTIONS 2.1 A nonzero b is a divisor of a if a = mb for some m, where a, b, and m are integers. That is, b is a divisor of a if there is no remainder

More information

ASSIGNMENT Use mathematical induction to show that the sum of the cubes of three consecutive non-negative integers is divisible by 9.

ASSIGNMENT Use mathematical induction to show that the sum of the cubes of three consecutive non-negative integers is divisible by 9. ASSIGNMENT 1 1. Use mathematical induction to show that the sum of the cubes of three consecutive non-negative integers is divisible by 9. 2. (i) If d a and d b, prove that d (a + b). (ii) More generally,

More information

ECEN 5022 Cryptography

ECEN 5022 Cryptography Elementary Algebra and Number Theory University of Colorado Spring 2008 Divisibility, Primes Definition. N denotes the set {1, 2, 3,...} of natural numbers and Z denotes the set of integers {..., 2, 1,

More information

Public-Key Cryptosystems CHAPTER 4

Public-Key Cryptosystems CHAPTER 4 Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:

More information

Fall 2017 September 20, Written Homework 02

Fall 2017 September 20, Written Homework 02 CS1800 Discrete Structures Profs. Aslam, Gold, & Pavlu Fall 2017 September 20, 2017 Assigned: Wed 20 Sep 2017 Due: Fri 06 Oct 2017 Instructions: Written Homework 02 The assignment has to be uploaded to

More information

My brief introduction to cryptography

My brief introduction to cryptography My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework

More information

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m. Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 15 15 15 15 60 Written Examination Cryptography Tuesday, August 29, 2017, 01:30 p.m. Name: Matr.-No.: Field of study: Please pay attention to

More information

Introduction to Cybersecurity Cryptography (Part 5)

Introduction to Cybersecurity Cryptography (Part 5) Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel

More information

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit

More information

Classical Cryptography

Classical Cryptography Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice

More information

download instant at

download instant at 2 CRYPTOGRAPHY AND NUMBER THEORY 2.1 CRYPTOGRAPHY AND MODULAR ARITHMETIC Pages 54 to 56 Problem 1 Problem 2 Problem 3 Problem 4 14 mod 9 = 5; 1 mod 9 = 8; 11 mod 9 = 7. KHUH LV D PHVVDJH. EBOB FP X JBPPXDB.

More information

MATH 158 FINAL EXAM 20 DECEMBER 2016

MATH 158 FINAL EXAM 20 DECEMBER 2016 MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page

More information

Public Key Encryption

Public Key Encryption Public Key Encryption KG October 17, 2017 Contents 1 Introduction 1 2 Public Key Encryption 2 3 Schemes Based on Diffie-Hellman 3 3.1 ElGamal.................................... 5 4 RSA 7 4.1 Preliminaries.................................

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 9 September 30, 2015 CPSC 467, Lecture 9 1/47 Fast Exponentiation Algorithms Number Theory Needed for RSA Elementary Number Theory

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation

More information

Know the meaning of the basic concepts: ring, field, characteristic of a ring, the ring of polynomials R[x].

Know the meaning of the basic concepts: ring, field, characteristic of a ring, the ring of polynomials R[x]. The second exam will be on Friday, October 28, 2. It will cover Sections.7,.8, 3., 3.2, 3.4 (except 3.4.), 4. and 4.2 plus the handout on calculation of high powers of an integer modulo n via successive

More information

Number Theory and Algebra: A Brief Introduction

Number Theory and Algebra: A Brief Introduction Number Theory and Algebra: A Brief Introduction Indian Statistical Institute Kolkata May 15, 2017 Elementary Number Theory: Modular Arithmetic Definition Let n be a positive integer and a and b two integers.

More information

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS Modular arithmetics that we have discussed in the previous lectures is very useful in Cryptography and Computer Science. Here we discuss several

More information