Topics in Cryptography. Lecture 5: Basic Number Theory

Similar documents
Introduction to Cryptography. Lecture 6

Introduction to Cryptography. Lecture 8

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Number Theory. Modular Arithmetic

CIS 551 / TCOM 401 Computer and Network Security

Number Theory & Modern Cryptography

Public Key Cryptography

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

Number Theory and Group Theoryfor Public-Key Cryptography

Numbers. Çetin Kaya Koç Winter / 18

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Chapter 8 Public-key Cryptography and Digital Signatures

Lecture 14: Hardness Assumptions

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

basics of security/cryptography

CPSC 467b: Cryptography and Computer Security

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

ECE596C: Handout #11

Discrete Mathematics GCD, LCM, RSA Algorithm

Basic elements of number theory

Basic elements of number theory

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Introduction to Information Security

Lecture Notes, Week 6

CSC 474 Information Systems Security

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Number Theory and Algebra: A Brief Introduction

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

CPSC 467b: Cryptography and Computer Security

Chapter 4 Asymmetric Cryptography

Computational Number Theory. Adam O Neill Based on

Asymmetric Cryptography

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Mathematics of Cryptography

Mathematical Foundations of Public-Key Cryptography

CPSC 467: Cryptography and Computer Security

CSC 474 Network Security. Outline. GCD and Euclid s Algorithm. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Public Key Encryption

Lecture 3.1: Public Key Cryptography I

Introduction to Public-Key Cryptosystems:

Applied Cryptography and Computer Security CSE 664 Spring 2017

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

CPSC 467: Cryptography and Computer Security

CS483 Design and Analysis of Algorithms

Biomedical Security. Some Security News 9/17/2018. Erwin M. Bakker. Blockchains are not safe for voting (slashdot.org) : From: paragonie.

Lecture 1: Introduction to Public key cryptography

Public Key Cryptography

CSC 5930/9010 Modern Cryptography: Number Theory

[Part 2] Asymmetric-Key Encipherment. Chapter 9. Mathematics of Cryptography. Objectives. Contents. Objectives

ECEN 5022 Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Introduction to Modern Cryptography. Benny Chor

CRYPTOGRAPHY AND NUMBER THEORY

Chapter 4 Finite Fields

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Applied Cryptography and Computer Security CSE 664 Spring 2018

Lecture 11: Number Theoretic Assumptions

Introduction to Elliptic Curve Cryptography. Anupam Datta

Ma/CS 6a Class 3: The RSA Algorithm

Introduction to Cybersecurity Cryptography (Part 4)

ALG 4.0 Number Theory Algorithms:

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

RSA: Genesis, Security, Implementation & Key Generation

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Introduction to Cryptology. Lecture 20

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

1 Number Theory Basics

Cryptography. pieces from work by Gordon Royle

CPSC 467b: Cryptography and Computer Security

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Discrete mathematics I - Number theory

Cryptography IV: Asymmetric Ciphers

ECE 646 Lecture 5. Mathematical Background: Modular Arithmetic

CPSC 467b: Cryptography and Computer Security

CS 5319 Advanced Discrete Structure. Lecture 9: Introduction to Number Theory II

Outline. Number Theory and Modular Arithmetic. p-1. Definition: Modular equivalence a b [mod n] (a mod n) = (b mod n) n (a-b)

Public Key Algorithms

RSA. Ramki Thurimella

Introduction to Number Theory 1. c Eli Biham - December 13, Introduction to Number Theory 1

10 Public Key Cryptography : RSA

Foundations of Network and Computer Security

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Aspect of Prime Numbers in Public Key Cryptosystem

Public-Key Cryptosystems CHAPTER 4

Encryption: The RSA Public Key Cipher

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Introduction. will now introduce finite fields of increasing importance in cryptography. AES, Elliptic Curve, IDEA, Public Key

Transcription:

Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1

Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating and distributing k. k Alice k Bob page 2 2

Diffie and Hellman: New Directions in Cryptography, 1976. We stand today on the brink of a revolution in cryptography. The development of cheap digital hardware has freed it from the design limitations of mechanical computing such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science. page 3 3

Diffie-Hellman Came up with the idea of public key cryptography public key Bob Alice Bob secret key Bob Everyone can learn Bob s public key and encrypt messages to Bob. Only Bob knows the decryption key and can decrypt. Key distribution is greatly simplified. page 4 4

But before we get to public key cryptography Basic number theory Divisors, modular arithmetic The GCD algorithm Groups References: Many books on number theory Almost all books on cryptography Cormen, Leiserson, Rivest, (Stein), Introduction to Algorithms, chapter on Number-Theoretic Algorithms. page 5 5

Divisors, prime numbers We work over the integers A non-zero integer b divides an integer a if there exists an integer c s.t. a=c b. Denoted as b a I.e. b divides a with no remainder Examples Trivial divisors: 1 a, a a Each of {1,2,3,4,6,8,12,24} divides 24 5 does not divide 24 Prime numbers An integer a is prime if it is only divisible by 1 and by itself. 23 is prime, 24 is not. page 6 6

Modular Arithmetic Modular operator: a mod b, (or a%b) is the remainder of a when divided by b I.e., the smallest r 0 s.t. integer q for which a = qb+r. (Thm: there is a single choice for such q,r) Examples 12 mod 5 = 2 10 mod 5 = 0-5 mod 5 = 0-1 mod 5 = 4 page 7 7

Modular congruency a is congruent to b modulo n (a b mod n) if (a-b) = 0 mod n Namely, n divides a-b In other words, (a mod n) = (b mod n) E.g., 23 12 mod 11 4-1 mod 5 page 8 8

Modular congruency Modular congruency is an equivalence relation: a, (a a mod n) (a b mod n) implies (b a mod n) (a b mod n) and (b c mod n) imply (a c mod n) There are n equivalence classes modulo n [3] 7 = {,-11,-4,3,10,17, } If (a a mod n) and (b b mod n) then ((a+b) (a +b ) mod n) ((a b) (a b ) mod n) But ((a b) (c b) mod n) does not imply that (a c mod n) 3 2 = 15 2 = 6 mod 24. But, (3 15 mod 24). page 9 9

Greatest Common Divisor (GCD) d is a common divisor of a and b, if d a and d b. gcd(a,b) (Greatest Common Divisor), is the largest integer that divides both a and b. (a,b >= 0) gcd(a,b) = max k s.t. k a and k b. Examples: gcd(30,24) = 6 gcd(30,23) = 1 If gcd(a,b)=1 then a and b are said to be relatively prime. page 10 10

Facts about the GCD gcd(a,b) = gcd(b, a mod b) (interesting when a>b) Since (e.g., a=33, b=15) If c a and c b then c (a mod b) If c b and c (a mod b) then c a If a mod b = 0, then gcd(a,b)=b. Therefore, gcd(19,8) = gcd(8, 3) = gcd(3,2) = gcd(2,1) = 1 gcd(20,8) = gcd(8, 4) = 4 page 11 11

Euclid s algorithm Input: a>b>0 Output: gcd(a,b) Algorithm: 1. if (a mod b) = 0 return (b) 2. else return( gcd(b, a mod b) ) Complexity: O(log a) rounds Each round requires O(log 2 a) bit operations Actually, the total overhead can be shown to be O(log 2 a) page 12 12

The extended gcd algorithm Finding s, t such that gcd(a,b) = a s + b t Extended-gcd(a,b) /* output is (gcd(a,b), s, t) 1. If (a mod b=0) then return(b,0,1) 2. (d,s,t ) = Extended-gcd(b, a mod b) 3. (d,s,t) = (d, t, s - a/b t ) 4. return(d,s,t) Note that the overhead is as in the basic GCD algorithm page 13 13

Extended gcd algorithm Given a,b finds s,t such that gcd(a,b) = a s + b t In particular, if p is prime than gcd(a,p)=1, and therefore a s+p t=1. This implies that (a s 1 mod p) THM: There is no integer smaller than gcd(a,b) which can be represented as a linear combination of a,b. For example, a=12, b=8. 4= 1 12-1 8 There are no s,t for which 2=s 12 + t 8 page 14 14

Groups Definition: a set G with a binary operation :G G G is called a group if: (closure) a,b G, it holds that a b G. (associativity) a,b,c G, (a b) c = a (b c). (identity element) e G, s.t. a G it holds that a e =a. (inverse element) a G a -1 G, s.t. a a -1 = e. A group is Abelian (commutative) if a,b G, it holds that a b = b a. Examples: Integers under addition (Z,+) = {,-3,-2,-1,0,1,2,3, } page 15 15

More examples of groups Addition modulo N (G, ) = ({0,1,2,,N-1}, +) Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Trivial: closure (the result of the multiplication is never divisible by p), associativity, existence of identity element. The extended GCD algorithm shows that an inverse always exists: s a+t p = 1 s a = 1-t p s a 1 mod p page 16 16

More examples of groups Z N * Multiplication modulo a composite number N (G, ) = ({a s.t. 1 a N-1 and gcd(a,n)=1}, ) E.g., Z 10* = ( {1,3,7,9}, ) Closure: s a+t N = 1 s b+t N = 1 ss (ab)+(sat +s bt+ tt N) N = 1 Therefore 1=gcd(ab,N). Associativity: trivial Existence of identity element: 1. Inverse element: as in Z p * page 17 17

Subgroups Let (G, ) be a group. (H, ) is a subgroup of G if (H, ) is a group H G For example, H = ( {1,2,4}, ) is a subgroup of Z 7*. Lagrange s theorem: If (G, ) is finite and (H, ) is a subgroup of (G, ), then H divides G In our example: 3 6. page 18 18

Cyclic Groups Exponentiation is repeated application of a 3 = a a a. a 0 = 1. a -x = (a -1 ) x A group G is cyclic if there exists a generator g, s.t. a G, i s.t. g i =a. I.e., G= <g> = {1, g, g 2, g 3, } For example Z 7 * = <3> = {1,3,2,6,4,5} Not all a G are generators of G, but they all generate a subgroup of G. E.g. 2 is not a generator of Z 7 * The order of a group element a is the smallest j>0 s.t. a j =1 Lagrange s theorem for x Z p*, ord(x) p-1. page 19 19

Fermat s theorem Corollary of Lagrange s theorem: if (G, ) is a finite group, then a G, a G =1. Corollary (Fermat s theorem): a Z p *, a p-1 =1 mod p. E.g., for all a Z 7*, a 6 =1, a 7 =a. Computing inverses: Given a G, how to compute a -1? Fermat s theorem: a -1 = a G -1 (= a p-2 in Z p * ) Or, using the extended gcd algorithm (for Z p * or Z N *): gcd(a,p) = 1 s a + t p = 1 s a = -t p + 1 s is a -1!! Which is more efficient? page 20 20

Computing in Z p * P is a huge prime (1024 bits) Easy tasks (measured in bit operations): Adding in O(log p) (namely, linear n the length of p) Multiplying in O(log 2 p) (and even in O(log 1.7 p) ) Inverting (a to a -1 ) in O(log 2 p) Exponentiations: x r mod p in O(log r log 2 p), using repeated squaring page 21 21

Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication modulo a composite number N (G, ) = ({a s.t. 1 a N-1 and gcd(a,n)=1}, ) E.g., Z 10* = ( {1,3,7,9}, ) page 22 22

Euler s phi function Lagrange s Theorem: a in a finite group G, a G =1. Euler s phi function (aka, Euler s totient function), φ(n) = number of elements in Z * n φ(p) = p-1 for a prime p. n= i=1..k p e(i) i φ(n) = n i=1..k (1-1/p i ) φ(p 2 ) = p(p-1) for a prime p. n=p q φ(n) =(p-1)(q-1) (i.e. {x gcd(x,n)=1, 1 x n} Corollary: For Z n* (n=p q), Z n* = φ(n) =(p-1)(q-1). a Z n* it holds that a φ(n) =1 mod n For Z p* (prime p), a p-1 =1 mod p (Fermat s theorem). For Z n* (n=p q), a (p-1)(q-1) =1 mod n page 23 23

Finding prime numbers page 24 24

Finding prime numbers Prime number theorem: #{primes x} x / lnx as x How can we find a random k-bit prime? Choose x at random in {2 k,,2 k+1-1} (About 1 / ln(2 k ) of the numbers in that range are prime) Test if x is prime (more on this later in the course) The probability of success is 1/ln(2 k ) = O(1/k). The expected number of trials is O(k). page 25 25

Finding generators How can we find a generator of Z p*? Pick a random number a [1,p-1], check if is a generator Can check whether 1 i p-2 a i 1 We know that if a i =1 mod p then i p-1. Therefore need to check only i for which i p-1. Easy if we know the factorization of (p-1) For all a Z p*, the order of a divides (p-1) For every integer divisor b of (p-1), check if a b =1 mod p. If none of these checks succeeds, then a is a generator. a is a generator iff ord(a)=p-1. page 26 26

Finding prime numbers of the right form How can we know the factorization of p-1 Easy, for example, if p=2q+1, and q is prime. How can we find a k-bit prime of this form? 1. Search for a prime number q of length k-1 bits. (Will be successful after about O(k) attempts.) 2. Check if 2q+1 is prime (we will see how to do this later in the course). 3. If not, go to step 1. page 27 27

Hard problems in cyclic groups A hard problem can be useful for constructing cryptographic systems, if we can show that breaking the system is equivalent to solving this problem. page 28 28

The Discrete Logarithm Let G be a cyclic group of order q, with a generator g. h G, x [1,,q], such that g x =h. This x is called the discrete logarithm of h to the base g. log g h = x. log g 1 = 0, and log g (h 1 h 2 ) = log g (h 1 )+ log g (h 2 ) mod q. page 29 29

The Discrete Logarithm Problem and Assumption The discrete log problem Choose G,g at random (from a certain family G of groups), where G is a cyclic group and g is a generator Choose a random element h G Give the adversary the input (G, G,g,h) The adversary succeeds if it outputs log g h The discrete log assumption There exists a family G of groups for which the discrete log problem is hard Namely, the adversary has negligible success probability. page 30 30

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback