THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY

Cryptography: used to safeguard information during transmission (e.g., a credit card number for internet shopping), as opposed to Coding Theory: used to transmit information (encrypted or not) in an efficient way such that errors that occur ("white noise") can be corrected (error-correcting codes).

Any information can be converted into a number $m$ (encoding).

Encryption: we use some function $f$ that associates to $m$ another number $f(m)$. Then we send $f(m)$.

Decryption: the recipient has to compute $m$ from $f(m)$. That is, he must have a function $g$ such that $g(f(m)) = m$ (we say that $g$ is an inverse function of $f$).

Examples: 1) $f(x) = x + 1$, $g(x) = x - 1$; 2) $f(x) = e^x$, $g(x) = \log x$.
CLASSICAL ENCRYPTION: Private Key Cryptography

Both users know $f$ and $g$, or $g$ can be easily computed from $f$.

Examples: 1) $f(x) = x + 1$; 2) $f$ is given by an invertible matrix, $g$ is given by its inverse; 3) ENIGMA: basically $g = f$ (that is, $f$ is an involution), but $f$ may depend on other data, like the day, and may be combined with other scrambling.

Once Marvin knows $g$, he has broken the code.
SINCE THE 1970's: Public Key Cryptography

Alice knows $f$ and $g$; Bob only knows $f$ (Alice makes $f$ available in a public directory, but nobody can determine $g$ from $f$ in reasonable time). The public user Bob (e.g., an internet shopper) can encrypt, but only Alice can decrypt ("trapdoor"). Three problems where $g$ is in general hard to find:
- the Knapsack Problem
- RSA
- the Discrete Logarithm Problem (DLP)
THE KNAPSACK PROBLEM

We have a knapsack of volume $V$ and pieces of volumes $v_1, \dots, v_k$. Can we choose a subset of these pieces so that their volumes add up to $V$? That is, can we choose $\epsilon_i \in \{0, 1\}$, $1 \le i \le k$, such that $\sum_{i=1}^{k} \epsilon_i v_i = V$? Hard to solve in general, but easy if $v_1, \dots, v_k$ is superincreasing, i.e., $v_i > v_1 + v_2 + \dots + v_{i-1}$ for every $i > 1$. (Given $V$, look for the largest $i$ such that $v_i \le V$, then repeat with $V - v_i$ and volumes $v_1, \dots, v_{i-1}$.)
COMPUTATION IN $\mathbb{Z}/n\mathbb{Z}$

All elements can be represented as numbers $k$ such that $0 \le k < n$. Addition and multiplication: compute $k + l$ and $k \cdot l$, then reduce modulo $n$; that is, given any integer $s$, divide by $n$ with remainder, such that the remainder $r$ satisfies $0 \le r < n$; then $r$ is the reduction of $s$ modulo $n$. We write $s \equiv r \bmod n$.
MERKLE-HELLMAN KNAPSACK CRYPTOSYSTEM (Stanford)

Alice chooses $v_1, \dots, v_k$ superincreasing, $n$ such that $n > \sum_{i=1}^{k} v_i$, and $a$ with $(a, n) = 1$, $0 < a < n$. Then $a$ admits an inverse $b$ modulo $n$, i.e., $ab \equiv 1 \bmod n$. Now Alice computes $a v_i$, $1 \le i \le k$, and their reductions $w_i$ modulo $n$, $1 \le i \le k$. She sends the public key (encryption key) $w_1, \dots, w_k$ to Bob.

Bob takes his message, represented as a $k$-bit number $\epsilon_k \epsilon_{k-1} \dots \epsilon_1$ with $\epsilon_i \in \{0, 1\}$, computes $\epsilon_1 w_1 + \dots + \epsilon_k w_k$ and sends this number.

Alice multiplies the number with $b$ to get
$$b \sum_i \epsilon_i w_i \equiv b \sum_i \epsilon_i a v_i = \sum_i \epsilon_i b a v_i \equiv \sum_i \epsilon_i v_i \bmod n$$
and finds the $\epsilon_i$, and hence Bob's message, from $V = \sum_i \epsilon_i v_i$ by the above algorithm.

NOTE: Even if Marvin knows $w_1, \dots, w_k$, he cannot find the $\epsilon_i$! Because of the reduction process, $w_1, \dots, w_k$ is no longer superincreasing!
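The superincreasing greedy algorithm and the Merkle-Hellman key generation, encryption and decryption described above, as an added worked example (this is not code from the notes; the key values $v_i$, $n$, $a$ and the message bits are constructed toy values, and `pow(a, -1, n)` is used for the modular inverse $b$):

```python
from math import gcd

def is_superincreasing(v):
    """Each v_i must exceed the sum of all earlier volumes."""
    total = 0
    for x in v:
        if x <= total:
            return False
        total += x
    return True

def solve_superincreasing(v, V):
    """Greedy algorithm from the notes: take the largest v_i <= V, then repeat
    with V - v_i on the earlier pieces. Returns eps_1..eps_k, or None if no subset fits."""
    eps = [0] * len(v)
    for i in range(len(v) - 1, -1, -1):
        if v[i] <= V:
            eps[i] = 1
            V -= v[i]
    return eps if V == 0 else None

def mh_keygen(v, n, a):
    """Private key: superincreasing v, modulus n > sum(v), multiplier a with gcd(a, n) = 1.
    Public key: w_i = a*v_i mod n, which is no longer superincreasing."""
    assert is_superincreasing(v) and n > sum(v) and 0 < a < n and gcd(a, n) == 1
    w = [(a * vi) % n for vi in v]
    b = pow(a, -1, n)                 # a*b ≡ 1 mod n (Python 3.8+)
    return w, b

def mh_encrypt(w, bits):
    """Bob: sum of eps_i * w_i over the message bits eps_1..eps_k."""
    return sum(e * wi for e, wi in zip(bits, w))

def mh_decrypt(v, n, b, c):
    """Alice: b*c ≡ sum eps_i v_i mod n, and since n > sum(v) this is the exact sum V."""
    V = (b * c) % n
    return solve_superincreasing(v, V)

# constructed toy key (not from the notes)
V_PRIV = [2, 3, 7, 14, 30]
N, A = 61, 17
W_PUB, B = mh_keygen(V_PRIV, N, A)   # W_PUB = [34, 51, 58, 55, 22], B = 18
MSG = [1, 0, 1, 1, 0]                # eps_1..eps_5
CT = mh_encrypt(W_PUB, MSG)          # 147
```

The public key `W_PUB` is visibly not superincreasing, while `mh_decrypt` recovers the bits from `CT` through the private `V_PRIV`.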
RSA (R. L. Rivest, A. Shamir, L. Adleman, MIT)

Idea: raise the message $m$ to a power $e$ modulo $n$, then send the remainder of $m^e$ modulo $n$. To decrypt, we need to compute $m$ from this remainder. We use

Fermat's (little) theorem: If $p$ is a prime which does not divide $m$, then $m^{p-1} \equiv 1 \bmod p$.

Note: $0 < m < p \Rightarrow (p, m) = 1$, so if $ed \equiv 1 \bmod p-1$, that is, $ed = k(p-1) + 1$ for some $k$, then
$$(m^e)^d = m^{ed} = m^{k(p-1)+1} = (m^{p-1})^k \cdot m \equiv 1^k \cdot m = m \bmod p.$$

How can we keep $d$ secret? Choose $n$ to be the product of two distinct large primes $p$ and $q$. Alice computes $b = \operatorname{lcm}(p-1, q-1)$ and finds $d$ such that $ed \equiv 1 \bmod b$, so $ed \equiv 1 \bmod p-1$ and $ed \equiv 1 \bmod q-1$, so $(m^e)^d \equiv m \bmod p$ and $(m^e)^d \equiv m \bmod q$, so $p \mid (m^e)^d - m$ and $q \mid (m^e)^d - m$, so $n \mid (m^e)^d - m$, so $(m^e)^d \equiv m \bmod n$.

Alice releases $n$ and $e$, but keeps $d$, $p$, $q$ secret. So Marvin does not know $b$ and cannot find $d$. He cannot find the prime factorization of the large number $n$ in reasonable time. All known algorithms for prime factorization need exponential time.

Example. We choose $p = 5$, $q = 17$, $e = 3$. Then $n = 5 \cdot 17 = 85$, $b = \operatorname{lcm}(5-1, 17-1) = 16$, and $d = 11$ because $3 \cdot 11 = 33 \equiv 1 \bmod 16$. Take $m = 5$. Then $5^3 = 125 \equiv 40 \bmod 85$. To decrypt, compute $40^{11} \bmod 85$: the exponent $11$ has binary expansion $1011$. Hence
$$40^{11} = ((40^2)^2 \cdot 40)^2 \cdot 40 \equiv 5 \bmod 85.$$
Reduce modulo 85 before you iterate squaring and before you multiply!
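The RSA example above ($p = 5$, $q = 17$, $e = 3$), carried through with a square-and-multiply exponentiation that reduces modulo $n$ after every squaring and every multiplication, as the notes insist. This is added example code, not code from the notes; `modpow` is written out rather than using Python's built-in `pow` so that the iteration over the binary expansion of the exponent is visible.

```python
from math import gcd

def lcm(x, y):
    return x * y // gcd(x, y)

def modpow(base, exp, n):
    """Left-to-right square-and-multiply over the binary expansion of exp (MSB first).
    Every intermediate value is reduced modulo n, so numbers never grow beyond n^2."""
    result = 1
    for bit in bin(exp)[2:]:
        result = (result * result) % n        # square
        if bit == '1':
            result = (result * base) % n      # multiply
    return result

def rsa_keygen(p, q, e):
    """n = p*q, b = lcm(p-1, q-1), d with e*d ≡ 1 mod b (as in the notes)."""
    n = p * q
    b = lcm(p - 1, q - 1)
    assert gcd(e, b) == 1, "e must be invertible modulo lcm(p-1, q-1)"
    d = pow(e, -1, b)                         # modular inverse (Python 3.8+)
    return n, e, d

def rsa_encrypt(m, e, n):
    """Bob: remainder of m^e modulo n."""
    return modpow(m, e, n)

def rsa_decrypt(c, d, n):
    """Alice: (m^e)^d ≡ m mod n."""
    return modpow(c, d, n)

# the notes' own example: p = 5, q = 17, e = 3 gives n = 85, d = 11
N, E, D = rsa_keygen(5, 17, 3)
C = rsa_encrypt(5, E, N)                      # 125 mod 85 = 40
M = rsa_decrypt(C, D, N)                      # 40^11 mod 85 = 5
```

Note that the notes' own message $m = 5$ is divisible by $p = 5$, so Fermat's theorem does not apply to it modulo $5$; the congruence $(m^e)^d \equiv m \bmod p$ still holds there trivially (both sides are $0$), which is why decryption works for every $m$ in $\mathbb{Z}/85\mathbb{Z}$, not only for $m$ coprime to $n$.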
DLP

If $p$ is prime, then $\mathbb{Z}/p\mathbb{Z} = \mathbb{F}_p$ is a field. Work in the multiplicative group $\mathbb{F}_p^*$, which has $p - 1$ elements and is cyclic, i.e., there is a generator $g$ such that $\mathbb{F}_p^* = \{g^1, g^2, \dots, g^{p-1}\}$. If we are given $g^k$, how can we find $k$? This is the Discrete Logarithm Problem.
DIFFIE-HELLMAN KEY EXCHANGE

Alice and Bob want to agree on a key for a private key cryptosystem. They agree on a prime $p$ and a base element $g$. Alice chooses a secret number $k_A$ and sends $g^{k_A}$ to Bob. Bob chooses a secret number $k_B$ and sends $g^{k_B}$ to Alice. Bob computes $(g^{k_A})^{k_B}$, Alice computes $(g^{k_B})^{k_A}$. The number $g^{k_A k_B} = (g^{k_A})^{k_B} = (g^{k_B})^{k_A}$ is the desired secret private key. Marvin only knows $g^{k_A}$ and $g^{k_B}$, but cannot find $k_A$ and $k_B$ in reasonable time. So he cannot compute $g^{k_A k_B}$.

El Gamal cryptosystem: To send a message $m$ to Alice, Bob sends $(g^{k_B},\ m \cdot g^{k_A k_B})$. Since Alice knows $g^{k_A k_B}$, she can divide $m \cdot g^{k_A k_B}$ by $g^{k_A k_B}$ in the field $\mathbb{F}_p$ to obtain $m$.
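The DLP, Diffie-Hellman and El Gamal sections above in one added worked example over a toy field $\mathbb{F}_{23}$ (example code, not from the notes; the prime $p = 23$, generator $g = 5$, secrets $k_A, k_B$ and message are constructed values, and `discrete_log` is a plain exhaustive search that only illustrates what the DLP asks for at this size):

```python
def is_generator(g, p):
    """g generates F_p^* iff g^1, ..., g^(p-1) are all distinct (fine for small p)."""
    return len({pow(g, k, p) for k in range(1, p)}) == p - 1

def discrete_log(g, h, p):
    """The DLP: find k with g^k = h. For tiny p every k can be tried; for the
    large primes used in practice no such search is feasible, which is the point."""
    for k in range(1, p):
        if pow(g, k, p) == h:
            return k
    return None

def dh_public(g, k, p):
    """Value sent in the clear: g^k mod p."""
    return pow(g, k, p)

def dh_shared(their_public, my_secret, p):
    """(g^{k_them})^{k_me} = g^{k_A k_B} mod p, the same on both sides."""
    return pow(their_public, my_secret, p)

def elgamal_encrypt(m, g, alice_public, k_B, p):
    """Bob sends (g^{k_B}, m * g^{k_A k_B}); the message must satisfy 0 < m < p."""
    assert 0 < m < p
    shared = pow(alice_public, k_B, p)
    return pow(g, k_B, p), (m * shared) % p

def elgamal_decrypt(ct, k_A, p):
    """Alice recovers g^{k_A k_B} from g^{k_B} and divides in F_p (multiply by the inverse)."""
    c1, c2 = ct
    shared = pow(c1, k_A, p)
    return (c2 * pow(shared, -1, p)) % p

# constructed toy parameters (not from the notes): p = 23, g = 5 generates F_23^*
P, G = 23, 5
K_A, K_B = 6, 15                      # secrets of Alice and Bob
A_PUB = dh_public(G, K_A, P)          # 8, sent to Bob
B_PUB = dh_public(G, K_B, P)          # 19, sent to Alice
SHARED = dh_shared(B_PUB, K_A, P)     # Alice's view; equals dh_shared(A_PUB, K_B, P)
```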
Observe: $g^k \leftrightarrow k$.

BEYOND $\mathbb{F}_p$

$\mathbb{F}_p^* = \{1, \dots, p-1\}$, and $(\mathbb{F}_p^*, \cdot) \cong (\mathbb{Z}/(p-1)\mathbb{Z}, +)$ (multiplicative group on the left, additive group on the right). Here, computation in some cyclic group $\mathbb{Z}/n\mathbb{Z}$ is given through computation in some field $\mathbb{F}_p$. But we can get certain groups $\mathbb{Z}/n\mathbb{Z}$ also in different ways, e.g., as subgroups of the groups of rational points of elliptic curves.

ELLIPTIC CURVE = set of all points $(x, y)$ satisfying an equation
$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6.$$
This set has a group structure.