Lecture 11: Number Theoretic Assumptions

Similar documents
Lecture 10: HMAC and Number Theory

Lecture 14: Hardness Assumptions

Lecture 3.1: Public Key Cryptography I

Topics in Cryptography. Lecture 5: Basic Number Theory

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

INTEGERS. In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes.

Computational Number Theory. Adam O Neill Based on

4 Powers of an Element; Cyclic Groups

Lecture 17: Constructions of Public-Key Encryption

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

CSC 5930/9010 Modern Cryptography: Number Theory

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cryptography. Lecture 8

Introduction to Cybersecurity Cryptography (Part 4)

Practice Number Theory Problems

Introduction to Cryptology. Lecture 20

Introduction to Cryptography. Lecture 6

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Basic elements of number theory

Basic elements of number theory

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Number Theory. Modular Arithmetic

Lecture 10: NMAC, HMAC and Number Theory

Applied Cryptography and Computer Security CSE 664 Spring 2018

CPSC 467: Cryptography and Computer Security

Public Key Cryptography

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

14 Diffie-Hellman Key Agreement

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

9 Modular Exponentiation and Square-Roots

Chapter 5. Modular arithmetic. 5.1 The modular ring

CPSC 467b: Cryptography and Computer Security

MATH 25 CLASS 21 NOTES, NOV Contents. 2. Subgroups 2 3. Isomorphisms 4

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6

Discrete Mathematics GCD, LCM, RSA Algorithm

CSC 373: Algorithm Design and Analysis Lecture 30

Lecture Notes, Week 6

Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 5

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}.

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

CS 5319 Advanced Discrete Structure. Lecture 9: Introduction to Number Theory II

Introduction to Number Theory. The study of the integers

Basic Algorithms in Number Theory

Lecture 1: Introduction to Public key cryptography

Lecture 10: NMAC, HMAC and Number Theory

Ma/CS 6a Class 2: Congruences

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Security II: Cryptography exercises

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

CPSC 467b: Cryptography and Computer Security

CS483 Design and Analysis of Algorithms

Katz, Lindell Introduction to Modern Cryptrography

Number Theory and Group Theoryfor Public-Key Cryptography

Outline. Number Theory and Modular Arithmetic. p-1. Definition: Modular equivalence a b [mod n] (a mod n) = (b mod n) n (a-b)

MATH 145 Algebra, Solutions to Assignment 4

1 Structure of Finite Fields

A Few Primality Testing Algorithms

For your quiz in recitation this week, refer to these exercise generators:

Introduction to Cryptology. Lecture 19

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Discrete Mathematics with Applications MATH236

Discrete Logarithm Problem

LECTURE NOTES IN CRYPTOGRAPHY

Introduction to Cybersecurity Cryptography (Part 5)

Introduction to Elliptic Curve Cryptography. Anupam Datta

Discrete Mathematics and Probability Theory Fall 2013 Vazirani Note 3

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Arithmetic Algorithms, Part 1

Ch 4.2 Divisibility Properties

NUMBER THEORY AND CODES. Álvaro Pelayo WUSTL

Notes for Lecture 17

Lecture 6: Cryptanalysis of public-key algorithms.,

Number Theory A focused introduction

FERMAT S TEST KEITH CONRAD

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

NOTES ON SIMPLE NUMBER THEORY

NUMBER SYSTEMS. Number theory is the study of the integers. We denote the set of integers by Z:

Lecture 7: ElGamal and Discrete Logarithms

Lecture Note 3 Date:

Chapter 5. Number Theory. 5.1 Base b representations

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Ma/CS 6a Class 2: Congruences

PUTNAM TRAINING NUMBER THEORY. Exercises 1. Show that the sum of two consecutive primes is never twice a prime.

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Public-Key Cryptosystems CHAPTER 4

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

2WF15 - Discrete Mathematics 2 - Part 1. Algorithmic Number Theory

Number theory (Chapter 4)

Public Key Encryption

Math 299 Supplement: Modular Arithmetic Nov 8, 2013

Public Key Algorithms

Transcription:

CS 6903 Modern Cryptography April 24, 2008 Lecture 11: Number Theoretic Assumptions Instructor: Nitesh Saxena Scribe: Robert W.H. Fisher 1 General 1.1 Administrative Homework 3 now posted on course website. Due: 5/1/2008 at 5:30pm, in class. For problem 8 in the homework, we are to read a paper by M. Bellare. For this paper, focus primarily on understanding the significance of the results, rather than the specific details of the proofs. Everyone should have received a response for the project updates. Anyone who has not submitted a project update or received a response should contact the professor. Presentations will be in the week of the finals, and they should be 25-30 minutes in length. 1.2 Review of Last Week Definitions and constructions of NMAC and HMAC Definitions of groups Introduction of modular operations and analysis of costs ( a represents the length of a in digits) Mod: a mod N : Running time O( N 2 ) Mod Addition: (a + b) mod N : Running time O( N ) if a, b < N Mod Multiplication: (ab) mod N : Running time O( N 2 ) Mod Exponentiation: a n mod N : Running time O( n N 2 ) 11-1

2 Modular Arithmetic (Continued) 2.1 Greatest Common Denominator Given a, b N, gcd(a, b) represents the greatest common denominator that these two numbers share. The naive solution to this problem would be to simply try all values from 1 to max( a, b). For numbers that may be hundreds of digits long, this is not feasible. Therefore, we will improve upon this algorithm by using the Euclidean Algorithm. Before we introduce this algorithm, we must prove a related fact. Claim: gcd(a, b) = gcd(a b, b) Proof: To show this, we will break the proof into 2 parts. We show that (1)gcd(a, b) gcd(a b, b) (2)gcd(a, b) gcd(a b, b) Proof of (1) We define CD a,b = {k N : k a and k b}, this is the set of all common divisors of a and b. Similarly, CD a b,b = {k N : k (a b) and k b}. Consider some k in CD a,b. We know that: a = ka b = kb for some A, B N. We therefore know that: a b = ka kb = k(a B) We can therefore conclude that k CD a b,b. Therefore, CD a,b CD a b,b. We therefore see that the largest elements of CD a,b must be at least as large as the largest element of CD a b,b. We therefore conclude gcd(a, b) gcd(a b, b) Proof of (2) We now consider some element k CD a b,b. We know that a b = ka Therefore we can see that: b = kb a = ka + kb = k(a + B ) We therefore know that if some element k is in CD a b,b, then it is also in CD a,b, meaning CD a b,b CD a,b. We can therefore conclude that: gcd(a, b) gcd(a b, b) 11-2

From (1) and (2), we know that CD a,b = CD a b,b and we also see that: gcd(a, b) = gcd(a b, b) We see a corollary of this result is: gcd(a, b) = gcd(a mod b, b). (We can say that a > b without loss of generality). In order to find the gcd of two arbitrary numbers, we will continually use this fact until one of the two numbers is a multiple of the other one. Example: We will use the Euclidean algorithm to find gcd(37, 15). We see that 37 mod 15 = 7, so, gcd(37, 15) = gcd(7, 15) 1 = 7 mod 15 gcd(7, 15) = gcd(7, 1) = 1 We can see this algorithm another way using the Euclidean remainder. Recall that every pair of natural numbers, a, b, (with a b) can be written uniquely as a = kb + r. gcd(37, 15) 37 = 2 15 + 7 15 = 2 7 + 1 7 = 1 7 + 0 gcd(37, 15) = 1 The running time of this algorithm will be O( N 2 ). We do not provide a complete analysis here, but we can see that we will be recursively cutting the size of the input in half at every step (one can easily show that a (mod b) a/2). We recall the geometric series: 1 i = 1 i=2 And we see that we are doing O( N 2 ) work at every step, because each step requires a gcd computation. 2.2 Modular Multiplicative Inverse We are given a N, and we want to find a 1 mod N. Recall that the inverse of a group element is the group element such that aa 1 = 1 = a 1 a, even in non-abelian groups. Because we are trying to find x = a 1 mod N, this is equivalent to saying xa = 1 mod N. Therefore xa = yn + 1 for some y N, we can also say xa yn = 1. Note: Such an inverse only occurs when a and N are relatively prime, so gcd(a, N) = 1. To find the inverse, we use the extended Euclidean algorithm, as we will demonstrate in the following example. 11-3

Example: 15 1 mod 37 We begin as we would with the standard Euclidean algorithm for gcd: gcd(37, 15) 1. 37 = 2 15 + 7 2. 15 = 2 7 + 1 This is the step we are interested in, because the remainder is 1 15 = 2 7 + 1 15 2 7 = 1 7 = 37 15 2 (from step 1) 15 2(37 15 2) = 1 5 15 2 37 = 1 This is the form we described before (xa yn = 1), so we conclude that x = 15 1 mod 37 = 5. The running time of this algorithm is O( N 2 ). 3 Number Theory Definitions Order of a group: The order of group G, denoted G, represents the number of elements in G. e.g. Z 11 = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} Z 11 = 10 Order of an element: Given group element a in G, the order of a, denoted o(a), is the smallest i N such that a i = 1. Note that only the identity element of the group is of order 1. e.g. The element 2 Z 3. 2 2 = 1, so o(2) = 2. Lagrange s Theorem: The order of an element divides the order of the group. e.g. In Z 11, the order of any element (or in fact any subgroup) can only be 1, 2, 5, or 10. 11-4

Euler s Theorem: For some group G, this theorem states that a G a G = 1. Proof: Let i be the order of a, so a i = 1. From Lagrange s theorem, G = k i for some k. a G = a i k = (a i ) k = 1 k = 1 Fermat s Little Theorem: If p is a prime number, then a p 1 = 1 mod p. Generator of a group: For group G, g G is said to be a generator if: {g 0, g 1, g 2...g G 1 } = G Intuitively, this means that we can find every other element of G by continuing to multiply g to itself. An element is a generator if and only if the order of the element equals the order of the whole group. A group is said to be cyclic if it contains a generator element. e.g. We consider the group Z 11, and we see that 2 is a generator of this group: 2 1 = 2 2 6 = 9 2 2 = 4 2 7 = 7 2 3 = 8 2 8 = 3 2 4 = 5 2 9 = 6 2 5 = 10 2 10 = 1 We do not need to check all G exponents of every element to find a group generator, there is a faster algorithm that is made possible by Lagrange s theorem. Begin by consider the unique prime factorization of the order of the group: G = We will say that m i = G p i. Now, because of Lagrange, some element g will be a generator if and only if g mi 1 for all i [1, n]. e.g. We will once again consider Z 11. The order is 10, and the prime factorization is 10 = 2 5. Therefore: m 1 = 10 2 = 5 m 2 = 10 5 = 2 All we need to do is find some g such that g 2 1 and g 5 1. We see that 2 satisfies these conditions as expected. 11-5 n i=1 p αi i

4 Number Theoretic/Computational Assumptions 4.1 Discrete Logarithmic Setting We will consider the group G, such that G = m and G is cyclic (has a generator). If the generator is g, then: G = {g 0, g 1...g m 1 } Now we will consider some x Z m, such that y = g x. Given g and y, it should be difficult to find x. The brute force approach will simply try every element in G, giving a running time of O(m) = O(2 m ) which will be infeasible if m 128. DL Assumption: We will now define an experiment Exp DL (A) for adversary A. We will describe the experiment with the following image: A g, y, m x b = 1 if x = x Otherwise b = 0 Chall Challenger Picks a group ( G = m) with a generator g $ x Z m y g x The DL assumption is said the hold in a group G, if A Adv DL (A) ɛ, meaning P r(exp DL (A) = 1) ɛ. 4.2 Computational Diffie-Hellman Assumption (CDH) In this case, the challenger is going to pick 2 group elements at random, x and y. The challenger will then send the adversary g x and g y, and the adversary will have to try and compute g xy. The image of the experiment Exp CDH (A) is as follows: 11-6

A m, g, X, Y Z Chall $ x, y Z m X = g x Y = g y Return 1 if Z = g xy, else return 0 The CDH assumption is said to hold on a group if A Adv CDH (A) ɛ. 4.3 Decisional Diffie-Hellman Assumption (DDH) In this problem, the adversary will simply be tasked with differentiating two different scenarios. In scenario 1, the challenger sends over a group element g xy for some x and y, while in scenario 2 the challenger sends over a random group element. The experiment Exp 0/1 DDH (A) is shown below: m, g, X, Y, Z A b Chall $ x, y Z m X = g x Y = g y If world 1: Z = g xy $ If world 0: z Z m and Z = g z Return b The adversary will return a guess b {0, 1}, for which world the experiment took place in. We see that the advantage of the adversary is: Adv(A) = P r(exp 1 DDH(A) = 1) P r(exp 0 DDH(A) = 1) The DDH assumption holds on group G if this advantage is negligible. 11-7

4.4 Relations Between the Assumptions We can state the relationship between the assumptions with the following implication series: DDH CDH DL We first show that DDH CDH, using the contrapositive CDH DDH. We will show that if some adversary A can defeat CDH, we can construct another adversary B that can defeat DDH. The construction works as follows: CDH DDH X, Y, m X, Y, Z, m A B Chall (g xy ) b b = 1 if (g xy ) = Z We see that B succeeds whenever A does, unless we are in world 0, but g z = g xy by chance. Therefore: Adv DDH (B) = Adv CDH (A) 1 G We can therefore conclude that if the advantage of A is non-negligible, then so is the advantage of B. The proof that DL CDH is fairly trivial, and it is omitted here. The converse is not true: Now we show that this implication is uni-directional. Specifically: DL DDH. We will show this by counter example, using the group Z p, where p is a prime. It has been shown previously that the DL assumption holds with this group. Now we will show that the DDH assumption does not hold here. We begin by proving the following lemma: Lemma: For group generator g and prime p: g p 1 2 = 1 mod p Proof: We will say that y = g p 1 2. We know that y 2 = g p 1 = 1 (by Little Fermat), so y {1, 1}. However, g is a generator, so the only exponents i [0, p] that make g i = 1 are 0 and p. But p 1 falls strictly into this range, so g p 1 2 1. Therefore g p 1 2 = 1. 2 Now for DDH, we are given X = g x, Y = g y, and Z {g z, g xy }. We begin by computing X p 1 2 = g x p 1 p 1 2k 2. If x is even (x = 2k), then g 2 = (g p 1 ) k = 1. Otherwise, if x is odd, then g x p 1 2 = ( 1) x = 1. Using these facts, we can determine the parity of x. Following the same procedure, we can determine the polarities of y and the exponent of Z. We now use the following table of elementary multiplications: 11-8

x y xy even even even even odd even odd even even odd odd odd So, we check if the parity of xy matches the parity of the exponent of Z. If it does not, we declare that we are in world 0. When the parities do not match, we are completely certain with our outcome. The only error comes when Z = g z, and z happens to have the same polarity as xy. This will happen around 50% of the time. Therefore: Adv DDH (A) = 1 1 2 = 1 2 11-9

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback