Cryptography: Some Mathematical Definitions and Concepts Revisited - PowerPoint PPT Presentation
Uwe Egly, Vienna University of Technology, Institute of Information Systems, Knowledge-Based Systems Group
Disclaimer
◮ Some concepts are discussed which are used later
◮ Most of them have been taught in other courses
(like the different math courses for CS)
◮ Slides are a reminder for the students . . .
◮ . . . and provide some starting points to search for deeper
explanations of the concepts
Divisibility
◮ Let N = {1, 2, . . .}, Z = {0, ±1, ±2, . . .} and a, n ∈ Z
a divides n (a | n), if there is an integer b such that n = ab
◮ Example: 13 | 182, since 182 = 14 · 13
−5 | 30, since 30 = (−5) · (−6)
◮ Every integer a divides 0, because 0 = a · 0
◮ 0 is the only integer which is divisible by 0
(because a = 0 · b implies a = 0)
◮ Properties: For all a, b, c ∈ Z, the following holds
- 1. a | a
- 2. a | b and b | c imply a | c
- 3. a | b implies ac | bc for all c
- 4. c | a and c | b imply c | (da + eb) for all d, e ∈ Z
- 5. a | b and b ≠ 0 imply |a| ≤ |b|
- 6. a | b and b | a imply a = ±b
(Greatest) Common Divisor (GCD)
An integer c is a common divisor of a and b, if c | a and c | b hold.
A non-negative integer d is the greatest common divisor of a and b (d = gcd(a, b)), if
- 1. d is a common divisor of a and b and
- 2. if c | a and c | b hold, then c | d holds
Example: Common divisors of 12 and 18 are ±1, ±2, ±3, ±6
The greatest common divisor of 12 and 18 is 6
Quotient and Remainder
Let a, b ∈ Z, b > 0. Then there are unique q, r ∈ Z, s.t. a = qb + r and 0 ≤ r < b, where q = ⌊a/b⌋ and r = a − bq
◮ The integer q is called quotient, r is called remainder
◮ Example: Let a = −50 and b = 8. Then q = −7 and r = 6
◮ For all a, b ∈ Z with b ≠ 0, a div b = ⌊a/b⌋ and
a mod b = a − b⌊a/b⌋ hold
◮ The replacement of a by a mod b is often called the
reduction of a modulo b
Complexity of Operations in Z
◮ Asymptotic upper bound (O notation)
f(n) ∈ O(g(n)) (often written f(n) = O(g(n))), if there are positive constants c, n0 ∈ Z, such that 0 ≤ f(n) ≤ c · g(n) holds for all n ≥ n0
◮ Number of bits to represent n: ⌊ld n⌋ + 1
◮ Complexity of classical algorithms for operations
(for a, b ∈ Z with 0 ≤ a, b ≤ n)
Operation                     bit complexity
Addition        a + b         O(ld a + ld b) = O(ld n)
Subtraction     a − b         O(ld a + ld b) = O(ld n)
Multiplication  a · b         O(ld a · ld b) = O((ld n)²)
Division        a = qb + r    O(ld a · ld b) = O((ld n)²)
Congruences
◮ Let a, b ∈ Z, let m be a positive integer
a is congruent to b modulo m (a ≡ b mod m), if m divides b − a
◮ b is called the residue of a modulo m; m is the modulus
◮ Exa: −2 ≡ 19 mod 21, since 19 − (−2) is divisible by 21
◮ The congruence mod m is an equivalence relation on Z
- 1. Reflexivity: Every number is congruent to itself modulo m
- 2. Symmetry: (a ≡ b mod m) → (b ≡ a mod m)
- 3. Transitivity:
(a ≡ b mod m) ∧ (b ≡ c mod m) → (a ≡ c mod m)
◮ From a ≡ b mod m and c ≡ d mod m, it follows that
- 1. −a ≡ (−b) mod m
- 2. a + c ≡ (b + d) mod m
- 3. ac ≡ (bd) mod m
Motivation for the Modular Arithmetic
◮ Good for implementation, since (intermediate) results have
restricted length
◮ Add, sub, mult mod n on k-bit numbers yield intermediate
results of at most 2k bits
(➥ Exponentiation mod n does not result in big numbers)
◮ There are fast algorithms for modular arithmetic and
exponentiation mod n
(e.g., 10^72 mod 257 is easy to compute)
◮ Security issue: Computation of discrete logarithm and
square root mod n computationally expensive
(e.g., finding a square root of 107 mod 257 is computationally hard, i.e., finding x such that x² ≡ 107 mod 257)
Rules for the Modular Arithmetic
◮ Let a, b, c, n ∈ Z, n > 0
◮ Associative law:
((a + b) + c) mod n = (a + (b + c)) mod n
((a · b) · c) mod n = (a · (b · c)) mod n
◮ Commutative law:
(a + b) mod n = (b + a) mod n
(a · b) mod n = (b · a) mod n
◮ Distributive law:
(a · (b + c)) mod n = (a · b + a · c) mod n
◮ Reducibility:
(a + b) mod n = ((a mod n) + (b mod n)) mod n
(a · b) mod n = ((a mod n) · (b mod n)) mod n
Residue Classes (RCs)
◮ Equivalence class of a mod m: {b | b ≡ a mod m} = a + mZ
◮ This is the residue class of a mod m
◮ Exa: RC of 1 mod 4: {1, 1 ± 4, 1 ± 2 · 4, . . .} = {1, −3, 5, . . .}
◮ RCs mod 4 are: 0 + 4Z, 1 + 4Z, 2 + 4Z, 3 + 4Z
◮ Set of all RCs mod m: Z/mZ (has m elements)
◮ System of representatives (for mod m):
Set of integers with exactly one element from every RC mod m
The integers modulo m, Zm, is the set {0, 1, . . . , m − 1}. Add, sub and mult in Zm are performed modulo m.
Definition of a Semigroup (SG)
◮ A semigroup H = (S, ◦) consists of a nonempty set S and
an operation ◦ such that:
- 1. S is closed under ◦, i.e., ∀a, b (a, b ∈ S → a ◦ b ∈ S)
- 2. The operation ◦ is associative
◮ A SG is commutative (or abelian) if ◦ is commutative
◮ Let H be a semigroup
◮ An element e ∈ S is called the identity of H, if
a ◦ e = e ◦ a = a holds ∀a ∈ S
◮ An element a⁻¹ ∈ S is called the inverse of a ∈ S, if
a ◦ a⁻¹ = a⁻¹ ◦ a = e
◮ A semigroup with an identity is called a monoid
Exa: Set of all strings with concatenation and ε as identity
Definition of a Group
◮ A group consists of a set G and an operation ◦ such that:
- 1. (G, ◦) is a semigroup with identity e
- 2. For every a ∈ G, there is its inverse a⁻¹ ∈ G
◮ A group is abelian if the underlying semigroup is abelian
◮ The order of a finite group is the number of its elements
◮ Cancellation: Let G be a group and a, b, c ∈ G
If c ◦ a = c ◦ b or a ◦ c = b ◦ c holds, then a = b holds
◮ Exa: (Z, +) with e = 0 and a⁻¹ = −a (∀a ∈ Z) is a group
(Zm, + mod m) with e = 0 and a⁻¹ = m − a (∀a ∈ Zm) is also a group; (N, +) is not a group
◮ A group is cyclic, if there is an α ∈ G s.t. for each b ∈ G,
there is an integer i with b = α^i (α is called a generator of G)
Multiplicative Inverses and Division
Let a ∈ Zm. The multiplicative inverse of a mod m is an integer x ∈ Zm, such that the following holds: a ◦ x ≡ 1 mod m. If such an x exists, then it is unique and a is called invertible (or a unit).
Let a, b ∈ Zm. The division of a by b mod m is the “product” of a and b⁻¹ mod m (only defined if b⁻¹ exists!).
Let a ∈ Zm. Then a is invertible iff gcd(a, m) = 1 holds, i.e., if a and m are coprime.
Exa: (Zm \ {0}, · mod m) (m prime) is a group of order m − 1
The Multiplicative Group Z*_m
◮ Z*_m = {a ∈ Zm | gcd(a, m) = 1}
◮ If m is prime, then Z*_m = {1, . . . , m − 1} and it is a group
(the multiplicative group of Zm where ◦ is multiplication mod m)
◮ The Euler function ϕ(n) (of n ∈ N) is defined to be the number
of positive integers < n that are coprime to n.
◮ Therefore, ϕ(m) specifies the number of elements in Z*_m
◮ For ϕ(n), the following holds:
- 1. If n is a prime number, then ϕ(n) = n − 1
- 2. It is multiplicative: If gcd(m, n) = 1 then ϕ(mn) = ϕ(m)ϕ(n)
- 3. If n is of the form p_1^{k_1} · . . . · p_l^{k_l} with p_1, . . . , p_l prime numbers
and all different, then
$\varphi\Big(\prod_{i=1}^{l} p_i^{k_i}\Big) = \prod_{i=1}^{l} p_i^{k_i - 1} \cdot (p_i - 1) = n \cdot \prod_{i=1}^{l} \frac{p_i - 1}{p_i}$
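An added example (not from the slides) that works the integer side of the last few slides in Python: the extended Euclidean algorithm for gcd and multiplicative inverses in Zm, square-and-multiply for the "fast exponentiation mod n" mentioned in the motivation slide, and ϕ(n) from the prime factorization, checked against the size of Z*_m. All function names are my own.

```python
# Added example, not from the slides: gcd, inverses in Z_m, fast pow mod n, Euler's phi.
def ext_gcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclid: return (d, x, y) with d = gcd(a, b) and a*x + b*y = d."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, r = divmod(a, b)            # a = q*b + r with 0 <= r < b
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def inverse_mod(a: int, m: int) -> int:
    """Multiplicative inverse of a in Z_m; it exists iff gcd(a, m) = 1."""
    d, x, _ = ext_gcd(a % m, m)
    if d != 1:
        raise ValueError(f"{a} is not a unit mod {m}: gcd = {d}")
    return x % m                       # reduce the Bezout coefficient into Z_m

def pow_mod(base: int, exp: int, n: int) -> int:
    """Square-and-multiply: every intermediate value stays below n**2."""
    result, base = 1, base % n
    while exp:
        if exp & 1:
            result = result * base % n
        base = base * base % n
        exp >>= 1
    return result

def factorize(n: int) -> dict[int, int]:
    """Prime factorization {p: k} by trial division (adequate for small n)."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:                          # the leftover n is itself a prime factor
        factors[n] = 1
    return factors

def phi(n: int) -> int:
    """Euler's function via phi(n) = n * prod_i (p_i - 1)/p_i over the distinct primes."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)
    return result

def units(m: int) -> list[int]:
    """Z_m^* = {a in Z_m | gcd(a, m) = 1}; len(units(m)) equals phi(m)."""
    return [a for a in range(1, m) if ext_gcd(a, m)[0] == 1]
```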
Definition of a Ring
◮ A ring is a triple (R, +, ·) with:
- 1. (R, +) is an abelian group with an identity denoted by 0
- 2. (R, ·) is a semigroup with identity denoted by 1 (0 ≠ 1)
- 3. The law of distributivity holds for all a, b, c ∈ R
◮ a · (b + c) = a · b + a · c
◮ (a + b) · c = a · c + b · c
◮ The ring is commutative, if the semigroup is commutative
◮ An element a ∈ R of a ring is called a unit (or multiplicatively
invertible), if there is an a⁻¹ ∈ R s.t. a · a⁻¹ = a⁻¹ · a = 1
◮ Examples
◮ (Z, +, ·) is a commutative ring
◮ (Zm, + mod m, · mod m) is a commutative ring
Fields
◮ A field is a ring in which all non-zero elements are
multiplicatively invertible
◮ The characteristic of a field is 0, if $\sum_{i=1}^{m} 1 \neq 0$ for every
m ≥ 1. Otherwise, it is the least m ∈ N, s.t. $\sum_{i=1}^{m} 1 = 0$
◮ The field is finite if it has only finitely many elements
◮ The order of a field is the number of its elements
◮ Examples
◮ The field of rational numbers
◮ (Zm, + mod m, · mod m) is a field if m is prime.
Then the characteristic of (Zm, + mod m, · mod m) is m.
◮ (Z, +, ·) is not a field
Polynomial Rings (PRs)
◮ Let R be a ring, a_i ∈ R, n ≥ 0. A polynomial in x over R is
f(x) = a_n x^n + a_{n−1} x^{n−1} + · · · + a_2 x² + a_1 x + a_0
◮ a_i is the coefficient of x^i in f(x) (0 ≤ i ≤ n)
◮ Degree of f(x) (deg(f(x))): largest m such that a_m ≠ 0
◮ f(x) is called monic, if its leading coefficient is 1
◮ Let R be a commutative ring.
◮ The polynomial ring R[x] is the ring of all polynomials in x
with coefficients from R.
◮ The 2 operations are add and mult of polynomials
◮ The coefficient arithmetic is performed in R
◮ Example: f(x) = x³ + x + 1, g(x) = x² + x ∈ Z2[x]
f(x) + g(x) = x³ + x² + 1 (since 1 · x + 1 · x = 0 in Z2)
f(x) · g(x) = x⁵ + x⁴ + x³ + x² + x² + x = x⁵ + x⁴ + x³ + x
Division of Polynomials
◮ Let F be an arbitrary field, F[x] a PR and f(x) ∈ F[x]
◮ Let deg(f(x)) ≥ 1. f(x) is irreducible over F if:
f(x) cannot be written as the product of 2 polynomials from F[x], where each of these polynomials has a positive degree
◮ Let g(x), h(x) ∈ F[x] and h(x) ≠ 0. Polynomial division of
g(x) by h(x) yields 2 unique polynomials q(x), r(x) ∈ F[x], s.t. g(x) = q(x)h(x) + r(x) where deg(r(x)) < deg(h(x))
◮ q(x) is called quotient, r(x) is called remainder
◮ The quotient is written as g(x) div h(x); the remainder as g(x) mod h(x)
Division of Polynomials: An Example
◮ Let g(x), h(x) ∈ Z2[x] with
g(x) = x⁶ + x⁵ + x³ + x² + x + 1
h(x) = x⁴ + x³ + 1
◮ Polynomial division of g(x) by h(x) yields
g(x) = x²h(x) + (x³ + x + 1)
◮ Hence, g(x) mod h(x) = x³ + x + 1 and g(x) div h(x) = x²
◮ Observe that deg(x³ + x + 1) < deg(h(x)) as required
Congruences Again
◮ Let g(x), h(x) ∈ F[x].
◮ h(x) divides g(x) (h(x) | g(x)), if g(x) mod h(x) = 0
◮ g(x) is congruent to h(x) modulo f(x), if f(x) | (g(x) − h(x))
◮ This congruence is denoted by g(x) ≡ h(x) mod f(x)
◮ Properties of congruences again:
- 1. g(x) ≡ h(x) mod f(x) iff g(x) and h(x) leave the same
remainder upon division by f(x)
- 2. Reflexivity, symmetry, transitivity hold
- 3. If g(x) ≡ g_1(x) mod f(x) and h(x) ≡ h_1(x) mod f(x), then
g(x) + h(x) ≡ g_1(x) + h_1(x) mod f(x) and g(x)h(x) ≡ g_1(x)h_1(x) mod f(x)
Some Implications
◮ Construction of equivalence classes (ECs) like above
◮ F[x]/(f(x)) denotes the set of ECs of polynomials from
F[x] with degree smaller than deg(f(x)). Addition and multiplication are performed modulo f(x)
◮ F[x]/(f(x)) is a commutative ring
◮ If f(x) is irreducible over F, then F[x]/(f(x)) is a field
Finite Fields
◮ Existence and uniqueness of finite fields (FFs)
◮ If F is a finite field, then it has p^m elements (p prime, m ≥ 1)
◮ For every p^m, there exists a unique (up to isomorphism)
finite field of order p^m
◮ This field is denoted by F_{p^m} or GF(p^m)
◮ If F_{p^m} is a finite field of order p^m, p prime, then the
characteristic of F_{p^m} is p
◮ The nonzero elements of F_q form a group under
multiplication called the multiplicative group, F*_q, of F_q
◮ F*_q is a cyclic group of order q − 1. Hence, a^q = a for all
a ∈ F*_q
◮ A generator of F*_q is called a primitive element or generator
of F_q
Arithmetic of Polynomials (1)
◮ Polynomial basis representation of F_{p^m} (p prime) possible
◮ This representation becomes important for AES
◮ Let f(x) ∈ Zp[x] be an irreducible polynomial of degree m
◮ Then Zp[x]/(f(x)) is a finite field of order p^m
◮ Add of polynomials: componentwise in Zp
◮ Multiplication of polynomials is performed modulo f(x)
◮ For each m ≥ 1, there exists a monic irreducible
polynomial of degree m over Zp
◮ Therefore, any element of F_{p^m} has a representation as a polynomial
◮ Multiplicative inverse in F_{p^m} can be computed with the
extended Euclidean algorithm for the polynomial ring Zp[x]
Arithmetic of Polynomials (2)
◮ An irreducible polynomial f(x) ∈ Zp[x] of degree m is
called primitive, if x is a generator of F*_{p^m}
◮ F*_{p^m}: Multiplicative group of all nonzero elements in
F_{p^m} = Zp[x]/(f(x))
◮ The irreducible polynomial f(x) ∈ Zp[x] of degree m is
primitive iff f(x) divides x^k − 1 for k = p^m − 1, but for no smaller positive k
◮ For each m ≥ 1, there exists a monic primitive polynomial
of degree m over Zp
Arithmetic of Polynomials: An Example
Finite field F_{2^4} of order 16 and characteristic 2 (p = 2, m = 4)
◮ Consider polynomial f(x) = x⁴ + x + 1 (irreducible over Z2)
◮ F_{2^4} can be represented as the set of all polynomials over
F2 of degree < 4
➥ F_{2^4} = {a_3x³ + a_2x² + a_1x + a_0 | a_i ∈ {0, 1}}
◮ More compact notation: F_{2^4} = {(a_3, a_2, a_1, a_0) | a_i ∈ {0, 1}}
◮ Add: (1011) + (1001) = (0010) (add. componentwise in F2)
Arithmetic of Polynomials: An Example (cont’d)
◮ Mult: (1101) · (1001) = (1111)
- 1. Multiply as polynomials:
(x³ + x² + 1) · (x³ + 1) = x⁶ + x⁵ + x² + 1
- 2. Divide the product by f(x) and take the remainder
x⁶ + x⁵ + x² + 1 = x²(x⁴ + x + 1) + x⁵ + x³ + 1
x⁵ + x³ + 1 = x(x⁴ + x + 1) + x³ + x² + x + 1
⇒ (x³ + x² + 1) · (x³ + 1) ≡ x³ + x² + x + 1 mod f(x)
◮ The multiplicative identity is (0001)
◮ The multiplicative inverse of (1011) is (0101)
(x³ + x + 1) · (x² + 1) = x⁵ + x² + x + 1 ≡ 1 mod f(x)
⇒ (1011) · (0101) = (0001)
◮ x = (0010) is a generator for F*_{2^4} (i.e., f(x) is primitive)
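An added example (not from the slides) that implements the polynomial arithmetic of the "Division of Polynomials: An Example" slide and this F_{2^4} example in Python: polynomials over Z2 are stored as integers whose bit i is the coefficient of x^i, so (1011) is 0b1011 and f(x) = x⁴ + x + 1 is 0b10011; the inverse uses the extended Euclidean algorithm in Z2[x] as the slides suggest, and the last function checks whether x generates F*_{2^4}. Function names are my own.

```python
# Added example, not from the slides: Z2[x] division and arithmetic in Z2[x]/(x^4 + x + 1),
# with each polynomial held as an int (bit i = coefficient of x^i).
def deg(p: int) -> int:
    """Degree of p; deg(0) = -1 by convention."""
    return p.bit_length() - 1

def poly_divmod(g: int, h: int) -> tuple[int, int]:
    """Return (q, r) with g = q*h + r over Z2 and deg(r) < deg(h)."""
    if h == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r = 0, g
    while r and deg(r) >= deg(h):
        shift = deg(r) - deg(h)      # leading term of r divided by leading term of h
        q ^= 1 << shift              # quotient gains x^shift
        r ^= h << shift              # subtraction is XOR in Z2
    return q, r

def poly_mul(a: int, b: int) -> int:
    """Carry-less schoolbook product of two Z2 polynomials (no reduction)."""
    prod = 0
    while b:
        if b & 1:
            prod ^= a
        a, b = a << 1, b >> 1
    return prod

F = 0b10011  # f(x) = x^4 + x + 1, irreducible over Z2, defines the field of order 16

def gf_mul(a: int, b: int, f: int = F) -> int:
    """Multiplication in Z2[x]/(f(x)): multiply, then keep the remainder mod f."""
    return poly_divmod(poly_mul(a, b), f)[1]

def gf_inv(a: int, f: int = F) -> int:
    """Inverse in Z2[x]/(f(x)) by the extended Euclidean algorithm on polynomials."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1, s0, s1 = f, a, 0, 1      # invariant: s_i * a == r_i (mod f)
    while r1 != 1:
        if r1 == 0:
            raise ValueError("not invertible: gcd(a, f) != 1")
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ poly_mul(q, s1)
    return poly_divmod(s1, f)[1]

def is_generator(alpha: int, f: int = F) -> bool:
    """True iff the powers of alpha run through all 2^deg(f) - 1 nonzero elements."""
    q = 1 << deg(f)
    seen, cur = set(), 1
    for _ in range(q - 1):
        cur = gf_mul(cur, alpha, f)
        seen.add(cur)
    return len(seen) == q - 1
```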
Crypto System
A crypto system is a five-tuple (P, C, K, E, D) such that:
- 1. P: Set of all possible plain texts
- 2. C: Set of all possible cipher texts
- 3. K: Set of all possible keys
- 4. E = {E_k | k ∈ K}: Family of encryption functions of the
form E_k : P → C
- 5. D = {D_k | k ∈ K}: Family of decryption functions of the
form D_k : C → P
- 6. ∀e ∈ K ∃d ∈ K ∀p ∈ P . D_d(E_e(p)) = p
Alphabets and Strings
Alphabet Σ: finite and nonempty set of characters. Let Σ be an alphabet
- 1. String: finite sequence of characters from Σ; the empty
sequence is ε
- 2. |w|: Length of string w = number of character occurrences
in w; |ε| = 0.
- 3. Σ*: Set of all strings over Σ (ε is included)
- 4. vw = v ◦ w: Concatenation of v, w ∈ Σ*
It holds that v ◦ ε = ε ◦ v = v
- 5. Σ^n: Set of all strings of length n over Σ (n ∈ N ∪ {0})
(Σ*, ◦) forms a monoid (SG with an identity element (here: ε))
Permutations
Let X be a set
◮ A permutation of X is a bijective mapping f : X → X
◮ The set of all permutations of X is denoted by S(X)
◮ Exa: Let X = {0, 1, 2, 3, 4, 5}. A permutation of X is
( 1 2 3 4 5 )
( 1 2 4 3 5 )
Replace each element in the upper row by the corresponding element below it