
Introduction to Cryptography

Vanessa VITSE

Université Grenoble Alpes

M1 Maths – MSIAM 2020

Vanessa VITSE (UGA) Introduction to Cryptography M1 Maths – MSIAM 2020 1 / 23

Introduction: Lectures summary

• 7 sessions of 3h, a mix of lectures and lab sessions in SageMath:
  - First concepts of cryptography, modular arithmetic and complexity (on slides)
  - Prime number generation and primality testing
  - Discrete logarithm as a primitive for public key cryptography
  - Factorization and RSA
  - Random number generators
  - Error-correcting codes
• + 1 evaluated lab session (3h)
• + 1 final exam (3h)
• Bring your own laptop with SageMath/Jupyter already installed
  - General instructions for installation at http://www.sagemath.org/download.html
  - Jupyter notebook for the interface: https://jupyter.readthedocs.io/
  - If nothing works... https://sagecell.sagemath.org/
• Lecture notes (in English) + slides + lab session subjects available at https://www-fourier.ujf-grenoble.fr/~viva/teaching.php

Section 1: First concepts in cryptography

First concepts in cryptography: Fundamental goals in crypto

Alice and Bob want to exchange private information in the presence of Eve (an eavesdropper). They want:
• confidentiality of the private data transiting over insecure channels;
• authenticity of these data, more precisely message integrity, meaning that an attacker has no way of modifying the message without being noticed;
• authentication of their interlocutor, i.e. they want to be sure of the identity of the person at the other end of the exchange.

Tools
• public encryption/decryption protocols, secret key(s) to recover the sensitive data;
• security relies on the secret key.

First concepts in cryptography: Symmetric cryptography

Alice and Bob already share a common secret key.

Definition
A symmetric cipher is a pair $(E, D)$ of public algorithms such that
  $E : (k, m) \in \mathcal{K} \times \mathcal{M} \mapsto c \in \mathcal{C}$
  $D : (k, c) \in \mathcal{K} \times \mathcal{C} \mapsto m \in \mathcal{M}$
  $\forall k \in \mathcal{K},\ \forall m \in \mathcal{M},\ D(k, E(k, m)) = m$ (correctness property)

• usually $\mathcal{M} = \mathcal{K} = \mathcal{C} = \{0, 1\}^n$
• $E$ can be non-deterministic, i.e. it can output different ciphertexts for the same input $(k, m)$
• $D$ is deterministic, so it realizes a mathematical function
• security assumption: hard to recover $m$ from $c$ without knowing $k$

First concepts in cryptography: A classical example, the one-time-pad cipher

One-time-pad
• $\mathcal{M} = \mathcal{K} = \mathcal{C} = \mathbb{F}_2^n$ (vector space over the field of characteristic 2)
• $E(k, m) = k \oplus m$ (XOR is addition without carry)
• $D(k, c) = k \oplus c$

Check correctness from the properties of $(\mathbb{F}_2^n, \oplus)$:
  $x \oplus y = y \oplus x$, $x \oplus (y \oplus z) = (x \oplus y) \oplus z$, $x \oplus 0_{\mathbb{F}_2^n} = x$ and $x \oplus x = 0_{\mathbb{F}_2^n}$.

First concepts in cryptography: Perfect secrecy

The one-time-pad algorithm is optimal:

Perfect secrecy
Let $(E, D)$ be a cipher over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$, and $K, M, C$ random variables such that $M = D(K, C)$, $K$ is uniformly distributed over $\mathcal{K}$, and $K, M$ are independent. The cipher $(E, D)$ is perfectly secure if for all $(m, c) \in \mathcal{M} \times \mathcal{C}$,
  $\Pr[M = m \mid C = c] = \Pr[M = m].$

• Otherwise said, $M$ (not necessarily uniformly distributed) and $C$ are independent → knowledge of $c$ gives no information on $m$.
• The one-time-pad cipher is perfectly secure (and the only one to be!) [proof on blackboard]

First concepts in cryptography: Perfect secrecy

Shannon's theorem
If a cipher $(E, D)$ defined over $\mathcal{K}, \mathcal{M}, \mathcal{C}$ is perfectly secure, then $|\mathcal{K}| \geq |\mathcal{M}|$. [proof on blackboard]

• Problem of key distribution and storage: keys as long as messages/ciphertexts
• weaker security requirements: recovering some information about $m$ from $c$ should not be computationally feasible with real-world resources
• replace the one-time-pad secret by a short seed $s$ used to produce a random-looking sequence (PRNG) → stream cipher
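The perfect-secrecy definition and Shannon's bound can be checked exhaustively on a space small enough to enumerate. The following is an added example in Python (the course's SageMath follows the same syntax), not code from the slides: it takes $\mathcal{M} = \mathcal{K} = \mathcal{C} = \mathbb{F}_2^2$, a constructed non-uniform message distribution, and computes $\Pr[M = m \mid C = c]$ exactly with rational arithmetic for the one-time pad and for a constructed "short key" cipher whose 1-bit key is stretched to two bits (so $|\mathcal{K}| = 2 < |\mathcal{M}| = 4$). The name `repeated_bit_encrypt` and the distribution `MSG_DIST` are assumptions made for the demonstration.

```python
from fractions import Fraction
from itertools import product

# Message/key/ciphertext space F_2^2 written as bit tuples (constructed toy instance).
BITS2 = list(product((0, 1), repeat=2))
BITS1 = [(0,), (1,)]

# Constructed, deliberately non-uniform message distribution, so that the
# condition Pr[M = m | C = c] = Pr[M = m] is not met for trivial reasons.
MSG_DIST = {
    (0, 0): Fraction(1, 2),
    (0, 1): Fraction(1, 4),
    (1, 0): Fraction(1, 8),
    (1, 1): Fraction(1, 8),
}


def xor(x, y):
    """Addition in F_2^n: coordinate-wise XOR of two bit tuples."""
    return tuple(a ^ b for a, b in zip(x, y))


def otp_encrypt(k, m):
    """One-time pad: E(k, m) = k XOR m with |k| = |m|."""
    return xor(k, m)


def repeated_bit_encrypt(k, m):
    """Hypothetical short-key cipher (assumption for the demo): a 1-bit key is
    stretched to (k, k) before the XOR, so |K| = 2 while |M| = 4."""
    return xor((k[0], k[0]), m)


def posterior(encrypt, keys, msg_dist):
    """Exact Pr[M = m | C = c] for every pair (m, c) that can occur, with K
    uniform over `keys` and independent of M (the hypotheses of the slide)."""
    p_key = Fraction(1, len(keys))
    joint = {}  # (m, c) -> Pr[M = m, C = c]
    p_c = {}    # c -> Pr[C = c]
    for m, p_m in msg_dist.items():
        for k in keys:
            c = encrypt(k, m)
            joint[(m, c)] = joint.get((m, c), Fraction(0)) + p_m * p_key
            p_c[c] = p_c.get(c, Fraction(0)) + p_m * p_key
    return {(m, c): p / p_c[c] for (m, c), p in joint.items()}


def is_perfectly_secure(encrypt, keys, msg_dist):
    """Perfect secrecy: for all (m, c), Pr[M = m | C = c] == Pr[M = m].
    A pair (m, c) that never occurs has posterior 0, which breaks the equality too."""
    post = posterior(encrypt, keys, msg_dist)
    ciphertexts = {c for (_, c) in post}
    return all(
        post.get((m, c), Fraction(0)) == p_m
        for m, p_m in msg_dist.items()
        for c in ciphertexts
    )


if __name__ == "__main__":
    print("one-time pad perfectly secure:", is_perfectly_secure(otp_encrypt, BITS2, MSG_DIST))
    print("2-key cipher perfectly secure:", is_perfectly_secure(repeated_bit_encrypt, BITS1, MSG_DIST))
    # Shannon's theorem already rules the second cipher out: |K| < |M|.
    print("|K| >= |M| for the 2-key cipher:", len(BITS1) >= len(BITS2))
```

For the one-time pad every posterior equals the prior (for instance $\Pr[M = 00 \mid C = 11] = 1/2$), while for the short-key cipher observing $c = 00$ leaves only two candidate plaintexts and $\Pr[M = 00 \mid C = 00] = 4/5 \neq 1/2$, exactly the kind of leak Shannon's theorem says any cipher with fewer keys than messages must have.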

First concepts in cryptography: Real life is more complicated!

• If not used correctly, the one-time-pad becomes totally insecure! E.g. Bob uses the secret key twice to encrypt two different messages...
• The one-time-pad is malleable: an attacker can cause predictable changes to the plaintext. E.g. Eve changes $c = E(k, m)$ to $c' = c \oplus \delta$; then Alice decrypts $D(k, c') = m \oplus \delta$...
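The two failure modes on this slide are easy to see on bytes. This is an added Python example, not code from the course: it implements the one-time pad on byte strings, checks the correctness property, and then shows what a receiver actually gets after the $c \oplus \delta$ modification and what two ciphertexts under one key reveal ($c_1 \oplus c_2 = m_1 \oplus m_2$, i.e. the key cancels). The key, the messages and the mask `DELTA` are constructed sample values; `fresh_key` is an assumed helper illustrating the requirement that every message gets its own uniformly random key.

```python
import os


def xor_bytes(x: bytes, y: bytes) -> bytes:
    """Addition in F_2^n on byte strings of equal length (XOR, no carry)."""
    if len(x) != len(y):
        raise ValueError("one-time pad needs a key exactly as long as the message")
    return bytes(a ^ b for a, b in zip(x, y))


def otp_encrypt(key: bytes, msg: bytes) -> bytes:
    """E(k, m) = k XOR m."""
    return xor_bytes(key, msg)


def otp_decrypt(key: bytes, ct: bytes) -> bytes:
    """D(k, c) = k XOR c; correctness follows from k XOR k = 0."""
    return xor_bytes(key, ct)


def tamper(ct: bytes, delta: bytes) -> bytes:
    """Malleability: c' = c XOR delta decrypts to m XOR delta. Decryption succeeds
    without any error, which is why the one-time pad gives confidentiality but
    no integrity: an integrity mechanism has to be added on top."""
    return xor_bytes(ct, delta)


def key_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Two ciphertexts under the same key satisfy c1 XOR c2 = m1 XOR m2: every
    zero byte in the result reveals a position where the plaintexts agree."""
    return xor_bytes(ct1, ct2)


def fresh_key(length: int) -> bytes:
    """Assumed helper: a uniformly random key, generated once per message."""
    return os.urandom(length)


# Constructed sample values for the demonstration below (16 bytes each).
SAMPLE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
MSG1 = b"meet at 10:00 am"
MSG2 = b"meet at 11:30 pm"
DELTA = bytes([0] * 10 + [1, 1, 1, 1] + [0, 0])   # flips the low bit of bytes 10..13

if __name__ == "__main__":
    ct1 = otp_encrypt(SAMPLE_KEY, MSG1)
    assert otp_decrypt(SAMPLE_KEY, ct1) == MSG1     # D(k, E(k, m)) = m
    print("tampered plaintext:", otp_decrypt(SAMPLE_KEY, tamper(ct1, DELTA)))
    ct2 = otp_encrypt(SAMPLE_KEY, MSG2)             # same key reused: the mistake
    print("m1 XOR m2 leaked:  ", key_reuse_leak(ct1, ct2))
    print("correct usage:     ", otp_encrypt(fresh_key(len(MSG2)), MSG2).hex())
```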

First concepts in cryptography: Public key encryption

Limits of symmetric crypto
• Alice and Bob need to share a secret key in the first place
• Idea of public-key crypto: reproduce the concept of classical mail boxes

Public key schemes (1976-1977)
Two keys are needed: Alice's public key (known to everybody), which is used to encrypt messages, and Alice's private key, which is used to decrypt ciphertexts and is thus only known by Alice.
These schemes rely on hard mathematical problems → complexity notions needed.

Modular arithmetic and complexity: Large integer arithmetic

Crypto context
• messages of size between 256 and 2048 bits $\gg$ 64 bits, the register size of modern computers → specific libraries for operations over large integers
• addition/multiplication can no longer be considered as constant-time operations when $n$ grows → a complexity measure of an algorithm is needed

Modular arithmetic and complexity: Large integer arithmetic

Big O notation
Let $f, g$ be two real functions, with $g > 0$. We write $f = O(g)$ if $\exists C > 0$, $\forall x$ large enough, $|f(x)| \leq C\, g(x)$.
• $f = O(1) \iff f$ is bounded (away from 0)
• $x^a + \log(x)^b = O(x^a)$ for any $a, b, x > 0$
• Warning: $f = O(g)$ and $h = O(g)$ $\not\Rightarrow$ $f = h$ or $f = O(h)$

All complexities are given in the size of the input of the algorithms.

Examples
• Addition/subtraction of size-$n$ integers in $O(n)$
• Standard multiplication/division of size-$n$ integers in $O(n^2)$ (better: Karatsuba's method, in $O(n^{\log_2(3)}) = O(n^{1.584})$)
• Multiplication of two polynomials of degree $d$ with coefficients smaller than $B$ in $O((d \log B)^2)$.

Modular arithmetic and complexity: Euclidean division and congruences

Euclidean division
For $a, b \in \mathbb{Z}$, $b \neq 0$, there exists a unique couple $(q, r) \in \mathbb{Z}^2$ s.t. $a = bq + r$ and $0 \leq r < |b|$. The integer $r$ is the remainder of the division, and $q$ is the quotient.
• $b$ divides $a$ if the remainder is zero, denoted $b \mid a$
• Let $x, y, n \in \mathbb{Z}$, $n \neq 0$; $x$ is congruent to $y$ modulo $n$ if their remainders in the division by $n$ are the same, denoted $x = y \bmod n$

Congruence relation
• equivalence relation → $\mathbb{Z}/n\mathbb{Z}$, the set of residue classes modulo $n$
• compatibility with addition/multiplication → $\mathbb{Z}/n\mathbb{Z}$ is a commutative ring
• $a = b \bmod n \iff ac = bc \bmod nc$
• $a = b \bmod mn \implies (a = b \bmod m$ and $a = b \bmod n)$

Modular arithmetic and complexity: Modular exponentiation

Question: given $g \in \mathbb{Z}/n\mathbb{Z}$ (or more generally in a group $G$) and $e \in \mathbb{N}^*$, how to compute $g^e \bmod n$?

• Naive approach: multiply by $g$ a total of $e$ times, reducing modulo $n$ at each step → complexity is in $O(e \log(n)^2)$, exponential in the size of $e$...
• Better idea: let $e = \sum_i \epsilon_i 2^i$ be the binary expansion of $e$. Then
  $g^e = \prod_{\epsilon_i = 1} g^{2^i} \bmod n.$

Modular arithmetic and complexity: Modular exponentiation

Algorithm 1: "Right-to-left" fast exponentiation algorithm
    Input: g ∈ ℤ/nℤ, e, n ∈ ℕ*
    Output: g^e mod n
    res ← 1
    t ← g
    while e ≠ 0 do
        if e is odd then res ← res · t mod n
        e ← ⌊e/2⌋
        t ← t² mod n
    return res

Complexity
• $O(\log e)$ multiplications in $\mathbb{Z}/n\mathbb{Z}$ + $\log e$ squarings ($g^{2^{i+1}} = (g^{2^i})^2$)
• Total complexity in $O(\log e\,(\log n)^2)$

Reading the bits from left to right...
  $g^e = (g^{e/2})^2$ for even $e$, $g \cdot (g^{(e-1)/2})^2$ for odd $e$.

Algorithm 2: "Left-to-right" algorithm for modular exponentiation
    Input: g ∈ ℤ/nℤ, e, n ∈ ℕ*
    Output: g^e mod n
    if e == 0 then return 1
    res ← g
    t ← ⌊log₂(e)⌋
    B ← list of bits of e (e = Σ_{i=0}^{t} B[i]·2^i with B[t] = 1)
    while t > 0 do
        t ← t − 1
        res ← res² mod n
        if B[t] == 1 then res ← res · g mod n
    return res
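Both algorithms above, written out in Python as an added example (not code from the slides), with a function that counts the squarings and multiplications Algorithm 2 performs against the $e - 1$ multiplications of the naive method. The 1000-bit sample parameters in the demo are constructed; the built-in `pow(g, e, n)` is only used as an independent check of the results.

```python
def modexp_rtl(g: int, e: int, n: int) -> int:
    """Algorithm 1, right-to-left: consume the bits of e from the least
    significant one, keeping t = g^(2^i) mod n as the running square."""
    if e < 0 or n <= 0:
        raise ValueError("need e >= 0 and n >= 1")
    res, t = 1 % n, g % n
    while e != 0:
        if e & 1:              # e is odd: this power of two is in the expansion
            res = res * t % n
        e >>= 1                # e <- floor(e / 2)
        t = t * t % n          # t <- t^2 mod n
    return res


def modexp_ltr(g: int, e: int, n: int) -> int:
    """Algorithm 2, left-to-right: start from the most significant bit, square
    at every step and multiply by g whenever the current bit is 1."""
    if e < 0 or n <= 0:
        raise ValueError("need e >= 0 and n >= 1")
    if e == 0:
        return 1 % n
    bits = bin(e)[2:]          # B[t] ... B[0], most significant first, B[t] == 1
    res = g % n
    for b in bits[1:]:
        res = res * res % n
        if b == "1":
            res = res * g % n
    return res


def square_and_multiply_cost(e: int) -> dict:
    """Operation counts for Algorithm 2: floor(log2 e) squarings plus one
    multiplication per 1 bit after the leading one; the naive method needs e - 1."""
    return {
        "naive_multiplications": e - 1,
        "squarings": e.bit_length() - 1,
        "multiplications": bin(e).count("1") - 1,
    }


if __name__ == "__main__":
    g, e, n = 7, 2 ** 1000 + 12345, 2 ** 1000 - 3      # constructed 1000-bit sizes
    assert modexp_rtl(g, e, n) == modexp_ltr(g, e, n) == pow(g, e, n)
    print(square_and_multiply_cost(e))
```

Both routines branch on the bits of the exponent, which is what the course needs; implementations that handle a secret exponent use constant-time variants instead, a topic outside these slides.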

Modular arithmetic and complexity: Modular exponentiation

Polynomial vs exponential complexities

Some figures
• a 4-core tabletop computer at 2.5 GHz can compute about 10 billion floating point operations per second: $2^{36}$ FLOPS
• a modest computer cluster: $2^{40}$ FLOPS
• supercomputers: $2^{50}$ to $2^{56}$ FLOPS
• A single exponentiation of 80-bit integers takes several years (or even decades) with the naive method on a supercomputer
• Exponentiating 1000-bit integers takes a few milliseconds on a laptop computer with a square-and-multiply algorithm
• Huge gap between $O(n)$ and $O(2^n)$ complexities
Modular arithmetic and complexity Modular exponentiation

Polynomial vs Exponential complexities

Using a computer that makes 230 elementary op/s, how long to perform f pnq operations?

n log2pnq n n log2pnq n2 n3 2n n! 10 3 ns 9 ns 30 ns 90 ns 0.9 µs 0.9 µs 3 ms 20 4 ns 18 ns 80 ns 0.4 µs 7 µs 1 ms 70 years 30 4.5 ns 28 ns 140 ns 0.8 µs 25 µs 1 s ą age of universe 40 5 ns 37 ns 190 ns 1.5 µs 60 µs 1024 s – 50 5.2 ns 46 ns 260 ns 2.3 µs 0.1 ms 12 days – 60 5.5 ns 55 ns 330 ns 3.3 µs 0.2 ms 34 years – 80 5.8 ns 75 ns 470 ns 6 µs 0.4 ms 35 million years – 100 6.2 ns 93 ns 620 ns 9 µs 0.9 ms ą age of universe – 200 7.1 ns 186 ns 1.5 µs 37 µs 7 ms – – 1000 9.2 ns 0.9 µs 9 µs 1 ms 1 s – – 10000 12 ns 9 µs 0.1 ms 100 ms 1000 s – – Vanessa VITSE (UGA) Introduction to Cryptography M1 Maths – MSIAM 2020 18 / 23

slide-39
SLIDE 39

Modular arithmetic and complexity Modular exponentiation

Polynomial vs Exponential complexities

Using a computer that makes 230 elementary op/s, how long to perform f pnq operations?

n log2pnq n n log2pnq n2 n3 2n n! 10 3 ns 9 ns 30 ns 90 ns 0.9 µs 0.9 µs 3 ms 20 4 ns 18 ns 80 ns 0.4 µs 7 µs 1 ms 70 years 30 4.5 ns 28 ns 140 ns 0.8 µs 25 µs 1 s ą age of universe 40 5 ns 37 ns 190 ns 1.5 µs 60 µs 1024 s – 50 5.2 ns 46 ns 260 ns 2.3 µs 0.1 ms 12 days – 60 5.5 ns 55 ns 330 ns 3.3 µs 0.2 ms 34 years – 80 5.8 ns 75 ns 470 ns 6 µs 0.4 ms 35 million years – 100 6.2 ns 93 ns 620 ns 9 µs 0.9 ms ą age of universe – 200 7.1 ns 186 ns 1.5 µs 37 µs 7 ms – – 1000 9.2 ns 0.9 µs 9 µs 1 ms 1 s – – 10000 12 ns 9 µs 0.1 ms 100 ms 1000 s – –

First example of a one-way function (for asymmetric crypto)

fast exponentiation algorithms have polynomial complexity no efficient algorithm (in 2020) which computes x given n, g, gx mod n when n is a large prime (discrete logarithm problem)

Vanessa VITSE (UGA) Introduction to Cryptography M1 Maths – MSIAM 2020 18 / 23

slide-40
SLIDE 40
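The asymmetry of the slide, polynomial one way and exponential the other, can be measured on a toy instance. The following added Python example (not from the course) uses constructed parameters $p = 1000003$ (prime), $g = 2$ and a secret exponent $x = 123456$: it counts the modular multiplications that square-and-multiply needs to compute $g^x \bmod p$ (the Algorithm 2 count, $\lfloor \log_2 x \rfloor$ squarings plus one multiplication per extra 1 bit) against those an exhaustive search needs to find $x$ back from $g^x$. The search is the naive baseline only; the point of the slide is that on real-size parameters this search space is out of reach.

```python
# Constructed toy parameters: p is the prime 1000003, g = 2, x is the exponent to hide.
P = 1000003
G = 2
X = 123456


def square_and_multiply_ops(e: int) -> int:
    """Modular multiplications of a square-and-multiply exponentiation with
    exponent e: (bit length - 1) squarings + (popcount - 1) multiplications."""
    return (e.bit_length() - 1) + (bin(e).count("1") - 1)


def brute_force_dlog(g: int, h: int, p: int):
    """Exhaustive search for the smallest x with g^x = h mod p, returning
    (x, multiplications performed): the cost grows with x itself, that is
    exponentially in the bit size of x."""
    acc, ops = 1, 0
    for x in range(p):
        if acc == h:
            return x, ops
        acc = acc * g % p
        ops += 1
    return None, ops


def compare_costs(g: int, x: int, p: int) -> dict:
    """Forward direction (exponentiation) against backward direction (discrete log)."""
    h = pow(g, x, p)
    recovered, dlog_ops = brute_force_dlog(g, h, p)
    return {
        "h": h,
        "recovered_x": recovered,
        "exponentiation_ops": square_and_multiply_ops(x),
        "dlog_ops": dlog_ops,
    }


if __name__ == "__main__":
    print(compare_costs(G, X, P))
```

On this instance the forward computation costs 21 multiplications and the search 123456, and doubling the bit size of $x$ roughly doubles the former while squaring the latter, which is the table above read column by column.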

Modular arithmetic and complexity: Extended Euclid algorithm

What about division in the non-integral domain $\mathbb{Z}/n\mathbb{Z}$?

gcd property
Let $a$ and $b$ be two positive integers such that $a > b$; then $\gcd(a, b) = \gcd(b, a \bmod b)$.

Let $r_0 := a$ and $r_1 := b$, and compute iteratively
  $r_0 = r_1 q_1 + r_2$ with $0 \leq r_2 < |r_1|$ → $\gcd(a, b) = \gcd(r_1, r_2)$
  $r_1 = r_2 q_2 + r_3$ with $0 \leq r_3 < r_2$ → $\gcd(r_1, r_2) = \gcd(r_2, r_3)$
  ...
  $r_{n-1} = r_n q_n + r_{n+1}$ with $r_{n+1} = 0$ → $\gcd(r_{n-1}, r_n) = r_n$
$\gcd(a, b)$ is equal to the last non-zero remainder $r_n$.

Modular arithmetic and complexity: Extended Euclid algorithm

Euclid's algorithm

Complexity
Euclid's algorithm complexity is in $O((\log N)^2)$ [complexity analysis on the blackboard]

Algorithm 3: Euclid's algorithm
    Input: a, b ∈ ℕ, a > b
    Output: gcd(a, b)
    while b > 0 do
        r ← a mod b
        a ← b
        b ← r
    return a

Modular arithmetic and complexity: Extended Euclid algorithm

Extended Euclid's algorithm and modular inverse

Bézout lemma
For $a, b \in \mathbb{Z}$, there exist $u, v \in \mathbb{Z}$ such that $au + bv = \gcd(a, b)$.

Direct application of Bézout: $a \bmod n$ is invertible $\iff \gcd(a, n) = 1$.

Algorithm 4: Computation of the inverse modulo n
    Input: a ∈ ℤ, n ∈ ℕ*
    Output: a⁻¹ mod n
    b ← n
    u0 ← 1
    u1 ← 0
    while b ≠ 0 do
        tmp ← a
        a ← b
        b ← tmp % a
        q ← tmp / a        (integer quotient)
        tmp ← u0 − q·u1
        u0 ← u1
        u1 ← tmp
    return u0

Modular arithmetic and complexity: Extended Euclid algorithm

Invertible elements modulo n

Euler's totient function
$\forall n \in \mathbb{N}^*$, $\varphi(n) = |(\mathbb{Z}/n\mathbb{Z})^\times|$. $\varphi(n)$ is the number of generators of any cyclic group of cardinality $n$.

Computation of $\varphi(n)$ is easy if the factorisation of $n$ is known:
• $\varphi(mn) = \varphi(m)\varphi(n)$ for all coprime positive integers $n, m$.
• $\varphi(p^e) = p^e - p^{e-1} = p^e(1 - 1/p)$ for all prime $p$ and positive integer $e$.
• $\varphi(n) = n \prod_{i=1}^{r} (1 - 1/p_i)$ where $n = p_1^{e_1} \cdots p_r^{e_r}$ is the factorisation of $n$ into distinct primes.
• $n = \sum_{d \mid n} \varphi(d)$.
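The four properties above can be checked against the definition on small values. This added Python example (not from the course) computes $\varphi(n)$ from a trial-division factorisation with the product formula, compares it with a direct count of the units of $\mathbb{Z}/n\mathbb{Z}$, verifies $n = \sum_{d \mid n} \varphi(d)$, and counts the generators of the cyclic group $(\mathbb{Z}/p\mathbb{Z})^\times$ for $p = 101$, which should be $\varphi(100)$. The function names and the sample values are assumptions for the demonstration.

```python
from math import gcd


def factorize(n: int) -> dict:
    """Trial-division factorisation n = prod p^e (adequate for the small n used here)."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n: int) -> int:
    """Euler's totient via the product formula phi(n) = n * prod_{p | n} (1 - 1/p)."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)
    return result


def phi_by_counting(n: int) -> int:
    """Definition: number of units of Z/nZ, i.e. of k in [1, n] coprime to n."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def sum_phi_over_divisors(n: int) -> int:
    """Left-hand side of the identity n = sum_{d | n} phi(d)."""
    return sum(phi(d) for d in range(1, n + 1) if n % d == 0)


def count_generators_mod_prime(p: int) -> int:
    """(Z/pZ)^x is cyclic of cardinality p - 1, so it has phi(p - 1) generators:
    count the elements whose multiplicative order is exactly p - 1."""
    count = 0
    for g in range(1, p):
        x, order = g, 1
        while x != 1:
            x = x * g % p
            order += 1
        if order == p - 1:
            count += 1
    return count


if __name__ == "__main__":
    for n in (1, 12, 100, 101, 360):
        print(n, factorize(n), phi(n), phi_by_counting(n), sum_phi_over_divisors(n))
    print("generators of (Z/101Z)^x:", count_generators_mod_prime(101), "phi(100) =", phi(100))
```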

Modular arithmetic and complexity: Extended Euclid algorithm

Another application of the Extended Euclid algorithm

Chinese Remainder Theorem – CRT
Let $n, m$ be two coprime integers and $a, b$ two integers. Then the system
  $x = a \bmod n$
  $x = b \bmod m$
admits a unique solution mod $mn$. [Proof on the blackboard, to be known!]
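The extended Euclid algorithm, the modular inverse of Algorithm 4 and the CRT solution all run on the same remainder sequence. This added Python example (not from the course) carries both Bézout coefficients along Euclid's algorithm, transcribes Algorithm 4 as printed (with `b` initialised to `n`), refuses to invert when $\gcd(a, n) \neq 1$, and solves the CRT system from $nu + mv = 1$: since $mv = 1 \bmod n$ and $nu = 1 \bmod m$, the value $x = a\,mv + b\,nu$ satisfies both congruences. The function names and sample values are assumptions for the demonstration.

```python
def egcd(a: int, b: int):
    """Extended Euclid: returns (d, u, v) with a*u + b*v == d == gcd(a, b).
    Same remainders r_0 = a, r_1 = b, r_{i+1} = r_{i-1} mod r_i as on the slides,
    with the Bezout coefficients updated at every step."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v


def modinv_slide(a: int, n: int) -> int:
    """Algorithm 4 from the slides, tracking only the u coefficient; b starts at n.
    Returns the Bezout coefficient of a, which may be negative (reduce mod n)."""
    b, u0, u1 = n, 1, 0
    while b != 0:
        tmp = a
        a = b
        b = tmp % a
        q = tmp // a
        tmp = u0 - q * u1
        u0 = u1
        u1 = tmp
    return u0


def is_invertible(a: int, n: int) -> bool:
    """Bezout: a mod n is invertible iff gcd(a, n) = 1."""
    return egcd(a % n, n)[0] == 1


def modinv(a: int, n: int) -> int:
    """a^{-1} mod n in [0, n), raising when it does not exist."""
    d, u, _ = egcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} is not invertible modulo {n}: gcd = {d}")
    return u % n


def crt(a: int, n: int, b: int, m: int) -> int:
    """Unique x in [0, nm) with x = a mod n and x = b mod m, for coprime n, m."""
    d, u, v = egcd(n, m)
    if d != 1:
        raise ValueError(f"moduli {n} and {m} are not coprime: gcd = {d}")
    # n*u + m*v = 1, hence m*v = 1 mod n and n*u = 1 mod m.
    return (a * m * v + b * n * u) % (n * m)


if __name__ == "__main__":
    print(egcd(240, 46))                      # constructed sample: (2, -9, 47)
    print(modinv(3, 7), modinv_slide(3, 7) % 7)
    print(crt(2, 3, 3, 5))                    # x = 2 mod 3, x = 3 mod 5 -> 8
```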