Understanding Cryptography Lecture 16
Discover the fundamentals of number theory in cryptography, including ZN and *N concepts, GCD, prime numbers, and Euclidean algorithms. Delve into the importance of number theory in private-key and public-key cryptography, emphasizing computational number theory's significance.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Cryptography Lecture 16
Q and A; bring the written answers to TA before the class 1. What is ZN? What is *N? Write down and remember them. What is GCD? What s a prime number? Given some examples. 2. Carefully read Appendix B 1 and B 2.1 and B 2.2. What are Euclidean and Extended Euclidean algorithms? What can they solve, respectively?
(Computational) number theory
Why now? We have not needed any number theory or advanced math until now Practical private-key cryptography is based on stream ciphers, block ciphers, and hash functions Lots of non-trivial crypto can be done without any number theory!
Why now? Reason 1: Culmination of top-down approach For most cryptography, we ultimately need to assume some problem is hard The lowest-level assumptions we can make relate to problems in number theory These problems have often also been studied a long time
Why now? Reason 2: The public-key setting Public-key cryptography requires number theory (in some sense)
Our goal Cover basic number theory quickly! No HWs; one quiz; read and remember the book definitions, examples, and theorems Cover the minimum needed for all the applications we will study Some facts stated without proof Can take entire classes devoted to this material Abstracting some of the ideas makes things easier to understand
Computational number theory We will be interested in the computational difficulty of various problems Different from most of mathematics! Measure running times of algorithms in terms of the input lengths involved x = O(log x); x = 2 x
Computational number theory Our goal: classify various problems as either easy or hard I.e., polynomial-time algorithms known or not We will not focus on optimizations, although these are very important in practice For easy problems: speed up cryptographic implementations For hard problems: need to understand concrete hardness for concrete security
Representing integers (e.g., in C) Cryptography involves very large numbers! Standard (unsigned) integers in C are small, fixed length (e.g., 16 or 32 bits) For crypto, need to work with integers that are much longer (e.g., 2000 bits) Solution: use an array E.g., bignum = array of unsigned chars (bytes) Useful to also maintain a variable indicating the length of the array
Example: addition Now need to define all arithmetic operations on bignums E.g., how to add two bytes? Note that C will discard the overflow, i.e., it does addition modulo 28
Example: addition Note a 27iff msb(a)=1 AddWithCarry(char a, char b, char carry) // carry is 0 or 1 If a < 27and b < 27res=a+b+carry, carry=0 If a < 27and b 27res=a+(b-27)+carry If res 27res=res-27, carry=1 Else res=res+27, carry=0 If a 27and b 27res=(a-27)+(b-27)+carry, carry=1
Example: addition Add(bignum a, l1, bignum b, l2) Use grade-school addition, using AddWithCarry element-by-element Running time O(max{l1, l2}) = O(max{ a , b }) If a = b =n then O(n) Is it possible to do better? No must read input (O(n)) and write output (O(n))
Example: multiplication What is the length of the result? ab =O(log ab)=O(log a + log b) =O( a + b ) Use grade-school multiplication Running time O( a b ) If a = b =n then O(n2) Can we do better? Surprisingly yes! But we will not cover here
Basic arithmetic operations Addition / subtraction / multiplication can all be done efficiently Using grade-school algorithms Division-with-remainder can also be done efficiently Much less obvious!
Modular arithmetic Notation: [a mod N] is the remainder of a when divided by N Note 0 [a mod N] N-1 a = b mod N [a mod N] = [b mod N]
Modular arithmetic Note that [a+b mod N] = [[a mod N] + [b mod N] mod N] [a-b mod N] = [[a mod N] - [b mod N] mod N] and [ab mod N] = [[a mod N][b mod N] mod N] I.e., can always work with reduced intermediate values This can be used to speed up computations
Modular arithmetic Not true for division! I.e., [9/3 mod 6] = [3 mod 6] = 3 but [[9 mod 6]/[3 mod 6] mod 6] = 3/3 = 1 We will return to division later
Modular arithmetic Modular reduction can be done efficiently Use division-with-remainder c = [a mod N] Modular addition / subtraction / multiplication can all be done efficiently We will return to division later
Exponentiation Compute ab? ab = O(b a ) Just writing down the answer takes exponential time! Instead, look at modular exponentiation I.e., compute [abmod N] Size of the answer < N How to do it? Computing aband then reducing modulo N will not work
Efficient exponentiation Consider the following algorithm: exp(a, b, N) { // assume b 0 ans = 1; for (i=1, i b; i++) ans = [ans * a mod N]; return ans; } This is an exponential-time algorithm!
Efficient exponentiation Assume b = 2kfor simplicity The preceding algorithm roughly corresponds to computing a*a*a* *a Better: compute (((a2)2)2 )2 2kmultiplications vs. k squarings Note k = O( b )
Efficient exponentiation Consider the following algorithm: exp(a, b, N) { // assume b 0 x=a, t=1; while (b>0) { if (b odd) t = [t * x mod N], b = b-1; x = [x2mod N], b = b/2; } return t; } Why does this work? Invariant: answer is [t xbmod N] Running time is polynomial in a , b , N
Primes and divisibility Assume you have encountered this before Notation a | b If a | b then a is a divisor of b p>1 is prime if its only divisors are 1 and p p is composite otherwise d = gcd(a, b) if both: d | a and d | b d is the largest integer with that property
Primes and divisibility 1 | 8; 3 | 21; 4 | 9? 1, 2, 3, 5, 7, 11 are primes 2 = gcd(2, 4) 1 = gcd (7, 11)
Computing gcd? Can compute gcd(a, b) by factoring a and b and looking for common prime factors This is not (known to be) efficient! Can use the Euclidean algorithm to compute gcd(a, b) One of the earliest nontrivial algorithms! See book for details
Proposition Given a, b > 0, there exist integers X, Y such that Xa + Yb = gcd(a, b) See book for proof Can use the extended Euclidean algorithm to compute X, Y
Modular inverses b is invertible modulo N if there exists an integer a such that ab = 1 mod N Let [b-1mod N] denote the unique such b that lies in the range {0, , N-1} Division by b modulo N only defined when b is invertible modulo N In that case, [a/b mod N] defined as [a b-1mod N]
Cancellation Expected cancellation rule applies for invertible elements I.e., if ab = cb mod N and b is invertible modulo N, then a = c mod N Proof: multiply both sides by b-1 Note: this is not true if b is not invertible E.g., 3*2 = 15*2 mod 8 but 3 15 mod 8
Invertibility How to determine whether b is invertible modulo N? Thm: b invertible modulo N iff gcd(b, N)=1 To find the inverse, use extended Euclidean algorithm to find X, Y with Xb + YN = 1 Then [X mod N] is b-1mod N Conclusion: can efficiently test invertibility and compute inverses!
