Products of Small Primes in Cryptology, Coding and Theoretical Computer Science David Naccache ENS
Gödel Numbering • In 1930, Kurt Gödel proved that: “In any consistent formalization of mathematics that is sufficiently strong to define the concept of natural numbers, one can construct a statement that can be neither proved nor disproved within that system”. This is Gödel’s famous incompleteness theorem.
Gödel’s Theorem • Very much simplified, the proof of this theorem is the following. Encode (assign a positive integer to) each propositional calculus symbol:
Logical symbol   Encoding (integers < 12)   Meaning
¬                1                          not
∀                2                          for all
→                3                          if, then
⋀                4                          and
⋁                5                          or
(                6
)                7
…                …
For Integers > 10 • Predicate symbols are encoded by multiples of 3: P 12, Q 15, R 18. • Variables are encoded by integers ≡ 1 mod 3: x 13, y 16, z 19. • Propositional symbols are encoded by integers ≡ 2 mod 3: E 14, F 17, G 20.
Gödel’s Numbering Arithmetical statements are assigned unique Gödel numbers. This is based on a simple code which essentially reads prime_1^character[1] · prime_2^character[2] · … For example the statement ∀x, P(x) becomes 2^2 · 3^16 · 5^12 · 7^6 · 11^16 · 13^7 = 14259844433335185664666562849653536301757812500, because character[∀]=2, character[x]=16, character[P]=12, character[(]=6, character[x]=16, character[)]=7. We say that 142…2500 is the Gödel Number (GN) of ∀x, P(x).
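Gödel numbering as working code, added here as an illustration and not taken from the slides: it uses the symbol codes from the tables above (with character[x] = 16, as in the slide's worked example) and recovers the symbols from a Gödel number by dividing out consecutive primes.

```python
from itertools import count

# Symbol codes from the slides' tables. The slides' worked example uses
# character[x] = 16 (their variable table lists 13); x = 16 here so the
# number computed below matches the slide.
CODE = {"¬": 1, "∀": 2, "→": 3, "∧": 4, "∨": 5, "(": 6, ")": 7,
        "P": 12, "Q": 15, "R": 18, "x": 16, "E": 14, "F": 17, "G": 20}


def primes():
    """Yield 2, 3, 5, 7, ... by trial division (enough for short statements)."""
    found = []
    for n in count(2):
        if all(n % q for q in found if q * q <= n):
            found.append(n)
            yield n


def godel_number(symbols):
    """GN = prime_1^CODE[s_1] * prime_2^CODE[s_2] * ... for a symbol sequence."""
    gn = 1
    for p, s in zip(primes(), symbols):
        gn *= p ** CODE[s]
    return gn


def decode(gn):
    """Invert godel_number: read each exponent off by repeated division,
    prime by prime, until nothing is left. Raises if gn is not a GN
    (a prime with exponent 0, or an exponent that is not a symbol code)."""
    inv = {v: k for k, v in CODE.items()}
    symbols = []
    for p in primes():
        if gn == 1:
            return symbols
        e = 0
        while gn % p == 0:
            gn //= p
            e += 1
        if e not in inv:
            raise ValueError(f"not a Gödel number: exponent {e} at prime {p}")
        symbols.append(inv[e])


if __name__ == "__main__":
    stmt = ["∀", "x", "P", "(", "x", ")"]
    print(godel_number(stmt))        # the 47-digit number from the slide
    print(decode(godel_number(stmt)))
```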
This Lecture Is About Applications of Gödel’s way of encoding information: prime_1^character[1] · prime_2^character[2] · …
Back to Gödel’s Theorem Sequences of statements are also assigned Gödel numbers. e.g. if: a = GN(∀x, P(x)), b = GN(∀x, ¬P(x)), c = GN(∀x, ¬Q(x) ∧ P(x)), then the sequence of statements ∀x, P(x); ∀x, ¬P(x); ∀x, ¬Q(x) ∧ P(x) gets the GN 2^a · 3^b · 5^c, which we will call d. The proof of the incompleteness theorem depends on the fact that, in formal arithmetic, some statement sequences logically entail (prove) other statements.
Gödel’s Theorem For example it might be shown that a, b, and c together (i.e. d) prove e. Because this is a demonstrable relationship between numbers it is entitled to its own symbol, for example R. R(v,x) would then mean "x proves v". In the case where x and v are the Gödel numbers e and d we would say R(e,d). Put more simply: R(e,d) means “the sequence of statements whose GN is d is the proof of the statement whose GN is e.”
Gödel’s Punchline • The punchline is that we can write the statement ∀x, ¬R(v,x) • which means: no proposition of type v can be proved • The Gödel number for this statement would be 2^2 · 3^16 · 5^1 · 7^18 · 11^6 · 13^12 · 17^16 · 19^7 • but we will just call it r. • Now if we consider the statement ∀x, ¬R(r,x) we will realise that it says: no proposition that says ‘no proposition of type v can be proved’ can be proved. • This collapses into the statement “this proposition cannot be proved”, which is inconsistent, because if it is provable then it is not provable, and vice versa.
More Than Forty Years Pass… Diffie and Hellman invent public-key cryptography. [Diagram labels: message, public key, encryption algorithm, ciphertext, secret key, decryption algorithm]
Diffie-Hellman Key Exchange Diffie and Hellman also proposed a new revolutionary manner to create a unique pair of physical objects.
Diffie-Hellman Key Exchange In reality, Diffie and Hellman provided a mathematical analogy to the protocol that we have just illustrated. Their solution is based on the assumption that the following problem (known as the Discrete Logarithm Problem) is hard: Given g, a, p find x such that g^x = a mod p.
One party: pick random x; compute a = g^x mod p; send a; compute k = b^x mod p.
Other party: pick random y; compute b = g^y mod p; send b; compute k = a^y mod p.
Discrete Log “Gödel” Encryption Generate a public large prime integer p, select a large secret s and publish the public keys v_1,…,v_k where v_i^s = p_i mod p and p_i stands for the ith prime (p_1=2, p_2=3, p_3=5, …). To encrypt a message m (whose bits we denote m[1],…,m[k]) the sender computes the ciphertext c = v_1^m[1] ⋯ v_k^m[k] mod p. c is decrypted by computing d = c^s mod p = p_1^m[1] ⋯ p_k^m[k] and factoring the result over the integers to determine m.
Discrete Log “Gödel” Encryption For this to work we need to have that p_1 ⋯ p_k < p. The security of this cryptosystem is based on the hardness of the discrete logarithm problem: Given g, a, p find x such that g^x = a mod p.
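The scheme above in Python, added as an illustration (not the author's code): key generation takes the s-th roots of the small primes using the inverse of s modulo p−1, encryption multiplies together the public keys of the set bits, and decryption reads the bits off c^s mod p by trial division. The prime p = 10000019 and secret s = 12345 are constructed toy values, far too small for real use.

```python
from math import gcd

PRIMES = [2, 3, 5, 7, 11, 13, 17, 19]   # p_1..p_k, one per message bit (k = 8)


def keygen(p, s, primes=PRIMES):
    """Public keys v_i with v_i^s = p_i (mod p): v_i = p_i^(s^-1 mod (p-1))."""
    prod = 1
    for q in primes:
        prod *= q
    if prod >= p:                       # decryption must factor d over the integers
        raise ValueError("need p_1 * ... * p_k < p")
    if gcd(s, p - 1) != 1:              # otherwise the s-th roots need not exist
        raise ValueError("s must be invertible modulo p-1")
    s_inv = pow(s, -1, p - 1)           # modular inverse (Python 3.8+)
    return [pow(q, s_inv, p) for q in primes]


def encrypt(bits, pub, p):
    """c = v_1^m[1] * ... * v_k^m[k] mod p: multiply in the keys of the set bits."""
    c = 1
    for b, v in zip(bits, pub):
        if b:
            c = c * v % p
    return c


def decrypt(c, s, p, primes=PRIMES):
    """d = c^s mod p is p_1^m[1] * ... * p_k^m[k] as an integer; m[i] = 1 iff p_i | d."""
    d = pow(c, s, p)
    bits = []
    for q in primes:
        if d % q == 0:
            bits.append(1)
            d //= q
        else:
            bits.append(0)
    if d != 1:                          # leftover factor: not a valid ciphertext
        raise ValueError("ciphertext is not an encryption of a k-bit message")
    return bits


# Toy parameters, constructed for this demo only.
P = 10000019          # prime, larger than 2*3*5*7*11*13*17*19 = 9699690
S = 12345             # secret exponent, coprime to P - 1 = 2 * 5000009
PUB = keygen(P, S)

if __name__ == "__main__":
    m = [1, 0, 1, 1, 0, 0, 1, 0]
    c = encrypt(m, PUB, P)
    print(c, decrypt(c, S, P) == m)
```

Note that the scheme is deterministic and multiplicative (the same message always gives the same ciphertext, and the product of two ciphertexts with disjoint bit sets decrypts to their union), so it is a textbook construction, not a ready-to-use cipher.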
As We Are In an ECC Conference We must say something about ECs. Can the previous encryption scheme run on an EC? The answer is yes, but only in theory… We might use, instead of small primes, small rational points on an EC. Publish s·p_i as public keys. As we get the ciphertext and multiply it over the curve by the inverse of s, how do we see which rational points are in there?! Use height and projective coordinates!
As We Are In an ECC Conference Get the ciphertext, multiply by the inverse of s and attempt to subtract each rational point from the result. Height decreases → good guess. Height increases → bad guess.
Problem We do not know ECs with enough independent small rational points on them. The world record is 28, meaning that we could “encode” 28 message bits in a 10000-bit ciphertext (plaintext too small to be secure). This can be improved slightly by using signed rational points (bandwidth improves to 28·log2(3) bits). We can also shoot for low-density message encoding, which allows us to stuff more bits into the ciphertext using only 28 points, but at the price of ciphertext size explosion. Any more elegant ideas to make this fly?
“Gödel” Error-Correction Gödel’s encoding can also be used for error correction, in a very inefficient but rather curious way… Before we proceed, a few reminders about error correcting codes.
Ideal Communication (Ideal Noiseless World) [Animation: the message “Hello” is sent letter by letter and arrives intact.]
Real Communication (Reality) [Animation: “Hello” is sent but arrives as “Hell!” ?!!]
Error Correcting Codes [Animation: “Hello” → encoding algorithm → “z4%J9ds”; the channel corrupts two symbols, giving “zt%Jxds” → decoding algorithm → “Hello”.]
Error Correcting Codes A bit of terminology. The number of errors correctable by a code is called the code’s correction capacity (denoted t). The ratio between the length of the encoded message and the original message (in our example 7/5 = 1.4) is called the code’s expansion rate (denoted r).