1 / 30

Cryptography

Cryptography. Lecture 16. Q and A; b ring the written answers to TA before the class. 1. What is Z N ? What is ℤ * N ? Write down and r emember them. What is GCD? What’s a prime number? Given some examples.

maloneyc
Download Presentation

Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cryptography Lecture 16

  2. QandA;bringthewrittenanswerstoTAbeforetheclass • 1.WhatisZN?Whatisℤ*N?Writedownandrememberthem. • WhatisGCD?What’saprimenumber?Givensomeexamples. • 2.CarefullyreadAppendixB1andB2.1andB2.2.WhatareEuclideanandExtendedEuclideanalgorithms?Whatcantheysolve,respectively?

  3. (Computational)number theory

  4. Why now? • We have not needed any number theory or “advanced math” until now • Practical private-key cryptography is based on stream ciphers, block ciphers, and hash functions • Lots of non-trivial crypto can be done without any number theory!

  5. Why now? • Reason 1: Culmination of “top-down” approach • For most cryptography, we ultimately need to assume some problem is hard • The “lowest-level” assumptions we can make relate to problems in number theory • These problems have often also been studied a long time

  6. Why now? • Reason 2: The public-key setting • Public-key cryptography requires number theory (in some sense)

  7. Our goal • Cover basic number theory quickly! • NoHWs;onequiz;readandrememberthebookdefinitions,examples,andtheorems • Cover the minimum needed for all the applications we will study • Some facts stated without proof • Can take entire classes devoted to this material • Abstracting some of the ideas makes things easier to understand

  8. Computational number theory • We will be interested in the computational difficulty of various problems • Different from most of mathematics! • Measure running times of algorithms in terms of the input lengths involved • ǁxǁ = O(log x); x = 2ǁxǁ

  9. Computational number theory • Our goal: classify various problems as either “easy” or “hard” • I.e., polynomial-time algorithms known or not • We will not focus on optimizations, although these are very important in practice • For “easy” problems: speed up cryptographic implementations • For “hard” problems: need to understand concrete hardness for concrete security

  10. Representing integers (e.g., in C) • Cryptography involves very large numbers! • Standard (unsigned) integers in C are small, fixed length (e.g., 16 or 32 bits) • For crypto, need to work with integers that are much longer (e.g., 2000 bits) • Solution: use an array • E.g., “bignum” = array of unsigned chars (bytes) • Useful to also maintain a variable indicating the length of the array

  11. Example: addition • Now need to define all arithmetic operations on bignums • E.g., how to add two bytes? • Note that C will discard the overflow, i.e., it does addition modulo 28

  12. Example: addition • Note a ≥ 27iffmsb(a)=1 • AddWithCarry(char a, char b, char carry) // carry is 0 or 1 • If a < 27 and b < 27res=a+b+carry, carry=0 • If a < 27 and b ≥ 27 res=a+(b-27)+carry • If res ≥ 27res=res-27, carry=1 • Else res=res+27, carry=0 • If a ≥ 27and b ≥ 27res=(a-27)+(b-27)+carry, carry=1

  13. Example: addition • Add(bignum a, l1, bignum b, l2) • Use grade-school addition, using AddWithCarry element-by-element… • Running time O(max{l1, l2}) = O(max{ǁaǁ,ǁbǁ}) • If ǁaǁ=ǁbǁ=n then O(n) • Is it possible to do better? • No – must read input (O(n)) and write output (O(n))

  14. Example: multiplication • What is the length of the result? • ǁabǁ=O(log ab)=O(log a + log b) =O(ǁaǁ+ǁbǁ) • Use grade-school multiplication… • Running time O(ǁaǁǁbǁ) • If ǁaǁ=ǁbǁ=n then O(n2) • Can we do better? • Surprisingly…yes! But we will not cover here…

  15. Basic arithmetic operations • Addition / subtraction / multiplication can all be done efficiently • Using grade-school algorithms • Division-with-remainder can also be done efficiently • Much less obvious!

  16. Modular arithmetic • Notation: • [a mod N] is the remainder of a when divided by N • Note 0 ≤ [a mod N] ≤ N-1 • a = b mod N  [a mod N] = [b mod N]

  17. Modular arithmetic • Note that [a+b mod N] = [[a mod N] + [b mod N] mod N][a-b mod N] = [[a mod N] - [b mod N] mod N]and[ab mod N] = [[a mod N][b mod N] mod N] • I.e., can always work with reduced intermediate values • This can be used to speed up computations

  18. Modular arithmetic • Not true for division! • I.e., [9/3 mod 6] = [3 mod 6] = 3but [[9 mod 6]/[3 mod 6] mod 6] = 3/3 = 1 • We will return to division later…

  19. Modular arithmetic • Modular reduction can be done efficiently • Use division-with-remainder • c=[amodN] • Modular addition / subtraction / multiplication can all be done efficiently • We will return to division later

  20. Exponentiation • Compute ab ? • ǁabǁ = O(b · ǁaǁ) • Just writing down the answer takes exponential time! • Instead, look at modular exponentiation • I.e., compute [ab mod N] • Size of the answer < ǁNǁ • How to do it? • Computing ab and then reducing modulo N will not work…

  21. Efficient exponentiation • Consider the following algorithm:exp(a, b, N) { // assume b  0ans = 1; for (i=1, i ≤ b; i++) ans = [ans * a mod N]; return ans; } • This is an exponential-time algorithm!

  22. Efficient exponentiation • Assume b = 2k for simplicity • The preceding algorithm roughly corresponds to computing a*a*a*…*a • Better: compute (((a2)2)2…)2 • 2k multiplications vs. k squarings • Note k = O(ǁbǁ)

  23. Efficient exponentiation • Consider the following algorithm:exp(a, b, N) { // assume b  0 x=a, t=1; while (b>0) { if (b odd) t = [t * x mod N], b = b-1; x = [x2 mod N], b = b/2;} return t;} • Why does this work? • Invariant: answer is [t xb mod N] • Running time is polynomial in ǁaǁ, ǁbǁ, ǁNǁ

  24. Primes and divisibility • Assume you have encountered this before… • Notation a | b • If a | b then a is a divisor of b • p>1 is prime if its only divisors are 1 and p • p is composite otherwise • d = gcd(a, b) if both: • d | a and d | b • d is the largest integer with that property

  25. Primes and divisibility • 1 | 8;3|21;4|9? • 1,2,3,5,7,11…areprimes • 2 = gcd(2, 4) • 1=gcd(7,11)

  26. Computing gcd? • Can compute gcd(a, b) by factoring a and b and looking for common prime factors… • This is not (known to be) efficient! • Can use the Euclidean algorithm to compute gcd(a, b) • One of the earliest nontrivial algorithms! • See book for details

  27. Proposition • Given a, b > 0, there exist integers X, Y such that Xa + Yb = gcd(a, b) • See book for proof • Can use the extended Euclidean algorithm to compute X, Y

  28. Modular inverses • b is invertible modulo N if there exists an integer a such that ab = 1 mod N • Let [b-1 mod N] denote the unique such b that lies in the range {0, …, N-1} • Division by b modulo N only defined when b is invertible modulo N • In that case, [a/b mod N] defined as [a b-1 mod N]

  29. Cancellation • “Expected” cancellation rule applies for invertible elements • I.e., if ab = cb mod N and b is invertible modulo N, then a = c mod N • Proof: multiply both sides by b-1 • Note: this is not true if b is not invertible • E.g., 3*2 = 15*2 mod 8 but 3  15 mod 8

  30. Invertibility • How to determine whether b is invertible modulo N? • Thm: b invertible modulo N iffgcd(b, N)=1 • To find the inverse, use extended Euclidean algorithm to find X, Y with Xb + YN = 1 • Then [X mod N] is b-1 mod N • Conclusion: can efficiently test invertibility and compute inverses!

More Related