Cryptography - UZH · 2018-12-17 · Hash functions, Design of one-way functions Public key ciphers...

Cryptography

Prof. Dr. Joachim Rosenthal, HS11

Typed by Felix Fontein in 04/05
Re-typed and updated by Rabia-Sami Akkawi in HS11
Revised by Anna-Lena Trautman in HS11

Universität Zürich

For corrections and notes, please e-mail [email protected]

Contents

0 Road Map to Cryptography  5
  0.1 Historical Remarks  7
1 Introduction to Secret Key Systems  9
2 Introduction to Public Key Cryptography  13
3 RSA systems  19
  3.1 How difficult is it to compute $m^e$ and $c^d$?  21
  3.2 How hard is it to find large primes ($\geq 10^{100}$)?  22
    3.2.1 The Fermat Test  22
    3.2.2 The Solovay-Strassen Test (1977)  24
    3.2.3 The Miller-Rabin Test  27
    3.2.4 Deterministic Primality Tests  30
  3.3 How hard is factorization?  31
    3.3.1 Security Issues of RSA  31
      3.3.1.1 Implementation Weaknesses  32
        p and q should be sufficiently apart  32
        Pollard's $(p-1)$ Factoring Attack  32
        Common Modulus Attack  32
        Short Message Encryption  33
        Bleichenbacher Attack (1998)  33
        Low Public Key  33
        Low Decryption Exponent  34
    3.3.2 How Hard is Factoring Integers?  34
      3.3.2.1 Improvements to find numbers $x$ s.t. $x^2 \pmod n$ is $p_t$-smooth  35
      3.3.2.2 Remarks about complexity of quadratic sieve  35
4 Secret Key Ciphers  37
  4.1 Block Ciphers  39
    4.1.1 AES  39
  4.2 Stream Ciphers  40
5 Discrete Logarithm Problem and Public Key Cryptography  47
  5.1 Which groups have hard DLP?  50
  5.2 Construction of one-way trapdoor functions using a hard DLP (El-Gamal 1985)  50
  5.3 Solving the DLP (How Difficult is it?)  50
    5.3.1 Index Calculus  50
    5.3.2 Pollard ρ Method  52
    5.3.3 Baby-Step Giant-Step Method  53
    5.3.4 Pohlig-Hellman Method  53
6 Alternative Public-Key Systems  55
  6.1 Rabin System (1981)  57
  6.2 Merkle-Hellman System  58
    6.2.1 Attacks on the Merkle-Hellman System  59
      6.2.1.1 Attack by Adi Shamir (1984)  59
      6.2.1.2 Attack Based on Short Vector Search (Lagarias and Odlyzko 1985)  59
  6.3 One-Way Functions from Semi-Group-Actions  60
    6.3.1 Extended Diffie-Hellman Key Exchange  60
    6.3.2 Extended El-Gamal Protocol  61
  6.4 McEliece Crypto-System  63
    6.4.1 Information Set Decoding Attack  64
  6.5 Niederreiter Crypto-System  65
7 Hash Functions  67
  7.1 Chaum-van Heijst-Pfitzmann System  69
  7.2 Hash Function Construction  70
8 Various Schemes and Protocols  71
  8.1 Secret Sharing System  73
    8.1.1 Threshold Scheme of A. Shamir  73
  8.2 Digital Signatures  73
    8.2.1 First Attempt  73
    8.2.2 El-Gamal Signature Scheme  74
    8.2.3 DSA and ECDSA  74
  8.3 Zero Knowledge Proofs  76
  8.4 Digital Cash System - DigiCash  77
    8.4.1 Brands System  77
  8.5 Flipping Coins over Large Distance  78
A Repetition of Introduction to Finite Fields  80
  A.1 Properties of Finite Fields  82
  A.2 Construction of Finite Fields  83
  A.3 Inversion in Finite Fields  84
    A.3.1 Extended Euclidean Algorithm (EEA)  84
    A.3.2 Little Fermat or Lagrange's Theorem  84
B Entropy  86
  B.1 What is Entropy?  88
C Quick Review of Complexity Theory  90
D Lattices and Lattice Problems  94
  D.1 Approximating the Shortest Vector with respect to the Euclidean Norm  97
    D.1.1 The Algorithm  100
  D.2 Application: Factorization of Integers with the method of Claus Schnorr (1993)  100
E Basics of Coding Theory  104
  E.1 Linear Codes  106
  E.2 Goppa Codes  107
  E.3 Reed-Solomon Codes  107


Chapter 0

Road Map to Cryptography


The area of cryptology contains lots of different subareas:

• Cryptology: the art of ciphers
  • Cryptography: design of secret ciphers
    • Secret key ciphers: hash functions, design of one-way functions
    • Public key ciphers: based on one-way trapdoor functions
  • Cryptanalysis: trying to break ciphers
  • Steganography: hiding messages
    • Watermarking

In this lecture, we will concentrate on cryptography. But what exactly is cryptography? We want to cite a definition from the Handbook of Applied Cryptography, the "bible" for applied cryptography:

Definition 0.1.

Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality in point-to-point communication, data integrity and authentication.

0.1 Historical Remarks

• Around 1900 B.C., Egyptians used hieroglyphs to communicate secretly with their gods.

• The Romans used Caesar ciphers: By identifying the alphabet with $\mathbb{Z}_{26}$, that is the integers modulo 26, the cipher works by translating every letter by an offset, the secret key $k \in \mathbb{Z}_{26}$:

$$\varphi : \mathbb{Z}_{26} \to \mathbb{Z}_{26}, \qquad m \mapsto m + k$$

This is a weak scheme, since by trying a maximum of 26 possibilities the plaintext can be found.

• Around 1600, Vigenère proposed the following improvement of the Caesar cipher: Instead of encrypting one letter at a time and using one key for all letters, his scheme encrypts $n$ letters at a time, where each of them is translated by a (not necessarily) different key:

$$\varphi : \mathbb{Z}_{26}^n \to \mathbb{Z}_{26}^n, \qquad m \mapsto m + k \quad \text{where } k \in \mathbb{Z}_{26}^n$$

This might look more complex than the Caesar cipher, but by employing statistical analysis like frequency analysis of letters, one can also defeat this scheme.


• In 1930, D. Hill proposed a system

$$\varphi : \mathbb{Z}_{26}^n \to \mathbb{Z}_{26}^n, \qquad m \mapsto Am \quad \text{where } A \in GL_n(\mathbb{Z}_{26})^1$$

This is a weak scheme because of so-called known-plaintext attacks: If the attacker knows a long enough sequence of pairs $(m_i, m_i')$ such that $m_i' = A m_i$, he can compute $A$ by applying basic linear algebra.

• In the Second World War, many new systems evolved. An example is the German Enigma machine.

• In 1949, C. Shannon published his article Communication theory of secret systems. He showed the existence of provably secure (secret key) crypto-systems.

• In 1976, Diffie and Hellman came up with the first public key system.

– An example of how public key systems work is the following: If Alice wants to send a message to Bob, she encrypts the message with her own key and sends it to Bob. Bob receives the encrypted message and re-encrypts it with his own key and sends it back to Alice. Now Alice decrypts the message with her key, leaving the message encrypted with Bob's key, and sends it back for him to decrypt and read.

¹ With $GL_n(R)$ we denote the invertible $n \times n$-matrices over a ring $R$. Also note that $A \in R^{n \times n}$ is invertible if and only if its determinant is a unit in $R$, i.e. $\det A \in R^*$. This can be shown as follows: If $A$ is invertible, then $1 = \det I_n = \det(AA^{-1}) = \det A \cdot \det A^{-1}$, so $\det A \in R^*$. Conversely, we use Cramer's Rule, which states that if $Ax = b$ then

$$x_i = \frac{\det([a_1, \dots, a_{i-1}, b, a_{i+1}, \dots, a_n])}{\det(A)}$$

to find $X$ in $AX = I_n$ by finding each $x_i$.

Furthermore, note that an element $x \in \mathbb{Z}_n$ is invertible if and only if $\gcd(x, n) = 1$, i.e. if $x$ and $n$ are co-prime. This can be proven by using the Bézout identity.


Chapter 1

Introduction to Secret Key Systems


Definition 1.1.

Let $X$ and $Y$ be arbitrary sets. A function $\varphi : X \to Y$ is called a one-way function if $\varphi(x)$ can be effectively computed for every $x \in X$, and it is practically not possible to compute $\varphi^{-1}(y)$ for almost all $y \in \operatorname{Im} \varphi$. One of its applications is password storage.

Example 1.1.

1. Let $G$ be a finite group with $|G| \geq 2^{100}$, like $\mathbb{Z}/2^{100}$, $(\mathbb{F}_{2^{100}})^*$ or $GL_{11}(\mathbb{F}_2)$, and $e \in \mathbb{N}$. Also efficient multiplication should be possible. Define

$$\varphi : G \to G, \qquad g \mapsto g^e$$

This is a good one-way function if $|G|$ is unknown! If $n = |G|$ is known, then by Lagrange we have $g^n = 1_G$ for all $g \in G$. If $e$ and $n$ are co-prime, the extended Euclidean algorithm delivers a Bézout equation

$$ed + nb = 1, \qquad \text{with } d, b \in \mathbb{Z}$$

Then we have

$$\varphi(g)^d = (g^e)^d = g^{ed} = g^{1-nb} = g\,(g^n)^{-b} = g\,1_G^{-b} = g.$$

If $n$ and $e$ are not co-prime, with the same method one can recover $g^{\gcd(n,e)}$ from $g^e$, but in general not $g$ itself, since $\varphi$ is not one-one, i.e. not injective. Such functions $\varphi$ with $G = \mathbb{Z}/N\mathbb{Z}$, where $N = pq$ and both $p$ and $q$ are prime, are called RSA.¹

2. Let $G = \langle g \rangle$ be a cyclic group with generator $g$, and $|G| \geq 2^{100}$. Assume again that multiplication in $G$ is efficient. Let

$$\varphi : \mathbb{Z} \to G, \qquad m \mapsto g^m$$

As a notation: If $h = g^m$, we call $m$ the discrete logarithm of $h$ with base $g$, written $m = \log_g h$. It is important to note that, similar to the complex logarithm, the discrete logarithm is multi-valued, as for example $g^m = g^{m + |G|}$. For many groups, the discrete log problem (DLP) "given $h$ and $g$, compute $\log_g h$" is considered a very hard problem. It is easy for $G = (\mathbb{Z}/N\mathbb{Z}, +)$, where you just need to find $m$ such that $mg = h$. It is hard for a cyclic $G \subseteq ((\mathbb{Z}/N\mathbb{Z})^*, \cdot)$ and even harder for $G = E(\mathbb{F}_q)$ (elliptic curve over $\mathbb{F}_q$).²

3. We want to define a one-way function $\varphi : X \to Y$, where $X = Y = \mathbb{Z}_2^{64}$. This scheme mimics the methods used by secret ciphers like Rijndael, the cipher behind AES (Advanced Encryption Standard). Consider the following multiplications on $\mathbb{Z}_2^{64}$:

(a) By interpreting $\mathbb{Z}_2^{64}$ as $\mathbb{Z}_{2^{64}}$, for example by the bijection $(a_i)_i \mapsto \sum_i a_i 2^{i-1}$, one can define a $\mathbb{Z}_{2^{64}}$-like multiplication on $\mathbb{Z}_2^{64}$. We will denote this by $\cdot$.

(b) Another way to interpret $\mathbb{Z}_2^{64}$ is by selecting an $\mathbb{F}_2$-basis of $\mathbb{F}_{2^{64}}$ and by this defining a mapping between the two spaces; we will denote the $\mathbb{F}_{2^{64}}$-multiplication on $\mathbb{Z}_2^{64}$ by $\times$.

(c) Consider the mapping

$$(x_i)_i \mapsto \begin{pmatrix} x_1 & \cdots & x_8 \\ x_9 & \cdots & x_{16} \\ \vdots & \ddots & \vdots \\ x_{57} & \cdots & x_{64} \end{pmatrix} \in \mathbb{Z}_2^{8 \times 8}$$

We denote the $\mathbb{Z}_2^{8 \times 8}$-multiplication on $\mathbb{Z}_2^{64}$ by $\circ$.

Given an $x \in X$, the cipher works by first doing a key expansion:

$$x_0 := x, \qquad x_{t+1} := x_t \circ (x_t \cdot x_t) + x_t \times x_t \quad \text{for } t = 0, \dots, 4$$

Then, the one-way function $\varphi$ can for example be defined like

$$\varphi(x) = x_0 + x_1 \circ x_3 + x_2 \times x_4$$

The security of this scheme lies in the fact that, though the multiplications on $\mathbb{Z}_{2^{64}}$, $\mathbb{F}_{2^{64}}$ and $\mathbb{Z}_2^{8 \times 8}$ alone can be described algebraically very well, the mixing of these operations makes it very hard or even impossible to employ algebraic methods to compute the pre-image of an image element.

¹ $|G| = \phi(N) = (p-1)(q-1)$
² $E(\mathbb{F}_q) = \{(a, b) \in \mathbb{F}_q^2 \mid b^2 = a^3 - a\}$

A more sophisticated version of one-way functions is the one-way function with a secret key: Let $M$, $K$ and $C$ be sets; we will call $M$ the message space, $K$ the key space and $C$ the cipher space.

Definition 1.2.

A secret key system consists of maps

$$\varphi : M \times K \to C \quad \text{and} \quad \psi : C \times K \to M$$

called encryption and decryption, such that:

1. For all $m \in M$ and all $k \in K$, we have $\psi(\varphi(m, k), k) = m$

2. For a fixed $m \in M$, the function $\varphi_m : K \to C$ given by $k \mapsto \varphi(m, k)$ is a one-way function

Remark: The second condition guarantees that $\varphi(m, k) = x$ will not reveal $k$.

Famous examples are:

• the Enigma machine

• the 1975 Data Encryption Standard (DES), where $K = \mathbb{Z}_2^{56}$, $M = \mathbb{Z}_2^{64}$ and $C = \mathbb{Z}_2^{64}$

• the 2001 Advanced Encryption Standard (AES), where $K = \mathbb{Z}_2^{128}$ or $\mathbb{Z}_2^{256}$


Chapter 2

Introduction to Public Key Cryptography


Definition 2.1.

A one-way trapdoor function is a one-way function $\varphi : X \to Y$ having two additional properties:

1. The function $\varphi$ is one-one (injective)

2. The designer has a trapdoor which allows the computation of $\varphi^{-1}(y)$ for all $y \in \varphi(X)$

If one has such a function, it can be applied for example as follows:

1. Secret key exchange: Alice publishes a one-way trapdoor function $\varphi : X \to Y$. Bob wants to send $k \in X$ to Alice, which should serve as the secret key for a symmetric encryption scheme. Instead of $k$ he sends $\varphi(k)$ to Alice; if $\varphi$ is indeed a one-way function, only Alice can compute $\varphi^{-1}(\varphi(k))$.

2. Digital signatures: Alice deposits a one-way trapdoor function $\varphi : X \to Y$ with a trusted party. She signs a letter with:

$$s = \varphi^{-1}(\text{"Alice, Zurich 27. September 2011"})$$

Anybody can go to the trusted authority and obtain $\varphi$ and compute $\varphi(s)$. This is why it is very important to have a time stamp in this application.

In 1976, Diffie and Hellman realized the importance of one-way trapdoor functions. In 1978, Rivest, Shamir and Adleman proposed the RSA system, which was the first instantiation of a one-way trapdoor function. The idea behind it is as follows: The designer (Alice) constructs a finite group $G$, where he/she knows the group order $|G| = N$; the public however cannot feasibly compute $N$, and this is the trapdoor. The designer chooses an $e \in \mathbb{N}$ such that $\gcd(N, e) = 1$. Then $\varphi : G \to G$ given by $g \mapsto g^e$ is a one-way trapdoor function.

Remark:

1. The mapping $\varphi$ is one-one. This follows directly from the next point!

2. The extended Euclidean algorithm delivers some $d \in \mathbb{Z}$ such that $ed + bN = 1$, where $b \in \mathbb{Z}$. Then we have $\varphi^{-1} : G \to G$ given by $h \mapsto h^d$ since

$$(g^e)^d = g^{ed} = g^{1 - bN} = g\,(g^N)^{-b} = g$$

3. In RSA, one chooses $G = \mathbb{Z}_n^*$, where $n$ is the product of two large distinct primes $p$ and $q$.

Definition 2.2.

For a natural number $n \in \mathbb{N}_{>0}$, define the Euler $\phi$-function as follows:

$$\phi : \mathbb{N}_{>0} \to \mathbb{N}, \qquad n \mapsto |\mathbb{Z}_n^*|$$

The next theorem will show how to compute $\phi(n)$, if $n = pq$ and $p, q$ are unknown.


Theorem 2.1 (Chinese Remainder Theorem).

Assume $n = p_1^{e_1} \cdots p_k^{e_k} = n_1 \cdots n_k$. Then $\mathbb{Z}_n \cong \mathbb{Z}_{n_1} \times \cdots \times \mathbb{Z}_{n_k}$.

Proof.

Let $n = p_1^{e_1} \cdots p_k^{e_k}$ with $p_i$ pairwise distinct primes and $e_i \in \mathbb{N}_{>0}$. We will show the case where $n_i := p_i^{e_i}$; the general case follows directly from this one. Define the function $\varphi : \mathbb{Z} \to \mathbb{Z}_{n_1} \times \cdots \times \mathbb{Z}_{n_k}$ given by $a \mapsto (a, \dots, a)$. It is clear that $\varphi$ is a ring homomorphism, and one directly sees that

$$\ker \varphi = \bigcap_i \ker(x \mapsto x + n_i\mathbb{Z}) = \bigcap_i n_i\mathbb{Z} = n\mathbb{Z}$$

since $n$ is the least common multiple of the $n_i$. By the isomorphism theorem, we have $\mathbb{Z}/n\mathbb{Z} = \mathbb{Z}/\ker(\varphi) \cong \operatorname{Im}(\varphi) \subseteq \mathbb{Z}_{n_1} \times \cdots \times \mathbb{Z}_{n_k}$. We will show that $\varphi$ is surjective, which completes the proof. Since $\mathbb{Z}/n\mathbb{Z} \cong \operatorname{Im}(\varphi)$, it is $|\operatorname{Im}(\varphi)| = |\mathbb{Z}/n\mathbb{Z}| = n$. Now we also have $|\mathbb{Z}_{n_1} \times \cdots \times \mathbb{Z}_{n_k}| = \prod_{i=1}^k n_i = n$, and since $n$ is finite, we get $\operatorname{Im}(\varphi) = \mathbb{Z}_{n_1} \times \cdots \times \mathbb{Z}_{n_k}$.

For $n = n_1 \cdots n_k \in \mathbb{Z}$, where the $n_i$ are pairwise co-prime, the Chinese Remainder Theorem gives $\mathbb{Z}_n \cong \mathbb{Z}_{n_1} \times \cdots \times \mathbb{Z}_{n_k}$, which implies $\mathbb{Z}_n^* \cong \mathbb{Z}_{n_1}^* \times \cdots \times \mathbb{Z}_{n_k}^*$.

Therefore, we get the following corollary of the Chinese Remainder Theorem:

Corollary 2.1.

If $n_1, \dots, n_k \in \mathbb{Z}$ are pairwise co-prime and $n = n_1 \cdots n_k$, it is

$$\phi(n) = \prod_{i=1}^k \phi(n_i) = \prod_{i=1}^k \phi(p_i^{e_i}) = \prod_{i=1}^k \left(p_i^{e_i} - p_i^{e_i - 1}\right)$$

Theorem 2.2.

If $n = \prod_{i=1}^k p_i^{e_i} \in \mathbb{N}_{>0}$, where the $p_i$ are pairwise distinct primes and $e_i \in \mathbb{N}_{>0}$, then

$$\phi(n) = \prod_{i=1}^k p_i^{e_i - 1}(p_i - 1) = n \prod_{i=1}^k \frac{p_i - 1}{p_i}.$$

The proof of this theorem consists of two parts, one using elementary combinatorics and one employing the Chinese Remainder Theorem.

Proof #1.

Assume $n = p_1 \cdots p_k$, and employ the inclusion/exclusion principle. Define $A_i := \{a \in \mathbb{Z}_n \mid p_i \mid a\}$. It is easy to see that $\mathbb{Z}_n^* = A_1^c \cap \cdots \cap A_k^c$, where $A_i^c = \mathbb{Z}_n \setminus A_i$. This gives:

$$|\mathbb{Z}_n^*| = |(A_1 \cup \cdots \cup A_k)^c| = n - |A_1 \cup \cdots \cup A_k|$$

$$= n - \sum_i |A_i| + \sum_{i<j} |A_i \cap A_j| - \sum_{i<j<k} |A_i \cap A_j \cap A_k| + \cdots + (-1)^k \left| \bigcap_i A_i \right|$$

$$= n - \sum_i \frac{n}{p_i} + \sum_{i<j} \frac{n}{p_i p_j} - \sum_{i<j<k} \frac{n}{p_i p_j p_k} + \cdots + (-1)^k$$

$$= n - \sum_i p_1 \cdots p_{i-1} p_{i+1} \cdots p_k + \sum_{i<j} p_1 \cdots p_{i-1} p_{i+1} \cdots p_{j-1} p_{j+1} \cdots p_k + \cdots + (-1)^k$$

$$= n \left(1 - \frac{1}{p_1}\right) \cdots \left(1 - \frac{1}{p_k}\right) = (p_1 - 1) \cdots (p_k - 1)$$

Proof #2.

Now assume $n = \prod_{i=1}^k p_i^{e_i}$; we get $\phi(n) = \prod_{i=1}^k \phi(p_i^{e_i})$.

Now let us take a look at the case $n = p^e$ with $p$ a prime and $e \in \mathbb{N}_{>0}$. Since $\gcd(a, p^e) = 1$ if and only if $\gcd(a, p) = 1$, we get:

$$|\mathbb{Z}_{p^e}^*| = p^e - p^{e-1} = p^{e-1}(p - 1).$$

Example 2.1.

1. For the system $x \equiv 1 \pmod 3$, $x \equiv 3 \pmod 5$, one can easily see that $x \equiv 13$ or $x \equiv -2 \pmod{15}$ (as a general solution $x = 13 + 15\mathbb{Z}$).

2. Given the system $x \equiv 13 \pmod{151}$, $x \equiv 31 \pmod{131}$, it is not so obvious what the solution is. Euclid's algorithm gives $a, b \in \mathbb{Z}$ such that $a \cdot 151 + b \cdot 131 = 1$. In this example, we get $a = 59$ and $b = -68$. Now $x \equiv 31 \cdot (59 \cdot 151) - 13 \cdot (68 \cdot 131) \equiv 2127 \pmod{151 \cdot 131}$.
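As an added example (not code from the lecture notes): the extended Euclidean algorithm, a CRT solver built on the Bézout relation used in Example 2.1, and Euler's $\phi$ computed from a factorisation as in Corollary 2.1. It generalises the two-modulus example to any number of pairwise co-prime moduli; all function names are my own.

```python
# Added example, not part of the lecture notes.  Solves systems of
# congruences the way Example 2.1 does (via a Bezout equation for each
# pair of moduli) and computes Euler's phi from a prime factorisation.
from math import gcd
from functools import reduce


def egcd(a, b):
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b) (extended Euclid)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def crt(residues, moduli):
    """Smallest non-negative x with x = r_i (mod m_i) for pairwise co-prime m_i.

    Two moduli m, mi are merged via Bezout: a*m + b*mi = 1, so a*m is 1 mod mi
    and 0 mod m, while b*mi is 1 mod m and 0 mod mi.  Hence
    x_new = r*(a*m) + x*(b*mi), exactly the formula used in Example 2.1.
    """
    x, m = residues[0] % moduli[0], moduli[0]
    for r, mi in zip(residues[1:], moduli[1:]):
        g, a, b = egcd(m, mi)
        if g != 1:
            raise ValueError("moduli must be pairwise co-prime")
        x = (r * a * m + x * b * mi) % (m * mi)
        m *= mi
    return x


def euler_phi(factorisation):
    """phi(n) for n given as {p: e}, using phi(p^e) = p^(e-1) * (p - 1)."""
    return reduce(lambda acc, pe: acc * pe[0] ** (pe[1] - 1) * (pe[0] - 1),
                  factorisation.items(), 1)


def euler_phi_bruteforce(n):
    """|Z_n^*| counted directly; only for cross-checking small n."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)
```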


Chapter 3

RSA systems


For setting up the RSA system, the designer has to do the following:

• Choose two distinct primes $p, q \geq 10^{100}$

• Compute $n = pq$ and $\phi(n) = (p - 1)(q - 1)$

• Choose $e \in \mathbb{N}$, $e < \phi(n)$, which is co-prime to $n$ (In practice $e = 2^{16} + 1$)

Now the designer publishes $(n, e)$ but keeps $p$ and $q$ private. For the encryption process, the public would use $\varphi : \mathbb{Z}_n \to \mathbb{Z}_n$ given by $m \mapsto m^e$. The designer then uses $\varphi^{-1} : \mathbb{Z}_n \to \mathbb{Z}_n$ given by $c \mapsto c^d$, where $d$ is given by Euclid ($\exists\, d, b \in \mathbb{Z} \mid de + b\phi(n) = 1$). This works since for $m \in (\mathbb{Z}_n)^*$

$$(m^e)^d = m^{de} = m^{1 - b\phi(n)} = m\,(m^{\phi(n)})^{-b} = m \cdot 1 = m$$

Now we ask some questions related to the computation of an RSA system:

1. How difficult is it to compute $m^e$ and $c^d$?

2. How hard is it to find large primes ($\geq 10^{100}$)?

3. How hard is factorization?

3.1 How difficult is it to compute $m^e$ and $c^d$?

To answer this question, assume that $m$ and $e$ are random numbers in $\{1, \dots, n\}$.

Use consecutive squaring to compute

$$m^{2^{16} + 1} = m \cdot \underbrace{\left( \cdots \left( \left( m^2 \right)^2 \right)^2 \cdots \right)^2}_{16 \text{ times}}$$

So basically 17 multiplications. In general let $k := \lfloor \log_2 n \rfloor$. Then $m^e$ can be computed in at most $2k$ multiplications in $\mathbb{Z}_n$: For this we write

$$e = \sum_{i=0}^k a_i 2^i \quad \Rightarrow \quad m^e = m^{a_0} \cdot (m^2)^{a_1} \cdots (m^{2^k})^{a_k}$$
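As an added example (not code from the lecture notes): right-to-left square-and-multiply following the expansion $e = \sum_i a_i 2^i$, with a multiplication counter so the "at most $2k$" bound and the 17 multiplications for $e = 2^{16}+1$ can be checked, plus a toy RSA key pair whose $d$ comes from the Bézout equation $de + b\phi(n) = 1$ (Example 1.1 and Section 3). The primes in the test are tiny demo values, not the $\geq 10^{100}$ primes the notes require; all names are my own.

```python
# Added example, not part of the lecture notes.


def egcd(a, b):
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def power_mod(m, e, n):
    """Return (m^e mod n, number of multiplications in Z_n performed).

    Walks the bits a_i of e from the least significant one; `base` holds
    m^(2^i) and is squared once per bit, and it is multiplied into the
    result whenever a_i = 1.  The first factor costs nothing, so
    e = 2^16 + 1 needs 16 squarings + 1 multiplication = 17, as in the notes.
    """
    result, base, mults = None, m % n, 0
    while e > 0:
        if e & 1:
            if result is None:
                result = base                 # first factor m^(2^i), no product yet
            else:
                result = result * base % n
                mults += 1
        e >>= 1
        if e:
            base = base * base % n            # next power m^(2^(i+1))
            mults += 1
    return (result if result is not None else 1 % n), mults


def rsa_keygen(p, q, e=65537):
    """Return ((n, e), d) for primes p, q; e must be co-prime to phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, d, _b = egcd(e, phi)                   # d*e + b*phi(n) = 1
    if g != 1:
        raise ValueError("e is not co-prime to phi(n)")
    return (n, e), d % phi


def rsa_roundtrip(m, p, q, e=65537):
    """Encrypt m with (n, e), decrypt with d; returns (ciphertext, recovered m)."""
    (n, e), d = rsa_keygen(p, q, e)
    c, _ = power_mod(m, e, n)
    m2, _ = power_mod(c, d, n)
    return c, m2
```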

Now we need a small look into complexity theory...

Definition 3.1 (The big-O Notation).

One writes $f(x) = O(g(x))$ for $f, g : \mathbb{R} \to \mathbb{R}$ if there are constants $x_0, c \in \mathbb{R}$ such that $f(x) \leq c\,g(x)$ for all $x \geq x_0$. This is called the big-O notation.

Example 3.1.

The number of bit operations for adding two numbers $a, b \in \mathbb{Z}_n$ is $O(\log n)$, since the binary representation of $a, b$ has at most length $\log n$. Similarly, multiplying two numbers $a, b \in \mathbb{Z}_n$ requires $O(\log^2 n)$ bit operations if schoolbook multiplication is used. So the cost to compute $m^e \in \mathbb{Z}_n$ is $O(\log^3 n)$.

Remark: Given an algorithm for computing $f(a_1, \dots, a_s)$, $a_i \in \mathbb{Z}_n$, one says the algorithm has polynomial time if the number of bit operations is $O(\log^k n)$ for some $k \in \mathbb{N}$. An algorithm which requires at least $n^\alpha$ bit operations for some $\alpha > 0$ is called an exponential time algorithm.


3.2 How hard is it to find large primes ($\geq 10^{100}$)?

Theorem 3.1.

Let $\pi(x)$ denote the number of primes in the interval $[0, x]$. (Basically: $\pi(2) = 1$, $\pi(3) = 2$, $\pi(4) = 2$, $\pi(5) = 3$, ...) Then one has

$$\lim_{x \to \infty} \frac{\pi(x)}{x / \log x} = 1$$

The first rigorous proof was given in 1896 independently by Jacques Hadamard and Charles Jean de la Vallée Poussin. Their proof was influenced by Riemann, who introduced the Riemann zeta function:

$$\zeta(s) = \sum_{n=1}^{\infty} n^{-s}, \quad \text{for } \operatorname{Re}(s) > 1.$$

This theorem has an important consequence. The chance that a randomly chosen integer with 100 digits is prime is roughly

$$\frac{10^{100} / \log 10^{100}}{10^{100}} = \frac{1}{100 \log 10} \approx \frac{1}{230}$$

In order to construct a prime number with 100 digits:

1. Pick a 100 digit number $m \in [10^{99}, 10^{100})$

2. Test if $m$ is divisible by small primes like 2, 3, 5, 7, ...

3. A number that is not divisible by the small primes is then tested by a so-called "Monte-Carlo" test.

This opens up another question: How to check whether a number $m \in \mathbb{N}$ is prime? One could try all possible divisors from 2 up to $\lfloor \sqrt{m} \rfloor$. The cost of that is $O(m^{1/2} \log^2 m)$ bit operations. This is an exponential time algorithm! In order to check if $m$ is possibly prime, there are several probabilistic and deterministic algorithms which outperform this primitive algorithm a lot; they are even polynomial time. We will present three probabilistic algorithms and one deterministic one, which was published in the 2002 paper "PRIMES is in P" by three Indian computer scientists. The three probabilistic algorithms are:

1. The Fermat Test

2. The Solovay-Strassen Test

3. The Miller-Rabin Test

3.2.1 The Fermat Test

Theorem 3.2 (Little Fermat).

Let $p$ be a prime and $a$ an integer not divisible by $p$. Then

$$a^{p-1} \equiv 1 \pmod p.$$


Proof.

It is $|\mathbb{Z}_p^*| = \phi(p) = p - 1$, and further we have $a \in \mathbb{Z}_p^*$; so by Lagrange this theorem follows.

But what if $p$ is not a prime? If $p$ is not a prime, often $\exists\, a \in \mathbb{Z}_p^*$ s.t. $a^{p-1} \not\equiv 1 \pmod p$. For example:

• Not for $n = 4$: $\mathbb{Z}_4^* = \{1, 3\}$ and $1^3 = 1$, $3^3 = 1 \pmod 4$

• But for $n = 9$: $\mathbb{Z}_9^* = \{1, 2, 4, 5, 7, 8\}$ and $1^8 = 1$, $2^8 = 4$, $4^8 = 7$, $5^8 = 7$, $7^8 = 4$, $8^8 = 1 \pmod 9$

Definition 3.2.

For $n \in \mathbb{N}$, let

$$U_n := \{a \in \mathbb{Z}_n^* \mid a^{n-1} \equiv 1 \pmod n\}$$

Lemma 3.1.

For all $n \in \mathbb{N}$, the set $U_n$ is a subgroup of $\mathbb{Z}_n^*$.

Definition 3.3.

A number $n$ which is not prime is called a Carmichael number if $U_n = \mathbb{Z}_n^*$, that is for all $a \in \mathbb{Z}_n^*$ we have $a^{n-1} \equiv 1 \pmod n$.

It turns out they are very "rare". If $n$ is not a Carmichael number and not a prime, it follows $[\mathbb{Z}_n^* : U_n] \geq 2$.

The Primality Test:

Given a candidate number $n$. Assume it is not a Carmichael number. Choose randomly $s$ integers $a_1, \dots, a_s \in \mathbb{N}$. If there is an $i \in \{1, \dots, s\}$ with $a_i^{n-1} \not\equiv 1 \pmod n$ and $\gcd(a_i, n) = 1$, then $n$ is not a prime. If $a_i^{n-1} \equiv 1 \pmod n$ for $i = 1, \dots, s$, then $n$ is a prime with probability $\geq 1 - \left(\frac{1}{2}\right)^s$.

Theorem 3.3.

Let $n \in \mathbb{N}$.

1. If $p$ is a prime and $p^2$ divides $n$, then $n$ is not Carmichael. Thus all Carmichael numbers are square-free.

2. If $n$ is composite (not prime), odd and square-free, then $n$ is Carmichael if and only if $p \mid n$ implies $(p - 1) \mid (n - 1)$.

3. If $n$ is Carmichael, then $n$ has at least three prime factors.


Proof.

1. Write $n = p^e m$ where $\gcd(p, m) = 1$, and assume $e \geq 2$. By the Chinese Remainder Theorem, we have

$$\mathbb{Z}_n^* \cong \mathbb{Z}_{p^e}^* \times \mathbb{Z}_m^*.$$

The order of $\mathbb{Z}_{p^e}^*$ is $p^{e-1}(p - 1)$, so $p$ divides $\phi(p^e)$. By Sylow's Theorem, there is an element $a \in \mathbb{Z}_{p^e}^*$ of order $p$, i.e. $a^p \equiv 1 \pmod{p^e}$. So there is some $b \in \mathbb{Z}_n^*$ which corresponds to $(a, 1) \in \mathbb{Z}_{p^e}^* \times \mathbb{Z}_m^*$; and $b$ also has order $p$. Now, it must be $b^{n-1} \not\equiv 1 \pmod n$; indeed if $b^{n-1} \equiv 1 \pmod n$ then $p \mid (n - 1)$, but $n \equiv 0 \pmod p$ so $(n - 1) \equiv -1 \pmod p$, so $p \nmid (n - 1)$ and this is a contradiction.

2. $\Rightarrow$: Assume $n = p_1 \cdots p_s$, where the $p_i$ are distinct odd primes. By the Chinese Remainder Theorem,

$$\mathbb{Z}_n^* \cong \mathbb{Z}_{p_1}^* \times \cdots \times \mathbb{Z}_{p_s}^*$$

Choose some $x \in \mathbb{Z}_n^*$, and let $x$ correspond to $(x_1, \dots, x_s)$. Then $x^{n-1} \equiv 1 \pmod n$ if and only if $x_i^{n-1} \equiv 1 \pmod{p_i}$ for $i = 1, \dots, s$. So $(p_i - 1) \mid (n - 1)$ for all $i$.

$\Leftarrow$: Assume there is an $i$ such that $(p_i - 1) \nmid (n - 1)$. Let $a \in \mathbb{Z}_{p_i}^*$ be a primitive element, that is $a$ generates $\mathbb{Z}_{p_i}^*$. Then $a^{n-1} \not\equiv 1 \pmod{p_i}$. So if $b \in \mathbb{Z}_n^*$ corresponds to $(1, \dots, 1, a, 1, \dots, 1)$ (where $a$ is in the $i$th position), then $b^{n-1} \not\equiv 1 \pmod n$ by the Chinese Remainder Theorem. Thus $n$ cannot be Carmichael.

3. Assume $n = pq$, where $p$ and $q$ are primes and $p < q$. If $n$ were Carmichael, by 2. we get $(q - 1) \mid (n - 1)$, but $n - 1 = p(q - 1) + p - 1 \equiv p - 1 \pmod{q - 1}$, which is a contradiction.

Remarks: The smallest Carmichael number is $561 = 3 \cdot 11 \cdot 17$. There are 105212 Carmichael numbers $< 10^{15}$. It is believed that in the interval $[1, n]$ the number of Carmichael numbers is between $n^{2/7}$ and $n^{1/2}$.
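As an added example (not code from the lecture notes): the Fermat test of Section 3.2.1 with caller-supplied bases (so a run is reproducible), the criterion of Theorem 3.3 (2) used to recognise Carmichael numbers, and a count of the Fermat liars $U_n$ inside $\mathbb{Z}_n^*$, which is all of $\mathbb{Z}_n^*$ exactly for primes and Carmichael numbers. The trial-division helpers and all names are my own and only meant for the small numbers used here.

```python
# Added example, not part of the lecture notes.
import math
import random


def random_bases(n, s, seed=0):
    """s bases in [2, n-2] from a seeded generator (reproducible demo runs)."""
    rng = random.Random(seed)
    return [rng.randrange(2, n - 1) for _ in range(s)]


def fermat_test(n, bases):
    """Return ('composite', a) with a Fermat witness a, i.e. gcd(a, n) = 1 and
    a^(n-1) != 1 mod n, or ('probably prime', None) if every base passes.
    Bases sharing a factor with n are skipped, since the test in the notes
    requires gcd(a_i, n) = 1 for a witness."""
    if n < 4:
        return ("probably prime" if n in (2, 3) else "composite"), None
    for a in bases:
        a %= n
        if a < 2 or math.gcd(a, n) != 1:
            continue
        if pow(a, n - 1, n) != 1:
            return "composite", a
    return "probably prime", None


def factorise(n):
    """Trial-division factorisation {p: e}; fine for the small n used here."""
    f, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            f[p] = f.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def is_carmichael(n):
    """Theorem 3.3 (2): n odd, composite, square-free and (p-1) | (n-1) for all p | n."""
    if n < 3 or n % 2 == 0:
        return False
    f = factorise(n)
    if len(f) < 2 or any(e > 1 for e in f.values()):
        return False                       # prime, or not square-free
    return all((n - 1) % (p - 1) == 0 for p in f)


def fermat_liar_fraction(n):
    """|U_n| / |Z_n^*|: the share of units a with a^(n-1) = 1 mod n.
    It is 1 for primes and Carmichael numbers and at most 1/2 otherwise,
    because U_n is then a proper subgroup (index >= 2) of Z_n^*."""
    units = [a for a in range(1, n) if math.gcd(a, n) == 1]
    liars = sum(1 for a in units if pow(a, n - 1, n) == 1)
    return liars / len(units)
```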

3.2.2 The Solovay-Strassen Test (1977)

Before we can present the results by Solovay and Strassen, we first have to introduce some results from elementary number theory.

Definition 3.4.

Let $F$ be a finite field. An element $u \in F^* = F \setminus \{0\}$ is called a quadratic residue if the equation $x^2 = u$ has a solution in $F$. Otherwise, $u$ is called a quadratic non-residue.


Example 3.2.

Let $F = \mathbb{Z}_{11}$ and take a look at the following table:

| $x$   | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|-------|---|---|---|---|---|---|---|---|---|----|
| $x^2$ | 1 | 4 | 9 | 5 | 3 | 3 | 5 | 9 | 4 | 1  |

So $\{1, 3, 4, 5, 9\}$ are the quadratic residues of $\mathbb{Z}_{11}$.

In this example one can already get an idea what happens in a finite field with characteristic not 2: Both $-x$ and $x$ are mapped onto the same number $x^2$ by squaring, and thus (if $x \neq -x$ for all $x \in F^*$) at most half of the elements can be quadratic residues.

Lemma 3.2.

When the characteristic $\operatorname{Char} F = 2$, then every element of $F^*$ is a quadratic residue. If $\operatorname{Char} F \neq 2$, then exactly half the elements of $F^*$ are quadratic residues.

Proof.

Consider the squaring map $SQ : F \to F$, $x \mapsto x^2$. If $\operatorname{Char} F = 2$, then $SQ$ is a $\mathbb{Z}_2$-linear map. Further $\ker(SQ) = \{0\}$, and thus $SQ$ is one-one. Since $F$ is finite, $SQ$ must also be onto (surjective). So $SQ$ is an isomorphism. Since $SQ(F^*)$ are the quadratic residues of $F$, we are done.

If $\operatorname{Char} F \neq 2$, then $SQ(a) = SQ(b)$ if and only if $a = -b$ or $a = b$. Since the only $x \in F$ satisfying $x = -x$ is $x = 0$, every quadratic residue corresponds exactly to two elements of $F^*$. This completes the proof.

Definition 3.5.

Let $p$ be an odd prime and $a \in \mathbb{N}$ arbitrary. Then let

$$\left( \frac{a}{p} \right) := \begin{cases} 0 & \text{if } a \equiv 0 \pmod p, \\ 1 & \text{if } a \text{ is a quadratic residue in } \mathbb{Z}_p, \\ -1 & \text{if } a \text{ is not a quadratic residue in } \mathbb{Z}_p \end{cases}$$

be the Legendre symbol.

Theorem 3.4 (Euler, 1760).

If $p$ is an odd prime and $a \in \mathbb{N}$, then

$$a^{\frac{p-1}{2}} \equiv \left( \frac{a}{p} \right) \pmod p.$$


Proof.

Let $\alpha$ be a primitive element of $\mathbb{F}_p^*$ (i.e. a generator of the cyclic group): $\mathbb{F}_p^* = \{1, \alpha, \alpha^2, \dots, \alpha^{p-2}\}$.

Claim: $\alpha^i$ is a quadratic residue iff $i$ is even.

Let $a = \alpha^i$. If $i = 2n$ is even, then

$$a^{\frac{p-1}{2}} = \alpha^{\frac{2n(p-1)}{2}} = (\alpha^{p-1})^n \equiv 1^n \equiv 1 \pmod p.$$

If $i = 2n + 1$ is odd, then

$$a^{\frac{p-1}{2}} = \alpha^{\frac{2n(p-1)}{2}} \alpha^{\frac{p-1}{2}} \equiv 1 \cdot \alpha^{\frac{p-1}{2}} \equiv -1 \pmod p,$$

since $\alpha^{\frac{p-1}{2}}$ is a square root of $1$ different from $1$ ($\alpha$ has order $p - 1$), hence equal to $-1$.

If $n$ is not a prime, we want to show that

$$V := \Big\{ a \in \mathbb{Z}_n^* \;\Big|\; a^{\frac{n-1}{2}} \equiv \left(\frac{a}{n}\right) \pmod n \Big\}$$

is a proper subgroup of $\mathbb{Z}_n^*$.

Definition 3.6.

Let $n \geq 0$ be an odd integer and $n = p_1^{e_1} \cdots p_s^{e_s}$, where the $p_i$ are distinct primes. Then for $a \in \mathbb{N}$

$$\left(\frac{a}{n}\right) := \left(\frac{a}{p_1}\right)^{e_1} \cdots \left(\frac{a}{p_s}\right)^{e_s} \in \{-1, 0, 1\}$$

is called the Jacobi symbol.

Theorem 3.5.

Let $n \in \mathbb{N}$ be odd.

(1) If $a_1 \equiv a_2 \pmod n$, then $\left(\frac{a_1}{n}\right) = \left(\frac{a_2}{n}\right)$.

(2) It is $\left(\frac{a_1 a_2}{n}\right) = \left(\frac{a_1}{n}\right)\left(\frac{a_2}{n}\right)$.

(3) The following inversion formula holds if $a$ is odd:

$$\left(\frac{a}{n}\right) = \begin{cases} -\left(\frac{n}{a}\right) & \text{if } a \equiv n \equiv 3 \pmod 4, \\ \left(\frac{n}{a}\right) & \text{otherwise.} \end{cases}$$

(4) The following holds:

$$\left(\frac{2}{n}\right) = \begin{cases} 1 & \text{if } n \equiv \pm 1 \pmod 8, \\ -1 & \text{if } n \equiv \pm 3 \pmod 8. \end{cases}$$

Remarks regarding the proof: The statements (1) and (2) directly follow from the definitions. (3) is deeper and essentially the so-called quadratic reciprocity law, which says: assume $a, n$ odd with $\gcd(a, n) = 1$; then

$$\left(\frac{a}{n}\right)\left(\frac{n}{a}\right) = (-1)^{\frac{a-1}{2} \cdot \frac{n-1}{2}}.$$

Example 3.3.

$$\left(\frac{176}{221}\right) \overset{(2)}{=} \left(\frac{2}{221}\right)^4 \left(\frac{11}{221}\right) = \left(\frac{11}{221}\right) \overset{(3)}{=} \left(\frac{221}{11}\right) \overset{(1)}{=} \left(\frac{1}{11}\right) = 1$$


Theorem 3.5 allows the computation of $\left(\frac{a}{n}\right)$ in $O(\log^3 n)$ bit operations.

Theorem 3.6 (Solovay-Strassen).

Assume $n$ is odd.

(a) The set

$$V := \Big\{ x \in \mathbb{Z}_n^* \;\Big|\; x^{\frac{n-1}{2}} \equiv \left(\frac{x}{n}\right) \pmod n \Big\}$$

is a subgroup of $\mathbb{Z}_n^*$.

(b) It is $V = \mathbb{Z}_n^*$ iff $n$ is prime.

Proof.

(a) It suffices to show $ab \in V$ if $a, b \in V$. So let $a, b \in V$; then we have

$$\left(\frac{a}{n}\right)\left(\frac{b}{n}\right) = \left(\frac{ab}{n}\right) \qquad \text{and} \qquad a^{\frac{n-1}{2}} b^{\frac{n-1}{2}} \equiv (ab)^{\frac{n-1}{2}} \pmod n.$$

(b) If $n$ is prime, by Euler $V = \mathbb{Z}_n^*$. Otherwise, if $n$ is not prime, let us assume $V = \mathbb{Z}_n^*$. Then $x^{n-1} \equiv 1 \pmod n$ for all $x \in \mathbb{Z}_n^*$, thus $n$ has to be Carmichael, and $n = p_1 \cdots p_s$ where the $p_i$ are pairwise distinct primes, $s \geq 3$, and furthermore $p_i - 1$ divides $n - 1$ for every $i$ by theorem 3.3. Consider the Chinese Remainder Theorem:

$$\mathbb{Z}_n^* \cong \mathbb{Z}_{p_1}^* \times \cdots \times \mathbb{Z}_{p_s}^*$$

Let $b \in \mathbb{Z}_{p_1}^*$ be a quadratic non-residue, and let $a \in \mathbb{Z}_n^*$ correspond to $(b, 1, \dots, 1)$. Then $a^{\frac{n-1}{2}}$ corresponds to $(b^{\frac{n-1}{2}}, 1, \dots, 1)$, and since the correspondence is one-to-one and $a^{\frac{n-1}{2}} \equiv \pm 1 \pmod n$ (because of $\mathbb{Z}_n^* = V$), it must be $a^{\frac{n-1}{2}} \equiv 1 \pmod n$. On the other hand we have

$$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right) \cdots \left(\frac{a}{p_s}\right) = \left(\frac{b}{p_1}\right)\left(\frac{1}{p_2}\right) \cdots \left(\frac{1}{p_s}\right) = \left(\frac{b}{p_1}\right) = -1 \cdot 1 \cdots 1 = -1,$$

contradicting $V = \mathbb{Z}_n^*$.

The Primality Test:

The consequence is that if for some $a \in \mathbb{Z}_n^*$ the congruence $a^{\frac{n-1}{2}} \equiv \left(\frac{a}{n}\right) \pmod n$ does not hold, then $n$ is not a prime. If it does hold for $t$ randomly chosen $a$, then $n$ is a prime with probability at least $1 - \frac{1}{2^t}$.

3.2.3 The Miller-Rabin Test

Lemma 3.3.

Let $n$ be prime and $n - 1 = 2^s d$ where $d$ is odd. If $a \in \mathbb{Z}_n^*$, then either $a^d \equiv 1 \pmod n$, or there exists some $r \in \{0, 1, \dots, s-1\}$ such that $a^{2^r d} \equiv -1 \pmod n$.


Proof.

For this consider the sequence $a^d, (a^d)^2 = a^{2d}, a^{4d}, a^{8d}, \dots, a^{2^s d}$. Each term is the square of the previous one, and since $n$ is prime the only square roots of $1$ modulo $n$ are $\pm 1$. So the sequence looks like $*, *, *, \dots, -1, 1, \dots, 1$ (or consists of $1$'s only), since we know that $a^{n-1} \equiv 1 \pmod n$.

Definition 3.7.

For some odd $n \in \mathbb{N}$, $n \geq 3$, we define the following sets:

• The Fermat liars: $F(n) := \{ a \in \mathbb{Z}_n^* \mid a^{n-1} \equiv 1 \pmod n \}$

• The Euler liars: $E(n) := \Big\{ a \in \mathbb{Z}_n^* \;\Big|\; a^{\frac{n-1}{2}} \equiv \left(\frac{a}{n}\right) \pmod n \Big\}$

• The Miller-Rabin liars or strong liars: $S(n) := \{ a \in \mathbb{Z}_n^* \mid a^d \equiv 1 \pmod n \text{ or } a^{2^r d} \equiv -1 \pmod n \text{ for some } r \in \{0, 1, \dots, s-1\} \}$, where $n - 1 = 2^s d$ such that $d$ is odd.

Theorem 3.7.

For all odd $n$, one has

$$S(n) \subseteq E(n) \subseteq F(n) \subseteq \mathbb{Z}_n^*.$$

Thus, $S(n) = \mathbb{Z}_n^*$ iff $n$ is prime.

Proof.

If $n$ is prime, we have $S(n) = \mathbb{Z}_n^*$ by the lemma. So let $n$ be composite. By Solovay-Strassen, $E(n) \subsetneq \mathbb{Z}_n^*$. Moreover, it is clear that $E(n) \subseteq F(n) \subseteq \mathbb{Z}_n^*$. So we can complete the proof by showing $S(n) \subseteq E(n)$.

Assume $a \in S(n)$ and $n - 1 = 2^s d$, where $d$ is odd. Let $k$ be the smallest integer such that $a^{2^k d} \equiv 1 \pmod n$; by assumption we have $k \in \{0, 1, \dots, s\}$. Assume $n = p_1^{e_1} \cdots p_t^{e_t}$, where the $p_i$ are distinct primes.

We first take a look at the case $k = 0$. For every $i$ we have $a^d \equiv 1 \pmod{p_i}$, and thus $\operatorname{ord}_{p_i}(a)$ divides $d$. Since $d$ is odd, $\operatorname{ord}_{p_i}(a)$ must be odd. Further $\operatorname{ord}_{p_i}(a)$ divides $p_i - 1$ and thus $a^{\frac{p_i-1}{2}} \equiv 1 \pmod{p_i}$, which implies $\left(\frac{a}{p_i}\right) = 1$ by Euler. But this means $\left(\frac{a}{n}\right) = 1 \equiv a^{\frac{n-1}{2}} \pmod n$, so we have $a \in E(n)$.

The second case is $k > 0$; in that case $a^{2^{k-1} d} \equiv -1 \pmod n$. For any $i$ we have $a^{2^k d} \equiv 1 \pmod{p_i}$ and $a^{2^{k-1} d} \equiv -1 \pmod{p_i}$, and thus $\operatorname{ord}_{p_i}(a)$ divides $2^k d$, but does not divide $2^{k-1} d$. So we can write $\operatorname{ord}_{p_i}(a) = 2^k d_i$, where $d_i$ is odd. Since $\operatorname{ord}_{p_i}(a)$ divides $p_i - 1$, we know that $2^k$ divides $p_i - 1$. Thus we can write $p_i = 2^k b_i + 1$ where $b_i \in \mathbb{Z}$. Note that $a^{\operatorname{ord}_{p_i}(a)/2} \equiv -1 \pmod{p_i}$. Thus by Euler

$$\left(\frac{a}{p_i}\right) \equiv a^{\frac{p_i-1}{2}} \equiv a^{\frac{\operatorname{ord}_{p_i}(a)}{2} \cdot \frac{p_i-1}{\operatorname{ord}_{p_i}(a)}} \equiv (-1)^{\frac{p_i-1}{\operatorname{ord}_{p_i}(a)}} \equiv (-1)^{\frac{p_i-1}{2^k d_i}} \equiv (-1)^{\frac{p_i-1}{2^k}} = (-1)^{b_i} \pmod{p_i},$$

since $d_i$ is odd.


Further we have:

$$n = \prod_{i=1}^{t} p_i^{e_i} = \prod_{i=1}^{t} (2^k b_i + 1)^{e_i} \equiv \prod_{i=1}^{t} (1 + 2^k b_i e_i) \equiv 1 + 2^k \sum_{i=1}^{t} b_i e_i \pmod{2^{2k}},$$

i.e. $(n - 1) \equiv 2^k \sum_{i=1}^{t} b_i e_i \pmod{2^{2k}}$.

Therefore we have $2^{s-k} d = \frac{n-1}{2^k} \equiv \sum_{i=1}^{t} b_i e_i \pmod{2^k}$, and thus also $2^{s-k} d \equiv \sum_{i=1}^{t} b_i e_i \pmod 2$.

Since $d$ is odd, it follows that $2^{s-k} \equiv \sum_{i=1}^{t} b_i e_i \pmod 2$.

So we finally get

$$a^{\frac{n-1}{2}} = a^{2^{s-1} d} = \left(a^{2^{k-1} d}\right)^{2^{s-k}} \equiv (-1)^{2^{s-k}} \equiv (-1)^{\sum_{i=1}^{t} b_i e_i} = \prod_{i=1}^{t} \left((-1)^{b_i}\right)^{e_i} \equiv \prod_{i=1}^{t} \left(\frac{a}{p_i}\right)^{e_i} = \left(\frac{a}{n}\right) \pmod n,$$

and thus $a \in E(n)$.

Theorem 3.8 (Miller and Rabin).

If $n$ is odd and composite, then $|S(n)| \leq \frac{1}{4}\varphi(n)$ except if $n = 9$; in that case $|S(n)| = 2$, while $\varphi(n) = 6$.

Proof.

We distinguish two cases:

1. The first case is that $n$ is Carmichael. Let $n = p_1 \cdots p_t$, where the $p_i$ are distinct primes, $p_i - 1$ divides $n - 1$ for all $i$, and $t \geq 3$. (This can be assumed by theorem 3.3.) Define numbers $s_1, \dots, s_t$ such that $n - 1 = 2^{s_i}(p_i - 1) d_i$, where $d_i$ is odd for every $i$. Without loss of generality, we can assume $s_1 \leq \cdots \leq s_t$. Let $s := s_1 = \min\{s_1, \dots, s_t\}$.

Then $a^{\frac{n-1}{2^s}} \equiv 1 \pmod n$ for all $a \in \mathbb{Z}_n^*$, which one can easily see by applying the Chinese Remainder Theorem. Furthermore, $\frac{n-1}{2^s}$ is even.

We again distinguish two more cases:

1a. The first is that $s = s_i$ for all $i$. Then $\frac{n-1}{2^{s+1}}$ is an odd multiple of $\frac{p_i - 1}{2}$. Then $S(n)$ is contained in the subgroup $A_1 := \{ a \in \mathbb{Z}_n^* \mid a^{\frac{n-1}{2^{s+1}}} \equiv \pm 1 \pmod n \}$. Let $a(k_1, \dots, k_t)$ be the element in $\mathbb{Z}_n^*$ defined via $\psi : \mathbb{Z}_n \to \mathbb{Z}_{p_1} \times \cdots \times \mathbb{Z}_{p_t}$, given by $a(k_1, \dots, k_t) \mapsto (g_1^{k_1}, \dots, g_t^{k_t})$, where the $g_i$ are generators of the $\mathbb{Z}_{p_i}^*$. Then $a(k_1, \dots, k_t)^{\frac{n-1}{2^{s+1}}} \equiv \pm 1 \pmod n$ if and only if either all $k_i$ are even, or all $k_i$ are odd. Since $t \geq 3$, it follows that $|S(n)| \leq \frac{1}{2^{t-1}}\varphi(n) \leq \frac{1}{4}\varphi(n)$.

1b. The second is $s_t > s$. Then $\frac{n-1}{2^{s+1}}$ is a multiple of $p_t - 1$, and hence even. So $S(n) \subseteq A_0 := \{ a \in \mathbb{Z}_n^* \mid a^{\frac{n-1}{2^{s+1}}} \equiv 1 \pmod n \}$.


Since $A_0 \neq \mathbb{Z}_n^*$, we know that $|A_0| \leq \frac{1}{2}\varphi(n)$.

Additionally, we have $S(n) \subseteq A_2 := \{ a \in \mathbb{Z}_n^* \mid a^{\frac{n-1}{2^{s+2}}} \equiv \pm 1 \pmod n \}$, which is clearly a subgroup of $A_0$. We now claim $A_2 \subsetneq A_0$, which again is left to be proved by the reader. Together it follows that $|S(n)| \leq |A_2| \leq \frac{1}{2}|A_0| \leq \frac{1}{4}\varphi(n)$.

2. The second case is that $n$ is not Carmichael. We know that $S(n) \subseteq F(n) \subsetneq \mathbb{Z}_n^*$ and $|F(n)| \leq \frac{1}{2}\varphi(n)$. As an exercise, construct a subgroup $W \subseteq F(n)$ such that

(i) $S(n) \subseteq W$

(ii) $W \subsetneq F(n)$

Hint: Let $W = \{ a \in \mathbb{Z}_n^* \mid a^{2^\ell d} \equiv \pm 1 \pmod n \}$ for some $\ell$.

The Primality Test:

Take random numbers $a_1, \dots, a_t \in \mathbb{Z}_n^*$, and compute $n - 1 = 2^s d$ where $d$ is odd. Then check for $i = 1, \dots, t$ whether

$$a_i^d \overset{?}{\equiv} 1 \pmod n \qquad \text{or} \qquad a_i^{2^\ell d} \overset{?}{\equiv} -1 \pmod n \text{ for some } \ell = 0, \dots, s-1.$$

If neither happens for a particular $i$, then we have proven that $n$ is not prime by the first lemma of this subsection! If one of the cases happens for every $i$, then the likelihood that $n$ is prime is at least $1 - 4^{-t}$ by Miller-Rabin.
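Added example (not part of the lecture notes): a Python implementation of the Miller-Rabin test above, together with brute-force enumeration of the Fermat liars $F(n)$ and strong liars $S(n)$ of Definition 3.7, so that Theorem 3.7 ($S(n) \subseteq F(n)$) and Theorem 3.8 (the $\frac{1}{4}\varphi(n)$ bound with the single exception $n = 9$) can be checked on small $n$; the function names and the sample moduli $9$ and $561$ are my own.

```python
import random
from math import gcd

def split_power_of_two(m: int):
    """Write m = 2^s * d with d odd and return (s, d)."""
    s = 0
    while m % 2 == 0:
        m //= 2
        s += 1
    return s, m

def is_strong_liar(a: int, n: int) -> bool:
    """True iff a in S(n): a^d = 1 or a^(2^r d) = -1 (mod n) for some 0 <= r < s."""
    s, d = split_power_of_two(n - 1)
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):          # squares a^d up to a^(2^(s-1) d)
        x = x * x % n
        if x == n - 1:
            return True
    return False

def fermat_liars(n: int) -> list:
    return [a for a in range(1, n) if gcd(a, n) == 1 and pow(a, n - 1, n) == 1]

def strong_liars(n: int) -> list:
    return [a for a in range(1, n) if gcd(a, n) == 1 and is_strong_liar(a, n)]

def phi(n: int) -> int:
    return sum(1 for a in range(1, n) if gcd(a, n) == 1)

def miller_rabin(n: int, t: int = 20, seed=None) -> bool:
    """False: n is certainly composite (a witness was found).
    True: all t random bases were strong liars, so n is prime with
    probability at least 1 - 4^-t.  seed only fixes the randomness."""
    rng = random.Random(seed)
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(t):
        a = rng.randrange(2, n - 1)
        if not is_strong_liar(a, n):
            return False
    return True

def bound_exceptions(limit: int) -> list:
    """Odd composite n < limit with |S(n)| > phi(n)/4; Theorem 3.8 predicts only 9."""
    out = []
    for n in range(9, limit, 2):
        if all(n % p for p in range(3, int(n ** 0.5) + 1, 2)):
            continue                # n is prime, the theorem is about composites
        if 4 * len(strong_liars(n)) > phi(n):
            out.append(n)
    return out
```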

3.2.4 Deterministic Primality Tests

In August 2002, Agrawal, Kayal and Saxena announced a deterministic primality test in polynomial time, whose original complexity was $O(\log^{10.5} n)$ ("PRIMES is in P"). In 2003 Lenstra and Pomerance improved the technique and announced a paper claiming the result in $O(\log^6 n)$ bit operations.

Lemma 3.4.

For all $a \in \mathbb{Z}_n^*$, it is $(x + a)^n \equiv x^n + a \pmod n$ if and only if $n$ is prime.

Proof.

If $n$ is prime, one has $(x + y)^n = x^n + y^n$ in $\mathbb{Z}_n[x, y]$, and by Little Fermat $a^{n-1} \equiv 1 \pmod n$, hence $a^n \equiv a \pmod n$, if $a \in \mathbb{Z}_n^*$.
If $n$ is not prime, then $n$ has to be Carmichael. It follows that $n = p_1 \cdots p_t$ and many binomial coefficients $\binom{n}{m}$ are non-zero modulo $n$.

Instead of computing $(x + a)^n \pmod n$ we also can compute $(x + a)^n \pmod{n, x^r - 1}$ for different choices of $r$.
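Added example (not from the notes): polynomial arithmetic in $\mathbb{Z}_n[x]/(x^r - 1)$ in Python to evaluate the congruence of Lemma 3.4, both with $r = n$ (so that every coefficient of $(x+a)^n$ below $x^n$ is visible) and with a small $r$ as in the remark above; the helper names and the sample values ($n = 7, 13, 15, 91$) are my own.

```python
from math import gcd

def polymul_mod(p, q, n, r):
    """Product of two coefficient lists (length r) in Z_n[x]/(x^r - 1)."""
    out = [0] * r
    for i, pi in enumerate(p):
        if pi == 0:
            continue
        for j, qj in enumerate(q):
            if qj:
                k = (i + j) % r               # x^r = 1 folds the degree
                out[k] = (out[k] + pi * qj) % n
    return out

def x_plus_a_pow_n(a, n, r):
    """(x + a)^n in Z_n[x]/(x^r - 1) by square-and-multiply (needs r >= 2)."""
    base = [0] * r
    base[0], base[1] = a % n, 1
    result = [0] * r
    result[0] = 1
    e = n
    while e:
        if e & 1:
            result = polymul_mod(result, base, n, r)
        e >>= 1
        if e:
            base = polymul_mod(base, base, n, r)
    return result

def congruence_holds(a, n, r):
    """Test (x + a)^n = x^n + a (mod n, x^r - 1) for one a."""
    rhs = [0] * r
    rhs[n % r] = 1                                # x^n reduced modulo x^r - 1
    rhs[0] = (rhs[0] + a) % n
    return x_plus_a_pow_n(a, n, r) == rhs

def lemma_3_4(n, r=None):
    """True iff the congruence holds for every a in Z_n^*; r defaults to n."""
    r = n if r is None else r
    return all(congruence_holds(a, n, r) for a in range(1, n) if gcd(a, n) == 1)
```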


3.3 How hard is factorization?

3.3.1 Security Issues of RSA

Recall that $n = pq$, where $p, q \geq 10^{100}$ are prime. The public information is the modulus $n$, the encryption exponent $e$ and the encryption map $\psi : \mathbb{Z}_n \to \mathbb{Z}_n$, $m \mapsto m^e = c$. The private information is the primes $p$ and $q$ and the decryption exponent $d$, where $ed \equiv 1 \pmod{\varphi(n)}$. Further, decryption is done by $\psi^{-1} : \mathbb{Z}_n \to \mathbb{Z}_n$, $c \mapsto c^d = m$.
The fundamental question is: is being able to break RSA (that is, computing $\psi^{-1}$) polynomially equivalent to factoring $n$?

Lemma 3.5.

Knowing $p$ and $q$ is polynomially equivalent to knowing $n$ and $\varphi(n)$.

Proof.

Consider the relations $n = pq$ and $\varphi(n) = (p - 1)(q - 1)$. If $n$ and $\varphi(n)$ are known, one can find $p$ and $q$ by solving these quadratic equations over the reals. The other direction is trivial.

Lemma 3.6.

Knowing the decryption exponent $d$ is polynomially equivalent to factoring.

Proof.

If $p$, $q$ and $e$ are known, $d$ can easily be computed. The other direction is more involved; we only give an outline of the proof.
Given $d$, it follows that $m^{de-1} \equiv 1 \pmod n$ for all $m \in \mathbb{Z}_n^*$. It follows that $\varphi(n)$ divides $de - 1$. Let $k = de - 1$ and write $k = 2^t r$ with $r$ odd. Since $p$ and $q$ are odd, $\varphi(n)$ is divisible at least by four and thus $t \geq 2$.

Let $g \in \mathbb{Z}_n^*$ be randomly chosen. Consider the sequence $g^r, g^{2r}, \dots, g^{2^t r}$, and let $i$ be the smallest index such that $g^{2^i r} \equiv 1 \pmod n$. Then $g^{2^{i-1} r}$ is a non-trivial square root of $1 \pmod n$.
Consider the roots in terms of the Chinese Remainder Theorem:

$$\mathbb{Z}_n^* \ni g^{2^{i-1} r} = \begin{cases} (-1, -1) \\ (-1, 1) \\ (1, -1) \end{cases} \in \mathbb{Z}_p \times \mathbb{Z}_q$$

If $g^{2^{i-1} r} \not\equiv -1 \pmod n$, then

$$\gcd\left(g^{2^{i-1} r} + 1, n\right) = \begin{cases} p \\ q \end{cases}$$

One can show that for randomly chosen $g$, two thirds of the time one deals with this case. The proof for this is left to the reader as an exercise.


3.3.1.1 Implementation Weaknesses

p and q Should be Sufficiently Apart

For example, the following is a bad choice: let $a$ be a random number around $10^{100}$. Let $p := \operatorname{nextprime}(a)$ and $q := \operatorname{nextprime}(p + 1)$, and $n := pq$. This can be attacked since $q = \operatorname{nextprime}(\sqrt{n})$.

Pollard's $(p - 1)$ Factoring Attack

Definition 3.8.

Let $m$ and $B$ be positive integers. One says that $m$ is $B$-smooth if all prime factors of $m$ are less than or equal to $B$.

Example 3.4.

The number 48 is 3-smooth: it is $48 = 2^4 \cdot 3$.

Assume $n = pq$ and WLOG that $p - 1$ is $B$-smooth, but $q - 1$ is not (for a small bound $B$). Define

$$k := \prod_{\substack{\alpha \leq B \\ \alpha \text{ prime}}} \alpha^{\left\lfloor \frac{\ln n}{\ln \alpha} \right\rfloor}.$$

By assumption $q - 1$ does not divide $k$, but $p - 1$ does. By little Fermat we have $a^k \equiv 1 \pmod p$ and $a^k \not\equiv 1 \pmod q$ for more than fifty percent of the $a$'s. (Another exercise for the interested reader.) If $a^k \not\equiv 1 \pmod q$, then $\gcd(a^k - 1, n) = p$.
As a consequence: both $p, q$ should have the property that $p - 1$ and $q - 1$ contain some large prime factors.

Definition 3.9.

An odd prime $p$ is called a safe prime if $\frac{p-1}{2}$ is prime.

Example 3.5.

The numbers 7 and 11 are safe primes.

In practice, $p$ and $q$ are chosen as safe primes.
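Added example (not part of the notes): Python code for the key-generation check the paragraph above motivates, namely the largest prime factor of $p - 1$ (the smallest $B$ for which $p - 1$ is $B$-smooth, Definition 3.8), the safe-prime property of Definition 3.9, and the $(p-1)$ method with the bound $B$ and the exponent $k$ defined above, showing that a prime with smooth $p - 1$ is split off while two safe primes are not; the sample primes 211, 1019, 1187 and the function names are my own.

```python
from math import gcd

def is_prime(n: int) -> bool:
    """Trial division; sufficient for the small constructed examples here."""
    if n < 2:
        return False
    return all(n % f for f in range(2, int(n ** 0.5) + 1))

def largest_prime_factor(m: int) -> int:
    """The smallest B such that m is B-smooth (Definition 3.8); 1 for m = 1."""
    largest, f = 1, 2
    while f * f <= m:
        while m % f == 0:
            largest, m = f, m // f
        f += 1
    return max(largest, m) if m > 1 else largest

def is_safe_prime(p: int) -> bool:
    """Definition 3.9: p odd, p and (p - 1) / 2 both prime."""
    return p % 2 == 1 and is_prime(p) and is_prime((p - 1) // 2)

def pollard_p_minus_1(n: int, B: int, a: int = 2) -> int:
    """gcd(a^k - 1, n) with k = prod_{alpha <= B prime} alpha^floor(ln n / ln alpha).
    Yields a non-trivial factor when some prime p | n has B-smooth p - 1,
    otherwise 1 (or n)."""
    k = 1
    for alpha in range(2, B + 1):
        if not is_prime(alpha):
            continue
        power = alpha
        while power * alpha <= n:     # largest alpha^e <= n, i.e. e = floor(ln n / ln alpha)
            power *= alpha
        k *= power
    return gcd(pow(a, k, n) - 1, n)
```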

Common Modulus Attack

Situation: A large corporation computes $n = pq$ with $p, q$ safe primes. Different web servers get pairs $(e_i, d_i)$ of encryption/decryption exponents for this modulus $n$. Bad idea, since knowledge of any pair $(e_i, d_i)$ gives a way to factorize $n$:

$$d_i e_i + b\,\varphi(n) = 1, \qquad \varphi(n) \mid (d_i e_i - 1).$$
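Added example (not from the notes): Python code for the two reductions above, recovering $p, q$ from $(n, \varphi(n))$ as in Lemma 3.5 and from a single exponent pair $(e, d)$ as in the proof outline of Lemma 3.6, which is exactly why, in the common modulus situation, every holder of one pair $(e_i, d_i)$ can recover the factorization and hence everybody else's $d_j$; the toy moduli $3233 = 53 \cdot 61$ and $1209553 = 1019 \cdot 1187$ and the function names are my own.

```python
import random
from math import gcd, isqrt

def factor_from_phi(n: int, phi_n: int):
    """Lemma 3.5: p + q = n - phi(n) + 1 and pq = n, so p, q are the roots
    of X^2 - (p + q) X + n over the integers."""
    s = n - phi_n + 1                 # p + q
    disc = s * s - 4 * n              # (p - q)^2
    if disc < 0:
        raise ValueError("n and phi(n) are inconsistent")
    root = isqrt(disc)
    if root * root != disc:
        raise ValueError("n and phi(n) are inconsistent")
    p, q = (s - root) // 2, (s + root) // 2
    if p * q != n:
        raise ValueError("n and phi(n) are inconsistent")
    return p, q

def factor_from_d(n: int, e: int, d: int, seed=None, max_tries: int = 64):
    """Lemma 3.6 outline: k = ed - 1 = 2^t r is a multiple of phi(n); a random g
    gives a non-trivial square root of 1 (mod n) with probability >= 1/2.
    Returns (p, q) or None if every try was unlucky."""
    rng = random.Random(seed)
    k = e * d - 1
    t, r = 0, k
    while r % 2 == 0:
        r //= 2
        t += 1
    for _ in range(max_tries):
        g = rng.randrange(2, n - 1)
        h = gcd(g, n)
        if h != 1:                    # g itself already shares a factor with n
            return tuple(sorted((h, n // h)))
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue                  # the chain g^r, g^2r, ... gives no information
        for _ in range(t):
            y = x * x % n
            if y == 1:                # x^2 = 1 but x != +-1: non-trivial root of 1
                p = gcd(x + 1, n)
                return tuple(sorted((p, n // p)))
            if y == n - 1:
                break                 # reached -1 first: try another g
            x = y
    return None
```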


Short Message Encryption

$n \approx 2^{1024}$ and assume a message $m \leq 2^{40}$ is encrypted. Basically this just encrypts the last 40 bits of each message. Bad for two reasons:

1) A brute force attack can break the code.

2) With probability around 18 %, $m = m_1 m_2$ with $m_1, m_2$ of more than 18 bits. In this case $c \equiv m^e \equiv m_1^e m_2^e \pmod n$.

Produce a table of $c \cdot m_1^{-e} \bmod n$ for all $1 \leq m_1 \leq 2^{22}$ and store the last 50 bits of each result. Compute $m_2^e \bmod n$ for $1 \leq m_2 \leq 2^{22}$ and search for a collision, in which case $m_1$ and $m_2$ are computed.

Bleichenbacher Attack (1998)

Under the standard used in SSL in 1998 (PKCS #1), $n$ is chosen to have 1024 bits ($n \approx 2^{1024}$), and the protocol required that the first 16 bits of $m$ specify the protocol ID, followed by a lot of random bits, followed by some zeros to indicate the start of the real message, and then the last 128 bits contain the real message.
If $m$ is correctly formed the server proceeds with the secret key system, otherwise it sends back a message that something is wrong.
Given $c = m^e \pmod n$, Bleichenbacher showed how to choose "ciphers" $c' = c r^e = (mr)^e \bmod n$ such that with about 70'000 queries $m$ could be computed.

Low Public Key

Remark: If $n = pq$ then a quadratic equation $x^2 = \alpha$ has in general up to 4 solutions and finding these solutions is polynomially equivalent to factoring.

• If the factorization is known, then with the Chinese Remainder Theorem one can solve modulo $p$ and $q$ in polynomial time.

• Vice versa, assume one has the 4 solutions $\{\alpha_1, \alpha_2, \alpha_3, \alpha_4\}$. Under $\mathbb{Z}_n \cong \mathbb{Z}_p \times \mathbb{Z}_q$, $\alpha \leftrightarrow (\beta, \gamma)$, so $\{\alpha_1, \alpha_2, \alpha_3, \alpha_4\} \leftrightarrow \{(\pm\beta, \pm\gamma)\}$, and $\gcd(\alpha_1 - \alpha_2, n)$ gives a factor of $n$.

Assume $e = 3$ as an encryption exponent (i.e. $\gcd(e, \varphi(n)) = 1$). Still a bad choice! Assume $m$ contains at most 300 relevant bits, $m = (0, \dots, 0, \underbrace{*, \dots, *}_{300 \text{ bits}})$. Then $m^3 \bmod n = m^3$ as an integer, since $m^e < 2^{900}$, and solving $x^3 = c$ in $\mathbb{Z}$ is easy!
If $m$ has fully 1024 bits, there is still a possible attack if $m^3$ is known for different moduli $n_i$:

$$c_1 \equiv m^3 \pmod{n_1}, \qquad c_2 \equiv m^3 \pmod{n_2}, \qquad c_3 \equiv m^3 \pmod{n_3}.$$

In practice, $e = 2^{16} + 1 = 65537$; this is also prime and fairly easy to compute.
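Added example (not from the notes): Python code for the two $e = 3$ failure modes described above, taking an exact integer cube root when $m^3 < n$ and combining three ciphertexts of the same $m$ under different moduli with the Chinese Remainder Theorem to obtain $m^3$ over the integers; the toy moduli (products of small primes $\equiv 2 \pmod 3$, so that $\gcd(3, \varphi(n)) = 1$) and the message $4242$ are my own constructed values.

```python
def icbrt(x: int):
    """Exact integer cube root of x >= 0, or None if x is not a perfect cube."""
    lo, hi = 0, 1
    while hi ** 3 <= x:
        hi *= 2
    while lo < hi:                       # smallest c with c^3 >= x
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None

def crt(residues, moduli):
    """x with x = r_i (mod n_i) for pairwise coprime n_i; returns (x, prod n_i)."""
    N = 1
    for n in moduli:
        N *= n
    x = 0
    for r, n in zip(residues, moduli):
        Ni = N // n
        x += r * Ni * pow(Ni, -1, n)     # Ni^-1 mod n exists since gcd(Ni, n) = 1
    return x % N, N

def short_message_e3(c: int):
    """If m^3 < n, then c = m^3 already holds over the integers."""
    return icbrt(c)

def broadcast_e3(ciphertexts, moduli):
    """c_i = m^3 (mod n_i), i = 1, 2, 3, with m^3 < n_1 n_2 n_3: CRT gives m^3 exactly."""
    m3, _ = crt(ciphertexts, moduli)
    return icbrt(m3)

# constructed toy moduli: 53*59, 71*83, 89*101 (all primes are 2 mod 3)
MODULI = (53 * 59, 71 * 83, 89 * 101)
```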


Low Decryption Exponent

If $d$ is chosen $\leq n^{\frac{1}{4}}$, there is a well known attack based on lattices.

Conclusion: In the implementation, all difficulties above are taken into accountnowadays. The security depends mainly on the difficulty of factoring.

3.3.2 How Hard is Factoring Integers?

There exist many exponential time algorithms like trying all factors $\leq \sqrt{n}$. The complexity is $O(n^{\frac{1}{2}})$. No polynomial time algorithm is known, but there exist so-called sub-exponential time algorithms. The best algorithm known is the generalized number field sieve, a descendant of the "quadratic sieve" (also sub-exponential time).
The idea is: search for solutions of $f(x, y) := x^2 - y^2 \equiv 0 \pmod n$ in $\mathbb{Z}[x, y]$. In other words, find $(\alpha, \beta) \in \mathbb{Z}_n$ where $\alpha^2 \equiv \beta^2 \pmod n$.
If this is the case then $\alpha^2 - \beta^2 = (\alpha - \beta)(\alpha + \beta) \equiv 0 \pmod n$, and there are 4 possibilities:

$$\alpha \equiv \beta, \qquad \alpha \equiv -\beta, \qquad p \mid (\alpha + \beta) \text{ and } q \mid (\alpha - \beta), \qquad q \mid (\alpha + \beta) \text{ and } p \mid (\alpha - \beta) \pmod n.$$

In two thirds of the non-trivial cases $\gcd(\alpha - \beta, n) \neq 1$. So how to find $\alpha, \beta$ such that $\alpha^2 \equiv \beta^2$?
First search for $\alpha$ such that $\alpha^2 \bmod n$ is smooth.
For this choose the first $t$ primes, $p_1 = 2, p_2 = 3, \dots, p_t$. Now search for $x_1, \dots, x_l$ such that $x_i^2 \bmod n$ is $p_t$-smooth:

$$x_i^2 \equiv p_1^{e_{i1}} p_2^{e_{i2}} \cdots p_t^{e_{it}} \pmod n, \qquad x_k^2 \equiv p_1^{e_{k1}} p_2^{e_{k2}} \cdots p_t^{e_{kt}} \pmod n,$$

and $(x_i x_k)^2 \equiv p_1^{e_{i1} + e_{k1}} \cdots p_t^{e_{it} + e_{kt}} \pmod n$.

If all exponents are even, then it is a square. If $x_i^2, x_j^2$ are $p_t$-smooth, then so is $(x_i x_j)^2$. Let $\bar{e}_{ij} = e_{ij} \pmod 2$. Now consider the $l \times t$ matrix

$$M = \begin{pmatrix} \bar{e}_{11} & \dots & \bar{e}_{1t} \\ \vdots & \ddots & \vdots \\ \bar{e}_{l1} & \dots & \bar{e}_{lt} \end{pmatrix}$$

where $x_i \leftrightarrow (\bar{e}_{i1}, \dots, \bar{e}_{it})$. If $l > t$ there is a large likelihood that $M$ has a non-trivial left kernel $(f_1, \dots, f_l) M = (0, \dots, 0)$ over $\mathbb{F}_2$. Then

$$\underbrace{\prod_{i=1}^{l} (x_i^2)^{f_i}}_{x^2} \equiv \underbrace{p_1^{\sum_i f_i e_{i1}} \cdots p_t^{\sum_i f_i e_{it}}}_{y^2} \pmod n,$$

i.e. all exponents are even.

Major difficulty: the $p_t$-smooth numbers are relatively rare if $p_t$ is small compared to $n$.
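Added example (not from the notes): a small Python implementation of the relation-collecting and linear-algebra steps just described; trial division over the first $t$ primes stands in for the sieve, and the left kernel of $M$ over $\mathbb{F}_2$ is found by Gaussian elimination that tracks which rows were combined. The modulus $n = 1649 = 17 \cdot 97$, the base size and the function names are my own choices.

```python
from math import gcd, isqrt

def first_primes(t: int) -> list:
    primes, c = [], 2
    while len(primes) < t:
        if all(c % p for p in primes):
            primes.append(c)
        c += 1
    return primes

def exponent_vector(m: int, base: list):
    """Exponents (e_1, ..., e_t) if m is p_t-smooth over base, else None."""
    if m <= 0:
        return None
    exps = []
    for p in base:
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        exps.append(e)
    return exps if m == 1 else None

def left_kernel_gf2(rows: list) -> list:
    """Bitmasks f (bit i set <=> f_i = 1) with sum_i f_i * rows[i] = 0 over F_2."""
    pivots = {}                 # leading column -> (reduced row bits, combination mask)
    kernel = []
    for i, row in enumerate(rows):
        bits = sum(1 << j for j, e in enumerate(row) if e % 2)
        combo = 1 << i
        while bits:
            col = bits.bit_length() - 1
            if col not in pivots:
                pivots[col] = (bits, combo)
                break
            pbits, pcombo = pivots[col]
            bits ^= pbits
            combo ^= pcombo
        if bits == 0:
            kernel.append(combo)
    return kernel

def factor_by_squares(n: int, t: int = 6, span: int = 200):
    """Collect x with x^2 mod n p_t-smooth, then turn each F_2 dependency into
    x^2 = y^2 (mod n) and try gcd(x - y, n) and gcd(x + y, n)."""
    base = first_primes(t)
    relations = []                                   # (x_i, exponent vector)
    start = isqrt(n) + 1
    for x in range(start, start + span):
        exps = exponent_vector(x * x % n, base)
        if exps is not None:
            relations.append((x, exps))
            if len(relations) > t + 4:               # l > t: a dependency is likely
                break
    for combo in left_kernel_gf2([e for _, e in relations]):
        x, total = 1, [0] * t
        for i, (xi, exps) in enumerate(relations):
            if combo >> i & 1:
                x = x * xi % n
                total = [a + b for a, b in zip(total, exps)]
        y = 1
        for p, e in zip(base, total):               # every e is even: y = product of p^(e/2)
            y = y * pow(p, e // 2, n) % n
        for g in (gcd(x - y, n), gcd(x + y, n)):
            if 1 < g < n:
                return g
    return None
```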


Define $\phi(x, y) := |\{ 1 \leq m \leq x \mid m \text{ is } y\text{-smooth} \}|$.

Theorem 3.9 (Norton (1971), Erdős, Pomerance and Canfield).

Set $u = \frac{\ln x}{\ln y}$. Then $\phi(x, y) \approx x \cdot u^{-u(1 + O(1))}$ uniformly for $x \to \infty$.

Example 3.6.

$x = 10^{100}$, $y = 10^{10}$, then $u = 10$. The expected number of $10^{10}$-smooth numbers is $\approx 10^{100} \cdot 10^{-10} = 10^{90}$.

3.3.2.1 Improvements to find numbers $x$ s.t. $x^2 \bmod n$ is $p_t$-smooth

First consider $q(x) = (x + \lfloor \sqrt{an} \rfloor)^2 - an$ for a small $x$ and a small $a$. In this case $q(x)$ is a square modulo $n$ and $q(x) \approx 2x\sqrt{a}\sqrt{n}$.
For example: if $x \leq 10^3$, $a \leq 10^6$ and $n \leq 10^{1000}$ then $q(x) \leq 10^{510}$.
It is possible to find $p_t$-smooth numbers using a sieving process. For this, if $p \mid q(x)$ for some $x \in \mathbb{N}$ then $p \mid q(x + kp)$ for all $k \in \mathbb{Z}$.
Produce an array $A$ for $1 \leq x \leq I$.
Solve $q(x) \equiv 0 \pmod{p_i^e}$ for $i = 1, \dots, t$.
Now produce another array of the same length as the first, called counter.
Then, at each index whose number is divisible by $p_i$, add $\log p_i$ to the counter at the same index.
So basically if for example $x_1$ were divisible by $p_1 = 2$ and $p_2 = 3$ then:

    Index                            | 1               | 2   | 3     | ... | I
    Array A                          | x_1             | x_2 | x_3   | ... | x_I
    Counter (time 0)                 | 0               | 0   | 0     | ... | 0
    Counter after checking p_1 = 2   | log 2           | 0   | log 2 | ... | a_1 log 2
    Counter after checking p_2 = 3   | log 2 + log 3   | 0   | log 2 | ... | a_1 log 2 + a_2 log 3
    Counter after checking p_i       | ...             | ... | ...   | ... | ...

where $a_i = I \pmod{p_i}$ for $i = 1, 2$. And we search for the largest sum in the counter array, find its index, and go to array $A$ at that index to have the $x$ we are searching for.

3.3.2.2 Remarks about complexity of quadratic sieve

Recall: A number theoretic problem is said to have a polynomial time algorithm if the number of elementary bit operations has order $O(\log^k n)$, $k \in \mathbb{N}$. One says an algorithm has exponential complexity if the number of operations is $O(n^r)$, $r \in \mathbb{R}$.

Define $L_n(\alpha, c) := O\!\left(e^{c (\log n)^\alpha (\log \log n)^{1 - \alpha}}\right)$ where $\alpha \in [0, 1]$.
Note: $L_n(0, c) = O(e^{c \log \log n}) = O((\log n)^c)$, i.e. polynomial time;
$L_n(1, c) = O(n^c)$, i.e. exponential time.
An algorithm with time complexity $L_n(\alpha, c)$ where $\alpha \in (0, 1)$ is said to have sub-exponential time complexity.
Quadratic sieve: $L_n(\frac{1}{2}, 1)$, and number field sieve: $L_n(\frac{1}{3}, c)$.


Chapter 4

Secret Key Ciphers


In secret key systems, one differentiates between block ciphers and stream ciphers.

4.1 Block Ciphers

A text is cut into blocks and each block is encrypted using a fixed secret key. Formally a block cipher consists of a message space $\mathcal{M}$, a key space $\mathcal{K}$ and a cipher space $\mathcal{C}$ and two maps

$$\varphi : \mathcal{M} \times \mathcal{K} \to \mathcal{C}, \qquad \psi : \mathcal{C} \times \mathcal{K} \to \mathcal{M}$$

such that $\psi(\varphi(m, k), k) = m$ and the induced maps $\varphi_m : \mathcal{K} \to \mathcal{C}$ given by $k \mapsto \varphi(m, k)$ and $\varphi_k : \mathcal{M} \to \mathcal{C}$ given by $m \mapsto \varphi(m, k)$ are one-way functions in the usual sense.
Historically, the most famous block cipher was DES: $|\mathcal{M}| = |\mathcal{C}| = 2^{64}$, $|\mathcal{K}| = 2^{56}$, where $k$ was taken to be 8 ASCII characters. Old ASCII code consisted of 8 bits $[x_1 x_2 x_3 x_4 x_5 x_6 x_7 x_8] \in \mathbb{F}_2^8$ s.t. $\sum x_i = 0$. Since the size of that code is $2^7$, 8 ASCII characters are 56 bits.
In 2001 DES was replaced by AES.

4.1.1 AES

On 26.11.2001 NIST (National Institute of Standards and Technology) adopted the Rijndael system invented by Vincent Rijmen and Joan Daemen as a standard to be used for confidential data communication (Standard for Block Ciphers).

A block cipher consists of $\mathcal{M}, \mathcal{K}, \mathcal{C}$ and two maps $\varphi : \mathcal{M} \times \mathcal{K} \to \mathcal{C}$ and $\psi : \mathcal{C} \times \mathcal{K} \to \mathcal{M}$ with $\psi(\varphi(m, k), k) = m$. In Rijndael $\mathcal{M} = \mathcal{K} = \mathcal{C}$ and the set can be described as a ring:
Consider $\mathbb{Z}_2[x, y, z] \supseteq I = \langle x^4 + 1,\; y^4 + 1,\; \mu(z) \rangle$ where $\mu(z) := z^8 + z^4 + z^3 + z + 1$, and let $R := \mathbb{Z}_2[x, y, z]/I$.
Remark: $I$ is a zero-dimensional ideal and hence $R$ is a finite dimensional $\mathbb{Z}_2$-algebra. $R$ has basis $\{ x^i y^j z^k \mid 0 \leq i, j \leq 3 \text{ and } 0 \leq k \leq 7 \}$, so $\dim_{\mathbb{F}_2} R = 128 = 4 \cdot 4 \cdot 8$ and $|R| = 2^{128}$.
Remark: $\mathbb{Z}_2[z]/\langle \mu(z) \rangle = \mathbb{F}_{256}$.

Notation: If $r \in R$,

$$r = \sum_{i=0}^{3} \sum_{j=0}^{3} r_{ij} x^i y^j = \sum_{j=0}^{3} \Big( \sum_{i=0}^{3} r_{ij} x^i \Big) y^j = \sum_{j=0}^{3} r_j y^j \qquad \text{where } r_j \in \mathbb{F}_{256}[x]/(x^4 + 1).$$

Assume Alice and Bob agree on a secret key element $k \in R$.

Key Expansion

Both Alice and Bob compute recursively $k^{(0)}, k^{(1)}, \dots, k^{(10)} \in R$, as follows: $k^{(0)} = k$,

$$k^{(t+1)}_0 = \Big( \sum_{i=0}^{3} \varphi\big(k^{(t)}_{i,3}\big) x^i \Big) x^3 + z^t + k^{(t)}_0 \qquad \text{for } t = 0, \dots, 9,$$

$$k^{(t+1)}_i = k^{(t+1)}_{i-1} + k^{(t)}_i \qquad \text{for } t = 0, \dots, 9,\; i = 1, 2, 3,$$

where, in the notation above, $k^{(t)}_j \in \mathbb{F}_{256}[x]/(x^4 + 1)$ is the coefficient of $y^j$ in $k^{(t)}$ and $k^{(t)}_{i,j} \in \mathbb{F}_{256}$ the coefficient of $x^i y^j$.


Here $\varphi : \mathbb{F}_{256} \to \mathbb{F}_{256}$ is a permutation described as $\varphi := \varphi_3 \circ L \circ \varphi_1$ where:

$$\varphi_1 : \mathbb{F}_{256} \to \mathbb{F}_{256}, \qquad f \mapsto \begin{cases} f^{-1} & \text{if } f \neq 0 \\ 0 & \text{if } f = 0 \end{cases}$$

$$L : \mathbb{F}_{256} \to \mathbb{F}_{256}, \qquad f \mapsto (z^4 + z^3 + z^2 + z + 1)\, f \pmod{z^8 + 1}$$

$$\varphi_3 : \mathbb{F}_{256} \to \mathbb{F}_{256}, \qquad f \mapsto z^6 + z^5 + z + 1 + f$$
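Added example (not part of the notes): the map $\varphi = \varphi_3 \circ L \circ \varphi_1$ above in Python, with $\mathbb{F}_{256} = \mathbb{Z}_2[z]/\langle \mu(z) \rangle$ represented as bytes (bit $i$ is the coefficient of $z^i$), $\varphi_1$ computed as $f^{254}$ (since $\mathbb{F}_{256}^*$ has order 255) and $L$ as multiplication modulo $z^8 + 1$, where multiplying by $z^i$ is a cyclic shift; the function names are mine, and the checked values follow from the definitions (e.g. $\varphi(0) = z^6 + z^5 + z + 1$).

```python
MU = 0b1_0001_1011          # mu(z) = z^8 + z^4 + z^3 + z + 1

def gf256_mul(a: int, b: int) -> int:
    """Product in F_256 = Z_2[z] / <mu(z)>; bytes hold the coefficient vectors."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:       # degree 8 reached: reduce by mu(z)
            a ^= MU
        b >>= 1
    return r

def phi1(f: int) -> int:
    """f -> f^(-1) for f != 0 (computed as f^254), and 0 -> 0."""
    r, base, e = 1, f, 254
    while e:
        if e & 1:
            r = gf256_mul(r, base)
        base = gf256_mul(base, base)
        e >>= 1
    return r if f else 0

def L(f: int) -> int:
    """f -> (z^4 + z^3 + z^2 + z + 1) * f mod z^8 + 1; z^i * f is a cyclic shift by i."""
    r = 0
    for i in range(5):
        r ^= ((f << i) | (f >> (8 - i))) & 0xFF
    return r

def phi3(f: int) -> int:
    """f -> z^6 + z^5 + z + 1 + f."""
    return f ^ 0b0110_0011

def phi(f: int) -> int:
    return phi3(L(phi1(f)))
```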

Encryption

Let $\gamma = (z + 1) x^3 + x^2 + x + z \in R$. Using $k^{(t)}$, $t = 0, \dots, 10$, Alice encrypts $m \in R$ as follows:

$$m^{(0)} := m + k^{(0)}$$

$$m^{(t+1)} := \gamma \Big( \sum_{i=0}^{3} \sum_{j=0}^{3} \varphi\big(m^{(t)}_{ij}\big)\, x^i y^{3i + j} \Big) + k^{(t+1)} \qquad \text{for } t = 0, \dots, 8$$

$$c := m^{(10)} = \sum_{i=0}^{3} \sum_{j=0}^{3} \varphi\big(m^{(9)}_{ij}\big)\, x^i y^{3i + j} + k^{(10)}$$

Bob, who knows $k^{(0)}, \dots, k^{(10)}$, can solve $m$ from $c$.

4.2 Stream Ciphers

Using some secret key $k \in \mathcal{K}$ a pseudo-random sequence $s_1 s_2 s_3 s_4 s_5 s_6 \dots$ is produced where $s_i \in F$. Given a message sequence $m_1, m_2, \dots$ where $m_i \in F$:
Encryption: $c_i = m_i + s_i$
Decryption: $m_i = c_i - s_i$

In 1917, Gilbert Vernam invented and patented the one-time pad. For this let $m_1, m_2, m_3, \dots \in (\mathbb{F}_q)^{\mathbb{N}}$ (often $\mathbb{F}_q = \mathbb{Z}_2$) be a message text. Alice and Bob exchange a secret key $k_1, k_2, k_3, \dots \in (\mathbb{F}_q)^{\mathbb{N}}$.

Encryption: $m_i \mapsto c_i = m_i + k_i$ for $i = 1, 2, 3, \dots$

Note: Vernam ciphers are Vigenère ciphers with an arbitrarily large dimension of the vector space.

In 1949 Claude Shannon proved that the one-time pad is perfectly secure; this means the conditional entropy $H(M \mid C) = H(M)$.¹

The idea behind stream ciphers is to try to generate a pseudo-random sequence $k_1, k_2, k_3, \dots \in (\mathbb{F}_q)^{\mathbb{N}}$.

Example 4.1.

Fibonacci sequence over $\mathbb{Z}$: $1, 1, 2, 3, 5, 8, 13, \dots$
Over $\mathbb{Z}_3$: $1, 1, 2, 0, 2, 2, 1, 0, 1, 1, 2, \dots$
Over any $\mathbb{F}_q$ it can have a period of length $q^2 - 1$.

¹ For a discrete random variable $X$ with $P(X = i) = p_i$, the entropy $H(X)$ is defined as $H(X) := -\sum_i p_i \log(p_i)$.


Definition 4.1.

Let $F$ be a (finite) field (or even a ring). An $n$-th order recurrence relation is defined as follows:

$$S_{n+i} + b_{n-1} S_{n+i-1} + \dots + b_0 S_i = 0 \qquad \text{for } i = 1, 2, 3, \dots$$

with some initial conditions $S_0, S_1, \dots, S_{n-1}$.
It has the following characteristic polynomial

$$\chi(z) = z^n + b_{n-1} z^{n-1} + \dots + b_0 \in F[z].$$

Example 4.2.

Fibonacci has $\chi(z) = z^2 - z - 1$, so it is a second order recurrence sequence.

Let² $V = F^{\mathbb{N}} = \{ (S_1, S_2, \dots) \}$.
Define the shift operator $D : V \to V$ given by $(S_1, S_2, \dots) \mapsto (S_2, S_3, \dots)$.

Lemma 4.1.

Let $s = (S_1, S_2, \dots)$. Then $s$ satisfies the $n$-th order recurrence relation if and only if $\chi(D)(s) = 0$, i.e. if and only if $s \in \ker(\chi(D))$.

Consequence: The solution space of the $n$-th order recurrence relation is equal to the kernel of the linear map $\chi(D)$; in particular the solution space is a subspace of $V$.

Lemma 4.2.

$\dim_F \ker \chi(D) = \deg \chi(z) = n$

Proof.

The first $n$ initial conditions $s_1, s_2, \dots, s_n$ can be chosen freely and afterwards the sequence is determined.

Lemma 4.3.

If $\varphi_1, \varphi_2 \in F[z]$, then $\varphi_1(z) \mid \varphi_2(z)$ iff $\ker \varphi_1(D) \subseteq \ker \varphi_2(D)$.

Proof.

Let $\varphi_1(z) \mid \varphi_2(z)$, i.e. $\varphi_2(z) = r(z)\varphi_1(z)$. If $\varphi_1(D)(s) = 0$, then $\varphi_2(D)(s) = r(D)\varphi_1(D)(s) = r(D)(0) = 0$.

Lemma 4.4.

Assume $\varphi(z) = (z - \lambda_1) \cdots (z - \lambda_n)$ and $\lambda_i \neq \lambda_j$ for $i \neq j$. Then $\ker \varphi(D) = \ker(D - \lambda_1) \oplus \dots \oplus \ker(D - \lambda_n)$ and $\ker(D - \lambda_i) = \{ \alpha (1, \lambda_i, \lambda_i^2, \lambda_i^3, \dots) \mid \alpha \in F \}$.

Proof.

By lemma 4.3, $\ker(D - \lambda_1) + \dots + \ker(D - \lambda_n) \subseteq \ker \varphi(D)$. We know $\dim(\ker(\varphi(D))) = n$. It is enough to show that the sum on the left is direct.

² $F^{\mathbb{N}}$ is the notation for all functions $\mathbb{N} \to F$.


$$\begin{array}{c} \ker(D - \lambda_1) \leftrightarrow (1, \lambda_1, \lambda_1^2, \dots, \lambda_1^{n-1}) \\ \ker(D - \lambda_2) \leftrightarrow (1, \lambda_2, \lambda_2^2, \dots, \lambda_2^{n-1}) \\ \vdots \\ \ker(D - \lambda_n) \leftrightarrow (1, \lambda_n, \lambda_n^2, \dots, \lambda_n^{n-1}) \end{array}$$

The vectors on the right are the rows of the Vandermonde matrix $VM$, and $\det(VM) = \pm \prod_{i < j} (\lambda_i - \lambda_j) \neq 0$.

Example 4.3.

Find the general solution for $S_{i+2} - S_{i+1} - S_i = 0$ over $\mathbb{F}_{19}$.
$\chi(z) = z^2 - z - 1 = (z - 5)(z - 15)$.
General solution: $S_i = \alpha\, 5^{i-1} + \beta\, 15^{i-1}$.
Assume initial conditions $S_1 = 1$, $S_2 = 1$:

$$\left. \begin{array}{r} \alpha + \beta = 1 \\ 5\alpha + 15\beta = 1 \end{array} \right\} \Rightarrow \alpha = 9 \text{ and } \beta = 11.$$

Definition 4.2.

$$F((z^{-1})) := \Big\{ \sum_{i=-\infty}^{N} a_i z^i \Big\}$$

is called the space of formal Laurent series in $z^{-1}$.

Background:
$F[x]$ polynomial ring.
$F(x)$ field of rational functions.
$F[[x]]$ ring of formal power series.
$F((x))$ field of formal Laurent series $\Big\{ \sum_{i=-N}^{\infty} a_i x^i \Big\}$.

Remark: The field of formal Laurent series $F((z^{-1})) = z^{-1} F[[z^{-1}]] \oplus F[z]$.
$F((x))$ is indeed a field: for this take a non-zero element $f(x) = a_{-N} x^{-N} + a_{-N+1} x^{-N+1} + \dots + a_0 + a_1 x + a_2 x^2 + \dots$ and assume $a_{-N} \neq 0$. Then

$$(f(x))^{-1} = (a_{-N} x^{-N})^{-1} \big( \underbrace{1 + c_1 x + c_2 x^2 + \dots}_{g(x) \in F((x))} \big)^{-1}.$$

Consider $V = z^{-1} F[[z^{-1}]] \cong F((z^{-1})) / F[z] = \Big\{ \frac{S_1}{z} + \frac{S_2}{z^2} + \dots \;\Big|\; S_i \in F \Big\} \cong F^{\mathbb{N}}$.

Lemma 4.5.

Let $s = (S_1, S_2, \dots)$ and define $f(z) = \frac{S_1}{z} + \frac{S_2}{z^2} + \dots$. Then $s$ satisfies the $n$-th order recurrence relation if and only if $\chi(D)(s) = 0$ if and only if $f(z) = \frac{g(z)}{\chi(z)}$, where $g(z) \in F[z]$ and $\deg g(z) < \deg \chi(z)$.

Nota bene: Multiplication by $z$ in $z^{-1} F[[z^{-1}]]$ corresponds to the shift $D$ in $F^{\mathbb{N}}$.


Proof.

$\chi(D)(s) = 0 \Leftrightarrow \chi(z) f(z) = g(z) \in F[z]$. Moreover, since $f(z) \in z^{-1} F[[z^{-1}]]$, the top term of $\chi(z) f(z)$ has degree at most $n - 1$.

Example 4.4.

Fibonacci sequences over $\mathbb{R}$: $s_{i+2} - s_{i+1} - s_i = 0$; the general solution is

$$f(z) = \frac{a_1 z + a_0}{z^2 - z - 1} = \sum_{i=1}^{\infty} \frac{s_i}{z^i}.$$

Assume initial conditions $s_1 = s_2 = 1$; this results in $a_1 = 1$, $a_0 = 0$.
So

$$f(z) = \frac{1}{z} + \frac{1}{z^2} + \frac{2}{z^3} + \dots = \frac{z}{(z - \alpha_1)(z - \alpha_2)} = \frac{A}{z - \alpha_1} + \frac{B}{z - \alpha_2} = \frac{\frac{\alpha_1}{\alpha_1 - \alpha_2}}{z - \alpha_1} + \frac{\frac{\alpha_2}{\alpha_2 - \alpha_1}}{z - \alpha_2}$$

where $\alpha_{1,2} = \frac{1 \pm \sqrt{5}}{2}$.

Since $\frac{1}{z - \beta} = \frac{1}{z} \cdot \frac{1}{1 - \frac{\beta}{z}} = \frac{1}{z} + \frac{\beta}{z^2} + \frac{\beta^2}{z^3} + \dots$, we get

$$\frac{z}{z^2 - z - 1} = \frac{1}{\sqrt{5}} \sum_{i=1}^{\infty} \frac{\left(\frac{1 + \sqrt{5}}{2}\right)^i}{z^i} - \frac{1}{\sqrt{5}} \sum_{i=1}^{\infty} \frac{\left(\frac{1 - \sqrt{5}}{2}\right)^i}{z^i}$$

$$\Rightarrow \qquad s_i = \frac{1}{\sqrt{5}} \left( \frac{1 + \sqrt{5}}{2} \right)^i - \frac{1}{\sqrt{5}} \left( \frac{1 - \sqrt{5}}{2} \right)^i$$

Question of Kronecker: Complex meromorphic functions have a formal power series expansion $f(z) = \sum_{i=0}^{\infty} a_i z^i$. Under what conditions is $f(z)$ rational?

Answer: $f(z)$ is rational iff the coefficients satisfy a recurrence relation.

Definition 4.3.

A sequence $s = (s_i)_i$ is called ultimately periodic if there exists $j$ such that $s_{r+i} = s_i$ for all $i \geq j$. The period $r$ is the smallest number with this property.

Theorem 4.1 (Kronecker).

For a power series

$$f(z) = \sum_{i=1}^{\infty} \frac{s_i}{z^i} \in F[[z^{-1}]]$$

the following are equivalent:

(1) $f(z)$ is a rational function of degree $n$, where the degree of $f(z) = \frac{g(z)}{\chi(z)}$ is defined as $\deg f := \max\{\deg g, \deg \chi\}$.

(2) $s = (s_1, s_2, s_3, \dots)$ satisfies the $n$-th order recurrence $\chi(D)(s) = 0$.

(3) The infinite Hankel matrix

$$H_f = \begin{pmatrix} s_1 & s_2 & s_3 & \cdots \\ s_2 & s_3 & & \\ s_3 & & \ddots & \\ \vdots & & & \end{pmatrix}$$

has rank $n$.


(4) If $F$ is finite, then $s_1, s_2, s_3, \dots$ is ultimately periodic of period $r \leq q^n - 1$.

Proof.

(1)⇔(2): See before. (Crucial part: the shift operator $D : F^{\mathbb{N}} \to F^{\mathbb{N}}$ corresponds to multiplication by $z$ in $F((z^{-1}))/F[z]$, so basically $\chi(D)(s) = 0 \Leftrightarrow \chi(z) \cdot f(z) = 0$ in $F((z^{-1}))/F[z]$, i.e. $\chi(z) f(z) \in F[z]$.)

(1)⇔(3): Let

$$\frac{a_0 + a_1 z + \dots + a_{n-1} z^{n-1}}{b_0 + b_1 z + \dots + b_{n-1} z^{n-1} + z^n} = \sum_{i=1}^{\infty} \frac{s_i}{z^i}$$

$$\Leftrightarrow \qquad a_0 + a_1 z + \dots + a_{n-1} z^{n-1} = (b_0 + \dots + b_{n-1} z^{n-1} + z^n) \sum_{i=1}^{\infty} \frac{s_i}{z^i}.$$

Comparing coefficients:

$$\left. \begin{array}{ll} z^{n-1}: & a_{n-1} = s_1 \\ z^{n-2}: & a_{n-2} = b_{n-1} s_1 + s_2 \\ & \vdots \\ z^0: & a_0 = b_1 s_1 + \dots + b_{n-1} s_{n-1} + s_n \end{array} \right\} \text{initial conditions}$$

$$\begin{array}{ll} z^{-1}: & 0 = b_0 s_1 + \dots + b_{n-1} s_n + s_{n+1} \\ z^{-2}: & 0 = b_0 s_2 + \dots + b_{n-1} s_{n+1} + s_{n+2} \\ \vdots & \\ z^{-k}: & 0 = b_0 s_k + \dots + b_{n-1} s_{k+n-1} + b_n s_{n+k} \qquad (b_n = 1) \end{array}$$

$$\Leftrightarrow \qquad \begin{pmatrix} s_1 & s_2 & s_3 & \cdots \\ s_2 & s_3 & & \\ s_3 & & \ddots & \\ \vdots & & & \end{pmatrix} \begin{pmatrix} b_0 \\ b_1 \\ \vdots \\ b_{n-1} \\ 1 \\ 0 \\ \vdots \end{pmatrix} = 0,$$

$\Rightarrow H_f$ has rank $n$.

(4)⇒(2): Assume $s = (s_1, s_2, s_3, \dots)$ has pre-period $j$ and period $r$. Then $(D^{r+j} - D^j)(s) = 0$. Consider $I_s = \{ a(z) \in F[z] \mid a(D)(s) = 0 \}$; then $I_s \neq \{0\}$ since $z^{j+r} - z^j \in I_s \subseteq F[z]$. Note that $I_s$ is an ideal, i.e. $\exists\, \chi(z)$ such that $I_s = \langle \chi \rangle$, and hence $s$ satisfies $\chi(D)(s) = 0$. And note again that $\chi(z) \mid z^{j+r} - z^j$.

(2)⇒(4): For this introduce the state vector at time $t$:

$$x_t = \begin{pmatrix} s_{t+1} \\ \vdots \\ s_{t+n} \end{pmatrix}$$


Let

$$A = \begin{pmatrix} 0 & 1 & & \\ & \ddots & \ddots & \\ & & 0 & 1 \\ -b_0 & \cdots & \cdots & -b_{n-1} \end{pmatrix};$$

then the $n$-th order recurrence sequence $s_{n+i} + b_{n-1} s_{n+i-1} + \dots + b_0 s_i = 0$ has the equivalent description $x_{i+1} = A x_i$.
Explicit formula: $x_n = A^{n-1} x_1$. There are only finitely many states, thus $\exists\, 1 \leq a < b \leq q^n$ such that $A^a x_1 = A^b x_1$. Thus the sequence is ultimately periodic with period $b - a$.

Question: Are there $n$-th order linear recurrence sequences with period $q^n - 1$ over $\mathbb{F}_q$? (Each non-zero state appears exactly once in a sequence of length $q^n - 1$.)³

Lemma 4.6.

Let $\varphi(z) = z^n + b_{n-1} z^{n-1} + \dots + b_0 \in \mathbb{Z}_q[z]$ with $\varphi(0) = b_0 \neq 0$. Then the recurrence sequence $\varphi(D)(s) = 0$ has no pre-period. And $\exists\, e \in \mathbb{N}$ such that $\varphi(z) \mid z^e - 1$; in particular $s_{i+e} = s_i$ for $i = 1, 2, \dots$, and the smallest $e$ with $\varphi(z) \mid z^e - 1$ is the period of $s$.

Proof.

Consider the factor ring $R = F[z]/(\varphi)$.
By the Pigeonhole⁴ principle there are $0 \leq i < j < q^n$ with $z^i + (\varphi) = z^j + (\varphi)$. Then $\varphi(z) \mid z^j - z^i$, and since $\varphi(0) \neq 0$ we get that $\varphi(z) \mid z^{j-i} - 1$.
This means in particular also that $s = (s_1, s_2, s_3, \dots)$ is periodic of period $r$, and $j - i$ is possibly a multiple of $r$. Since $\varphi(0) \neq 0$ one can "reverse" the recurrence relation.

Remark: If $\varphi(z) \in \mathbb{F}_q[z]$ and $\varphi(0) \neq 0$ then the smallest $e \in \mathbb{N}$ such that $\varphi(z) \mid z^e - 1$ is called the order of $\varphi(z)$. The order corresponds to the period of $\varphi(D)(s) = 0$.

Lemma 4.7.

Assume $\alpha$ is a (primitive) generator of $\mathbb{F}_{q^n}^* = \{1, \alpha, \alpha^2, \dots, \alpha^{q^n - 2}\}$.

Let $\varphi(z) \in \mathbb{F}_q[z]$ be the minimal polynomial⁵ of $\alpha$ over $\mathbb{F}_q$. Then $\deg \varphi(z) = n$ and the order is $q^n - 1$.

³ Answer: YES.
⁴ The Pigeonhole principle states that if $n + 1$ objects are placed in $n$ boxes, at least one box must contain two objects.
⁵ Let $K \subseteq F$, $\alpha \in F$ and $p(\alpha) = 0$, where $p(x) \in K[x]$ is monic. Then $p(x)$ is called the minimal polynomial of $\alpha$ if $\alpha$ is not a root of any non-zero polynomial in $K[x]$ of lower degree.


Proof.

A minimal polynomial is always irreducible, i.e. $\varphi(z)$ is irreducible, so the splitting field is $\mathbb{F}_q[x]/\langle \varphi(z) \rangle \cong \mathbb{F}_{q^{\deg \varphi}}$, so $\deg \varphi = n$.

Clearly $\alpha^{q^n-1} = 1$ and thus $\varphi(z) \mid z^{q^n-1} - 1$.

So $e := \operatorname{ord} \varphi(z) \le q^n - 1$. Since $\alpha$ is a primitive element of $\mathbb{F}_{q^n}^*$, $\alpha$ has order $q^n - 1$. Hence $\nexists\, a < q^n - 1$ such that $\varphi(z) \mid z^a - 1$, which implies that $\operatorname{ord} \varphi(z) = q^n - 1$.

Corollary 4.1.

Let $\varphi(z)$ be a minimal polynomial of a primitive $\alpha \in \mathbb{F}_{q^n}^*$. Let $s = (s_1, s_2, s_3, \ldots)$ be a non-zero sequence satisfying $\varphi(D)(s) = 0$. Then $s$ has period $q^n - 1$ and no pre-period, and every non-zero state

$$x_t = \begin{pmatrix} s_t \\ s_{t+1} \\ \vdots \\ s_{t+n-1} \end{pmatrix}$$

appears exactly once in the sequence of the first $q^n - 1$ elements.

Proof.

Recall: $\varphi_1(z) \mid \varphi_2(z) \Rightarrow \ker \varphi_1(D) \subseteq \ker \varphi_2(D)$. Moreover, $(x^{q^n-1} - 1)x$ is equal to the product of all irreducible polynomials whose degree divides $n$. $\Rightarrow \varphi(z) \mid (x^{q^n-1} - 1) \Rightarrow \ker \varphi(D) \subseteq \ker(D^{q^n-1} - 1)$.

Note: $\ker(D^e - 1)$ are the $e$-periodic sequences. It follows that $s$ has period $q^n - 1$. There is no pre-period, since $\varphi(z)$ is irreducible, in particular $\varphi(0) \neq 0$, and hence the recurrence sequence can be reversed.

Between 1940 and 1970 stream ciphers were often based on linear recurrence relations. In the engineering literature they are often called LFSRs$^6$. For building a crypto-system Alice and Bob agree on a primitive polynomial $\varphi(z)$ and initial conditions, in other words on $f(z) = \frac{g(z)}{\varphi(z)} = s_1 z + s_2 z^2 + s_3 z^3 + \cdots$. Bob has the message $m(z) = m_1 z + m_2 z^2 + m_3 z^3 + \cdots$ and sends to Alice $c(z) = f(z) + m(z)$. Alice then decrypts $m(z) = c(z) - f(z)$.

The weakness is the so-called plain text attack. Assume $s_t, s_{t+1}, s_{t+2}, \ldots, s_{t+2n-1}$ are known. Then

$$\begin{pmatrix} s_t & s_{t+1} & \cdots & s_{t+n-1} \\ s_{t+1} & \ddots & & \vdots \\ \vdots & & \ddots & \vdots \\ s_{t+n-1} & \cdots & \cdots & s_{t+2n-1} \end{pmatrix} \begin{pmatrix} b_0 \\ \vdots \\ \vdots \\ b_{n-1} \end{pmatrix} = \begin{pmatrix} -s_{t+n} \\ -s_{t+n+1} \\ \vdots \\ -s_{t+2n-1} \end{pmatrix}$$

This means that solving the linear system results in $b_0, \ldots, b_{n-1}$. In 1969, the use of linear recurrence relations stopped; however non-linear recurrence relations are still in use today. For this take $f(x_1, \ldots, x_n) \in F[x_1, \ldots, x_n]$ and consider $s_{n+i} = f(s_i, \ldots, s_{i+n-1})$.
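The following is an added example, not code from the lecture notes: an LFSR over $\mathbb{F}_2$ for a recurrence $\varphi(D)(s) = 0$, a check that a primitive $\varphi$ of degree $n$ yields the period $2^n - 1$ of Corollary 4.1, and the plain text attack above, where $2n$ known keystream bits are put into the Hankel system and solved for $b_0, \ldots, b_{n-1}$. The polynomial $\varphi(z) = z^4 + z + 1$, the initial state and the function names are this example's own choices.

```python
# Added example (not from the notes): an LFSR over F_2 for phi(D)(s) = 0 with
# phi(z) = z^n + b_{n-1} z^{n-1} + ... + b_0, i.e. s_{n+i} = b_{n-1} s_{n+i-1} + ... + b_0 s_i
# (over F_2 the minus signs vanish), its period, and the recovery of b_0..b_{n-1}
# from 2n consecutive known keystream bits by solving the Hankel system of the notes.
from typing import List, Optional


def lfsr_sequence(b: List[int], init: List[int], length: int) -> List[int]:
    """Keystream s_1, s_2, ...; b = [b_0, ..., b_{n-1}], init = [s_1, ..., s_n]."""
    n = len(b)
    assert len(init) == n
    s = list(init)
    while len(s) < length:
        # s_{n+i} = sum_j b_j s_{i+j} (mod 2); s[-n] is s_i
        s.append(sum(b[j] * s[-n + j] for j in range(n)) % 2)
    return s[:length]


def period(b: List[int], init: List[int]) -> int:
    """Period of the state sequence x_t = (s_t, ..., s_{t+n-1}); for a primitive phi
    of degree n and a non-zero start this is 2^n - 1 (Corollary 4.1)."""
    n = len(b)
    s = list(init)
    seen = {tuple(s): 0}
    t = 0
    while True:
        s.append(sum(b[j] * s[-n + j] for j in range(n)) % 2)
        t += 1
        state = tuple(s[-n:])
        if state in seen:
            return t - seen[state]   # seen[state] is the pre-period
        seen[state] = t


def solve_gf2(M: List[List[int]], rhs: List[int]) -> Optional[List[int]]:
    """Solve M x = rhs over F_2 by Gauss-Jordan elimination; None if M is singular."""
    n = len(M)
    A = [row[:] + [r] for row, r in zip(M, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if A[r][col]), None)
        if pivot is None:
            return None
        A[col], A[pivot] = A[pivot], A[col]
        for r in range(n):
            if r != col and A[r][col]:
                A[r] = [x ^ y for x, y in zip(A[r], A[col])]
    return [A[i][n] for i in range(n)]


def recover_feedback(known: List[int], n: int) -> Optional[List[int]]:
    """Plain text attack of the notes: from s_t, ..., s_{t+2n-1} build the n x n Hankel
    matrix (row i = s_{t+i}, ..., s_{t+i+n-1}) and solve for (b_0, ..., b_{n-1})."""
    assert len(known) >= 2 * n
    hankel = [known[i:i + n] for i in range(n)]
    rhs = [known[n + i] for i in range(n)]   # -s_{t+n+i}; the sign is irrelevant over F_2
    return solve_gf2(hankel, rhs)


def keystream_from_plaintext(cipher: List[int], plain: List[int]) -> List[int]:
    """c = f + m over F_2, so known plaintext reveals the keystream bits f = c + m."""
    return [c ^ m for c, m in zip(cipher, plain)]


# Constructed demo: phi(z) = z^4 + z + 1 (primitive over F_2), i.e. b = [b_0, b_1, b_2, b_3]
B = [1, 1, 0, 0]
INIT = [1, 0, 0, 0]

if __name__ == "__main__":
    stream = lfsr_sequence(B, INIT, 30)
    print("period:", period(B, INIT))                        # 15 = 2^4 - 1
    print("recovered b:", recover_feedback(stream[:8], 4))   # [1, 1, 0, 0]
```

Any window of $2n$ consecutive bits of a maximal-length keystream gives a non-singular Hankel matrix, so the feedback polynomial, and with it the whole keystream, follows from $2n$ known plaintext bits; the all-zero window is the degenerate case where `solve_gf2` reports a singular system.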

6 Linear Feedback Shift Registers


Chapter 5

Discrete Logarithm Problem and Public Key Cryptography


Let $G$ be a group, $\alpha \in G$ be an element of finite order, $\operatorname{ord}(\alpha) = n$. Consider the cyclic subgroup $H = \{\underbrace{\alpha^0}_{e}, \alpha^1, \ldots, \alpha^{n-1}\} \subseteq G$. Let $\beta \in G$ be an element.

Definition 5.1.

$a \in \mathbb{Z}$ is called the logarithm of $\beta$ to the base $\alpha$ if $\beta = \alpha^a$. We write $a = \log_\alpha \beta$.

Remarks:

1. $\log_\alpha \beta$ exists if and only if $\beta \in H$.

2. If it exists, $\log_\alpha \beta$ is multi-valued: indeed, if $a = \log_\alpha \beta$ then also $a + kn = \log_\alpha \beta$ for $k \in \mathbb{Z}$. The unique value $a$ with $\alpha^a = \beta$ and $0 \le a \le n - 1$ is called the principal value of $\log_\alpha \beta$.

Calculation Rules:

1. $\log_\alpha \beta^m = m \log_\alpha \beta \bmod n$

2. $\log_\alpha(\beta_1 \beta_2) = \log_\alpha(\beta_1) + \log_\alpha(\beta_2) \bmod n$

In 1976 Diffie and Hellman showed in a famous paper how to use discrete logarithms for key exchange:

a) Alice and Bob agree on $\alpha \in H$

b) Alice chooses $a \in \mathbb{N}$, computes $\alpha^a$ and sends it to Bob ($a$ remains private)

c) Bob chooses $b \in \mathbb{N}$, computes $\alpha^b$ and sends the result to Alice ($b$ remains private)

d) Both Alice and Bob can compute $\alpha^{ab} = (\alpha^a)^b = (\alpha^b)^a = k$

The Diffie-Hellman protocol can certainly be solved if the discrete logarithm problem ($\log_\alpha(\alpha^a) = a$) can be solved. A deeper question is: Is the Diffie-Hellman problem polynomially equivalent to the DLP$^1$?

Remark:

1. Necessarily the group should have a size such that brute force trying all cases is not possible. In practice $\ge 2^{160}$ (a square root attack exists, and $2^{80}$ is too big for computers).

2. Any cyclic group $H$ of order $n$ is isomorphic to $(\mathbb{Z}/n\mathbb{Z}, +)$. Assume $\alpha$ is a generator (iff $\gcd(\alpha, n) = 1$); then $\log_\alpha \beta = a$ requires the solution of $a\alpha = \beta \bmod n$ in $(\mathbb{Z}/n\mathbb{Z}, +)$. (Very easy problem, use Euclid.)

Difficulty: Finding an explicit isomorphism between $H$ and $\mathbb{Z}/n\mathbb{Z}$ is the DLP.

In 1985, El-Gamal showed how to construct a one-way trapdoor function from a hard DLP.

$^1$ Discrete Logarithm Problem


5.1 Which groups have hard DLP?

1. $\mathbb{F}_q^*$ (cyclic of order $\varphi(n)$)

2. $GL_m(\mathbb{F}_q)$: If $A \in GL_m(\mathbb{F}_q)$ is diagonalizable (i.e. $\exists\, S$ with $S^{-1}AS = D$) then $A^a = B \Leftrightarrow D^a = S^{-1}BS$, and this problem is equivalent to $m$ DLPs over $\mathbb{F}_q$. Assume the characteristic polynomial $\varphi(x) = \det(xI - A)$ is irreducible. Assume also that $\lambda$ is an eigenvalue; then $\lambda \in \mathbb{F}_{q^m}$, and $\lambda^q, \lambda^{q^2}, \lambda^{q^3}, \ldots, \lambda^{q^{m-1}}$ are the other eigenvalues. Then $\exists\, S : S^{-1}AS = \operatorname{diag}(\lambda, \lambda^q, \ldots, \lambda^{q^{m-1}})$ and $\lambda^{q^i} \in \mathbb{F}_{q^m}$. In this case, the DLP is as hard as $m$ DLPs in $\mathbb{F}_{q^n}$.

3. $\mathbb{Z}_n^*$, but it is not used since $\mathbb{Z}_n^* \cong \mathbb{Z}_{p_1^{e_1}}^* \times \cdots \times \mathbb{Z}_{p_t^{e_t}}^*$, so we have an answer in each of the $\mathbb{Z}_{p_i^{e_i}}^*$, $\forall\, i = 1, \ldots, t$.

4. $E(\mathbb{F}_q)$ (elliptic curves of the $\mathbb{F}_q$-rational points) are the interesting proposal.

5.2 Construction of one-way trapdoor functions using a hard DLP (El-Gamal 1985)

Given a cyclic group $H$ as before, where the DLP is hard.
Public: $(\alpha, \beta, H)$
Private: $a = \log_\alpha \beta$
The encryption is given by the one-way trapdoor function $\varphi : H \to H \times H$, $m \mapsto (\alpha^k, m\beta^k) = (c_1, c_2)$, where the sender randomly chooses $k \in \mathbb{N}$ and keeps it private.

For the decryption, solve

$$\begin{cases} \alpha^k = c_1 \\ m\beta^k = c_2 \end{cases}$$

and since $c_1^a = \beta^k$ we get $m = c_2 (c_1^a)^{-1}$.
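As an added example, not part of the notes, the Diffie-Hellman exchange of the previous section and the El-Gamal function above in one concrete group: a constructed subgroup $H = \langle \alpha \rangle$ of prime order $q = 233$ inside $\mathbb{Z}_p^*$, $p = 2q + 1 = 467$, $\alpha = 4$. A brute-force logarithm is included to show why Remark 1 asks for $|H| \ge 2^{160}$. The parameters, the message value and all function names are this example's own assumptions.

```python
# Added example (not from the notes): Diffie-Hellman and El-Gamal in a constructed group
# H = <alpha> of prime order q in Z_p^*, p = 2q + 1.  alpha = 4 = 2^2 is a square, so its
# order divides q; q is prime and alpha != 1, hence ord(alpha) = q exactly.
import random

P, Q, ALPHA = 467, 233, 4


def dh_keypair(rng: random.Random):
    """Private exponent a and the public value alpha^a."""
    a = rng.randrange(1, Q)
    return a, pow(ALPHA, a, P)


def dh_shared_key(private: int, peer_public: int) -> int:
    return pow(peer_public, private, P)        # (alpha^b)^a = (alpha^a)^b = alpha^{ab}


def elgamal_keygen(rng: random.Random):
    a = rng.randrange(1, Q)                    # private a = log_alpha(beta)
    return (ALPHA, pow(ALPHA, a, P)), a        # public (alpha, beta)


def elgamal_encrypt(pub, m: int, rng: random.Random):
    """phi: m -> (alpha^k, m beta^k) with a fresh random k kept by the sender.
    The notes take m in H; any m in Z_p^* decrypts correctly too, but then c2
    reveals whether m is a square modulo p, so real schemes encode m into H."""
    alpha, beta = pub
    k = rng.randrange(1, Q)
    return pow(alpha, k, P), m * pow(beta, k, P) % P


def elgamal_decrypt(a: int, c) -> int:
    c1, c2 = c
    # c2 (c1^a)^{-1}; c1 = alpha^k has order q, so c1^{-a} = c1^{q-a}
    return c2 * pow(c1, (Q - a) % Q, P) % P


def brute_force_log(alpha: int, beta: int):
    """log_alpha(beta) by exhaustive search: feasible only because |H| = 233."""
    for x in range(Q):
        if pow(alpha, x, P) == beta:
            return x
    return None


def run_demo(seed: int = 42) -> dict:
    rng = random.Random(seed)                  # deterministic for the demo only
    a, pub_a = dh_keypair(rng)
    b, pub_b = dh_keypair(rng)
    pub, priv = elgamal_keygen(rng)
    m = 321                                    # constructed message in Z_p^*
    c = elgamal_encrypt(pub, m, rng)
    return {
        "dh_match": dh_shared_key(a, pub_b) == dh_shared_key(b, pub_a),
        "m": m,
        "decrypted": elgamal_decrypt(priv, c),
        "log_recovered": brute_force_log(*pub) == priv,
    }


if __name__ == "__main__":
    print(run_demo())
```

The fresh $k$ per message is what makes the map a randomized trapdoor function; reusing $k$ for two messages would let anyone divide the two $c_2$ values and learn the ratio of the plaintexts.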

5.3 Solving the DLP (How Difficult is it?)

In $(\mathbb{Z}_n, +)$, the problem is as difficult as inverting elements in $(\mathbb{Z}_n)^*$ (easy due to Euclid).

5.3.1 Index Calculus

Definition 5.2.

A subset $S \subseteq G$ is called a factor base $S = \{p_1, \ldots, p_t\}$ if for an element $g \in G$ there is a good chance and an algorithmic way to find exponents $e_1, \ldots, e_t$ such that $g = p_1^{e_1} \cdots p_t^{e_t}$.

For such groups we need to search for exponents $k_i \in \mathbb{N}$ such that $\alpha^{k_i} = p_1^{d_{i,1}} \cdots p_t^{d_{i,t}}$ for $i = 1, 2, 3, \ldots, m$.

Solve

$$\begin{pmatrix} k_1 \\ \vdots \\ k_m \end{pmatrix} = \begin{pmatrix} d_{11} & \cdots & d_{t1} \\ \vdots & \ddots & \vdots \\ d_{1m} & \cdots & d_{tm} \end{pmatrix} \begin{pmatrix} \log_\alpha p_1 \\ \vdots \\ \log_\alpha p_t \end{pmatrix}$$

over $\mathbb{Z}_n$, where $\operatorname{ord}(\alpha) = n$.

If $m \ge t$, there is a good probability that $\operatorname{rank}(M) = t$, in which case $\log_\alpha p_i$ can be computed.


Now search for $k \in \mathbb{N}$ such that $\alpha^k \beta = p_1^{e_1} \cdots p_t^{e_t}$

$\Rightarrow \log_\alpha \beta = e_1 \log_\alpha p_1 + \cdots + e_t \log_\alpha p_t - k$

Example 5.1.

(1) In $\mathbb{F}_p^*$, $p$ a prime, factor bases can be used by taking the first $t$ primes $S = \{2, 3, \ldots, p_t\} \subseteq \mathbb{F}_p^*$.

(2)$^2$ $G = \mathbb{F}_{128}^* = \mathbb{F}_2[z]/\langle f \rangle$, $f(z) = z^7 + z + 1$ is irreducible. $g = a_0 + a_1 z + \cdots + a_6 z^6 + \langle f \rangle$ for any $g \in G$ and $a_i \in \mathbb{F}_2$ $\forall\, i$.
Factor base: $\{z,\ z+1,\ z^2+z+1,\ z^3+z+1,\ z^3+z^2+1\}$
Assume $\alpha = z$ (note that 127 is prime, then $G = \langle z \rangle$) and $\beta = z^4 + z^3 + z^2 + z + 1$.
Using index calculus:
$l_1 = \log_\alpha(z) = 1$
$l_2 = \log_\alpha(z+1)$
$l_3 = \log_\alpha(z^2+z+1)$
$l_4 = \log_\alpha(z^3+z+1)$
$l_5 = \log_\alpha(z^3+z^2+1)$

$\alpha^{18} = z^6 + z^4 = z^4(z+1)^2$
$\alpha^{105} = z^6 + z^5 + z^4 + z = z(z+1)^2(z^3+z^2+1)$
$\alpha^{72} = z^6 + z^3 + z^2 + z = z^2(z+1)^2(z^2+z+1)$
$\alpha^{45} = z^5 + z^2 + z + 1 = (z+1)^2(z^3+z+1)$
$\alpha^{121} = z^6 + z^5 + z^4 + z^3 + z^2 + z + 1 = (z^3+z^2+1)(z^3+z+1)$

$$\begin{pmatrix} 18 \\ 105 \\ 72 \\ 45 \\ 121 \end{pmatrix} = \begin{pmatrix} 4 & 2 & 0 & 0 & 0 \\ 1 & 2 & 0 & 0 & 1 \\ 2 & 2 & 1 & 0 & 0 \\ 0 & 2 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 \end{pmatrix} \begin{pmatrix} l_1 \\ l_2 \\ l_3 \\ l_4 \\ l_5 \end{pmatrix} \pmod{127}$$

$l_1 = 1$, $l_2 = 7$, $l_3 = 56$, $l_4 = 31$, $l_5 = 90$
$\beta\alpha^{66} = z^5 + z^3 + z = z(z^2+z+1)^2$

$\log_\alpha \beta = l_1 + 2l_3 - 66 = 47 \bmod 127$
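The computation of Example 5.1(2), carried out in code as an added example (not from the notes or the Handbook): field elements of $\mathbb{F}_2[z]/\langle z^7+z+1\rangle$ are stored as integers with bit $i$ the coefficient of $z^i$, relations are found by trial division over the factor base, the exponent system is solved modulo $127$ by Gaussian elimination, and finally $\beta\alpha^k$ is factored. The exponents $18, 105, 72, 45, 121$ are the ones the notes use; the search for $k$ is more general than the fixed $k = 66$ of the notes and returns the same logarithm, since it is unique modulo $127$. All function names are this example's own.

```python
# Added example (not from the notes): index calculus in G = (F_2[z]/(z^7+z+1))^*.
# A polynomial over F_2 is an int whose bit i is the coefficient of z^i.
from typing import List, Optional

F = 0b10000011          # f(z) = z^7 + z + 1
DEG = 7
ORDER = 127             # |G| = 2^7 - 1, prime, so z generates G
BASE = [0b10, 0b11, 0b111, 0b1011, 0b1101]   # z, z+1, z^2+z+1, z^3+z+1, z^3+z^2+1


def gf_mul(a: int, b: int) -> int:
    """Multiplication in F_2[z]/(f): shift-and-add with reduction by f."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> DEG) & 1:
            a ^= F
    return r


def gf_pow(a: int, e: int) -> int:
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def poly_divmod(a: int, b: int):
    """Long division of polynomials over F_2 (as ints)."""
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def factor_over_base(g: int) -> Optional[List[int]]:
    """Exponent vector (e_1..e_t) with g = prod p_i^{e_i}, or None if g is not smooth."""
    exps = [0] * len(BASE)
    for i, p in enumerate(BASE):
        while True:
            q, r = poly_divmod(g, p)
            if r:
                break
            g, exps[i] = q, exps[i] + 1
    return exps if g == 1 else None


def solve_mod_prime(M: List[List[int]], rhs: List[int], p: int) -> Optional[List[int]]:
    """Gauss-Jordan elimination over Z_p (p prime); None if the system is singular."""
    n = len(M)
    A = [[x % p for x in row] + [r % p] for row, r in zip(M, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], p - 2, p)           # Fermat inverse
        A[col] = [x * inv % p for x in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                fct = A[r][col]
                A[r] = [(x - fct * y) % p for x, y in zip(A[r], A[col])]
    return [A[i][n] for i in range(n)]


def index_calculus(alpha: int, beta: int, ks: List[int]):
    """Return (logs of the factor base, log_alpha(beta)) from the relations alpha^k, k in ks."""
    rows = []
    for k in ks:
        e = factor_over_base(gf_pow(alpha, k))
        if e is None:
            raise ValueError(f"alpha^{k} is not smooth over the factor base")
        rows.append(e)
    logs = solve_mod_prime(rows, ks, ORDER)
    if logs is None:
        raise ValueError("relations are not independent modulo 127")
    for k in range(ORDER):                        # find k with beta * alpha^k smooth
        e = factor_over_base(gf_mul(beta, gf_pow(alpha, k)))
        if e is not None:
            return logs, (sum(ei * li for ei, li in zip(e, logs)) - k) % ORDER
    raise ValueError("no smooth beta * alpha^k found")


if __name__ == "__main__":
    logs, log_beta = index_calculus(0b10, 0b11111, [18, 105, 72, 45, 121])
    print("l1..l5 =", logs, " log_z(beta) =", log_beta)   # [1, 7, 56, 31, 90], 47
```

The expensive part in a real field is finding enough smooth relations, which is exactly the probability question the next paragraph addresses.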

How Efficient is Index Calculus?

In $\mathbb{F}_p^*$, $p$ a prime, the question becomes: what is the probability that a random $\alpha$ factors over the first $t$ primes $S = \{2, 3, 5, \ldots, p_t\}$? In other words, is $\alpha$ $p_t$-smooth?

Theorem 5.1 (Norton (1971), Erdős, Pomerance and Canfield).

Let $N, r$ be positive integers satisfying $N^{1/r} \ge \log N$ and choose $\beta = \lfloor N^{1/r} \rfloor$. Then $|\{x \le N \mid x \text{ is } \beta\text{-smooth}\}| = N r^{-r + o(r)}$, where $\lim_{r \to \infty} \frac{o(r)}{r} = 0$.

$^2$ Example taken from "Handbook of Applied Cryptography"


Example 5.2.

$p = 2^{1000}$, $r = 20 \Rightarrow$ one out of $20^{20}$ numbers is $\beta$-smooth ($\beta = (2^{1000})^{1/20} = 2^{50}$).

$\Rightarrow$ Not practical, and for this reason $\mathbb{F}_{2^{1000}}^*$ is actually used in practice.

5.3.2 Pollard $\rho$ Method

Let $G = \langle \alpha \rangle$ be a cyclic group; for simplicity assume $|G| = p$, $p$ prime. Let $\beta \in G$. We need to find $k$ s.t. $\alpha^k = \beta$, $0 \le k < p$. Note: $k = \log_\alpha \beta$.

The idea of Pollard: Search for integers $x, y, \bar{x}, \bar{y}$ s.t. $\alpha^x \beta^y = \alpha^{\bar{x}} \beta^{\bar{y}}$

$\Rightarrow k = (x - \bar{x})(\bar{y} - y)^{-1} \bmod p$

Question:$^3$ How many pairs $(x_i, y_i)$, $i = 1, 2, 3, \ldots$ should be computed until, with reasonable probability, $\alpha^{x_i}\beta^{y_i} = \alpha^{x_j}\beta^{y_j}$ for some $1 \le i < j \le N$, where $N \ge \sqrt{p}$?

What is the probability that $k$ randomly chosen letters, which are randomly put into $n$ letter boxes, are distributed such that at least one box has at least two letters?

$$\Pr[\text{event}] = 1 - \Pr[\text{not event}] = 1 - \prod_{i=1}^{k-1}\left(1 - \frac{i}{n}\right)$$

Lemma 5.1.

Let $\lambda = \frac{\binom{k}{2}}{n} = \frac{k(k-1)}{2n}$. Then $\Pr[\text{event}] \approx 1 - e^{-\lambda}$ as long as $k \ll n$.

Proof.

By Taylor: $\log(1 - x) = -x + o(x^2)$

$$\prod_{i=1}^{k-1}\left(1 - \frac{i}{n}\right) = e^{\sum_{i=1}^{k-1} \log\left(1 - \frac{i}{n}\right)} = e^{-\frac{k(k-1)}{2n} + o\left(\frac{k^2}{n^2}\right)}$$

In order to get $\Pr[\text{event}] \approx \frac{1}{2}$:

$$1 - e^{-\lambda} = \frac{1}{2} \Rightarrow \lambda = \log 2 = \frac{k(k-1)}{2n} \Rightarrow k \approx \sqrt{2\log 2}\,\sqrt{n} \approx 1.2\sqrt{n}$$

Remark: Let $W$ be the random variable counting the number of pseudo-twins. Then $W$ can be approximated by a Poisson distribution: $\Pr[W = j] = e^{-\lambda}\frac{\lambda^j}{j!}$.

$\Pr[W \ge 1] = 1 - \Pr[W = 0] = 1 - e^{-\lambda}\frac{\lambda^0}{0!} = 1 - e^{-\lambda}$

Given a group of order $p$, one requires $\ge 1.2\sqrt{p}$ pairs $(x_i, y_i) \in \mathbb{Z}_p \times \mathbb{Z}_p$ such that there is a 50% chance for a collision $\alpha^{x_i}\beta^{y_i} = \alpha^{x_j}\beta^{y_j}$.

The drawback of this method is storage!

$^3$ This problem is known as the birthday problem


Pollard overcame the difficulty by introducing a recurrence relation in $\mathbb{Z}_p \times \mathbb{Z}_p$,

$$\left.\begin{aligned} x_{i+1} &= f(x_i, y_i) \in \mathbb{Z}_p \\ y_{i+1} &= h(x_i, y_i) \in \mathbb{Z}_p \end{aligned}\right\} \text{ Dynamical System in } \mathbb{Z}_p \times \mathbb{Z}_p$$

having the property that most points are visited. Related to it is a sequence of group elements $g_i := \alpha^{x_i}\beta^{y_i}$. $\Rightarrow$ Pre-period and ultimately periodic. So $\exists\, j$ s.t. $g_j = g_{2j}$.

So we only store $(g_i, g_{2i})$.

5.3.3 Baby-Step Giant-Step Method

Situation: $G = \langle \alpha \rangle$, where $|G| = n$. Given $\beta \in G$ find $k = \log_\alpha \beta$, i.e. $\alpha^k = \beta$.

Baby-Step

For some number $m$, produce a table $\{(i, \alpha^i) \mid i = 1, \ldots, m\}$. In practice, $m = \lfloor \sqrt{n} \rfloor$.

Giant-Step

Compute $\beta(\alpha^{-m})^j$ for $j = 1, 2, 3, \ldots$ and compare with the entries of the table. If $\beta(\alpha^{-m})^j = \alpha^i$, then $\beta = \alpha^{mj+i}$. If $m = \lfloor \sqrt{n} \rfloor$, then the number of multiplications in $G$ is $O(\sqrt{n})$ and the storage is $O(\sqrt{n}\log n)$.

Note: Every element in $\mathbb{Z}_n$ has an $m$-adic representation $i + mj$, where $1 \le i, j \le m$.

5.3.4 Pohlig-Hellman Method

Assume $G$ has order $|G| = n = p_1^{s_1} \cdots p_r^{s_r}$, and $p_i \le B$ for $i = 1, \ldots, r$.

Remark: $n$ is $B$-smooth. Assume that $\alpha^x = \beta$; the Pohlig-Hellman algorithm iteratively computes $x \equiv x_i \bmod p_i^{s_i}$, $i = 1, \ldots, r$. Once the $x_i$ are known, with the CRT we can compute $x$. Take $p := p_i$ and $s = s_i$, and write the $p$-adic expansion of $x_i$:

$$x_i = l_0 + l_1 p + l_2 p^2 + \cdots + l_{s-1}p^{s-1}, \qquad 0 \le l_j < p,\ j = 0, \ldots, s-1$$

In the sequel make a look-up table of the $p$-th roots of unity ($(\alpha^{n/p})^p = \mathrm{id} \in G$), i.e. the table of $(k, \alpha^{k\frac{n}{p}})$ for $k = 1, 2, \ldots, p - 1$.

$\Rightarrow \beta^{\frac{n}{p}} = \alpha^{x\frac{n}{p}} = \alpha^{l_0\frac{n}{p}}$, and by the look-up table $l_0$ is computed.

By construction: $(\beta\alpha^{-l_0})^{\frac{n}{p}} = (\alpha^{x-l_0})^{\frac{n}{p}} = 1$.

So $(\beta\alpha^{-l_0})^{\frac{n}{p^2}} = (\alpha^{x-l_0})^{\frac{n}{p^2}} = \alpha^{l_1\frac{n}{p}}$, and catch $l_1$ by the look-up table.

$l_2, l_3, \ldots, l_{s-1}$ are computed similarly, so we get the $x_i$'s and with the CRT we have $x$.

The running time complexity is $O\left(\sum_{i=1}^{r} s_i\left(\log n + \sqrt{p_i}\right)\right)$.
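The two methods of 5.3.3 and 5.3.4 combined, as an added example that is not part of the notes: baby-step giant-step in $\mathbb{Z}_p^*$, and Pohlig-Hellman that uses it in each prime-order subgroup (the look-up table of the notes, realised as a search of size $\sqrt{p_i}$, which is where the $\sqrt{p_i}$ in the complexity bound comes from). The prime $p = 1297$ with $p - 1 = 2^4 \cdot 3^4$ is a constructed toy parameter; the function names are this example's own.

```python
# Added example (not from the notes): baby-step giant-step and Pohlig-Hellman in Z_p^*
# for the constructed prime p = 1297, p - 1 = 2^4 * 3^4 (a 3-smooth group order).
import math
from typing import Dict, List, Optional

P = 1297
N = P - 1                      # group order of Z_p^*
FACTORS = {2: 4, 3: 4}         # N = 2^4 * 3^4


def inv_mod(a: int, m: int) -> int:
    """Modular inverse via the extended Euclidean algorithm (gcd(a, m) = 1)."""
    r0, r1, s0, s1 = a % m, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    assert r0 == 1, "not invertible"
    return s0 % m


def bsgs(alpha: int, beta: int, order: int, p: int = P) -> Optional[int]:
    """k with alpha^k = beta, where alpha has the given order in Z_p^* and beta in <alpha>."""
    m = math.isqrt(order) + 1                      # m > sqrt(order), so m*(m+1) > order
    baby, g = {}, 1
    for i in range(m):                             # baby steps: (alpha^i, i)
        baby.setdefault(g, i)
        g = g * alpha % p
    step = pow(alpha, (order - m) % order, p)      # alpha^{-m}, since alpha^order = 1
    gamma = beta % p
    for j in range(m + 1):                         # giant steps: beta * alpha^{-mj}
        if gamma in baby:
            return (j * m + baby[gamma]) % order   # beta = alpha^{mj + i}
        gamma = gamma * step % p
    return None


def crt(residues: List[int], moduli: List[int]) -> int:
    """Chinese remainder theorem for pairwise coprime moduli."""
    x, big_m = 0, 1
    for r, m in zip(residues, moduli):
        t = (r - x) * inv_mod(big_m, m) % m
        x += big_m * t
        big_m *= m
    return x % big_m


def pohlig_hellman(alpha: int, beta: int, n: int = N,
                   factors: Dict[int, int] = FACTORS, p: int = P) -> int:
    """x with alpha^x = beta for a generator alpha of a group of smooth order n."""
    residues, moduli = [], []
    for q, s in factors.items():
        alpha_q = pow(alpha, n // q, p)            # element of order q
        x_q, gamma = 0, beta                       # gamma = beta * alpha^{-x_q}
        for j in range(s):
            # (beta alpha^{-x_q})^{n / q^{j+1}} = alpha_q^{l_j}: the look-up step of the notes
            target = pow(gamma, n // q ** (j + 1), p)
            l_j = bsgs(alpha_q, target, q, p)
            x_q += l_j * q ** j
            gamma = gamma * pow(alpha, (n - l_j * q ** j) % n, p) % p
        residues.append(x_q)                       # x mod q^s
        moduli.append(q ** s)
    return crt(residues, moduli)


def find_generator(p: int = P, factors: Dict[int, int] = FACTORS) -> int:
    """Smallest g with g^{(p-1)/q} != 1 for every prime q | p-1, i.e. a generator of Z_p^*."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in factors):
            return g
    raise ValueError("no generator found")


if __name__ == "__main__":
    g = find_generator()
    beta = pow(g, 1000, P)
    print("bsgs:", bsgs(g, beta, N), " pohlig-hellman:", pohlig_hellman(g, beta))   # 1000, 1000
```

For this $p$ the giant-step search in the full group needs about $37$ table entries, whereas Pohlig-Hellman only ever searches subgroups of order $2$ and $3$; this is the reason the order of the group used for Diffie-Hellman or El-Gamal must contain a large prime factor.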


Chapter 6

Alternative Public-Key Systems


6.1 Rabin System (1981)

Assume $3 \le p < q$ are two primes, $n = pq$, and $b, c$ integers.

Question: What are the possible solutions of $x^2 + bx + c = 0$ in $\mathbb{Z}_n$?

Since $p, q > 2$, 2 is invertible in $\mathbb{Z}_n$, so we can write

$$x^2 + bx + c = \left(x + \frac{b}{2}\right)^2 - \left(\frac{b^2}{4} - c\right) = 0 = z^2 - \alpha$$

So solving $x^2 + bx + c = 0$ is equivalent to solving $z^2 = \alpha$.

Lemma 6.1.

$z^2 - \alpha = 0$ has at most 4 solutions.

Proof.

mod $p$: at most 2 solutions, say $\pm s$; mod $q$: at most 2 solutions, say $\pm t$. Each combination in $\{\pm s, \pm t\}$ corresponds to a solution mod $n$.

Lemma 6.2.

Assume $z^2 - \alpha = 0$ has solutions $\pm s \bmod p$ and $\pm t \bmod q$. Assume $a, b \in \mathbb{Z}$ have the property that $ap + bq = 1$. Then the general solution in $\mathbb{Z}_n$ is $\{\pm t\,ap \pm s\,bq\}$.

How to solve $x^2 = \alpha$ efficiently in $\mathbb{F}_p$ (if a solution exists)?

It exists if and only if $\left(\frac{\alpha}{p}\right) = 1$, and by Euler this holds if and only if $\alpha^{\frac{p-1}{2}} = 1$.

$\Rightarrow \sqrt{\alpha^{p-1}} \in \{-1, 1\}$ for any $\alpha \in \mathbb{F}_p^*$, since $\alpha^{p-1} \equiv 1 \bmod p$.

Assume $p \equiv 3 \bmod 4 \Rightarrow \alpha^{\frac{p+1}{4}} = \beta \in \{\sqrt{\alpha}, -\sqrt{\alpha}\}$, since $\beta^2 = \alpha^{\frac{p+1}{2}} = \alpha^{\frac{p-1}{2}}\alpha = \alpha$.

So the solutions are: $\pm\alpha^{\frac{p+1}{4}}$

Complexity: $O(\log p)$ multiplications in $\mathbb{F}_p$ and hence $O(\log^3 p)$ bit operations.

Remark: A polynomial algorithm exists also for $p \equiv 1 \bmod 4$, but it is simply more complicated.

Remark: $z^2 - \alpha = 0$ can have 0, 1, 2 or 4 solutions in $\mathbb{Z}_n$. More precisely, if $\alpha \in \mathbb{Z}_n^*$, then $z^2 - \alpha$ has either 0 or 4 solutions in $\mathbb{Z}_n$.

Example 6.1.

$n = 15$:
$z^2 = 0 \to$ 1 solution
$z^2 = 1 \to$ 4 solutions
$z^2 = 6 \to$ 2 solutions
$z^2 = 2 \to$ 0 solutions


Consequence: If the factorization is known, solving quadratic equations in $\mathbb{Z}_n$ is as hard as taking square roots in $\mathbb{F}_p$. For taking square roots there are known polynomial algorithms. And vice versa: assume $x^2 + bx + c = 0$ has 4 solutions in $\mathbb{Z}_n$. They are $\{z_1, z_2, z_3, z_4\} \subseteq \mathbb{Z}_n$, which correspond to $(\pm u, \pm v) \in \mathbb{Z}_p \times \mathbb{Z}_q$; without loss of generality, let $z_1 \equiv z_2 \bmod p$ and $z_3 \equiv z_4 \bmod q$. Since they are four, $z_1 \neq z_2$, and then

$$\gcd(n, z_1 - z_2) = \gcd\Big(pq,\ \underbrace{\tfrac{z_1 - z_2}{p}}_{\in \mathbb{Z}}\, p\Big) = p.$$

And then $q = \frac{n}{p}$ and we have the factorization of $n$.

Encryption and Decryption of Rabin System

Alice chooses $p, q \approx 10^{100}$, $p \equiv q \equiv 3 \bmod 4$.
Public: $n = pq$ and $b \in \mathbb{Z}_n$.
Encryption: $\varphi : \mathbb{Z}_n \to \mathbb{Z}_n$ given by $m \mapsto c = -m^2 - bm$.

Decryption: Solve $x^2 + bx + c = 0 \bmod n$.

Comparison to RSA

• Contrary to RSA, we know that decryption is equivalent to factoring.

• The encryption and decryption are similar in complexity.

         Encryption           Decryption
  Rabin  2 multiplications    $O(\log^3 n)$ bit operations
  RSA    17 multiplications   $O(\log^3 n)$ bit operations

• There is an ambiguity in the message.
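The whole of Section 6.1 in code, as an added example that is not from the notes: the square root for $p \equiv 3 \bmod 4$, the four roots of $z^2 = \alpha$ in $\mathbb{Z}_n$ via Lemma 6.2, Rabin encryption and decryption by completing the square (returning all candidates, which is the ambiguity of the last bullet), and the recovery of $p$ from two roots that are not negatives of each other, which is the "decryption is equivalent to factoring" direction. The primes $467, 1019$, the value $b$ and the message are constructed toy values; names are this example's own.

```python
# Added example (not from the notes): Rabin square roots, encryption/decryption and
# factoring from two independent roots.  Toy parameters; real p, q are about 10^100.
import math
from typing import List, Optional, Tuple


def egcd(a: int, b: int) -> Tuple[int, int, int]:
    """(g, x, y) with a x + b y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def sqrt_mod_p3(alpha: int, p: int) -> Optional[int]:
    """One square root of alpha mod p for p ≡ 3 mod 4: alpha^{(p+1)/4}, O(log p) multiplications.
    None when alpha is a non-residue (Euler's criterion fails)."""
    assert p % 4 == 3
    alpha %= p
    if alpha == 0:
        return 0
    if pow(alpha, (p - 1) // 2, p) != 1:
        return None
    return pow(alpha, (p + 1) // 4, p)


def roots_mod_pq(alpha: int, p: int, q: int) -> List[int]:
    """All z with z^2 = alpha in Z_n, n = pq (Lemma 6.2): {±t·a·p ± s·b·q}, a p + b q = 1."""
    s, t = sqrt_mod_p3(alpha, p), sqrt_mod_p3(alpha, q)
    if s is None or t is None:
        return []
    _, a, b = egcd(p, q)
    n = p * q
    return sorted({(st * t * a * p + ss * s * b * q) % n for ss in (1, -1) for st in (1, -1)})


def rabin_encrypt(m: int, n: int, b: int) -> int:
    return (-m * m - b * m) % n                    # two multiplications


def rabin_decrypt(c: int, p: int, q: int, b: int) -> List[int]:
    """Solve x^2 + b x + c = 0 in Z_n: z = x + b/2, z^2 = b^2/4 - c.
    Returns every candidate; the receiver must resolve the ambiguity (e.g. by redundancy in m)."""
    n = p * q
    half = (n + 1) // 2                            # inverse of 2 modulo the odd n
    alpha = (b * half * b * half - c) % n
    return [(z - b * half) % n for z in roots_mod_pq(alpha, p, q)]


def factor_from_roots(n: int, roots: List[int]) -> Optional[int]:
    """Two roots z1 != ±z2 of the same alpha give gcd(n, z1 - z2) in {p, q}."""
    for z1 in roots:
        for z2 in roots:
            if z1 != z2 and (z1 + z2) % n != 0:
                g = math.gcd(n, z1 - z2)
                if 1 < g < n:
                    return g
    return None


# Constructed toy parameters: both primes ≡ 3 mod 4
P_, Q_ = 467, 1019
N_ = P_ * Q_
B_ = 12345

if __name__ == "__main__":
    m = 4242
    cands = rabin_decrypt(rabin_encrypt(m, N_, B_), P_, Q_, B_)
    print("candidates:", cands, " contains m:", m in cands)
    print("factor from two roots:", factor_from_roots(N_, cands))  # hmm: candidates are x, not z
```

Note that `factor_from_roots` expects roots of one square $z^2 = \alpha$; the candidates returned by `rabin_decrypt` are shifted by $b/2$, so in the `__main__` line above the shift cancels in every difference $z_1 - z_2$ and the factor is still found. In the constructed case $n = 21$ the function reproduces the counts of Example 6.1: one, two or four roots, or none.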

6.2 Merkle-Hellman System

Background: Knapsack Problem: Given numbers $s_1, s_2, n, a_1, \ldots, a_n, b_1, \ldots, b_n \in \mathbb{N}$, determine if there are $x_1, \ldots, x_n \in \{0, 1\}$ such that $\sum_{i=1}^{n} x_i a_i \le s_1$ and $\sum_{i=1}^{n} x_i b_i \ge s_2$.

Special Case: Subset Sum Problem: Given $a_1, \ldots, a_n, s \in \mathbb{N}$, determine if there exist $x_i \in \{0, 1\}$ such that $\sum_{i=1}^{n} x_i a_i = s$.

Remark: Both problems are NP-complete.

Choose a super-increasing set $a_1 < a_2 < \cdots < a_n$ s.t. $\sum_{i=1}^{j-1} a_i < a_j$ for $j = 2, 3, \ldots$

Note: The Subset Sum Problem for super-increasing sets is trivial.


Encryption and Decryption of Merkle-Hellman System

Take a super-increasing set and choose an integer $m$ with the property $m > \sum_{i=1}^{n} a_i$. Let $s \in \mathbb{Z}_m^*$ and $\pi$ a permutation of $\{1, \ldots, n\}$. Let $b_i := s\,a_{\pi(i)} \bmod m$.
Public: $(b_1, \ldots, b_n)$
Private: $s, m$

Encryption: $\varphi : (\mathbb{Z}_2)^n \to \mathbb{N}$ given by $x \mapsto \sum_{i=1}^{n} x_i b_i = c$

Decryption: $s^{-1}c = \sum_{i=1}^{n} x_i s^{-1} b_i = \sum_{i=1}^{n} x_i a_{\pi(i)}$

Remark: Setting $n = 100$, $a_1 \approx 2^{100}, \ldots, a_n \approx 2^{200}$, and $m \approx 2^{200}$ would result in a public key of size around 20 kbits. So the encryption and decryption algorithms use around 100 additions of 200-bit numbers, whereas in RSA the algorithms use around 1000 multiplications of 1000-bit numbers.
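The system as an added example, not code from the notes: a constructed super-increasing sequence, the greedy solver that makes subset sum trivial for such sequences, the disguised public key $b_i = s\,a_{\pi(i)} \bmod m$, and decryption by undoing $s$ and $\pi$. The sizes, the seed and the function names are this example's own.

```python
# Added example (not from the notes): Merkle-Hellman knapsack encryption and decryption.
import math
import random
from typing import List, Optional, Tuple


def is_super_increasing(a: List[int]) -> bool:
    total = 0
    for ai in a:
        if ai <= total:            # need a_j > a_1 + ... + a_{j-1}
            return False
        total += ai
    return True


def solve_super_increasing(a: List[int], s: int) -> Optional[List[int]]:
    """Subset sum for a super-increasing a: take each element from the largest down
    whenever it still fits; the solution is unique if it exists."""
    x = [0] * len(a)
    for i in range(len(a) - 1, -1, -1):
        if a[i] <= s:
            x[i], s = 1, s - a[i]
    return x if s == 0 else None


def keygen(n: int, seed: int = 0) -> Tuple[List[int], tuple]:
    """Public key b and private key (a, m, s, pi); constructed random values."""
    rng = random.Random(seed)
    a, total = [], 0
    for _ in range(n):
        a.append(total + rng.randint(1, 1000))   # exceeds the sum of all previous a_i
        total += a[-1]
    m = total + rng.randint(1, 1000)             # m > sum(a)
    s = rng.randrange(2, m)
    while math.gcd(s, m) != 1:                   # s must be a unit mod m
        s = rng.randrange(2, m)
    pi = list(range(n))
    rng.shuffle(pi)                              # permutation of the indices
    b = [s * a[pi[i]] % m for i in range(n)]
    return b, (a, m, s, pi)


def encrypt(b: List[int], x: List[int]) -> int:
    assert all(xi in (0, 1) for xi in x) and len(x) == len(b)
    return sum(xi * bi for xi, bi in zip(x, b))   # n additions, no multiplications


def decrypt(priv: tuple, c: int) -> Optional[List[int]]:
    a, m, s, pi = priv
    target = pow(s, -1, m) * c % m               # = sum x_i a_{pi(i)}, exact since < m (Python 3.8+)
    y = solve_super_increasing(a, target)        # y[j] = 1 iff a_j is in the subset
    if y is None:
        return None
    return [y[pi[i]] for i in range(len(a))]     # x_i selects a_{pi(i)}


if __name__ == "__main__":
    b, priv = keygen(8, seed=7)
    x = [1, 0, 1, 1, 0, 0, 1, 0]
    print("public key:", b)
    print("round trip ok:", decrypt(priv, encrypt(b, x)) == x)
```

The public sequence $b$ looks like a general knapsack, which is what the security argument rests on; the two attacks below show that the hidden super-increasing structure survives the multiplication by $s$.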

6.2.1 Attacks on the Merkle-Hellman System

6.2.1.1 Attack by Adi Shamir (1984)

Note that $\sum_{i=1}^{n} x_i b_i = c$ has a unique solution in $\mathbb{Z}_m$ by construction.

Now if we can find some $m'$ and $n' \in \mathbb{Z}_{m'}^*$ such that $a'_i = n' b_i \bmod m'$ forms a super-increasing set (after reordering with $\pi$), then the solution of $\sum_{i=1}^{n} x_i b_i = c$ in $\mathbb{Z}_m$ is also a solution to $\sum_{i=1}^{n} x_i a'_i = \underbrace{n'c}_{c'} \bmod m'$.

Observe that $\sum_{i=1}^{n-1} a_{\pi(i)} < a_{\pi(n)} < m$, so:

$$\sum_{i=1}^{n-1} x_i a_{\pi(i)} = \begin{cases} c \bmod m & \text{has at most 1 solution and is easy to solve, OR} \\ c - a_{\pi(n)} \bmod m & \text{has at most 1 solution and is easy to solve.} \end{cases}$$

Shamir showed the existence of such $m'$ and $n'$ and a way to find them in polynomial time.

6.2.1.2 Attack Based on Short Vector Search (Lagarias and Odlyzko 1985)

$c = \sum_{i=1}^{n} x_i b_i$, $x_i \in \{0, 1\}$, $N > \frac{\sqrt{n}}{2}$

$$M := \begin{pmatrix} 1 & 0 & \cdots & 0 & N b_1 \\ 0 & \ddots & \ddots & \vdots & \vdots \\ \vdots & \ddots & \ddots & 0 & \vdots \\ 0 & \cdots & 0 & 1 & N b_n \\ \frac{1}{2} & \cdots & \cdots & \frac{1}{2} & N c \end{pmatrix} \in \mathbb{R}^{(n+1)\times(n+1)}$$

Lattice $\Lambda$ generated by the rows of $M$: $\Lambda(M) = \mathbb{Z}^{n+1} M = \{a \cdot M \mid a \in \mathbb{Z}^{n+1}\}$


A solution $(x_1, \ldots, x_n) \in \{0, 1\}^n$ to the corresponding subset sum problem corresponds to the lattice vector

$$v = (x_1, \ldots, x_n, -1) \cdot M = \left(x_1 - \tfrac{1}{2},\ x_2 - \tfrac{1}{2},\ \ldots,\ x_n - \tfrac{1}{2},\ 0\right) = \left(\pm\tfrac{1}{2},\ \pm\tfrac{1}{2},\ \ldots,\ \pm\tfrac{1}{2},\ 0\right)$$

i.e. $\|v\|_2 = \frac{\sqrt{n}}{2} < N$.

Observation: For any integer linear combination of rows of $M$ for which the last coefficient is not zero, $\|aM\|_2 \ge N > \frac{\sqrt{n}}{2} = \|v\|_2$. We can also argue that, with high probability, the vector $v$ corresponding to the solution of the subset sum problem is the shortest vector in the lattice.

Note: There exists no polynomial time algorithm to find the shortest (non-zero) vector in a lattice; however, there exists a polynomial time algorithm (LLL) which gives a vector $w$ such that $\|w\|_2 \le \left(\frac{4}{3} + \varepsilon\right)^{\frac{n+1}{2}} \|v\|_2$ $\forall\, v \in \Lambda$.

Lagarias and Odlyzko showed that for suitable $N$, the lattice density is low enough such that the LLL-algorithm will return the shortest vector.

6.3 One-Way Functions from Semi-Group Actions

Definition 6.1.

A semi-group $G$ is a set with an associative operation. (No identity and no inverses required.)

Example 6.2.

$(\mathbb{N}, +)$ or $\{5, 7, 9, 11, 13, \ldots\}$.

Definition 6.2.

$G$ is a semi-group, $S$ an arbitrary set. An action of $G$ on $S$ is a map $\psi : G \times S \to S$ such that $\psi(a, \psi(b, s)) = \psi(ab, s)$ $\forall\, a, b \in G$, $s \in S$.

Notation: $\psi(a, s) := as$.

6.3.1 Extended Diffie-Hellman Key Exchange

Let $G$ be an Abelian semi-group, $\psi : G \times S \to S$ a semi-group action. Assume that the semi-group action is difficult, that means given the pair $(s, as)$, it is hard to find $b \in G$ with $bs = as$.

Alice and Bob agree on $G$, $S$, and $s \in S$. Alice chooses $a \in G$, computes $as \in S$ and sends this to Bob. Bob chooses $b \in G$, computes $bs \in S$ and sends it to Alice. Both compute $k := (ab)s \in S$.

Traditional Diffie-Hellman: $(\alpha^a)^b = (\alpha^b)^a$; in the traditional setting the semi-group is $G = \mathbb{N}$ and the set $S$ is an abelian group.


Example 6.3 (Example of an interesting semi-group action).

Assume $G$ is an Abelian group. As a set let $S = G^n = G \times \cdots \times G$. As a semi-group consider $\mathbb{Z}^{n \times n}$.

$$A = \begin{pmatrix} a_{11} & \cdots & a_{1n} \\ \vdots & \ddots & \vdots \\ a_{n1} & \cdots & a_{nn} \end{pmatrix} \in \mathbb{Z}^{n \times n}, \qquad g = \begin{pmatrix} g_1 \\ \vdots \\ g_n \end{pmatrix} \in G^n$$

Define the action as $\psi(A, g) = Ag$. Since $A(Bg) = (AB)g$, this is a semi-group action. If $n = 1$, then the question of finding $x$, when $g$ and $xg$ are given, is the DLP in the abelian group (just written additively).

6.3.2 Extended El-Gamal Protocol

Assume $G$ is an abelian semi-group and $\psi : G \times S \to S$ is a semi-group action. Assume, in addition, that $S$ has some group structure.

Encryption

1. Alice chooses $s \in S$, $a \in G$ and publishes $(s, as)$; $a$ is kept private.

2. Bob chooses a random element $b \in G$.

3. Bob encrypts the message $m$ by: $m \mapsto (bs, (b(as)) \cdot m) = (c_1, c_2)$

Decryption

Alice knows $a$, so she computes $a(bs) = b(as)$ and hence can compute $m = (b(as))^{-1} \cdot (b(as)) \cdot m = (ac_1)^{-1} c_2$.

Eve should solve the so-called SAP$^1$ for both Diffie-Hellman and El-Gamal: Given a pair $(s, as)$, construct $\alpha \in G$ such that $\alpha s = as$.

Question: When is the SAP hard?

Consider $G_{\text{Eve}} := \{\alpha \in G \mid \alpha s = as\}$ and $\operatorname{Stab}(s) = \{g \in G \mid gs = s\}$ (a sub-semi-group).

When $G$ is a group: $\alpha \in G_{\text{Eve}} \Leftrightarrow \alpha s = as \Leftrightarrow a^{-1}\alpha s = s \Leftrightarrow a^{-1}\alpha \in \operatorname{Stab}(s) \Leftrightarrow \alpha \in a \cdot \operatorname{Stab}(s)$,

and hence $G_{\text{Eve}} = a \cdot \operatorname{Stab}(s)$.

Remark: Again, if $G$ is a group we can consider the orbit of $s$: $\operatorname{orbit}(s) := \{gs \mid g \in G\}$. We know $\operatorname{orbit}(s) = Gs \cong G/\operatorname{Stab}(s)$.

$^1$ Semi-group Action Problem


If $G$ is a semi-group, it holds that $|Gs| \le |G/\operatorname{Stab}(s)| = \frac{|G|}{|\operatorname{Stab}(s)|}$.

For a good encryption, we need $|Gs|$ large ($\ge 2^{80}$).

Example 6.4.

$G = F^{n \times n}$, where $F$ is a field; $G$ is clearly not abelian. Question: What do large commutative sub-semi-groups of $G$ look like? Easier question: Given $A \in F^{n \times n}$, what does $\operatorname{Com}(A) := \{B \mid AB = BA\}$ look like?

Note $F[A] := \left\{\sum_{i=0}^{N} a_i A^i\right\} \subseteq \operatorname{Com}(A)$.

By Cayley-Hamilton$^2$, it is enough to choose $N = n - 1$. Then it follows that $F[A]$ is an $F$-algebra of dimension at most $n$.

Lemma 6.3.

Assume $A \in F^{n \times n}$ has $n$ different eigenvalues $\lambda_1, \ldots, \lambda_n \in F$. Then $\operatorname{Com}(A) = F[A]$.

Proof.

Assume

$$SAS^{-1} = \begin{pmatrix} \lambda_1 & & 0 \\ & \ddots & \\ 0 & & \lambda_n \end{pmatrix} = D.$$

Then $AB = BA \Leftrightarrow SAS^{-1}SBS^{-1} = SBS^{-1}SAS^{-1} \Leftrightarrow SBS^{-1}$ is a diagonal matrix.

Also for a diagonal matrix $F[D] = \left\{\sum_{i=0}^{n-1} a_i D^i\right\} = \operatorname{Com}(D)$.

It follows that $F[A] = \operatorname{Com}(A)$.

Remark: One can construct sub-$F$-algebras of $F^{n \times n}$ whose dimension is $\ge \frac{n^2}{8}$.

Example 6.5.

Consider $F[A] \times F^n \to F^n$, given by $(B, v) \mapsto Bv$. Eve knows $v$ and $Bv$. By Cayley-Hamilton $B = a_0 + a_1 A + \cdots + a_{n-1}A^{n-1}$ for some $a_0, \ldots, a_{n-1} \in \mathbb{F}_q$. To find $B$, Eve solves $Bv = a_0 I v + a_1 A v + \cdots + a_{n-1} A^{n-1} v$ for $a_0, \ldots, a_{n-1}$.

Question: How can one increase the complexity of the problem?

More complicated actions. For example a two-sided action: $F[A] \times F^{n \times n} \times F[B] \to F^{n \times n}$ given by $(S, M, T) \mapsto SMT$. Diffie-Hellman: Alice computes $SMT$, Bob computes $\bar{S}M\bar{T}$, and both compute $S\bar{S}M\bar{T}T = \bar{S}SMT\bar{T}$.

$^2$ Cayley-Hamilton: $\varphi(x) := \det(xI_n - A)$, then $\varphi(A) = 0$.


Question: What are the weakest requirements so that matrix multiplication is well-defined?

Answer: $+$ associative and commutative, no zero and no inverses required; $\cdot$ associative. Basically a semi-ring.

Example 6.6.

The simple semi-ring of order 6 (row: first operand, column: second operand).

  +  | 0 1 2 3 4 5
  ---+------------
  0  | 0 1 2 3 4 5
  1  | 1 1 1 1 1 5
  2  | 2 1 2 1 2 5
  3  | 3 1 1 3 3 5
  4  | 4 1 2 3 4 5
  5  | 5 5 5 5 5 5

  ·  | 0 1 2 3 4 5
  ---+------------
  0  | 0 0 0 0 0 0
  1  | 0 1 2 3 4 5
  2  | 0 2 2 0 0 5
  3  | 0 3 4 3 4 3
  4  | 0 4 4 0 0 3
  5  | 0 5 2 5 2 5

6.4 McEliece Crypto-System

Encryption and Decryption

1. Alice selects a binary (over $\mathbb{F}_2$) $[n, k]_2$-linear code $C$ capable of correcting $t$ errors and for which a decoding algorithm is known. Let $G$ be the generator matrix of $C$.

2. Alice randomly selects an invertible $k \times k$ matrix $S$ and a random permutation matrix $P$.

3. Alice computes $\bar{G} = SGP$. The public key is $(\bar{G}, t)$ and the private key is $(S, G, P)$.

4. Bob wants to send a message $m$ of length $k$. He computes $c_1 := m\bar{G}$. He then chooses an error vector $z$ at random such that $\operatorname{wt}^3(z) = t$. He sends $c = c_1 + z$.

5. Alice receives $c$ and computes as follows: $cP^{-1} = (c_1 + z)P^{-1} = c_1 P^{-1} + zP^{-1}$; since $P$ is a permutation, $zP^{-1}$ has weight $t$. $c_1 P^{-1} + zP^{-1} = (m\bar{G})P^{-1} + zP^{-1} = (mSGP)P^{-1} + zP^{-1} = mSG + zP^{-1}$.

Note that $mSG \in C$ and $S \in GL_k(\mathbb{F}_2)$, and since Alice can decode and correct $t$ errors, Alice can obtain $mS$. From here, Alice can multiply by $S^{-1}$ and obtain $m$.

It is known that decoding a random linear code is NP-complete.

McEliece originally proposed a $[1024, 512]_2$-code with $t = 50$, i.e. keys of $\approx 260'000$ bits. In a recent experiment, McEliece used for data transfer on a USB stick took 95% of the energy just to encrypt/decrypt, so 5% was used for the data transfer.

$^3$ $\operatorname{wt}(z)$ is the number of non-zero elements in $z$.


In 2008, researchers at EIT were able to break the McEliece security in just a week. They suggested a quadruple key size for security; recent improvements suggest a key size around 500'000 bits.

6.4.1 Information Set Decoding Attack

Let $G_{sys}$ be the generator matrix of a code $C$ in systematic form.

$$G_{sys} = \begin{pmatrix} I_k & Q \end{pmatrix}$$

Let $m \in \mathbb{F}_2^k$ and consider $mG_{sys}$. The first $k$ coordinates of $mG_{sys}$ are equal to $m$. In this case, the first $k$ columns of $G_{sys}$ are called an information set. In general, if $\exists\, I \subset \{1, \ldots, n\}$ of size $k$ such that $G_I$, the sub-matrix of $G$ indexed by the columns of $I$, is invertible, then $mG_I^{-1}G$ has the information symbols in the coordinates of $I$. We also require that $c_I$ is error-free.

Idea: Take $y \in \mathbb{F}_2^n$ which is known to have distance $t$ from $C$. Suppose $I$ is an information set. Let the closest codeword to $y$ be $c$. Note $c_I = y_I$. Then $y_I G_I^{-1}$ is the pre-image of $c$ under the map induced by $G$. Therefore, we can recover $c$ as $(y_I G_I^{-1})G$.

Lee-Brickell's Algorithm

Let $a \in I$, and let $g_a$ denote the row of $G_I^{-1}G$ where the column indexed by $a$ has a 1. Let $1 \le p \le t$.

1. Choose an information set $I$.

2. $y \gets y - y_I G_I^{-1} G$

3. For each size-$p$ subset of $I$ and each $m = \begin{pmatrix} m_1 & \cdots & m_p \end{pmatrix} \in \mathbb{F}_2^p$, compute $e = y - \sum_{i=1}^{p} m_i g_{a_i}$. If $e$ has weight $t$, print $e$; otherwise go to 1.

Note: An RSA code with 1024 bit key size provides the same security as a McEliece crypto-system with 69'000 bits. Goppa codes are not MDS$^4$, because of their large public key length.

Definition 6.3.

Let $n = q^r - 1$, $\alpha = (\alpha_1, \ldots, \alpha_n) \in \mathbb{F}_{q^r}^n$ be a vector of distinct elements, and let $v \in (\mathbb{F}_{q^r}^*)^n$. The generalized Reed-Solomon code is given by:

$$GRS_k(\alpha, v) := \{(v_1 f(\alpha_1), \ldots, v_n f(\alpha_n)) \mid \deg(f) < k\}$$

$^4$ maximum distance separable


Remark: An RS-code is a GRS-code with $\alpha_i = \eta^{i-1}$, where $\eta$ is primitive, and $v = (1, \ldots, 1)$.

A generator matrix for $GRS_k(\alpha, v)$ is:

$$G = \begin{pmatrix} v_1 & v_2 & \cdots & v_n \\ v_1\alpha_1 & v_2\alpha_2 & \cdots & v_n\alpha_n \\ \vdots & \vdots & & \vdots \\ v_1\alpha_1^{k-1} & v_2\alpha_2^{k-1} & \cdots & v_n\alpha_n^{k-1} \end{pmatrix}$$

Note: For any $\sigma \in S_n$, $\sigma(GRS_k(\alpha, v)) = \{(v_{\sigma(1)} f(\alpha_{\sigma(1)}), \ldots, v_{\sigma(n)} f(\alpha_{\sigma(n)})) \mid \deg(f) < k\}$ is a GRS-code.

Example 6.7.

Replace $P$ by $Q_1 = R + P_1$, $R = a^T b$, $a, b \in \mathbb{F}_{q^r}^n$, $P_1$ a permutation matrix.

1. Need $Q_1$ invertible. We receive $(mG + e)Q_1$. $(mG + e)Q_1 = (mSGQ_1^{-1} + e)Q_1 = mSG + eQ_1 = mSG + e(R + P_1) = mSG + ea^Tb + eP_1$. So we need $ea^T = 0$. $(S, G, Q)$ is the private key and $(SGQ, t, a)$ is the public key. This allows the use of GRS-codes.

              Original                    Update
              (1632,1269)-Goppa-code      (255,195)-RS-code
  Work force  $\approx 2^{80}$            $\approx 2^{84}$
  Key size    460'647 bits                399'840 bits

So we have approximately 13 % saving.

2. We can also let $Q_m = R + \Pi_1 + \cdots + \Pi_m$, where the $\Pi_i$ are permutation matrices. Now $eQ_m$ can have at most $m \cdot t$ errors. This can be compensated for by using a code with larger ECC$^5$.

6.5 Niederreiter Crypto-System

A code $C$ is a $k$-dimensional subspace of $\mathbb{F}_q^n$. So there exists an $(n-k)$-dimensional subspace $C^\perp$ such that $\forall\, c \in C$, $\forall\, x \in C^\perp$: $cx^T = 0$. $C^\perp$ is the dual space and defines a code. A generator matrix for $C^\perp$ is called a parity check matrix for $C$. Let $H$ be such a matrix. Note: $\forall\, c \in C$, $Hc^T = 0$. Also, if $c + e$ is a sense-word, $H(c+e)^T = Hc^T + He^T = He^T$. $He^T$ is called a syndrome. Syndrome decoding is fast.

Let $S \in \mathbb{F}_q^{(n-k)\times(n-k)}$ be invertible, $H \in \mathbb{F}_q^{(n-k)\times n}$ a parity check matrix for $C$, and $P \in \mathbb{F}_q^{n \times n}$ a permutation matrix. $(S, H, P)$ are kept private, while $(\bar{H}, t)$ is the public key, where $\bar{H} = SHP$ and $t$ is the ECC of $C$.

$^5$ error correcting capability


Let $c = \bar{H}m^T$, $m \in \mathbb{F}_q^n$, $\operatorname{wt}(m) \le t$. By $S^{-1}c = HPm^T$ we obtain a syndrome, which can be decoded by standard methods. The cipher-text is a syndrome, the message is the error pattern.

Advantages:

1. Encryption is about 12 times faster.

2. It allows digital signatures. In McEliece, errors are corrected rather than exposed as in Niederreiter.
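Both code-based systems of 6.4 and 6.5 on one toy code, as an added example that is not code from the notes: the binary Hamming $[7,4,3]$ code ($t = 1$) with its systematic generator matrix $G = (I_4 \mid Q)$ and parity check matrix $H = (Q^T \mid I_3)$, the McEliece steps 1 to 5 with $\bar{G} = SGP$, and the Niederreiter variant with $\bar{H} = SHP$, where the ciphertext is a syndrome and the message is the error pattern. The scrambling matrices $S$ are constructed as $I + N$ with $N$ nilpotent so that their inverses are known without an inversion routine; the permutation, the messages and all names are this example's own.

```python
# Added example (not from the notes): McEliece and Niederreiter on the Hamming [7,4,3] code.
# Real instances use Goppa codes with n in the thousands; here n = 7, k = 4, t = 1.
from typing import List

Mat = List[List[int]]


def matmul(A: Mat, B: Mat) -> Mat:
    """Matrix product over F_2."""
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]


def transpose(A: Mat) -> Mat:
    return [list(col) for col in zip(*A)]


def add(u: List[int], v: List[int]) -> List[int]:
    return [a ^ b for a, b in zip(u, v)]


N, K, T = 7, 4, 1
Q = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
G = [[int(i == j) for j in range(K)] + Q[i] for i in range(K)]                            # (I_4 | Q)
H = [row + [int(i == j) for j in range(N - K)] for i, row in enumerate(transpose(Q))]    # (Q^T | I_3)
H_COLS = transpose(H)      # the 7 non-zero vectors of F_2^3, each once: a Hamming code


def syndrome(y: List[int]) -> List[int]:
    return [r[0] for r in matmul(H, transpose([y]))]


def error_from_syndrome(s: List[int]) -> List[int]:
    """Hamming decoding: a non-zero syndrome equals the column of H at the error position."""
    e = [0] * N
    if any(s):
        e[H_COLS.index(s)] = 1
    return e


def decode(y: List[int]) -> List[int]:
    """Nearest codeword for a word with at most t = 1 error."""
    return add(y, error_from_syndrome(syndrome(y)))


# Constructed private matrices S = I + N (N nilpotent) with S^{-1} = I + N + N^2 + ...
S4 = [[1, 0, 0, 0], [1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1]]
S4_INV = [[1, 0, 0, 0], [1, 1, 0, 0], [1, 1, 1, 0], [1, 1, 1, 1]]
S3 = [[1, 0, 0], [1, 1, 0], [0, 1, 1]]
S3_INV = [[1, 0, 0], [1, 1, 0], [1, 1, 1]]

PERM = [3, 6, 0, 5, 1, 4, 2]                                  # constructed permutation
P = [[int(PERM[i] == j) for j in range(N)] for i in range(N)]
P_INV = transpose(P)                                           # P^{-1} = P^T for a permutation

# McEliece: public (G_PUB, t), private (S4, G, P)
G_PUB = matmul(matmul(S4, G), P)


def mceliece_encrypt(m: List[int], z: List[int]) -> List[int]:
    assert len(m) == K and len(z) == N and sum(z) == T
    return add(matmul([m], G_PUB)[0], z)            # c = m G_pub + z


def mceliece_decrypt(c: List[int]) -> List[int]:
    y = matmul([c], P_INV)[0]                        # = m S G + z P^{-1}, still weight t
    codeword = decode(y)                             # = m S G
    return matmul([codeword[:K]], S4_INV)[0]         # systematic G: first k coordinates are m S


# Niederreiter: public (H_PUB, t), private (S3, H, P); the message is the error pattern
H_PUB = matmul(matmul(S3, H), P)


def niederreiter_encrypt(e: List[int]) -> List[int]:
    assert len(e) == N and sum(e) <= T
    return [r[0] for r in matmul(H_PUB, transpose([e]))]     # syndrome H_pub e^T


def niederreiter_decrypt(c: List[int]) -> List[int]:
    s = [r[0] for r in matmul(S3_INV, transpose([c]))]       # S^{-1} c = H (e P^T)^T
    return matmul([error_from_syndrome(s)], P)[0]            # undo the permutation: e = (e P^T) P


if __name__ == "__main__":
    m, z = [1, 0, 1, 1], [0, 0, 0, 1, 0, 0, 0]
    print("McEliece round trip:", mceliece_decrypt(mceliece_encrypt(m, z)) == m)
    e = [0, 0, 0, 0, 0, 1, 0]
    print("Niederreiter round trip:", niederreiter_decrypt(niederreiter_encrypt(e)) == e)
```

With a Hamming code the public matrix hides nothing, since every $[7,4,3]$ code is equivalent and decodable; the construction only becomes a trapdoor when the scrambled matrix is indistinguishable from that of a random code, which is why the notes' parameters are Goppa codes of length $1024$ and more.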


Chapter 7

Hash Functions


Definition 7.1.

Let $X$ be a possibly infinite set, and $Y$ finite. Then a one-way function $\varphi : X \to Y$ is called a hash function.

Definition 7.2.

1. $\varphi$ is called weakly collision free if for a fixed $x \in X$ it is computationally not feasible to find $x' \in X$, $x' \neq x$, with $\varphi(x') = \varphi(x)$.

2. $\varphi$ is called strongly collision free if it is computationally not feasible to find a pair $x \neq x'$, $x, x' \in X$, with $\varphi(x) = \varphi(x')$.

7.1 Chaum-van Heijst-Pfitzmann System

This is an example of a hash function based on the difficulty of the DLP in $\mathbb{F}_q^*$.

Let $p, q$ be primes with $p = 2q + 1$, $p, q > 2^{1000}$. And let $\alpha, \beta$ be two primitive elements of $\mathbb{F}_p$.

Lemma 7.1.

The function $h : \mathbb{F}_q \times \mathbb{F}_q \to \mathbb{F}_p^*$, given by $(x_1, x_2) \mapsto \alpha^{x_1}\beta^{x_2}$, can serve as a hash function. The function is strongly collision free, and finding a collision is equivalent to solving $\log_\alpha \beta$.

Proof.

Assume we know $s = \log_\alpha \beta$. Then we can get the collision $\alpha^s\beta^0 = \alpha^0\beta^1$. And knowing that, we can generate the following collision: $\alpha^{x_1}\beta^{x_2} = \alpha^{x_1+s}\beta^{x_2-1}$.

Vice versa: Let $(x_1, x_2) \neq (x_3, x_4)$ and $\alpha^{x_1}\beta^{x_2} = \alpha^{x_3}\beta^{x_4}$. If $x_4 = x_2$ then $x_1 = x_3 \bmod p - 1$. $\Rightarrow$ Without loss of generality $x_1 \neq x_3$; let $x_4 > x_2$. We have $\alpha^{x_1 - x_3} = \beta^{x_4 - x_2} \bmod p$. Let $d := \gcd(x_4 - x_2, p - 1)$.

Since $q > x_4 - x_2 \ge 1$, and $p - 1 \overset{\text{assump.}}{=} 2q$, $\Rightarrow d \in \{1, 2\}$.

Assume $d = 1$. Let $y := (x_4 - x_2)^{-1} \bmod p - 1$.

$\Rightarrow y(x_4 - x_2) = 1 \bmod p - 1$. $\Rightarrow \beta = \beta^{(x_4 - x_2)y} = \alpha^{(x_1 - x_3)y} \bmod p$ $\Rightarrow \log_\alpha \beta = (x_1 - x_3)y$. The DLP is solved!!

Now assume $d = 2$. Since $p - 1 = 2q$, $q$ prime, then $\gcd(x_4 - x_2, q) = 1$. Now let $y = (x_4 - x_2)^{-1} \bmod q$ $\Rightarrow (x_4 - x_2)y = kq + 1$ with $k \in \mathbb{Z}$. $\beta^{(x_4 - x_2)y} \equiv \beta^{qk+1} \equiv (-1)^k\beta \equiv \pm\beta \bmod p$. $\Rightarrow \beta^{(x_4 - x_2)y} \equiv \alpha^{(x_1 - x_3)y} \equiv \pm\beta \bmod p$.

Then

$$\log_\alpha \beta = \begin{cases} (x_1 - x_3)y \bmod p - 1 \\ (x_1 - x_3)y + q \bmod p - 1. \end{cases}$$

In both cases, the DLP is solved.
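Lemma 7.1 and both directions of its proof in code, as an added example that is not from the notes: the hash $h(x_1, x_2) = \alpha^{x_1}\beta^{x_2}$, a collision built from a known $s = \log_\alpha \beta$, and the reverse reduction that recovers $s$ from any collision, distinguishing the cases $d = 1$ and $d = 2$ exactly as the proof does. The toy parameters $p = 467 = 2 \cdot 233 + 1$, $\alpha = 2$ (a primitive element since $p \equiv 3 \bmod 8$), the secret $s = 151$ and the names are this example's own; the notes require $p, q > 2^{1000}$.

```python
# Added example (not from the notes): the Chaum-van Heijst-Pfitzmann hash and the
# collision <-> discrete logarithm equivalence of Lemma 7.1, with toy parameters.
import math

P, Q = 467, 233                 # p = 2q + 1, both prime
ALPHA = 2                       # primitive element of F_p (2 is a non-residue for p ≡ 3 mod 8)
S_SECRET = 151                  # log_alpha(beta): used only to construct beta and the demo
BETA = pow(ALPHA, S_SECRET, P)  # odd exponent, so beta is primitive as well


def h(x1: int, x2: int, p: int = P, alpha: int = ALPHA, beta: int = BETA) -> int:
    """h : F_q x F_q -> F_p^*, (x1, x2) -> alpha^x1 beta^x2 mod p."""
    return pow(alpha, x1, p) * pow(beta, x2, p) % p


def collision_from_log(s: int, x1: int, x2: int):
    """First direction of the proof: with s = log_alpha(beta), (x1, x2) and (x1 + s, x2 - 1)
    collide.  The caller keeps both pairs inside F_q x F_q."""
    return x1 + s, x2 - 1


def log_from_collision(x1: int, x2: int, x3: int, x4: int,
                       p: int = P, q: int = Q, alpha: int = ALPHA, beta: int = BETA) -> int:
    """Second direction: from a collision h(x1, x2) = h(x3, x4) recover log_alpha(beta),
    following the cases d = gcd(x4 - x2, p - 1) in {1, 2} of the proof."""
    assert (x1, x2) != (x3, x4)
    assert h(x1, x2, p, alpha, beta) == h(x3, x4, p, alpha, beta), "not a collision"
    if x4 < x2:                                  # w.l.o.g. x4 > x2
        x1, x2, x3, x4 = x3, x4, x1, x2
    assert x4 != x2, "x4 = x2 would force x1 = x3, hence no collision"
    diff = x4 - x2                               # 1 <= diff < q
    d = math.gcd(diff, p - 1)
    if d == 1:
        y = pow(diff, -1, p - 1)                 # inverse mod p - 1 (Python 3.8+)
        candidates = [(x1 - x3) * y % (p - 1)]
    else:                                        # d == 2: invert modulo q instead
        y = pow(diff, -1, q)
        base = (x1 - x3) * y % (p - 1)
        candidates = [base, (base + q) % (p - 1)]   # alpha^{(x1-x3)y} = ±beta
    for cand in candidates:
        if pow(alpha, cand, p) == beta:
            return cand
    raise ValueError("no candidate matched; parameters are not as assumed")


if __name__ == "__main__":
    a, b = (10, 20), collision_from_log(S_SECRET, 10, 20)
    print("collision:", a, b, h(*a) == h(*b))
    print("recovered log:", log_from_collision(*b, *a))          # 151 (d = 1 case)
    print("recovered log (d = 2 case):", log_from_collision(36, 18, 200, 20))   # 151
```

The pairs $(36, 18)$ and $(200, 20)$ in the last line collide because $\alpha^{2s} = \beta^2$ and $36 \equiv 200 + 2s \pmod{p-1}$; their second coordinates differ by $2$, which exercises the $d = 2$ branch where the first candidate is $-\beta$ and the second is $\beta$.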


7.2 Hash Function Construction

Question: how can one construct hash functions $h^* : X^* \to Y$, where $X^* := \bigcup_{i=1}^{\infty} X^i$ and $X, Y$ are finite sets?

Some standard methods:

Method 1: start from a secret key system $f : M \times K \to C$ with $M \cong K \cong C$ (e.g. AES). Let $X = K$, $Y = C$ and fix $m \in M$. Then $h : X \to Y$, $x \mapsto f(m, x)$ is a one-way function. Given $(x_1, \ldots, x_n) \in X^n$, define $h_n : X^n \to Y$ through the recurrence $y_1 := m$, $y_{i+1} := f(y_i, x_i)$ for $i = 1, \ldots, n$, and set $h_n(x_1, \ldots, x_n) := y_{n+1}$. In this way we obtain $h^* : X^* \to Y$, $(x_1, \ldots, x_n) \mapsto h_n(x_1, \ldots, x_n)$.

If $f_m : K \to C$ is strongly collision free, then so is $h^* : X^* \to Y$.

Method 2: assume $h : X \to Y$ is a strongly collision free hash function and $X = Y$ carries an additive structure. Define $h_n : X^n \to Y$, $(x_1, \ldots, x_n) \mapsto h_n(x_1, \ldots, x_n)$, recursively by $h_1(x_1) := h(x_1)$ and $h_{i+1}(x_1, \ldots, x_{i+1}) := h(x_{i+1} + h_i(x_1, \ldots, x_i))$. Then $h^* : X^* \to Y$, $(x_1, \ldots, x_n) \mapsto h_n(x_1, \ldots, x_n)$.


Chapter 8

Various Schemes and Protocols


8.1 Secret Sharing System

Situation: a bank has a safe. The management decides that any 3 or more employees together should be able to open the safe, while 2 or fewer should not have enough information about the secret key.

8.1.1 Threshold Scheme of A. Shamir

Lemma 8.1.

Let $\mathbb{F}$ be a finite field and $\{(x_0, y_0), \ldots, (x_n, y_n)\} \subseteq \mathbb{F}^2$ be $n + 1$ points with $x_i \neq x_j$ for $i \neq j$. Then there is a unique polynomial $f(x) \in \mathbb{F}[x]$ of degree at most $n$ satisfying $f(x_i) = y_i$ for $i = 0, \ldots, n$.

Proof.

Uniqueness: assume $f_1 \in \mathbb{F}[x]$ is another polynomial of degree at most $n$ with this property. Then $f - f_1$ is a polynomial of degree at most $n$ with $n + 1$ roots, hence the zero polynomial, and thus $f = f_1$.

Existence: define $f_i := \prod_{j \neq i} \dfrac{x - x_j}{x_i - x_j} \in \mathbb{F}[x]$. We have $\deg(f_i) = n$, $f_i(x_i) = 1$ and $f_i(x_j) = 0$ for $j \neq i$. Therefore $f = \sum_{i=0}^{n} y_i f_i$ is the required polynomial (Lagrange interpolation).

Assume that among $N$ employees, any $n$ or more should be able to open the safe. Choose $|\mathbb{F}| \ge 2^{100}$, a random polynomial $f(x) = a_{n-1}x^{n-1} + \ldots + a_1 x + a_0 \in \mathbb{F}[x]$, and pairwise distinct $x_1, \ldots, x_N \in \mathbb{F} \setminus \{0\}$. The shared secret is $k := f(0) = a_0$, and employee $i$ receives the share $(x_i, f(x_i))$. Any $n$ employees can compute $f(x)$, and hence $f(0)$, by Lagrange interpolation. Any $n - 1$ or fewer shares give zero knowledge about $f(0)$: for every candidate value of $f(0)$ there is exactly one polynomial of degree at most $n - 1$ through the $n - 1$ shares and $(0, \text{candidate})$, so every value is still possible.
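The scheme in code, as an added example that is not part of the lecture notes: shares are $(x_i, f(x_i))$ over $\mathbb{F}_p$ with the constructed choice $p = 2^{127} - 1$, recovery is Lagrange interpolation at $0$ (Lemma 8.1), and `consistent_share` produces, for any guessed secret, a share that makes $n - 1$ given shares consistent with that guess, which is the "every value is still possible" statement made concrete. The `seed` argument exists only for reproducibility; without it the shares come from the system CSPRNG.

```python
import random

# Constructed parameter (not the lecture's): the Mersenne prime 2^127 - 1 as the field size.
PRIME = 2 ** 127 - 1

def eval_poly(coeffs, x, p):
    """Horner evaluation of a_0 + a_1 x + ... + a_{n-1} x^{n-1} modulo p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def make_shares(secret, n, N, p=PRIME, seed=None):
    """Split `secret` into N shares so that any n of them reconstruct it (Shamir)."""
    if not 0 <= secret < p or not 1 <= n <= N < p:
        raise ValueError("need 0 <= secret < p and 1 <= n <= N < p")
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    coeffs = [secret] + [rng.randrange(p) for _ in range(n - 1)]    # f(0) = secret
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, N + 1)]  # x_i = 1..N, all non-zero

def lagrange_eval(points, t, p=PRIME):
    """Value at t of the unique polynomial of degree < len(points) through the points (Lemma 8.1)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (t - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def recover(shares, p=PRIME):
    """Any n shares determine f, and the secret is f(0)."""
    return lagrange_eval(shares, 0, p)

def consistent_share(partial, x_new, guess, p=PRIME):
    """Given n-1 shares and a guessed secret, the share at x_new that makes the guess correct.
    Such a share exists for every guess, which is why n-1 shares reveal nothing about f(0)."""
    return lagrange_eval(partial + [(0, guess)], x_new, p)
```

The last function is the zero-knowledge argument: with two of three shares in hand, any guessed secret is completed to a valid third share, so the two shares alone are consistent with every possible secret.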

8.2 Digital Signatures

8.2.1 First Attempt

Start with a one-way trapdoor function $\varphi : S \to M$. Alice deposits $\varphi$ with a trusted third party. If she wants to sign a message $m \in M$, she computes $s := \varphi^{-1}(m)$, and the signature consists of the pair $(m, s)$. Anyone who wants to verify $(m, s)$ simply checks $\varphi(s) \overset{?}{=} m$.

Problems:

1. Oscar, who would like to forge a signature of Alice, can simply start with some $s \in S$ and compute $\varphi(s) = m$; then $(m, s)$ is a valid pair (an existential forgery).

2. When Alice supplies a signature pair $(m, s)$ to Eve, Oscar can take it and reuse it for his own purposes.

To overcome these difficulties, digital signatures in practice involve hash functions: one computes $h(\text{Document}) = m$, and the signature of the document is the triple $(\text{Document},\ m,\ \varphi^{-1}(m) = s)$.


In many textbooks the scheme above is described in conjunction with RSA: the one-way trapdoor function is $\varphi : \mathbb{Z}_n \to \mathbb{Z}_n$, $m \mapsto m^e$, with inverse $\varphi^{-1} : \mathbb{Z}_n \to \mathbb{Z}_n$, $c \mapsto c^d$, where $de \equiv 1 \pmod{\phi(n)}$. Here we have the multiplicative property $\varphi(m_1 m_2) = \varphi(m_1)\varphi(m_2)$, so two valid signatures can be multiplied into a valid signature on $m_1 m_2$; this is a further reason to hash before signing.

8.2.2 El-Gamal Signature Scheme

A signature scheme consists of a secret signing function $\mathrm{sign} : M \to S$, where $M$ is the space of all possible messages that can be sent and $S$ the space of all possible signatures, together with a public verification function
$$\mathrm{ver} : M \times S \to \{\text{true}, \text{false}\}, \qquad (m, s) \mapsto \begin{cases} \text{true} & \text{if } s = \mathrm{sign}(m) \\ \text{false} & \text{if } s \neq \mathrm{sign}(m). \end{cases}$$

In 1985 El-Gamal proposed the following: choose a prime $p \approx 2^{1000}$, a primitive element $\alpha$ and $\beta = \alpha^a$ such that computing $a = \log_\alpha \beta$ is infeasible.

$$\mathrm{sign} : \mathbb{Z}_p \to \mathbb{Z}_p \times \mathbb{Z}_{p-1}, \qquad m \mapsto \big(\alpha^k \bmod p,\ (m - a\,s_1)\,k^{-1} \bmod (p-1)\big) =: (s_1, s_2),$$
where $s_1 = \alpha^k \bmod p$ and $k$ is chosen randomly by the signer with $\gcd(k, p-1) = 1$, so that $k^{-1} \bmod (p-1)$ exists. The signature then consists of the triple $(m, s_1, s_2)$.
Public: $\alpha, \beta, p$. Private: $a = \log_\alpha \beta$ and $k$.
Verification: is $\beta^{s_1} s_1^{s_2} \equiv \alpha^m \pmod p$?

If $(m, s_1, s_2)$ is a valid signature, then $\beta^{s_1} s_1^{s_2} = (\alpha^a)^{s_1}\,\alpha^{k(m - a s_1)k^{-1}} = \alpha^{a s_1 + m - a s_1} = \alpha^m \pmod p$.

Security: assume Oscar wants to sign a particular message $m \in \mathbb{Z}_p$. He has to find $(s_1, s_2) \in \mathbb{Z}_p \times \mathbb{Z}_{p-1}$ with $\beta^{s_1} s_1^{s_2} = \alpha^m$. If he chooses $s_1$ at random, he is left with the discrete logarithm $s_2 = \log_{s_1}(\beta^{-s_1}\alpha^m) \in \mathbb{Z}_{p-1}$.

Note that $\mathbb{Z}_p^*$ should not have particular instances where the DLP is easy: it should have no subgroups of small order (otherwise Pohlig-Hellman applies), and for this reason $p$ is usually chosen as a safe prime. The value $k$ must be fresh for every signature and kept secret: two signatures made with the same $k$ reveal $k$ and then $a$.
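Signing, verification and the cost of reusing $k$, as an added example that is not code from the lecture notes: constructed toy parameters $p = 467 = 2 \cdot 233 + 1$ with primitive root $\alpha = 2$. `recover_key_from_nonce_reuse` generalises the security discussion: two signatures with the same $k$ share $s_1$, and $(s_2 - s_2')\,k \equiv m - m' \pmod{p-1}$ gives $k$, after which $a s_1 \equiv m - k s_2 \pmod{p-1}$ gives $a$. The linear congruences are solved in general (all $\gcd$-many candidates, each checked against the public values) rather than assuming invertibility.

```python
from math import gcd

# Constructed toy parameters (not the lecture's 1000-bit prime):
# safe prime p = 2q + 1 = 467 and the primitive root alpha = 2.
p, q = 467, 233
alpha = 2

def is_primitive(g, p, q):
    """For a safe prime p = 2q+1, g is primitive iff g^2 != 1 and g^q != 1 (mod p)."""
    return 1 < g < p and pow(g, 2, p) != 1 and pow(g, q, p) != 1

def solve_linear(a, b, m):
    """All x in Z_m with a*x = b (mod m): gcd(a, m) solutions, or none."""
    a, b = a % m, b % m
    d = gcd(a, m)
    if d == m:                       # a = 0 (mod m): every x works iff b = 0
        return list(range(m)) if b == 0 else []
    if b % d:
        return []
    m2 = m // d
    x0 = (b // d) * pow(a // d, -1, m2) % m2
    return [x0 + i * m2 for i in range(d)]

def elgamal_sign(m, a, k):
    """(s1, s2) = (alpha^k, (m - a s1) k^-1 mod (p-1)); k must be fresh and coprime to p-1."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible modulo p-1")
    s1 = pow(alpha, k, p)
    s2 = (m - a * s1) * pow(k, -1, p - 1) % (p - 1)
    return s1, s2

def elgamal_verify(m, sig, beta):
    """beta^s1 * s1^s2 == alpha^m (mod p), after a range check on s1."""
    s1, s2 = sig
    if not 0 < s1 < p:
        return False
    return pow(beta, s1, p) * pow(s1, s2, p) % p == pow(alpha, m, p)

def recover_key_from_nonce_reuse(m1, sig1, m2, sig2, beta):
    """Same k in both signatures means same s1; (s2 - s2') k = m1 - m2 (mod p-1) yields k, then a."""
    (s1, s2), (s1b, s2b) = sig1, sig2
    if s1 != s1b:
        return None
    for k in solve_linear(s2 - s2b, m1 - m2, p - 1):
        if pow(alpha, k, p) != s1:           # keep only the candidate consistent with s1
            continue
        for a in solve_linear(s1, m1 - k * s2, p - 1):
            if pow(alpha, a, p) == beta:     # and the one consistent with the public key
                return a
    return None
```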

8.2.3 DSA and ECDSA

In 1994 a variation of the El-Gamal signature was adopted by NIST under the name DSA (Digital Signature Algorithm). Let $p > 2^{500}$ be prime, $\alpha$ a primitive element and $\beta = \alpha^a$.
$$\mathrm{sign} : \mathbb{Z}_p \to \mathbb{Z}_p \times \mathbb{Z}_{p-1}, \qquad m \mapsto \big(\alpha^k \bmod p,\ (m + a\,s_1)\,k^{-1} \bmod (p-1)\big) =: (s_1, s_2),$$
where $s_1 = \alpha^k \bmod p$ and $k$ is again random with $\gcd(k, p-1) = 1$; note the changed sign in $s_2$ compared with El-Gamal.
Verification: $\alpha^m \beta^{s_1} \overset{?}{=} s_1^{s_2} \pmod p$. Indeed $s_1^{s_2} = \alpha^{k(m + a s_1)k^{-1}} = \alpha^{m + a s_1} = \alpha^m\beta^{s_1}$.


Remark: if $s_2$ is invertible modulo $p-1$, then $\alpha^m\beta^{s_1} = s_1^{s_2}$ is equivalent to
$$\alpha^{m s_2^{-1}}\,\beta^{s_1 s_2^{-1}} \equiv s_1 \pmod p.$$
Reduction modulo $q$: let $q$ be a second prime such that $q \mid (p - 1)$, and let $\alpha_0 := \alpha^{(p-1)/q}$, $\beta_0 := \alpha_0^a = \beta^{(p-1)/q}$. Then $\alpha_0$ is a $q$-th root of unity, indeed $\alpha_0^q = 1$, and similarly $\beta_0^q = 1$. Raising the congruence above to the power $(p-1)/q$ gives
$$\alpha_0^{m s_2^{-1}}\,\beta_0^{s_1 s_2^{-1}} \equiv s_1^{(p-1)/q} \pmod p.$$
Now let $\bar m := m \bmod q$, $\bar s_1 := s_1 \bmod q$ and $\bar s_2 := s_2 \bmod q$. Since $\alpha_0$ and $\beta_0$ have order $q$, only the residues of the exponents modulo $q$ matter, and the question becomes: is
$$\alpha_0^{\bar m \bar s_2^{-1}}\,\beta_0^{\bar s_1 \bar s_2^{-1}} \equiv \big(s_1^{(p-1)/q} \bmod p\big) \pmod q\ ?$$
Remark: $\bar m, \bar s_1, \bar s_2$ are roughly of the size of $q$, so signatures and exponents shrink from the size of $p$ to the size of $q$.

DSA specifies the numbers $q, p$ further:

1. $2^{159} \le q \le 2^{160}$ and $2^{512} \le p \le 2^{1024}$ such that $q \mid (p-1)$. Remark: the security depends on the difficulty of computing $\log_{\alpha_0}\beta_0$ in the subgroup of order $q$.

2. Select a primitive $\alpha \in \mathbb{Z}_p^*$ and let $\alpha_0 = \alpha^{(p-1)/q} \bmod p$.

3. Select a random number $0 < a < q$ and let $\beta_0 = \alpha_0^a \in \mathbb{Z}_p^*$.

4. Signature function: $\mathrm{sign} : \mathbb{Z}_q \to \mathbb{Z}_q \times \mathbb{Z}_q$,
$$m \mapsto \big((\alpha_0^k \bmod p) \bmod q,\ (m + a\,s_1)\,k^{-1} \bmod q\big) =: (s_1, s_2),$$
with $s_1 = (\alpha_0^k \bmod p) \bmod q$ and a fresh random $0 < k < q$ for every signature (if $s_1 = 0$ or $s_2 = 0$, a new $k$ is chosen).

5. Alice signs a message $m$ with $(m, s_1, s_2)$; $p, q, \alpha_0, \beta_0$ are available from the trusted third party.

6. Bob checks $0 < s_1, s_2 < q$ and verifies
$$\big((\alpha_0^{m s_2^{-1}}\,\beta_0^{s_1 s_2^{-1}}) \bmod p\big) \bmod q \overset{?}{=} s_1,$$
with $s_2^{-1}$ computed modulo $q$. For a valid signature $m s_2^{-1} + a s_1 s_2^{-1} \equiv k \pmod q$, so the left-hand side equals $(\alpha_0^k \bmod p) \bmod q = s_1$.
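Steps 1 to 6 on constructed toy parameters, as an added example (not code from the lecture notes or from the DSA standard): $p = 607$, $q = 101$ with $q \mid p - 1$ and $\alpha = 2$, so the 160/1024-bit sizes are replaced by numbers that can be checked by hand. `dsa_params_ok` and the range check in `dsa_verify` are the verifier-side checks a practitioner adds before trusting parameters or a signature; the notes do not spell them out.

```python
# Constructed toy parameters (not the lecture's sizes): p = 607, q = 101, q | p - 1 = 6 * 101.
p, q = 607, 101

def dsa_params_ok(p, q, alpha0):
    """Verifier-side sanity check: q prime, q | p-1, alpha0 of exact order q (not 1)."""
    q_prime = q > 1 and all(q % d for d in range(2, int(q ** 0.5) + 1))
    return q_prime and (p - 1) % q == 0 and alpha0 != 1 and pow(alpha0, q, p) == 1

def make_alpha0(p, q, alpha=2):
    """alpha0 = alpha^((p-1)/q) mod p has order q whenever it is not 1 (step 2)."""
    alpha0 = pow(alpha, (p - 1) // q, p)
    if alpha0 == 1:
        raise ValueError("alpha is a q-th power; pick another alpha")
    return alpha0

def dsa_sign(m, a, k, p, q, alpha0):
    """(s1, s2) = ((alpha0^k mod p) mod q, k^-1 (m + a s1) mod q), step 4; k must be fresh."""
    if not 0 < k < q:
        raise ValueError("k must lie in 1..q-1")
    s1 = pow(alpha0, k, p) % q
    s2 = pow(k, -1, q) * (m + a * s1) % q
    if s1 == 0 or s2 == 0:              # probability about 2/q; the standard retries with a new k
        raise ValueError("degenerate signature, choose a new k")
    return s1, s2

def dsa_verify(m, sig, p, q, alpha0, beta0):
    """Step 6: reject out-of-range values, then ((alpha0^(m/s2) beta0^(s1/s2)) mod p) mod q == s1."""
    s1, s2 = sig
    if not (0 < s1 < q and 0 < s2 < q):
        return False
    w = pow(s2, -1, q)
    i, j = m * w % q, s1 * w % q
    return (pow(alpha0, i, p) * pow(beta0, j, p) % p) % q == s1
```

With $\alpha = 2$ one gets $\alpha_0 = 2^6 \bmod 607 = 64$; for $a = 37$, $m = 55$ and $k = 17$ the signature is $(16, 44)$.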

In 2001 an extension using elliptic curves (ECDSA) was adopted.

Let $E(\mathbb{F}_p)$ be an elliptic curve over $\mathbb{F}_p$. Note: $\underbrace{P + \cdots + P}_{a} = aP = Q \ \Rightarrow\ a = \log_P Q$ (the elliptic curve discrete logarithm).

Now let $E(\mathbb{F}_p)$ have prime order $q = |E(\mathbb{F}_p)|$. Assume $A \in E(\mathbb{F}_p)$, $A \neq \mathcal{O}$; then $\langle A \rangle = E(\mathbb{F}_p)$. Let $a$ be a random number $1 \le a < q$ and let $B = aA$.
Public: $E(\mathbb{F}_p)$, $A$, $B$, $q$. Private: $a := \log_A B$.
$$\mathrm{sign} : \mathbb{Z}_q \to \mathbb{Z}_q \times \mathbb{Z}_q, \qquad m \mapsto (s_1, s_2),$$
where one chooses a random $k \in \mathbb{Z}_q^*$, computes $kA = (u, v)$, and sets $s_1 = u \bmod q$ and $s_2 = k^{-1}(m + a s_1) \bmod q$ (again choosing a new $k$ if $s_1 = 0$ or $s_2 = 0$).
Verification: $i := s_2^{-1} m \bmod q$, $j := s_2^{-1} s_1 \bmod q$; compute $iA + jB = (u', v')$ and check $u' \bmod q \overset{?}{=} s_1$. For a valid signature $iA + jB = s_2^{-1}(m + a s_1)A = kA = (u, v)$.
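The same signature on a toy curve, as an added example that is not from the lecture notes: $E : y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ has prime order $q = 19$, and $A = (5, 1)$ generates it. The point arithmetic is the affine chord-and-tangent law; the curve, the generator and all key values are constructed for illustration.

```python
# Constructed toy curve (not the lecture's): y^2 = x^3 + 2x + 2 over F_17, prime order 19.
P = 17
A_COEF, B_COEF = 2, 2
INF = None                      # the point at infinity, neutral element

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P == 0

def ec_add(pt1, pt2):
    """Affine addition law on E(F_P)."""
    if pt1 is INF:
        return pt2
    if pt2 is INF:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                              # pt1 = -pt2
    if pt1 == pt2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P              # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication kP."""
    result = INF
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result

def point_order(pt):
    n, cur = 1, pt
    while cur is not INF:
        cur = ec_add(cur, pt)
        n += 1
    return n

GEN = (5, 1)
Q = point_order(GEN)            # 19, the prime group order q of the notes

def ecdsa_sign(m, a, k):
    """s1 = x(kA) mod q, s2 = k^-1 (m + a s1) mod q; k fresh and secret for every signature."""
    u, _ = ec_mul(k, GEN)
    s1 = u % Q
    s2 = pow(k, -1, Q) * (m + a * s1) % Q
    if s1 == 0 or s2 == 0:
        raise ValueError("degenerate signature, choose a new k")
    return s1, s2

def ecdsa_verify(m, sig, B):
    """i = s2^-1 m, j = s2^-1 s1; accept iff x(iA + jB) mod q == s1 (with range and curve checks)."""
    s1, s2 = sig
    if not (0 < s1 < Q and 0 < s2 < Q) or B is INF or not on_curve(B):
        return False
    w = pow(s2, -1, Q)
    i, j = w * m % Q, w * s1 % Q
    pt = ec_add(ec_mul(i, GEN), ec_mul(j, B))
    return pt is not INF and pt[0] % Q == s1
```

The check `on_curve(B)` in the verifier is the public-key validation a practitioner adds: verifying against a point that is not on the curve is where invalid-curve attacks start.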


8.3 Zero Knowledge Proofs

Alice, the prover, convinces Bob, the verifier, that she knows some secret without revealing any part of the secret.

Example 8.1.

Assume $n = pq$ is an RSA composite. Somebody knowing the factorization is able to solve quadratic equations of the form $x^2 - \alpha = 0$ in $\mathbb{Z}_n$. How can Alice convince Bob that she knows the factorization without revealing the factors?

1. Ask Bob to select $\alpha \in \mathbb{Z}_n$ (preferably a quadratic residue, so that a solution exists), and Alice provides one solution of the quadratic equation.

BAD! Bob can choose $y \in \mathbb{Z}_n$, compute $\alpha = y^2$ and ask for a solution of $x^2 - \alpha = 0$. If Alice delivers $\tilde y$ with $\tilde y \neq \pm y$, then $\gcd(y - \tilde y, n) \neq 1$ and Bob can factor $n$; since $\alpha$ has four square roots, this happens with probability $1/2$.

2. First improvement:

a. Bob chooses $c$, $\sqrt n < c < n$, computes $d = c^2 \bmod n$ and sends $d$ to Alice.

b. Alice chooses $b$ and sends both $b$ and $\sqrt{bd}$ to Bob; in other words, she solves $x^2 - bd = 0$.

Note: if $b = a^2 \bmod n$ with $a$ chosen by Alice, then she really has to solve $x^2 - a^2 d = 0$, and Bob cannot learn anything from her answer, since he does not know $a$.

PROBLEM: Alice can come up with another choice of $b$ without knowing the factorization and still find $\sqrt{bd}$. For this she randomly chooses $y$ and computes $b := d^{-1}y^2 \bmod n$. Now she has "convinced" Bob that she can solve $x^2 - bd = 0$ (solution $x = y$) although she knows nothing.

Protocol: for a fixed $n$, iterate the following steps:

1. Bob chooses $c$, $\sqrt n < c < n$, computes $d = c^2 \bmod n$ and sends the result to Alice.

2. Alice chooses $a$, $\sqrt n < a < n$, computes $b = a^2 \bmod n$ and sends it to Bob.

3. Bob asks one of the two questions:

Q1: solve $x^2 - b = 0 \pmod n$.

Q2: solve $x^2 - bd = 0 \pmod n$.

Remark: in the protocol the order really matters. Assume Alice chooses $a$ first, computes $b = a^2 \bmod n$ and sends it to Bob. Bob can then choose $d = x^2 b^{-1}$ for an $x$ of his choice and ask Q2, so that Alice answers with a square root of $x^2$; or he can choose $d = b^{2n+1}$, so that $db = b^{2(n+1)}$ and $x^2 - bd = 0$ has the solutions $\pm b^{n+1}$ that Bob already knows. In either case, if Alice sends a root other than $\pm$ the one Bob knows, Bob can factor $n$.


8.4 Digital Cash System - DigiCash

David Chaum had the idea in 1990 to use one-way trapdoor functions to create a digital cash system. In 1993 Stefan Brands improved Chaum's system. His system has the following features:

1. The system is anonymous and not traceable.

2. Alice can withdraw cash from her bank account.

3. Alice can use the cash at merchants who participate in the system.

4. Merchants can verify by offline computation whether the delivered cash actually has value.

5. Double use of the cash at different merchants will reveal the identity of Alice.

8.4.1 Brands System

Let $p$ be a safe prime, $p = 2q + 1$ with $q$ prime. The central bank chooses two random numbers $k_1, k_2$ and an element $g \in \mathbb{F}_p^*$, and computes $g_i = g^{k_i} \bmod p$ for $i = 1, 2$. Then $p, q, g, g_1, g_2$ are made public and $k_1, k_2$ are destroyed. All exponent arithmetic below is done modulo $q$, so $g$ has to be taken of order $q$ (a generator of the subgroup of squares of $\mathbb{F}_p^*$) rather than a generator of the whole group $\mathbb{F}_p^*$; otherwise the verification equations only hold up to a sign. In addition, some standard hash function $H$ is used, with values interpreted modulo $q$.

1. Each bank participating in the DigiCash system chooses a secret identity number $x$ and publishes $h = g^x \bmod p$ and $h_i = g_i^x \bmod p$ for $i = 1, 2$.

2. When Alice opens an account at the bank, she chooses a secret user number $u$. She tells the bank the account number $I = g_1^u \bmod p$; $u$ is not revealed to anyone. The bank stores $I$ under Alice's name and sends $z_1 = (Ig_2)^x \bmod p$ to Alice for further use.

3. Each merchant chooses an identification number $m$ and registers it with the banks that are part of the system.

4. Creation of coins: Alice goes to the bank and asks for one coin. The bank chooses a random number $w \in \mathbb{F}_q$ and gives $g_w := g^w \bmod p$ and $e := (Ig_2)^w \bmod p$ to Alice. Alice chooses five secret non-zero numbers $s, x_1, x_2, y_1, y_2$ and computes
$$A = (Ig_2)^s \bmod p,\quad B = g_1^{x_1} g_2^{x_2} \bmod p,\quad z = z_1^s \bmod p,\quad a = g_w^{y_1} g^{y_2} \bmod p,\quad b = e^{s y_1} A^{y_2} \bmod p.$$
Then she computes $c := y_1^{-1} H(A, B, z, a, b) \bmod q$ and sends it to the bank. The bank computes $c_1 = cx + w \bmod q$, sends it to Alice and debits her account. Finally Alice computes $r := y_1 c_1 + y_2 \bmod q$. The coin consists of $(A, B, z, a, b, r)$.

5. Verification by the merchant that the coin is valid: the merchant checks whether $g^r = a\,h^{H(A,B,z,a,b)}$ and $A^r = b\,z^{H(A,B,z,a,b)} \pmod p$. If both congruences hold, the coin is valid.


6. Verification that the coin was not stolen: the merchant chooses a time stamp $t$ and gives $d := H(A, B, m, t)$ to Alice. Alice computes $r_1 \equiv d\,u\,s + x_1 \pmod q$ and $r_2 \equiv d\,s + x_2 \pmod q$ and sends $r_1, r_2$ to the merchant. If $g_1^{r_1} g_2^{r_2} = A^d B \pmod p$, then the coin actually belongs to Alice, since $A^d B = g_1^{dus} g_2^{ds} g_1^{x_1} g_2^{x_2}$.

7. Deposit at the bank: the merchant deposits the coin $(A, B, z, a, b, r)$ together with $(r_1, r_2, d)$ at the bank. The bank checks whether this coin was already deposited before, and whether the following equalities hold:
$$g^r = a\,h^{H(A,B,z,a,b)},\qquad A^r = z^{H(A,B,z,a,b)}\,b,\qquad g_1^{r_1} g_2^{r_2} = A^d B \pmod p.$$
If so, the coin is valid and the merchant is credited.

Fraud control: assume Alice uses the coin twice at two different merchants. Then the merchants submit the coin together with $(r_1, r_2, d)$ and $(r_1', r_2', d')$ respectively. Since $r_1 - r_1' \equiv us(d - d') \pmod q$ and $r_2 - r_2' \equiv s(d - d') \pmod q$, the bank obtains
$$u \equiv (r_1 - r_1')(r_2 - r_2')^{-1} \pmod q,$$
and finally $I = g_1^u \bmod p$ can be computed, which identifies Alice.

8.5 Flipping Coins over Large Distance

Situation: Alice and Bob play a game. Alice decides that if heads turns up, she wins. Bob flips a fair coin.

Question: How to do this in long distance?

Solution: Alice computes large primes $p, q \sim 2^{500}$, preferably $p \equiv q \equiv 3 \pmod 4$. She computes $n = pq$ and sends it to Bob. He then chooses a random number $\alpha \in \mathbb{Z}_n$ and computes $b = \alpha^2 \bmod n$. With high probability $b$ has four square roots modulo $n$, and Alice can compute them. Assume the roots are $\pm\alpha_1, \pm\alpha_2$, with $\alpha$ among them. Alice, who cannot tell which root Bob started from, sends one of the roots to Bob, say $\alpha_1$. There is a 50% chance that $\gcd(\alpha - \alpha_1, n) \neq 1$. If Bob can compute $p, q$, then Bob wins, otherwise Alice.

Fraud control:
- Alice sends a prime number instead of a product of two primes; but Bob can check primality.
- Alice uses a composite with three primes, $n = p_1 p_2 p_3$; then $x^2 - b = 0$ usually has eight solutions. For the roots $\pm\alpha$ Bob learns nothing about the factorization, for every other root he does, so Alice would only increase Bob's chance of winning.
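Sections 8.3 and 8.5 in code, as one added example that is not part of the lecture notes: square roots modulo $n = pq$ computed from the prime factors (both chosen $\equiv 3 \pmod 4$, so that a root modulo a prime is a single exponentiation), the factoring trick from two non-trivially different roots, the three-move protocol with an honest prover and with the cheating strategy $b = d^{-1}y^2$, and the coin flip of Section 8.5. All parameters are constructed toy values.

```python
from math import gcd, isqrt
import random

# Constructed toy modulus (not the lecture's 500-bit primes): P, Q prime and = 3 (mod 4).
P, Q = 1019, 1151
N = P * Q

def sqrt_mod_prime(alpha, p):
    """A square root of the quadratic residue alpha modulo p, for p = 3 (mod 4)."""
    r = pow(alpha, (p + 1) // 4, p)
    if r * r % p != alpha % p:
        raise ValueError("not a quadratic residue")
    return r

def sqrt_mod_n(alpha, p, q):
    """All four square roots of alpha modulo n = pq; needs the factorization (Alice's secret)."""
    n = p * q
    rp, rq = sqrt_mod_prime(alpha, p), sqrt_mod_prime(alpha, q)
    ep = q * pow(q, -1, p) % n       # CRT idempotents: ep = 1 (mod p), 0 (mod q); eq the other way
    eq = p * pow(p, -1, q) % n
    return sorted({(sp * rp * ep + sq * rq * eq) % n for sp in (1, -1) for sq in (1, -1)})

def factor_from_roots(n, r1, r2):
    """Two roots of the same square with r1 != +-r2 give a factor, since (r1-r2)(r1+r2) = 0 (mod n)."""
    g = gcd((r1 - r2) % n, n)
    return g if 1 < g < n else None

def random_unit(rng, lo=None):
    """Random element of Z_N^* above sqrt(N) (the range the protocol prescribes) unless lo is given."""
    while True:
        x = rng.randrange(isqrt(N) + 1 if lo is None else lo, N)
        if gcd(x, N) == 1:
            return x

def zk_round(rng, honest):
    """One round of the Section 8.3 protocol: d first, then b, then one of Q1/Q2."""
    c = random_unit(rng)
    d = c * c % N                                 # 1. Bob's commitment
    if honest:
        a = random_unit(rng)
        b = a * a % N                             # 2. Alice commits a genuine square
    else:
        y = random_unit(rng, 2)
        b = pow(d, -1, N) * y * y % N             # cheater: b = d^-1 y^2, answerable only for Q2
    question = rng.choice((1, 2))                 # 3. Bob's challenge
    target = b if question == 1 else b * d % N
    if honest:
        x = sqrt_mod_n(target, P, Q)[0]           # knows P, Q: can answer either question
    else:
        x = y if question == 2 else 0             # without the factorization Q1 cannot be answered
    return x * x % N == target                    # Bob's check

def run_protocol(rounds, honest, seed=0):
    """Number of rounds Alice passes; a cheater passes each round with probability 1/2."""
    rng = random.Random(seed)
    return sum(zk_round(rng, honest) for _ in range(rounds))

def coin_flip(rng):
    """Section 8.5: Bob squares a random alpha, Alice returns one of the four roots,
    Bob wins iff that root lets him factor N (two of the four roots do)."""
    alpha = random_unit(rng, 2)
    b = alpha * alpha % N
    alice_root = rng.choice(sqrt_mod_n(b, P, Q))  # Alice cannot tell which root Bob holds
    return factor_from_roots(N, alpha, alice_root) is not None

def bob_win_rate(flips, seed=0):
    rng = random.Random(seed)
    return sum(coin_flip(rng) for _ in range(flips)) / flips
```

Over thirty rounds an honest prover passes every time, while the cheating strategy (which prepares an answer for exactly one of the two questions) fails about half of them; the coin flip comes out for Bob about half of the time, as the argument above predicts.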


Appendix A

Repetition of Introduction to Finite Fields


A.1 Properties of Finite Fields

A finite field or Galois field is a field with finitely many elements. We write $\mathbb{F}_q$ or $\mathrm{GF}(q)$ if the field has $q$ elements.

Theorem A.1.

$\mathbb{Z}_p = \mathbb{Z}/p\mathbb{Z}$ is a finite field iff $p$ is prime.

Example A.1.

$\mathbb{Z}_3 = \{0, 1, 2\}$ with the tables

   +  | 0  1  2          .  | 0  1  2
  ----+----------       ----+----------
   0  | 0  1  2          0  | 0  0  0
   1  | 1  2  0          1  | 0  1  2
   2  | 2  0  1          2  | 0  2  1

Theorem A.2.

Every finite field is a finite extension of a prime field $\mathbb{Z}_p$, and vice versa. Hence $\mathbb{F}_q$ exists iff $q = p^n$ with $n \in \mathbb{N}$ and $p$ prime.

Definition A.1.

- $\mathbb{Z}_p$ is called the base field (prime field) of $\mathbb{F}_{p^n}$.
- $p$ is called the characteristic of the field.

Theorem A.3.

For every prime power $q = p^n$ there is exactly one finite field $\mathbb{F}_q$, unique up to isomorphism.

Definition A.2.

A non-constant $f(x) \in \mathbb{F}[x]$ is irreducible if $f(x) = g(x) \cdot h(x)$ implies $\deg(g) = 0$ or $\deg(h) = 0$.

Remark: irreducibility depends on the underlying field! For example, $x^2 + 1$ is irreducible over $\mathbb{R}$ but not over $\mathbb{C}$.


A.2 Construction of Finite Fields

Theorem A.4.

$\mathbb{F}[x]/\langle f(x) \rangle$ is a field iff $f(x) \in \mathbb{F}[x]$ is irreducible.

Theorem A.5.

Let $q = p^n$, $p$ prime, $n \in \mathbb{N}$. Then $\mathbb{F}_q$ is isomorphic to $\mathbb{F}_p[x]/\langle f(x) \rangle$, where $f(x)$ is irreducible in $\mathbb{F}_p[x]$ and of degree $n$.

Example A.2.

$\mathbb{F}_9 = \mathbb{F}_{3^2}$. Take $f(x) = x^2 - 2 = x^2 + 1$, irreducible over $\mathbb{Z}_3$ and of degree 2. Hence
$$\mathbb{F}_9 \cong \mathbb{F}_3[x]/\langle x^2 + 1 \rangle = \{0, 1, 2, x, 2x, x + 1, x + 2, 2x + 1, 2x + 2\}.$$
Addition:
$$(2x + 1) + (x + 2) = (2 + 1)x + (1 + 2) = 0 \pmod 3, \qquad 1 + (x + 1) = x + (1 + 1) = x + 2 \pmod 3.$$
Multiplication:
$$x \cdot x = x^2 = 2 \pmod{x^2 + 1, 3}, \qquad (2x + 1)(x + 2) = 2x^2 + 5x + 2 = -2 + 2x + 2 = 2x \pmod{x^2 + 1, 3}.$$

Definition A.3.

- Let $f(x) \in \mathbb{F}_q[x]$ be irreducible with $f(0) \neq 0$. Then the smallest $e \in \mathbb{N}$ such that $f(x) \mid x^e - 1$ is called the order of $f(x)$.
- If the order of $f(x)$ equals $q^{\deg(f)} - 1$, then $f(x)$ is called a primitive polynomial.

Note: primitive polynomials exist for every degree and every underlying field.

Theorem A.6.

Let $f(x) \in \mathbb{F}_p[x]$ be irreducible and $\alpha$ a root of it (hence $\alpha$ lives in an extension of $\mathbb{F}_p$). Then
$$\mathbb{F}_p[x]/\langle f(x) \rangle \cong \mathbb{F}_p[\alpha], \qquad \text{where } \mathbb{F}_p[\alpha] := \Big\{ \sum_{i=0}^{\deg(f)-1} \lambda_i \alpha^i \;\Big|\; \lambda_i \in \mathbb{F}_p \Big\}$$
("the $\mathbb{F}_p$-algebra of $\alpha$").

Moreover, if $f(x)$ is primitive, then $\alpha$ is a primitive element of $\mathbb{F}_p[\alpha] \setminus \{0\}$, i.e. $\mathbb{F}_p[\alpha] \setminus \{0\} = \{\alpha^i \mid i = 0, 1, \ldots, p^{\deg(f)} - 2\}$.


Example A.3.

fpxq “ x2 ` x` 1 is a primitive polynomial over F2.Let α be a root of fpxqñ α0 “ 1

α1 “ αα2 “ α` 1 pfpαq “ 0 ô α2 ` α` 1 “ 0 ô α2 “ α` 1qα3 “ α ¨ α2 “ α ¨ pα` 1q “ α2 ` α “ α` α` 1 “ 1

ñ F22 “ F2rαs “ t0, 1, α, α` 1u “ xαy Y t0u

Theorem A.7.

Every finite field is isomorphic, as a vector space, to a vector space over its base field:
$$\mathbb{F}_{p^n} \cong (\mathbb{F}_p)^n.$$
More generally $\mathbb{F}_{q^n} \cong (\mathbb{F}_q)^n$ where $q = p^m$.

Example A.4.

The standard vector space isomorphism is
$$\phi : \mathbb{F}_p[\alpha] \to (\mathbb{F}_p)^n, \qquad \sum_{i=0}^{n-1} \lambda_i \alpha^i \mapsto (\lambda_0, \ldots, \lambda_{n-1}).$$
For $\mathbb{F}_4 \cong \mathbb{F}_2[\alpha] \cong (\mathbb{F}_2)^2$, writing the coordinate of $\alpha$ first:
$$0 \mapsto (0, 0),\quad 1 \mapsto (0, 1),\quad \alpha \mapsto (1, 0),\quad \alpha^2 = \alpha + 1 \mapsto (1, 1).$$

A.3 Inversion in Finite Fields

A.3.1 Extended Euclidean Algorithm (EEA)

Assume $g(x) \in (\mathbb{F}_p[x]/\langle f(x) \rangle) \setminus \{0\}$; then an inverse $g^{-1}(x)$ exists. To find it we run the EEA, which yields $h_1(x), h_2(x)$ with
$$h_1(x) \cdot g(x) + \underbrace{h_2(x) \cdot f(x)}_{0 \pmod{f(x)}} = \underbrace{\gcd(g(x), f(x))}_{1,\ \text{since } f(x) \text{ is irreducible}},$$
hence $h_1(x) g(x) = 1 \pmod{f(x)}$, so $h_1(x) = g^{-1}(x)$.

A.3.2 Little Fermat or Lagrange’s Theorem

Since $\mathbb{F}_q \setminus \{0\}$ is a multiplicative group of order $q - 1$, every $y \in \mathbb{F}_q \setminus \{0\}$ satisfies $y^{q-1} = 1$, hence
$$y^{q-2} = y^{-1}.$$
If $q = 2^n$, we know that $2^n - 2 = 2^1 + 2^2 + \cdots + 2^{n-1}$, and we can write $y^{-1} = y^{2} \, y^{2^2} \cdots y^{2^{n-1}}$.

Theorem A.8.

$$x^{q^n} - x = \prod_{a \in \mathbb{F}_{q^n}} (x - a) = \prod f(x),$$
where the last product runs over all monic irreducible $f \in \mathbb{F}_q[x]$ with $\deg(f) \mid n$, and $q = p^e$ with $p$ prime and $e \in \mathbb{N}$.
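Sections A.2 and A.3 in code, as an added example that is not from the lecture notes: elements of $\mathbb{F}_{p^n} = \mathbb{F}_p[x]/\langle f(x) \rangle$ are coefficient lists (lowest degree first), multiplication reduces by polynomial long division, inversion is done both by the extended Euclidean algorithm (A.3.1) and by $y^{-1} = y^{q-2}$ (A.3.2), and the order of $x$ decides whether $f$ is primitive (Definition A.3). $f$ is assumed irreducible; the code checks that only indirectly, by failing when an inverse does not exist.

```python
def poly_trim(a):
    """Drop trailing zero coefficients (the zero polynomial becomes [])."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_sub(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x - y) % p for x, y in zip(a, b)]

def poly_mul(a, b, p):
    if not a or not b:
        return []
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] = (res[i + j] + ai * bj) % p
    return res

def poly_divmod(a, b, p):
    """Quotient and remainder of a by b over F_p by long division."""
    a, b = [c % p for c in a], poly_trim([c % p for c in b])
    if not b:
        raise ZeroDivisionError("division by the zero polynomial")
    quot = [0] * max(len(a) - len(b) + 1, 0)
    inv_lead = pow(b[-1], -1, p)
    for i in range(len(a) - len(b), -1, -1):
        coef = a[i + len(b) - 1] * inv_lead % p
        quot[i] = coef
        for j, bj in enumerate(b):
            a[i + j] = (a[i + j] - coef * bj) % p
    return poly_trim(quot), poly_trim(a[:len(b) - 1])

def ff_elem(a, f, p):
    """Canonical representative in F_p[x]/<f>: reduce modulo f, pad to n = deg f coefficients."""
    n = len(f) - 1
    _, r = poly_divmod(a, f, p)
    return (r + [0] * n)[:n]

def ff_mul(a, b, f, p):
    return ff_elem(poly_mul(a, b, p), f, p)

def ff_pow(a, e, f, p):
    """Square-and-multiply in F_p[x]/<f>."""
    result, base = ff_elem([1], f, p), ff_elem(a, f, p)
    while e:
        if e & 1:
            result = ff_mul(result, base, f, p)
        base = ff_mul(base, base, f, p)
        e >>= 1
    return result

def ff_inv_fermat(a, f, p):
    """A.3.2: y^-1 = y^(q-2) with q = p^n."""
    return ff_pow(a, p ** (len(f) - 1) - 2, f, p)

def ff_inv_eea(a, f, p):
    """A.3.1: extended Euclid on (f, a) gives h1 with h1*a + h2*f = gcd = non-zero constant."""
    r0, r1 = poly_trim([c % p for c in f]), poly_trim([c % p for c in a])
    h0, h1 = [], [1]                       # invariant: r_i = h_i * a (mod f)
    while r1:
        quot, rem = poly_divmod(r0, r1, p)
        r0, r1 = r1, rem
        h0, h1 = h1, poly_trim(poly_sub(h0, poly_mul(quot, h1, p), p))
    if len(r0) != 1:
        raise ValueError("a and f are not coprime: a = 0 or f reducible")
    inv_c = pow(r0[0], -1, p)
    return ff_elem([c * inv_c % p for c in h0], f, p)

def element_order(a, f, p):
    """Smallest e >= 1 with a^e = 1, by brute force (fine for toy fields)."""
    one, cur = ff_elem([1], f, p), ff_elem(a, f, p)
    for e in range(1, p ** (len(f) - 1)):
        if cur == one:
            return e
        cur = ff_mul(cur, a, f, p)
    raise ValueError("a is 0 or f is not irreducible")

def is_primitive_poly(f, p):
    """Definition A.3: f is primitive iff x has order p^deg(f) - 1 modulo f."""
    return element_order([0, 1], f, p) == p ** (len(f) - 1) - 1
```

In $\mathbb{F}_9 = \mathbb{F}_3[x]/\langle x^2 + 1 \rangle$ the products of Example A.2 come out as $(2x+1)(x+2) = 2x$ and $x \cdot x = 2$, $x^{-1} = 2x$ by both methods, and $x$ has order 4, so $x^2 + 1$ is irreducible but not primitive over $\mathbb{F}_3$, whereas $x^2 + x + 1$ over $\mathbb{F}_2$ is primitive as in Example A.3.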


Appendix B

Entropy


B.1 What is Entropy?

Definition B.1.

$$H(X) := -\sum_{x} \Pr[X = x] \log_2 \Pr[X = x].$$

Example B.1.

Suppose we have 8 possible messages $m_1, \ldots, m_8$ with the same probability, i.e. $\Pr[M = m_i] = \frac{1}{8}$ for all $i = 1, \ldots, 8$.

The receiver knows that the message is one of the eight and cannot be anything else, but he does not know which one exactly. Question: how many bits are necessary to tell which message was sent?

Answer: $2^3 = 8$, so 3 bits. Indeed
$$H(M) = -\sum_{m_i} \Pr[M = m_i] \log_2 \Pr[M = m_i] = -\sum_{m_i} \frac{1}{8} \log_2 \frac{1}{8} = -\sum_{m_i} \frac{1}{8} \log_2 \frac{1}{2^3} = -\sum_{m_i} \frac{1}{8}(-3) = 3.$$

Entropy is the expected number of bits needed to send a message.

Example B.2 (Huffman encoding).

We have three possible messages $m_1, m_2, m_3$ with $\Pr[M = m_1] = \frac{1}{2}$ and $\Pr[M = m_2] = \Pr[M = m_3] = \frac{1}{4}$. Then
$$H(M) = -\sum_{m_i} \Pr[M = m_i] \log_2 \Pr[M = m_i] = -\Big(\frac{1}{2}(-1) + \frac{1}{4}(-2) + \frac{1}{4}(-2)\Big) = \frac{3}{2}.$$

To send $m_1$, submit "0" (1 bit, with probability $\frac{1}{2}$).

To send $m_2$, submit "10" (2 bits, with probability $\frac{1}{4}$).

To send $m_3$, submit "11" (2 bits, with probability $\frac{1}{4}$).
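Definition B.1 and the two examples in code, as an added example that is not from the lecture notes: the entropy of a distribution and a binary Huffman code, which for Example B.2 produces exactly the codewords 0, 10, 11 with expected length equal to the entropy, and for the eight equiprobable messages of Example B.1 gives eight 3-bit codewords. The tie-breaking counter in the heap is an implementation choice.

```python
import heapq
from math import log2

def entropy(probs):
    """H(X) = -sum p log2 p over outcomes with p > 0 (Definition B.1); probs maps symbol -> probability."""
    return -sum(p * log2(p) for p in probs.values() if p > 0)

def huffman_code(probs):
    """Binary Huffman code: repeatedly merge the two least probable subtrees; returns {symbol: codeword}."""
    heap = [(p, i, sym) for i, (sym, p) in enumerate(probs.items())]   # (weight, tie-breaker, tree)
    heapq.heapify(heap)
    counter = len(heap)
    while len(heap) > 1:
        p1, _, t1 = heapq.heappop(heap)
        p2, _, t2 = heapq.heappop(heap)
        heapq.heappush(heap, (p1 + p2, counter, (t1, t2)))   # inner node = pair of subtrees
        counter += 1
    codes = {}

    def walk(tree, prefix):
        if isinstance(tree, tuple):
            walk(tree[0], prefix + "0")
            walk(tree[1], prefix + "1")
        else:
            codes[tree] = prefix or "0"      # a single-symbol alphabet still needs one bit
    walk(heap[0][2], "")
    return codes

def expected_length(probs, codes):
    """Average number of bits per message under the code."""
    return sum(p * len(codes[s]) for s, p in probs.items())

def is_prefix_free(codes):
    """No codeword is a prefix of another; checking sorted neighbours suffices."""
    words = sorted(codes.values())
    return all(not b.startswith(a) for a, b in zip(words, words[1:]))
```

The expected length of a Huffman code is never below the entropy; for the two distributions of the examples it is equal to it because all probabilities are powers of two.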

Lemma B.1.

Let $M$ be the message space, $C$ the cipher space and $K$ the key space, and let $m \in M$, $c \in C$, $k \in K$.

- $m$ and $k$ uniquely determine a $c' \in C$.
- $c$ and $k$ uniquely determine an $m' \in M$.
- $m$ and $c$ do not always uniquely determine a $k' \in K$.


Example B.3.

        a   b   c
  k1    1   2   3
  k2    2   1   3
  k3    0   4   3

Note: the rows should always contain different ciphertexts, but the columns need not.

Corollary B.1.

$H(C \mid K, M) = H(M \mid K, C) = 0$.


Appendix C

Quick Review of Complexity Theory


We need to classify decision problems (problems with answer "yes" or "no") by their complexity.

Definition C.1.

P denotes the class of decision problems that can be solved by a deterministic Turing machine in polynomial time.

NP denotes the class of decision problems that can be solved by a non-deterministic Turing machine (one with no fixed rule for the step it takes next) in polynomial time, i.e. those for which a given solution can be verified in polynomial time.

There are two ways to understand the NTM:

- The NTM is the "luckiest possible guesser".
- The NTM can follow arbitrarily many paths at the same time.

Definition C.2.

A decision problem $A$ is NP-hard if every NP problem $B$ reduces to $A$. If at the same time $A$ is in NP, then $A$ is NP-complete.

Note: a hardness result for the decision problem also holds for the corresponding search problem.


Appendix D

Lattices and Lattice Problems


Given $v_1, \ldots, v_k \in \mathbb{R}^n$ linearly independent.

Definition D.1.

The discrete subgroup $\Lambda \subset \mathbb{R}^n$ generated by the integer linear combinations of $v_1, \ldots, v_k$ is called a lattice of rank $k$ and dimension $n$:
$$\Lambda = \Lambda(v_1, \ldots, v_k) := \sum_{i=1}^{k} \mathbb{Z} v_i = \Big\{ \sum_{i=1}^{k} \lambda_i v_i \;\Big|\; \lambda_i \in \mathbb{Z} \Big\}.$$
$\{v_1, \ldots, v_k\}$ is called a basis of $\Lambda$.

Notation: for a basis $\{v_1, \ldots, v_k\}$ of $\Lambda$,
$$M = \begin{pmatrix} v_1 \\ \vdots \\ v_k \end{pmatrix} \in \mathbb{R}^{k \times n}$$
is the generator matrix.

Lemma D.1.

Let $M, \tilde M \in \mathbb{R}^{k \times n}$. $M$ and $\tilde M$ generate the same lattice iff there exists $U \in GL_k(\mathbb{Z})$ such that $\tilde M = UM$.

Definition D.2.

The volume (determinant) of a lattice $\Lambda$ with generator matrix $M$ is defined as
$$\mathrm{vol}(\Lambda) := |\det(M \cdot M^t)|^{1/2}.$$

Definition D.3.

Given a lattice $\Lambda$, we define the $i$-th successive minimum as
$$\lambda_i(\Lambda) = \min\{ r \mid \dim(\mathrm{span}(\Lambda \cap B(O, r))) \ge i \},$$
where $B(O, r)$ is the ball with centre the origin $O$ and radius $r$.

Remarks:

- For every $i$ there exists $v \in \Lambda$ such that $\|v\|_2 = \lambda_i(\Lambda)$.
- $\lambda_1(\Lambda) = \min\{ \|x - y\|_2 \mid x, y \in \Lambda, x \neq y \}$.

Definition D.4.

Packing radius: $r_\Lambda := \lambda_1 / 2$.

Density: $\mathrm{density}(\Lambda) := \dfrac{\mathrm{vol}(k\text{-ball of radius } r_\Lambda)}{\mathrm{vol}(\Lambda)}$.


Closest Vector Problem (CVP)

Given a lattice basis $M \in \mathbb{R}^{k \times n}$ and a target vector $t \in \mathbb{R}^n$, find $x \in \mathbb{Z}^k$ such that $\|xM - t\| \le \|yM - t\|$ for all $y \in \mathbb{Z}^k$.

Shortest Vector Problem (SVP)

Given a lattice basis $M \in \mathbb{R}^{k \times n}$, find a non-zero lattice vector $xM$, $x \in \mathbb{Z}^k$, such that $\|xM\| \le \|yM\|$ for all $y \in \mathbb{Z}^k \setminus \{0\}$.

Remarks:

- The decision problem associated to CVP, i.e. given $r > 0$ decide whether there exists $x \in \mathbb{Z}^k$ such that $\|xM - t\| \le r$, is NP-complete with respect to any $L_p$-norm (proven by reduction from the subset sum problem).
- The search version of CVP can be reduced to the decision problem (by making polynomially many oracle calls).
- SVP is not harder than CVP: if we can solve CVP, we can solve SVP.
- SVP is NP-complete with respect to $\| \cdot \|_\infty$.
- SVP is NP-complete under randomized reductions (for any $L_p$-norm).

D.1 Approximating the Shortest Vector with respect to the Euclidean Norm

Given $v_1, \ldots, v_n \in \mathbb{R}^n$ linearly independent. By $\pi_i : \mathrm{span}(v_1, \ldots, v_n) \to (\mathrm{span}(v_1, \ldots, v_{i-1}))^\perp$ we denote the orthogonal projection of $\mathrm{span}(v_1, \ldots, v_n)$ onto the orthogonal complement of $\mathrm{span}(v_1, \ldots, v_{i-1})$; $\pi_1$ is the identity.

Definition D.5.

$v_1^*, \ldots, v_n^* \in \mathbb{R}^n$ is called the Gram-Schmidt basis of $\Lambda(v_1, \ldots, v_n)$ if $v_i^* = \pi_i(v_i)$.

Remarks:

- $v_i^* = v_i - \sum_{j=1}^{i-1} \mu_{ij} v_j^*$, where $\mu_{ij} := \dfrac{\langle v_i, v_j^* \rangle}{\langle v_j^*, v_j^* \rangle}$.
- $v_1^*, \ldots, v_n^*$ form an orthogonal basis of $\mathbb{R}^n$ (in general not a basis of the lattice).
- With $M = \begin{pmatrix} v_1 \\ v_2 \\ \vdots \\ v_n \end{pmatrix}$ and $M^* = \begin{pmatrix} v_1^* \\ v_2^* \\ \vdots \\ v_n^* \end{pmatrix}$ we have
$$M = \begin{pmatrix} 1 & 0 & \cdots & 0 \\ \mu_{21} & 1 & \ddots & \vdots \\ \vdots & \ddots & \ddots & 0 \\ \mu_{n1} & \cdots & \mu_{n,n-1} & 1 \end{pmatrix} M^*.$$
In particular $\det(M) = \det(M^*)$.


Lemma D.2.

Let $\Lambda = \Lambda(v_1, \ldots, v_n)$ be an $n$-dimensional lattice of full rank and $v_1^*, \ldots, v_n^*$ its Gram-Schmidt basis. Then
$$\|v\|_2 \ge \min\{ \|v_1^*\|_2, \ldots, \|v_n^*\|_2 \} \quad \text{for all } v \in \Lambda \setminus \{0\}.$$

Proof.

Let $v = \sum_{i=1}^{n} c_i v_i$ with $c_i \in \mathbb{Z}$, and let $\ell$ be the highest index such that $c_\ell \neq 0$. Then
$$v = \sum_{i=1}^{\ell} c_i v_i = \sum_{i=1}^{\ell} c_i \Big( v_i^* + \sum_{j=1}^{i-1} \mu_{ij} v_j^* \Big) = c_\ell v_\ell^* + \sum_{j=1}^{\ell-1} r_j v_j^*$$
for appropriate $r_j \in \mathbb{R}$. Using the orthogonality of the $v_i^*$ and $|c_\ell| \ge 1$ we get
$$\|v\|_2^2 = |c_\ell|^2 \|v_\ell^*\|_2^2 + \sum_{j=1}^{\ell-1} |r_j|^2 \|v_j^*\|_2^2 \ \ge\ \|v_\ell^*\|_2^2 \ \ge\ \min\{ \|v_1^*\|_2^2, \ldots, \|v_n^*\|_2^2 \}.$$

Theorem D.1 (Minkowski Convex Body Theorem).

For any lattice $\Lambda$ of rank $n$ and any convex set $S \subset \mathrm{span}(\Lambda)$ symmetric with respect to the origin it holds: if $\mathrm{vol}(S) > 2^n \det(\Lambda)$, then $S$ contains a non-zero lattice point $v \in S \cap \Lambda \setminus \{0\}$.

Corollary D.1.

$$\lambda_1(\Lambda) \le \sqrt{n}\, \det(\Lambda)^{1/n}.$$

Proof.

Let $S = B\big(0, \sqrt{n}\,\det(\Lambda)^{1/n}\big) \cap \mathrm{span}(\Lambda)$. Then $\mathrm{vol}(S) > 2^n \det(\Lambda)$, since $S$ contains the hypercube with edges of length $2\det(\Lambda)^{1/n}$ (its vertices lie at distance $\sqrt{n}\,\det(\Lambda)^{1/n}$ from the origin, i.e. on the boundary of the ball), and that cube has volume $2^n \det(\Lambda)$. The claim follows from Minkowski's theorem.

Definition D.6.

Hermite factor: $\gamma_n := \max\Big\{ \dfrac{\lambda_1(\Lambda)^2}{\det(\Lambda)^{2/n}} \;\Big|\; \Lambda \text{ lattice of rank } n \Big\}$.

Remarks:

- $\gamma_n$ is known for $1 \le n \le 8$ and $n = 24$.
- $\gamma_n \le 1 + \frac{n}{4}$.
- $\gamma_2 = \sqrt{4/3}$, $\gamma_3 = \sqrt[3]{2}$, $\gamma_4 = \sqrt{2}$, $\gamma_8 = 2$, $\gamma_{24} = 4$.
- Hence $\lambda_1(\Lambda) \le \sqrt{1 + \frac{n}{4}}\; \mathrm{vol}(\Lambda)^{1/n}$ for all lattices $\Lambda$ of rank $n$.


Polynomial-time algorithm to solve SVP approximately

Definition D.7.

Let $b_1, \ldots, b_n$ be a basis of $\Lambda = \Lambda(b_1, \ldots, b_n)$. Then $b_1, \ldots, b_n$ is called $\delta$-LLL-reduced, $\frac{1}{4} < \delta < 1$, if:

(1) "Length reduced": $|\mu_{ij}| \le \frac{1}{2}$ for $1 \le j < i \le n$.

(2) "Lovász condition": $\delta \|\pi_i(b_i)\|^2 \le \|\pi_i(b_{i+1})\|^2$ for all $1 \le i < n$.

Remarks:

- (2) is equivalent to $\delta \|b_i^*\|^2 \le \|b_{i+1}^* + \mu_{i+1,i} b_i^*\|^2$.
- (1) is motivated by "approximate" Gram-Schmidt.
- If all $b_1, \ldots, b_n$ satisfy (1), then $\|b_i\|^2 \le \|b_i^*\|^2 + \frac{1}{4} \sum_{j=1}^{i-1} \|b_j^*\|^2$.
- An LLL basis can also be defined for $\delta = 1$; however, then the LLL reduction algorithm is not proven to terminate in polynomial time.

Lemma D.3.

Let $b_1, \ldots, b_n \in \mathbb{R}^n$ be a $\delta$-LLL-reduced basis with $\delta \in (\frac{1}{4}, 1)$. Then
$$\|b_1\| \le \Big(\frac{1}{\delta - \frac{1}{4}}\Big)^{\frac{n-1}{2}} \lambda_1(\Lambda).$$

Proof.

$$\delta \|b_i^*\|^2 = \delta \|\pi_i(b_i)\|^2 \overset{(2)}{\le} \|\pi_i(b_{i+1})\|^2 = \|b_{i+1}^*\|^2 + \mu_{i+1,i}^2 \|b_i^*\|^2 \overset{(1)}{\le} \|b_{i+1}^*\|^2 + \tfrac{1}{4} \|b_i^*\|^2.$$
Hence $(\delta - \frac{1}{4}) \|b_i^*\|^2 \le \|b_{i+1}^*\|^2$, and inductively $(\delta - \frac{1}{4})^{i-j} \|b_j^*\|^2 \le \|b_i^*\|^2$. In particular, since $b_1^* = b_1$ and $\delta - \frac{1}{4} < 1$,
$$(\delta - \tfrac{1}{4})^{\frac{n-1}{2}} \|b_1\| \le \|b_i^*\| \quad \text{for all } i,$$
so by Lemma D.2 $\lambda_1 \ge \min_i \|b_i^*\| \ge (\delta - \frac{1}{4})^{\frac{n-1}{2}} \|b_1\|$.

Remark: for $\delta = \frac{1}{4} + \big(\frac{3}{4}\big)^{\frac{n}{n-1}}$, a $\delta$-LLL-reduced basis has $\|b_1\| \le \big(\frac{4}{3}\big)^{\frac{n}{2}} \lambda_1$.

Lemma D.4.

Let $b_1, \ldots, b_n \in \mathbb{R}^n$ be a $\delta$-LLL-reduced basis with $\delta \in (\frac{1}{4}, 1)$. Then
$$\|b_1\| \le \Big(\frac{1}{\delta - \frac{1}{4}}\Big)^{\frac{n-1}{4}} \mathrm{vol}(\Lambda)^{1/n}.$$

Proof.

$$\mathrm{vol}(\Lambda) = \prod_{i=1}^{n} \|b_i^*\| \ \ge\ \|b_1\|^n \prod_{i=1}^{n} (\delta - \tfrac{1}{4})^{\frac{i-1}{2}} = \|b_1\|^n (\delta - \tfrac{1}{4})^{\frac{n(n-1)}{4}},$$
using $\|b_i^*\|^2 \ge (\delta - \frac{1}{4})^{i-1} \|b_1\|^2$ from the proof of Lemma D.3.

For comparison, we know from the Hermite factor that there exists $v \in \Lambda$ with $\|v\| \le \sqrt{1 + \frac{n}{4}}\; \mathrm{vol}(\Lambda)^{1/n}$.


D.1.1 The Algorithm

Input: lattice basis $B = \{b_1, \ldots, b_n\}$, $\delta \in (\frac{1}{4}, 1)$.
Output: a $\delta$-LLL-reduced basis of $\Lambda(b_1, \ldots, b_n)$.

1.
    for $i = 1$ to $n$ do
        for $j = i - 1$ down to $1$ do
            $b_i := b_i - c_{ij} b_j$, where $c_{ij} = \lceil \mu_{ij} \rfloor = \Big\lceil \dfrac{\langle b_i, b_j^* \rangle}{\langle b_j^*, b_j^* \rangle} \Big\rfloor$ (nearest integer)
        end for
    end for

2.
    if $\delta \|\pi_i(b_i)\|^2 > \|\pi_i(b_{i+1})\|^2$ for some $i$ then
        swap $b_i$ and $b_{i+1}$ and go to 1 again
    else
        return $B$
    end if

Theorem D.2.

The algorithm terminates in polynomial time.

Proof (for integer lattices only).

Define $\Lambda_k := \Lambda(b_1, \ldots, b_k)$ and $d := \prod_{k=1}^{n} \det(\Lambda_k)^2$. Step 1 does not change any $\Lambda_k$ and hence does not affect $d$. Let $d'$ be the value of $d$ after two vectors have been swapped in step 2; then $d'/d < \delta$, i.e. $d$ decreases by a factor $\delta$ at every swap. After $k$ swaps we have $d_k \le \delta^k d_0$, where $d_k$ denotes $d$ after $k$ swaps. As $d_k \ge 1$ for integer lattices,
$$k \le \frac{\log(d_0)}{\log(1/\delta)},$$
which is polynomial in the input size.
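The algorithm of D.1.1 as an added example (this is not the lecture's code): exact LLL on integer row vectors using Python `Fraction`s, with the Gram-Schmidt data recomputed after every change (slow but simple; the proof of Theorem D.2 bounds the number of swaps, not this bookkeeping), a checker for Definition D.7, and $\mathrm{vol}(\Lambda)^2 = \prod \|b_i^*\|^2$ as the invariant that the output still generates a lattice of the same volume. The basis $(1,1,1), (-1,0,2), (3,5,6)$ is a constructed input.

```python
from fractions import Fraction

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def gram_schmidt(b):
    """Gram-Schmidt vectors b*_i and coefficients mu_ij (Definition D.5), exactly in Fractions."""
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = Fraction(dot(b[i], bstar[j])) / dot(bstar[j], bstar[j])
            v = [vi - mu[i][j] * wj for vi, wj in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu

def is_lll_reduced(b, delta=Fraction(3, 4)):
    """Definition D.7: |mu_ij| <= 1/2 and delta ||b*_i||^2 <= ||b*_{i+1} + mu_{i+1,i} b*_i||^2."""
    bstar, mu = gram_schmidt(b)
    n = len(b)
    size_ok = all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(n) for j in range(i))
    lovasz_ok = all(
        delta * dot(bstar[i], bstar[i])
        <= dot(bstar[i + 1], bstar[i + 1]) + mu[i + 1][i] ** 2 * dot(bstar[i], bstar[i])
        for i in range(n - 1))
    return size_ok and lovasz_ok

def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL (D.1.1) on integer rows: size-reduce b_k, swap with b_{k-1} where Lovász fails."""
    b = [list(row) for row in basis]
    n = len(b)
    k = 1
    while k < n:
        bstar, mu = gram_schmidt(b)
        for j in range(k - 1, -1, -1):                 # step 1 for row k: b_k -= round(mu_kj) b_j
            c = round(mu[k][j])
            if c:
                b[k] = [x - c * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        lhs = delta * dot(bstar[k - 1], bstar[k - 1])
        rhs = dot(bstar[k], bstar[k]) + mu[k][k - 1] ** 2 * dot(bstar[k - 1], bstar[k - 1])
        if lhs <= rhs:
            k += 1                                     # Lovász condition holds, move on
        else:
            b[k], b[k - 1] = b[k - 1], b[k]            # step 2: swap and step back
            k = max(k - 1, 1)
    return b

def volume_squared(b):
    """vol(Lambda)^2 = prod ||b*_i||^2 (the identity used in the proof of Lemma D.4)."""
    bstar, _ = gram_schmidt(b)
    prod = Fraction(1)
    for v in bstar:
        prod *= dot(v, v)
    return prod
```

For the constructed basis the input is not reduced ($\mu_{31} = 14/3$), the output is, both have $\mathrm{vol}^2 = 9$, and Lemma D.3 with $\delta = 3/4$, $n = 3$ guarantees $\|b_1\| \le 2\lambda_1$; since $(0,1,0)$ lies in this lattice, $\|b_1\|^2 \le 4$.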

D.2 Application: Factorization of Integers with the Method of Claus Schnorr (1993)

Basic idea: in order to factor $n = p \cdot q$, we saw that it is desirable to have non-trivial solutions of $x^2 - y^2 \equiv 0 \pmod n$. A more basic problem is finding relations among small primes of the form
$$p_1^{e_1} \cdots p_t^{e_t} \equiv q_1^{f_1} \cdots q_s^{f_s} \pmod n,$$
where $p_1, \ldots, p_t, q_1, \ldots, q_s$ are small primes and $e_1, \ldots, e_t, f_1, \ldots, f_s \in \mathbb{N}$.

Example D.1.

$n = 15$: $2^4 \cdot 3^0 \equiv 7^0 \cdot 3^0$ and $2^3 \cdot 3^1 \equiv 3^2 \pmod{15}$, hence $2^3 \cdot 3 \cdot 2^4 \cdot 3^0 \equiv 7^0 \cdot 3^0 \cdot 3^2 \pmod{15}$.


As in the quadratic sieve, write the exponents modulo 2:
$$\begin{pmatrix} e_{11} & \cdots & e_{1t} & f_{11} & \cdots & f_{1s} \\ e_{21} & \cdots & e_{2t} & f_{21} & \cdots & f_{2s} \\ \vdots & & \vdots & \vdots & & \vdots \\ e_{k1} & \cdots & e_{kt} & f_{k1} & \cdots & f_{ks} \end{pmatrix}$$
We want a non-trivial left kernel, i.e. non-trivial relations among the rows modulo 2, which yield $x^2 \equiv y^2 \pmod n$.

Method: let $p_1, \ldots, p_t$ be the first $t$ primes, $p_1 = 2$, $p_2 = 3$, $p_3 = 5, \ldots$. Search for exponents $e_1, \ldots, e_t, f_1, \ldots, f_t$ such that
$$p_1^{e_1} \cdots p_t^{e_t} - p_1^{f_1} \cdots p_t^{f_t}\, n \in \mathbb{Z}$$
is small (and hence factorable over $p_1, \ldots, p_t$, i.e. $p_t$-smooth). In other words $p_1^{e_1} \cdots p_t^{e_t} \approx p_1^{f_1} \cdots p_t^{f_t}\, n$. Taking logarithms gives
$$\sum_{i=1}^{t} (e_i - f_i) \log p_i \approx \log n.$$
So basically we need to find "small" $\lambda_1, \ldots, \lambda_t \in \mathbb{Z}$ such that $\sum_{i=1}^{t} \lambda_i \log p_i \approx \log n$.

Lemma D.5.

Let $N = \prod_{i=1}^{t} p_i^{e_i}$ and $\bar N = \big(\prod_{i=1}^{t} p_i^{f_i}\big) n$. Then the requirement $|N - \bar N| < s$ is, to first order, equivalent to
$$\Big| \sum_{i=1}^{t} \lambda_i \log p_i - \log n \Big| \le \frac{s}{\bar N}.$$

Proof.

Taylor series expansion of $\log x$.

Lattice: consider the rows of
$$\begin{pmatrix} \log 2 & 0 & \cdots & 0 & N_0 \log 2 \\ 0 & \log 3 & \ddots & \vdots & N_0 \log 3 \\ \vdots & \ddots & \ddots & 0 & \vdots \\ 0 & \cdots & 0 & \log p_t & N_0 \log p_t \\ 0 & \cdots & \cdots & 0 & N_0 \log n \end{pmatrix},$$
where $N_0 \in \mathbb{N}$ is to be determined.

The difficulty lies in the fact that $\log p_i$ and $N_0 \log p_j$ are not integers. In order to get an integer lattice one simply rounds to the nearest integer.


Theorem D.3. Let $c > 1$ and let $N_0 = n^c$. Consider the lattice
\[
\begin{pmatrix}
\log 2 & 0 & \cdots & 0 & N_0 \log 2 \\
0 & \log 3 & \ddots & \vdots & N_0 \log 3 \\
\vdots & \ddots & \ddots & 0 & \vdots \\
0 & \cdots & 0 & \log p_t & N_0 \log p_t \\
0 & \cdots & \cdots & 0 & N_0 \log n
\end{pmatrix}
\]
If $\lambda_1, \dots, \lambda_t \in \mathbb{Z}$ satisfy the inequalities

(1) $\left| \sum_{i=1}^{t} \lambda_i \log p_i - \log n \right| \le \frac{1}{N}\, p_t$,

(2) $\sum_{i=1}^{t} |\lambda_i \log p_i| \le (2c - 1) \log n + 2 \log p_t$,

then for $u := \prod_{i=1}^{t} p_i^{e_i}$, $v := \prod_{i=1}^{t} p_i^{f_i}$ with $|e_i - f_i| = |\lambda_i|$ it holds that $|u - vn| \le p_t^2$.

In 1993, Schnorr estimated that a 512-bit RSA integer can be factored using a lattice of dimension 6300 and an improved version of LLL (Block Korkin-Zolotarev).

In 2009, Schnorr announced a modification of the method in polynomial time.


Appendix E

Basics of Coding Theory


E.1 Linear Codes

Definition E.1. An $[n,k]_q$-linear code is a $k$-dimensional subspace of $\mathbb{F}_q^n$. We will denote a code by $C$. Any linear code can be described by a matrix
\[
G = \begin{pmatrix} c_1 \\ c_2 \\ \vdots \\ c_k \end{pmatrix}, \qquad c_i \in C,\ c_i \text{ linearly independent},
\]
so that
\[
C = \{ mG : m \in \mathbb{F}_q^k \}.
\]

Common Model:
\[
\text{Sender} \xrightarrow{\ \text{message}\ } \text{Encoder} \xrightarrow{\ \text{codeword}\ } \text{Channel} \xrightarrow{\ \text{senseword}\ } \text{Decoder} \xrightarrow{\ \text{message}\ } \text{Receiver}
\]

Example E.1. Consider a $[6,2]_2$-code with matrix
\[
G = \begin{pmatrix} 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 \end{pmatrix},
\]
and a message that belongs to $\mathbb{F}_2^2$: $m = \begin{pmatrix} 1 & 0 \end{pmatrix}$. Then
\[
mG = \begin{pmatrix} 1 & 0 \end{pmatrix} \begin{pmatrix} 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 \end{pmatrix} = \begin{pmatrix} 1 & 1 & 1 & 0 & 0 & 0 \end{pmatrix}
\]
is the codeword.

Suppose we receive $\begin{pmatrix} 1 & 1 & 0 & 1 & 0 & 0 \end{pmatrix}$. Notice that $\begin{pmatrix} 1 & 1 & 0 & 1 & 0 & 0 \end{pmatrix} \notin C$, since
\[
C = \left\{ (1\,1\,1\,0\,0\,0),\ (0\,0\,0\,1\,1\,1),\ (1\,1\,1\,1\,1\,1),\ (0\,0\,0\,0\,0\,0) \right\}.
\]

Definition E.2. Define the Hamming distance ($x, y \in C$, $x, y \neq 0$)
\[
d_H(x, y) := \text{number of coordinates in which } x \text{ and } y \text{ differ}.
\]
$d_H$ is a metric on $\mathbb{F}_q^n$.

Lemma E.1. Let $d_{\min}(C) := \min\{ d_H(x, y) \mid x \neq y \in C \}$. Then $C$ can correct $\left\lfloor \frac{d_{\min} - 1}{2} \right\rfloor$ errors.


Lemma E.2 (Singleton Bound). Let $C$ be an $[n,k]_q$-linear code. Then $d_{\min}(C) \le n - k + 1$.

Corollary E.1. An $[n,k]_q$-code can correct at most $\left\lfloor \frac{n-k}{2} \right\rfloor$ errors.

Definition E.3. Any code which achieves the Singleton bound is called maximum distance separable (MDS).

E.2 Goppa Codes

Invented/discovered by V. D. Goppa in 1970.

Definition E.4. Fix an extension $\mathbb{F}_{q^r}$ over $\mathbb{F}_q$. Let $L = \{\gamma_0, \gamma_1, \dots, \gamma_{n-1}\} \subset \mathbb{F}_{q^r}$ be a set of distinct elements. Let $G(x) \in \mathbb{F}_{q^r}[x]$ be such that $G(\gamma_i) \neq 0$ for all $\gamma_i \in L$. Then the Goppa code is
\[
\Gamma(G, L) = \left\{ c = (c_0, \dots, c_{n-1}) \in \mathbb{F}_q^n \;\middle|\; \sum_{i=0}^{n-1} \frac{c_i}{x - \gamma_i} \equiv 0 \bmod G(x) \right\}.
\]

A Goppa code with $\deg(G) = w$ is an $[n,k]_q$ code, where $k \ge n - rw$ and $d_{\min} \ge w + 1$. Encoding and decoding of Goppa codes is well known and fast.

E.3 Reed-Solomon Codes

Let $\eta$ be a primitive root in $\mathbb{F}_{q^r}$. Then
\[
RS(n, k) = \left\{ \left( f(\eta), f(\eta^2), \dots, f(\eta^n) \right) \;\middle|\; \deg(f) < k \right\}.
\]
This is an $[n,k]_{q^r}$-code. RS codes are always maximum distance separable.
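Example E.1, Lemma E.1, the Singleton bound and the Reed-Solomon construction of this section, worked through as an added Python example (not code from the lecture notes). The toolkit handles $[n,k]_p$-linear codes over a prime field $\mathbb{F}_p$: encoding $mG$, enumerating $C$, $d_H$, $d_{\min}$, the number of correctable errors, nearest-codeword decoding of the received word from Example E.1, and a check of the MDS property. The Reed-Solomon code over $\mathbb{F}_7$ with $\eta = 3$, $n = 6$, $k = 2$ is a constructed instance (the case $r = 1$ of the definition above); all function names are my own.

```python
"""Small toolkit for [n,k]_p linear codes over a prime field F_p, applied to
Example E.1 over F_2 and to a constructed Reed-Solomon code RS(6,2) over F_7."""
from itertools import product


def encode(m, G, p):
    """Codeword mG over F_p for a message m in F_p^k; G is a k x n generator matrix."""
    k, n = len(G), len(G[0])
    assert len(m) == k, "message length must equal the dimension k"
    return tuple(sum(m[i] * G[i][j] for i in range(k)) % p for j in range(n))


def codewords(G, p):
    """The whole code C = {mG : m in F_p^k}; fine for toy sizes (p^k codewords)."""
    return {encode(m, G, p) for m in product(range(p), repeat=len(G))}


def hamming(x, y):
    """Hamming distance d_H(x, y): number of coordinates in which x and y differ."""
    return sum(a != b for a, b in zip(x, y))


def min_distance(C):
    """d_min(C); for a linear code this is the minimum weight of a nonzero codeword."""
    zero = tuple([0] * len(next(iter(C))))
    return min(hamming(c, zero) for c in C if c != zero)


def correctable_errors(C):
    """Number of errors the code is guaranteed to correct: floor((d_min - 1) / 2)."""
    return (min_distance(C) - 1) // 2


def is_mds(n, k, C):
    """Does the code meet the Singleton bound with equality, d_min = n - k + 1?"""
    return min_distance(C) == n - k + 1


def decode(word, C):
    """Nearest-codeword decoding.  Returns (codeword, distance, unique); `unique` is
    False when another codeword is equally close, i.e. the decoder cannot decide."""
    ranked = sorted((hamming(word, c), c) for c in C)
    best_d, best_c = ranked[0]
    unique = len(ranked) == 1 or ranked[1][0] > best_d
    return best_c, best_d, unique


def rs_generator(p, eta, n, k):
    """Generator matrix of RS(n,k) = {(f(eta), ..., f(eta^n)) : deg f < k} over F_p:
    row i holds the values of the monomial x^i at the n evaluation points."""
    points = [pow(eta, j, p) for j in range(1, n + 1)]
    assert len(set(points)) == n, "eta must have multiplicative order at least n"
    return [[pow(a, i, p) for a in points] for i in range(k)]


# Example E.1: the [6,2]_2 code with the generator matrix from the notes.
G_E1 = [[1, 1, 1, 0, 0, 0],
        [0, 0, 0, 1, 1, 1]]

if __name__ == "__main__":
    C = codewords(G_E1, 2)
    print(encode((1, 0), G_E1, 2))                 # the codeword 1 1 1 0 0 0
    print(sorted(C), min_distance(C), correctable_errors(C))
    # The received word of Example E.1 lies at distance 2 from the sent codeword, more
    # than the single error the code guarantees to correct; here it is still uniquely
    # closest to 1 1 1 0 0 0, but that is luck, not a guarantee of the code.
    print(decode((1, 1, 0, 1, 0, 0), C))
    # RS(6,2) over F_7 with primitive root eta = 3 (constructed): d_min = 6 - 2 + 1 = 5.
    C_rs = codewords(rs_generator(7, 3, 6, 2), 7)
    print(min_distance(C_rs), is_mds(6, 2, C_rs))
```

For the $[6,2]_2$ code of Example E.1 the toolkit gives $d_{\min} = 3$, so only one error is guaranteed correctable, and $3 < n - k + 1 = 5$, so the code is not MDS. The Reed-Solomon instance reaches $d_{\min} = 5 = n - k + 1$: a nonzero polynomial of degree below $k = 2$ has at most one root among the six distinct evaluation points, which is exactly why RS codes are maximum distance separable.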
