Date post: 23-Jun-2020

Cryptology lectures

Vanessa Vitse


Contents

1 First concepts in cryptography

2 Modular arithmetic and complexity

2.1 Large integer arithmetic

2.2 Euclidean division and congruences

2.3 Modular exponentiation

2.4 Extended Euclid algorithm

2.5 Modular inverse

3 Prime numbers generation and primality testing

3.1 Distribution of prime numbers

3.2 Pseudo-primality tests: Fermat and Miller-Rabin

4 The discrete logarithm problem in asymmetric cryptography

4.1 A first example: the Diffie-Hellman key exchange

4.2 ElGamal encryption

4.3 Generation of parameters

4.4 Schnorr identification scheme

4.5 Signature schemes (and hash functions)

4.6 DLP solving algorithms

5 Factorization and RSA

5.1 Textbook RSA

5.2 Security of RSA

5.3 Comparison of DLP-based and factoring-based cryptographic schemes

6 Pseudo-random Number Generators (PRNG)

6.1 Introduction

6.2 Linear Feedback Shift Registers (LFSR)

6.3 Linear algebra and LFSR

6.4 Maximal period LFSR and primitive polynomials over finite fields

6.5 Minimal polynomial of a linear recurring sequence

6.6 Cryptanalysis of LFSR

UFR IM2AG – UGAM1 Maths/MSIAM


Introduction

The fundamental goal of cryptography is to protect information at rest or in motion. Cryptography is omnipresent in any computing system and is an integral part of standard protocols (e.g. in TLS, used every day by billions of people). Cryptography is obviously very useful but also very difficult to implement in a secure way. These lectures aim at understanding how some classical cryptographic systems work and why they are secure. In each session, the mathematical core is first introduced, then a lab session is proposed where some classical protocols or algorithms will be implemented and their security analyzed.

The last session is dedicated to error correcting codes.

Bibliography

This course is certainly not intended as an exhaustive study of the subject but as a starting point for further investigations. The following books will help you to get advanced knowledge in cryptography.

• Exercices et problemes de cryptographie, Damien Vergnaud.

• A Graduate Course in Applied Cryptography, Dan Boneh and Victor Shoup, http://toc.cryptobook.us/book.pdf

• Modern Computer Algebra, Joachim von zur Gathen, Cambridge University Press, 2003.

• Cours de Cryptographie, Gilles Zemor (for agrégation candidates!)

• Mathematics of Public Key Cryptography, Steven Galbraith, https://www.math.auckland.ac.nz/~sgal018/crypto-book/main.pdf

• The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, Simon Singh (also available in French).

SageMath is free software for mathematical computations based on Python. As an alternative, it is possible to use Xcas. In any case, you need to install it on your personal computer (http://www.sagemath.org/download.html) to be able to finish the lab sessions at home. For the interface with Sage, the Jupyter Notebook is highly recommended (https://jupyter.readthedocs.io/). The same environment is used for the French agrégation.

For people who are not already familiar with this software, you can read the online tutorial available in (almost) all languages. See the English version here: https://doc.sagemath.org/pdf/en/tutorial/SageTutorial.pdf, or download the following book (in French), which can also be used for the agrégation's “épreuve de modélisation” (modelling exam):

Calcul mathématique avec Sage, Casamayou et al., CreateSpace, 2013. Available online at https://hal.inria.fr/inria-00540485/file/sagebook-web-20130530.pdf

1 First concepts in cryptography

All communication tools (computers, smartphones, microcontrollers...) used nowadays are somehow easy to spy on: wireless traffic, physical copper lines, optical fibers, clouds... are all connected to many operators and data centers that can read our private data at any time. Three fundamental goals in cryptography are to guarantee the confidentiality of the private data transiting over non-secure channels, the authenticity of these data (or message integrity, meaning that an attacker has no way to modify the message without being noticed), but also the identity of the owner of these data.

To simplify the setting, assume that two parties, Alice and Bob, want to securely exchange information in the presence of an eavesdropping adversary Eve. For that they can use encryption and decryption protocols, which are public and available to anyone. These protocols obviously require a secret key so that only Alice and Bob can recover the sensitive data. In particular, the security of a cryptosystem has to rely only on the secrecy of the key[1]. Note that besides transmitting a message on an unsecured network, these same techniques allow Alice to store a file on a disk so that no one else with access to the disk can read the file; only Alice herself can do it at any later time.

When Alice and Bob already share a key unknown to the attacker, they can use the same key to encrypt and decrypt: this is what is called symmetric cryptography. Symmetric cryptography was already used by the Egyptians as far back as 1900 BC and is now at the heart of any secure electronic device.

Definition. A symmetric cipher is a pair (E, D) of public algorithms working with three sets M, K, C such that

• M is the set of all messages or plaintexts,

• K is the set of all possible secret keys,

• C is the set of all encrypted messages or ciphertexts.

The algorithm E takes as input a key k ∈ K and a message m ∈ M and outputs a ciphertext c ∈ C. It can be non-deterministic, i.e. it can output different ciphertexts for the same input (k, m).

The algorithm D takes as input a key k ∈ K and a ciphertext c ∈ C and outputs (deterministically) a message m ∈ M, i.e. it realizes a mathematical function D : K × C → M.

Together E and D must satisfy the correctness property

∀k ∈ K, ∀m ∈M, D(k,E(k,m)) = m.

Often M, K and C are of the form {0, 1}^n, i.e. the messages, keys and ciphertexts are fixed-length sequences of bits. Obviously, a cipher should also satisfy some security assumptions (otherwise, we may as well take the identity functions for E and D). Informally, it should be hard to recover a plaintext m from the knowledge of its encryption c without knowing the corresponding secret key k used during encryption.

As a classical example of symmetric encryption, the one-time pad[2] cipher consists of a couple (E, D) of encryption and decryption functions defined over (K, M, C) where keys, messages and ciphertexts are bit strings of the same length n, otherwise said $\mathcal{K} = \mathcal{M} = \mathcal{C} = \{0,1\}^n = \mathbb{F}_2^n$. For a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^n$, the encryption function is defined as the addition over $\mathbb{F}_2^n$ without carry, i.e.

$$E(k, m) = k \oplus m,$$

where ⊕ denotes the exclusive-OR. In particular, as $\mathbb{F}_2^n$ is a vector space over a field of characteristic 2, for any $x, y, z \in \mathbb{F}_2^n$,

$$x \oplus y = y \oplus x, \quad x \oplus (y \oplus z) = (x \oplus y) \oplus z, \quad x \oplus 0_{\mathbb{F}_2^n} = x \quad \text{and} \quad x \oplus x = 0_{\mathbb{F}_2^n}.$$

[1] This old principle was already stressed by Kerckhoffs in 1883.

[2] The one-time pad cipher is due to Gilbert Vernam in 1917.

It follows immediately that decryption is done with the same function as encryption, that is, for a key k ∈ {0, 1}^n and a ciphertext c ∈ {0, 1}^n,

D(k, c) = k ⊕ c.

Exercise: check the correctness of this scheme, otherwise said that D(k, E(k, m)) = m for any key k and message m.

From a security perspective, this encryption is optimal since it ensures perfect secrecy:

Definition. Let (E, D) be a cipher defined over (K, M, C). Consider random variables K, M, C related by the equation M = D(K, C), such that K is uniformly distributed over K and K, M are independent. The cipher (E, D) is perfectly secure if for all (m, c) ∈ M × C such that Pr[C = c] ≠ 0, we have

Pr[M = m | C = c] = Pr[M = m].

We emphasize that M is not necessarily uniformly distributed: not all plaintexts are equally probable. The definition means that M and C are independent random variables, so that knowledge of the ciphertext c gives no information at all on the plaintext.

Proposition. The one-time pad encryption is perfectly secure.

Proof. We first observe that for the one-time pad, the random variable C is also uniformly distributed. Indeed, for all c ∈ C,

$$\Pr[C = c] = \sum_{m \in \mathcal{M}} \Pr[(C = c) \cap (M = m)] = \sum_{m \in \mathcal{M}} \Pr[(M \oplus K = c) \cap (M = m)] = \sum_{m \in \mathcal{M}} \Pr[(K = m \oplus c) \cap (M = m)].$$

Since M and K are independent and K is uniform, it holds that

$$\Pr[C = c] = \sum_{m \in \mathcal{M}} \Pr[K = m \oplus c] \cdot \Pr[M = m] = \sum_{m \in \mathcal{M}} \frac{1}{2^n} \Pr[M = m] = \frac{1}{2^n}.$$

Thus C is uniformly distributed over {0, 1}^n. Now for all m ∈ M and c ∈ C, we have:

$$\Pr[(M = m) \cap (C = c)] = \Pr[(M = m) \cap (K = c \oplus m)] = \Pr[M = m] \cdot \Pr[K = c \oplus m] = \frac{1}{2^n} \Pr[M = m] = \Pr[C = c] \cdot \Pr[M = m].$$

Thus C and M are independent.

Unfortunately it is not possible to devise a better cipher than the one-time pad while preserving perfect secrecy. It is indeed necessary to have a uniformly distributed secret key at least as long as the message, otherwise information about the plaintext can be obtained.


Theorem (Shannon's theorem). If a cipher (E, D) defined over (K, M, C) is perfectly secure, then |K| ≥ |M|.

Here we assume that Pr[M = m] ≠ 0 for all m ∈ M, which is always the case in practice (otherwise, we can reduce M to the set of plaintexts appearing with non-zero probability).

Proof. Let c ∈ C be such that Pr[C = c] ≠ 0. For all m ∈ M, let $K_{m,c}$ be the set $\{k \in \mathcal{K} : m = D(k, c)\}$ of keys decrypting c to m. Obviously, if m ≠ m′ then $K_{m,c} \cap K_{m',c} = \emptyset$. Now for all m ∈ M, since (E, D) is perfectly secure it holds that

$$0 \neq \Pr[M = m] \cdot \Pr[C = c] = \Pr[(M = m) \cap (C = c)] = \Pr[(M = m) \cap (C = c) \cap (K \in K_{m,c})] \le \Pr[K \in K_{m,c}].$$

In particular $K_{m,c}$ is not empty. Then

$$|\mathcal{K}| \ge \Big| \bigcup_{m \in \mathcal{M}} K_{m,c} \Big| = \sum_{m \in \mathcal{M}} |K_{m,c}| \ge |\mathcal{M}|.$$

This concludes the proof.
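As an added example (this code is not part of the lecture notes), the perfect-secrecy definition and the first step of the proposition's proof checked exhaustively in Python on a constructed 3-bit toy: the key is uniform and independent of a deliberately non-uniform plaintext distribution, the joint law of (M, C) is computed with exact fractions, and each conditional probability Pr[M = m | C = c] is compared with Pr[M = m]. Running the same check with only 4 keys (so |K| < |M|) exhibits the failure Shannon's theorem predicts. The sample distribution and the 2-bit-key variant are assumptions made here for illustration.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed example: 3-bit messages with a deliberately non-uniform
# plaintext distribution (perfect secrecy must hold for any distribution).
N_BITS = 3
SAMPLE_DIST = {0b000: Fraction(1, 2), 0b101: Fraction(1, 4), 0b111: Fraction(1, 4)}


def otp_encrypt(k: int, m: int) -> int:
    """E(k, m) = k XOR m on n-bit integers (addition without carry in F_2^n)."""
    return k ^ m


def joint_distribution(plaintext_dist, key_space, encrypt=otp_encrypt):
    """Pr[(M = m) and (C = c)] for K uniform over key_space and independent of M."""
    pk = Fraction(1, len(key_space))
    joint = defaultdict(Fraction)
    for m, pm in plaintext_dist.items():
        for k in key_space:
            joint[(m, encrypt(k, m))] += pm * pk
    return joint


def ciphertext_distribution(joint):
    """Marginal law of C obtained by summing the joint law over m."""
    pc = defaultdict(Fraction)
    for (_, c), p in joint.items():
        pc[c] += p
    return pc


def is_perfectly_secure(plaintext_dist, key_space, encrypt=otp_encrypt) -> bool:
    """Exact check of Pr[M = m | C = c] == Pr[M = m] for every c with Pr[C = c] != 0."""
    joint = joint_distribution(plaintext_dist, key_space, encrypt)
    for c, p_c in ciphertext_distribution(joint).items():
        if p_c == 0:
            continue
        for m, pm in plaintext_dist.items():
            if joint[(m, c)] / p_c != pm:   # the ciphertext changed the odds of m: a leak
                return False
    return True


def ciphertext_is_uniform(plaintext_dist, key_space, encrypt=otp_encrypt, n_bits=N_BITS) -> bool:
    """The first step of the proof: C is uniform over {0,1}^n."""
    pc = ciphertext_distribution(joint_distribution(plaintext_dist, key_space, encrypt))
    return len(pc) == 2 ** n_bits and all(p == Fraction(1, 2 ** n_bits) for p in pc.values())


if __name__ == "__main__":
    full_key_space = range(2 ** N_BITS)          # |K| = |M|: the one-time pad
    short_key_space = range(2 ** (N_BITS - 1))   # |K| < |M|: excluded by Shannon's theorem
    print("one-time pad, 3-bit keys:", is_perfectly_secure(SAMPLE_DIST, full_key_space))
    print("XOR with 2-bit keys     :", is_perfectly_secure(SAMPLE_DIST, short_key_space))
```

The 2-bit-key variant is instructive: its ciphertext is still uniform (the top bit of c simply equals the top bit of m, and the sample distribution happens to balance it), so uniformity of C, the first step of the proof, is not by itself what the definition asks for; independence of M and C is.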

Exercise. Remark that the one-time pad becomes totally insecure if not used correctly: for example, if Alice uses her secret key twice to encrypt two different messages, then Eve can recover some information.

Remark. The one-time pad is malleable in the sense that an attacker can cause predictable changes to the plaintext; thus it provides no message integrity. More precisely, if the attacker intercepts a ciphertext c = E(k, m) and changes c to c′ = c ⊕ δ, then the other party receives the modified message D(k, c′) = m ⊕ δ. To make things concrete, suppose Alice is a professor and that her students Bob and Eve have to submit their homework by email. To guarantee privacy, students encrypt their homework file with the one-time pad. Simplifying things a bit, assume that a header of the form “From: Bob” authenticates the homework of Bob. Now suppose that Eve spies on Bob's email traffic and intercepts the email with Bob's encrypted homework. Eve can effectively steal Bob's homework by simply XORing the appropriate 3-character string into the ciphertext in positions 6 to 9, without knowledge of Bob's secret key. Bob will never know that his homework was stolen by Eve, and Alice will grade Bob's homework thinking it is Eve's.
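The exercise and the remark above, worked in Python as an added example (not the notes' own code): encryption and decryption are the same XOR function, malleability turns a chosen δ into a predictable change of the decrypted text, and reusing a key leaks m1 ⊕ m2. The HMAC tag at the end is an addition of this example, not something the notes describe: it shows how a separate integrity check under its own key detects a modified ciphertext. Key, message and δ are constructed values.

```python
import hashlib
import hmac

# Constructed sample values: a real key must be uniformly random and never reused.
KEY = bytes(range(12))
MSG = b"hello world!"
DELTA = b"\x20" + b"\x00" * 11   # flips bit 5 of the first byte: 'h' -> 'H'


def xor_bytes(x: bytes, y: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings: addition without carry in F_2^n."""
    if len(x) != len(y):
        raise ValueError("one-time pad operands must have the same length")
    return bytes(a ^ b for a, b in zip(x, y))


def otp_encrypt(key: bytes, msg: bytes) -> bytes:
    """E(k, m) = k XOR m."""
    return xor_bytes(key, msg)


def otp_decrypt(key: bytes, ct: bytes) -> bytes:
    """D(k, c) = k XOR c: the very same function, because x XOR x = 0."""
    return xor_bytes(key, ct)


def correctness_holds(key: bytes, msg: bytes) -> bool:
    """The exercise from the notes: D(k, E(k, m)) == m."""
    return otp_decrypt(key, otp_encrypt(key, msg)) == msg


def receiver_view_after_tampering(key: bytes, msg: bytes, delta: bytes) -> bytes:
    """Malleability: replacing c by c XOR delta makes the receiver decrypt m XOR delta,
    and the party doing the replacement needs no knowledge of the key."""
    tampered = xor_bytes(otp_encrypt(key, msg), delta)
    return otp_decrypt(key, tampered)


def key_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Two-time pad: c1 XOR c2 == m1 XOR m2, a key-independent relation between plaintexts."""
    return xor_bytes(otp_encrypt(key, m1), otp_encrypt(key, m2))


def mac_tag(mac_key: bytes, ct: bytes) -> bytes:
    """Hypothetical add-on (not in the notes): an HMAC over the ciphertext, under a
    separate key, supplies the integrity the one-time pad lacks."""
    return hmac.new(mac_key, ct, hashlib.sha256).digest()


def mac_detects_tampering(mac_key: bytes, key: bytes, msg: bytes, delta: bytes) -> bool:
    """True when the genuine ciphertext verifies and the XOR-modified one is rejected."""
    ct = otp_encrypt(key, msg)
    tag = mac_tag(mac_key, ct)
    tampered = xor_bytes(ct, delta)
    genuine_ok = hmac.compare_digest(mac_tag(mac_key, ct), tag)
    tampered_ok = hmac.compare_digest(mac_tag(mac_key, tampered), tag)
    return genuine_ok and not tampered_ok


if __name__ == "__main__":
    print("correct:", correctness_holds(KEY, MSG))
    print("receiver sees:", receiver_view_after_tampering(KEY, MSG, DELTA))
    print("c1 xor c2 == m1 xor m2:", key_reuse_leak(KEY, MSG, b"HELLO WORLD!") == xor_bytes(MSG, b"HELLO WORLD!"))
```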

Thus perfect security asks for keys as long as messages; in other words, any new message requires a new key. This is not feasible in practice, essentially because secure key distribution and storage are not easy. For real world applications, it is necessary to settle on weaker security requirements: recovering m from c (or just any information about m), even if theoretically possible, should not be computationally feasible with real world resources.

Note that in classical symmetric protocols keys are of some fixed length (usually 128 bits) whereas messages/ciphertexts may have either fixed or variable length (for example a message can be a 1 GB video file, a 1 KB email or even a single bit encoding a vote in an electronic election).

To work around the problem of key size while sticking to the principle of XORing the plaintext, a basic idea is to replace the one-time pad secret key by a short seed s (of size typically 128 bits) that will be used to generate a “random-looking” bit sequence. This stretching is done by a deterministic algorithm $G : \mathbb{F}_2^{l} \to \mathbb{F}_2^{N}$, $s \mapsto G(s)$, which is called a pseudo-random number generator (PRNG). The one-time pad then becomes a stream cipher.

Popular methods to construct PRNGs are based on linear feedback shift registers (LFSR), which mathematically correspond to linear recurrent sequences over finite fields. More details about PRNGs are given in session 4.


Symmetric cryptography is a fundamental part of cryptography but it does not by itself solve all problems related to “secure communications”. Most importantly, symmetric cryptography techniques do not provide mechanisms that allow Alice and Bob to share a secret key in the first place. In particular, if they only share an Internet connection, they cannot establish a secure communication.

To solve the problem of key exchange and key transport, the two protagonists need the concepts of public-key encryption and digital signatures. The idea is quite simple: reproduce in the digital world the concept of classical mail boxes. Bob, who has access to a phone book, can get the physical address of Alice and send her a message in a sealed envelope. Alice, as the owner of her mail box, is the only one to have the key which can open it and recover Bob's message. Thus in public key cryptography, to address a message to Alice two keys are needed:

• Alice’s public key (known from everybody) which is used to encrypt messages,

• Alice’s private key which is used to decrypt ciphertexts, and thus only known by Alice.

If such a public key scheme exists, then the problem of key distribution becomes obsolete! Despite its simplicity, it is only in 1976-1977 that mathematicians found a way to realize the first public key cryptosystem. The construction of these schemes relies on the existence of hard mathematical problems. It should, at least in theory, be feasible to deduce the private key from the public key, but in practice we ask that this computation is infeasible in reasonable time and with reasonable computing power. To define precisely what we mean by “reasonable”, we will analyze in detail the complexity of the mathematical functions introduced.

But before going further, we need first to introduce the mathematical background.

2 Modular arithmetic and complexity

2.1 Large integer arithmetic

In a modern computer, the processor can perform the usual arithmetic operations over integers stored in the registers, which are of size 32 or 64 bits. Therefore, when analyzing the complexity of an algorithm, it is usual to consider elementary operations (addition/subtraction, multiplication and division) as constant time operations.

But in cryptography, keys and messages have sizes much larger than 64 bits; for example, in the asymmetric RSA cryptosystem, messages are of size 2048 bits. In particular, it is necessary to use software programs[3] to handle computations over large integers. Also, the addition/multiplication of numbers of size n can no longer be considered as “unit” or constant time operations when n grows. The measure of the complexity of an algorithm can be done by introducing the “big O” notation:

Definition. Let f, g be two real functions, with g > 0. We write f = O(g) if there exists a constant C > 0 such that for any large enough x,

|f(x)| ≤ Cg(x).

Examples. f = O(1) ⟺ f is bounded (for x large enough). $x^a + \log(x)^b = O(x^a)$ for any a, b, x > 0.

[3] For example, GMP is one popular multi-precision library.


Be careful with the notation f = O(g): if f = O(g) and h = O(g), it DOES NOT MEAN that f = h or that f = O(h)...

With the classical algorithms (those learned in elementary school), it is easy to implement the addition/subtraction of two integers of size n with O(n) constant time operations (addition of digits or bits), and multiplication/division algorithms with O(n^2) operations. Note that there are numerous multiplication algorithms with better complexity, such as Karatsuba's with complexity in $O(n^{\log_2 3}) = O(n^{1.584})$.

Here all the complexities are given in terms of the size of the input of the algorithms: the size of an integer a is in log2(a) when measured in bits. Another example is the multiplication of two polynomials of degree d with coefficients smaller than B: the size of the input is in d log2 B and the complexity of multiplication is in $O((d \log B)^2)$.

2.2 Euclidean division and congruences

Modular arithmetic is at the heart of many asymmetric cryptosystems. The precise definition relies on Euclidean division.

Theorem (Euclidean division). For a, b ∈ Z, b ≠ 0, there exists a unique couple q, r ∈ Z s.t. a = bq + r and 0 ≤ r < |b|. The integer r is the remainder in the division of a by b, and q is the quotient.

Definition (Divisibility). Let a and b be two integers. Then a divides b (or b is a multiple of a) if there exists an integer c such that b = a · c. This is denoted a | b.

Definition (Congruence). Let x, y, n ∈ Z. Then x is congruent to y modulo n if their remainders in the division by n are the same.

In particular

$$x = y \bmod n \iff n \mid (x - y) \iff \exists k \in \mathbb{Z},\ x = kn + y.$$

Property.

1. This is an equivalence relation (reflexive, transitive and symmetric).

2. Compatibility with addition and multiplication mod n: for all integers a, b, a′, b′ s.t. a = a′ mod n and b = b′ mod n, we have a + b = a′ + b′ mod n and ab = a′b′ mod n.

3. Other interesting properties:

• a = b mod n ⟺ ac = bc mod nc

• a = b mod mn ⟹ (a = b mod m and a = b mod n)

The congruence equivalence relation partitions the set Z into equivalence classes:

Definition (Residue classes modulo n). Z/nZ is the set of equivalence classes or residue classes modulo n for the congruence relation. For any integer m in a residue class, we call m a representative of that class.

Note that there are precisely n distinct residue classes modulo n, given for example by 0, ..., n − 1 (corresponding to the remainders in the Euclidean division by n).

Property. (Z/nZ, +, ·) is a commutative ring with unit.


2.3 Modular exponentiation

The compatibility of the congruence relation with addition and multiplication means that computing modulo n is essentially the same as computing over Z, except that each intermediate result is replaced by its remainder in the division by n. In particular, the size of intermediate/output data should never exceed the size of n.

Question: given g ∈ Z/nZ (or more generally in a group G) and e ∈ N*, how to compute g^e mod n?

An obvious way is to iteratively multiply by g a total of e times, reducing modulo n at each step. The complexity is then in $O(e (\log n)^2)$. Another (much faster) way is to apply the “square-and-multiply” algorithm; the idea is based on this mathematical property:

Property. Let $e = \sum_i \varepsilon_i 2^i$ be the binary expansion of e. Then

$$g^e = \prod_{\varepsilon_i = 1} g^{2^i} \bmod n.$$

This yields the following algorithm reading the bits of e from right to left:

Algorithm 1: “Right-to-left” algorithm for modular exponentiation

    Input : g ∈ Z/nZ, e, n ∈ N*
    Output: g^e mod n
    res ← 1
    t ← g
    while e ≠ 0 do
        if e is odd then
            res ← res · t mod n
        e ← ⌊e/2⌋
        t ← t² mod n
    return res

Complexity: we perform at most O(log e) multiplications in Z/nZ and log e squarings $g^{2^{i+1}} = (g^{2^i})^2$. The total complexity is thus $O(\log e \cdot (\log n)^2)$.

Reading the bits of e in decreasing order, it is possible to devise a “left-to-right” square-and-multiply algorithm. The following formula gives the corresponding algorithm:

$$g^e = \begin{cases} (g^{e/2})^2 & \text{for even } e, \\ g \cdot (g^{(e-1)/2})^2 & \text{for odd } e. \end{cases}$$

The complexity analysis of the left-to-right version is the same as that of the right-to-left one: it is a polynomial algorithm in the size of the input.

Algorithm 2: “Left-to-right” algorithm for modular exponentiation

    Input : g ∈ Z/nZ, e, n ∈ N*
    Output: g^e mod n
    if e == 0 then
        return 1
    res ← g
    t ← ⌊log2(e)⌋
    B ← list of bits of e (e = Σ_{i=0}^{t} B[i] 2^i with B[t] = 1)
    while t > 0 do
        t ← t − 1
        res ← res² mod n
        if B[t] == 1 then
            res ← res · g mod n
    return res

Some figures: It is important to realize that modern computers are extremely efficient but still have limitations! Here are some orders of magnitude:

• a 4-core desktop computer at 2.5 GHz can compute about 10 billion floating point operations per second: 2^36 FLOPS

• a modest computer cluster: 2^40 FLOPS

• supercomputers: 2^50 to 2^56 FLOPS

Thus, it would take a supercomputer several years (or even decades) to compute a single exponentiation of 80-bit integers using the naive iterative algorithm! By contrast, with a square-and-multiply algorithm, exponentiating a 1000-bit integer only takes a few milliseconds on a laptop computer.
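Algorithms 1 and 2 in Python, as an added example that is not part of the lecture notes: both square-and-multiply variants, the naive e-step method for comparison, and a counter recording how many multiplications and squarings each variant performs, which makes the log e versus e gap of the previous paragraph visible. The modulus 1 000 003 used inside operation_counts is an arbitrary constructed value; the counts depend only on the exponent.

```python
def modexp_right_to_left(g: int, e: int, n: int, counter: dict = None) -> int:
    """Algorithm 1: scan the bits of e from least to most significant."""
    res, t = 1 % n, g % n
    while e != 0:
        if e & 1:                       # current bit set: multiply by g^(2^i)
            res = res * t % n
            if counter is not None:
                counter["mul"] += 1
        e >>= 1                         # e <- floor(e / 2)
        t = t * t % n                   # t <- t^2, i.e. the next power g^(2^(i+1))
        if counter is not None:
            counter["sqr"] += 1
    return res


def modexp_left_to_right(g: int, e: int, n: int, counter: dict = None) -> int:
    """Algorithm 2: scan the bits of e from most to least significant."""
    if e == 0:
        return 1 % n
    bits = bin(e)[2:]                   # bits[0] is the leading 1 (B[t] = 1)
    res = g % n
    for b in bits[1:]:
        res = res * res % n             # one squaring per remaining bit
        if counter is not None:
            counter["sqr"] += 1
        if b == "1":
            res = res * g % n           # multiply by g only when the bit is set
            if counter is not None:
                counter["mul"] += 1
    return res


def modexp_naive(g: int, e: int, n: int) -> int:
    """The e-step iterative method: only feasible for tiny exponents."""
    res = 1 % n
    for _ in range(e):
        res = res * g % n
    return res


def operation_counts(e: int) -> dict:
    """Multiplications and squarings performed by each algorithm for exponent e.
    Base and modulus are constructed values: they do not influence the counts."""
    counts = {"rtl": {"mul": 0, "sqr": 0}, "ltr": {"mul": 0, "sqr": 0}}
    modexp_right_to_left(2, e, 1_000_003, counts["rtl"])
    modexp_left_to_right(2, e, 1_000_003, counts["ltr"])
    return counts


if __name__ == "__main__":
    e = 2 ** 80 + 1   # an 81-bit exponent: hopeless for the naive method
    print(modexp_right_to_left(3, e, 1_000_003) == pow(3, e, 1_000_003))
    print(operation_counts(e))   # about 80 squarings and a handful of multiplications
```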

This means that there is a huge gap between O(n) and O(2^n) complexities. To further illustrate the subject, we list below the time it takes to perform f(n) operations on a computer that makes 2^30 elementary operations per second, for various functions f and values of n.

    n   log2(n)       n    n log2(n)      n^2       n^3                2^n                  n!
   10     3 ns     9 ns       30 ns     90 ns    0.9 µs             0.9 µs                3 ms
   20     4 ns    18 ns       80 ns    0.4 µs      7 µs               1 ms            70 years
   30   4.5 ns    28 ns      140 ns    0.8 µs     25 µs                1 s   > age of universe
   40     5 ns    37 ns      190 ns    1.5 µs     60 µs             1024 s                   –
   50   5.2 ns    46 ns      260 ns    2.3 µs    0.1 ms            12 days                   –
   60   5.5 ns    55 ns      330 ns    3.3 µs    0.2 ms           34 years                   –
   80   5.8 ns    75 ns      470 ns      6 µs    0.4 ms   35 million years                   –
  100   6.2 ns    93 ns      620 ns      9 µs    0.9 ms  > age of universe                   –
  200   7.1 ns   186 ns      1.5 µs     37 µs      7 ms                  –                   –
 1000   9.2 ns   0.9 µs        9 µs      1 ms       1 s                  –                   –
10000    12 ns     9 µs      0.1 ms    100 ms    1000 s                  –                   –

We can see that there is a pronounced difference between polynomial and exponential complexity.

Remark. Computations modulo n allow one to define problems that are computationally difficult, i.e. with an exponential complexity.

Modular exponentiation is a good illustration of a one-way function: given n ∈ N*, g ∈ Z/nZ and x ∈ Z, it is easy to compute g^x mod n since there exist algorithms with polynomial complexity.


However, there is no efficient algorithm (in 2020) which computes x given n, g and g^x mod n when n is a large prime. This problem is called the discrete logarithm problem and is useful for many asymmetric cryptographic protocols. For example, the security of the Diffie-Hellman key exchange protocol relies on this problem.

2.4 Extended Euclid algorithm

The ring Z/nZ is not always an integral domain. More precisely, when n is not prime, there are divisors of zero, which are not invertible by definition. The division operation modulo n is thus not as simple as addition or multiplication. The gcd operator allows one to determine when an element is invertible modulo n, and the Extended Euclid algorithm allows one to compute efficiently the inverse of an invertible element (division is then just multiplication by the inverse).

Definition (gcd, lcm, coprimality). For a, b ∈ Z, the greatest common divisor of a and b is denoted gcd(a, b) or a ∧ b, and the least common multiple lcm(a, b) or a ∨ b. The integers a and b are coprime when gcd(a, b) = 1. More generally, the gcd of {a1, ..., an} ⊂ Z is the greatest common divisor of a1, ..., an.

The gcd can be computed efficiently using the following result:

Property. Let a and b be two positive integers such that a > b; then

gcd(a, b) = gcd(b, a mod b).

Now let $r_0 := a$ and $r_1 := b$. We compute iteratively

$$r_0 = r_1 q_1 + r_2 \ \text{with}\ 0 \le r_2 < |r_1| \quad\to\quad \gcd(a, b) = \gcd(r_0, r_1) = \gcd(r_1, r_2)$$

$$r_1 = r_2 q_2 + r_3 \ \text{with}\ 0 \le r_3 < r_2 \quad\to\quad \gcd(r_1, r_2) = \gcd(r_2, r_3)$$

$$\vdots$$

$$r_{n-1} = r_n q_n + r_{n+1} \ \text{with}\ r_{n+1} = 0 \quad\to\quad \gcd(r_{n-1}, r_n) = r_n$$

In particular, gcd(a, b) is equal to the last non-zero remainder $r_n$.

Algorithm 3: Euclid's algorithm

    Input : a, b ∈ N, a > b
    Output: gcd(a, b)
    while b > 0 do
        r ← a mod b
        a ← b
        b ← r
    return a

Complexity: Consider a, b ≤ N.

The number of Euclidean divisions in Euclid's algorithm is smaller than 2 log2 N. Indeed, it is not difficult to show by induction that for any i ≥ 0, $r_{i+2} < r_i/2$; just consider the proof for i = 0 (the induction step is done the same way): if $r_1 \le r_0/2$ then $r_2 < r_1 \le r_0/2$; otherwise $2r_1 > r_0$ and then $r_2 = r_0 - r_1 < r_0/2$; in any case $r_2 < r_0/2$. In particular

$$r_{2k} < r_0/2^k \le N/2^k$$

and as soon as k ≥ log2 N, we have $r_{2k} = 0$.

At each step, the cost of the Euclidean division $r_{i-1} = q_i r_i + r_{i+1}$ is in $O(\log(r_{i-1}) \cdot \log(q_i))$, thus the cost of all Euclidean divisions is smaller than $O(\log(a) \cdot \log(\prod_i q_i))$. It is not difficult to see from the definition of $q_i, r_i$ that $q_i \le r_{i-1}/r_i$, so that $\prod_i q_i \le a/r_n \le a$.

At the end, the complexity of Euclid's algorithm is in $O((\log N)^2)$.

The gcd of two integers can be expressed as a linear combination of these integers:

Lemma (Bezout's lemma). For a, b ∈ Z, there exist u, v ∈ Z such that au + bv = gcd(a, b).

The Extended Euclid algorithm gives a constructive proof of Bezout's lemma. More precisely, to compute u and v, we explicitly introduce the sequences $(u_i), (v_i)$ such that $r_i = u_i a + v_i b$, given by induction:

• Initialization:

$$u_0 = 1,\ v_0 = 0, \qquad u_1 = 0,\ v_1 = 1.$$

• Induction hypothesis:

$$u_{i-1} a + v_{i-1} b = r_{i-1}, \qquad u_i a + v_i b = r_i.$$

Writing $r_{i+1} = r_{i-1} - r_i q_i = u_{i-1} a + v_{i-1} b - (u_i a + v_i b) q_i = (u_{i-1} - q_i u_i) a + (v_{i-1} - q_i v_i) b$, you get

$$u_{i+1} = u_{i-1} - q_i u_i, \qquad v_{i+1} = v_{i-1} - q_i v_i.$$

The Bezout coefficients are obtained at step n, when $r_n = \gcd(a, b)$.

Complexity: with a similar analysis, we easily deduce that the complexity of the extended version is also in $O((\log N)^2)$.

2.5 Modular inverse

The Extended Euclid algorithm is very often used to compute the modular inverse.

Theorem. An integer a is invertible modulo n iff a and n are coprime.

Proof. Direct application of Bezout: ua + vn = 1 ⇒ u = a^{-1} mod n.

Algorithm 4: Computation of the inverse modulo n

    Input : a ∈ Z, n ∈ N* (with gcd(a, n) = 1)
    Output: a^{-1} mod n
    u0 ← 1; u1 ← 0
    b ← n                   (the second operand of the Euclidean divisions is the modulus)
    while b ≠ 0 do
        tmp ← a
        a ← b
        b ← tmp mod a
        q ← ⌊tmp / a⌋
        tmp ← u0 − q · u1
        u0 ← u1
        u1 ← tmp
    return u0 mod n

(The loop tracks only the coefficient $u_i$ of a, since the coefficient of n is irrelevant modulo n; on exit, a holds gcd(a, n), which must be 1 for u0 to be the inverse.)
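Algorithms 3 and 4 together with the (u_i, v_i) recurrence of the previous section, in Python as an added example (not the notes' own code): gcd, the number of divisions checked against the 2 log2 N bound, extended_gcd returning a full Bezout relation, and modinv, which refuses non-coprime inputs as the theorem above requires. The sign normalisation for negative inputs is an addition of this example.

```python
from math import log2


def gcd(a: int, b: int) -> int:
    """Algorithm 3 (Euclid): repeatedly replace (a, b) by (b, a mod b)."""
    a, b = abs(a), abs(b)
    while b > 0:
        a, b = b, a % b
    return a


def euclid_division_count(a: int, b: int) -> int:
    """Number of Euclidean divisions performed by Euclid's algorithm on (a, b)."""
    a, b = abs(a), abs(b)
    steps = 0
    while b > 0:
        a, b = b, a % b
        steps += 1
    return steps


def division_bound_holds(a: int, b: int) -> bool:
    """The bound from the complexity analysis: fewer than 2 log2 N divisions for a, b <= N."""
    N = max(abs(a), abs(b))
    if N < 2:
        return True
    return euclid_division_count(a, b) <= 2 * log2(N)


def extended_gcd(a: int, b: int):
    """Extended Euclid: return (g, u, v) with u*a + v*b == g == gcd(a, b).
    The pairs (u_i, v_i) satisfy r_i = u_i*a + v_i*b at every step, as in the notes."""
    r0, r1 = a, b
    u0, u1 = 1, 0
    v0, v1 = 0, 1
    while r1 != 0:
        q, r2 = divmod(r0, r1)          # r_{i-1} = q_i r_i + r_{i+1}
        r0, r1 = r1, r2
        u0, u1 = u1, u0 - q * u1        # u_{i+1} = u_{i-1} - q_i u_i
        v0, v1 = v1, v0 - q * v1        # v_{i+1} = v_{i-1} - q_i v_i
    if r0 < 0:                          # normalisation (added here): keep the gcd non-negative
        r0, u0, v0 = -r0, -u0, -v0
    return r0, u0, v0


def bezout_holds(a: int, b: int) -> bool:
    g, u, v = extended_gcd(a, b)
    return u * a + v * b == g and g == gcd(a, b)


def modinv(a: int, n: int) -> int:
    """Algorithm 4: a^{-1} mod n from the Bezout relation u*a + v*n = 1."""
    g, u, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} is not invertible modulo {n} (gcd = {g})")
    return u % n


if __name__ == "__main__":
    print(gcd(1071, 462), euclid_division_count(1071, 462))   # 21 after 3 divisions
    print(extended_gcd(240, 46))                               # (2, -9, 47)
    print(modinv(17, 3120))                                    # 2753
```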


The number of invertible elements modulo n is given by Euler's totient function.

Definition. Let n be a positive integer; Euler's totient function of n is defined as the number of positive integers smaller than n and coprime with n:

∀n ∈ N∗, ϕ(n) = |(Z/nZ)×|.

An equivalent definition is that ϕ(n) is the number of generators of any cyclic group of cardinality n. Indeed an integer x is a generator of (Z/nZ, +) if and only if gcd(x, n) = 1 (thanks to Bezout). So |(Z/nZ)×| is the number of generators of (Z/nZ, +), and any cyclic group of order n is isomorphic to Z/nZ.

If the factorization of n is known[4], it becomes easy to compute ϕ(n):

Property.

• ϕ(mn) = ϕ(m)ϕ(n) for all coprime positive integers m, n.

• $\varphi(p^e) = p^e - p^{e-1} = p^e(1 - 1/p)$ for all primes p and positive integers e.

• $\varphi(n) = n \prod_{i=1}^{k} (1 - 1/p_i)$ where $n = p_1^{e_1} \cdots p_k^{e_k}$ is the factorization of n into primes.

• $n = \sum_{d \mid n} \varphi(d)$.

When the factorization of n is known, another method for computing the modular inverse is given by Euler's theorem:

$$a^{\varphi(n)} = 1 \bmod n \ \Rightarrow\ a^{-1} = a^{\varphi(n) - 1} \bmod n.$$

But as we have seen, even with fast exponentiation algorithms, the complexity of this method is in O((log n)^3), so it is less efficient than the Extended Euclid algorithm.

As a last application of the Extended Euclid algorithm, we give a method to solve congruential systemsusing the famous Chinese Remainder theorem.

Theorem (Chinese Remainder Theorem – CRT). Let n,m be two coprime integers and a, b twointegers. Then the system {

x = a mod n

x = b mod m

admits a unique solution x mod mn.

Proof. From Bezout, there exist u, v such that un + vm = 1, and $x_0 = bun + avm$ is a particular solution. If $x_1$ is another solution of the system then

$\begin{cases} x_1 - x_0 = 0 \bmod n \\ x_1 - x_0 = 0 \bmod m. \end{cases}$

From Gauss's lemma, we deduce that $x_0 = x_1 \bmod mn$.

⁴In practice however, the computation of ϕ(n) is difficult. For instance, if n is the product of two distinct primes p and q, then the computation of ϕ(n) is as difficult as the factorization of n, which is generally a hard problem.
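As an added illustration (this code is not part of the lecture notes), the following Python 3.9+ puts the material of this section together: the extended Euclid algorithm returning a Bezout relation, the modular inverse computed both from Bezout and from Euler's theorem (the latter needing the factorization of n, passed in as a dictionary {p: e}), and the CRT solution $x_0 = bun + avm$ from the proof above. Function names are my own.

```python
# Added example (not from the lecture notes): extended Euclid, Euler's totient
# from a known factorization, the two ways of inverting modulo n, and the
# CRT solution x0 = b*u*n + a*v*m of the proof above. Function names are mine.
from math import gcd


def extended_euclid(a: int, b: int) -> tuple[int, int, int]:
    """Return (d, u, v) with d = gcd(a, b) and u*a + v*b = d (Bezout relation)."""
    u0, u1 = 1, 0   # Bezout coefficients of a along the remainder sequence
    v0, v1 = 0, 1   # Bezout coefficients of b
    while b != 0:
        q, r = divmod(a, b)
        a, b = b, r
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def inverse_euclid(a: int, n: int) -> int:
    """a^-1 mod n from Bezout: u*a + v*n = 1 gives a^-1 = u mod n."""
    d, u, _ = extended_euclid(a % n, n)
    if d != 1:
        raise ValueError(f"{a} is not invertible modulo {n}")
    return u % n


def totient(factorization: dict[int, int]) -> int:
    """phi(n) for n = prod p^e given as {p: e}: phi(p^e) = p^e - p^(e-1), multiplicative."""
    phi = 1
    for p, e in factorization.items():
        phi *= p ** e - p ** (e - 1)
    return phi


def inverse_euler(a: int, n: int, factorization: dict[int, int]) -> int:
    """a^-1 = a^(phi(n) - 1) mod n (Euler); needs the factorization of n and costs a
    modular exponentiation, i.e. O((log n)^3) instead of extended Euclid."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not invertible modulo {n}")
    return pow(a, totient(factorization) - 1, n)


def crt(a: int, n: int, b: int, m: int) -> int:
    """The unique x mod n*m with x = a mod n and x = b mod m (n, m coprime)."""
    d, u, v = extended_euclid(n, m)        # u*n + v*m = 1
    if d != 1:
        raise ValueError("moduli must be coprime")
    return (b * u * n + a * v * m) % (n * m)   # x0 from the proof, reduced mod nm
```

The CRT function is the two-modulus case of the theorem; applying it repeatedly handles any number of pairwise coprime moduli.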


3 Prime numbers generation and primality testing

3.1 Distribution of prime numbers

To set up public key cryptosystems, prime numbers are necessary. It is a classical result that there are infinitely many prime numbers, but what is the chance that a randomly chosen integer is prime?

Number theory allows us to answer that question positively. The following theorem gives a lot of information about the distribution of prime numbers. Let π(x) = |{p ∈ P : p ≤ x}| be the number of primes smaller than x.

Theorem (Hadamard and de la Vallée Poussin, 1896). For n ≥ 17,

$\frac{n}{\ln n} \le \pi(n) \le 2\,\frac{n}{\ln n}.$

So informally, the probability that a random integer n is prime is about 1/ln n, which is very high. More precisely,

$\pi(n) \underset{n \to \infty}{\sim} \int_2^n \frac{dt}{\ln t}.$

For example, about one number among 21 is prime near n = 1 000 000 000.

But even if there are good chances of getting a prime by choosing an integer randomly, we need an efficient test to certify that this integer is actually prime.

A first naive method to determine whether a given integer n is prime is trial division: attempt to divide n by every prime p ≤ √n; if no such p divides n, then n must be prime.

Property. If n ≥ 0 is a composite integer, then there exists a prime number p such that p ≤ √n and p | n.

As an example, we can prove the primality of n = 10007 by testing that none of the prime numbers smaller than 100 = ⌊√n⌋, namely {2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97} (this list can be obtained with the sieve of Eratosthenes), divides n.

However, the complexity of this trial division algorithm is exponential in the size of n, since it takes about $\sqrt{n}/\ln(\sqrt{n})$ divisions to test whether n is prime. For example, for $n \simeq 10^{300}$ (the typical size of primes used in RSA), more than $2.9 \cdot 10^{147}$ divisions are necessary... Obviously, more efficient methods are needed.

3.2 Pseudo-primality tests: Fermat and Miller-Rabin

Even if they do not always provide a certificate of primality or non-primality, probabilistic tests are very efficient in practice and are thus preferred to slower deterministic tests. We start with:

Theorem (Euler-Fermat). If p is prime and a ∈ Z, then $a^p = a \bmod p$.

Proof. This is a direct application of Lagrange's theorem in the group (Z/pZ)∗ of invertible elements modulo p.


By contraposition, this gives us a way to prove that n is composite when there is some a ∈ Z/nZ such that $a^n \ne a$. For example, a certificate of non-primality of n = 25009997 is given by:

$2^{25009997} = 2384555 \bmod 25009997.$

It may seem counter-intuitive, but this certificate does not give any information on the factorization of n. Actually, factoring an integer is in general much harder than proving its non-primality.

Although an instance of Fermat's test can be performed efficiently with fast exponentiation algorithms, it does not always detect composite numbers. For example, 341 = 11 × 31 is clearly not prime but is not detected when tested with a = 2: $2^{341} = 2 \bmod 341$. Fermat's test is thus an example of a pseudo-primality test:

Definition. A pseudo-primality test is a (non-deterministic) algorithm that, given an integer n, outputs True if n is prime, and outputs either True or False if n is composite.

Hence only a False output gives certainty. If the output is True, then n may or may not be prime, but it is always possible to run the test again. For instance, in the case n = 341, the test with a = 2 failed to provide the right answer, but using a different value such as a = 3 gives a certificate: $3^{341} = 168 \bmod 341$.

But unfortunately for Fermat, it is possible that for certain composite integers (try for example 561), there is no choice of a that will provide a certificate of non-primality.

Definition (Carmichael number). A Carmichael number is a composite integer n such that

$\forall a \in \mathbb{Z},\quad a^n = a \bmod n.$

And even worse, there are infinitely⁵ many Carmichael numbers, so infinitely many composite numbers that cannot be detected by Fermat's primality test. On the bright side, Carmichael numbers are quite rare, and it is very improbable that a random large integer satisfies this property; however, an adversary could try to trick you into believing that an integer is prime by choosing such a number.

It is possible however to devise a criterion that is true if and only if n is a prime.

Theorem. An integer n is prime if and only if ϕ(n) = n − 1.

Proof. The direct implication is clear. The converse can be proved by contraposition, using the fact that $\varphi(p^k) = p^k - p^{k-1} < p^k - 1$ for k ≥ 2 and that $\varphi(ab) \le (a-1)(b-1) < ab - 1$ for coprime a, b > 1.

A simple possible test would then be to compute ϕ(n) and check whether it is equal to n − 1. But computing ϕ(n) is as hard as factoring n in practice (exercise: prove it when n is the product of two prime numbers). So we will use this theorem in a less obvious way:

Lemma. Let p be an odd prime and s, t ∈ N∗ with t odd such that $p = 2^s t + 1$. Let a be an integer not divisible by p. Then exactly one of the following holds:

(P1) $a^t = 1 \bmod p$

(P2) $a^{2^i t} = -1 \bmod p$ for some 0 ≤ i < s

⁵The question of whether there are finitely or infinitely many Carmichael numbers was open for more than 80 years and finally settled in the 1990s by Alford, Granville and Pomerance.


Proof. As p is prime, for any a not divisible by p we have $a^{p-1} - 1 = 0 \bmod p$. The lemma then follows from the fact that Z/pZ has no zero divisors and from the following equality:

$a^{p-1} - 1 = (a^t)^{2^s} - 1 = \big((a^t)^{2^{s-1}} - 1\big)\big((a^t)^{2^{s-1}} + 1\big) = \big((a^t)^{2^{s-2}} - 1\big)\big((a^t)^{2^{s-2}} + 1\big)\big((a^t)^{2^{s-1}} + 1\big) = \cdots = (a^t - 1)(a^t + 1)(a^{2t} + 1)\cdots(a^{2^{s-1}t} + 1) = 0 \bmod p.$

Definition. An integer a is called a compositeness witness for an odd integer n if a ≠ 0 mod n and neither (P1) nor (P2) is satisfied.

This suggests the probabilistic primality test of Miller-Rabin: pick a random a and check whether it is a witness for n. If so, n is composite; otherwise n is probably prime (see below for more precision). The computations can be done efficiently with fast exponentiation algorithms.

Algorithm 5: Miller-Rabin primality test

Input : n an odd integer
Output: True if n might be prime, False if n is definitely not prime

a ∈ {1, . . . , n − 1} random integer
s, t such that n = 2^s t + 1 and t odd
b ← a^t mod n
if b == 1 then
    return True
for i = 0, . . . , s − 1 do
    if b == −1 then
        return True
    b ← b^2 mod n
return False

Example: Consider n = 561. Pick a = 5; as $n - 1 = 560 = 2^4 \times 35$, we compute

• $5^{35} = 23 \ne \pm 1 \bmod 561$

• $5^{35 \cdot 2} = 23^2 = 529 \ne -1 \bmod 561$

• $5^{35 \cdot 2^2} = 529^2 = 463 \ne -1 \bmod 561$

• $5^{35 \cdot 2^3} = 463^2 = 67 \ne -1 \bmod 561$.

Thus n = 561 is composite and 5 is a compositeness witness. Note the contrast with the Fermat test, which would only check that $5^{560} = 67^2 = 1 \bmod 561$ and does not detect that 561 is composite.
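As an added illustration (this code is not part of the lecture notes), the following Python 3.9+ implements the tests of this chapter and runs them on the integers discussed above: the sieve of Eratosthenes and trial division for n = 10007, the Fermat test on 341 (which base 2 misses and base 3 catches), the exhaustive check that 561 is a Carmichael number, and Algorithm 5 with the trace of values 23, 529, 463, 67 for a = 5. Function names are my own.

```python
# Added example (not from the lecture notes): sieve of Eratosthenes, trial
# division, the Fermat test and the Miller-Rabin round of Algorithm 5, run on
# the integers discussed in the text (10007, 341, 561). Function names are mine.
import random
from math import isqrt


def sieve(bound: int) -> list[int]:
    """All primes p <= bound, by the sieve of Eratosthenes."""
    if bound < 2:
        return []
    flags = [True] * (bound + 1)
    flags[0] = flags[1] = False
    for p in range(2, isqrt(bound) + 1):
        if flags[p]:
            for multiple in range(p * p, bound + 1, p):
                flags[multiple] = False
    return [p for p, is_prime in enumerate(flags) if is_prime]


def trial_division_is_prime(n: int) -> bool:
    """Deterministic, but needs about sqrt(n)/ln(sqrt(n)) divisions: exponential in log n."""
    if n < 2:
        return False
    return all(n % p != 0 for p in sieve(isqrt(n)))


def fermat_probably_prime(n: int, a: int) -> bool:
    """Fermat test with base a: True means 'n might be prime', False certifies n composite."""
    return pow(a, n, n) == a % n


def is_carmichael(n: int) -> bool:
    """Composite n with a^n = a mod n for every a (exhaustive check; small n only)."""
    return not trial_division_is_prime(n) and all(fermat_probably_prime(n, a) for a in range(n))


def decompose(n: int) -> tuple[int, int]:
    """Write n - 1 = 2^s * t with t odd (n odd, n >= 3)."""
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    return s, t


def miller_rabin_trace(n: int, a: int) -> list[int]:
    """The values a^t, a^(2t), ..., a^(2^(s-1) t) mod n that Algorithm 5 inspects."""
    s, t = decompose(n)
    b = pow(a, t, n)
    trace = [b]
    for _ in range(s - 1):
        b = b * b % n
        trace.append(b)
    return trace


def miller_rabin_round(n: int, a: int) -> bool:
    """Algorithm 5 for one base a: True if n might be prime, False if a is a witness."""
    s, t = decompose(n)
    b = pow(a, t, n)
    if b == 1:                  # property (P1)
        return True
    for _ in range(s):          # property (P2) for i = 0, ..., s - 1
        if b == n - 1:          # b == -1 mod n
            return True
        b = b * b % n
    return False


def miller_rabin(n: int, rounds: int = 40) -> bool:
    """Repeat Algorithm 5 with random bases: a composite n survives with probability <= 4^-rounds."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    return all(miller_rabin_round(n, random.randrange(1, n)) for _ in range(rounds))
```

`is_carmichael` only makes sense for small n, since it loops over every base; for cryptographic sizes the point of the chapter is precisely that one cannot do this, which is why Miller-Rabin's witness bound of 3/4 matters.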

The natural question is then: does a composite integer n have many witnesses (or any at all)? Fortunately, we have the following (admitted) theorem.

Theorem. Let n be an odd composite integer. Then the probability that a random integer a ∈ {1, . . . , n − 1} is a witness for n is at least 3/4.

There are thus at most (n − 1)/4 numbers among {1, . . . , n − 1} that are coprime with n without being compositeness witnesses of n. In other words, if n is composite and we pick k random integers in {1, . . . , n − 1}, then the probability that we do not find a witness for n is very small (≤ $1/4^k$). On the other hand, if n is prime, we will not find a witness and thus will not prove anything about the primality of n (unless more than a quarter of the possible witnesses are tested, which is impractical).

In fact, the Miller-Rabin test is very effective for random integers n:

Theorem (Damgård-Landrock-Pomerance). Let n be a random odd integer in $[2^k, 2^{k+1}]$. Let a be a random integer in {1, . . . , n − 1}. If a is not a witness for n, then

$\Pr(n \text{ is prime}) \ge 1 - k^2 \cdot 4^{2 - \sqrt{k}}.$

This means that if n is a large random integer that passes a single Miller-Rabin test, then the probability that n is prime is excellent. For example, for k = 1024, this probability is greater than $1 - 2^{-40}$. Repeating the test achieves a probability astronomically close to 1.

Note that there are also deterministic primality tests (AKS in 2003 is the first one) but even though they have polynomial complexity, they are less efficient than Miller-Rabin in practice.

4 The discrete logarithm problem in asymmetric cryptography

The modular exponential function $x \mapsto g^x \bmod p$, with p prime, is a one-way function. It can be computed efficiently (in polynomial time with a fast exponentiation algorithm) but its inverse function cannot: this relies on the difficulty of the discrete logarithm problem. We give the definition in the most general setting⁶.

Definition (DLP). Let G be a group written in multiplicative notation. The discrete logarithm problem (DLP) is:

Given g, h in G, find x (if it exists) such that $h = g^x$.

This problem allows us to devise asymmetric cryptographic protocols.

4.1 A first example: the Diffie-Hellman key exchange

The Diffie-Hellman key exchange protocol is historically the first cryptographic scheme that does not require a previously shared secret key. Nowadays it is widely used, for example in TLS to secure all communications between servers and web browsers (e.g. for connecting to your bank account).

We give first a short description:

1. Alice and Bob agree publicly on a finite group G and an element g ∈ G such that the DLP is hard in 〈g〉.

2. They each choose a random integer, a for Alice and b for Bob, that they keep secret.

3. They exchange $g^a$ and $g^b$ on the channel, then compute respectively $K_{ab} = (g^b)^a$ for Alice and $K_{ab} = (g^a)^b$ for Bob.

⁶For these lectures, we consider only the case where the DLP is defined over the multiplicative group of a prime field $\mathbb{F}_p$. There are more efficient algebraic groups to consider for cryptography, however.


Alice [secret = a]                              Bob [secret = b]
        ──── g^a ──────────────────────────▶
        ◀─── g^b ───────────────────────────
K_ab = (g^b)^a                                  K_ab = (g^a)^b

At the end of the protocol, both Alice and Bob share the common secret $K_{ab}$, which is a random element of 〈g〉. They can derive an ephemeral secret key from $K_{ab}$ that is then used for establishing a symmetric cryptographic protocol.

If Eve observes the transaction between Alice and Bob, she cannot deduce the shared secret if the Computational Diffie-Hellman problem (CDHP for short) is hard: given a group G and $g, g^a, g^b \in G$, compute $g^{ab}$.

But what is the relation between the DLP and the CDHP? Clearly, if Eve knows how to solve the DLP, she is able to recover a and b and thus can solve the CDHP. The converse reduction is not clear but is commonly accepted to be true.

So the Diffie-Hellman key exchange is secure against a passive eavesdropper. But in practice, an attacker that is capable of eavesdropping on traffic may also be able to interfere between Alice and Bob by injecting its own messages. In particular, as there is no authentication of Alice or Bob, an active attacker can perform a man-in-the-middle attack:

Alice [secret = a]            Eve [secret = e]            Bob [secret = b]
        ──── g^a ────▶                  ──── g^e ────▶
        ◀─── g^e ─────                  ◀─── g^b ─────
K_ae = (g^e)^a                 K_ae, K_eb                 K_eb = (g^e)^b

Note that it is possible to design protocols secure against active attackers (by using an authenticated key exchange), but this requires the existence of a trusted third party. These notions are not in the scope of these introductory lectures.
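As an added illustration (this code is not part of the lecture notes), the following Python 3.9+ plays out the two diagrams above: the honest exchange, returning the two messages on the wire and the key each side derives, and the man-in-the-middle run, which shows why the exchange must be authenticated: Alice and Bob end up with two different keys, both of which Eve can compute. The parameters p = 23, g = 5 are constructed toy values; real deployments use primes of at least 2048 bits. Function names are my own.

```python
# Added example (not from the lecture notes): the Diffie-Hellman exchange of
# Section 4.1 and the unauthenticated man-in-the-middle run of the second
# diagram. p = 23, g = 5 are constructed toy parameters; names are mine.

P, G = 23, 5   # toy group (Z/23Z)*; 5 generates it (constructed example)


def dh_exchange(p: int, g: int, a: int, b: int) -> tuple[int, int, int, int]:
    """Return (g^a, g^b, K_Alice, K_Bob): the two messages sent on the channel
    and the key each party derives; the two keys agree."""
    ga = pow(g, a, p)            # Alice -> Bob
    gb = pow(g, b, p)            # Bob -> Alice
    k_alice = pow(gb, a, p)      # (g^b)^a
    k_bob = pow(ga, b, p)        # (g^a)^b
    return ga, gb, k_alice, k_bob


def dh_mitm(p: int, g: int, a: int, b: int, e: int) -> dict[str, int]:
    """Eve replaces both public values by g^e. Alice derives K_ae, Bob derives
    K_eb, and Eve knows both, so she can relay (and read) everything. Neither
    honest party can tell, because nothing in the exchange is authenticated."""
    ga, gb = pow(g, a, p), pow(g, b, p)
    ge = pow(g, e, p)
    return {
        "K_ae_alice": pow(ge, a, p),   # what Alice believes she shares with Bob
        "K_ae_eve": pow(ga, e, p),     # Eve's copy of Alice's key
        "K_eb_bob": pow(ge, b, p),     # what Bob believes he shares with Alice
        "K_eb_eve": pow(gb, e, p),     # Eve's copy of Bob's key
    }


def mitm_detected_by_key_mismatch(result: dict[str, int]) -> bool:
    """If Alice and Bob could compare their keys over an authenticated side
    channel they would notice the attack: the two keys differ."""
    return result["K_ae_alice"] != result["K_eb_bob"]
```

With a = 6, b = 15 the honest run gives $g^a = 8$, $g^b = 19$ and the common key 2; the intercepted run with e = 3 leaves Alice with 6 and Bob with 5, and Eve holds both.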

4.2 ElGamal encryption

The modular exponential function also allows one to define a public key cipher, called ElGamal encryption (1985). This cryptosystem is widely implemented in free software (e.g. in GPG), since its main competitor RSA was until recently patented.

Description of the protocol:

1. Key generation: Alice chooses G = 〈g〉 where the DLP is hard. She generates a random integer a and computes $K_a = g^a$: her public key is $(G, g, K_a)$, her private key is a.


2. Encryption: to encrypt m ∈ G, Bob generates a temporary key $K_t = g^t$ where t is a random integer and computes $c = m\,(K_a)^t$; the ciphertext is $(K_t, c)$.

3. Decryption: to decrypt $(K_t, c)$, Alice computes $(K_t)^{-a}\,c$ and recovers the deciphered message m.

The main idea is that the message m is masked (as in the one-time pad) by $(K_a)^t = (K_t)^a = g^{at}$. In particular, the cipher is non-deterministic but malleable (exercise!). Note that the problem of malleability can be circumvented using padding (see e.g. PKCS or OAEP), but this is outside the scope of these lectures.
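As an added illustration (this code is not part of the lecture notes), the following Python 3.9+ implements the three steps above in (Z/pZ)∗ and works the malleability exercise: multiplying the second component of a ciphertext by a factor, without knowing a or m, yields a ciphertext that decrypts to factor · m. The parameters p = 23, g = 5 are constructed toy values; a and t can be injected so that a run is reproducible, otherwise they are drawn with `secrets`. Function names are my own.

```python
# Added example (not from the lecture notes): textbook ElGamal in (Z/pZ)* as in
# Section 4.2, plus the malleability left as an exercise in the text.
# p = 23, g = 5 are constructed toy parameters; names are mine.
import secrets

P, G = 23, 5   # toy group; 5 generates (Z/23Z)* (constructed example)


def elgamal_keygen(p: int, g: int, a=None):
    """Alice: private key a, public key (p, g, K_a = g^a)."""
    if a is None:
        a = secrets.randbelow(p - 2) + 1
    return (p, g, pow(g, a, p)), a


def elgamal_encrypt(pub, m: int, t=None) -> tuple[int, int]:
    """Bob: temporary key K_t = g^t, ciphertext (K_t, m * K_a^t)."""
    p, g, ka = pub
    if t is None:
        t = secrets.randbelow(p - 2) + 1
    return pow(g, t, p), m * pow(ka, t, p) % p


def elgamal_decrypt(p: int, a: int, ciphertext: tuple[int, int]) -> int:
    """Alice: m = (K_t)^-a * c. The inverse of the mask K_t^a is computed with
    Fermat, x^-1 = x^(p-2) mod p."""
    kt, c = ciphertext
    mask_inverse = pow(pow(kt, a, p), p - 2, p)
    return mask_inverse * c % p


def malleate(pub, ciphertext: tuple[int, int], factor: int) -> tuple[int, int]:
    """Anyone can turn an encryption of m into an encryption of factor * m
    without the private key: the mask g^(at) is untouched, only c changes."""
    p = pub[0]
    kt, c = ciphertext
    return kt, c * factor % p
```

With a = 6 the public key is $K_a = 8$; encrypting m = 7 with t = 15 gives $(K_t, c) = (19, 14)$, which decrypts back to 7, while the malleated ciphertext (19, 19) decrypts to 21 = 3 · 7. This is the property that padding schemes are meant to remove.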

4.3 Generation of parameters

The security of the previous protocols relies essentially on the DLP. More precisely, the DLP must be hard to solve in the subgroup generated by the element g chosen in G. To the best of our knowledge in 2020, there is no efficient algorithm to solve the DLP in the multiplicative group (Z/pZ)∗ if p − 1 has a sufficiently large⁷ prime factor and small cofactors.

In the lab session, we have seen how to generate large primes, so it should not be difficult to find such a prime p. The next step is to find a suitable element g.

Proposition. Let p be a prime number. Then the multiplicative group (Z/pZ)∗ is cyclic.

Proof. The proof relies on the fact that Z/pZ is a field, and thus a polynomial P in (Z/pZ)[X] has at most deg(P) roots. In particular, for any n ∈ N∗ the polynomial $X^n - 1$ has at most n roots, meaning that there are at most n elements in (Z/pZ)∗ whose order divides n (i.e. satisfying $x^n = 1 \bmod p$). By Lagrange's theorem, the order of every element in (Z/pZ)∗ is a divisor of p − 1, so this gives a partition

$(\mathbb{Z}/p\mathbb{Z})^* = \bigcup_{d \mid p-1} \{x \in (\mathbb{Z}/p\mathbb{Z})^* \mid \operatorname{ord}(x) = d\}.$

Let N(d) be the cardinality of $\{x \in (\mathbb{Z}/p\mathbb{Z})^* \mid \operatorname{ord}(x) = d\}$; the above partition gives $p - 1 = \sum_{d \mid p-1} N(d)$.

Let d be a divisor of p − 1. If N(d) ≠ 0, then there exists an element x ∈ (Z/pZ)∗ of order d. So the subgroup 〈x〉 has exactly d elements, whose orders must divide d; this implies that 〈x〉 = {roots of $X^d - 1$}. In particular, any other element of order d also belongs to 〈x〉. Since the cyclic group 〈x〉 has exactly ϕ(d) generators, this means that N(d) = ϕ(d).

Thus for any divisor d of p − 1, either N(d) = 0 or N(d) = ϕ(d). But we have $p - 1 = \sum_{d \mid p-1} N(d)$ and also $p - 1 = \sum_{d \mid p-1} \varphi(d)$. This yields N(d) = ϕ(d) for any d | p − 1; in particular N(p − 1) = ϕ(p − 1) ≠ 0, which means that there exist elements of order p − 1 in (Z/pZ)∗, which is thus cyclic.

In order to instantiate DLP-based protocols we need to find a generator g of (Z/pZ)∗, i.e. a primitive root modulo p. Many elements of Z/pZ are primitive roots: indeed, there are exactly ϕ(p − 1) such generators. Now ϕ(n) can be much smaller than n when n has many small factors (recall that $\varphi(n) = n \prod_{p \in \mathbb{P},\, p \mid n}(1 - 1/p)$); however, the ratio ϕ(n)/n is always lower-bounded by 1/(3 ln ln n) if n has a cryptographic size. Thus a standard way to find a generator is to pick a random element and test whether its order is actually p − 1; a correct element will be found after an expected number of at most 3 ln ln n trials. If the factorization of p − 1 is known, it becomes easy to test whether an element is of order p − 1 with the following lemma:

⁷The biggest factor of p − 1 should have at least 1024 bits; see the NFS algorithm for more details.

Lemma. Let g be an element of (Z/pZ)∗; then g is of order d if (and only if)

$g^d = 1 \quad\text{and}\quad g^{d/q} \ne 1 \ \text{for any prime divisor } q \text{ of } d.$

Proof. If g is not of order d (but $g^d = 1$), then its order is a strict divisor of d. In particular, for any prime divisor q of d/ord(g), ord(g) is a divisor of d/q and $g^{d/q} = 1$.

But if p is a 2000-bit prime, computing the factorization of p − 1 can become cumbersome. Another possibility is then to generate a prime p such that (p − 1)/2 is also prime. These prime numbers are called Sophie Germain primes. Thus to find a primitive root g modulo such a prime p, it is sufficient to test that $g^2 \ne 1$ and $g^{(p-1)/2} \ne 1$. Note however that it can take a while to generate a Sophie Germain prime of cryptographic size.
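As an added illustration (this code is not part of the lecture notes), the following Python 3.9+ implements the lemma as an order test and the two ways of finding a primitive root: random search using the prime factors of p − 1, and the two-exponentiation shortcut when (p − 1)/2 is prime. With p = 23 (a constructed toy modulus, p − 1 = 2 · 11) there are exactly ϕ(22) = 10 primitive roots; 5 is one of them and 2 is not, since 2 has order 11. Function names are my own.

```python
# Added example (not from the lecture notes): order testing with the lemma
# above, random search for a primitive root from the factorization of p - 1,
# and the shortcut for p = 2q + 1 with q prime. p = 23 is a constructed toy
# modulus; function names are mine.
import random


def prime_factors(n: int) -> set[int]:
    """Distinct prime factors of n by trial division (fine for small n)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def has_order(g: int, p: int, d: int, d_factors: set[int]) -> bool:
    """Lemma: g has order d iff g^d = 1 and g^(d/q) != 1 for every prime q | d."""
    return pow(g, d, p) == 1 and all(pow(g, d // q, p) != 1 for q in d_factors)


def is_primitive_root(g: int, p: int, factors_of_p_minus_1: set[int]) -> bool:
    """g generates (Z/pZ)* iff its order is p - 1."""
    return g % p != 0 and has_order(g, p, p - 1, factors_of_p_minus_1)


def find_primitive_root(p: int, seed=None) -> int:
    """Random search; for cryptographic p the expected number of trials is at most 3 ln ln p."""
    rng = random.Random(seed)
    factors = prime_factors(p - 1)
    while True:
        g = rng.randrange(2, p)
        if is_primitive_root(g, p, factors):
            return g


def safe_prime_primitive_root(g: int, p: int) -> bool:
    """For p = 2q + 1 with q prime, the only proper divisors of p - 1 are 1, 2 and q,
    so g is a primitive root iff g^2 != 1 and g^q != 1 (the test in the text)."""
    q = (p - 1) // 2
    return g % p != 0 and pow(g, 2, p) != 1 and pow(g, q, p) != 1
```

For a real 2000-bit prime `prime_factors` is of course unusable, which is exactly the situation where the safe-prime shortcut pays off.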

4.4 Schnorr identification scheme

A major application of public key cryptography is to provide authentication. An example of this in the real world is digital signatures for authenticating automatic software updates. The public key of the software developer is stored in the application or operating system, and the software update is only performed if the digital signature on the update is verified for that public key.

The Schnorr signature is the first (and easiest to understand) example of a digital signature based on the DLP. The goal is the following: given a group G, an element g of prime order r and a public key $h = g^a$, find a way to generate a signature of a message m using the private key a. Obviously it should be hard to compute the signature of m without knowing a.

To explain the Schnorr signature scheme, we first present an identification scheme. Alice and Bob are on the Internet and Alice (the Prover) wants to convince Bob (the Verifier) that he is actually talking to her and not to Charlie (thus preventing a "man-in-the-middle" attack). For that, Alice will try to prove to Bob that she knows the private key a corresponding to her public key $h = g^a$.

They proceed in three communication stages:

1. First Alice sends a commitment $c = g^k$ to Bob, where 0 ≤ k < r is chosen uniformly at random.

2. Secondly Bob sends a challenge $1 \le s_1 < r$;

3. Finally Alice sends a response $s_2 = k + a s_1 \bmod r$ to Bob. Then Bob either accepts or rejects the proof by checking whether $g^{s_2} = c \cdot h^{s_1}$ or not.

This protocol is zero-knowledge, meaning that it does not leak any information about the secret a. Indeed, it is easy to see that anyone can produce a triple $(c, s_1, s_2)$ without knowing the private key a (simply choose $s_1$ and $s_2$ and then solve for c). In particular, an eavesdropper is not able to get information on a.

But what if Bob is not honest and wants to recover Alice's secret? Can he choose $s_1$ carefully to get information on a? The answer is no: if Bob were able to get information on a, then he could recover information on k, which means that he could at least partially break the DLP on the instance (g, c).


Note that this also means that k must be chosen randomly so that (g, c) is indeed a hard instance of the DLP (otherwise it becomes possible to recover information about the private key a).

Finally, it is not possible for a third person Charlie to pretend to be Alice. As an initial approach, we may assume that Charlie commits an element $c = g^k$ for which he knows the discrete log k in base g. But if Charlie manages to successfully answer Bob's challenge $s_1$, then he knows k, $s_1$ and $s_2 = k + a s_1$, meaning that he knows the (supposedly hard) discrete log a of h.

However, Charlie could proceed otherwise: he could commit h, or $h^k$ for a k of his choice, or something else. For instance, if Charlie were able to learn Bob's challenge $s_1$ before committing (maybe because Bob's random generator is broken), he could commit $c = g^l h^{-s_1}$ for an integer l of his choice, then answer $s_2 = l$ to Bob's challenge. However, we can show that once Charlie has committed c, he is not able to answer correctly more than one of the r possible challenges of Bob. Indeed, if Charlie were able to answer two different challenges $s_1$ and $s_1'$, then he would know $s_2$ and $s_2'$ such that

$\begin{cases} s_2 = k + a s_1 \\ s_2' = k + a s_1' \end{cases}$

In particular, he is able to recover a and solve the DLP! Thus if Bob's challenge is truly uniformly random among the r possible values, the probability that Charlie successfully impersonates Alice is 1/r, which is negligible for r of cryptographic size.

4.5 Signature schemes (and hash functions)

Hash functions are an important tool in cryptography, especially for digital signature cryptosystems. We briefly give the main properties of such functions, without too much detail.

Definition. A hash function is a map H from the set {0; 1}∗ of bitstrings of arbitrary finite length to the set {0; 1}^l of bitstrings of fixed length l, with the following security properties:

1. Preimage-resistance: given y ∈ {0; 1}^l, it should be computationally infeasible to find a bitstring x such that H(x) = y.

2. Second-preimage-resistance: given x ∈ {0; 1}∗ and y = H(x), it should be computationally infeasible to find a bitstring x′ ≠ x such that H(x′) = y.

3. Collision-resistance: it should be computationally infeasible to find two distinct bitstrings x ≠ x′ such that H(x) = H(x′).

The main idea is to reproduce with hash functions the notion of fingerprint. In the context of digital signatures, instead of authenticating a full message/file m of arbitrary size, only its digest H(m) is considered. Obviously, if H is not second-preimage-resistant, an eavesdropper could reuse the same signature to falsely authenticate another message m′ such that H(m) = H(m′).

The Schnorr signature scheme can be obtained by transforming the interactive identification scheme into a non-interactive one, using the Fiat-Shamir transform. The basic idea is to replace the challenge $s_1$ by an unpredictable integer that depends on c. More precisely, if H is a cryptographic hash function from {0; 1}∗ to {0; 1}^l (for some parameter l), given a message m we set $s_1 = H(m \,\|\, c)$, where || denotes the concatenation of binary strings.

Description of the Schnorr signature scheme:

1. Key generation: Alice chooses G = 〈g〉 of order r where the DLP is hard. She generates a random integer a and computes $h = g^a$: her public key is (G, g, h, r), her private key is a.

2. Signature: to sign a message m, Alice chooses uniformly at random 0 ≤ k < r, computes $c = g^k$, $s_1 = H(m \,\|\, c) \bmod r$ and $s_2 = k + a s_1 \bmod r$. The signature of m is $(s_1, s_2)$.

3. Verify: Bob tests whether $s_1 = H(m \,\|\, g^{s_2} h^{-s_1})$.

Check that this scheme is correct, i.e. the Verify algorithm does succeed when given a pair $(s_1, s_2)$ produced by the signature algorithm.
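As an added illustration (this code is not part of the lecture notes), the following Python 3.9+ implements both the identification protocol of Section 4.4 and its Fiat-Shamir signature from Section 4.5, together with the two side results of the text: a simulated accepting transcript built without a (zero-knowledge), and the recovery of a from two responses to the same commitment (the soundness argument, and the reason k must be fresh and random). The group is the subgroup of order r = 509 of (Z/1019Z)∗ generated by g = 4 (1019 = 2 · 509 + 1; constructed toy parameters), H is SHA-256 of m || c with c written in decimal, and H is reduced mod r on both the signing and the verifying side, which is an assumption of this example that makes the correctness check go through. Function names are my own.

```python
# Added example (not from the lecture notes): Schnorr identification and the
# Fiat-Shamir signature of Sections 4.4-4.5. Group: order-509 subgroup of
# (Z/1019Z)* generated by 4 (constructed toy parameters). H = SHA-256(m||c)
# reduced mod r on both sides (assumption). Function names are mine.
import hashlib
import secrets

P, R, G = 1019, 509, 4   # 1019 = 2*509 + 1 is prime, 4 = 2^2 has order 509


def hash_challenge(m: bytes, c: int, r: int = R) -> int:
    """s1 = H(m || c) mod r; c is encoded as decimal text (constructed encoding)."""
    digest = hashlib.sha256(m + b"||" + str(c).encode()).digest()
    return int.from_bytes(digest, "big") % r


# --- interactive identification (Alice proves knowledge of a with h = g^a) ---
def commit(k: int) -> int:
    """Stage 1: Alice sends c = g^k for a fresh uniformly random k."""
    return pow(G, k, P)


def respond(k: int, a: int, s1: int) -> int:
    """Stage 3: Alice answers Bob's challenge s1 with s2 = k + a*s1 mod r."""
    return (k + a * s1) % R


def verify_identification(h: int, c: int, s1: int, s2: int) -> bool:
    """Bob accepts iff g^s2 = c * h^s1."""
    return pow(G, s2, P) == c * pow(h, s1, P) % P


def simulate_transcript(h: int, s1: int, s2: int) -> int:
    """Zero-knowledge: pick s1, s2 first and solve for c = g^s2 * h^-s1; the
    resulting (c, s1, s2) is accepted although no one used a."""
    return pow(G, s2, P) * pow(h, (-s1) % R, P) % P


# --- Fiat-Shamir: the challenge becomes H(m || c) ---
def sign(m: bytes, a: int, k=None) -> tuple[int, int]:
    if k is None:
        k = secrets.randbelow(R)
    c = commit(k)
    s1 = hash_challenge(m, c)
    return s1, respond(k, a, s1)


def verify_signature(m: bytes, h: int, sig: tuple[int, int]) -> bool:
    s1, s2 = sig
    c = pow(G, s2, P) * pow(h, (-s1) % R, P) % P   # equals g^k for a genuine signature
    return s1 == hash_challenge(m, c)


def recover_secret(s1: int, s2: int, s1_other: int, s2_other: int) -> int:
    """Soundness argument: two responses to the same commitment (same k) give
    a = (s2 - s2') * (s1 - s1')^-1 mod r. This is also what goes wrong if a
    signer ever reuses k for two different messages."""
    return (s2 - s2_other) * pow((s1 - s1_other) % R, -1, R) % R
```

`recover_secret` is the check a reviewer would want against any signing code: two signatures produced with the same k must never exist, otherwise the private key is a modular division away.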

4.6 DLP solving algorithms

This section aims at presenting some classical generic algorithms for the DLP, not specific to the case where G is the multiplicative group of a finite field.

Exhaustive search

The simplest algorithm for the DLP is to sequentially compute $g^a$ for 0 ≤ a < r and test each value for equality with h. If a is uniformly distributed, this requires an expected number of ≈ r/2 group operations and comparisons, hence a mean (and worst-case) complexity in O(r) operations.

Pohlig-Hellman

Let $r = \prod_{i=1}^{n} p_i^{\alpha_i}$ be the prime decomposition of r = card(G). If the discrete logarithm of h is known modulo each of the $p_i^{\alpha_i}$, then the whole logarithm of h modulo r can be recovered with the Chinese Remainder Theorem. A further simplification can then be made to obtain the DL modulo $p_i^{\alpha_i}$: we compute iteratively the base-$p_i$ expansion of the DL by solving $\alpha_i$ DLPs in subgroups of order $p_i$.

More precisely, we first consider the case of a cyclic group G = 〈g〉 of order a prime power $p^\alpha$; the elements $y_1 = g^{p^{\alpha-1}},\ y_2 = g^{p^{\alpha-2}},\ \ldots,\ y_\alpha = g$ have order $p, p^2, \ldots, p^\alpha$ respectively. For a given h ∈ G, its DL in base g can be written as $z = z_0 + z_1 p + \cdots + z_{\alpha-1} p^{\alpha-1}$. Then z can be iteratively recovered by computing α DLs in the order-p subgroup $\langle y_1 \rangle$. Indeed we have

$h^{p^{\alpha-k}} = y_k^{\,z_0 + z_1 p + \cdots + z_{k-1} p^{k-1}}$

and if $z_0, \ldots, z_{k-2}$ have already been computed then

$h^{p^{\alpha-k}}\,\big(y_k^{-1}\big)^{\sum_{j=0}^{k-2} z_j p^j} = y_1^{\,z_{k-1}}.$

Then $z_{k-1}$ can be obtained by a DL computation in the subgroup generated by $y_1 = g^{p^{\alpha-1}}$.

For the general case of a cyclic group G = 〈g〉 of order $r = \prod_{i=1}^{n} p_i^{\alpha_i}$, we can then reduce the problem of computing the DL a of h in base g to the problem of computing the DL $a_i = a \bmod p_i^{\alpha_i}$ of $h_i = h^{r/p_i^{\alpha_i}}$ in base $g_i = g^{r/p_i^{\alpha_i}}$ for each i = 1, . . . , n. Indeed, the subgroup $\langle g_i \rangle$ is cyclic of order $p_i^{\alpha_i}$, so the above method can be used.

If $c(p_i)$ is the cost of solving the DLP in a group of cardinality $p_i$ (with one of the generic algorithms presented in this section), the Pohlig-Hellman reduction solves the DLP in G of order $r = \prod_{i=1}^{n} p_i^{\alpha_i}$ with a cost in $\sum_{i=1}^{n} \alpha_i\, c(p_i)$. In particular, this reduction becomes very efficient when each of the factors $p_i$ is small. Therefore, we usually consider in practice that the DLP in G is as hard as the DLP in its largest subgroup of prime order.
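As an added illustration (this code is not part of the lecture notes), the following Python 3.9+ implements exhaustive search as the base-case solver and the Pohlig-Hellman reduction exactly as derived above: the digits $z_0, \ldots, z_{\alpha-1}$ are recovered one by one in the order-p subgroup, and the residues modulo each $p_i^{\alpha_i}$ are recombined by the CRT. The group is (Z/1009Z)∗, whose order 1008 = 2⁴ · 3² · 7 is smooth, so the reduction turns a DLP of size 1008 into a handful of DLPs of size at most 7 (constructed toy parameters). Function names are my own.

```python
# Added example (not from the lecture notes): exhaustive search in a small
# prime-order subgroup and the Pohlig-Hellman reduction of Section 4.6, with
# CRT recombination. Group (Z/1009Z)*, order 1008 = 2^4 * 3^2 * 7 (constructed
# toy parameters). Function names are mine.
from math import prod


def exhaustive_dlog(g: int, h: int, p: int, r: int) -> int:
    """Smallest 0 <= a < r with g^a = h mod p, g of order r: about r/2 operations."""
    cur = 1
    for a in range(r):
        if cur == h:
            return a
        cur = cur * g % p
    raise ValueError("h is not in the subgroup generated by g")


def dlog_prime_power(g: int, h: int, p: int, q: int, alpha: int) -> int:
    """DL of h in base g when g has order q^alpha: recover the base-q digits
    z_0, ..., z_{alpha-1} one at a time inside the order-q subgroup <y_1>."""
    order = q ** alpha
    y1 = pow(g, q ** (alpha - 1), p)            # y_1 = g^(q^(alpha-1)), of order q
    z = 0
    for k in range(1, alpha + 1):
        # (h * g^-z)^(q^(alpha-k)) = y_1^(z_{k-1}) once z_0, ..., z_{k-2} are known
        stripped = h * pow(g, (-z) % order, p) % p
        target = pow(stripped, q ** (alpha - k), p)
        z += exhaustive_dlog(y1, target, p, q) * q ** (k - 1)
    return z


def crt_combine(residues: list[int], moduli: list[int]) -> int:
    """x with x = residues[i] mod moduli[i], moduli pairwise coprime (incremental CRT)."""
    x, m = 0, 1
    for a, n in zip(residues, moduli):
        x += m * ((a - x) * pow(m, -1, n) % n)
        m *= n
    return x % m


def pohlig_hellman(g: int, h: int, p: int, factorization: dict[int, int]) -> int:
    """DL of h in base g, g of order r = prod q^e; cost sum e * c(q) small DLPs."""
    r = prod(q ** e for q, e in factorization.items())
    residues, moduli = [], []
    for q, e in factorization.items():
        m = q ** e
        gi, hi = pow(g, r // m, p), pow(h, r // m, p)   # project into the q^e part
        residues.append(dlog_prime_power(gi, hi, p, q, e))
        moduli.append(m)
    return crt_combine(residues, moduli)


def find_generator(p: int, factorization: dict[int, int]) -> int:
    """Smallest generator of (Z/pZ)*, tested with the prime factors of p - 1."""
    return next(g for g in range(2, p)
                if all(pow(g, (p - 1) // q, p) != 1 for q in factorization))
```

The reduction is why a prime p for DLP-based protocols is chosen with a large prime factor in p − 1: if p − 1 were as smooth as 1008, this code would solve the DLP in (Z/pZ)∗ with a few tiny exhaustive searches, whatever the size of p.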

Baby-step-Giant-Step (BSGS)


The basic idea is to make a time/memory trade-off to speed up exhaustive search.

Let $m = \lceil \sqrt{r}\, \rceil$; we write a in base m, namely there exist two integers $a_0, a_1$ such that $a = a_0 + m a_1$ with $0 \le a_0, a_1 < m$. It follows from $h = g^a$ that

$g^{a_0} = h\,(g^{-m})^{a_1}.$

We deduce an algorithm in two stages:

1. Store the list $L = \{(g^j, j) : 0 \le j \le m\}$;

2. For 0 ≤ k ≤ m, compute $h\,(g^{-m})^k$ and check whether it appears in L; when it does, there is a collision $h\,(g^{-m})^k = g^j$ and the DL of h is j + mk.

The membership test can be done either by sorting the list L in time O(√r log r) and then doing a binary search in O(log r), or even faster, in constant time O(1), by using a hash table.

Thus BSGS is a deterministic algorithm with complexity in O(√r) in memory and in time.
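As an added illustration (this code is not part of the lecture notes), the following Python 3.9+ implements baby-step giant-step with the baby steps stored in a dictionary, so that the membership test of stage 2 is a hash lookup. It is run in the order-509 subgroup of (Z/1019Z)∗ generated by g = 4 (constructed toy parameters), where m = ⌈√509⌉ = 23 baby steps and at most 23 giant steps replace up to 509 multiplications. Function names are my own.

```python
# Added example (not from the lecture notes): baby-step giant-step as in the
# two stages above, with a hash table for the membership test. Group: the
# order-509 subgroup of (Z/1019Z)* generated by 4 (constructed toy parameters).
from math import isqrt


def bsgs(g: int, h: int, p: int, r: int) -> int:
    """Return a in [0, r) with g^a = h mod p (g of order r), in O(sqrt(r)) time and memory."""
    m = isqrt(r - 1) + 1             # m = ceil(sqrt(r)): a = a0 + m*a1 with 0 <= a0, a1 < m
    baby = {}                        # stage 1: g^j -> j for 0 <= j < m
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)      # keep the smallest j if g^j repeats (cannot happen for j < r)
        cur = cur * g % p
    giant = pow(g, (-m) % r, p)      # g^-m, using that g has order r
    gamma = h                        # stage 2: h * (g^-m)^k for k = 0, 1, ...
    for k in range(m):
        if gamma in baby:
            return (baby[gamma] + m * k) % r   # collision h*(g^-m)^k = g^j, so a = j + m*k
        gamma = gamma * giant % p
    raise ValueError("h is not in the subgroup generated by g")


def bsgs_cost(r: int) -> tuple[int, int]:
    """(table entries, maximum giant steps): both are ceil(sqrt(r)), versus r for exhaustive search."""
    m = isqrt(r - 1) + 1
    return m, m
```

For r of cryptographic size (say 2²⁵⁶) the table would need 2¹²⁸ entries, which is why the memory cost of BSGS is the motivation for the Pollard rho method that follows.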

Pollard Rho

It is possible to devise a probabilistic algorithm with time complexity still in O(√r) but with constant memory complexity. The main idea of the Pollard rho algorithm (1978) is to use random walks on the set of elements of G and hope for a collision after O(√r) steps, using the so-called birthday paradox:

Theorem (Birthday paradox). Let S be a set of N elements. If elements are sampled uniformly at random from S, then the expected number of samples to be taken before having a collision (that is, some element is sampled twice) is less than $\sqrt{\pi N/2} + 2$.

Proof.⁸ Let X be the random variable giving the number of samples to be taken before having a collision. We want to give an upper bound on the expected value E(X).

We remark first that the probability that a selected element is distinct from the i − 1 distinct elements already selected is 1 − (i − 1)/N, so

$\Pr[X > k] = \prod_{i=1}^{k-1}\Big(1 - \frac{i}{N}\Big) \le \prod_{i=1}^{k-1} e^{-i/N} = e^{-\frac{k(k-1)}{2N}} \le e^{-\frac{(k-1)^2}{2N}}.$

In particular, as Pr[X > k] = 0 for k > N, we have the following equalities

$E(X) = \sum_{k \ge 1} k\,\Pr[X = k] = \sum_{k \ge 1} k\,\big(\Pr[X > k-1] - \Pr[X > k]\big) = \sum_{k \ge 0} \Pr[X > k].$

The previous upper bound on Pr[X > k] gives

$E(X) \le 1 + \sum_{k \ge 0} e^{-\frac{k^2}{2N}} \le 1 + 1 + \int_0^{+\infty} e^{-\frac{t^2}{2N}}\,dt = 2 + \sqrt{2N}\int_0^{+\infty} e^{-u^2}\,du = 2 + \sqrt{\frac{N\pi}{2}}.$

⁸Remark that this proof also gives that the probability that there is at least one collision after taking k samples is $1 - \Pr[X > k] \ge 1 - e^{-\frac{(k-1)^2}{2N}}$, which tends very quickly to 1 for k greater than √N.


The main idea of Pollard rho is to iterate an efficiently computable map F : G → G such that

• given α, β ∈ Z/rZ, it is easy to find α′, β′ ∈ Z/rZ such that $F(g^\alpha h^\beta) = g^{\alpha'} h^{\beta'}$;

• F behaves "sufficiently" like a random map.

For example, we can divide G into three subsets $G_1$, $G_2$ and $G_3$ of comparable sizes, and then consider

$F(x) = \begin{cases} x^2 & \text{if } x \in G_1,\\ g \cdot x & \text{if } x \in G_2,\\ h \cdot x & \text{if } x \in G_3. \end{cases}$

Starting from a random element $u_0 = g^{\alpha_0} h^{\beta_0}$, we then compute the sequences $(u_i), (\alpha_i), (\beta_i)$ such that

$u_i = F(u_{i-1}) = F^i(u_0) = g^{\alpha_i} h^{\beta_i}.$

The sequence $(u_i)$ is ultimately periodic: there exist $i_0$ and ℓ > 0 such that $u_{i_0} = u_{i_0+\ell}$ (and $u_i = u_{i+\ell}$ for any $i \ge i_0$). In particular, a collision between $u_{i_0}$ and $u_{j_0} = u_{i_0+\ell}$ gives

$g^{\alpha_{i_0}} h^{\beta_{i_0}} = g^{\alpha_{j_0}} h^{\beta_{j_0}}.$

Then there are two possibilities:

• either $\beta_{i_0} - \beta_{j_0}$ is coprime to r, and then

$\log_g(h) = -(\alpha_{i_0} - \alpha_{j_0})(\beta_{i_0} - \beta_{j_0})^{-1} \bmod r;$

• otherwise, we start again from a new point.

[Figure: the "rho" shape of the sequence $u_0,\ u_1 = F(u_0),\ \ldots,\ u_{i_0-1},\ u_{i_0} = u_{i_0+\ell},\ \ldots,\ u_{i_0+\ell-1}$: a tail of length $i_0$ followed by a cycle of length ℓ.]

Thanks to the birthday paradox, the expected time before finding a collision in the sequence $u_0, u_1 = F(u_0), \ldots$ (i.e. running through the cycle) is in O(√r). Note that even if F is not random in practice, it behaves sufficiently randomly for this analysis to remain correct.

To get a cost in O(1) memory, we use Floyd's tortoise and hare method: we compute simultaneously a "tortoise" sequence $(u_i)$ and a "hare" sequence $(v_i) = (u_{2i})$ until the first collision $u_i = v_i$. A collision happens as soon as i is a multiple of the cycle length ℓ greater than $i_0$, thus before $i_0 + \ell$.
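As an added illustration (this code is not part of the lecture notes), the following Python 3.9+ implements Pollard rho with the three-way map F above and Floyd's tortoise-and-hare collision search, so only two triples $(u, \alpha, \beta)$ are kept in memory. The partition $G_1, G_2, G_3$ is taken to be the residue of x modulo 3, an arbitrary choice of this example; the group is again the order-509 subgroup of (Z/1019Z)∗ generated by g = 4 (constructed toy parameters). When the collision gives a non-invertible $\beta$ difference, the walk is restarted from a new random point, as the text prescribes. Function names are my own.

```python
# Added example (not from the lecture notes): Pollard rho with the map F of
# the text and Floyd's tortoise and hare. Partition G1/G2/G3 = x mod 3 (an
# arbitrary choice here). Group: order-509 subgroup of (Z/1019Z)* generated
# by 4 (constructed toy parameters). Function names are mine.
import random
from math import gcd


def rho_step(x: int, alpha: int, beta: int, g: int, h: int, p: int, r: int):
    """F(x) together with the exponent bookkeeping, keeping x = g^alpha * h^beta."""
    part = x % 3
    if part == 0:                                       # G1: x -> x^2
        return x * x % p, 2 * alpha % r, 2 * beta % r
    if part == 1:                                       # G2: x -> g * x
        return x * g % p, (alpha + 1) % r, beta
    return x * h % p, alpha, (beta + 1) % r            # G3: x -> h * x


def pollard_rho_once(g: int, h: int, p: int, r: int, alpha0: int, beta0: int):
    """One walk from u0 = g^alpha0 * h^beta0. Returns log_g(h), or None when
    the collision has a non-invertible beta difference (restart needed)."""
    tortoise = (pow(g, alpha0, p) * pow(h, beta0, p) % p, alpha0, beta0)
    hare = tortoise
    while True:                                         # compare u_i with u_{2i}
        tortoise = rho_step(*tortoise, g, h, p, r)
        hare = rho_step(*rho_step(*hare, g, h, p, r), g, h, p, r)
        if tortoise[0] == hare[0]:
            break
    d_alpha = (tortoise[1] - hare[1]) % r
    d_beta = (tortoise[2] - hare[2]) % r
    if gcd(d_beta, r) != 1:                             # beta_i0 - beta_j0 not coprime to r
        return None
    return (-d_alpha * pow(d_beta, -1, r)) % r          # -(alpha_i0 - alpha_j0)(beta_i0 - beta_j0)^-1


def pollard_rho(g: int, h: int, p: int, r: int, seed=None) -> int:
    """Repeat walks from random starting points until one yields the logarithm."""
    rng = random.Random(seed)
    while True:
        x = pollard_rho_once(g, h, p, r, rng.randrange(r), rng.randrange(r))
        if x is not None and pow(g, x, p) == h:
            return x
```

The final `pow(g, x, p) == h` check costs one exponentiation and guards against a degenerate walk; in a real implementation one would also cap the number of steps per walk at a small multiple of √r.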


4.6.1 A lower bound

The discrete log algorithms presented thus far are generic: they work in any group, since they only use the group operation and comparisons of elements. For such algorithms, a lower bound on the complexity is known.

Theorem (Shoup). For any generic DLP-solving algorithm, there exists a constant C such that the expected number of operations needed to solve the DLP in a cyclic group of order n is greater than C√p, where p is the largest prime factor of n.

This implies that Pollard rho and baby-step giant-step are "optimal" among generic algorithms when working on prime order groups. For such group orders n = p we have $\sqrt{n} = \sqrt{2}^{\,\log_2 p}$, meaning that generic algorithms have exponential complexity in the bit size of the group order.

On the other hand, for some concrete groups there may exist non-generic algorithms that perform much better. The simplest example is (Z/nZ, +), in which the DLP has polynomial complexity (exercise).

5 Factorization and RSA

All cryptographic schemes presented so far rely on the difficulty of solving the DLP. We consider in this section cryptosystems based on another computational problem: the difficulty of factoring large integers. More precisely, in these schemes, the public key is a composite number and the private key is its prime factor decomposition, which allows one to execute the secret operations (deciphering, signature, ...).

A composite number n which is difficult to factorize should be sufficiently large (about 3072 bits) with no small factors (which are easy to find with gcd computations). So in practice, two large primes p, q are generated and then we take n = pq. These sorts of composite numbers are difficult to factorize: the current record is the factorization of a composite integer of 830 bits in about 2700 CPU years on a single core.

5.1 Textbook RSA

We describe the textbook RSA (from Rivest, Shamir and Adleman, 1978) as presented in papers and books, but be aware that this is definitely not how it should be implemented in the real world.

Whereas all computations were done in Z/pZ with p prime for DLP-based cryptosystems, we work here in Z/nZ with n composite.

Assume that Bob wants to send an encrypted message to Alice. As for any public key scheme, there are three main algorithms:

1. Key generation: Alice generates two large primes p, q of similar size and computes n = pq. Alice also chooses $e ∈ (Z/ϕ(n)Z)^×$ and computes $d = e^{-1} \bmod ϕ(n)$. Alice's public key is (n, e) and her private key is d.

2. Encryption: Bob obtains⁹ Alice's public key (n, e). Then he encodes his message as an integer 1 ≤ m < n and computes $c = m^e \bmod n$, then sends the ciphertext c to Alice.

⁹ This requires trusted third parties and public key infrastructures, which are outside the scope of these lectures.


3. Decryption: Alice computes $m = c^d \bmod n$ and decodes it to obtain the original message.

This scheme is correct:

• Case 1: gcd(m, n) = 1. Then gcd(m, p) = 1 and gcd(m, q) = 1. Since ed = 1 + k(p − 1)(q − 1) for some integer k, Fermat's theorem gives $m^{ed-1} = 1 \bmod p$ and $m^{ed-1} = 1 \bmod q$. The Chinese remainder theorem gives the result modulo pq.

• Case 2: gcd(m, n) ≠ 1. Without loss of generality we can assume that gcd(m, p) = p. In particular $m = 0 = m^{ed} \bmod p$. Then there are two possibilities: either gcd(m, q) = 1 and we apply Fermat's theorem as before, or gcd(m, q) = q and then $m = 0 = m^{ed} \bmod q$. As before, the CRT allows us to finish the proof.

For efficiency, it is usual in practice to take a prime encryption exponent e with small Hamming weight (e.g. $e = 2^{16} + 1$; as shown below, e = 3 is not recommended because of broadcast attacks). This exponent does not need to be chosen randomly. It is easy to see that the encryption and decryption algorithms cost $O((\log n)^3)$ operations using fast exponentiation algorithms.

Contrary to the Schnorr signature, which is quite different from ElGamal encryption, the RSA signature scheme is just a "reversed" RSA encryption. More precisely, the signature of a message m is $s = H(m)^d \bmod n$, and to verify that a signature is correct we check that $s^e = H(m) \bmod n$.

5.2 Security of RSA

The difficulty of breaking the RSA encryption scheme relies on the difficulty of computing e-th roots modulo n. This problem is believed (even if it is not proved) to be as hard as factoring n. The variant of RSA with e = 2, called Rabin's scheme, has security equivalent to the factorization of n, as seen in lab session 2.

This "textbook" encryption/signature scheme is deterministic and malleable, which is a problem for security. We analyze some classical attacks on RSA in the next section. To circumvent this problem, a randomized padding is always added to the message in practice (see PKCS or OAEP for more details).

Another trivial reason for not using RSA in its textbook version is the problem of "small messages": if m is sufficiently small so that $m^e < n$, then there is no reduction modulo n during encryption and an attacker can directly obtain the plaintext by computing the e-th root as an integer (with no reduction).

Another reason is the broadcast attack. If Alice sends the same message m to k different people with public keys $(e, n_1), \ldots, (e, n_k)$ (all with the same encryption exponent e), then a passive attacker can recover $m^e \bmod n_1 \cdots n_k$ with the CRT and deduce m if e ≤ k. This is why taking e = 3 is not necessarily a good idea.

Factoring n is as hard as recovering the secret key

We first remark that knowing ϕ(n) allows one to deduce the secret key d. Yet knowing ϕ(n) = (p − 1)(q − 1) is as hard as factoring n: from n = pq and ϕ(n) = n − (p + q) + 1 we easily deduce p and q, which are the roots of the trinomial $X^2 − (p + q)X + pq$.

Now if an adversary is able to get d, then he can easily recover the factorization of n. Indeed, if k = ed − 1 then for any $g ∈ (Z/nZ)^×$ we have $g^k = 1 \bmod n$. As k is even, we can compute $g^{k/2}$. Since it is a square root of 1 modulo n, using the same trick as in Miller-Rabin, we get the factorization of n as soon as $g^{k/2} ≠ ±1 \bmod n$.
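Textbook RSA from 5.1 together with the two key-recovery equivalences above, written out in Python as an added example (this is not code from the lecture notes; the primes P_TOY and Q_TOY are constructed toy values far too small for real use, and pow(e, -1, phi) needs Python 3.8 or later):

```python
from math import gcd, isqrt

# Constructed toy parameters: two known primes, deliberately tiny.
P_TOY, Q_TOY, E_TOY = 104729, 1299709, 65537


def keygen(p, q, e):
    """Key generation (5.1): n = pq, d = e^{-1} mod phi(n).
    Returns Alice's public key (n, e) and her private key d."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    return (n, e), pow(e, -1, phi)


def encrypt(pub, m):
    """Encryption: c = m^e mod n for a message encoded as 1 <= m < n."""
    n, e = pub
    if not 1 <= m < n:
        raise ValueError("message must be encoded as an integer 1 <= m < n")
    return pow(m, e, n)


def decrypt(n, d, c):
    """Decryption: m = c^d mod n (correct even when gcd(m, n) != 1, Case 2)."""
    return pow(c, d, n)


def factor_from_phi(n, phi):
    """Knowing phi(n) = n - (p + q) + 1 factors n: p and q are the roots of
    X^2 - (p + q)X + pq, found from the discriminant (p + q)^2 - 4n = (p - q)^2."""
    s = n - phi + 1                    # p + q
    disc = s * s - 4 * n               # (p - q)^2
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("phi(n) is not consistent with n = pq")
    return (s - r) // 2, (s + r) // 2


def factor_from_d(n, e, d, max_tries=100):
    """Knowing d factors n: k = ed - 1 satisfies g^k = 1 mod n for every unit g.
    Writing k = 2^t r and squaring g^r repeatedly (the Miller-Rabin trick) finds
    a square root x of 1 with x != +-1; then gcd(x - 1, n) is a proper factor."""
    r, t = e * d - 1, 0
    while r % 2 == 0:
        r //= 2
        t += 1
    for g in range(2, 2 + max_tries):
        if gcd(g, n) != 1:             # g itself already shares a factor with n
            p = gcd(g, n)
            return p, n // p
        x = pow(g, r, n)
        if x in (1, n - 1):            # the chain of squares only meets +-1
            continue
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:                 # x^2 = 1 but x != +-1: non-trivial root
                p = gcd(x - 1, n)
                return p, n // p
            if y == n - 1:
                break
            x = y
    raise ValueError("no non-trivial square root of 1 found")


if __name__ == "__main__":
    pub, d = keygen(P_TOY, Q_TOY, E_TOY)
    n = pub[0]
    c = encrypt(pub, 123456789)
    print("decrypts correctly:", decrypt(n, d, c) == 123456789)
    print("factors from phi(n):", factor_from_phi(n, (P_TOY - 1) * (Q_TOY - 1)))
    print("factors from d:     ", sorted(factor_from_d(n, E_TOY, d)))
```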


5.3 Comparison of DLP-based and factoring-based cryptographic schemes

The security of the cryptographic schemes presented so far relies either on the hardness of computing discrete logarithms, or on the hardness of factoring large integers. Although these two problems are clearly different, it turns out that several algorithms initially designed for factoring can also be used to compute discrete logarithms in (Z/nZ)^* (as an example of this, you will see in lab session 3 how to compute factorizations with the original version of Pollard Rho).

Currently, the best algorithm for factoring is the Number Field Sieve, and it is also the best algorithm for solving the DLP in (Z/nZ)^*; its complexity is subexponential (i.e. between polynomial and exponential), in

$$O\left(2^{O(1)\,(\log n)^{1/3}\,(\log\log n)^{2/3}}\right).$$

Thus both problems are approximately equally hard.

However, the big advantage of the DLP is that it can be defined in any finite group, not just (Z/nZ)^*. Nowadays, (Z/nZ)^* has been replaced in almost every use by groups consisting of the set of points of elliptic curves defined over finite fields. These groups are more difficult to define and study, and their operations are slower to compute, but they offer a much better security. Indeed, except in special cases there are no known DLP algorithms on elliptic curves performing better than generic ones. Consequently, RSA is no longer recommended and has been supplanted by elliptic curve cryptography in most real-world applications.

6 Pseudo-random Number Generators (PRNG)

6.1 Introduction

We have already seen that random bits are needed everywhere in cryptography: for generating keys or ephemeral values in protocols (called nonces), for stretching a short secret seed into a long pseudorandom string, ... It is however impossible to procedurally generate genuine random variables. Indeed, the output of a computer program is completely determined by its internal state (otherwise said, the content of its memory), so it is actually not random at all! The best a computer can achieve is pseudo-randomness.

Definition. A pseudo-random number generator (PRNG) is an algorithm that takes as input an initial value (the seed) and outputs a sequence of numbers.

Obviously, a PRNG is "good" if its output is hard to distinguish from a truly random sequence; this can be measured by statistical tests that are outside the scope of these lectures. The type of output can vary depending on its applications. The simplest case is when the output is a sequence of bits that simulates a sequence of mutually independent Bernoulli variables of parameter 1/2.

Because of their deterministic nature, all PRNG have limitations:

Property. The sequence $(u_n)$ output by a PRNG which only uses a finite amount of memory is ultimately periodic, i.e. there exist an integer T > 0 and a rank N ∈ ℕ such that $u_{n+T} = u_n$ for all n ≥ N.

Proof. (Sketch) If a PRNG uses a bounded amount of memory, then it has a finite number of possible states. Consequently, after a finite number of iterations it will go back to a previously encountered state, and thereafter the sequence becomes periodic.


Having a long period (relative to the memory usage) is clearly a desirable feature for a PRNG, but it is not the only one: speed and statistical robustness are also important. To give an example, the widespread Mersenne Twister PRNG has a period of $2^{19937} − 1$, for a memory usage of 2.5 KB.

From a cryptographic point of view, we want more than just statistical properties: given consecutive values $u_k, u_{k+1}, \ldots, u_{k+m}$ of the output, it should be computationally infeasible to gain information on the next term $u_{k+m+1}$, even for large values of m. (Note that if the period is long enough it is computationally infeasible anyway to store all of the sequence's values.)

Important remark: the topic of random generation is quite complex and will only be skimmed in these lectures. But PRNGs are not the end of the story, since computers actually have access to sources of randomness (e.g. timings of keystrokes in milliseconds, thermal noise from the fan or hard disk, timings of arrivals of internet packets...). Unix-like operating systems use these entropy sources in their pseudorandom generation.

6.2 Linear Feedback Shift Registers (LFSR)

A classical, and simple, example of PRNG is given by linear feedback shift registers (LFSR). They were mainly used for the construction of stream ciphers such as CSS (for protecting movies on DVD disks) or RC4 (for securing Web traffic). They are still attractive for low-cost consumer electronics devices, but need to be combined with boolean functions to remain secure.

Definition (LFSR). An L-bit LFSR is composed of a shift register that contains a sequence of L bits $(s_i, \ldots, s_{i+L-1})$ and a linear feedback bit function.

The LFSR outputs one bit (the least significant bit) per clock cycle; the other bits are shifted to the right. The new bit $s_{i+L}$ is put in the most significant bit cell of the register and given by a linear function

$$s_{i+L} = c_1 s_{i+L-1} + c_2 s_{i+L-2} + \cdots + c_{L-1} s_{i+1} + c_L s_i$$

where the ci are binary coefficients called the feedback coefficients of the LFSR.

The bits $(s_0, \ldots, s_{L-1})$ are the initial state (the seed) of the register; they completely determine the output sequence.

Algorithm 6: LFSR
Input: $(s_0, \ldots, s_{L-1}) ∈ F_2^L \setminus \{0\}$
Output: $s_0, \ldots, s_{N-1}$
for i = 0, ..., N − 1 do
    output $s_i$
    $s_{i+L} ← c_1 s_{i+L-1} + c_2 s_{i+L-2} + \cdots + c_{L-1} s_{i+1} + c_L s_i$

[Figure: Fibonacci LFSR. Register cells $s_i, s_{i+1}, s_{i+2}, \ldots, s_{i+L-2}, s_{i+L-1}$; the feedback bit $s_{i+L}$ is the XOR of the cells weighted by $c_L, c_{L-1}, c_{L-2}, \ldots, c_2, c_1$; the output bit $s_{i-1}$ leaves on the right.]


This definition is just a hardware-oriented way of saying that we will be looking at linear recurring sequences (with values in $F_2$). The feedback polynomial of an LFSR is the polynomial

$$C(X) = 1 − c_1 X − c_2 X^2 − \cdots − c_L X^L,$$

its reciprocal $P(X) = X^L − c_1 X^{L-1} − \cdots − c_{L-1} X − c_L$ is called its characteristic polynomial.

As explained before, the output sequence is ultimately periodic, i.e. there exists $i_0$ such that $(s_i)_{i ≥ i_0}$ is periodic, with a bound on the period.

Proposition.
• The sequence $(s_i)$ is ultimately periodic of period $T ≤ 2^L − 1$.
• If $c_L ≠ 0$ then the sequence is periodic.

Proof. Let $R_i = (s_i, \ldots, s_{i+L-1}) ∈ F_2^L$ be the state of the register at the i-th iteration. If there exists an integer $i_0$ such that $R_{i_0} = (0, \ldots, 0)$, then $s_i = 0$ for all $i ≥ i_0$, and T = 1. Otherwise, there are $2^L − 1$ possible (non-zero) values of the register; hence among $(R_0, \ldots, R_{2^L-1})$ at least two values $R_{i_0}$ and $R_{i_0+T}$ with $0 < T ≤ 2^L − 1$ are equal. Then by induction $s_i = s_{i+T}$ for any $i ≥ i_0$.

Finally, if $c_L ≠ 0$, then it holds that

$$s_i = \frac{1}{c_L}\left(s_{i+L} − c_1 s_{i+L-1} − \cdots − c_{L-1} s_{i+1}\right).$$

This means that the value of a term $s_i$ of the sequence is determined by the L following terms (it is possible to "rewind" the sequence). Since $s_i = s_{i+T}$ for all $i ≥ i_0$, by downward induction it also holds for all i ∈ ℕ.

Remark that if $c_L = 0$, then the sequence $(s_i)_{i ≥ 1}$ satisfies the shorter recurrence relation

$$s_{i+L-1} = c_1 s_{i+L-2} + c_2 s_{i+L-3} + \cdots + c_{L-1} s_i.$$

This means that except for $s_0$, this sequence can be produced by a shorter LFSR. For this reason, unless otherwise stated it will be assumed that $c_L ≠ 0$.

The construction of LFSRs with the maximal possible period $T = 2^L − 1$ will be explained later, but some of their properties can be given now.

Proposition. Consider an L-bit LFSR for which there exists an initial state $R_0 ∈ F_2^L$ such that the corresponding output sequence $(s_i)$ has period $2^L − 1$. Then:

• For any other initial value $R'_0 ≠ (0, \ldots, 0)$, the output sequence $(s'_i)$ also has period $2^L − 1$ and is a shift of $(s_i)$: there exists τ ∈ ℕ such that $(s'_i) = (s_{i+τ})$.

• Equidistribution: for 0 < k ≤ L, every tuple $(b_0, \ldots, b_{k-1})$ of k bits has exactly $2^L/2^k$ occurrences during a period of the sequence $(s_i)$, except for the k-tuple $(0, \ldots, 0)$ that appears $(2^L/2^k − 1)$ times. In particular, during a period the sequence $(s_i)$ takes exactly $2^{L-1}$ times the value 1 and $2^{L-1} − 1$ times the value 0.

• Auto-correlation: for any $τ ≠ 0 \bmod 2^L − 1$, there are exactly $2^{L-1}$ indices $i ∈ ⟦0, 2^L − 2⟧$ such that $s_i ≠ s_{i+τ}$ and $2^{L-1} − 1$ indices such that $s_i = s_{i+τ}$.

The first point implies that the maximal period property only depends on the feedback polynomial of an LFSR, not on the chosen seed. The second and third points mean that the output sequence satisfies some elementary statistical tests: 0 and 1 are (almost) equally frequent, there are (almost) as many 00 as 01, 10 and 11, and so on.


Proof. Since the LFSR has period $2^L − 1$, the values $R_0, R_1, \ldots, R_{2^L-2}$ of the register during the first $2^L − 1$ iterations are all distinct and non-zero. Thus $\{R_0, \ldots, R_{2^L-2}\} = F_2^L \setminus \{(0, \ldots, 0)\}$; otherwise said, each non-zero possible value of the register is taken exactly once during a period. The rest of the proof follows from this observation:

• Let $R'_0$ be another non-zero initial value. Then there exists $τ ∈ ⟦0, 2^L − 2⟧$ such that $R'_0 = R_τ$. Consequently $R'_i = R_{i+τ}$ for all i, and thus $(s'_i) = (s_{i+τ})$.

• Let $(b_0, \ldots, b_{k-1})$ be a non-zero k-tuple of bits with 1 ≤ k ≤ L. There are exactly $2^{L-k}$ elements of $F_2^L \setminus \{0\}$ starting with $(b_0, \ldots, b_{k-1})$, thus

$$\left|\{ i ∈ ⟦0, 2^L − 2⟧ : (s_i, \ldots, s_{i+k-1}) = (b_0, \ldots, b_{k-1}) \}\right| = \left|\{ i ∈ ⟦0, 2^L − 2⟧ : R_i \text{ starts with } (b_0, \ldots, b_{k-1}) \}\right| = 2^{L-k}.$$

The reasoning is similar when $(b_0, \ldots, b_{k-1}) = 0$.

• Let $τ ≠ 0 \bmod 2^L − 1$. Then $R_0 ≠ R_τ$, thus $R'_0 = R_0 − R_τ ≠ 0$. Let $(s'_i) = (s_i − s_{i+τ})$; it satisfies the same recurrence relation as $(s_i)$, with initial values $(s'_0, \ldots, s'_{L-1}) = R'_0$. Thus $(s'_i)$ is the sequence output by the LFSR with initial state $R'_0$. By the first point, it is a shift of $(s_i)$; by the second point, it contains $2^{L-1}$ 1's and $2^{L-1} − 1$ 0's in a period. The conclusion follows.

6.3 Linear algebra and LFSR

LFSRs can be expressed as linear functions using matrices over $F_2$. Consider the registers $R_i$ as column vectors in $F_2^L$, i.e. $R_i = (s_i, s_{i+1}, \ldots, s_{i+L-1})^T$ for all i ∈ ℕ. Then $R_{i+1} = A R_i$, where

$$A = \begin{pmatrix} 0 & 1 & 0 & \cdots & 0 \\ \vdots & \ddots & \ddots & \ddots & \vdots \\ \vdots & & \ddots & \ddots & 0 \\ 0 & \cdots & \cdots & 0 & 1 \\ c_L & \cdots & \cdots & c_2 & c_1 \end{pmatrix} ∈ M_L(F_2).$$

This implies that $R_i = A^i R_0$ for all i ∈ ℕ, and thus

$$s_i = (1\ 0\ \cdots\ 0)\begin{pmatrix} s_i \\ s_{i+1} \\ \vdots \\ s_{i+L-1} \end{pmatrix} = (1\ 0\ \cdots\ 0)\, A^i R_0.$$

The matrix A is what is called a companion matrix. A classical computation shows that the characteristic polynomial of the matrix A is

$$\chi_A(X) = P(X) = X^L − c_1 X^{L-1} − \cdots − c_L,$$


the reciprocal of the feedback polynomial C of the LFSR.

Let $B_c = (e_1, \ldots, e_L)$ be the canonical basis of $F_2^L$, and $f : v ↦ Av$ the endomorphism of $F_2^L$ associated with the matrix A. A change of basis will give another interpretation of the LFSR, from which information on the period can be obtained.

It is easy to check that

$$A e_L = \begin{pmatrix} 0 \\ \vdots \\ 0 \\ 0 \\ 1 \\ * \end{pmatrix}, \quad A^2 e_L = \begin{pmatrix} 0 \\ \vdots \\ 0 \\ 1 \\ * \\ * \end{pmatrix}, \quad \ldots \quad A^{L-1} e_L = \begin{pmatrix} 1 \\ \vdots \\ * \\ * \\ * \\ * \end{pmatrix}.$$

Thus $B = (e_L, f(e_L), \ldots, f^{L-1}(e_L))$ is another basis of $F_2^L$; the change-of-basis matrix is

$$M = P_{B_c}^{B} = \begin{pmatrix} 0 & \cdots & 0 & 1 \\ \vdots & & 1 & * \\ 0 & & & \vdots \\ 1 & * & \cdots & * \end{pmatrix}, \quad\text{and}\quad M^{-1} A M = \mathrm{Mat}_B(f) = \begin{pmatrix} 0 & \cdots & \cdots & 0 & * \\ 1 & \ddots & & \vdots & \vdots \\ 0 & \ddots & \ddots & \vdots & \vdots \\ \vdots & \ddots & \ddots & 0 & * \\ 0 & \cdots & 0 & 1 & * \end{pmatrix}.$$

This is (the transpose of) a companion matrix, so its characteristic polynomial is given by the coefficients in the last column. But this characteristic polynomial is $\chi_f = \chi_A = P(X)$, thus

$$M^{-1} A M = {}^tA = \begin{pmatrix} 0 & \cdots & \cdots & 0 & c_L \\ 1 & \ddots & & \vdots & \vdots \\ 0 & \ddots & \ddots & \vdots & \vdots \\ \vdots & \ddots & \ddots & 0 & c_2 \\ 0 & \cdots & 0 & 1 & c_1 \end{pmatrix}.$$

Now, for all i ∈ ℕ we have seen that $s_i = (1\ 0\ \cdots\ 0)\, A^i R_0$, thus

$$s_i = (1\ 0\ \cdots\ 0)\,(M\,{}^tA\,M^{-1})^i R_0 = (1\ 0\ \cdots\ 0)\, M\, ({}^tA)^i M^{-1} R_0 = (0\ \cdots\ 0\ 1)\, ({}^tA)^i Y_0$$

where $Y_0 = M^{-1} R_0$. The linear recurring sequence $(s_i)$ can thus be recovered by successive multiplication by ${}^tA$ and looking at the last coordinate.

Let $Y_i = ({}^tA)^i Y_0 = {}^tA\, Y_{i-1} = (q_{i,0}, q_{i,1}, \ldots, q_{i,L-1})^T$. Multiplication by ${}^tA$ has two interpretations:

– From a hardware point of view, it corresponds to the following "dual" type of LFSR:

[Figure: Galois LFSR. Cells $q_{i,L-1}, q_{i,L-2}, \ldots, q_{i,1}, q_{i,0}$ separated by XOR gates; the output bit $s_i$ is fed back into the gates weighted by the feedback coefficients $c_1, c_2, \ldots, c_{L-1}, c_L$.]


At each clock cycle, the LFSR outputs one bit $s_i$ (the most significant one). The other bits are shifted to the left and then xored with $c_j s_i$.

– Let $Q_i = q_{i,0} + q_{i,1} X + \cdots + q_{i,L-1} X^{L-1}$ be the polynomial whose coefficients are given by the coordinates of $Y_i = ({}^tA)^i Y_0$. Then $Q_{i+1} = X Q_i \bmod P(X)$. In other words, the matrix ${}^tA$ also represents the endomorphism

$$F_2[X]/⟨P(X)⟩ → F_2[X]/⟨P(X)⟩, \quad Q ↦ XQ$$

in the canonical basis $(1, X, X^2, \ldots, X^{L-1})$, and $Q_i$ is the remainder of $X^i Q_0$ in the Euclidean division by P(X). This implies that the pseudorandom sequence $(s_i)$ can be obtained by looking at the degree L − 1 coefficient of the sequence of polynomials $(Q_i) = (X^i Q_0 \bmod P(X))$.

This second point of view is called the Galois representation of an LFSR, whereas the linear recurring sequence point of view is called the Fibonacci representation. But of course, both are equivalent.

6.4 Maximal period LFSR and primitive polynomials over finite fields

With the Galois representation, the internal state of an LFSR is given by the polynomial $Q_i = X^i Q_0 \bmod P(X)$. The period is then the smallest integer T > 0 such that $X^T Q_0 = Q_0 \bmod P(X)$. If the initial polynomial $Q_0$ is coprime to P(X), then the period is simply the (multiplicative) order of X in the group of invertible elements of the finite ring $F_2[X]/(P(X))$.

Theorem. An LFSR has the maximal period $2^L − 1$ if and only if its characteristic polynomial P(X) is irreducible and (the class of) X is a generator of the multiplicative group of $F_2[X]/(P(X))$.

Exercise: prove this theorem! Hint: with $A = F_2[X]/(P(X))$, show that $\mathrm{ord}(X) ≤ |A^×| ≤ 2^L − 1$ and that $|A^×| = 2^L − 1$ if and only if P(X) is irreducible.

Proof. Let $A = F_2[X]/(P(X))$; there is a natural bijection between A and the set of polynomials of degree strictly smaller than deg P = L, so $|A| = 2^L$. Let $A^×$ be the set of invertible elements of A; since 0 is not invertible, it holds that $|A^×| ≤ 2^L − 1$. By Lagrange's theorem, it also holds that the order of X in $A^×$ is a divisor of $|A^×|$, so in particular $\mathrm{ord}(X) ≤ |A^×| ≤ 2^L − 1$.

Consequently, if the LFSR has period $2^L − 1$, then the order of X is $2^L − 1$, thus $|A^×| = 2^L − 1$. This implies that X is a generator of $A^×$, but also that $A^× = A \setminus \{0\}$. All non-zero elements of A are therefore invertible, which says that A is a field, so P(X) is irreducible.

Conversely, if P(X) is irreducible, then A is a field (with $2^L$ elements), so $A^×$ is cyclic of order $2^L − 1$. If X is a generator of $A^×$, its order is consequently $2^L − 1$, so the period is maximal.

A polynomial satisfying the condition of the above theorem is called a primitive polynomial. To find such a polynomial of degree L, a possibility is to start from the finite field $F_{2^L}$ (in any representation), and test random elements until a generator x of $(F_{2^L})^*$ is found. Then the minimal polynomial of x, i.e. the smallest-degree $P ∈ F_2[X]$ such that P(x) = 0, gives a suitable polynomial.


Example / Exercise:

1. Show that the polynomial $Q = X^4 + X^3 + X^2 + X + 1 ∈ F_2[X]$ is irreducible. Is the class x of X a generator of the multiplicative group of $F_{2^4} = F_2[X]/(Q)$?

The polynomial $Q = X^4 + X^3 + X^2 + X + 1 ∈ F_2[X]$ is irreducible, so $F_{2^4} = F_2[X]/(Q)$. But the class x of X is not a generator of $(F_{2^4})^*$: indeed, $X^5 = 1 \bmod Q$ since $X^5 + 1 = (X + 1)Q$, so x has order 5.

2. Let $y = 1 + x ∈ F_{2^4}$. Show that y is a generator of $F_{2^4}^*$ and find its minimal polynomial P.

It is easy to check that y = 1 + x has order 15 (compute $y^3$ and $y^5$) and is thus a generator of $F_{2^4}^*$. To find its minimal polynomial, we compute:
$(1 + X)^0 = 1 \bmod Q$
$(1 + X)^1 = 1 + X \bmod Q$
$(1 + X)^2 = 1 + X^2 \bmod Q$
$(1 + X)^3 = 1 + X + X^2 + X^3 \bmod Q$
$(1 + X)^4 = 1 + X^4 = X^3 + X^2 + X \bmod Q$
from which one can deduce that $(1 + X)^4 + (1 + X)^3 + 1 = 0 \bmod Q$, i.e. $y^4 + y^3 + 1 = 0$. The polynomial $P = X^4 + X^3 + 1$ is thus primitive.

3. Compute the output of the corresponding LFSR and check that it satisfies the properties listed in 6.2.

To find the output of the LFSR, we compute modulo P:
$X^0 = 1$, $X^1 = X$, $X^2 = X^2$, $X^3 = X^3$, $X^4 = X^3 + 1$, $X^5 = X^4 + X = X^3 + X + 1$,
$X^6 = X^4 + X^2 + X = X^3 + X^2 + X + 1$, $X^7 = X^4 + X^3 + X^2 + X = X^2 + X + 1$, $X^8 = X^3 + X^2 + X$,
$X^9 = X^4 + X^3 + X^2 = X^2 + 1$, $X^{10} = X^3 + X$, $X^{11} = X^4 + X^2 = X^3 + X^2 + 1$, $X^{12} = X^4 + X^3 + X = X + 1$,
$X^{13} = X^2 + X$, $X^{14} = X^3 + X^2$, $X^{15} = X^4 + X^3 = 1$,
yielding the sequence (0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1).
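The Fibonacci (6.2) and Galois (6.3) representations side by side, reproducing the sequence of exercise 3 and checking the equidistribution and auto-correlation properties of 6.2; this is an added Python example, not code from the lecture notes. Polynomials over F_2 are stored as integers whose bit k is the coefficient of X^k, and the Fibonacci seed [0, 0, 0, 1] is simply the first four output bits of the Galois register started at Q_0 = 1.

```python
from collections import Counter


def taps_from_poly(P):
    """Feedback coefficients c_1, ..., c_L of P(X) = X^L - c_1 X^{L-1} - ... - c_L.
    Over F_2 the signs vanish, so c_j is just the coefficient of X^{L-j}."""
    L = P.bit_length() - 1
    return [(P >> (L - j)) & 1 for j in range(1, L + 1)]


def fibonacci_lfsr(taps, seed, n):
    """Algorithm 6: the register holds (s_i, ..., s_{i+L-1}); it outputs s_i and
    appends s_{i+L} = c_1 s_{i+L-1} + ... + c_L s_i (addition in F_2 is XOR)."""
    L = len(taps)
    state = list(seed)
    out = []
    for _ in range(n):
        out.append(state[0])
        new_bit = 0
        for j, c in enumerate(taps, start=1):
            new_bit ^= c & state[L - j]      # c_j multiplies s_{i+L-j}
        state = state[1:] + [new_bit]
    return out


def galois_lfsr(P, Q0, n):
    """Galois representation: state Q_i = X^i Q_0 mod P(X); the output bit is
    the coefficient of X^{L-1} in Q_i, where L = deg P."""
    L = P.bit_length() - 1
    Q = Q0
    out = []
    for _ in range(n):
        out.append((Q >> (L - 1)) & 1)
        Q <<= 1                              # multiply by X ...
        if (Q >> L) & 1:                     # ... and reduce once degree L appears
            Q ^= P
    return out


def tuple_counts(period, k):
    """Number of cyclic occurrences of each k-tuple of bits over one period."""
    T = len(period)
    return Counter(tuple(period[(i + j) % T] for j in range(k)) for i in range(T))


def autocorrelation_mismatches(period, tau):
    """Number of indices i in one period with s_i != s_{i+tau} (cyclically)."""
    T = len(period)
    return sum(period[i] != period[(i + tau) % T] for i in range(T))


# Worked example: P = X^4 + X^3 + 1 (primitive, exercise 2), Galois seed Q_0 = 1.
P_EXAMPLE = 0b11001
SEQUENCE = galois_lfsr(P_EXAMPLE, 1, 15)

if __name__ == "__main__":
    print("Galois   :", SEQUENCE)
    print("Fibonacci:", fibonacci_lfsr(taps_from_poly(P_EXAMPLE), [0, 0, 0, 1], 15))
    print("2-tuples :", dict(tuple_counts(SEQUENCE, 2)))
    print("mismatch :", [autocorrelation_mismatches(SEQUENCE, t) for t in range(1, 15)])
```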

More generally, let $P(X) = \prod_{j=1}^{m} P_j(X)^{α_j}$ be the decomposition of the characteristic polynomial of a given LFSR into irreducible factors. By the polynomial version of the Chinese Remainder Theorem,

$$F_2[X]/(P(X)) ≅ \prod_{j=1}^{m} F_2[X]/(P_j(X)^{α_j}).$$

This entails that the multiplicative order of X in $F_2[X]/(P(X))$ is the lcm of the multiplicative orders of X in $F_2[X]/(P_j(X)^{α_j})$. When P(X) has no square factor, all these rings are fields, and the order of X in $F_2[X]/(P_j(X))$ is thus a divisor of $2^{\deg P_j} − 1$. This gives a way of finding the period.

Exercises:

1. Let $P = X^5 + X^4 + 1 = (X^3 + X + 1)(X^2 + X + 1)$. Find the period of the output of the corresponding LFSR when $Q_0 = 1$ and when $Q_0 = X^3 + 1$.


First remark that with the Chinese Remainder Theorem, we have

$$F_2[X]/(P(X)) ≅ R_1 × R_2,$$

with $R_1 = F_2[X]/(X^3 + X + 1)$ and $R_2 = F_2[X]/(X^2 + X + 1)$. As $|R_1^×| = 2^3 − 1 = 7$, the order of X in this quotient is 7, and as $|R_2^×| = 2^2 − 1 = 3$, the order of X in that quotient is 3. Thus the order of X in $F_2[X]/(P(X))$ is 21 and if $Q_0 = 1$, the period of the LFSR is 21. Now if $Q_0 = X^3 + 1$, the period of $(X^k Q_0)_k$ becomes 1 modulo $X^2 + X + 1$ and remains 7 modulo $X^3 + X + 1$. Thus the period of the corresponding LFSR is 7.

2. When P is not square-free, determining the period may be more difficult. Two examples:

(a) Let $P = (X + 1)^2 = X^2 + 1$. Depending on $Q_0$, find all the possible periods.

If $Q_0 = 0$, the period is 1. If $\gcd(Q_0, X + 1) = 1$, the period is the order of X in the group of units $\{1, X\}$ of $F_2[X]/((X + 1)^2)$, which equals 2. Finally, if $Q_0 = X + 1$, as $X(X + 1) = X + 1$ modulo P, the period of the LFSR equals 1.

(b) Same question with $P = (X^2 + X + 1)^2 = X^4 + X^2 + 1$.

If $Q_0 = 0$, the period is 1. If $\gcd(Q_0, X^2 + X + 1) = 1$, then $Q_0$ is invertible in $F_2[X]/(P)$ and the period of the LFSR is equal to the order of X modulo P. As the non-invertible elements of $F_2[X]/(P)$ are the multiples of $X^2 + X + 1$, there are exactly 4 non-invertible elements and thus $2^4 − 4 = 12$ invertible elements. In particular the order of X divides 12, but $X^4 = X^2 + 1 ≠ 1 \bmod P$ and $X^6 = 1 \bmod P$, while $X^2$ and $X^3$ are different from 1 modulo P, so the order of X is 6. Finally, if $Q_0$ equals $X^2 + X + 1$ up to an invertible element, wlog we can assume that $Q_0 = X^2 + X + 1$. Then $X Q_0 = X^3 + X^2 + X$, $X^2 Q_0 = X^3 + 1 \bmod P$ and $X^3 Q_0 = Q_0 \bmod P$, so the period of the LFSR is 3.

3. Determine all the possible periods of the output of an LFSR with 4 states.

Work in $F_2[X]/(P)$ with deg P = 4 and distinguish the cases corresponding to the different factorisation patterns of the modulus polynomial P. For example, if P is irreducible you should find 5 or 15 for the possible orders of X, thus an LFSR with period 1, 5 or 15 depending on the chosen seed...
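The period computations of this section in Python, working directly on the Galois state Q_i = X^i Q_0 mod P as the exercises do (an added example, not code from the lecture notes): the period is the length of the orbit of Q_0 under multiplication by X, and the maximal-period theorem is checked with a brute-force irreducibility test, which is adequate for the small degrees used here. Polynomials over F_2 are integers with bit k the coefficient of X^k.

```python
def poly_deg(A):
    """Degree of a polynomial over F_2 stored as an int (deg 0 = -1)."""
    return A.bit_length() - 1


def poly_mod(A, B):
    """Remainder of A in the Euclidean division by B over F_2 (B != 0)."""
    dB = poly_deg(B)
    while A and poly_deg(A) >= dB:
        A ^= B << (poly_deg(A) - dB)
    return A


def lfsr_period(P, Q0):
    """Smallest T > 0 with X^T Q_0 = Q_0 mod P, i.e. the period of the LFSR with
    characteristic polynomial P started from Galois state Q_0. Requires the
    constant term c_L = P(0) to be non-zero, so that multiplication by X is a
    bijection and the state sequence is purely periodic (Proposition of 6.2)."""
    if P & 1 == 0:
        raise ValueError("P must have a non-zero constant term c_L")
    L = poly_deg(P)
    Q = Q0 = poly_mod(Q0, P)
    for T in range(1, 2 ** L + 1):
        Q <<= 1                                  # multiply by X
        if (Q >> L) & 1:
            Q ^= P                               # reduce modulo P
        if Q == Q0:
            return T
    raise AssertionError("unreachable: there are at most 2^L distinct states")


def is_irreducible(P):
    """Trial division of P by every polynomial of degree 1 .. deg(P)/2."""
    L = poly_deg(P)
    if L < 1:
        return False
    for D in range(2, 1 << (L // 2 + 1)):       # every D with 1 <= deg D <= L/2
        if poly_mod(P, D) == 0:
            return False
    return True


def is_primitive(P):
    """Theorem of 6.4: maximal period 2^L - 1 iff P is irreducible and the class
    of X generates the multiplicative group of F_2[X]/(P)."""
    return is_irreducible(P) and lfsr_period(P, 1) == 2 ** poly_deg(P) - 1


if __name__ == "__main__":
    # Exercise 1: P = X^5 + X^4 + 1 = (X^3 + X + 1)(X^2 + X + 1), so lcm(7, 3) = 21
    P1 = 0b110001
    print("X^5+X^4+1, Q0 = 1      :", lfsr_period(P1, 1))
    print("X^5+X^4+1, Q0 = X^3+1  :", lfsr_period(P1, 0b1001))
    # Exercise 2(b): P = (X^2 + X + 1)^2 = X^4 + X^2 + 1 is not square-free
    P2 = 0b10101
    print("X^4+X^2+1, Q0 = 1      :", lfsr_period(P2, 1))
    print("X^4+X^2+1, Q0 = X^2+X+1:", lfsr_period(P2, 0b111))
    # Example of 6.4: X^4+X^3+X^2+X+1 is irreducible but not primitive, X^4+X^3+1 is
    print("primitive:", is_primitive(0b11111), is_primitive(0b11001))
```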

6.5 Minimal polynomial of a linear recurring sequence

Unfortunately, the sequence generated by an LFSR is not cryptographically secure. Indeed, it is possible to recover efficiently its feedback polynomial knowing only 2L consecutive bits of the sequence, after which the entire sequence can be recomputed. More precisely, the Berlekamp-Massey algorithm allows one to find the minimal polynomial of a linear recurring sequence.

Let $E = F_2^{ℕ}$ be the $F_2$-vector space of all sequences with values in $F_2$. The shift operator D is the endomorphism of E defined by

$$∀u ∈ E,\ ∀n ∈ ℕ,\quad (Du)_n = u_{n+1}.$$


For any polynomial $P = \sum_{k=0}^{d} a_k X^k ∈ F_2[X]$, the endomorphism P(D) satisfies $(P(D)u)_n = \sum_{k=0}^{d} a_k u_{n+k}$ for every sequence u and all n ∈ ℕ. Now given a sequence u, it is not difficult to see that the set of all $P ∈ F_2[X]$ such that P(D)u = 0 (i.e. the null sequence) is an ideal of $F_2[X]$.

Definition. A sequence $u = (u_n) ∈ F_2^{ℕ}$ satisfies a linear recurrence relation if and only if the ideal

$$I_u = \{ P ∈ F_2[X] \mid P(D)u = 0 \}$$

is not {0}. In this case, the minimal polynomial of $I_u$ (i.e. the smallest-degree non-zero polynomial in $I_u$, or equivalently the unique monic polynomial π such that $I_u = π \cdot F_2[X]$) is called the minimal polynomial of u.

If $s = (s_i)$ is the output of an LFSR, then clearly its characteristic polynomial P(X) satisfies P(D)s = 0, thus the minimal polynomial of s is a divisor of P(X). When the LFSR has maximal period, P(X) is irreducible and so is equal to this minimal polynomial.

Let u be a linear recurring sequence. In order to determine whether a polynomial P satisfies P(D)u = 0, it is (fortunately) not necessary to test that $(P(D)u)_n = 0$ for all integers n, as long as a bound is known on the degree of the minimal polynomial. More precisely:

Proposition. Let $Q ∈ F_2[X]$ be such that $(Q(D)u)_n = 0$ for all $n ∈ ⟦0, N − 1⟧$, where N is an integer greater than or equal to the degree of the minimal polynomial of u. Then Q(D)u is the zero sequence, so Q is a multiple of the minimal polynomial.

Exercise: prove this proposition. More precisely, if P is the minimal polynomial of u and v = Q(D)(u),

1. show that P (D)(v) = 0, so that v satisfies an order deg(P ) linear recurrence relation;

2. deduce that v = 0.

Proof. Let $P = X^d − \sum_{k=0}^{d-1} a_k X^k$ be the minimal polynomial of u. Then $P(D) ∘ Q(D) = (PQ)(D) = (QP)(D) = Q(D) ∘ P(D)$. In particular $P(D)(Q(D)(u)) = Q(D)(P(D)(u)) = Q(D)(0) = 0$, thus Q(D)(u) is again a linear recurring sequence, satisfying the same recurrence relation as u:

$$∀n ∈ ℕ,\quad (Q(D)u)_{n+d} = \sum_{k=0}^{d-1} a_k\,(Q(D)u)_{n+k}.$$

But the first d terms of this sequence are equal to zero, so Q(D)u is the zero sequence.

Exercise:

1. Let u and v be two linear recurring sequences (with potentially different minimal polynomials). Show that u + v is a linear recurring sequence.


Just take the lcm of the two minimum polynomials of u and v.

2. Deduce that the set of all linear recurring sequences is a vector space.

This is a vector space over $F_2$.

6.6 Cryptanalysis of LFSR

Let u be a linear recurring sequence, of minimal polynomial P. If a bound L is known on the degree of P, as well as 2L consecutive terms (without loss of generality, these terms can be taken as $u_0, u_1, \ldots, u_{2L-1}$), there is a simple method to recover the minimal polynomial. Indeed, writing $P = \sum_{k=0}^{L} a_k X^k$, for all $n ∈ ⟦0, L − 1⟧$ it holds that $(P(D)u)_n = \sum_{k=0}^{L} a_k u_{n+k} = 0$. This yields the system

$$\begin{pmatrix} u_0 & u_1 & \cdots & u_L \\ u_1 & u_2 & \cdots & u_{L+1} \\ \vdots & & & \vdots \\ u_{L-1} & u_L & \cdots & u_{2L-1} \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \\ \vdots \\ a_L \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ \vdots \\ 0 \end{pmatrix},$$

which can be solved using e.g. Gaussian elimination.

A faster method has been proposed by Berlekamp and Massey in the late 60's. The idea is to compute iteratively, for each 0 ≤ N ≤ 2L, a minimal polynomial $P_N$ of the truncated sequence $(u_0, u_1, \ldots, u_{N-1})$; this will be studied during the exercise session. (Another, asymptotically faster method is based on the extended Euclid algorithm stopped at the middle, but it requires having the whole sequence $(u_0, \ldots, u_{2L-1})$ beforehand, while the Berlekamp-Massey algorithm can be fed one element at a time.)
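The Berlekamp-Massey algorithm over F_2 as an added Python example (not the lecture's own code), showing concretely what 2L observed bits give away: fed the first 8 bits of the 15-bit sequence of exercise 3 in 6.4, it returns L = 4 and the feedback polynomial C(X) = 1 + X + X^4, whose reciprocal is the characteristic polynomial X^4 + X^3 + 1, after which the remaining bits follow from the recurrence. The sample sequence is constructed from that exercise.

```python
def berlekamp_massey(bits):
    """Return (L, C) where C = [1, c_1, ..., c_L] holds the coefficients of the
    connection (feedback) polynomial C(X) = 1 + c_1 X + ... + c_L X^L of the
    shortest LFSR generating `bits`: s_j = c_1 s_{j-1} + ... + c_L s_{j-L}
    for all L <= j < len(bits). L is the linear complexity of the sequence."""
    n = len(bits)
    C = [1] + [0] * n          # current connection polynomial
    B = [1] + [0] * n          # connection polynomial before the last length change
    L, m = 0, 1                # m = steps elapsed since that length change
    for N in range(n):
        # discrepancy between bit N and what the current LFSR predicts for it
        d = bits[N]
        for i in range(1, L + 1):
            d ^= C[i] & bits[N - i]
        if d == 0:
            m += 1
            continue
        T = C[:]
        for i in range(n + 1 - m):      # C(X) <- C(X) + X^m B(X)
            C[i + m] ^= B[i]
        if 2 * L <= N:                  # the register has to grow
            L, B, m = N + 1 - L, T, 1
        else:
            m += 1
    return L, C[:L + 1]


def characteristic_polynomial(C):
    """Reciprocal of the feedback polynomial, as an int with bit k = coefficient
    of X^k: P(X) = X^L + c_1 X^{L-1} + ... + c_L (the notation of 6.2)."""
    L = len(C) - 1
    return sum(c << (L - j) for j, c in enumerate(C))


def extend(bits, C, count):
    """Continue the sequence `count` more steps with the recurrence given by C."""
    L = len(C) - 1
    out = list(bits)
    for _ in range(count):
        out.append(sum(C[i] & out[-i] for i in range(1, L + 1)) % 2)
    return out[len(bits):]


# Constructed sample: output of the LFSR with P = X^4 + X^3 + 1 (exercise 3 of 6.4).
SAMPLE = [0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1]

if __name__ == "__main__":
    L, C = berlekamp_massey(SAMPLE[:8])          # only 2L = 8 bits are observed
    print("linear complexity:", L, " feedback coefficients:", C)
    print("characteristic polynomial:", bin(characteristic_polynomial(C)))
    print("predicted:", extend(SAMPLE[:8], C, 7), " actual:", SAMPLE[8:])
```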

This means that using one LFSR is not cryptographically secure. A solution is to use several LFSRs and combine their results in a non-linear way; this is the basis of the A5/1 and E0 stream ciphers (used in GSM and Bluetooth respectively). Another example is the shrinking generator: it consists of two LFSRs A and S. The shrinking generator outputs the value of the output bit of A, but only when the output of S is equal to 1. For example, if the output sequences of A and S are

S : 10010101110101001
A : 00110111100010100

then the output of the shrinking generator is 011110000. It is secure if the feedback polynomials are secret, but may be susceptible to timing attacks since the basic output rate is irregular.

Exercise: Let u and v be the binary sequences output by two different LFSRs. Show that the sequence u + v is not suitable for cryptography. What about the sequence u × v?

The sequence u + v is a linear recurring sequence and thus not secure as an output of an LFSR. The sequence u × v is not a secure sequence either (too many zeroes in the sequence).
