Why this lesson?
• Do you really know what a group is?
• Do you know how to obtain a group?
• Do you know how modular arithmetic works?
• Why do crypto assumptions work?
• How to choose a group?
• Many boring, but useful, things explained in this lesson!
• I hope
Sicurezza delle Reti - Esercitazione
Groups
• Let 𝔾 be a set and ∘(·,·) a binary operator
• We define (𝔾, ∘) as a "group" if we have:
  • Closure: ∀g, h ∈ 𝔾 ⇒ g ∘ h ∈ 𝔾
  • Identity Element: ∃e ∈ 𝔾 s.t. ∀g ∈ 𝔾 ⇒ e ∘ g = g
  • Inverse Element: ∀g ∈ 𝔾 ∃h ∈ 𝔾 s.t. h ∘ g = e
  • Associativity: ∀g1, g2, g3 ∈ 𝔾 ⇒ (g1 ∘ g2) ∘ g3 = g1 ∘ (g2 ∘ g3)
• A group (𝔾, ∘) is abelian if:
  • Commutativity: ∀g, h ∈ 𝔾 ⇒ g ∘ h = h ∘ g
• If 𝔾 has a finite number of elements ⇒ finite group
• The order of 𝔾 is denoted by |𝔾|
Groups: example
• Consider the set of integers ℤ
• We have all values in {0, 1, 2, …} ∪ {−1, −2, −3, …}
• What about (ℤ, +)?
  • Closure: g + h ∈ ℤ?
  • Identity Element: e s.t. g + e = g?
  • Inverse Element: h s.t. g + h = e?
  • Associativity: (a + b) + c = a + (b + c)?
• Commutativity: a + b = b + a?
• Finite group?
Groups: example
• Consider the set of integers ℤ
• We have all values in {0, 1, 2, …} ∪ {−1, −2, −3, …}
• What about (ℤ, ·)?
  • Closure: g · h ∈ ℤ?
  • Identity Element: e s.t. g · e = g?
  • Inverse Element: h s.t. g · h = e?
  • Associativity: (a · b) · c = a · (b · c)?
• Commutativity: a · b = b · a?
• Finite group?
Groups: example
• Consider the set of reals ℝ
• What about (ℝ, ·)?
  • Closure: g · h ∈ ℝ?
  • Identity Element: e s.t. g · e = g?
  • Inverse Element: h s.t. g · h = e?
  • Associativity: (a · b) · c = a · (b · c)?
• Commutativity: a · b = b · a?
• Finite group?
• Try with the set of reals ℝ \ {0}
Divisibility
• In the set of integers ℤ we can't always divide:
  24 ÷ 6 = 4 ∈ ℤ …but… 24 ÷ 5 ∉ ℤ
• We say that "a divides b" (a | b) if:
  ∃c ∈ ℤ : a · c = b
• Observe that if a | b and a | c then:
  a | (Xb + Yc), ∀X, Y ∈ ℤ
Primes
• If a | b: a is a divisor of b
• If a | b and a ≠ 1, b: a is a factor of b
• An integer p > 1 is prime if it has no factors
• A prime can be divided only by 1 and itself
• A positive integer that is not prime is composite and:
  N = ∏_i p_i^{e_i}, {p_i}: primes
Divisibility: obvious
• We can write a relation between integers a, b: a = qb + r, with q = ⌊a/b⌋
• If c | ab and gcd(a, c) = 1 ⇒ c | b
• If p prime and p | ab ⇒ p | a or p | b
• If gcd(p, q) = 1 and p | N and q | N ⇒ pq | N
Modular Arithmetic
• Let a, N ∈ ℤ
• Remember that: a = qN + r
  a mod N ≡ r
• We obtained that:
  a ∈ {…, −2, −1, 0, 1, 2, …}
  but…
  r ∈ {0, 1, 2, …, N − 1} ⇒ ℤ_N: {0, …, N − 1}
Modular Arithmetic
• Modular arithmetic works as you expect:
  N = 12 ⇒ ℤ_12: {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11}
• 15 + 16 = ? in ℤ_12
• 15 ∗ 16 = ? in ℤ_12
• 15 − 16 = ? in ℤ_12
• We can reduce first, then compute:
  • 198275 + 982763 = 75 + 63 = 38 in ℤ_100
Groups: ℤ_N
• Consider the set of integers ℤ_N
• Let N > 1 ⇒ ℤ_N: {0, …, N − 1}
• Define the addition as a + b ≝ [(a + b) mod N]
• What about (ℤ_N, +)?
  • Closure: g + h ∈ ℤ_N?
  • Identity Element: e s.t. g + e = g?
  • Inverse Element: h s.t. g + h = e?
  • Associativity: (a + b) + c = a + (b + c)?
• Commutativity: a + b = b + a?
• Finite group?
Groups: ℤ_N
• Consider the set of integers ℤ_N
• Let N > 1 ⇒ ℤ_N: {0, …, N − 1}
• Define the multiplication as a ∗ b ≝ [(a ∗ b) mod N]
• What about (ℤ_N, ∗)?
  • Closure: g ∗ h ∈ ℤ_N?
  • Identity Element: e s.t. g ∗ e = g?
  • Inverse Element: h s.t. g ∗ h = e?
  • Associativity: (a ∗ b) ∗ c = a ∗ (b ∗ c)?
• Commutativity: a ∗ b = b ∗ a?
• Finite group?
Groups: ℤ_N^*
• Over the rationals we define the inverse as: a^{-1} = 1/a
• In ℤ_N we define the inverse of x as:
  y ∈ ℤ_N s.t. x · y = 1 in ℤ_N
• Then the inverse of 2 in ℤ_N is always (N + 1)/2:
  2 ∗ (N + 1)/2 = N + 1 = 1 in ℤ_N
Groups: ℤ_N^*
• Then the inverse of 2 in ℤ_N is (N + 1)/2
• Iff N is odd! Else… no inverse!
• An element x in ℤ_N has an inverse iff:
  gcd(x, N) = 1 ⇔ x and N are relatively prime
• Can we define a multiplicative group over ℤ_N?
Groups: ℤ_N^*
• Can we define a multiplicative group over ℤ_N?
• ℤ_N^* = set of invertible elements in ℤ_N = {x ∈ ℤ_N : gcd(x, N) = 1}
• Examples:
  • p prime ⇒ ℤ_p^* = ℤ_p \ {0} = {1, 2, 3, …, p − 1}
  • N = 6 ⇒ ℤ_6^* = {1, 5}
  • N = 12 ⇒ ℤ_12^* = {1, 5, 7, 11}
Groups: ℤ_N^*
• Consider the set of integers ℤ_N^*
• Let N > 1 ⇒ ℤ_N^* = {x ∈ ℤ_N : gcd(x, N) = 1}
• Define the multiplication as a ∗ b ≝ [(a ∗ b) mod N]
• What about (ℤ_N^*, ∗)?
  • Closure: g ∗ h ∈ ℤ_N^*?
  • Identity Element: e s.t. g ∗ e = g?
  • Inverse Element: h s.t. g ∗ h = e?
  • Associativity: (a ∗ b) ∗ c = a ∗ (b ∗ c)?
• Commutativity: a ∗ b = b ∗ a?
• Finite group?
Euclid Algorithm
• For a, b ∈ ℤ: gcd(a, b) is the greatest common divisor
• There exist X, Y ∈ ℤ s.t. Xa + Yb = gcd(a, b)
• If gcd(a, b) = 1 ⇒ a and b are relatively prime
  gcd(5, 16) = 1 ⇒ 5X + 16Y = 1
• How to calculate gcd(a, b)? Use Euclid's Algorithm
  gcd(12, 18) = 6 ⇒ 12X + 18Y = 6
• How to calculate X and Y? Use the Extended Euclid Algorithm
  12X + 18Y = 6 ⇒ 12 · 2 + 18 · (−1) = 6
Euclid Algorithm
• We want to calculate gcd(1970, 1066): how to do it?
• Prime factorization of the composite numbers:
  1970 / 2 = 985, 985 / 5 = 197
  1066 / 2 = 533, 533 / 13 = 41
• We can write them as:
  1970 = 2 · 5 · 197, 1066 = 2 · 13 · 41
Euclid Algorithm
• We want to calculate gcd(1970, 1066): how to do it?
• Use Euclid's Algorithm:
  gcd(1970, 1066) ⇒ gcd(1066, 904) ⇒ gcd(904, 162) ⇒ gcd(162, 94) ⇒ gcd(94, 68) ⇒ gcd(68, 26) ⇒ gcd(26, 16) ⇒ gcd(16, 10) ⇒ gcd(10, 6) ⇒ gcd(6, 4) ⇒ gcd(4, 2) ⇒ gcd(2, 0)

```python
def gcd(a, b):
    # Euclid: gcd(a, b) = gcd(b, a mod b); when b | a (a mod b == 0) the gcd is b
    if b == 0:
        return a
    if a % b == 0:
        return b
    return gcd(b, a % b)
```
Extended Euclid Algorithm
• We want to calculate X, Y: how to do it? Remember that ∃q, r : a = qb + r
• Use the Extended Euclid Algorithm:
  egcd(5, 3) = (1, −1, 2)
  Solving: q = ⌊5/3⌋ = 1, r = 5 − 3 = 2, then solve 3X + 2Y = 1 …

```python
def egcd(a, b):
    # returns (d, X, Y) with X*a + Y*b = d = gcd(a, b)
    if b == 0:
        return (a, 1, 0)
    if a % b == 0:
        return (b, 0, 1)           # 0*a + 1*b = b
    q = a // b
    r = a - q * b                  # a = q*b + r
    (d, X, Y) = egcd(b, r)         # X*b + Y*r = d
    return (d, Y, X - Y * q)       # substitute r = a - q*b: Y*a + (X - Y*q)*b = d
```
Linear equations
• We learned to compute modular arithmetic
• We learned that it is very simple
• Can we solve modular equations?
  ax + b = 0 in ℤ_N
  x = −b / a in ℤ_N ⇒ x = −b ∗ a^{-1} in ℤ_N
• Solve the equation 3x + 2 = 7 in ℤ_19 ⇒ x = 8
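An added example, not code from the slides: the extended Euclid algorithm used to compute inverses in ℤ_N, to list ℤ_N^* and to solve a linear equation, checked against the values above (egcd(5, 3), the inverse of 2 in an odd modulus, ℤ_12^* and 3x + 2 = 7 in ℤ_19).

```python
# Added example, not from the slides: modular inverses in Z_N through the
# extended Euclid algorithm, and solving a*x + b = 0 in Z_N with them.

def egcd(a, b):
    """Return (d, X, Y) with X*a + Y*b = d = gcd(a, b)."""
    if b == 0:
        return (a, 1, 0)
    q, r = divmod(a, b)          # a = q*b + r
    d, X, Y = egcd(b, r)         # X*b + Y*r = d
    return (d, Y, X - Y * q)     # substitute r = a - q*b

def inverse(x, N):
    """Inverse of x in Z_N, or None when gcd(x, N) != 1 (no inverse exists)."""
    d, X, _ = egcd(x % N, N)
    return X % N if d == 1 else None

def units(N):
    """Z_N^*: the invertible elements of Z_N."""
    return [x for x in range(1, N) if egcd(x, N)[0] == 1]

def solve_linear(a, b, N):
    """Solve a*x + b = 0 in Z_N as x = -b * a^-1; None if a has no inverse."""
    a_inv = inverse(a, N)
    if a_inv is None:
        return None
    return (-b * a_inv) % N

if __name__ == "__main__":
    print(egcd(5, 3))                        # (1, -1, 2): 5*(-1) + 3*2 = 1
    print(inverse(2, 19), (19 + 1) // 2)     # 10 10: for odd N, 2^-1 = (N+1)/2
    print(inverse(2, 12))                    # None: 2 is not invertible in Z_12
    print(units(12))                         # [1, 5, 7, 11]
    print(solve_linear(3, 2 - 7, 19))        # 8: 3x + 2 = 7 in Z_19
```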
Cyclic Groups
• Let 𝔾 be a finite group of order m
• 𝔾 is a cyclic group if:
  ∃g : {g^0, g^1, g^2, …, g^{m−1}} = 𝔾
• Where g is a generator
• N = 7 ⇒ ℤ_7^* = {1, 2, 3, 4, 5, 6}
• g = 2 ⇒ {2^0, 2^1, 2^2, 2^3, 2^4, 2^5} = {1, 2, 4, 1, 2, 4} ≠ 𝔾
• g = 3 ⇒ {3^0, 3^1, 3^2, 3^3, 3^4, 3^5} = {1, 3, 2, 6, 4, 5} = 𝔾
Cyclic Groups: order
• The group generated by g: <g> = {g^0, g^1, g^2, …}
• Defines a sub-group of ℤ_N^*
• The order of <g> is the smallest a s.t. g^a = 1 in ℤ_N
• For groups of prime order ⇒ all elements are generators
  • Except the identity!
• N.B. g^{|ℤ_N^*|} = 1 in ℤ_N
• |<3>| = 6 in ℤ_7, |<2>| = 3 in ℤ_7, |<1>| = 1 in ℤ_7
Cyclic Groups: order
• For an integer N define φ(N) = |ℤ_N^*| ⇒ Euler's φ (totient) function
• What is the value of φ(N)?
  • If N prime: φ(N) = N − 1
  • If N = p ∗ q: φ(N) = (p − 1) ∗ (q − 1)
  • If N = ∏_i p_i^{e_i}: φ(N) = ∏_i (p_i − 1) ∗ p_i^{e_i − 1}
• ∀x ∈ ℤ_N^* ⇒ x^{φ(N)} = 1 in ℤ_N^*
• ∀x ∈ ℤ_N^* ⇒ x^i in ℤ_N^* = x^{i mod φ(N)}
• Useful in the RSA Assumption! Do you remember it?
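An added example, not code from the slides, for the cyclic-group slides above: it computes <g>, the order of an element, the generators of ℤ_N^* and φ(N) by brute force, and checks Euler's theorem and the exponent reduction mod φ(N); small moduli only, the loops are linear in N.

```python
# Added example, not from the slides: orders of elements, generators and
# Euler's totient in Z_N^*, checked against the slides' Z_7 values.
from math import gcd

def units(N):
    """Z_N^* = {x in Z_N : gcd(x, N) = 1}."""
    return [x for x in range(1, N) if gcd(x, N) == 1]

def phi(N):
    """Euler's totient: phi(N) = |Z_N^*|."""
    return len(units(N))

def generated(g, N):
    """<g> = {g^0, g^1, ...} in Z_N, as a set (stops when the powers repeat)."""
    sub, x = set(), 1
    while x not in sub:
        sub.add(x)
        x = (x * g) % N
    return sub

def order(g, N):
    """Order of <g>: the smallest a >= 1 with g^a = 1 in Z_N."""
    if gcd(g, N) != 1:
        raise ValueError("g must be in Z_N^*, otherwise no power is 1")
    a, x = 1, g % N
    while x != 1:
        x = (x * g) % N
        a += 1
    return a

def generators(N):
    """Elements whose powers cover all of Z_N^* (empty when Z_N^* is not cyclic)."""
    U = units(N)
    return [g for g in U if order(g, N) == len(U)]

def euler_holds(N):
    """Euler's theorem: x^phi(N) = 1 in Z_N for every x in Z_N^*."""
    return all(pow(x, phi(N), N) == 1 for x in units(N))

if __name__ == "__main__":
    print(generated(2, 7), generated(3, 7))       # {1, 2, 4} and all of Z_7^*
    print(order(3, 7), order(2, 7), order(1, 7))  # 6 3 1, as on the slide
    print(generators(7))                          # [3, 5]
    print(phi(12), units(12), generators(12))     # 4 [1, 5, 7, 11] []: not cyclic
    print(euler_holds(12), pow(5, 100, 12) == pow(5, 100 % phi(12), 12))
```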
Cyclic Groups: find primes
• If p prime: φ(p) = p − 1
• ∀x ∈ ℤ_N^* ⇒ x^{φ(N)} = 1 in ℤ_N^*
• We want to generate a prime of ℓ bits
  1. Choose a random x ∈ [2^ℓ, 2^{ℓ+1} − 1]
  2. Compute y = 2^{x−1} in ℤ_x
  3. If y = 2^{x−1} = 1 in ℤ_x ⇒ x is prime
  4. Warning: P(x not prime) < 2^{−60}
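An added example, not code from the slides: the base-2 Fermat test of steps 2-3, a variant that repeats it with random bases to drive the error probability down, the candidate generation of step 1, and the failure mode of a single fixed base (composites such as 341 = 11 · 31 pass the base-2 test). The trial-division checker is only a reference for the small sizes used here.

```python
# Added example, not from the slides: the base-2 Fermat test from the slide,
# a multi-base variant, and the false positives a single base lets through.
import secrets

def fermat_base2(x):
    """Slide's test: x passes if 2^(x-1) = 1 in Z_x."""
    return x > 2 and pow(2, x - 1, x) == 1

def fermat(x, rounds=60):
    """Repeat the test with random bases a in [2, x-2]; a composite that is
    not a Carmichael number passes each round with probability <= 1/2."""
    if x < 4:
        return x in (2, 3)
    for _ in range(rounds):
        a = 2 + secrets.randbelow(x - 3)
        if pow(a, x - 1, x) != 1:
            return False
    return True

def is_prime_trial(x):
    """Exact reference check by trial division (small x only)."""
    if x < 2:
        return False
    d = 2
    while d * d <= x:
        if x % d == 0:
            return False
        d += 1
    return True

def find_prime(l, rounds=60):
    """Steps 1-3 of the slide: draw x in [2^l, 2^(l+1) - 1] until it passes."""
    while True:
        x = (1 << l) | secrets.randbits(l)
        if fermat(x, rounds):
            return x

def base2_pseudoprimes(limit):
    """Composites below limit that the single-base test of step 3 accepts."""
    return [x for x in range(3, limit)
            if fermat_base2(x) and not is_prime_trial(x)]
```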
Review
• We defined (𝔾, ∘) as a group if it has some properties…
• We defined a mod N as the remainder of a divided by N
• We defined the additive ℤ_N and multiplicative ℤ_N^* groups over N
• We defined how to find and test a prime
• We discovered when a group is cyclic and what a generator is
A trick: Chinese Remainder
• We have N = p ∗ q composite
• We want to compute: x mod N
• We can reduce it… there is a theorem for it!
  x mod (p ∗ q) = {x mod p, x mod q}
• Compute:
  • 177 mod 35 = (177 mod 5, 177 mod 7) = (2, 2) = 2 mod 35
  • 24 mod 35 = (24 mod 5, 24 mod 7) = (4, 3)
• We can simplify the representation through pairs!
• We can improve some computations in RSA!
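An added example, not code from the slides: the pair representation of ℤ_{pq} above, the reconstruction back to ℤ_{pq} (Garner's form, which the slide does not show), and arithmetic done componentwise, including the exponent reduction that gives the RSA speed-up mentioned above. Requires Python 3.8+ for `pow(p, -1, q)`.

```python
# Added example, not from the slides: Chinese Remainder representation of
# Z_N for N = p*q, with arithmetic done componentwise and mapped back.
from math import gcd

def to_crt(x, p, q):
    """x mod (p*q) -> (x mod p, x mod q)."""
    return (x % p, x % q)

def from_crt(pair, p, q):
    """(xp, xq) -> the unique x in Z_{pq} with x = xp (mod p) and x = xq (mod q).
    Garner's form: x = xp + p * ((xq - xp) * p^-1 mod q); needs gcd(p, q) = 1."""
    assert gcd(p, q) == 1, "CRT needs coprime moduli"
    xp, xq = pair
    p_inv_q = pow(p, -1, q)             # p^-1 in Z_q
    h = ((xq - xp) * p_inv_q) % q
    return (xp + p * h) % (p * q)

def crt_mul(a, b, p, q):
    """a*b mod pq computed in the pair representation."""
    (ap, aq), (bp, bq) = to_crt(a, p, q), to_crt(b, p, q)
    return from_crt(((ap * bp) % p, (aq * bq) % q), p, q)

def crt_pow(x, e, p, q):
    """x^e mod pq (e >= 1) via the pairs: each exponent is reduced mod p-1 and
    mod q-1 (Fermat), which is exactly the RSA-CRT speed-up.  When the reduced
    exponent is 0 we keep p-1 instead, so x = 0 mod p still gives 0, not 1."""
    ep = e % (p - 1) or (p - 1)
    eq = e % (q - 1) or (q - 1)
    return from_crt((pow(x % p, ep, p), pow(x % q, eq, q)), p, q)
```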
All together
Remembering the above concepts, compute:
• 14 ∗ 13 mod 15 = ?
• 11^2 mod 15 = ?
• 29^100 mod 35 = ?
• 18^25 mod 35 = ?
• How many elements in ℤ_15^*? What about generators?
Modular e-roots
• We know how to solve linear equations in ℤ_N
  ax + b = 0 in ℤ_N ⇒ x = −b ∗ a^{-1} in ℤ_N
• What about higher degree polynomials?
• How to solve equations like:
  x^2 = α or x^27 = α or x^32 = α in ℤ_N
Modular e-roots
• Let p be a prime and c ∈ ℤ_p
• If ∃x : x^e = c in ℤ_p ⇒ x is an e-th root of c
• Examples:
  • 7^{1/3} in ℤ_11 ⇒ 7^{3^{-1} mod 10} in ℤ_11 = ?
  • 3^{1/2} in ℤ_11 ⇒ 3^{2^{-1} mod 10} in ℤ_11 = ?
  • 1^{1/3} in ℤ_11 ⇒ 1^{3^{-1} mod 10} in ℤ_11 = ?
Modular e-roots
• When does c^{1/e} in ℤ_p exist?
• Suppose gcd(e, p − 1) = 1:
  • Then ∀c ∈ ℤ_p^* ⇒ ∃c^{1/e} in ℤ_p
• But what if gcd(e, p − 1) ≠ 1?
• Suppose e = 2
• If p is prime ⇒ gcd(2, p − 1) = ?
Quadratic Residue
• If p is prime ⇒ gcd(2, p − 1) = 2
• Define as quadratic residue an element y ∈ ℤ_p^* :
  • If ∃x ∈ ℤ_p^* s.t. x^2 = y mod p
• In ℤ_p^* ⇒ f(x) : x ⟶ x^2 is one-way
• x in ℤ_p is a Q.R. if x^{1/2} is computable in ℤ_p
• Squares in ℤ_11 (x and −x share the same square):
  x    −x   x^2
  1    10   1
  2     9   4
  3     8   9
  4     7   5
  5     6   3
Quadratic Residue
• If we have p = 3 mod 4
• We can compute the square root efficiently:
• If c ∈ ℤ_p^* is a Q.R. ⇒ √c = c^{(p+1)/4} mod p
• Useful when we cannot invert 2 in ℤ_{p−1}
• Example:
  √4 in ℤ_11 = 4^3 mod 11 = 9 ⇒ 9^2 mod 11 = 4
Quadratic Equations
• We know how to solve linear equations modulo N
  ax + b = 0 mod N ⇒ x = −b ∗ a^{-1} mod N
• What about quadratic equations?
  ax^2 + bx + c = 0 mod N
• Standard solution:
  x = (−b ± √(b^2 − 4ac)) · (−2a)^{-1} mod N
  1. Compute: (−2a)^{-1} mod N
  2. Compute: (b^2 − 4ac)^{1/2} mod N
  3. Put it all together!
Quadratic Equations: example
• What about quadratic equations?
  x^2 + 4x + 1 = 0 mod 23
• Standard solution:
  x = (−4 ± √(16 − 4)) · (−2)^{-1} mod 23
  1. Compute: (−2)^{-1} mod 23 = 11
  2. Compute: (16 − 4)^{1/2} mod 23 = 9
  3. Put it all together ⇒ x1 = 9, x2 = 5
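An added example, not code from the slides, covering the e-th root, quadratic residue and quadratic equation slides above: e-th roots through the inverse exponent when gcd(e, p − 1) = 1, Euler's criterion for Q.R. membership, the c^{(p+1)/4} square root for p = 3 mod 4, and the quadratic solver. The solver uses the textbook denominator 2a (the slides write −2a) and substitutes every root back into the equation before returning it. Requires Python 3.8+ for `pow(e, -1, m)`.

```python
# Added example, not from the slides: e-th roots and square roots in Z_p for
# a prime p, and solving a*x^2 + b*x + c = 0 in Z_p with them.
from math import gcd

def eth_root(c, e, p):
    """c^(1/e) in Z_p when gcd(e, p-1) = 1: raise c to e^-1 mod (p-1)."""
    if gcd(e, p - 1) != 1:
        return None                         # the inverse exponent does not exist
    return pow(c, pow(e, -1, p - 1), p)

def is_qr(c, p):
    """Euler's criterion: c in Z_p^* is a quadratic residue iff c^((p-1)/2) = 1."""
    return c % p != 0 and pow(c, (p - 1) // 2, p) == 1

def sqrt_mod(c, p):
    """A square root of the Q.R. c in Z_p for p = 3 mod 4: c^((p+1)/4).
    Returns None when p is not 3 mod 4 or c is not a residue."""
    if p % 4 != 3 or not is_qr(c, p):
        return None
    r = pow(c, (p + 1) // 4, p)
    return r if (r * r) % p == c % p else None

def solve_quadratic(a, b, c, p):
    """Roots of a*x^2 + b*x + c = 0 in Z_p (p = 3 mod 4, a invertible mod p).
    Every root is checked by substitution before it is returned."""
    disc = (b * b - 4 * a * c) % p
    if disc == 0:
        r = 0                               # double root, no square root needed
    else:
        r = sqrt_mod(disc, p)
        if r is None:
            return set()                    # discriminant is a non-residue
    inv_2a = pow(2 * a, -1, p)
    roots = {((-b + r) * inv_2a) % p, ((-b - r) * inv_2a) % p}
    assert all((a * x * x + b * x + c) % p == 0 for x in roots)
    return roots

if __name__ == "__main__":
    print(eth_root(7, 3, 11), eth_root(3, 2, 11), eth_root(1, 3, 11))  # 6 None 1
    print([c for c in range(1, 11) if is_qr(c, 11)])                    # [1, 3, 4, 5, 9]
    print(sqrt_mod(4, 11))                                              # 9
    print(solve_quadratic(1, 4, 1, 23))                                 # {5, 14}
```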
Sub-Groups
• If p is prime then the set of Q.R. is a sub-group of ℤ_p^*
• ℚℝ_p ⊂ ℤ_p^*
• The square modulo p is a two-to-one function:
  |ℚℝ_p| = |ℤ_p^*| / 2 = (p − 1) / 2
• If we choose a prime q:
  • If p = 2 ∗ q + 1 is also prime ⇒ p is a strong prime
  |ℚℝ_p| = |ℤ_p^*| / 2 = (p − 1) / 2 = 2 ∗ q / 2 = q
Sub-Groups: example
1. Take: q = 5
2. Compute: p = 2 ∗ q + 1 = 11 ⇒ prime! Not so strong…
3. We have: ℤ_11^* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} ⇒ |ℤ_11^*| = 10
4. Take the group of residues ℚℝ_11 = {1, 3, 4, 5, 9} ⇒ |ℚℝ_11| = 5 ⇒ The order is prime!
• All elements except the identity are generators!
Sub-Groups: find generators
• We want to generate a group
• We want to extract a generator of that group

```python
import random

def generate(l):
    p = find_strong_prime(l)         # assumed helper: strong prime p = 2q + 1, q prime
    q = (p - 1) // 2
    x = random.randrange(2, p - 1)   # random x in Z_p^*, excluding ±1 so that g != 1
    g = x * x % p                    # a square: lies in QR_p, the subgroup of order q
    return (p, q, g)
```
  Trace: p = 11, q = 5, x = 7, g = 49 mod 11 = 5 ⇒ return (11, 5, 5)
  <5> = {5^0, 5^1, 5^2, 5^3, 5^4} mod 11 = {1, 5, 3, 4, 9} = ℚℝ_11
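An added example, not code from the slides: a complete version of generate() for toy sizes, with the strong-prime search the slide leaves to an unnamed helper (here by trial division, which is only viable for small ℓ), plus a check that the returned g generates exactly ℚℝ_p and that every non-identity residue does the same, as the previous slide claims.

```python
# Added example, not from the slides: a working generate() for small bit sizes
# that builds the order-q subgroup QR_p of Z_p^* for a strong prime p = 2q + 1.
import random

def is_prime(n):
    """Trial division; fine for the small l used here, not for real key sizes."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def find_strong_prime(l):
    """Random odd l-bit q until both q and p = 2q + 1 are prime; returns p."""
    while True:
        q = random.randrange(1 << (l - 1), 1 << l) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1

def quadratic_residues(p):
    """QR_p = {x^2 mod p : x in Z_p^*}."""
    return {(x * x) % p for x in range(1, p)}

def generated(g, p):
    """<g> = {g^0, g^1, ...} mod p."""
    sub, x = set(), 1
    while x not in sub:
        sub.add(x)
        x = (x * g) % p
    return sub

def generate(l):
    """The slide's algorithm: (p, q, g) with g a square, hence in QR_p."""
    p = find_strong_prime(l)
    q = (p - 1) // 2
    x = random.randrange(2, p - 1)      # avoid x = +-1, whose square is the identity
    g = (x * x) % p
    return (p, q, g)

def check_group(p, q, g):
    """QR_p has prime order q, g generates it, and so does every h != 1 in it."""
    qr = quadratic_residues(p)
    return (len(qr) == q and generated(g, p) == qr
            and all(generated(h, p) == qr for h in qr if h != 1))
```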
How are bignums represented?
• We need a representation of big-nums
• How to represent an n-bit number (e.g. n = 2048)?
• We have only 32-/64-/128-bit architectures
• So… combine registers:
  [32 bits][32 bits][32 bits][32 bits] ⋯  → n/32 blocks
Computational costs
• Given an n-bit integer N
• Sum in ℤ_N: T_+ = O(n) ⇒ linear
• Multiplication in ℤ_N: T_∗ = O(n^2)
• Division in ℤ_N: T_÷ = O(n^2)
• Exponentiation in ℤ_N: T_exp < O(log n ∗ n^2)
Exponentiation
• Given a finite cyclic group 𝔾 (e.g. 𝔾 = ℤ_p^*)
• We want to compute g^x efficiently. Example:
  x = 53 = (110101)_2 = 32 + 16 + 4 + 1
  g^53 = g^32 ∗ g^16 ∗ g^4 ∗ g^1
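An added example, not code from the slides: the decomposition above implemented two ways, the right-to-left product of g^1, g^4, g^16, g^32 exactly as the slide writes it, and the left-to-right square-and-multiply scan of the bits with a counter, which shows where the "17 multiplications" for e = 65537 on the RSA slide come from (16 squarings and one multiply).

```python
# Added example, not from the slides: modular exponentiation by the binary
# expansion of the exponent, with a count of the group operations performed.

def fast_pow(g, x, N):
    """Left-to-right square-and-multiply.  Returns (g^x mod N, squarings,
    multiplications): one squaring per bit after the leading one, plus one
    multiplication per 1 bit after the leading one."""
    if x == 0:
        return (1 % N, 0, 0)
    bits = bin(x)[2:]                  # '110101' for x = 53
    result, sq, mul = g % N, 0, 0      # the leading bit is always 1
    for bit in bits[1:]:
        result = (result * result) % N
        sq += 1
        if bit == '1':
            result = (result * g) % N
            mul += 1
    return (result, sq, mul)

def pow_by_powers(g, x, N):
    """Slide's decomposition: build g^1, g^2, g^4, ... by repeated squaring and
    multiply together those matching the 1 bits of x (53 = 32 + 16 + 4 + 1).
    Returns (g^x mod N, the powers that were used, lowest first)."""
    result, power, used = 1 % N, g % N, []
    while x:
        if x & 1:
            result = (result * power) % N
            used.append(power)
        power = (power * power) % N
        x >>= 1
    return (result, used)

if __name__ == "__main__":
    print(fast_pow(3, 53, 101))          # (pow(3, 53, 101), 5, 3)
    print(fast_pow(2, 65537, 1000003)[1:])   # (16, 1): the RSA public exponent
    print(pow_by_powers(2, 53, 1000))    # uses 2^1, 2^4, 2^16, 2^32 mod 1000
```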
Easy Problems
• Given composite N and x ∈ ℤ_N → find x^{-1} in ℤ_N
  • Use the Extended Euclid Algorithm!
• Given prime p and a polynomial f(x) in ℤ_p
  • find x in ℤ_p s.t. f(x) = 0 in ℤ_p
  • Need to solve the equation in ℤ_p
  • Running time is linear in deg(f)
• … but many other problems are difficult
Hard Problems
• Integer Factoring
• RSA
• Discrete Logarithm
• Computational Diffie-Hellman
• Decisional Diffie-Hellman
• Many others…
Factoring Assumption
• Given primes p, q compute the composite N = p ∗ q
• We can say that factoring N is hard
• NOT impossible ⇒ no theoretical guarantee!
• It depends on how p, q are generated:
  • Length
  • Randomness
  • Distance between p, q
• Many algorithms exist to solve the factoring problem
• None of them can factor a big and random N… in reasonable time
RSA Assumption
• Assume that the factorization of N = p ∗ q is hard
• We deduce that without knowing p, q:
  • We cannot compute φ(N) = (p − 1)(q − 1)
  • So we cannot work with the exponent:
    x^i mod N = x^{i mod φ(N)}
• If we need to compute the e-th root, we need φ(N)!
  x^{1/i} mod N = x^{i^{-1} mod φ(N)}
RSA Assumption
• RSA exploits this, obtaining something like factoring hardness!

```python
import random
from math import gcd

def generate(l):
    (N, p, q) = generate_modulus(l)    # assumed helper: N = p*q with l-bit primes p, q
    phi_N = (p - 1) * (q - 1)
    e = random.randrange(2, N)         # e random in Z_N^* with gcd(e, phi(N)) = 1
    while gcd(e, phi_N) != 1:
        e = random.randrange(2, N)
    d = pow(e, -1, phi_N)              # d = e^-1 mod phi(N)
    return (N, e, d)
```
  PK: (N, e)   SK: (N, d)
• The Public Key contains e but… one cannot compute d = e^{-1} mod φ(N) without φ(N)
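An added example, not code from the slides: RSA key generation, encryption and decryption on constructed toy primes (p = 61, q = 53, far too small for real use), showing that d exists only when gcd(e, φ(N)) = 1 (so e = 3 is rejected for these primes), that decryption is the e-th root the previous slide says needs φ(N), and that one factor of N is enough to recover d. Requires Python 3.8+ for `pow(e, -1, m)`.

```python
# Added example, not from the slides: RSA on toy primes, tying d to phi(N)
# and therefore to the factorization of N.
from math import gcd

def keygen(p, q, e=65537):
    """(N, e, d) from primes p, q; None when e is not invertible mod phi(N)."""
    N, phi_N = p * q, (p - 1) * (q - 1)
    if gcd(e, phi_N) != 1:
        return None                        # e = 3 fails whenever 3 | (p-1)(q-1)
    return (N, e, pow(e, -1, phi_N))       # d = e^-1 mod phi(N)

def encrypt(m, N, e):
    """c = m^e mod N: only the public key (N, e) is needed."""
    return pow(m, e, N)

def decrypt(c, N, d):
    """m = c^d mod N: the e-th root of c, which needs d and hence phi(N)."""
    return pow(c, d, N)

def recover_d(N, e, p):
    """Knowing one factor p of N gives q, phi(N) and then d: the RSA assumption
    therefore cannot be stronger than the factoring assumption."""
    q = N // p
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    # Constructed toy parameters: p = 61, q = 53 -> N = 3233, phi(N) = 3120
    N, e, d = keygen(61, 53, 17)
    print(N, e, d)                              # 3233 17 2753
    c = encrypt(65, N, e)
    print(c, decrypt(c, N, d))                  # 2790 65
    print(keygen(61, 53, 3))                    # None: gcd(3, 3120) = 3
    print(recover_d(N, e, 61) == d)             # True
```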
RSA Improvements
• To speed up RSA decryption use a small private key d (d ≈ 2^128):
  c^d = m (mod N)
• Wiener '87: if d < N^{0.25} then RSA is insecure
• BD '98: if d < N^{0.292} then RSA is insecure
• Insecure: d can be found from (N, e) ⇒ Avoid that!
RSA Improvements
• To speed up RSA encryption use a small e:
  • c = m^e (mod N)
  • Minimum value: e = 3 (gcd(e, φ(N)) = 1)
  • Recommended value: e = 65537 = 2^16 + 1
  • Encryption: 17 multiplications
• Asymmetry of RSA:
  • fast encryption / slow decryption
  • slow signature / fast verification
RSA Length
• Security of a public key system should be comparable to the security of a symmetric cipher:
  Cipher key-size   Modulus size
  80 bits           1024 bits
  128 bits          3072 bits
  256 bits (AES)    15360 bits
Discrete Log Assumption
• Fix a prime p > 2 and g in ℤ_p^* of order q:
• Consider the function: x ⟼ g^x in ℤ_p
• Now, consider the inverse function:
  log_g(g^x) = x
• Example (in ℤ_11, g = 2):
  in        : 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
  log_2(⋅)  : 0, 1, 8, 2, 4, 9, 7, 3, 6, 5
Discrete Log Assumption
• Given 𝔾, let g be a generator:
  𝔾 = {g^0, g^1, …, g^{q−1}}
• Computing the discrete log of g^x is hard
• Because no efficient algorithm is known
• Same as factoring ⇒ no theoretical guarantee!
• Hardness depends on the selection of 𝔾
DH Assumptions
Computational DH (CDH)
• Given 𝔾 and a generator g
• Given (g, g^a, g^b)
• It's hard to compute: h = g^{ab}
• e.g. DH Key Exchange
Decisional DH (DDH)
• Given 𝔾 and a generator g
• Given T_DDH = (g^a, g^b, g^c), e.g. c = ab
• The tuple T_DDH looks random in 𝔾
• e.g. El-Gamal Encryption
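An added example, not code from the slides, for the discrete log and DH slides above: a Diffie-Hellman exchange inside the order-q subgroup <g> of ℤ_p^* built earlier (p = 11, q = 5, g = 5), and a brute-force discrete log that reproduces the log_2 table of ℤ_11 and, at this toy size, lets an observer compute g^{ab} from (g^a, g^b); the cost of that loop grows with the group order, which is the whole point of the assumption.

```python
# Added example, not from the slides: DH in the order-q subgroup of Z_p^* and
# the brute-force discrete log that CDH/DDH assume to be infeasible at scale.
import secrets

def dlog_bruteforce(h, g, p):
    """Smallest x with g^x = h in Z_p by trying every exponent in turn;
    None when h is not in <g>.  Linear in the order of g."""
    x, y = 0, 1
    while y != h % p:
        y = (y * g) % p
        x += 1
        if x > p:
            return None
    return x

def dlog_table(g, p):
    """log_g(h) for h = 1, ..., p-1 (the table on the Discrete Log slide)."""
    return [dlog_bruteforce(h, g, p) for h in range(1, p)]

def dh_exchange(p, q, g):
    """Each side picks a secret in [1, q-1]; returns (g^a, g^b, key_a, key_b),
    where key_a = (g^b)^a and key_b = (g^a)^b are both g^(ab) mod p."""
    a = 1 + secrets.randbelow(q - 1)
    b = 1 + secrets.randbelow(q - 1)
    A, B = pow(g, a, p), pow(g, b, p)        # the public values g^a, g^b
    return (A, B, pow(B, a, p), pow(A, b, p))

def cdh_by_dlog(A, B, g, p):
    """An observer's generic route to g^(ab): recover a from A, then B^a."""
    a = dlog_bruteforce(A, g, p)
    return pow(B, a, p)

if __name__ == "__main__":
    print(dlog_table(2, 11))                   # [0, 1, 8, 2, 4, 9, 7, 3, 6, 5]
    A, B, ka, kb = dh_exchange(11, 5, 5)       # subgroup QR_11 of order 5
    print(A, B, ka == kb, cdh_by_dlog(A, B, 5, 11) == ka)
```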
Strong primes
• Strong primes can be used to obtain special groups
• Why choose strong primes for RSA cryptosystems?
  • Improve the factoring hardness of the system
  • Give a sub-group where all elements have an inverse!
• Why choose strong primes for DH cryptosystems?
  • The Discrete-Log problem is hardest in prime-order groups
  • Give a sub-group where all elements are generators!