Chapter 2 Mathematical Foundations Cryptography-Application and Practice Harbin Institute of...
Chapter 2 Mathematical Foundations
Cryptography-Application and Practice
Harbin Institute of Technology, School of Computer Science and Technology
Zhijun Li, http://cst.hit.edu.cn/~lizhijun
lizhijun_os@hit.edu.cn
Zhijun Li S1034040 Autumn08 HIT 2
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Why Prime Numbers
• Why numbers?
  – Encryption: a mathematical transformation
  – Information: discrete events
  – So: numbers
  – Example: A = 0, B = 1, …, Z = 25
• Why prime numbers?
  – Prime numbers are the foundation of numbers
Divisibility
• Definition: b is divisible by a if and only if a divides b without a remainder (i.e. b = ma for some integer m), denoted a|b
  – Example: 3|6, 5|20, -5|25, 3∤8
• Properties
  – a|b, b|c ⇒ a|c
    • Proof: a|b ⇒ b = ma; b|c ⇒ c = nb = mna ⇒ a|c
  – a|b, b|a ⇒ |a| = |b|
  – a|b, a|c ⇒ a|(bx + cy)
    • Proof
Prime and Composite Numbers
• Definition: An integer p is a prime if p is divisible only by +p, -p, 1 and -1
  – Example: 2, 3, 5, 7, 11, 13, 17, …, 101, …
• Denotation: The set of all primes is P
• Definition: An integer n that is not a prime is called a composite number
  – Example: 4, 6, 25, 900, …
Factorizing in Product of Primes
• Theorem (Fundamental Theorem of Arithmetic)
  ∀n ∈ N: n = p1^e1 · p2^e2 · … · pk^ek  (or n = ∏_{p ∈ P} p^{e_p})
  where e_p is the exponent of the prime factor p
• Note: the result of factorization is unique
• Example: 84 = 2 · 2 · 3 · 7 = 2² · 3 · 7
Primes Amount
• Theorem: There are infinitely many primes
• Proof (by contradiction): Assume P_max is the largest prime and build the number
  N = P1 · P2 · … · P_max + 1
  N cannot be represented as P1^e1 · P2^e2 · … · P_max^e_max (every listed prime leaves remainder 1 when dividing N). Therefore N is a new prime, or has a prime factor not in the list; either way a contradiction.
Primes Density
• The prime-counting function π(x) gives the number of primes contained in [1, x]
  π(x) ≈ x / ln(x)
• Gauss: π(x) ≈ x / ln(x)
• Legendre: π(x) ≈ x / (ln(x) - 1.08366)
• Hadamard, de la Vallée-Poussin (Prime Number Theorem):
  lim_{x→∞} (π(x) ln(x) / x) = 1
Greatest Common Divisor
• Definition: the greatest common divisor (GCD) of a and b is the number
  c = gcd(a, b) = max{d | d|a, d|b}
• Properties
  – d|n1, d|n2, …, d|nk ⇒ d|gcd(n1, n2, …, nk)
  – gcd(a, b) = gcd(b, a mod b)
    • a mod b = r = a - qb, 0 ≤ r < b
    • Hint: a|b, b|a ⇒ a = b (for positive a, b)
• Definition: if gcd(a, b) = 1 then a and b are relatively prime (coprime)
Finding GCD
• Theorem: if a = ∏_i pi^ai and b = ∏_i pi^bi then
  gcd(a, b) = ∏_i pi^min(ai, bi)
• Example
  a = 882 = 2 · 3² · 7²
  b = 3465 = 3² · 5 · 7 · 11
  gcd(a, b) = 3² · 7 = 63
• Complexity
  – Requires factoring a and b
  – T(n) = O(c^O(n)), i.e. exponential in the bit length n
Euclidean Algorithm Example
gcd(1970, 1066):
1970 = 1 × 1066 + 904    gcd(1066, 904)
1066 = 1 × 904 + 162     gcd(904, 162)
904 = 5 × 162 + 94       gcd(162, 94)
162 = 1 × 94 + 68        gcd(94, 68)
94 = 1 × 68 + 26         gcd(68, 26)
68 = 2 × 26 + 16         gcd(26, 16)
26 = 1 × 16 + 10         gcd(16, 10)
16 = 1 × 10 + 6          gcd(10, 6)
10 = 1 × 6 + 4           gcd(6, 4)
6 = 1 × 4 + 2            gcd(4, 2)
4 = 2 × 2 + 0            gcd(2, 0) = 2
Euclidean Algorithm
• Step 1: r0 = a and r1 = b
• Step 2: r0 = q1 r1 + r2
          r1 = q2 r2 + r3
          ……
          r_{n-2} = q_{n-1} r_{n-1} + r_n
  until r_n = 0 (and r_{n-1} ≠ 0)
• Step 3: r_{n-1} = gcd(a, b)
Euclidean Algorithm Proof
• r_n = 0 ⇒ r_{n-1} | r_{n-2}
  ⇒ r_{n-1} | r_{n-3} ⇒ … ⇒ r_{n-1} | a and r_{n-1} | b
  ⇒ r_{n-1} | gcd(a, b)
• gcd(a, b) | r0 and gcd(a, b) | r1
  ⇒ gcd(a, b) | r0 - q1 r1 ⇒ gcd(a, b) | r2
  ⇒ … ⇒ gcd(a, b) | r_{n-1}
• r_{n-1} | gcd(a, b) and gcd(a, b) | r_{n-1} ⇒ gcd(a, b) = r_{n-1}
Euclidean Algorithm Complexity
• Time complexity
  – Iterations
    • Each iteration has r_i > 1; number of iterations = O(log2 a)
  – Division
    • O(log2² a) per division
  – T(n) = O(log2³ n)
Modular Arithmetic
• Why modular arithmetic?
  Plaintext:  01100…0100  (n bits, 2^n possible values)
  Ciphertext: 11010…0111  (n bits, 2^n possible values)
  Operations: + (addition), × (multiplication)
  Problems: (1) the set of plaintexts (and ciphertexts) is finite; (2) how to define the +, -, × operations in a finite set?
Modular Operation
• Definition: a mod n (modulo operator) is the remainder when a is divided by n
• a mod n is r ⇔ a = qn + r (0 ≤ r < n)
Congruence Modulo n
• Definition: Integers a and b are congruent modulo n
  – if a mod n = b mod n
  – Denoted as a ≡ b mod n
  – Example: 100 ≡ 34 mod 11
  – a ≡ b mod n ⇔ a = b + kn ⇔ n | (a - b)
Congruence Properties
• Properties
  – a ≡ b (mod n), c ≡ d (mod n) ⇒
    a + c ≡ b + d (mod n)
    ac ≡ bd (mod n)
  – Example
    10 ≡ 1 mod 9, 10² ≡ 1 mod 9, …
    a = a_m 10^m + … + a_1 10 + a_0 ≡ a_m + … + a_1 + a_0 mod 9
  – a ≡ b (mod n), d|n ⇒ a ≡ b (mod d)
Congruence Relation
• Congruence relation is an equivalence relation
  – Reflexive: a ≡ a
  – Symmetric: a ≡ b ⇒ b ≡ a
  – Transitive: a ≡ b, b ≡ c ⇒ a ≡ c
• Equivalence relation ⇒ partition
Example: Integers Modulo 7
• Integers can always be written a = qn + r (0 ≤ r ≤ n-1)
  [figure: the integers -21 … 34 arranged in 7 columns; integers in the same column are congruent modulo 7]
  Z7: residues modulo 7
Set of Residues
• Definition: if a ≡ b mod n and b < n, b is called a residue of a modulo n
• The complete set of residues modulo n
  – The set {r1, r2, …, rn} such that for every integer b there is exactly one ri (1 ≤ i ≤ n) with b ≡ ri mod n
• The reduced set of residues (RSR)
  – A subset of the complete set of residues whose elements are each relatively prime to n
Set of Residues Example
• N = 10
  – The complete set of residues is {0, 1, 2, …, 9}
  – The reduced set of residues is {1, 3, 7, 9}
• N = p (p is a prime)
  – The complete set of residues is {0, 1, 2, …, p-1}
  – The reduced set of residues is {1, 2, …, p-1}
Modular Arithmetic
• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n-1}
• Under normal arithmetic (+, ×):
  – [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • Proof: Let a = q1 n + r1, b = q2 n + r2
    • (a + b) mod n = (q1 n + r1 + q2 n + r2) mod n = (r1 + r2) mod n
  – [(a mod n) × (b mod n)] mod n = (ab) mod n
• (+, ×) ⇒ (-, ÷)?
Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, +)
  [addition table of Z8 not reproduced in the transcript] What do you observe?
Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, ×)
  [multiplication table of Z8 not reproduced in the transcript] NOT all elements in Z8 have a multiplicative inverse
Modular Arithmetic Remark
• Additive inverse always exists
  – (a + (-a)) ≡ 0 mod n, -a = n - a
  – if (a + b) ≡ (a + c) mod n then b ≡ c mod n
    • ((-a) + a + b) ≡ ((-a) + a + c) mod n
• Multiplicative inverse does NOT always exist
  – Example: 6 in Z8
  – When does it exist?
Multiplicative Inverse in Modular Arithmetic
• Definition: a^-1 mod n is the multiplicative inverse of a ∈ {1, 2, …, n-1} when a · a^-1 ≡ 1 mod n
• Theorem: a^-1 mod n exists if and only if gcd(a, n) = 1
• Lemma: If gcd(a, n) = 1 then ai ≢ aj mod n for all 0 ≤ i < j < n (i ≠ j)
  – Proof: assume ai ≡ aj mod n ⇒ n | a(i - j) ⇒ n | (i - j) ⇒ i - j = 0, contradiction
Multiplicative Inverse Theorem
• Proof
  – (⇐) gcd(a, n) = 1 ⇒ {a·1, …, a·(n-1)} mod n is a permutation of {1, …, n-1}
  – So there exists exactly one i such that ai ≡ 1 mod n
  – Therefore i is a^-1 mod n
  – (⇒) Suppose a^-1 exists; call it x
  – ax ≡ 1 (mod n) ⇒ ax + yn = 1 for some integer y
  – ⇒ gcd(a, n) = 1 (gcd(a, n) | ax + yn ⇒ gcd(a, n) | 1)
Euler's phi Function
• Euler's "phi" function φ(n)
  – is the number of invertible elements of Zn
  – is the number of elements in the reduced set of residues modulo n
• φ(n) calculation?
Chinese Remainder Theorem
• Theorem: let n1, n2, …, nk be integers s.t. gcd(ni, nj) = 1 (i ≠ j). Then the system
  x ≡ a1 mod n1
  x ≡ a2 mod n2
  ……
  x ≡ ak mod nk
  has a unique solution x modulo n = n1 n2 … nk
Proof of CRT
• Consider the one-to-one map Zn → Zn1 × Zn2 × … × Znk
  x ↦ (x mod n1, x mod n2, …, x mod nk)
  – CRT is to find the inverse map (a1, a2, …, ak) ↦ x:
  x = Σ_{i=1}^{k} ai mi yi mod n
  – mi = n / ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
  – yi = mi^-1 mod ni, 1 ≤ i ≤ k
  – mi ≡ 0 mod nj for j ≠ i ⇒ ai mi yi ≡ 0 mod nj for j ≠ i
  – yj ≡ mj^-1 mod nj ⇒ mj yj ≡ 1 mod nj ⇒ aj mj yj ≡ aj mod nj
  ⇒ (Σ_{i=1}^{k} ai mi yi) mod nj = aj
Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m) φ(n)
• Proof
  – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – So φ(mn) = φ(m) φ(n)
Finding Euler's phi Function
• φ(n) calculation for n = ∏_{i=1}^{k} pi^ei
  – φ(p) = p - 1; φ(p^e) = p^e - p^(e-1)
    • The numbers kp with k = 1, …, p^(e-1) - 1 have gcd(kp, p^e) ≥ p, i.e. they are not coprime to p^e
    • So φ(p^e) = (p^e - 1) - (p^(e-1) - 1) = p^e - p^(e-1)
  – φ(∏_{i=1}^{k} pi^ei) = ∏_{i=1}^{k} (pi^ei - pi^(ei-1))
  – φ(n) = n (1 - 1/p1)(1 - 1/p2) … (1 - 1/pk)
Euler's Theorem
• Theorem: If gcd(a, n) = 1 then a^φ(n) ≡ 1 mod n
• Proof
  1. Let R = {r1, r2, …, r_φ(n)} be the reduced set of residues modulo n
  2. {a r1, a r2, …, a r_φ(n)} is a permutation of R (since gcd(a ri, n) = 1)
  3. ∏_{i=1}^{φ(n)} ri ≡ ∏_{i=1}^{φ(n)} a ri ≡ a^φ(n) ∏_{i=1}^{φ(n)} ri mod n
  4. gcd(∏_{i=1}^{φ(n)} ri, n) = 1, so the product can be cancelled. Hence a^φ(n) ≡ 1 mod n
Fermat's Little Theorem
• From Euler's Theorem:
  Let n = p where p is a prime.
  Because for all 0 < a < p, gcd(a, p) = 1, we get
  a^(p-1) ≡ 1 mod p
Finding a^-1 mod n
• Search through 1, …, n-1 until an a^-1 is found such that a · a^-1 ≡ 1 (mod n)
  – T(n) = O(n)
• Compute a^-1 = a^(φ(n)-1) mod n
  – Finding φ(n) requires factoring n
  – T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)
From Euclidean Algorithm
• r0 = 1·r0 + 0·r1 = s0 r0 + t0 r1
• r1 = 0·r0 + 1·r1 = s1 r0 + t1 r1
• r2 = r0 - q1 r1 = s2 r0 + t2 r1
• r3 = r1 - q2 r2 = r1 - q2 (r0 - q1 r1) = s3 r0 + t3 r1
  ……
• r_{n-1} = s_{n-1} r0 + t_{n-1} r1
• r_{n-1} = gcd(r0, r1)
• If gcd(r0, r1) = 1: s_{n-1} r0 + t_{n-1} r1 = 1 ⇒ t_{n-1} r1 ≡ 1 mod r0 ⇒ t_{n-1} ≡ r1^-1 mod r0
• So: find t_{n-1}
si and ti
• r0 = s0 r0 + t0 r1, s0 = 1, t0 = 0
• r1 = s1 r0 + t1 r1, s1 = 0, t1 = 1
  ……
• ri = r_{i-2} - q_{i-1} r_{i-1} = s_{i-2} r0 + t_{i-2} r1 - q_{i-1} s_{i-1} r0 - q_{i-1} t_{i-1} r1 = si r0 + ti r1
  si = s_{i-2} - q_{i-1} s_{i-1}
  ti = t_{i-2} - q_{i-1} t_{i-1}
• Only ti is needed
• ri = si r0 + ti r1 ≡ ti r1 mod r0
Extended Euclidean Algorithm
Step 1: r0 = n and r1 = a
Step 2: r0 = q1 r1 + r2 ⇒ r2 = r0 - q1 r1 ≡ -q1 r1 mod n; let x2 = -q1, then r2 ≡ x2 r1 mod n
        r1 = q2 r2 + r3 ⇒ r3 = r1 - q2 r2 ≡ (1 - x2 q2) r1 mod n; let x3 = 1 - x2 q2, then r3 ≡ x3 r1 mod n
        ……
        r_{n-3} = q_{n-2} r_{n-2} + r_{n-1} ⇒ r_{n-1} = r_{n-3} - q_{n-2} r_{n-2} mod n; let x_{n-1} = x_{n-3} - x_{n-2} q_{n-2}, then r_{n-1} ≡ x_{n-1} r1 mod n. Now r_{n-1} = 1
Step 3: Result is x_{n-1} = a^-1 mod n (the xi here are the ti of the previous slide)
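The Euclidean algorithm with the gcd(1970, 1066) trace shown earlier, the permutation lemma behind the inverse theorem, and the Extended Euclidean Algorithm just described (tracking the si, ti coefficients), as an added Python example that is not part of the lecture slides. The function names are my own.

```python
# Added example (not from the slides). Invariant maintained by extended_euclid:
# r_i = s_i * r0 + t_i * r1 with s_i = s_{i-2} - q_{i-1} s_{i-1} and
# t_i = t_{i-2} - q_{i-1} t_{i-1}, exactly as on the "si and ti" slide.


def euclid_trace(a, b):
    """Return (gcd, steps); each step is (r_{i-1}, q_i, r_i, r_{i+1}) for the
    division r_{i-1} = q_i * r_i + r_{i+1}, as laid out on the example slide."""
    steps = []
    r0, r1 = a, b
    while r1 != 0:
        q, r2 = divmod(r0, r1)
        steps.append((r0, q, r1, r2))
        r0, r1 = r1, r2
    return r0, steps


def extended_euclid(r0, r1):
    """Return (g, s, t) with g = gcd(r0, r1) = s*r0 + t*r1."""
    s_prev, s_cur = 1, 0   # s0 = 1, s1 = 0
    t_prev, t_cur = 0, 1   # t0 = 0, t1 = 1
    while r1 != 0:
        q, r2 = divmod(r0, r1)
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
        r0, r1 = r1, r2
    return r0, s_prev, t_prev


def mod_inverse(a, n):
    """a^-1 mod n: run the extended algorithm with r0 = n, r1 = a and take
    t_{n-1} mod n. Raises ValueError when gcd(a, n) != 1 (e.g. 6 in Z8)."""
    g, _, t = extended_euclid(n, a % n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {g}")
    return t % n


def multiples_permute(a, n):
    """Lemma check: for gcd(a, n) = 1 the products a*i mod n (i = 1..n-1)
    are a permutation of 1..n-1; for a non-coprime a they are not."""
    return sorted(a * i % n for i in range(1, n)) == list(range(1, n))


if __name__ == "__main__":
    g, steps = euclid_trace(1970, 1066)
    for r_prev, q, r, r_next in steps:
        print(f"{r_prev} = {q} x {r} + {r_next}")
    print("gcd =", g)                         # 2
    print(mod_inverse(7, 26))                 # 15, since 7 * 15 = 105 = 4*26 + 1
```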
Algebraic Structures
• Why structures?
  – Cryptographic transforms are normally defined in some structures
• Definition: an algebraic structure is the collection of a set S with one (or more) operations ∘ performed on the elements of S
  – Different algebraic structures are <S, ∘> satisfying some specific conditions
Group
• Definition: A group G = <S, ∘> is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S: a∘b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S: (a∘b)∘c = a∘(b∘c)
  – G3: ∃e ∈ S, ∀a ∈ S: a∘e = e∘a = a
  – G4: ∀a ∈ S, ∃a^-1 ∈ S: a∘a^-1 = a^-1∘a = e
  – [G5, Abelian group]: ∀a, b: a∘b = b∘a
Group Example
• <Z, +>: e = 0, a^-1 = -a
• <Zn, +> (Zn = {0, 1, …, n-1}, '+' is addition modulo n): e = 0, a^-1 = n - a
• <Z2, ⊕> (⊕ is addition modulo 2) is also a group
• <Zp*, ×> (Zp* = {1, …, p-1}, '×' is multiplication modulo p)
Group Properties
• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G1 = <S1, ∘> is a subgroup of the group G = <S, ∘> if S1 ⊆ S
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G
Lagrange Theorem Proof
(1) Definition of coset: Let G be a group and H a subgroup of G. For a ∈ G, the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH, since e ∈ H). So the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G
The Order of Group Element
• Definition: The order of a group element a is defined as the least positive integer n such that
  a^n = a∘a∘…∘a (n times) = e
• The order of a is denoted ord(a)
• Corollary: Suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n
ord(a) | n Proof
• Proof
  – For a group G and a ∈ G, the set {a, a², …, a^ord(a)} with the operator of G forms a subgroup of G:
    a^ord(a) = e, (a^i)^-1 = a^(ord(a) - i)
  – This subgroup is denoted <a>; its order is ord(a)
  – By Lagrange's theorem, ord(a) divides n
The Generator of Group
• Definition: If all elements of a group can be generated by a single element g, g is called a generator of the group
• Example
  – Consider <Z7*, ×>
  – 2 generates: 2¹ = 2, 2² = 4, 2³ = 8 ≡ 1 mod 7, 2⁴ = 16 ≡ 2 mod 7, …
    • {1, 2, 4} is a subgroup
  – 3 generates: 3¹ = 3, 3² ≡ 2, 3³ ≡ 6, 3⁴ ≡ 4, 3⁵ ≡ 5, 3⁶ ≡ 1, …
    • 3 is a generator
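Euler's φ from the factorization formula, Euler's theorem, element orders in <Zn*, ×> checked against the corollary ord(a) | |G|, and the generator search in Z7* from this slide, as one added Python example that is not part of the lecture slides. The function names are my own; factoring is trial division, which is only meant for small n.

```python
# Added example (not from the slides): phi(n), the reduced set of residues,
# element orders and generators of Zn*, with checks of Euler's theorem and of
# the Lagrange corollary ord(a) | phi(n).
from math import gcd


def factorize(n):
    """Return {p: e} with n = prod p^e (trial division; fine for small n)."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """phi(n) = prod (p^e - p^(e-1)) over the prime factorization of n."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def reduced_residues(n):
    """Zn* = {x in Zn | gcd(x, n) = 1}; its size equals phi(n)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def order(a, n):
    """ord(a) in Zn*: the least k > 0 with a^k ≡ 1 (mod n)."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not in Z{n}*")
    k, x = 1, a % n
    while x != 1:
        x = x * a % n
        k += 1
    return k


def generators(n):
    """Elements whose powers run through all of Zn*, i.e. ord(a) = phi(n)."""
    return [a for a in reduced_residues(n) if order(a, n) == phi(n)]


def euler_theorem_holds(n):
    """a^phi(n) ≡ 1 (mod n) for every a coprime to n."""
    return all(pow(a, phi(n), n) == 1 for a in reduced_residues(n))


def lagrange_holds(n):
    """ord(a) divides |Zn*| = phi(n) for every a in Zn*."""
    return all(phi(n) % order(a, n) == 0 for a in reduced_residues(n))


if __name__ == "__main__":
    print(phi(10), reduced_residues(10))        # 4 [1, 3, 7, 9]
    print({a: order(a, 7) for a in range(1, 7)})  # {1: 1, 2: 3, 3: 6, 4: 3, 5: 6, 6: 2}
    print(generators(7))                        # [3, 5]
```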
Ring
• Definition: A ring R = <S, +, ×> (+ is addition, × is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a × b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a × b) × c = a × (b × c)
  – R4: ∀a, b, c ∈ S: a × (b + c) = a × b + a × c
• Example
  – The set of even integers with + and × is a ring
  – p, q two primes, n = pq: Zn = {0, 1, …, n-1} with addition and multiplication mod n is a ring
Field
• Definition: A field F is <S, +, ×> with
  – F1: <S, +, ×> is a commutative ring (a × b = b × a)
  – F2: there exists an identity element 1 with respect to multiplication: a × 1 = 1 × a = a
  – F3: any nonzero element a ∈ S has a unique inverse a^-1: a × a^-1 = a^-1 × a = 1
• Example
  – Zn = <{0, 1, …, n-1}, +, ×> is a field if n is a prime
Relationship
[figure: nested diagram, Group (+, -) inside Ring (+, -, ×) inside Field (+, -, ×, ÷); all three are used in cryptography]
Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F_{2^n}
Zn
• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n-1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z26 for English letters
  – Z256 for ASCII bytes
Zn Properties
• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: yes
  – For every x in Zn there is a number y such that x + y = 0
• Multiplicative inverse: not for all x
  – A number y such that xy = 1 does not exist for every x in Zn
  – The elements of Zn that have an inverse: {x | gcd(x, n) = 1}
Zn*
• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20: 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field
Zp
• Zp is the "field" of integers modulo p (p prime)
  – Zp = {0, 1, 2, …, p-1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2
    +  | 0  1          ×  | 0  1          w | -w | w^-1
    ---+------         ---+------         --+----+-----
    0  | 0  1          0  | 0  0          0 |  0 |  -
    1  | 1  0          1  | 0  1          1 |  1 |  1
  (+ is XOR, × is AND)
Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an x^n + a_{n-1} x^{n-1} + … + a1 x + a0 where each ai ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Polynomial Ring Example
• Example: Let f(x) = x³ + x + 1 and g(x) = x² + x be elements of Z2[x]
  – f(x) + g(x) = x³ + x² + 1
  – f(x) - g(x) = f(x) + g(x) = x³ + x² + 1
  – f(x) · g(x) = x⁵ + x⁴ + x³ + x
Set of Residues Modulo p(x)
• Definition: the set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) - b(x))
• Example
  – In Z5[x]: 3x³ + 4x + 4 ≡ x + 4 mod (x² + 1)
    • 3x³ + 4x + 4 - (x + 4) = 3x³ + 3x = 3x(x² + 1)
• Definition: If a(x) b(x) ≡ 1 mod p(x) then b(x) = a^-1(x) mod p(x)
Irreducible Polynomials
• Definition: if a(x) = q(x) b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) such that b(x) | a(x)
Example: Z2[x]/(x³ + x + 1)
• S = {0, 1, x, x+1, x², x²+1, x²+x, x²+x+1}
• p(x) = x³ + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
  – x⁴ + 1 = x · x³ + 1 mod p(x) = x(x + 1) + 1 = x² + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)
Z2[x]/(x³ + x + 1) Properties
• S is a group over addition in R
  – 0 is e and the inverse of a ∈ S is a itself
  – Example: (x² + 1) + (x² + 1) = 0
• S \ {0} is a group over multiplication mod p(x)
  – 1 is e and every nonzero a ∈ S has an inverse
  – Example: (x² + 1) · x = x³ + x ≡ (x + 1) + x mod (x³ + x + 1) = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x³ + x + 1) is a field
Galois Field
• Definition: Galois field = (S, +, ×)
  – S = F[x]/p(x)
  – F is a field ZN (N is prime)
  – + is addition in F, × is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over ZN[x]/p(x) is denoted GF(N^n) when n = deg p(x)
Why Galois Field
• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for Z256?
  – Yes: the Galois Field
Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x⁷ + 0·x⁶ + 0·x⁵ + 1·x⁴ + 0·x³ + 1·x² + 1·x¹ + 1·x⁰
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)
Galois Field Example: AES
• AES uses GF(2⁸) = Z2[x]/p(x) where p(x) = x⁸ + x⁴ + x³ + x + 1
• Example
  – 01010011 ↔ x⁶ + x⁴ + x + 1
  – (01010011)^-1 ↔ (x⁶ + x⁴ + x + 1)^-1 mod p(x) = x⁷ + x⁶ + x³ + x ↔ 11001010
Galois Field Example: AES
• Example: 02 · 87 = ?
  • 87 = 10000111 ↔ f(x) = x⁷ + x² + x + 1
  • 02 = 00000010 ↔ x
  • 02 · 87 ↔ x · f(x) = x(x⁷ + x² + x + 1) mod p(x)
    = x⁸ + x(x² + x + 1) mod p(x)
    = (x⁴ + x³ + x + 1) + (x³ + x² + x) = x⁴ + x² + 1 ↔ 00010101
• In general, for b = b7 b6 b5 b4 b3 b2 b1 b0:
  x · f(x) ↔ 02 · b = (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
                      (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)      if b7 = 1
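Arithmetic in Z2[x]/p(x) with polynomials stored as bit masks, serving both the Z2[x]/(x³ + x + 1) slides and the AES GF(2⁸) slides above: multiplication is the "shift, then XOR in the reduction polynomial when the top bit was set" rule generalized to any degree, and it reproduces (x² + 1)·x = 1, x⁴ + 1 ≡ x² + x + 1, 02·87 and the inverse of 01010011. This is an added Python example, not code from the lecture slides; the function names are my own.

```python
# Added example (not from the slides): GF(2^n) as Z2[x]/p(x) on bit masks
# (bit i = coefficient of x^i). The inverse is found by exhaustive search,
# which is fine for GF(2^3) and GF(2^8).

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1 (AES), x^8 term included
TOY_POLY = 0b1011  # x^3 + x + 1, the polynomial of the Z2[x]/(x^3+x+1) slides


def gf_add(a, b):
    """Addition in Z2[x] is coefficient-wise XOR; every element is its own inverse."""
    return a ^ b


def gf_xtime(a, poly):
    """Multiply a by x modulo poly: shift left, reduce if the x^deg term appears."""
    deg = poly.bit_length() - 1          # 8 for AES_POLY, 3 for TOY_POLY
    a <<= 1
    if a & (1 << deg):                   # top bit set: subtract (XOR) poly, as on the slide
        a ^= poly
    return a


def gf_mul(a, b, poly):
    """Schoolbook multiplication modulo poly using repeated xtime (no tables)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = gf_xtime(a, poly)
        b >>= 1
    return result


def gf_inverse(a, poly):
    """Multiplicative inverse by searching all 2^deg - 1 nonzero elements."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in a field")
    deg = poly.bit_length() - 1
    for cand in range(1, 1 << deg):
        if gf_mul(a, cand, poly) == 1:
            return cand
    raise ValueError("no inverse found: poly is not irreducible")


def poly_str(a):
    """Render a bit mask the way the slides write polynomials, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    terms = [("1" if i == 0 else "x" if i == 1 else f"x^{i}")
             for i in range(a.bit_length() - 1, -1, -1) if a >> i & 1]
    return " + ".join(terms) if terms else "0"


if __name__ == "__main__":
    print(hex(gf_mul(0x02, 0x87, AES_POLY)))          # 0x15
    print(poly_str(gf_inverse(0x53, AES_POLY)))       # x^7 + x^6 + x^3 + x  (0xCA)
    print(gf_mul(0b101, 0b010, TOY_POLY))             # 1: (x^2 + 1) * x = 1 in Z2[x]/(x^3+x+1)
```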
Mathematical Model for Ciphers
• Message space P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• Key space K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• Ciphertext space C = {c | c = ek(m), k ∈ K, m ∈ P}
[figure: Sender → Encryption (m ↦ c) → Decryption → Receiver; the key k reaches both ends over a secure channel; cryptanalysis observes c]
Claude Shannon (1916-2001)
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." (R. G. Gallager)
Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] Pr[P = dk(c)]
  – C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m] Pr[P = m] / Pr[C = c]
  = (Pr(m) Σ_{k | m = dk(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k) Pr(dk(c)))
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if the probability distribution of P is unchanged by the ciphertext:
  ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Also say such a scheme has perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and ∀x ∈ P and y ∈ C there is a unique key k such that ek(x) = y
Proof of (⇐)
• Pr[x | y] = (Σ_{k ∈ K, x = dk(y)} Pr[K = k] Pr[P = x]) / (Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] Pr[P = dk(y)])
• Numerator: Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K| (exactly one key maps x to y)
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] Pr[P = dk(y)] = (1/|K|) Σ_{k ∈ K, y ∈ C(k)} Pr[P = dk(y)] = (1/|K|) Σ_{x ∈ P} Pr[P = x] = 1/|K|
• Hence Pr[x | y] = Pr[x]
Proof of (⇒): unique key
• Pr[y] > 0; Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• For fixed x ∈ P, y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
  – So there are no k1 ≠ k2 with ek1(x) = ek2(x)
  – There is a unique key k such that ek(x) = y
Proof of (⇒): equal key probability
• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with e_{ki}(xi) = y
• Pr[xi | y] = Pr[y | xi] Pr[xi] / Pr[y] = Pr[K = ki] Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y] for every i
  – Every key is used with equal probability 1/|K|
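The probability formulas Pr[C = c], Pr[C = c | P = m] and Pr[P = m | C = c] from the slides above, evaluated exactly on a shift cipher over Z_n and then used to test Shannon's condition Pr[P = m | C = c] = Pr[P = m]: with a uniform key it holds (the theorem's conditions are met), with a skewed key distribution it fails. This is an added Python example that is not part of the lecture slides; the plaintext and key distributions are constructed here and the function names are my own.

```python
# Added example (not from the slides). Fractions keep every probability exact,
# so the perfect-secrecy test is an equality, not a floating-point approximation.
from fractions import Fraction
from itertools import product


def shift_encrypt(k, m, n):
    return (m + k) % n


def shift_decrypt(k, c, n):
    return (c - k) % n


def ciphertext_dist(p_msg, p_key, n):
    """Pr[C=c] = sum over keys k with c in C(k) of Pr[K=k] * Pr[P=d_k(c)]."""
    return {c: sum(p_key[k] * p_msg.get(shift_decrypt(k, c, n), 0) for k in p_key)
            for c in range(n)}


def posterior(p_msg, p_key, n):
    """Pr[P=m|C=c] = Pr[C=c|P=m] Pr[P=m] / Pr[C=c], where
    Pr[C=c|P=m] = sum of Pr[K=k] over the keys k with m = d_k(c)."""
    pr_c = ciphertext_dist(p_msg, p_key, n)
    post = {}
    for m, c in product(p_msg, range(n)):
        if pr_c[c] == 0:
            continue                      # conditioning on an impossible ciphertext
        pr_c_given_m = sum(p_key[k] for k in p_key if shift_decrypt(k, c, n) == m)
        post[(m, c)] = pr_c_given_m * p_msg[m] / pr_c[c]
    return post


def has_perfect_secrecy(p_msg, p_key, n):
    """Shannon's condition: Pr[P=m|C=c] == Pr[P=m] for every m and every possible c."""
    post = posterior(p_msg, p_key, n)
    return all(post[(m, c)] == p_msg[m] for (m, c) in post)


# Constructed inputs: |K| = |P| = |C| = 5, a skewed plaintext distribution,
# and two key distributions (uniform 1/5 each, and one favouring key 0).
N = 5
MSG = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
UNIFORM_KEY = {k: Fraction(1, N) for k in range(N)}
SKEWED_KEY = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
              3: Fraction(1, 8), 4: Fraction(1, 8)}

if __name__ == "__main__":
    print(has_perfect_secrecy(MSG, UNIFORM_KEY, N))   # True
    print(has_perfect_secrecy(MSG, SKEWED_KEY, N))    # False
    print(posterior(MSG, SKEWED_KEY, N)[(0, 0)])      # 4/5, not Pr[P=0] = 1/2
```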
"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a probability distribution on P that is nonzero everywhere
  – Given any C = c, for every m:
    Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
Introduction of the Complexity
• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Means that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography
Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: A Turing Machine is a transition function S × B → S × B × {l, r}
  – where S is the set of states, B the set of tape characters, l is shift left, r is shift right
[figure: tape … 0 1 1 0 0 0 1 1 … read and written by a state machine]
Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which for an instance produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem
Problems and Algorithms
[figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]
Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problem
• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: A × B
  – NP – can be solved in polynomial time using an NDTM (transition relation S × B → 2^(S × B × {l, r}))
  – BPP – can be "solved" in polynomial time using a PTM (S × B × {0, 1} → S × B × {l, r}, randomized algorithms)
NP Problem
• NP problem: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", intuitively
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP and I1+ and I2+ are their 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is at least as complex as Q1
  – Denoted Q1 ≤poly Q2
NP Completeness (NPC)
• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC?
  – Show SAT ≤poly Q
P = NP?
• P = NP, or ∃p ∈ NP, p ∉ P?
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP, p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography
BPP
• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 p2^e2 … pk^ek)
• DLP: Find x satisfying α^x ≡ β (mod p)
• DHP: Find α^(ab) (mod p) from α^a (mod p) and α^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x² ≡ a (mod n)
Semantic Security
• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leak partial information
  – Approximate perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
  Challenger                                   Adversary
  picks random k and random b ∈ {0, 1}    ←    picks M0, M1 of equal length
  returns C = E(k, Mb)                    →    outputs a guess b'
  The attacker wins the game if b = b'
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
  Challenger                                   Adversary
  1. picks random k
  2. picks random M
     returns C = E(k, M)                  →    3. picks i
                                          ←    outputs a guess a
  The attacker wins the game if a = the i'th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
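The IND-CPA game defined above, played exactly (every key and both values of b enumerated, so the win probability is a closed fraction rather than an estimate) for a one-byte one-time pad E(k, M) = k ⊕ M: an eavesdropper who only sees the challenge wins with probability exactly 1/2, while a chosen-plaintext adversary with an encryption oracle under the same key wins with probability 1, because a key reused deterministically makes ciphertexts distinguishable. This is an added Python example that is not part of the lecture slides; the messages M0, M1 are constructed and the function names are my own.

```python
# Added example (not from the slides): the IND-CPA game of the definition,
# with the challenger's random choices enumerated exhaustively.
from fractions import Fraction

KEYS = range(256)        # key space: one byte, chosen uniformly by the challenger
M0, M1 = 0x41, 0x42      # the adversary's two equal-length messages (constructed)


def otp_encrypt(k, m):
    """One-byte one-time pad: c = k XOR m."""
    return k ^ m


def eavesdropper_guess(c, m0, m1, oracle=None):
    """Sees only the challenge; guesses 0 when c happens to equal m0.
    Any rule that ignores k does equally badly against a fresh pad."""
    return 0 if c == m0 else 1


def cpa_guess(c, m0, m1, oracle):
    """Chosen-plaintext adversary: asks the oracle for E(k, m0) and compares."""
    return 0 if oracle(m0) == c else 1


def ind_cpa_win_probability(encrypt, adversary, with_oracle):
    """Exact Pr[b = b'] over uniform k in KEYS and uniform b in {0, 1}."""
    wins = 0
    for k in KEYS:
        # The oracle encrypts under the challenge key, as in the CPA game.
        oracle = (lambda m, k=k: encrypt(k, m)) if with_oracle else None
        for b in (0, 1):
            c = encrypt(k, M0 if b == 0 else M1)
            if adversary(c, M0, M1, oracle) == b:
                wins += 1
    return Fraction(wins, 2 * len(KEYS))


def advantage(prob):
    """The epsilon of the (t, epsilon) definition: Pr[win] - 1/2."""
    return prob - Fraction(1, 2)


if __name__ == "__main__":
    print(ind_cpa_win_probability(otp_encrypt, eavesdropper_guess, False))  # 1/2
    print(ind_cpa_win_probability(otp_encrypt, cpa_guess, True))            # 1
```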
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework
• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date
Zhijun Li S1034040Autumn08HIT 2
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 3
Why Prime Numbers
bull Why numbersndash Encryption Mathematical Transformationndash Information Discrete eventsndash So Numbersndash Example A0 B1 hellip Z25
bull Why prime numbersndash Prime numbers is the foundation of numbers
Zhijun Li S1034040Autumn08HIT 4
Divisibility
bull Definition b is divisible by a if and only if a divides b without a remainder (or b=ma) denoted as a|bndash Example 3|6 5|20 -5|25 3|8
bull Properties ndash a|b b|c a|c
bull Proof a|bb=ma b|cc=nb=mna a|c
ndash a|b b|a |a|=|b|ndash a|b a|c a|bxcy
bull Proof
Zhijun Li S1034040Autumn08HIT 5
Prime and Composite Numbers
bull Definition An integer p is a prime if p is divisible only by +p-p1 and -1ndash Example 2357111317hellip101hellip
bull Denotation The set of all primes is P
bull Definition An integer n that is not a prime is called a composite numberndash Example 4625900hellip
Zhijun Li S1034040Autumn08HIT 6
bull Theorem(Fundamental Theorem of Arithmetic)
nN n= p1e1 p2
e2hellippkek ( or piP pei)
where ep is the exponent of the prime factor p
bull Note the result of factorization is uniquebull Example 84=2237
Factorizing in Product of Primes
Zhijun Li S1034040Autumn08HIT 7
Primes Amount
bull Theorem There are infinitely many primes
bull Proof (by contradiction) Assume Pmax build a number N is
N=P1P2hellipPmax+1
N can not be represented as P1e
1 P2e
2 hellip Pmaxe
max Therefore N is a new prime
Zhijun Li S1034040Autumn08HIT 8
Primes Density
(x) is a function gives the number of all primes contained in lt1xgt
(x)xln(x)
bull Gauss (x)xln(x)bull Legendre (x)x(ln(x)-108366) bull Hadamard de la Vallee-Poussion
((x)ln(x)x)x = 1
Zhijun Li S1034040Autumn08HIT 9
Greatest Common Divisor
bull Definition the greatest common divisor(GCD) is the number c
c=gcd(ab)=maxd|d|ad|bbull Properties
ndash d|n1d|n2hellipd|nk d|gcd(n1n2hellipnk)ndash gcd(ab) = gcd(b a mod b)
bull a mod b = r = a-qb 0ltrltb bull Hint a|b b|a a = b
bull Definition if gcd(ab)=1 then a and b are relatively prime(coprime)

Finding GCD
• Theorem: if a = ∏_i pi^{ai} and b = ∏_i pi^{bi}, then
  gcd(a, b) = ∏_i pi^{min(ai, bi)}
• Example
  a = 882 = 2 · 3^2 · 7^2
  b = 3465 = 3^2 · 5 · 7 · 11
  gcd(a, b) = 3^2 · 7 = 63
• Complexity
– Needs the factorization of a and b
– T(n) = O(c^{O(n)})

Euclidean Algorithm Example: gcd(1970, 1066)
  1970 = 1 × 1066 + 904    gcd(1066, 904)
  1066 = 1 × 904 + 162     gcd(904, 162)
  904 = 5 × 162 + 94       gcd(162, 94)
  162 = 1 × 94 + 68        gcd(94, 68)
  94 = 1 × 68 + 26         gcd(68, 26)
  68 = 2 × 26 + 16         gcd(26, 16)
  26 = 1 × 16 + 10         gcd(16, 10)
  16 = 1 × 10 + 6          gcd(10, 6)
  10 = 1 × 6 + 4           gcd(6, 4)
  6 = 1 × 4 + 2            gcd(4, 2)
  4 = 2 × 2 + 0            gcd(2, 0)
  So gcd(1970, 1066) = 2

Euclidean Algorithm
• Step 1: r0 = a and r1 = b
• Step 2:
  r0 = q1·r1 + r2
  r1 = q2·r2 + r3
  ……
  r_{n-2} = q_{n-1}·r_{n-1} + r_n
  until r_n = 0 and r_{n-1} ≠ 0
• Step 3: r_{n-1} = gcd(a, b)

Euclidean Algorithm Proof
• r_n = 0 ⇒ r_{n-1} | r_{n-2} ⇒ r_{n-1} | r_{n-3} ⇒ … ⇒ r_{n-1} | a and r_{n-1} | b
  ⇒ r_{n-1} | gcd(a, b)
• gcd(a, b) | r0 and gcd(a, b) | r1 ⇒ gcd(a, b) | r0 - q1·r1 ⇒ gcd(a, b) | r2 ⇒ … ⇒ gcd(a, b) | r_{n-1}
• r_{n-1} | gcd(a, b) and gcd(a, b) | r_{n-1} ⇒ gcd(a, b) = r_{n-1}

Euclidean Algorithm Complexity
• Time complexity
– Iterations
  • Number of iterations (each with r_i > 1): O(log2 a)
– Division
  • O(log2^2 a) per division
– T(n) = O(log2^3 n)

Modular Arithmetic
• Why modular arithmetic?
  [Figure: an n-bit plaintext block 01100…0100 (one of 2^n values) is mapped by "+ addition, × multiplication" to an n-bit ciphertext block 11010…0111 (one of 2^n values)]
  Problems: 1. the set of plaintexts (and ciphertexts) is finite; 2. how to define the +, -, × operations on a finite set?

Modular Operation
• Definition: a mod n (modulo operator) is the remainder when a is divided by n
• a mod n is r ⇔ a = qn + r (0 ≤ r < n)

Congruence Modulo n
• Definition: Integers a and b are congruent modulo n
– if a mod n = b mod n
– denoted as a ≡ b mod n
– Example: 100 ≡ 34 mod 11
– a ≡ b mod n ⇔ a = b + kn ⇔ n | (a - b)

Congruence Properties
• Properties
– a ≡ b (mod n), c ≡ d (mod n) ⇒
  a + c ≡ b + d (mod n)
  a·c ≡ b·d (mod n)
– Example
  10 ≡ 1 mod 9, 10^2 ≡ 1 mod 9, …
  a = a_m·10^m + … + a_1·10 + a_0 ≡ a_m + … + a_1 + a_0 mod 9
– a ≡ b (mod n), d|n ⇒ a ≡ b (mod d)

Congruence Relation
• The congruence relation is an equivalence relation
– Reflexive: a ≡ a
– Symmetric: a ≡ b ⇒ b ≡ a
– Transitive: a ≡ b, b ≡ c ⇒ a ≡ c
• Equivalence relation ⇒ Partition

Example: Integers Modulo 7
• Integers can always be written a = qn + r (0 ≤ r ≤ n-1)
  [Figure: the integers -21 … 34 on a number line, grouped by congruence into Z7, the residues modulo 7]

Set of Residues
• Definition: if a ≡ b mod n and b < n, b is called a residue of a modulo n
• The complete set of residues modulo n
– The set {r1, r2, …, rn} such that for every integer b exactly one r_i in the set satisfies b ≡ r_i mod n
• The reduced set of residues (RSR)
– A subset of the complete set of residues in which each element is relatively prime to n

Set of Residues Example
• N = 10
– The complete set of residues is {0, 1, 2, …, 9}
– The reduced set of residues is {1, 3, 7, 9}
• N = p (p is a prime)
– The complete set of residues is {0, 1, 2, …, p-1}
– The reduced set of residues is {1, 2, …, p-1}

Modular Arithmetic
• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n-1}
• Under normal arithmetic (+, ×):
– [(a mod n) + (b mod n)] mod n = (a + b) mod n
  • Proof: Let a = q1·n + r1, b = q2·n + r2
  • (a + b) mod n = (q1·n + r1 + q2·n + r2) mod n = (r1 + r2) mod n
– [(a mod n) × (b mod n)] mod n = (a·b) mod n
• (+, ×) ⇒ (-, ÷)?

Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, +)
  [Table: addition modulo 8 on Z8, not reproduced in the transcript] What do we observe?
• (Z8 = {0, 1, 2, …, 7}, ×)
  [Table: multiplication modulo 8 on Z8, not reproduced in the transcript] NOT all elements in Z8 appear in every row

Modular Arithmetic Remark
• Additive inverse always exists
– a + (-a) ≡ 0 mod n, -a = n - a
– if (a + b) ≡ (a + c) mod n then b ≡ c mod n
  • ((-a) + a + b) ≡ ((-a) + a + c) mod n
• Multiplicative inverse does NOT always exist
– Example: 6 in Z8
– When does it exist?

Multiplicative Inverse in Modular Arithmetic
• Definition: a^{-1} mod n is the multiplicative inverse x of a ∈ {1, 2, …, n-1} when a·x ≡ 1 mod n
• Theorem: a^{-1} mod n exists if and only if gcd(a, n) = 1
• Lemma: If gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
– Proof: assume a·i ≡ a·j mod n ⇒ n | a(i - j) ⇒ n | (i - j) ⇒ i - j = 0

Multiplicative Inverse Theorem
• Proof
– (⇐) gcd(a, n) = 1 ⇒ a·1, …, a·(n-1) mod n is a permutation of 1, …, n-1
– So there exists exactly one i with a·i ≡ 1 mod n
– Therefore i is a^{-1} mod n
– (⇒) Suppose a^{-1} exists; call it x
– a·x ≡ 1 (mod n) ⇒ a·x + y·n = 1 for some integer y
– ⇒ gcd(a, n) = 1 (gcd(a, n) | a·x + y·n ⇒ gcd(a, n) | 1)

Euler's phi Function
• Euler's "phi" function φ(n)
– is the number of invertible elements of Zn
– is the number of elements in the reduced set of residues modulo n
• φ(n) calculation?

Chinese Remainder Theorem
• Theorem: let n1, n2, …, nk be integers s.t. gcd(ni, nj) = 1 (i ≠ j)
  x ≡ a1 mod n1
  x ≡ a2 mod n2
  ……
  x ≡ ak mod nk
  There exists a unique solution x modulo n = n1·n2···nk

Proof of CRT
• Consider the one-to-one map Zn → Zn1 × Zn2 × … × Znk,
  x ↦ (x mod n1, x mod n2, …, x mod nk)
– CRT is to find the inverse map at (a1, a2, …, ak):
  (a1, a2, …, ak) ↦ Σ_{i=1}^{k} ai·mi·yi mod n
– mi = n/ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
– yi = mi^{-1} mod ni, 1 ≤ i ≤ k
– mi ≡ 0 mod nj for j ≠ i ⇒ ai·mi·yi ≡ 0 mod nj for j ≠ i
– yj ≡ mj^{-1} mod nj ⇒ mj·yj ≡ 1 mod nj ⇒ aj·mj·yj ≡ aj mod nj
  ⇒ (Σ_{i=1}^{k} ai·mi·yi) mod nj = aj

Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof
– A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
– A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
– So φ(mn) = φ(m)·φ(n)

Finding Euler's phi Function
• φ(n) calculation for n = ∏_{i=1}^{k} pi^{ei}
– φ(p) = p - 1, φ(p^e) = p^e - p^{e-1}
– The numbers kp, k = 1, …, p^{e-1} - 1, share the factor p with p^e (gcd(kp, p^e) ≠ 1)
– So φ(p^e) = (p^e - 1) - (p^{e-1} - 1) = p^e - p^{e-1}
• φ(∏_{i=1}^{k} pi^{ei}) = ∏_{i=1}^{k} (pi^{ei} - pi^{ei-1})
• φ(n) = n(1 - 1/p1)(1 - 1/p2)…(1 - 1/pk)

Euler's Theorem
• Theorem: If gcd(a, n) = 1 then a^{φ(n)} ≡ 1 mod n
• Proof
  1. Let R = {r1, r2, …, r_{φ(n)}} be a reduced set of residues modulo n
  2. {a·r1, a·r2, …, a·r_{φ(n)}} is a permutation of R (gcd(a·ri, n) = 1)
  3. ∏_{i=1}^{φ(n)} ri ≡ ∏_{i=1}^{φ(n)} a·ri ≡ a^{φ(n)} · ∏_{i=1}^{φ(n)} ri mod n
  4. gcd(∏_{i=1}^{φ(n)} ri, n) = 1. Hence a^{φ(n)} ≡ 1 mod n

Fermat's Little Theorem
• From Euler's Theorem:
  Let n = p where p is a prime.
  Because gcd(a, p) = 1 for all 0 < a < p,
  a^{p-1} ≡ 1 mod p

Finding a^{-1} mod n
• Search through 1, …, n-1 until an a^{-1} is found such that a·a^{-1} ≡ 1 (mod n)
– T(n) = O(n)
• Compute a^{-1} = a^{φ(n)-1} mod n
– Finding φ(n) requires factoring n
– T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
– T(n) = O(log^a n)

From Euclidean Algorithm
• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 - q1·r1 = s2·r0 + t2·r1
• r3 = r1 - q2·r2 = r1 - q2·(r0 - q1·r1) = s3·r0 + t3·r1
  ……
• r_{n-1} = s_{n-1}·r0 + t_{n-1}·r1
• r_{n-1} = gcd(r0, r1)
• If s_{n-1}·r0 + t_{n-1}·r1 = 1 then t_{n-1}·r1 ≡ 1 mod r0, i.e. t_{n-1} ≡ r1^{-1} mod r0
• Find t_{n-1}

s_i and t_i
• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
  ……
• r_i = r_{i-2} - q_{i-1}·r_{i-1} = s_{i-2}·r0 + t_{i-2}·r1 - q_{i-1}·s_{i-1}·r0 - q_{i-1}·t_{i-1}·r1 = s_i·r0 + t_i·r1
  s_i = s_{i-2} - q_{i-1}·s_{i-1}
  t_i = t_{i-2} - q_{i-1}·t_{i-1}
• Only t_i is needed
• r_i = s_i·r0 + t_i·r1 ≡ t_i·r1 mod r0

Extended Euclidean Algorithm
Step 1: r0 = n and r1 = a
Step 2: r0 = q1·r1 + r2 ⇒ r2 = r0 - q1·r1 ≡ -q1·r1 mod n; let x2 = -q1, then r2 ≡ x2·r1 mod n
  r1 = q2·r2 + r3 ⇒ r3 = r1 - q2·r2 ≡ (1 - x2·q2)·r1 mod n; let x3 = 1 - x2·q2, then r3 ≡ x3·r1 mod n
  ……
  r_{n-3} = q_{n-2}·r_{n-2} + r_{n-1} ⇒ r_{n-1} = r_{n-3} - q_{n-2}·r_{n-2} mod n; let x_{n-1} = x_{n-3} - x_{n-2}·q_{n-2}, then r_{n-1} ≡ x_{n-1}·r1 mod n. Now r_{n-1} = 1
Step 3: Result is x_{n-1} = a^{-1} mod n

Outline
• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Algebraic Structures
• Why structures?
– Cryptographic transforms are normally defined within some structure
• Definition: An algebraic structure is the collection of a set S with one (or more) operations (∘) performed on the elements of S
– Different algebraic structures are <S, ∘> satisfying some specific conditions

Group
• Definition: A group G = <S, ∘> is an algebraic structure that satisfies the following conditions
– G1: ∀a, b ∈ S: a∘b ∈ S (closure rule)
– G2: ∀a, b, c ∈ S: (a∘b)∘c = a∘(b∘c)
– G3: ∃e ∈ S, ∀a ∈ S: a∘e = e∘a = a
– G4: ∀a ∈ S, ∃a^{-1} ∈ S: a∘a^{-1} = a^{-1}∘a = e
– [G5, Abelian group]: ∀a, b: a∘b = b∘a

Group Example
• <Z, +>: e = 0, a^{-1} = -a
• <Zn, +> (Zn = {0, 1, …, n-1}, '+' is addition modulo n): e = 0, a^{-1} = n - a
• <Z2, ⊕> (exclusive OR) is also a group
• <Zp*, ×> (Zp* = {1, …, p-1}, '×' is multiplication modulo p)

Group Properties
• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G1 = <S1, ∘> is a subgroup of the group G = <S, ∘> if S1 ⊆ S
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange's Theorem Proof
(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (e ∈ H, so a ∈ aH). So the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of a Group Element
• Definition: The order of a group element a is defined as the least positive integer n such that
  a^n = a∘a∘…∘a = e
• The order of a is denoted as ord(a)
• Corollary: Suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n

ord(a) | n Proof
• Proof
– For a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operator of G forms a subgroup of G
  a^{ord(a)} = e, (a^i)^{-1} = a^{ord(a)-i}
– This subgroup is denoted as <a>

The Generator of a Group
• Definition: If all elements of a group can be generated by a single element g, g is called the generator of the group
• Example
– Consider <Z7*, ×>
– 2 generates: 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
  • <{1, 2, 4}> is a subgroup
– 3 generates: 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
  • 3 is the generator

Ring
• Definition: A ring R = <S, +, ×> (+ is addition, × is multiplication) such that
– R1: ∀a, b ∈ S: a + b ∈ S, a×b ∈ S (closure rule)
– R2: <S, +> is an additive Abelian group
– R3: ∀a, b, c ∈ S: (a×b)×c = a×(b×c)
– R4: ∀a, b, c ∈ S: a×(b + c) = a×b + a×c
• Example
– The set of even integers with + and × is a ring
– p, q are two primes, n = pq; Zn = {0, 1, …, n-1} with addition and multiplication mod n is a ring

Field
• Definition: A field F is <S, +, ×> with
– F1: <S, +, ×> is a commutative ring (a×b = b×a)
– F2: There exists an identity element 1 with respect to multiplication: a×1 = 1×a = a
– F3: Any nonzero element a ∈ S has its unique inverse a^{-1}: a×a^{-1} = a^{-1}×a = 1
• Example
– Zn = <{0, 1, …, n-1}, +, ×> is a field if n is a prime

Relationship
  [Figure: nested structures] Group (+, -) ⊂ Ring (+, -, ×) ⊂ Field (+, -, ×, ÷); these are the structures used in cryptography

Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F_{2^n}

Zn
• Zn is the "ring" of integers modulo n
– Zn = {0, 1, 2, …, n-1}
– Normal addition modulo n
– Normal multiplication modulo n
• Example
– Z26 for English letters
– Z256 for ASCII

Zn Properties
• Additive and multiplicative identities in Zn
– Additive identity is 0 mod n
– Multiplicative identity is 1 mod n
• Additive inverse: yes
– A number y such that x + y = 0 exists for all x in Zn
• Multiplicative inverse: not for all x
– A number y such that x·y = 1 does not exist for all x in Zn
– The elements in Zn that have an inverse: {x | gcd(x, n) = 1}

Zn*
• Zn* is a "group" of integers modulo n
– Zn* = {x | gcd(x, n) = 1}
– |Zn*| = φ(n)
– Normal multiplication modulo n
• Zn* may not be a group over +
– Example: n = 20, 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field

Zp
• Zp is the "field" of integers modulo p
– Zp = {0, 1, 2, …, p-1}
– Normal addition modulo p
– Normal multiplication modulo p
• Example: Z2
  +  | 0  1        ×  | 0  1        w | -w | w^{-1}
  0  | 0  1        0  | 0  0        0 |  0 |  -
  1  | 1  0        1  | 0  1        1 |  1 |  1
  (+ is XOR)       (× is AND)

Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n·x^n + a_{n-1}·x^{n-1} + … + a_1·x + a_0 where each a_i ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example
• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements in Z2[x]
– f(x) + g(x) = x^3 + x^2 + 1
– f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1
– f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
– p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)

Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), or a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) - b(x))
• Example
– In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
  • 3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^{-1}(x) mod p(x)

Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted as b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S
• Example
– x^4 + 1 = x·x^3 + 1 ≡ x(x + 1) + 1 mod p(x) = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1) Properties
• S is a group over addition in R
– 0 is e and the inverse of a ∈ S is a itself
– Example: (x^2 + 1) + (x^2 + 1) = 0
• S is a group over multiplication mod p(x)
– 1 is e and the inverse of a ∈ S exists
– Example: (x^2 + 1)·x = x^3 + x ≡ x + 1 + x mod x^3 + x + 1 = 1
– Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3 + x + 1) is a Field

Galois Field
• Definition: Galois field = (S, +, ×)
– S = F[x]/p(x)
– F is the field Z_N (N is prime)
– + is addition in F; × is multiplication modulo p(x)
– p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted as GF(N^n) where n = deg p(x)

Why Galois Field
• For an 8-bit block
– Z256 = {0, 1, …, 255} is not a field
– Z251 = {0, 1, …, 250} is a field
  • The largest prime < 256 is 251
  • 251, …, 255 are wasted
• Is it possible to find a field for Z256?
– Yes: the Galois Field

Galois Field for Z256
• Build a mapping from an n-bit block to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES
• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
– 01010011 ↔ x^6 + x^4 + x + 1
– (01010011)^{-1} ↔ (x^6 + x^4 + x + 1)^{-1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES
• Example: 02·87 = ?
• 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
• 02 = 00000010 ↔ f(x) = x
• 02·87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, x·f(x) (multiplication by 02) is
  (b6 b5 b4 b3 b2 b1 b0 0)                if b7 = 0
  (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)   if b7 = 1
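The polynomial arithmetic over Z2 of the slides above, as an added example that is not part of the original slides: polynomials are packed into integers (bit i is the coefficient of x^i), which covers the Z2[x]/(x^3 + x + 1) example, the AES field GF(2^8) = Z2[x]/(x^8 + x^4 + x^3 + x + 1) with the 02·87 multiplication rule, and the inverse of 01010011. The inverse is obtained by exponentiation (a^{-1} = a^{254}, since the multiplicative group has 255 elements) rather than by the extended Euclidean algorithm the slides mention.

```python
# Added example (not from the original slides): GF(2^n) arithmetic on bit-packed polynomials.

AES_POLY = 0b1_0001_1011   # p(x) = x^8 + x^4 + x^3 + x + 1, i.e. 0x11B


def gf2_mod(a, p):
    """Reduce polynomial a modulo p: subtract (XOR) p shifted to the leading term of a."""
    deg_p = p.bit_length() - 1
    while a.bit_length() - 1 >= deg_p:
        a ^= p << (a.bit_length() - 1 - deg_p)
    return a


def gf2_mulmod(a, b, p):
    """Multiply two polynomials over Z2 (shift-and-add with XOR), reduced modulo p."""
    result = 0
    while b:
        if b & 1:
            result ^= a        # add a * x^i whenever coefficient i of b is 1
        a <<= 1
        b >>= 1
    return gf2_mod(result, p)


def xtime(byte):
    """Multiplication by 02 in GF(2^8): shift left, XOR 00011011 when b7 was 1."""
    shifted = (byte << 1) & 0xFF
    return shifted ^ 0x1B if byte & 0x80 else shifted


def gf256_inverse(a):
    """a^{-1} in GF(2^8) by square-and-multiply: a^254, as |GF(2^8)*| = 255."""
    if a == 0:
        raise ValueError("0 has no multiplicative inverse")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf2_mulmod(result, base, AES_POLY)
        base = gf2_mulmod(base, base, AES_POLY)
        e >>= 1
    return result
```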

Outline
• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Mathematical Model for Ciphers
• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
– M = {ai | i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
– B = {bi | i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = {c | c = ek(m), k ∈ K, m ∈ M}
  [Figure: Sender → Encryption (m ↦ c) → Decryption → Receiver; the key k reaches both ends over a Secure Channel; Cryptanalysis observes c; labelled Message Space (P), Key Space (K), Ciphertext Space (C)]

Claude Shannon (1916-2001)
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
R. G. Gallager

Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = dk(c)]
– C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = (Pr(m) · Σ_{k | m = dk(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(dk(c)))

Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
– How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for every probability distribution of P,
  ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y

Proof of ⇐
• Pr[X = x | Y = y] = (Σ_{k ∈ K, x = dk(y)} Pr[K = k] · Pr[X = x]) / (Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[X = dk(y)])
• Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K|
• Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[X = dk(y)] = (1/|K|) · Σ_{k ∈ K, y ∈ C(k)} Pr[X = dk(y)] = (1/|K|) · Σ_{x ∈ P} Pr[X = x] = 1/|K|
• Hence Pr[X = x | Y = y] = Pr[X = x]

Proof of ⇒ (unique key)
• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
– There are no k1 ≠ k2 with ek1(x) = ek2(x)
– There is a unique key k such that ek(x) = y

Proof of ⇒ (equal key probability)
• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with e_{ki}(xi) = y
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
– Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
– Consider a nonzero probability distribution of P
– Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
– As one key can decrypt c into only one message, at least n keys are needed
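The posterior Pr[P = m | C = c] computed exactly from the formulas of the "Probability Distribution of C" slide, as an added example that is not part of the original slides. The cipher is a shift cipher on Z_n (c = m + k mod n) with a constructed, skewed plaintext distribution: a uniform key over all n shifts meets both conditions of the Perfect Secrecy Theorem, while a non-uniform key or fewer than |P| keys (the "bad news" bound) breaks Shannon security.

```python
# Added example (not from the original slides): checking Shannon security with exact fractions.
from fractions import Fraction


def shift_decrypt(k, c, n):
    """d_k(c) for the shift cipher on Z_n."""
    return (c - k) % n


def posterior_table(n, key_dist, msg_dist):
    """Return {(m, c): Pr[P=m | C=c]} using
    Pr[C=c] = sum_k Pr[K=k] Pr[P=d_k(c)]  and  Pr[C=c | P=m] = sum_{k: m=d_k(c)} Pr[K=k]."""
    pr_c = {c: sum(pk * msg_dist.get(shift_decrypt(k, c, n), Fraction(0))
                   for k, pk in key_dist.items())
            for c in range(n)}
    table = {}
    for m, pm in msg_dist.items():
        for c in range(n):
            if pr_c[c] == 0:
                continue   # this ciphertext never occurs; nothing to condition on
            pr_c_given_m = sum(pk for k, pk in key_dist.items()
                               if shift_decrypt(k, c, n) == m)
            table[(m, c)] = pr_c_given_m * pm / pr_c[c]
    return table


def is_perfectly_secret(n, key_dist, msg_dist):
    """Shannon's definition: the posterior equals the prior Pr[P=m] for every (m, c)."""
    return all(post == msg_dist[m]
               for (m, c), post in posterior_table(n, key_dist, msg_dist).items())


# Constructed sample distributions on Z_4 (not from the slides).
N = 4
MSG = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
UNIFORM_KEY = {k: Fraction(1, N) for k in range(N)}           # |K| = |P| = |C|, each key 1/|K|
SKEWED_KEY = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}
SMALL_KEY = {0: Fraction(1, 2), 1: Fraction(1, 2)}            # only 2 keys for 4 messages
```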

Introduction to Complexity
• Perfect secrecy ⇒ key length ≥ message length
– Can NOT use one key to encrypt many messages
– Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
– NOT perfect secrecy
– IS secure under limited resources (complexity)
– Meaning that key (or plaintext) recovery is difficult
– Complexity is the foundation of modern cryptography

Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
– Name: GCD problem
– Instance: Two natural numbers a, b ∈ N
– Question: What is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine
• Definition: A Turing Machine is (a transition function) S × B → S × B × {l, r}
– where S is the set of states, B the set of characters, l is shift left, r is shift right
  [Figure: a tape … 0 1 1 0 0 0 1 1 … read by a State Machine]

Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms
  [Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]

Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
– Logarithmic functions: f(n) = log(n)
– Polynomial functions: f(n) = n^a, a ∈ N
– Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
– The complexity of a problem is much more difficult to determine
– It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem
• Undecidable: provably intractable
– There is no algorithm that solves it
– Such as the Turing Halting Problem
• Decidable
– P: can be solved in polynomial time using a DTM
  • Example: AB
– NP: can be solved in polynomial time using an NDTM (S × B → 2^{S × B × {l, r}})
– BPP: can be "solved" in polynomial time using a PTM (S × B × {0, 1} → S × B × {l, r}) (randomized algorithms)

NP Problem
• NP problem: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
– P problem ⊆ NP problem
– NP problems are "more difficult" by intuition
• NPC: The most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy problems

Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP and I1+ and I2+ are their 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
– Q2 is more complex than Q1
– Denoted as Q1 ≤poly Q2

NP Completeness (NPC)
• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
– Name: Satisfiability problem (SAT)
– Instance: A set U of variables and a collection C of clauses over U
– Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC?
– SAT ≤poly Q

P = NP?
• P = NP, or ∃p ∈ NP, p ∉ P?
• If P = NP
– Modern cryptography is NOT secure
• If ∃p ∈ NP, p ∉ P
– A one-way function can be built based on p
– Indistinguishable pseudorandom functions exist
– They are the foundations of modern cryptography

BPP
• There are random algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for random algorithms
• Remarks on BPP
– The problem can be solved with some error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful under BPP
– Will be analyzed in depth later

Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 · p2^e2 ··· pk^ek)
• DLP: Find x satisfying g^x ≡ y (mod p)
• DHP: Find g^{ab} (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Semantic Security
• Ideas of semantic security
– Between Shannon security and security based on complexity
– Leaks partial information
– Approximate perfect secrecy
• Definition of semantic security
– Indistinguishability of ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish ciphertext from random bits

IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
  [Figure: the IND-CPA game]
  Challenger: picks random k and picks random b ∈ {0, 1}
  Adversary: picks M0, M1 of equal length (receives the encryption of Mb and outputs a guess b')
  Attacker wins the game if b = b'

Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
  [Figure: the bit-security game]
  Challenger: 1. picks random k; 2. picks random M
  Adversary: 3. picks i
  Attacker wins the game if a = the i-th bit of M

Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security

Summary
• Number Theory
– Primes, gcd, Euler's Theorem, CRT
– Modular arithmetic
• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)
• Shannon Security
– Perfect secrecy
– Probability
• Complexity of Computing
– P, NP, NPC, BPP

Homework
• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 3
Why Prime Numbers
bull Why numbersndash Encryption Mathematical Transformationndash Information Discrete eventsndash So Numbersndash Example A0 B1 hellip Z25
bull Why prime numbersndash Prime numbers is the foundation of numbers
Zhijun Li S1034040Autumn08HIT 4
Divisibility
bull Definition b is divisible by a if and only if a divides b without a remainder (or b=ma) denoted as a|bndash Example 3|6 5|20 -5|25 3|8
bull Properties ndash a|b b|c a|c
bull Proof a|bb=ma b|cc=nb=mna a|c
ndash a|b b|a |a|=|b|ndash a|b a|c a|bxcy
bull Proof
Zhijun Li S1034040Autumn08HIT 5
Prime and Composite Numbers
bull Definition An integer p is a prime if p is divisible only by +p-p1 and -1ndash Example 2357111317hellip101hellip
bull Denotation The set of all primes is P
bull Definition An integer n that is not a prime is called a composite numberndash Example 4625900hellip
Zhijun Li S1034040Autumn08HIT 6
bull Theorem(Fundamental Theorem of Arithmetic)
nN n= p1e1 p2
e2hellippkek ( or piP pei)
where ep is the exponent of the prime factor p
bull Note the result of factorization is uniquebull Example 84=2237
Factorizing in Product of Primes
Zhijun Li S1034040Autumn08HIT 7
Primes Amount
bull Theorem There are infinitely many primes
bull Proof (by contradiction) Assume Pmax build a number N is
N=P1P2hellipPmax+1
N can not be represented as P1e
1 P2e
2 hellip Pmaxe
max Therefore N is a new prime
Zhijun Li S1034040Autumn08HIT 8
Primes Density
(x) is a function gives the number of all primes contained in lt1xgt
(x)xln(x)
bull Gauss (x)xln(x)bull Legendre (x)x(ln(x)-108366) bull Hadamard de la Vallee-Poussion
((x)ln(x)x)x = 1
Zhijun Li S1034040Autumn08HIT 9
Greatest Common Divisor
bull Definition the greatest common divisor(GCD) is the number c
c=gcd(ab)=maxd|d|ad|bbull Properties
ndash d|n1d|n2hellipd|nk d|gcd(n1n2hellipnk)ndash gcd(ab) = gcd(b a mod b)
bull a mod b = r = a-qb 0ltrltb bull Hint a|b b|a a = b
bull Definition if gcd(ab)=1 then a and b are relatively prime(coprime)
Zhijun Li S1034040Autumn08HIT 10
Finding GCD
bull Theorem a=i pi
ai b=i pi
bi
gcd(ab)= i pi
min(ai bi)
bull Example
a=882=2 32 72
b=3465=33 5 7 11
gcd(ab)= 32 7 = 63
bull Complexityndash Need factoring the a and b ndash T(n) = O(cO(n))
Zhijun Li S1034040Autumn08HIT 11
Euclidean Algorithm Example
1970 = 1 x 1066 + 904 gcd(1066 904)1066 = 1 x 904 + 162 gcd(904 162)904 = 5 x 162 + 94 gcd(162 94)162 = 1 x 94 + 68 gcd(94 68)94 = 1 x 68 + 26 gcd(68 26)68 = 2 x 26 + 16 gcd(26 16)26 = 1 x 16 + 10 gcd(16 10)16 = 1 x 10 + 6 gcd(10 6)10 = 1 x 6 + 4 gcd(6 4)6 = 1 x 4 + 2 gcd(4 2)4 = 2 x 2 + 0 gcd(2 0)
GCD(19701066)
Zhijun Li S1034040Autumn08HIT 12
Euclidean Algorithm
bull Step 1 r0 =a and r1 =b
bull Step 2 r0 =q1r1+ r2
r1 =q2r2+ r3
helliphellip
rn-2 = qn-1rn-1+ rn
until rn=0 and rn-1 0
bull Step 3 rn-1 = gcd(ab)
Zhijun Li S1034040Autumn08HIT 13
Euclidean Algorithm Proof
bull rn = 0 rn-1| rn-2
rn-1| rn-3 hellip rn-1| a and rn-1| b
rn-1| gcd(ab)
bull gcd(ab)| r0 and gcd(ab)|r1
gcd(ab) | r0 ndash q1r1 gcd(ab)| r2
hellip gcd(ab) | rn-1
bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1
Zhijun Li S1034040Autumn08HIT 14
Euclidean Algorithm Complexity
bull Time Complexityndash Iteration
bull Each rigt1 iteration = O(log2a)
ndash Division
bull O(log22a)
ndash T(n)=O(log32n)
Zhijun Li S1034040Autumn08HIT 15
Modular Arithmetic
bull Why modular arithmetic
01100hellip0100
Plaintext 2n
11010hellip0111
Ciphertext 2n
+ addition multiplication
Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite
Zhijun Li S1034040Autumn08HIT 16
Modular Operation
bull Definition a mod n(modulo operator) is the remainder when a is divided by n
bull a mod n is r a=qn+r (0ltrltn)
Zhijun Li S1034040Autumn08HIT 17
Congruence Modulo n
bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)
Zhijun Li S1034040Autumn08HIT 18
Congruence Properties
bull Propertiesndash a b (mod n) c d (mod n)
a+c b+d (mod n)
ac bd (mod n)ndash Example
10 1 mod 9 102 1 mod 9 hellip
a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9
ndash a b (mod n) d|n a b (mod d)
Zhijun Li S1034040Autumn08HIT 19
Congruence Relation
bull Congruence relation is an equivalence relationndash Reflexive
bull a andash Symmetric
bull a b b a ndash Transitive
bull a b b c a c
bull Equivalence relation Partition
Zhijun Li S1034040Autumn08HIT 20
Example Integers Modulo 7
bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence
Z7 residues modulo 7
Zhijun Li S1034040Autumn08HIT 21
Set of Residues
• Definition: if a ≡ b mod n and b < n, b is called a residue of a modulo n
• The complete set of residues modulo n
  - The set {r_1, r_2, …, r_n} such that for every integer b exactly one r_i in the set satisfies b ≡ r_i mod n
• The reduced set of residues (RSR)
  - A subset of the complete set of residues in which each element is relatively prime to n
Set of Residues Example
• N = 10
  - The complete set of residues is {0, 1, 2, …, 9}
  - The reduced set of residues is {1, 3, 7, 9}
• N = p (p is a prime)
  - The complete set of residues is {0, 1, 2, …, p−1}
  - The reduced set of residues is {1, 2, …, p−1}
Modular Arithmetic
• We can define modular arithmetic on the set of integers Z_n = {0, 1, 2, …, n−1}
• Under normal arithmetic (+, ×):
  - [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • Proof: let a = q_1·n + r_1, b = q_2·n + r_2
    • (a + b) mod n = (q_1·n + r_1 + q_2·n + r_2) mod n = (r_1 + r_2) mod n
  - [(a mod n) × (b mod n)] mod n = (a × b) mod n
• From (+, ×) we also get (−)
Modular Arithmetic Example
• (Z_8 = {0, 1, 2, …, 7}, +)
  [addition table modulo 8 omitted in the transcript] What?
Modular Arithmetic Example
• (Z_8 = {0, 1, 2, …, 7}, ×)
  [multiplication table modulo 8 omitted in the transcript] NOT all elements in Z_8 …
Modular Arithmetic Remark
• Additive inverse always exists
  - a + (−a) ≡ 0 mod n, −a = n − a
  - if a + b ≡ a + c mod n then b ≡ c mod n
    • (−a) + a + b ≡ (−a) + a + c mod n
• Multiplicative inverse does NOT always exist
  - Example: 6 in Z_8
  - When does it exist?
Multiplicative Inverse in Modular Arithmetic
• Definition: a^{−1} mod n is the multiplicative inverse of a ∈ {1, 2, …, n−1}, the x with a·x ≡ 1 mod n
• Theorem: a^{−1} mod n exists if and only if gcd(a, n) = 1
• Lemma: if gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
  - Proof: assume a·i ≡ a·j mod n ⇒ n | a(i − j) ⇒ n | (i − j) ⇒ i − j = 0
Multiplicative Inverse Theorem
• Proof
  (⇐) gcd(a, n) = 1 ⇒ a·{1, …, n−1} mod n is a permutation of {1, …, n−1}
  - So there exists exactly one i with a·i ≡ 1 mod n
  - Therefore i is a^{−1} mod n
  (⇒) Suppose a^{−1} exists, call it x
  - a·x ≡ 1 (mod n), so a·x + y·n = 1 for some integer y
  - gcd(a, n) = 1 (gcd(a, n) | a·x + y·n ⇒ gcd(a, n) | 1)
Euler's phi Function
• Euler's "phi" function φ(n)
  - is the number of invertible elements of Z_n
  - is the number of elements in the reduced set of residues modulo n
• φ(n) calculation: [table omitted in the transcript]
Chinese Remainder Theorem
• Theorem: let n_1, n_2, …, n_k be integers s.t. gcd(n_i, n_j) = 1 (i ≠ j)
  x ≡ a_1 mod n_1
  x ≡ a_2 mod n_2
  ……
  x ≡ a_k mod n_k
  There exists a unique solution x modulo n = n_1·n_2·…·n_k
Proof of CRT
• Consider the one-to-one map Z_n → Z_{n_1} × Z_{n_2} × … × Z_{n_k},
  x ↦ (x mod n_1, x mod n_2, …, x mod n_k)
  - CRT is to find the inverse map (a_1, a_2, …, a_k) ↦ x
  x = Σ_{i=1}^{k} a_i·m_i·y_i mod n
  - m_i = n / n_i, gcd(m_i, n_i) = 1, 1 ≤ i ≤ k
  - y_i = m_i^{−1} mod n_i, 1 ≤ i ≤ k
  - m_i ≡ 0 mod n_j for j ≠ i ⇒ a_i·m_i·y_i ≡ 0 mod n_j for j ≠ i
  - y_j ≡ m_j^{−1} mod n_j ⇒ m_j·y_j ≡ 1 mod n_j ⇒ a_j·m_j·y_j ≡ a_j mod n_j
  ⇒ x mod n_j = a_j
Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof
  - A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  - A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  - So φ(mn) = φ(m)·φ(n)
Finding Euler's phi Function
• φ(n) calculation for n = Π_{i=1}^{k} p_i^{e_i}
• φ(p) = p − 1, φ(p^e) = p^e − p^{e−1}
  - The numbers in 1, …, p^e − 1 that are not coprime to p^e are the multiples k·p, k = 1, …, p^{e−1} − 1 (gcd(k·p, p^e) ≥ p)
  - So φ(p^e) = (p^e − 1) − (p^{e−1} − 1)
• φ(Π_{i=1}^{k} p_i^{e_i}) = Π_{i=1}^{k} (p_i^{e_i} − p_i^{e_i − 1})
• φ(n) = n(1 − 1/p_1)(1 − 1/p_2)…(1 − 1/p_k)
Euler's Theorem
• Theorem: if gcd(a, n) = 1 then a^{φ(n)} ≡ 1 mod n
• Proof
  1. Let R = {r_1, r_2, …, r_{φ(n)}} be a reduced set of residues modulo n
  2. {a·r_1, a·r_2, …, a·r_{φ(n)}} is a permutation of R (gcd(a·r_i, n) = 1)
  3. Π_{i=1}^{φ(n)} r_i ≡ Π_{i=1}^{φ(n)} a·r_i ≡ a^{φ(n)} · Π_{i=1}^{φ(n)} r_i mod n
  4. gcd(Π_{i=1}^{φ(n)} r_i, n) = 1, hence a^{φ(n)} ≡ 1 mod n
Fermat's Little Theorem
• From Euler's Theorem:
  Let n = p with p a prime.
  Because for all 0 < a < p, gcd(a, p) = 1,
  a^{p−1} ≡ 1 mod p
Finding a^{−1} mod n
• Search through 1, …, n−1 until an a^{−1} is found such that a·a^{−1} ≡ 1 (mod n)
  - T(n) = O(n)
• Compute a^{−1} = a^{φ(n)−1} mod n
  - Finding φ(n) requires factoring n
  - T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
  - T(n) = O(log^a n)
From the Euclidean Algorithm
• r_0 = 1·r_0 + 0·r_1 = s_0·r_0 + t_0·r_1
• r_1 = 0·r_0 + 1·r_1 = s_1·r_0 + t_1·r_1
• r_2 = r_0 − q_1·r_1 = s_2·r_0 + t_2·r_1
• r_3 = r_1 − q_2·r_2 = r_1 − q_2(r_0 − q_1·r_1) = s_3·r_0 + t_3·r_1
  ……
• r_{n−1} = s_{n−1}·r_0 + t_{n−1}·r_1
• r_{n−1} = gcd(r_0, r_1)
• s_{n−1}·r_0 + t_{n−1}·r_1 = 1 ⇒ t_{n−1}·r_1 ≡ 1 mod r_0 ⇒ t_{n−1} ≡ r_1^{−1} mod r_0
• Find t_{n−1}
s_i and t_i
• r_0 = s_0·r_0 + t_0·r_1, s_0 = 1, t_0 = 0
• r_1 = s_1·r_0 + t_1·r_1, s_1 = 0, t_1 = 1
  ……
• r_i = r_{i−2} − q_{i−1}·r_{i−1} = s_{i−2}·r_0 + t_{i−2}·r_1 − q_{i−1}·s_{i−1}·r_0 − q_{i−1}·t_{i−1}·r_1 = s_i·r_0 + t_i·r_1
  s_i = s_{i−2} − q_{i−1}·s_{i−1}
  t_i = t_{i−2} − q_{i−1}·t_{i−1}
• Only t_i is needed
• r_i = s_i·r_0 + t_i·r_1 ≡ t_i·r_1 mod r_0
Extended Euclidean Algorithm
Step 1: r_0 = n and r_1 = a
Step 2: r_0 = q_1·r_1 + r_2, r_2 = r_0 − q_1·r_1 ≡ −q_1·r_1 mod n; let x_2 = −q_1, then r_2 ≡ x_2·r_1 mod n
  r_1 = q_2·r_2 + r_3, r_3 = r_1 − q_2·r_2 ≡ (1 − x_2·q_2)·r_1 mod n;
  let x_3 = 1 − x_2·q_2, then r_3 ≡ x_3·r_1 mod n
  ……
  r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1}, r_{n−1} = r_{n−3} − q_{n−2}·r_{n−2} mod n; let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r_1 mod n. Now r_{n−1} = 1
Step 3: Result is x_{n−1} = a^{−1} mod n
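An implementation of Steps 1-3 with the s_i, t_i recurrences of the preceding slides (an added example, not the lecture's code); the 1970/1066 division chain from the earlier slide and the inverse of 17 modulo 3120 are constructed check values.

```python
def ext_gcd(r0, r1):
    """Return (g, s, t) with g = gcd(r0, r1) = s*r0 + t*r1.

    Each row (r_i, s_i, t_i) follows the slide recurrences
        r_i = r_{i-2} - q_{i-1} r_{i-1}
        s_i = s_{i-2} - q_{i-1} s_{i-1}
        t_i = t_{i-2} - q_{i-1} t_{i-1}
    starting from (s_0, t_0) = (1, 0) and (s_1, t_1) = (0, 1), so the
    invariant r_i = s_i*r0 + t_i*r1 holds at every step.
    """
    s_prev, t_prev = 1, 0      # row i-2
    s_cur, t_cur = 0, 1        # row i-1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    return r0, s_prev, t_prev  # r_{n-1} and its coefficients


def inv_mod(a, n):
    """a^-1 mod n via Step 1-3: r_0 = n, r_1 = a, answer is t_{n-1} mod n.

    Only the t sequence matters because r_i ≡ t_i * r_1 (mod n).
    Raises ValueError when gcd(a, n) != 1, i.e. no inverse exists.
    """
    g, _, t = ext_gcd(n, a % n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {g}")
    return t % n


def euclid_trace(a, b):
    """The division chain as on the Euclidean Algorithm Example slide.

    Returns a list of (r_{i-1}, q_i, r_i, r_{i+1}) meaning r_{i-1} = q_i * r_i + r_{i+1}.
    """
    steps = []
    while b:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return steps


if __name__ == "__main__":
    for row in euclid_trace(1970, 1066):
        print("%d = %d x %d + %d" % row)
    print(inv_mod(17, 3120))   # 2753
```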
Outline
• Number Theory
  - Prime Numbers
  - Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  - Information Theory
  - Complexity of Computing
  - Semantic Security
Algebraic Structures
• Why structures?
  - Cryptographic transforms are normally defined in some structure
• Definition: an algebraic structure is the collection of a set S with one (or more) operations (∘) performed on the elements of S
  - Different algebraic structures are <S, ∘> satisfying some specific conditions
Group
• Definition: a group G = <S, ∘> is an algebraic structure that satisfies the following conditions
  - G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
  - G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c)
  - G3: ∃e ∈ S, ∀a ∈ S, a∘e = e∘a = a
  - G4: ∀a ∈ S, ∃a^{−1} ∈ S, a∘a^{−1} = a^{−1}∘a = e
  - [G5, Abelian group]: ∀a, b, a∘b = b∘a
Group Examples
• <Z, +>: e = 0, a^{−1} = −a
• <Z_n, +> (Z_n = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a^{−1} = n − a
• <Z_2, ⊕> is also a group
• <Z_p^*, ×> (Z_p^* = {1, …, p−1}, '×' is multiplication modulo p)
Group Properties
• Definition: the order of a finite group is the number of elements in the group
• Definition: a group G_1 = <S_1, ∘> is a subgroup of the group G = <S, ∘> if S_1 ⊆ S
• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G
Lagrange's Theorem: Proof
(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a = ae ∈ aH), so the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G
The Order of a Group Element
• Definition: the order of a group element a is the least positive integer n such that
  a^n = a∘a∘…∘a = e
• The order of a is denoted ord(a)
• Corollary: suppose G is a finite group of order n and a ∈ G, then ord(a) | n
ord(a) | n: Proof
• Proof
  - For a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operator of G forms a subgroup of G:
    a^{ord(a)} = e, (a^i)^{−1} = a^{ord(a) − i}
  - This subgroup is denoted <a>; its order is ord(a), so by Lagrange's theorem ord(a) | n
The Generator of a Group
• Definition: if all elements of a group can be generated by a single element g, g is called the generator of the group
• Example
  - Consider <Z_7^*, ×>
  - 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • <{1, 2, 4}, ×> is a subgroup
  - 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator
Ring
• Definition: a ring R = <S, +, ×> (+ is addition, × is multiplication) such that
  - R1: ∀a, b ∈ S, a + b ∈ S, a × b ∈ S (closure rule)
  - R2: <S, +> is an additive Abelian group
  - R3: ∀a, b, c ∈ S, (a × b) × c = a × (b × c)
  - R4: ∀a, b, c ∈ S, a × (b + c)  = a × b + a × c
• Example
  - The set of even integers with + and × is a ring
  - p, q two primes, n = pq: Z_n = {0, 1, …, n−1} with addition and multiplication mod n is a ring
Field
• Definition: a field F is <S, +, ×> with
  - F1: <S, +, ×> is a commutative ring (a × b = b × a)
  - F2: there exists an identity element 1 with respect to multiplication: a × 1 = 1 × a = a
  - F3: any nonzero element a ∈ S has a unique inverse a^{−1}: a × a^{−1} = a^{−1} × a = 1
• Example
  - Z_n = <{0, 1, …, n−1}, +, ×> is a field if n is a prime
Relationship
[figure: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷); all three are used in cryptography]
Several Important Structures
• Z_n
• Z_n^*
• Z_p
• Polynomial rings
• Galois field F_{2^n}
Z_n
• Z_n is the "ring" of integers modulo n
  - Z_n = {0, 1, 2, …, n−1}
  - Normal addition modulo n
  - Normal multiplication modulo n
• Example
  - Z_26 for English letters
  - Z_256 for ASCII
Z_n Properties
• Additive and multiplicative identities in Z_n
  - Additive identity is 0 mod n
  - Multiplicative identity is 1 mod n
• Additive inverse: yes
  - For every x in Z_n there is a number y such that x + y = 0
• Multiplicative inverse: not for all x
  - A number y such that x·y = 1 exists only for some x in Z_n
  - The elements of Z_n that have an inverse: {x | gcd(x, n) = 1}
Z_n^*
• Z_n^* is a "group" of integers modulo n
  - Z_n^* = {x | gcd(x, n) = 1}
  - |Z_n^*| = φ(n)
  - Normal multiplication modulo n
• Z_n^* may not be a group over +
  - Example: n = 20, 3, 5 ∈ Z_n^* but 3 + 5 = 8 ∉ Z_n^*
• So Z_n^* may not be a field
Z_p
• Z_p is the "field" of integers modulo a prime p
  - Z_p = {0, 1, 2, …, p−1}
  - Normal addition modulo p
  - Normal multiplication modulo p
• Example: Z_2
  +  | 0  1        ×  | 0  1        w | −w | w^{−1}
  0  | 0  1        0  | 0  0        0 |  0 | (none)
  1  | 1  0        1  | 0  1        1 |  1 |   1
  (XOR)            (AND)
Polynomial Ring
• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n−1} x^{n−1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Polynomial Ring Example
• Example: let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z_2[x]
  - f(x) + g(x) = x^3 + x^2 + 1
  - f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  - f(x)·g(x) = x^5 + x^4 + x^3 + x
Set of Residues Modulo p(x)
• Definition: a set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  - p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
  - In Z_5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: if a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^{−1}(x) mod p(x)
Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) and b(x) | a(x)
Example: Z_2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z_2[x], f(x) mod p(x) ∈ S
• Example
  - x^4 + 1 = x·x^3 + 1 ≡ x(x + 1) + 1 = x^2 + x + 1 mod p(x)
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)
Z_2[x]/(x^3 + x + 1): Properties
• S is a group over addition in R
  - 0 is e and the inverse of a ∈ S is a itself
  - Example: (x^2 + 1) + (x^2 + 1) = 0
• S \ {0} is a group over multiplication mod p(x)
  - 1 is e and the inverse of every nonzero a ∈ S exists
  - Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
  - Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z_2[x]/(x^3 + x + 1) is a field
Galois Field
• Definition: Galois field = (S, +, ×)
  - S = F[x]/p(x)
  - F is a field Z_N (N is prime)
  - + is addition in F[x], × is multiplication modulo p(x)
  - p(x) is irreducible
• The Galois field Z_N[x]/p(x) is denoted GF(N^n) where n = deg p(x)
Why Galois Fields?
• For an 8-bit block
  - Z_256 = {0, 1, …, 255} is not a field
  - Z_251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for Z_256?
  - Yes: a Galois field
Galois Field for Z_256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z_2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)
Galois Field Example: AES
• AES uses GF(2^8) = Z_2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  - 01010011 ↔ x^6 + x^4 + x + 1
  - (01010011)^{−1} ↔ (x^6 + x^4 + x + 1)^{−1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010
Galois Field Example: AES
• Example: 02·87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ x
  • 02·87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, for b = b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0:
  x·f(x) ↔ 02·b = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)                   if b_7 = 0
                = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) ⊕ (00011011)       if b_7 = 1
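An added example (not from the slides) that serves both the Z_2[x]/(x^3+x+1) example and the AES GF(2^8) arithmetic above: field elements are bit strings, the reduction polynomial is passed as a bit mask, the 02·b rule is the xtime shift-and-XOR-0x1B step, and the inverse is a^(2^n − 2) by Euler's theorem on the multiplicative group of order 2^n − 1. The check values 02·87, (01010011)^{−1} = 11001010 and (x^2+1)·x = 1 are the slides' own.

```python
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial
GF8_POLY = 0b1011  # x^3 + x + 1, the GF(2^3) example


def gf_mul(a, b, poly, n):
    """Multiply a*b in GF(2^n) = Z_2[x]/poly; poly is a bit mask including the x^n term."""
    high, r = 1 << n, 0
    while b:
        if b & 1:
            r ^= a                 # add (XOR) the current multiple of a
        b >>= 1
        a <<= 1                    # multiply a by x
        if a & high:               # degree reached n: reduce by subtracting poly
            a ^= poly
    return r


def xtime(b):
    """The slide's 02*b rule for AES: shift left, XOR 00011011 if b_7 was set."""
    b <<= 1
    if b & 0x100:
        b ^= 0x11B
    return b & 0xFF


def gf_pow(a, e, poly, n):
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, poly, n)
        a = gf_mul(a, a, poly, n)
        e >>= 1
    return r


def gf_inv(a, poly, n):
    """a^-1 = a^(2^n - 2): the nonzero elements form a group of order 2^n - 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in a field")
    return gf_pow(a, (1 << n) - 2, poly, n)


def poly_str(a):
    """Render a bit string as a polynomial over Z_2, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    names = {0: "1", 1: "x"}
    terms = [names.get(i, f"x^{i}") for i in range(a.bit_length() - 1, -1, -1) if a >> i & 1]
    return " + ".join(terms) if terms else "0"


def is_field(poly, n):
    """Every nonzero element invertible <=> poly irreducible (brute force, small n only)."""
    return all(any(gf_mul(a, b, poly, n) == 1 for b in range(1, 1 << n))
               for a in range(1, 1 << n))


if __name__ == "__main__":
    print(hex(gf_mul(0x02, 0x87, AES_POLY, 8)), hex(xtime(0x87)))   # 0x15 0x15
    print(poly_str(gf_inv(0x53, AES_POLY, 8)))                       # x^7 + x^6 + x^3 + x
```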
Outline
• Number Theory
  - Prime Numbers
  - Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  - Information Theory
  - Complexity of Computing
  - Semantic Security
Mathematical Model for Ciphers
• P = M^L = {m = (m_1, m_2, …, m_L) | m_i ∈ M}
  - M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1
• K = B^R = {b = (b_1, b_2, …, b_R) | b_i ∈ B}
  - B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ M}
[figure: Sender → Encryption → c → Decryption → Receiver; the key k is delivered over a secure channel; cryptanalysis observes c; Key Space (K), Message Space (P), Ciphertext Space (C)]
Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
R. G. Gallager
Claude Shannon, 1916-2001
Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k]·Pr[P = d_k(c)]
  - C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
  = (Pr(m)·Σ_{k | m = d_k(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k)·Pr(d_k(c)))
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  - How to define "information"?
• Definition: an encryption scheme is Shannon secure if, for the probability distribution of P,
  ∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
• We also say such a scheme has perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  - every key is used with equal probability 1/|K|
  - and ∀x ∈ P and ∀y ∈ C there is a unique key k such that e_k(x) = y
Proof of ⇐
• Pr[x = x | y = y] = Σ_{k ∈ K, x = d_k(y)} Pr[K = k]·Pr[x = x] / Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = d_k(y)]
• Numerator: Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K| (a unique key maps x to y, and every key has probability 1/|K|)
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = d_k(y)] = (1/|K|)·Σ_{k ∈ K, y ∈ C(k)} Pr[x = d_k(y)] = (1/|K|)·Σ_{x ∈ P} Pr[x = x] = 1/|K|
• Hence Pr[x = x | y = y] = Pr[x = x]
Proof of ⇒ (unique key)
• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C: we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
  - There are no k_1 ≠ k_2 with e_{k_1}(x) = e_{k_2}(x)
  - There is a unique key k such that e_k(x) = y
Proof of ⇒ (equal key probability)
• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Given a fixed y, let k_1, k_2, …, k_n be the keys with e_{k_i}(x_i) = y
• Pr[x_i | y] = Pr[y | x_i]·Pr[x_i] / Pr[y] = Pr[K = k_i]·Pr[x_i] / Pr[y]
• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
  - Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy
• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  - Consider a nonzero probability distribution of P
  - Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  - As one key can decrypt c into only one message, at least n keys are needed
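An added example (not from the lecture) that evaluates the formulas of the "Probability Distribution of C" slide with exact fractions for a shift cipher on Z_5 and tests Shannon's definition under four constructed settings: uniform keys (perfect secrecy), biased keys, a key space smaller than P, and one key reused for two letters. The plaintext distribution and key distributions are my own.

```python
from fractions import Fraction


def shift_enc(k, m, n):
    return (m + k) % n


def shift_dec(k, c, n):
    return (c - k) % n


def posterior(pr_p, pr_k, enc, dec):
    """Pr[C=c] and Pr[P=m | C=c] for every (m, c) with Pr[C=c] > 0.

    pr_p: {plaintext: probability}, pr_k: {key: probability} (Fractions).
      Pr[C=c]       = sum over k of Pr[K=k] * Pr[P=d_k(c)]
      Pr[C=c | P=m] = sum over k with d_k(c) = m of Pr[K=k]
      Pr[P=m | C=c] = Pr[C=c | P=m] * Pr[P=m] / Pr[C=c]
    """
    ciphertexts = {enc(k, m) for k in pr_k for m in pr_p}
    pr_c = {c: sum((pr_k[k] * pr_p.get(dec(k, c), Fraction(0)) for k in pr_k), Fraction(0))
            for c in ciphertexts}
    post = {}
    for c in ciphertexts:
        if pr_c[c] == 0:
            continue
        for m in pr_p:
            likelihood = sum((pr_k[k] for k in pr_k if dec(k, c) == m), Fraction(0))
            post[(m, c)] = likelihood * pr_p[m] / pr_c[c]
    return pr_c, post


def is_perfectly_secret(pr_p, pr_k, enc, dec):
    """Shannon's definition: Pr[P=m | C=c] = Pr[P=m] for all m and all c with Pr[C=c] > 0."""
    _, post = posterior(pr_p, pr_k, enc, dec)
    return all(post[(m, c)] == pr_p[m] for (m, c) in post)


def uniform(keys):
    keys = list(keys)
    return {k: Fraction(1, len(keys)) for k in keys}


# Constructed inputs: a skewed plaintext distribution on Z_5 and two key distributions.
N = 5
SKEWED_PLAINTEXT = {m: Fraction(m + 1, 15) for m in range(N)}          # sums to 1
UNIFORM_KEYS = uniform(range(N))
BIASED_KEYS = {0: Fraction(1, 2), **{k: Fraction(1, 8) for k in range(1, N)}}


def single_letter_secure(pr_k):
    """One letter, one key drawn from pr_k."""
    return is_perfectly_secret(SKEWED_PLAINTEXT, pr_k,
                               lambda k, m: shift_enc(k, m, N),
                               lambda k, c: shift_dec(k, c, N))


def two_letters_one_key_secure():
    """The same key reused for two letters: |K| = 5 < |P| = 25, so secrecy must fail."""
    pairs = [(a, b) for a in range(N) for b in range(N)]
    enc = lambda k, m: (shift_enc(k, m[0], N), shift_enc(k, m[1], N))
    dec = lambda k, c: (shift_dec(k, c[0], N), shift_dec(k, c[1], N))
    return is_perfectly_secret(uniform(pairs), UNIFORM_KEYS, enc, dec)


if __name__ == "__main__":
    print(single_letter_secure(UNIFORM_KEYS), single_letter_secure(BIASED_KEYS))  # True False
    print(two_letters_one_key_secure())                                             # False
```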
Introduction to Complexity
• Perfect secrecy ⇒ key length ≥ message length
  - Can NOT use one key to encrypt many messages
  - E.g. use a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  - NOT perfect secrecy
  - IS secure under limited resources (complexity)
  - Meaning that key (or plaintext) recovery is difficult
  - Complexity is the foundation of modern cryptography
Problems
• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
  - Name: GCD problem
  - Instance: two natural numbers a, b ∈ N
  - Question: what is the greatest common divisor of a and b?
  - An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: a Turing Machine is a transition function S × B → S × B × {l, r}
  - where S is the set of states, B the characters, l is shift left, r is shift right
[figure: tape … 0 1 1 0 0 0 1 1 … read by a state machine]
Algorithms
• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answers for all instances of the problem
Problems and Algorithms
[figure: PROBLEM → INSTANCES → (Input) ALGORITHM (Output)]
Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  - Logarithmic functions: f(n) = log(n)
  - Polynomial functions: f(n) = n^a, a ∈ N
  - Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Complexity of Problem
• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  - The complexity of a problem is much more difficult to determine
  - It relies on mathematical analysis
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problems
• Undecidable: provably intractable
  - There is no algorithm that solves it
  - Such as the Turing halting problem
• Decidable
  - P: can be solved in polynomial time using a DTM
    • Example: A × B
  - NP: can be solved in polynomial time using an NDTM (transition S × B → 2^S)
  - BPP: can be "solved" in polynomial time using a PTM, S × B × {0, 1} → S (randomized algorithms)
NP Problems
• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  - P problems ⊆ NP problems
  - NP problems are "more difficult", intuitively
• NPC: the most difficult problems in NP
  - How to define the difficulty?
  - P problems are considered easy problems
Polynomial Reduction
• Definition: assume Q_1, Q_2 ∈ NP, and I_1^+ and I_2^+ are their 'yes' instances.
  Q_1 is polynomially reducible to Q_2 if there is a function f: I_1 → I_2 s.t.
  - f is computable in polynomial time by a DTM
  - for all x: x ∈ I_1^+ iff f(x) ∈ I_2^+
• Note
  - Q_2 is at least as complex as Q_1
  - Denoted Q_1 ≤_poly Q_2
NP Completeness (NPC)
• Definition: an NPC problem is a Q_c such that for any Q ∈ NP we have Q ≤_poly Q_c
• Example
  - Name: satisfiability problem (SAT)
  - Instance: a set U of variables and a collection C of clauses over U
  - Question: is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC
  - SAT ≤_poly Q
P = NP?
• P = NP, or ∃p ∈ NP, p ∉ P?
• If P = NP
  - Modern cryptography is NOT secure
• If ∃p ∈ NP, p ∉ P
  - A one-way function can be built based on p
  - Indistinguishable pseudorandom functions exist
  - They are the foundations of modern cryptography
BPP
• There are randomized algorithms in cryptography
  - Especially in cryptanalysis
  - BPP is the model for randomized algorithms
• Remarks on BPP
  - The problem can be solved with some error probability
  - The error probability can be reduced by repetition
  - Security of cryptography is meaningful under BPP
  - Will be analyzed in depth later
Problems in Cryptography
• FACTORING: factorize n (= p_1^{e_1} p_2^{e_2} … p_k^{e_k})
• DLP: for a generator g and element h, find x satisfying g^x ≡ h (mod p)
• DHP: find g^{ab} (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: given a set of positive integers A = {a_1, a_2, …, a_n} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)
Semantic Security
• Ideas of semantic security
  - Between Shannon security and security based on complexity
  - Leak partial information
  - Approximate perfect secrecy
• Definition of semantic security
  - Indistinguishability of ciphertexts
  - Difficult to distinguish ciphertexts for different plaintexts
  - Difficult to distinguish ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  - A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
  Challenger: picks random k and random b ∈ {0, 1}
  Adversary: picks M_0, M_1 of equal length
  Challenger → Adversary: E_k(M_b)
  Adversary → Challenger: b'
  Attacker wins the game if b = b'
Bit Security
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
  Challenger: 1. picks random k; 2. picks random M; sends E_k(M)
  Adversary: 3. picks i and outputs a guess a
  Attacker wins the game if a = the i'th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
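An added example (not from the slides) that plays the IND-CPA game above against two constructed schemes: a deterministic keystream cipher, which the textbook oracle-comparison adversary beats in every round, and a nonce-based scheme using HMAC-SHA256 as the PRF, against which the same adversary is reduced to guessing. The scheme functions, adversary class and messages are my own.

```python
import hashlib
import hmac
import os
import secrets


def prf(key, nonce, length):
    """Keystream from a PRF: HMAC-SHA256(key, nonce || counter), counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def enc_deterministic(key, msg):
    """Keystream depends on the key only: equal plaintexts give equal ciphertexts."""
    return bytes(a ^ b for a, b in zip(msg, prf(key, b"", len(msg))))


def enc_randomized(key, msg):
    """Fresh 16-byte nonce per message; ciphertext = nonce || msg XOR PRF_k(nonce)."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(msg, prf(key, nonce, len(msg))))


class RepeatQueryAdversary:
    """Asks the oracle for E_k(M_0) and checks whether the challenge equals it."""

    def choose(self):
        return b"TRANSFER 100 USD", b"TRANSFER 900 USD"   # equal length, as the game requires

    def guess(self, oracle, m0, m1, challenge):
        return 0 if oracle(m0) == challenge else 1


def ind_cpa_game(encrypt, adversary, trials=100):
    """Run the game `trials` times and return the fraction of rounds with b' == b."""
    wins = 0
    for _ in range(trials):
        key = os.urandom(32)                      # challenger picks random k
        b = secrets.randbits(1)                   # and random b in {0, 1}
        oracle = lambda m, key=key: encrypt(key, m)   # chosen-plaintext access
        m0, m1 = adversary.choose()
        challenge = encrypt(key, (m0, m1)[b])     # challenger sends E_k(M_b)
        if adversary.guess(oracle, m0, m1, challenge) == b:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    adv = RepeatQueryAdversary()
    print(ind_cpa_game(enc_deterministic, adv))   # 1.0
    print(ind_cpa_game(enc_randomized, adv))      # about 0.5
```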
Summary
• Number Theory
  - Primes, gcd, Euler's theorem, CRT
  - Modular arithmetic
• Algebraic Structures
  - Group, Field
  - Z_n, Z_p, GF(2^n)
• Shannon Security
  - Perfect secrecy
  - Probability
• Complexity of Computing
  - P, NP, NPC, BPP
Homework
• HTTP URL: httpcsthiteducncryptography
• Due Date:
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 4
Divisibility
bull Definition b is divisible by a if and only if a divides b without a remainder (or b=ma) denoted as a|bndash Example 3|6 5|20 -5|25 3|8
bull Properties ndash a|b b|c a|c
bull Proof a|bb=ma b|cc=nb=mna a|c
ndash a|b b|a |a|=|b|ndash a|b a|c a|bxcy
bull Proof
Zhijun Li S1034040Autumn08HIT 5
Prime and Composite Numbers
bull Definition An integer p is a prime if p is divisible only by +p-p1 and -1ndash Example 2357111317hellip101hellip
bull Denotation The set of all primes is P
bull Definition An integer n that is not a prime is called a composite numberndash Example 4625900hellip
Zhijun Li S1034040Autumn08HIT 6
bull Theorem(Fundamental Theorem of Arithmetic)
nN n= p1e1 p2
e2hellippkek ( or piP pei)
where ep is the exponent of the prime factor p
bull Note the result of factorization is uniquebull Example 84=2237
Factorizing in Product of Primes
Zhijun Li S1034040Autumn08HIT 7
Primes Amount
bull Theorem There are infinitely many primes
bull Proof (by contradiction) Assume Pmax build a number N is
N=P1P2hellipPmax+1
N can not be represented as P1e
1 P2e
2 hellip Pmaxe
max Therefore N is a new prime
Zhijun Li S1034040Autumn08HIT 8
Primes Density
(x) is a function gives the number of all primes contained in lt1xgt
(x)xln(x)
bull Gauss (x)xln(x)bull Legendre (x)x(ln(x)-108366) bull Hadamard de la Vallee-Poussion
((x)ln(x)x)x = 1
Zhijun Li S1034040Autumn08HIT 9
Greatest Common Divisor
bull Definition the greatest common divisor(GCD) is the number c
c=gcd(ab)=maxd|d|ad|bbull Properties
ndash d|n1d|n2hellipd|nk d|gcd(n1n2hellipnk)ndash gcd(ab) = gcd(b a mod b)
bull a mod b = r = a-qb 0ltrltb bull Hint a|b b|a a = b
bull Definition if gcd(ab)=1 then a and b are relatively prime(coprime)
Zhijun Li S1034040Autumn08HIT 10
Finding GCD
bull Theorem a=i pi
ai b=i pi
bi
gcd(ab)= i pi
min(ai bi)
bull Example
a=882=2 32 72
b=3465=33 5 7 11
gcd(ab)= 32 7 = 63
bull Complexityndash Need factoring the a and b ndash T(n) = O(cO(n))
Zhijun Li S1034040Autumn08HIT 11
Euclidean Algorithm Example
1970 = 1 x 1066 + 904 gcd(1066 904)1066 = 1 x 904 + 162 gcd(904 162)904 = 5 x 162 + 94 gcd(162 94)162 = 1 x 94 + 68 gcd(94 68)94 = 1 x 68 + 26 gcd(68 26)68 = 2 x 26 + 16 gcd(26 16)26 = 1 x 16 + 10 gcd(16 10)16 = 1 x 10 + 6 gcd(10 6)10 = 1 x 6 + 4 gcd(6 4)6 = 1 x 4 + 2 gcd(4 2)4 = 2 x 2 + 0 gcd(2 0)
GCD(19701066)
Zhijun Li S1034040Autumn08HIT 12
Euclidean Algorithm
bull Step 1 r0 =a and r1 =b
bull Step 2 r0 =q1r1+ r2
r1 =q2r2+ r3
helliphellip
rn-2 = qn-1rn-1+ rn
until rn=0 and rn-1 0
bull Step 3 rn-1 = gcd(ab)
Zhijun Li S1034040Autumn08HIT 13
Euclidean Algorithm Proof
bull rn = 0 rn-1| rn-2
rn-1| rn-3 hellip rn-1| a and rn-1| b
rn-1| gcd(ab)
bull gcd(ab)| r0 and gcd(ab)|r1
gcd(ab) | r0 ndash q1r1 gcd(ab)| r2
hellip gcd(ab) | rn-1
bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1
Zhijun Li S1034040Autumn08HIT 14
Euclidean Algorithm Complexity
bull Time Complexityndash Iteration
bull Each rigt1 iteration = O(log2a)
ndash Division
bull O(log22a)
ndash T(n)=O(log32n)
Zhijun Li S1034040Autumn08HIT 15
Modular Arithmetic
bull Why modular arithmetic
01100hellip0100
Plaintext 2n
11010hellip0111
Ciphertext 2n
+ addition multiplication
Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite
Zhijun Li S1034040Autumn08HIT 16
Modular Operation
bull Definition a mod n(modulo operator) is the remainder when a is divided by n
bull a mod n is r a=qn+r (0ltrltn)
Zhijun Li S1034040Autumn08HIT 17
Congruence Modulo n
bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)
Zhijun Li S1034040Autumn08HIT 18
Congruence Properties
bull Propertiesndash a b (mod n) c d (mod n)
a+c b+d (mod n)
ac bd (mod n)ndash Example
10 1 mod 9 102 1 mod 9 hellip
a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9
ndash a b (mod n) d|n a b (mod d)
Zhijun Li S1034040Autumn08HIT 19
Congruence Relation
bull Congruence relation is an equivalence relationndash Reflexive
bull a andash Symmetric
bull a b b a ndash Transitive
bull a b b c a c
bull Equivalence relation Partition
Zhijun Li S1034040Autumn08HIT 20
Example Integers Modulo 7
bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence
Z7 residues modulo 7
Zhijun Li S1034040Autumn08HIT 21
Set of Residues
bull Definition if a b mod n and bltn b is called a residue of a modulo n
bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i
n the set satisfies bri mod n
bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele
ment is relatively prime to n
Zhijun Li S1034040Autumn08HIT 22
Set of Residues Example
bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379
bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1
Zhijun Li S1034040Autumn08HIT 23
Modular Arithmetic
bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1
bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n
bull Proof Let a=q1n+r1 b=q2n+r2
bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n
ndash [(a mod n) (b mod n)] mod n = (ab) mod n
bull (+ ) (-)
Zhijun Li S1034040Autumn08HIT 24
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)
What
Zhijun Li S1034040Autumn08HIT 25
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )
NOT all elements in Z8
Zhijun Li S1034040Autumn08HIT 26
Modular Arithmetic Remark
bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n
bull ((-a)+a+b) ((-a)+a+c) mod n
bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8
ndash When
Zhijun Li S1034040Autumn08HIT 27
Multiplicative Inverse in Modular
bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n
bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists
bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=
0
Zhijun Li S1034040Autumn08HIT 28
Multiplicative Inverse Theorem
bull Proof
ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1
ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n
ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)
Zhijun Li S1034040Autumn08HIT 29
Eulerrsquos phi Function
bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn
ndash Is the number of elements in the reduced set of residues for modulo n
(n) calculation
Chinese Remainder Theorem
• Theorem: let $n_1, n_2, \dots, n_k$ be integers with $\gcd(n_i, n_j) = 1$ for $i \ne j$. The system
  $x \equiv a_1 \pmod{n_1}$
  $x \equiv a_2 \pmod{n_2}$
  ……
  $x \equiv a_k \pmod{n_k}$
  has a unique solution $x$ modulo $n = n_1 n_2 \cdots n_k$

Proof of CRT
• Consider the one-to-one map $\mathbb{Z}_n \to \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_k}$,
  $x \mapsto (x \bmod n_1, x \bmod n_2, \dots, x \bmod n_k)$
  – The CRT asks for its inverse: given $(a_1, a_2, \dots, a_k)$, find $x$
• $x = \sum_{i=1}^{k} a_i m_i y_i \bmod n$, where
  – $m_i = n / n_i$, so $\gcd(m_i, n_i) = 1$ for $1 \le i \le k$
  – $y_i = m_i^{-1} \bmod n_i$ for $1 \le i \le k$
  – $m_i \equiv 0 \pmod{n_j}$ for $j \ne i$, hence $a_i m_i y_i \equiv 0 \pmod{n_j}$ for $j \ne i$
  – $y_j = m_j^{-1} \bmod n_j$, so $m_j y_j \equiv 1 \pmod{n_j}$ and $a_j m_j y_j \equiv a_j \pmod{n_j}$
  – Therefore $x \bmod n_j = a_j$ for every $j$

Finding Euler's phi Function
• Theorem: if $\gcd(m, n) = 1$ then $\varphi(mn) = \varphi(m) \varphi(n)$
• Proof:
  – A number $x \bmod mn$ is represented uniquely by the pair $(a, b) = (x \bmod m, x \bmod n)$ (CRT)
  – $x$ is relatively prime to $mn$ iff $a$ and $b$ are relatively prime to $m$ and $n$ respectively
  – So $\varphi(mn) = \varphi(m) \varphi(n)$

Finding Euler's phi Function
• $\varphi(n)$ calculation for $n = \prod_{i=1}^{k} p_i^{e_i}$
• $\varphi(p) = p - 1$; $\varphi(p^e) = p^e - p^{e-1}$
  – Among $1, \dots, p^e - 1$, the numbers not coprime to $p^e$ are exactly the multiples $kp$ (with $\gcd(kp, p^e) \ge p$) for $k = 1, \dots, p^{e-1} - 1$
  – So $\varphi(p^e) = (p^e - 1) - (p^{e-1} - 1) = p^e - p^{e-1}$
• $\varphi\left(\prod_{i=1}^{k} p_i^{e_i}\right) = \prod_{i=1}^{k} \left(p_i^{e_i} - p_i^{e_i - 1}\right)$
• $\varphi(n) = n \left(1 - \frac{1}{p_1}\right)\left(1 - \frac{1}{p_2}\right) \cdots \left(1 - \frac{1}{p_k}\right)$
Euler's Theorem
• Theorem: if $\gcd(a, n) = 1$ then $a^{\varphi(n)} \equiv 1 \pmod n$
• Proof:
  1. Let $R = \{ r_1, r_2, \dots, r_{\varphi(n)} \}$ be the reduced set of residues modulo $n$
  2. $\{ a r_1, a r_2, \dots, a r_{\varphi(n)} \}$ (taken mod $n$) is a permutation of $R$ ($\gcd(a r_i, n) = 1$, and the $a r_i$ are pairwise distinct mod $n$ by the earlier lemma)
  3. $\prod_{i=1}^{\varphi(n)} r_i \equiv \prod_{i=1}^{\varphi(n)} a r_i \equiv a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} r_i \pmod n$
  4. $\gcd\left(\prod_{i=1}^{\varphi(n)} r_i, n\right) = 1$, so the product can be cancelled. Hence $a^{\varphi(n)} \equiv 1 \pmod n$

Fermat's Little Theorem
• Special case of Euler's Theorem:
  Let $n = p$ with $p$ prime
  Since $\gcd(a, p) = 1$ for all $0 < a < p$, and $\varphi(p) = p - 1$,
  $a^{p-1} \equiv 1 \pmod p$
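As an added worked example (not part of the lecture slides), the following Python computes $\varphi(n)$ with the prime-power formula above, solves a system of congruences with the CRT formula $x = \sum a_i m_i y_i \bmod n$ from the proof, and checks Euler's and Fermat's theorems on concrete values. The function names (factorize, euler_phi, crt, ...) and the small test moduli are this example's own choices.

```python
from math import gcd, prod

# Added example (not from the lecture slides). Function names are this
# example's own. Euler's phi via the prime-power formula, the CRT formula
# x = sum a_i * m_i * y_i mod n from the proof, and numeric checks of
# Euler's and Fermat's theorems.


def factorize(n):
    """Trial-division factorisation: {p: e}. Fine for the small n used here."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def euler_phi(n):
    """phi(n) = product over p^e || n of (p^e - p^(e-1)); phi(1) = 1 (empty product)."""
    return prod(p ** e - p ** (e - 1) for p, e in factorize(n).items())


def euler_phi_by_counting(n):
    """Reference value: |Z_n^*| = number of x in 1..n with gcd(x, n) = 1."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def crt(residues, moduli):
    """Solve x = a_i (mod n_i) for pairwise coprime n_i; returns x mod n_1*...*n_k."""
    for i, n_i in enumerate(moduli):
        for n_j in moduli[i + 1:]:
            if gcd(n_i, n_j) != 1:
                raise ValueError(f"moduli {n_i} and {n_j} are not coprime")
    n = prod(moduli)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i                  # m_i = n / n_i, coprime to n_i
        y_i = pow(m_i, -1, n_i)         # y_i = m_i^{-1} mod n_i (exists since gcd = 1)
        x += a_i * m_i * y_i            # vanishes mod n_j for j != i, equals a_i mod n_i
    return x % n


def euler_theorem_holds(a, n):
    """Check a^phi(n) = 1 (mod n); only meaningful when gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("Euler's theorem needs gcd(a, n) = 1")
    return pow(a, euler_phi(n), n) == 1


def fermat_holds(a, p):
    """Check a^(p-1) = 1 (mod p) for prime p and 0 < a < p."""
    return pow(a, p - 1, p) == 1


if __name__ == "__main__":
    print("phi(84) =", euler_phi(84), "(by counting:", euler_phi_by_counting(84), ")")
    print("x = 2 mod 3, 3 mod 5, 2 mod 7  ->  x =", crt([2, 3, 2], [3, 5, 7]))
    print("5^phi(84) mod 84 == 1:", euler_theorem_holds(5, 84))
    print("2^100 mod 101 == 1:", fermat_holds(2, 101))
```

`pow(m_i, -1, n_i)` is Python's built-in modular inverse (3.8 and later); the hand-written extended Euclidean algorithm it relies on is the subject of the following slides. Note that `euler_phi` needs the factorisation of $n$, which is exactly why $\varphi(n)$ is cheap for the party that generated an RSA modulus and expensive for everyone else.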
Finding $a^{-1} \bmod n$
• Search through $1, \dots, n-1$ until an $a^{-1}$ is found with $a \cdot a^{-1} \equiv 1 \pmod n$
  – $T(n) = O(n)$
• Compute $a^{-1} = a^{\varphi(n) - 1} \bmod n$ (by Euler's Theorem)
  – Finding $\varphi(n)$ requires factoring $n$
  – $T(n) = O(n^a)$
• Use the Extended Euclidean Algorithm
  – $T(n) = O(\log^a n)$, i.e. polynomial in the bit length of $n$

From the Euclidean Algorithm
• $r_0 = 1 \cdot r_0 + 0 \cdot r_1 = s_0 r_0 + t_0 r_1$
• $r_1 = 0 \cdot r_0 + 1 \cdot r_1 = s_1 r_0 + t_1 r_1$
• $r_2 = r_0 - q_1 r_1 = s_2 r_0 + t_2 r_1$
• $r_3 = r_1 - q_2 r_2 = r_1 - q_2 (r_0 - q_1 r_1) = s_3 r_0 + t_3 r_1$
• ……
• $r_{n-1} = s_{n-1} r_0 + t_{n-1} r_1$
• $r_{n-1} = \gcd(r_0, r_1)$
• If the gcd is 1: $s_{n-1} r_0 + t_{n-1} r_1 = 1 \Rightarrow t_{n-1} r_1 \equiv 1 \pmod{r_0} \Rightarrow t_{n-1} \equiv r_1^{-1} \pmod{r_0}$
• So it suffices to find $t_{n-1}$

$s_i$ and $t_i$
• $r_0 = s_0 r_0 + t_0 r_1$: $s_0 = 1$, $t_0 = 0$
• $r_1 = s_1 r_0 + t_1 r_1$: $s_1 = 0$, $t_1 = 1$
• ……
• $r_i = r_{i-2} - q_{i-1} r_{i-1} = s_{i-2} r_0 + t_{i-2} r_1 - q_{i-1} s_{i-1} r_0 - q_{i-1} t_{i-1} r_1 = s_i r_0 + t_i r_1$, with
  $s_i = s_{i-2} - q_{i-1} s_{i-1}$
  $t_i = t_{i-2} - q_{i-1} t_{i-1}$
• Only $t_i$ is needed: $r_i = s_i r_0 + t_i r_1 \equiv t_i r_1 \pmod{r_0}$

Extended Euclidean Algorithm
• Step 1: $r_0 = n$ and $r_1 = a$
• Step 2:
  $r_0 = q_1 r_1 + r_2$; $r_2 = r_0 - q_1 r_1 \equiv -q_1 r_1 \pmod n$; let $x_2 = -q_1$, then $r_2 \equiv x_2 r_1 \pmod n$
  $r_1 = q_2 r_2 + r_3$; $r_3 = r_1 - q_2 r_2 \equiv (1 - x_2 q_2) r_1 \pmod n$; let $x_3 = 1 - x_2 q_2$, then $r_3 \equiv x_3 r_1 \pmod n$
  ……
  $r_{n-3} = q_{n-2} r_{n-2} + r_{n-1}$; $r_{n-1} = r_{n-3} - q_{n-2} r_{n-2}$; let $x_{n-1} = x_{n-3} - x_{n-2} q_{n-2}$, then $r_{n-1} \equiv x_{n-1} r_1 \pmod n$. Now $r_{n-1} = 1$
• Step 3: the result is $x_{n-1} \equiv a^{-1} \pmod n$ (since $1 = r_{n-1} \equiv x_{n-1} a \pmod n$)
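An added example (not from the slides) of the extended Euclidean algorithm above, keeping the $s_i, t_i$ recurrences explicit, together with the two slower inversion methods from the "Finding $a^{-1} \bmod n$" slide so the three can be cross-checked against each other. Function names are this example's own.

```python
from math import gcd

# Added example (not from the lecture slides). The extended Euclidean
# algorithm with the s_i, t_i recurrences from the slides, used for
# modular inversion, beside the two slower methods the slides compare
# it against. Function names are this example's own.


def extended_gcd(r0, r1):
    """Return (g, s, t) with s*r0 + t*r1 = g = gcd(r0, r1).

    Invariant at every step: r_i = s_i*r0 + t_i*r1, with
    s_i = s_{i-2} - q_{i-1}*s_{i-1} and t_i = t_{i-2} - q_{i-1}*t_{i-1}.
    """
    s_prev, s_cur = 1, 0          # s_0, s_1
    t_prev, t_cur = 0, 1          # t_0, t_1
    while r1 != 0:
        q, r = divmod(r0, r1)     # r_{i-2} = q * r_{i-1} + r_i
        r0, r1 = r1, r
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    return r0, s_prev, t_prev


def modinv_eea(a, n):
    """a^{-1} mod n via extended Euclid: r0 = n, r1 = a, so t*a = gcd (mod n)."""
    g, _, t = extended_gcd(n, a)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd({a}, {n}) = {g}")
    return t % n


def modinv_search(a, n):
    """Exhaustive search over 1..n-1: O(n) multiplications."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    raise ValueError(f"{a} has no inverse modulo {n}")


def modinv_euler(a, n, phi_n):
    """a^(phi(n)-1) mod n; the caller must know phi(n), i.e. the factorisation of n."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return pow(a, phi_n - 1, n)


def all_methods_agree(n, phi_n):
    """Cross-check the three methods on every invertible element of Z_n."""
    return all(
        modinv_eea(a, n) == modinv_search(a, n) == modinv_euler(a, n, phi_n)
        for a in range(1, n) if gcd(a, n) == 1
    )


if __name__ == "__main__":
    print("gcd(1970, 1066) and Bezout coefficients:", extended_gcd(1970, 1066))
    print("17^-1 mod 3120 =", modinv_eea(17, 3120))   # the classic RSA textbook example
    print("all methods agree mod 35:", all_methods_agree(35, 24))
```

A caveat for practitioners: this textbook form branches on quotients derived from its inputs, so when the value being inverted is secret (for instance during RSA key generation) production libraries use constant-time variants rather than this loop.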
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Algebraic Structures
• Why structures?
  – Cryptographic transforms normally live in some algebraic structure
• Definition: an algebraic structure is a set $S$ together with one or more operations (written $\circ$) performed on the elements of $S$
  – The different algebraic structures are $\langle S, \circ \rangle$ satisfying specific conditions

Group
• Definition: a group $G = \langle S, \circ \rangle$ is an algebraic structure that satisfies
  – G1: $\forall a, b \in S$: $a \circ b \in S$ (closure)
  – G2: $\forall a, b, c \in S$: $(a \circ b) \circ c = a \circ (b \circ c)$ (associativity)
  – G3: $\exists e \in S$ such that $\forall a \in S$: $a \circ e = e \circ a = a$ (identity)
  – G4: $\forall a \in S$, $\exists a^{-1} \in S$: $a \circ a^{-1} = a^{-1} \circ a = e$ (inverse)
  – [G5, Abelian group]: $\forall a, b$: $a \circ b = b \circ a$ (commutativity)

Group Examples
• $\langle \mathbb{Z}, + \rangle$: $e = 0$, $a^{-1} = -a$
• $\langle \mathbb{Z}_n, + \rangle$ ($\mathbb{Z}_n = \{0, 1, \dots, n-1\}$, '+' is addition modulo $n$): $e = 0$, $a^{-1} = n - a$
• $\langle \mathbb{Z}_2, \oplus \rangle$ (addition modulo 2, i.e. XOR) is also a group
• $\langle \mathbb{Z}_p^*, \cdot \rangle$ ($\mathbb{Z}_p^* = \{1, \dots, p-1\}$, '$\cdot$' is multiplication modulo $p$)

Group Properties
• Definition: the order of a finite group is the number of elements in the group
• Definition: a group $G_1 = \langle S_1, \circ \rangle$ is a subgroup of the group $G = \langle S, \circ \rangle$ if $S_1 \subseteq S$ (under the same operation)
• Lagrange's Theorem: the order of a subgroup $H$ of a finite group $G$ divides the order of $G$

Lagrange's Theorem: Proof
(1) Definition of coset: let $G$ be a group and $H$ a subgroup of $G$; for $a \in G$ the set $aH = \{ a \circ h \mid h \in H \}$ is called a coset of $H$
(2) $\forall a, b \in G$: either $aH = bH$ or $aH \cap bH = \emptyset$
(3) Each element of $G$ is in some coset ($a \in aH$ because $e \in H$). So the cosets partition $G$
(4) $|aH| = |H|$ (the map $h \mapsto a \circ h$ is a bijection)
So the order of $H$ divides the order of $G$

The Order of a Group Element
• Definition: the order of a group element $a$ is the least positive integer $n$ such that
  $a^n = a \circ a \circ \cdots \circ a$ ($n$ copies of $a$) $= e$
• The order of $a$ is denoted $\mathrm{ord}(a)$
• Corollary: suppose $G$ is a finite group of order $n$ and $a \in G$; then $\mathrm{ord}(a) \mid n$

$\mathrm{ord}(a) \mid n$: Proof
• For a group $G$ and $a \in G$, the set $\{a, a^2, \dots, a^{\mathrm{ord}(a)}\}$ with the operation of $G$ forms a subgroup of $G$:
  $a^{\mathrm{ord}(a)} = e$, and $(a^i)^{-1} = a^{\mathrm{ord}(a) - i}$
• This subgroup is denoted $\langle a \rangle$; it has $\mathrm{ord}(a)$ elements, so $\mathrm{ord}(a) \mid n$ by Lagrange's Theorem
The Generator of a Group
• Definition: if all elements of a group can be generated by a single element $g$, then $g$ is called a generator of the group (and the group is called cyclic)
• Example: consider $\langle \mathbb{Z}_7^*, \cdot \rangle$
  – 2 generates $2^1 = 2$, $2^2 = 4$, $2^3 = 8 \equiv 1 \pmod 7$, $2^4 = 16 \equiv 2 \pmod 7$, …
    • $\langle 2 \rangle = \{1, 2, 4\}$ is only a subgroup, so 2 is not a generator
  – 3 generates $3^1 = 3$, $3^2 \equiv 2$, $3^3 \equiv 6$, $3^4 \equiv 4$, $3^5 \equiv 5$, $3^6 \equiv 1 \pmod 7$
    • 3 is a generator
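An added example, not from the slides, that makes the $\langle \mathbb{Z}_7^*, \cdot \rangle$ example and Lagrange's theorem concrete: it computes element orders, the cyclic subgroup $\langle a \rangle$ and the generators of $\mathbb{Z}_n^*$ by brute force. Function names are this example's own. The method is only usable for tiny groups; for real Diffie-Hellman parameters, element orders are established from the factorisation of $p - 1$, not by enumeration.

```python
from math import gcd

# Added example (not from the lecture slides; names are this example's
# own). Orders of elements, the cyclic subgroup <a>, and the generators
# of Z_n^*, with Lagrange's theorem checked on the way. Brute force, so
# only for tiny n; it is meant to make the <Z_7^*, .> example tangible.


def units(n):
    """Z_n^* = { x in Z_n : gcd(x, n) = 1 }."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def element_order(a, n):
    """ord(a): least k >= 1 with a^k = 1 (mod n). a must be a unit."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not in Z_{n}^*")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def cyclic_subgroup(a, n):
    """<a> = {a, a^2, ..., a^ord(a)}, returned sorted."""
    elems, x = [], a % n
    while x not in elems:
        elems.append(x)
        x = (x * a) % n
    return sorted(elems)


def generators(n):
    """Elements of order |Z_n^*|; empty if Z_n^* is not cyclic."""
    group = units(n)
    return [a for a in group if element_order(a, n) == len(group)]


def lagrange_holds(n):
    """Every element order divides the group order phi(n) = |Z_n^*|."""
    group = units(n)
    return all(len(group) % element_order(a, n) == 0 for a in group)


if __name__ == "__main__":
    for a in units(7):
        print(f"ord({a}) = {element_order(a, 7)}, <{a}> = {cyclic_subgroup(a, 7)}")
    print("generators of Z_7^*:", generators(7))
    print("generators of Z_8^*:", generators(8), "(Z_8^* is not cyclic)")
```

Running it shows that $\mathbb{Z}_7^*$ has the two generators 3 and 5, that every order found (1, 2, 3, 6) divides 6, and that $\mathbb{Z}_8^* = \{1, 3, 5, 7\}$ has no generator at all because every element squares to 1.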
Ring
• Definition: a ring $R = \langle S, +, \cdot \rangle$ ($+$ is addition, $\cdot$ is multiplication) such that
  – R1: $\forall a, b \in S$: $a + b \in S$ and $a \cdot b \in S$ (closure)
  – R2: $\langle S, + \rangle$ is an additive Abelian group
  – R3: $\forall a, b, c \in S$: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
  – R4: $\forall a, b, c \in S$: $a \cdot (b + c) = a \cdot b + a \cdot c$ (and symmetrically $(b + c) \cdot a = b \cdot a + c \cdot a$)
• Examples:
  – The set of even integers with $+$ and $\cdot$ is a ring
  – For two primes $p, q$ and $n = pq$, $\mathbb{Z}_n = \{0, 1, \dots, n-1\}$ with addition and multiplication mod $n$ is a ring

Field
• Definition: a field $F$ is $\langle S, +, \cdot \rangle$ with
  – F1: $\langle S, +, \cdot \rangle$ is a commutative ring ($a \cdot b = b \cdot a$)
  – F2: there is a multiplicative identity $1$: $a \cdot 1 = 1 \cdot a = a$
  – F3: every nonzero element $a \in S$ has a unique inverse $a^{-1}$: $a \cdot a^{-1} = a^{-1} \cdot a = 1$
• Example:
  – $\mathbb{Z}_n = \langle \{0, 1, \dots, n-1\}, +, \cdot \rangle$ is a field if (and only if) $n$ is prime

Relationship
  Group: $+$, $-$
  Ring:  $+$, $-$, $\times$
  Field: $+$, $-$, $\times$, $\div$
  (each structure extends the one above it; all three are used in cryptography)
Several Important Structures
• $\mathbb{Z}_n$
• $\mathbb{Z}_n^*$
• $\mathbb{Z}_p$
• Polynomial Rings
• Galois Field $\mathbb{F}_{2^n}$

$\mathbb{Z}_n$
• $\mathbb{Z}_n$ is the "ring" of integers modulo $n$
  – $\mathbb{Z}_n = \{0, 1, 2, \dots, n-1\}$
  – Normal addition modulo $n$
  – Normal multiplication modulo $n$
• Examples:
  – $\mathbb{Z}_{26}$ for English letters
  – $\mathbb{Z}_{256}$ for ASCII bytes

$\mathbb{Z}_n$ Properties
• Additive and multiplicative identities in $\mathbb{Z}_n$
  – Additive identity is $0 \bmod n$
  – Multiplicative identity is $1 \bmod n$
• Additive inverse: exists for every $x$
  – A number $y$ such that $x + y \equiv 0 \pmod n$, namely $y = n - x$
• Multiplicative inverse: not for every $x$
  – A number $y$ such that $x y \equiv 1 \pmod n$
  – The elements of $\mathbb{Z}_n$ that have an inverse are exactly $\{ x \mid \gcd(x, n) = 1 \}$

$\mathbb{Z}_n^*$
• $\mathbb{Z}_n^*$ is the "group" of integers modulo $n$ under multiplication
  – $\mathbb{Z}_n^* = \{ x \in \mathbb{Z}_n \mid \gcd(x, n) = 1 \}$
  – $|\mathbb{Z}_n^*| = \varphi(n)$
  – Normal multiplication modulo $n$
• $\mathbb{Z}_n^*$ is in general not a group under $+$
  – Example: $n = 20$: $3, 5 \in \mathbb{Z}_{20}^*$ but $3 + 5 = 8 \notin \mathbb{Z}_{20}^*$
• So $\mathbb{Z}_n^*$ is not a field

$\mathbb{Z}_p$
• $\mathbb{Z}_p$ is the "field" of integers modulo a prime $p$
  – $\mathbb{Z}_p = \{0, 1, 2, \dots, p-1\}$
  – Normal addition modulo $p$
  – Normal multiplication modulo $p$
• Example: $\mathbb{Z}_2$

    +  | 0  1        ·  | 0  1        w | -w | w^-1
   ----+------      ----+------      ---+----+------
    0  | 0  1        0  | 0  0        0 |  0 |  -
    1  | 1  0        1  | 0  1        1 |  1 |  1

  Addition in $\mathbb{Z}_2$ is XOR; multiplication is AND
Polynomial Ring
• Definition: if $R$ is a commutative ring, a polynomial in $x$ over the ring $R$ is an expression of the form $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$, where each $a_i \in R$ and $n \ge 0$
• Note: if $R$ is a commutative ring, the polynomial ring $R[x]$ is the ring formed by the set of all polynomials in $x$ having coefficients from $R$

Polynomial Ring Example
• Example: let $f(x) = x^3 + x + 1$ and $g(x) = x^2 + x$ be elements of $\mathbb{Z}_2[x]$
  – $f(x) + g(x) = x^3 + x^2 + 1$
  – $f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1$ (in $\mathbb{Z}_2$, $-1 = 1$)
  – $f(x) \cdot g(x) = x^5 + x^4 + x^3 + x$ (the two $x^2$ terms cancel)

Set of Residues Modulo $p(x)$
• Definition: the set of residues modulo $p(x)$ of $R[x]$ is the set $R[x] \bmod p(x)$
  – $p(x)$ is an irreducible polynomial over $R$
• The set of residues modulo $p(x)$ of $R[x]$ is denoted $R[x] / p(x)$

Congruent Polynomials
• Definition: $a(x), b(x)$ are congruent modulo $p(x)$, written $a(x) \equiv b(x) \pmod{p(x)}$, iff $p(x) \mid (a(x) - b(x))$
• Example:
  – In $\mathbb{Z}_5[x]$: $3x^3 + 4x + 4 \equiv x + 4 \pmod{x^2 + 1}$
    • $3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x (x^2 + 1)$
• Definition: if $a(x) \cdot b(x) \equiv 1 \pmod{p(x)}$ then $b(x) = a^{-1}(x) \bmod p(x)$

Irreducible Polynomials
• Definition: if $a(x) = q(x) \cdot b(x)$ then $a(x)$ is divisible by $b(x)$, denoted $b(x) \mid a(x)$
• Definition: a polynomial $a(x)$ is irreducible over $R$ if there is NO polynomial $b(x) \in R[x]$ with $0 < \deg b(x) < \deg a(x)$ such that $b(x) \mid a(x)$

Example: $\mathbb{Z}_2[x] / (x^3 + x + 1)$
• $S = \{0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1\}$, $p(x) = x^3 + x + 1$
• For any $f(x) \in \mathbb{Z}_2[x]$: $f(x) \bmod p(x) \in S$
• Example:
  – $x^4 + 1 = x \cdot x^3 + 1 \equiv x (x + 1) + 1 = x^2 + x + 1 \pmod{p(x)}$, using $x^3 \equiv x + 1$
• Note: $R[x] / p(x)$ with $p(x)$ irreducible is the set of all polynomials $f(x) \in R[x]$ with $\deg f(x) < \deg p(x)$

$\mathbb{Z}_2[x] / (x^3 + x + 1)$: Properties
• $S$ is a group under addition in $\mathbb{Z}_2[x]$
  – 0 is $e$, and the inverse of $a \in S$ is $a$ itself
  – Example: $(x^2 + 1) + (x^2 + 1) = 0$
• $S \setminus \{0\}$ is a group under multiplication mod $p(x)$
  – 1 is $e$, and every nonzero $a \in S$ has an inverse
  – Example: $(x^2 + 1) \cdot x = x^3 + x \equiv (x + 1) + x = 1 \pmod{x^3 + x + 1}$, so $(x^2 + 1)^{-1} = x$
  – Note: the Extended Euclidean Algorithm (on polynomials) can be used to find inverses
• $\mathbb{Z}_2[x] / (x^3 + x + 1)$ is a field

Galois Field
• Definition: a Galois field is $(S, +, \cdot)$ with
  – $S = F[x] / p(x)$
  – $F$ a field $\mathbb{Z}_N$ ($N$ prime)
  – $+$ the addition of $F[x]$, $\cdot$ multiplication modulo $p(x)$
  – $p(x)$ irreducible over $F$
• The Galois field $\mathbb{Z}_N[x] / p(x)$ is denoted $GF(N^n)$ where $n = \deg p(x)$
Why Galois Fields?
• For an 8-bit block:
  – $\mathbb{Z}_{256} = \{0, 1, \dots, 255\}$ is not a field
  – $\mathbb{Z}_{251} = \{0, 1, \dots, 250\}$ is a field
    • The largest prime $< 256$ is 251
    • The byte values $251, \dots, 255$ are wasted
• Is it possible to find a field with exactly 256 elements?
  – Yes: a Galois field

Galois Field for 8-bit Blocks
• Build a mapping from $n$-bit blocks to polynomials
• Example: 8-bit block
  $10010111 \leftrightarrow 1 \cdot x^7 + 0 \cdot x^6 + 0 \cdot x^5 + 1 \cdot x^4 + 0 \cdot x^3 + 1 \cdot x^2 + 1 \cdot x^1 + 1 \cdot x^0$
• The field is $\mathbb{Z}_2[x] / p(x)$ where $\deg p(x) = 8$
• Note: many cryptographic designs use binary Galois fields $GF(2^n)$

Galois Field Example: AES
• AES uses $GF(2^8) = \mathbb{Z}_2[x] / p(x)$ where $p(x) = x^8 + x^4 + x^3 + x + 1$
• Example:
  – $01010011 \leftrightarrow x^6 + x^4 + x + 1$
  – $(01010011)^{-1} \leftrightarrow (x^6 + x^4 + x + 1)^{-1} \bmod p(x) = x^7 + x^6 + x^3 + x \leftrightarrow 11001010$

Galois Field Example: AES
• Example: $02 \cdot 87 = ?$
  • $87 = 10000111 \leftrightarrow f(x) = x^7 + x^2 + x + 1$
  • $02 = 00000010 \leftrightarrow x$
  • $02 \cdot 87 \leftrightarrow x \cdot f(x) = x (x^7 + x^2 + x + 1) \bmod p(x) = x^8 + x (x^2 + x + 1) \bmod p(x)$
    $= (x^4 + x^3 + x + 1) + (x^3 + x^2 + x) = x^4 + x^2 + 1 \leftrightarrow 00010101 = 15$, using $x^8 \equiv x^4 + x^3 + x + 1 \pmod{p(x)}$
• In general, for $b = b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$:
  $x \cdot f(x)$, i.e. $02 \cdot b = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)$ if $b_7 = 0$
  $02 \cdot b = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus (00011011)$ if $b_7 = 1$
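An added example (not from the slides, and not taken from any AES implementation) of the $GF(2^n)$ arithmetic described above with polynomials stored as bit patterns: reduction modulo $p(x)$, multiplication, the AES "multiply by 02" step, and inversion both by the extended Euclidean algorithm on polynomials (as the $\mathbb{Z}_2[x] / (x^3 + x + 1)$ slide suggests) and by exponentiation in the multiplicative group. The constants, function names and the 3-bit toy field instance are this example's own.

```python
# Added example (not from the lecture slides; names are this example's own).
# Arithmetic in GF(2^n) = Z_2[x]/p(x) with polynomials stored as ints whose
# bit i is the coefficient of x^i, instantiated with the AES polynomial
# and with the 3-bit field Z_2[x]/(x^3+x+1) from the earlier slides.

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1
TOY_POLY = 0b1011  # x^3 + x + 1


def poly_degree(p):
    return p.bit_length() - 1          # -1 for the zero polynomial


def clmul(a, b):
    """Carry-less (XOR) product: polynomial multiplication over Z_2, no reduction."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def gf_reduce(a, poly):
    """a(x) mod poly(x): long division where subtraction is XOR."""
    d = poly_degree(poly)
    while poly_degree(a) >= d:
        a ^= poly << (poly_degree(a) - d)
    return a


def gf_poly_divmod(a, b):
    """Return (q, r) with a = q*b + r over Z_2 and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a and poly_degree(a) >= poly_degree(b):
        shift = poly_degree(a) - poly_degree(b)
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def gf_mul(a, b, poly):
    return gf_reduce(clmul(a, b), poly)


def gf_pow(a, e, poly):
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, poly)
        a = gf_mul(a, a, poly)
        e >>= 1
    return result


def gf_inv_euler(a, poly):
    """a^(2^n - 2): the nonzero elements form a group of order 2^n - 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf_pow(a, (1 << poly_degree(poly)) - 2, poly)


def gf_inv_eea(a, poly):
    """a^{-1} mod poly by the extended Euclidean algorithm on polynomials.

    Invariant: r_i = t_i * a (mod poly); when r_i reaches 1, t_i is the inverse.
    """
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1 = poly, gf_reduce(a, poly)
    t0, t1 = 0, 1
    while r1 != 1:
        if r1 == 0:                     # gcd(a, poly) != 1: poly is reducible
            raise ValueError("element is not invertible (reducible modulus?)")
        q, r = gf_poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ gf_mul(q, t1, poly)
    return t1


def xtime(b):
    """AES 'multiply by 02': shift left, XOR 0x1B when the old top bit was set."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def inverses_agree(poly):
    """Both inverse methods agree and really invert every nonzero element."""
    n = poly_degree(poly)
    return all(
        gf_inv_eea(a, poly) == gf_inv_euler(a, poly)
        and gf_mul(a, gf_inv_eea(a, poly), poly) == 1
        for a in range(1, 1 << n)
    )


if __name__ == "__main__":
    print(f"02 * 87 = {gf_mul(0x02, 0x87, AES_POLY):02X}, xtime(87) = {xtime(0x87):02X}")
    print(f"53^-1 = {gf_inv_eea(0x53, AES_POLY):02X} (EEA), "
          f"{gf_inv_euler(0x53, AES_POLY):02X} (exponentiation)")
    print("x * (x^2 + 1) in GF(2^3):", gf_mul(0b010, 0b101, TOY_POLY))
```

The example reproduces the values on the slides: $02 \cdot 87 = 15$ and $(53)^{-1} = CA$. Real AES implementations use lookup tables or bit-sliced code rather than loops like these, partly for speed and partly because the data-dependent branches here leak timing information about the bytes being processed.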
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers
• Message space: $\mathcal{P} = M^L = \{ m = (m_1, m_2, \dots, m_L) \mid m_i \in M \}$
  – $M = \{ a_i \mid i = 1, 2, \dots, N \}$, with $p(a_i) \ge 0$ and $\sum_{i=1}^{N} p(a_i) = 1$
• Key space: $\mathcal{K} = B^R = \{ b = (b_1, b_2, \dots, b_R) \mid b_i \in B \}$
  – $B = \{ b_i \mid i = 1, 2, \dots, S \}$, with $p(b_i) \ge 0$ and $\sum_{i=1}^{S} p(b_i) = 1$
• Ciphertext space: $\mathcal{C} = \{ c \mid c = e_k(m),\ k \in \mathcal{K},\ m \in \mathcal{P} \}$
(Figure: Sender → Encryption → Decryption → Receiver; $m$ enters encryption, $c$ travels over the open channel where the cryptanalyst observes it and tries to recover $m$; the key $k$ is delivered to both sides over a secure channel; boxes labelled Key Space ($\mathcal{K}$), Message Space ($\mathcal{P}$), Ciphertext Space ($\mathcal{C}$))
Claude Shannon (1916–2001)
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
  – R. G. Gallager
Probability Distribution of $\mathcal{C}$
• $\Pr[C = c] = \sum_{k \in \mathcal{K}:\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]$
  – $C(k) = \{ e_k(m) \mid m \in \mathcal{P} \}$, the ciphertexts reachable under key $k$
• $\Pr[C = c \mid P = m] = \sum_{k \in \mathcal{K}:\ m = d_k(c)} \Pr[K = k]$
• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \cdot \Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr[P = m] \cdot \sum_{k:\ m = d_k(c)} \Pr[K = k]}{\sum_{k \in \mathcal{K}:\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]}$

Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define "information"?
• Definition: an encryption scheme is Shannon secure if observing the ciphertext does not change the probability distribution of $P$:
  $\forall c$ with $\Pr[C = c] > 0$, $\forall m$: $\Pr[P = m] = \Pr[P = m \mid C = c]$
  • Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem
• Suppose $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ is a cryptosystem with $|\mathcal{K}| = |\mathcal{P}| = |\mathcal{C}|$
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability $1/|\mathcal{K}|$, and
  – for every $x \in \mathcal{P}$ and $y \in \mathcal{C}$ there is a unique key $k$ such that $e_k(x) = y$

Proof of ⇐
• $\Pr[x \mid y] = \dfrac{\sum_{k \in \mathcal{K}:\ x = d_k(y)} \Pr[K = k] \cdot \Pr[x]}{\sum_{k \in \mathcal{K}:\ y \in C(k)} \Pr[K = k] \cdot \Pr[d_k(y)]}$
• Numerator: exactly one key maps $x$ to $y$ and every key has probability $1/|\mathcal{K}|$, so $\sum_{k:\ x = d_k(y)} \Pr[K = k] = 1/|\mathcal{K}|$
• Denominator: $\sum_{k:\ y \in C(k)} \Pr[K = k] \cdot \Pr[d_k(y)] = \frac{1}{|\mathcal{K}|} \sum_{k:\ y \in C(k)} \Pr[d_k(y)] = \frac{1}{|\mathcal{K}|} \sum_{x \in \mathcal{P}} \Pr[x] = \frac{1}{|\mathcal{K}|}$, because as $k$ runs over $\mathcal{K}$, $d_k(y)$ runs over each plaintext exactly once
• Hence $\Pr[x \mid y] = \Pr[x]$

Proof of ⇒ (unique key)
• Assume $\Pr[y] > 0$ for every $y \in \mathcal{C}$
• Perfect secrecy gives $\Pr[x \mid y] = \Pr[x]$, equivalently $\Pr[y \mid x] = \Pr[y]$
• Fix $x \in \mathcal{P}$; for every $y \in \mathcal{C}$, $\Pr[y \mid x] = \Pr[y] > 0$, so at least one key $k$ satisfies $e_k(x) = y$
• Therefore $|\{ e_k(x) \mid k \in \mathcal{K} \}| = |\mathcal{C}| = |\mathcal{K}|$
  – There are no $k_1 \ne k_2$ with $e_{k_1}(x) = e_{k_2}(x)$
  – So for each $y$ there is a unique key $k$ such that $e_k(x) = y$

Proof of ⇒ (equiprobable keys)
• Let $n = |\mathcal{K}|$ and $\mathcal{P} = \{ x_i \mid 1 \le i \le n \}$
• Fix $y$; by the previous slide let $k_1, k_2, \dots, k_n$ be the keys with $e_{k_i}(x_i) = y$
• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i] \cdot \Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i] \cdot \Pr[x_i]}{\Pr[y]}$
• $\Pr[x_i \mid y] = \Pr[x_i] \Rightarrow \Pr[K = k_i] = \Pr[y]$ for every $i$
  – Every key is used with the same probability, namely $1/|\mathcal{K}|$

"Bad News" for Perfect Secrecy
• Theorem: let the plaintext space $\mathcal{P}$ have size $n$; any cipher with perfect secrecy has $|\mathcal{K}| \ge n$
• Proof:
  – Consider a plaintext distribution with $\Pr[P = m] > 0$ for every $m$
  – Given any $c$ with $\Pr[C = c] > 0$, for every $m$: $\Pr[P = m \mid C = c] = \Pr[P = m] > 0$, so some key must decrypt $c$ to $m$
  – Since one key decrypts $c$ to only one message, at least $n$ keys are needed
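An added example (not part of the slides) that evaluates the formulas from the "Probability Distribution of $\mathcal{C}$" slide by exhaustive enumeration and checks the perfect-secrecy condition $\Pr[P = m \mid C = c] = \Pr[P = m]$ on constructed toy systems: a 2-bit one-time pad (satisfies it, even under a skewed plaintext prior), the same pad reused for two messages, and a pad with too few key bits (both violate it, illustrating $|\mathcal{K}| \ge |\mathcal{P}|$). The names and the toy systems are this example's own.

```python
from fractions import Fraction
from itertools import product

# Added example (not from the lecture slides; names and the toy systems
# are this example's own). Pr[P = m | C = c] is computed by exhaustive
# enumeration over (m, k), exactly as in the formula on the
# "Probability Distribution of C" slide, and Shannon's condition
# Pr[P = m | C = c] = Pr[P = m] is checked. Keys are uniform.


def posterior(encrypt, plaintexts, keys, prior):
    """Return {c: {m: Pr[P = m | C = c]}} with exact rational arithmetic."""
    pr_key = Fraction(1, len(keys))
    joint = {}                                   # (m, c) -> Pr[P = m and C = c]
    for m in plaintexts:
        for k in keys:
            c = encrypt(k, m)
            joint[(m, c)] = joint.get((m, c), 0) + prior[m] * pr_key
    pr_c = {}                                    # c -> Pr[C = c]
    for (m, c), p in joint.items():
        pr_c[c] = pr_c.get(c, 0) + p
    return {c: {m: joint.get((m, c), Fraction(0)) / pr_c[c] for m in plaintexts}
            for c in pr_c}


def is_perfectly_secret(encrypt, plaintexts, keys, prior):
    """Shannon's condition: the posterior equals the prior for every c and m."""
    post = posterior(encrypt, plaintexts, keys, prior)
    return all(post[c][m] == prior[m] for c in post for m in plaintexts)


# --- constructed toy systems --------------------------------------------
BITS = 2
MSGS = list(range(1 << BITS))
KEYS = list(range(1 << BITS))                     # |K| = |P| = |C| = 4
SKEWED_PRIOR = {0: Fraction(1, 2), 1: Fraction(1, 4),
                2: Fraction(1, 8), 3: Fraction(1, 8)}


def otp(k, m):
    """One-time pad on BITS-bit messages."""
    return k ^ m


def otp_reused(k, pair):
    """The same pad applied to two messages: plaintext space is P x P, key space unchanged."""
    return (k ^ pair[0], k ^ pair[1])


PAIRS = list(product(MSGS, repeat=2))             # 16 plaintexts, still only 4 keys
UNIFORM_PAIR_PRIOR = {p: Fraction(1, len(PAIRS)) for p in PAIRS}


def half_key_otp(k, m):
    """Pad with only one key bit: effectively |K| = 2 < |P| = 4, so not perfectly secret."""
    return (k & 1) ^ m


if __name__ == "__main__":
    print("OTP, skewed prior:", is_perfectly_secret(otp, MSGS, KEYS, SKEWED_PRIOR))
    print("OTP reused twice:", is_perfectly_secret(otp_reused, PAIRS, KEYS, UNIFORM_PAIR_PRIOR))
    post = posterior(otp_reused, PAIRS, KEYS, UNIFORM_PAIR_PRIOR)
    print("after seeing c = (0, 0), plaintext pairs still possible:",
          sorted(m for m, p in post[(0, 0)].items() if p > 0))
```

The reused-pad case shows concretely what leaks: after observing $c = (c_1, c_2)$ the only plaintext pairs left have $m_1 \oplus m_2 = c_1 \oplus c_2$, which is the classic two-time-pad failure.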
Introduction to Complexity
• Perfect secrecy requires key length $\ge$ message length
  – One key can NOT be used to encrypt many messages
  – E.g. a 56-bit key cannot give perfect secrecy for a document longer than 56 bits
• So in modern cryptography:
  – NOT perfect secrecy
  – Security under limited resources (computational complexity)
  – Meaning that key (or plaintext) recovery is computationally difficult
  – Complexity is the foundation of modern cryptography

Problems
• Definition: a problem is a general question with associated parameters whose values are not specified
• Example:
  – Name: GCD problem
  – Instance: two natural numbers $a, b \in \mathbb{N}$
  – Question: what is the greatest common divisor of $a$ and $b$?
  – An instance of the GCD problem: what is $\gcd(24, 16)$?

Turing Machine
• Definition: a Turing Machine is given by a transition function $S \times B \to S \times B \times \{l, r\}$
  – $S$ is the set of states, $B$ the tape alphabet (characters), $l$ is shift left, $r$ is shift right
(Figure: an infinite tape "… 0 1 1 0 0 0 1 1 …" read and written by a head controlled by a finite state machine)

Algorithms
• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms
(Figure: a PROBLEM has many INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output)

Complexity of an Algorithm
• Definition: the time complexity of an algorithm is the number of steps (on a TM) necessary to produce the solution for a given instance of size $n$
• Time complexity function (TCF):
  – Logarithmic functions: $f(n) = \log(n)$
  – Polynomial functions: $f(n) = n^a$, $a \in \mathbb{N}$
  – Exponential functions: $f(n) = \Omega(a^n)$ for some $a \in \mathbb{N}$, $a > 1$, and there exists $b \in \mathbb{N}$ with $f(n) = O(b^n)$

Complexity of a Problem
• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine than that of an algorithm
  – It relies on mathematical analysis (a lower bound must cover every possible algorithm)
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problems
• Undecidable (provably intractable)
  – No algorithm solves it
  – E.g. the Turing Halting Problem
• Decidable
  – P: can be solved in polynomial time using a deterministic TM (DTM)
    • Example: multiplying $A$ and $B$
  – NP: can be solved in polynomial time using a nondeterministic TM (NDTM), whose transition relation is $S \times B \to 2^{S \times B \times \{l, r\}}$
  – BPP: can be "solved" in polynomial time using a probabilistic TM (PTM) with transition function $S \times B \times \{0, 1\} \to S \times B \times \{l, r\}$ (randomized algorithms)

NP Problems
• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark:
  – P problems $\subseteq$ NP problems
  – Intuitively, NP problems are "more difficult"
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered the easy problems

Polynomial Reduction
• Definition: assume $Q_1, Q_2 \in \mathrm{NP}$ with instance sets $I_1, I_2$, and let $I_1^+$, $I_2^+$ be their 'yes' instances. $Q_1$ is polynomially reducible to $Q_2$ if there is a function $f : I_1 \to I_2$ such that
  – $f$ is computable in polynomial time by a DTM
  – for all $x \in I_1$: $x \in I_1^+$ iff $f(x) \in I_2^+$
• Note:
  – $Q_2$ is at least as complex as $Q_1$
  – Denoted $Q_1 \le_{\mathrm{poly}} Q_2$

NP-Completeness (NPC)
• Definition: a problem $Q_c \in \mathrm{NP}$ is NP-complete if for every $Q \in \mathrm{NP}$ we have $Q \le_{\mathrm{poly}} Q_c$
• Example:
  – Name: Satisfiability problem (SAT)
  – Instance: a set $U$ of variables and a collection $C$ of clauses over $U$
  – Question: is there a satisfying truth assignment for $C$?
• How to prove a problem $Q \in \mathrm{NP}$ is NP-complete: show $\mathrm{SAT} \le_{\mathrm{poly}} Q$

P = NP?
• Either $\mathrm{P} = \mathrm{NP}$, or there exists $p \in \mathrm{NP}$ with $p \notin \mathrm{P}$
• If $\mathrm{P} = \mathrm{NP}$:
  – Modern cryptography is NOT secure
• If there exists $p \in \mathrm{NP}$, $p \notin \mathrm{P}$:
  – A one-way function could be built based on $p$ ($\mathrm{P} \ne \mathrm{NP}$ is necessary for one-way functions to exist, but is not known to be sufficient)
  – Indistinguishable pseudorandom functions would exist
  – These are the foundations of modern cryptography

BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP:
  – The problem is solved with a bounded error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful relative to BPP (probabilistic polynomial-time) adversaries
  – Will be analyzed in depth later

Problems in Cryptography
• FACTORING: factorize $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$
• DLP: find $x$ satisfying $\alpha^x \equiv \beta \pmod p$
• DHP: find $\alpha^{ab} \pmod p$ from $\alpha^a \pmod p$ and $\alpha^b \pmod p$
• Subset-Sum: given a set of positive integers $A = \{a_1, a_2, \dots, a_n\}$ and a positive integer $s$, determine whether there is a subset of $A$ whose sum is $s$
• QRP: decide whether $a$ is a quadratic residue modulo $n$
• SQROOT: find $x$ satisfying $x^2 \equiv a \pmod n$
Semantic Security
• Ideas of semantic security:
  – Between Shannon security and security based on complexity
  – Partial information may leak, but only a negligible amount to a bounded adversary
  – Approximates perfect secrecy against computationally bounded adversaries
• Definition of semantic security:
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish a ciphertext from random bits

IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is $(t, \varepsilon)$ IND-CPA secure if no $t$-time adversary wins the following game with probability $\ge 0.5 + \varepsilon$
• The game:
  – Challenger: picks a random key $k$ and a random bit $b \in \{0, 1\}$
  – Adversary: may ask for encryptions of plaintexts of its choice, then picks $M_0, M_1$ of equal length
  – Challenger: returns the challenge ciphertext $E_k(M_b)$
  – Adversary: outputs a guess $b'$
  – Attacker wins the game if $b = b'$

Bit Security
• A cipher is $(t, \varepsilon)$ bit secure if no $t$-time adversary wins the following game with probability $\ge 0.5 + \varepsilon$
• The game:
  – Challenger: 1. picks a random key $k$; 2. picks a random message $M$ and sends $E_k(M)$
  – Adversary: 3. picks a position $i$ and outputs a guess $a$
  – Attacker wins the game if $a$ equals the $i$-th bit of $M$

Semantic Security
• Any cipher that is $(t, \varepsilon)$ IND-CPA secure against eavesdroppers is also $(t, \varepsilon)$ bit secure
• Proof: given a $(t, \varepsilon)$ attacker against bit security, build a $(t, \varepsilon)$ attacker against IND-CPA security. One standard construction: pick a random $M_0$, let $M_1$ be its bitwise complement, hand the challenge ciphertext to the bit attacker, and output $b' = 0$ iff its guessed bit $a$ equals the $i$-th bit of $M_0$; since $M_1$ differs from $M_0$ in every bit, $b' = b$ exactly when $a$ is correct
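An added example (not from the slides) that runs the IND-CPA game and the bit-security game above against two constructed toy ciphers: a deterministic "fixed pad" cipher that any adversary with an encryption oracle distinguishes, and a nonce-based cipher against which the same strategy is a coin flip. It also implements the reduction from the proof (a bit-security attacker turned into an IND-CPA attacker). The PRF (HMAC-SHA256), the two ciphers and all names are this example's own assumptions, not code from the lecture.

```python
import hashlib
import hmac
import secrets

# Added example (not from the lecture slides). Toy ciphers, the PRF and
# all names are this example's own. Runs the IND-CPA and bit-security
# games and the reduction from the slide; win rates are estimated by
# repeating the game.

MSG_LEN = 16  # bytes; all game messages have this length


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def prf(key, label):
    """Constructed PRF: HMAC-SHA256 truncated to MSG_LEN bytes."""
    return hmac.new(key, label, hashlib.sha256).digest()[:MSG_LEN]


def enc_fixed_pad(key, msg):
    """Deterministic toy cipher: every message is XORed with the same key-derived pad."""
    return xor(msg, prf(key, b"pad"))


def enc_randomized(key, msg):
    """Nonce-based toy cipher: fresh nonce, pad = PRF_k(nonce); ciphertext = nonce || msg XOR pad."""
    nonce = secrets.token_bytes(16)
    return nonce + xor(msg, prf(key, nonce))


def bit_at(msg, i):
    """i-th bit of msg, counting the most significant bit of byte 0 as bit 0."""
    return (msg[i // 8] >> (7 - i % 8)) & 1


def ind_cpa_win_rate(encrypt, adversary, trials=200):
    """IND-CPA game. adversary(oracle, challenge) -> b'; challenge(M0, M1) returns E_k(M_b)."""
    wins = 0
    for _ in range(trials):
        key = secrets.token_bytes(32)
        b = secrets.randbelow(2)

        def oracle(m, key=key):
            return encrypt(key, m)

        def challenge(m0, m1, key=key, b=b):
            assert len(m0) == len(m1) == MSG_LEN, "challenge messages must have equal length"
            return encrypt(key, (m0, m1)[b])

        wins += adversary(oracle, challenge) == b
    return wins / trials


def equality_adversary(oracle, challenge):
    """Encrypts M0 via the oracle and compares: wins always against a deterministic cipher."""
    m0, m1 = bytes(MSG_LEN), b"\xff" * MSG_LEN
    return 0 if challenge(m0, m1) == oracle(m0) else 1


def bit_security_win_rate(encrypt, bit_adversary, trials=200):
    """Bit-security game. bit_adversary(oracle, c) -> (i, a); wins if a is bit i of M."""
    wins = 0
    for _ in range(trials):
        key = secrets.token_bytes(32)
        m = secrets.token_bytes(MSG_LEN)
        i, a = bit_adversary(lambda x, key=key: encrypt(key, x), encrypt(key, m))
        wins += a == bit_at(m, i)
    return wins / trials


def pad_recovery_bit_adversary(oracle, c):
    """Against enc_fixed_pad: E_k(0) is the pad, so M = c XOR pad; answer bit 0."""
    pad = oracle(bytes(MSG_LEN))
    return 0, bit_at(xor(c[:MSG_LEN], pad), 0)


def ind_cpa_from_bit_adversary(bit_adversary):
    """The reduction from the slide: an IND-CPA attacker built from a bit-security attacker."""
    def adversary(oracle, challenge):
        m0 = secrets.token_bytes(MSG_LEN)
        m1 = bytes(x ^ 0xFF for x in m0)            # differs from m0 in every bit
        i, a = bit_adversary(oracle, challenge(m0, m1))
        return 0 if a == bit_at(m0, i) else 1
    return adversary


if __name__ == "__main__":
    print("equality adversary vs fixed pad:", ind_cpa_win_rate(enc_fixed_pad, equality_adversary))
    print("equality adversary vs randomized:", ind_cpa_win_rate(enc_randomized, equality_adversary))
    print("bit attacker vs fixed pad:", bit_security_win_rate(enc_fixed_pad, pad_recovery_bit_adversary))
    reduced = ind_cpa_from_bit_adversary(pad_recovery_bit_adversary)
    print("reduced IND-CPA attacker vs fixed pad:", ind_cpa_win_rate(enc_fixed_pad, reduced))
```

The fixed-pad cipher is the general lesson in miniature: any deterministic encryption loses the IND-CPA game with probability 1 to an adversary that can compare ciphertexts, which is why real modes carry a fresh nonce or IV. The win rate against the randomized cipher is an estimate from repeated trials and sits near 0.5 rather than exactly on it.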
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – $\mathbb{Z}_n$, $\mathbb{Z}_p$, $GF(2^n)$
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework
• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:
Zhijun Li S1034040Autumn08HIT 26
Modular Arithmetic Remark
bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n
bull ((-a)+a+b) ((-a)+a+c) mod n
bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8
ndash When
Zhijun Li S1034040Autumn08HIT 27
Multiplicative Inverse in Modular
bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n
bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists
bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=
0
Zhijun Li S1034040Autumn08HIT 28
Multiplicative Inverse Theorem
bull Proof
ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1
ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n
ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)
Zhijun Li S1034040Autumn08HIT 29
Eulerrsquos phi Function
bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn
ndash Is the number of elements in the reduced set of residues for modulo n
(n) calculation
Zhijun Li S1034040Autumn08HIT 30
Chinese Remainder Theorem
bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)
x a1 mod n1
x a2 mod n2
helliphellip
x ak mod nk
There exists a unique solution of x modulo n=n1
n2hellipnk
Zhijun Li S1034040Autumn08HIT 31
Proof of CRT
bull Consider a one-to-one map Zn Zn1
Zn2 hellipZnk
(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)
(a1 a2 hellip ak) = i=1kaimiyi mod n
ndash mi = nni gcd(mini)=11ik ndash yi = mi
-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj
-1 mod nj mjyj1 mod nj ajmjyjaj mod nj
(a1 a2 hellip ak) mod nj = aj
Zhijun Li S1034040Autumn08HIT 32
Finding Eulerrsquos phi Function
bull Theorem if gcd(mn)=1 then (mn)=(m)(n)
bull Proof ndash A number x mod mn is represented uniquely by the p
air (a b) (x mod m x mod n) (CRT)
ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
ndash So (mn)=(m)(n)
Zhijun Li S1034040Autumn08HIT 33
Finding Eulerrsquos phi Function
(n) calculation for n = i=1k pi
ei
(p) = p-1 (pe) = pe ndash pe-1
ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1
( i=1kpi
ei ) = i=1k(pi
ei ndash piei -1)
(n) = n(1-1p1)(1-1p2)hellip(1-1pk)
Zhijun Li S1034040Autumn08HIT 34
Eulerrsquos Theorem
bull Theorem If gcd(an)=1 then a(n) 1 mod n
bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues
modulo n
2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)
3 i=1(n) ri = i=1
(n) ari a(n) i=1(n) ri mod n
4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n
Zhijun Li S1034040Autumn08HIT 35
Fermatrsquos Little Theorem
bull For Eulerrsquos Theorem
Let n is p and p is a prime
Because for all 0ltaltp gcd(ap)=1 then
ap-1 1 mod p
Zhijun Li S1034040Autumn08HIT 36
bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)
bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)
bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)
Finding a-1 mod n
Zhijun Li S1034040Autumn08HIT 37
From Euclidean Algorithm
bull r0 =1r0+ 0r1 = s0r0+t0r1
bull r1 =0r0+ 1r1 = s1r0+t1r1
bull r2 = r0-q1r1 = s2r0+t2r1
bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1
helliphellipbull rn-1 = sn-1r0+tn-1r1
bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1
-1 mod r0
bull Find tn-1
Zhijun Li S1034040Autumn08HIT 38
si and ti
bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1
si=si-2-qi-1si-1
ti=ti-2-qi-1ti-1
bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0
Zhijun Li S1034040Autumn08HIT 39
Step 1 r0 =n and r1 =a
Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n
r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n
let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip
rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1
Step 3 Result is xn-2 =a-1 mod n
Extended Euclidean Algorithm
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
bull Definition The order of a finite group is the number of the elements in the group
bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S
bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof

(1) Definition of coset: let $G$ be a group and $H$ a subgroup of $G$; for $a \in G$ the set $aH = \{ah \mid h \in H\}$ is called a (left) coset of $H$.
(2) $\forall a, b \in G$: either $aH = bH$ or $aH \cap bH = \emptyset$.
(3) Each element of $G$ is in some coset ($a \in aH$ because $e \in H$). So the cosets partition $G$.
(4) $|aH| = |H|$ (the map $h \mapsto ah$ is a bijection from $H$ onto $aH$).
So $|G|$ equals $|H|$ times the number of cosets, and the order of $H$ divides the order of $G$.
The Order of a Group Element

• Definition: the order of a group element $a$ is the least positive integer $n$ such that
  $a^n = \underbrace{a \bullet a \bullet \cdots \bullet a}_{n} = e$
• The order of $a$ is denoted $\mathrm{ord}(a)$.
• Corollary: suppose $G$ is a finite group of order $n$ and $a \in G$; then $\mathrm{ord}(a) \mid n$.
$\mathrm{ord}(a) \mid n$: Proof

• Proof:
  – For a group $G$ and $a \in G$, the set $\{a, a^2, \ldots, a^{\mathrm{ord}(a)}\}$ with the operation of $G$ forms a subgroup of $G$: it is closed under the operation, $a^{\mathrm{ord}(a)} = e$ is the identity, and $(a^i)^{-1} = a^{\mathrm{ord}(a) - i}$.
  – This subgroup is denoted $\langle a \rangle$; its order is $\mathrm{ord}(a)$.
  – By Lagrange's Theorem, $|\langle a \rangle| = \mathrm{ord}(a)$ divides $|G| = n$.
The Generator of a Group

• Definition: if all elements of a group can be generated by a single element $g$ (i.e. $\langle g \rangle = G$), then $g$ is called a generator of the group, and the group is called cyclic.
• Example: consider $\langle \mathbb{Z}_7^*, \cdot \rangle$
  – 2 generates $2^1 = 2$, $2^2 = 4$, $2^3 = 8 \equiv 1 \pmod 7$, $2^4 = 16 \equiv 2 \pmod 7$, …
    • $\langle 2 \rangle = \{1, 2, 4\}$ is only a subgroup (of order 3, which divides 6)
  – 3 generates $3^1 = 3$, $3^2 \equiv 2$, $3^3 \equiv 6$, $3^4 \equiv 4$, $3^5 \equiv 5$, $3^6 \equiv 1 \pmod 7$, …
    • 3 is a generator of $\mathbb{Z}_7^*$
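The $\mathbb{Z}_7^*$ example above, generalised to any prime $p$ (an added example, not code from the original lecture): it computes $\mathrm{ord}(a)$ for every element, uses the corollary $\mathrm{ord}(a) \mid p-1$ to test only the divisors of $p-1$ instead of every exponent, and lists the generators. Function names are mine.

```python
# Added example (not from the original slides): orders of elements of the
# multiplicative group Z_p^* and its generators. Names are mine.


def divisors(n: int) -> list:
    """All positive divisors of n, ascending (trial division; fine for small n)."""
    small = [d for d in range(1, int(n ** 0.5) + 1) if n % d == 0]
    return sorted(set(small) | {n // d for d in small})


def naive_order(a: int, p: int) -> int:
    """ord(a): least k >= 1 with a^k ≡ 1 (mod p), by repeated multiplication."""
    a %= p
    if a == 0:
        raise ValueError("0 is not in Z_p^*")
    k, x = 1, a
    while x != 1:
        x = x * a % p
        k += 1
    return k


def element_order(a: int, p: int) -> int:
    """ord(a) using the corollary ord(a) | |Z_p^*| = p-1: only divisors are tested."""
    a %= p
    if a == 0:
        raise ValueError("0 is not in Z_p^*")
    for d in divisors(p - 1):            # ascending, so the first hit is the least
        if pow(a, d, p) == 1:
            return d
    # Fermat's little theorem guarantees a^(p-1) ≡ 1 for prime p, so this means p is not prime.
    raise ArithmeticError("a^(p-1) != 1 (mod p): p is not prime")


def cyclic_subgroup(a: int, p: int) -> list:
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list."""
    x, elems = 1, []
    for _ in range(element_order(a, p)):
        x = x * a % p
        elems.append(x)
    return sorted(elems)


def generators(p: int) -> list:
    """Elements of Z_p^* of order p-1, i.e. those that generate the whole group."""
    return [a for a in range(1, p) if element_order(a, p) == p - 1]


def lagrange_holds(p: int) -> bool:
    """Check ord(a) | p-1 for every a in Z_p^*, with ord computed the slow way."""
    return all((p - 1) % naive_order(a, p) == 0 for a in range(1, p))


if __name__ == "__main__":
    p = 7
    for a in range(1, p):
        print(f"ord({a}) = {element_order(a, p)}, <{a}> = {cyclic_subgroup(a, p)}")
    print("generators of Z_7^*:", generators(p))   # [3, 5]
```

Testing only the divisors of $p-1$ is what makes order computation practical for cryptographic sizes, where a naive loop over $p-1$ exponents is hopeless; it presupposes the factorisation of $p-1$, which is why Diffie-Hellman parameter generation usually picks $p$ with $p-1 = 2q$ for a known prime $q$.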
Ring

• Definition: a ring $R = \langle S, +, \cdot \rangle$ ($+$ is addition, $\cdot$ is multiplication) is such that
  – R1 (closure): $\forall a, b \in S$: $a + b \in S$ and $a \cdot b \in S$
  – R2: $\langle S, + \rangle$ is an (additive) Abelian group
  – R3 (associativity of $\cdot$): $\forall a, b, c \in S$: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
  – R4 (distributivity): $\forall a, b, c \in S$: $a \cdot (b + c) = a \cdot b + a \cdot c$ and $(b + c) \cdot a = b \cdot a + c \cdot a$
• Example:
  – The set of even integers with $+$ and $\cdot$ is a ring (without a multiplicative identity).
  – $p, q$ two primes, $n = pq$: $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$ with addition and multiplication mod $n$ is a ring (but not a field: $p$ has no inverse modulo $n$).
Field

• Definition: a field $F = \langle S, +, \cdot \rangle$ satisfies
  – F1: $\langle S, +, \cdot \rangle$ is a commutative ring ($a \cdot b = b \cdot a$)
  – F2: there is an identity element 1 with respect to multiplication: $a \cdot 1 = 1 \cdot a = a$
  – F3: every nonzero element $a \in S$ has a unique inverse $a^{-1}$: $a \cdot a^{-1} = a^{-1} \cdot a = 1$
• Example:
  – $\mathbb{Z}_n = \langle \{0, 1, \ldots, n-1\}, +, \cdot \rangle$ is a field if and only if $n$ is a prime.
Relationship

  Group: $+$, $-$
  Ring: $+$, $-$, $\times$
  Field: $+$, $-$, $\times$, $\div$
  (group $\subset$ ring $\subset$ field; all three are used in cryptography)
Several Important Structures

• $\mathbb{Z}_n$
• $\mathbb{Z}_n^*$
• $\mathbb{Z}_p$
• Polynomial rings
• Galois fields $\mathbb{F}_{2^n}$
$\mathbb{Z}_n$

• $\mathbb{Z}_n$ is the "ring" of integers modulo $n$
  – $\mathbb{Z}_n = \{0, 1, 2, \ldots, n-1\}$
  – Normal addition modulo $n$
  – Normal multiplication modulo $n$
• Example
  – $\mathbb{Z}_{26}$ for the English alphabet
  – $\mathbb{Z}_{256}$ for bytes (ASCII)
$\mathbb{Z}_n$ Properties

• Additive and multiplicative identities in $\mathbb{Z}_n$
  – Additive identity is $0 \bmod n$
  – Multiplicative identity is $1 \bmod n$
• Additive inverse: always exists
  – For each $x \in \mathbb{Z}_n$ there is a $y$ with $x + y \equiv 0 \pmod n$, namely $y = (n - x) \bmod n$
• Multiplicative inverse: not for all $x$
  – For a given $x$, a number $y$ with $x \cdot y \equiv 1 \pmod n$
  – The invertible elements of $\mathbb{Z}_n$ are exactly $\{x \mid \gcd(x, n) = 1\}$
$\mathbb{Z}_n^*$

• $\mathbb{Z}_n^*$ is the "group" of units of the integers modulo $n$
  – $\mathbb{Z}_n^* = \{x \in \mathbb{Z}_n \mid \gcd(x, n) = 1\}$
  – $|\mathbb{Z}_n^*| = \varphi(n)$
  – Normal multiplication modulo $n$
• $\mathbb{Z}_n^*$ is in general not a group under $+$
  – Example: $n = 20$: $3, 5 \in \mathbb{Z}_{20}^*$ but $3 + 5 = 8 \notin \mathbb{Z}_{20}^*$
• So $\mathbb{Z}_n^*$ is not a field (it is not even closed under addition)
$\mathbb{Z}_p$

• $\mathbb{Z}_p$ is the "field" of integers modulo a prime $p$
  – $\mathbb{Z}_p = \{0, 1, 2, \ldots, p-1\}$
  – Normal addition modulo $p$
  – Normal multiplication modulo $p$
• Example: $\mathbb{Z}_2$

      +  | 0  1        ·  | 0  1        w | -w | w^-1
      ---+------       ---+------       --+----+-----
      0  | 0  1        0  | 0  0        0 |  0 |  -
      1  | 1  0        1  | 0  1        1 |  1 |  1
        (XOR)            (AND)
Polynomial Ring

• Definition: if $R$ is a commutative ring, then a polynomial in $x$ over the ring $R$ is an expression of the form $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$, where each $a_i \in R$ and $n \ge 0$.
• Note: if $R$ is a commutative ring, the polynomial ring $R[x]$ is the ring formed by the set of all polynomials in $x$ having coefficients from $R$ (with the usual polynomial addition and multiplication, coefficients computed in $R$).
Polynomial Ring Example

• Example: let $f(x) = x^3 + x + 1$ and $g(x) = x^2 + x$ be elements of $\mathbb{Z}_2[x]$
  – $f(x) + g(x) = x^3 + x^2 + 1$
  – $f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1$ (in $\mathbb{Z}_2$, $-1 = 1$)
  – $f(x) \cdot g(x) = x^5 + x^4 + x^3 + x$ (the two $x^2$ terms cancel modulo 2)
Set of Residues Modulo $p(x)$

• Definition: the set of residues modulo $p(x)$ of $R[x]$ is the set of all $f(x) \bmod p(x)$ for $f(x) \in R[x]$
  – $p(x)$ is taken to be an irreducible polynomial over $R$ (irreducibility is what makes the residues a field, see below)
• The set of residues modulo $p(x)$ of $R[x]$ is denoted $R[x]/p(x)$
Congruent Polynomials

• Definition: $a(x), b(x)$ are congruent modulo $p(x)$, written $a(x) \equiv b(x) \pmod{p(x)}$, iff $p(x) \mid (a(x) - b(x))$
• Example
  – In $\mathbb{Z}_5[x]$: $3x^3 + 4x + 4 \equiv x + 4 \pmod{x^2 + 1}$
    • $3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)$
• Definition: if $a(x) \cdot b(x) \equiv 1 \pmod{p(x)}$, then $b(x) = a^{-1}(x) \bmod p(x)$
Irreducible Polynomials

• Definition: if $a(x) = q(x) \cdot b(x)$, then $a(x)$ is divisible by $b(x)$, denoted $b(x) \mid a(x)$
• Definition: a polynomial $a(x)$ of degree $\ge 1$ is irreducible over $R$ if there is NO polynomial $b(x) \in R[x]$ with $1 \le \deg b(x) < \deg a(x)$ and $b(x) \mid a(x)$ (constant divisors are excluded, otherwise every polynomial would count as reducible)
Example: $\mathbb{Z}_2[x]/(x^3 + x + 1)$

• $S = \{0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1\}$
• $p(x) = x^3 + x + 1$
• For any $f(x) \in \mathbb{Z}_2[x]$: $f(x) \bmod p(x) \in S$
• Example
  – $x^4 + 1 = x \cdot x^3 + 1 \equiv x(x + 1) + 1 = x^2 + x + 1 \pmod{p(x)}$, using $x^3 \equiv x + 1 \pmod{p(x)}$
• Note: $R[x]/p(x)$, when $p(x)$ is irreducible, is the set of all polynomials $f(x) \in R[x]$ with $\deg f(x) < \deg p(x)$
$\mathbb{Z}_2[x]/(x^3 + x + 1)$ Properties

• $S$ is a group under addition in $R$
  – 0 is $e$, and the inverse of $a \in S$ is $a$ itself
  – Example: $(x^2 + 1) + (x^2 + 1) = 0$
• $S \setminus \{0\}$ is a group under multiplication mod $p(x)$
  – 1 is $e$, and every nonzero $a \in S$ has an inverse
  – Example: $(x^2 + 1) \cdot x = x^3 + x \equiv (x + 1) + x = 1 \pmod{x^3 + x + 1}$
  – Note: the extended Euclidean algorithm (run over $\mathbb{Z}_2[x]$) can be used to find the inverse
• $\mathbb{Z}_2[x]/(x^3 + x + 1)$ is a field (with $2^3 = 8$ elements)
Galois Field

• Definition: Galois field $= \langle S, +, \cdot \rangle$
  – $S = F[x]/p(x)$
  – $F$ is the field $\mathbb{Z}_N$ ($N$ prime)
  – $+$ is addition in $F[x]$ (coefficient-wise), $\cdot$ is multiplication modulo $p(x)$
  – $p(x)$ is irreducible over $F$
• The Galois field $\mathbb{Z}_N[x]/p(x)$ is denoted $GF(N^n)$, where $n = \deg p(x)$; it has $N^n$ elements
Why Galois Field?

• For an 8-bit block
  – $\mathbb{Z}_{256} = \{0, 1, \ldots, 255\}$ is not a field ($256 = 2^8$ is composite)
  – $\mathbb{Z}_{251} = \{0, 1, \ldots, 250\}$ is a field
    • The largest prime $< 256$ is 251
    • The byte values 251, …, 255 are wasted
• Is it possible to find a field with exactly 256 elements?
  – Yes: a Galois field
Galois Field for Z256

• Build a mapping from $n$-bit blocks to polynomials
• Example: 8-bit block
    10010111 $\leftrightarrow$ $1 \cdot x^7 + 0 \cdot x^6 + 0 \cdot x^5 + 1 \cdot x^4 + 0 \cdot x^3 + 1 \cdot x^2 + 1 \cdot x^1 + 1 \cdot x^0 = x^7 + x^4 + x^2 + x + 1$
• The field is $\mathbb{Z}_2[x]/p(x)$ with $\deg p(x) = 8$, i.e. $GF(2^8)$
• Note: many cryptographic designs use binary Galois fields $GF(2^n)$
Galois Field Example: AES

• The S-box in AES uses $GF(2^8) = \mathbb{Z}_2[x]/p(x)$ where $p(x) = x^8 + x^4 + x^3 + x + 1$
• Example
  – 01010011 $\leftrightarrow$ $x^6 + x^4 + x + 1$
  – $(01010011)^{-1} \leftrightarrow (x^6 + x^4 + x + 1)^{-1} \bmod p(x) = x^7 + x^6 + x^3 + x \leftrightarrow$ 11001010
Galois Field Example: AES (multiplication by 02)

• Example: $02 \cdot 87 = ?$
  • $87 = 10000111 \leftrightarrow f(x) = x^7 + x^2 + x + 1$
  • $02 = 00000010 \leftrightarrow x$
  • $02 \cdot 87 \leftrightarrow x \cdot f(x) = x(x^7 + x^2 + x + 1) \bmod p(x) = x^8 + x^3 + x^2 + x \bmod p(x)$
    $\equiv (x^4 + x^3 + x + 1) + x^3 + x^2 + x = x^4 + x^2 + 1 \leftrightarrow 00010101 = 15$, using $x^8 \equiv x^4 + x^3 + x + 1 \pmod{p(x)}$
• In general, for $f(x) \leftrightarrow b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$:
    $x \cdot f(x) \leftrightarrow (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)$                            if $b_7 = 0$
    $x \cdot f(x) \leftrightarrow (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus (00011011)$    if $b_7 = 1$
  (a left shift by one bit, followed by XOR with 1B when the bit shifted out was 1; 1B is $p(x) - x^8$)
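The field arithmetic from the $\mathbb{Z}_2[x]/(x^3+x+1)$ slides and from the AES $GF(2^8)$ slides above, as one parameterised implementation (an added example; not code from the original lecture or from the AES specification): polynomials over $\mathbb{Z}_2$ are integers whose bit $i$ is the coefficient of $x^i$, multiplication is carry-less multiplication followed by long division by $p(x)$, `xtime` is the slide's shift-and-XOR rule, and the inverse is the extended Euclidean algorithm over $\mathbb{Z}_2[x]$. The function names and the cross-check of the inverse against $a^{254}$ are mine.

```python
# Added example (not from the original slides or the AES specification):
# arithmetic in GF(2^n) = Z_2[x]/(p(x)), polynomials stored as Python ints with
# bit i holding the coefficient of x^i. Parameterised by the modulus, so the
# same code serves the 8-element field Z_2[x]/(x^3+x+1) and the AES field.
# Names (clmul, poly_divmod, gf_mul, xtime, gf_inv, gf_pow) are mine.

AES_POLY = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1  (0x11B)
F8_POLY = 0b1011           # x^3 + x + 1


def clmul(a: int, b: int) -> int:
    """Carry-less product a(x)*b(x) in Z_2[x], without reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a: int, b: int):
    """Quotient and remainder of a(x) / b(x) in Z_2[x] (long division)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, b.bit_length()
    while a.bit_length() >= db:
        shift = a.bit_length() - db          # cancel the leading term with x^shift * b(x)
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def gf_mul(a: int, b: int, poly: int = AES_POLY) -> int:
    """a * b mod p(x): multiply, then reduce."""
    return poly_divmod(clmul(a, b), poly)[1]


def xtime(b: int, poly: int = AES_POLY) -> int:
    """Multiply by x (AES '02'): shift left; if the top bit fell out, XOR p(x).

    With the AES polynomial this is the slide's rule (b6..b0 0) XOR 00011011
    when b7 = 1: XORing 0x11B clears the overflow bit and adds 0x1B.
    """
    n = poly.bit_length() - 1                # field degree
    b <<= 1
    if b >> n:
        b ^= poly
    return b


def gf_inv(a: int, poly: int = AES_POLY) -> int:
    """a^-1 mod p(x) by the extended Euclidean algorithm over Z_2[x].

    Tracks r_i = s_i*p + t_i*a and keeps only t_i (mod p), exactly like the
    integer version: when r_i = 1, t_i is the inverse.
    """
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1 = poly, a
    t0, t1 = 0, 1
    while r1 != 1:
        if r1 == 0:                          # gcd != 1: p(x) was not irreducible
            raise ValueError("element not invertible; modulus reducible?")
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ gf_mul(q, t1, poly)   # t_i = t_{i-2} - q_{i-1} t_{i-1}
    return t1


def gf_pow(a: int, e: int, poly: int = AES_POLY) -> int:
    """Square-and-multiply; a^(2^n - 2) is another route to the inverse."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, poly)
        a = gf_mul(a, a, poly)
        e >>= 1
    return result


if __name__ == "__main__":
    print(hex(gf_mul(0x02, 0x87)), hex(xtime(0x87)))     # 0x15 0x15
    print(hex(gf_inv(0x53)), hex(gf_pow(0x53, 254)))     # 0xca 0xca
    print(bin(gf_inv(0b101, F8_POLY)))                   # 0b10: (x^2+1)^-1 = x
```

The AES S-box is this inverse followed by an affine map, so a table of `gf_inv(a)` for all 256 bytes is the first half of the S-box. Note that the Euclidean loop here takes a data-dependent number of iterations; the constant-exponent route `gf_pow(a, 254)` (or a precomputed table) is what a timing-safe implementation would use.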
Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers

• Message space: $\mathcal{P} = M^L = \{\, m = (m_1, m_2, \ldots, m_L) \mid m_i \in M \,\}$
  – $M = \{a_i,\ i = 1, 2, \ldots, N\}$ with $p(a_i) \ge 0$ and $\sum_{i=1}^{N} p(a_i) = 1$
• Key space: $\mathcal{K} = B^R = \{\, b = (b_1, b_2, \ldots, b_R) \mid b_i \in B \,\}$
  – $B = \{b_i,\ i = 1, 2, \ldots, S\}$ with $p(b_i) \ge 0$ and $\sum_{i=1}^{S} p(b_i) = 1$
• Ciphertext space: $\mathcal{C} = \{\, c \mid c = e_k(m),\ k \in \mathcal{K},\ m \in \mathcal{P} \,\}$
• (Diagram) Sender $\xrightarrow{m}$ Encryption $\xrightarrow{c}$ Decryption $\xrightarrow{m}$ Receiver; the key $k$ reaches both ends over a secure channel; the cryptanalyst observes $c$.
Claude Shannon (1916–2001)

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
  – R. G. Gallager
Probability Distribution of $C$

• $\Pr[C = c] = \sum_{k \in \mathcal{K},\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]$
  – $C(k) = \{\, e_k(m) \mid m \in \mathcal{P} \,\}$, the ciphertexts reachable under key $k$
• $\Pr[C = c \mid P = m] = \sum_{k \in \mathcal{K},\ m = d_k(c)} \Pr[K = k]$
• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \cdot \Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr[P = m] \cdot \sum_{k : m = d_k(c)} \Pr[K = k]}{\sum_{k \in \mathcal{K},\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]}$
Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define "information"?
• Definition: an encryption scheme is Shannon secure if observing the ciphertext does not change the probability distribution of $P$:
  $\forall c \in \mathcal{C},\ \forall m \in \mathcal{P}$: $\Pr[P = m] = \Pr[P = m \mid C = c]$
• Such a scheme is also said to have perfect secrecy.
Perfect Secrecy Theorem

• Suppose $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ is a cryptosystem with $|\mathcal{K}| = |\mathcal{P}| = |\mathcal{C}|$ (every plaintext and ciphertext occurring with nonzero probability).
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability $1/|\mathcal{K}|$, and
  – for every $x \in \mathcal{P}$ and every $y \in \mathcal{C}$ there is a unique key $k$ such that $e_k(x) = y$.
Proof of $\Leftarrow$

• Assume every key has probability $1/|\mathcal{K}|$ and each pair $(x, y)$ has a unique key. For any $x \in \mathcal{P}$, $y \in \mathcal{C}$:
  $\Pr[P = x \mid C = y] = \dfrac{\Pr[P = x] \cdot \sum_{k : x = d_k(y)} \Pr[K = k]}{\sum_{k : y \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(y)]}$
• Numerator: exactly one key $k$ has $x = d_k(y)$, so $\sum_{k : x = d_k(y)} \Pr[K = k] = 1/|\mathcal{K}|$ and the numerator is $\Pr[P = x] / |\mathcal{K}|$.
• Denominator: as $k$ runs over $\mathcal{K}$, $d_k(y)$ runs over every plaintext exactly once (each $x$ has a unique key mapping it to $y$), so
  $\sum_{k : y \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(y)] = \dfrac{1}{|\mathcal{K}|} \sum_{x' \in \mathcal{P}} \Pr[P = x'] = \dfrac{1}{|\mathcal{K}|}$
• Hence $\Pr[P = x \mid C = y] = \Pr[P = x]$: perfect secrecy.
Proof of $\Rightarrow$ (part 1: a unique key for each $(x, y)$)

• Assume perfect secrecy and $\Pr[C = y] > 0$ for every $y \in \mathcal{C}$.
• $\Pr[x \mid y] = \Pr[x]$ implies (by Bayes' rule) $\Pr[y \mid x] = \Pr[y]$.
• Fix $x \in \mathcal{P}$ and $y \in \mathcal{C}$: $\Pr[y \mid x] = \Pr[y] > 0$, thus at least one key $k$ satisfies $e_k(x) = y$.
• Therefore $|\{\, e_k(x) \mid k \in \mathcal{K} \,\}| = |\mathcal{C}| = |\mathcal{K}|$:
  – there are no two keys $k_1 \ne k_2$ with $e_{k_1}(x) = e_{k_2}(x)$ (otherwise fewer than $|\mathcal{C}|$ ciphertexts would be reached from $x$),
  – so there is a unique key $k$ such that $e_k(x) = y$.
Proof of $\Rightarrow$ (part 2: keys are uniform)

• Let $n = |\mathcal{K}|$ and $\mathcal{P} = \{x_i \mid 1 \le i \le n\}$.
• Fix a ciphertext $y$; by part 1 there are keys $k_1, k_2, \ldots, k_n$ with $e_{k_i}(x_i) = y$, and they are pairwise distinct (one key decrypts $y$ to only one plaintext), so $\{k_1, \ldots, k_n\} = \mathcal{K}$.
• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i] \cdot \Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i] \cdot \Pr[x_i]}{\Pr[y]}$
• Perfect secrecy gives $\Pr[x_i \mid y] = \Pr[x_i]$, hence $\Pr[K = k_i] = \Pr[y]$ for every $i$.
  – Every key is used with the same probability $\Pr[y]$, which must therefore be $1/|\mathcal{K}|$.
"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space $\mathcal{P}$ have size $n$; any cipher with perfect secrecy has $|\mathcal{K}| \ge n$.
• Proof:
  – Consider a probability distribution on $\mathcal{P}$ in which every plaintext has nonzero probability.
  – Given any ciphertext $C = c$ (with $\Pr[C = c] > 0$), for every $m$:
    $\Pr[P = m \mid C = c] = \Pr[P = m] > 0$, thus there must exist a key that decrypts $c$ into $m$.
  – As one key decrypts $c$ into only one message, at least $n$ distinct keys are needed.
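Shannon's condition from the preceding slides, checked by brute force (an added example; not code from the original lecture): for a finite cryptosystem given as a plaintext distribution, a key distribution and $e_k$, it enumerates $\Pr[C = c]$ and $\Pr[P = m \mid C = c]$ exactly as in the Bayes formula above and tests whether every posterior equals the prior. The sample ciphers (one-letter shift cipher, one-time pad on 3-bit blocks, the same pad reused for two blocks) and the distributions are constructed for the example; the reused pad is the "one key, many messages" limitation discussed on the next slide.

```python
# Added example (not from the original slides): test Pr[P=m | C=c] = Pr[P=m]
# by exhaustive enumeration of a finite cryptosystem. Distributions are dicts
# value -> Fraction so the comparison is exact. Names and sample ciphers are mine.
from fractions import Fraction
from itertools import product


def uniform(values):
    values = list(values)
    return {v: Fraction(1, len(values)) for v in values}


def ciphertext_dist(plain, keys, enc):
    """Pr[C=c] = sum over (m, k) with e_k(m) = c of Pr[P=m] * Pr[K=k]."""
    pc = {}
    for (m, pm), (k, pk) in product(plain.items(), keys.items()):
        c = enc(k, m)
        pc[c] = pc.get(c, Fraction(0)) + pm * pk
    return pc


def posterior(plain, keys, enc, c):
    """Pr[P=m | C=c] for every m: Pr[C=c | P=m] * Pr[P=m] / Pr[C=c]."""
    pc = ciphertext_dist(plain, keys, enc)[c]
    post = {}
    for m, pm in plain.items():
        pc_given_m = sum((pk for k, pk in keys.items() if enc(k, m) == c), Fraction(0))
        post[m] = pc_given_m * pm / pc
    return post


def is_perfectly_secret(plain, keys, enc) -> bool:
    """True iff every reachable ciphertext leaves the plaintext distribution unchanged."""
    return all(posterior(plain, keys, enc, c) == plain
               for c in ciphertext_dist(plain, keys, enc))


# Sample ciphers and distributions, constructed for this example.
def shift(k, m, n=26):            # shift (Caesar) cipher on one letter of Z_26
    return (m + k) % n


def otp(k, m):                    # one-time pad on a 3-bit block
    return m ^ k


def two_time_pad(k, m):           # the same 3-bit key reused for two blocks
    return (m[0] ^ k, m[1] ^ k)


ENGLISH_ISH = {4: Fraction(1, 2), 19: Fraction(1, 4), 0: Fraction(1, 4)}  # E, T, A
BLOCKS = uniform(range(8))                                 # 3-bit blocks, uniform
BLOCK_PAIRS = uniform(product(range(8), repeat=2))         # pairs of blocks, uniform
SKEWED_KEYS = {k: Fraction(k + 1, 351) for k in range(26)}  # biased key choice, sums to 1

if __name__ == "__main__":
    print(is_perfectly_secret(ENGLISH_ISH, uniform(range(26)), shift))   # True
    print(is_perfectly_secret(ENGLISH_ISH, uniform(range(13)), shift))   # False: |K| too small
    print(posterior(ENGLISH_ISH, uniform(range(13)), shift, 15))         # {4: 1, 19: 0, 0: 0}
    print(is_perfectly_secret(ENGLISH_ISH, SKEWED_KEYS, shift))          # False: keys not uniform
    print(is_perfectly_secret(BLOCKS, BLOCKS, otp))                      # True
    print(is_perfectly_secret(BLOCK_PAIRS, BLOCKS, two_time_pad))        # False: c1 XOR c2 = m1 XOR m2
```

The shift cipher with only 13 keys shows the "bad news" theorem concretely: ciphertext 15 can only come from plaintext 4 (E), so the posterior is 1. The two-time pad fails for a different reason: both conditions of the theorem hold per block, but the key space (8) is smaller than the message space (64), and $c_1 \oplus c_2 = m_1 \oplus m_2$ leaks.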
Introduction to Complexity

• Perfect secrecy $\Rightarrow$ key length $\ge$ message length
  – One key can NOT be used to encrypt many messages
  – For example, a 56-bit key cannot give perfect secrecy for a document longer than 56 bits
• So in modern cryptography
  – security is NOT perfect secrecy
  – it IS security against adversaries with limited resources (complexity)
  – meaning that key (or plaintext) recovery is computationally difficult
  – complexity is the foundation of modern cryptography
Problems

• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers $a, b \in \mathbb{N}$
  – Question: what is the greatest common divisor of $a$ and $b$?
  – An instance of the GCD problem: what is $\gcd(24, 16)$?
Turing Machine

• Definition: a Turing Machine is given by a transition function $\delta: S \times B \to S \times B \times \{l, r\}$
  – where $S$ is the set of states, $B$ is the tape alphabet (characters), $l$ is "shift left" and $r$ is "shift right"
• (Diagram: a finite state machine reading and writing one cell of an infinite tape such as … 0 1 1 0 0 0 1 1 …)
Algorithms

• Definition: an algorithm is a step-by-step procedure (formalised as a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Problems and Algorithms

(Diagram: a PROBLEM has many INSTANCES; each instance is the Input of the ALGORITHM, which produces the Output.)
Complexity of an Algorithm

• Definition: the time complexity of an algorithm is how many steps (of the Turing Machine) are necessary to produce the solution for a given instance of size $n$
• Time complexity functions (TCF)
  – Logarithmic: $f(n) = \log n$
  – Polynomial: $f(n) = n^a$, $a \in \mathbb{N}$
  – Exponential: $f(n) = \Omega(a^n)$ for some $a \in \mathbb{N}$, $a > 1$, and $f(n) = O(b^n)$ for some $b \in \mathbb{N}$
Complexity of a Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much harder to determine than that of an algorithm
  – It relies on mathematical analysis (lower bounds), not on measuring one particular algorithm
• Definition: complexity theory is the mathematical discipline that classifies problems according to the difficulty of solving them
Classes of Problems

• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Example: the Turing halting problem
• Decidable
  – P: can be solved in polynomial time using a deterministic Turing machine (DTM)
  – NP: can be solved in polynomial time using a nondeterministic Turing machine (NDTM), $\delta: S \times B \to 2^{S \times B \times \{l, r\}}$
  – BPP: can be "solved" in polynomial time using a probabilistic Turing machine (PTM), $\delta: S \times B \times \{0, 1\} \to S \times B \times \{l, r\}$ (randomized algorithms)
NP Problems

• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution (some computation path accepts)
• Remarks
  – P $\subseteq$ NP
  – Intuitively, NP problems are "more difficult"
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered the easy problems
Polynomial Reduction

• Definition: assume $Q_1, Q_2 \in$ NP with instance sets $I_1, I_2$, and let $I_1^+, I_2^+$ be their 'yes' instances.
  $Q_1$ is polynomially reducible to $Q_2$ if there is a function $f: I_1 \to I_2$ such that
  – $f$ is computable in polynomial time by a DTM
  – for all $x \in I_1$: $x \in I_1^+$ iff $f(x) \in I_2^+$
• Note
  – $Q_2$ is at least as hard as $Q_1$ (a polynomial-time algorithm for $Q_2$ gives one for $Q_1$)
  – Denoted $Q_1 \le_{\text{poly}} Q_2$
NP Completeness (NPC)

• Definition: a problem $Q_c \in$ NP is NP-complete if for every $Q \in$ NP we have $Q \le_{\text{poly}} Q_c$
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set $U$ of variables and a collection $C$ of clauses over $U$
  – Question: is there a satisfying truth assignment for $C$?
• How to prove that a problem $Q \in$ NP is NPC
  – Show SAT $\le_{\text{poly}} Q$ (SAT is NP-complete by Cook's theorem, so every NP problem reduces to $Q$ through SAT)
P = NP?

• Either P = NP, or $\exists p \in$ NP with $p \notin$ P
• If P = NP
  – Modern cryptography is NOT secure: any secret that can be verified efficiently (e.g. a key consistent with a plaintext/ciphertext pair) could also be found efficiently
• If $\exists p \in$ NP, $p \notin$ P
  – This is the necessary condition for one-way functions: a one-way function yields such a $p$ (inverting it is in NP but not in P)
  – From a one-way function, pseudorandom generators and indistinguishable pseudorandom functions can be built
  – These are the foundations of modern cryptography
  – Caveat: P $\ne$ NP is not known to be sufficient; it only gives worst-case hardness, while one-way functions need problems that are hard on average
BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem is solved with some error probability (bounded away from 1/2)
  – The error probability can be reduced by repetition (majority vote)
  – Security of cryptography is defined against BPP adversaries
  – Will be analyzed in depth later
Problems in Cryptography

• FACTORING: factorize $n$ $(= p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k})$
• DLP: given a generator $\alpha$ of $\mathbb{Z}_p^*$ and $\beta \in \mathbb{Z}_p^*$, find $x$ satisfying $\alpha^x \equiv \beta \pmod p$
• DHP: find $\alpha^{ab} \pmod p$ from $\alpha^a \pmod p$ and $\alpha^b \pmod p$
• Subset-Sum: given a set of positive integers $A = \{a_1, a_2, \ldots, a_n\}$ and a positive integer $s$, determine whether there is a subset of $A$ whose sum is $s$
• QRP: decide whether $a$ is a quadratic residue modulo $n$
• SQROOT: find $x$ satisfying $x^2 \equiv a \pmod n$
Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – May leak partial information (e.g. the message length)
  – Approximates perfect secrecy against computationally bounded adversaries
• Definition of semantic security (equivalent formulations)
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish a ciphertext from random bits
IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is $(t, \varepsilon)$ IND-CPA secure if no $t$-time adversary wins the following game with probability $\ge 1/2 + \varepsilon$
• The game (Challenger vs. Adversary):
  1. Challenger picks a random key $k$ and a random bit $b \in \{0, 1\}$
  2. Adversary picks $M_0, M_1$ of equal length (it may also ask for encryptions of plaintexts of its choice, which is what "chosen-plaintext" means)
  3. Challenger sends $C = E_k(M_b)$
  4. Adversary outputs a guess $b'$
• The attacker wins the game if $b = b'$
Bit Secure

• A cipher is $(t, \varepsilon)$ bit secure if no $t$-time adversary wins the following game with probability $\ge 1/2 + \varepsilon$
• The game (Challenger vs. Adversary):
  1. Challenger picks a random key $k$
  2. Challenger picks a random message $M$ and sends $C = E_k(M)$
  3. Adversary picks a position $i$ and outputs a bit $a$
• The attacker wins the game if $a$ equals the $i$'th bit of $M$
Semantic Security: IND-CPA implies Bit Security

• Any cipher that is $(t, \varepsilon)$ IND-CPA secure against eavesdroppers is also $(t, \varepsilon)$ bit secure
• Proof: given a $(t, \varepsilon)$ attacker $A$ against bit security, build a $(t, \varepsilon)$ attacker $B$ against IND-CPA security. $B$ picks a random $M_0$ and lets $M_1$ be its bitwise complement, receives $C = E_k(M_b)$, runs $A$ on $C$ to obtain $(i, a)$, and outputs $b' = 0$ if $a$ equals the $i$'th bit of $M_0$ and $b' = 1$ otherwise. $M_b$ is a uniformly random message either way, and $B$ guesses $b$ correctly exactly when $A$ guesses the bit correctly, so $B$ wins with the same probability as $A$.
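The IND-CPA game of the preceding slides as a runnable harness (an added example; not code from the original lecture): a challenger, an adversary with encryption-oracle access, and two constructed ciphers. The deterministic one is broken by the simplest chosen-plaintext strategy (ask the oracle for $E_k(M_0)$ and compare with the challenge), while the randomised one, $E_k(m) = (r, F_k(r) \oplus m)$ with a fresh $r$ per call and HMAC-SHA256 assumed to play the pseudorandom function $F$, leaves that adversary at a win rate of about 1/2. Cipher, adversary and function names are mine.

```python
# Added example (not from the original slides): an IND-CPA game harness with
# two constructed ciphers. The "PRF" is HMAC-SHA256 (assumed pseudorandom);
# cipher, adversary and function names are mine.
import hashlib
import hmac
import random
import secrets


def prf(key: bytes, r: bytes, n: int) -> bytes:
    """Assumed PRF F_k(r): the first n bytes of HMAC-SHA256(key, r)."""
    return hmac.new(key, r, hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DeterministicCipher:
    """c = F_k(0) XOR m: the same key stream on every call (a reused pad)."""
    def __init__(self, key: bytes):
        self.key = key

    def encrypt(self, m: bytes) -> bytes:
        return xor(prf(self.key, b"\x00", len(m)), m)


class RandomizedCipher:
    """c = r || (F_k(r) XOR m) with a fresh random 16-byte r per call."""
    def __init__(self, key: bytes):
        self.key = key

    def encrypt(self, m: bytes) -> bytes:
        r = secrets.token_bytes(16)
        return r + xor(prf(self.key, r, len(m)), m)


class ReplayAdversary:
    """Chooses two messages, then asks the oracle for E_k(M0) and compares."""
    def choose(self):
        return b"attack at dawn", b"attack at dusk"     # equal length

    def guess(self, challenge: bytes, oracle) -> int:
        return 0 if oracle(b"attack at dawn") == challenge else 1


def ind_cpa_game(cipher_cls, adversary, rng: random.Random, trials: int = 200) -> float:
    """Play the IND-CPA game `trials` times; return the adversary's win rate."""
    wins = 0
    for _ in range(trials):
        cipher = cipher_cls(secrets.token_bytes(16))   # challenger: random key k
        b = rng.randrange(2)                             # challenger: random bit b
        m0, m1 = adversary.choose()                      # adversary: M0, M1
        if len(m0) != len(m1):
            raise ValueError("messages must have equal length")
        challenge = cipher.encrypt(m1 if b else m0)      # C = E_k(M_b)
        b_guess = adversary.guess(challenge, cipher.encrypt)   # CPA: oracle access
        wins += int(b_guess == b)
    return wins / trials


def advantage(win_rate: float) -> float:
    """epsilon: the game is won with probability 1/2 + epsilon."""
    return win_rate - 0.5


def run_experiment(seed: int = 2024, trials: int = 200) -> dict:
    """Win rates of ReplayAdversary against both ciphers (seed drives only b)."""
    rng = random.Random(seed)
    return {
        "deterministic": ind_cpa_game(DeterministicCipher, ReplayAdversary(), rng, trials),
        "randomized": ind_cpa_game(RandomizedCipher, ReplayAdversary(), rng, trials),
    }


if __name__ == "__main__":
    for name, rate in run_experiment().items():
        print(f"{name:14s} win rate {rate:.2f}  advantage {advantage(rate):+.2f}")
```

The deterministic cipher is exactly the two-time pad of the Shannon slides seen through the complexity lens: the adversary needs only one oracle query and wins every game, so $\varepsilon = 1/2$. The randomised construction is the standard CPA-secure mode built from a PRF (counter mode and CBC with a fresh IV are the practical instances); the replay adversary's advantage against it is as small as the probability of a repeated $r$.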
Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – $\mathbb{Z}_n$, $\mathbb{Z}_p$, $GF(2^n)$
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework

• HTTP URL: httpcsthiteducncryptography
• Due Date:
Zhijun Li S1034040Autumn08HIT 6
bull Theorem(Fundamental Theorem of Arithmetic)
nN n= p1e1 p2
e2hellippkek ( or piP pei)
where ep is the exponent of the prime factor p
bull Note the result of factorization is uniquebull Example 84=2237
Factorizing in Product of Primes
Zhijun Li S1034040Autumn08HIT 7
Primes Amount
bull Theorem There are infinitely many primes
bull Proof (by contradiction) Assume Pmax build a number N is
N=P1P2hellipPmax+1
N can not be represented as P1e
1 P2e
2 hellip Pmaxe
max Therefore N is a new prime
Zhijun Li S1034040Autumn08HIT 8
Primes Density
(x) is a function gives the number of all primes contained in lt1xgt
(x)xln(x)
bull Gauss (x)xln(x)bull Legendre (x)x(ln(x)-108366) bull Hadamard de la Vallee-Poussion
((x)ln(x)x)x = 1
Zhijun Li S1034040Autumn08HIT 9
Greatest Common Divisor
bull Definition the greatest common divisor(GCD) is the number c
c=gcd(ab)=maxd|d|ad|bbull Properties
ndash d|n1d|n2hellipd|nk d|gcd(n1n2hellipnk)ndash gcd(ab) = gcd(b a mod b)
bull a mod b = r = a-qb 0ltrltb bull Hint a|b b|a a = b
bull Definition if gcd(ab)=1 then a and b are relatively prime(coprime)
Zhijun Li S1034040Autumn08HIT 10
Finding GCD
bull Theorem a=i pi
ai b=i pi
bi
gcd(ab)= i pi
min(ai bi)
bull Example
a=882=2 32 72
b=3465=33 5 7 11
gcd(ab)= 32 7 = 63
bull Complexityndash Need factoring the a and b ndash T(n) = O(cO(n))
Zhijun Li S1034040Autumn08HIT 11
Euclidean Algorithm Example
1970 = 1 x 1066 + 904 gcd(1066 904)1066 = 1 x 904 + 162 gcd(904 162)904 = 5 x 162 + 94 gcd(162 94)162 = 1 x 94 + 68 gcd(94 68)94 = 1 x 68 + 26 gcd(68 26)68 = 2 x 26 + 16 gcd(26 16)26 = 1 x 16 + 10 gcd(16 10)16 = 1 x 10 + 6 gcd(10 6)10 = 1 x 6 + 4 gcd(6 4)6 = 1 x 4 + 2 gcd(4 2)4 = 2 x 2 + 0 gcd(2 0)
GCD(19701066)
Zhijun Li S1034040Autumn08HIT 12
Euclidean Algorithm
bull Step 1 r0 =a and r1 =b
bull Step 2 r0 =q1r1+ r2
r1 =q2r2+ r3
helliphellip
rn-2 = qn-1rn-1+ rn
until rn=0 and rn-1 0
bull Step 3 rn-1 = gcd(ab)
Zhijun Li S1034040Autumn08HIT 13
Euclidean Algorithm Proof
bull rn = 0 rn-1| rn-2
rn-1| rn-3 hellip rn-1| a and rn-1| b
rn-1| gcd(ab)
bull gcd(ab)| r0 and gcd(ab)|r1
gcd(ab) | r0 ndash q1r1 gcd(ab)| r2
hellip gcd(ab) | rn-1
bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1
Zhijun Li S1034040Autumn08HIT 14
Euclidean Algorithm Complexity
bull Time Complexityndash Iteration
bull Each rigt1 iteration = O(log2a)
ndash Division
bull O(log22a)
ndash T(n)=O(log32n)
Zhijun Li S1034040Autumn08HIT 15
Modular Arithmetic
bull Why modular arithmetic
01100hellip0100
Plaintext 2n
11010hellip0111
Ciphertext 2n
+ addition multiplication
Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite
Zhijun Li S1034040Autumn08HIT 16
Modular Operation
bull Definition a mod n(modulo operator) is the remainder when a is divided by n
bull a mod n is r a=qn+r (0ltrltn)
Zhijun Li S1034040Autumn08HIT 17
Congruence Modulo n
bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)
Zhijun Li S1034040Autumn08HIT 18
Congruence Properties
bull Propertiesndash a b (mod n) c d (mod n)
a+c b+d (mod n)
ac bd (mod n)ndash Example
10 1 mod 9 102 1 mod 9 hellip
a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9
ndash a b (mod n) d|n a b (mod d)
Zhijun Li S1034040Autumn08HIT 19
Congruence Relation
bull Congruence relation is an equivalence relationndash Reflexive
bull a andash Symmetric
bull a b b a ndash Transitive
bull a b b c a c
bull Equivalence relation Partition
Zhijun Li S1034040Autumn08HIT 20
Example Integers Modulo 7
bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence
Z7 residues modulo 7
Zhijun Li S1034040Autumn08HIT 21
Set of Residues
bull Definition if a b mod n and bltn b is called a residue of a modulo n
bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i
n the set satisfies bri mod n
bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele
ment is relatively prime to n
Zhijun Li S1034040Autumn08HIT 22
Set of Residues Example
bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379
bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1
Zhijun Li S1034040Autumn08HIT 23
Modular Arithmetic
bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1
bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n
bull Proof Let a=q1n+r1 b=q2n+r2
bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n
ndash [(a mod n) (b mod n)] mod n = (ab) mod n
bull (+ ) (-)
Zhijun Li S1034040Autumn08HIT 24
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)
What
Zhijun Li S1034040Autumn08HIT 25
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )
NOT all elements in Z8
Zhijun Li S1034040Autumn08HIT 26
Modular Arithmetic Remark
bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n
bull ((-a)+a+b) ((-a)+a+c) mod n
bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8
ndash When
Zhijun Li S1034040Autumn08HIT 27
Multiplicative Inverse in Modular
bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n
bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists
bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=
0
Zhijun Li S1034040Autumn08HIT 28
Multiplicative Inverse Theorem
bull Proof
ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1
ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n
ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)
Zhijun Li S1034040Autumn08HIT 29
Eulerrsquos phi Function
bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn
ndash Is the number of elements in the reduced set of residues for modulo n
(n) calculation
Zhijun Li S1034040Autumn08HIT 30
Chinese Remainder Theorem
bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)
x a1 mod n1
x a2 mod n2
helliphellip
x ak mod nk
There exists a unique solution of x modulo n=n1
n2hellipnk
Zhijun Li S1034040Autumn08HIT 31
Proof of CRT
bull Consider a one-to-one map Zn Zn1
Zn2 hellipZnk
(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)
(a1 a2 hellip ak) = i=1kaimiyi mod n
ndash mi = nni gcd(mini)=11ik ndash yi = mi
-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj
-1 mod nj mjyj1 mod nj ajmjyjaj mod nj
(a1 a2 hellip ak) mod nj = aj
Zhijun Li S1034040Autumn08HIT 32
Finding Eulerrsquos phi Function
bull Theorem if gcd(mn)=1 then (mn)=(m)(n)
bull Proof ndash A number x mod mn is represented uniquely by the p
air (a b) (x mod m x mod n) (CRT)
ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
ndash So (mn)=(m)(n)
Zhijun Li S1034040Autumn08HIT 33
Finding Eulerrsquos phi Function
(n) calculation for n = i=1k pi
ei
(p) = p-1 (pe) = pe ndash pe-1
ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1
( i=1kpi
ei ) = i=1k(pi
ei ndash piei -1)
(n) = n(1-1p1)(1-1p2)hellip(1-1pk)
Zhijun Li S1034040Autumn08HIT 34
Eulerrsquos Theorem
bull Theorem If gcd(an)=1 then a(n) 1 mod n
bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues
modulo n
2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)
3 i=1(n) ri = i=1
(n) ari a(n) i=1(n) ri mod n
4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n
Zhijun Li S1034040Autumn08HIT 35
Fermatrsquos Little Theorem
bull For Eulerrsquos Theorem
Let n is p and p is a prime
Because for all 0ltaltp gcd(ap)=1 then
ap-1 1 mod p
Zhijun Li S1034040Autumn08HIT 36
bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)
bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)
bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)
Finding a-1 mod n
Zhijun Li S1034040Autumn08HIT 37
From Euclidean Algorithm
bull r0 =1r0+ 0r1 = s0r0+t0r1
bull r1 =0r0+ 1r1 = s1r0+t1r1
bull r2 = r0-q1r1 = s2r0+t2r1
bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1
helliphellipbull rn-1 = sn-1r0+tn-1r1
bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1
-1 mod r0
bull Find tn-1
Zhijun Li S1034040Autumn08HIT 38
si and ti
bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1
si=si-2-qi-1si-1
ti=ti-2-qi-1ti-1
bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0
Zhijun Li S1034040Autumn08HIT 39
Step 1 r0 =n and r1 =a
Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n
r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n
let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip
rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1
Step 3 Result is xn-2 =a-1 mod n
Extended Euclidean Algorithm
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
bull Definition The order of a finite group is the number of the elements in the group
bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S
bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H
(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a
ll coset is a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of Group Element
bull Definition The order of group element a is defined as the least positive integer n that
an = a a hellip a =e
bull The order of a is denoted as ord(a)
bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n
Zhijun Li S1034040Autumn08HIT 47
ord(a)|n Proof
bull Proofndash For group G and aG the set a a2 hellip aord
(a) and the operator of G forms a subgroup of G
aord(a)=e (ai)-1=a(ord(a)-i)
ndash This subgroup is denoted as ltagt
Zhijun Li S1034040Autumn08HIT 48
The Generator of Group
bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group
bull Examplendash Considering the ltZ7
gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod
7hellipbull lt124gt subgroup
ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator
Zhijun Li S1034040Autumn08HIT 49
Ringbull Definition A ring R=ltS+gt (+ is addition is
multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac
bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio
n and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic
ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers
e a-1 a = a-1 a = 1
bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
Field +-x
Relationship
Ring +-x
+-Group
Used In Cryptography
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
bull Zn
bull Zn
bull Zp
bull Polynomial Rings
bull Galois Field F2n
Zhijun Li S1034040Autumn08HIT 53
Zn
bull Zn is the ldquoringrdquo of integers modulo n
ndash Zn=0 1 2 hellipn-1
ndash Normal addition modulo nndash Normal multiplication modulo n
bull Example
ndash Z26 for English
ndash Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
bull Additive and multiplicative identities in Zn
ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n
bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn
bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn
ndash The elements in Zn have inverse x|gcd(xn)=1
Zhijun Li S1034040Autumn08HIT 55
Zn
bull Zn is a ldquogrouprdquo of integers modulo n
ndash Zn=x| gcd(xn)=1
ndash |Zn|=(n)
ndash Normal multiplication modulo n
bull Zn may not a group over +
ndash Example n=20 35 Zn but 3+5=8 Zn
bull So Zn may not a field
Zhijun Li S1034040Autumn08HIT 56
Zp
bull Zp is the ldquofieldrdquo of integers modulo n
ndash Zp=012hellipp-1
ndash Normal addition modulo pndash Normal multiplication modulo p
bull ExampleZ2+ 0 1
01
0 11 0
0 1
01
0 00 1
w -w w-1
01
01 1
XOR AND
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n xⁿ + a_{n-1} xⁿ⁻¹ + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example
• Example: Let f(x) = x³+x+1 and g(x) = x²+x be elements in Z2[x]
– f(x) + g(x) = x³+x²+1
– f(x) − g(x) = f(x) + g(x) = x³+x²+1
– f(x)·g(x) = x⁵+x⁴+x³+x
Set of Residues Modulo p(x)
• Definition: A set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
– p(x) is an irreducible polynomial over R
• A set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)

Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), or a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
– Z5[x]: 3x³+4x+4 ≡ x+4 mod x²+1
  • 3x³+4x+4 − (x+4) = 3x³+3x = 3x(x²+1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x), then b(x) = a⁻¹(x) mod p(x)
Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted as b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)
Example: Z2[x]/(x³+x+1)
• S = {0, 1, x, x+1, x², x²+1, x²+x, x²+x+1}
• p(x) = x³+x+1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
– x⁴+1 = x·x³+1 mod p(x) = x(x+1)+1 = x²+x+1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x³+x+1) Properties
• S is a group over addition in R
– 0 is e and the inverse of a ∈ S is a itself
– Example: (x²+1) + (x²+1) = 0
• The nonzero elements of S form a group over multiplication mod p(x)
– 1 is e and the inverse of a ∈ S exists
– Example: (x²+1)·x = x³+x ≡ x+1+x mod x³+x+1 = 1
– Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x³+x+1) is a Field
Galois Field
• Definition: Galois field = (S, +, ·)
– S = F[x]/p(x)
– F is a field Z_N (N is prime)
– + is addition in F, · is multiplication modulo p(x)
– p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted as GF(Nⁿ) when n = deg p(x)

Why Galois Field
• For an 8-bit block
– Z256 = {0, 1, …, 255} is not a field
– Z251 = {0, 1, …, 250} is a field
  • The largest prime < 256 is 251
  • 251…255 are wasted
• Is it possible to find a field for Z256?
– Yes – the Galois Field
Galois Field for Z256
• Build a mapping from an n-bit block to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x⁷ + 0·x⁶ + 0·x⁵ + 1·x⁴ + 0·x³ + 1·x² + 1·x¹ + 1·x⁰
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2ⁿ)
Galois Field Example: AES
• AES uses GF(2⁸) = Z2[x]/p(x) where p(x) = x⁸ + x⁴ + x³ + x + 1
• Example
– 01010011 ↔ x⁶+x⁴+x+1
– (01010011)⁻¹ ↔ (x⁶+x⁴+x+1)⁻¹ mod p(x) = x⁷+x⁶+x³+x ↔ 11001010

Galois Field Example: AES
• Example: 02·87 =
  • 87 = 10000111, f(x) = x⁷+x²+x+1
  • 02 = 00000010, f(x) = x
  • 02·87 ↔ x·f(x) = x(x⁷+x²+x+1) mod p(x) = x⁸ + x(x²+x+1) mod p(x)
• In general, for a byte b = b7 b6 b5 b4 b3 b2 b1 b0:
  x·f(x) ↔ 02·b = (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
                 = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1
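Added example, not the lecture's own code, covering the Z2[x] arithmetic, the GF(2³) residue set with p(x) = x³+x+1, the inverse found by the Extended Euclidean Algorithm, and the AES examples (0x53⁻¹ = 0xCA and 02·b) from the slides above. A polynomial over Z2 is stored as an int whose bit i is the coefficient of xⁱ, exactly the block-to-polynomial mapping of the "Galois Field for Z256" slide.

```python
# Added example (not from the lecture): arithmetic in Z2[x]/p(x), i.e. GF(2^n).
# A polynomial over Z2 is stored as an int whose bit i is the coefficient of x^i,
# so 0b10010111 is x^7 + x^4 + x^2 + x + 1 exactly as in the 8-bit block mapping.

def poly_degree(a: int) -> int:
    """deg(a); deg(0) is -1 so the division loop below terminates."""
    return a.bit_length() - 1

def poly_add(a: int, b: int) -> int:
    """In Z2[x] addition and subtraction are both coefficient-wise XOR."""
    return a ^ b

def poly_mul(a: int, b: int) -> int:
    """Schoolbook product in Z2[x], no reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a: int, p: int) -> tuple:
    """Long division in Z2[x]: (q, r) with a = q*p + r and deg r < deg p."""
    q, dp = 0, poly_degree(p)
    while a and poly_degree(a) >= dp:
        shift = poly_degree(a) - dp
        q ^= 1 << shift          # next quotient term x^shift
        a ^= p << shift          # subtract (XOR) x^shift * p(x)
    return q, a

def gf_mul(a: int, b: int, p: int) -> int:
    """Multiplication in the residue set Z2[x]/p(x)."""
    return poly_divmod(poly_mul(a, b), p)[1]

def gf_inv(a: int, p: int) -> int:
    """Inverse via the extended Euclidean algorithm over Z2[x]:
    keep r_i = s_i*p + t_i*a; when r_i = 1, t_i is a^-1 mod p(x)."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1, t0, t1 = p, a, 0, 1
    while r1 != 1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, poly_add(t0, poly_mul(q, t1))   # t_i = t_{i-2} - q*t_{i-1}
    return poly_divmod(t1, p)[1]

def is_irreducible(p: int) -> bool:
    """Slide definition: no b(x) with 1 <= deg b(x) < deg p(x) divides p(x)."""
    for b in range(2, 1 << poly_degree(p)):   # every polynomial of degree 1..deg p - 1
        if poly_divmod(p, b)[1] == 0:
            return False
    return True

def xtime(byte: int) -> int:
    """AES 02*b: shift left; if b7 was set, reduce x^8 by XOR with 00011011."""
    out = (byte << 1) & 0xFF
    return out ^ 0x1B if byte & 0x80 else out

def poly_str(a: int) -> str:
    """Render 0b1011 as 'x^3 + x + 1' for display."""
    if a == 0:
        return "0"
    names = {0: "1", 1: "x"}
    return " + ".join(names.get(i, f"x^{i}")
                      for i in range(poly_degree(a), -1, -1) if a >> i & 1)

GF8_POLY = 0b1011          # x^3 + x + 1, the slide's GF(2^3) modulus
AES_POLY = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1, the AES modulus

if __name__ == "__main__":
    f, g = 0b1011, 0b110   # f(x) = x^3+x+1, g(x) = x^2+x from the slide
    print("f+g =", poly_str(poly_add(f, g)), " f*g =", poly_str(poly_mul(f, g)))
    print("x^4+1 mod p =", poly_str(poly_divmod(0b10001, GF8_POLY)[1]))
    print("(x^2+1)^-1 in GF(2^3) =", poly_str(gf_inv(0b101, GF8_POLY)))
    print("0x53^-1 in the AES field = 0x%02X" % gf_inv(0x53, AES_POLY))
    print("02*87 = 0x%02X (xtime) = 0x%02X (gf_mul)"
          % (xtime(0x87), gf_mul(2, 0x87, AES_POLY)))
    print("moduli irreducible:", is_irreducible(GF8_POLY), is_irreducible(AES_POLY))
```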
Outline
• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security
Mathematical Model for Ciphers
• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
– M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, ∑_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
– B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, ∑_{i=1}^{S} p(bi) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ M}
Figure: Sender → Encryption (m → c) → Decryption (c → m) → Receiver; the key k reaches both sides over a Secure Channel; Cryptanalysis observes c; labelled Key Space (K), Message Space (P), Ciphertext Space (C)
Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." – R. G. Gallager
Claude Shannon, 1916-2001
Probability Distribution of C
• $\Pr[C = c] = \sum_{k \in K,\; c \in C(k)} \Pr[K = k]\,\Pr[P = d_k(c)]$
– $C(k) = \{\, e_k(m) \mid m \in P \,\}$
• $\Pr[C = c \mid P = m] = \sum_{k \in K,\; m = d_k(c)} \Pr[K = k]$
• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m]\,\Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m)\sum_{k \,:\, m = d_k(c)} \Pr(k)}{\sum_{k \in K,\; c \in C(k)} \Pr(k)\,\Pr(d_k(c))}$
Shannon Security
• Basic Idea: Ciphertext should provide no "information" about Plaintext
– How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P, ∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and ∀x ∈ P and ∀y ∈ C there is a unique key k such that e_k(x) = y
Proof of ⇐
• $\Pr[x \mid y] = \dfrac{\sum_{k \in K,\; x = d_k(y)} \Pr[K = k]\,\Pr[P = x]}{\sum_{k \in K,\; y \in C(k)} \Pr[K = k]\,\Pr[P = d_k(y)]}$
• Numerator: $\sum_{k \in K,\; x = d_k(y)} \Pr[K = k] = \dfrac{1}{|K|}$ (a unique key, each key with probability $1/|K|$)
• Denominator: $\sum_{k \in K,\; y \in C(k)} \Pr[K = k]\,\Pr[P = d_k(y)] = \dfrac{1}{|K|}\sum_{k \in K,\; y \in C(k)} \Pr[P = d_k(y)] = \dfrac{1}{|K|}\sum_{x \in P} \Pr[P = x] = \dfrac{1}{|K|}$
• Hence $\Pr[x \mid y] = \Pr[P = x]$
Proof of ⇒
• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C: we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
– There are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
– There is a unique key k such that e_k(x) = y

Proof of ⇒ (continued)
• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Given a fixed y, assume k1, k2, …, kn where e_{ki}(xi) = y
• Pr[xi | y] = Pr[y | xi]·Pr[xi] / Pr[y] = Pr[K = ki]·Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
– Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
– Consider a nonzero probability distribution of P
– Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
– As one key can decrypt c into only one message, at least n keys are needed
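Added example, not from the lecture: the formulas of the "Probability Distribution of C" slide evaluated exactly (with fractions) on a constructed shift cipher over Z_3, checking Shannon's condition Pr[P=m] = Pr[P=m|C=c] in the three situations the theorem and the "bad news" result describe: equiprobable keys with |K| = |P| = |C|, biased keys, and |K| < |P|. The plaintext and key distributions are my own constructed values.

```python
# Added example (not from the lecture): evaluate the slide formulas for Pr[C=c],
# Pr[C=c|P=m] and Pr[P=m|C=c] on a small constructed cryptosystem and test the
# perfect-secrecy condition Pr[P=m] = Pr[P=m|C=c] for every m and c.
from fractions import Fraction


class Cryptosystem:
    """(P, C, K, E, D) with explicit distributions on P and K (exact Fractions)."""

    def __init__(self, plaintexts, pr_p, pr_k, enc, dec):
        self.P = list(plaintexts)
        self.K = list(pr_k)                 # keys are the support of Pr[K=k]
        self.pr_p, self.pr_k = pr_p, pr_k   # dicts: m -> Pr[P=m], k -> Pr[K=k]
        self.enc, self.dec = enc, dec       # e_k(m) and d_k(c)
        self.C = sorted({enc(k, m) for k in self.K for m in self.P})

    def image(self, k):
        """C(k) = { e_k(m) | m in P }"""
        return {self.enc(k, m) for m in self.P}

    def pr_c(self, c):
        """Pr[C=c] = sum over k with c in C(k) of Pr[K=k] * Pr[P=d_k(c)]"""
        return sum((self.pr_k[k] * self.pr_p[self.dec(k, c)]
                    for k in self.K if c in self.image(k)), Fraction(0))

    def pr_c_given_p(self, c, m):
        """Pr[C=c|P=m] = sum over k with m = d_k(c) of Pr[K=k]"""
        return sum((self.pr_k[k] for k in self.K if self.enc(k, m) == c),
                   Fraction(0))

    def pr_p_given_c(self, m, c):
        """Bayes: Pr[P=m|C=c] = Pr[C=c|P=m] Pr[P=m] / Pr[C=c]"""
        return self.pr_c_given_p(c, m) * self.pr_p[m] / self.pr_c(c)

    def has_perfect_secrecy(self):
        """Shannon's condition for every c that can occur and every m."""
        return all(self.pr_p_given_c(m, c) == self.pr_p[m]
                   for c in self.C if self.pr_c(c) > 0 for m in self.P)


def shift_system(n, pr_k, pr_p):
    """Shift cipher over Z_n: e_k(m) = m + k mod n, d_k(c) = c - k mod n."""
    return Cryptosystem(range(n), pr_p, pr_k,
                        lambda k, m: (m + k) % n,
                        lambda k, c: (c - k) % n)


def example_systems():
    """Three constructed cases over Z_3 with a skewed plaintext distribution."""
    n = 3
    skew_p = {0: Fraction(1, 2), 1: Fraction(1, 3), 2: Fraction(1, 6)}
    uniform_k = {k: Fraction(1, n) for k in range(n)}          # theorem's conditions hold
    biased_k = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}  # keys not equiprobable
    short_k = {0: Fraction(1, 2), 1: Fraction(1, 2)}           # |K| = 2 < |P| = 3 ("bad news")
    return {
        "uniform keys": shift_system(n, uniform_k, skew_p),
        "biased keys": shift_system(n, biased_k, skew_p),
        "too few keys": shift_system(n, short_k, skew_p),
    }


def check_all():
    """Name -> whether that system has perfect secrecy."""
    return {name: s.has_perfect_secrecy() for name, s in example_systems().items()}


if __name__ == "__main__":
    for name, s in example_systems().items():
        print(f"{name}: perfect secrecy = {s.has_perfect_secrecy()}; "
              f"Pr[P=0|C=0] = {s.pr_p_given_c(0, 0)} vs Pr[P=0] = {s.pr_p[0]}")
```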
Introduction of the Complexity
• Perfect Secrecy: key length ≥ message length
– Can NOT use one key to encrypt many messages
– Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
– NOT perfect secrecy
– IS secure under limited resources (complexity)
– Means that the key (or plaintext) recovery is difficult
– Complexity is the foundation of modern cryptography
Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
– Name: GCD problem
– Instance: Two natural numbers a, b ∈ N
– Question: What is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: A Turing Machine is δ: S × B → S × B × {l, r}
– Where S is the set of states, B is the set of characters, l is shift left, r is shift right
Figure: a tape "… 0 1 1 0 0 0 1 1 …" read by a State Machine
Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms
Figure: PROBLEM → INSTANCES → (Input) ALGORITHM (Output)
Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
– Logarithmic functions: f(n) = log(n)
– Polynomial functions: f(n) = n^a, a ∈ N
– Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
– The complexity of a problem is much more difficult to determine
– It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problem
• Undecidable – provably intractable
– There is no algorithm that solves it
– Such as the Turing Halting Problem
• Decidable
– P – can be solved in polynomial time using a DTM
  • Example: AB
– NP – can be solved in polynomial time using an NDTM: δ: S × B → 2^{S × B × {l, r}}
– BPP – can be "solved" in polynomial time using a PTM: δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)
NP Problem
• NP problem: A problem is solved by the NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
– P problem ⊆ NP problem
– NP problem is "more difficult" from intuition
• NPC: The most difficult problems in NP
– How to define the difficulty?
– P problems are considered as easy problems
Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP and I1⁺ and I2⁺ are all the 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1⁺ iff f(x) ∈ I2⁺
• Note
– Q2 is more complex than Q1
– Denoted as Q1 ≤_poly Q2
NP Completeness (NPC)
• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc
• Example
– Name: Satisfiability problem (SAT)
– Instance: A set U of variables and a collection C of clauses over U
– Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC
– SAT ≤_poly Q
P = NP?
• P = NP, or ∃p ∈ NP, p ∉ P
• If P = NP
– Modern cryptography is NOT secure
• If ∃p ∈ NP, p ∉ P
– A one-way function can be built based on p
– Indistinguishable pseudorandom functions exist
– They are foundations of modern cryptography
BPP
• There are random algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for random algorithms
• Remarks on BPP
– The problem can be solved with an error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful under BPP
– Will be analyzed in depth later
Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Find x satisfying [base]^x ≡ [value] (mod p)
• DHP: Find [base]^(ab) (mod p) from [base]^a (mod p) and [base]^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x² ≡ a (mod n)
Semantic Security
• Ideas of Semantic Security
– Between Shannon security and security based on complexity
– Leaks partial information
– Approximates perfect secrecy
• Definition of Semantic Security
– Indistinguishability of ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish a ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
• Game (Challenger / Adversary)
– Challenger picks random k and picks random b ∈ {0, 1}
– Adversary picks M0, M1 of equal length
– Challenger returns the encryption of Mb; adversary outputs a guess b'
– Attacker wins the game if b = b'
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
• Game (Challenger / Adversary)
– 1. Challenger picks random k
– 2. Challenger picks random M
– 3. Adversary picks i and, given the ciphertext, outputs a guess a
– Attacker wins the game if a = the i'th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
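Added example, not the lecture's own code: both games above simulated on constructed 8-bit toy ciphers, together with the proof's reduction that turns a bit-security attacker into an IND-CPA attacker. The "leaky" cipher (a one-time pad whose key never changes plaintext bit 0), the one-time pad and the attacker classes are my own constructions; they show that a cipher which leaks one plaintext bit loses both games, while the reduction wins IND-CPA exactly as often as the bit attacker wins its game.

```python
# Added example (not from the lecture): the IND-CPA eavesdropper game and the
# bit-security game from the slides, plus the reduction used in the proof.
import random

MSG_BITS = 8                       # all messages are MSG_BITS-bit ints (equal length)

def otp_encrypt(k: int, m: int) -> int:
    """One-time pad: c = m XOR k with a fresh random k for every message."""
    return m ^ k

def leaky_encrypt(k: int, m: int) -> int:
    """Constructed toy cipher: key bit 0 is forced to 0, so c and m share bit 0."""
    return m ^ (k & ~1)

def ind_cpa_game(encrypt, adversary, rng) -> bool:
    """One round of the IND-CPA game; True if the adversary wins (b' = b)."""
    k = rng.randrange(1 << MSG_BITS)          # challenger picks random k
    b = rng.randrange(2)                      # ... and random b in {0, 1}
    m0, m1 = adversary.choose_messages(rng)   # adversary picks M0, M1 of equal length
    c = encrypt(k, (m0, m1)[b])               # challenger returns the encryption of Mb
    return adversary.guess_b(c) == b

def bit_game(encrypt, adversary, rng) -> bool:
    """One round of the bit-security game; True if a = i-th bit of M."""
    k = rng.randrange(1 << MSG_BITS)          # 1. challenger picks random k
    m = rng.randrange(1 << MSG_BITS)          # 2. challenger picks random M
    i = adversary.pick_bit()                  # 3. adversary picks i
    a = adversary.guess_bit(encrypt(k, m))
    return a == (m >> i) & 1

class LowBitAttacker:
    """Bit-security attacker that simply copies bit 0 of the ciphertext."""
    def pick_bit(self) -> int:
        return 0
    def guess_bit(self, c: int) -> int:
        return c & 1

class BitToIndCpa:
    """The proof's reduction: M0 is random and M1 is M0 with bit i flipped,
    so the bit attacker's guess for bit i tells the IND-CPA attacker which
    message was encrypted; b' is 0 iff the guessed bit agrees with M0."""
    def __init__(self, bit_attacker):
        self.bit_attacker = bit_attacker
    def choose_messages(self, rng):
        self.i = self.bit_attacker.pick_bit()
        self.m0 = rng.randrange(1 << MSG_BITS)
        return self.m0, self.m0 ^ (1 << self.i)
    def guess_b(self, c: int) -> int:
        a = self.bit_attacker.guess_bit(c)
        return 0 if a == (self.m0 >> self.i) & 1 else 1

def win_rate(game, encrypt, adversary, trials: int = 2000, seed: int = 1) -> float:
    """Fraction of rounds the adversary wins; seeded so the result is reproducible."""
    rng = random.Random(seed)
    return sum(game(encrypt, adversary, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    for name, enc in (("leaky toy cipher", leaky_encrypt), ("one-time pad", otp_encrypt)):
        print(name,
              "bit game:", win_rate(bit_game, enc, LowBitAttacker()),
              "IND-CPA via reduction:", win_rate(ind_cpa_game, enc, BitToIndCpa(LowBitAttacker())))
```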
Summary
• Number Theory
– Prime, gcd, Euler's Theorem, CRT
– Modular arithmetic
• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2ⁿ)
• Shannon Security
– Perfect secrecy
– Probability
• Complexity of Computing
– P, NP, NPC, BPP
Homework
• HTTP URL
httpcsthiteducncryptography
• Due Date
Zhijun Li S1034040Autumn08HIT 7
Primes Amount
bull Theorem There are infinitely many primes
bull Proof (by contradiction) Assume Pmax build a number N is
N=P1P2hellipPmax+1
N can not be represented as P1e
1 P2e
2 hellip Pmaxe
max Therefore N is a new prime
Zhijun Li S1034040Autumn08HIT 8
Primes Density
(x) is a function gives the number of all primes contained in lt1xgt
(x)xln(x)
bull Gauss (x)xln(x)bull Legendre (x)x(ln(x)-108366) bull Hadamard de la Vallee-Poussion
((x)ln(x)x)x = 1
Zhijun Li S1034040Autumn08HIT 9
Greatest Common Divisor
bull Definition the greatest common divisor(GCD) is the number c
c=gcd(ab)=maxd|d|ad|bbull Properties
ndash d|n1d|n2hellipd|nk d|gcd(n1n2hellipnk)ndash gcd(ab) = gcd(b a mod b)
bull a mod b = r = a-qb 0ltrltb bull Hint a|b b|a a = b
bull Definition if gcd(ab)=1 then a and b are relatively prime(coprime)
Zhijun Li S1034040Autumn08HIT 10
Finding GCD
bull Theorem a=i pi
ai b=i pi
bi
gcd(ab)= i pi
min(ai bi)
bull Example
a=882=2 32 72
b=3465=33 5 7 11
gcd(ab)= 32 7 = 63
bull Complexityndash Need factoring the a and b ndash T(n) = O(cO(n))
Zhijun Li S1034040Autumn08HIT 11
Euclidean Algorithm Example
1970 = 1 x 1066 + 904 gcd(1066 904)1066 = 1 x 904 + 162 gcd(904 162)904 = 5 x 162 + 94 gcd(162 94)162 = 1 x 94 + 68 gcd(94 68)94 = 1 x 68 + 26 gcd(68 26)68 = 2 x 26 + 16 gcd(26 16)26 = 1 x 16 + 10 gcd(16 10)16 = 1 x 10 + 6 gcd(10 6)10 = 1 x 6 + 4 gcd(6 4)6 = 1 x 4 + 2 gcd(4 2)4 = 2 x 2 + 0 gcd(2 0)
GCD(19701066)
Zhijun Li S1034040Autumn08HIT 12
Euclidean Algorithm
bull Step 1 r0 =a and r1 =b
bull Step 2 r0 =q1r1+ r2
r1 =q2r2+ r3
helliphellip
rn-2 = qn-1rn-1+ rn
until rn=0 and rn-1 0
bull Step 3 rn-1 = gcd(ab)
Zhijun Li S1034040Autumn08HIT 13
Euclidean Algorithm Proof
bull rn = 0 rn-1| rn-2
rn-1| rn-3 hellip rn-1| a and rn-1| b
rn-1| gcd(ab)
bull gcd(ab)| r0 and gcd(ab)|r1
gcd(ab) | r0 ndash q1r1 gcd(ab)| r2
hellip gcd(ab) | rn-1
bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1
Zhijun Li S1034040Autumn08HIT 14
Euclidean Algorithm Complexity
bull Time Complexityndash Iteration
bull Each rigt1 iteration = O(log2a)
ndash Division
bull O(log22a)
ndash T(n)=O(log32n)
Zhijun Li S1034040Autumn08HIT 15
Modular Arithmetic
bull Why modular arithmetic
01100hellip0100
Plaintext 2n
11010hellip0111
Ciphertext 2n
+ addition multiplication
Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite
Zhijun Li S1034040Autumn08HIT 16
Modular Operation
bull Definition a mod n(modulo operator) is the remainder when a is divided by n
bull a mod n is r a=qn+r (0ltrltn)
Zhijun Li S1034040Autumn08HIT 17
Congruence Modulo n
bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)
Zhijun Li S1034040Autumn08HIT 18
Congruence Properties
bull Propertiesndash a b (mod n) c d (mod n)
a+c b+d (mod n)
ac bd (mod n)ndash Example
10 1 mod 9 102 1 mod 9 hellip
a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9
ndash a b (mod n) d|n a b (mod d)
Zhijun Li S1034040Autumn08HIT 19
Congruence Relation
bull Congruence relation is an equivalence relationndash Reflexive
bull a andash Symmetric
bull a b b a ndash Transitive
bull a b b c a c
bull Equivalence relation Partition
Zhijun Li S1034040Autumn08HIT 20
Example Integers Modulo 7
bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence
Z7 residues modulo 7
Zhijun Li S1034040Autumn08HIT 21
Set of Residues
bull Definition if a b mod n and bltn b is called a residue of a modulo n
bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i
n the set satisfies bri mod n
bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele
ment is relatively prime to n
Zhijun Li S1034040Autumn08HIT 22
Set of Residues Example
bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379
bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1
Zhijun Li S1034040Autumn08HIT 23
Modular Arithmetic
bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1
bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n
bull Proof Let a=q1n+r1 b=q2n+r2
bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n
ndash [(a mod n) (b mod n)] mod n = (ab) mod n
bull (+ ) (-)
Zhijun Li S1034040Autumn08HIT 24
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)
What
Zhijun Li S1034040Autumn08HIT 25
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )
NOT all elements in Z8
Zhijun Li S1034040Autumn08HIT 26
Modular Arithmetic Remark
bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n
bull ((-a)+a+b) ((-a)+a+c) mod n
bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8
ndash When
Zhijun Li S1034040Autumn08HIT 27
Multiplicative Inverse in Modular
bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n
bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists
bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=
0
Zhijun Li S1034040Autumn08HIT 28
Multiplicative Inverse Theorem
bull Proof
ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1
ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n
ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)
Zhijun Li S1034040Autumn08HIT 29
Eulerrsquos phi Function
bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn
ndash Is the number of elements in the reduced set of residues for modulo n
(n) calculation
Zhijun Li S1034040Autumn08HIT 30
Chinese Remainder Theorem
bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)
x a1 mod n1
x a2 mod n2
helliphellip
x ak mod nk
There exists a unique solution of x modulo n=n1
n2hellipnk
Zhijun Li S1034040Autumn08HIT 31
Proof of CRT
bull Consider a one-to-one map Zn Zn1
Zn2 hellipZnk
(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)
(a1 a2 hellip ak) = i=1kaimiyi mod n
ndash mi = nni gcd(mini)=11ik ndash yi = mi
-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj
-1 mod nj mjyj1 mod nj ajmjyjaj mod nj
(a1 a2 hellip ak) mod nj = aj
Zhijun Li S1034040Autumn08HIT 32
Finding Eulerrsquos phi Function
bull Theorem if gcd(mn)=1 then (mn)=(m)(n)
bull Proof ndash A number x mod mn is represented uniquely by the p
air (a b) (x mod m x mod n) (CRT)
ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
ndash So (mn)=(m)(n)
Zhijun Li S1034040Autumn08HIT 33
Finding Eulerrsquos phi Function
(n) calculation for n = i=1k pi
ei
(p) = p-1 (pe) = pe ndash pe-1
ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1
( i=1kpi
ei ) = i=1k(pi
ei ndash piei -1)
(n) = n(1-1p1)(1-1p2)hellip(1-1pk)
Zhijun Li S1034040Autumn08HIT 34
Eulerrsquos Theorem
bull Theorem If gcd(an)=1 then a(n) 1 mod n
bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues
modulo n
2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)
3 i=1(n) ri = i=1
(n) ari a(n) i=1(n) ri mod n
4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n
Zhijun Li S1034040Autumn08HIT 35
Fermatrsquos Little Theorem
bull For Eulerrsquos Theorem
Let n is p and p is a prime
Because for all 0ltaltp gcd(ap)=1 then
ap-1 1 mod p
Zhijun Li S1034040Autumn08HIT 36
bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)
bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)
bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)
Finding a-1 mod n
Zhijun Li S1034040Autumn08HIT 37
From Euclidean Algorithm
bull r0 =1r0+ 0r1 = s0r0+t0r1
bull r1 =0r0+ 1r1 = s1r0+t1r1
bull r2 = r0-q1r1 = s2r0+t2r1
bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1
helliphellipbull rn-1 = sn-1r0+tn-1r1
bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1
-1 mod r0
bull Find tn-1
Zhijun Li S1034040Autumn08HIT 38
si and ti
bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1
si=si-2-qi-1si-1
ti=ti-2-qi-1ti-1
bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0
Zhijun Li S1034040Autumn08HIT 39
Step 1 r0 =n and r1 =a
Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n
r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n
let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip
rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1
Step 3 Result is xn-2 =a-1 mod n
Extended Euclidean Algorithm
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
bull Definition The order of a finite group is the number of the elements in the group
bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S
bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H
(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a
ll coset is a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of Group Element
bull Definition The order of group element a is defined as the least positive integer n that
an = a a hellip a =e
bull The order of a is denoted as ord(a)
bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n
Zhijun Li S1034040Autumn08HIT 47
ord(a)|n Proof
bull Proofndash For group G and aG the set a a2 hellip aord
(a) and the operator of G forms a subgroup of G
aord(a)=e (ai)-1=a(ord(a)-i)
ndash This subgroup is denoted as ltagt
Zhijun Li S1034040Autumn08HIT 48
The Generator of Group
bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group
bull Examplendash Considering the ltZ7
gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod
7hellipbull lt124gt subgroup
ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator
Zhijun Li S1034040Autumn08HIT 49
Ringbull Definition A ring R=ltS+gt (+ is addition is
multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac
bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio
n and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic
ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers
e a-1 a = a-1 a = 1
bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
Field +-x
Relationship
Ring +-x
+-Group
Used In Cryptography
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
bull Zn
bull Zn
bull Zp
bull Polynomial Rings
bull Galois Field F2n
Zhijun Li S1034040Autumn08HIT 53
Zn
bull Zn is the ldquoringrdquo of integers modulo n
ndash Zn=0 1 2 hellipn-1
ndash Normal addition modulo nndash Normal multiplication modulo n
bull Example
ndash Z26 for English
ndash Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
bull Additive and multiplicative identities in Zn
ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n
bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn
bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn
ndash The elements in Zn have inverse x|gcd(xn)=1
Zhijun Li S1034040Autumn08HIT 55
Zn
bull Zn is a ldquogrouprdquo of integers modulo n
ndash Zn=x| gcd(xn)=1
ndash |Zn|=(n)
ndash Normal multiplication modulo n
bull Zn may not a group over +
ndash Example n=20 35 Zn but 3+5=8 Zn
bull So Zn may not a field
Zhijun Li S1034040Autumn08HIT 56
Zp
bull Zp is the ldquofieldrdquo of integers modulo n
ndash Zp=012hellipp-1
ndash Normal addition modulo pndash Normal multiplication modulo p
bull ExampleZ2+ 0 1
01
0 11 0
0 1
01
0 00 1
w -w w-1
01
01 1
XOR AND
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0
bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: an encryption scheme is Shannon secure if, for the probability distribution of P,
  ∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y

Proof of the "if" direction
• Pr[x = x | y = y] = ( Σ_{k ∈ K, x = dk(y)} Pr[K = k] · Pr[x = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)] )
• Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K|  (exactly one key maps x to y, and every key has probability 1/|K|)
• Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)] = (1/|K|) · Σ_{k ∈ K, y ∈ C(k)} Pr[x = dk(y)] = (1/|K|) · Σ_{x ∈ P} Pr[x = x] = 1/|K|  (as k runs over the keys, dk(y) runs over every plaintext exactly once)
• Hence Pr[x = x | y = y] = Pr[x = x]

Proof of the "only if" direction (unique key)
• Pr[y] > 0; Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• For fixed x ∈ P, y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
• |{ ek(x) | k ∈ K }| = |C| = |K|
  – There are no two keys k1 ≠ k2 with ek1(x) = ek2(x)
  – There is a unique key k such that ek(x) = y

Proof of the "only if" direction (equal key probability)
• Let n = |K| and P = { xi | 1 ≤ i ≤ n }
• Given a fixed y, let k1, k2, …, kn be the keys with eki(xi) = y
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy
• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c, for every m, Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
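The conditions on slides 72–78 can be checked exhaustively for a tiny cipher. The following is an added example, not code from the lecture: it takes a shift cipher over Z5 (a constructed toy, with a deliberately skewed plaintext distribution) and computes Pr[C = c] and Pr[P = m | C = c] with exact fractions, then tests Shannon's condition for three key distributions: uniform keys (the theorem's conditions hold), biased keys with |K| = |P| (equal-probability condition violated), and only four keys for five plaintexts (the |K| ≥ n "bad news" bound violated).

```python
from fractions import Fraction

N = 5  # alphabet size of the toy cipher: plaintexts, keys and ciphertexts live in Z5


def shift_encrypt(k: int, m: int) -> int:
    """e_k(m) = m + k mod N, so d_k(c) = c - k mod N."""
    return (m + k) % N


def ciphertext_distribution(p_msg, p_key, enc):
    """Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] * Pr[P = m]."""
    dist = {}
    for k, pk in p_key.items():
        for m, pm in p_msg.items():
            c = enc(k, m)
            dist[c] = dist.get(c, Fraction(0)) + pk * pm
    return dist


def posterior(p_msg, p_key, enc, m, c):
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c] (Bayes, as on slide 72).
    Pr[C = c | P = m] is the total probability of the keys that map m to c."""
    pc_given_m = sum((pk for k, pk in p_key.items() if enc(k, m) == c), Fraction(0))
    pc = ciphertext_distribution(p_msg, p_key, enc)[c]
    return pc_given_m * p_msg[m] / pc


def has_perfect_secrecy(p_msg, p_key, enc) -> bool:
    """Shannon's condition: Pr[P = m | C = c] == Pr[P = m] for every m and every c with Pr[C = c] > 0."""
    pc = ciphertext_distribution(p_msg, p_key, enc)
    return all(posterior(p_msg, p_key, enc, m, c) == p_msg[m]
               for m in p_msg for c in pc if pc[c] > 0)


# Constructed plaintext distribution, deliberately skewed so that any leak is visible.
P_MSG = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8),
         3: Fraction(1, 16), 4: Fraction(1, 16)}

KEYS_UNIFORM = {k: Fraction(1, N) for k in range(N)}           # both theorem conditions hold
KEYS_BIASED = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
               3: Fraction(1, 8), 4: Fraction(1, 8)}          # |K| = |P| but keys not equiprobable
KEYS_TOO_FEW = {k: Fraction(1, 4) for k in range(4)}          # |K| = 4 < |P| = 5


def demo() -> dict:
    """Run the three scenarios; the biased case also reports one leaking posterior."""
    return {
        "uniform": has_perfect_secrecy(P_MSG, KEYS_UNIFORM, shift_encrypt),
        "biased": has_perfect_secrecy(P_MSG, KEYS_BIASED, shift_encrypt),
        "too_few_keys": has_perfect_secrecy(P_MSG, KEYS_TOO_FEW, shift_encrypt),
        # With biased keys, seeing c = 0 raises the belief in m = 0 from 1/2 to 4/5.
        "posterior_biased_m0_c0": posterior(P_MSG, KEYS_BIASED, shift_encrypt, 0, 0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With four keys, no key maps m = 0 to c = 4, so Pr[P = 0 | C = 4] = 0 ≠ Pr[P = 0]; this is exactly the counting argument of the "bad news" theorem made concrete.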

Introduction of the Complexity
• Perfect secrecy: key length ≥ message length
  – Cannot use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems
• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine
• Definition: a Turing Machine is given by a transition function S × B → S × B × {l, r}
  – where S is the set of states, B the set of characters, l is shift left, r is shift right
[Figure: a tape … 0 1 1 0 0 0 1 1 … read by a State Machine]

Algorithms
• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms
[Figure: a PROBLEM has many INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output]

Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem
• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem
• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: AB
  – NP – can be solved in polynomial time using an NDTM: S × B → 2^(S × B × {l, r})
  – BPP – can be "solved" in polynomial time using a PTM: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)

NP Problem
• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", intuitively
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction
• Definition: assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is more complex than Q1
  – Denoted as Q1 ≤poly Q2

NP Completeness (NPC)
• Definition: an NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove that a problem Q is NPC: show SAT ≤poly Q

P = NP?
• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography
• FACTORING: factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: given a base and the value of the base raised to the power x (mod p), find the exponent x
• DHP: given the base raised to a (mod p) and the base raised to b (mod p), find the base raised to ab (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)

Semantic Security
• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
[Figure: the IND-CPA game. Challenger: picks a random key k and a random bit b ∈ {0, 1}. Adversary: picks M0, M1 of equal length and sends them; the Challenger returns the encryption of Mb; the Adversary outputs a guess b'. The attacker wins the game if b = b']

Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
[Figure: the bit-security game. Challenger: 1. picks a random k; 2. picks a random M and sends its encryption. Adversary: 3. picks an index i and outputs a guess a. The attacker wins the game if a = the i'th bit of M]

Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
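The IND-CPA game of slides 94–96 is easiest to understand by playing it. The following is an added example, not code from the lecture: it implements the challenger, a chosen-plaintext oracle and the generic adversary strategy ("re-encrypt M0 through the oracle and compare with the challenge") against two constructed toy ciphers. `encrypt_deterministic` XORs every message with the same key-derived keystream, so equal plaintexts give equal ciphertexts and the adversary wins every game (ε = 0.5); `encrypt_randomized` prepends a fresh nonce per message, so the same strategy wins only about half the time (ε ≈ 0). The SHA-256-based keystream, the message pair and the seeded RNG are all assumptions of the example, not anything the slides specify, and neither cipher is meant for real use.

```python
import hashlib
import random

# Constructed sample messages of equal length (the game requires |M0| = |M1|).
M0 = b"transfer 100 USD"
M1 = b"transfer 900 USD"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream SHA-256(key || n) truncated to `length`; messages are at most 32 bytes here."""
    return hashlib.sha256(key + nonce).digest()[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_deterministic(key: bytes, msg: bytes, rng: random.Random) -> bytes:
    """No per-message randomness: the same plaintext always yields the same ciphertext."""
    return xor_bytes(msg, keystream(key, b"", len(msg)))


def encrypt_randomized(key: bytes, msg: bytes, rng: random.Random) -> bytes:
    """A fresh 16-byte nonce per message, sent in the clear ahead of the ciphertext."""
    nonce = bytes(rng.getrandbits(8) for _ in range(16))
    return nonce + xor_bytes(msg, keystream(key, nonce, len(msg)))


def adversary_guess(oracle, challenge: bytes) -> int:
    """Generic chosen-plaintext strategy: ask the oracle for E(k, M0) and compare with the challenge."""
    return 0 if oracle(M0) == challenge else 1


def ind_cpa_game(encrypt, rng: random.Random) -> bool:
    """One round of the game on slide 94: the challenger picks k and b, the adversary gets
    oracle access to E(k, ·) plus the challenge E(k, M_b), and wins if its guess equals b."""
    key = bytes(rng.getrandbits(8) for _ in range(16))
    b = rng.getrandbits(1)

    def oracle(m: bytes) -> bytes:        # chosen-plaintext access
        return encrypt(key, m, rng)

    challenge = oracle(M1 if b else M0)
    return adversary_guess(oracle, challenge) == b


def win_rate(encrypt, trials: int = 400, seed: int = 7) -> float:
    """Fraction of games won; a rate of 0.5 + ε with ε clearly above 0 breaks IND-CPA."""
    rng = random.Random(seed)
    return sum(ind_cpa_game(encrypt, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("deterministic cipher, adversary win rate:", win_rate(encrypt_deterministic))
    print("randomized cipher,   adversary win rate:", win_rate(encrypt_randomized))
```

The point for a defender is that the weakness is not in the keystream function but in reusing it: without per-message randomness, a chosen-plaintext attacker needs no cryptanalysis at all, only an equality test.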

Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework
• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:

Primes Density
• π(x) is the function giving the number of primes contained in [1, x]
• π(x) ≈ x / ln(x)
• Gauss: π(x) ≈ x / ln(x)
• Legendre: π(x) ≈ x / (ln(x) − 1.08366)
• Hadamard, de la Vallée-Poussin: lim_{x→∞} π(x)·ln(x) / x = 1

Greatest Common Divisor
• Definition: the greatest common divisor (GCD) is the number c = gcd(a, b) = max{ d | d|a, d|b }
• Properties
  – d|n1, d|n2, …, d|nk ⇒ d | gcd(n1, n2, …, nk)
  – gcd(a, b) = gcd(b, a mod b)
    • a mod b = r = a − q·b, 0 ≤ r < b
    • Hint: a|b, b|a ⇒ a = b
• Definition: if gcd(a, b) = 1 then a and b are relatively prime (coprime)

Finding GCD
• Theorem: a = Π_i pi^ai, b = Π_i pi^bi ⇒ gcd(a, b) = Π_i pi^min(ai, bi)
• Example
  a = 882 = 2 · 3^2 · 7^2
  b = 3465 = 3^2 · 5 · 7 · 11
  gcd(a, b) = 3^2 · 7 = 63
• Complexity
  – Needs the factorization of a and b
  – T(n) = O(c^O(n))

Euclidean Algorithm Example: gcd(1970, 1066)
1970 = 1 × 1066 + 904    gcd(1066, 904)
1066 = 1 × 904 + 162     gcd(904, 162)
904 = 5 × 162 + 94       gcd(162, 94)
162 = 1 × 94 + 68        gcd(94, 68)
94 = 1 × 68 + 26         gcd(68, 26)
68 = 2 × 26 + 16         gcd(26, 16)
26 = 1 × 16 + 10         gcd(16, 10)
16 = 1 × 10 + 6          gcd(10, 6)
10 = 1 × 6 + 4           gcd(6, 4)
6 = 1 × 4 + 2            gcd(4, 2)
4 = 2 × 2 + 0            gcd(2, 0)

Euclidean Algorithm
• Step 1: r0 = a and r1 = b
• Step 2: r0 = q1·r1 + r2
          r1 = q2·r2 + r3
          ……
          r_{n-2} = q_{n-1}·r_{n-1} + r_n
  until r_n = 0 and r_{n-1} ≠ 0
• Step 3: r_{n-1} = gcd(a, b)

Euclidean Algorithm Proof
• r_n = 0 ⇒ r_{n-1} | r_{n-2} ⇒ r_{n-1} | r_{n-3} ⇒ … ⇒ r_{n-1} | a and r_{n-1} | b ⇒ r_{n-1} | gcd(a, b)
• gcd(a, b) | r0 and gcd(a, b) | r1 ⇒ gcd(a, b) | r0 − q1·r1 ⇒ gcd(a, b) | r2 ⇒ … ⇒ gcd(a, b) | r_{n-1}
• r_{n-1} | gcd(a, b) and gcd(a, b) | r_{n-1} ⇒ gcd(a, b) = r_{n-1}

Euclidean Algorithm Complexity
• Time complexity
  – Iterations
    • Each ri > 1; number of iterations = O(log2 a)
  – Division
    • O((log2 a)^2)
  – T(n) = O((log2 n)^3)

Modular Arithmetic
• Why modular arithmetic?
[Figure: an n-bit plaintext block 01100…0100 (2^n possible values) is transformed with + (addition) and × (multiplication) into an n-bit ciphertext block 11010…0111 (2^n possible values)]
• Problems: 1. the set of plaintexts (and ciphertexts) is finite; 2. how to define the +, −, × operations on a finite set

Modular Operation
• Definition: a mod n (modulo operator) is the remainder when a is divided by n
• a mod n is r, where a = q·n + r (0 ≤ r < n)

Congruence Modulo n
• Definition: integers a and b are congruent modulo n
  – if a mod n = b mod n
  – denoted as a ≡ b mod n
  – Example: 100 ≡ 34 mod 11
  – a ≡ b mod n ⇔ a = b + k·n ⇔ n | (a − b)

Congruence Properties
• Properties
  – a ≡ b (mod n), c ≡ d (mod n) ⇒
    a + c ≡ b + d (mod n)
    a·c ≡ b·d (mod n)
  – Example: 10 ≡ 1 mod 9, 10^2 ≡ 1 mod 9, …
    a = am·10^m + … + a1·10 + a0 ≡ am + … + a1 + a0 mod 9
  – a ≡ b (mod n), d | n ⇒ a ≡ b (mod d)

Congruence Relation
• The congruence relation is an equivalence relation
  – Reflexive: a ≡ a
  – Symmetric: a ≡ b ⇒ b ≡ a
  – Transitive: a ≡ b, b ≡ c ⇒ a ≡ c
• Equivalence relation ⇒ partition

Example: Integers Modulo 7
• Integers can always be written as a = q·n + r (0 ≤ r ≤ n−1)
  -21 -20 -19 -18 -17 -16 -15
  -14 -13 -12 -11 -10  -9  -8
   -7  -6  -5  -4  -3  -2  -1
    0   1   2   3   4   5   6    ← Z7: the residues modulo 7
    7   8   9  10  11  12  13
   14  15  16  17  18  19  20
   21  22  23  24  25  26  27
   28  29  30  31  32  33  34
  (each column is one congruence class modulo 7)

Set of Residues
• Definition: if a ≡ b mod n and b < n, b is called a residue of a modulo n
• The complete set of residues modulo n
  – The set {r1, r2, …, rn} such that for every integer b exactly one ri in the set satisfies b ≡ ri mod n
• The reduced set of residues (RSR)
  – A subset of the complete set of residues in which each element is relatively prime to n

Set of Residues Example
• N = 10
  – The complete set of residues is {0, 1, 2, …, 9}
  – The reduced set of residues is {1, 3, 7, 9}
• N = p (p is a prime)
  – The complete set of residues is {0, 1, 2, …, p−1}
  – The reduced set of residues is {1, 2, …, p−1}

Modular Arithmetic
• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n−1}
• Under normal arithmetic (+, ×)
  – [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • Proof: let a = q1·n + r1, b = q2·n + r2
    • (a + b) mod n = (q1·n + r1 + q2·n + r2) mod n = (r1 + r2) mod n
  – [(a mod n) × (b mod n)] mod n = (a·b) mod n
• From (+, ×) to (−, ÷)?

Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, +)
[Table: the addition table of Z8]
What?

Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, ×)
[Table: the multiplication table of Z8]
NOT all elements in Z8

Modular Arithmetic Remark
• Additive inverse: always exists
  – (a + (−a)) ≡ 0 mod n, −a = n − a
  – if (a + b) ≡ (a + c) mod n then b ≡ c mod n
    • ((−a) + a + b) ≡ ((−a) + a + c) mod n
• Multiplicative inverse: does NOT always exist
  – Example: 6 in Z8
  – When?

Multiplicative Inverse in Modular Arithmetic
• Definition: a^-1 mod n is the multiplicative inverse of a ∈ {1, 2, …, n−1}, i.e. the x with a·x ≡ 1 mod n
• Theorem: a^-1 mod n exists if and only if gcd(a, n) = 1
• Lemma: if gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
  – Proof: assume a·i ≡ a·j mod n ⇒ n | a·(i − j) ⇒ n | (i − j) ⇒ i − j = 0

Multiplicative Inverse Theorem
• Proof
  (if)
  – gcd(a, n) = 1 ⇒ a·{1, …, n−1} mod n is a permutation of {1, …, n−1}
  – So there exists exactly one i with a·i ≡ 1 mod n
  – Therefore i is a^-1 mod n
  (only if)
  – Suppose a^-1 exists, call it x
  – a·x ≡ 1 (mod n) and a·x + y·n = 1 for some integer y
  – gcd(a, n) = 1 (gcd(a, n) | a·x + y·n ⇒ gcd(a, n) | 1)

Euler's phi Function
• Euler's "phi" function φ(n)
  – is the number of invertible elements of Zn
  – is the number of elements in the reduced set of residues modulo n
• φ(n) calculation?

Chinese Remainder Theorem
• Theorem: let n1, n2, …, nk be integers s.t. gcd(ni, nj) = 1 (i ≠ j). Then the system
  x ≡ a1 mod n1
  x ≡ a2 mod n2
  ……
  x ≡ ak mod nk
  has a unique solution x modulo n = n1·n2·…·nk

Proof of CRT
• Consider the one-to-one map Zn → Zn1 × Zn2 × … × Znk,
  x ↦ (x mod n1, x mod n2, …, x mod nk)
  – CRT is to find the inverse of this map at (a1, a2, …, ak)
• The inverse is (a1, a2, …, ak) ↦ Σ_{i=1}^{k} ai·mi·yi mod n
  – mi = n / ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
  – yi = mi^-1 mod ni, 1 ≤ i ≤ k
  – mi ≡ 0 mod nj for j ≠ i ⇒ ai·mi·yi ≡ 0 mod nj for j ≠ i
  – yj ≡ mj^-1 mod nj ⇒ mj·yj ≡ 1 mod nj ⇒ aj·mj·yj ≡ aj mod nj
  ⇒ (Σ_{i=1}^{k} ai·mi·yi) mod nj = aj

Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof
  – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – So φ(mn) = φ(m)·φ(n)

Finding Euler's phi Function
• φ(n) calculation for n = Π_{i=1}^{k} pi^ei
• φ(p) = p − 1; φ(p^e) = p^e − p^(e−1)
  – The numbers k·p, k = 1, …, p^(e−1) − 1, share the factor p with p^e, so they are not coprime to it
  – So φ(p^e) = (p^e − 1) − (p^(e−1) − 1)
• φ(Π_{i=1}^{k} pi^ei) = Π_{i=1}^{k} (pi^ei − pi^(ei−1))
• φ(n) = n·(1 − 1/p1)·(1 − 1/p2)·…·(1 − 1/pk)

Euler's Theorem
• Theorem: if gcd(a, n) = 1 then a^φ(n) ≡ 1 mod n
• Proof
  1. Let R = {r1, r2, …, r_φ(n)} be the reduced set of residues modulo n
  2. {a·r1, a·r2, …, a·r_φ(n)} is a permutation of R (gcd(a·ri, n) = 1)
  3. Π_{i=1}^{φ(n)} ri ≡ Π_{i=1}^{φ(n)} a·ri ≡ a^φ(n) · Π_{i=1}^{φ(n)} ri mod n
  4. gcd(Π_{i=1}^{φ(n)} ri, n) = 1, hence a^φ(n) ≡ 1 mod n

Fermat's Little Theorem
• From Euler's Theorem:
  let n = p where p is a prime;
  because gcd(a, p) = 1 for all 0 < a < p, we get
  a^(p−1) ≡ 1 mod p
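The CRT construction, the closed form for φ(n) and Euler's theorem from the preceding slides can all be exercised on small numbers. The following is an added example, not code from the lecture; it factors by trial division (adequate only for small n), computes φ(n) both from the product formula and by counting coprime residues, solves a system of congruences exactly as in the CRT proof (mi = n/ni, yi = mi^-1 mod ni, x = Σ ai·mi·yi), and checks Euler's and Fermat's theorems. It uses Python's built-in `pow(m, -1, n)` (3.8+) for the modular inverse rather than its own extended Euclid.

```python
from math import gcd, prod


def factorize(n: int) -> dict:
    """Trial-division factorization n = Π p_i^e_i as {p_i: e_i}; fine for small n."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n: int) -> int:
    """φ(n) = Π (p^e − p^(e−1)), the closed form from the 'Finding Euler's phi Function' slides."""
    return prod(p ** e - p ** (e - 1) for p, e in factorize(n).items())


def phi_by_counting(n: int) -> int:
    """φ(n) as the size of the reduced set of residues: #{x in 1..n : gcd(x, n) = 1}."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def crt(residues, moduli) -> int:
    """Solve x ≡ a_i (mod n_i) for pairwise coprime n_i:
    x = Σ a_i·m_i·y_i mod n with m_i = n / n_i and y_i = m_i^-1 mod n_i (the CRT proof)."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    n = prod(moduli)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i
        y_i = pow(m_i, -1, n_i)   # exists because gcd(m_i, n_i) = 1
        x += a_i * m_i * y_i
    return x % n


def crt_map_is_bijection(moduli) -> bool:
    """x ↦ (x mod n_1, …, x mod n_k) is one-to-one on Z_n: the CRT recovers every x in Z_n."""
    n = prod(moduli)
    return all(crt([x % n_i for n_i in moduli], moduli) == x for x in range(n))


def euler_theorem_holds(a: int, n: int) -> bool:
    """Euler: gcd(a, n) = 1 ⇒ a^φ(n) ≡ 1 (mod n). Fermat's little theorem is the case n = p prime."""
    return gcd(a, n) == 1 and pow(a, phi(n), n) == 1


if __name__ == "__main__":
    print("3465 =", factorize(3465))
    print("phi(36) =", phi(36), "=", phi_by_counting(36))
    print("x = 2 mod 3, 3 mod 5, 2 mod 7  ->  x =", crt([2, 3, 2], [3, 5, 7]))
    print("3^phi(10) mod 10 =", pow(3, phi(10), 10))
```

The factorization step is the reason φ(n) is easy for the party that knows n's factors and hard for anyone else; for the small moduli here the trial division is instantaneous, but `factorize` is not a tool for numbers of cryptographic size.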

Finding a^-1 mod n
• Search through 1, …, n−1 until an a^-1 is found such that a·a^-1 ≡ 1 (mod n)
  – T(n) = O(n)
• Compute a^-1 = a^(φ(n)−1) mod n
  – Finding φ(n) requires factoring n
  – T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)

From Euclidean Algorithm
• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
  ……
• r_{n-1} = s_{n-1}·r0 + t_{n-1}·r1
• r_{n-1} = gcd(r0, r1)
• If s_{n-1}·r0 + t_{n-1}·r1 = 1 then t_{n-1}·r1 ≡ 1 mod r0, i.e. t_{n-1} ≡ r1^-1 mod r0
• Find t_{n-1}

si and ti
• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
  ……
• ri = r_{i-2} − q_{i-1}·r_{i-1} = s_{i-2}·r0 + t_{i-2}·r1 − q_{i-1}·s_{i-1}·r0 − q_{i-1}·t_{i-1}·r1 = si·r0 + ti·r1
  si = s_{i-2} − q_{i-1}·s_{i-1}
  ti = t_{i-2} − q_{i-1}·t_{i-1}
• Only ti is needed
• ri = si·r0 + ti·r1 ≡ ti·r1 mod r0

Extended Euclidean Algorithm
Step 1: r0 = n and r1 = a
Step 2: r0 = q1·r1 + r2 ⇒ r2 = r0 − q1·r1 ≡ −q1·r1 mod n; let x2 = −q1, then r2 ≡ x2·r1 mod n
        r1 = q2·r2 + r3 ⇒ r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 mod n; let x3 = 1 − x2·q2, then r3 ≡ x3·r1 mod n
        ……
        r_{n-3} = q_{n-2}·r_{n-2} + r_{n-1} ⇒ r_{n-1} = r_{n-3} − q_{n-2}·r_{n-2} mod n; let x_{n-1} = x_{n-3} − x_{n-2}·q_{n-2}, then r_{n-1} ≡ x_{n-1}·r1 mod n. Now r_{n-1} = 1
Step 3: Result is x_{n-1} = a^-1 mod n
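The Euclidean algorithm (slides 11–14), the question of which elements of Zn have a multiplicative inverse (slides 26–28) and the extended Euclidean algorithm (slides 36–39) are the same computation seen three times. The following is an added example, not code from the lecture: `euclid_steps` reproduces the rows of the gcd(1970, 1066) example, `extended_gcd` tracks the coefficients si and ti with exactly the recurrences of the "si and ti" slide, `mod_inverse` applies it with r0 = n, r1 = a as in Step 1, and the O(n) brute-force search from the "Finding a^-1 mod n" slide is kept only as a cross-check.

```python
def euclid_steps(a: int, b: int):
    """Rows (dividend, quotient, divisor, remainder) of the Euclidean algorithm,
    e.g. 1970 = 1 × 1066 + 904 becomes (1970, 1, 1066, 904)."""
    rows = []
    while b:
        q, r = divmod(a, b)
        rows.append((a, q, b, r))
        a, b = b, r
    return rows


def gcd(a: int, b: int) -> int:
    """gcd(a, b) = gcd(b, a mod b), repeated until the remainder is 0 (Steps 1-3 of slide 12)."""
    while b:
        a, b = b, a % b
    return a


def extended_gcd(r0: int, r1: int):
    """Return (g, s, t) with s·r0 + t·r1 = g = gcd(r0, r1).
    Maintains s_i = s_{i-2} − q_{i-1}·s_{i-1} and t_i = t_{i-2} − q_{i-1}·t_{i-1}."""
    s_prev, s = 1, 0   # s0 = 1, s1 = 0
    t_prev, t = 0, 1   # t0 = 0, t1 = 1
    while r1:
        q, r2 = divmod(r0, r1)
        r0, r1 = r1, r2
        s_prev, s = s, s_prev - q * s
        t_prev, t = t, t_prev - q * t
    return r0, s_prev, t_prev


def mod_inverse(a: int, n: int):
    """a^-1 mod n by the extended Euclidean algorithm with r0 = n, r1 = a:
    s·n + t·a = 1 ⇒ t·a ≡ 1 (mod n). Returns None when gcd(a, n) ≠ 1 (no inverse)."""
    g, _, t = extended_gcd(n, a)
    if g != 1:
        return None
    return t % n


def invertible_elements(n: int):
    """The reduced set of residues modulo n: {x in Zn | gcd(x, n) = 1}, i.e. the invertible x."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def mod_inverse_by_search(a: int, n: int):
    """The O(n) search from the 'Finding a^-1 mod n' slide, used here only to cross-check."""
    for x in range(1, n):
        if a * x % n == 1:
            return x
    return None


if __name__ == "__main__":
    for dividend, q, divisor, r in euclid_steps(1970, 1066):
        print(f"{dividend} = {q} x {divisor} + {r}")
    print("gcd(1970, 1066) =", gcd(1970, 1066))
    print("3^-1 mod 8 =", mod_inverse(3, 8), "   6^-1 mod 8 =", mod_inverse(6, 8))
    print("invertible in Z8:", invertible_elements(8))
```

Note that `mod_inverse` never loops over all of Zn; its cost grows with the number of digits of n, which is what makes modular inversion practical for the multi-hundred-digit moduli used in public-key schemes, whereas `mod_inverse_by_search` would not finish.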

Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Algebraic Structures
• Why structures?
  – Cryptographic transforms normally live in some structure
• Definition: an algebraic structure is the collection of a set (S) with one (or more) operations (∘) performed on the elements of S
  – Different algebraic structures are <S, ∘> satisfying some specific conditions

Group
• Definition: a group G = <S, ∘> is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S: a∘b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S: (a∘b)∘c = a∘(b∘c)
  – G3: (∃e ∈ S) ∀a ∈ S: a∘e = e∘a = a
  – G4: (∀a ∈ S) ∃a^-1 ∈ S: a∘a^-1 = a^-1∘a = e
  – [G5, Abelian group]: ∀a, b: a∘b = b∘a

Group Example
• <Z, +>: e = 0, a^-1 = −a
• <Zn, +> (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a^-1 = n − a
• <Z2, ⊕> is also a group
• <Zp*, ·> (Zp* = {1, …, p−1}, '·' is multiplication modulo p)

Group Properties
• Definition: the order of a finite group is the number of elements in the group
• Definition: a group G1 = <S1, ∘> is a subgroup of the group G = <S, ∘> if S1 ⊆ S
• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G

Lagrange Theorem Proof
(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G, the set aH = {a∘h | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (eH). So the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of Group Element
• Definition: the order of a group element a is defined as the least positive integer n such that
  a^n = a∘a∘…∘a = e
• The order of a is denoted as ord(a)
• Corollary: suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n

ord(a) | n Proof
• Proof
  – For group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G
    a^ord(a) = e, (a^i)^-1 = a^(ord(a)−i)
  – This subgroup is denoted as <a>; it has ord(a) elements, so ord(a) | n by Lagrange's Theorem

The Generator of Group
• Definition: if all elements of a group can be generated by a single element g, g is called a generator of the group
• Example
  – Consider <Z7*, ·>
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • <{1, 2, 4}> is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator
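Orders, cyclic subgroups, cosets and generators in <Zp*, ·> (slides 44–48) are small enough to compute by hand for p = 7 and by machine for any small prime. The following is an added example, not code from the lecture: it computes ord(a) by repeated multiplication, builds the subgroup <a>, lists the cosets of a subgroup to show the partition used in the Lagrange proof, finds the generators, and checks the corollary ord(a) | p − 1. The functions assume p is prime and 1 ≤ a < p; that assumption is the example's, not the slides'.

```python
def order(a: int, p: int) -> int:
    """ord(a) in <Zp*, ·>: the least n ≥ 1 with a^n ≡ 1 (mod p). Assumes p prime, 1 ≤ a < p."""
    n, x = 1, a % p
    while x != 1:
        x = x * a % p
        n += 1
    return n


def generated_subgroup(a: int, p: int):
    """<a> = {a, a^2, …, a^ord(a)}: the cyclic subgroup generated by a, as a sorted list."""
    x, elems = 1, []
    for _ in range(order(a, p)):
        x = x * a % p
        elems.append(x)
    return sorted(elems)


def cosets(subgroup, p: int):
    """The distinct cosets aH = {a·h mod p | h ∈ H} of H in Zp*; they partition the group."""
    seen = {frozenset(a * h % p for h in subgroup) for a in range(1, p)}
    return sorted(sorted(c) for c in seen)


def generators(p: int):
    """Elements of order |Zp*| = p − 1, i.e. those whose powers cover the whole group."""
    return [g for g in range(1, p) if order(g, p) == p - 1]


def lagrange_holds(p: int) -> bool:
    """Corollary of Lagrange's Theorem: ord(a) divides |Zp*| = p − 1 for every a."""
    return all((p - 1) % order(a, p) == 0 for a in range(1, p))


if __name__ == "__main__":
    p = 7
    for a in range(1, p):
        print(f"ord({a}) = {order(a, p)}, <{a}> = {generated_subgroup(a, p)}")
    print("cosets of <2>:", cosets(generated_subgroup(2, p), p))
    print("generators of Z7*:", generators(p))
```

The same functions also illustrate why the choice of generator matters in discrete-logarithm-based schemes: an element of small order, such as 2 in Z7*, generates only a tiny subgroup, and the intended group structure is lost.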

Ring
• Definition: a ring R = <S, +, ·> (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a·b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c
• Example
  – The set of even integers with + and · is a ring
  – p, q two primes, n = pq; Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Field
• Definition: a field F is <S, +, ·> with
  – F1: <S, +, ·> is a commutative ring (a·b = b·a)
  – F2: there exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: any nonzero element a ∈ S has its unique inverse a^-1: a·a^-1 = a^-1·a = 1
• Example
  – Zn = <{0, 1, …, n−1}, +, ·> is a field if n is a prime

Relationship
[Figure: nested structures. Group: +, −. Ring: +, −, ×. Field: +, −, ×, ÷. All three are used in cryptography]

Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F_{2^n}

Zn
• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z26 for English
  – Z256 for ASCII

Zn Properties
• Additive and multiplicative identities in Zn
  – The additive identity is 0 mod n
  – The multiplicative identity is 1 mod n
• Additive inverse: yes
  – For every x in Zn there is a number y such that x + y = 0
• Multiplicative inverse: not for all x
  – A number y such that x·y = 1 does not exist for every x in Zn
  – The elements in Zn that have an inverse: {x | gcd(x, n) = 1}

Zn*
• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field

Zp
• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2
  +  | 0 | 1          ·  | 0 | 1          w | −w | w^-1
  ---+---+---         ---+---+---         --+----+-----
  0  | 0 | 1          0  | 0 | 0          0 |  0 |  –
  1  | 1 | 0          1  | 0 | 1          1 |  1 |  1
  (+ is XOR, · is AND)

Polynomial Ring
• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + a(n−1)·x^(n−1) + … + a1·x + a0 where each ai ∈ R and n ≥ 0
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example
• Example: let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)
• Definition: the set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)

Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), or a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x·(x^2 + 1)
• Definition: if a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^-1(x) mod p(x)

Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted as b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over a ring R if there is NO nonconstant polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 ≡ x·(x + 1) + 1 mod p(x) = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1) Properties
• S is a group over addition in R
  – 0 is e and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• The nonzero elements of S form a group over multiplication mod p(x)
  – 1 is e and the inverse of each a exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ x + 1 + x mod x^3 + x + 1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3 + x + 1) is a field

Galois Field
• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is a field ZN (N is prime)
  – + is addition in F, · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over ZN[x]/p(x) is denoted as GF(N^n) when n = deg p(x)

Why Galois Field
• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for Z256?
  – Yes – Galois Field
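The GF(2^3) example with p(x) = x^3 + x + 1 and the AES field GF(2^8) with p(x) = x^8 + x^4 + x^3 + x + 1 are the same arithmetic at two sizes. The following is an added example, not code from the lecture or from any AES implementation: it represents a polynomial over Z2 as an integer whose bit i is the coefficient of x^i, implements reduction, multiplication, the AES "02·byte" shortcut (xtime), inversion via a^(2^n − 2) (Lagrange in the multiplicative group of order 2^n − 1), and a brute-force field check that fails for a reducible modulus. It also counts the invertible elements of the ring Z256 to make the "Z256 is not a field" point concrete. The values asserted come from the slides (x^4 + 1 ≡ x^2 + x + 1, (x^2 + 1)·x ≡ 1, (01010011)^-1 = 11001010, 02·87) and from FIPS-197.

```python
"""Arithmetic in GF(2^n) = Z2[x]/p(x): bit i of an integer is the coefficient of x^i."""
from math import gcd

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES reducing polynomial
GF8_POLY = 0b1011  # x^3 + x + 1, the 8-element example field


def gf_mod(a: int, poly: int) -> int:
    """Reduce a(x) modulo poly(x): long division over Z2, where subtraction is XOR."""
    n = poly.bit_length() - 1
    while a.bit_length() - 1 >= n:
        a ^= poly << (a.bit_length() - 1 - n)
    return a


def gf_mul(a: int, b: int, poly: int) -> int:
    """a(x)·b(x) mod poly(x) by shift-and-add, reducing whenever x^n appears."""
    n = poly.bit_length() - 1
    a, b = gf_mod(a, poly), gf_mod(b, poly)
    result = 0
    while b:
        if b & 1:
            result ^= a          # add a(x) when this coefficient of b(x) is 1
        b >>= 1
        a <<= 1                  # multiply a(x) by x
        if a >> n & 1:
            a ^= poly            # x^n equals the lower-degree terms of p(x) (mod 2)
    return result


def xtime(byte: int) -> int:
    """AES's 02·byte: shift left, then XOR 00011011 (0x1B) if b7 was 1."""
    shifted = (byte << 1) & 0xFF
    return shifted ^ 0x1B if byte & 0x80 else shifted


def gf_pow(a: int, e: int, poly: int) -> int:
    """Square-and-multiply exponentiation in GF(2^n)."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, poly)
        a = gf_mul(a, a, poly)
        e >>= 1
    return result


def gf_inv(a: int, poly: int) -> int:
    """a^-1 = a^(2^n − 2): the multiplicative group has order 2^n − 1, so a^(2^n − 1) = 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    n = poly.bit_length() - 1
    return gf_pow(a, (1 << n) - 2, poly)


def is_field(poly: int) -> bool:
    """Every nonzero residue has an inverse iff poly is irreducible iff Z2[x]/poly is a field."""
    n = poly.bit_length() - 1
    return all(gf_mul(a, gf_inv(a, poly), poly) == 1 for a in range(1, 1 << n))


def poly_str(a: int) -> str:
    """Render a bit pattern as a polynomial, e.g. 0b10010111 -> 'x^7 + x^4 + x^2 + x + 1'."""
    terms = [{0: "1", 1: "x"}.get(i, f"x^{i}")
             for i in range(a.bit_length() - 1, -1, -1) if a >> i & 1]
    return " + ".join(terms) or "0"


def invertible_count_z256() -> int:
    """In the ring Z256 only the residues coprime to 256 (the odd ones) are invertible."""
    return sum(1 for a in range(1, 256) if gcd(a, 256) == 1)


if __name__ == "__main__":
    print("x^4 + 1 mod (x^3 + x + 1) =", poly_str(gf_mod(0b10001, GF8_POLY)))
    print("(01010011)^-1 in GF(2^8) =", format(gf_inv(0b01010011, AES_POLY), "08b"))
    print("02 * 87 =", format(xtime(0x87), "02X"))
    print("invertible elements: Z256 ->", invertible_count_z256(), " GF(2^8) -> 255")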
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
– Name: GCD problem
– Instance: Two natural numbers a, b ∈ N
– Question: What is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine
• Definition: A Turing Machine is δ: S × B → S × B × {l, r}
– where S is the set of states, B is the set of characters (the tape alphabet), l is shift left, r is shift right
[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a state machine]

Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms
[Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]

Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
– Logarithmic functions: f(n) = log(n)
– Polynomial functions: f(n) = n^a, a ∈ N
– Exponential functions: f(n) = Ω(a^n), a ∈ N, and ∃ b ∈ N such that f(n) = O(b^n)

Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
– The complexity of a problem is much more difficult to determine
– It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem
• Undecidable – provably intractable
– There is no algorithm that solves it
– Such as the Turing Halting Problem
• Decidable
– P – can be solved in polynomial time using a DTM
• Example: A, B
– NP – can be solved in polynomial time using an NDTM, δ: S × B → 2^(S × B × {l, r})
– BPP – can be "solved" in polynomial time using a PTM, δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)

NP Problem
• NPP: A problem is solved by the NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
– P Problem ⊆ NP Problem
– NP Problem is "more difficult" from intuition
• NPC: The most difficult problems in NP
– How to define the difficulty?
– A P problem is considered an easy problem

Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
– Q2 is more complex than Q1
– Denoted as Q1 ≤poly Q2

NP Completeness (NPC)
• Definition: The NPC problem is the Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
– Name: Satisfiability problem (SAT)
– Instance: A set U of variables and a collection C of clauses over U
– Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC
– SAT ≤poly Q

P = NP?
• P = NP, or ∃ p ∈ NP, p ∉ P
• If P = NP
– Modern cryptography is NOT secure
• If ∃ p ∈ NP, p ∉ P
– A one-way function can be built based on p
– Indistinguishable pseudorandom functions exist
– They are the foundations of modern cryptography

BPP
• There are random algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for random algorithms
• Remarks on BPP
– The problem can be solved with some error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful under BPP
– Will be analyzed in depth later

Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Find x satisfying x (mod p)
• DHP: Find ab (mod p) from a (mod p) and b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x² ≡ a (mod n)

Semantic Security
• Ideas of Semantic Security
– Between Shannon security and security based on complexity
– Leaks partial information
– Approximates perfect secrecy
• Definition of Semantic Security
– Indistinguishability of ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish ciphertext from random bits

IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
[Figure: the IND-CPA game]
Challenger: picks random k and picks random b ∈ {0, 1}
Adversary: picks M0, M1 of equal length
Challenger → Adversary: the encryption of Mb under k
Adversary → Challenger: guess b'
Attacker wins the game if b = b'

Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
[Figure: the bit-security game]
Challenger: 1. Picks random k; 2. Picks random M
Adversary: 3. Picks i
Attacker wins the game if a = i'th bit of M

Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
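The reduction in the proof above, written out as an added example (this is not code from the lecture or its author). It simulates the two games of the preceding slides with a constructed toy setting: messages and keys are 4-byte strings, `otp_encrypt` is a one-time pad with a fresh key per round, and `leaky_encrypt` is a deliberately broken pad that leaves bit 0 of every byte unmasked. `low_bit_attacker` is a bit-security adversary that only works against the leaky cipher; `reduction_adversary` is the construction from the proof: it chooses M0 at random and M1 as M0 with bit i flipped, so the bit attacker's guess for bit i of Mb decides b. All function names are this example's own.

```python
import random

MSG_LEN = 4  # message and key length in bytes for the constructed toy ciphers


def otp_encrypt(key, msg):
    """One-time pad, C = K xor M; the games draw a fresh key every round."""
    return bytes(k ^ m for k, m in zip(key, msg))


def leaky_encrypt(key, msg):
    """Constructed toy cipher: the pad, except bit 0 of every byte is left
    unmasked, so one plaintext bit per byte is visible in the ciphertext."""
    return bytes(((k & 0xFE) ^ m) for k, m in zip(key, msg))


def get_bit(data, i):
    """Bit i of a byte string (bit 0 = least significant bit of byte 0)."""
    return (data[i // 8] >> (i % 8)) & 1


def flip_bit(data, i):
    out = bytearray(data)
    out[i // 8] ^= 1 << (i % 8)
    return bytes(out)


def random_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))


def low_bit_attacker(rng):
    """Bit-security adversary (the 'Bit Secure' game): asks for bit i = 0 and
    returns bit 0 of the ciphertext as its guess a."""
    i = 0
    return i, lambda ciphertext: get_bit(ciphertext, i)


def bit_security_game(encrypt, attacker, rng, trials):
    """Challenger picks k and M; adversary picks i and guesses bit i of M
    from the ciphertext. Returns the adversary's win rate."""
    wins = 0
    for _ in range(trials):
        key, msg = random_bytes(rng, MSG_LEN), random_bytes(rng, MSG_LEN)
        i, guess = attacker(rng)
        wins += guess(encrypt(key, msg)) == get_bit(msg, i)
    return wins / trials


def reduction_adversary(attacker, rng):
    """The construction from the proof: turn a bit-security attacker into an
    IND-CPA adversary. M0 is random, M1 is M0 with bit i flipped, so bit i of
    the challenge plaintext reveals b."""
    i, guess = attacker(rng)
    m0 = random_bytes(rng, MSG_LEN)
    m1 = flip_bit(m0, i)

    def decide(ciphertext):
        a = guess(ciphertext)            # attacker's guess for bit i of Mb
        return 0 if a == get_bit(m0, i) else 1

    return m0, m1, decide


def ind_cpa_game(encrypt, adversary_factory, rng, trials):
    """IND-CPA game: challenger picks k and b, adversary supplies M0, M1 of
    equal length, sees the encryption of Mb and outputs b'. Returns win rate."""
    wins = 0
    for _ in range(trials):
        key = random_bytes(rng, MSG_LEN)
        b = rng.getrandbits(1)
        m0, m1, decide = adversary_factory(rng)
        assert len(m0) == len(m1)
        wins += decide(encrypt(key, m1 if b else m0)) == b
    return wins / trials


def ind_cpa_from_bit_attacker(encrypt, attacker, rng, trials):
    return ind_cpa_game(encrypt, lambda r: reduction_adversary(attacker, r), rng, trials)


def run_demo(seed=2024, trials=1000):
    """Win rates: (leaky cipher, bit game), (leaky cipher, IND-CPA via the
    reduction), (one-time pad, IND-CPA via the reduction)."""
    rng = random.Random(seed)
    return (bit_security_game(leaky_enc := leaky_encrypt, low_bit_attacker, rng, trials),
            ind_cpa_from_bit_attacker(leaky_enc, low_bit_attacker, rng, trials),
            ind_cpa_from_bit_attacker(otp_encrypt, low_bit_attacker, rng, trials))


if __name__ == "__main__":
    print(run_demo())
```

Against the leaky cipher the bit attacker wins every round, and the reduction turns that directly into an IND-CPA adversary that also wins every round; against the pad the same adversary is at 0.5, which is the contrapositive the proof relies on: an IND-CPA secure cipher cannot have a winning bit attacker.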
Summary
• Number Theory
– Prime, gcd, Euler's Theorem, CRT
– Modular arithmetic
• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)
• Shannon Security
– Perfect secrecy
– Probability
• Complexity of Computing
– P, NP, NPC, BPP

Homework
• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:
Greatest Common Divisor
• Definition: the greatest common divisor (GCD) of a and b is the number c with
c = gcd(a, b) = max{d | d|a, d|b}
• Properties
– d|n1, d|n2, …, d|nk ⇒ d | gcd(n1, n2, …, nk)
– gcd(a, b) = gcd(b, a mod b)
• a mod b = r = a − qb, 0 ≤ r < b
• Hint: a|b, b|a ⇒ a = b
• Definition: if gcd(a, b) = 1 then a and b are relatively prime (coprime)

Finding GCD
• Theorem: a = Π_i pi^ai, b = Π_i pi^bi ⇒ gcd(a, b) = Π_i pi^min(ai, bi)
• Example
a = 882 = 2 · 3² · 7²
b = 3465 = 3² · 5 · 7 · 11
gcd(a, b) = 3² · 7 = 63
• Complexity
– Needs the factorization of a and b
– T(n) = O(c^O(n))

Euclidean Algorithm Example
GCD(1970, 1066)
1970 = 1 × 1066 + 904   gcd(1066, 904)
1066 = 1 × 904 + 162   gcd(904, 162)
904 = 5 × 162 + 94   gcd(162, 94)
162 = 1 × 94 + 68   gcd(94, 68)
94 = 1 × 68 + 26   gcd(68, 26)
68 = 2 × 26 + 16   gcd(26, 16)
26 = 1 × 16 + 10   gcd(16, 10)
16 = 1 × 10 + 6   gcd(10, 6)
10 = 1 × 6 + 4   gcd(6, 4)
6 = 1 × 4 + 2   gcd(4, 2)
4 = 2 × 2 + 0   gcd(2, 0)

Euclidean Algorithm
• Step 1: r0 = a and r1 = b
• Step 2: r0 = q1·r1 + r2
r1 = q2·r2 + r3
……
r_{n-2} = q_{n-1}·r_{n-1} + rn
until rn = 0 and r_{n-1} ≠ 0
• Step 3: r_{n-1} = gcd(a, b)

Euclidean Algorithm Proof
• rn = 0 ⇒ r_{n-1} | r_{n-2} ⇒ r_{n-1} | r_{n-3} ⇒ … ⇒ r_{n-1} | a and r_{n-1} | b
⇒ r_{n-1} | gcd(a, b)
• gcd(a, b) | r0 and gcd(a, b) | r1
⇒ gcd(a, b) | r0 − q1·r1 ⇒ gcd(a, b) | r2
⇒ … ⇒ gcd(a, b) | r_{n-1}
• r_{n-1} | gcd(a, b) and gcd(a, b) | r_{n-1} ⇒ gcd(a, b) = r_{n-1}

Euclidean Algorithm Complexity
• Time Complexity
– Iteration
• Each ri > 1; the number of iterations is O(log₂ a)
– Division
• O(log₂² a)
– T(n) = O(log₂³ n)

Modular Arithmetic
• Why modular arithmetic?
[Figure: Plaintext 0 1 1 0 0 … 0 1 0 0 (one of 2^n blocks) → Ciphertext 1 1 0 1 0 … 0 1 1 1 (one of 2^n blocks); +: addition, ×: multiplication]
Problems: 1. the set of plaintexts (and ciphertexts) is finite; 2. how to define the +, −, ×, ÷ operations on a finite set

Modular Operation
• Definition: a mod n (the modulo operator) is the remainder when a is divided by n
• a mod n is r: a = qn + r (0 ≤ r < n)

Congruence Modulo n
• Definition: Integers a and b are congruent modulo n
– If a mod n = b mod n
– Denoted as a ≡ b mod n
– Example: 100 ≡ 34 mod 11
– a ≡ b mod n ⇔ a = b + kn ⇔ n | (a − b)

Congruence Properties
• Properties
– a ≡ b (mod n), c ≡ d (mod n) ⇒
a + c ≡ b + d (mod n)
a·c ≡ b·d (mod n)
– Example
10 ≡ 1 mod 9, 10² ≡ 1 mod 9, …
⇒ a = am·10^m + … + a1·10 + a0 ≡ am + … + a1 + a0 mod 9
– a ≡ b (mod n), d | n ⇒ a ≡ b (mod d)

Congruence Relation
• The congruence relation is an equivalence relation
– Reflexive
• a ≡ a
– Symmetric
• a ≡ b ⇒ b ≡ a
– Transitive
• a ≡ b, b ≡ c ⇒ a ≡ c
• Equivalence relation ⇒ Partition

Example: Integers Modulo 7
• Integers can always be written a = qn + r (0 ≤ r ≤ n−1)
[Figure: the integers −21, −20, …, 34 arranged in 7 columns; the integers in one column are congruent modulo 7 and are labelled by their residue in Z7]

Set of Residues
• Definition: if a ≡ b mod n and b < n, b is called a residue of a modulo n
• The complete set of residues modulo n
– The set {r1, r2, …, rn} such that for every integer b exactly one ri in the set satisfies b ≡ ri mod n
• The reduced set of residues (RSR)
– A subset of the complete set of residues in which each element is relatively prime to n

Set of Residues Example
• N = 10
– The complete set of residues is {0, 1, 2, …, 9}
– The reduced set of residues is {1, 3, 7, 9}
• N = p (p is a prime)
– The complete set of residues is {0, 1, 2, …, p−1}
– The reduced set of residues is {1, 2, …, p−1}

Modular Arithmetic
• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n−1}
• Under normal arithmetic (+, ×)
– [(a mod n) + (b mod n)] mod n = (a + b) mod n
• Proof: Let a = q1·n + r1, b = q2·n + r2
• (a + b) mod n = (q1·n + r1 + q2·n + r2) mod n = (r1 + r2) mod n
– [(a mod n) × (b mod n)] mod n = (a·b) mod n
• (+, ×) ⇒ (−, ÷)?

Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, +)
[Table: addition modulo 8 over Z8]
What?

Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, ×)
[Table: multiplication modulo 8 over Z8]
NOT all elements in Z8

Modular Arithmetic Remark
• Additive Inverse: Always Exists
– (a + (−a)) ≡ 0 mod n, −a = n − a
– if (a + b) ≡ (a + c) mod n then b ≡ c mod n
• ((−a) + a + b) ≡ ((−a) + a + c) mod n
• Multiplicative Inverse: NOT Always Exists
– Example: 6 in Z8
– When?

Multiplicative Inverse in Modular Arithmetic
• Definition: a⁻¹ mod n is the multiplicative inverse of a ∈ {1, 2, …, n−1} when a·x ≡ 1 mod n
• Theorem: a⁻¹ mod n exists if and only if gcd(a, n) = 1
• Lemma: If gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
– Proof: assume a·i ≡ a·j mod n ⇒ n | a(i − j) ⇒ n | (i − j) ⇒ i − j = 0

Multiplicative Inverse Theorem
• Proof
(⇒)
– gcd(a, n) = 1 ⇒ a·{1, …, n−1} mod n is a permutation of {1, …, n−1}
– So there exists exactly one i with a·i ≡ 1 mod n
– Therefore i is a⁻¹ mod n
(⇐)
– Suppose a⁻¹ exists; call it x
– a·x ≡ 1 (mod n) and a·x + y·n = 1 for some integer y
– gcd(a, n) = 1 (gcd(a, n) | a·x + y·n ⇒ gcd(a, n) | 1)

Euler's phi Function
• Euler's "phi" function φ(n)
– Is the number of invertible elements of Zn
– Is the number of elements in the reduced set of residues modulo n
φ(n) calculation?

Chinese Remainder Theorem
• Theorem: let n1, n2, …, nk be integers s.t. gcd(ni, nj) = 1 (i ≠ j)
x ≡ a1 mod n1
x ≡ a2 mod n2
……
x ≡ ak mod nk
There exists a unique solution x modulo n = n1·n2·…·nk

Proof of CRT
• Consider the one-to-one map Zn → Zn1 × Zn2 × … × Znk,
x ↦ (x mod n1, x mod n2, …, x mod nk)
– CRT is finding the inverse map (a1, a2, …, ak) ↦ x:
(a1, a2, …, ak) ↦ Σ_{i=1}^{k} ai·mi·yi mod n
– mi = n / ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
– yi = mi⁻¹ mod ni, 1 ≤ i ≤ k
– mi ≡ 0 mod nj for j ≠ i ⇒ ai·mi·yi ≡ 0 mod nj for j ≠ i
– yj ≡ mj⁻¹ mod nj ⇒ mj·yj ≡ 1 mod nj ⇒ aj·mj·yj ≡ aj mod nj
⇒ (Σ_{i=1}^{k} ai·mi·yi) mod nj = aj
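The constructive proof above, carried out in code as an added example (not the lecture's own code): `crt_solve` computes x = Σ ai·mi·yi mod n with mi = n/ni and yi = mi⁻¹ mod ni, `residue_vector` is the map x ↦ (x mod n1, …, x mod nk), and `all_solutions_below_n` brute-forces the uniqueness claim for small moduli. The inverse yi is taken with Python's built-in `pow(m, -1, n)` (Python 3.8 or later), which plays the role the extended Euclidean algorithm plays later in these slides. Function names are this example's own.

```python
from functools import reduce
from math import gcd


def pairwise_coprime(moduli):
    """gcd(n_i, n_j) = 1 for every i != j, the hypothesis of the theorem."""
    return all(gcd(moduli[i], moduli[j]) == 1
               for i in range(len(moduli)) for j in range(i + 1, len(moduli)))


def product(values):
    return reduce(lambda p, q: p * q, values, 1)


def crt_solve(residues, moduli):
    """Solve x ≡ a_i (mod n_i) for pairwise coprime n_i; returns x in [0, n)."""
    if len(residues) != len(moduli) or not moduli:
        raise ValueError("need exactly one residue for each modulus")
    if not pairwise_coprime(moduli):
        raise ValueError("moduli must be pairwise coprime")
    n = product(moduli)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i              # m_i ≡ 0 (mod n_j) for every j != i
        y_i = pow(m_i, -1, n_i)     # m_i * y_i ≡ 1 (mod n_i)
        x += a_i * m_i * y_i        # contributes a_i mod n_i and 0 mod n_j
    return x % n


def residue_vector(x, moduli):
    """The map x -> (x mod n_1, ..., x mod n_k) from the proof."""
    return tuple(x % n_i for n_i in moduli)


def all_solutions_below_n(residues, moduli):
    """Brute-force uniqueness check: every x in [0, n) with the given residues."""
    n = product(moduli)
    target = tuple(a_i % n_i for a_i, n_i in zip(residues, moduli))
    return [x for x in range(n) if residue_vector(x, moduli) == target]


if __name__ == "__main__":
    # Constructed instance: x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7).
    print(crt_solve([2, 3, 2], [3, 5, 7]))             # 23
    print(all_solutions_below_n([2, 3, 2], [3, 5, 7]))  # [23]
```

The brute-force list has exactly one entry, which is the uniqueness part of the theorem; the coprimality check matters because with a common factor the map is no longer one-to-one and `pow(m_i, -1, n_i)` would raise.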
Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof
– A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
– A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
– So φ(mn) = φ(m)·φ(n)

Finding Euler's phi Function
φ(n) calculation for n = Π_{i=1}^{k} pi^ei
φ(p) = p − 1, φ(p^e) = p^e − p^(e−1)
– The numbers in {1, …, p^e − 1} with gcd(kp, p^e) = p are kp for k = 1, …, p^(e−1) − 1
– So φ(p^e) = (p^e − 1) − (p^(e−1) − 1)
φ(Π_{i=1}^{k} pi^ei) = Π_{i=1}^{k} (pi^ei − pi^(ei−1))
φ(n) = n(1 − 1/p1)(1 − 1/p2)…(1 − 1/pk)

Euler's Theorem
• Theorem: If gcd(a, n) = 1 then a^φ(n) ≡ 1 mod n
• Proof
1. Let R = {r1, r2, …, r_φ(n)} be a reduced set of residues modulo n
2. {a·r1, a·r2, …, a·r_φ(n)} is a permutation of R (gcd(a·ri, n) = 1)
3. Π_{i=1}^{φ(n)} ri ≡ Π_{i=1}^{φ(n)} a·ri ≡ a^φ(n) · Π_{i=1}^{φ(n)} ri mod n
4. gcd(Π_{i=1}^{φ(n)} ri, n) = 1, hence a^φ(n) ≡ 1 mod n
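An added example (not from the lecture) that checks the last three slides against each other: φ(n) from the product formula versus φ(n) by counting the reduced residue set, the multiplicativity φ(mn) = φ(m)·φ(n), step 2 of the proof (multiplying the reduced residues by a coprime a permutes them), and Euler's theorem itself. `factorize` is plain trial division, adequate for the small moduli used in examples and nothing more; all names are this example's own.

```python
from math import gcd


def factorize(n):
    """Trial-division factorization n = prod p^e, returned as {p: e}."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi_from_factorization(n):
    """phi(n) = prod (p^e - p^(e-1)), the formula derived above."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def reduced_residues(n):
    """The reduced set of residues modulo n: x in Z_n with gcd(x, n) = 1."""
    if n == 1:
        return [0]            # Z_1 = {0} and gcd(0, 1) = 1
    return [x for x in range(1, n) if gcd(x, n) == 1]


def phi_by_counting(n):
    """phi(n) as the size of the reduced residue set (the definition)."""
    return len(reduced_residues(n))


def multiply_permutes_residues(a, n):
    """Step 2 of the proof: {a*r mod n} equals the reduced residue set as a set."""
    residues = reduced_residues(n)
    return sorted(a * r % n for r in residues) == residues


def euler_theorem_holds(a, n):
    """a^phi(n) ≡ 1 (mod n); only meaningful when gcd(a, n) = 1."""
    return gcd(a, n) == 1 and pow(a, phi_from_factorization(n), n) == 1


if __name__ == "__main__":
    for n in (10, 7, 8, 36):
        print(n, factorize(n), phi_from_factorization(n), phi_by_counting(n))
    print(multiply_permutes_residues(3, 10), multiply_permutes_residues(2, 10))
```

For a = 2 and n = 10 the permutation check fails because gcd(2, 10) ≠ 1, which is exactly the hypothesis the theorem needs; with p prime the same functions reproduce Fermat's little theorem on the next slide.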
Fermat's Little Theorem
• From Euler's Theorem
Let n be p, with p a prime
Because for all 0 < a < p, gcd(a, p) = 1, then
a^(p−1) ≡ 1 mod p

Finding a⁻¹ mod n
• Search through 1, …, n−1 until an a⁻¹ is found such that a·a⁻¹ ≡ 1 (mod n)
– T(n) = O(n)
• Compute a⁻¹ = a^(φ(n)−1) mod n
– Finding φ(n) requires factoring n
– T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
– T(n) = O(log^a n)

From Euclidean Algorithm
• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
……
• r_{n-1} = s_{n-1}·r0 + t_{n-1}·r1
• r_{n-1} = gcd(r0, r1)
• s_{n-1}·r0 + t_{n-1}·r1 = 1 ⇒ t_{n-1}·r1 ≡ 1 mod r0 ⇒ t_{n-1} ≡ r1⁻¹ mod r0
• Find t_{n-1}

si and ti
• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
……
• ri = r_{i-2} − q_{i-1}·r_{i-1} = s_{i-2}·r0 + t_{i-2}·r1 − q_{i-1}·s_{i-1}·r0 − q_{i-1}·t_{i-1}·r1 = si·r0 + ti·r1
si = s_{i-2} − q_{i-1}·s_{i-1}
ti = t_{i-2} − q_{i-1}·t_{i-1}
• Only ti is needed
• ri = si·r0 + ti·r1 ≡ ti·r1 mod r0

Extended Euclidean Algorithm
Step 1: r0 = n and r1 = a
Step 2: r0 = q1·r1 + r2 ⇒ r2 = r0 − q1·r1 ≡ −q1·r1 mod n; let x2 = −q1, then r2 ≡ x2·r1 mod n
r1 = q2·r2 + r3 ⇒ r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 mod n
let x3 = 1 − x2·q2, then r3 ≡ x3·r1 mod n
……
r_{n-3} = q_{n-2}·r_{n-2} + r_{n-1} ⇒ r_{n-1} ≡ r_{n-3} − q_{n-2}·r_{n-2} mod n; let x_{n-1} = x_{n-3} − x_{n-2}·q_{n-2}, then r_{n-1} ≡ x_{n-1}·r1 mod n. Now r_{n-1} = 1
Step 3: Result is x_{n-1} ≡ a⁻¹ mod n
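An added example, not code from the lecture, covering both the Euclidean algorithm slides (the remainder sequence r0, r1, …, r_{n-1}, 0 and the gcd(1970, 1066) table) and the extended algorithm just described: `extended_gcd` carries the coefficients (si, ti) with ri = si·r0 + ti·r1 using the recurrences si = s_{i-2} − q_{i-1}·s_{i-1}, ti = t_{i-2} − q_{i-1}·t_{i-1}, and `mod_inverse` applies it with r0 = n, r1 = a so that the coefficient of a is a⁻¹ mod n. When gcd(a, n) ≠ 1 it returns `None`, matching the theorem that no inverse exists then. Function names are this example's own.

```python
def euclid_steps(a, b):
    """Return the division steps (r_{i-1}, q_i, r_i, r_{i+1}) of Euclid's
    algorithm, one tuple per line of the worked gcd(1970, 1066) table."""
    steps = []
    r_prev, r = a, b
    while r != 0:
        q, r_next = divmod(r_prev, r)
        steps.append((r_prev, q, r, r_next))
        r_prev, r = r, r_next
    return steps                       # r_prev is now gcd(a, b)


def gcd(a, b):
    """gcd(a, b) = gcd(b, a mod b) until the remainder is 0."""
    while b:
        a, b = b, a % b
    return a


def extended_gcd(r0, r1):
    """Return (g, s, t) with s*r0 + t*r1 = g = gcd(r0, r1).

    Invariant: the current pair (r0, r1) always satisfies
    r0 = s_prev*R0 + t_prev*R1 and r1 = s*R0 + t*R1 for the original inputs."""
    s_prev, s = 1, 0      # (s0, t0) = (1, 0): r0 = 1*r0 + 0*r1
    t_prev, t = 0, 1      # (s1, t1) = (0, 1): r1 = 0*r0 + 1*r1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s_prev, s = s, s_prev - q * s   # s_i = s_{i-2} - q_{i-1} s_{i-1}
        t_prev, t = t, t_prev - q * t   # t_i = t_{i-2} - q_{i-1} t_{i-1}
    return r0, s_prev, t_prev


def mod_inverse(a, n):
    """a^{-1} mod n via the extended algorithm with r0 = n, r1 = a;
    None when gcd(a, n) != 1, since then no inverse exists."""
    g, _, t = extended_gcd(n, a)       # t is the coefficient of a
    if g != 1:
        return None
    return t % n


if __name__ == "__main__":
    for r_prev, q, r, r_next in euclid_steps(1970, 1066):
        print(f"{r_prev} = {q} x {r} + {r_next}   gcd({r}, {r_next})")
    print(gcd(1970, 1066), extended_gcd(1970, 1066))
    print(mod_inverse(3, 7), mod_inverse(6, 8))   # 5, None (6 has no inverse in Z8)
```

Only the t-coefficients are needed for the inverse, as the slide says; the s-coefficients are kept here so that the identity s·r0 + t·r1 = gcd can be checked directly.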
Outline
• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Algebraic Structures
• Why structures?
– Cryptographic transforms normally operate in some structure
• Definition: an algebraic structure is the collection of a set (S) with one (or more) operations (∘) performed on the elements of S
– Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions

Group
• Definition: A group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions
– G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
– G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c)
– G3: (∃e ∈ S) ∀a ∈ S, a∘e = e∘a = a
– G4: (∀a ∈ S) ∃a⁻¹ ∈ S, a∘a⁻¹ = a⁻¹∘a = e
– [G5: Abelian group] ∀a, b: a∘b = b∘a

Group Example
• ⟨Z, +⟩: e = 0, a⁻¹ = −a
• ⟨Zn, +⟩ (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a⁻¹ = n − a
• ⟨Z2, ⊕⟩ is also a group
• ⟨Zp*, ×⟩ (Zp* = {1, …, p−1}, '×' is multiplication modulo p)

Group Properties
• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange's Theorem Proof
(1) Definition of Coset: Let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (e ∈ H). So all the cosets form a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G

The Order of a Group Element
• Definition: The order of a group element a is defined as the least positive integer n such that
a^n = a∘a∘…∘a = e
• The order of a is denoted ord(a)
• Corollary: Suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n

ord(a) | n Proof
• Proof
– For group G and a ∈ G, the set {a, a², …, a^ord(a)} with the operator of G forms a subgroup of G:
a^ord(a) = e, (a^i)⁻¹ = a^(ord(a) − i)
– This subgroup is denoted ⟨a⟩

The Generator of a Group
• Definition: For a group all of whose elements can be generated by a single element g, g is called the generator of the group
• Example
– Consider ⟨Z7*, ×⟩
– 2 generates 2¹ = 2, 2² = 4, 2³ = 8 ≡ 1 mod 7, 2⁴ = 16 ≡ 2 mod 7, …
• ⟨{1, 2, 4}⟩ is a subgroup
– 3 generates 3¹ = 3, 3² ≡ 2, 3³ ≡ 6, 3⁴ ≡ 4, 3⁵ ≡ 5, 3⁶ ≡ 1, …
• 3 is a generator
Ring
• Definition: A ring R = ⟨S, +, ×⟩ (+ is addition, × is multiplication) such that
– R1: ∀a, b ∈ S, a + b ∈ S, a × b ∈ S (closure rule)
– R2: ⟨S, +⟩ is an additive Abelian group
– R3: ∀a, b, c ∈ S, (a × b) × c = a × (b × c)
– R4: ∀a, b, c ∈ S, a × (b + c) = a × b + a × c
• Example
– The set of even integers with + and × is a ring
– p, q two primes, n = pq: Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Field
• Definition: A field F is ⟨S, +, ×⟩ with
– F1: ⟨S, +, ×⟩ is a commutative ring (a × b = b × a)
– F2: There exists an identity element 1 with respect to multiplication: a × 1 = 1 × a = a
– F3: Any nonzero element a ∈ S has its unique inverse a⁻¹: a × a⁻¹ = a⁻¹ × a = 1
• Example
– Zn = ⟨{0, 1, …, n−1}, +, ×⟩ is a field if n is a prime

Relationship
[Figure: the structures used in cryptography, nested: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷)]

Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F_{2^n}

Zn
• Zn is the "ring" of integers modulo n
– Zn = {0, 1, 2, …, n−1}
– Normal addition modulo n
– Normal multiplication modulo n
• Example
– Z26 for English
– Z256 for ASCII

Zn Properties
• Additive and multiplicative identities in Zn
– Additive identity is 0 mod n
– Multiplicative identity is 1 mod n
• Additive inverse: Yes
– For every x in Zn there is a number y such that x + y = 0
• Multiplicative inverse: Not for all x
– A number y such that x·y = 1 exists only for some x in Zn
– The elements in Zn that have an inverse: {x | gcd(x, n) = 1}

Zn*
• Zn* is the "group" of integers modulo n
– Zn* = {x | gcd(x, n) = 1}
– |Zn*| = φ(n)
– Normal multiplication modulo n
• Zn* may not be a group under +
– Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field

Zp
• Zp is the "field" of integers modulo p
– Zp = {0, 1, 2, …, p−1}
– Normal addition modulo p
– Normal multiplication modulo p
• Example: Z2
  +  | 0  1        ×  | 0  1        w  −w  w⁻¹
  0  | 0  1        0  | 0  0        0   0   –
  1  | 1  0        1  | 0  1        1   1   1
  (XOR)            (AND)

Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + a_{n-1}·x^(n−1) + … + a1·x + a0, where each ai ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example
• Example: Let f(x) = x³ + x + 1 and g(x) = x² + x be elements of Z2[x]
– f(x) + g(x) = x³ + x² + 1
– f(x) − g(x) = f(x) + g(x) = x³ + x² + 1
– f(x)·g(x) = x⁵ + x⁴ + x³ + x

Set of Residues Modulo p(x)
• Definition: A set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
– p(x) is an irreducible polynomial over R
• A set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), or a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
– Z5[x]: 3x³ + 4x + 4 ≡ x + 4 mod x² + 1
• 3x³ + 4x + 4 − (x + 4) = 3x³ + 3x = 3x(x² + 1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x) then b(x) = a⁻¹(x) mod p(x)

Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x³ + x + 1)
• S = {0, 1, x, x+1, x², x²+1, x²+x, x²+x+1}
• p(x) = x³ + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
– x⁴ + 1 = x·x³ + 1 mod p(x) = x(x + 1) + 1 = x² + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x³ + x + 1) Properties
• S is a group under addition in R
– 0 is e and the inverse of a ∈ S is a itself
– Example: (x² + 1) + (x² + 1) = 0
• S (its nonzero elements) is a group under multiplication mod p(x)
– 1 is e and the inverse of a ∈ S exists
– Example: (x² + 1)·x = x³ + x ≡ x + 1 + x mod x³ + x + 1 = 1
– Note: the Extended Euclidean Algorithm can be used to find it
• Z2[x]/(x³ + x + 1) is a Field

Galois Field
• Definition: Galois field = (S, +, ×)
– S = F[x]/p(x)
– F is the field ZN (N is prime)
– + is addition in F, × is multiplication modulo p(x)
– p(x) is irreducible
• The Galois field over ZN[x]/p(x) is denoted GF(N^n) when n = deg p(x)

Why Galois Field
• For an 8-bit block
– Z256 = {0, 1, …, 255} is not a field
– Z251 = {0, 1, …, 250} is a field
• The largest prime < 256 is 251
• 251, …, 255 are wasted
• Is it possible to find a field for Z256?
– Yes – Galois Field

Galois Field for Z256
• Build a mapping from an n-bit block to polynomials
• Example: 8-bit block
10010111 ↔ 1·x⁷ + 0·x⁶ + 0·x⁵ + 1·x⁴ + 0·x³ + 1·x² + 1·x¹ + 1·x⁰
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES
AES uses GF(2⁸) = Z2[x]/p(x) where p(x) = x⁸ + x⁴ + x³ + x + 1
• Example
– 01010011 ↔ x⁶ + x⁴ + x + 1
– (01010011)⁻¹ ↔ (x⁶ + x⁴ + x + 1)⁻¹ mod p(x) = x⁷ + x⁶ + x³ + x ↔ 11001010

Galois Field Example: AES
• Example: 02 · 87 = ?
• 87 = 10000111 ↔ f(x) = x⁷ + x² + x + 1
• 02 = 00000010 ↔ x
• 02 · 87 ↔ x·f(x) = x(x⁷ + x² + x + 1) mod p(x)
= x⁸ + x(x² + x + 1) mod p(x)
• In general, for a byte b7 b6 b5 b4 b3 b2 b1 b0:
x·f(x) = 02·(b7 b6 b5 b4 b3 b2 b1 b0) = (b6 b5 b4 b3 b2 b1 b0 0) if b7 = 0
= (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011) if b7 = 1
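The arithmetic of the last several slides, as an added example that is not part of the lecture: `gf_mul` multiplies two elements of Z2[x]/(p(x)) for any degree, using exactly the shift-and-reduce rule the AES slide gives for multiplication by x (shift left; if the x^deg term appears, xor in p(x)); `xtime` is that rule specialized to the AES byte case; `gf_inverse` finds inverses by exhaustive search, which is adequate for 2⁸ elements; `to_poly` renders a bit pattern as a polynomial. It is run on both the 3-bit example Z2[x]/(x³ + x + 1) and the AES field, reproducing (x² + 1)·x = 1, x⁴ + 1 ≡ x² + x + 1, the inverse of 01010011, and the 02·87 product, which the slide leaves open. Names are this example's own.

```python
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES modulus from the slides
P3 = 0b1011        # x^3 + x + 1, the Z2[x]/(x^3 + x + 1) example


def gf_mul(a, b, modulus, degree):
    """Multiply a and b in GF(2^degree) = Z2[x]/(modulus).

    Bit i of an operand is the coefficient of x^i; `modulus` includes its
    leading x^degree term. Each pass multiplies a by x (a left shift) and
    reduces when the x^degree term appears, the rule the AES slide states
    for 02 * b; the bits of b select which multiples of a are summed (xor)."""
    if not (0 <= a < (1 << degree) and 0 <= b < (1 << degree)):
        raise ValueError("operands must already be reduced modulo p(x)")
    overflow = 1 << degree
    result = 0
    for _ in range(degree):
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & overflow:
            a ^= modulus
    return result


def xtime(b):
    """02 * b in AES: shift left, and xor 0x1B when the x^8 term appears."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gf_inverse(a, modulus, degree):
    """a^{-1} by exhaustive search (fine for 2^8 elements); 0 has no inverse."""
    if a == 0:
        raise ValueError("0 has no multiplicative inverse")
    for x in range(1, 1 << degree):
        if gf_mul(a, x, modulus, degree) == 1:
            return x
    raise ValueError("no inverse found: modulus is not irreducible")


def to_poly(v):
    """Render a bit pattern as a polynomial, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    terms = []
    for i in range(v.bit_length() - 1, -1, -1):
        if v >> i & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms) if terms else "0"


if __name__ == "__main__":
    print(to_poly(0x53), "->", to_poly(gf_inverse(0x53, AES_POLY, 8)))   # x^7 + x^6 + x^3 + x
    print(hex(gf_mul(0x02, 0x87, AES_POLY, 8)), hex(xtime(0x87)))         # 0x15 0x15
    print(gf_mul(0b101, 0b010, P3, 3))                                    # 1: (x^2+1)*x = 1
    print(to_poly(gf_mul(0b100, 0b100, P3, 3) ^ 1))                       # x^4 + 1 reduced
```

The same `gf_mul` also tells whether a chosen p(x) actually yields a field: with a reducible modulus `gf_inverse` fails for some nonzero element, which is the property the irreducibility requirement on the Galois Field slide is there to guarantee.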
Outline
• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Mathematical Model for Ciphers
• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
– M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
– B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = {c | c = ek(m), k ∈ K, m ∈ M}
[Figure: Sender → Encryption → c → Decryption → Receiver, with the key k delivered over a Secure Channel and a Cryptanalysis box observing c; the spaces are labelled Key Space (K), Message Space (P), Ciphertext Space (C)]

Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager
Claude Shannon, 1916–2001

Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k]·Pr[P = dk(c)]
– C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
• Pr[P = m | C = c]
= Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
= (Pr(m)·Σ_{k | m = dk(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k)·Pr(dk(c)))

Shannon Security
• Basic Idea: Ciphertext should provide no "information" about the Plaintext
– How to define the "information"?
• Definition: An encryption scheme is Shannon secure if the probability distribution of P is unchanged by C:
∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Also say such a scheme has perfect secrecy

Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and ∀x ∈ P and ∀y ∈ C there is a unique key k such that ek(x) = y

Proof of (⇐)
• Pr[x = x | y = y] = (Σ_{k ∈ K, x = dk(y)} Pr[K = k]·Pr[x = x]) / (Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = dk(y)])
Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K|
Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = dk(y)] = (1/|K|)·Σ_{k ∈ K, y ∈ C(k)} Pr[x = dk(y)] = (1/|K|)·Σ_{x ∈ P} Pr[x = x] = 1/|K|

Proof of (⇒)
• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
– There are no ek1 ≠ ek2 with ek1(x) = ek2(x)
– There is a unique key k such that ek(x) = y

Proof of (⇒)
• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, assume k1, k2, …, kn where e_{ki}(xi) = y
• Pr[xi | y] = Pr[y | xi]·Pr[xi] / Pr[y] = Pr[K = ki]·Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
– Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
– Consider a nonzero probability distribution of P
– Given any C = c, for every m:
Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
– As one key can decrypt c into only one message, at least n keys are needed
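The definitions and theorems of the Shannon-security slides, checked by exhaustive enumeration as an added example (not code from the lecture): `posterior` computes Pr[P = m | C = c] by summing over keys exactly as the 'Probability Distribution of C' slide does, and `has_perfect_secrecy` tests Shannon's condition for every m and c. The cipher is a constructed shift cipher on Zn (a one-symbol one-time pad), and distributions are dicts of exact `Fraction`s built by `make_dist` from integer weights so that equality is exact. Function names are this example's own.

```python
from fractions import Fraction


def shift_encrypt(k, m, n):
    """Shift cipher on Z_n: c = m + k mod n (a one-time pad on a single symbol)."""
    return (m + k) % n


def make_dist(weights):
    """Normalize integer weights {value: weight} into a distribution of Fractions."""
    total = sum(weights.values())
    return {v: Fraction(w, total) for v, w in weights.items()}


def posterior(n, key_dist, msg_dist):
    """Pr[P = m | C = c] for all m and all c with Pr[C = c] > 0.

    Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] Pr[P = m], and
    Pr[P = m, C = c] is the same sum restricted to that m."""
    pr_c = {c: Fraction(0) for c in range(n)}
    joint = {}
    for k, pk in key_dist.items():
        for m, pm in msg_dist.items():
            c = shift_encrypt(k, m, n)
            pr_c[c] += pk * pm
            joint[(m, c)] = joint.get((m, c), Fraction(0)) + pk * pm
    return {(m, c): joint.get((m, c), Fraction(0)) / pr_c[c]
            for m in msg_dist for c in range(n) if pr_c[c] > 0}


def has_perfect_secrecy(n, key_dist, msg_dist):
    """Shannon's condition: Pr[P = m | C = c] = Pr[P = m] for every m and c."""
    post = posterior(n, key_dist, msg_dist)
    return all(post[(m, c)] == msg_dist[m] for (m, c) in post)


if __name__ == "__main__":
    uniform3 = make_dist({0: 1, 1: 1, 2: 1})
    skewed_msgs = make_dist({0: 3, 1: 2, 2: 1})
    # Uniform key over all of Z_3: perfect secrecy regardless of the message distribution.
    print(has_perfect_secrecy(3, uniform3, skewed_msgs))                        # True
    # Non-uniform key: the theorem's first condition fails.
    print(has_perfect_secrecy(3, make_dist({0: 2, 1: 1, 2: 1}), uniform3))      # False
    # Only two keys for three messages: the "bad news" bound |K| >= n is violated.
    print(has_perfect_secrecy(3, make_dist({0: 1, 1: 1}), uniform3))            # False
```

In the two-key case the posterior Pr[P = 0 | C = 2] is exactly 0, which is the step in the "bad news" proof: with fewer keys than messages some ciphertext rules a message out entirely.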
Introduction to Complexity
• Perfect Secrecy: key length ≥ message length
– Can NOT use one key to encrypt many messages
– Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
– NOT perfect secrecy
– IS secure under limited resources (complexity)
– Means that key (or plaintext) recovery is difficult
– Complexity is the foundation of modern cryptography

Finding GCD

• Theorem: if $a = \prod_i p_i^{a_i}$ and $b = \prod_i p_i^{b_i}$ (over a common list of primes, zero exponents allowed), then
  $\gcd(a, b) = \prod_i p_i^{\min(a_i, b_i)}$
• Example
  $a = 882 = 2 \cdot 3^2 \cdot 7^2$
  $b = 3465 = 3^2 \cdot 5 \cdot 7 \cdot 11$
  $\gcd(a, b) = 3^2 \cdot 7 = 63$
• Complexity
  – Requires factoring a and b
  – No polynomial-time factoring algorithm is known: the cost grows super-polynomially in the bit length n of the inputs (the best known methods are sub-exponential, not polynomial), so this is not a practical way to compute a gcd

Euclidean Algorithm Example

gcd(1970, 1066):
  1970 = 1 × 1066 + 904    → gcd(1066, 904)
  1066 = 1 × 904 + 162     → gcd(904, 162)
  904 = 5 × 162 + 94       → gcd(162, 94)
  162 = 1 × 94 + 68        → gcd(94, 68)
  94 = 1 × 68 + 26         → gcd(68, 26)
  68 = 2 × 26 + 16         → gcd(26, 16)
  26 = 1 × 16 + 10         → gcd(16, 10)
  16 = 1 × 10 + 6          → gcd(10, 6)
  10 = 1 × 6 + 4           → gcd(6, 4)
  6 = 1 × 4 + 2            → gcd(4, 2)
  4 = 2 × 2 + 0            → gcd(2, 0) = 2
So gcd(1970, 1066) = 2.

Euclidean Algorithm

• Step 1: $r_0 = a$ and $r_1 = b$
• Step 2: divide repeatedly
  $r_0 = q_1 r_1 + r_2$
  $r_1 = q_2 r_2 + r_3$
  ……
  $r_{n-2} = q_{n-1} r_{n-1} + r_n$
  until $r_n = 0$ (and $r_{n-1} \neq 0$)
• Step 3: $r_{n-1} = \gcd(a, b)$

Euclidean Algorithm Proof

• $r_n = 0 \Rightarrow r_{n-1} \mid r_{n-2}$, hence $r_{n-1} \mid r_{n-3}$, …, $r_{n-1} \mid a$ and $r_{n-1} \mid b$, so $r_{n-1} \mid \gcd(a, b)$
• $\gcd(a, b) \mid r_0$ and $\gcd(a, b) \mid r_1$, so $\gcd(a, b) \mid r_0 - q_1 r_1 = r_2$, …, $\gcd(a, b) \mid r_{n-1}$
• $r_{n-1} \mid \gcd(a, b)$ and $\gcd(a, b) \mid r_{n-1}$, both positive, so $\gcd(a, b) = r_{n-1}$

Euclidean Algorithm Complexity

• Time complexity (for n-bit inputs, $a \le 2^n$)
  – Number of iterations: every two division steps at least halve the remainder ($r_{i+2} < r_i / 2$), so there are $O(\log_2 a) = O(n)$ divisions
  – Each division costs $O(\log_2^2 a) = O(n^2)$ bit operations with schoolbook arithmetic
  – Total $T(n) = O(\log_2^3 a) = O(n^3)$: polynomial in the input size, unlike the factoring approach

Modular Arithmetic

• Why modular arithmetic?
  Plaintext: an n-bit block such as 01100…0100, one of $2^n$ possible values
  Ciphertext: an n-bit block such as 11010…0111, one of $2^n$ possible values
  A cipher is built from operations such as + (addition) and × (multiplication) on these blocks
  Problems:
  1. The set of plaintexts (and ciphertexts) is finite
  2. How should +, −, × be defined so that the results stay inside the finite set?

Modular Operation

• Definition: a mod n (the modulo operator) is the remainder when a is divided by n
• a mod n = r where $a = qn + r$ and $0 \le r < n$

Congruence Modulo n

• Definition: integers a and b are congruent modulo n
  – if a mod n = b mod n
  – denoted $a \equiv b \pmod n$
  – Example: $100 \equiv 34 \pmod{11}$ (both leave remainder 1)
  – $a \equiv b \pmod n \Leftrightarrow a = b + kn$ for some integer k $\Leftrightarrow n \mid (a - b)$

Congruence Properties

• Properties
  – If $a \equiv b \pmod n$ and $c \equiv d \pmod n$, then
    $a + c \equiv b + d \pmod n$
    $ac \equiv bd \pmod n$
  – Example ("casting out nines")
    $10 \equiv 1 \pmod 9$, $10^2 \equiv 1 \pmod 9$, …
    so $a = a_m 10^m + \dots + a_1 10 + a_0 \equiv a_m + \dots + a_1 + a_0 \pmod 9$
  – If $a \equiv b \pmod n$ and $d \mid n$, then $a \equiv b \pmod d$

Congruence Relation

• Congruence modulo n is an equivalence relation
  – Reflexive: $a \equiv a$
  – Symmetric: $a \equiv b \Rightarrow b \equiv a$
  – Transitive: $a \equiv b$ and $b \equiv c \Rightarrow a \equiv c$
• An equivalence relation partitions the integers into equivalence classes

Example: Integers Modulo 7

• Every integer can be written as $a = qn + r$ with $0 \le r \le n - 1$
• [Figure omitted in this transcript: the integers −21, …, 34 laid out in seven columns; the integers in one column are congruent modulo 7, e.g. …, −14, −7, 0, 7, 14, … are all ≡ 0]
• $\mathbb{Z}_7$: the residues modulo 7, {0, 1, 2, 3, 4, 5, 6}

Set of Residues

• Definition: if $a \equiv b \pmod n$ and $0 \le b < n$, b is called the residue of a modulo n
• The complete set of residues modulo n
  – A set $\{r_1, r_2, \dots, r_n\}$ such that for every integer b exactly one $r_i$ in the set satisfies $b \equiv r_i \pmod n$
• The reduced set of residues (RSR)
  – The subset of a complete set of residues whose elements are relatively prime to n

Set of Residues Example

• n = 10
  – The complete set of residues is {0, 1, 2, …, 9}
  – The reduced set of residues is {1, 3, 7, 9}
• n = p (p prime)
  – The complete set of residues is {0, 1, 2, …, p − 1}
  – The reduced set of residues is {1, 2, …, p − 1}

Modular Arithmetic

• We can define modular arithmetic on the set $\mathbb{Z}_n = \{0, 1, 2, \dots, n - 1\}$
• Relation to ordinary arithmetic (+, ×)
  – $[(a \bmod n) + (b \bmod n)] \bmod n = (a + b) \bmod n$
    Proof: let $a = q_1 n + r_1$ and $b = q_2 n + r_2$; then
    $(a + b) \bmod n = ((q_1 + q_2) n + r_1 + r_2) \bmod n = (r_1 + r_2) \bmod n$
  – $[(a \bmod n) \cdot (b \bmod n)] \bmod n = (ab) \bmod n$ (same argument)
• Once + and × are defined, − follows (subtraction is addition of the additive inverse)

Modular Arithmetic Example

• $(\mathbb{Z}_8 = \{0, 1, 2, \dots, 7\}, +)$
  [Addition table omitted in this transcript] What do you observe about each row?

Modular Arithmetic Example

• $(\mathbb{Z}_8 = \{0, 1, 2, \dots, 7\}, \times)$
  [Multiplication table omitted in this transcript] Unlike the addition table, some rows do NOT contain all elements of $\mathbb{Z}_8$

Modular Arithmetic Remark

• Additive inverse: always exists
  – $a + (-a) \equiv 0 \pmod n$ with $-a = n - a$
  – Cancellation: if $a + b \equiv a + c \pmod n$ then $b \equiv c \pmod n$
    Proof: add $-a$ to both sides, $(-a) + a + b \equiv (-a) + a + c \pmod n$
• Multiplicative inverse: does NOT always exist
  – Example: 6 in $\mathbb{Z}_8$ (there is no x with $6x \equiv 1 \pmod 8$, since 6x is always even)
  – When does it exist?

Multiplicative Inverse in Modular Arithmetic

• Definition: $a^{-1} \bmod n$ is the multiplicative inverse of $a \in \{1, 2, \dots, n - 1\}$, i.e. the x with $ax \equiv 1 \pmod n$
• Theorem: $a^{-1} \bmod n$ exists if and only if $\gcd(a, n) = 1$
• Lemma: if $\gcd(a, n) = 1$ then $ai \not\equiv aj \pmod n$ for all $0 \le i < j < n$
  – Proof: assume $ai \equiv aj \pmod n$; then $n \mid a(i - j)$, and since $\gcd(a, n) = 1$, $n \mid (i - j)$; but $0 < j - i < n$, so this forces $i - j = 0$, a contradiction

Multiplicative Inverse Theorem

• Proof
  – (⇐) $\gcd(a, n) = 1$: by the lemma, $a \cdot 1, \dots, a \cdot (n - 1) \bmod n$ are pairwise distinct and none is 0 (n cannot divide ai), so they are a permutation of $1, \dots, n - 1$
  – So there is exactly one i with $ai \equiv 1 \pmod n$
  – Therefore that i is $a^{-1} \bmod n$
  – (⇒) Suppose $a^{-1}$ exists; call it x
  – $ax \equiv 1 \pmod n$, so $ax + yn = 1$ for some integer y
  – $\gcd(a, n) \mid ax + yn$, hence $\gcd(a, n) \mid 1$, so $\gcd(a, n) = 1$

Euler's phi Function

• Euler's "phi" (totient) function $\varphi(n)$
  – is the number of invertible elements of $\mathbb{Z}_n$
  – is the number of elements in the reduced set of residues modulo n
• How to calculate $\varphi(n)$: see below (after the Chinese Remainder Theorem)

Chinese Remainder Theorem

• Theorem: let $n_1, n_2, \dots, n_k$ be integers with $\gcd(n_i, n_j) = 1$ for $i \neq j$. The system
  $x \equiv a_1 \pmod{n_1}$
  $x \equiv a_2 \pmod{n_2}$
  ……
  $x \equiv a_k \pmod{n_k}$
  has a unique solution x modulo $n = n_1 n_2 \cdots n_k$

Proof of CRT

• Consider the one-to-one map $\chi: \mathbb{Z}_n \to \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \dots \times \mathbb{Z}_{n_k}$
  $\chi(x) = (x \bmod n_1, x \bmod n_2, \dots, x \bmod n_k)$
  – Solving the CRT system means computing $\chi^{-1}(a_1, a_2, \dots, a_k)$
• $\chi^{-1}(a_1, a_2, \dots, a_k) = \sum_{i=1}^{k} a_i m_i y_i \bmod n$, where
  – $m_i = n / n_i$, so $\gcd(m_i, n_i) = 1$ for $1 \le i \le k$
  – $y_i = m_i^{-1} \bmod n_i$ for $1 \le i \le k$
  – $m_i \equiv 0 \pmod{n_j}$ for $j \neq i$, hence $a_i m_i y_i \equiv 0 \pmod{n_j}$ for $j \neq i$
  – $y_j \equiv m_j^{-1} \pmod{n_j}$, so $m_j y_j \equiv 1 \pmod{n_j}$ and $a_j m_j y_j \equiv a_j \pmod{n_j}$
  – Therefore $\chi^{-1}(a_1, a_2, \dots, a_k) \bmod n_j = a_j$ for every j

Finding Euler's phi Function

• Theorem: if $\gcd(m, n) = 1$ then $\varphi(mn) = \varphi(m) \varphi(n)$
• Proof
  – A number x mod mn is represented uniquely by the pair $(a, b) = (x \bmod m, x \bmod n)$ (CRT)
  – x is relatively prime to mn iff it is relatively prime to both m and n, iff a and b are relatively prime to m and n respectively
  – So the $\varphi(mn)$ units of $\mathbb{Z}_{mn}$ correspond exactly to the $\varphi(m) \varphi(n)$ pairs of units, i.e. $\varphi(mn) = \varphi(m) \varphi(n)$

Finding Euler's phi Function

• $\varphi(n)$ calculation for $n = \prod_{i=1}^{k} p_i^{e_i}$
• $\varphi(p) = p - 1$ and $\varphi(p^e) = p^e - p^{e-1}$
  – Among $1, \dots, p^e - 1$ the numbers not coprime to $p^e$ are exactly the multiples of p, i.e. $kp$ for $k = 1, \dots, p^{e-1} - 1$
  – So $\varphi(p^e) = (p^e - 1) - (p^{e-1} - 1) = p^e - p^{e-1}$
• By multiplicativity, $\varphi\left(\prod_{i=1}^{k} p_i^{e_i}\right) = \prod_{i=1}^{k} \left(p_i^{e_i} - p_i^{e_i - 1}\right)$
• Equivalently $\varphi(n) = n \left(1 - \frac{1}{p_1}\right) \left(1 - \frac{1}{p_2}\right) \cdots \left(1 - \frac{1}{p_k}\right)$

Euler's Theorem

• Theorem: if $\gcd(a, n) = 1$ then $a^{\varphi(n)} \equiv 1 \pmod n$
• Proof
  1. Let $R = \{r_1, r_2, \dots, r_{\varphi(n)}\}$ be the reduced set of residues modulo n
  2. $\{ar_1, ar_2, \dots, ar_{\varphi(n)}\}$ (reduced mod n) is a permutation of R: each $ar_i$ is coprime to n, and they are pairwise distinct mod n by the lemma above
  3. $\prod_{i=1}^{\varphi(n)} r_i \equiv \prod_{i=1}^{\varphi(n)} ar_i \equiv a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} r_i \pmod n$
  4. $\gcd\left(\prod_{i=1}^{\varphi(n)} r_i, n\right) = 1$, so the product can be cancelled; hence $a^{\varphi(n)} \equiv 1 \pmod n$

Fermat's Little Theorem

• A special case of Euler's Theorem
  Let n = p with p prime
  For all $0 < a < p$, $\gcd(a, p) = 1$, so
  $a^{p-1} \equiv 1 \pmod p$

Finding $a^{-1} \bmod n$

• Search through 1, …, n − 1 until an $a^{-1}$ is found with $a \cdot a^{-1} \equiv 1 \pmod n$
  – T(n) = O(n): exponential in the bit length of n
• Compute $a^{-1} = a^{\varphi(n) - 1} \bmod n$ (Euler's Theorem)
  – Requires $\varphi(n)$, which in general means factoring n; the exponentiation itself is polynomial in $\log n$
• Use the Extended Euclidean Algorithm
  – $T(n) = O(\log^a n)$ for a small constant a: polynomial in the bit length, and no factoring needed

From the Euclidean Algorithm

• $r_0 = 1 \cdot r_0 + 0 \cdot r_1 = s_0 r_0 + t_0 r_1$
• $r_1 = 0 \cdot r_0 + 1 \cdot r_1 = s_1 r_0 + t_1 r_1$
• $r_2 = r_0 - q_1 r_1 = s_2 r_0 + t_2 r_1$
• $r_3 = r_1 - q_2 r_2 = r_1 - q_2 (r_0 - q_1 r_1) = s_3 r_0 + t_3 r_1$
  ……
• $r_{n-1} = s_{n-1} r_0 + t_{n-1} r_1$
• $r_{n-1} = \gcd(r_0, r_1)$; when this is 1, $s_{n-1} r_0 + t_{n-1} r_1 = 1$, so $t_{n-1} r_1 \equiv 1 \pmod{r_0}$, i.e. $t_{n-1} \equiv r_1^{-1} \pmod{r_0}$
• So the task is to find $t_{n-1}$

$s_i$ and $t_i$

• $r_0 = s_0 r_0 + t_0 r_1$: $s_0 = 1$, $t_0 = 0$
• $r_1 = s_1 r_0 + t_1 r_1$: $s_1 = 0$, $t_1 = 1$
  ……
• $r_i = r_{i-2} - q_{i-1} r_{i-1} = s_{i-2} r_0 + t_{i-2} r_1 - q_{i-1} s_{i-1} r_0 - q_{i-1} t_{i-1} r_1 = s_i r_0 + t_i r_1$, so
  $s_i = s_{i-2} - q_{i-1} s_{i-1}$
  $t_i = t_{i-2} - q_{i-1} t_{i-1}$
• Only $t_i$ is needed for the inverse: $r_i = s_i r_0 + t_i r_1 \equiv t_i r_1 \pmod{r_0}$

Extended Euclidean Algorithm

(To avoid a clash with the modulus n, write ℓ for the index of the last nonzero remainder, which the previous slides called n.)
• Step 1: $r_0 = n$ and $r_1 = a$
• Step 2:
  $r_0 = q_1 r_1 + r_2 \Rightarrow r_2 = r_0 - q_1 r_1 \equiv -q_1 r_1 \pmod n$; let $x_2 = -q_1$, then $r_2 \equiv x_2 r_1 \pmod n$
  $r_1 = q_2 r_2 + r_3 \Rightarrow r_3 = r_1 - q_2 r_2 \equiv (1 - x_2 q_2) r_1 \pmod n$; let $x_3 = 1 - x_2 q_2$, then $r_3 \equiv x_3 r_1 \pmod n$
  ……
  $r_{\ell-2} = q_{\ell-1} r_{\ell-1} + r_\ell \Rightarrow r_\ell = r_{\ell-2} - q_{\ell-1} r_{\ell-1}$; let $x_\ell = x_{\ell-2} - x_{\ell-1} q_{\ell-1}$, then $r_\ell \equiv x_\ell r_1 \pmod n$
  Stop when $r_\ell = 1$ (this happens iff $\gcd(a, n) = 1$)
• Step 3: the result is $x_\ell \bmod n = a^{-1} \bmod n$ (the $x_i$ are the $t_i$ of the previous slide)

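
The Euclidean algorithm (the "Euclidean Algorithm Example" and "Euclidean Algorithm" slides) and the extended version with the $s_i, t_i$ recurrences, as an added example that is not part of the original slides. `egcd(n, a)` returns the coefficient t with $t \cdot a \equiv \gcd(n, a) \pmod n$, which is exactly the $x_\ell$ of Step 3 above; function names are my own and the only dependency is the Python standard library.

```python
"""Euclidean and extended Euclidean algorithm with the (s_i, t_i) recurrences.

Added example, not part of the original slides. Pure Python, no dependencies.
"""


def euclid_trace(a, b):
    """Return the division steps (r_{i-1}, q_i, r_i, r_{i+1}) of gcd(a, b):
    the rows of the 1970/1066 worked example, r_{i-1} = q_i * r_i + r_{i+1}."""
    steps = []
    r_prev, r = a, b
    while r != 0:
        q, r_next = divmod(r_prev, r)
        steps.append((r_prev, q, r, r_next))
        r_prev, r = r, r_next
    return steps


def egcd(r0, r1):
    """Extended Euclid: returns (g, s, t) with s*r0 + t*r1 = g = gcd(r0, r1).

    Maintains the coefficients of the two most recent remainders using
    s_i = s_{i-2} - q_{i-1} s_{i-1} and t_i = t_{i-2} - q_{i-1} t_{i-1},
    starting from (s_0, t_0) = (1, 0) and (s_1, t_1) = (0, 1).
    """
    s_prev, t_prev = 1, 0      # coefficients expressing r_{i-1}
    s, t = 0, 1                # coefficients expressing r_i
    while r1 != 0:
        q, rem = divmod(r0, r1)
        r0, r1 = r1, rem
        s_prev, s = s, s_prev - q * s
        t_prev, t = t, t_prev - q * t
    return r0, s_prev, t_prev


def modinv(a, n):
    """a^{-1} mod n via extended Euclid; raises if gcd(a, n) != 1."""
    g, _, t = egcd(n, a)        # r0 = n, r1 = a, so t * a = g (mod n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n} (gcd = {g})")
    return t % n


if __name__ == "__main__":
    for r_prev, q, r, r_next in euclid_trace(1970, 1066):
        print(f"{r_prev} = {q} x {r} + {r_next}")
    g, s, t = egcd(1970, 1066)
    print(f"gcd = {g} = {s}*1970 + {t}*1066")
    print("3^-1 mod 7 =", modinv(3, 7))
```

Because the loop only keeps the last two coefficient pairs, the extended algorithm costs the same $O(\log n)$ divisions as the plain one; the Bezout identity returned by `egcd` is also the proof that the inverse is correct.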
Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Algebraic Structures

• Why structures?
  – Cryptographic transforms normally live inside some algebraic structure
• Definition: an algebraic structure is a set S together with one or more operations (∘) performed on the elements of S
  – The different algebraic structures are $\langle S, \circ \rangle$ satisfying specific conditions

Group

• Definition: a group $G = \langle S, \circ \rangle$ is an algebraic structure that satisfies the following conditions
  – G1: $\forall a, b \in S$: $a \circ b \in S$ (closure)
  – G2: $\forall a, b, c \in S$: $(a \circ b) \circ c = a \circ (b \circ c)$ (associativity)
  – G3: $\exists e \in S$ such that $\forall a \in S$: $a \circ e = e \circ a = a$ (identity)
  – G4: $\forall a \in S$, $\exists a^{-1} \in S$ such that $a \circ a^{-1} = a^{-1} \circ a = e$ (inverse)
  – [G5, Abelian group] $\forall a, b$: $a \circ b = b \circ a$ (commutativity)

Group Example

• $\langle \mathbb{Z}, + \rangle$: $e = 0$, $a^{-1} = -a$
• $\langle \mathbb{Z}_n, + \rangle$ ($\mathbb{Z}_n = \{0, 1, \dots, n - 1\}$, '+' is addition modulo n): $e = 0$, $a^{-1} = n - a$
• $\langle \mathbb{Z}_2, \oplus \rangle$ (exclusive or) is also a group
• $\langle \mathbb{Z}_p^*, \times \rangle$ ($\mathbb{Z}_p^* = \{1, \dots, p - 1\}$, '×' is multiplication modulo the prime p)

Group Properties

• Definition: the order of a finite group is the number of elements in the group
• Definition: a group $G_1 = \langle S_1, \circ \rangle$ is a subgroup of the group $G = \langle S, \circ \rangle$ if $S_1 \subseteq S$ (and $S_1$ is itself a group under ∘)
• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G

Lagrange's Theorem Proof

(1) Definition of coset: let G be a group and H a subgroup of G; for $a \in G$ the set $aH = \{ah \mid h \in H\}$ is called a (left) coset of H
(2) $\forall a, b \in G$: either $aH = bH$ or $aH \cap bH = \emptyset$
(3) Each element of G is in some coset ($a \in aH$, since $e \in H$), so the cosets partition G
(4) The order of aH equals the order of H ($h \mapsto ah$ is a bijection)
So the order of H divides the order of G

The Order of a Group Element

• Definition: the order of a group element a is the least positive integer n such that
  $a^n = a \circ a \circ \dots \circ a$ (n factors) $= e$
• The order of a is denoted ord(a)
• Corollary: suppose G is a finite group of order n and $a \in G$; then $\mathrm{ord}(a) \mid n$

ord(a) | n Proof

• Proof
  – For a group G and $a \in G$, the set $\{a, a^2, \dots, a^{\mathrm{ord}(a)}\}$ with the operation of G forms a subgroup of G
    (closure: exponents add modulo ord(a); $a^{\mathrm{ord}(a)} = e$ is the identity; $(a^i)^{-1} = a^{\mathrm{ord}(a) - i}$)
  – This subgroup is denoted $\langle a \rangle$ and has order ord(a), so by Lagrange's Theorem $\mathrm{ord}(a) \mid n$

The Generator of a Group

• Definition: if all elements of a group can be generated by a single element g (i.e. $G = \langle g \rangle$), g is called a generator of the group (and G is called cyclic)
• Example: consider $\langle \mathbb{Z}_7^*, \times \rangle$
  – 2 generates $2^1 = 2$, $2^2 = 4$, $2^3 = 8 \equiv 1 \pmod 7$, $2^4 = 16 \equiv 2 \pmod 7$, …
    $\langle 2 \rangle = \{1, 2, 4\}$ is a proper subgroup (of order 3, which divides 6)
  – 3 generates $3^1 = 3$, $3^2 \equiv 2$, $3^3 \equiv 6$, $3^4 \equiv 4$, $3^5 \equiv 5$, $3^6 \equiv 1$, …
    3 is a generator of $\mathbb{Z}_7^*$

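
The unit group $\mathbb{Z}_n^*$, element orders, the subgroup $\langle 2 \rangle$ and the generator 3 of $\mathbb{Z}_7^*$, plus the observation from the $\mathbb{Z}_8$ multiplication-table slides that only the rows of invertible elements are permutations. This is an added example, not code from the original slides; it uses only the standard library and the function names are my own.

```python
"""Units of Z_n, element orders, generated subgroups and generators.

Added example (not from the original slides); standard library only.
"""
from math import gcd


def units(n):
    """Z_n^* = {a in Z_n : gcd(a, n) = 1}; its size is phi(n)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def row_is_permutation(a, n):
    """Row a of the multiplication table of Z_n contains every element
    exactly once iff a is invertible, i.e. gcd(a, n) = 1."""
    return sorted((a * x) % n for x in range(n)) == list(range(n))


def order(a, n):
    """ord(a) in Z_n^*: least k >= 1 with a^k = 1 (mod n). Requires gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not a unit modulo {n}")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def generated_subgroup(a, n):
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list."""
    return sorted(pow(a, k, n) for k in range(1, order(a, n) + 1))


def generators(n):
    """Elements of Z_n^* whose order equals |Z_n^*|; empty if the group is not cyclic."""
    size = len(units(n))
    return [a for a in units(n) if order(a, n) == size]


def lagrange_holds(n):
    """Corollary of Lagrange's theorem: every element order divides |Z_n^*|."""
    size = len(units(n))
    return all(size % order(a, n) == 0 for a in units(n))


if __name__ == "__main__":
    print("Z_8^* =", units(8), "; row 6 is a permutation:", row_is_permutation(6, 8))
    print("<2> in Z_7^* =", generated_subgroup(2, 7), "; ord(2) =", order(2, 7))
    print("generators of Z_7^* =", generators(7))
    print("generators of Z_8^* =", generators(8), "(Z_8^* is not cyclic)")
```

A practical point that falls out of `generators`: $\mathbb{Z}_8^*$ has order 4 but no element of order 4, so "the group has order n" does not by itself mean a generator exists; discrete-log-based systems therefore work in $\mathbb{Z}_p^*$ (always cyclic) or in a prime-order subgroup of it.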
Ring

• Definition: a ring $R = \langle S, +, \times \rangle$ (+ is addition, × is multiplication) such that
  – R1: $\forall a, b \in S$: $a + b \in S$ and $a \times b \in S$ (closure)
  – R2: $\langle S, + \rangle$ is an Abelian group
  – R3: $\forall a, b, c \in S$: $(a \times b) \times c = a \times (b \times c)$
  – R4: $\forall a, b, c \in S$: $a \times (b + c) = a \times b + a \times c$ and $(b + c) \times a = b \times a + c \times a$
• Example
  – The set of even integers with + and × is a ring (one without a multiplicative identity)
  – p, q two primes, n = pq: $\mathbb{Z}_n = \{0, 1, \dots, n - 1\}$ with addition and multiplication mod n is a ring

Field

• Definition: a field F is $\langle S, +, \times \rangle$ with
  – F1: $\langle S, +, \times \rangle$ is a commutative ring ($a \times b = b \times a$)
  – F2: there is a multiplicative identity 1 with $a \times 1 = 1 \times a = a$
  – F3: every nonzero element $a \in S$ has a unique inverse $a^{-1}$ with $a \times a^{-1} = a^{-1} \times a = 1$
• Example
  – $\mathbb{Z}_n = \langle \{0, 1, \dots, n - 1\}, +, \times \rangle$ is a field if and only if n is prime

Relationship

• Group: + and −
• Ring: +, − and ×
• Field: +, −, × and ÷
• All three are used in cryptography

Several Important Structures

• $\mathbb{Z}_n$
• $\mathbb{Z}_n^*$
• $\mathbb{Z}_p$
• Polynomial rings
• Galois field $\mathbb{F}_{2^n}$

$\mathbb{Z}_n$

• $\mathbb{Z}_n$ is the "ring" of integers modulo n
  – $\mathbb{Z}_n = \{0, 1, 2, \dots, n - 1\}$
  – Ordinary addition modulo n
  – Ordinary multiplication modulo n
• Example
  – $\mathbb{Z}_{26}$ for the English alphabet
  – $\mathbb{Z}_{256}$ for ASCII bytes

$\mathbb{Z}_n$ Properties

• Additive and multiplicative identities in $\mathbb{Z}_n$
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: yes, for every x
  – A number y such that $x + y \equiv 0 \pmod n$
• Multiplicative inverse: not for all x
  – A number y such that $xy \equiv 1 \pmod n$
  – The elements of $\mathbb{Z}_n$ that have an inverse are exactly $\{x \mid \gcd(x, n) = 1\}$

$\mathbb{Z}_n^*$

• $\mathbb{Z}_n^*$ is the "group" of units modulo n
  – $\mathbb{Z}_n^* = \{x \in \mathbb{Z}_n \mid \gcd(x, n) = 1\}$
  – $|\mathbb{Z}_n^*| = \varphi(n)$
  – Ordinary multiplication modulo n
• $\mathbb{Z}_n^*$ is in general not a group under +
  – Example: n = 20, $3, 5 \in \mathbb{Z}_{20}^*$ but $3 + 5 = 8 \notin \mathbb{Z}_{20}^*$
• So $\mathbb{Z}_n^*$ is not a field

$\mathbb{Z}_p$

• $\mathbb{Z}_p$ is the "field" of integers modulo a prime p
  – $\mathbb{Z}_p = \{0, 1, 2, \dots, p - 1\}$
  – Ordinary addition modulo p
  – Ordinary multiplication modulo p
• Example: $\mathbb{Z}_2$
  Addition (= XOR)      Multiplication (= AND)      Inverses
    + | 0 1               × | 0 1                   w   −w   w⁻¹
    0 | 0 1               0 | 0 0                   0    0    –
    1 | 1 0               1 | 0 1                   1    1    1

Polynomial Ring

• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form
  $f(x) = a_n x^n + a_{n-1} x^{n-1} + \dots + a_1 x + a_0$, where each $a_i \in R$ and $n \ge 0$
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x with coefficients from R

Polynomial Ring Example

• Example: let $f(x) = x^3 + x + 1$ and $g(x) = x^2 + x$ be elements of $\mathbb{Z}_2[x]$
  – $f(x) + g(x) = x^3 + x^2 + 1$
  – $f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1$ (in $\mathbb{Z}_2$, $-1 = 1$)
  – $f(x) \cdot g(x) = x^5 + x^4 + x^3 + x$

Set of Residues Modulo p(x)

• Definition: the set of residues modulo p(x) of R[x] is the set of remainders of R[x] on division by p(x)
  – To obtain a field, p(x) is taken to be an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written $a(x) \equiv b(x) \pmod{p(x)}$, iff $p(x) \mid (a(x) - b(x))$
• Example
  – In $\mathbb{Z}_5[x]$: $3x^3 + 4x + 4 \equiv x + 4 \pmod{x^2 + 1}$
    because $3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)$
• Definition: if $a(x) b(x) \equiv 1 \pmod{p(x)}$ then $b(x) = a^{-1}(x) \bmod p(x)$

Irreducible Polynomials

• Definition: if $a(x) = q(x) b(x)$ then a(x) is divisible by b(x), denoted $b(x) \mid a(x)$
• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial $b(x) \in R[x]$ with $0 < \deg b(x) < \deg a(x)$ and $b(x) \mid a(x)$

Example: $\mathbb{Z}_2[x]/(x^3 + x + 1)$

• $S = \{0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1\}$, $p(x) = x^3 + x + 1$
• For any $f(x) \in \mathbb{Z}_2[x]$, $f(x) \bmod p(x) \in S$
• Example
  – $x^4 + 1 = x \cdot x^3 + 1 \equiv x(x + 1) + 1 = x^2 + x + 1 \pmod{p(x)}$, using $x^3 \equiv x + 1$
• Note: for p(x) of degree d, R[x]/p(x) is the set of all polynomials $f(x) \in R[x]$ with $\deg f(x) < d$; irreducibility of p(x) is what makes this set a field

$\mathbb{Z}_2[x]/(x^3 + x + 1)$ Properties

• S is a group under addition in R
  – 0 is the identity and the inverse of $a \in S$ is a itself
  – Example: $(x^2 + 1) + (x^2 + 1) = 0$
• $S \setminus \{0\}$ is a group under multiplication mod p(x)
  – 1 is the identity and every nonzero $a \in S$ has an inverse
  – Example: $(x^2 + 1) \cdot x = x^3 + x \equiv (x + 1) + x = 1 \pmod{x^3 + x + 1}$
  – Note: the inverse can be found with the Extended Euclidean Algorithm applied to polynomials
• $\mathbb{Z}_2[x]/(x^3 + x + 1)$ is a field

Galois Field

• Definition: a Galois field is (S, +, ×) where
  – S = F[x]/p(x)
  – F is a field $\mathbb{Z}_N$ (N prime)
  – + is addition in F[x] (coefficient-wise in F), × is multiplication modulo p(x)
  – p(x) is irreducible over F
• The Galois field $\mathbb{Z}_N[x]/p(x)$ is denoted $GF(N^n)$ where $n = \deg p(x)$

Why Galois Fields

• For an 8-bit block
  – $\mathbb{Z}_{256} = \{0, 1, \dots, 255\}$ is not a field (256 is not prime)
  – $\mathbb{Z}_{251} = \{0, 1, \dots, 250\}$ is a field
    The largest prime < 256 is 251
    The byte values 251, …, 255 would be wasted
• Is it possible to find a field with exactly 256 elements?
  – Yes: a Galois field, $GF(2^8)$

Galois Field for 8-bit Blocks

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  $10010111 \leftrightarrow 1 \cdot x^7 + 0 \cdot x^6 + 0 \cdot x^5 + 1 \cdot x^4 + 0 \cdot x^3 + 1 \cdot x^2 + 1 \cdot x^1 + 1 \cdot x^0$
• The field is $\mathbb{Z}_2[x]/p(x)$ where $\deg p(x) = 8$
• Note: many cryptographic designs use binary Galois fields $GF(2^n)$

Galois Field Example: AES

• The byte arithmetic in AES uses $GF(2^8) = \mathbb{Z}_2[x]/p(x)$ with $p(x) = x^8 + x^4 + x^3 + x + 1$
• Example
  – $01010011 \leftrightarrow x^6 + x^4 + x + 1$
  – $(01010011)^{-1} \leftrightarrow (x^6 + x^4 + x + 1)^{-1} \bmod p(x) = x^7 + x^6 + x^3 + x \leftrightarrow 11001010$

Galois Field Example: AES

• Example: $02 \cdot 87$ (hexadecimal bytes)
  – $87 = 10000111 \leftrightarrow f(x) = x^7 + x^2 + x + 1$
  – $02 = 00000010 \leftrightarrow x$
  – $02 \cdot 87 \leftrightarrow x \cdot f(x) = x(x^7 + x^2 + x + 1) \bmod p(x) = x^8 + x^3 + x^2 + x \bmod p(x)$
    $= (x^4 + x^3 + x + 1) + x^3 + x^2 + x = x^4 + x^2 + 1 \leftrightarrow 00010101 = 15$, using $x^8 \equiv x^4 + x^3 + x + 1 \pmod{p(x)}$
• In general, multiplying a byte $b_7 b_6 \dots b_0$ by 02 ("xtime") is a left shift with a conditional reduction:
  $02 \cdot b = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)$ if $b_7 = 0$
  $02 \cdot b = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus (00011011)$ if $b_7 = 1$

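
The $GF(2^8)$ arithmetic of the two AES slides (xtime, the inverse of 53, and the product 02 · 87) as an added example that is not from the original slides or from any AES implementation. The inverse is computed as $a^{254}$, which follows from Lagrange's theorem on the multiplicative group of order 255 rather than from the polynomial extended Euclidean algorithm the slides mention; the function names are my own.

```python
"""GF(2^8) arithmetic as used in AES: bytes as polynomials over Z_2 modulo
p(x) = x^8 + x^4 + x^3 + x + 1 (0x11B).

Added example, not from the original slides; standard library only.
"""

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, including the x^8 bit


def xtime(b):
    """Multiply by x (the byte 02): shift left, reduce by p(x) if bit 7 was set."""
    b <<= 1
    if b & 0x100:
        b ^= AES_POLY
    return b & 0xFF


def gf_mul(a, b):
    """Multiply two field elements by shift-and-add (repeated xtime)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^8)."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def gf_inv(a):
    """a^{-1} = a^254: the nonzero elements form a group of order 255, so
    a^255 = 1 (Lagrange) and a * a^254 = 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    return gf_pow(a, 254)


def poly_str(b):
    """Render a byte as the polynomial it encodes, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    terms = []
    for i in range(7, -1, -1):
        if (b >> i) & 1:
            terms.append({0: "1", 1: "x"}.get(i, f"x^{i}"))
    return " + ".join(terms) if terms else "0"


def is_field():
    """Sanity check: every nonzero byte has an inverse and the inverses are distinct."""
    return sorted(gf_inv(a) for a in range(1, 256)) == list(range(1, 256))


if __name__ == "__main__":
    print(f"02 * 87 = {gf_mul(0x02, 0x87):02X}")
    print(f"53^-1 = {gf_inv(0x53):02X}  ({poly_str(0x53)})^-1 = {poly_str(gf_inv(0x53))}")
    print("every nonzero byte invertible:", is_field())
```

`is_field` is the computational counterpart of the statement that $\mathbb{Z}_{256}$ is not a field but $GF(2^8)$ is: the same check on multiplication modulo 256 would fail for every even byte.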
Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• Message space: $P = M^L = \{m = (m_1, m_2, \dots, m_L) \mid m_i \in M\}$
  – $M = \{a_i \mid i = 1, 2, \dots, N\}$ with $p(a_i) \ge 0$ and $\sum_{i=1}^{N} p(a_i) = 1$
• Key space: $K = B^R = \{b = (b_1, b_2, \dots, b_R) \mid b_i \in B\}$
  – $B = \{b_i \mid i = 1, 2, \dots, S\}$ with $p(b_i) \ge 0$ and $\sum_{i=1}^{S} p(b_i) = 1$
• Ciphertext space: $C = \{c \mid c = e_k(m), k \in K, m \in P\}$
• [Figure omitted in this transcript: Sender → Encryption (m ↦ c) → Decryption (c ↦ m) → Receiver; the key k reaches both ends over a secure channel; the cryptanalyst observes c. Labelled spaces: Key Space (K), Message Space (P), Ciphertext Space (C)]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." (R. G. Gallager)
Claude Shannon, 1916–2001

Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\; c \in C(k)} \Pr[K = k] \Pr[P = d_k(c)]$
  – $C(k) = \{e_k(m) \mid m \in P\}$, the ciphertexts reachable under key k
• $\Pr[C = c \mid P = m] = \sum_{k \in K,\; m = d_k(c)} \Pr[K = k]$
• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \Pr[P = m]}{\Pr[C = c]}$
  $= \dfrac{\Pr[P = m] \sum_{k \mid m = d_k(c)} \Pr[K = k]}{\sum_{k \in K,\; c \in C(k)} \Pr[K = k] \Pr[P = d_k(c)]}$

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: an encryption scheme is Shannon secure if, for the probability distribution of P,
  $\forall c \in C, \forall m \in P: \Pr[P = m] = \Pr[P = m \mid C = c]$
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where $|K| = |P| = |C|$ (and every plaintext has positive probability)
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability $1/|K|$, and
  – for every $x \in P$ and every $y \in C$ there is a unique key k such that $e_k(x) = y$

Proof of ⇐

• Assume uniform keys and a unique key for every (x, y) pair. By the formula for the posterior,
  $\Pr[x \mid y] = \dfrac{\sum_{k \in K,\; x = d_k(y)} \Pr[K = k] \Pr[P = x]}{\sum_{k \in K,\; y \in C(k)} \Pr[K = k] \Pr[P = d_k(y)]}$
• Numerator: exactly one key maps x to y, so $\sum_{k \in K,\; x = d_k(y)} \Pr[K = k] = 1/|K|$ and the numerator is $\Pr[P = x] / |K|$
• Denominator: $\sum_{k \in K,\; y \in C(k)} \Pr[K = k] \Pr[P = d_k(y)] = \dfrac{1}{|K|} \sum_{k \in K,\; y \in C(k)} \Pr[P = d_k(y)] = \dfrac{1}{|K|} \sum_{x' \in P} \Pr[P = x'] = \dfrac{1}{|K|}$
  (as k ranges over K, $d_k(y)$ ranges over every plaintext exactly once, because each x has a unique key with $e_k(x) = y$)
• Hence $\Pr[x \mid y] = \Pr[P = x]$: perfect secrecy

Proof of ⇒ (unique key)

• Assume $\Pr[y] > 0$ for every $y \in C$ (a ciphertext that can never occur may simply be removed from C)
• Perfect secrecy $\Pr[x \mid y] = \Pr[x]$ is equivalent, by Bayes' rule, to $\Pr[y \mid x] = \Pr[y]$
• Fix $x \in P$ and $y \in C$: $\Pr[y \mid x] = \Pr[y] > 0$, so at least one key k satisfies $e_k(x) = y$
• $|\{e_k(x) \mid k \in K\}| = |C| = |K|$: the |K| keys send x to |K| distinct ciphertexts
  – There are no $k_1 \neq k_2$ with $e_{k_1}(x) = e_{k_2}(x)$
  – So there is a unique key k such that $e_k(x) = y$

Proof of ⇒ (equal key probability)

• Let $n = |K|$ and $P = \{x_i \mid 1 \le i \le n\}$
• Fix a ciphertext y; by the previous step there are keys $k_1, k_2, \dots, k_n$ with $e_{k_i}(x_i) = y$, one for each plaintext
• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i] \Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i] \Pr[x_i]}{\Pr[y]}$
• Perfect secrecy gives $\Pr[x_i \mid y] = \Pr[x_i]$, so $\Pr[K = k_i] = \Pr[y]$ for every i
  – The $k_i$ are distinct and exhaust K, so every key is used with equal probability $1/|K|$

"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has $|K| \ge n$
• Proof
  – Consider a probability distribution on P that is nonzero everywhere
  – Given any ciphertext $C = c$ with $\Pr[C = c] > 0$, for every m
    $\Pr[P = m \mid C = c] = \Pr[P = m] > 0$, so there must be a key that decrypts c to m
  – One key decrypts c to only one message, so at least n keys are needed

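
Perfect secrecy checked by exhaustive computation, as an added example (not from the original slides): it evaluates the posterior $\Pr[P = m \mid C = c]$ from the formulas on the "Probability Distribution of C" slide for a shift cipher over $\mathbb{Z}_5$, and shows the theorem's two conditions at work: uniform keys give perfect secrecy for any plaintext distribution, biased keys break it, and fewer keys than messages break it ("Bad News"). The cipher, the distributions and all names are constructed for this example; exact fractions are used so that the equality test is not disturbed by rounding.

```python
"""Perfect secrecy, checked exhaustively on a tiny cryptosystem.

Added example, not from the original slides. Computes the joint
distribution of (P, C) under a given key distribution and tests the
definition Pr[P = m | C = c] = Pr[P = m] for every m and c.
"""
from fractions import Fraction


def posterior_table(plaintexts, keys, encrypt, pr_p, pr_k):
    """Return {(m, c): Pr[P = m | C = c]} with Pr[C = c] = sum_k Pr[K = k] Pr[P = d_k(c)]."""
    pr_c = {}
    joint = {}
    for m in plaintexts:
        for k in keys:
            c = encrypt(k, m)
            w = pr_p[m] * pr_k[k]
            joint[(m, c)] = joint.get((m, c), 0) + w
            pr_c[c] = pr_c.get(c, 0) + w
    return {(m, c): w / pr_c[c] for (m, c), w in joint.items()}


def has_perfect_secrecy(plaintexts, keys, encrypt, pr_p, pr_k):
    """True iff the posterior equals the prior for every (m, c) with Pr[C = c] > 0.
    An (m, c) pair that can never occur has posterior 0 and therefore fails."""
    post = posterior_table(plaintexts, keys, encrypt, pr_p, pr_k)
    ciphertexts = {c for (_, c) in post}
    return all(post.get((m, c), 0) == pr_p[m] for m in plaintexts for c in ciphertexts)


def shift_cipher(n):
    """e_k(m) = m + k mod n on Z_n: |K| = |P| = |C| = n and a unique key per (m, c)."""
    return lambda k, m: (m + k) % n


def uniform(items):
    return {x: Fraction(1, len(items)) for x in items}


# Constructed example: a skewed plaintext distribution over Z_5.
N = 5
MSGS = list(range(N))
SKEWED = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8),
          3: Fraction(1, 16), 4: Fraction(1, 16)}


def otp_is_perfect():
    """Uniform keys over Z_5: perfect secrecy holds for the skewed plaintexts too."""
    return has_perfect_secrecy(MSGS, MSGS, shift_cipher(N), SKEWED, uniform(MSGS))


def biased_keys_break_secrecy():
    """Same cipher, but key 0 twice as likely as the others: the posterior leaks."""
    biased = {k: Fraction(1, N + 1) for k in MSGS}
    biased[0] = Fraction(2, N + 1)
    return not has_perfect_secrecy(MSGS, MSGS, shift_cipher(N), SKEWED, biased)


def too_few_keys_break_secrecy():
    """Only 3 keys for 5 messages (|K| < |P|): some (m, c) pairs are impossible."""
    keys = [0, 1, 2]
    return not has_perfect_secrecy(MSGS, keys, shift_cipher(N), SKEWED, uniform(keys))


if __name__ == "__main__":
    print("uniform keys, perfect secrecy:", otp_is_perfect())
    print("biased keys leak:", biased_keys_break_secrecy())
    print("|K| < |P| leaks:", too_few_keys_break_secrecy())
```

The biased-key case is the one that bites in practice: a one-time pad whose key bytes come from a skewed generator is structurally a perfect cipher, yet the posterior the attacker can compute already differs from the prior.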
Introduction to Complexity

• Perfect secrecy requires key length ≥ message length
  – One key can NOT be reused to encrypt many messages
  – For example, a 56-bit key cannot give perfect secrecy for a document longer than 56 bits
• So modern cryptography
  – does NOT aim for perfect secrecy
  – is secure against adversaries with limited resources (computational complexity)
  – meaning that key (or plaintext) recovery is computationally difficult
  – Complexity theory is the foundation of modern cryptography

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers $a, b \in \mathbb{N}$
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: a Turing Machine is given by a transition function $\delta: S \times B \to S \times B \times \{l, r\}$
  – where S is the set of states, B is the tape alphabet (characters), l is "shift left" and r is "shift right"
• [Figure omitted in this transcript: an infinite tape (… 0 1 1 0 0 0 1 1 …) read and written by a finite state machine]

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms

• [Figure omitted in this transcript: PROBLEM → INSTANCES → (Input) ALGORITHM (Output)]

Complexity of an Algorithm

• Definition: the time complexity of an algorithm is how many steps (of the TM) are necessary to produce the solution for a given instance of size n
• Time complexity functions (TCF)
  – Logarithmic functions: $f(n) = \log n$
  – Polynomial functions: $f(n) = n^a$, $a \in \mathbb{N}$
  – Exponential functions: $f(n) = \Omega(a^n)$ for some $a \in \mathbb{N}$, $a > 1$, and there exists $b \in \mathbb{N}$ with $f(n) = O(b^n)$

Complexity of a Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine than that of an algorithm
  – It relies on mathematical analysis (lower bounds), not on measuring one algorithm
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problems

• Undecidable (provably intractable)
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P: can be solved in polynomial time using a deterministic TM (DTM)
    Example: $\delta: S \times B \to S \times B \times \{l, r\}$ (one successor configuration)
  – NP: can be solved in polynomial time using a nondeterministic TM (NDTM)
    $\delta: S \times B \to 2^{S \times B \times \{l, r\}}$ (a set of successor configurations)
  – BPP: can be "solved" in polynomial time using a probabilistic TM (PTM) with bounded error
    $\delta: S \times B \times \{0, 1\} \to S \times B \times \{l, r\}$, the extra input being a random bit (randomized algorithms)

NP Problems

• A problem is in NP if it is solved by an NDTM: the NDTM produces "YES" whenever there is a solution
• Remark
  – P ⊆ NP
  – NP problems are "more difficult" by intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: assume $Q_1, Q_2 \in NP$ with instance sets $I_1$, $I_2$, and let $I_1^+$, $I_2^+$ be their 'yes' instances
  $Q_1$ is polynomially reducible to $Q_2$ if there is a function $f: I_1 \to I_2$ such that
  – f is computable in polynomial time by a DTM
  – for all $x \in I_1$: $x \in I_1^+$ iff $f(x) \in I_2^+$
• Note
  – $Q_2$ is at least as hard as $Q_1$
  – Denoted $Q_1 \le_{poly} Q_2$

NP Completeness (NPC)

• Definition: a problem $Q_c$ is NP-complete if $Q_c \in NP$ and for every $Q \in NP$ we have $Q \le_{poly} Q_c$
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove that a problem $Q \in NP$ is NPC
  – Show $SAT \le_{poly} Q$ (by Cook's theorem, SAT is NPC)

P = NP?

• Either P = NP, or there is a problem $p \in NP$ with $p \notin P$
• If P = NP
  – Modern (complexity-based) cryptography is NOT secure
• If there is $p \in NP$ with $p \notin P$
  – One-way functions may be built on such a p (P ≠ NP is necessary for one-way functions to exist, though not known to be sufficient)
  – If one-way functions exist, indistinguishable pseudorandom functions exist
  – These are the foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem is solved with a bounded error probability
  – The error probability can be reduced by repetition
  – The security of cryptography is stated with respect to BPP adversaries
  – Analyzed in depth later in the course

Problems in Cryptography

• FACTORING: factorize $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$
• DLP (discrete logarithm): given a generator α of $\mathbb{Z}_p^*$ and β, find x satisfying $\alpha^x \equiv \beta \pmod p$
• DHP (Diffie–Hellman): find $\alpha^{ab} \pmod p$ from $\alpha^a \pmod p$ and $\alpha^b \pmod p$
• Subset-Sum: given a set of positive integers $A = \{a_1, a_2, \dots, a_n\}$ and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP (quadratic residuosity): decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying $x^2 \equiv a \pmod n$

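
Brute-force solvers for the problems just listed, on tiny instances, as an added example that is not from the original slides; the names are my own and the purpose is only to make the definitions concrete. Euler's criterion decides QRP for a prime modulus, and for $p \equiv 3 \pmod 4$ SQROOT has the closed form $x = a^{(p+1)/4}$; modulo a composite n with unknown factors there is no such shortcut, which is what RSA-type schemes rely on.

```python
"""Small-instance solvers for DLP, DHP (via DLP), QRP and SQROOT.

Added example, not from the original slides; standard library only. At
these sizes brute force is instant; real systems pick parameters for which
every method below is infeasible.
"""


def dlp_bruteforce(alpha, beta, p):
    """Find x with alpha^x = beta (mod p) by exhaustive search over 0..p-2."""
    x, acc = 0, 1
    while x < p - 1:
        if acc == beta % p:
            return x
        acc = acc * alpha % p
        x += 1
    raise ValueError("no discrete log: beta is not in the subgroup generated by alpha")


def dhp_via_dlp(alpha, alpha_a, alpha_b, p):
    """Solve DHP by solving one DLP: recover a, then compute (alpha^b)^a.
    This is the reduction DHP <=_poly DLP."""
    a = dlp_bruteforce(alpha, alpha_a, p)
    return pow(alpha_b, a, p)


def is_quadratic_residue(a, p):
    """QRP for an odd prime p, by Euler's criterion: a^((p-1)/2) = 1 (mod p)."""
    a %= p
    if a == 0:
        return True
    return pow(a, (p - 1) // 2, p) == 1


def sqrt_mod(a, p):
    """SQROOT for an odd prime p = 3 (mod 4): x = a^((p+1)/4) satisfies
    x^2 = a^((p-1)/2) * a = a. Returns both roots (x, p - x)."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p = 3 (mod 4)")
    if not is_quadratic_residue(a, p):
        raise ValueError(f"{a} is not a quadratic residue modulo {p}")
    x = pow(a, (p + 1) // 4, p)
    return (x, (p - x) % p)


def sqrt_mod_composite(a, n):
    """SQROOT modulo a composite n by brute force: a square has four roots
    modulo n = p*q, and any two non-opposite roots reveal a factor of n."""
    return sorted(x for x in range(n) if x * x % n == a % n)


if __name__ == "__main__":
    print("log_3(6) mod 7 =", dlp_bruteforce(3, 6, 7))
    print("DHP from 3^4, 3^5 mod 7:", dhp_via_dlp(3, pow(3, 4, 7), pow(3, 5, 7), 7))
    print("2 is a QR mod 7:", is_quadratic_residue(2, 7), "; roots:", sqrt_mod(2, 7))
    print("roots of 4 mod 15:", sqrt_mod_composite(4, 15))
```

The composite case illustrates the equivalence with factoring mentioned above: from the roots 2 and 7 of 4 modulo 15, $\gcd(7 - 2, 15) = 5$ is a nontrivial factor.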
Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based purely on complexity
  – The ciphertext may leak only a negligible amount of partial information
  – An "approximate" perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – It is difficult to distinguish the ciphertexts of different plaintexts
  – It is difficult to distinguish a ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is $(t, \varepsilon)$ IND-CPA secure if no t-time adversary wins the following game with probability $\ge 0.5 + \varepsilon$
• The game
  Challenger: picks a random key k and a random bit $b \in \{0, 1\}$
  Adversary: picks $M_0, M_1$ of equal length (and may ask the challenger to encrypt plaintexts of its choice under k)
  Challenger: returns $c = E_k(M_b)$
  Adversary: outputs a guess b'
  The attacker wins the game if b = b'

Bit Secure

• A cipher is $(t, \varepsilon)$ bit secure if no t-time adversary wins the following game with probability $\ge 0.5 + \varepsilon$
• The game
  1. Challenger picks a random key k
  2. Challenger picks a random message M and sends $c = E_k(M)$
  3. Adversary picks an index i
  Adversary outputs a bit a; the attacker wins the game if a = the i-th bit of M

Semantic Security

• Any cipher that is $(t, \varepsilon)$ IND-CPA secure against eavesdroppers is also $(t, \varepsilon)$ bit secure
• Proof: given a $(t, \varepsilon)$ attacker against bit security, build a $(t, \varepsilon)$ attacker against IND-CPA security
  – Pick an index i and two random messages $M_0, M_1$ of equal length that differ only in bit i; receive $c = E_k(M_b)$
  – Run the bit attacker on (c, i) to obtain a guess a for bit i of the encrypted message
  – Output b' = 0 if a equals bit i of $M_0$, otherwise b' = 1; b' = b exactly when the bit attacker is right, so its success probability carries over to the IND-CPA game

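
The IND-CPA game and the bit-security reduction from the last three slides, simulated with constructed toy ciphers. This is an added example, not from the original slides: the deterministic cipher (the key reused as a pad) loses to an adversary that replays $M_0$ through the chosen-plaintext oracle; the randomized cipher (fresh nonce, SHA-256 as a stand-in PRF, for demonstration only) holds the replay adversary at about 1/2; and a deliberately flawed cipher that leaks one plaintext bit is broken through the reduction exactly as in the proof sketch. All cipher and class names are my own.

```python
"""The IND-CPA game and the bit-security -> IND-CPA reduction, simulated.

Added example (not from the original slides). The three ciphers are
constructed toys for the demonstration, not real constructions.
"""
import hashlib
import secrets


def det_encrypt(key, msg):
    """Toy cipher 1: msg XOR key with the key reused. Deterministic, so a
    chosen-plaintext oracle reveals which challenge message was encrypted."""
    return bytes(m ^ k for m, k in zip(msg, key))


def rnd_encrypt(key, msg):
    """Toy cipher 2: nonce || (msg XOR SHA256(key || nonce)), fresh nonce per call.
    SHA-256 stands in for a PRF here; this is a demonstration, not a design."""
    nonce = secrets.token_bytes(16)
    pad = hashlib.sha256(key + nonce).digest()[: len(msg)]
    return nonce + bytes(m ^ p for m, p in zip(msg, pad))


def lsb_leak_encrypt(key, msg):
    """Toy cipher 3: randomized, but leaks bit 0 of msg[0] as a trailer byte."""
    return rnd_encrypt(key, msg) + bytes([msg[0] & 1])


def ind_cpa_game(encrypt, adversary, trials=200):
    """Play the IND-CPA game `trials` times and return the adversary's win rate.

    Challenger: random key k, random bit b. Adversary: chooses M0, M1 with
    chosen-plaintext access, receives c = E_k(M_b), outputs b'. Wins iff b' == b.
    """
    wins = 0
    for _ in range(trials):
        key = secrets.token_bytes(16)
        b = secrets.randbelow(2)

        def oracle(m, key=key):            # chosen-plaintext encryption oracle
            return encrypt(key, m)

        m0, m1 = adversary.choose(oracle)
        assert len(m0) == len(m1)
        c = encrypt(key, m1 if b else m0)
        wins += adversary.guess(oracle, m0, m1, c) == b
    return wins / trials


class ReplayAdversary:
    """Asks the oracle for E(M0) and compares it with the challenge ciphertext."""
    def choose(self, oracle):
        return b"attack at dawn!!", b"retreat at dusk!"

    def guess(self, oracle, m0, m1, c):
        return 0 if oracle(m0) == c else 1


def bit_attacker(c, i):
    """Bit-security attacker against lsb_leak_encrypt: for i = 0 the trailer
    byte is exactly bit i of the plaintext; for other i it guesses 0."""
    return c[-1] if i == 0 else 0


class ReductionAdversary:
    """IND-CPA attacker built from a bit attacker, as in the proof sketch:
    M0 and M1 differ only in bit i, so the bit attacker's answer reveals b."""
    def __init__(self, bit_attacker, i=0):
        self.bit_attacker, self.i = bit_attacker, i

    def choose(self, oracle):
        m0 = bytearray(secrets.token_bytes(16))
        m1 = bytearray(m0)
        m1[self.i // 8] ^= 1 << (self.i % 8)      # flip bit i only
        return bytes(m0), bytes(m1)

    def guess(self, oracle, m0, m1, c):
        a = self.bit_attacker(c, self.i)
        bit_i_of_m0 = (m0[self.i // 8] >> (self.i % 8)) & 1
        return 0 if a == bit_i_of_m0 else 1


if __name__ == "__main__":
    print("deterministic vs replay:", ind_cpa_game(det_encrypt, ReplayAdversary()))
    print("randomized vs replay:", ind_cpa_game(rnd_encrypt, ReplayAdversary()))
    print("bit leak vs reduction:", ind_cpa_game(lsb_leak_encrypt, ReductionAdversary(bit_attacker)))
```

The first result is the practical lesson behind the definition: any deterministic encryption, ECB-mode block encryption included, fails IND-CPA with probability 1, even though the underlying primitive may be perfectly sound.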
Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – $\mathbb{Z}_n$, $\mathbb{Z}_p$, $GF(2^n)$
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL
  http://cst.hit.edu.cn/cryptography
• Due Date
Zhijun Li S1034040Autumn08HIT 11
Euclidean Algorithm Example
1970 = 1 x 1066 + 904 gcd(1066 904)1066 = 1 x 904 + 162 gcd(904 162)904 = 5 x 162 + 94 gcd(162 94)162 = 1 x 94 + 68 gcd(94 68)94 = 1 x 68 + 26 gcd(68 26)68 = 2 x 26 + 16 gcd(26 16)26 = 1 x 16 + 10 gcd(16 10)16 = 1 x 10 + 6 gcd(10 6)10 = 1 x 6 + 4 gcd(6 4)6 = 1 x 4 + 2 gcd(4 2)4 = 2 x 2 + 0 gcd(2 0)
GCD(19701066)
Zhijun Li S1034040Autumn08HIT 12
Euclidean Algorithm
bull Step 1 r0 =a and r1 =b
bull Step 2 r0 =q1r1+ r2
r1 =q2r2+ r3
helliphellip
rn-2 = qn-1rn-1+ rn
until rn=0 and rn-1 0
bull Step 3 rn-1 = gcd(ab)
Zhijun Li S1034040Autumn08HIT 13
Euclidean Algorithm Proof
bull rn = 0 rn-1| rn-2
rn-1| rn-3 hellip rn-1| a and rn-1| b
rn-1| gcd(ab)
bull gcd(ab)| r0 and gcd(ab)|r1
gcd(ab) | r0 ndash q1r1 gcd(ab)| r2
hellip gcd(ab) | rn-1
bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1
Zhijun Li S1034040Autumn08HIT 14
Euclidean Algorithm Complexity
bull Time Complexityndash Iteration
bull Each rigt1 iteration = O(log2a)
ndash Division
bull O(log22a)
ndash T(n)=O(log32n)
Zhijun Li S1034040Autumn08HIT 15
Modular Arithmetic
bull Why modular arithmetic
01100hellip0100
Plaintext 2n
11010hellip0111
Ciphertext 2n
+ addition multiplication
Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite
Zhijun Li S1034040Autumn08HIT 16
Modular Operation
bull Definition a mod n(modulo operator) is the remainder when a is divided by n
bull a mod n is r a=qn+r (0ltrltn)
Zhijun Li S1034040Autumn08HIT 17
Congruence Modulo n
bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)
Zhijun Li S1034040Autumn08HIT 18
Congruence Properties
bull Propertiesndash a b (mod n) c d (mod n)
a+c b+d (mod n)
ac bd (mod n)ndash Example
10 1 mod 9 102 1 mod 9 hellip
a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9
ndash a b (mod n) d|n a b (mod d)
Zhijun Li S1034040Autumn08HIT 19
Congruence Relation
bull Congruence relation is an equivalence relationndash Reflexive
bull a andash Symmetric
bull a b b a ndash Transitive
bull a b b c a c
bull Equivalence relation Partition
Zhijun Li S1034040Autumn08HIT 20
Example Integers Modulo 7
bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence
Z7 residues modulo 7
Zhijun Li S1034040Autumn08HIT 21
Set of Residues
bull Definition if a b mod n and bltn b is called a residue of a modulo n
bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i
n the set satisfies bri mod n
bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele
ment is relatively prime to n
Zhijun Li S1034040Autumn08HIT 22
Set of Residues Example
bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379
bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1
Zhijun Li S1034040Autumn08HIT 23
Modular Arithmetic
bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1
bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n
bull Proof Let a=q1n+r1 b=q2n+r2
bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n
ndash [(a mod n) (b mod n)] mod n = (ab) mod n
bull (+ ) (-)
Zhijun Li S1034040Autumn08HIT 24
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)
What
Zhijun Li S1034040Autumn08HIT 25
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )
NOT all elements in Z8
Zhijun Li S1034040Autumn08HIT 26
Modular Arithmetic Remark
bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n
bull ((-a)+a+b) ((-a)+a+c) mod n
bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8
ndash When
Zhijun Li S1034040Autumn08HIT 27
Multiplicative Inverse in Modular
bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n
bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists
bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=
0

Multiplicative Inverse Theorem
• Proof:
(⇐)
– gcd(a, n) = 1 ⟹ {a·1, …, a·(n−1)} mod n is a permutation of {1, …, n−1}
– So there exists exactly one i with a·i ≡ 1 (mod n)
– Therefore i is a⁻¹ mod n
(⇒)
– Suppose a⁻¹ exists; call it x
– a·x ≡ 1 (mod n), so a·x + y·n = 1 for some integer y
– gcd(a, n) = 1 (gcd(a, n) | a·x + y·n ⟹ gcd(a, n) | 1)

Euler's phi Function
• Euler's "phi" function φ(n)
– is the number of invertible elements of Zn
– is the number of elements in the reduced set of residues modulo n
• φ(n) calculation?

Chinese Remainder Theorem
• Theorem: let n1, n2, …, nk be integers s.t. gcd(ni, nj) = 1 (i ≠ j). The system
x ≡ a1 (mod n1)
x ≡ a2 (mod n2)
……
x ≡ ak (mod nk)
has a unique solution x modulo n = n1·n2·…·nk

Proof of CRT
• Consider the one-to-one map ψ: Zn → Zn1 × Zn2 × … × Znk,
ψ(x) = (x mod n1, x mod n2, …, x mod nk)
– CRT is to find ψ⁻¹(a1, a2, …, ak)
$\psi^{-1}(a_1, a_2, \ldots, a_k) = \sum_{i=1}^{k} a_i m_i y_i \bmod n$
– mi = n / ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
– yi = mi⁻¹ mod ni, 1 ≤ i ≤ k
– mi ≡ 0 (mod nj) for j ≠ i ⟹ ai·mi·yi ≡ 0 (mod nj) for j ≠ i
– yj ≡ mj⁻¹ (mod nj) ⟹ mj·yj ≡ 1 (mod nj) ⟹ aj·mj·yj ≡ aj (mod nj)
⟹ ψ⁻¹(a1, a2, …, ak) mod nj = aj

Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof:
– A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
– A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
– So φ(mn) = φ(m)·φ(n)

Finding Euler's phi Function
• φ(n) calculation for $n = \prod_{i=1}^{k} p_i^{e_i}$
• φ(p) = p − 1, φ(p^e) = p^e − p^(e−1)
– The numbers k·p (k = 1, …, p^(e−1) − 1) share the factor p with p^e: gcd(k·p, p^e) ≥ p
– So φ(p^e) = (p^e − 1) − (p^(e−1) − 1)
• $\varphi\left(\prod_{i=1}^{k} p_i^{e_i}\right) = \prod_{i=1}^{k} \left(p_i^{e_i} - p_i^{e_i - 1}\right)$
• φ(n) = n·(1 − 1/p1)·(1 − 1/p2)·…·(1 − 1/pk)

Euler's Theorem
• Theorem: If gcd(a, n) = 1 then a^φ(n) ≡ 1 (mod n)
• Proof:
1. Let R = {r1, r2, …, r_φ(n)} be a reduced set of residues modulo n
2. {a·r1, a·r2, …, a·r_φ(n)} is a permutation of R (gcd(a·ri, n) = 1)
3. $\prod_{i=1}^{\varphi(n)} r_i \equiv \prod_{i=1}^{\varphi(n)} a r_i \equiv a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} r_i \pmod{n}$
4. $\gcd\left(\prod_{i=1}^{\varphi(n)} r_i,\ n\right) = 1$. Hence a^φ(n) ≡ 1 (mod n)

Fermat's Little Theorem
• From Euler's Theorem:
Let n = p with p a prime.
Because for all 0 < a < p, gcd(a, p) = 1, we get
a^(p−1) ≡ 1 (mod p)
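To make the formulas of the last three slides concrete, here is an added Python example (my code, not course material): φ(n) computed from the prime factorization by the product formula, cross-checked against a direct count of the reduced residues, the multiplicativity φ(mn) = φ(m)·φ(n) for coprime m, n, and Euler's and Fermat's theorems verified with modular exponentiation. The trial-division factorizer and the function names are my own, and the factorizer is only meant for small n.

```python
from math import gcd


def factorize(n):
    """Prime factorization by trial division: returns {p: e} with n = prod p^e (small n only)."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Euler's phi via the slide's formula: prod (p^e - p^(e-1)) over the factorization."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def phi_by_counting(n):
    """Size of the reduced set of residues, counted directly (the definition of phi)."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def formula_matches_counting(limit):
    """Cross-check the product formula against the definition for 1 <= n <= limit."""
    return all(phi(n) == phi_by_counting(n) for n in range(1, limit + 1))


def phi_is_multiplicative(limit):
    """phi(mn) = phi(m) phi(n) whenever gcd(m, n) = 1, checked for all m, n <= limit."""
    return all(phi(m * n) == phi(m) * phi(n)
               for m in range(1, limit + 1) for n in range(1, limit + 1) if gcd(m, n) == 1)


def euler_holds(a, n):
    """a^phi(n) = 1 (mod n); true exactly when gcd(a, n) = 1 (Euler's theorem)."""
    return pow(a, phi(n), n) == 1


def fermat_holds_for_all(p):
    """a^(p-1) = 1 (mod p) for every 0 < a < p (Fermat's little theorem, p prime)."""
    return all(pow(a, p - 1, p) == 1 for a in range(1, p))


if __name__ == "__main__":
    print(factorize(84), phi(84))                    # {2: 2, 3: 1, 7: 1} 24
    print(euler_holds(7, 10), euler_holds(2, 10))    # True False (gcd(2, 10) != 1)
    print(fermat_holds_for_all(101))                 # True
```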

Finding a⁻¹ mod n
• Search through 1 … n−1 until an a⁻¹ is found such that a·a⁻¹ ≡ 1 (mod n)
– T(n) = O(n)
• Compute a⁻¹ = a^(φ(n)−1) mod n
– Finding φ(n) requires factoring n
– T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
– T(n) = O(log^a n)

From Euclidean Algorithm
• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
……
• r_{n−1} = s_{n−1}·r0 + t_{n−1}·r1
• r_{n−1} = gcd(r0, r1)
• If s_{n−1}·r0 + t_{n−1}·r1 = 1 then t_{n−1}·r1 ≡ 1 (mod r0), i.e. t_{n−1} ≡ r1⁻¹ (mod r0)
• Find t_{n−1}

s_i and t_i
• r0 = s0·r0 + t0·r1: s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1: s1 = 0, t1 = 1
……
• r_i = r_{i−2} − q_{i−1}·r_{i−1} = s_{i−2}·r0 + t_{i−2}·r1 − q_{i−1}·s_{i−1}·r0 − q_{i−1}·t_{i−1}·r1 = s_i·r0 + t_i·r1
s_i = s_{i−2} − q_{i−1}·s_{i−1}
t_i = t_{i−2} − q_{i−1}·t_{i−1}
• Only t_i is needed
• r_i = s_i·r0 + t_i·r1 ≡ t_i·r1 (mod r0)

Extended Euclidean Algorithm
Step 1: r0 = n and r1 = a
Step 2: r0 = q1·r1 + r2, r2 = r0 − q1·r1 ≡ −q1·r1 (mod n); let x2 = −q1, then r2 ≡ x2·r1 (mod n)
r1 = q2·r2 + r3, r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 (mod n); let x3 = 1 − x2·q2, then r3 ≡ x3·r1 (mod n)
……
r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1}, r_{n−1} = r_{n−3} − q_{n−2}·r_{n−2} (mod n); let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r1 (mod n). Now r_{n−1} = 1
Step 3: Result is x_{n−1} = a⁻¹ mod n
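The three ways of finding a⁻¹ mod n listed on the "Finding a⁻¹ mod n" slide, implemented side by side in Python as an added example (my code, not the course's). `extended_euclid` follows the s_i, t_i recurrences of the slides and is run on (n, a) as in Step 1, so that the final t is a⁻¹; the small `phi_count` helper is the direct count from the definition of φ and is here only to make method 2 self-contained. The function names are my own.

```python
from math import gcd


def inverse_by_search(a, n):
    """Method 1: scan x = 1..n-1 until a*x = 1 (mod n). T(n) = O(n)."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    return None                      # no inverse: gcd(a, n) != 1


def phi_count(n):
    """Euler's phi by counting the reduced residues; small n only (method 2 needs phi(n))."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def inverse_by_euler(a, n):
    """Method 2: a^-1 = a^(phi(n)-1) mod n, valid only when gcd(a, n) = 1 (Euler's theorem)."""
    if gcd(a, n) != 1:
        return None
    return pow(a, phi_count(n) - 1, n)


def extended_euclid(r0, r1):
    """Return (g, s, t) with g = gcd(r0, r1) = s*r0 + t*r1, using the recurrences
    s_i = s_{i-2} - q_{i-1} s_{i-1} and t_i = t_{i-2} - q_{i-1} t_{i-1} from the slides."""
    s_prev, s_cur = 1, 0             # s_0 = 1, s_1 = 0
    t_prev, t_cur = 0, 1             # t_0 = 0, t_1 = 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1     # r_i = r_{i-2} - q_{i-1} r_{i-1}
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    return r0, s_prev, t_prev        # r0 is now the last nonzero remainder r_{n-1}


def inverse_by_extended_euclid(a, n):
    """Method 3: Step 1 sets r0 = n, r1 = a; the final t satisfies t*a = 1 (mod n)."""
    g, _, t = extended_euclid(n, a)
    if g != 1:
        return None
    return t % n


def invertible_elements(n):
    """The elements of Z_n that have a multiplicative inverse: exactly those coprime to n."""
    return [a for a in range(1, n) if inverse_by_extended_euclid(a, n) is not None]


if __name__ == "__main__":
    for method in (inverse_by_search, inverse_by_euler, inverse_by_extended_euclid):
        print(method.__name__, method(3, 7), method(6, 8))   # 5 and None (6 has no inverse mod 8)
    print(invertible_elements(8))                              # [1, 3, 5, 7]
```

Only method 3 is usable at cryptographic sizes: method 1 is linear in n, and method 2 needs φ(n), which for an RSA modulus is as hard as factoring it.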

Outline
• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Algebraic Structures
• Why structures?
– Cryptographic transforms are normally carried out in some structure
• Definition: an algebraic structure is a collection of a set (S) with one or more operations (∘) performed on the elements of S
– Different algebraic structures are <S, ∘> satisfying some specific conditions

Group
• Definition: A group G = <S, ∘> is an algebraic structure that satisfies the following conditions:
– G1: ∀a, b ∈ S: a∘b ∈ S (closure rule)
– G2: ∀a, b, c ∈ S: (a∘b)∘c = a∘(b∘c)
– G3: ∃e ∈ S, ∀a ∈ S: a∘e = e∘a = a
– G4: ∀a ∈ S, ∃a⁻¹ ∈ S: a∘a⁻¹ = a⁻¹∘a = e
– [G5, Abelian group]: ∀a, b: a∘b = b∘a

Group: Example
• <Z, +>: e = 0, a⁻¹ = −a
• <Zn, +> (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a⁻¹ = n − a
• <Z2, ⊕> is also a group
• <Zp*, ×> (Zp* = {1, …, p−1}, '×' is multiplication modulo p)

Group Properties
• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G1 = <S1, ∘> is a subgroup of the group G = <S, ∘> if S1 ⊆ S
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange's Theorem: Proof
(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {a∘h | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (e ∈ H, so a ∈ aH). So the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of a Group Element
• Definition: The order of a group element a is defined as the least positive integer n such that
a^n = a∘a∘…∘a = e
• The order of a is denoted ord(a)
• Corollary: Suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n

ord(a) | n: Proof
• Proof:
– For a group G and a ∈ G, the set {a, a², …, a^ord(a)} together with the operator of G forms a subgroup of G
a^ord(a) = e, (a^i)⁻¹ = a^(ord(a)−i)
– This subgroup is denoted <a>

The Generator of a Group
• Definition: If all elements of a group can be generated by a single element g, then g is called the generator of the group
• Example:
– Consider <Z7*, ×>
– 2 generates 2¹ = 2, 2² = 4, 2³ = 8 ≡ 1 (mod 7), 2⁴ = 16 ≡ 2 (mod 7), …
• <{1, 2, 4}> is a subgroup
– 3 generates 3¹ = 3, 3² ≡ 2, 3³ ≡ 6, 3⁴ ≡ 4, 3⁵ ≡ 5, 3⁶ ≡ 1, …
• 3 is the generator
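The group axioms, element orders, the corollary ord(a) | |G| and the Z7* generator example can all be checked mechanically for small groups. The Python below is an added example (my code, not from the slides); the group operation is passed in as a function, so the same checker covers (Z8, +), (Z8, ×), (Z8*, ×) and (Z7*, ×). The function names are my own, and the brute-force checks are meant for small structures only.

```python
from itertools import product


def find_identity(elems, op):
    """The e with e*a = a*e = a for all a, or None (G3)."""
    for e in elems:
        if all(op(e, a) == a and op(a, e) == a for a in elems):
            return e
    return None


def is_group(elements, op):
    """Check G1-G4 of the Group slide by brute force (small finite structures only)."""
    elems = list(elements)
    if any(op(a, b) not in elems for a, b in product(elems, repeat=2)):
        return False                                   # G1: closure
    if any(op(op(a, b), c) != op(a, op(b, c)) for a, b, c in product(elems, repeat=3)):
        return False                                   # G2: associativity
    identity = find_identity(elems, op)
    if identity is None:
        return False                                   # G3: identity
    return all(any(op(a, b) == identity and op(b, a) == identity for b in elems)
               for a in elems)                         # G4: every element has an inverse


def element_order(a, op, identity):
    """Least k > 0 with a^k = e (terminates for every element of a finite group)."""
    x, k = a, 1
    while x != identity:
        x = op(x, a)
        k += 1
    return k


def orders(elements, op):
    """ord(a) for every element; only call on a set that is_group says is a group."""
    elems = list(elements)
    e = find_identity(elems, op)
    return {a: element_order(a, op, e) for a in elems}


def generators(elements, op):
    """Elements whose order equals |G|, i.e. whose powers run through the whole group."""
    elems = list(elements)
    return [g for g, k in orders(elems, op).items() if k == len(elems)]


def lagrange_holds(elements, op):
    """Corollary of Lagrange: ord(a) divides |G| for every a."""
    n = len(list(elements))
    return all(n % k == 0 for k in orders(elements, op).values())


add8 = lambda a, b: (a + b) % 8
mul8 = lambda a, b: (a * b) % 8
mul7 = lambda a, b: (a * b) % 7

if __name__ == "__main__":
    print(is_group(range(8), add8), is_group(range(8), mul8))   # True False (6 has no inverse mod 8)
    print(is_group([1, 3, 5, 7], mul8))                          # True: Z8* under multiplication
    print(orders(range(1, 7), mul7), generators(range(1, 7), mul7))  # ord(2) = 3; generators [3, 5]
```

The output for Z7* matches the slide: 2 has order 3 (it generates only {1, 2, 4}) while 3 has order 6 and is a generator; 5 is the other one.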

Ring
• Definition: A ring R = <S, +, ×> (+ is addition, × is multiplication) such that
– R1: ∀a, b ∈ S: a + b ∈ S, a × b ∈ S (closure rule)
– R2: <S, +> is an additive Abelian group
– R3: ∀a, b, c ∈ S: (a × b) × c = a × (b × c)
– R4: ∀a, b, c ∈ S: a × (b + c) = a × b + a × c
• Example:
– The set of even integers with + and × is a ring
– p, q two primes, n = pq: Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Field
• Definition: A field F is <S, +, ×> with
– F1: <S, +, ×> is a commutative ring (a × b = b × a)
– F2: There exists an identity element 1 with respect to multiplication: a × 1 = 1 × a = a
– F3: Any nonzero element a ∈ S has a unique inverse a⁻¹: a × a⁻¹ = a⁻¹ × a = 1
• Example:
– Zn = <{0, 1, …, n−1}, +, ×> is a field if n is a prime

Relationship
[diagram on the slide]
Group: +, −
Ring: +, −, ×
Field: +, −, ×, ÷
Used in cryptography

Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F_{2^n}

Zn
• Zn is the "ring" of integers modulo n
– Zn = {0, 1, 2, …, n−1}
– Normal addition modulo n
– Normal multiplication modulo n
• Example:
– Z26 for English
– Z256 for ASCII

Zn: Properties
• Additive and multiplicative identities in Zn:
– Additive identity is 0 mod n
– Multiplicative identity is 1 mod n
• Additive inverse: yes
– For every x in Zn there is a number y such that x + y = 0
• Multiplicative inverse: not for all x
– A number y such that x·y = 1
– The elements in Zn that have an inverse: {x | gcd(x, n) = 1}

Zn*
• Zn* is a "group" of integers modulo n
– Zn* = {x | gcd(x, n) = 1}
– |Zn*| = φ(n)
– Normal multiplication modulo n
• Zn* may not be a group over +
– Example: n = 20: 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field

Zp
• Zp is the "field" of integers modulo p
– Zp = {0, 1, 2, …, p−1}
– Normal addition modulo p
– Normal multiplication modulo p
• Example: Z2
+ | 0 1        × | 0 1        w  −w  w⁻¹
0 | 0 1        0 | 0 0        0   0   –
1 | 1 0        1 | 0 1        1   1   1
(+ is XOR, × is AND)

Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n·x^n + a_{n−1}·x^{n−1} + … + a1·x + a0, where each a_i ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring: Example
• Example: Let f(x) = x³ + x + 1 and g(x) = x² + x be elements of Z2[x]
– f(x) + g(x) = x³ + x² + 1
– f(x) − g(x) = f(x) + g(x) = x³ + x² + 1
– f(x)·g(x) = x⁵ + x⁴ + x³ + x

Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
– p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) − b(x))
• Example:
– In Z5[x]: 3x³ + 4x + 4 ≡ x + 4 (mod x² + 1)
• 3x³ + 4x + 4 − (x + 4) = 3x³ + 3x = 3x·(x² + 1)
• Definition: If a(x)·b(x) ≡ 1 (mod p(x)) then b(x) = a⁻¹(x) mod p(x)
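Polynomial arithmetic in Z_p[x] and reduction modulo p(x), as an added Python example (my code, not the course's) that reproduces the Z2[x] sum and product of the Polynomial Ring slide and the Z5[x] congruence above. Polynomials are lists of coefficients, lowest degree first, so x³ + x + 1 over Z2 is `[1, 1, 0, 1]`; division uses `pow(c, -1, p)` (Python 3.8+) for the leading coefficient, which exists because p is prime. The function names and the sample polynomials (taken from the slides) are constructed for this example.

```python
def trim(f):
    """Drop leading zero coefficients (stored last, since lists are lowest degree first)."""
    f = list(f)
    while f and f[-1] == 0:
        f.pop()
    return f


def poly_add(f, g, p):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([(a + b) % p for a, b in zip(f, g)])


def poly_sub(f, g, p):
    return poly_add(f, [(-c) % p for c in g], p)


def poly_mul(f, g, p):
    if not f or not g:
        return []
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return trim(out)


def poly_divmod(f, g, p):
    """Long division in Z_p[x] (p prime, so the leading coefficient of g is invertible)."""
    f, g = trim(f), trim(g)
    if not g:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(g[-1], -1, p)
    q = [0] * max(len(f) - len(g) + 1, 1)
    r = f
    while r and len(r) >= len(g):
        shift = len(r) - len(g)                 # degree difference
        coef = (r[-1] * inv_lead) % p
        q[shift] = coef
        for i, c in enumerate(g):               # subtract coef * x^shift * g(x)
            r[shift + i] = (r[shift + i] - coef * c) % p
        r = trim(r)
    return trim(q), r


def poly_mod(f, g, p):
    return poly_divmod(f, g, p)[1]


def congruent(a, b, m, p):
    """a(x) = b(x) (mod m(x)) iff m(x) divides a(x) - b(x)."""
    return poly_mod(poly_sub(a, b, p), m, p) == []


def poly_str(f):
    terms = [("1" if i == 0 else "x" if i == 1 else f"x^{i}") if c == 1 else
             (f"{c}" if i == 0 else f"{c}x" if i == 1 else f"{c}x^{i}")
             for i, c in reversed(list(enumerate(f))) if c]
    return " + ".join(terms) if terms else "0"


F, G = [1, 1, 0, 1], [0, 1, 1]               # x^3 + x + 1 and x^2 + x over Z2 (from the slide)
A, B, M = [4, 4, 0, 3], [4, 1], [1, 0, 1]    # 3x^3 + 4x + 4, x + 4 and x^2 + 1 over Z5

if __name__ == "__main__":
    print(poly_str(poly_add(F, G, 2)), "|", poly_str(poly_mul(F, G, 2)))   # x^3 + x^2 + 1 | x^5 + x^4 + x^3 + x
    print(congruent(A, B, M, 5), poly_str(poly_mod(A, M, 5)))              # True x + 4
```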

Irreducible Polynomials
• Definition: If a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: A polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x³ + x + 1)
• S = {0, 1, x, x+1, x², x²+1, x²+x, x²+x+1}
• p(x) = x³ + x + 1
• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S
• Example:
– x⁴ + 1 = x·x³ + 1 ≡ x·(x + 1) + 1 = x² + x + 1 (mod p(x))
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x³ + x + 1): Properties
• S is a group over addition in R
– 0 is e and the inverse of a ∈ S is a itself
– Example: (x² + 1) + (x² + 1) = 0
• S without 0 is a group over multiplication mod p(x)
– 1 is e and the inverse of every nonzero a ∈ S exists
– Example: (x² + 1)·x = x³ + x ≡ (x + 1) + x = 1 (mod x³ + x + 1)
– Note: the Extended Euclidean Algorithm can be used to find it
• Z2[x]/(x³ + x + 1) is a field

Galois Field
• Definition: Galois field = (S, +, ×)
– S = F[x]/p(x)
– F is a field Z_N (N is prime)
– + is addition in F, × is multiplication modulo p(x)
– p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted GF(N^n) when n = deg p(x)

Why Galois Field
• For an 8-bit block
– Z256 = {0, 1, …, 255} is not a field
– Z251 = {0, 1, …, 250} is a field
• The largest prime < 256 is 251
• 251 … 255 are wasted
• Is it possible to find a field for Z256?
– Yes: Galois field

Galois Field for Z256
• Build a mapping from an n-bit block to polynomials
• Example: 8-bit block
10010111 ↔ 1·x⁷ + 0·x⁶ + 0·x⁵ + 1·x⁴ + 0·x³ + 1·x² + 1·x¹ + 1·x⁰
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES
• Operations in AES use GF(2⁸) = Z2[x]/p(x) where p(x) = x⁸ + x⁴ + x³ + x + 1
• Example:
– 01010011 ↔ x⁶ + x⁴ + x + 1
– (01010011)⁻¹ ↔ (x⁶ + x⁴ + x + 1)⁻¹ mod p(x) = x⁷ + x⁶ + x³ + x ↔ 11001010

Galois Field Example: AES
• Example: 02·87 = ?
• 87 = 10000111 ↔ f(x) = x⁷ + x² + x + 1
• 02 = 00000010 ↔ x
• 02·87 ↔ x·f(x) = x·(x⁷ + x² + x + 1) mod p(x) = x⁸ + x·(x² + x + 1) mod p(x)
• In general, for a byte (b7 b6 b5 b4 b3 b2 b1 b0):
x·f(x) = 02·(b7 … b0) = (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
x·f(x) = 02·(b7 … b0) = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)     if b7 = 1
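Arithmetic in the binary Galois fields of these slides, written in Python as an added example (my code, not AES reference code): integers stand for polynomials over Z2, `xtime` is exactly the 02·(b7…b0) shift-and-XOR rule of the slide, `gf_mul` repeats it bit by bit, and the inverse is obtained by exponentiation with a^(2^n − 2), a consequence of Euler's theorem in a field with 2^n − 1 nonzero elements. The reducing polynomial is passed in including its leading term, so the AES polynomial x⁸ + x⁴ + x³ + x + 1 is 0x11B and x³ + x + 1 is 0b1011; the function names are my own.

```python
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, with the x^8 term included
GF8_POLY = 0b1011  # x^3 + x + 1 for the small example Z2[x]/(x^3 + x + 1)


def xtime(a, poly=AES_POLY, n=8):
    """Multiply by x (= 02): shift left; if the old top bit was set, subtract p(x), i.e. XOR."""
    a <<= 1
    if a & (1 << n):
        a ^= poly              # poly has bit n set, so this also clears the overflow bit
    return a & ((1 << n) - 1)


def gf_mul(a, b, poly=AES_POLY, n=8):
    """Carry-less multiply a*b modulo poly: for each bit of b, accumulate the matching x^i * a."""
    result = 0
    for _ in range(n):
        if b & 1:
            result ^= a
        b >>= 1
        a = xtime(a, poly, n)
    return result


def gf_pow(a, e, poly=AES_POLY, n=8):
    """Square-and-multiply exponentiation in GF(2^n)."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, poly, n)
        a = gf_mul(a, a, poly, n)
        e >>= 1
    return result


def gf_inv(a, poly=AES_POLY, n=8):
    """a^-1 = a^(2^n - 2), since a^(2^n - 1) = 1 for every nonzero a in GF(2^n)."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    return gf_pow(a, (1 << n) - 2, poly, n)


def poly_str(a):
    """Render a bit pattern as a polynomial, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    terms = [{0: "1", 1: "x"}.get(i, f"x^{i}")
             for i in range(a.bit_length() - 1, -1, -1) if a >> i & 1]
    return " + ".join(terms) if terms else "0"


if __name__ == "__main__":
    print(poly_str(0x53), "->", poly_str(gf_inv(0x53)))   # x^6 + x^4 + x + 1 -> x^7 + x^6 + x^3 + x
    print(hex(gf_mul(0x02, 0x87)))                          # 0x15: the 02 * 87 product from the slide
    print(gf_mul(0b101, 0b010, GF8_POLY, 3))                # 1: (x^2 + 1) * x mod x^3 + x + 1
```

Both slide examples check out: 0x53 inverts to 0xCA (11001010), and in the 3-bit field (x² + 1)·x reduces to 1, so x is the inverse of x² + 1 as stated on the properties slide.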

Outline
• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Mathematical Model for Ciphers
• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
– M = {ai | i = 1, 2, …, N}, p(ai) ≥ 0, $\sum_{i=1}^{N} p(a_i) = 1$
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
– B = {bi | i = 1, 2, …, S}, p(bi) ≥ 0, $\sum_{i=1}^{S} p(b_i) = 1$
• C = {c | c = e_k(m), k ∈ K, m ∈ M}
[Diagram on the slide: Sender → Encryption → c → Decryption → Receiver; the key k reaches both ends over a secure channel; cryptanalysis observes c; labelled Key Space (K), Message Space (P), Ciphertext Space (C)]

Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager
Claude Shannon, 1916–2001

Probability Distribution of C
• $\Pr[C = c] = \sum_{k \in K,\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]$
– C(k) = {e_k(m) | m ∈ P}
• $\Pr[C = c \mid P = m] = \sum_{k \in K,\ m = d_k(c)} \Pr[K = k]$
• Pr[P = m | C = c]
= Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
= $\dfrac{\Pr(m) \sum_{k \mid m = d_k(c)} \Pr(k)}{\sum_{k \in K,\ c \in C(k)} \Pr(k) \Pr(d_k(c))}$

Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
– How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P,
∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• We also say such a scheme has perfect secrecy

Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and ∀x ∈ P, ∀y ∈ C there is a unique key k such that e_k(x) = y

Proof of (⇐)
• $\Pr[X = x \mid Y = y] = \dfrac{\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] \Pr[X = x]}{\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \Pr[X = d_k(y)]}$
• $\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] = 1/|K|$ (exactly one key maps x to y)
• $\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \Pr[X = d_k(y)] = \frac{1}{|K|} \sum_{k \in K,\ y \in C(k)} \Pr[X = d_k(y)] = \frac{1}{|K|} \sum_{x \in P} \Pr[X = x] = 1/|K|$
• Hence Pr[X = x | Y = y] = Pr[X = x]

Proof of (⇒), part 1
• Pr[y] > 0
• Pr[x | y] = Pr[x] ⟹ Pr[y | x] = Pr[y]
• Fix x ∈ P and y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
– There are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
– There is a unique key k such that e_k(x) = y

Proof of (⇒), part 2
• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with e_{ki}(xi) = y
• Pr[xi | y] = Pr[y | xi]·Pr[xi] / Pr[y] = Pr[K = ki]·Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⟹ Pr[K = ki] = Pr[y]
– Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof:
– Consider a nonzero probability distribution on P
– Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
– As one key decrypts c into only one message, at least n keys are needed
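Perfect secrecy is a statement about conditional probabilities, so it can be checked exactly for a small cipher. The Python below is an added example (my code, not from the course) using exact fractions: a shift cipher c = (m + k) mod n over a 3-symbol alphabet, with Pr[P = m | C = c] computed from the formula on the "Probability Distribution of C" slide. Uniform keys give Pr[P = m | C = c] = Pr[P = m] for every (m, c); a skewed key distribution, or a key space smaller than the message space (the "bad news" theorem), breaks it. The message distribution is constructed for the example and the function names are my own.

```python
from fractions import Fraction
from itertools import product


def shift_encrypt(m, k, n_msgs):
    """e_k(m) for the shift cipher over Z_n."""
    return (m + k) % n_msgs


def posterior(n_msgs, msg_dist, key_dist):
    """Return (Pr[P=m | C=c] for every (m, c) with Pr[C=c] > 0, Pr[C=c]) as dicts of Fractions.
    msg_dist[m] = Pr[P=m], key_dist[k] = Pr[K=k]; keys are 0 .. len(key_dist)-1."""
    joint = {}                          # Pr[P=m, C=c] = Pr[P=m] * sum of Pr[K=k] over k with e_k(m) = c
    for m, k in product(range(n_msgs), range(len(key_dist))):
        c = shift_encrypt(m, k, n_msgs)
        joint[(m, c)] = joint.get((m, c), Fraction(0)) + msg_dist[m] * key_dist[k]
    pr_c = {}                           # Pr[C=c] = sum over m of Pr[P=m, C=c]
    for (m, c), pr in joint.items():
        pr_c[c] = pr_c.get(c, Fraction(0)) + pr
    post = {(m, c): pr / pr_c[c] for (m, c), pr in joint.items()}
    return post, pr_c


def has_perfect_secrecy(n_msgs, msg_dist, key_dist):
    """Shannon's condition: Pr[P=m | C=c] == Pr[P=m] for all m and every observable c."""
    post, pr_c = posterior(n_msgs, msg_dist, key_dist)
    return all(post.get((m, c), Fraction(0)) == msg_dist[m]
               for c in pr_c for m in range(n_msgs))


def uniform(k):
    return [Fraction(1, k)] * k


MSG_DIST = [Fraction(1, 2), Fraction(1, 3), Fraction(1, 6)]   # constructed, deliberately non-uniform
SKEWED_KEYS = [Fraction(1, 2), Fraction(1, 4), Fraction(1, 4)]  # constructed: keys not equiprobable

if __name__ == "__main__":
    print(has_perfect_secrecy(3, MSG_DIST, uniform(3)))     # True: uniform keys, |K| = |P|
    print(has_perfect_secrecy(3, MSG_DIST, SKEWED_KEYS))    # False: Pr[P=0 | C=0] = 2/3, not 1/2
    print(has_perfect_secrecy(3, MSG_DIST, uniform(2)))     # False: |K| < |P|, some (m, c) impossible
```

The skewed case is worth reading off the numbers: after seeing c = 0 the attacker's belief that the plaintext was 0 rises from 1/2 to 2/3, which is precisely the "information" leak that the definition forbids.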

Introduction to Complexity
• Perfect secrecy: key length ≥ message length
– Can NOT use one key to encrypt many messages
– Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography:
– NOT perfect secrecy
– IS secure under limited resources (complexity)
– Means that key (or plaintext) recovery is difficult
– Complexity is the foundation of modern cryptography

Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example:
– Name: GCD problem
– Instance: Two natural numbers a, b ∈ N
– Question: What is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine
• Definition: A Turing Machine is δ: S × B → S × B × {l, r}
– where S is the set of states, B the characters, l is shift left, r is shift right
[Diagram on the slide: tape … 0 1 1 0 0 0 1 1 … with a read/write head driven by a state machine]

Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which for an instance produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms
[Diagram on the slide: PROBLEM → INSTANCES → ALGORITHM, with Input and Output]

Complexity of Algorithms
• Definition: The time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF):
– Logarithmic functions: f(n) = log(n)
– Polynomial functions: f(n) = n^a, a ∈ N
– Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problems
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
– The complexity of a problem is much more difficult to determine
– It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problems
• Undecidable – provably intractable
– There is no algorithm that solves it
– Such as the Turing halting problem
• Decidable
– P – can be solved in polynomial time using a DTM
• Example: A, B
– NP – can be solved in polynomial time using an NDTM: δ: S × B → 2^(S × B × {l, r})
– BPP – can be "solved" in polynomial time using a PTM: δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)

NP Problems
• NP problem: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark:
– P problems ⊆ NP problems
– NP problems are "more difficult" from intuition
• NPC: The most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy problems

Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP and I1+ and I2+ are their 'yes' instances.
Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note:
– Q2 is more complex than Q1
– Denoted Q1 ≤_poly Q2

NP Completeness (NPC)
• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc
• Example:
– Name: Satisfiability problem (SAT)
– Instance: A set U of variables and a collection C of clauses over U
– Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC:
– SAT ≤_poly Q

P = NP?
• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP
– Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
– A one-way function can be built based on p
– Indistinguishable pseudorandom functions exist
– They are foundations of modern cryptography

BPP
• There are random algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for random algorithms
• Remarks on BPP
– The problem can be solved with some error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful under BPP
– Will be analyzed in depth later

Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Find x satisfying g^x ≡ y (mod p)
• DHP: Find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x² ≡ a (mod n)

Semantic Security
• Ideas of semantic security
– Between Shannon security and security based on complexity
– Leaks partial information
– Approximates perfect secrecy
• Definition of semantic security
– Indistinguishability of ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish ciphertext from random bits

IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
Game (diagram on the slide):
– Challenger: picks random k and picks random b ∈ {0, 1}
– Adversary: picks M0, M1 of equal length
– Attacker wins the game if b = b'

Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
Game (diagram on the slide):
– Challenger: 1. picks random k; 2. picks random M
– Adversary: 3. picks i
– Attacker wins the game if a = i'th bit of M

Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
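The IND-CPA game of the previous slides, run as a simulation in Python. This is an added example (my code, not from the course): the challenger and a simple adversary that uses its chosen-plaintext access to encrypt M0 itself and compare with the challenge. Against a toy deterministic cipher (one keystream reused for every message) the adversary wins every round, so that cipher is not IND-CPA secure for any ε < 0.5; against a cipher that derives a fresh keystream from the key and a random nonce (HMAC-SHA256 standing in for a PRF here, as an illustration only, not a recommended construction) the same adversary is reduced to guessing and wins about half the time. The class and function names, and the two sample messages, are my own.

```python
import hashlib
import hmac
import random


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class FixedKeystreamCipher:
    """Toy cipher that reuses one keystream for every message: deterministic, hence not IND-CPA."""
    def __init__(self, rng):
        self.key = rng.randbytes(16)

    def encrypt(self, m):
        return xor_bytes(m, self.key)


class NonceKeystreamCipher:
    """Toy cipher with a fresh 16-byte nonce per message; keystream = PRF(key, nonce),
    with HMAC-SHA256 as a stand-in PRF. Illustration only, not a production design."""
    def __init__(self, rng):
        self.key = rng.randbytes(16)
        self.rng = rng

    def encrypt(self, m):
        nonce = self.rng.randbytes(16)
        pad = hmac.new(self.key, nonce, hashlib.sha256).digest()[:len(m)]
        return nonce + xor_bytes(m, pad)


class ReplayAdversary:
    """Queries the encryption oracle on M0 before the challenge, then compares ciphertexts."""
    M0 = b"attack at dawn!!"   # constructed 16-byte messages of equal length
    M1 = b"attack at dusk!!"

    def choose(self, encrypt):
        self.c0 = encrypt(self.M0)          # the chosen-plaintext query
        return self.M0, self.M1

    def guess(self, challenge):
        return 0 if challenge == self.c0 else 1


def ind_cpa_round(cipher, adversary, rng):
    """One round: the challenger holds k (inside cipher) and picks b; the adversary outputs b'."""
    b = rng.getrandbits(1)
    m0, m1 = adversary.choose(cipher.encrypt)
    challenge = cipher.encrypt(m1 if b == 1 else m0)
    return adversary.guess(challenge) == b   # attacker wins if b' = b


def win_rate(make_cipher, rounds, seed=1):
    """Fraction of rounds the ReplayAdversary wins; a fixed seed makes the run reproducible."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_round(make_cipher(rng), ReplayAdversary(), rng) for _ in range(rounds))
    return wins / rounds


if __name__ == "__main__":
    print(win_rate(FixedKeystreamCipher, 1000))   # 1.0: advantage 0.5, not IND-CPA secure
    print(win_rate(NonceKeystreamCipher, 1000))   # close to 0.5: this adversary gains nothing
```

The deterministic case is the one to remember when reviewing real systems: any scheme that returns the same ciphertext for the same plaintext under the same key (unauthenticated ECB mode, a reused nonce in a stream cipher) fails this game by construction, whatever the underlying primitive.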

Summary
• Number Theory
– Prime, gcd, Euler's Theorem, CRT
– Modular arithmetic
• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)
• Shannon Security
– Perfect secrecy
– Probability
• Complexity of Computing
– P, NP, NPC, BPP

Homework
• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date
Zhijun Li S1034040Autumn08HIT 12
Euclidean Algorithm
bull Step 1 r0 =a and r1 =b
bull Step 2 r0 =q1r1+ r2
r1 =q2r2+ r3
helliphellip
rn-2 = qn-1rn-1+ rn
until rn=0 and rn-1 0
bull Step 3 rn-1 = gcd(ab)
Zhijun Li S1034040Autumn08HIT 13
Euclidean Algorithm Proof
bull rn = 0 rn-1| rn-2
rn-1| rn-3 hellip rn-1| a and rn-1| b
rn-1| gcd(ab)
bull gcd(ab)| r0 and gcd(ab)|r1
gcd(ab) | r0 ndash q1r1 gcd(ab)| r2
hellip gcd(ab) | rn-1
bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1
Zhijun Li S1034040Autumn08HIT 14
Euclidean Algorithm Complexity
bull Time Complexityndash Iteration
bull Each rigt1 iteration = O(log2a)
ndash Division
bull O(log22a)
ndash T(n)=O(log32n)
Zhijun Li S1034040Autumn08HIT 15
Modular Arithmetic
bull Why modular arithmetic
01100hellip0100
Plaintext 2n
11010hellip0111
Ciphertext 2n
+ addition multiplication
Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite
Zhijun Li S1034040Autumn08HIT 16
Modular Operation
bull Definition a mod n(modulo operator) is the remainder when a is divided by n
bull a mod n is r a=qn+r (0ltrltn)
Zhijun Li S1034040Autumn08HIT 17
Congruence Modulo n
bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)
Zhijun Li S1034040Autumn08HIT 18
Congruence Properties
bull Propertiesndash a b (mod n) c d (mod n)
a+c b+d (mod n)
ac bd (mod n)ndash Example
10 1 mod 9 102 1 mod 9 hellip
a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9
ndash a b (mod n) d|n a b (mod d)
Zhijun Li S1034040Autumn08HIT 19
Congruence Relation
bull Congruence relation is an equivalence relationndash Reflexive
bull a andash Symmetric
bull a b b a ndash Transitive
bull a b b c a c
bull Equivalence relation Partition
Zhijun Li S1034040Autumn08HIT 20
Example Integers Modulo 7
bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence
Z7 residues modulo 7
Zhijun Li S1034040Autumn08HIT 21
Set of Residues
bull Definition if a b mod n and bltn b is called a residue of a modulo n
bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i
n the set satisfies bri mod n
bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele
ment is relatively prime to n
Zhijun Li S1034040Autumn08HIT 22
Set of Residues Example
bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379
bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1
Zhijun Li S1034040Autumn08HIT 23
Modular Arithmetic
bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1
bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n
bull Proof Let a=q1n+r1 b=q2n+r2
bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n
ndash [(a mod n) (b mod n)] mod n = (ab) mod n
bull (+ ) (-)
Zhijun Li S1034040Autumn08HIT 24
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)
What
Zhijun Li S1034040Autumn08HIT 25
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )
NOT all elements in Z8
Zhijun Li S1034040Autumn08HIT 26
Modular Arithmetic Remark
bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n
bull ((-a)+a+b) ((-a)+a+c) mod n
bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8
ndash When
Zhijun Li S1034040Autumn08HIT 27
Multiplicative Inverse in Modular
bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n
bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists
bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=
0
Zhijun Li S1034040Autumn08HIT 28
Multiplicative Inverse Theorem
bull Proof
ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1
ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n
ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)
Zhijun Li S1034040Autumn08HIT 29
Eulerrsquos phi Function
bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn
ndash Is the number of elements in the reduced set of residues for modulo n
(n) calculation
Zhijun Li S1034040Autumn08HIT 30
Chinese Remainder Theorem
bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)
x a1 mod n1
x a2 mod n2
helliphellip
x ak mod nk
There exists a unique solution of x modulo n=n1
n2hellipnk
Zhijun Li S1034040Autumn08HIT 31
Proof of CRT
bull Consider a one-to-one map Zn Zn1
Zn2 hellipZnk
(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)
(a1 a2 hellip ak) = i=1kaimiyi mod n
ndash mi = nni gcd(mini)=11ik ndash yi = mi
-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj
-1 mod nj mjyj1 mod nj ajmjyjaj mod nj
(a1 a2 hellip ak) mod nj = aj
Zhijun Li S1034040Autumn08HIT 32
Finding Eulerrsquos phi Function
bull Theorem if gcd(mn)=1 then (mn)=(m)(n)
bull Proof ndash A number x mod mn is represented uniquely by the p
air (a b) (x mod m x mod n) (CRT)
ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
ndash So (mn)=(m)(n)
Zhijun Li S1034040Autumn08HIT 33
Finding Eulerrsquos phi Function
(n) calculation for n = i=1k pi
ei
(p) = p-1 (pe) = pe ndash pe-1
ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1
( i=1kpi
ei ) = i=1k(pi
ei ndash piei -1)
(n) = n(1-1p1)(1-1p2)hellip(1-1pk)
Zhijun Li S1034040Autumn08HIT 34
Eulerrsquos Theorem
bull Theorem If gcd(an)=1 then a(n) 1 mod n
bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues
modulo n
2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)
3 i=1(n) ri = i=1
(n) ari a(n) i=1(n) ri mod n
4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n
Zhijun Li S1034040Autumn08HIT 35
Fermatrsquos Little Theorem
bull For Eulerrsquos Theorem
Let n is p and p is a prime
Because for all 0ltaltp gcd(ap)=1 then
ap-1 1 mod p
Zhijun Li S1034040Autumn08HIT 36
bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)
bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)
bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)
Finding a-1 mod n
Zhijun Li S1034040Autumn08HIT 37
From Euclidean Algorithm
bull r0 =1r0+ 0r1 = s0r0+t0r1
bull r1 =0r0+ 1r1 = s1r0+t1r1
bull r2 = r0-q1r1 = s2r0+t2r1
bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1
helliphellipbull rn-1 = sn-1r0+tn-1r1
bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1
-1 mod r0
bull Find tn-1
Zhijun Li S1034040Autumn08HIT 38
si and ti
bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1
si=si-2-qi-1si-1
ti=ti-2-qi-1ti-1
bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0
Zhijun Li S1034040Autumn08HIT 39
Step 1 r0 =n and r1 =a
Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n
r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n
let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip
rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1
Step 3 Result is xn-2 =a-1 mod n
Extended Euclidean Algorithm
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
bull Definition The order of a finite group is the number of the elements in the group
bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S
bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H
(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a
ll coset is a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of Group Element
bull Definition The order of group element a is defined as the least positive integer n that
an = a a hellip a =e
bull The order of a is denoted as ord(a)
bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n
Zhijun Li S1034040Autumn08HIT 47
ord(a) | n: Proof
• Proof
  – For group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G:
    a^ord(a) = e, (a^i)^-1 = a^(ord(a)-i)
  – This subgroup is denoted as <a>; its order is ord(a), so by Lagrange's Theorem ord(a) | n

The Generator of a Group
• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group
• Example: Consider <Z_7^*, ·>
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • <{1, 2, 4}> is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator

Ring
• Definition: A ring R = <S, +, ·> (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S: a+b ∈ S, a·b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S: a·(b+c) = a·b + a·c
• Example
  – The set of even integers with + and · is a ring
  – p, q are two primes, n = pq: Z_n = {0, 1, …, n-1} with addition and multiplication mod n is a ring

Field
• Definition: A field F is <S, +, ·> with
  – F1: <S, +, ·> is a commutative ring (a·b = b·a)
  – F2: There exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: Any nonzero element a ∈ S has its unique inverse a^-1: a·a^-1 = a^-1·a = 1
• Example
  – Z_n = <{0, 1, …, n-1}, +, ·> is a field if n is a prime

Relationship
[Figure: Group (+, -) ⊂ Ring (+, -, ×) ⊂ Field (+, -, ×, ÷); all three are used in cryptography]

Several Important Structures
• Z_n
• Z_n^*
• Z_p
• Polynomial rings
• Galois field F_{2^n}

Z_n
• Z_n is the "ring" of integers modulo n
  – Z_n = {0, 1, 2, …, n-1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z_26 for English
  – Z_256 for ASCII

Z_n Properties
• Additive and multiplicative identities in Z_n
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: Yes
  – For each x in Z_n there is a y such that x + y ≡ 0 mod n
• Multiplicative inverse: Not for all x
  – A y such that x·y ≡ 1 mod n does not exist for every x in Z_n
  – The elements in Z_n that have an inverse are {x | gcd(x, n) = 1}

Z_n^*
• Z_n^* is a "group" of integers modulo n
  – Z_n^* = {x | gcd(x, n) = 1}
  – |Z_n^*| = φ(n)
  – Normal multiplication modulo n
• Z_n^* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Z_n^* but 3+5 = 8 ∉ Z_n^*
• So Z_n^* may not be a field

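As an added example (not from the lecture), the following Python builds Z_n^* from the gcd test, finds inverses with the extended Euclidean algorithm, and computes element orders, the subgroup <a> and the generators discussed on the Generator of a Group slide; the n = 20 closure check uses 3 and 7, both units mod 20. All function names are this example's own.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, t0, s1, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def mod_inverse(a, n):
    """a^-1 mod n; it exists iff gcd(a, n) = 1, otherwise ValueError."""
    g, s, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd({a}, {n}) = {g}")
    return s % n


def units(n):
    """Z_n^* = {x in Z_n | gcd(x, n) = 1}; its size is Euler's phi(n)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def order(a, n):
    """ord(a) in Z_n^*: the least k >= 1 with a^k = 1 (mod n)."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not in Z_{n}^*")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def generated_subgroup(a, n):
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list of residues."""
    elems, x = set(), a % n
    while x not in elems:
        elems.add(x)
        x = (x * a) % n
    return sorted(elems)


def generators(n):
    """Elements of Z_n^* whose order is |Z_n^*|; empty when Z_n^* is not cyclic."""
    phi = len(units(n))
    return [a for a in units(n) if order(a, n) == phi]


def lagrange_holds(n):
    """Every ord(a) must divide |Z_n^*| (corollary of Lagrange's theorem)."""
    phi = len(units(n))
    return all(phi % order(a, n) == 0 for a in units(n))


def closed_under_addition(n):
    """Is Z_n^* closed under + mod n?  False for most n, so it is no ring."""
    u = set(units(n))
    return all((a + b) % n in u for a in u for b in u)


if __name__ == "__main__":
    print("Z_7^* =", units(7), "generators:", generators(7))
    print("<2> in Z_7^* =", generated_subgroup(2, 7), "ord(2) =", order(2, 7))
    print("Z_20^* =", units(20), "closed under +:", closed_under_addition(20))
    print("3^-1 mod 7 =", mod_inverse(3, 7))
```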
Z_p
• Z_p is the "field" of integers modulo p
  – Z_p = {0, 1, 2, …, p-1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example Z_2:

    + | 0 1        · | 0 1        w | -w | w^-1
    --+----        --+----        --+----+-----
    0 | 0 1        0 | 0 0        0 |  0 |  -
    1 | 1 0        1 | 0 1        1 |  1 |  1
     (XOR)          (AND)

Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n-1} x^{n-1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example
• Example: Let f(x) = x^3+x+1 and g(x) = x^2+x be elements in Z_2[x]
  – f(x)+g(x) = x^3+x^2+1
  – f(x)-g(x) = f(x)+g(x) = x^3+x^2+1
  – f(x)·g(x) = x^5+x^4+x^3+x

Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)

Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x)-b(x))
• Example
  – In Z_5[x]: 3x^3+4x+4 ≡ x+4 mod x^2+1
    • 3x^3+4x+4 - (x+4) = 3x^3+3x = 3x(x^2+1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x), then b(x) = a^-1(x) mod p(x)

Irreducible Polynomials
• Definition: If a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted as b(x) | a(x)
• Definition: A polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) such that b(x) | a(x)

Example: Z_2[x]/(x^3+x+1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3+x+1
• For any f(x) ∈ Z_2[x]: f(x) mod p(x) ∈ S
• Example
  – x^4+1 = x·x^3+1 mod p(x) = x(x+1)+1 = x^2+x+1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z_2[x]/(x^3+x+1) Properties
• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2+1) + (x^2+1) = 0
• S \ {0} is a group over multiplication mod p(x)
  – 1 is e, and the inverse of a ∈ S exists
  – Example: (x^2+1)·x = x^3+x ≡ x+1+x mod x^3+x+1 = 1
  – Note: The Extended Euclidean Algorithm can be used to find the inverse
• Z_2[x]/(x^3+x+1) is a field

Galois Field
• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is the field Z_N (N is prime)
  – + is addition in F[x], · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted as GF(N^n), where n = deg p(x)

Why Galois Field
• For an 8-bit block
  – Z_256 = {0, 1, …, 255} is not a field
  – Z_251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251 … 255 are wasted
• Is it possible to find a field for Z_256?
  – Yes: the Galois field

Galois Field for Z_256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z_2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES
• AES uses GF(2^8) = Z_2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6+x^4+x+1
  – (01010011)^-1 ↔ (x^6+x^4+x+1)^-1 mod p(x) = x^7+x^6+x^3+x ↔ 11001010

Galois Field Example: AES
• Example: 02·87 = ?
  • 87 = 10000111, f(x) = x^7+x^2+x+1
  • 02 = 00000010, f(x) = x
  • 02·87 = x·f(x) = x(x^7+x^2+x+1) mod p(x) = x^8 + x(x^2+x+1) mod p(x)
• In general, for a byte (b7 b6 b5 b4 b3 b2 b1 b0):
  x·f(x) = 02·(b7 b6 b5 b4 b3 b2 b1 b0) =
    (b6 b5 b4 b3 b2 b1 b0 0)                if b7 = 0
    (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)   if b7 = 1

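As an added example (not the lecture's or AES's own code), the following Python implements arithmetic in Z_2[x]/(p(x)) for any irreducible p, covering both the Z_2[x]/(x^3+x+1) field above and the AES field with p(x) = x^8+x^4+x^3+x+1: residue reduction, the shift-and-XOR multiply whose reduction step is the {02} rule above, irreducibility checking by trial division, and inversion by a^(2^n-2). The function names and the polynomial-as-int encoding are this example's own conventions.

```python
# Constructed example, not code from the lecture: arithmetic in Z_2[x]/(p(x)).
# A polynomial over Z_2 is stored as an int whose bit i is the coefficient of
# x^i, so 0b10010111 stands for x^7 + x^4 + x^2 + x + 1 (the 8-bit block mapping).

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES modulus
GF8_POLY = 0b1011  # x^3 + x + 1, the 8-element field Z_2[x]/(x^3+x+1)


def poly_degree(a):
    """deg a; -1 for the zero polynomial."""
    return a.bit_length() - 1


def poly_str(a):
    """Render an int as a polynomial over Z_2, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    if a == 0:
        return "0"
    terms = []
    for i in range(poly_degree(a), -1, -1):
        if (a >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


def poly_mod(a, p):
    """Residue of a modulo p in Z_2[x]: cancel the leading term until deg a < deg p."""
    dp = poly_degree(p)
    while a and poly_degree(a) >= dp:
        a ^= p << (poly_degree(a) - dp)
    return a


def is_irreducible(p):
    """Brute force: no polynomial of degree 1 .. deg p - 1 divides p."""
    return all(poly_mod(p, b) != 0 for b in range(2, 1 << poly_degree(p)))


def gf_add(a, b):
    """Addition is coefficient-wise XOR; every element is its own additive inverse."""
    return a ^ b


def gf_mul(a, b, p=AES_POLY):
    """Multiply two residues modulo the irreducible p by shift-and-add."""
    top = 1 << poly_degree(p)
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & top:        # degree reached deg p: reduce (x^8 -> x^4+x^3+x+1 in AES)
            a ^= p
    return result


def xtime(b):
    """AES multiplication by {02}: shift left; XOR 0x1B if bit b7 was set."""
    b <<= 1
    if b & 0x100:
        b ^= 0x11B         # same as dropping x^8 and XORing 00011011
    return b


def gf_inverse(a, p=AES_POLY):
    """Inverse of a nonzero element: a^(2^n - 2) = a^-1, since a^(2^n - 1) = 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    exp = (1 << poly_degree(p)) - 2
    result, base = 1, a
    while exp:
        if exp & 1:
            result = gf_mul(result, base, p)
        base = gf_mul(base, base, p)
        exp >>= 1
    return result


if __name__ == "__main__":
    print(poly_str(0x87), "* x =", poly_str(xtime(0x87)))
    print("inverse of 0x53 in GF(2^8) =", hex(gf_inverse(0x53)))
    print("(x^2+1) * x mod x^3+x+1 =", poly_str(gf_mul(0b101, 0b010, GF8_POLY)))
```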
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers
• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ M}
[Figure: Sender → Encryption → c → Decryption → Receiver; the key k reaches both ends over a Secure Channel while Cryptanalysis observes c; the Key Space (K), Message Space (P) and Ciphertext Space (C) are labelled]

Claude Shannon (1916-2001)
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." (R. G. Gallager)

Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k | m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)) )

Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for any probability distribution of P,
  ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
  • We also say such a scheme has perfect secrecy

Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and every y ∈ C there is a unique key k such that e_k(x) = y

Proof of ⇐
• Pr[x | y] = ( Σ_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[d_k(y)] )
• Numerator: Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|, since exactly one key maps x to y and each key has probability 1/|K|
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[d_k(y)] = (1/|K|) Σ_{k ∈ K, y ∈ C(k)} Pr[d_k(y)] = (1/|K|) Σ_{x ∈ P} Pr[x] = 1/|K|
• Hence Pr[x | y] = Pr[x]

Proof of ⇒ (unique key)
• Pr[y] > 0 for every y ∈ C
• Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
• Fix x ∈ P; for every y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
  – There are no two keys k1 ≠ k2 with e_k1(x) = e_k2(x)
  – There is a unique key k such that e_k(x) = y

Proof of ⇒ (equal key probabilities)
• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Given a fixed y, let k_1, k_2, …, k_n be the keys with e_{k_i}(x_i) = y
• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = k_i] · Pr[x_i] / Pr[y]
• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y] for every i
  – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a probability distribution of P with no zero entries
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed

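As an added example (not from the lecture), the following Python evaluates Shannon's definition by exhaustive enumeration with exact rationals for a shift cipher on Z_26 (a one-symbol one-time pad), and compares it with the |K| = |P| = |C| criterion of the Perfect Secrecy Theorem: uniform keys pass both, a skewed key distribution fails both, and a system with only 3 keys fails, as the |K| ≥ n bound says it must. All names and the three constructed distributions are this example's own.

```python
from fractions import Fraction

# Constructed example, not code from the lecture. A cryptosystem is given by
# its key distribution Pr[K=k], plaintext distribution Pr[P=m] and the table
# enc[(k, m)] = e_k(m). Exact Fractions keep every equality test exact.


def shift_cipher(n):
    """P = C = K = Z_n with e_k(m) = (m + k) mod n: a one-symbol one-time pad."""
    return {(k, m): (m + k) % n for k in range(n) for m in range(n)}


def uniform(space):
    """Every element equally likely."""
    space = list(space)
    return {x: Fraction(1, len(space)) for x in space}


def skewed(space, heavy, weight=Fraction(1, 2)):
    """Puts `weight` on `heavy` and spreads the rest evenly (an attacker's prior)."""
    space = list(space)
    rest = (1 - weight) / (len(space) - 1)
    return {x: (weight if x == heavy else rest) for x in space}


def ciphertext_distribution(enc, pr_k, pr_m):
    """Pr[C=c] = sum over (k, m) with e_k(m) = c of Pr[K=k] * Pr[P=m]."""
    pr_c = {}
    for (k, m), c in enc.items():
        pr_c[c] = pr_c.get(c, Fraction(0)) + pr_k[k] * pr_m[m]
    return pr_c


def posterior(enc, pr_k, pr_m, m, c):
    """Pr[P=m | C=c] = Pr[C=c | P=m] * Pr[P=m] / Pr[C=c] by Bayes' rule."""
    pr_c_given_m = sum((pr_k[k] for (k, mm), cc in enc.items()
                        if mm == m and cc == c), Fraction(0))
    return pr_c_given_m * pr_m[m] / ciphertext_distribution(enc, pr_k, pr_m)[c]


def has_perfect_secrecy(enc, pr_k, pr_m):
    """Shannon's definition: Pr[P=m | C=c] == Pr[P=m] for all m and all c with Pr[C=c] > 0."""
    pr_c = ciphertext_distribution(enc, pr_k, pr_m)
    return all(posterior(enc, pr_k, pr_m, m, c) == pr_m[m]
               for m in pr_m for c in pr_c if pr_c[c] > 0)


def theorem_conditions(enc, pr_k):
    """Theorem criterion: |K| = |P| = |C|, keys uniform, and for every (x, y)
    exactly one key k with e_k(x) = y. Needs no plaintext distribution at all."""
    keys = {k for k, _ in enc}
    msgs = {m for _, m in enc}
    cts = set(enc.values())
    if not len(keys) == len(msgs) == len(cts):
        return False
    if any(pr_k[k] != Fraction(1, len(keys)) for k in keys):
        return False
    return all(sum(1 for k in keys if enc[(k, x)] == y) == 1
               for x in msgs for y in cts)


def demo_cases(n=26):
    """Three systems on Z_n; returns {name: (perfect secrecy?, theorem criterion?)}."""
    enc = shift_cipher(n)
    pr_m = skewed(range(n), heavy=0)                             # plaintext 'a' is likely
    few_keys = {km: c for km, c in enc.items() if km[0] < 3}     # |K| = 3 < |P| = n
    cases = {
        "uniform keys": (enc, uniform(range(n))),
        "skewed keys": (enc, skewed(range(n), heavy=0)),
        "only 3 keys": (few_keys, uniform(range(3))),
    }
    return {name: (has_perfect_secrecy(e, pk, pr_m), theorem_conditions(e, pk))
            for name, (e, pk) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo_cases().items():
        print(f"{name:13s} perfect secrecy={verdict[0]}  theorem criterion={verdict[1]}")
```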
Introduction to Complexity
• Perfect secrecy ⇒ key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine
• Definition: A Turing Machine is δ: S × B → S × B × {l, r}
  – where S is the set of states, B the characters (tape alphabet), l is shift left, r is shift right
[Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]

Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms
[Figure: a PROBLEM has INSTANCES; an ALGORITHM takes an instance as Input and produces an Output]

Complexity of an Algorithm
• Definition: The time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of a Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problems
• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: A·B
  – NP: can be solved in polynomial time using an NDTM, δ: S × B → 2^(S × B × {l, r})
  – BPP: can be "solved" in polynomial time using a PTM, δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)

NP Problems
• NP ⊇ P: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult" by intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are their 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is at least as complex as Q1
  – Denoted as Q1 ≤_poly Q2

NP Completeness (NPC)
• Definition: An NPC problem is a Q_c such that for any Q ∈ NP we have Q ≤_poly Q_c
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC
  – SAT ≤_poly Q

P = NP?
• Either P = NP, or ∃p ∈ NP with p ∉ P
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are foundations of modern cryptography

BPP
• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Find x satisfying α^x ≡ β (mod p)
• DHP: Find α^(ab) (mod p) from α^a (mod p) and α^b (mod p)
• SUBSET-SUM: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Semantic Security
• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leak partial information
  – Approximate perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish a ciphertext from random bits

IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

  Challenger                                 Adversary
  picks random k and random b ∈ {0, 1}
                                             picks M0, M1 of equal length
                    <---- M0, M1 ----
                    ---- C = E(k, Mb) ---->
                                             outputs a guess b'
  Attacker wins the game if b = b'

Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

  Challenger                     Adversary
  1. picks random k
  2. picks random M
          ---- C = E(k, M) ---->
                                 3. picks i, outputs a guess a
  Attacker wins the game if a = i'th bit of M

Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security

Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Z_n, Z_p, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework
• HTTP URL
  httpcsthiteducncryptography
• Due Date
Zhijun Li S1034040Autumn08HIT 13
Euclidean Algorithm Proof
bull rn = 0 rn-1| rn-2
rn-1| rn-3 hellip rn-1| a and rn-1| b
rn-1| gcd(ab)
bull gcd(ab)| r0 and gcd(ab)|r1
gcd(ab) | r0 ndash q1r1 gcd(ab)| r2
hellip gcd(ab) | rn-1
bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1
Zhijun Li S1034040Autumn08HIT 14
Euclidean Algorithm Complexity
bull Time Complexityndash Iteration
bull Each rigt1 iteration = O(log2a)
ndash Division
bull O(log22a)
ndash T(n)=O(log32n)
Zhijun Li S1034040Autumn08HIT 15
Modular Arithmetic
bull Why modular arithmetic
01100hellip0100
Plaintext 2n
11010hellip0111
Ciphertext 2n
+ addition multiplication
Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite
Zhijun Li S1034040Autumn08HIT 16
Modular Operation
bull Definition a mod n(modulo operator) is the remainder when a is divided by n
bull a mod n is r a=qn+r (0ltrltn)
Zhijun Li S1034040Autumn08HIT 17
Congruence Modulo n
bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)
Zhijun Li S1034040Autumn08HIT 18
Congruence Properties
bull Propertiesndash a b (mod n) c d (mod n)
a+c b+d (mod n)
ac bd (mod n)ndash Example
10 1 mod 9 102 1 mod 9 hellip
a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9
ndash a b (mod n) d|n a b (mod d)
Zhijun Li S1034040Autumn08HIT 19
Congruence Relation
bull Congruence relation is an equivalence relationndash Reflexive
bull a andash Symmetric
bull a b b a ndash Transitive
bull a b b c a c
bull Equivalence relation Partition
Zhijun Li S1034040Autumn08HIT 20
Example Integers Modulo 7
bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence
Z7 residues modulo 7
Zhijun Li S1034040Autumn08HIT 21
Set of Residues
bull Definition if a b mod n and bltn b is called a residue of a modulo n
bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i
n the set satisfies bri mod n
bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele
ment is relatively prime to n
Zhijun Li S1034040Autumn08HIT 22
Set of Residues Example
bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379
bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1
Zhijun Li S1034040Autumn08HIT 23
Modular Arithmetic
bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1
bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n
bull Proof Let a=q1n+r1 b=q2n+r2
bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n
ndash [(a mod n) (b mod n)] mod n = (ab) mod n
bull (+ ) (-)
Zhijun Li S1034040Autumn08HIT 24
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)
What
Zhijun Li S1034040Autumn08HIT 25
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )
NOT all elements in Z8
Zhijun Li S1034040Autumn08HIT 26
Modular Arithmetic Remark
bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n
bull ((-a)+a+b) ((-a)+a+c) mod n
bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8
ndash When
Zhijun Li S1034040Autumn08HIT 27
Multiplicative Inverse in Modular
bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n
bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists
bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=
0
Zhijun Li S1034040Autumn08HIT 28
Multiplicative Inverse Theorem
bull Proof
ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1
ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n
ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)
Zhijun Li S1034040Autumn08HIT 29
Eulerrsquos phi Function
bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn
ndash Is the number of elements in the reduced set of residues for modulo n
(n) calculation
Zhijun Li S1034040Autumn08HIT 30
Chinese Remainder Theorem
bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)
x a1 mod n1
x a2 mod n2
helliphellip
x ak mod nk
There exists a unique solution of x modulo n=n1
n2hellipnk
Zhijun Li S1034040Autumn08HIT 31
Proof of CRT
bull Consider a one-to-one map Zn Zn1
Zn2 hellipZnk
(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)
(a1 a2 hellip ak) = i=1kaimiyi mod n
ndash mi = nni gcd(mini)=11ik ndash yi = mi
-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj
-1 mod nj mjyj1 mod nj ajmjyjaj mod nj
(a1 a2 hellip ak) mod nj = aj
Zhijun Li S1034040Autumn08HIT 32
Finding Eulerrsquos phi Function
bull Theorem if gcd(mn)=1 then (mn)=(m)(n)
bull Proof ndash A number x mod mn is represented uniquely by the p
air (a b) (x mod m x mod n) (CRT)
ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
ndash So (mn)=(m)(n)
Zhijun Li S1034040Autumn08HIT 33
Finding Eulerrsquos phi Function
(n) calculation for n = i=1k pi
ei
(p) = p-1 (pe) = pe ndash pe-1
ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1
( i=1kpi
ei ) = i=1k(pi
ei ndash piei -1)
(n) = n(1-1p1)(1-1p2)hellip(1-1pk)
Zhijun Li S1034040Autumn08HIT 34
Eulerrsquos Theorem
bull Theorem If gcd(an)=1 then a(n) 1 mod n
bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues
modulo n
2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)
3 i=1(n) ri = i=1
(n) ari a(n) i=1(n) ri mod n
4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n
Zhijun Li S1034040Autumn08HIT 35
Fermatrsquos Little Theorem
bull For Eulerrsquos Theorem
Let n is p and p is a prime
Because for all 0ltaltp gcd(ap)=1 then
ap-1 1 mod p
Zhijun Li S1034040Autumn08HIT 36
bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)
bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)
bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)
Finding a-1 mod n
Zhijun Li S1034040Autumn08HIT 37
From Euclidean Algorithm
bull r0 =1r0+ 0r1 = s0r0+t0r1
bull r1 =0r0+ 1r1 = s1r0+t1r1
bull r2 = r0-q1r1 = s2r0+t2r1
bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1
helliphellipbull rn-1 = sn-1r0+tn-1r1
bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1
-1 mod r0
bull Find tn-1
Zhijun Li S1034040Autumn08HIT 38
si and ti
bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1
si=si-2-qi-1si-1
ti=ti-2-qi-1ti-1
bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0
Zhijun Li S1034040Autumn08HIT 39
Step 1 r0 =n and r1 =a
Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n
r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n
let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip
rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1
Step 3 Result is xn-2 =a-1 mod n
Extended Euclidean Algorithm
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
bull Definition The order of a finite group is the number of the elements in the group
bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S
bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H
(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a
ll coset is a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of Group Element
bull Definition The order of group element a is defined as the least positive integer n that
an = a a hellip a =e
bull The order of a is denoted as ord(a)
bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n
Zhijun Li S1034040Autumn08HIT 47
ord(a)|n Proof
bull Proofndash For group G and aG the set a a2 hellip aord
(a) and the operator of G forms a subgroup of G
aord(a)=e (ai)-1=a(ord(a)-i)
ndash This subgroup is denoted as ltagt
Zhijun Li S1034040Autumn08HIT 48
The Generator of Group
bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group
bull Examplendash Considering the ltZ7
gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod
7hellipbull lt124gt subgroup
ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator
Zhijun Li S1034040Autumn08HIT 49
Ringbull Definition A ring R=ltS+gt (+ is addition is
multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac
bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio
n and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic
ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers
e a-1 a = a-1 a = 1
bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
Field +-x
Relationship
Ring +-x
+-Group
Used In Cryptography
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
bull Zn
bull Zn
bull Zp
bull Polynomial Rings
bull Galois Field F2n
Zhijun Li S1034040Autumn08HIT 53
Zn
bull Zn is the ldquoringrdquo of integers modulo n
ndash Zn=0 1 2 hellipn-1
ndash Normal addition modulo nndash Normal multiplication modulo n
bull Example
ndash Z26 for English
ndash Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
bull Additive and multiplicative identities in Zn
ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n
bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn
bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn
ndash The elements in Zn have inverse x|gcd(xn)=1
Zhijun Li S1034040Autumn08HIT 55
Zn
bull Zn is a ldquogrouprdquo of integers modulo n
ndash Zn=x| gcd(xn)=1
ndash |Zn|=(n)
ndash Normal multiplication modulo n
bull Zn may not a group over +
ndash Example n=20 35 Zn but 3+5=8 Zn
bull So Zn may not a field
Zhijun Li S1034040Autumn08HIT 56
Zp
bull Zp is the ldquofieldrdquo of integers modulo n
ndash Zp=012hellipp-1
ndash Normal addition modulo pndash Normal multiplication modulo p
bull ExampleZ2+ 0 1
01
0 11 0
0 1
01
0 00 1
w -w w-1
01
01 1
XOR AND
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0
bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Galois Field Example: AES
• Example: 02 · 87 = ?
  – 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  – 02 = 00000010 ↔ x
  – 02 · 87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, for a byte f = (b7 b6 b5 b4 b3 b2 b1 b0), x·f(x) (i.e. 02 · f) is
  – (b6 b5 b4 b3 b2 b1 b0 0) if b7 = 0
  – (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011) if b7 = 1   (00011011 = x^4 + x^3 + x + 1 is what x^8 reduces to mod p(x))
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers
• Message space: P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai | i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• Key space: K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi | i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• Ciphertext space: C = {c | c = ek(m), k ∈ K, m ∈ M}
[Figure: Sender → Encryption (m) → c → Decryption → Receiver; the key k from the Key Space (K) reaches both ends over a secure channel; Cryptanalysis observes c. Labels: Key Space (K), Message Space (P), Ciphertext Space (C).]
Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager
Claude Shannon, 1916–2001
Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = dk(c)]
  – C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k | m = dk(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(dk(c)) )
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: an encryption scheme is Shannon secure if, for the probability distribution of P,
  ∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y
Proof of "⇐" (the two conditions imply perfect secrecy)
• Pr[x = x | y = y] = ( Σ_{k ∈ K, x = dk(y)} Pr[K = k] · Pr[x = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)] )
• Numerator: Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K|   (exactly one key maps x to y, and every key has probability 1/|K|)
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)] = (1/|K|) · Σ_{k ∈ K, y ∈ C(k)} Pr[x = dk(y)] = (1/|K|) · Σ_{x ∈ P} Pr[x = x] = 1/|K|
• Hence Pr[x = x | y = y] = Pr[x = x] · (1/|K|) / (1/|K|) = Pr[x = x]
Proof of "⇒", part 1 (perfect secrecy implies a unique key for each pair x, y)
• Assume Pr[y] > 0 for every y. Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P and y ∈ C: Pr[y | x] = Pr[y] > 0, so there exists at least one k with ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
  – so there are no k1 ≠ k2 with ek1(x) = ek2(x)
  – there is a unique key k such that ek(x) = y
Proof of "⇒", part 2 (perfect secrecy implies equiprobable keys)
• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Fix y and let k1, k2, …, kn be the keys with e_{ki}(xi) = y
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – so every key is used with the same probability, 1/|K|
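The formulas of the "Probability Distribution of C" slide and the perfect-secrecy theorem, evaluated exactly with fractions for a shift cipher over Z_n (c = m + k mod n), as an added example that is not part of the lecture. The plaintext and key distributions are constructed for the example; they compare Pr[P = m | C = c] with Pr[P = m] under uniform keys, biased keys, and a key space smaller than the message space.

```python
from fractions import Fraction as Fr
from itertools import product

def enc(k, m, n):          # e_k(m) for the shift cipher over Z_n
    return (m + k) % n

def dec(k, c, n):          # d_k(c)
    return (c - k) % n

def ciphertext_distribution(pm, pk, n):
    """Pr[C = c] = sum over k with c in C(k) of Pr[K = k] * Pr[P = d_k(c)] (slide formula)."""
    return {c: sum(pk[k] * pm[dec(k, c, n)] for k in range(n)) for c in range(n)}

def posterior(pm, pk, n):
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c], where
    Pr[C = c | P = m] = sum over k with m = d_k(c) of Pr[K = k].  None when Pr[C = c] = 0."""
    pc = ciphertext_distribution(pm, pk, n)
    post = {}
    for m, c in product(range(n), repeat=2):
        pc_given_m = sum(pk[k] for k in range(n) if dec(k, c, n) == m)
        post[(m, c)] = None if pc[c] == 0 else pc_given_m * pm[m] / pc[c]
    return post

def is_perfectly_secret(pm, pk, n):
    """Shannon's definition: Pr[P = m] = Pr[P = m | C = c] for every m and every c with Pr[C = c] > 0."""
    return all(p is None or p == pm[m] for (m, c), p in posterior(pm, pk, n).items())

N = 5
# Constructed plaintext distribution (skewed on purpose, as real message sources are)
PM = [Fr(1, 2), Fr(1, 4), Fr(1, 8), Fr(1, 16), Fr(1, 16)]
PK_UNIFORM = [Fr(1, N)] * N                                  # every key with probability 1/|K|
PK_BIASED = [Fr(1, 2), Fr(1, 8), Fr(1, 8), Fr(1, 8), Fr(1, 8)]  # keys not equiprobable
PK_SMALL = [Fr(1, 2), Fr(1, 2), Fr(0), Fr(0), Fr(0)]         # effectively |K| = 2 < |P|

if __name__ == "__main__":
    print(is_perfectly_secret(PM, PK_UNIFORM, N))   # True: one-time pad over Z_5
    print(is_perfectly_secret(PM, PK_BIASED, N))    # False
    print(posterior(PM, PK_BIASED, N)[(0, 0)])      # 4/5, not the prior 1/2
    print(is_perfectly_secret(PM, PK_SMALL, N))     # False: too few keys
```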
"Bad News" for Perfect Secrecy
• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof:
  – Consider a probability distribution on P that is nonzero everywhere
  – Given any C = c, for every m, Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
Introduction to Complexity
• Perfect secrecy: key length ≥ message length
  – Cannot use one key to encrypt many messages
  – E.g. cannot use a 56-bit key to encrypt a document (> 56 bits)
• So, in modern cryptography:
  – NOT perfect secrecy
  – Secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography
Problems
• Definition: a problem is a general question with associated parameters whose values are not specified
• Example:
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: a Turing Machine is given by a transition function S×B → S×B×{l, r}
  – where S is the set of states, B the set of tape characters, l is shift left, r is shift right
[Figure: a tape … 0 1 1 0 0 0 1 1 … read by a state machine.]
Algorithms
• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Problems and Algorithms
[Figure: a PROBLEM has many INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output.]
Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity functions (TCF):
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Complexity of Problem
• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to establish
  – It relies on mathematical analysis
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problems
• Undecidable – provably intractable
  – There is no algorithm that solves it
  – E.g. the Turing halting problem
• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: AB
  – NP – can be solved in polynomial time using an NDTM, whose transition relation is S×B → 2^(S×B×{l, r})
  – BPP – can be "solved" in polynomial time using a PTM, S×B×{0, 1} → S×B×{l, r} (randomized algorithms)
NP Problems
• NP ⊇ P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark:
  – P problems ⊆ NP problems
  – NP problems are "more difficult", intuitively
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Polynomial Reduction
• Definition: assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note:
  – Q2 is at least as complex as Q1
  – Denoted as Q1 ≤poly Q2
NP Completeness (NPC)
• Definition: an NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example:
  – Name: satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC: show SAT ≤poly Q
P = NP?
• Either P = NP, or there is some p ∈ NP with p ∉ P
• If P = NP:
  – Modern cryptography is NOT secure
• If there is p ∈ NP with p ∉ P:
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography
BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP:
  – The problem is solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – To be analyzed in depth later
Problems in Cryptography
• FACTORING: factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP (discrete logarithm): given a base g, y and p, find x satisfying g^x ≡ y (mod p)
• DHP (Diffie-Hellman): find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)
Semantic Security
• Ideas of semantic security:
  – Between Shannon security and security based on complexity
  – May leak partial information
  – Approximates perfect secrecy
• Definition of semantic security:
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack). A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game:
  – Challenger picks a random key k and a random bit b ∈ {0, 1}
  – Adversary picks M0, M1 of equal length (it may also ask for encryptions of plaintexts of its choice)
  – Challenger returns the challenge ciphertext Ek(Mb); the adversary outputs a guess b'
  – Attacker wins the game if b = b'
Bit Security
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game:
  – Challenger: 1. picks a random key k; 2. picks a random message M and sends Ek(M)
  – Adversary: 3. picks an index i and outputs a bit a
  – Attacker wins the game if a = the i'th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
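The IND-CPA game of the preceding slides simulated in Python, as an added example that is not part of the lecture: a cipher that reuses one pad for every message is deterministic, so an adversary holding an encryption oracle wins every round, while a cipher that draws a fresh random nonce per message and derives the pad with HMAC-SHA256 (a stand-in PRF chosen for the example) leaves the same adversary at a coin flip. The cipher classes, key sizes and messages are constructed for the example.

```python
import hashlib
import hmac
import random

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ReusedPadCipher:
    """Deterministic: c = m XOR k, the same 8-byte key for every message (constructed example)."""
    def __init__(self, rng):
        self.key = bytes(rng.getrandbits(8) for _ in range(8))   # challenger picks random k

    def encrypt(self, m):
        return xor_bytes(m, self.key)

class NonceCipher:
    """Randomized: c = r || (m XOR PRF_k(r)) with a fresh 8-byte r per message; PRF = HMAC-SHA256."""
    def __init__(self, rng):
        self.rng = rng
        self.key = bytes(rng.getrandbits(8) for _ in range(16))

    def encrypt(self, m):
        r = bytes(self.rng.getrandbits(8) for _ in range(8))
        pad = hmac.new(self.key, r, hashlib.sha256).digest()[:len(m)]
        return r + xor_bytes(m, pad)

def replay_adversary(oracle, m0, m1, challenge):
    """CPA adversary: ask the oracle for E_k(M0) and compare it with the challenge ciphertext."""
    return 0 if oracle(m0) == challenge else 1

def ind_cpa_win_rate(cipher_cls, adversary, trials, seed=2008):
    """Play the slide's game `trials` times and return the adversary's winning frequency."""
    rng = random.Random(seed)                        # seeded so the run is reproducible
    m0, m1 = b"MEETAT10", b"MEETAT12"                # constructed M0, M1 of equal length
    wins = 0
    for _ in range(trials):
        cipher = cipher_cls(rng)                     # challenger picks random k
        b = rng.getrandbits(1)                       # challenger picks random b
        challenge = cipher.encrypt(m1 if b else m0)  # E_k(M_b)
        wins += adversary(cipher.encrypt, m0, m1, challenge) == b
    return wins / trials

if __name__ == "__main__":
    print(ind_cpa_win_rate(ReusedPadCipher, replay_adversary, 400))   # 1.0: deterministic, not IND-CPA
    print(ind_cpa_win_rate(NonceCipher, replay_adversary, 400))       # about 0.5
```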
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework
• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due date:
Euclidean Algorithm Complexity
• Time complexity
  – Iterations: each r_i > 1; number of iterations = O(log2 a)
  – Division: each division costs O(log2^2 a)
  – T(n) = O(log2^3 n)
Modular Arithmetic
• Why modular arithmetic?
[Figure: an n-bit plaintext 01100…0100 (one of 2^n values) is transformed by + (addition) and × (multiplication) into an n-bit ciphertext 11010…0111 (one of 2^n values).]
• Problems: 1. the set of plaintexts (and ciphertexts) is finite; 2. how to define the +, −, × operations on a finite set?
Modular Operation
• Definition: a mod n (the modulo operator) is the remainder when a is divided by n
• a mod n is r, where a = qn + r (0 ≤ r < n)
Congruence Modulo n
• Definition: integers a and b are congruent modulo n
  – if a mod n = b mod n
  – denoted as a ≡ b mod n
  – Example: 100 ≡ 34 mod 11
  – a ≡ b mod n ⇔ a = b + kn for some integer k ⇔ n | (a − b)
Congruence Properties
• Properties:
  – a ≡ b (mod n), c ≡ d (mod n) ⇒ a + c ≡ b + d (mod n) and ac ≡ bd (mod n)
  – Example: 10 ≡ 1 mod 9, 10^2 ≡ 1 mod 9, …, so
    a = am·10^m + … + a1·10 + a0 ≡ am + … + a1 + a0 mod 9
  – a ≡ b (mod n), d | n ⇒ a ≡ b (mod d)
Congruence Relation
• The congruence relation is an equivalence relation
  – Reflexive: a ≡ a
  – Symmetric: a ≡ b ⇒ b ≡ a
  – Transitive: a ≡ b, b ≡ c ⇒ a ≡ c
• Equivalence relation ⇒ partition
Example: Integers Modulo 7
• Integers can always be written a = qn + r (0 ≤ r ≤ n−1)
[Figure: the integers −21, −20, …, 34 laid out in rows of seven; each column is one congruence class, i.e. one of the residues 0, …, 6 of Z7.]
Set of Residues
• Definition: if a ≡ b mod n and b < n, b is called a residue of a modulo n
• The complete set of residues modulo n
  – The set {r1, r2, …, rn} such that for every integer b exactly one ri in the set satisfies b ≡ ri mod n
• The reduced set of residues (RSR)
  – A subset of the complete set of residues in which each element is relatively prime to n
Set of Residues: Example
• N = 10
  – The complete set of residues is {0, 1, 2, …, 9}
  – The reduced set of residues is {1, 3, 7, 9}
• N = p (p prime)
  – The complete set of residues is {0, 1, 2, …, p−1}
  – The reduced set of residues is {1, 2, …, p−1}
Modular Arithmetic
• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n−1}
• Under normal arithmetic (+, ×):
  – [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • Proof: let a = q1·n + r1, b = q2·n + r2
    • (a + b) mod n = (q1·n + r1 + q2·n + r2) mod n = (r1 + r2) mod n
  – [(a mod n) × (b mod n)] mod n = (ab) mod n
• The same holds for (−)
Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, +)
[Addition table of Z8 not reproduced in the extraction.] What do you observe?
Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, ×)
[Multiplication table of Z8 not reproduced in the extraction.] NOT all elements of Z8 appear in every row.
Modular Arithmetic Remark
• Additive inverse always exists
  – (a + (−a)) ≡ 0 mod n, with −a = n − a
  – if (a + b) ≡ (a + c) mod n then b ≡ c mod n
    • ((−a) + a + b) ≡ ((−a) + a + c) mod n
• Multiplicative inverse does NOT always exist
  – Example: 6 in Z8
  – When does it exist?
Multiplicative Inverse in Modular Arithmetic
• Definition: a^-1 mod n is the multiplicative inverse of a ∈ {1, 2, …, n−1}: the x with a·x ≡ 1 mod n
• Theorem: a^-1 mod n exists if and only if gcd(a, n) = 1
• Lemma: if gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
  – Proof: assume a·i ≡ a·j mod n ⇒ n | a(i − j) ⇒ n | (i − j) ⇒ i − j = 0, a contradiction
Multiplicative Inverse Theorem
• Proof:
  – (⇐) gcd(a, n) = 1 ⇒ a·{1, …, n−1} mod n is a permutation of {1, …, n−1}
  – So there exists exactly one i with a·i ≡ 1 mod n
  – Therefore i is a^-1 mod n
  – (⇒) Suppose a^-1 exists; call it x
  – ax ≡ 1 (mod n), so ax + yn = 1 for some integer y
  – gcd(a, n) = 1 (gcd(a, n) | ax + yn ⇒ gcd(a, n) | 1)
Euler's phi Function
• Euler's "phi" function φ(n)
  – is the number of invertible elements of Zn
  – is the number of elements in the reduced set of residues modulo n
• φ(n) calculation
Chinese Remainder Theorem
• Theorem: let n1, n2, …, nk be integers s.t. gcd(ni, nj) = 1 (i ≠ j). The system
  x ≡ a1 mod n1
  x ≡ a2 mod n2
  ……
  x ≡ ak mod nk
  has a unique solution x modulo n = n1·n2·…·nk
Proof of CRT
• Consider the one-to-one map f: Zn → Zn1 × Zn2 × … × Znk,
  f(x) = (x mod n1, x mod n2, …, x mod nk)
  – CRT is finding f^-1(a1, a2, …, ak)
• f^-1(a1, a2, …, ak) = Σ_{i=1}^{k} ai·mi·yi mod n
  – mi = n/ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
  – yi = mi^-1 mod ni, 1 ≤ i ≤ k
  – mi ≡ 0 mod nj for j ≠ i ⇒ ai·mi·yi ≡ 0 mod nj for j ≠ i
  – yj = mj^-1 mod nj ⇒ mj·yj ≡ 1 mod nj ⇒ aj·mj·yj ≡ aj mod nj
  – ⇒ f^-1(a1, a2, …, ak) mod nj = aj
Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof:
  – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – So φ(mn) = φ(m)·φ(n)
Finding Euler's phi Function
• φ(n) calculation for n = Π_{i=1}^{k} pi^ei
  – φ(p) = p − 1; φ(p^e) = p^e − p^(e−1)
    • The numbers in {1, …, p^e − 1} not coprime to p^e are the multiples k·p (gcd(k·p, p^e) ≥ p) for k = 1, …, p^(e−1) − 1
    • So φ(p^e) = (p^e − 1) − (p^(e−1) − 1)
  – φ(Π_{i=1}^{k} pi^ei) = Π_{i=1}^{k} (pi^ei − pi^(ei−1))
  – φ(n) = n·(1 − 1/p1)·(1 − 1/p2)·…·(1 − 1/pk)
Euler's Theorem
• Theorem: if gcd(a, n) = 1 then a^φ(n) ≡ 1 mod n
• Proof:
  1. Let R = {r1, r2, …, rφ(n)} be the reduced set of residues modulo n
  2. {a·r1, a·r2, …, a·rφ(n)} is a permutation of R (gcd(a·ri, n) = 1)
  3. Π_{i=1}^{φ(n)} ri ≡ Π_{i=1}^{φ(n)} a·ri = a^φ(n) · Π_{i=1}^{φ(n)} ri mod n
  4. gcd(Π_{i=1}^{φ(n)} ri, n) = 1; hence a^φ(n) ≡ 1 mod n
Fermat's Little Theorem
• From Euler's Theorem:
  Let n = p with p prime.
  Because gcd(a, p) = 1 for all 0 < a < p, we get
  a^(p−1) ≡ 1 mod p
Finding a^-1 mod n
• Search through 1, …, n−1 until an a^-1 is found such that a·a^-1 ≡ 1 (mod n)
  – T(n) = O(n)
• Compute a^-1 = a^(φ(n)−1) mod n
  – Finding φ(n) ⇒ factoring n
  – T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)
From the Euclidean Algorithm
• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
• ……
• r_{n−1} = s_{n−1}·r0 + t_{n−1}·r1
• r_{n−1} = gcd(r0, r1) = 1 ⇒ s_{n−1}·r0 + t_{n−1}·r1 = 1 ⇒ t_{n−1}·r1 ≡ 1 mod r0 ⇒ t_{n−1} = r1^-1 mod r0
• Find t_{n−1}
s_i and t_i
• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
• ……
• r_i = r_{i−2} − q_{i−1}·r_{i−1} = s_{i−2}·r0 + t_{i−2}·r1 − q_{i−1}·s_{i−1}·r0 − q_{i−1}·t_{i−1}·r1 = s_i·r0 + t_i·r1
  – s_i = s_{i−2} − q_{i−1}·s_{i−1}
  – t_i = t_{i−2} − q_{i−1}·t_{i−1}
• Only t_i is needed: r_i = s_i·r0 + t_i·r1 ≡ t_i·r1 mod r0
Extended Euclidean Algorithm
• Step 1: r0 = n and r1 = a
• Step 2:
  r0 = q1·r1 + r2 ⇒ r2 = r0 − q1·r1 ≡ −q1·r1 mod n; let x2 = −q1, then r2 ≡ x2·r1 mod n
  r1 = q2·r2 + r3 ⇒ r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 mod n; let x3 = 1 − x2·q2, then r3 ≡ x3·r1 mod n
  ……
  r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1} ⇒ r_{n−1} = r_{n−3} − q_{n−2}·r_{n−2} mod n; let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r1 mod n. Now r_{n−1} = 1.
• Step 3: the result is x_{n−1} = a^-1 mod n (since x_{n−1}·a ≡ r_{n−1} = 1 mod n)
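The three inverse-finding methods listed above and the t_i recurrence of the extended Euclidean algorithm, as an added example that is not part of the lecture (function names are mine); the Euler-theorem method obtains φ(n) by counting coprime residues, which for the small n used here avoids factoring.

```python
from math import gcd

def inverse_by_search(a, n):
    """Method 1: try every candidate x in 1..n-1; O(n). None when no inverse exists."""
    for x in range(1, n):
        if a * x % n == 1:
            return x
    return None

def inverse_by_euler(a, n):
    """Method 2: a^-1 = a^(phi(n) - 1) mod n; phi(n) by counting here (only fine for small n)."""
    if gcd(a, n) != 1:
        return None
    phi_n = sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)
    return pow(a, phi_n - 1, n)

def inverse_by_extended_euclid(a, n):
    """Method 3: r_0 = n, r_1 = a, r_i = r_(i-2) - q_(i-1) r_(i-1), with t_i such that r_i = t_i a (mod n).
    Only t_i is tracked (s_i is never needed). When the last nonzero remainder is 1, its t is a^-1 mod n."""
    r_prev, r = n, a % n
    t_prev, t = 0, 1                  # t_0 = 0, t_1 = 1
    while r != 0:
        q = r_prev // r
        r_prev, r = r, r_prev - q * r        # r_i = r_(i-2) - q r_(i-1)
        t_prev, t = t, t_prev - q * t        # t_i = t_(i-2) - q t_(i-1)
    if r_prev != 1:                   # r_prev is gcd(a, n); an inverse exists only when it is 1
        return None
    return t_prev % n

def all_methods_agree(n):
    """Cross-check the three methods over every a in Z_n (all None when gcd(a, n) != 1)."""
    return all(inverse_by_search(a, n) == inverse_by_euler(a, n) == inverse_by_extended_euclid(a, n)
               for a in range(1, n))

if __name__ == "__main__":
    print(inverse_by_extended_euclid(3, 7))     # 5, since 3 * 5 = 15 = 2 * 7 + 1
    print(inverse_by_extended_euclid(17, 26))   # 23
    print(inverse_by_extended_euclid(6, 8))     # None: gcd(6, 8) = 2
```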
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Algebraic Structures
• Why structures?
  – Cryptographic transforms normally live in some structure
• Definition: an algebraic structure is a set (S) together with one (or more) operations (∘) performed on the elements of S
  – Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions
Group
• Definition: a group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions:
  – G1: a, b ∈ S ⇒ a∘b ∈ S (closure rule)
  – G2: a, b, c ∈ S ⇒ (a∘b)∘c = a∘(b∘c)
  – G3: ∃e ∈ S such that ∀a ∈ S: a∘e = e∘a = a
  – G4: ∀a ∈ S, ∃a^-1 ∈ S: a∘a^-1 = a^-1∘a = e
  – [G5, Abelian group]: ∀a, b: a∘b = b∘a
Group Examples
• ⟨Z, +⟩: e = 0, a^-1 = −a
• ⟨Zn, +⟩ (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a^-1 = n − a
• ⟨Z2, ⊕⟩ is also a group
• ⟨Zp*, ×⟩ (Zp* = {1, …, p−1}, '×' is multiplication modulo p)
Group Properties
• Definition: the order of a finite group is the number of elements in the group
• Definition: a group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S
• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G
Lagrange's Theorem: Proof
(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH since e ∈ H), so the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G
The Order of a Group Element
• Definition: the order of a group element a is the least positive integer n such that
  a^n = a∘a∘…∘a (n times) = e
• The order of a is denoted ord(a)
• Corollary: suppose G is a finite group of order n and a ∈ G; then ord(a) | n
ord(a) | n: Proof
• Proof:
  – For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G
    • a^ord(a) = e, (a^i)^-1 = a^(ord(a)−i)
  – This subgroup is denoted ⟨a⟩; it has ord(a) elements, so by Lagrange's theorem ord(a) divides n
The Generator of a Group
• Definition: if all elements of a group can be generated by a single element g, g is called a generator of the group
• Example: consider ⟨Z7*, ×⟩
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • ⟨{1, 2, 4}⟩ is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator
Ring
• Definition: a ring R = ⟨S, +, ×⟩ (+ is addition, × is multiplication) is such that
  – R1: a, b ∈ S ⇒ a + b ∈ S, a × b ∈ S (closure rule)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: a, b, c ∈ S ⇒ (a × b) × c = a × (b × c)
  – R4: a, b, c ∈ S ⇒ a × (b + c) = a × b + a × c
• Example:
  – The set of even integers with + and × is a ring
  – For two primes p, q and n = pq, Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring
Field
• Definition: a field F is ⟨S, +, ×⟩ with
  – F1: ⟨S, +, ×⟩ is a commutative ring (a × b = b × a)
  – F2: there is an identity element 1 with respect to multiplication: a × 1 = 1 × a = a
  – F3: any nonzero element a ∈ S has a unique inverse a^-1: a × a^-1 = a^-1 × a = 1
• Example:
  – Zn = ⟨{0, 1, …, n−1}, +, ×⟩ is a field if n is a prime
Relationship
[Figure: nested structures used in cryptography: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷).]
Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial rings
• Galois fields F_{2^n}
Zn
• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z26 for English letters
  – Z256 for ASCII bytes
Zn Properties
• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: yes
  – For every x in Zn there is a y such that x + y ≡ 0 mod n
• Multiplicative inverse: not for all x
  – A y such that x·y ≡ 1 mod n exists only for some x in Zn
  – The elements of Zn that have an inverse are {x | gcd(x, n) = 1}
Zn*
• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20: 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field
Zp
• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2

  +  | 0  1        ×  | 0  1        w | −w  w^-1
  ---+------       ---+------       --+---------
  0  | 0  1        0  | 0  0        0 |  0   –
  1  | 1  0        1  | 0  1        1 |  1   1

  (+ is XOR)       (× is AND)
Polynomial Ring
• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + a_{n−1}·x^(n−1) + … + a1·x + a0, where each ai ∈ R and n ≥ 0
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Polynomial Ring Example
• Example: let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x
Set of Residues Modulo p(x)
• Definition: the set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: if a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
– Q2 is at least as complex as Q1
– Denoted as Q1 ≤poly Q2

NP Completeness (NPC)
• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc.
• Example
– Name: Satisfiability problem (SAT)
– Instance: A set U of variables and a collection C of clauses over U
– Question: Is there a satisfying truth assignment for C?
• How to prove that a problem Q is NPC: show SAT ≤poly Q

P = NP?
• Either P = NP, or there exists p ∈ NP with p ∉ P
• If P = NP
– Modern cryptography is NOT secure
• If there exists p ∈ NP with p ∉ P
– A one-way function can be built based on p
– Indistinguishable pseudorandom functions exist
– These are the foundations of modern cryptography

BPP
• There are randomized algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for randomized algorithms
• Remarks on BPP
– The problem is solved with some error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful under BPP
– Will be analyzed in depth later

Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Find x satisfying g^x ≡ h (mod p)
• DHP: Find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Semantic Security
• Ideas of semantic security
– Between Shannon security and security based on complexity
– Leaks partial information
– Approximates perfect secrecy
• Definition of semantic security
– Indistinguishability of ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish ciphertext from random bits

IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
Challenger: picks random k and picks random b ∈ {0,1}
Adversary: picks M0, M1 of equal length (and later outputs a guess b')
Attacker wins the game if b = b'

Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
Challenger: 1. picks random k; 2. picks random M
Adversary: 3. picks i (and outputs a guess a)
Attacker wins the game if a = the i'th bit of M

Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure.
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security.

Summary
• Number Theory
– Prime, gcd, Euler's Theorem, CRT
– Modular arithmetic
• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)
• Shannon Security
– Perfect secrecy
– Probability
• Complexity of Computing
– P, NP, NPC, BPP

Homework
• HTTP URL
httpcsthiteducncryptography
• Due Date

Modular Arithmetic
• Why modular arithmetic?
(Figure: an n-bit Plaintext block 01100…0100, one of 2^n values, is mapped by + (addition) and × (multiplication) to an n-bit Ciphertext block 11010…0111, one of 2^n values.)
Problems: 1. the set of plaintexts (and ciphertexts) is finite; 2. how to define the +, −, × operations on a finite set?

Modular Operation
• Definition: a mod n (the modulo operator) is the remainder when a is divided by n.
• a mod n is r, where a = qn + r (0 ≤ r < n)

Congruence Modulo n
• Definition: Integers a and b are congruent modulo n
– if a mod n = b mod n
– denoted as a ≡ b mod n
– Example: 100 ≡ 34 mod 11 (both leave remainder 1)
– a ≡ b mod n ⇔ a = b + kn ⇔ n | (a − b)

Congruence Properties
• Properties
– a ≡ b (mod n), c ≡ d (mod n) ⇒
a + c ≡ b + d (mod n)
ac ≡ bd (mod n)
– Example:
10 ≡ 1 mod 9, 10^2 ≡ 1 mod 9, …
a = am·10^m + … + a1·10 + a0 ≡ am + … + a1 + a0 mod 9
– a ≡ b (mod n), d | n ⇒ a ≡ b (mod d)

Congruence Relation
• The congruence relation is an equivalence relation
– Reflexive: a ≡ a
– Symmetric: a ≡ b ⇒ b ≡ a
– Transitive: a ≡ b, b ≡ c ⇒ a ≡ c
• Equivalence relation ⇒ partition

Example: Integers Modulo 7
• Integers can always be written a = qn + r (0 ≤ r ≤ n − 1)
(Figure: the integers −21, −20, …, 33, 34 laid out in rows of seven; each column is one congruence class, giving Z7, the residues modulo 7.)

Set of Residues
• Definition: if a ≡ b mod n and b < n, b is called a residue of a modulo n.
• The complete set of residues modulo n
– The set {r1, r2, …, rn} such that for every integer b exactly one ri in the set satisfies b ≡ ri mod n
• The reduced set of residues (RSR)
– A subset of the complete set of residues in which each element is relatively prime to n

Set of Residues: Example
• N = 10
– The complete set of residues is {0, 1, 2, …, 9}
– The reduced set of residues is {1, 3, 7, 9}
• N = p (p is a prime)
– The complete set of residues is {0, 1, 2, …, p − 1}
– The reduced set of residues is {1, 2, …, p − 1}

Modular Arithmetic
• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n − 1}
• Under normal arithmetic (+, ×)
– [(a mod n) + (b mod n)] mod n = (a + b) mod n
• Proof: Let a = q1·n + r1, b = q2·n + r2
• (a + b) mod n = (q1·n + r1 + q2·n + r2) mod n = (r1 + r2) mod n = [(a mod n) + (b mod n)] mod n
– [(a mod n) × (b mod n)] mod n = (ab) mod n
• (+, ×), (−)

Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, +)
What?

Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, ×)
NOT all elements of Z8 appear in every row

Modular Arithmetic Remark
• Additive inverse always exists
– (a + (−a)) ≡ 0 mod n, −a = n − a
– if (a + b) ≡ (a + c) mod n then b ≡ c mod n
• ((−a) + a + b) ≡ ((−a) + a + c) mod n
• Multiplicative inverse does NOT always exist
– Example: 6 in Z8
– When?

Multiplicative Inverse in Modular Arithmetic
• Definition: a^(−1) mod n is the multiplicative inverse x of a ∈ {1, 2, …, n − 1} such that a·x ≡ 1 mod n
• Theorem: a^(−1) mod n exists if and only if gcd(a, n) = 1
• Lemma: If gcd(a, n) = 1 then ai ≢ aj mod n for all 0 ≤ i < j < n (i ≠ j)
– Proof: assume ai ≡ aj mod n ⇒ n | a(i − j) ⇒ n | (i − j) ⇒ i − j = 0

Multiplicative Inverse Theorem
• Proof
(⇐)
– gcd(a, n) = 1 ⇒ a·1, …, a·(n − 1) mod n is a permutation of 1, …, n − 1
– So there exists exactly one i with ai ≡ 1 mod n
– Therefore i is a^(−1) mod n
(⇒)
– Suppose a^(−1) exists; call it x
– ax ≡ 1 (mod n), so ax + yn = 1 for some integer y
– gcd(a, n) = 1 (gcd(a, n) | ax + yn ⇒ gcd(a, n) | 1)

Euler's phi Function
• Euler's "phi" function φ(n)
– is the number of invertible elements of Zn
– is the number of elements in the reduced set of residues modulo n
φ(n) calculation

Chinese Remainder Theorem
• Theorem: let n1, n2, …, nk be integers s.t. gcd(ni, nj) = 1 (i ≠ j). The system
x ≡ a1 mod n1
x ≡ a2 mod n2
……
x ≡ ak mod nk
has a unique solution x modulo n = n1·n2·…·nk

Proof of CRT
• Consider the one-to-one map χ: Zn → Zn1 × Zn2 × … × Znk,
χ(x) = (x mod n1, x mod n2, …, x mod nk)
– CRT is finding χ^(−1)(a1, a2, …, ak)
χ^(−1)(a1, a2, …, ak) = Σ_{i=1}^{k} ai·mi·yi mod n
– mi = n / ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
– yi = mi^(−1) mod ni, 1 ≤ i ≤ k
– mi ≡ 0 mod nj for j ≠ i ⇒ ai·mi·yi ≡ 0 mod nj for j ≠ i
– yj ≡ mj^(−1) mod nj ⇒ mj·yj ≡ 1 mod nj ⇒ aj·mj·yj ≡ aj mod nj
⇒ χ^(−1)(a1, a2, …, ak) mod nj = aj

Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof
– A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
– A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
– So φ(mn) = φ(m)·φ(n)

Finding Euler's phi Function
φ(n) calculation for n = Π_{i=1}^{k} pi^ei:
• φ(p) = p − 1; φ(p^e) = p^e − p^(e−1)
– The numbers in 1 … p^e − 1 that are not coprime to p^e are kp for k = 1, …, p^(e−1) − 1 (each gcd(kp, p^e) is divisible by p)
– So φ(p^e) = (p^e − 1) − (p^(e−1) − 1) = p^e − p^(e−1)
• φ(Π_{i=1}^{k} pi^ei) = Π_{i=1}^{k} (pi^ei − pi^(ei−1))
• φ(n) = n·(1 − 1/p1)(1 − 1/p2)…(1 − 1/pk)

Euler's Theorem
• Theorem: If gcd(a, n) = 1 then a^φ(n) ≡ 1 mod n
• Proof:
1. Let R = {r1, r2, …, rφ(n)} be a reduced set of residues modulo n
2. a·r1, a·r2, …, a·rφ(n) is a permutation of R (gcd(a·ri, n) = 1)
3. Π_{i=1}^{φ(n)} ri ≡ Π_{i=1}^{φ(n)} a·ri ≡ a^φ(n) · Π_{i=1}^{φ(n)} ri mod n
4. gcd(Π_{i=1}^{φ(n)} ri, n) = 1, hence a^φ(n) ≡ 1 mod n

Fermat's Little Theorem
• From Euler's Theorem:
Let n = p, where p is a prime.
Because for all 0 < a < p, gcd(a, p) = 1, we get
a^(p−1) ≡ 1 mod p

Finding a^(−1) mod n
• Search through 1 … n − 1 until an a^(−1) is found such that a·a^(−1) ≡ 1 (mod n)
– T(n) = O(n)
• Compute a^(−1) = a^(φ(n)−1) mod n
– Finding φ(n) requires factoring n
– T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
– T(n) = O(log^a n)

From the Euclidean Algorithm
• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
……
• r(n−1) = s(n−1)·r0 + t(n−1)·r1
• r(n−1) = gcd(r0, r1)
• s(n−1)·r0 + t(n−1)·r1 = 1 ⇒ t(n−1)·r1 ≡ 1 mod r0 ⇒ t(n−1) ≡ r1^(−1) mod r0
• Find t(n−1)

si and ti
• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
……
• ri = r(i−2) − q(i−1)·r(i−1) = s(i−2)·r0 + t(i−2)·r1 − q(i−1)·s(i−1)·r0 − q(i−1)·t(i−1)·r1 = si·r0 + ti·r1
si = s(i−2) − q(i−1)·s(i−1)
ti = t(i−2) − q(i−1)·t(i−1)
• Only ti is needed
• ri = si·r0 + ti·r1 ≡ ti·r1 mod r0

Extended Euclidean Algorithm
Step 1: r0 = n and r1 = a
Step 2: r0 = q1·r1 + r2, r2 = r0 − q1·r1 ≡ −q1·r1 mod n; let x2 = −q1, then r2 ≡ x2·r1 mod n
r1 = q2·r2 + r3, r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 mod n; let x3 = 1 − x2·q2, then r3 ≡ x3·r1 mod n
……
r(n−3) = q(n−2)·r(n−2) + r(n−1), r(n−1) = r(n−3) − q(n−2)·r(n−2) mod n; let x(n−1) = x(n−3) − x(n−2)·q(n−2), then r(n−1) ≡ x(n−1)·r1 mod n. Now r(n−1) = 1.
Step 3: Result is x(n−1) = a^(−1) mod n
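The Extended Euclidean Algorithm written as the t_i recurrence of the three slides above (only t_i is tracked; s_i is not needed), beside the brute-force search of the "Finding a^(−1) mod n" slide, and a listing of which elements of Z_n are invertible. This is an added example, not code from the slides; the function names are chosen here.

```python
# Added example (not from the slides): a^{-1} mod n by the t_i recurrence
# r_i = r_{i-2} - q_{i-1} r_{i-1},  t_i = t_{i-2} - q_{i-1} t_{i-1},
# with r_0 = n, r_1 = a, so that r_i = t_i * a (mod n) at every step.

def inverse_by_search(a: int, n: int):
    """Method 1 of the slides: try x = 1..n-1 until a*x = 1 (mod n). T(n) = O(n)."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    return None                      # no inverse: gcd(a, n) != 1

def inverse_by_ext_euclid(a: int, n: int):
    """Method 3 of the slides: Extended Euclidean Algorithm.

    Returns a^{-1} mod n, or None when gcd(a, n) != 1 (no inverse exists).
    """
    r_prev, r_cur = n, a % n         # r_0 = n, r_1 = a
    t_prev, t_cur = 0, 1             # t_0 = 0, t_1 = 1
    while r_cur != 0:
        q = r_prev // r_cur          # q_i
        r_prev, r_cur = r_cur, r_prev - q * r_cur   # r_{i+1} = r_{i-1} - q_i r_i
        t_prev, t_cur = t_cur, t_prev - q * t_cur   # t_{i+1} = t_{i-1} - q_i t_i
    if r_prev != 1:                  # r_prev is gcd(a, n); inverse needs gcd 1
        return None
    return t_prev % n                # t may be negative; reduce into Z_n

def invertible_elements(n: int):
    """The reduced set of residues modulo n: the x in Z_n with an inverse."""
    return [x for x in range(1, n) if inverse_by_ext_euclid(x, n) is not None]
```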

Outline
• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Algebraic Structures
• Why structures?
– Cryptographic transforms normally live in some structure
• Definition: An algebraic structure is the collection of a set S with one (or more) operations ∘ performed on the elements of S
– Different algebraic structures are <S, ∘> satisfying some specific conditions

Group
• Definition: A group G = <S, ∘> is an algebraic structure that satisfies the following conditions:
– G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
– G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c) (associativity)
– G3: ∃e ∈ S, ∀a ∈ S, a∘e = e∘a = a (identity)
– G4: ∀a ∈ S, ∃a^(−1) ∈ S, a∘a^(−1) = a^(−1)∘a = e (inverse)
– [G5: Abelian group] ∀a, b: a∘b = b∘a

Group Example
• <Z, +>: e = 0, a^(−1) = −a
• <Zn, +> (Zn = {0, 1, …, n − 1}, '+' is addition modulo n): e = 0, a^(−1) = n − a
• <Z2, ∘> is also a group
• <Zp*, ×> (Zp* = {1, …, p − 1}, '×' is multiplication modulo p)

Group Properties
• Definition: The order of a finite group is the number of elements in the group.
• Definition: A group G1 = <S1, ∘> is a subgroup of the group G = <S, ∘> if S1 ⊆ S.
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G.

Lagrange's Theorem: Proof
(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H.
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH since e ∈ H). So the cosets form a partition of G.
(4) The order of aH = the order of H
So the order of H divides the order of G.

The Order of a Group Element
• Definition: The order of a group element a is the least positive integer n such that
a^n = a∘a∘…∘a = e
• The order of a is denoted ord(a)
• Corollary: Suppose G is a finite group of order n and a ∈ G; then ord(a) | n

ord(a) | n: Proof
• Proof
– For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G:
a^ord(a) = e, (a^i)^(−1) = a^(ord(a) − i)
– This subgroup is denoted <a>

The Generator of a Group
• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group.
• Example
– Consider <Z7*, ×>
– 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
• <{1, 2, 4}> is a subgroup
– 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
• 3 is a generator

Ring
• Definition: A ring R = <S, +, ×> (+ is addition, × is multiplication) is such that
– R1: ∀a, b ∈ S, a + b ∈ S, a × b ∈ S (closure rule)
– R2: <S, +> is an additive Abelian group
– R3: ∀a, b, c ∈ S, (a × b) × c = a × (b × c)
– R4: ∀a, b, c ∈ S, a × (b + c) = a × b + a × c
• Example
– The set of even integers with + and × is a ring
– p, q two primes, n = pq: Zn = {0, 1, …, n − 1} with addition and multiplication mod n is a ring

Field
• Definition: A field F is <S, +, ×> with
– F1: <S, +, ×> is a commutative ring (a × b = b × a)
– F2: there exists an identity element 1 with respect to multiplication: a × 1 = 1 × a = a
– F3: any nonzero element a ∈ S has a unique inverse a^(−1): a × a^(−1) = a^(−1) × a = 1
• Example
– Zn = <{0, 1, …, n − 1}, +, ×> is a field if n is a prime

Relationship
(Figure: nested structures, from outermost to innermost: Group (+, −) ⊃ Ring (+, −, ×) ⊃ Field (+, −, ×, ÷); these are the structures used in cryptography.)

Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F(2^n)

Zn
• Zn is the "ring" of integers modulo n
– Zn = {0, 1, 2, …, n − 1}
– Normal addition modulo n
– Normal multiplication modulo n
• Example
– Z26 for English
– Z256 for ASCII

Zn Properties
• Additive and multiplicative identities in Zn
– Additive identity is 0 mod n
– Multiplicative identity is 1 mod n
• Additive inverse: yes
– For every x in Zn there is a y such that x + y = 0
• Multiplicative inverse: not for all x
– A y such that xy = 1 exists only for some x in Zn
– The elements of Zn that have an inverse: {x | gcd(x, n) = 1}

Zn*
• Zn* is a "group" of integers modulo n
– Zn* = {x | gcd(x, n) = 1}
– |Zn*| = φ(n)
– Normal multiplication modulo n
• Zn* may not be a group over +
– Example: n = 20, 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field

Zp
• Zp is the "field" of integers modulo p
– Zp = {0, 1, 2, …, p − 1}
– Normal addition modulo p
– Normal multiplication modulo p
• Example: Z2
+ | 0 1
0 | 0 1
1 | 1 0
× | 0 1
0 | 0 0
1 | 0 1
w | −w | w^(−1)
0 | 0 | –
1 | 1 | 1
(+ is XOR, × is AND)

Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + a(n−1)·x^(n−1) + … + a1·x + a0, where each ai ∈ R and n ≥ 0.
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R.

Polynomial Ring Example
• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
– f(x) + g(x) = x^3 + x^2 + 1
– f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
– f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
– p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
– In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
• 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^(−1)(x) mod p(x)

Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
– x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1) Properties
• S is a group over addition in R
– 0 is e and the inverse of a ∈ S is a itself
– Example: (x^2 + 1) + (x^2 + 1) = 0
• S is a group over multiplication mod p(x)
– 1 is e and the inverse of a ∈ S exists
– Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
– Note: the Extended Euclidean Algorithm can be used to find inverses
• Z2[x]/(x^3 + x + 1) is a field

Galois Field
• Definition: Galois field = (S, +, ×)
– S = F[x]/p(x)
– F is the field ZN (N is prime)
– + is addition in F, × is multiplication modulo p(x)
– p(x) is irreducible
• The Galois field over ZN[x]/p(x) is denoted GF(N^n) when n = deg p(x)

Why Galois Field
• For an 8-bit block
– Z256 = {0, 1, …, 255} is not a field
– Z251 = {0, 1, …, 250} is a field
• The largest prime < 256 is 251
• 251 … 255 are wasted
• Is it possible to find a field for Z256?
– Yes – a Galois field

Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES
• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
– 01010011 ↔ x^6 + x^4 + x + 1
– (01010011)^(−1) ↔ (x^6 + x^4 + x + 1)^(−1) mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES
• Example: 02 · 87 = ?
• 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
• 02 = 00000010 ↔ f(x) = x
• 02 · 87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, for a byte b7 b6 b5 b4 b3 b2 b1 b0:
x·f(x) ↔ 02 · (b7 … b0) = (b6 b5 b4 b3 b2 b1 b0 0) if b7 = 0
x·f(x) ↔ 02 · (b7 … b0) = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011) if b7 = 1
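GF(2^8) arithmetic for the two AES slides above: the 02 multiplication with the 00011011 reduction, general multiplication as a carry-less product followed by reduction (as in the Z2[x] examples earlier), and the inverse via the Extended Euclidean Algorithm over polynomials. This is an added example, not AES reference code; the constants and function names are chosen here and bytes stand for polynomials with bit i ↔ x^i.

```python
# Added example (not from the slides): GF(2^8) = Z2[x]/p(x), p(x) = x^8+x^4+x^3+x+1.
AES_POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1  (9 bits, constructed constant name)
REDUCE = 0x1B             # x^8 mod p(x) = x^4 + x^3 + x + 1 = 00011011

def xtime(b: int) -> int:
    """Multiply a byte by x (= 02): shift left, then XOR 00011011 if b7 was set."""
    b &= 0xFF
    shifted = (b << 1) & 0xFF                    # (b6 b5 b4 b3 b2 b1 b0 0)
    return shifted ^ REDUCE if b & 0x80 else shifted

def clmul(a: int, b: int) -> int:
    """Carry-less product: polynomial multiplication over Z2 without reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_mod(a: int, p: int) -> int:
    """a(x) mod p(x) over Z2 by long division (XOR out the leading term)."""
    dp = p.bit_length() - 1
    while a and a.bit_length() - 1 >= dp:
        a ^= p << (a.bit_length() - 1 - dp)
    return a

def gf_mul(a: int, b: int, p: int = AES_POLY) -> int:
    """General multiplication in Z2[x]/p(x)."""
    return poly_mod(clmul(a, b), p)

def gf_inv(a: int, p: int = AES_POLY) -> int:
    """Inverse in Z2[x]/p(x) by the Extended Euclidean Algorithm over polynomials.

    Same t_i recurrence as for integers, with XOR for +/- and clmul for *.
    Raises for 0, which has no inverse.
    """
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in a field")
    r_prev, r_cur = p, a
    t_prev, t_cur = 0, 1
    while r_cur:
        q, rem = 0, r_prev                       # q = r_prev div r_cur, rem = r_prev mod r_cur
        dc = r_cur.bit_length() - 1
        while rem and rem.bit_length() - 1 >= dc:
            shift = rem.bit_length() - 1 - dc
            q ^= 1 << shift
            rem ^= r_cur << shift
        r_prev, r_cur = r_cur, rem
        t_prev, t_cur = t_cur, t_prev ^ clmul(q, t_cur)
    return poly_mod(t_prev, p)                   # r_prev == 1 since p is irreducible

def poly_str(b: int) -> str:
    """Render a byte as a polynomial, e.g. 0x57 -> 'x^6+x^4+x^2+x+1'."""
    terms = [("x^%d" % i if i > 1 else ("x" if i == 1 else "1"))
             for i in range(b.bit_length() - 1, -1, -1) if b >> i & 1]
    return "+".join(terms) if terms else "0"
```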

Outline
• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Mathematical Model for Ciphers
• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
– M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
– B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = {c | c = ek(m), k ∈ K, m ∈ M}
(Figure: Sender → Encryption → c → Decryption → Receiver; the key k reaches both ends over a Secure Channel; Cryptanalysis observes c and tries to recover m. Key Space (K), Message Space (P), Ciphertext Space (C).)

Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager
Claude Shannon, 1916–2001

Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = dk(c)]
– C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
• Pr[P = m | C = c]
= Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
= (Pr(m) · Σ_{k | m = dk(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(dk(c)))

Shannon Security
• Basic idea: ciphertext should provide no "information" about plaintext
– How to define "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P,
∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|.
• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and ∀x ∈ P, ∀y ∈ C there is a unique key k such that ek(x) = y

Proof of (⇐)
• Pr[x = x | y = y] = Σ_{k ∈ K, x = dk(y)} Pr[K = k] · Pr[x = x] / Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)]
• Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K|
• Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)] = 1/|K| · Σ_{k ∈ K, y ∈ C(k)} Pr[x = dk(y)] = 1/|K| · Σ_{x ∈ P} Pr[x = x] = 1/|K|
• Hence Pr[x = x | y = y] = Pr[x = x]

Proof of (⇒)
• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
– There are no k1 ≠ k2 with ek1(x) = ek2(x)
– There is a unique key k such that ek(x) = y

Proof of (⇒), continued
• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with eki(xi) = y
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
– Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n.
• Proof
– Consider a nonzero probability distribution of P
– Given any C = c, for every m
Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
– As one key decrypts c into only one message, at least n keys are needed
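The Pr[P = m | C = c] formula of the "Probability Distribution of C" slide and the perfect-secrecy test of the Shannon Security slide, computed exactly with fractions for a constructed shift cipher over Z_4. This is an added example, not code from the slides; the cipher, the plaintext and key distributions and all function names are constructed here, and key_reuse_example shows one key reused for two letters failing the test, as the "Bad News" theorem predicts.

```python
# Added example (not from the slides): perfect secrecy checked numerically.
from fractions import Fraction
from itertools import product

def posterior_table(enc, dec, plain_dist, key_dist):
    """Return {(m, c): Pr[P=m | C=c]} for every c with Pr[C=c] > 0.

    Pr[C=c]     = sum over k with c in C(k) of Pr[K=k] * Pr[P=d_k(c)]
    Pr[C=c|P=m] = sum over k with d_k(c) = m of Pr[K=k]
    Pr[P=m|C=c] = Pr[C=c|P=m] * Pr[P=m] / Pr[C=c]
    """
    messages = list(plain_dist)
    keys = list(key_dist)
    ciphers = {enc(k, m) for k in keys for m in messages}
    post = {}
    for c in ciphers:
        pr_c = sum(key_dist[k] * plain_dist.get(dec(k, c), Fraction(0)) for k in keys)
        if pr_c == 0:
            continue
        for m in messages:
            pr_c_given_m = sum(key_dist[k] for k in keys if dec(k, c) == m)
            post[(m, c)] = pr_c_given_m * plain_dist[m] / pr_c
    return post

def is_perfectly_secret(enc, dec, plain_dist, key_dist):
    """Shannon's condition: Pr[P=m] = Pr[P=m | C=c] for every m and every c."""
    post = posterior_table(enc, dec, plain_dist, key_dist)
    return all(post[(m, c)] == plain_dist[m] for (m, c) in post)

def shift_cipher(n):
    """Constructed toy cipher on Z_n: e_k(m) = m + k mod n, d_k(c) = c - k mod n."""
    return (lambda k, m: (m + k) % n), (lambda k, c: (c - k) % n)

def uniform(n):
    return {k: Fraction(1, n) for k in range(n)}

# Constructed sample: |P| = |C| = |K| = 4 with a skewed plaintext distribution.
N = 4
ENC, DEC = shift_cipher(N)
PLAIN = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
UNIFORM_KEYS = uniform(N)                       # satisfies the theorem's conditions
BIASED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}

def key_reuse_example():
    """One key encrypting two letters: |K| = 4 < |P| = 16, so perfect secrecy
    must fail. Returns True iff the test still passes (it does not)."""
    two_enc = lambda k, m: ((m[0] + k) % N, (m[1] + k) % N)
    two_dec = lambda k, c: ((c[0] - k) % N, (c[1] - k) % N)
    pairs = {(a, b): PLAIN[a] * PLAIN[b] for a, b in product(range(N), repeat=2)}
    return is_perfectly_secret(two_enc, two_dec, pairs, UNIFORM_KEYS)
```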

Introduction of Complexity
• Perfect secrecy: key length ≥ message length
– Cannot use one key to encrypt many messages
– Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
– NOT perfect secrecy
– IS secure under limited resources (complexity)
– Meaning that key (or plaintext) recovery is difficult
– Complexity is the foundation of modern cryptography

Problems
• Definition: A problem is a general question with associated parameters whose values are not specified.
• Example
– Name: GCD problem
– Instance: two natural numbers a, b ∈ N
– Question: what is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine
• Definition: A Turing Machine is a transition function S×B → S×B×{l, r}
– where S is the set of states, B the characters, l is shift left, r is shift right
(Figure: tape … 0 1 1 0 0 0 1 1 … read by the State Machine)
Zhijun Li S1034040Autumn08HIT 16
Modular Operation
bull Definition a mod n(modulo operator) is the remainder when a is divided by n
bull a mod n is r a=qn+r (0ltrltn)
Zhijun Li S1034040Autumn08HIT 17
Congruence Modulo n
bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)
Zhijun Li S1034040Autumn08HIT 18
Congruence Properties
bull Propertiesndash a b (mod n) c d (mod n)
a+c b+d (mod n)
ac bd (mod n)ndash Example
10 1 mod 9 102 1 mod 9 hellip
a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9
ndash a b (mod n) d|n a b (mod d)
Zhijun Li S1034040Autumn08HIT 19
Congruence Relation
bull Congruence relation is an equivalence relationndash Reflexive
bull a andash Symmetric
bull a b b a ndash Transitive
bull a b b c a c
bull Equivalence relation Partition
Zhijun Li S1034040Autumn08HIT 20
Example Integers Modulo 7
bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence
Z7 residues modulo 7
Zhijun Li S1034040Autumn08HIT 21
Set of Residues
bull Definition if a b mod n and bltn b is called a residue of a modulo n
bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i
n the set satisfies bri mod n
bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele
ment is relatively prime to n
Zhijun Li S1034040Autumn08HIT 22
Set of Residues Example
bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379
bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1

Modular Arithmetic
• We can define modular arithmetic on the set of integers Zₙ = {0, 1, 2, …, n − 1}
• Under normal arithmetic (+, ×):
 – [(a mod n) + (b mod n)] mod n = (a + b) mod n
   • Proof: Let a = q₁n + r₁, b = q₂n + r₂
   • (a + b) mod n = (q₁n + r₁ + q₂n + r₂) mod n = (r₁ + r₂) mod n
 – [(a mod n) × (b mod n)] mod n = (ab) mod n
• From (+, ×) we also obtain (−)

Modular Arithmetic Example
• (Z₈ = {0, 1, 2, …, 7}, +)
 – What?
• (Z₈ = {0, 1, 2, …, 7}, ×)
 – NOT all elements in Z₈ appear in every row of the multiplication table

Modular Arithmetic Remark
• Additive inverse always exists
 – (a + (−a)) ≡ 0 mod n, −a = n − a
 – if (a + b) ≡ (a + c) mod n then b ≡ c mod n
   • ((−a) + a + b) ≡ ((−a) + a + c) mod n
• Multiplicative inverse does NOT always exist
 – Example: 6 in Z₈
 – When?

Multiplicative Inverse in Modular Arithmetic
• Definition: a⁻¹ mod n is the multiplicative inverse of a ∈ {1, 2, …, n − 1}: the x with a·x ≡ 1 mod n
• Theorem: a⁻¹ mod n exists if and only if gcd(a, n) = 1
• Lemma: If gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
 – Proof: assume a·i ≡ a·j mod n ⇒ n | a(i − j) ⇒ n | (i − j) ⇒ i − j = 0, contradicting i < j

Multiplicative Inverse Theorem
• Proof
 – (⇐) gcd(a, n) = 1 ⇒ a·{1, …, n − 1} mod n is a permutation of {1, …, n − 1}
 – So there exists exactly one i with a·i ≡ 1 mod n
 – Therefore i is a⁻¹ mod n
 – (⇒) Suppose a⁻¹ exists; call it x
 – a·x ≡ 1 (mod n) ⇒ a·x + y·n = 1 for some integer y
 – ⇒ gcd(a, n) = 1 (gcd(a, n) | ax + yn ⇒ gcd(a, n) | 1)

Euler's phi Function
• Euler's "phi" function φ(n)
 – is the number of invertible elements of Zₙ
 – is the number of elements in the reduced set of residues modulo n
• φ(n) calculation?

Chinese Remainder Theorem
• Theorem: let n₁, n₂, …, nₖ be integers s.t. gcd(nᵢ, nⱼ) = 1 (i ≠ j)
   x ≡ a₁ mod n₁
   x ≡ a₂ mod n₂
   ……
   x ≡ aₖ mod nₖ
  There exists a unique solution x modulo n = n₁n₂…nₖ

Proof of CRT
• Consider the one-to-one map Φ: Zₙ → Zₙ₁ × Zₙ₂ × … × Zₙₖ
   Φ(x) = (x mod n₁, x mod n₂, …, x mod nₖ)
 – CRT is to find Φ⁻¹(a₁, a₂, …, aₖ)
   Φ⁻¹(a₁, a₂, …, aₖ) = Σᵢ₌₁ᵏ aᵢmᵢyᵢ mod n
 – mᵢ = n / nᵢ, gcd(mᵢ, nᵢ) = 1, 1 ≤ i ≤ k
 – yᵢ = mᵢ⁻¹ mod nᵢ, 1 ≤ i ≤ k
 – mᵢ ≡ 0 mod nⱼ for j ≠ i ⇒ aᵢmᵢyᵢ ≡ 0 mod nⱼ for j ≠ i
 – yⱼ ≡ mⱼ⁻¹ mod nⱼ ⇒ mⱼyⱼ ≡ 1 mod nⱼ ⇒ aⱼmⱼyⱼ ≡ aⱼ mod nⱼ
 ⇒ Φ⁻¹(a₁, a₂, …, aₖ) mod nⱼ = aⱼ
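The CRT construction from the proof, as an added example that is not part of the slides: x = Σ aᵢmᵢyᵢ mod n with mᵢ = n/nᵢ and yᵢ = mᵢ⁻¹ mod nᵢ, plus a check that Φ is a bijection on Zₙ. It assumes Python 3.8+ for the built-in modular inverse pow(m, -1, n); the moduli and residues used are constructed.

```python
# Added example (not from the lecture slides): the CRT formula
# x = sum_i a_i * m_i * y_i mod n, with m_i = n / n_i and y_i = m_i^-1 mod n_i.
# Assumes Python 3.8+ for pow(m, -1, n) (built-in modular inverse) and math.prod.
from math import gcd, prod


def crt(residues, moduli):
    """Return the unique x in Z_n (n = product of moduli) with x = a_i mod n_i.

    residues = (a_1, ..., a_k), moduli = (n_1, ..., n_k).
    Raises ValueError when the moduli are not pairwise coprime: then Phi is not
    one-to-one and the formula does not apply.
    """
    if len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    n = prod(moduli)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i              # m_i = 0 mod n_j for every j != i
        y_i = pow(m_i, -1, n_i)     # y_i = m_i^-1 mod n_i, exists since gcd(m_i, n_i) = 1
        x += a_i * m_i * y_i        # contributes a_i mod n_i and 0 mod every n_j, j != i
    return x % n


def phi_map(x, moduli):
    """The map Phi from the proof: x -> (x mod n_1, ..., x mod n_k)."""
    return tuple(x % n_i for n_i in moduli)


def is_bijection(moduli):
    """Phi is one-to-one on Z_n: crt() inverts Phi(x) back to x for every x in Z_n."""
    n = prod(moduli)
    return all(crt(phi_map(x, moduli), moduli) == x for x in range(n))


if __name__ == "__main__":
    # Constructed instance: x = 2 mod 3, x = 3 mod 5, x = 2 mod 7  ->  x = 23 mod 105
    print(crt([2, 3, 2], [3, 5, 7]))        # 23
    print(is_bijection([3, 5, 7]))          # True
```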

Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)φ(n)
• Proof
 – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
 – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
 – So φ(mn) = φ(m)φ(n)

Finding Euler's phi Function
• φ(n) calculation for n = ∏ᵢ₌₁ᵏ pᵢ^eᵢ
• φ(p) = p − 1, φ(pᵉ) = pᵉ − pᵉ⁻¹
 – The numbers kp, k = 1, …, pᵉ⁻¹ − 1, share the factor p with pᵉ, so they are not coprime to pᵉ
 – So φ(pᵉ) = (pᵉ − 1) − (pᵉ⁻¹ − 1)
• φ(∏ᵢ₌₁ᵏ pᵢ^eᵢ) = ∏ᵢ₌₁ᵏ (pᵢ^eᵢ − pᵢ^(eᵢ−1))
• φ(n) = n(1 − 1/p₁)(1 − 1/p₂)…(1 − 1/pₖ)

Euler's Theorem
• Theorem: If gcd(a, n) = 1 then a^φ(n) ≡ 1 mod n
• Proof:
 1. Let R = {r₁, r₂, …, r_φ(n)} be a reduced set of residues modulo n
 2. {ar₁, ar₂, …, ar_φ(n)} is a permutation of R (gcd(arᵢ, n) = 1)
 3. ∏ᵢ₌₁^φ(n) rᵢ ≡ ∏ᵢ₌₁^φ(n) arᵢ ≡ a^φ(n) · ∏ᵢ₌₁^φ(n) rᵢ mod n
 4. gcd(∏ᵢ₌₁^φ(n) rᵢ, n) = 1. Hence a^φ(n) ≡ 1 mod n

Fermat's Little Theorem
• From Euler's Theorem:
  Let n = p with p prime.
  Because gcd(a, p) = 1 for all 0 < a < p,
  a^(p−1) ≡ 1 mod p

Finding a⁻¹ mod n
• Search through 1, …, n − 1 until an a⁻¹ is found such that a·a⁻¹ ≡ 1 (mod n)
 – T(n) = O(n)
• Compute a⁻¹ = a^(φ(n)−1) mod n
 – Finding φ(n) ⇔ factoring n
 – T(n) = O(nᵃ)
• Use the Extended Euclidean Algorithm
 – T(n) = O(logᵃ n)

From Euclidean Algorithm
• r₀ = 1·r₀ + 0·r₁ = s₀r₀ + t₀r₁
• r₁ = 0·r₀ + 1·r₁ = s₁r₀ + t₁r₁
• r₂ = r₀ − q₁r₁ = s₂r₀ + t₂r₁
• r₃ = r₁ − q₂r₂ = r₁ − q₂(r₀ − q₁r₁) = s₃r₀ + t₃r₁
……
• rₙ₋₁ = sₙ₋₁r₀ + tₙ₋₁r₁
• rₙ₋₁ = gcd(r₀, r₁)
• sₙ₋₁r₀ + tₙ₋₁r₁ = 1 ⇒ tₙ₋₁r₁ ≡ 1 mod r₀ ⇒ tₙ₋₁ ≡ r₁⁻¹ mod r₀
• Find tₙ₋₁

sᵢ and tᵢ
• r₀ = s₀r₀ + t₀r₁, s₀ = 1, t₀ = 0
• r₁ = s₁r₀ + t₁r₁, s₁ = 0, t₁ = 1
……
• rᵢ = rᵢ₋₂ − qᵢ₋₁rᵢ₋₁ = sᵢ₋₂r₀ + tᵢ₋₂r₁ − qᵢ₋₁sᵢ₋₁r₀ − qᵢ₋₁tᵢ₋₁r₁ = sᵢr₀ + tᵢr₁
   sᵢ = sᵢ₋₂ − qᵢ₋₁sᵢ₋₁
   tᵢ = tᵢ₋₂ − qᵢ₋₁tᵢ₋₁
• Only tᵢ is needed
• rᵢ = sᵢr₀ + tᵢr₁ ≡ tᵢr₁ mod r₀

Extended Euclidean Algorithm
Step 1: r₀ = n and r₁ = a
Step 2: r₀ = q₁r₁ + r₂, r₂ = r₀ − q₁r₁ ≡ −q₁r₁ mod n; let x₂ = −q₁, then r₂ ≡ x₂r₁ mod n
  r₁ = q₂r₂ + r₃, r₃ = r₁ − q₂r₂ ≡ (1 − x₂q₂)r₁ mod n; let x₃ = 1 − x₂q₂, then r₃ ≡ x₃r₁ mod n
  ……
  rₙ₋₃ = qₙ₋₂rₙ₋₂ + rₙ₋₁, rₙ₋₁ = rₙ₋₃ − qₙ₋₂rₙ₋₂ mod n; let xₙ₋₁ = xₙ₋₃ − xₙ₋₂qₙ₋₂, then rₙ₋₁ ≡ xₙ₋₁r₁ mod n. Now rₙ₋₁ = 1
Step 3: Result is xₙ₋₁ = a⁻¹ mod n (since 1 = rₙ₋₁ ≡ xₙ₋₁·a mod n)
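The three ways of finding a⁻¹ mod n listed above, together with the φ(n) formula and Euler's theorem from the earlier slides, as one added example (not code from the slides): method 2 needs φ(n) and therefore the factorization of n, while method 3 tracks the sᵢ, tᵢ recurrence of the extended Euclidean algorithm. The trial-division factorizer is a constructed helper; all sample values are constructed.

```python
# Added example (not from the lecture slides): Euler's phi from the factorization,
# a numeric check of Euler's theorem, and the three methods the slides list for
# a^-1 mod n. The extended Euclid tracks s_i and t_i with the slide's recurrences.
from math import gcd


def factorize(n):
    """Trial-division factorization (constructed helper): {p: e} with n = prod p^e."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Euler's phi via the slide's formula phi(n) = prod (p^e - p^(e-1))."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def phi_by_counting(n):
    """phi(n) as the size of the reduced set of residues (cross-check)."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def euler_theorem_holds(n):
    """a^phi(n) = 1 mod n for every a coprime to n (Euler's theorem)."""
    return all(pow(a, phi(n), n) == 1 for a in range(1, n) if gcd(a, n) == 1)


def egcd(r0, r1):
    """Extended Euclid: (g, s, t) with s*r0 + t*r1 = g = gcd(r0, r1).

    s_i = s_{i-2} - q_{i-1} s_{i-1} and t_i = t_{i-2} - q_{i-1} t_{i-1},
    exactly the recurrences on the "s_i and t_i" slide.
    """
    s_prev, s_cur = 1, 0            # s_0 = 1, s_1 = 0
    t_prev, t_cur = 0, 1            # t_0 = 0, t_1 = 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1    # r_i = r_{i-2} - q_{i-1} r_{i-1}
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    return r0, s_prev, t_prev       # r_{n-1} = gcd with its s_{n-1}, t_{n-1}


def inv_search(a, n):
    """Method 1: linear search for x with a*x = 1 mod n, T(n) = O(n)."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    raise ValueError(f"{a} has no inverse mod {n}")


def inv_euler(a, n):
    """Method 2: a^(phi(n)-1) mod n; needs phi(n), i.e. the factorization of n."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} has no inverse mod {n}")
    return pow(a, phi(n) - 1, n)


def inv_egcd(a, n):
    """Method 3: extended Euclid with r0 = n, r1 = a; t_{n-1} mod n is a^-1."""
    g, _, t = egcd(n, a)
    if g != 1:                      # e.g. 6 in Z_8: gcd(6, 8) = 2, no inverse
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {g})")
    return t % n


if __name__ == "__main__":
    print(phi(84), phi_by_counting(84))                           # 24 24 (84 = 2^2 * 3 * 7)
    print(euler_theorem_holds(84))                                # True
    print(inv_search(7, 26), inv_euler(7, 26), inv_egcd(7, 26))   # 15 15 15
    try:
        inv_egcd(6, 8)
    except ValueError as err:
        print(err)
```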

Outline
• Number Theory
 – Prime Numbers
 – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
 – Information Theory
 – Complexity of Computing
 – Semantic Security

Algebraic Structures
• Why structures?
 – Cryptographic transforms normally operate in some structure
• Definition: An algebraic structure is the collection of a set S with one (or more) operations ∘ performed on the elements of S
 – Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions

Group
• Definition: A group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions:
 – G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
 – G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c)
 – G3: ∃e ∈ S, ∀a ∈ S, a∘e = e∘a = a
 – G4: ∀a ∈ S, ∃a⁻¹ ∈ S, a∘a⁻¹ = a⁻¹∘a = e
 – [G5: Abelian group] ∀a, b: a∘b = b∘a

Group Example
• ⟨Z, +⟩: e = 0, a⁻¹ = −a
• ⟨Zₙ, +⟩ (Zₙ = {0, 1, …, n − 1}, '+' is addition modulo n): e = 0, a⁻¹ = n − a
• ⟨Z₂, ⊕⟩ (⊕ is XOR) is also a group
• ⟨Zₚ*, ×⟩ (Zₚ* = {1, …, p − 1}, '×' is multiplication modulo p)

Group Properties
• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G₁ = ⟨S₁, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S₁ ⊆ S
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange Theorem Proof
(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH since e ∈ H). So the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of Group Element
• Definition: The order of a group element a is the least positive integer n such that
   aⁿ = a∘a∘…∘a = e
• The order of a is denoted ord(a)
• Corollary: Suppose G is a finite group of order n and a ∈ G; then ord(a) | n

ord(a) | n Proof
• Proof
 – For a group G and a ∈ G, the set {a, a², …, a^ord(a)} with the operator of G forms a subgroup of G
   a^ord(a) = e, (aⁱ)⁻¹ = a^(ord(a)−i)
 – This subgroup is denoted ⟨a⟩; its order is ord(a), so by Lagrange's theorem ord(a) | n

The Generator of Group
• Definition: If all elements of a group can be generated by a single element g, g is called a generator of the group
• Example
 – Consider ⟨Z₇*, ×⟩
 – 2 generates: 2¹ = 2, 2² = 4, 2³ = 8 ≡ 1 mod 7, 2⁴ = 16 ≡ 2 mod 7, …
   • ⟨{1, 2, 4}, ×⟩ is a subgroup
 – 3 generates: 3¹ = 3, 3² ≡ 2, 3³ ≡ 6, 3⁴ ≡ 4, 3⁵ ≡ 5, 3⁶ ≡ 1, …
   • 3 is a generator
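Element orders, cyclic subgroups and generators of ⟨Zₚ*, ×⟩, as an added example that is not part of the slides; it reproduces the Z₇* case above and checks the corollary ord(a) | p − 1 for any prime p (p is assumed prime, not verified).

```python
# Added example (not from the lecture slides): orders, cyclic subgroups <a> and
# generators in <Z_p^*, x>, plus a check of the corollary ord(a) | |Z_p^*| = p-1.
# p is assumed to be prime; the values used below are constructed.
def element_order(a, p):
    """Least k >= 1 with a^k = 1 mod p (the order of a in Z_p^*)."""
    k, x = 1, a % p
    while x != 1:
        x = (x * a) % p
        k += 1
    return k


def cyclic_subgroup(a, p):
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list."""
    elems, x = [], a % p
    while x not in elems:
        elems.append(x)
        x = (x * a) % p
    return sorted(elems)


def generators(p):
    """All g in Z_p^* whose powers produce the whole group: ord(g) = p - 1."""
    return [g for g in range(1, p) if element_order(g, p) == p - 1]


def lagrange_holds(p):
    """ord(a) divides p - 1 for every a in Z_p^* (corollary of Lagrange's theorem)."""
    return all((p - 1) % element_order(a, p) == 0 for a in range(1, p))


if __name__ == "__main__":
    print(cyclic_subgroup(2, 7))   # [1, 2, 4]: the proper subgroup from the slide
    print(element_order(3, 7))     # 6: 3 generates Z_7^*
    print(generators(7))           # [3, 5]
    print(lagrange_holds(7))       # True
```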

Ring
• Definition: A ring R = ⟨S, +, ×⟩ (+ is addition, × is multiplication) such that
 – R1: ∀a, b ∈ S, a + b ∈ S, a×b ∈ S (closure rule)
 – R2: ⟨S, +⟩ is an additive Abelian group
 – R3: ∀a, b, c ∈ S, (a×b)×c = a×(b×c)
 – R4: ∀a, b, c ∈ S, a×(b + c) = a×b + a×c
• Example
 – The set of even integers with + and × is a ring
 – p, q two primes, n = pq: Zₙ = {0, 1, …, n − 1} with addition and multiplication mod n is a ring

Field
• Definition: A field F is ⟨S, +, ×⟩ with
 – F1: ⟨S, +, ×⟩ is a commutative ring (a×b = b×a)
 – F2: there exists an identity element 1 with respect to multiplication: a×1 = 1×a = a
 – F3: any nonzero element a ∈ S has a unique inverse a⁻¹: a×a⁻¹ = a⁻¹×a = 1
• Example
 – Zₙ = ⟨{0, 1, …, n − 1}, +, ×⟩ is a field if n is a prime

Relationship
[Figure: the structures used in cryptography, nested by the operations they support. Group: +, −; Ring: +, −, ×; Field: +, −, ×, ÷]

Several Important Structures
• Zₙ
• Zₙ*
• Zₚ
• Polynomial rings
• Galois field F₂ⁿ

Zₙ
• Zₙ is the "ring" of integers modulo n
 – Zₙ = {0, 1, 2, …, n − 1}
 – Normal addition modulo n
 – Normal multiplication modulo n
• Example
 – Z₂₆ for English
 – Z₂₅₆ for ASCII

Zₙ Properties
• Additive and multiplicative identities in Zₙ
 – Additive identity is 0 mod n
 – Multiplicative identity is 1 mod n
• Additive inverse: yes
 – For every x in Zₙ there is a y such that x + y = 0
• Multiplicative inverse: not for all x
 – A y such that x·y = 1 exists only for some x in Zₙ
 – The elements of Zₙ that have an inverse: {x | gcd(x, n) = 1}

Zₙ*
• Zₙ* is a "group" of integers modulo n
 – Zₙ* = {x | gcd(x, n) = 1}
 – |Zₙ*| = φ(n)
 – Normal multiplication modulo n
• Zₙ* may not be a group over +
 – Example: n = 20, 3, 5 ∈ Zₙ* but 3 + 5 = 8 ∉ Zₙ*
• So Zₙ* may not be a field

Zₚ
• Zₚ is the "field" of integers modulo p
 – Zₚ = {0, 1, 2, …, p − 1}
 – Normal addition modulo p
 – Normal multiplication modulo p
• Example: Z₂
   +  | 0 1        ×  | 0 1        w | −w | w⁻¹
   0  | 0 1        0  | 0 0        0 |  0 | (none)
   1  | 1 0        1  | 0 1        1 |  1 |  1
   (XOR)           (AND)

Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = aₙxⁿ + aₙ₋₁xⁿ⁻¹ + … + a₁x + a₀ where each aᵢ ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example
• Example: Let f(x) = x³ + x + 1 and g(x) = x² + x be elements of Z₂[x]
 – f(x) + g(x) = x³ + x² + 1
 – f(x) − g(x) = f(x) + g(x) = x³ + x² + 1
 – f(x)·g(x) = x⁵ + x⁴ + x³ + x

Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
 – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
 – In Z₅[x]: 3x³ + 4x + 4 ≡ x + 4 mod x² + 1
   • 3x³ + 4x + 4 − (x + 4) = 3x³ + 3x = 3x(x² + 1)
• Definition: If a(x)b(x) ≡ 1 mod p(x), then b(x) = a⁻¹(x) mod p(x)

Irreducible Polynomials
• Definition: if a(x) = q(x)b(x), then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z₂[x]/(x³ + x + 1)
• S = {0, 1, x, x + 1, x², x² + 1, x² + x, x² + x + 1}
• p(x) = x³ + x + 1
• For any f(x) ∈ Z₂[x], f(x) mod p(x) ∈ S
• Example
 – x⁴ + 1 = x·x³ + 1 mod p(x) = x(x + 1) + 1 = x² + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z₂[x]/(x³ + x + 1) Properties
• S is a group over addition in R
 – 0 is e and the inverse of a ∈ S is a itself
 – Example: (x² + 1) + (x² + 1) = 0
• The nonzero elements of S form a group over multiplication mod p(x)
 – 1 is e and the inverse of each nonzero a ∈ S exists
 – Example: (x² + 1)·x = x³ + x ≡ (x + 1) + x mod x³ + x + 1 = 1
 – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z₂[x]/(x³ + x + 1) is a field

Galois Field
• Definition: Galois field = (S, +, ×)
 – S = F[x]/p(x)
 – F is a field Z_N (N is prime)
 – + is addition in F, × is multiplication modulo p(x)
 – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted GF(Nⁿ) when n = deg p(x)

Why Galois Field
• For an 8-bit block
 – Z₂₅₆ = {0, 1, …, 255} is not a field
 – Z₂₅₁ = {0, 1, …, 250} is a field
   • The largest prime < 256 is 251
   • 251, …, 255 are wasted
• Is it possible to find a field for Z₂₅₆?
 – Yes – Galois Field

Galois Field for Z₂₅₆
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
   10010111 ↔ 1·x⁷ + 0·x⁶ + 0·x⁵ + 1·x⁴ + 0·x³ + 1·x² + 1·x¹ + 1·x⁰
• It is Z₂[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2ⁿ)

Galois Field Example: AES
• AES uses GF(2⁸) = Z₂[x]/p(x) where p(x) = x⁸ + x⁴ + x³ + x + 1
• Example
 – 01010011 ↔ x⁶ + x⁴ + x + 1
 – (01010011)⁻¹ ↔ (x⁶ + x⁴ + x + 1)⁻¹ mod p(x) = x⁷ + x⁶ + x³ + x ↔ 11001010

Galois Field Example: AES
• Example: 02·87 = ?
 • 87 = 10000111 ↔ f(x) = x⁷ + x² + x + 1
 • 02 = 00000010 ↔ x
 • 02·87 ↔ x·f(x) = x(x⁷ + x² + x + 1) mod p(x) = x⁸ + x(x² + x + 1) mod p(x)
• In general, for f = (b₇b₆b₅b₄b₃b₂b₁b₀):
   x·f(x) = 02·f = (b₆b₅b₄b₃b₂b₁b₀0)                      if b₇ = 0
   x·f(x) = 02·f = (b₆b₅b₄b₃b₂b₁b₀0) ⊕ (00011011)          if b₇ = 1
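Arithmetic in Z₂[x]/p(x) with a polynomial stored as an integer (bit i = coefficient of xⁱ), as an added example that is not code from the slides or from AES: it covers both the Z₂[x]/(x³ + x + 1) slides and the GF(2⁸) examples above, and the multiply-by-x step is exactly the "shift, then XOR 00011011 if b₇ was 1" rule. The inverse is found by the same exhaustive search the slides use for Zₙ; it is an assumption here that p(x) is irreducible.

```python
# Added example (not from the lecture slides): GF(2^n) = Z_2[x]/p(x) arithmetic
# on polynomials stored as ints (bit i = coefficient of x^i).
AES_POLY = 0b1_0001_1011      # x^8 + x^4 + x^3 + x + 1 (the AES polynomial)
TOY_POLY = 0b1011             # x^3 + x + 1 (the slides' GF(2^3) example)


def gf_reduce(f, mod_poly):
    """f(x) mod p(x) over Z_2: subtract (XOR) shifted copies of p(x) from the top."""
    deg_p = mod_poly.bit_length() - 1
    while f.bit_length() - 1 >= deg_p:
        shift = f.bit_length() - 1 - deg_p
        f ^= mod_poly << shift
    return f


def gf_add(a, b):
    """Addition in Z_2[x] is coefficient-wise XOR; every element is its own inverse."""
    return a ^ b


def gf_mul(a, b, mod_poly):
    """a(x) * b(x) mod p(x): multiply a by x one step at a time ("xtime") and reduce.

    For AES (deg 8) each step is: shift left, and if the old b7 was 1, XOR 0x1b.
    """
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a = gf_reduce(a << 1, mod_poly)   # a := x * a(x) mod p(x)
    return result


def gf_inverse(a, mod_poly):
    """a^-1 mod p(x) by exhaustive search of the 2^n - 1 nonzero elements."""
    if a == 0:
        raise ValueError("0 has no multiplicative inverse")
    n = mod_poly.bit_length() - 1
    for x in range(1, 1 << n):
        if gf_mul(a, x, mod_poly) == 1:
            return x
    raise ValueError("no inverse found: p(x) is not irreducible")


if __name__ == "__main__":
    print(bin(gf_reduce(0b10001, TOY_POLY)))   # 0b111: x^4 + 1 = x^2 + x + 1 mod x^3+x+1
    print(gf_mul(0b101, 0b10, TOY_POLY))       # 1: (x^2 + 1) * x = 1 in GF(2^3)
    print(hex(gf_inverse(0x53, AES_POLY)))     # 0xca, the slide's 11001010
    print(hex(gf_mul(0x02, 0x87, AES_POLY)))   # 0x15: the slide's 02 * 87
```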

Outline
• Number Theory
 – Prime Numbers
 – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
 – Information Theory
 – Complexity of Computing
 – Semantic Security

Mathematical Model for Ciphers
• P = M^L = {m = (m₁, m₂, …, m_L) | mᵢ ∈ M}
 – M = {aᵢ, i = 1, 2, …, N}, p(aᵢ) ≥ 0, Σᵢ₌₁ᴺ p(aᵢ) = 1
• K = B^R = {b = (b₁, b₂, …, b_R) | bᵢ ∈ B}
 – B = {bᵢ, i = 1, 2, …, S}, p(bᵢ) ≥ 0, Σᵢ₌₁ˢ p(bᵢ) = 1
• C = {c | c = eₖ(m), k ∈ K, m ∈ M}
[Figure: cipher model. Sender → Encryption → c → Decryption → Receiver (m recovered); the key k from the Key Space (K) reaches both ends over a Secure Channel; Cryptanalysis observes c. Spaces: Message Space (P), Key Space (K), Ciphertext Space (C)]

Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
(R. G. Gallager)
Claude Shannon, 1916–2001

Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k]·Pr[P = dₖ(c)]
 – C(k) = {eₖ(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dₖ(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
  = (Pr(m)·Σ_{k | m = dₖ(c)} Pr(k)) / Σ_{k ∈ K, c ∈ C(k)} Pr(k)·Pr(dₖ(c))

Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
 – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if the probability distribution of P satisfies
   ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Also say such a scheme has perfect secrecy

Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
 – every key is used with equal probability 1/|K|
 – and ∀x ∈ P and ∀y ∈ C there is a unique key k such that eₖ(x) = y

Proof of (⇐)
• Pr[x | y] = (Σ_{k ∈ K, x = dₖ(y)} Pr[K = k]·Pr[x]) / (Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[dₖ(y)])
• Numerator: Σ_{k ∈ K, x = dₖ(y)} Pr[K = k] = 1/|K| (exactly one key maps x to y, and each key has probability 1/|K|)
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[dₖ(y)] = (1/|K|)·Σ_{k ∈ K, y ∈ C(k)} Pr[dₖ(y)] = (1/|K|)·Σ_{x ∈ P} Pr[x] = 1/|K|
• Hence Pr[x | y] = Pr[x]: perfect secrecy

Proof of (⇒)
• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P; for every y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k with eₖ(x) = y
• |{eₖ(x) | k ∈ K}| = |C| = |K|
 – There are no k₁ ≠ k₂ with eₖ₁(x) = eₖ₂(x)
 – There is a unique key k such that eₖ(x) = y

Proof of (⇒), continued
• Let n = |K| and P = {xᵢ | 1 ≤ i ≤ n}
• Given a fixed y, let k₁, k₂, …, kₙ be the keys with eₖᵢ(xᵢ) = y
• Pr[xᵢ | y] = Pr[y | xᵢ]·Pr[xᵢ] / Pr[y] = Pr[K = kᵢ]·Pr[xᵢ] / Pr[y]
• Pr[xᵢ | y] = Pr[xᵢ] ⇒ Pr[K = kᵢ] = Pr[y]
 – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
 – Consider a nonzero probability distribution on P
 – Given any C = c, for every m:
   Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
 – As one key can decrypt c into only one message, at least n keys are needed
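The distribution formulas from the "Probability Distribution of C" slide, evaluated exactly for a constructed shift cipher on Zₙ (eₖ(m) = (m + k) mod n), as an added example that is not part of the slides: it tests Shannon's condition Pr[P = m | C = c] = Pr[P = m] in the three situations the last slides describe (uniform keys with |K| = |P| = |C|, biased keys, and |K| < |P|). The plaintext and key distributions are constructed.

```python
# Added example (not from the lecture slides): Pr[C = c], Pr[P = m | C = c] and the
# perfect-secrecy test for a constructed shift cipher on Z_n, computed with exact
# fractions so equality checks are meaningful.
from fractions import Fraction
from itertools import product

# Constructed distributions: a skewed plaintext distribution on Z_3 and a biased
# key distribution (the theorem requires every key to have probability 1/|K|).
SKEWED_P = {0: Fraction(1, 2), 1: Fraction(1, 3), 2: Fraction(1, 6)}
BIASED_K = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}


def shift_cipher(n):
    """(e_k, d_k) for the shift cipher on Z_n: e_k(m) = (m + k) mod n."""
    return (lambda k, m: (m + k) % n), (lambda k, c: (c - k) % n)


def uniform(values):
    """Uniform distribution over a finite set, as exact fractions."""
    values = list(values)
    return {v: Fraction(1, len(values)) for v in values}


def ciphertext_distribution(pr_p, pr_k, enc):
    """Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] * Pr[P = m]."""
    dist = {}
    for (m, pm), (k, pk) in product(pr_p.items(), pr_k.items()):
        c = enc(k, m)
        dist[c] = dist.get(c, Fraction(0)) + pk * pm
    return dist


def posterior(pr_p, pr_k, enc, m, c):
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c] (Bayes).

    Pr[C = c | P = m] is the total probability of the keys k with e_k(m) = c.
    """
    pr_c = ciphertext_distribution(pr_p, pr_k, enc)[c]
    pr_c_given_m = sum(pk for k, pk in pr_k.items() if enc(k, m) == c)
    return pr_c_given_m * pr_p[m] / pr_c


def has_perfect_secrecy(pr_p, pr_k, enc):
    """Shannon's condition: Pr[P = m | C = c] = Pr[P = m] for every m and every c."""
    pr_c = ciphertext_distribution(pr_p, pr_k, enc)
    return all(posterior(pr_p, pr_k, enc, m, c) == pr_p[m]
               for m in pr_p for c in pr_c)


if __name__ == "__main__":
    enc, _ = shift_cipher(3)
    # |K| = |P| = |C| = 3 and uniform keys: both conditions of the theorem hold
    print(has_perfect_secrecy(SKEWED_P, uniform(range(3)), enc))   # True
    # same cipher with biased keys: Pr[P = 0 | C = 0] = 2/3 != 1/2
    print(has_perfect_secrecy(SKEWED_P, BIASED_K, enc))             # False
    # only two keys for three messages (|K| < |P|): the "bad news" theorem
    print(has_perfect_secrecy(SKEWED_P, uniform([0, 1]), enc))      # False
```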

Introduction of the Complexity
• Perfect secrecy ⇒ key length ≥ message length
 – Cannot use one key to encrypt many messages
 – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography:
 – NOT perfect secrecy
 – IS secure under limited resources (complexity)
 – Means that key (or plaintext) recovery is difficult
 – Complexity is the foundation of modern cryptography

Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
 – Name: GCD problem
 – Instance: two natural numbers a, b ∈ N
 – Question: what is the greatest common divisor of a and b?
 – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine
• Definition: A Turing Machine is δ: S × B → S × B × {l, r}
 – where S is the set of states, B is the set of characters, l is shift left, r is shift right
[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]

Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms
[Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]

Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
 – Logarithmic functions: f(n) = log(n)
 – Polynomial functions: f(n) = nᵃ, a ∈ N
 – Exponential functions: f(n) = Ω(aⁿ), a ∈ N, and there exists b ∈ N with f(n) = O(bⁿ)

Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
 – The complexity of a problem is much more difficult to establish
 – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem
• Undecidable – provably intractable
 – There is no algorithm that solves it
 – Such as the Turing Halting Problem
• Decidable
 – P – can be solved in polynomial time using a DTM
   • Example: A × B
 – NP – can be solved in polynomial time using an NDTM: δ: S × B → 2^(S × B × {l, r})
 – BPP – can be "solved" in polynomial time using a PTM: δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)

NP Problem
• NP problem: A problem is solved by the NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
 – P problems ⊆ NP problems
 – NP problems are "more difficult" by intuition
• NPC: the most difficult problems in NP
 – How to define the difficulty?
 – P problems are considered easy problems

Polynomial Reduction
• Definition: Assume Q₁, Q₂ ∈ NP, and I₁⁺ and I₂⁺ are their sets of 'yes' instances.
  Q₁ is polynomially reducible to Q₂ if there is a function f: I₁ → I₂ s.t.
 – f is computable in polynomial time by a DTM
 – for all x ∈ I₁: x ∈ I₁⁺ iff f(x) ∈ I₂⁺
• Note
 – Q₂ is more complex than Q₁
 – Denoted as Q₁ ≤_poly Q₂

NP Completeness (NPC)
• Definition: An NPC problem is a Q_c such that for any Q ∈ NP we have Q ≤_poly Q_c
• Example
 – Name: Satisfiability problem (SAT)
 – Instance: A set U of variables and a collection C of clauses over U
 – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC?
 – SAT ≤_poly Q

P = NP?
• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP
 – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
 – A one-way function can be built based on p
 – Indistinguishable pseudorandom functions exist
 – They are the foundations of modern cryptography

BPP
• There are randomized algorithms in cryptography
 – Especially in cryptanalysis
 – BPP is the model for randomized algorithms
• Remarks on BPP
 – The problem can be solved with some error probability
 – The error probability can be reduced by repetition
 – Security of cryptography is meaningful under BPP
 – Will be analyzed in depth later

Problems in Cryptography
• FACTORING: factorize n (= p₁^e₁ p₂^e₂ … pₖ^eₖ)
• DLP: find x satisfying gˣ ≡ y (mod p)
• DHP: find g^(ab) (mod p) from gᵃ (mod p) and gᵇ (mod p)
• Subset-Sum: given a set of positive integers A = {a₁, a₂, …, aₙ} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x² ≡ a (mod n)

Semantic Security
• Ideas of semantic security
 – Between Shannon security and security based on complexity
 – Leaks partial information
 – Approximates perfect secrecy
• Definition of semantic security
 – Indistinguishability of ciphertexts
 – Difficult to distinguish the ciphertexts of different plaintexts
 – Difficult to distinguish ciphertext from random bits

IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
 – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
[Game, Challenger vs. Adversary:]
   Challenger: picks random k and picks random b ∈ {0, 1}
   Adversary: picks M₀, M₁ of equal length
   Challenger: returns the encryption of M_b; Adversary: outputs a guess b′
   Attacker wins the game if b = b′
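The IND-CPA game above as a runnable harness, added here as an example that is not part of the slides. It assumes, as "chosen plaintext" implies but the slide does not spell out, that the adversary may query an encryption oracle Eₖ(·) before the challenge; the cipher is a constructed, deterministic XOR with a fixed key (not a real cipher), and a one-query adversary wins every round against it because equal plaintexts give equal ciphertexts. A coin-flipping adversary is included as the 0.5 baseline.

```python
# Added example (not from the lecture slides): the IND-CPA game as a harness.
# Assumption: the adversary gets an encryption oracle E_k(.) (chosen plaintexts).
# The cipher is a constructed deterministic XOR, used only to show what the
# game detects; it is not a real cipher.
import os
import random


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class DeterministicXor:
    """Constructed toy cipher: C = M XOR k. The same M always gives the same C."""
    def __init__(self, key_len=8):
        self.key = os.urandom(key_len)          # challenger "picks random k"

    def encrypt(self, m):
        return xor_bytes(m, self.key)


def ind_cpa_game(make_cipher, adversary, rng):
    """One round of the game; returns True iff the adversary's guess b' equals b."""
    cipher = make_cipher()
    b = rng.randrange(2)                         # challenger picks random b in {0, 1}
    m0, m1 = adversary.choose(cipher.encrypt)    # adversary picks M0, M1 of equal length
    if len(m0) != len(m1):
        raise ValueError("M0 and M1 must have equal length")
    challenge = cipher.encrypt(m1 if b else m0)  # challenger returns E_k(M_b)
    return adversary.guess(challenge, cipher.encrypt) == b


class OracleReplayAdversary:
    """Queries E_k(M0) once, then compares that ciphertext with the challenge."""
    def choose(self, oracle):
        self.m0, self.m1 = b"\x00" * 8, b"\xff" * 8
        self.c0 = oracle(self.m0)                # one chosen-plaintext query
        return self.m0, self.m1

    def guess(self, challenge, oracle):
        return 0 if challenge == self.c0 else 1


class CoinFlipAdversary:
    """Baseline: ignores the challenge and guesses b' at random (wins with prob 1/2)."""
    def __init__(self, seed=1):
        self.rng = random.Random(seed)

    def choose(self, oracle):
        return b"\x00" * 8, b"\xff" * 8

    def guess(self, challenge, oracle):
        return self.rng.randrange(2)


def win_rate(make_cipher, adversary, trials, seed=0):
    """Fraction of rounds won; the challenger's coin b comes from a seeded RNG."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_game(make_cipher, adversary, rng) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print(win_rate(DeterministicXor, OracleReplayAdversary(), 1000))   # 1.0
    print(win_rate(DeterministicXor, CoinFlipAdversary(), 1000))       # close to 0.5
```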

Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
[Game, Challenger vs. Adversary:]
   Challenger: 1. picks random k; 2. picks random M; 3. picks i
   Adversary: outputs a guess a
   Attacker wins the game if a = the i-th bit of M

Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security

Summary
• Number Theory
 – Primes, gcd, Euler's Theorem, CRT
 – Modular arithmetic
• Algebraic Structures
 – Group, Field
 – Zₙ, Zₚ, GF(2ⁿ)
• Shannon Security
 – Perfect secrecy
 – Probability
• Complexity of Computing
 – P, NP, NPC, BPP

Homework
• HTTP URL:
  httpcsthiteducncryptography
• Due Date:
Zhijun Li S1034040Autumn08HIT 17
Congruence Modulo n
bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)
Zhijun Li S1034040Autumn08HIT 18
Congruence Properties
bull Propertiesndash a b (mod n) c d (mod n)
a+c b+d (mod n)
ac bd (mod n)ndash Example
10 1 mod 9 102 1 mod 9 hellip
a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9
ndash a b (mod n) d|n a b (mod d)
Zhijun Li S1034040Autumn08HIT 19
Congruence Relation
bull Congruence relation is an equivalence relationndash Reflexive
bull a andash Symmetric
bull a b b a ndash Transitive
bull a b b c a c
bull Equivalence relation Partition
Zhijun Li S1034040Autumn08HIT 20
Example Integers Modulo 7
bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence
Z7 residues modulo 7
Zhijun Li S1034040Autumn08HIT 21
Set of Residues
bull Definition if a b mod n and bltn b is called a residue of a modulo n
bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i
n the set satisfies bri mod n
bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele
ment is relatively prime to n
Zhijun Li S1034040Autumn08HIT 22
Set of Residues Example
bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379
bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1
Zhijun Li S1034040Autumn08HIT 23
Modular Arithmetic
bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1
bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n
bull Proof Let a=q1n+r1 b=q2n+r2
bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n
ndash [(a mod n) (b mod n)] mod n = (ab) mod n
bull (+ ) (-)
Zhijun Li S1034040Autumn08HIT 24
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)
What
Zhijun Li S1034040Autumn08HIT 25
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )
NOT all elements in Z8
Zhijun Li S1034040Autumn08HIT 26
Modular Arithmetic Remark
bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n
bull ((-a)+a+b) ((-a)+a+c) mod n
bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8
ndash When
Zhijun Li S1034040Autumn08HIT 27
Multiplicative Inverse in Modular
bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n
bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists
bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=
0
Zhijun Li S1034040Autumn08HIT 28
Multiplicative Inverse Theorem
bull Proof
ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1
ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n
ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)
Zhijun Li S1034040Autumn08HIT 29
Eulerrsquos phi Function
bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn
ndash Is the number of elements in the reduced set of residues for modulo n
(n) calculation
Zhijun Li S1034040Autumn08HIT 30
Chinese Remainder Theorem
bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)
x a1 mod n1
x a2 mod n2
helliphellip
x ak mod nk
There exists a unique solution of x modulo n=n1
n2hellipnk
Zhijun Li S1034040Autumn08HIT 31
Proof of CRT
bull Consider a one-to-one map Zn Zn1
Zn2 hellipZnk
(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)
(a1 a2 hellip ak) = i=1kaimiyi mod n
ndash mi = nni gcd(mini)=11ik ndash yi = mi
-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj
-1 mod nj mjyj1 mod nj ajmjyjaj mod nj
(a1 a2 hellip ak) mod nj = aj
Zhijun Li S1034040Autumn08HIT 32
Finding Eulerrsquos phi Function
bull Theorem if gcd(mn)=1 then (mn)=(m)(n)
bull Proof ndash A number x mod mn is represented uniquely by the p
air (a b) (x mod m x mod n) (CRT)
ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
ndash So (mn)=(m)(n)
Zhijun Li S1034040Autumn08HIT 33
Finding Eulerrsquos phi Function
(n) calculation for n = i=1k pi
ei
(p) = p-1 (pe) = pe ndash pe-1
ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1
( i=1kpi
ei ) = i=1k(pi
ei ndash piei -1)
(n) = n(1-1p1)(1-1p2)hellip(1-1pk)
Zhijun Li S1034040Autumn08HIT 34
Eulerrsquos Theorem
bull Theorem If gcd(an)=1 then a(n) 1 mod n
bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues
modulo n
2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)
3 i=1(n) ri = i=1
(n) ari a(n) i=1(n) ri mod n
4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n
Zhijun Li S1034040Autumn08HIT 35
Fermatrsquos Little Theorem
bull For Eulerrsquos Theorem
Let n is p and p is a prime
Because for all 0ltaltp gcd(ap)=1 then
ap-1 1 mod p
Zhijun Li S1034040Autumn08HIT 36
bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)
bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)
bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)
Finding a-1 mod n
Zhijun Li S1034040Autumn08HIT 37
From Euclidean Algorithm
bull r0 =1r0+ 0r1 = s0r0+t0r1
bull r1 =0r0+ 1r1 = s1r0+t1r1
bull r2 = r0-q1r1 = s2r0+t2r1
bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1
helliphellipbull rn-1 = sn-1r0+tn-1r1
bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1
-1 mod r0
bull Find tn-1
Zhijun Li S1034040Autumn08HIT 38
si and ti
bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1
si=si-2-qi-1si-1
ti=ti-2-qi-1ti-1
bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0
Zhijun Li S1034040Autumn08HIT 39
Step 1 r0 =n and r1 =a
Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n
r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n
let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip
rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1
Step 3 Result is xn-2 =a-1 mod n
Extended Euclidean Algorithm
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
bull Definition The order of a finite group is the number of the elements in the group
bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S
bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H
(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a
ll coset is a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of a Group Element
• Definition: The order of a group element a is the least positive integer n such that
  a^n = a∘a∘…∘a (n times) = e
• The order of a is denoted ord(a)
• Corollary: Suppose G is a finite group of order n and a ∈ G; then ord(a) | n
ord(a) | n: Proof
• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operator of G forms a subgroup of G:
    a^{ord(a)} = e, (a^i)^{-1} = a^{ord(a)–i}
  – This subgroup is denoted <a>; it has ord(a) elements, so by Lagrange's Theorem ord(a) divides n
The Generator of a Group
• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group
• Example
  – Consider <Z_7^*, ·>
  – 2 generates: 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), …
    • <{1, 2, 4}, ·> is a subgroup
  – 3 generates: 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1 (mod 7), …
    • 3 is a generator
Ring
• Definition: A ring R = <S, +, ·> (+ is addition, · is multiplication) is such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a·b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c
• Example
  – The set of even integers with + and · is a ring
  – p, q two primes, n = pq: Z_n = {0, 1, …, n–1} with addition and multiplication mod n is a ring
Field
• Definition: A field F is <S, +, ·> with
  – F1: <S, +, ·> is a commutative ring (a·b = b·a)
  – F2: There exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: Any nonzero element a ∈ S has a unique inverse a^{-1}: a·a^{-1} = a^{-1}·a = 1
• Example
  – Z_n = <{0, 1, …, n–1}, +, ·> is a field if n is a prime
Relationship
[Figure: nested structures, each used in cryptography]
• Group: +, –
• Ring: +, –, ×
• Field: +, –, ×, ÷
Several Important Structures
• Z_n
• Z_n^*
• Z_p
• Polynomial Rings
• Galois Field F_{2^n}
Z_n
• Z_n is the "ring" of integers modulo n
  – Z_n = {0, 1, 2, …, n–1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z_26 for English letters
  – Z_256 for ASCII
Z_n Properties
• Additive and multiplicative identities in Z_n
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: yes
  – For every x in Z_n there is a number y such that x + y = 0 mod n
• Multiplicative inverse: not for all x
  – A number y such that x·y = 1 mod n does not exist for every x in Z_n
  – The elements of Z_n that have an inverse: {x | gcd(x, n) = 1}
Z_n^*
• Z_n^* is the "group" of integers modulo n
  – Z_n^* = {x | gcd(x, n) = 1}
  – |Z_n^*| = φ(n)
  – Normal multiplication modulo n
• Z_n^* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Z_n^* but 3 + 5 = 8 ∉ Z_n^*
• So Z_n^* may not be a field
Z_p
• Z_p is the "field" of integers modulo a prime p
  – Z_p = {0, 1, 2, …, p–1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z_2
    + | 0 1        · | 0 1        w | –w | w^{-1}
    0 | 0 1        0 | 0 0        0 |  0 |  –
    1 | 1 0        1 | 0 1        1 |  1 |  1
    (XOR)          (AND)
Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n–1} x^{n–1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Polynomial Ring Example
• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z_2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) – g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x
Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) – b(x))
• Example
  – In Z_5[x]: 3x^3 + 4x + 4 ≡ x + 4 (mod x^2 + 1)
    • 3x^3 + 4x + 4 – (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 (mod p(x)) then b(x) = a^{-1}(x) mod p(x)
Irreducible Polynomials
• Definition: If a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: A polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) and b(x) | a(x)
Example: Z_2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z_2[x]: f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 ≡ x(x + 1) + 1 = x^2 + x + 1 (mod p(x))
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)
Z_2[x]/(x^3 + x + 1): Properties
• S is a group over addition in R
  – 0 is e and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S (without 0) is a group over multiplication mod p(x)
  – 1 is e and the inverse of every nonzero a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x = 1 (mod x^3 + x + 1)
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z_2[x]/(x^3 + x + 1) is a field
Galois Field
• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is a field Z_N (N is prime)
  – + is addition in F; · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted GF(N^n) when n = deg p(x)
Why Galois Fields?
• For an 8-bit block
  – Z_256 = {0, 1, …, 255} is not a field
  – Z_251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for Z_256?
  – Yes: a Galois field
Galois Field for Z_256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
    10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z_2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)
Galois Field Example: AES
• AES uses GF(2^8) = Z_2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^{-1} ↔ (x^6 + x^4 + x + 1)^{-1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010
Galois Field Example: AES
• Example: 02·87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ f(x) = x
  • 02·87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x)
                   = x^8 + x(x^2 + x + 1) mod p(x)
• In general, multiplying a byte (b7 b6 b5 b4 b3 b2 b1 b0) by 02 (i.e. by x) is a left shift, followed by a reduction when an x^8 term appears (x^8 ≡ x^4 + x^3 + x + 1 ↔ 00011011):
  x·f(x) ↔ 02·(b7 b6 b5 b4 b3 b2 b1 b0) = (b6 b5 b4 b3 b2 b1 b0 0)                if b7 = 0
                                         = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)   if b7 = 1
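Added example (not code from the lecture): the arithmetic of Z_2[x]/p(x) in Python, with a polynomial stored as an int whose bit i is the coefficient of x^i. gf2_mul implements the shift-and-XOR rule from the slide above, aes_xtime is that rule for one byte, and gf2_inv finds an inverse with the Extended Euclidean Algorithm as the Z_2[x]/(x^3 + x + 1) slide suggests; the function names and the encodings 0x11B (AES p(x)) and 0b1011 (x^3 + x + 1) are this example's own choices.

```python
# Added example, not from the slides: GF(2^n) arithmetic with int-encoded polynomials.
# Bit i of an int is the coefficient of x^i, so x^8 + x^4 + x^3 + x + 1 is 0x11B
# and x^3 + x + 1 is 0b1011. Addition in Z_2[x] is XOR.

def gf2_deg(a: int) -> int:
    """Degree of polynomial a; -1 for the zero polynomial."""
    return a.bit_length() - 1

def gf2_mod(a: int, p: int) -> int:
    """a(x) mod p(x) by long division over Z_2 (subtraction is XOR)."""
    dp = gf2_deg(p)
    while gf2_deg(a) >= dp:
        a ^= p << (gf2_deg(a) - dp)      # cancel the leading term of a
    return a

def gf2_divmod(a: int, b: int):
    """Quotient and remainder of a(x) / b(x) in Z_2[x] (b must be nonzero)."""
    q, db = 0, gf2_deg(b)
    while gf2_deg(a) >= db:
        shift = gf2_deg(a) - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def gf2_mul(a: int, b: int, p: int) -> int:
    """a(x)*b(x) mod p(x) by shift-and-add. Each shift is 'multiply by x';
    when the x^deg(p) term appears it is removed by XOR with p(x), which is the
    slide's rule for 02 times a byte."""
    dp = gf2_deg(p)
    a = gf2_mod(a, p)
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1                          # a := x * a
        if (a >> dp) & 1:                # degree reached deg p(x): reduce
            a ^= p
    return result

def aes_xtime(byte: int) -> int:
    """02 * byte in GF(2^8) exactly as on the slide: shift left, and XOR with
    00011011 (x^4 + x^3 + x + 1 = x^8 mod p(x)) if the top bit b7 was set."""
    shifted = (byte << 1) & 0xFF
    return shifted ^ 0x1B if byte & 0x80 else shifted

def gf2_inv(a: int, p: int) -> int:
    """Inverse of a(x) modulo an irreducible p(x) via the Extended Euclidean
    Algorithm, tracking only the t_i coefficients (r_i = s_i*p + t_i*a):
    t_i = t_{i-2} - q_{i-1} * t_{i-1}; when r_i = 1, t_i * a = 1 mod p."""
    r0, r1 = p, gf2_mod(a, p)
    t0, t1 = 0, 1
    while r1 != 1:
        if r1 == 0:
            raise ValueError("no inverse: a(x) and p(x) are not coprime")
        q, r = gf2_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ gf2_mul(q, t1, p)
    return t1

if __name__ == "__main__":
    print(hex(aes_xtime(0x87)), hex(gf2_inv(0x53, 0x11B)))   # 0x15 0xca
```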
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers
• P = M^L = {m = (m_1, m_2, …, m_L) | m_i ∈ M}
  – M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1
• K = B^R = {b = (b_1, b_2, …, b_R) | b_i ∈ B}
  – B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ P}
[Figure: Sender → Encryption (m → c) → Decryption → Receiver; the key k reaches both sides over a Secure Channel from the Key Space (K); Cryptanalysis observes c; Message Space (P), Ciphertext Space (C)]
Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager
Claude Shannon, 1916–2001
Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k]·Pr[P = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
  = ( Pr(m)·Σ_{k | m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k)·Pr(d_k(c)) )
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define "information"?
• Definition: An encryption scheme is Shannon secure if, for any probability distribution of P,
  ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
  • Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y
Proof of "⇐" (the two conditions imply perfect secrecy)
• Pr[x | y] = ( Σ_{k ∈ K, x = d_k(y)} Pr[K = k]·Pr[P = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[P = d_k(y)] )
• Numerator: Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K| (exactly one key maps x to y, and each key has probability 1/|K|)
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[P = d_k(y)] = 1/|K| · Σ_{k ∈ K, y ∈ C(k)} Pr[P = d_k(y)] = 1/|K| · Σ_{x ∈ P} Pr[P = x] = 1/|K|
  (as k runs over the keys with y ∈ C(k), d_k(y) runs over every x ∈ P exactly once)
• Hence Pr[x | y] = Pr[P = x]
Proof of "⇒" (perfect secrecy implies a unique key for each (x, y))
• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – There is a unique key k such that e_k(x) = y
Proof of "⇒" (perfect secrecy implies equal key probabilities)
• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Given a fixed y, let k_1, k_2, …, k_n be the keys with e_{k_i}(x_i) = y
• Pr[x_i | y] = Pr[y | x_i]·Pr[x_i] / Pr[y] = Pr[K = k_i]·Pr[x_i] / Pr[y]
• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
  – Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a probability distribution of P that is nonzero on every message
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
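Added example, not from the slides: the posterior Pr[P = m | C = c] from the "Probability Distribution of C" slide computed exactly with fractions for a shift cipher over Z_5, then checked against the perfect-secrecy definition and the theorem's conditions. The distributions MSG, UNIFORM_KEY, BIASED_KEY and SMALL_KEY (which uses only 3 of the 5 keys, so effectively |K| < n) are constructed for this example.

```python
# Added example, not from the slides: Bayes computation of Pr[P=m | C=c] for a
# small cryptosystem and a check of the perfect-secrecy definition.
from fractions import Fraction
from itertools import product

def shift_encrypt(k: int, m: int, n: int) -> int:
    """e_k(m) = m + k mod n, the shift cipher over Z_n (d_k(c) = c - k mod n)."""
    return (m + k) % n

def posterior(enc, msg_dist, key_dist, n):
    """Return {(m, c): Pr[P=m | C=c]} using the slide's formulas:
    Pr[C=c] = sum over (k, m) with e_k(m)=c of Pr[K=k]*Pr[P=m],
    Pr[P=m | C=c] = Pr[P=m and C=c] / Pr[C=c]."""
    pr_c = {c: Fraction(0) for c in range(n)}
    joint = {}                      # Pr[P=m and C=c]
    for m, k in product(range(n), repeat=2):
        c = enc(k, m, n)
        w = msg_dist[m] * key_dist[k]
        joint[(m, c)] = joint.get((m, c), Fraction(0)) + w
        pr_c[c] += w
    return {(m, c): joint.get((m, c), Fraction(0)) / pr_c[c]
            for m in range(n) for c in range(n) if pr_c[c] > 0}

def is_perfectly_secret(enc, msg_dist, key_dist, n) -> bool:
    """Shannon's definition: Pr[P=m] == Pr[P=m | C=c] for every m and c."""
    post = posterior(enc, msg_dist, key_dist, n)
    return all(post[(m, c)] == msg_dist[m] for (m, c) in post)

def has_unique_keys(enc, n) -> bool:
    """Theorem condition: for every (x, y) exactly one k with e_k(x) = y."""
    return all(sum(1 for k in range(n) if enc(k, x, n) == y) == 1
               for x in range(n) for y in range(n))

# Constructed sample distributions over Z_5 (not from the slides).
N = 5
MSG = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8),
       3: Fraction(1, 16), 4: Fraction(1, 16)}
UNIFORM_KEY = {k: Fraction(1, N) for k in range(N)}
BIASED_KEY = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
              3: Fraction(1, 8), 4: Fraction(1, 8)}
SMALL_KEY = {0: Fraction(1, 3), 1: Fraction(1, 3), 2: Fraction(1, 3),
             3: Fraction(0), 4: Fraction(0)}   # only 3 keys for 5 messages

if __name__ == "__main__":
    for name, kd in [("uniform", UNIFORM_KEY), ("biased", BIASED_KEY), ("small", SMALL_KEY)]:
        print(name, is_perfectly_secret(shift_encrypt, MSG, kd, N))
```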
Introduction of Complexity
• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Means that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography
Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: A Turing Machine is a transition function δ: S × B → S × B × {l, r}
  – where S is the set of states, B is the set of characters, l is shift left, r is shift right
[Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a state machine]
Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Problems and Algorithms
[Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]
Complexity of Algorithms
• Definition: The time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Complexity of Problems
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problems
• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: A·B
  – NP – can be solved in polynomial time using an NDTM: δ: S × B → 2^{S × B × {l, r}}
  – BPP – can be "solved" in polynomial time using a PTM: δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)
NP Problems
• NP problem: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", intuitively
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and I1^+ and I2^+ are their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1^+ iff f(x) ∈ I2^+
• Note
  – Q2 is at least as complex as Q1
  – Denoted Q1 ≤_poly Q2
NP Completeness (NPC)
• Definition: An NPC problem is a Q_c such that for any Q ∈ NP we have Q ≤_poly Q_c
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC?
  – SAT ≤_poly Q
P = NP?
• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography
BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Problems in Cryptography
• FACTORING: Factorize n (= p_1^{e_1} p_2^{e_2} … p_k^{e_k})
• DLP: Find x satisfying g^x ≡ y (mod p)
• DHP: Find g^{ab} (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a_1, a_2, …, a_n} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)
Semantic Security
• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
    Challenger                         Adversary
    picks random k and
    picks random b ∈ {0, 1}
                                       picks M0, M1 of equal length
    [Figure: the challenger encrypts M_b under k and returns the ciphertext; the adversary outputs a guess b']
    Attacker wins the game if b = b'
Bit Security
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
    Challenger                         Adversary
    1. Picks random k
    2. Picks random M
                                       3. Picks i
    [Figure: the challenger returns the ciphertext of M; the adversary outputs a guess a]
    Attacker wins the game if a = the i'th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
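Added example, not from the slides: the IND-CPA game defined above played in Python against two constructed one-block ciphers, one deterministic and one that uses a fresh random value per encryption. The adversary uses its chosen-plaintext access by asking for E_k(M0) before the challenge; the PRF is assumed to be HMAC-SHA256, and the message pair and all function names are this example's own.

```python
# Added example, not from the slides: simulating the IND-CPA game. The adversary
# gets an encryption oracle (chosen-plaintext access), picks M0 and M1 of equal
# length, receives E_k(M_b) and guesses b. A deterministic cipher loses the game
# every time; a randomized one leaves the same adversary at about 1/2.
import hashlib
import hmac
import os
import secrets

KEY_LEN = BLOCK = 16

def prf(key: bytes, x: bytes) -> bytes:
    """Pseudorandom function, assumed to be HMAC-SHA256 truncated to BLOCK bytes."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc_deterministic(key: bytes, m: bytes) -> bytes:
    """Deterministic: C = M xor PRF(k, 0). Equal messages give equal ciphertexts."""
    return xor(m, prf(key, bytes(BLOCK)))

def enc_randomized(key: bytes, m: bytes) -> bytes:
    """Randomized: fresh r per call, C = r || (M xor PRF(k, r))."""
    r = os.urandom(BLOCK)
    return r + xor(m, prf(key, r))

def adversary(oracle):
    """Constructed adversary: ask the oracle for E_k(M0) first, then guess 0 if
    the challenge ciphertext equals that answer, else 1."""
    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"   # equal length, constructed
    seen = oracle(m0)
    def guess(challenge: bytes) -> int:
        return 0 if challenge == seen else 1
    return m0, m1, guess

def ind_cpa_game(enc, trials: int) -> float:
    """Play the game `trials` times; return the adversary's win rate."""
    wins = 0
    for _ in range(trials):
        k = os.urandom(KEY_LEN)               # challenger picks random k
        b = secrets.randbelow(2)              # and random b in {0, 1}
        m0, m1, guess = adversary(lambda m: enc(k, m))
        challenge = enc(k, m1 if b else m0)   # E_k(M_b)
        wins += guess(challenge) == b
    return wins / trials

if __name__ == "__main__":
    print("deterministic:", ind_cpa_game(enc_deterministic, 200))   # 1.0
    print("randomized:   ", ind_cpa_game(enc_randomized, 200))     # about 0.5
```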
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Z_n, Z_p, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework
• HTTP URL: httpcsthiteducncryptography
• Due Date
Congruence Properties
• Properties
  – a ≡ b (mod n), c ≡ d (mod n) ⇒
    a + c ≡ b + d (mod n)
    ac ≡ bd (mod n)
  – Example
    10 ≡ 1 (mod 9), 10^2 ≡ 1 (mod 9), …
    a = a_m·10^m + … + a_1·10 + a_0 ≡ a_m + … + a_1 + a_0 (mod 9)
  – a ≡ b (mod n), d | n ⇒ a ≡ b (mod d)
Congruence Relation
• The congruence relation is an equivalence relation
  – Reflexive
    • a ≡ a
  – Symmetric
    • a ≡ b ⇒ b ≡ a
  – Transitive
    • a ≡ b, b ≡ c ⇒ a ≡ c
• Equivalence relation ⇒ partition
Example: Integers Modulo 7
• Integers can always be written a = qn + r (0 ≤ r ≤ n–1)
[Figure: the integers from –21 to 34 laid out in rows of 7, so that each column holds the integers congruent modulo 7]
• Z_7: the residues modulo 7
Set of Residues
• Definition: If a ≡ b (mod n) and b < n, b is called a residue of a modulo n
• The complete set of residues modulo n
  – The set {r_1, r_2, …, r_n} such that for every integer b exactly one r_i in the set satisfies b ≡ r_i (mod n)
• The reduced set of residues (RSR)
  – A subset of the complete set of residues in which each element is relatively prime to n
Set of Residues: Example
• N = 10
  – The complete set of residues is {0, 1, 2, …, 9}
  – The reduced set of residues is {1, 3, 7, 9}
• N = p (p is a prime)
  – The complete set of residues is {0, 1, 2, …, p–1}
  – The reduced set of residues is {1, 2, …, p–1}
Modular Arithmetic
• We can define modular arithmetic on the set of integers Z_n = {0, 1, 2, …, n–1}
• Under normal arithmetic (+, ·)
  – [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • Proof: Let a = q_1 n + r_1, b = q_2 n + r_2
    • (a + b) mod n = (q_1 n + r_1 + q_2 n + r_2) mod n = (r_1 + r_2) mod n
  – [(a mod n)·(b mod n)] mod n = (ab) mod n
• (+, ·) ⇒ (–) follows as well, since subtraction is addition of the additive inverse
Modular Arithmetic Example
• (Z_8 = {0, 1, 2, …, 7}, +)
  [Figure: addition table of Z_8]
  What?
• (Z_8 = {0, 1, 2, …, 7}, ·)
  [Figure: multiplication table of Z_8]
  NOT all elements in Z_8 appear in every row
Modular Arithmetic: Remarks
• Additive inverse: always exists
  – (a + (–a)) ≡ 0 (mod n), –a = n – a
  – If (a + b) ≡ (a + c) (mod n) then b ≡ c (mod n)
    • ((–a) + a + b) ≡ ((–a) + a + c) (mod n)
• Multiplicative inverse: does NOT always exist
  – Example: 6 in Z_8
  – When?
Multiplicative Inverse in Modular Arithmetic
• Definition: a^{-1} mod n is the multiplicative inverse of a ∈ {1, 2, …, n–1} when a·x ≡ 1 (mod n)
• Theorem: a^{-1} mod n exists if and only if gcd(a, n) = 1
• Lemma: If gcd(a, n) = 1 then ai ≢ aj (mod n) for all 0 ≤ i < j < n
  – Proof: assume ai ≡ aj (mod n) ⇒ n | a(i – j) ⇒ n | (i – j) ⇒ i – j = 0, a contradiction
Multiplicative Inverse Theorem
• Proof
  – (⇐) gcd(a, n) = 1 ⇒ a·{1, …, n–1} mod n is a permutation of {1, …, n–1}
  – So there exists exactly one i with a·i ≡ 1 (mod n)
  – Therefore i is a^{-1} mod n
  – (⇒) Suppose a^{-1} exists; call it x
  – a·x ≡ 1 (mod n) ⇒ a·x + y·n = 1 for some integer y
  – gcd(a, n) = 1 (gcd(a, n) | ax + yn ⇒ gcd(a, n) | 1)
Euler's phi Function
• Euler's "phi" function φ(n)
  – Is the number of invertible elements of Z_n
  – Is the number of elements in the reduced set of residues modulo n
• φ(n) calculation?
Chinese Remainder Theorem
• Theorem: let n_1, n_2, …, n_k be integers s.t. gcd(n_i, n_j) = 1 (i ≠ j)
    x ≡ a_1 (mod n_1)
    x ≡ a_2 (mod n_2)
    ……
    x ≡ a_k (mod n_k)
  There exists a unique solution x modulo n = n_1 n_2 … n_k
Proof of CRT
• Consider a one-to-one map f: Z_n → Z_{n_1} × Z_{n_2} × … × Z_{n_k}
  f(x) = (x mod n_1, x mod n_2, …, x mod n_k)
  – CRT is finding f^{-1}(a_1, a_2, …, a_k)
  f^{-1}(a_1, a_2, …, a_k) = Σ_{i=1}^{k} a_i m_i y_i mod n
  – m_i = n / n_i, gcd(m_i, n_i) = 1, 1 ≤ i ≤ k
  – y_i = m_i^{-1} mod n_i, 1 ≤ i ≤ k
  – m_i ≡ 0 (mod n_j) for j ≠ i ⇒ a_i m_i y_i ≡ 0 (mod n_j) for j ≠ i
  – y_j = m_j^{-1} mod n_j ⇒ m_j y_j ≡ 1 (mod n_j) ⇒ a_j m_j y_j ≡ a_j (mod n_j)
  ⇒ f^{-1}(a_1, a_2, …, a_k) mod n_j = a_j
Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof
  – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – So φ(mn) = φ(m)·φ(n)
Finding Euler's phi Function
• φ(n) calculation for n = ∏_{i=1}^{k} p_i^{e_i}
  – φ(p) = p – 1, φ(p^e) = p^e – p^{e–1}
    – The numbers kp, k = 1, …, p^{e–1} – 1, have gcd(kp, p^e) = p
    – So φ(p^e) = (p^e – 1) – (p^{e–1} – 1)
  – φ(∏_{i=1}^{k} p_i^{e_i}) = ∏_{i=1}^{k} (p_i^{e_i} – p_i^{e_i – 1})
  – φ(n) = n(1 – 1/p_1)(1 – 1/p_2)…(1 – 1/p_k)
Euler's Theorem
• Theorem: If gcd(a, n) = 1 then a^{φ(n)} ≡ 1 (mod n)
• Proof
  1. Let R = {r_1, r_2, …, r_{φ(n)}} be a reduced set of residues modulo n
  2. {a r_1, a r_2, …, a r_{φ(n)}} is a permutation of R (gcd(a r_i, n) = 1)
  3. ∏_{i=1}^{φ(n)} r_i ≡ ∏_{i=1}^{φ(n)} a r_i ≡ a^{φ(n)} ∏_{i=1}^{φ(n)} r_i (mod n)
  4. gcd(∏_{i=1}^{φ(n)} r_i, n) = 1. Hence a^{φ(n)} ≡ 1 (mod n)
Fermat's Little Theorem
• From Euler's Theorem
  Let n = p where p is a prime
  Because for all 0 < a < p, gcd(a, p) = 1, then
  a^{p–1} ≡ 1 (mod p)
Finding a^{-1} mod n
• Search through 1, …, n–1 until an a^{-1} is found such that a·a^{-1} ≡ 1 (mod n)
  – T(n) = O(n)
• Compute a^{-1} = a^{φ(n)–1} mod n
  – Finding φ(n) requires factoring n
  – T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
  – T(n) = O((log n)^a)
From the Euclidean Algorithm
• r_0 = 1·r_0 + 0·r_1 = s_0 r_0 + t_0 r_1
• r_1 = 0·r_0 + 1·r_1 = s_1 r_0 + t_1 r_1
• r_2 = r_0 – q_1 r_1 = s_2 r_0 + t_2 r_1
• r_3 = r_1 – q_2 r_2 = r_1 – q_2 (r_0 – q_1 r_1) = s_3 r_0 + t_3 r_1
  ……
• r_{n–1} = s_{n–1} r_0 + t_{n–1} r_1
• r_{n–1} = gcd(r_0, r_1)
• s_{n–1} r_0 + t_{n–1} r_1 = 1 ⇒ t_{n–1} r_1 ≡ 1 (mod r_0) ⇒ t_{n–1} = r_1^{-1} mod r_0
• Find t_{n–1}
s_i and t_i
• r_0 = s_0 r_0 + t_0 r_1: s_0 = 1, t_0 = 0
• r_1 = s_1 r_0 + t_1 r_1: s_1 = 0, t_1 = 1
  ……
• r_i = r_{i–2} – q_{i–1} r_{i–1} = s_{i–2} r_0 + t_{i–2} r_1 – q_{i–1} s_{i–1} r_0 – q_{i–1} t_{i–1} r_1 = s_i r_0 + t_i r_1
    s_i = s_{i–2} – q_{i–1} s_{i–1}
    t_i = t_{i–2} – q_{i–1} t_{i–1}
• Only t_i is needed
• r_i = s_i r_0 + t_i r_1 ≡ t_i r_1 (mod r_0)
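Added example, not from the slides: a^{-1} mod n computed with only the t_i recurrence from the "s_i and t_i" slide (with r_0 = n, r_1 = a as in the Extended Euclidean Algorithm slide), the CRT reconstruction Σ a_i m_i y_i mod n from the "Proof of CRT" slide, and φ(n) from the product formula of the "Finding Euler's phi Function" slides. Function names are this example's own.

```python
# Added example, not from the slides: modular inverse via the t_i recurrence,
# CRT reconstruction, and Euler's phi from a prime factorization.
from functools import reduce
from math import gcd

def mod_inverse(a: int, n: int) -> int:
    """a^{-1} mod n by the Extended Euclidean Algorithm, tracking only t_i:
    r_0 = n, r_1 = a, r_i = r_{i-2} - q_{i-1} r_{i-1}, t_i = t_{i-2} - q_{i-1} t_{i-1},
    and r_i = t_i * a (mod n). When the remainder reaches 1, its t_i is the inverse."""
    r_prev, r_cur = n, a % n
    t_prev, t_cur = 0, 1
    while r_cur != 0:
        q = r_prev // r_cur
        r_prev, r_cur = r_cur, r_prev - q * r_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    if r_prev != 1:          # gcd(a, n) != 1: no inverse exists (theorem on the slides)
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {r_prev}")
    return t_prev % n

def crt(residues, moduli) -> int:
    """Solve x = a_i (mod n_i) for pairwise coprime n_i:
    x = sum(a_i * m_i * y_i) mod n with m_i = n / n_i and y_i = m_i^{-1} mod n_i."""
    for i, n_i in enumerate(moduli):
        for n_j in moduli[i + 1:]:
            if gcd(n_i, n_j) != 1:
                raise ValueError("moduli must be pairwise coprime")
    n = reduce(lambda x, y: x * y, moduli, 1)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i
        y_i = mod_inverse(m_i, n_i)
        x += a_i * m_i * y_i             # vanishes mod n_j for j != i, equals a_i mod n_i
    return x % n

def euler_phi(factorization: dict) -> int:
    """phi(n) = product of (p^e - p^(e-1)) over the prime factorization {p: e} of n."""
    phi = 1
    for p, e in factorization.items():
        phi *= p ** e - p ** (e - 1)
    return phi

if __name__ == "__main__":
    print(mod_inverse(3, 7))              # 5
    print(crt([2, 3, 2], [3, 5, 7]))      # 23
    print(euler_phi({2: 2, 5: 1}))        # phi(20) = 8
```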
Step 1 r0 =n and r1 =a
Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n
r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n
let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip
rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1
Step 3 Result is xn-2 =a-1 mod n
Extended Euclidean Algorithm
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
bull Definition The order of a finite group is the number of the elements in the group
bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S
bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H
(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a
ll coset is a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of Group Element
bull Definition The order of group element a is defined as the least positive integer n that
an = a a hellip a =e
bull The order of a is denoted as ord(a)
bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n
Zhijun Li S1034040Autumn08HIT 47
ord(a)|n Proof
bull Proofndash For group G and aG the set a a2 hellip aord
(a) and the operator of G forms a subgroup of G
aord(a)=e (ai)-1=a(ord(a)-i)
ndash This subgroup is denoted as ltagt
Zhijun Li S1034040Autumn08HIT 48
The Generator of Group
bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group
bull Examplendash Considering the ltZ7
gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod
7hellipbull lt124gt subgroup
ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator
Zhijun Li S1034040Autumn08HIT 49
Ringbull Definition A ring R=ltS+gt (+ is addition is
multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac
bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio
n and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic
ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers
e a-1 a = a-1 a = 1
bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
Field +-x
Relationship
Ring +-x
+-Group
Used In Cryptography
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
bull Zn
bull Zn
bull Zp
bull Polynomial Rings
bull Galois Field F2n
Zhijun Li S1034040Autumn08HIT 53
Zn
bull Zn is the ldquoringrdquo of integers modulo n
ndash Zn=0 1 2 hellipn-1
ndash Normal addition modulo nndash Normal multiplication modulo n
bull Example
ndash Z26 for English
ndash Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
bull Additive and multiplicative identities in Zn
ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n
bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn
bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn
ndash The elements in Zn have inverse x|gcd(xn)=1
Zhijun Li S1034040Autumn08HIT 55
Zn
bull Zn is a ldquogrouprdquo of integers modulo n
ndash Zn=x| gcd(xn)=1
ndash |Zn|=(n)
ndash Normal multiplication modulo n
bull Zn may not a group over +
ndash Example n=20 35 Zn but 3+5=8 Zn
bull So Zn may not a field
Zhijun Li S1034040Autumn08HIT 56
Zp
bull Zp is the ldquofieldrdquo of integers modulo n
ndash Zp=012hellipp-1
ndash Normal addition modulo pndash Normal multiplication modulo p
bull ExampleZ2+ 0 1
01
0 11 0
0 1
01
0 00 1
w -w w-1
01
01 1
XOR AND
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0
bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
• P = M^L = { m = (m1, m2, …, mL) | mi ∈ M }
  – M = {a_i}, i = 1, 2, …, N, with p(a_i) ≥ 0 and Σ_{i=1}^{N} p(a_i) = 1
• K = B^R = { b = (b1, b2, …, bR) | bi ∈ B }
  – B = {b_i}, i = 1, 2, …, S, with p(b_i) ≥ 0 and Σ_{i=1}^{S} p(b_i) = 1
• C = { c | c = e_k(m), k ∈ K, m ∈ P }
[Figure: Sender → Encryption → c → Decryption → Receiver; the key k from the Key Space (K) reaches both ends over a Secure Channel; Cryptanalysis observes c and tries to recover m. Message Space (P), Key Space (K), Ciphertext Space (C).]
Claude Shannon (1916–2001)
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." (R. G. Gallager)
Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
  – C(k) = { e_k(m) | m ∈ P } is the set of ciphertexts possible under key k
• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k : m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)) )
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define "information"?
• Definition: an encryption scheme is Shannon secure if, for every probability distribution on P, every c ∈ C and every m ∈ P,
  Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem with |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and every y ∈ C there is a unique key k such that e_k(x) = y
Proof of ⇐ (the two conditions imply perfect secrecy)
• Pr[x | y] = ( Σ_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[P = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[P = d_k(y)] )
• Numerator: exactly one key maps x to y, so Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|, and the numerator is Pr[P = x] / |K|
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[P = d_k(y)] = (1/|K|) Σ_{k ∈ K, y ∈ C(k)} Pr[P = d_k(y)] = (1/|K|) Σ_{x ∈ P} Pr[P = x] = 1/|K|
  (as k ranges over K, d_k(y) ranges over every x ∈ P exactly once, by the unique-key condition)
• Hence Pr[x | y] = Pr[x] for all x ∈ P and y ∈ C
Proof of ⇒ (perfect secrecy implies a unique key per pair)
• Assume Pr[y] > 0 for every y ∈ C
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P. For every y ∈ C we have Pr[y | x] = Pr[y] > 0, so at least one key k satisfies e_k(x) = y
• Therefore |{ e_k(x) | k ∈ K }| = |C| = |K|
  – there are no k1 ≠ k2 with e_k1(x) = e_k2(x)
  – so for every y there is a unique key k such that e_k(x) = y
Proof of ⇒ (perfect secrecy implies equiprobable keys)
• Let n = |K| and P = { x_i | 1 ≤ i ≤ n }
• Fix y and let k1, k2, …, kn be the keys with e_{k_i}(x_i) = y (unique by the previous slide)
• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = k_i] · Pr[x_i] / Pr[y]
• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y] for every i
  – every key is used with the same probability Pr[y], which must therefore be 1/|K|
"Bad News" for Perfect Secrecy
• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a probability distribution on P in which every message has nonzero probability
  – Given any ciphertext c with Pr[C = c] > 0, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, so there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
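The following is an added example (not code from the course slides) that checks Shannon's definition and the theorem above directly by enumeration: it computes Pr[C = c] and Pr[P = m | C = c] exactly, with fractions, for a small cipher and reports whether Pr[P = m | C = c] = Pr[P = m] holds for every m and every c. The shift cipher over Z3 and the skewed plaintext distribution are constructed toys, and the function names are mine.

```python
from fractions import Fraction
from itertools import product

def cipher_distributions(plain_dist, key_dist, enc):
    """Joint table Pr[P=m, C=c] and marginal Pr[C=c] for the cipher c = enc(k, m).

    plain_dist and key_dist map messages / keys to Fractions, so every
    comparison below is exact rather than floating point.
    """
    joint = {}
    for (m, pm), (k, pk) in product(plain_dist.items(), key_dist.items()):
        c = enc(k, m)
        joint[(m, c)] = joint.get((m, c), Fraction(0)) + pm * pk
    # Pr[C=c] = sum over keys k with c in C(k) of Pr[K=k] * Pr[P=d_k(c)];
    # summing the joint table over m is the same sum, indexed by m instead of k.
    pr_c = {}
    for (m, c), p in joint.items():
        pr_c[c] = pr_c.get(c, Fraction(0)) + p
    return pr_c, joint

def is_perfectly_secret(plain_dist, key_dist, enc):
    """Shannon's condition: Pr[P=m | C=c] == Pr[P=m] for all m and all c with Pr[C=c] > 0."""
    pr_c, joint = cipher_distributions(plain_dist, key_dist, enc)
    for c, pc in pr_c.items():
        for m, pm in plain_dist.items():
            posterior = joint.get((m, c), Fraction(0)) / pc   # Pr[P=m | C=c]
            if posterior != pm:
                return False
    return True

def unique_key_per_pair(plains, keys, enc):
    """Second condition of the theorem: for every x in P and y in C exactly one key has e_k(x) = y."""
    ciphertexts = {enc(k, m) for k in keys for m in plains}
    for x in plains:
        images = [enc(k, x) for k in keys]
        if len(set(images)) != len(images) or set(images) != ciphertexts:
            return False
    return True

def shift_cipher(n):
    """Toy cipher on Z_n (constructed for this example): e_k(m) = m + k mod n."""
    return lambda k, m: (m + k) % n

def uniform(values):
    return {v: Fraction(1, len(values)) for v in values}

# Constructed skewed plaintext distribution on Z_3.
SKEWED = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}

if __name__ == "__main__":
    e = shift_cipher(3)
    print(is_perfectly_secret(SKEWED, uniform([0, 1, 2]), e))   # one-time pad on Z_3
    print(is_perfectly_secret(SKEWED, SKEWED, e))                # keys not equiprobable
    print(is_perfectly_secret(SKEWED, uniform([0, 1]), e))       # |K| < |P|: the "bad news" theorem
```

With uniform keys over all of Z3 the shift cipher is a one-time pad and passes; with a skewed key distribution the posterior Pr[P = 0 | C = 0] becomes 2/3 instead of 1/2, and with only two keys some message becomes impossible given the ciphertext, which is exactly the |K| ≥ n argument above.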
Introduction of the Complexity
• Perfect secrecy ⇒ key length ≥ message length
  – One key can NOT be used to encrypt many messages
  – e.g., a 56-bit key cannot give perfect secrecy for a document longer than 56 bits
• So in modern cryptography
  – schemes are NOT perfectly secret
  – they ARE secure against adversaries with limited resources (complexity)
  – meaning that recovering the key (or the plaintext) is computationally difficult
  – Complexity is the foundation of modern cryptography
Problems
• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: a Turing machine is given by a transition function δ: S × B → S × B × {l, r}
  – S is the set of states, B the tape alphabet, l means shift left and r shift right
[Figure: an infinite tape "… 0 1 1 0 0 0 1 1 …" read and written by a finite state machine]
Algorithms
• Definition: an algorithm is a step-by-step procedure (based on a Turing machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Problems and Algorithms
[Figure: a PROBLEM has many INSTANCES; an instance is the Input to an ALGORITHM, whose Output is the answer for that instance]
Complexity of Algorithm
• Definition: the time complexity of an algorithm is the number of steps (of a Turing machine) necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = a^n, a ∈ N (more generally, there exists b ∈ N with f(n) = O(b^n))
Complexity of Problem
• Definition: the complexity of a problem is the complexity of the best algorithm for it, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine than that of an algorithm
  – It relies on mathematical analysis
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problem
• Undecidable: provably intractable
  – There is no algorithm that solves it
  – e.g., the Turing halting problem
• Decidable
  – P: can be solved in polynomial time by a deterministic Turing machine (DTM)
    · Example: A × B
  – NP: can be solved in polynomial time by a nondeterministic Turing machine (NDTM), δ: S × B → 2^(S × B × {l, r})
  – BPP: can be "solved" in polynomial time by a probabilistic Turing machine (PTM), δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)
NP Problem
• NP ⊇ P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P ⊆ NP
  – intuitively, NP problems are "more difficult"
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy
Polynomial Reduction
• Definition: assume Q1, Q2 ∈ NP with instance sets I1, I2, and let I1+ ⊆ I1 and I2+ ⊆ I2 be their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  – f is computable in polynomial time by a DTM
  – for all x ∈ I1: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is at least as hard as Q1
  – Denoted Q1 ≤_poly Q2
NP Completeness (NPC)
• Definition: an NP-complete problem is a Qc ∈ NP such that for any Q ∈ NP we have Q ≤_poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove that a problem Q is NPC: show Q ∈ NP and SAT ≤_poly Q
P = NP?
• P = NP, or does some p ∈ NP satisfy p ∉ P?
• If P = NP
  – modern cryptography is NOT secure
• If there is p ∈ NP with p ∉ P
  – a one-way function may be built from such a p (in practice this needs average-case hardness, not just the worst-case hardness that P ≠ NP gives)
  – indistinguishable pseudorandom functions exist
  – these are the foundations of modern cryptography
BPP
• There are randomized algorithms in cryptography
  – especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – the problem is solved with some error probability
  – the error probability can be reduced by repetition
  – the security of cryptography is meaningful against BPP adversaries
  – to be analyzed in depth later
Problems in Cryptography
• FACTORING: factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: given a generator g of Zp* and y ∈ Zp*, find x satisfying g^x ≡ y (mod p)
• DHP: find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)
Semantic Security
• Ideas of semantic security
  – sits between Shannon security and purely complexity-based security
  – concerned with the leakage of partial information, not only full recovery of the plaintext
  – a computational approximation of perfect secrecy
• Definition of semantic security (via indistinguishability of ciphertexts)
  – it is difficult to distinguish the ciphertexts of two different plaintexts
  – it is difficult to distinguish a ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• Game
  – Challenger picks a random key k and a random bit b ∈ {0, 1}
  – Adversary (with access to encryptions of plaintexts of its choice) picks M0, M1 of equal length
  – Challenger returns C = E_k(M_b); Adversary outputs a guess b'
  – The attacker wins the game if b = b'
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• Game
  1. Challenger picks a random key k
  2. Challenger picks a random message M and sends C = E_k(M)
  3. Adversary picks an index i and outputs a guess a
  – The attacker wins the game if a = the i-th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security (choose M0 and M1 that differ only in bit i, and return the bit attacker's guess for bit i as b')
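The following is an added example (not code from the course slides): a small harness for the IND-CPA game of the previous slides, plus the reduction sketched in the proof above. The three toy ciphers (a deterministic XOR, a nonce-based randomized cipher that uses SHA-256 as a stand-in for a PRF, and a deliberately leaky variant) are constructed only for the demonstration and are not real schemes; the adversary classes and all names are mine.

```python
import hashlib
import random

BLOCK = 16   # every message in the games below is BLOCK bytes long

def rand_bytes(rng, n):
    return rng.getrandbits(8 * n).to_bytes(n, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# --- Toy ciphers, constructed for the demonstration (not real schemes) ---

def det_xor_encrypt(key, msg, rng):
    """Deterministic: c = m XOR k. The same message always gives the same ciphertext."""
    return xor(msg, key)

def rand_encrypt(key, msg, rng):
    """Randomized: fresh nonce r, pad = SHA-256(k || r) (a stand-in for a PRF); c = r || (m XOR pad)."""
    r = rand_bytes(rng, 16)
    pad = hashlib.sha256(key + r).digest()[:BLOCK]
    return r + xor(msg, pad)

def leaky_encrypt(key, msg, rng):
    """rand_encrypt, but the lowest bit of the first plaintext byte is appended in the clear."""
    return rand_encrypt(key, msg, rng) + bytes([msg[0] & 1])

# --- IND-CPA game: the challenger holds k and b; the adversary gets an encryption oracle ---

def ind_cpa_game(encrypt, adversary, rng):
    key = rand_bytes(rng, 16)
    b = rng.randrange(2)
    oracle = lambda m: encrypt(key, m, rng)
    m0, m1 = adversary.choose(oracle, rng)
    assert len(m0) == len(m1) == BLOCK, "M0 and M1 must have equal length"
    challenge = encrypt(key, (m0, m1)[b], rng)
    return adversary.guess(oracle, challenge) == b     # the attacker wins if b' == b

def win_rate(encrypt, adversary, trials=200, seed=1):
    """Fraction of games won, i.e. 0.5 + the adversary's advantage."""
    rng = random.Random(seed)
    return sum(ind_cpa_game(encrypt, adversary, rng) for _ in range(trials)) / trials

class ReplayAdversary:
    """Queries E_k(M0) before the challenge and compares; breaks any deterministic cipher."""
    def choose(self, oracle, rng):
        self.m0, self.m1 = bytes(BLOCK), bytes([0xFF]) * BLOCK
        self.c0 = oracle(self.m0)
        return self.m0, self.m1
    def guess(self, oracle, challenge):
        return 0 if challenge == self.c0 else 1

# --- The reduction: a bit-security attacker yields an IND-CPA attacker ---

class FromBitGuesser:
    """M0 and M1 are random but differ only in bit i; the bit guesser's answer for bit i is b'."""
    def __init__(self, guess_bit, i):
        self.guess_bit, self.i = guess_bit, i
    def choose(self, oracle, rng):
        base = bytearray(rand_bytes(rng, BLOCK))
        byte, mask = self.i // 8, 1 << (self.i % 8)
        base[byte] &= 0xFF ^ mask        # bit i cleared in M0
        m0 = bytes(base)
        base[byte] |= mask               # bit i set in M1
        return m0, bytes(base)
    def guess(self, oracle, challenge):
        return self.guess_bit(challenge, self.i)

def leaky_bit_guesser(challenge, i):
    """Bit attacker against leaky_encrypt: bit 0 of byte 0 is the trailing byte of the ciphertext."""
    return challenge[-1] if i == 0 else 0

if __name__ == "__main__":
    print(win_rate(det_xor_encrypt, ReplayAdversary()))                    # deterministic: always wins
    print(win_rate(rand_encrypt, ReplayAdversary()))                       # randomized: about 0.5
    print(win_rate(leaky_encrypt, FromBitGuesser(leaky_bit_guesser, 0)))   # one leaked bit breaks IND-CPA
```

The replay adversary wins every game against the deterministic cipher, which is why stateless deterministic encryption can never be IND-CPA secure; against the randomized cipher it is reduced to guessing. The `FromBitGuesser` wrapper is the proof above in code: any attacker that predicts bit i of a random plaintext becomes an IND-CPA attacker with the same advantage.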
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework
• HTTP URL: httpcsthiteducncryptography
• Due Date:
Congruence Relation
• The congruence relation is an equivalence relation
  – Reflexive: a ≡ a
  – Symmetric: a ≡ b ⇒ b ≡ a
  – Transitive: a ≡ b, b ≡ c ⇒ a ≡ c
• Equivalence relation ⇒ partition of the integers into residue classes
Example: Integers Modulo 7
• Any integer can be written as a = qn + r with 0 ≤ r ≤ n−1
[Figure: the integers −21, −20, …, 34 laid out in seven columns; the numbers in one column are congruent modulo 7, and the seven columns are the residues in Z7]
Set of Residues
• Definition: if a ≡ b mod n and 0 ≤ b < n, then b is called the residue of a modulo n
• The complete set of residues modulo n
  – a set {r1, r2, …, rn} such that for every integer b exactly one ri in the set satisfies b ≡ ri mod n
• The reduced set of residues (RSR)
  – the subset of a complete set of residues whose elements are relatively prime to n
Set of Residues: Example
• n = 10
  – the complete set of residues is {0, 1, 2, …, 9}
  – the reduced set of residues is {1, 3, 7, 9}
• n = p (p prime)
  – the complete set of residues is {0, 1, 2, …, p−1}
  – the reduced set of residues is {1, 2, …, p−1}
Modular Arithmetic
• We define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n−1}
• It is compatible with ordinary arithmetic (+, ×)
  – [(a mod n) + (b mod n)] mod n = (a + b) mod n
    · Proof: let a = q1·n + r1 and b = q2·n + r2; then (a + b) mod n = (q1·n + r1 + q2·n + r2) mod n = (r1 + r2) mod n
  – [(a mod n) × (b mod n)] mod n = (a × b) mod n
• The same holds for (−)
Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, +)
[Table: the addition table of (Z8, +)]
Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, ×)
[Table: the multiplication table of (Z8, ×)]
• NOT every row contains all elements of Z8 (e.g. the rows of 2, 4 and 6)
Modular Arithmetic Remark
• Additive inverse: always exists
  – a + (−a) ≡ 0 mod n, with −a = n − a
  – if a + b ≡ a + c mod n then b ≡ c mod n
    · (−a) + a + b ≡ (−a) + a + c mod n
• Multiplicative inverse: does NOT always exist
  – Example: 6 in Z8
  – When does it exist?
Multiplicative Inverse in Modular Arithmetic
• Definition: a^-1 mod n is the multiplicative inverse of a ∈ {1, 2, …, n−1} if x = a^-1 satisfies a·x ≡ 1 mod n
• Theorem: a^-1 mod n exists if and only if gcd(a, n) = 1
• Lemma: if gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n
  – Proof: assume a·i ≡ a·j mod n; then n | a(i − j), and as gcd(a, n) = 1, n | (i − j), so i − j = 0, a contradiction
Multiplicative Inverse Theorem
• Proof
  – (⇐) gcd(a, n) = 1 ⇒ a·1, …, a·(n−1) mod n is a permutation of 1, …, n−1
    · so there exists exactly one i with a·i ≡ 1 mod n
    · therefore i is a^-1 mod n
  – (⇒) suppose a^-1 exists; call it x
    · a·x ≡ 1 (mod n), so a·x + y·n = 1 for some integer y
    · gcd(a, n) | a·x + y·n, hence gcd(a, n) | 1, i.e. gcd(a, n) = 1
Euler's phi Function
• Euler's "phi" function φ(n)
  – is the number of invertible elements of Zn
  – is the number of elements in the reduced set of residues modulo n
• How is φ(n) calculated?
Chinese Remainder Theorem
• Theorem: let n1, n2, …, nk be integers with gcd(ni, nj) = 1 for i ≠ j. The system
  x ≡ a1 mod n1
  x ≡ a2 mod n2
  …
  x ≡ ak mod nk
  has a unique solution x modulo n = n1·n2·…·nk
Proof of CRT
• Consider the one-to-one map χ: Zn → Zn1 × Zn2 × … × Znk,
  χ(x) = (x mod n1, x mod n2, …, x mod nk)
  – CRT is the problem of finding χ^-1(a1, a2, …, ak)
• χ^-1(a1, a2, …, ak) = Σ_{i=1}^{k} ai·mi·yi mod n, where
  – mi = n / ni, so gcd(mi, ni) = 1, 1 ≤ i ≤ k
  – yi = mi^-1 mod ni, 1 ≤ i ≤ k
  – mi ≡ 0 mod nj for j ≠ i ⇒ ai·mi·yi ≡ 0 mod nj for j ≠ i
  – yj ≡ mj^-1 mod nj ⇒ mj·yj ≡ 1 mod nj ⇒ aj·mj·yj ≡ aj mod nj
  – hence χ^-1(a1, a2, …, ak) mod nj = aj for every j
Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof
  – a number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – x is relatively prime to mn iff a and b are relatively prime to m and n respectively
  – so φ(mn) = φ(m)·φ(n)
Finding Euler's phi Function
• φ(n) calculation for n = Π_{i=1}^{k} pi^ei
  – φ(p) = p − 1, and φ(p^e) = p^e − p^(e−1)
    · among 1, …, p^e − 1, the numbers not coprime to p^e are the multiples k·p, k = 1, …, p^(e−1) − 1
    · so φ(p^e) = (p^e − 1) − (p^(e−1) − 1) = p^e − p^(e−1)
  – φ(Π_{i=1}^{k} pi^ei) = Π_{i=1}^{k} (pi^ei − pi^(ei−1))
  – φ(n) = n·(1 − 1/p1)·(1 − 1/p2)·…·(1 − 1/pk)
Euler's Theorem
• Theorem: if gcd(a, n) = 1 then a^φ(n) ≡ 1 mod n
• Proof
  1. Let R = {r1, r2, …, r_φ(n)} be a reduced set of residues modulo n
  2. {a·r1, a·r2, …, a·r_φ(n)} is a permutation of R (since gcd(a·ri, n) = 1)
  3. Π_{i=1}^{φ(n)} ri ≡ Π_{i=1}^{φ(n)} a·ri ≡ a^φ(n) · Π_{i=1}^{φ(n)} ri mod n
  4. gcd(Π_{i=1}^{φ(n)} ri, n) = 1, hence a^φ(n) ≡ 1 mod n
Fermat's Little Theorem
• From Euler's Theorem, let n = p with p prime
• Because gcd(a, p) = 1 for all 0 < a < p,
  a^(p−1) ≡ 1 mod p
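The following is an added example (not code from the course slides) that carries the CRT formula from the proof, the φ(n) product formula and Euler's/Fermat's theorem through in Python. Factorization is by trial division (adequate for the small inputs used here), and y_i = m_i^-1 mod n_i uses Python's built-in pow(m, -1, n) (Python 3.8 or newer); all names are mine.

```python
from math import gcd, prod

def factorize(n):
    """Trial-division factorization n = p1^e1 ... pk^ek, returned as {p: e}."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def euler_phi(n):
    """phi(n) = product of (p^e - p^(e-1)) over the prime factorization."""
    return prod(p ** e - p ** (e - 1) for p, e in factorize(n).items())

def phi_by_counting(n):
    """phi(n) straight from the definition: the number of residues coprime to n."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)

def crt(residues, moduli):
    """Solve x = a_i (mod n_i) for pairwise coprime n_i with the formula from the proof:
    x = sum a_i * m_i * y_i mod n, where m_i = n / n_i and y_i = m_i^{-1} mod n_i."""
    for i, ni in enumerate(moduli):
        for nj in moduli[i + 1:]:
            if gcd(ni, nj) != 1:
                raise ValueError("moduli must be pairwise coprime")
    n = prod(moduli)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i               # m_i = 0 (mod n_j) for every j != i
        y_i = pow(m_i, -1, n_i)      # modular inverse (Python 3.8+)
        x += a_i * m_i * y_i
    return x % n

def euler_theorem_holds(a, n):
    """a^phi(n) = 1 (mod n) whenever gcd(a, n) = 1; Fermat's little theorem is the case n prime."""
    return gcd(a, n) == 1 and pow(a, euler_phi(n), n) == 1

if __name__ == "__main__":
    print(euler_phi(360), phi_by_counting(360))      # both 96
    print(crt([2, 3, 2], [3, 5, 7]))                 # 23
    print(euler_theorem_holds(3, 10), pow(2, 6, 7))  # True 1
```

The multiplicativity φ(mn) = φ(m)·φ(n) for coprime m, n falls out of `euler_phi` because the product over prime powers splits; `phi_by_counting` is there only to confirm the formula against the definition on small n.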
Finding a^-1 mod n
• Search through 1, …, n−1 until an a^-1 is found such that a·a^-1 ≡ 1 (mod n)
  – T(n) = O(n)
• Compute a^-1 = a^(φ(n)−1) mod n
  – finding φ(n) requires factoring n
  – T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)
From Euclidean Algorithm
• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
  …
• r_(n−1) = s_(n−1)·r0 + t_(n−1)·r1
• r_(n−1) = gcd(r0, r1) = 1 ⇒ s_(n−1)·r0 + t_(n−1)·r1 = 1 ⇒ t_(n−1)·r1 ≡ 1 mod r0 ⇒ t_(n−1) ≡ r1^-1 mod r0
• So: find t_(n−1)
s_i and t_i
• r0 = s0·r0 + t0·r1, with s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, with s1 = 0, t1 = 1
  …
• ri = r_(i−2) − q_(i−1)·r_(i−1) = s_(i−2)·r0 + t_(i−2)·r1 − q_(i−1)·s_(i−1)·r0 − q_(i−1)·t_(i−1)·r1 = si·r0 + ti·r1
  si = s_(i−2) − q_(i−1)·s_(i−1)
  ti = t_(i−2) − q_(i−1)·t_(i−1)
• Only ti is needed
  ri = si·r0 + ti·r1 ≡ ti·r1 mod r0
Extended Euclidean Algorithm
Step 1: r0 = n and r1 = a
Step 2:
  r0 = q1·r1 + r2, r2 = r0 − q1·r1 ≡ −q1·r1 mod n; let x2 = −q1, then r2 ≡ x2·r1 mod n
  r1 = q2·r2 + r3, r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 mod n; let x3 = 1 − x2·q2, then r3 ≡ x3·r1 mod n
  …
  r_(n−3) = q_(n−2)·r_(n−2) + r_(n−1), r_(n−1) = r_(n−3) − q_(n−2)·r_(n−2) mod n; let x_(n−1) = x_(n−3) − x_(n−2)·q_(n−2), then r_(n−1) ≡ x_(n−1)·r1 mod n. Stop when r_(n−1) = 1
Step 3: the result is x_(n−1) ≡ a^-1 mod n (with x1 = 1, the recurrence x_i = x_(i−2) − x_(i−1)·q_(i−1) is exactly the t_i of the previous slide)
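The following is an added example (not code from the course slides) implementing the three ways of finding a^-1 mod n listed above, with the extended Euclidean version tracking only the x_i / t_i coefficient as derived on the preceding slides; it also exercises the failure case from the modular-arithmetic remark (6 in Z8), where gcd(a, n) ≠ 1 and no inverse exists. All names are mine.

```python
from math import gcd

def inverse_by_search(a, n):
    """Method 1: try every x in 1..n-1 until a*x = 1 (mod n); O(n) steps."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    raise ValueError(f"{a} has no inverse mod {n}")

def inverse_by_euler(a, n):
    """Method 2: a^(phi(n)-1) mod n. phi(n) is obtained here by counting coprime residues,
    which is only feasible for small n; in general it needs the factorization of n."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} has no inverse mod {n}")
    phi = sum(1 for k in range(1, n) if gcd(k, n) == 1)
    return pow(a, phi - 1, n)

def inverse_by_extended_euclid(a, n):
    """Method 3: Euclid on r0 = n, r1 = a, tracking only the coefficient x_i with
    r_i = x_i * a (mod n); the x_i belonging to the remainder 1 is a^-1 (O(log n) divisions)."""
    r0, r1 = n, a % n
    x0, x1 = 0, 1                    # r0 = 0*a, r1 = 1*a (mod n)
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1     # r_i = r_(i-2) - q_(i-1) * r_(i-1)
        x0, x1 = x1, x0 - q * x1     # x_i = x_(i-2) - q_(i-1) * x_(i-1)
    if r0 != 1:                      # gcd(a, n) != 1: no inverse exists
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {r0})")
    return x0 % n

def units_with_inverses(n):
    """Every x in Z_n that has an inverse, with that inverse; exactly the x with gcd(x, n) = 1."""
    out = {}
    for x in range(1, n):
        try:
            out[x] = inverse_by_extended_euclid(x, n)
        except ValueError:
            pass
    return out

if __name__ == "__main__":
    print(inverse_by_search(3, 7), inverse_by_euler(3, 7), inverse_by_extended_euclid(3, 7))  # 5 5 5
    print(units_with_inverses(8))   # {1: 1, 3: 3, 5: 5, 7: 7}; 2, 4 and 6 have no inverse
```

The first two methods are there for comparison only: the search is linear in n and the Euler route needs φ(n), hence the factorization of n, so for the moduli used in practice only the extended Euclidean algorithm is usable.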
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Algebraic Structures
• Why structures?
  – Cryptographic transforms normally operate within some algebraic structure
• Definition: an algebraic structure is a collection of a set (S) with one (or more) operations (∘) performed on the elements of S
  – Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions
Group
• Definition: a group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S: a∘b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S: (a∘b)∘c = a∘(b∘c) (associativity)
  – G3: ∃e ∈ S such that ∀a ∈ S: a∘e = e∘a = a (identity)
  – G4: ∀a ∈ S ∃a^-1 ∈ S: a∘a^-1 = a^-1∘a = e (inverse)
  – [G5, Abelian group]: ∀a, b ∈ S: a∘b = b∘a
Group Example
• ⟨Z, +⟩: e = 0, a^-1 = −a
• ⟨Zn, +⟩ (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a^-1 = n − a
• ⟨Z2, ⊕⟩ (addition modulo 2, i.e. XOR) is also a group
• ⟨Zp*, ×⟩ (Zp* = {1, …, p−1}, '×' is multiplication modulo p)
Group Properties
• Definition: the order of a finite group is the number of elements in the group
• Definition: a group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S (with the same operation)
• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G
Lagrange's Theorem: Proof
(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {a∘h | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH), so the cosets form a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
The Order of a Group Element
• Definition: the order of a group element a is the least positive integer n such that
  a^n = a∘a∘…∘a (n times) = e
• The order of a is denoted ord(a)
• Corollary: suppose G is a finite group of order n and a ∈ G; then ord(a) | n
ord(a) | n: Proof
• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operation of G forms a subgroup of G:
    a^ord(a) = e and (a^i)^-1 = a^(ord(a)−i)
  – This subgroup is denoted ⟨a⟩; its order is ord(a), which divides n by Lagrange's Theorem
The Generator of a Group
• Definition: if all elements of a group can be generated by a single element g, then g is called a generator of the group
• Example: consider ⟨Z7*, ×⟩
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    · ⟨2⟩ = {1, 2, 4} is a proper subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    · 3 is a generator
Ring
• Definition: a ring R = ⟨S, +, ×⟩ (+ is addition, × is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a × b ∈ S (closure rule)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a × b) × c = a × (b × c)
  – R4: ∀a, b, c ∈ S: a × (b + c) = a × b + a × c (and (b + c) × a = b × a + c × a)
• Example
  – the set of even integers with + and × is a ring
  – for primes p, q and n = pq, Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring
Field
• Definition: a field F is ⟨S, +, ×⟩ with
  – F1: ⟨S, +, ×⟩ is a commutative ring (a × b = b × a)
  – F2: there exists an identity element 1 with respect to multiplication: a × 1 = 1 × a = a
  – F3: any nonzero element a ∈ S has a unique inverse a^-1: a × a^-1 = a^-1 × a = 1
• Example
  – Zn = ⟨{0, 1, …, n−1}, +, ×⟩ is a field if (and only if) n is prime
Relationship
[Figure: nested structures. Group: + and −. Ring: +, −, ×. Field: +, −, ×, ÷. All three are used in cryptography.]
Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F_(2^n)
Zn
• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – normal addition modulo n
  – normal multiplication modulo n
• Example
  – Z26 for English letters
  – Z256 for ASCII bytes
Zn Properties
• Additive and multiplicative identities in Zn
  – the additive identity is 0 mod n
  – the multiplicative identity is 1 mod n
• Additive inverse: yes, for every x
  – a number y such that x + y ≡ 0 mod n
• Multiplicative inverse: not for all x
  – a number y such that x × y ≡ 1 mod n
  – the elements of Zn that have an inverse are {x | gcd(x, n) = 1}
Zn*
• Zn* is the "group" of integers modulo n that are coprime to n
  – Zn* = {x ∈ Zn | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – normal multiplication modulo n
• Zn* is in general not a group under +
  – Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* is in general not a field
Zp
• Zp is the "field" of integers modulo a prime p
  – Zp = {0, 1, 2, …, p−1}
  – normal addition modulo p
  – normal multiplication modulo p
• Example: Z2
  +  | 0 1        ×  | 0 1        w | −w | w^-1
  0  | 0 1        0  | 0 0        0 |  0 | (none)
  1  | 1 0        1  | 0 1        1 |  1 |  1
  (+ is XOR, × is AND)
Polynomial Ring
• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + a_(n−1)·x^(n−1) + … + a1·x + a0, where each ai ∈ R and n ≥ 0
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Polynomial Ring Example
• Example: let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x
Set of Residues Modulo p(x)
• Definition: the set of residues modulo p(x) of R[x] is the set of remainders of R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/(p(x))
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
  – in Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    · 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: if a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^-1(x) mod p(x)
Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) such that b(x) | a(x)
Example: Z2[x]/(x^3+x+1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 ≡ x(x + 1) + 1 = x^2 + x + 1 mod p(x)
• Note: R[x]/(p(x)), for irreducible p(x), is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)
Z2[x]/(x^3+x+1): Properties
• S is a group under addition (coefficient-wise in Z2)
  – 0 is the identity e, and the inverse of a ∈ S is a itself
  – Example: (x^2+1) + (x^2+1) = 0
• S \ {0} is a group under multiplication mod p(x)
  – 1 is the identity e, and every nonzero a ∈ S has an inverse in S
  – Example: (x^2+1)·x = x^3+x ≡ (x+1)+x = 1 mod x^3+x+1
  – Note: the inverse can be found with the Extended Euclidean Algorithm
• Z2[x]/(x^3+x+1) is a field
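The following is an added worked example (not code from the course slides) implementing the arithmetic described in the polynomial-ring slides above and in the AES GF(2^8) slides earlier in this chapter: polynomials over Z2 are stored as Python ints (bit i is the coefficient of x^i), multiplication is carry-less and then reduced modulo p(x), and the inverse is found with the extended Euclidean algorithm over Z2[x], tracking only the t_i coefficients as the slides suggest. The AES modulus 0x11B (x^8 + x^4 + x^3 + x + 1) and the shift-and-XOR rule for 02·b are the ones on the AES slides; the function names are mine.

```python
def gf2_mul(a, b):
    """Carry-less product of two polynomials over Z_2 (ints as bit vectors), no reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def gf2_divmod(a, b):
    """Long division over Z_2: returns (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = (a.bit_length() - 1) - db
        q ^= 1 << shift
        a ^= b << shift          # subtraction is XOR over Z_2
    return q, a

def gf_mul(a, b, p):
    """Multiplication in GF(2^n) = Z_2[x]/(p(x)): the carry-less product reduced mod p."""
    return gf2_divmod(gf2_mul(a, b), p)[1]

def gf_inv(a, p):
    """Inverse by the extended Euclidean algorithm over Z_2[x], tracking only t_i:
    r_i = t_i * a (mod p); when r_i = 1, t_i is a^-1."""
    a = gf2_divmod(a, p)[1]
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1, t0, t1 = p, a, 0, 1
    while r1 != 1:
        q, r2 = gf2_divmod(r0, r1)
        if r2 == 0:              # gcd != 1: p(x) is reducible and shares a factor with a
            raise ValueError("no inverse: gcd(a, p) != 1")
        r0, r1 = r1, r2
        t0, t1 = t1, t0 ^ gf2_mul(q, t1)   # t_i = t_(i-2) - q_(i-1) * t_(i-1)
    return gf2_divmod(t1, p)[1]

AES_POLY = 0x11B      # x^8 + x^4 + x^3 + x + 1

def xtime(b):
    """02 * b in AES by the slide's rule: shift left; XOR 00011011 if bit 7 was set."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def poly_str(a):
    """Render an int as a polynomial over Z_2, e.g. 0b1011 -> 'x^3 + x + 1'."""
    terms = []
    for i in range(a.bit_length() - 1, -1, -1):
        if a >> i & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms) or "0"

if __name__ == "__main__":
    P3 = 0b1011                                  # x^3 + x + 1, the GF(2^3) example above
    print(poly_str(gf2_divmod(0b10001, P3)[1]))  # x^4 + 1 mod p(x) = x^2 + x + 1
    print(poly_str(gf_inv(0b101, P3)))           # (x^2 + 1)^-1 = x
    print(hex(gf_mul(0x02, 0x87, AES_POLY)), hex(xtime(0x87)))          # 0x15 0x15
    print(hex(gf_inv(0x53, AES_POLY)), gf_mul(0x53, 0xCA, AES_POLY))    # 0xca 1
```

`gf2_mul` and `gf2_divmod` are ordinary polynomial arithmetic in Z2[x] (the f·g and f mod p(x) computations of the ring slides); `gf_mul` and `gf_inv` turn them into field operations once p(x) is irreducible. The AES values reproduce the slides: 02·87 = 15 whichever way it is computed, and 53 and CA are inverses of each other.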
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
• FACTORING: factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP (discrete logarithm problem): find x satisfying x (mod p)
• DHP (Diffie-Hellman problem): find ab (mod p) from a (mod p) and b (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)
Semantic Security
• Ideas of semantic security
– Between Shannon security and security based on complexity
– Leaks partial information
– Approximates perfect secrecy
• Definition of semantic security
– Indistinguishability of ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
• Game (Challenger | Adversary)
– Challenger picks a random key k and a random bit b ∈ {0,1}
– Adversary picks M0, M1 of equal length and sends them to the challenger
– Challenger returns the encryption of Mb under k; the adversary outputs a guess b'
– Attacker wins the game if b = b'
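The eavesdropper version of the game above, as an added simulation that is not part of the slides: the adversary's win rate (its advantage is the distance from 0.5) is measured against a one-time pad and against a constructed weak cipher that masks every byte with the same key byte. The cipher names, the adversary strategy and the trial counts are all assumptions of this example.

```python
import random

# Added example (not from the slides): simulating the IND game of the slide
# and measuring how often an adversary guesses b correctly.

def otp_encrypt(key: bytes, msg: bytes) -> bytes:
    """One-time pad: a fresh key as long as the message, XORed in."""
    return bytes(k ^ m for k, m in zip(key, msg))

def repeated_byte_encrypt(key: bytes, msg: bytes) -> bytes:
    """Constructed weak cipher: one key byte XORed into every message byte."""
    return bytes(key[0] ^ m for m in msg)

def ind_game(encrypt, keylen, adversary, rng):
    """One round: challenger picks k and b, adversary picks M0, M1 of equal
    length, receives E_k(M_b) and outputs a guess b'.  True when b' == b."""
    key = bytes(rng.getrandbits(8) for _ in range(keylen))
    b = rng.getrandbits(1)
    m0, m1 = adversary.choose()
    assert len(m0) == len(m1), "the game requires messages of equal length"
    c = encrypt(key, (m0, m1)[b])
    return adversary.guess(c) == b

class DifferenceAdversary:
    """Picks M0 = 00 00 and M1 = 00 01.  When both bytes are masked by the
    same key byte, c[0] ^ c[1] equals m[0] ^ m[1] and reveals b; under a
    one-time pad the two mask bytes are independent and the guess is blind."""
    def choose(self):
        return b"\x00\x00", b"\x00\x01"

    def guess(self, c):
        return 0 if c[0] ^ c[1] == 0 else 1

def win_rate(encrypt, keylen, adversary_cls, trials=400, seed=1):
    """Fraction of rounds the adversary wins; 0.5 means no advantage."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    wins = sum(ind_game(encrypt, keylen, adversary_cls(), rng) for _ in range(trials))
    return wins / trials

def advantage(encrypt, keylen, adversary_cls, trials=400, seed=1):
    """The ε of the definition: |Pr[win] − 0.5| for this adversary."""
    return abs(win_rate(encrypt, keylen, adversary_cls, trials, seed) - 0.5)

if __name__ == "__main__":
    print("weak cipher:", win_rate(repeated_byte_encrypt, 1, DifferenceAdversary))
    print("one-time pad:", win_rate(otp_encrypt, 2, DifferenceAdversary))
```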
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
• Game (Challenger | Adversary)
1. Challenger picks a random key k
2. Challenger picks a random message M
3. Adversary picks a bit position i
– Attacker wins the game if its guess a equals the i'th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
Summary
• Number theory
– Primes, gcd, Euler's theorem, CRT
– Modular arithmetic
• Algebraic structures
– Group, field
– Zn, Zp, GF(2^n)
• Shannon security
– Perfect secrecy
– Probability
• Complexity of computing
– P, NP, NPC, BPP
Homework
• HTTP URL: httpcsthiteducncryptography
• Due date:
Example: Integers Modulo 7
• Integers can always be written a = qn + r (0 ≤ r ≤ n−1)
(Figure: the integers −21 … 34 arranged by congruence modulo 7; Z7 = the residues modulo 7)
Set of Residues
• Definition: if a ≡ b mod n and b < n, b is called a residue of a modulo n
• The complete set of residues modulo n
– The set {r1, r2, …, rn} such that for every integer b exactly one ri in the set satisfies b ≡ ri mod n
• The reduced set of residues (RSR)
– A subset of the complete set of residues in which each element is relatively prime to n
Set of Residues: Example
• N = 10
– The complete set of residues is {0, 1, 2, …, 9}
– The reduced set of residues is {1, 3, 7, 9}
• N = p (p is a prime)
– The complete set of residues is {0, 1, 2, …, p−1}
– The reduced set of residues is {1, 2, …, p−1}
Modular Arithmetic
• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n−1}
• Under normal arithmetic (+, ×)
– [(a mod n) + (b mod n)] mod n = (a+b) mod n
• Proof: let a = q1·n + r1, b = q2·n + r2
• (a+b) mod n = (q1·n + r1 + q2·n + r2) mod n = (r1 + r2) mod n
– [(a mod n) × (b mod n)] mod n = (a·b) mod n
• (+, ×), (−)
Modular Arithmetic: Example
• (Z8 = {0, 1, 2, …, 7}, +)
(Figure: addition table of Z8) What?
Modular Arithmetic: Example
• (Z8 = {0, 1, 2, …, 7}, ×)
(Figure: multiplication table of Z8) NOT all elements in Z8
Modular Arithmetic: Remark
• Additive inverse always exists
– (a + (−a)) ≡ 0 mod n, −a = n − a
– if (a+b) ≡ (a+c) mod n then b ≡ c mod n
• ((−a)+a+b) ≡ ((−a)+a+c) mod n
• Multiplicative inverse does NOT always exist
– Example: 6 in Z8
– When?
Multiplicative Inverse in Modular Arithmetic
• Definition: a^−1 mod n is the multiplicative inverse of a ∈ {1, 2, …, n−1} when a·x ≡ 1 mod n
• Theorem: a^−1 mod n exists if and only if gcd(a, n) = 1
• Lemma: if gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
– Proof: assume a·i ≡ a·j mod n ⇒ n | a(i−j) ⇒ n | (i−j) ⇒ i−j = 0
Multiplicative Inverse Theorem
• Proof
(⇐)
– gcd(a, n) = 1 ⇒ a·{1, …, n−1} mod n is a permutation of {1, …, n−1}
– So there exists exactly one i with a·i ≡ 1 mod n
– Therefore i is a^−1 mod n
(⇒)
– Suppose a^−1 exists, call it x
– a·x ≡ 1 (mod n), so a·x + y·n = 1 for some integer y
– gcd(a, n) = 1 (gcd(a, n) | a·x + y·n ⇒ gcd(a, n) | 1)
Euler's phi Function
• Euler's "phi" function φ(n)
– Is the number of invertible elements of Zn
– Is the number of elements in the reduced set of residues modulo n
• φ(n) calculation
Chinese Remainder Theorem
• Theorem: let n1, n2, …, nk be integers s.t. gcd(ni, nj) = 1 (i ≠ j). Then the system
x ≡ a1 mod n1
x ≡ a2 mod n2
……
x ≡ ak mod nk
has a unique solution x modulo n = n1·n2·…·nk
Proof of CRT
• Consider the one-to-one map Φ: Zn → Zn1 × Zn2 × … × Znk
Φ(x) = (x mod n1, x mod n2, …, x mod nk)
– CRT is finding Φ^−1 of (a1, a2, …, ak)
Φ^−1(a1, a2, …, ak) = Σ_{i=1}^{k} ai·mi·yi mod n
– mi = n/ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
– yi = mi^−1 mod ni, 1 ≤ i ≤ k
– mi ≡ 0 mod nj for j ≠ i ⇒ ai·mi·yi ≡ 0 mod nj for j ≠ i
– yj ≡ mj^−1 mod nj ⇒ mj·yj ≡ 1 mod nj ⇒ aj·mj·yj ≡ aj mod nj
⇒ Φ^−1(a1, a2, …, ak) mod nj = aj
Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof
– A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
– A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
– So φ(mn) = φ(m)·φ(n)
Finding Euler's phi Function
• φ(n) calculation for n = Π_{i=1}^{k} pi^ei
– φ(p) = p − 1, φ(p^e) = p^e − p^(e−1)
– The numbers kp, k = 1, …, p^(e−1) − 1, have gcd(kp, p^e) ≥ p
– So φ(p^e) = (p^e − 1) − (p^(e−1) − 1)
• φ(Π_{i=1}^{k} pi^ei) = Π_{i=1}^{k} (pi^ei − pi^(ei−1))
• φ(n) = n·(1 − 1/p1)·(1 − 1/p2)·…·(1 − 1/pk)
Euler's Theorem
• Theorem: if gcd(a, n) = 1 then a^φ(n) ≡ 1 mod n
• Proof
1. Let R = {r1, r2, …, r_φ(n)} be a reduced set of residues modulo n
2. {a·r1, a·r2, …, a·r_φ(n)} is a permutation of R (gcd(a·ri, n) = 1)
3. Π_{i=1}^{φ(n)} ri ≡ Π_{i=1}^{φ(n)} a·ri ≡ a^φ(n) · Π_{i=1}^{φ(n)} ri mod n
4. gcd(Π_{i=1}^{φ(n)} ri, n) = 1, hence a^φ(n) ≡ 1 mod n
Fermat's Little Theorem
• From Euler's theorem:
Let n = p, where p is a prime
Because gcd(a, p) = 1 for all 0 < a < p, we get
a^(p−1) ≡ 1 mod p
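The φ(n) formulas and the permutation argument of Euler's proof, carried out in code as an added example that is not part of the slides; the helper names are this example's own, and the factorization is by plain trial division, which is enough for the small moduli used here.

```python
from math import gcd

# Added example (not from the slides): φ(n) from the factorization formula,
# φ(n) by counting, multiplicativity via CRT, and Euler's theorem replayed.

def factorize(n):
    """Trial division: n = Π pi^ei, returned as {pi: ei}."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def phi_from_factors(n):
    """φ(n) = Π (pi^ei − pi^(ei−1)), the slide's formula."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result

def reduced_residues(n):
    """The reduced set of residues modulo n: {r in 1..n−1 | gcd(r, n) = 1}."""
    return [r for r in range(1, n) if gcd(r, n) == 1]

def phi_by_counting(n):
    """φ(n) as the size of the reduced set of residues (the definition)."""
    return len(reduced_residues(n))

def multiplicative(m, n):
    """φ(mn) = φ(m)·φ(n) whenever gcd(m, n) = 1."""
    return gcd(m, n) == 1 and phi_from_factors(m * n) == phi_from_factors(m) * phi_from_factors(n)

def euler_check(a, n):
    """Replays the proof: a·R is a permutation of R, and a^φ(n) ≡ 1 (mod n).
    Returns (is_permutation, a^φ(n) mod n); a must be coprime to n."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    R = reduced_residues(n)
    aR = sorted(a * r % n for r in R)
    return aR == R, pow(a, phi_from_factors(n), n)

if __name__ == "__main__":
    print(factorize(84), phi_from_factors(36), euler_check(3, 10))
```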
Finding a^−1 mod n
• Search through 1…n−1 until an a^−1 is found such that a·a^−1 ≡ 1 (mod n)
– T(n) = O(n)
• Compute a^−1 = a^(φ(n)−1) mod n
– Finding φ(n) requires factoring n
– T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
– T(n) = O(log^a n)
From the Euclidean Algorithm
• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
……
• r_{n−1} = s_{n−1}·r0 + t_{n−1}·r1
• r_{n−1} = gcd(r0, r1)
• s_{n−1}·r0 + t_{n−1}·r1 = 1 ⇒ t_{n−1}·r1 ≡ 1 mod r0 ⇒ t_{n−1} ≡ r1^−1 mod r0
• Find t_{n−1}
si and ti
• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
……
• ri = r_{i−2} − q_{i−1}·r_{i−1} = s_{i−2}·r0 + t_{i−2}·r1 − q_{i−1}·s_{i−1}·r0 − q_{i−1}·t_{i−1}·r1 = si·r0 + ti·r1
si = s_{i−2} − q_{i−1}·s_{i−1}
ti = t_{i−2} − q_{i−1}·t_{i−1}
• Only ti is needed
• ri = si·r0 + ti·r1 ≡ ti·r1 mod r0
Extended Euclidean Algorithm
Step 1: r0 = n and r1 = a
Step 2: r0 = q1·r1 + r2, r2 = r0 − q1·r1 ≡ −q1·r1 mod n; let x2 = −q1, then r2 ≡ x2·r1 mod n
r1 = q2·r2 + r3, r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 mod n; let x3 = 1 − x2·q2, then r3 ≡ x3·r1 mod n
……
r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1}, r_{n−1} ≡ r_{n−3} − q_{n−2}·r_{n−2} mod n; let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r1 mod n. Now r_{n−1} = 1
Step 3: Result is x_{n−1} = a^−1 mod n
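The three-step procedure above, tracking only the ti coefficients as the "si and ti" slide suggests, as an added example that is not part of the slides; the function names are this example's own, and the O(n) search method from the "Finding a^−1 mod n" slide is included only as a cross-check.

```python
# Added example (not from the slides): a⁻¹ mod n by the Extended Euclidean
# Algorithm, keeping only the t_i recurrence t_i = t_{i-2} − q_{i-1}·t_{i-1}.

def extended_euclid_inverse(a, n):
    """r_0 = n, r_1 = a, t_0 = 0, t_1 = 1.  Each step divides r_{i-1} by r_i
    and updates t with the same quotient.  Returns a⁻¹ mod n, or raises when
    gcd(a, n) ≠ 1, in which case no inverse exists (the theorem above)."""
    if n <= 1:
        raise ValueError("modulus must be greater than 1")
    r_prev, r_cur = n, a % n
    t_prev, t_cur = 0, 1
    while r_cur != 0:
        q = r_prev // r_cur
        r_prev, r_cur = r_cur, r_prev - q * r_cur     # r_i = r_{i-2} − q·r_{i-1}
        t_prev, t_cur = t_cur, t_prev - q * t_cur     # t_i = t_{i-2} − q·t_{i-1}
    # invariant: t_prev·a ≡ r_prev (mod n), and r_prev = gcd(n, a)
    if r_prev != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {r_prev}")
    return t_prev % n

def euclid_trace(a, n):
    """The rows (r_i, q_i, t_i) of the computation, for working it by hand."""
    rows = []
    r_prev, r_cur, t_prev, t_cur = n, a % n, 0, 1
    while r_cur != 0:
        q = r_prev // r_cur
        rows.append((r_cur, q, t_cur))
        r_prev, r_cur = r_cur, r_prev - q * r_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    return rows

def inverse_by_search(a, n):
    """The O(n) method: try every candidate until a·x ≡ 1 (mod n)."""
    for x in range(1, n):
        if a * x % n == 1:
            return x
    raise ValueError(f"{a} has no inverse modulo {n}")

if __name__ == "__main__":
    print(extended_euclid_inverse(17, 3120), euclid_trace(17, 3120))
```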
Outline
• Number theory
– Prime numbers
– Modular arithmetic
• Algebraic structures in computing
• Security foundations of cryptography
– Information theory
– Complexity of computing
– Semantic security
Algebraic Structures
• Why structures?
– Cryptographic transforms normally work within some structure
• Definition: an algebraic structure is the collection of a set (S) with one (or more) operations (∘) performed on the elements of S
– Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions
Group
• Definition: a group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions
– G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
– G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c)
– G3: ∃e ∈ S, ∀a ∈ S, a∘e = e∘a = a
– G4: ∀a ∈ S, ∃a^−1 ∈ S, a∘a^−1 = a^−1∘a = e
– [G5, Abelian group] ∀a, b: a∘b = b∘a
Group Example
• ⟨Z, +⟩: e = 0, a^−1 = −a
• ⟨Zn, +⟩ (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a^−1 = n − a
• ⟨Z2, ⊕⟩ is also a group
• ⟨Zp*, ·⟩ (Zp* = {1, …, p−1}, '·' is multiplication modulo p)
Group Properties
• Definition: the order of a finite group is the number of elements in the group
• Definition: a group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S
• Lagrange's theorem: the order of a subgroup H of a finite group G divides the order of G
Lagrange's Theorem: Proof
(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (eH), so the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G
The Order of a Group Element
• Definition: the order of a group element a is the least positive integer n such that
a^n = a∘a∘…∘a = e
• The order of a is denoted ord(a)
• Corollary: suppose G is a finite group of order n and a ∈ G; then ord(a) | n
ord(a) | n: Proof
• Proof
– For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G
a^ord(a) = e, (a^i)^−1 = a^(ord(a)−i)
– This subgroup is denoted ⟨a⟩
The Generator of a Group
• Definition: if all elements of a group can be generated by a single element g, then g is called a generator of the group
• Example
– Consider ⟨Z7*, ·⟩
– 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
• ⟨{1, 2, 4}⟩ is a subgroup
– 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
• 3 is a generator
Ring
• Definition: a ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) such that
– R1: ∀a, b ∈ S, a+b ∈ S and a·b ∈ S (closure rule)
– R2: ⟨S, +⟩ is an additive Abelian group
– R3: ∀a, b, c ∈ S, (a·b)·c = a·(b·c)
– R4: ∀a, b, c ∈ S, a·(b+c) = a·b + a·c
• Example
– The set of even integers with + and · is a ring
– p, q are two primes, n = pq; Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring
Field
• Definition: a field F is ⟨S, +, ·⟩ with
– F1: ⟨S, +, ·⟩ is a commutative ring (a·b = b·a)
– F2: there exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
– F3: any nonzero element a ∈ S has a unique inverse a^−1: a·a^−1 = a^−1·a = 1
• Example
– Zn = ⟨{0, 1, …, n−1}, +, ·⟩ is a field if n is a prime
Relationship
(Figure: nested structures)
– Field: +, −, ×, ÷
– Ring: +, −, ×
– Group: +, −
– All used in cryptography
Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F_{2^n}
Zn
• Zn is the "ring" of integers modulo n
– Zn = {0, 1, 2, …, n−1}
– Normal addition modulo n
– Normal multiplication modulo n
• Example
– Z26 for English
– Z256 for ASCII
Zn Properties
• Additive and multiplicative identities in Zn
– The additive identity is 0 mod n
– The multiplicative identity is 1 mod n
• Additive inverse: yes
– For each x in Zn there is a number y such that x + y = 0
• Multiplicative inverse: not for all x
– A number y such that x·y = 1
– The elements of Zn that have an inverse: {x | gcd(x, n) = 1}
Zn*
• Zn* is the "group" of integers modulo n
– Zn* = {x | gcd(x, n) = 1}
– |Zn*| = φ(n)
– Normal multiplication modulo n
• Zn* may not be a group over +
– Example: n = 20, 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field
Zp
• Zp is the "field" of integers modulo p
– Zp = {0, 1, 2, …, p−1}
– Normal addition modulo p
– Normal multiplication modulo p
• Example: Z2
  +  | 0  1
  0  | 0  1
  1  | 1  0
  (XOR)
  ·  | 0  1
  0  | 0  0
  1  | 0  1
  (AND)
  w  | −w | w^−1
  0  |  0 |  –
  1  |  1 |  1
Polynomial Ring
• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + a_{n−1}·x^(n−1) + … + a1·x + a0, where each ai ∈ R and n ≥ 0
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Polynomial Ring: Example
• Example: let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
– f(x) + g(x) = x^3 + x^2 + 1
– f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
– f(x)·g(x) = x^5 + x^4 + x^3 + x
Set of Residues Modulo p(x)
• Definition: the set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
– p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
– In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
• 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x·(x^2 + 1)
• Definition: if a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^−1(x) mod p(x)
Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)
Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
– x^4 + 1 = x·x^3 + 1 mod p(x) = x·(x+1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)
Z2[x]/(x^3 + x + 1): Properties
• S is a group over addition in R
– 0 is e, and the inverse of a ∈ S is a itself
– Example: (x^2 + 1) + (x^2 + 1) = 0
• S is a group over multiplication mod p(x)
– 1 is e, and the inverse of a ∈ S exists
– Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
– Note: the Extended Euclidean Algorithm can be used to find it
• Z2[x]/(x^3 + x + 1) is a field
Galois Field
• Definition: Galois field = (S, +, ·)
– S = F[x]/p(x)
– F is a field ZN (N is prime)
– + is addition in F, · is multiplication modulo p(x)
– p(x) is irreducible
• The Galois field over ZN[x]/p(x) is denoted GF(N^n), where n = deg p(x)
Why Galois Field?
• For an 8-bit block
– Z256 = {0, 1, …, 255} is not a field
– Z251 = {0, 1, …, 250} is a field
• The largest prime < 256 is 251
• 251…255 are wasted
• Is it possible to find a field for Z256?
– Yes – a Galois field
Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)
Galois Field Example: AES
• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
– 01010011 ↔ x^6 + x^4 + x + 1
– (01010011)^−1 ↔ (x^6 + x^4 + x + 1)^−1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010
Galois Field Example: AES
• Example: 02·87 = ?
• 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
• 02 = 00000010 ↔ f(x) = x
• 02·87 ↔ x·f(x) = x·(x^7 + x^2 + x + 1) mod p(x) = x^8 + x·(x^2 + x + 1) mod p(x)
• In general, x·f(x) (i.e. 02·f) for f = (b7 b6 b5 b4 b3 b2 b1 b0):
= (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
= (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1
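Arithmetic in Z2[x]/p(x) with p(x) given as a bit mask, as an added example that is not part of the slides, covering both the Z2[x]/(x^3+x+1) example earlier and the AES field here: reduction, multiplication, the 02·f shortcut, and inverses via a^(2^n−2) (the Fermat/Euler exponent of a field with 2^n elements). The function names are this example's own.

```python
# Added example (not from the slides): GF(2^n) = Z2[x]/p(x) with bit-mask
# polynomials.  Bit i of an integer is the coefficient of x^i.

def poly_str(bits):
    """Human-readable polynomial for a bit mask, e.g. 0b10010111 -> x^7+x^4+x^2+x+1."""
    terms = [{0: "1", 1: "x"}.get(d, f"x^{d}")
             for d in range(bits.bit_length() - 1, -1, -1) if bits >> d & 1]
    return "+".join(terms) if terms else "0"

def gf_reduce(f, poly, n):
    """f(x) mod p(x): cancel the leading term with a shifted copy of p(x)
    until deg f < n.  poly must have bit n set (deg p = n)."""
    while f.bit_length() > n:
        f ^= poly << (f.bit_length() - 1 - n)
    return f

def gf_mul(a, b, poly, n):
    """Shift-and-add multiplication in GF(2^n), reducing after every shift."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:          # degree reached n: subtract (XOR) p(x)
            a ^= poly
    return r

def xtime(a):
    """The slide's rule for 02·f in AES: shift left, XOR 00011011 if b7 was set."""
    a <<= 1
    if a & 0x100:
        a ^= 0x11B              # x^8 + x^4 + x^3 + x + 1
    return a & 0xFF

def gf_inv(a, poly, n):
    """a⁻¹ = a^(2^n − 2): the nonzero elements form a group of order 2^n − 1,
    so a^(2^n − 1) = 1 (Euler/Lagrange) and a^(2^n − 2) is the inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in a field")
    result, base, e = 1, a, (1 << n) - 2
    while e:                    # square-and-multiply
        if e & 1:
            result = gf_mul(result, base, poly, n)
        base = gf_mul(base, base, poly, n)
        e >>= 1
    return result

AES_POLY = 0x11B                # x^8 + x^4 + x^3 + x + 1, as on the slide

if __name__ == "__main__":
    print(poly_str(0b10010111), hex(xtime(0x87)), hex(gf_inv(0x53, AES_POLY, 8)))
```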
Outline
• Number theory
– Prime numbers
– Modular arithmetic
• Algebraic structures in computing
• Security foundations of cryptography
– Information theory
– Complexity of computing
– Semantic security
Mathematical Model for Ciphers
• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
– M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
– B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = {c | c = ek(m), k ∈ K, m ∈ M}
(Figure: Sender → Encryption → (c) → Decryption → Receiver, with m at both ends; the key k comes from the Key Space (K) over a Secure Channel; Cryptanalysis observes c; labels Message Space (P), Ciphertext Space (C))
Claude Shannon (1916-2001)
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." (R. G. Gallager)
Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = dk(c)]
– C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
• Pr[P = m | C = c]
= Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
= ( Pr(m) · Σ_{k | m = dk(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(dk(c)) )
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
– How to define the "information"?
• Definition: an encryption scheme is Shannon secure if the probability distribution of P satisfies
∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and ∀x ∈ P and ∀y ∈ C there is a unique key k such that ek(x) = y
Proof of ⇐
• Pr[x = x | y = y] = ( Σ_{k ∈ K, x = dk(y)} Pr[K = k] · Pr[x = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)] )
• Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K| (exactly one key maps x to y, and every key has probability 1/|K|)
• Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)] = 1/|K| · Σ_{k ∈ K, y ∈ C(k)} Pr[x = dk(y)] = 1/|K| · Σ_{x ∈ P} Pr[x = x] = 1/|K|
• Hence Pr[x = x | y = y] = Pr[x = x]
Proof of ⇒ (unique key)
• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
• For fixed x ∈ P, y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
– There are no k1 ≠ k2 with ek1(x) = ek2(x)
– There is a unique key k such that ek(x) = y
Proof of ⇒ (equal key probability)
• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, assume k1, k2, …, kn are the keys with e_ki(xi) = y
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
– Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy
• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
– Consider a nonzero probability distribution of P
– Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
– As one key can decrypt c into only one message, at least n keys are needed
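The distributions Pr[C = c], Pr[C = c | P = m] and Pr[P = m | C = c] from the "Probability Distribution of C" slide, evaluated exactly to test Shannon's condition on small ciphers, as an added example that is not part of the slides. The shift cipher over Zn and the probability values are constructed for this example; it reproduces the theorem above (uniform keys pass, a biased key fails) and the "bad news" (fewer keys than messages fails).

```python
from fractions import Fraction

# Added example (not from the slides): checking perfect secrecy exactly.
# A cipher is a dict {(k, m): c}; key_dist and msg_dist are dicts of Fractions.

def shift_cipher(n, keys=None):
    """Constructed example: e_k(m) = (m + k) mod n over P = C = Zn, K = keys."""
    keys = range(n) if keys is None else keys
    return {(k, m): (m + k) % n for k in keys for m in range(n)}

def uniform(values):
    values = list(values)
    return {v: Fraction(1, len(values)) for v in values}

def ciphertext_dist(enc, key_dist, msg_dist):
    """Pr[C=c] = Σ_{k, c ∈ C(k)} Pr[K=k]·Pr[P=d_k(c)], summed over (k, m) with e_k(m) = c."""
    pr_c = {}
    for (k, m), c in enc.items():
        pr_c[c] = pr_c.get(c, Fraction(0)) + key_dist[k] * msg_dist[m]
    return pr_c

def ciphertext_given_msg(enc, key_dist, m, c):
    """Pr[C=c | P=m] = Σ_{k : m = d_k(c)} Pr[K=k]."""
    return sum((key_dist[k] for (k, mm), cc in enc.items() if mm == m and cc == c),
               Fraction(0))

def posterior(enc, key_dist, msg_dist, m, c):
    """Pr[P=m | C=c] = Pr[C=c | P=m]·Pr[P=m] / Pr[C=c]  (Bayes, as on the slide)."""
    pr_c = ciphertext_dist(enc, key_dist, msg_dist)[c]
    if pr_c == 0:
        raise ValueError(f"ciphertext {c} never occurs")
    return ciphertext_given_msg(enc, key_dist, m, c) * msg_dist[m] / pr_c

def has_perfect_secrecy(enc, key_dist, msg_dist):
    """Shannon's condition: Pr[P=m] = Pr[P=m | C=c] for every m and every c with Pr[C=c] > 0."""
    pr_c = ciphertext_dist(enc, key_dist, msg_dist)
    return all(posterior(enc, key_dist, msg_dist, m, c) == msg_dist[m]
               for m in msg_dist for c in pr_c if pr_c[c] > 0)

if __name__ == "__main__":
    msgs = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}   # a biased source
    print(has_perfect_secrecy(shift_cipher(3), uniform(range(3)), msgs))
```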
Introduction of Complexity
• Perfect secrecy: key length ≥ message length
– Cannot use one key to encrypt many messages
– For example, using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
– NOT perfect secrecy
– IS secure under limited resources (complexity)
– Means that key (or plaintext) recovery is difficult
– Complexity is the foundation of modern cryptography
Problems
• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
– Name: GCD problem
– Instance: two natural numbers a, b ∈ N
– Question: what is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: a Turing machine is δ: S × B → S × B × {l, r}
– Where S is the set of states, B is the set of characters, l is shift left, r is shift right
(Figure: tape … 0 1 1 0 0 0 1 1 … read by a State Machine)
Algorithms
• Definition: an algorithm is a step-by-step procedure (based on a Turing machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answers for all instances of the problem
Problems and Algorithms
(Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output)
Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
– Logarithmic functions: f(n) = log(n)
– Polynomial functions: f(n) = n^a, a ∈ N
– Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Complexity of Problem
• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
– The complexity of a problem is much more difficult to determine
– It relies on mathematical analysis
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problem
• Undecidable – provably intractable
– There is no algorithm that solves it
– Such as the Turing halting problem
• Decidable
– P – can be solved in polynomial time using a DTM
• Example: A B
– NP – can be solved in polynomial time using an NDTM, δ: S × B → 2^S
– BPP – can be "solved" in polynomial time using a PTM, δ: S × B × {0,1} → S (randomized algorithms)
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 21
Set of Residues
bull Definition if a b mod n and bltn b is called a residue of a modulo n
bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i
n the set satisfies bri mod n
bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele
ment is relatively prime to n
Zhijun Li S1034040Autumn08HIT 22
Set of Residues Example
bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379
bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1
Zhijun Li S1034040Autumn08HIT 23
Modular Arithmetic
bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1
bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n
bull Proof Let a=q1n+r1 b=q2n+r2
bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n
ndash [(a mod n) (b mod n)] mod n = (ab) mod n
bull (+ ) (-)
Zhijun Li S1034040Autumn08HIT 24
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)
What
Zhijun Li S1034040Autumn08HIT 25
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )
NOT all elements in Z8
Zhijun Li S1034040Autumn08HIT 26
Modular Arithmetic Remark
bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n
bull ((-a)+a+b) ((-a)+a+c) mod n
bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8
ndash When
Zhijun Li S1034040Autumn08HIT 27
Multiplicative Inverse in Modular
bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n
bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists
bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=
0
Zhijun Li S1034040Autumn08HIT 28
Multiplicative Inverse Theorem
bull Proof
ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1
ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n
ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)
Zhijun Li S1034040Autumn08HIT 29
Eulerrsquos phi Function
bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn
ndash Is the number of elements in the reduced set of residues for modulo n
(n) calculation
Zhijun Li S1034040Autumn08HIT 30
Chinese Remainder Theorem
bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)
x a1 mod n1
x a2 mod n2
helliphellip
x ak mod nk
There exists a unique solution of x modulo n=n1
n2hellipnk
Zhijun Li S1034040Autumn08HIT 31
Proof of CRT
bull Consider a one-to-one map Zn Zn1
Zn2 hellipZnk
(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)
(a1 a2 hellip ak) = i=1kaimiyi mod n
ndash mi = nni gcd(mini)=11ik ndash yi = mi
-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj
-1 mod nj mjyj1 mod nj ajmjyjaj mod nj
(a1 a2 hellip ak) mod nj = aj
Zhijun Li S1034040Autumn08HIT 32
Finding Eulerrsquos phi Function
bull Theorem if gcd(mn)=1 then (mn)=(m)(n)
bull Proof ndash A number x mod mn is represented uniquely by the p
air (a b) (x mod m x mod n) (CRT)
ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
ndash So (mn)=(m)(n)
Zhijun Li S1034040Autumn08HIT 33
Finding Eulerrsquos phi Function
(n) calculation for n = i=1k pi
ei
(p) = p-1 (pe) = pe ndash pe-1
ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1
( i=1kpi
ei ) = i=1k(pi
ei ndash piei -1)
(n) = n(1-1p1)(1-1p2)hellip(1-1pk)
Zhijun Li S1034040Autumn08HIT 34
Eulerrsquos Theorem
bull Theorem If gcd(an)=1 then a(n) 1 mod n
bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues
modulo n
2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)
3 i=1(n) ri = i=1
(n) ari a(n) i=1(n) ri mod n
4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n
Zhijun Li S1034040Autumn08HIT 35
Fermatrsquos Little Theorem
bull For Eulerrsquos Theorem
Let n is p and p is a prime
Because for all 0ltaltp gcd(ap)=1 then
ap-1 1 mod p
Finding a^-1 mod n
- Search through 1, ..., n−1 until an a^-1 is found such that a·a^-1 ≡ 1 (mod n)
  - T(n) = O(n)
- Compute a^-1 = a^(φ(n)−1) mod n
  - Finding φ(n) means factoring n
  - T(n) = O(n^a)
- Use the Extended Euclidean Algorithm
  - T(n) = O(log^a n)
From Euclidean Algorithm
- r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
- r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
- r2 = r0 − q1·r1 = s2·r0 + t2·r1
- r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
  ......
- r_{n−1} = s_{n−1}·r0 + t_{n−1}·r1
- r_{n−1} = gcd(r0, r1)
- s_{n−1}·r0 + t_{n−1}·r1 = 1 ⇒ t_{n−1}·r1 ≡ 1 mod r0 ⇒ t_{n−1} ≡ r1^-1 mod r0
- Find t_{n−1}
si and ti
- r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
- r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
  ......
- ri = r_{i−2} − q_{i−1}·r_{i−1} = s_{i−2}·r0 + t_{i−2}·r1 − q_{i−1}·s_{i−1}·r0 − q_{i−1}·t_{i−1}·r1 = si·r0 + ti·r1
    si = s_{i−2} − q_{i−1}·s_{i−1}
    ti = t_{i−2} − q_{i−1}·t_{i−1}
- Only ti is needed: ri = si·r0 + ti·r1 ≡ ti·r1 mod r0
Extended Euclidean Algorithm
Step 1: r0 = n and r1 = a
Step 2: r0 = q1·r1 + r2, r2 = r0 − q1·r1 ≡ −q1·r1 mod n; let x2 = −q1, then r2 ≡ x2·r1 mod n
        r1 = q2·r2 + r3, r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 mod n; let x3 = 1 − x2·q2, then r3 ≡ x3·r1 mod n
        ......
        r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1}, r_{n−1} = r_{n−3} − q_{n−2}·r_{n−2} mod n; let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r1 mod n. Now r_{n−1} = 1.
Step 3: Result is x_{n−1} ≡ a^-1 mod n
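The algorithm of the last three slides in Python, as an added example (not the lecture's code): only the ti (called xi above) coefficients are carried, since ri ≡ xi·a (mod n), and the O(n) search from the "Finding a^-1 mod n" slide is included as an independent check. Function names are my own.

```python
def inverse_by_search(a: int, n: int) -> int:
    """Method 1 from the slide: scan 1..n-1 for x with a*x ≡ 1 (mod n); O(n)."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    raise ValueError(f"{a} has no inverse mod {n}")


def inverse_by_eea(a: int, n: int) -> int:
    """Method 3: extended Euclid tracking only the t_i (x_i) coefficients.
    Invariant: r_i ≡ x_i * a (mod n), so when r_i = 1, x_i is a^-1."""
    if n < 2:
        raise ValueError("modulus must be at least 2")
    r_prev, r_cur = n, a % n        # r0 = n, r1 = a
    x_prev, x_cur = 0, 1            # r0 ≡ 0*a, r1 ≡ 1*a (mod n)
    while r_cur != 0:
        q = r_prev // r_cur
        r_prev, r_cur = r_cur, r_prev - q * r_cur   # r_{i+1} = r_{i-1} - q_i r_i
        x_prev, x_cur = x_cur, x_prev - q * x_cur   # x_{i+1} = x_{i-1} - q_i x_i
    if r_prev != 1:                 # last nonzero remainder is gcd(n, a)
        raise ValueError(f"gcd({a}, {n}) = {r_prev}: no inverse")
    return x_prev % n               # normalise the possibly negative x_{n-1}


def eea_trace(a: int, n: int) -> list:
    """Rows (q_i, r_{i+1}, x_{i+1}) of the step table, for following by hand."""
    rows = []
    r_prev, r_cur, x_prev, x_cur = n, a % n, 0, 1
    while r_cur != 0:
        q = r_prev // r_cur
        r_prev, r_cur = r_cur, r_prev - q * r_cur
        x_prev, x_cur = x_cur, x_prev - q * x_cur
        rows.append((q, r_cur, x_cur))
    return rows


if __name__ == "__main__":
    print(eea_trace(3, 7))            # [(2, 1, -2), (3, 0, 7)]
    print(inverse_by_eea(3, 7))       # 5, since 3*5 = 15 ≡ 1 (mod 7)
    print(inverse_by_eea(17, 3120))   # 2753 (the classic RSA textbook pair)
```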
Outline
- Number Theory
  - Prime Numbers
  - Modular Arithmetic
- Algebraic Structures in Computing
- Security Foundations of Cryptography
  - Information Theory
  - Complexity of Computing
  - Semantic Security
Algebraic Structures
- Why structures?
  - Cryptographic transforms are normally defined in some structure
- Definition: An algebraic structure is the collection of a set (S) with one (or more) operations (∘) performed on the elements of S
  - Different algebraic structures are <S, ∘> satisfying some specific conditions
Group
- Definition: A group G = <S, ∘> is an algebraic structure that satisfies the following conditions:
  - G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
  - G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c)
  - G3: ∃e ∈ S, ∀a ∈ S, a∘e = e∘a = a
  - G4: ∀a ∈ S, ∃a^-1 ∈ S, a∘a^-1 = a^-1∘a = e
  - [G5 Abelian group] ∀a, b: a∘b = b∘a
Group Example
- <Z, +>: e = 0, a^-1 = −a
- <Zn, +> (Zn = {0, 1, ..., n−1}, '+' is addition modulo n): e = 0, a^-1 = n − a
- <Z2, ⊕> is also a group
- <Zp*, ·> (Zp* = {1, ..., p−1}, '·' is multiplication modulo p)
Group Properties
- Definition: The order of a finite group is the number of elements in the group.
- Definition: A group G1 = <S1, ∘> is a subgroup of the group G = <S, ∘> if S1 ⊆ S.
- Lagrange Theorem: The order of a subgroup H of a finite group G divides the order of G.
Lagrange Theorem Proof
(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H.
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅.
(3) Each element of G is in some coset (e ∈ H, so a ∈ aH). So the cosets form a partition of G.
(4) The order of aH = the order of H.
So the order of H divides the order of G.
The Order of Group Element
- Definition: The order of a group element a is defined as the least positive integer n such that
    a^n = a∘a∘...∘a = e
- The order of a is denoted as ord(a).
- Corollary: Suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n.
ord(a) | n Proof
- Proof:
  - For group G and a ∈ G, the set {a, a^2, ..., a^ord(a)} with the operator of G forms a subgroup of G:
    a^ord(a) = e, (a^i)^-1 = a^(ord(a)−i)
  - This subgroup is denoted as <a>; its order is ord(a), so by the Lagrange Theorem ord(a) | n.
The Generator of Group
- Definition: If all elements of a group can be generated by a single element g, g is called the generator of the group.
- Example:
  - Consider <Z7*, ·>
  - 2 generates: 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, ...
    - <{1, 2, 4}> is a subgroup
  - 3 generates: 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, ...
    - 3 is a generator
Ring
- Definition: A ring R = <S, +, ·> (+ is addition, · is multiplication) such that
  - R1: ∀a, b ∈ S, a+b ∈ S, a·b ∈ S (closure rule)
  - R2: <S, +> is an additive Abelian group
  - R3: ∀a, b, c ∈ S, (a·b)·c = a·(b·c)
  - R4: ∀a, b, c ∈ S, a·(b+c) = a·b + a·c
- Example:
  - The set of even integers with + and · is a ring
  - p, q are two primes, n = pq: Zn = {0, 1, ..., n−1} with addition and multiplication mod n is a ring
Field
- Definition: A field F is <S, +, ·> with
  - F1: <S, +, ·> is a commutative ring (a·b = b·a)
  - F2: There exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  - F3: Any nonzero element a ∈ S has a unique inverse a^-1: a·a^-1 = a^-1·a = 1
- Example:
  - Zn = <{0, 1, ..., n−1}, +, ·> is a field if n is a prime
Relationship
[Figure: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷); all three are used in cryptography]
Several Important Structures
- Zn
- Zn*
- Zp
- Polynomial Rings
- Galois Field F_{2^n}
Zn
- Zn is the "ring" of integers modulo n
  - Zn = {0, 1, 2, ..., n−1}
  - Normal addition modulo n
  - Normal multiplication modulo n
- Example:
  - Z26 for English
  - Z256 for ASCII
Zn Properties
- Additive and multiplicative identities in Zn
  - Additive identity is 0 mod n
  - Multiplicative identity is 1 mod n
- Additive inverse: Yes
  - For every x in Zn there is a number y such that x + y = 0
- Multiplicative inverse: Not for all x
  - A number y such that x·y = 1
  - The elements in Zn that have an inverse: {x | gcd(x, n) = 1}
Zn*
- Zn* is the "group" of integers modulo n
  - Zn* = {x | gcd(x, n) = 1}
  - |Zn*| = φ(n)
  - Normal multiplication modulo n
- Zn* may not be a group over +
  - Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
- So Zn* may not be a field
Zp
- Zp is the "field" of integers modulo p
  - Zp = {0, 1, 2, ..., p−1}
  - Normal addition modulo p
  - Normal multiplication modulo p
- Example: Z2

    + | 0 1        · | 0 1        w | −w | w^-1
    --+-----       --+-----       --+----+-----
    0 | 0 1        0 | 0 0        0 |  0 |  −
    1 | 1 0        1 | 0 1        1 |  1 |  1

  Addition in Z2 is XOR, multiplication is AND.
Polynomial Ring
- Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + a_{n−1}·x^(n−1) + ... + a1·x + a0, where each ai ∈ R and n ≥ 0.
- Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R.
Polynomial Ring Example
- Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements in Z2[x]
  - f(x) + g(x) = x^3 + x^2 + 1
  - f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  - f(x)·g(x) = x^5 + x^4 + x^3 + x
Set of Residues Modulo p(x)
- Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  - p(x) is an irreducible polynomial over R
- The set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)
Congruent Polynomials
- Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
- Example:
  - Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    - 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x·(x^2 + 1)
- Definition: If a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^-1(x) mod p(x)
Irreducible Polynomials
- Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted as b(x) | a(x)
- Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)
Example: Z2[x]/(x^3 + x + 1)
- S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
- p(x) = x^3 + x + 1
- For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
- Example:
  - x^4 + 1 = x·x^3 + 1 mod p(x) = x·(x + 1) + 1 = x^2 + x + 1
- Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)
Z2[x]/(x^3 + x + 1) Properties
- S is a group over addition in R
  - 0 is e, and the inverse of a ∈ S is a itself
  - Example: (x^2 + 1) + (x^2 + 1) = 0
- The nonzero elements of S form a group over multiplication mod p(x)
  - 1 is e, and the inverse of every nonzero a ∈ S exists
  - Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
  - Note: the Extended Euclidean Algorithm can be used to find the inverse
- Z2[x]/(x^3 + x + 1) is a Field
Galois Field
- Definition: Galois field = (S, +, ·)
  - S = F[x]/p(x)
  - F is the field ZN (N is prime)
  - + is addition in F; · is multiplication modulo p(x)
  - p(x) is irreducible
- The Galois field over ZN[x]/p(x) is denoted as GF(N^n) when n = deg p(x)
Why Galois Field
- For an 8-bit block:
  - Z256 = {0, 1, ..., 255} is not a field
  - Z251 = {0, 1, ..., 250} is a field
    - The largest prime < 256 is 251
    - 251, ..., 255 are wasted
- Is it possible to find a field for Z256?
  - Yes: the Galois Field
Galois Field for Z256
- Build a mapping from n-bit blocks to polynomials
- Example: 8-bit block
    10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
- It is Z2[x]/p(x) where deg p(x) = 8
- Note: many cryptographic designs use binary Galois fields GF(2^n)
Galois Field Example: AES
- AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
- Example:
  - 01010011 ↔ x^6 + x^4 + x + 1
  - (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010
Galois Field Example: AES
- Example: 02·87 = ?
  - 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  - 02 = 00000010 ↔ f(x) = x
  - 02·87 ↔ x·f(x) = x·(x^7 + x^2 + x + 1) mod p(x) = x^8 + x·(x^2 + x + 1) mod p(x)
- In general, for a byte b7b6b5b4b3b2b1b0:
    x·f(x) ↔ 02·(b7b6b5b4b3b2b1b0) = (b6b5b4b3b2b1b0 0)                 if b7 = 0
                                     = (b6b5b4b3b2b1b0 0) ⊕ (00011011)    if b7 = 1
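The Z2[x] arithmetic of the preceding slides (polynomial product, residues mod p(x), the inverse via the extended Euclidean algorithm over Z2[x], and the AES "multiply by 02" rule) in Python, as an added example not taken from the lecture. Polynomials are stored as bitmasks (bit i is the coefficient of x^i); function names are my own, and the block serves both the Z2[x]/(x^3 + x + 1) example and the GF(2^8) AES examples.

```python
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def poly_deg(a: int) -> int:
    """Degree of a Z2[x] polynomial held as a bitmask (deg 0 == -1)."""
    return a.bit_length() - 1


def poly_mul(a: int, b: int) -> int:
    """Carry-less product in Z2[x], no reduction (coefficients are mod 2)."""
    result = 0
    while b:
        if b & 1:
            result ^= a          # addition of coefficients mod 2 is XOR
        a <<= 1
        b >>= 1
    return result


def poly_divmod(a: int, m: int) -> tuple:
    """Long division in Z2[x]: (q, r) with a = q*m + r and deg r < deg m."""
    if m == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a and poly_deg(a) >= poly_deg(m):
        shift = poly_deg(a) - poly_deg(m)
        q ^= 1 << shift          # next quotient term x^shift
        a ^= m << shift          # subtract (XOR) m(x) * x^shift
    return q, a


def poly_inv(a: int, m: int) -> int:
    """a^-1 mod m(x) by the extended Euclidean algorithm over Z2[x],
    tracking only the t_i coefficients (r_i ≡ t_i * a mod m)."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r_prev, r_cur = m, poly_divmod(a, m)[1]
    t_prev, t_cur = 0, 1
    while r_cur:
        q, r = poly_divmod(r_prev, r_cur)
        r_prev, r_cur = r_cur, r
        t_prev, t_cur = t_cur, t_prev ^ poly_mul(q, t_cur)   # t_{i+1} = t_{i-1} - q_i t_i
    if r_prev != 1:              # gcd != 1: a shares a factor with m
        raise ValueError("a and m(x) are not coprime (is m(x) irreducible?)")
    return t_prev


def gf_mul(a: int, b: int, m: int = AES_POLY) -> int:
    """Multiplication in GF(2^deg m) = Z2[x]/m(x)."""
    return poly_divmod(poly_mul(a, b), m)[1]


def xtime(b: int) -> int:
    """AES 'multiply by 02' on a byte: shift left, XOR 0x1B if bit 7 was set."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


if __name__ == "__main__":
    print(bin(poly_mul(0b1011, 0b110)))          # (x^3+x+1)(x^2+x) = x^5+x^4+x^3+x
    print(bin(poly_divmod(0b10001, 0b1011)[1]))  # x^4+1 mod x^3+x+1 = x^2+x+1
    print(bin(poly_inv(0b101, 0b1011)))          # (x^2+1)^-1 = x in GF(2^3)
    print(hex(poly_inv(0x53)) if False else hex(poly_inv(0x53, AES_POLY)))  # 0xca
    print(hex(xtime(0x87)), hex(gf_mul(0x02, 0x87)))                       # 0x15 0x15
```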
Outline
- Number Theory
  - Prime Numbers
  - Modular Arithmetic
- Algebraic Structures in Computing
- Security Foundations of Cryptography
  - Information Theory
  - Complexity of Computing
  - Semantic Security
Mathematical Model for Ciphers
- P = M^L = {m = (m1, m2, ..., mL) | mi ∈ M}
  - M = {ai, i = 1, 2, ..., N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
- K = B^R = {b = (b1, b2, ..., bR) | bi ∈ B}
  - B = {bi, i = 1, 2, ..., S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
- C = {c | c = ek(m), k ∈ K, m ∈ M}
[Figure: Sender → Encryption (m ↦ c) → Decryption → Receiver; the key k comes from the Key Space (K) over a Secure Channel; Cryptanalysis observes c; labelled Message Space (P) and Ciphertext Space (C)]
Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." (R. G. Gallager)
Claude Shannon, 1916-2001
Probability Distribution of C
- Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k]·Pr[m = dk(c)]
  - C(k) = {ek(m) | m ∈ P}
- Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
- Pr[P = m | C = c]
  = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
  = (Pr(m)·Σ_{k | m = dk(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k)·Pr(dk(c)))
Shannon Security
- Basic idea: Ciphertext should provide no "information" about Plaintext
  - How to define the "information"?
- Definition: An encryption scheme is Shannon secure if the probability distribution of P satisfies ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
- Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
- Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|.
- Then the cryptosystem provides perfect secrecy if and only if
  - every key is used with equal probability 1/|K|,
  - and ∀x ∈ P and ∀y ∈ C there is a unique key k such that ek(x) = y.
Proof of (⇐)
- Pr[x = x | y = y] = ( Σ_{k ∈ K, x = dk(y)} Pr[K = k]·Pr[x = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = dk(y)] )
- Numerator: Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K|, since exactly one key maps x to y and every key has probability 1/|K|
- Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = dk(y)] = (1/|K|)·Σ_{k ∈ K, y ∈ C(k)} Pr[x = dk(y)] = (1/|K|)·Σ_{x ∈ P} Pr[x = x] = 1/|K|
- Hence Pr[x = x | y = y] = Pr[x = x]
Proof of (⇒): unique key
- Pr[y] > 0; Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
- Fix x ∈ P, y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
- |{ek(x) | k ∈ K}| = |C| = |K|
  - There are no k1 ≠ k2 with ek1(x) = ek2(x)
  - There is a unique key k such that ek(x) = y
Proof of (⇒): equiprobable keys
- Let n = |K| and P = {xi | 1 ≤ i ≤ n}
- Given a fixed y, let k1, k2, ..., kn be the keys where eki(xi) = y
- Pr[xi | y] = Pr[y | xi]·Pr[xi] / Pr[y] = Pr[K = ki]·Pr[xi] / Pr[y]
- Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  - Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy
- Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n.
- Proof:
  - Consider a nonzero probability distribution of P.
  - Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m.
  - As one key can decrypt c into only one message, at least n keys are needed.
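The formulas of the "Probability Distribution of C" slide, evaluated exactly on a small shift cipher over Z3, as an added Python example (not from the lecture). It checks Shannon's condition Pr[P = m | C = c] = Pr[P = m] for uniform keys, then shows it failing for a biased key distribution and for a key space smaller than the plaintext space, as the theorem and the "bad news" slide predict. The plaintext and key distributions are constructed sample values; function names are my own.

```python
from fractions import Fraction as F
from typing import Callable, Dict, Iterable

N = 3                                        # plaintext/ciphertext alphabet Z_3
P_MSG = {0: F(1, 2), 1: F(1, 3), 2: F(1, 6)}  # constructed plaintext distribution
KEYS_UNIFORM = {0: F(1, 3), 1: F(1, 3), 2: F(1, 3)}
KEYS_BIASED = {0: F(1, 2), 1: F(1, 4), 2: F(1, 4)}
KEYS_TOO_FEW = {0: F(1, 2), 1: F(1, 2)}      # |K| = 2 < |P| = 3


def enc3(k: int, m: int) -> int:
    """e_k(m) = m + k mod 3: the shift (one-time-pad style) cipher on Z_3."""
    return (m + k) % N


def ciphertext_probability(c: int, p_msg: Dict[int, F], p_key: Dict[int, F],
                           enc: Callable[[int, int], int]) -> F:
    """Pr[C = c] = sum over k with c in C(k) of Pr[K = k] * Pr[P = d_k(c)],
    enumerated as all (k, m) pairs with e_k(m) = c."""
    return sum((pk * pm for k, pk in p_key.items()
                for m, pm in p_msg.items() if enc(k, m) == c), F(0))


def posterior(m: int, c: int, p_msg: Dict[int, F], p_key: Dict[int, F],
              enc: Callable[[int, int], int]) -> F:
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c]."""
    pr_c = ciphertext_probability(c, p_msg, p_key, enc)
    if pr_c == 0:
        raise ValueError(f"ciphertext {c} never occurs")
    pr_c_given_m = sum((pk for k, pk in p_key.items() if enc(k, m) == c), F(0))
    return pr_c_given_m * p_msg[m] / pr_c


def is_perfectly_secret(p_msg: Dict[int, F], p_key: Dict[int, F],
                        enc: Callable[[int, int], int], ciphertexts: Iterable[int]) -> bool:
    """Shannon's condition for every m and every c with Pr[C = c] > 0."""
    for c in ciphertexts:
        if ciphertext_probability(c, p_msg, p_key, enc) == 0:
            continue
        for m in p_msg:
            if posterior(m, c, p_msg, p_key, enc) != p_msg[m]:
                return False
    return True


if __name__ == "__main__":
    print(is_perfectly_secret(P_MSG, KEYS_UNIFORM, enc3, range(N)))  # True
    print(is_perfectly_secret(P_MSG, KEYS_BIASED, enc3, range(N)))   # False
    print(posterior(0, 0, P_MSG, KEYS_BIASED, enc3))                  # 2/3, not 1/2
    print(is_perfectly_secret(P_MSG, KEYS_TOO_FEW, enc3, range(N)))  # False
```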
Introduction of the Complexity
- Perfect secrecy: key-length ≥ msg-length
  - Can NOT use one key to encrypt many messages
  - Such as using a 56-bit key to encrypt a document (> 56 bits)
- So in modern cryptography:
  - NOT perfect secrecy
  - IS secure under limited resources (complexity)
  - Means that the key (or plaintext) recovery is difficult
  - Complexity is the foundation of modern cryptography
Problems
- Definition: A problem is a general question with associated parameters whose values are not specified.
- Example:
  - Name: GCD problem
  - Instance: Two natural numbers a, b ∈ N
  - Question: What is the greatest common divisor of a and b?
  - An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
- Definition: A Turing Machine is S × B → S × B × {l, r}
  - Where S is the set of states, B is the set of characters, l is shift left, r is shift right
[Figure: tape "... 0 1 1 0 0 0 1 1 ..." read by a State Machine]
Algorithms
- Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which for an instance produces the correct answer.
- Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem.
Problems and Algorithms
[Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]
Complexity of Algorithm
- Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n.
- Time complexity function (TCF):
  - Logarithmic functions: f(n) = log(n)
  - Polynomial functions: f(n) = n^a, a ∈ N
  - Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Complexity of Problem
- Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms.
  - The complexity of a problem is much more difficult to determine.
  - It relies on mathematical analysis.
- Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them.
Classes of Problem
- Undecidable: provably intractable
  - There is no algorithm that solves it
  - Such as the Turing Halting Problem
- Decidable:
  - P: can be solved in polynomial time using a DTM
    - Example: A B
  - NP: can be solved in polynomial time using an NDTM: S × B → 2^S
  - BPP: can be "solved" in polynomial time using a PTM: S × B × {0, 1} → S (randomized algorithms)
NP Problem
- NP Problem: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution.
- Remark:
  - P Problem ⊆ NP Problem
  - NP Problems are "more difficult" by intuition
- NPC: The most difficult problems in NP
  - How to define the difficulty?
  - P problems are considered as easy problems
Polynomial Reduction
- Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are all the 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  - f is computable in polynomial time by a DTM
  - for all x: x ∈ I1+ iff f(x) ∈ I2+
- Note:
  - Q2 is at least as complex as Q1
  - Denoted as Q1 ≤poly Q2
NP Completeness (NPC)
- Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
- Example:
  - Name: Satisfiability problem (SAT)
  - Instance: A set U of variables and a collection C of clauses over U
  - Question: Is there a satisfying truth assignment for C?
- How to prove a problem Q ∈ NPC: show SAT ≤poly Q
P = NP?
- P = NP, or ∃p ∈ NP with p ∉ P?
- If P = NP:
  - Modern cryptography is NOT secure
- If ∃p ∈ NP with p ∉ P:
  - A one-way function can be built based on p
  - Indistinguishable pseudorandom functions exist
  - They are foundations of modern cryptography
BPP
- There are random algorithms in cryptography
  - Especially in cryptanalysis
  - BPP is the model for random algorithms
- Remarks on BPP:
  - The problem can be solved with an error probability
  - The error probability can be reduced by repetition
  - Security of cryptography is meaningful under BPP
  - Will be analyzed in depth later
Problems in Cryptography
- FACTORING: Factorize n (= p1^e1·p2^e2·...·pk^ek)
- DLP: Find x satisfying g^x ≡ h (mod p)
- DHP: Find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
- Subset-Sum: Given a set of positive integers A = {a1, a2, ..., an} and a positive integer s, determine whether there is a subset of A whose sum is s
- QRP: Decide whether a is a quadratic residue modulo n
- SQROOT: Find x satisfying x^2 ≡ a (mod n)
Semantic Security
- Ideas of Semantic Security:
  - Between Shannon security and security based on complexity
  - Leak partial information
  - Approximate perfect secrecy
- Definition of Semantic Security:
  - Indistinguishability of ciphertexts
  - Difficult to distinguish the ciphertexts of different plaintexts
  - Difficult to distinguish ciphertext from random bits
IND-CPA
- Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  - A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
[Game figure: the Challenger picks a random key k and a random bit b ∈ {0, 1}; the Adversary picks M0, M1 of equal length; the Challenger answers with the encryption of Mb under k; the Adversary outputs a guess b']
- The attacker wins the game if b = b'
Bit Secure
- A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
[Game figure: the Challenger 1. picks a random key k, 2. picks a random M and sends its encryption; the Adversary 3. picks an index i and outputs a guess a]
- The attacker wins the game if a = the i'th bit of M
Semantic Security
- Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
- Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
Summary
- Number Theory
  - Prime, gcd, Euler's Theorem, CRT
  - Modular arithmetic
- Algebraic Structures
  - Group, Field
  - Zn, Zp, GF(2^n)
- Shannon Security
  - Perfect secrecy
  - Probability
- Complexity of Computing
  - P, NP, NPC, BPP
Homework
- HTTP URL: http://cst.hit.edu.cn/cryptography
- Due Date:
Zhijun Li S1034040Autumn08HIT 22
Set of Residues Example
bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379
bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1
Zhijun Li S1034040Autumn08HIT 23
Modular Arithmetic
bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1
bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n
bull Proof Let a=q1n+r1 b=q2n+r2
bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n
ndash [(a mod n) (b mod n)] mod n = (ab) mod n
bull (+ ) (-)
Zhijun Li S1034040Autumn08HIT 24
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)
What
Zhijun Li S1034040Autumn08HIT 25
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )
NOT all elements in Z8
Zhijun Li S1034040Autumn08HIT 26
Modular Arithmetic Remark
bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n
bull ((-a)+a+b) ((-a)+a+c) mod n
bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8
ndash When
Zhijun Li S1034040Autumn08HIT 27
Multiplicative Inverse in Modular
bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n
bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists
bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=
0
Zhijun Li S1034040Autumn08HIT 28
Multiplicative Inverse Theorem
bull Proof
ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1
ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n
ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)
Zhijun Li S1034040Autumn08HIT 29
Eulerrsquos phi Function
bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn
ndash Is the number of elements in the reduced set of residues for modulo n
(n) calculation
Zhijun Li S1034040Autumn08HIT 30
Chinese Remainder Theorem
bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)
x a1 mod n1
x a2 mod n2
helliphellip
x ak mod nk
There exists a unique solution of x modulo n=n1
n2hellipnk
Zhijun Li S1034040Autumn08HIT 31
Proof of CRT
bull Consider a one-to-one map Zn Zn1
Zn2 hellipZnk
(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)
(a1 a2 hellip ak) = i=1kaimiyi mod n
ndash mi = nni gcd(mini)=11ik ndash yi = mi
-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj
-1 mod nj mjyj1 mod nj ajmjyjaj mod nj
(a1 a2 hellip ak) mod nj = aj
Zhijun Li S1034040Autumn08HIT 32
Finding Eulerrsquos phi Function
bull Theorem if gcd(mn)=1 then (mn)=(m)(n)
bull Proof ndash A number x mod mn is represented uniquely by the p
air (a b) (x mod m x mod n) (CRT)
ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
ndash So (mn)=(m)(n)
Zhijun Li S1034040Autumn08HIT 33
Finding Eulerrsquos phi Function
(n) calculation for n = i=1k pi
ei
(p) = p-1 (pe) = pe ndash pe-1
ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1
( i=1kpi
ei ) = i=1k(pi
ei ndash piei -1)
(n) = n(1-1p1)(1-1p2)hellip(1-1pk)
Zhijun Li S1034040Autumn08HIT 34
Eulerrsquos Theorem
bull Theorem If gcd(an)=1 then a(n) 1 mod n
bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues
modulo n
2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)
3 i=1(n) ri = i=1
(n) ari a(n) i=1(n) ri mod n
4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n
Zhijun Li S1034040Autumn08HIT 35
Fermatrsquos Little Theorem
bull For Eulerrsquos Theorem
Let n is p and p is a prime
Because for all 0ltaltp gcd(ap)=1 then
ap-1 1 mod p
Zhijun Li S1034040Autumn08HIT 36
bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)
bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)
bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)
Finding a-1 mod n
Zhijun Li S1034040Autumn08HIT 37
From Euclidean Algorithm
bull r0 =1r0+ 0r1 = s0r0+t0r1
bull r1 =0r0+ 1r1 = s1r0+t1r1
bull r2 = r0-q1r1 = s2r0+t2r1
bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1
helliphellipbull rn-1 = sn-1r0+tn-1r1
bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1
-1 mod r0
bull Find tn-1
Zhijun Li S1034040Autumn08HIT 38
si and ti
bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1
si=si-2-qi-1si-1
ti=ti-2-qi-1ti-1
bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0
Zhijun Li S1034040Autumn08HIT 39
Step 1 r0 =n and r1 =a
Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n
r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n
let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip
rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1
Step 3 Result is xn-2 =a-1 mod n
Extended Euclidean Algorithm
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
bull Definition The order of a finite group is the number of the elements in the group
bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S
bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H
(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a
ll coset is a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of Group Element
bull Definition The order of group element a is defined as the least positive integer n that
an = a a hellip a =e
bull The order of a is denoted as ord(a)
bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n
Zhijun Li S1034040Autumn08HIT 47
ord(a)|n Proof
bull Proofndash For group G and aG the set a a2 hellip aord
(a) and the operator of G forms a subgroup of G
aord(a)=e (ai)-1=a(ord(a)-i)
ndash This subgroup is denoted as ltagt
Zhijun Li S1034040Autumn08HIT 48
The Generator of Group
bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group
bull Examplendash Considering the ltZ7
gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod
7hellipbull lt124gt subgroup
ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator
Zhijun Li S1034040Autumn08HIT 49
Ringbull Definition A ring R=ltS+gt (+ is addition is
multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac
bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio
n and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic
ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers
e a-1 a = a-1 a = 1
bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
Field +-x
Relationship
Ring +-x
+-Group
Used In Cryptography
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
bull Zn
bull Zn
bull Zp
bull Polynomial Rings
bull Galois Field F2n
Zhijun Li S1034040Autumn08HIT 53
Zn
bull Zn is the ldquoringrdquo of integers modulo n
ndash Zn=0 1 2 hellipn-1
ndash Normal addition modulo nndash Normal multiplication modulo n
bull Example
ndash Z26 for English
ndash Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
bull Additive and multiplicative identities in Zn
ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n
bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn
bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn
ndash The elements in Zn have inverse x|gcd(xn)=1
Zhijun Li S1034040Autumn08HIT 55
Zn
bull Zn is a ldquogrouprdquo of integers modulo n
ndash Zn=x| gcd(xn)=1
ndash |Zn|=(n)
ndash Normal multiplication modulo n
bull Zn may not a group over +
ndash Example n=20 35 Zn but 3+5=8 Zn
bull So Zn may not a field
Zhijun Li S1034040Autumn08HIT 56
Zp
bull Zp is the ldquofieldrdquo of integers modulo n
ndash Zp=012hellipp-1
ndash Normal addition modulo pndash Normal multiplication modulo p
bull ExampleZ2+ 0 1
01
0 11 0
0 1
01
0 00 1
w -w w-1
01
01 1
XOR AND
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0
bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field

• Definition: Galois field = $(S, +, \cdot)$
– $S = F[x]/p(x)$
– F is a field $Z_N$ (N prime)
– + is addition in F (coefficient-wise), $\cdot$ is multiplication modulo p(x)
– p(x) is irreducible over F
• The Galois field $Z_N[x]/p(x)$ is denoted $GF(N^n)$, where $n = \deg p(x)$
Why Galois Field

• For an 8-bit block
– $Z_{256} = \{0, 1, \ldots, 255\}$ is not a field (256 is composite, so e.g. 2 has no multiplicative inverse)
– $Z_{251} = \{0, 1, \ldots, 250\}$ is a field
• The largest prime < 256 is 251
• The values 251, …, 255 are wasted
• Is it possible to find a field with exactly 256 elements?
– Yes: a Galois field
Galois Field for $Z_{256}$

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
$10010111 \leftrightarrow 1\cdot x^7+0\cdot x^6+0\cdot x^5+1\cdot x^4+0\cdot x^3+1\cdot x^2+1\cdot x^1+1\cdot x^0 = x^7+x^4+x^2+x+1$
• The field is $Z_2[x]/p(x)$ where $\deg p(x) = 8$
• Note: many cryptographic designs use binary Galois fields $GF(2^n)$
Galois Field Example: AES

• AES uses $GF(2^8) = Z_2[x]/p(x)$ where $p(x) = x^8 + x^4 + x^3 + x + 1$
• Example
– $01010011 \leftrightarrow x^6+x^4+x+1$
– $(01010011)^{-1} \leftrightarrow (x^6+x^4+x+1)^{-1} \bmod p(x) = x^7+x^6+x^3+x \leftrightarrow 11001010$
Galois Field Example: AES

• Example: $\{02\} \cdot \{87\}$ (bytes written in hex)
• $87 = 10000111 \leftrightarrow f(x) = x^7+x^2+x+1$
• $02 = 00000010 \leftrightarrow x$
• $\{02\} \cdot \{87\} \leftrightarrow x \cdot f(x) = x(x^7+x^2+x+1) \bmod p(x) = x^8 + x(x^2+x+1) \bmod p(x)$
– Since $x^8 \equiv x^4+x^3+x+1 \pmod{p(x)}$, this equals $x^4+x^3+x+1 + x^3+x^2+x = x^4+x^2+1 \leftrightarrow 00010101 = \{15\}$
• In general, for a byte $b_7 b_6 \ldots b_0$, multiplication by $\{02\}$ is a left shift followed by a conditional reduction:
– $x \cdot f(x) \leftrightarrow (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)$ if $b_7 = 0$
– $x \cdot f(x) \leftrightarrow (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus 00011011$ if $b_7 = 1$ (00011011 is $x^4+x^3+x+1$, the low byte of p(x))
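The $GF(2^3)$ inverse from the $Z_2[x]/(x^3+x+1)$ slides and the AES byte operations above (the inverse of 01010011 and the multiplication by {02}) are carried out in working code below. This is an added example, not code from the course: it represents a polynomial over $Z_2$ as an integer whose bit i is the coefficient of $x^i$, uses only the two modulus polynomials given on the slides, and all function names are my own.

```python
# Arithmetic in GF(2^n) = Z2[x]/p(x) on bit-vectors: bit i of an int is the
# coefficient of x^i, so 0b1011 is x^3 + x + 1.  Added example, not the
# course's code; AES_POLY is the AES modulus from the slide, GF8_POLY the
# x^3 + x + 1 modulus of the 8-element example.

AES_POLY = 0x11B    # x^8 + x^4 + x^3 + x + 1  (GF(2^8), AES)
GF8_POLY = 0b1011   # x^3 + x + 1              (GF(2^3), the slide's S)


def clmul(a: int, b: int) -> int:
    """Carry-less product in Z2[x] (no reduction): XOR shifted copies of a."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf_reduce(a: int, poly: int) -> int:
    """a mod poly by long division over Z2; the result has degree < deg poly."""
    n = poly.bit_length() - 1
    for i in range(a.bit_length() - 1, n - 1, -1):
        if a >> i & 1:
            a ^= poly << (i - n)        # subtract x^(i-n) * poly, i.e. XOR
    return a


def gf_mul(a: int, b: int, poly: int = AES_POLY) -> int:
    """Multiplication in Z2[x]/p(x)."""
    return gf_reduce(clmul(a, b), poly)


def gf_divmod(a: int, b: int):
    """Quotient and remainder of a / b in Z2[x]."""
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def gf_inv(a: int, poly: int = AES_POLY) -> int:
    """a^-1 mod poly by the extended Euclidean algorithm over Z2[x]:
    maintain r_i = s_i*poly + t_i*a; when r_i = 1, t_i is the inverse."""
    a = gf_reduce(a, poly)
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1, t0, t1 = poly, a, 0, 1
    while r1 > 1:
        q, r = gf_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ clmul(q, t1)
    if r1 == 0:
        raise ValueError("gcd(a, poly) != 1: poly is not irreducible")
    return gf_reduce(t1, poly)


def xtime(b: int) -> int:
    """AES multiplication by {02}: shift left, XOR 0x1B if bit 7 was set."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b


def is_field(poly: int) -> bool:
    """Every nonzero residue has an inverse iff poly is irreducible over Z2."""
    n = poly.bit_length() - 1
    try:
        return all(gf_mul(a, gf_inv(a, poly), poly) == 1 for a in range(1, 1 << n))
    except ValueError:
        return False


if __name__ == "__main__":
    print(hex(gf_inv(0x53)))            # 0xca, the slide's inverse of 01010011
    print(hex(gf_mul(0x02, 0x87)))      # 0x15
    print(is_field(GF8_POLY), is_field(0b1001))   # True, False (x^3+1 is reducible)
```

The branch in xtime mirrors the slide's case split on $b_7$; a production AES implementation avoids that data-dependent branch (and table lookups indexed by secret bytes) because of timing side channels.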
Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security
Mathematical Model for Ciphers

• Message space $P = M^L = \{m = (m_1, m_2, \ldots, m_L) \mid m_i \in M\}$
– $M = \{a_i\}$, $i = 1, 2, \ldots, N$, with $p(a_i) \ge 0$ and $\sum_{i=1}^{N} p(a_i) = 1$
• Key space $K = B^R = \{b = (b_1, b_2, \ldots, b_R) \mid b_i \in B\}$
– $B = \{b_i\}$, $i = 1, 2, \ldots, S$, with $p(b_i) \ge 0$ and $\sum_{i=1}^{S} p(b_i) = 1$
• Ciphertext space $C = \{c \mid c = e_k(m),\ k \in K,\ m \in P\}$
[Figure: Sender → Encryption (m ↦ c) → Decryption → Receiver; the key k reaches both ends over a secure channel; the cryptanalyst observes c. Labels: Key Space (K), Message Space (P), Ciphertext Space (C).]
Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager
Claude Shannon, 1916–2001
Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\ c \in C(k)} \Pr[K = k]\,\Pr[P = d_k(c)]$
– $C(k) = \{e_k(m) \mid m \in P\}$, the ciphertexts reachable under key k
• $\Pr[C = c \mid P = m] = \sum_{k \in K,\ m = d_k(c)} \Pr[K = k]$
• $\Pr[P = m \mid C = c]$
$= \dfrac{\Pr[C = c \mid P = m]\,\Pr[P = m]}{\Pr[C = c]}$
$= \dfrac{\Pr(m) \sum_{k \mid m = d_k(c)} \Pr(k)}{\sum_{k \in K,\ c \in C(k)} \Pr(k)\,\Pr(d_k(c))}$
Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
– How to define "information"?
• Definition: an encryption scheme is Shannon secure if, for every probability distribution of P, every $c \in C$ and every $m \in P$: $\Pr[P = m] = \Pr[P = m \mid C = c]$
• Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where $|K| = |P| = |C|$
• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability $1/|K|$, and
– for every $x \in P$ and $y \in C$ there is a unique key k such that $e_k(x) = y$
Proof of ⇐

• $\Pr[x \mid y] = \dfrac{\sum_{k \in K,\ x = d_k(y)} \Pr[K = k]\,\Pr[P = x]}{\sum_{k \in K,\ y \in C(k)} \Pr[K = k]\,\Pr[P = d_k(y)]}$
• Numerator: exactly one key maps x to y, so $\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] = 1/|K|$ and the numerator is $\Pr[P = x]/|K|$
• Denominator: $\sum_{k \in K,\ y \in C(k)} \Pr[K = k]\,\Pr[P = d_k(y)] = \dfrac{1}{|K|} \sum_{k \in K,\ y \in C(k)} \Pr[P = d_k(y)] = \dfrac{1}{|K|} \sum_{x \in P} \Pr[P = x] = \dfrac{1}{|K|}$ (as k runs over K, $d_k(y)$ runs over every plaintext exactly once)
• Hence $\Pr[x \mid y] = \Pr[P = x]$
Proof of ⇒ (unique key)

• $\Pr[y] > 0$ for every $y \in C$ (C contains only reachable ciphertexts)
• $\Pr[x \mid y] = \Pr[x] \Leftrightarrow \Pr[y \mid x] = \Pr[y]$ (Bayes)
• Fix $x \in P$. For every $y \in C$ we have $\Pr[y \mid x] = \Pr[y] > 0$, thus there exists at least one key k with $e_k(x) = y$
• $|\{e_k(x) \mid k \in K\}| = |C| = |K|$
– so there are no $k_1 \ne k_2$ with $e_{k_1}(x) = e_{k_2}(x)$
– there is a unique key k such that $e_k(x) = y$
Proof of ⇒ (equiprobable keys)

• Let $n = |K|$ and $P = \{x_i \mid 1 \le i \le n\}$
• Fix y and let $k_1, k_2, \ldots, k_n$ be the (unique) keys with $e_{k_i}(x_i) = y$
• $\Pr[x_i \mid y] = \Pr[y \mid x_i]\,\Pr[x_i] / \Pr[y] = \Pr[K = k_i]\,\Pr[x_i] / \Pr[y]$
• $\Pr[x_i \mid y] = \Pr[x_i] \Rightarrow \Pr[K = k_i] = \Pr[y]$ for every i
– Every key is used with equal probability $1/|K|$
"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has $|K| \ge n$
• Proof
– Consider a probability distribution on P in which every message has nonzero probability
– Given any C = c, for every m: $\Pr[P = m \mid C = c] = \Pr[P = m] > 0$, thus there must exist a key that decrypts c into m
– As one key decrypts c into only one message, at least n keys are needed
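An added example, not part of the lecture, that evaluates the formulas of the "Probability Distribution of C" slide by brute force and applies Shannon's condition to a 2-bit one-time pad under three constructed key distributions: uniform keys with $|K| = |P|$ (perfectly secret), biased keys (the equiprobable-key condition of the theorem fails) and a key space smaller than the message space (the "bad news" bound $|K| \ge |P|$ fails). The cipher, the distributions and the function names are mine.

```python
# Perfect secrecy checked by exhaustive enumeration over a small cipher, using
# the formulas of the 'Probability Distribution of C' slide.  Added example,
# not from the course; the plaintext and key distributions are constructed.
from fractions import Fraction as F
from itertools import product


def distributions(enc, pr_p, pr_k):
    """Pr[C=c] and Pr[P=m | C=c] for a deterministic cipher c = enc(k, m).

    Pr[C=c]       = sum over (k, m) with enc(k, m) = c of Pr[K=k] * Pr[P=m]
    Pr[P=m | C=c] = Pr[P=m, C=c] / Pr[C=c]
    Exact rational arithmetic, so the equality tests below are exact."""
    pr_c, joint = {}, {}
    for k, m in product(pr_k, pr_p):
        c = enc(k, m)
        w = pr_k[k] * pr_p[m]
        pr_c[c] = pr_c.get(c, 0) + w
        joint[m, c] = joint.get((m, c), 0) + w
    posterior = {(m, c): joint.get((m, c), 0) / pr_c[c]
                 for m in pr_p for c in pr_c}
    return pr_c, posterior


def is_perfectly_secret(enc, pr_p, pr_k):
    """Shannon's condition: Pr[P=m | C=c] == Pr[P=m] for every m and every
    c with Pr[C=c] > 0 (only reachable ciphertexts appear in pr_c)."""
    _, posterior = distributions(enc, pr_p, pr_k)
    return all(posterior[m, c] == pr_p[m] for (m, c) in posterior)


def xor_enc(k, m):
    """One-time pad on 2-bit values: c = k XOR m."""
    return k ^ m


# Constructed distributions (not from the slides).  Plaintexts are skewed on
# purpose: perfect secrecy must hold for *every* plaintext distribution.
PR_P = {0: F(1, 2), 1: F(1, 4), 2: F(1, 8), 3: F(1, 8)}
PR_K_UNIFORM = {k: F(1, 4) for k in range(4)}                    # |K| = |P|, equiprobable
PR_K_BIASED = {0: F(1, 2), 1: F(1, 6), 2: F(1, 6), 3: F(1, 6)}  # keys not equiprobable
PR_K_SMALL = {k: F(1, 3) for k in range(3)}                      # |K| < |P|

if __name__ == "__main__":
    for name, pr_k in [("uniform", PR_K_UNIFORM), ("biased", PR_K_BIASED), ("small", PR_K_SMALL)]:
        print(name, is_perfectly_secret(xor_enc, PR_P, pr_k))   # True, False, False
```

With biased keys the posterior $\Pr[P=0 \mid C=0]$ rises from 1/2 to 3/4: the ciphertext leaks information even though every key still maps every plaintext to every ciphertext. With the small key space some (m, c) pairs are simply unreachable, which is the bound of the theorem above.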
Introduction of the Complexity

• Perfect secrecy ⇒ key length ≥ message length
– One key can NOT be used to encrypt many messages
– E.g. a 56-bit key cannot give perfect secrecy for a document longer than 56 bits
• So in modern cryptography
– NOT perfect secrecy
– but security under limited resources (computational complexity)
– meaning that key (or plaintext) recovery is computationally difficult
– Complexity is the foundation of modern cryptography
Problems

• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
– Name: GCD problem
– Instance: two natural numbers $a, b \in N$
– Question: what is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine

• Definition: a Turing Machine is given by a transition function $\delta: S \times B \to S \times B \times \{l, r\}$
– where S is the set of states, B is the set of tape characters, l is shift left and r is shift right
[Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a state machine]
Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Problems and Algorithms

[Figure: PROBLEM → INSTANCES → (Input) → ALGORITHM → (Output)]
Complexity of Algorithm

• Definition: the time complexity of an algorithm is the number of steps (on a TM) necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
– Logarithmic functions: $f(n) = \log n$
– Polynomial functions: $f(n) = n^a$, $a \in N$
– Exponential functions: $f(n) = \Omega(a^n)$ for some $a \in N$, $a \ge 2$, and there exists $b \in N$ with $f(n) = O(b^n)$
Complexity of Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
– The complexity of a problem is much more difficult to determine than that of an algorithm
– It relies on mathematical analysis (a lower bound must hold for every algorithm, known or not)
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problem

• Undecidable: provably intractable
– There is no algorithm that solves it
– E.g. the Turing halting problem
• Decidable
– P: can be solved in polynomial time using a DTM
• Example: AB
– NP: can be solved in polynomial time using an NDTM, whose transition function $\delta: S \times B \to 2^{S \times B \times \{l, r\}}$ allows several successor configurations
– BPP: can be "solved" in polynomial time using a PTM, $\delta: S \times B \times \{0, 1\} \to S \times B \times \{l, r\}$, which reads a random bit at each step (randomized algorithms)
NP Problem

• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
– P problems ⊆ NP problems
– NP problems are intuitively "more difficult"
• NPC: the most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy problems
Polynomial Reduction

• Definition: assume $Q_1, Q_2 \in NP$, with $I_1^+$ and $I_2^+$ their sets of 'yes' instances. $Q_1$ is polynomially reducible to $Q_2$ if there is a function $f: I_1 \to I_2$ such that
– f is computable in polynomial time by a DTM
– for all x: $x \in I_1^+$ iff $f(x) \in I_2^+$
• Note
– $Q_2$ is at least as complex as $Q_1$
– Denoted $Q_1 \le_{poly} Q_2$
NP Completeness (NPC)

• Definition: an NPC problem is a $Q_c \in NP$ such that for any $Q \in NP$ we have $Q \le_{poly} Q_c$
• Example
– Name: Satisfiability problem (SAT)
– Instance: a set U of variables and a collection C of clauses over U
– Question: is there a satisfying truth assignment for C?
• How to prove that a problem $Q \in NP$ is NPC
– show $SAT \le_{poly} Q$
P = NP?

• Either P = NP, or there is a $p \in NP$ with $p \notin P$
• If P = NP
– modern cryptography is NOT secure
• If there is $p \in NP$, $p \notin P$
– a one-way function can be built based on p
– indistinguishable pseudorandom functions exist
– they are the foundations of modern cryptography
• Caveat: P ≠ NP only guarantees worst-case hardness; one-way functions need problems that are hard on average, which is a stronger (and unproven) assumption
BPP

• There are randomized algorithms in cryptography
– especially in cryptanalysis
– BPP is the model for randomized algorithms
• Remarks on BPP
– The problem can be solved with (bounded) error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful only against BPP (randomized polynomial-time) adversaries
– Will be analyzed in depth later
Problems in Cryptography

• FACTORING: factorize $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$
• DLP: given a generator g of $Z_p^*$ and $y \in Z_p^*$, find x satisfying $g^x \equiv y \pmod p$
• DHP: find $g^{ab} \pmod p$ from $g^a \pmod p$ and $g^b \pmod p$
• Subset-Sum: given a set of positive integers $A = \{a_1, a_2, \ldots, a_n\}$ and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying $x^2 \equiv a \pmod n$
Semantic Security

• Ideas of semantic security
– Between Shannon security and security based on complexity
– Some partial information may leak
– An approximation of perfect secrecy
• Definition of semantic security
– Indistinguishability of ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish a ciphertext from random bits
IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is $(t, \varepsilon)$ IND-CPA secure if no t-time adversary wins the following game with probability $\ge 0.5 + \varepsilon$
• The game, Challenger vs. Adversary:
– Challenger picks a random key k and a random bit $b \in \{0, 1\}$
– Adversary picks $M_0, M_1$ of equal length (and may ask the challenger for encryptions of plaintexts of its choice)
– Challenger sends $C = E_k(M_b)$
– Adversary outputs a guess $b'$
– Attacker wins the game if $b = b'$
Bit Secure

• A cipher is $(t, \varepsilon)$ bit secure if no t-time adversary wins the following game with probability $\ge 0.5 + \varepsilon$
• The game, Challenger vs. Adversary:
1. Challenger picks a random key k
2. Challenger picks a random message M and sends $C = E_k(M)$
3. Adversary picks an index i and outputs a bit a
– Attacker wins the game if a = the i-th bit of M
Semantic Security

• Any cipher that is $(t, \varepsilon)$ IND-CPA secure against eavesdroppers is also $(t, \varepsilon)$ bit secure
• Proof (sketch): given a $(t, \varepsilon)$ attacker against bit security, build a $(t, \varepsilon)$ attacker against IND-CPA security that runs it as a subroutine on the challenge ciphertext
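An added example, not part of the course material, that plays the IND-CPA game of the slide against two toy constructions: a deterministic one that reuses a single PRF pad for every message, and a randomized one that draws a fresh nonce per encryption (a one-block CTR-style scheme, IND-CPA secure on the assumption that the PRF is pseudorandom). The PRF is HMAC-SHA256 from the Python standard library; the schemes, the adversary, the message strings and all names are my own constructions. The adversary uses its chosen-plaintext oracle to encrypt $M_0$ and compares with the challenge; its win rate over many runs estimates $1/2 + \varepsilon$.

```python
# The IND-CPA game of the slide, played against a deterministic and a
# randomized toy scheme.  Added example, not from the course.  PRF = HMAC-SHA256
# (standard library); key, bit b and messages are constructed inside the game.
import hashlib
import hmac
import os
import random

BLOCK = 16


def prf(k: bytes, x: bytes) -> bytes:
    """Pseudorandom function: HMAC-SHA256 truncated to one block."""
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc_deterministic(k: bytes, m: bytes) -> bytes:
    """One fixed pad PRF(k, 0) for every message: same m gives same c."""
    return xor(prf(k, bytes(BLOCK)), m)


def enc_randomized(k: bytes, m: bytes) -> bytes:
    """Fresh nonce r per call; c = r || (m XOR PRF(k, r))."""
    r = os.urandom(BLOCK)
    return r + xor(prf(k, r), m)


def dec_randomized(k: bytes, c: bytes) -> bytes:
    r, body = c[:BLOCK], c[BLOCK:]
    return xor(prf(k, r), body)


def compare_adversary(oracle, m0: bytes, m1: bytes, challenge: bytes) -> int:
    """CPA adversary: encrypt M0 through the oracle and compare it with the
    challenge.  Guess b' = 0 on a match, else 1."""
    return 0 if oracle(m0) == challenge else 1


def play_ind_cpa(enc, adversary, trials: int = 200, seed: int = 0) -> float:
    """Run the IND-CPA game `trials` times and return the adversary's win rate
    (an estimate of 1/2 + epsilon).
    Challenger: random k, random b.  Adversary: M0, M1 of equal length plus
    an encryption oracle.  Challenger: C = E_k(M_b).  Adversary: guess b'."""
    rng = random.Random(seed)     # seeded so keys and bits are reproducible
    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"   # constructed, 16 bytes each
    wins = 0
    for _ in range(trials):
        k = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        b = rng.getrandbits(1)
        challenge = enc(k, (m0, m1)[b])
        guess = adversary(lambda m: enc(k, m), m0, m1, challenge)
        wins += guess == b
    return wins / trials


if __name__ == "__main__":
    print(play_ind_cpa(enc_deterministic, compare_adversary))   # 1.0
    print(play_ind_cpa(enc_randomized, compare_adversary))      # about 0.5
```

Any deterministic scheme (ECB mode, or a stream cipher whose keystream is reused) loses this game with $\varepsilon = 1/2$ by exactly this comparison; the randomized construction holds the adversary at 1/2. Note that the game says nothing about integrity: neither toy scheme authenticates its ciphertext.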
Summary

• Number Theory
– Primes, gcd, Euler's Theorem, CRT
– Modular arithmetic
• Algebraic Structures
– Group, Field
– $Z_n$, $Z_p$, $GF(2^n)$
• Shannon Security
– Perfect secrecy
– Probability
• Complexity of Computing
– P, NP, NPC, BPP
Homework
• HTTP URL:
httpcsthiteducncryptography
bull Due Date
Modular Arithmetic

• We can define modular arithmetic on the set of integers $Z_n = \{0, 1, 2, \ldots, n-1\}$
• Under normal arithmetic (+, ·):
– $[(a \bmod n) + (b \bmod n)] \bmod n = (a + b) \bmod n$
• Proof: let $a = q_1 n + r_1$ and $b = q_2 n + r_2$
• $(a + b) \bmod n = (q_1 n + r_1 + q_2 n + r_2) \bmod n = (r_1 + r_2) \bmod n$
– $[(a \bmod n) \cdot (b \bmod n)] \bmod n = (ab) \bmod n$
• (+, ·) ⇒ (−): subtraction reduces to addition of the additive inverse
Modular Arithmetic Example

• $(Z_8 = \{0, 1, 2, \ldots, 7\}, +)$
[Figure: the 8 × 8 addition table of $Z_8$; every row is a permutation of 0, …, 7]
Modular Arithmetic Example

• $(Z_8 = \{0, 1, 2, \ldots, 7\}, \cdot)$
[Figure: the 8 × 8 multiplication table of $Z_8$; NOT all elements of $Z_8$ have a row containing 1, i.e. not all are invertible]
Modular Arithmetic Remark

• Additive inverse always exists
– $a + (-a) \equiv 0 \pmod n$, with $-a = n - a$
– if $a + b \equiv a + c \pmod n$ then $b \equiv c \pmod n$
• $(-a) + a + b \equiv (-a) + a + c \pmod n$
• Multiplicative inverse does NOT always exist
– Example: 6 in $Z_8$ ($6x \bmod 8$ is always even, so never 1)
– When does it exist?
Multiplicative Inverse in Modular Arithmetic

• Definition: $a^{-1} \bmod n$ is the multiplicative inverse of $a \in \{1, 2, \ldots, n-1\}$ when $a \cdot a^{-1} \equiv 1 \pmod n$
• Theorem: $a^{-1} \bmod n$ exists if and only if $\gcd(a, n) = 1$
• Lemma: if $\gcd(a, n) = 1$ then $ai \not\equiv aj \pmod n$ for all $0 \le i < j < n$
– Proof: assume $ai \equiv aj \pmod n$; then $n \mid a(i - j)$, so (as $\gcd(a, n) = 1$) $n \mid (i - j)$, hence $i - j = 0$, contradicting $i < j$
Multiplicative Inverse Theorem

• Proof
(⇐)
– If $\gcd(a, n) = 1$, then $a \cdot 1, a \cdot 2, \ldots, a \cdot (n-1) \bmod n$ is a permutation of $1, \ldots, n-1$ (by the lemma, and no product is 0)
– So there exists exactly one i with $ai \equiv 1 \pmod n$
– Therefore this i is $a^{-1} \bmod n$
(⇒)
– Suppose $a^{-1}$ exists; call it x
– $ax \equiv 1 \pmod n$, so $ax + yn = 1$ for some integer y
– $\gcd(a, n) = 1$ (since $\gcd(a, n) \mid ax + yn$, we get $\gcd(a, n) \mid 1$)
Euler's phi Function

• Euler's "phi" function $\phi(n)$
– is the number of invertible elements of $Z_n$
– is the number of elements in the reduced set of residues modulo n, $\{a \mid 1 \le a \le n,\ \gcd(a, n) = 1\}$
• $\phi(n)$ calculation: see the following slides
Chinese Remainder Theorem

• Theorem: let $n_1, n_2, \ldots, n_k$ be integers with $\gcd(n_i, n_j) = 1$ for $i \ne j$. The system
$x \equiv a_1 \pmod{n_1}$
$x \equiv a_2 \pmod{n_2}$
……
$x \equiv a_k \pmod{n_k}$
has a unique solution x modulo $n = n_1 n_2 \cdots n_k$
Proof of CRT

• Consider the one-to-one map $\chi: Z_n \to Z_{n_1} \times Z_{n_2} \times \cdots \times Z_{n_k}$,
$\chi(x) = (x \bmod n_1, x \bmod n_2, \ldots, x \bmod n_k)$
– CRT amounts to finding $\chi^{-1}(a_1, a_2, \ldots, a_k)$
$\chi^{-1}(a_1, a_2, \ldots, a_k) = \sum_{i=1}^{k} a_i m_i y_i \bmod n$
– $m_i = n / n_i$, so $\gcd(m_i, n_i) = 1$, $1 \le i \le k$
– $y_i = m_i^{-1} \bmod n_i$, $1 \le i \le k$
– $m_i \equiv 0 \pmod{n_j}$ for $j \ne i$, so $a_i m_i y_i \equiv 0 \pmod{n_j}$ for $j \ne i$
– $y_j \equiv m_j^{-1} \pmod{n_j}$, so $m_j y_j \equiv 1 \pmod{n_j}$ and $a_j m_j y_j \equiv a_j \pmod{n_j}$
– Hence $\chi^{-1}(a_1, a_2, \ldots, a_k) \bmod n_j = a_j$ for every j
Finding Euler's phi Function

• Theorem: if $\gcd(m, n) = 1$ then $\phi(mn) = \phi(m)\phi(n)$
• Proof
– A number x mod mn is represented uniquely by the pair $(a, b) = (x \bmod m, x \bmod n)$ (CRT)
– x is relatively prime to mn iff a and b are relatively prime to m and n respectively
– So $\phi(mn) = \phi(m)\phi(n)$
Finding Euler's phi Function

• $\phi(n)$ calculation for $n = \prod_{i=1}^{k} p_i^{e_i}$
• $\phi(p) = p - 1$, $\phi(p^e) = p^e - p^{e-1}$
– The numbers in $\{1, \ldots, p^e - 1\}$ that are not coprime to $p^e$ are the multiples kp with $\gcd(kp, p^e) \ge p$, $k = 1, \ldots, p^{e-1} - 1$
– So $\phi(p^e) = (p^e - 1) - (p^{e-1} - 1) = p^e - p^{e-1}$
• $\phi\left(\prod_{i=1}^{k} p_i^{e_i}\right) = \prod_{i=1}^{k} \left(p_i^{e_i} - p_i^{e_i - 1}\right)$
• $\phi(n) = n \left(1 - \frac{1}{p_1}\right)\left(1 - \frac{1}{p_2}\right) \cdots \left(1 - \frac{1}{p_k}\right)$
Euler's Theorem

• Theorem: if $\gcd(a, n) = 1$ then $a^{\phi(n)} \equiv 1 \pmod n$
• Proof
1. Let $R = \{r_1, r_2, \ldots, r_{\phi(n)}\}$ be the reduced set of residues modulo n
2. $ar_1, ar_2, \ldots, ar_{\phi(n)}$ is a permutation of R (each $\gcd(ar_i, n) = 1$, and $ar_i \equiv ar_j$ would force $r_i \equiv r_j$)
3. $\prod_{i=1}^{\phi(n)} r_i \equiv \prod_{i=1}^{\phi(n)} a r_i \equiv a^{\phi(n)} \prod_{i=1}^{\phi(n)} r_i \pmod n$
4. $\gcd\left(\prod_{i=1}^{\phi(n)} r_i,\ n\right) = 1$, so the product can be cancelled. Hence $a^{\phi(n)} \equiv 1 \pmod n$
Fermat's Little Theorem

• From Euler's Theorem
Let n = p with p prime
Because $\gcd(a, p) = 1$ for all $0 < a < p$, we have $\phi(p) = p - 1$ and
$a^{p-1} \equiv 1 \pmod p$
Finding $a^{-1} \bmod n$

• Search through $1, \ldots, n-1$ until an $a^{-1}$ is found such that $a \cdot a^{-1} \equiv 1 \pmod n$
– $T(n) = O(n)$, exponential in the bit length of n
• Compute $a^{-1} = a^{\phi(n)-1} \bmod n$
– Finding $\phi(n)$ requires factoring n
– $T(n) = O(n^a)$
• Use the Extended Euclidean Algorithm
– $T(n) = O(\log^a n)$, polynomial in the bit length of n
From Euclidean Algorithm

• $r_0 = 1 \cdot r_0 + 0 \cdot r_1 = s_0 r_0 + t_0 r_1$
• $r_1 = 0 \cdot r_0 + 1 \cdot r_1 = s_1 r_0 + t_1 r_1$
• $r_2 = r_0 - q_1 r_1 = s_2 r_0 + t_2 r_1$
• $r_3 = r_1 - q_2 r_2 = r_1 - q_2(r_0 - q_1 r_1) = s_3 r_0 + t_3 r_1$
……
• $r_{n-1} = s_{n-1} r_0 + t_{n-1} r_1$
• $r_{n-1} = \gcd(r_0, r_1)$
• If the gcd is 1: $s_{n-1} r_0 + t_{n-1} r_1 = 1$, so $t_{n-1} r_1 \equiv 1 \pmod{r_0}$, i.e. $t_{n-1} = r_1^{-1} \bmod r_0$
• Goal: find $t_{n-1}$
$s_i$ and $t_i$

• $r_0 = s_0 r_0 + t_0 r_1$: $s_0 = 1$, $t_0 = 0$
• $r_1 = s_1 r_0 + t_1 r_1$: $s_1 = 0$, $t_1 = 1$
……
• $r_i = r_{i-2} - q_{i-1} r_{i-1} = s_{i-2} r_0 + t_{i-2} r_1 - q_{i-1} s_{i-1} r_0 - q_{i-1} t_{i-1} r_1 = s_i r_0 + t_i r_1$
$s_i = s_{i-2} - q_{i-1} s_{i-1}$
$t_i = t_{i-2} - q_{i-1} t_{i-1}$
• Only $t_i$ is needed
• $r_i = s_i r_0 + t_i r_1 \equiv t_i r_1 \pmod{r_0}$
Extended Euclidean Algorithm

Step 1: $r_0 = n$ and $r_1 = a$ (so $x_0 = 0$, $x_1 = 1$)
Step 2: $r_0 = q_1 r_1 + r_2$, $r_2 = r_0 - q_1 r_1 \equiv -q_1 r_1 \pmod n$; let $x_2 = -q_1$, then $r_2 \equiv x_2 r_1 \pmod n$
$r_1 = q_2 r_2 + r_3$, $r_3 = r_1 - q_2 r_2 \equiv (1 - x_2 q_2) r_1 \pmod n$; let $x_3 = 1 - x_2 q_2$, then $r_3 \equiv x_3 r_1 \pmod n$
……
$r_{n-3} = q_{n-2} r_{n-2} + r_{n-1}$, $r_{n-1} = r_{n-3} - q_{n-2} r_{n-2} \pmod n$; let $x_{n-1} = x_{n-3} - x_{n-2} q_{n-2}$, then $r_{n-1} \equiv x_{n-1} r_1 \pmod n$. Now $r_{n-1} = 1$
Step 3: the result is $x_{n-1} = a^{-1} \bmod n$ (the $x_i$ are exactly the $t_i$ of the previous slide)
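The Extended Euclidean Algorithm exactly as derived on the three slides above, as an added example that is not the course's code: it keeps the coefficients with the recurrences $s_i = s_{i-2} - q_{i-1} s_{i-1}$ and $t_i = t_{i-2} - q_{i-1} t_{i-1}$, takes $r_0 = n$, $r_1 = a$ so that the final t is $a^{-1} \bmod n$, and compares the result with the two other methods of the "Finding $a^{-1} \bmod n$" slide (exhaustive search, and $a^{\phi(n)-1}$ for prime n where $\phi(n) = n - 1$). Function names and test values are mine.

```python
# Extended Euclidean algorithm for a^-1 mod n, following the slides'
# recurrences.  Added example, not from the course.


def egcd(r0: int, r1: int):
    """Return (g, s, t) with s*r0 + t*r1 = g = gcd(r0, r1).

    r_i = r_{i-2} - q_{i-1} r_{i-1},  s_i = s_{i-2} - q_{i-1} s_{i-1},
    t_i = t_{i-2} - q_{i-1} t_{i-1};  the loop keeps the last two of each."""
    s0, s1, t0, t1 = 1, 0, 0, 1        # r0 = 1*r0 + 0*r1,  r1 = 0*r0 + 1*r1
    while r1:
        q, r = divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0


def has_inverse(a: int, n: int) -> bool:
    """The theorem from the earlier slide: a^-1 exists iff gcd(a, n) = 1."""
    return egcd(n, a % n)[0] == 1


def modinv(a: int, n: int) -> int:
    """a^-1 mod n: with r0 = n, r1 = a the identity s*n + t*a = 1 gives
    t*a ≡ 1 (mod n), so t (reduced mod n) is the inverse."""
    g, _, t = egcd(n, a % n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {g}")
    return t % n


def modinv_search(a: int, n: int):
    """The O(n) method from the slide: scan x = 1..n-1 for a*x ≡ 1 (mod n)."""
    for x in range(1, n):
        if a * x % n == 1:
            return x
    return None


def modinv_fermat(a: int, p: int) -> int:
    """The slide's second method for prime p: phi(p) = p-1, so a^-1 = a^(p-2)."""
    return pow(a, p - 2, p)


if __name__ == "__main__":
    print(egcd(240, 46))        # (2, -9, 47): 240*(-9) + 46*47 = 2
    print(modinv(3, 11))        # 4
    print(has_inverse(6, 8))    # False, the Z_8 example from the slides
```

egcd runs in O(log n) divisions, which is why modular inverses in RSA key generation and elliptic-curve arithmetic are computed this way rather than by search; for secret inputs, a constant-time variant is used because the number of loop iterations depends on a.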
Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security
Algebraic Structures

• Why structures?
– Cryptographic transforms normally live in some algebraic structure
• Definition: an algebraic structure is a collection of a set (S) with one (or more) operations ($\circ$) performed on the elements of S
– Different algebraic structures are $\langle S, \circ \rangle$ satisfying some specific conditions
Group

• Definition: a group $G = \langle S, \circ \rangle$ is an algebraic structure that satisfies the following conditions
– G1: $\forall a, b \in S$: $a \circ b \in S$ (closure rule)
– G2: $\forall a, b, c \in S$: $(a \circ b) \circ c = a \circ (b \circ c)$ (associativity)
– G3: $\exists e \in S$, $\forall a \in S$: $a \circ e = e \circ a = a$ (identity)
– G4: $\forall a \in S$, $\exists a^{-1} \in S$: $a \circ a^{-1} = a^{-1} \circ a = e$ (inverse)
– [G5, Abelian group]: $\forall a, b$: $a \circ b = b \circ a$
Group Example

• $\langle Z, + \rangle$: $e = 0$, $a^{-1} = -a$
• $\langle Z_n, + \rangle$ ($Z_n = \{0, 1, \ldots, n-1\}$, '+' is addition modulo n): $e = 0$, $a^{-1} = n - a$
• $\langle Z_2, \oplus \rangle$ (addition modulo 2, i.e. XOR) is also a group
• $\langle Z_p^*, \cdot \rangle$ ($Z_p^* = \{1, \ldots, p-1\}$, '$\cdot$' is multiplication modulo p)
Group Properties

• Definition: the order of a finite group is the number of elements in the group
• Definition: a group $G_1 = \langle S_1, \circ \rangle$ is a subgroup of the group $G = \langle S, \circ \rangle$ if $S_1 \subseteq S$ (with the same operation)
• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G
Lagrange Theorem Proof

(1) Definition of coset: let G be a group and H a subgroup of G; for $a \in G$ the set $aH = \{ah \mid h \in H\}$ is called a coset of H
(2) $\forall a, b \in G$: $aH = bH$ or $aH \cap bH = \emptyset$
(3) Each element of G is in some coset ($a \in aH$ since $e \in H$), so the cosets form a partition of G
(4) The order of aH equals the order of H ($h \mapsto ah$ is a bijection)
So the order of H divides the order of G
The Order of Group Element

• Definition: the order of a group element a is defined as the least positive integer n such that
$a^n = a \circ a \circ \cdots \circ a = e$
• The order of a is denoted ord(a)
• Corollary: suppose G is a finite group whose order is n and $a \in G$; then $\mathrm{ord}(a) \mid n$
ord(a) | n Proof

• Proof
– For a group G and $a \in G$, the set $\{a, a^2, \ldots, a^{\mathrm{ord}(a)}\}$ with the operator of G forms a subgroup of G
• $a^{\mathrm{ord}(a)} = e$, $(a^i)^{-1} = a^{\mathrm{ord}(a) - i}$
– This subgroup is denoted $\langle a \rangle$; it has ord(a) elements, so by Lagrange's Theorem $\mathrm{ord}(a) \mid n$
The Generator of Group

• Definition: a group all of whose elements can be generated by a single element g is called cyclic, and g is called a generator of the group
• Example
– Consider $\langle Z_7^*, \cdot \rangle$
– 2 generates $2^1 = 2$, $2^2 = 4$, $2^3 = 8 \equiv 1 \pmod 7$, $2^4 = 16 \equiv 2 \pmod 7$, …
• $\langle 2 \rangle = \{1, 2, 4\}$ is a (proper) subgroup
– 3 generates $3^1 = 3$, $3^2 \equiv 2$, $3^3 \equiv 6$, $3^4 \equiv 4$, $3^5 \equiv 5$, $3^6 \equiv 1 \pmod 7$, …
• 3 is a generator
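The $Z_7^*$ computation above, done in code for an arbitrary prime p as an added example (not from the course): element orders, the subgroup $\langle a \rangle$, the list of generators, a check of the corollary $\mathrm{ord}(a) \mid |G|$, and an exhaustive-search discrete logarithm, which is the DLP listed under "Problems in Cryptography" and the reason generators of large prime-order groups matter for Diffie-Hellman. Function names are mine.

```python
# Orders, subgroups and generators of <Z_p^*, ·> by direct computation.
# Added example, not from the slides; p = 7 is the slide's own example.
from math import gcd


def element_order(a: int, p: int) -> int:
    """ord(a): least n >= 1 with a^n ≡ 1 (mod p)."""
    if gcd(a, p) != 1:
        raise ValueError("a must be a unit mod p")
    x, n = a % p, 1
    while x != 1:
        x = x * a % p
        n += 1
    return n


def generated_subgroup(a: int, p: int) -> list:
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list."""
    return sorted(pow(a, i, p) for i in range(1, element_order(a, p) + 1))


def generators(p: int) -> list:
    """Elements of order p-1, i.e. generators of the cyclic group Z_p^*."""
    return [g for g in range(1, p) if element_order(g, p) == p - 1]


def lagrange_holds(p: int) -> bool:
    """Corollary on the slide: ord(a) divides the group order p-1 for every a."""
    return all((p - 1) % element_order(a, p) == 0 for a in range(1, p))


def dlog_bruteforce(g: int, y: int, p: int) -> int:
    """Discrete log: smallest x >= 0 with g^x ≡ y (mod p), by exhaustive search.
    This O(p) loop is exactly what makes the DLP hard for large p."""
    x, cur = 0, 1
    while cur != y % p:
        cur = cur * g % p
        x += 1
        if x > p:
            raise ValueError("y is not in <g>")
    return x


if __name__ == "__main__":
    print(generated_subgroup(2, 7))   # [1, 2, 4]
    print(generators(7))              # [3, 5]
    print(dlog_bruteforce(3, 6, 7))   # 3, since 3^3 = 27 ≡ 6 (mod 7)
```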
Ring

• Definition: a ring $R = \langle S, +, \cdot \rangle$ (+ is addition, $\cdot$ is multiplication) such that
– R1: $\forall a, b \in S$: $a + b \in S$, $a \cdot b \in S$ (closure rule)
– R2: $\langle S, + \rangle$ is an additive Abelian group
– R3: $\forall a, b, c \in S$: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
– R4: $\forall a, b, c \in S$: $a \cdot (b + c) = a \cdot b + a \cdot c$ and $(b + c) \cdot a = b \cdot a + c \cdot a$
• Example
– The set of even integers with + and $\cdot$ is a ring
– For primes p, q and n = pq, $Z_n = \{0, 1, \ldots, n-1\}$ with addition and multiplication mod n is a ring
Field

• Definition: a field F is $\langle S, +, \cdot \rangle$ with
– F1: $\langle S, +, \cdot \rangle$ is a commutative ring ($a \cdot b = b \cdot a$)
– F2: there exists an identity element 1 with respect to multiplication: $a \cdot 1 = 1 \cdot a = a$
– F3: any nonzero element $a \in S$ has a unique inverse $a^{-1}$: $a \cdot a^{-1} = a^{-1} \cdot a = 1$
• Example
– $Z_n = \langle \{0, 1, \ldots, n-1\}, +, \cdot \rangle$ is a field if (and only if) n is prime
Relationship

[Figure: nested structures, innermost to outermost: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷); all three are used in cryptography]
Several Important Structures

• $Z_n$
• $Z_n^*$
• $Z_p$
• Polynomial rings
• Galois field $F_{2^n}$
$Z_n$

• $Z_n$ is the "ring" of integers modulo n
– $Z_n = \{0, 1, 2, \ldots, n-1\}$
– normal addition modulo n
– normal multiplication modulo n
• Example
– $Z_{26}$ for English letters
– $Z_{256}$ for ASCII bytes
$Z_n$ Properties

• Additive and multiplicative identities in $Z_n$
– additive identity is 0 mod n
– multiplicative identity is 1 mod n
• Additive inverse: yes, for every x
– a number y such that $x + y = 0$ exists for all x in $Z_n$
• Multiplicative inverse: not for all x
– a number y such that $xy = 1$ does not exist for every x in $Z_n$
– the elements of $Z_n$ that have an inverse are $\{x \mid \gcd(x, n) = 1\}$
$Z_n^*$

• $Z_n^*$ is the "group" of integers modulo n that are coprime to n
– $Z_n^* = \{x \mid \gcd(x, n) = 1\}$
– $|Z_n^*| = \phi(n)$
– normal multiplication modulo n
• $Z_n^*$ may not be a group under +
– Example: n = 20; $3, 5 \in Z_{20}^*$ but $3 + 5 = 8 \notin Z_{20}^*$
• So $Z_n^*$ is in general not a field
$Z_p$

• $Z_p$ is the "field" of integers modulo a prime p
– $Z_p = \{0, 1, 2, \ldots, p-1\}$
– normal addition modulo p
– normal multiplication modulo p
• Example: $Z_2$

  +  | 0  1        ·  | 0  1        w | -w | w^-1
  ---+------       ---+------       --+----+-----
  0  | 0  1        0  | 0  0        0 |  0 |  -
  1  | 1  0        1  | 0  1        1 |  1 |  1

  Addition in $Z_2$ is XOR, multiplication is AND
Polynomial Ring

• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$, where each $a_i \in R$ and $n \ge 0$
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x with coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP (discrete logarithm): Find the exponent x in a congruence (mod p)
• DHP (Diffie–Hellman): Given the powers with exponents a and b (mod p), find the power with exponent ab (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Semantic Security
• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – May leak partial information
  – Approximates perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
• The game (Challenger vs. Adversary)
  – Challenger picks a random key k and a random bit b ∈ {0, 1}
  – Adversary picks M0, M1 of equal length and sends them to the challenger
  – Challenger returns the encryption of Mb; the adversary outputs a guess b'
  – Attacker wins the game if b = b'

Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
• The game (Challenger vs. Adversary)
  1. Challenger picks a random key k
  2. Challenger picks a random message M and returns its encryption
  3. Adversary picks an index i and outputs a guess a
  – Attacker wins the game if a = the i'th bit of M

Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
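The reduction sketched in the proof, played out as an added example (not from the slides): a bit attacker is turned into an IND-CPA adversary that submits two messages differing only in bit i. The two ciphers, the leaked bit position and the byte-level bit numbering are constructed assumptions for illustration.

```python
import random

BLOCK = 4  # message length in bytes (constructed for this example)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(k, m):
    """One-time pad: the challenger picks a fresh random k of len(m) bytes per game."""
    return xor_bytes(k, m)

def leaky_encrypt(k, m):
    """Constructed broken cipher: a one-time pad that leaves the low bit of the
    first byte unmasked, so bit 7 of the plaintext is readable from the ciphertext."""
    c = bytearray(xor_bytes(k, m))
    c[0] = (c[0] & 0xFE) | (m[0] & 1)
    return bytes(c)

def get_bit(data, i):
    """Bit i of a byte string, numbering from the most significant bit of byte 0."""
    return (data[i // 8] >> (7 - i % 8)) & 1

def bit_attacker(c, i):
    """Bit-security adversary: asked for bit i of M given C, it reads the leaked
    bit when i == 7 and otherwise can only guess."""
    return get_bit(c, i) if i == 7 else 0

def random_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))

def bit_game(encrypt, attacker, i, rng):
    """One round of the bit-security game: challenger picks k and M, attacker
    picks i and guesses a; attacker wins if a equals the i-th bit of M."""
    k, m = random_bytes(rng, BLOCK), random_bytes(rng, BLOCK)
    return attacker(encrypt(k, m), i) == get_bit(m, i)

def indcpa_adversary_from_bit_attacker(attacker, i, rng):
    """The reduction from the slide: given a bit attacker, build an IND-CPA adversary.
    It submits M0, M1 that differ only in bit i, runs the bit attacker on the
    challenge ciphertext, and answers b' = the index whose bit i matches the guess."""
    m0 = random_bytes(rng, BLOCK)
    m1 = bytearray(m0)
    m1[i // 8] ^= 1 << (7 - i % 8)
    m1 = bytes(m1)
    def guess(c):
        return 0 if attacker(c, i) == get_bit(m0, i) else 1
    return m0, m1, guess

def indcpa_game(encrypt, adversary_factory, rng):
    """One round of the IND-CPA game from the slide: challenger picks k and b,
    adversary picks M0, M1, receives E_k(M_b) and wins if its guess b' equals b."""
    k = random_bytes(rng, BLOCK)
    b = rng.getrandbits(1)
    m0, m1, guess = adversary_factory(rng)
    c = encrypt(k, m1 if b else m0)
    return guess(c) == b

def win_rates(encrypt, trials=2000, seed=1):
    """Empirical win probability of the bit attacker and of the reduced IND-CPA
    adversary against `encrypt`; 0.5 means no advantage."""
    rng = random.Random(seed)
    bit_wins = sum(bit_game(encrypt, bit_attacker, 7, rng) for _ in range(trials))
    factory = lambda r: indcpa_adversary_from_bit_attacker(bit_attacker, 7, r)
    ind_wins = sum(indcpa_game(encrypt, factory, rng) for _ in range(trials))
    return bit_wins / trials, ind_wins / trials

if __name__ == "__main__":
    print("leaky cipher (bit, IND-CPA):", win_rates(leaky_encrypt))
    print("one-time pad (bit, IND-CPA):", win_rates(otp_encrypt))
```

Whenever the bit attacker wins, the reduced adversary wins too, so the leaky cipher loses both games with probability 1 while the one-time pad leaves both adversaries at about 0.5.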

Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework
• HTTP URL
  http://cst.hit.edu.cn/cryptography
• Due Date

Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, +)
  (addition table of Z8)

Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, ×)
  (multiplication table of Z8)
  – NOT all elements of Z8 have a multiplicative inverse

Modular Arithmetic Remark
• Additive inverse always exists
  – a + (−a) ≡ 0 mod n, −a = n − a
  – if (a + b) ≡ (a + c) mod n then b ≡ c mod n
    • ((−a) + a + b) ≡ ((−a) + a + c) mod n
• Multiplicative inverse does NOT always exist
  – Example: 6 in Z8
  – When does it exist?

Multiplicative Inverse in Modular Arithmetic
• Definition: a^−1 mod n is the multiplicative inverse of a ∈ {1, 2, …, n−1}: the x with a·x ≡ 1 mod n
• Theorem: a^−1 mod n exists if and only if gcd(a, n) = 1
• Lemma: If gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
  – Proof: assume a·i ≡ a·j mod n; then n | a(i − j), so n | (i − j), so i − j = 0, a contradiction

Multiplicative Inverse Theorem
• Proof
  (⇐) gcd(a, n) = 1 ⇒ a·1, …, a·(n−1) mod n is a permutation of 1, …, n−1
    – So there exists exactly one i with a·i ≡ 1 mod n
    – Therefore i is a^−1 mod n
  (⇒) Suppose a^−1 exists, call it x
    – a·x ≡ 1 (mod n), and a·x + y·n = 1 for some integer y
    – gcd(a, n) = 1 (gcd(a, n) | a·x + y·n ⇒ gcd(a, n) | 1)

Euler's phi Function
• Euler's "phi" function φ(n)
  – Is the number of invertible elements of Zn
  – Is the number of elements in the reduced set of residues modulo n
• φ(n) calculation: see the following slides

Chinese Remainder Theorem
• Theorem: let n1, n2, …, nk be integers such that gcd(ni, nj) = 1 (i ≠ j). The system
    x ≡ a1 mod n1
    x ≡ a2 mod n2
    ……
    x ≡ ak mod nk
  has a unique solution x modulo n = n1·n2·…·nk

Proof of CRT
• Consider the one-to-one map Zn → Zn1 × Zn2 × … × Znk
    x ↦ (x mod n1, x mod n2, …, x mod nk)
  – CRT is to find the inverse map, i.e. the x corresponding to (a1, a2, …, ak)
• Inverse of (a1, a2, …, ak) = Σ_{i=1..k} ai·mi·yi mod n
  – mi = n/ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
  – yi = mi^−1 mod ni, 1 ≤ i ≤ k
  – mi ≡ 0 mod nj for j ≠ i ⇒ ai·mi·yi ≡ 0 mod nj for j ≠ i
  – yj ≡ mj^−1 mod nj ⇒ mj·yj ≡ 1 mod nj ⇒ aj·mj·yj ≡ aj mod nj
  ⇒ (Σ_{i=1..k} ai·mi·yi) mod nj = aj

Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof
  – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – So φ(mn) = φ(m)·φ(n)

Finding Euler's phi Function
• φ(n) calculation for n = Π_{i=1..k} pi^ei
  – φ(p) = p − 1, φ(p^e) = p^e − p^(e−1)
    – The numbers k·p with k = 1, …, p^(e−1) − 1 are exactly those with gcd(k·p, p^e) ≥ p
    – So φ(p^e) = (p^e − 1) − (p^(e−1) − 1)
  – φ(Π_{i=1..k} pi^ei) = Π_{i=1..k} (pi^ei − pi^(ei−1))
  – φ(n) = n (1 − 1/p1)(1 − 1/p2)…(1 − 1/pk)

Euler's Theorem
• Theorem: If gcd(a, n) = 1 then a^φ(n) ≡ 1 mod n
• Proof
  1. Let R = {r1, r2, …, r_φ(n)} be a reduced set of residues modulo n
  2. {a·r1, a·r2, …, a·r_φ(n)} is a permutation of R (gcd(a·ri, n) = 1)
  3. Π_{i=1..φ(n)} ri ≡ Π_{i=1..φ(n)} a·ri ≡ a^φ(n) · Π_{i=1..φ(n)} ri mod n
  4. gcd(Π_{i=1..φ(n)} ri, n) = 1. Hence a^φ(n) ≡ 1 mod n

Fermat's Little Theorem
• From Euler's Theorem: let n = p with p prime. Because gcd(a, p) = 1 for all 0 < a < p,
    a^(p−1) ≡ 1 mod p

Finding a^−1 mod n
• Search through 1, …, n−1 until an a^−1 is found such that a·a^−1 ≡ 1 (mod n)
  – T(n) = O(n)
• Compute a^−1 = a^(φ(n)−1) mod n
  – Finding φ(n) requires factoring n
  – T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)

From the Euclidean Algorithm
• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
  ……
• r_{n−1} = s_{n−1}·r0 + t_{n−1}·r1
• r_{n−1} = gcd(r0, r1)
• If s_{n−1}·r0 + t_{n−1}·r1 = 1 then t_{n−1}·r1 ≡ 1 mod r0, so t_{n−1} ≡ r1^−1 mod r0
• Find t_{n−1}

s_i and t_i
• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
  ……
• ri = r_{i−2} − q_{i−1}·r_{i−1} = s_{i−2}·r0 + t_{i−2}·r1 − q_{i−1}·s_{i−1}·r0 − q_{i−1}·t_{i−1}·r1 = si·r0 + ti·r1
    si = s_{i−2} − q_{i−1}·s_{i−1}
    ti = t_{i−2} − q_{i−1}·t_{i−1}
• Only ti is needed: ri = si·r0 + ti·r1 ≡ ti·r1 mod r0

Extended Euclidean Algorithm
Step 1: r0 = n and r1 = a
Step 2: r0 = q1·r1 + r2, r2 = r0 − q1·r1 ≡ −q1·r1 mod n; let x2 = −q1, then r2 ≡ x2·r1 mod n
        r1 = q2·r2 + r3, r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 mod n; let x3 = 1 − x2·q2, then r3 ≡ x3·r1 mod n
        ……
        r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1}, r_{n−1} = r_{n−3} − q_{n−2}·r_{n−2} mod n; let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r1 mod n. Now r_{n−1} = 1
Step 3: Result is x_{n−1} = a^−1 mod n
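The three ways of finding a^−1 mod n from the slides, together with the φ(n) formula and Euler's theorem, as an added example (not code from the slides). The extended Euclidean version keeps only the t_i sequence with the recurrence t_i = t_{i−2} − q_{i−1}·t_{i−1}; the trial-division factorization and all function names are my own.

```python
from math import gcd

def factorize(n):
    """Trial-division factorization n = Π p_i^e_i (adequate for the small n used here)."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def phi(n):
    """φ(n) = Π (p^e − p^(e−1)) over the prime factorization (slide formula)."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result

def phi_by_counting(n):
    """Definition: the number of invertible elements of Z_n, i.e. #{x : gcd(x, n) = 1}."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)

def euler_theorem_holds(a, n):
    """a^φ(n) ≡ 1 (mod n) whenever gcd(a, n) = 1."""
    return gcd(a, n) == 1 and pow(a, phi(n), n) == 1

def inverse_by_search(a, n):
    """Method 1: scan 1..n-1 for x with a·x ≡ 1 (mod n); O(n). None if no inverse."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    return None

def inverse_by_euler(a, n):
    """Method 2: a^{-1} = a^{φ(n)-1} mod n, valid when gcd(a, n) = 1 (needs φ(n),
    i.e. the factorization of n)."""
    if gcd(a, n) != 1:
        return None
    return pow(a, phi(n) - 1, n)

def inverse_by_eea(a, n):
    """Method 3: extended Euclid with r_0 = n, r_1 = a, t_0 = 0, t_1 = 1 and
    t_i = t_{i-2} - q_{i-1}·t_{i-1}; invariant r_i ≡ t_i·a (mod n). When the last
    nonzero remainder is 1, its t is a^{-1} mod n; otherwise gcd(a, n) ≠ 1."""
    r_prev, r = n, a % n
    t_prev, t = 0, 1
    while r != 0:
        q = r_prev // r
        r_prev, r = r, r_prev - q * r
        t_prev, t = t, t_prev - q * t
    if r_prev != 1:
        return None
    return t_prev % n

if __name__ == "__main__":
    print(phi(36), phi_by_counting(36))                 # 12 12
    print(inverse_by_search(3, 7), inverse_by_euler(3, 7), inverse_by_eea(3, 7))   # 5 5 5
    print(inverse_by_eea(6, 8))                          # None: 6 has no inverse in Z_8
```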

Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Algebraic Structures
• Why structures?
  – Cryptographic transforms normally live in some structure
• Definition: An algebraic structure is a set S together with one or more operations (∘) performed on the elements of S
  – Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions

Group
• Definition: A group G = ⟨S, ·⟩ is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S: a·b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
  – G3: ∃e ∈ S, ∀a ∈ S: a·e = e·a = a
  – G4: ∀a ∈ S, ∃a^−1 ∈ S: a·a^−1 = a^−1·a = e
  – [G5, Abelian group] ∀a, b: a·b = b·a

Group Example
• ⟨Z, +⟩: e = 0, a^−1 = −a
• ⟨Zn, +⟩ (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a^−1 = n − a
• ⟨Z2, ⊕⟩ is also a group (⊕ is addition modulo 2, i.e. XOR)
• ⟨Zp*, ·⟩ (Zp* = {1, …, p−1}, '·' is multiplication modulo p)

Group Properties
• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G1 = ⟨S1, ·⟩ is a subgroup of the group G = ⟨S, ·⟩ if S1 ⊆ S
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange's Theorem Proof
(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G the set aH = {a·h | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH because e ∈ H). So the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of a Group Element
• Definition: The order of a group element a is the least positive integer n such that
    a^n = a·a·…·a = e
• The order of a is denoted ord(a)
• Corollary: Suppose G is a finite group of order n and a ∈ G; then ord(a) | n

ord(a) | n Proof
• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G
      a^ord(a) = e, (a^i)^−1 = a^(ord(a)−i)
  – This subgroup is denoted ⟨a⟩; it has ord(a) elements
  – By Lagrange's Theorem the order of ⟨a⟩ divides n, so ord(a) | n

The Generator of a Group
• Definition: If all elements of a group can be generated by a single element g, g is called a generator of the group
• Example
  – Consider ⟨Z7*, ·⟩
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • {1, 2, 4} is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator
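The ⟨Z7*, ·⟩ example and the Lagrange/ord(a) | n argument above, as an added example (not code from the slides): it computes element orders, the subgroups ⟨a⟩, the generators, and the cosets that the proof of Lagrange's theorem says partition the group. Function names are my own; Z20* is an extra constructed case showing a group with no generator.

```python
from math import gcd

def z_star(n):
    """Z_n^* = {x in 1..n-1 : gcd(x, n) = 1}, a group under multiplication mod n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]

def order(a, n):
    """ord(a): the least positive k with a^k ≡ 1 (mod n); requires gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("a must be invertible modulo n")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k

def generated_subgroup(a, n):
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list."""
    elems, x = set(), 1
    for _ in range(order(a, n)):
        x = (x * a) % n
        elems.add(x)
    return sorted(elems)

def generators(n):
    """Elements g of Z_n^* whose powers produce the whole group."""
    group = z_star(n)
    return [g for g in group if order(g, n) == len(group)]

def cosets(subgroup, n):
    """The distinct cosets a·H = {a·h mod n} of a subgroup H of Z_n^*."""
    seen, result = set(), []
    for a in z_star(n):
        if a in seen:
            continue
        coset = sorted((a * h) % n for h in subgroup)
        result.append(coset)
        seen.update(coset)
    return result

def lagrange_check(n):
    """For every a: ord(a) = |<a>| divides |Z_n^*|, and the cosets of <a> partition
    Z_n^* into pieces of size |<a>| (the four steps of the proof)."""
    group = z_star(n)
    for a in group:
        sub = generated_subgroup(a, n)
        parts = cosets(sub, n)
        if len(group) % len(sub) != 0:
            return False
        if sorted(x for part in parts for x in part) != group:
            return False
        if any(len(part) != len(sub) for part in parts):
            return False
    return True

if __name__ == "__main__":
    print(order(2, 7), generated_subgroup(2, 7))   # 3 [1, 2, 4]
    print(generators(7), generators(20))           # [3, 5] []
    print(cosets([1, 2, 4], 7))                    # [[1, 2, 4], [3, 5, 6]]
```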

Ring
• Definition: A ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a·b ∈ S (closure rule)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c
• Example
  – The set of even integers with + and · is a ring
  – p, q two primes, n = pq: Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Field
• Definition: A field F is ⟨S, +, ·⟩ with
  – F1: ⟨S, +, ·⟩ is a commutative ring (a·b = b·a)
  – F2: There exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: Any nonzero element a ∈ S has a unique inverse a^−1: a·a^−1 = a^−1·a = 1
• Example
  – Zn = ⟨{0, 1, …, n−1}, +, ·⟩ is a field if n is a prime

Relationship
• Group: +, −
• Ring: +, −, ×
• Field: +, −, ×, ÷
• Used in cryptography

Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F_{2^n}

Zn
• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z26 for English
  – Z256 for ASCII

Zn Properties
• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: yes
  – For every x in Zn there is a number y such that x + y = 0
• Multiplicative inverse: not for all x
  – A number y with x·y = 1 does not exist for every x in Zn
  – The elements of Zn that have an inverse are {x | gcd(x, n) = 1}

Zn*
• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field

Zp
• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2
    +  | 0 1        ·  | 0 1        w | −w | w^−1
    0  | 0 1        0  | 0 0        0 |  0 |  –
    1  | 1 0        1  | 0 1        1 |  1 |  1
    (+ is XOR)      (· is AND)

Polynomial Ring
• Definition: If R is a commutative ring, a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + a_{n−1}·x^{n−1} + … + a1·x + a0, where each ai ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example
• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^−1(x) mod p(x)

Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1
• Note: when p(x) is irreducible, R[x]/p(x) is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1) Properties
• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S (without 0) is a group over multiplication mod p(x)
  – 1 is e, and the inverse of a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3 + x + 1) is a field

Galois Field
• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is a field ZN (N is prime)
  – + is addition in F, · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over ZN[x]/p(x) is denoted GF(N^n) when n = deg p(x)

Why Galois Field
• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for Z256?
  – Yes – Galois Field

Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
    10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES
• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^−1 ↔ (x^6 + x^4 + x + 1)^−1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES
• Example: 02 · 87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ x
  • 02 · 87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, x·f(x) (i.e. 02 · b7b6b5b4b3b2b1b0) is
  – (b6 b5 b4 b3 b2 b1 b0 0)               if b7 = 0
  – (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)  if b7 = 1
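Arithmetic in Z2[x]/p(x) for both fields on these slides, as an added example (not code from the slides or from AES itself): polynomials are packed into integers, multiplication reduces modulo p(x), inverses use the extended Euclidean algorithm over Z2[x] that the earlier slide mentions, and `xtime` is the shift-and-XOR-00011011 rule above. The function names and the `AES_POLY`/`P3` constants are my own.

```python
def poly_mul_raw(a, b):
    """Multiply two polynomials over Z_2 without reduction (carry-less multiplication).
    Integers encode polynomials: bit i is the coefficient of x^i."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result

def poly_divmod(a, b):
    """Long division a = q·b + r in Z_2[x]; returns (q, r) with deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def gf_mul(a, b, p):
    """Product in Z_2[x]/p(x): multiply, then reduce modulo p(x)."""
    return poly_divmod(poly_mul_raw(a, b), p)[1]

def gf_inv(a, p):
    """Inverse modulo p(x) by the extended Euclidean algorithm in Z_2[x], with the
    same recurrence t_i = t_{i-2} - q_{i-1}·t_{i-1} as the integer version
    (subtraction is XOR in characteristic 2). Requires p(x) irreducible and a ≠ 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r_prev, r = p, a
    t_prev, t = 0, 1
    while r:
        q, rem = poly_divmod(r_prev, r)
        r_prev, r = r, rem
        t_prev, t = t, t_prev ^ poly_mul_raw(q, t)
    if r_prev != 1:
        raise ValueError("a(x) and p(x) are not coprime; is p(x) irreducible?")
    return poly_divmod(t_prev, p)[1]

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES modulus from the slide
P3 = 0b1011        # x^3 + x + 1, the 3-bit example from the earlier slides

def xtime(b):
    """The slide's shortcut for 02·b in GF(2^8): shift left, XOR 00011011 if b7 = 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

if __name__ == "__main__":
    print(hex(gf_inv(0x53, AES_POLY)))                            # 0xca, as on the slide
    print(hex(xtime(0x87)), hex(gf_mul(0x02, 0x87, AES_POLY)))    # 0x15 0x15
    print(bin(gf_mul(0b101, 0b010, P3)))                          # 0b1: (x^2+1)·x = 1
```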

Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers
• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1..N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1..S} p(bi) = 1
• C = {c | c = ek(m), k ∈ K, m ∈ M}
Figure: Sender –m→ Encryption –c→ Decryption –m→ Receiver, with the key k delivered over a secure channel and cryptanalysis observing c; Message Space (P), Key Space (K), Ciphertext Space (C)

Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager
Claude Shannon, 1916–2001

Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = dk(c)]
  – C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
• Pr[P = m | C = c]
    = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
    = (Pr(m) · Σ_{k | m = dk(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(dk(c)))

Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if the probability distribution of P satisfies
    ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y

Proof of ⇐ (the two conditions imply perfect secrecy)
• Pr[x = x | y = y] = ( Σ_{k ∈ K, x = dk(y)} Pr[K = k] · Pr[x = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)] )
• Numerator: Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K| (exactly one key maps x to y, and every key has probability 1/|K|)
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)] = (1/|K|) Σ_{k ∈ K, y ∈ C(k)} Pr[x = dk(y)] = (1/|K|) Σ_{x ∈ P} Pr[x = x] = 1/|K|
• Hence Pr[x = x | y = y] = Pr[x = x]

Proof of ⇒ (perfect secrecy implies the unique-key condition)
• Pr[y] > 0; Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
• Fix x ∈ P and y ∈ C: we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
  – There are no two keys k1 ≠ k2 with ek1(x) = ek2(x)
  – There is a unique key k such that ek(x) = y

Proof of ⇒ (perfect secrecy implies equiprobable keys)
• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with eki(xi) = y
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|
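The distributions from the "Probability Distribution of C" slide and both directions of the perfect secrecy theorem, evaluated on a constructed toy cipher as an added example (not code from the slides): a shift cipher on Z3 with P = C = K = Z3, a non-uniform plaintext distribution, and three key distributions. Exact fractions are used so the equality test in Shannon's definition is not disturbed by rounding.

```python
from fractions import Fraction

def shift_encrypt(k, m, n=3):
    """Constructed toy cipher: shift cipher on Z_n with P = C = K = Z_n."""
    return (m + k) % n

def ciphertext_distribution(keys, plaintexts, enc):
    """Pr[C = c] = Σ_{k : c ∈ C(k)} Pr[K = k]·Pr[P = d_k(c)], computed by enumerating
    every (k, m) pair; `keys` and `plaintexts` map values to probabilities."""
    dist = {}
    for k, pk in keys.items():
        for m, pm in plaintexts.items():
            c = enc(k, m)
            dist[c] = dist.get(c, Fraction(0)) + pk * pm
    return dist

def posterior(keys, plaintexts, enc):
    """Pr[P = m | C = c] = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c], where
    Pr[C = c | P = m] = Σ_{k : e_k(m) = c} Pr[K = k]."""
    pc = ciphertext_distribution(keys, plaintexts, enc)
    post = {}
    for m, pm in plaintexts.items():
        for c, prob_c in pc.items():
            pc_given_m = sum((pk for k, pk in keys.items() if enc(k, m) == c), Fraction(0))
            post[(m, c)] = pc_given_m * pm / prob_c
    return post

def is_perfectly_secret(keys, plaintexts, enc):
    """Shannon's definition: Pr[P = m] = Pr[P = m | C = c] for every m and every c."""
    return all(p == plaintexts[m] for (m, c), p in posterior(keys, plaintexts, enc).items())

def theorem_conditions(keys, plaintexts, enc):
    """The two conditions of the perfect secrecy theorem: every key has probability
    1/|K|, and for every (x, y) exactly one key k has e_k(x) = y."""
    equiprobable = all(pk == Fraction(1, len(keys)) for pk in keys.values())
    ciphertexts = {enc(k, m) for k in keys for m in plaintexts}
    unique_key = all(sum(1 for k in keys if enc(k, x) == y) == 1
                     for x in plaintexts for y in ciphertexts)
    return equiprobable, unique_key

# Constructed distributions over Z_3; the plaintext distribution is deliberately skewed.
PLAINTEXTS = {0: Fraction(1, 2), 1: Fraction(1, 3), 2: Fraction(1, 6)}
UNIFORM_KEYS = {k: Fraction(1, 3) for k in range(3)}
BIASED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
TWO_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 2)}     # |K| < |P|: the "bad news" case

if __name__ == "__main__":
    for name, keys in [("uniform", UNIFORM_KEYS), ("biased", BIASED_KEYS), ("two keys", TWO_KEYS)]:
        print(name, is_perfectly_secret(keys, PLAINTEXTS, shift_encrypt),
              theorem_conditions(keys, PLAINTEXTS, shift_encrypt))
```

Only the uniform key distribution passes Shannon's definition; the biased one fails the equiprobability condition and the two-key one fails the unique-key condition, matching the theorem.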

"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed

Introduction of the Complexity
• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine
• Definition: A Turing Machine is given by a transition function S×B → S×B×{l, r}
  – where S is the set of states, B the set of tape characters, l is shift left and r is shift right
Figure: tape … 0 1 1 0 0 0 1 1 … read by a state machine

Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms
Figure: a PROBLEM has INSTANCES, which are the Input to an ALGORITHM that produces the Output

Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 25
Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )
NOT all elements in Z8
Zhijun Li S1034040Autumn08HIT 26
Modular Arithmetic Remark
bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n
bull ((-a)+a+b) ((-a)+a+c) mod n
bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8
ndash When
Zhijun Li S1034040Autumn08HIT 27
Multiplicative Inverse in Modular
bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n
bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists
bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=
0
Zhijun Li S1034040Autumn08HIT 28
Multiplicative Inverse Theorem
bull Proof
ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1
ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n
ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)
Zhijun Li S1034040Autumn08HIT 29
Eulerrsquos phi Function
bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn
ndash Is the number of elements in the reduced set of residues for modulo n
(n) calculation
Zhijun Li S1034040Autumn08HIT 30
Chinese Remainder Theorem
bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)
x a1 mod n1
x a2 mod n2
helliphellip
x ak mod nk
There exists a unique solution of x modulo n=n1
n2hellipnk
Zhijun Li S1034040Autumn08HIT 31
Proof of CRT
bull Consider a one-to-one map Zn Zn1
Zn2 hellipZnk
(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)
(a1 a2 hellip ak) = i=1kaimiyi mod n
ndash mi = nni gcd(mini)=11ik ndash yi = mi
-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj
-1 mod nj mjyj1 mod nj ajmjyjaj mod nj
(a1 a2 hellip ak) mod nj = aj
Zhijun Li S1034040Autumn08HIT 32
Finding Eulerrsquos phi Function
bull Theorem if gcd(mn)=1 then (mn)=(m)(n)
bull Proof ndash A number x mod mn is represented uniquely by the p
air (a b) (x mod m x mod n) (CRT)
ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
ndash So (mn)=(m)(n)
Zhijun Li S1034040Autumn08HIT 33
Finding Eulerrsquos phi Function
(n) calculation for n = i=1k pi
ei
(p) = p-1 (pe) = pe ndash pe-1
ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1
( i=1kpi
ei ) = i=1k(pi
ei ndash piei -1)
(n) = n(1-1p1)(1-1p2)hellip(1-1pk)
Zhijun Li S1034040Autumn08HIT 34
Eulerrsquos Theorem
bull Theorem If gcd(an)=1 then a(n) 1 mod n
bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues
modulo n
2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)
3 i=1(n) ri = i=1
(n) ari a(n) i=1(n) ri mod n
4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n
Zhijun Li S1034040Autumn08HIT 35
Fermatrsquos Little Theorem
bull For Eulerrsquos Theorem
Let n is p and p is a prime
Because for all 0ltaltp gcd(ap)=1 then
ap-1 1 mod p
Zhijun Li S1034040Autumn08HIT 36
bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)
bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)
bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)
Finding a-1 mod n
Zhijun Li S1034040Autumn08HIT 37
From Euclidean Algorithm
bull r0 =1r0+ 0r1 = s0r0+t0r1
bull r1 =0r0+ 1r1 = s1r0+t1r1
bull r2 = r0-q1r1 = s2r0+t2r1
bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1
helliphellipbull rn-1 = sn-1r0+tn-1r1
bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1
-1 mod r0
bull Find tn-1
Zhijun Li S1034040Autumn08HIT 38
si and ti
bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1
si=si-2-qi-1si-1
ti=ti-2-qi-1ti-1
bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0
Zhijun Li S1034040Autumn08HIT 39
Step 1 r0 =n and r1 =a
Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n
r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n
let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip
rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1
Step 3 Result is xn-2 =a-1 mod n
Extended Euclidean Algorithm
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G1 = <S1, ∘> is a subgroup of the group G = <S, ∘> if S1 ⊆ S
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G
Lagrange Theorem Proof
(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G, the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH since e ∈ H), so the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G
The Order of a Group Element
• Definition: The order of a group element a is the least positive integer n such that a^n = a∘a∘…∘a = e
• The order of a is denoted ord(a)
• Corollary: Suppose G is a finite group of order n and a ∈ G; then ord(a) | n
ord(a) | n Proof
• Proof:
  – For a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operator of G forms a subgroup of G:
    a^{ord(a)} = e, (a^i)^{-1} = a^{ord(a)−i}
  – This subgroup is denoted <a>; its order is ord(a), so by Lagrange's theorem ord(a) divides n
The Generator of a Group
• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group
• Example:
  – Consider <Z7*, ·>
  – 2 generates: 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • <{1, 2, 4}> is a subgroup
  – 3 generates: 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator
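The Z7* example above, carried out for a general prime p as an added example (not code from the lecture): it computes ord(a), the subgroup <a>, every generator of Zp*, and checks the corollary ord(a) | p − 1. It assumes p is prime; function names are my own.

```python
def element_order(a, p):
    """ord(a) in <Z_p^*, ·>: the least k >= 1 with a^k ≡ 1 (mod p).

    Assumes p is prime and 1 <= a < p, so the loop always terminates.
    """
    if not 1 <= a < p:
        raise ValueError("a must lie in Z_p^* = {1, ..., p-1}")
    x, k = a, 1
    while x != 1:
        x = x * a % p
        k += 1
    return k


def generated_subgroup(a, p):
    """<a> = {a^1, a^2, ..., a^ord(a)} as a sorted list (a^ord(a) = e = 1)."""
    return sorted(pow(a, i, p) for i in range(1, element_order(a, p) + 1))


def generators(p):
    """All g with ord(g) = p - 1, i.e. those g whose powers give the whole group."""
    return [g for g in range(1, p) if element_order(g, p) == p - 1]


def lagrange_holds(p):
    """Corollary of Lagrange's theorem: ord(a) divides |Z_p^*| = p - 1 for every a."""
    return all((p - 1) % element_order(a, p) == 0 for a in range(1, p))


if __name__ == "__main__":
    p = 7
    for a in range(1, p):
        print(f"ord({a}) = {element_order(a, p)}   <{a}> = {generated_subgroup(a, p)}")
    print("generators of Z_7^*:", generators(p))
```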
Ring
• Definition: A ring R = <S, +, ·> (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a·b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c
• Example:
  – The set of even integers with + and · is a ring
  – p, q two primes, n = pq: Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring
Field
• Definition: A field F is <S, +, ·> with
  – F1: <S, +, ·> is a commutative ring (a·b = b·a)
  – F2: There exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: Any nonzero element a ∈ S has its unique inverse a^{-1}: a·a^{-1} = a^{-1}·a = 1
• Example:
  – Zn = <{0, 1, …, n−1}, +, ·> is a field if n is a prime
Relationship
• Group: +, −
• Ring: +, −, ×
• Field: +, −, ×, ÷
(All three are used in cryptography)
Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F_{2^n}
Zn
• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example:
  – Z26 for English
  – Z256 for ASCII
Zn Properties
• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: always exists
  – For each x in Zn there is a number y such that x + y = 0
• Multiplicative inverse: not for all x
  – A number y such that x·y = 1
  – The elements in Zn that have an inverse: {x | gcd(x, n) = 1}
Zn*
• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field
Zp
• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2

  + | 0 1      · | 0 1      w | −w | w^{-1}
  --+-----     --+-----     --+----+-------
  0 | 0 1      0 | 0 0      0 |  0 |  none
  1 | 1 0      1 | 0 1      1 |  1 |   1

  (+ is XOR, · is AND)
Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n-1} x^{n-1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Polynomial Ring Example
• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x
Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example:
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x), then b(x) = a^{-1}(x) mod p(x)
Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)
Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S
• Example:
  – x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)
Z2[x]/(x^3 + x + 1) Properties
• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S \ {0} is a group over multiplication mod p(x)
  – 1 is e, and the inverse of every nonzero a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ x + 1 + x mod x^3 + x + 1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3 + x + 1) is a field
Galois Field
• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is the field Z_N (N is prime)
  – + is addition in F; · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted GF(N^n), where n = deg p(x)
Why Galois Fields?
• For an 8-bit block:
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251…255 are wasted
• Is it possible to find a field with 256 elements?
  – Yes: a Galois field
Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)
Galois Field Example: AES
• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example:
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^{-1} ↔ (x^6 + x^4 + x + 1)^{-1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010
Galois Field Example: AES
• Example: compute 02·87
  • 87 = 10000111, f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010, f(x) = x
  • 02·87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, multiplication by x (by 02) on the bits (b7 b6 b5 b4 b3 b2 b1 b0):
  – x·f(x) = (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
  – x·f(x) = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)     if b7 = 1
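GF(2^n) arithmetic as described on the Z2[x]/(x^3 + x + 1) and AES slides, written here as an added example (not the lecture's code): bytes are polynomials over Z2, multiplication by x follows the b7 shift-and-XOR rule, and the inverse is found with the extended Euclidean algorithm on polynomials. The reduction polynomial is a parameter, so the same code handles x^3 + x + 1 and the AES p(x); function names are my own.

```python
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def poly_str(v):
    """Render an integer's bits as a polynomial over Z2, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    terms = []
    for i in range(v.bit_length() - 1, -1, -1):
        if v >> i & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms) if terms else "0"


def gf_reduce(v, poly):
    """v mod p(x): repeatedly cancel the top bit with a shifted copy of p(x)."""
    deg_p = poly.bit_length() - 1
    while v.bit_length() - 1 >= deg_p:
        v ^= poly << (v.bit_length() - 1 - deg_p)
    return v


def gf_xtime(a, poly=AES_POLY):
    """Multiply by x: shift left; if the bit that falls out (b7 for AES) is 1,
    XOR with p(x), which clears that bit and adds the low part (00011011 for AES)."""
    deg_p = poly.bit_length() - 1
    a <<= 1
    if a >> deg_p & 1:
        a ^= poly
    return a


def gf_mul(a, b, poly=AES_POLY):
    """a(x)·b(x) mod p(x): add a·x^i for every set bit i of b (addition is XOR)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = gf_xtime(a, poly)
        b >>= 1
    return result


def poly_divmod(a, b):
    """Quotient and remainder of a(x) / b(x) in Z2[x] (no reduction mod p)."""
    quotient, deg_b = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= deg_b:
        shift = a.bit_length() - 1 - deg_b
        quotient ^= 1 << shift
        a ^= b << shift
    return quotient, a


def poly_mul_raw(a, b):
    """Carry-less product a(x)·b(x) in Z2[x], without reduction."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def gf_inv(a, poly=AES_POLY):
    """a(x)^{-1} mod p(x) by the extended Euclidean algorithm on polynomials:
    r0 = p(x), r1 = a(x), and r_i ≡ t_i·a(x) (mod p(x)) with t_i = t_{i-2} + q_{i-1}·t_{i-1}."""
    if a == 0:
        raise ValueError("0 has no multiplicative inverse")
    r_prev, r_cur = poly, a
    t_prev, t_cur = 0, 1
    while r_cur != 1:
        q, rem = poly_divmod(r_prev, r_cur)
        r_prev, r_cur = r_cur, rem
        t_prev, t_cur = t_cur, t_prev ^ poly_mul_raw(q, t_cur)
        if r_cur == 0:
            raise ValueError("not invertible: p(x) is reducible or a is 0")
    return gf_reduce(t_cur, poly)


if __name__ == "__main__":
    print("02 * 87 =", hex(gf_mul(0x02, 0x87)))
    inv = gf_inv(0x53)
    print(f"({poly_str(0x53)})^-1 = {poly_str(inv)} = {inv:08b}")
    print("in GF(2^3):", poly_str(gf_mul(0b101, 0b010, 0b1011)))
```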
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers
• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ P}
[Diagram: Sender → Encryption (m → c) → Decryption → Receiver; the key k reaches both ends over a secure channel; cryptanalysis observes c. Labels: Key Space (K), Message Space (P), Ciphertext Space (C)]
Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager
Claude Shannon, 1916–2001
Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k | m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)) )
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P,
  ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and ∀x ∈ P and ∀y ∈ C there is a unique key k such that e_k(x) = y
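The definition and the theorem above, checked numerically on a constructed toy cipher, as an added example (not from the lecture): Pr[C = c] and Pr[P = m | C = c] are computed from the formulas on the "Probability Distribution of C" slide with exact fractions, and a shift cipher over Z5 is tested with a uniform key, a biased key, and a key space smaller than the plaintext space. The distributions and function names are my own.

```python
from fractions import Fraction


def shift_encrypt(k, m, n=5):
    """Constructed toy cipher: shift over Z_n, e_k(m) = m + k mod n."""
    return (m + k) % n


def ciphertext_distribution(p_dist, k_dist, enc):
    """Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] * Pr[P = m]."""
    dist = {}
    for k, pk in k_dist.items():
        for m, pm in p_dist.items():
            c = enc(k, m)
            dist[c] = dist.get(c, 0) + pk * pm
    return dist


def posterior(p_dist, k_dist, enc, m, c):
    """Pr[P = m | C = c] = Pr[P = m] * sum_{k : e_k(m) = c} Pr[K = k] / Pr[C = c]."""
    pc = ciphertext_distribution(p_dist, k_dist, enc).get(c, 0)
    if pc == 0:
        raise ValueError("conditioning on a ciphertext of probability 0")
    keys = sum(pk for k, pk in k_dist.items() if enc(k, m) == c)
    return p_dist[m] * keys / pc


def is_perfectly_secret(p_dist, k_dist, enc):
    """Shannon's definition: Pr[P = m | C = c] = Pr[P = m] for every m and every c with Pr[C = c] > 0."""
    c_dist = ciphertext_distribution(p_dist, k_dist, enc)
    return all(
        posterior(p_dist, k_dist, enc, m, c) == pm
        for c, pc in c_dist.items() if pc > 0
        for m, pm in p_dist.items()
    )


def theorem_conditions(plaintexts, ciphertexts, k_dist, enc):
    """The two conditions of the theorem (|K| = |P| = |C| assumed): every key has
    probability 1/|K|, and each pair (x, y) has exactly one key with e_k(x) = y."""
    uniform = all(pk == Fraction(1, len(k_dist)) for pk in k_dist.values())
    unique = all(
        sum(1 for k in k_dist if enc(k, x) == y) == 1
        for x in plaintexts for y in ciphertexts
    )
    return uniform and unique


# Constructed distributions: a skewed plaintext distribution on Z_5 and three key distributions.
P_DIST = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 16), 4: Fraction(1, 16)}
K_UNIFORM = {k: Fraction(1, 5) for k in range(5)}
K_BIASED = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8), 3: Fraction(1, 8), 4: Fraction(1, 8)}
K_SMALL = {k: Fraction(1, 3) for k in range(3)}   # |K| < |P|: the "bad news" theorem below

if __name__ == "__main__":
    for name, kd in [("uniform", K_UNIFORM), ("biased", K_BIASED), ("small", K_SMALL)]:
        print(f"{name:8s} perfect secrecy: {is_perfectly_secret(P_DIST, kd, shift_encrypt)}")
```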
Proof of ⇐ (the two conditions imply perfect secrecy)
• Pr[x = x | y = y] = ( Σ_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[x = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)] )
• Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|   (exactly one such key, each with probability 1/|K|)
• Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)] = (1/|K|) · Σ_{k ∈ K, y ∈ C(k)} Pr[x = d_k(y)] = (1/|K|) · Σ_{x ∈ P} Pr[x = x] = 1/|K|
• Hence Pr[x = x | y = y] = Pr[x = x]
Proof of ⇒ (perfect secrecy implies a unique key)
• Pr[y] > 0; Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
• Fix x ∈ P; for every y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – There is a unique key k such that e_k(x) = y
Proof of ⇒ (perfect secrecy implies equiprobable keys)
• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with e_{ki}(x_i) = y
• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = ki] · Pr[x_i] / Pr[y]
• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof:
  – Consider a nonzero probability distribution on P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
Introduction to Complexity
• Perfect secrecy ⇒ key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography:
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that recovering the key (or plaintext) is difficult
  – Complexity is the foundation of modern cryptography
Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example:
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: A Turing machine is δ: S × B → S × B × {l, r}
  – where S is the set of states, B the set of tape characters, l is shift left, r is shift right
[Diagram: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a state machine]
Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Problems and Algorithms
[Diagram: a PROBLEM has INSTANCES; an instance is the Input of an ALGORITHM, which produces the Output]
Complexity of an Algorithm
• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF):
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Complexity of a Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
  – The complexity of a problem is much more difficult to establish
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problems
• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing halting problem
• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: A → B
  – NP: can be solved in polynomial time using an NDTM: S × B → 2^S
  – BPP: can be "solved" in polynomial time using a PTM: S × B × {0, 1} → S (randomized algorithms)
NP Problems
• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark:
  – P problems ⊆ NP problems
  – NP problems are "more difficult", by intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note:
  – Q2 is at least as complex as Q1
  – Denoted as Q1 ≤_poly Q2
NP Completeness (NPC)
• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc
• Example:
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC?
  – SAT ≤_poly Q
P = NP?
• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP:
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P:
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are foundations of modern cryptography
BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP:
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Problems in Cryptography
• FACTORING: factorize n (= p1^{e1} · p2^{e2} · … · pk^{ek})
• DLP: find x satisfying g^x ≡ h (mod p)
• DHP: find g^{ab} (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)
Semantic Security
• Ideas of semantic security:
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of semantic security:
  – Indistinguishability of ciphertexts
  – Difficult to distinguish ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game:
  – Challenger: picks a random k and a random b ∈ {0, 1}
  – Adversary: picks M0, M1 of equal length and sends them to the challenger
  – Challenger: returns the encryption of Mb under k
  – Adversary: outputs a guess b'
  – The attacker wins the game if b = b'
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game:
  – Challenger: 1. picks a random k; 2. picks a random M and sends its encryption
  – Adversary: 3. picks i and outputs a guess a
  – The attacker wins the game if a = the i'th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
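The two games above and the reduction in the proof sketch, simulated as an added example (not code from the lecture): a one-time pad is compared with a constructed "leaky" cipher that copies bit 0 of the message into the ciphertext, a bit-security attacker reads that bit, and the reduction turns it into an IND-CPA attacker by choosing M0, M1 that differ only at the bit it predicts. Cipher and class names are my own.

```python
import random

N_BITS = 8   # messages, keys and ciphertexts are N_BITS-bit integers


def otp_encrypt(key, msg):
    """One-time pad: c = m XOR k with a fresh random key each game."""
    return msg ^ key


def leaky_encrypt(key, msg):
    """Constructed bad cipher: OTP on bits 1..7, but bit 0 of the message is copied in the clear."""
    return ((msg ^ key) & ~1) | (msg & 1)


class LowBitAdversary:
    """Bit-security attacker: asks for bit 0 and reads it straight off the ciphertext."""

    def choose_index(self, n_bits):
        return 0

    def guess_bit(self, c, i):
        return (c >> i) & 1


def bit_security_game(encrypt, adversary, n_bits, trials, rng):
    """Play the bit-security game `trials` times; return the attacker's win rate."""
    wins = 0
    for _ in range(trials):
        k = rng.getrandbits(n_bits)            # 1. challenger picks random k
        m = rng.getrandbits(n_bits)            # 2. challenger picks random M
        c = encrypt(k, m)
        i = adversary.choose_index(n_bits)     # 3. attacker picks i
        wins += adversary.guess_bit(c, i) == (m >> i) & 1
    return wins / trials


class IndFromBitAdversary:
    """The reduction: an IND-CPA attacker built from any bit-security attacker.
    M0 is random and M1 = M0 with bit i flipped, so the predicted bit reveals b."""

    def __init__(self, bit_adv, rng):
        self.bit_adv, self.rng = bit_adv, rng

    def choose_messages(self, n_bits):
        self.i = self.bit_adv.choose_index(n_bits)
        self.m0 = self.rng.getrandbits(n_bits)
        return self.m0, self.m0 ^ (1 << self.i)  # equal length, differ only at bit i

    def guess(self, c):
        a = self.bit_adv.guess_bit(c, self.i)
        return 0 if a == (self.m0 >> self.i) & 1 else 1


def ind_cpa_game(encrypt, adversary, n_bits, trials, rng):
    """Play the IND-CPA (eavesdropper) game `trials` times; return the attacker's win rate."""
    wins = 0
    for _ in range(trials):
        k, b = rng.getrandbits(n_bits), rng.getrandbits(1)   # challenger: random k and b
        m0, m1 = adversary.choose_messages(n_bits)           # adversary: M0, M1
        c = encrypt(k, (m0, m1)[b])                          # challenger: E(k, M_b)
        wins += adversary.guess(c) == b                      # adversary: b'
    return wins / trials


if __name__ == "__main__":
    rng = random.Random(2024)
    for name, enc in (("OTP", otp_encrypt), ("leaky", leaky_encrypt)):
        bit = bit_security_game(enc, LowBitAdversary(), N_BITS, 2000, rng)
        ind = ind_cpa_game(enc, IndFromBitAdversary(LowBitAdversary(), rng), N_BITS, 2000, rng)
        print(f"{name:6s} bit-game win rate {bit:.3f}   IND-CPA win rate {ind:.3f}")
```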
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework
• HTTP URL: httpcsthiteducncryptography
• Due Date:
Zhijun Li S1034040Autumn08HIT 37
From Euclidean Algorithm
bull r0 =1r0+ 0r1 = s0r0+t0r1
bull r1 =0r0+ 1r1 = s1r0+t1r1
bull r2 = r0-q1r1 = s2r0+t2r1
bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1
helliphellipbull rn-1 = sn-1r0+tn-1r1
bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1
-1 mod r0
bull Find tn-1
Zhijun Li S1034040Autumn08HIT 38
si and ti
bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1
si=si-2-qi-1si-1
ti=ti-2-qi-1ti-1
bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0
Zhijun Li S1034040Autumn08HIT 39
Step 1 r0 =n and r1 =a
Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n
r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n
let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip
rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1
Step 3 Result is xn-2 =a-1 mod n
Extended Euclidean Algorithm
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
bull Definition The order of a finite group is the number of the elements in the group
bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S
bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H
(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a
ll coset is a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of Group Element
bull Definition The order of group element a is defined as the least positive integer n that
an = a a hellip a =e
bull The order of a is denoted as ord(a)
bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n
Zhijun Li S1034040Autumn08HIT 47
ord(a)|n Proof
bull Proofndash For group G and aG the set a a2 hellip aord
(a) and the operator of G forms a subgroup of G
aord(a)=e (ai)-1=a(ord(a)-i)
ndash This subgroup is denoted as ltagt
Zhijun Li S1034040Autumn08HIT 48
The Generator of Group
bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group
bull Examplendash Considering the ltZ7
gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod
7hellipbull lt124gt subgroup
ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator
Zhijun Li S1034040Autumn08HIT 49
Ringbull Definition A ring R=ltS+gt (+ is addition is
multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac
bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio
n and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic
ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers
e a-1 a = a-1 a = 1
bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
Field +-x
Relationship
Ring +-x
+-Group
Used In Cryptography
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
bull Zn
bull Zn
bull Zp
bull Polynomial Rings
bull Galois Field F2n
Zhijun Li S1034040Autumn08HIT 53
Zn
bull Zn is the ldquoringrdquo of integers modulo n
ndash Zn=0 1 2 hellipn-1
ndash Normal addition modulo nndash Normal multiplication modulo n
bull Example
ndash Z26 for English
ndash Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
bull Additive and multiplicative identities in Zn
ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n
bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn
bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn
ndash The elements in Zn have inverse x|gcd(xn)=1
Zhijun Li S1034040Autumn08HIT 55
Zn
bull Zn is a ldquogrouprdquo of integers modulo n
ndash Zn=x| gcd(xn)=1
ndash |Zn|=(n)
ndash Normal multiplication modulo n
bull Zn may not a group over +
ndash Example n=20 35 Zn but 3+5=8 Zn
bull So Zn may not a field
Zhijun Li S1034040Autumn08HIT 56
Zp
bull Zp is the ldquofieldrdquo of integers modulo n
ndash Zp=012hellipp-1
ndash Normal addition modulo pndash Normal multiplication modulo p
bull ExampleZ2+ 0 1
01
0 11 0
0 1
01
0 00 1
w -w w-1
01
01 1
XOR AND
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0
bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of the "if" direction (⇐)
• Pr[x = x | y = y] = ( Σ_{k ∈ K, x = dk(y)} Pr[K = k] · Pr[x = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)] )
• Numerator: there is a unique key with dk(y) = x and every key has probability 1/|K|, so Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K|
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)] = (1/|K|) · Σ_{k ∈ K, y ∈ C(k)} Pr[x = dk(y)] = (1/|K|) · Σ_{x ∈ P} Pr[x = x] = 1/|K|
• Hence Pr[x = x | y = y] = (1/|K|) · Pr[x = x] / (1/|K|) = Pr[x = x]
Proof of the "only if" direction (⇒), part 1: the key is unique
• Pr[y] > 0, and Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P and y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
• |{ ek(x) | k ∈ K }| = |C| = |K|
  – So there are no k1 ≠ k2 with ek1(x) = ek2(x)
  – There is a unique key k such that ek(x) = y
Proof of the "only if" direction (⇒), part 2: keys are equiprobable
• Let n = |K| and P = { xi | 1 ≤ i ≤ n }
• Given a fixed y, let k1, k2, …, kn be the keys with e_{ki}(xi) = y
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n. Any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c,  for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
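The ciphertext distribution, the Bayes posterior and the perfect-secrecy test from the last few slides can be checked by brute force on a cipher small enough to enumerate. The Python below is an added example, not from the slides: a shift cipher on Z3 (constructed), a constructed non-uniform plaintext distribution, and three constructed key distributions, one uniform, one biased, and one with only two keys so that |K| < |P|.

```python
# Added example (not from the slides): brute-force check of Shannon's
# perfect-secrecy condition on a tiny, fully enumerable cipher.
from fractions import Fraction

N = 3  # constructed: plaintext, key and ciphertext spaces are all Z3


def shift_encrypt(k: int, m: int) -> int:
    """e_k(m) = m + k mod N (a shift cipher on Z3, constructed for the example)."""
    return (m + k) % N


def ciphertext_distribution(enc, msg_dist, key_dist):
    """Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] * Pr[P = m]."""
    pc = {}
    for k, pk in key_dist.items():
        for m, pm in msg_dist.items():
            c = enc(k, m)
            pc[c] = pc.get(c, Fraction(0)) + pk * pm
    return pc


def posterior(enc, msg_dist, key_dist, m, c):
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c] (Bayes)."""
    pc = ciphertext_distribution(enc, msg_dist, key_dist)[c]
    # Pr[C = c | P = m] is the total probability of the keys that map m to c
    pc_given_m = sum((pk for k, pk in key_dist.items() if enc(k, m) == c), Fraction(0))
    return pc_given_m * msg_dist[m] / pc


def has_perfect_secrecy(enc, msg_dist, key_dist) -> bool:
    """Shannon secure iff Pr[P = m | C = c] = Pr[P = m] for every m and every reachable c."""
    for c in ciphertext_distribution(enc, msg_dist, key_dist):
        for m, pm in msg_dist.items():
            if posterior(enc, msg_dist, key_dist, m, c) != pm:
                return False
    return True


# Constructed distributions: plaintexts are deliberately non-uniform so the
# condition cannot be satisfied by accident.
MSG = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
UNIFORM_KEYS = {0: Fraction(1, 3), 1: Fraction(1, 3), 2: Fraction(1, 3)}
BIASED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
SHORT_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 2)}   # |K| = 2 < |P| = 3

if __name__ == "__main__":
    for name, keys in [("uniform", UNIFORM_KEYS), ("biased", BIASED_KEYS), ("too few", SHORT_KEYS)]:
        print(f"{name:8s} keys: perfect secrecy = {has_perfect_secrecy(shift_encrypt, MSG, keys)}")
    # with biased keys, observing c = 0 moves Pr[P = 0] from 1/2 to 2/3
    print("Pr[P=0 | C=0] under biased keys:", posterior(shift_encrypt, MSG, BIASED_KEYS, 0, 0))
```

Only the uniform key distribution passes. The biased one shifts Pr[P = 0 | C = 0] from 1/2 to 2/3, and the two-key one makes some plaintexts impossible for a given ciphertext, which is exactly what the |K| ≥ n theorem says must happen.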
Introduction to Complexity
• Perfect secrecy: key length ≥ message length
  – Cannot use one key to encrypt many messages
  – For example, using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography
Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: A Turing Machine is a transition function δ: S × B → S × B × {l, r}
  – where S is the set of states, B the tape alphabet (characters), l is shift left and r is shift right
[Figure: an infinite tape "… 0 1 1 0 0 0 1 1 …" read by a head driven by a State Machine]
Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem
Problems and Algorithms
[Figure: a PROBLEM has many INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output]
Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, or the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problem
• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: A B
  – NP – can be solved in polynomial time using an NDTM (δ: S × B → 2^S, several possible next moves)
  – BPP – can be "solved" in polynomial time using a PTM (δ: S × B × {0, 1} → S), i.e. randomized algorithms
NP Problem
• NP ⊇ P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P Problem ⊆ NP Problem
  – NP problems are "more difficult", intuitively
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x ∈ I1: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is at least as complex as Q1
  – Denoted as Q1 ≤poly Q2
NP Completeness (NPC)
• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NP is NPC
  – Show SAT ≤poly Q
P = NP?
• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography
BPP
• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Find x satisfying g^x ≡ h (mod p)
• DHP: Find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)
Semantic Security
• Ideas of Semantic Security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of Semantic Security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game
  – Challenger: picks a random key k and a random bit b ∈ {0, 1}
  – Adversary: picks M0, M1 of equal length and sends them to the challenger
  – Challenger: returns c = ek(Mb)
  – Adversary: outputs a guess b'
  – The attacker wins the game if b = b'
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
  – Challenger: 1. picks a random key k; 2. picks a random message M and sends c = ek(M)
  – Adversary: 3. picks a bit position i and outputs a guess a
  – The attacker wins the game if a = the i'th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
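The eavesdropper IND game of the IND-CPA slide can be played in code. The Python below is an added example, not from the slides: a constructed weak cipher that XORs every byte with a single key byte, a one-time pad with a fresh key per encryption, and an adversary that submits M0 = "AA", M1 = "AB" and guesses b from whether the two ciphertext bytes are equal. The seeded random.Random is an assumption made for reproducibility.

```python
# Added example (not from the slides): simulating the eavesdropper IND game
# against a constructed leaky cipher and against a one-time pad.
import random


def repeated_key_encrypt(key: int, m: bytes) -> bytes:
    """Constructed weak cipher: XOR every byte with the same key byte.
    Equal plaintext bytes always give equal ciphertext bytes, so a relation
    between plaintext bytes leaks even though the key itself stays hidden."""
    return bytes(x ^ key for x in m)


def otp_encrypt(key: bytes, m: bytes) -> bytes:
    """One-time pad: a fresh random key of message length for every encryption."""
    assert len(key) == len(m)
    return bytes(x ^ k for x, k in zip(m, key))


class EqualBytesAdversary:
    """Submits M0 = b'AA', M1 = b'AB' and guesses b from whether the two ciphertext bytes are equal."""

    def choose(self):
        return b"AA", b"AB"

    def guess(self, c: bytes) -> int:
        return 0 if c[0] == c[1] else 1


def ind_game(encrypt, keygen, adversary, rng) -> bool:
    """One round: the challenger picks k and b, the adversary picks M0, M1 of equal
    length, receives c = e_k(M_b) and outputs b'. Returns True if b' = b."""
    k = keygen(rng)
    b = rng.randrange(2)
    m0, m1 = adversary.choose()
    assert len(m0) == len(m1)
    c = encrypt(k, m1 if b == 1 else m0)
    return adversary.guess(c) == b


def win_rate(encrypt, keygen, adversary, trials: int, seed: int = 1) -> float:
    """Empirical Pr[b' = b] over many rounds; the adversary's advantage is win_rate - 0.5."""
    rng = random.Random(seed)
    wins = sum(ind_game(encrypt, keygen, adversary, rng) for _ in range(trials))
    return wins / trials


def single_byte_key(rng):
    return rng.randrange(256)


def two_byte_key(rng):
    return bytes(rng.randrange(256) for _ in range(2))


if __name__ == "__main__":
    adv = EqualBytesAdversary()
    print("repeated-key cipher:", win_rate(repeated_key_encrypt, single_byte_key, adv, 2000))
    print("one-time pad:       ", win_rate(otp_encrypt, two_byte_key, adv, 2000))
```

Against the repeated-key cipher the adversary wins every round, so the cipher is not (t, ε) IND secure for any ε < 1/2 even though no key is ever recovered; against the one-time pad the win rate is statistically 1/2, i.e. no advantage. The point of the definition is that leaking any relation between plaintexts already breaks it.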
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework
• HTTP URL
  http://cs.hit.edu.cn/cryptography
• Due Date
Multiplicative Inverse in Modular Arithmetic
• Definition: a^-1 mod n is the multiplicative inverse of a ∈ {1, 2, …, n-1} when a · a^-1 ≡ 1 mod n
• Theorem: a^-1 mod n exists if and only if gcd(a, n) = 1
• Lemma: If gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
  – Proof: assume a·i ≡ a·j mod n; then n | a(i-j), so n | (i-j), so i-j = 0, a contradiction
Multiplicative Inverse Theorem
• Proof (if gcd(a, n) = 1 then a^-1 exists)
  – gcd(a, n) = 1 ⇒ a·{1, …, n-1} mod n is a permutation of {1, …, n-1}
  – So there exists exactly one i with a·i ≡ 1 mod n
  – Therefore i is a^-1 mod n
• Proof (if a^-1 exists then gcd(a, n) = 1)
  – Suppose a^-1 exists; call it x
  – a·x ≡ 1 (mod n), so a·x + y·n = 1 for some integer y
  – gcd(a, n) = 1 (since gcd(a, n) | a·x + y·n ⇒ gcd(a, n) | 1)
Euler's phi Function
• Euler's "phi" function φ(n)
  – is the number of invertible elements of Zn
  – is the number of elements in the reduced set of residues modulo n
• φ(n) calculation
Chinese Remainder Theorem
• Theorem: let n1, n2, …, nk be integers s.t. gcd(ni, nj) = 1 (i ≠ j). For the system
    x ≡ a1 mod n1
    x ≡ a2 mod n2
    ……
    x ≡ ak mod nk
  there exists a unique solution x modulo n = n1·n2·…·nk
Proof of CRT
• Consider the one-to-one map f: Zn → Zn1 × Zn2 × … × Znk, f(x) = (x mod n1, x mod n2, …, x mod nk)
  – CRT is to find f^-1(a1, a2, …, ak)
• f^-1(a1, a2, …, ak) = Σ_{i=1}^{k} ai·mi·yi mod n
  – mi = n/ni; gcd(mi, ni) = 1, 1 ≤ i ≤ k
  – yi = mi^-1 mod ni, 1 ≤ i ≤ k
  – mi ≡ 0 mod nj for j ≠ i ⇒ ai·mi·yi ≡ 0 mod nj for j ≠ i
  – yj ≡ mj^-1 mod nj ⇒ mj·yj ≡ 1 mod nj ⇒ aj·mj·yj ≡ aj mod nj
  – Hence f^-1(a1, a2, …, ak) mod nj = aj
Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof
  – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – So φ(mn) = φ(m)·φ(n)
Finding Euler's phi Function
• φ(n) calculation for n = Π_{i=1}^{k} pi^ei
• φ(p) = p - 1; φ(p^e) = p^e - p^(e-1)
  – The numbers k·p, k = 1, …, p^(e-1) - 1, have gcd(k·p, p^e) ≥ p (together with 0 they are the non-invertible residues)
  – So φ(p^e) = (p^e - 1) - (p^(e-1) - 1)
• φ(Π_{i=1}^{k} pi^ei) = Π_{i=1}^{k} (pi^ei - pi^(ei-1))
• φ(n) = n·(1 - 1/p1)·(1 - 1/p2)·…·(1 - 1/pk)
Euler's Theorem
• Theorem: If gcd(a, n) = 1 then a^φ(n) ≡ 1 mod n
• Proof
  1. Let R = {r1, r2, …, r_φ(n)} be a reduced set of residues modulo n
  2. {a·r1, a·r2, …, a·r_φ(n)} is a permutation of R (since gcd(a·ri, n) = 1)
  3. Π_{i=1}^{φ(n)} ri ≡ Π_{i=1}^{φ(n)} a·ri ≡ a^φ(n) · Π_{i=1}^{φ(n)} ri mod n
  4. gcd(Π_{i=1}^{φ(n)} ri, n) = 1, hence a^φ(n) ≡ 1 mod n
Fermat's Little Theorem
• From Euler's Theorem
  – Let n = p where p is a prime
  – Because gcd(a, p) = 1 for all 0 < a < p, we get a^(p-1) ≡ 1 mod p
Zhijun Li S1034040Autumn08HIT 36
bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)
bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)
bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)
Finding a-1 mod n
Zhijun Li S1034040Autumn08HIT 37
From the Euclidean Algorithm
• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 - q1·r1 = s2·r0 + t2·r1
• r3 = r1 - q2·r2 = r1 - q2·(r0 - q1·r1) = s3·r0 + t3·r1
• ……
• r_{n-1} = s_{n-1}·r0 + t_{n-1}·r1
• r_{n-1} = gcd(r0, r1)
• If s_{n-1}·r0 + t_{n-1}·r1 = 1, then t_{n-1}·r1 ≡ 1 mod r0, so t_{n-1} ≡ r1^-1 mod r0
• Find t_{n-1}
s_i and t_i
• r0 = s0·r0 + t0·r1, with s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, with s1 = 0, t1 = 1
• ……
• ri = r_{i-2} - q_{i-1}·r_{i-1} = s_{i-2}·r0 + t_{i-2}·r1 - q_{i-1}·s_{i-1}·r0 - q_{i-1}·t_{i-1}·r1 = si·r0 + ti·r1
    si = s_{i-2} - q_{i-1}·s_{i-1}
    ti = t_{i-2} - q_{i-1}·t_{i-1}
• Only ti is needed: ri = si·r0 + ti·r1 ≡ ti·r1 mod r0
Extended Euclidean Algorithm
• Step 1: r0 = n and r1 = a
• Step 2:
    r0 = q1·r1 + r2, so r2 = r0 - q1·r1 ≡ -q1·r1 mod n; let x2 = -q1, then r2 ≡ x2·r1 mod n
    r1 = q2·r2 + r3, so r3 = r1 - q2·r2 ≡ (1 - x2·q2)·r1 mod n; let x3 = 1 - x2·q2, then r3 ≡ x3·r1 mod n
    ……
    r_{n-3} = q_{n-2}·r_{n-2} + r_{n-1}, so r_{n-1} = r_{n-3} - q_{n-2}·r_{n-2} mod n; let x_{n-1} = x_{n-3} - x_{n-2}·q_{n-2}, then r_{n-1} ≡ x_{n-1}·r1 mod n. Now r_{n-1} = 1
• Step 3: Result is x_{n-1} ≡ a^-1 mod n
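The three methods of the "Finding a^-1 mod n" slide and the s_i, t_i bookkeeping of the last three slides, as an added Python example that is not from the slides. egcd_table records every row (r_i, q_{i-1}, s_i, t_i) so the invariant r_i = s_i·r0 + t_i·r1 can be checked row by row; the inputs (3120 and 17, 240 and 46) are constructed.

```python
# Added example (not from the slides): the extended Euclidean algorithm with the
# s_i, t_i bookkeeping of the slides, next to the two slower ways of finding
# a^-1 mod n.
from math import gcd


def egcd_table(r0: int, r1: int):
    """Rows (r_i, q_{i-1}, s_i, t_i) with r_i = s_i*r0 + t_i*r1 on every row.
    Row i is built from rows i-2 and i-1:  r_i = r_{i-2} - q_{i-1} r_{i-1},
    s_i = s_{i-2} - q_{i-1} s_{i-1},  t_i = t_{i-2} - q_{i-1} t_{i-1}."""
    rows = [(r0, None, 1, 0), (r1, None, 0, 1)]
    while rows[-1][0] != 0:
        r_prev, _, s_prev, t_prev = rows[-2]
        r_cur, _, s_cur, t_cur = rows[-1]
        q = r_prev // r_cur
        rows.append((r_prev - q * r_cur, q, s_prev - q * s_cur, t_prev - q * t_cur))
    return rows


def inverse_eea(a: int, n: int) -> int:
    """Slide method 3: a^-1 mod n from the last nonzero remainder row; if that
    remainder is 1, its t is the inverse because s*n vanishes mod n."""
    rows = egcd_table(n, a)
    g, _, _, t = rows[-2]            # last nonzero remainder is gcd(n, a)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {g})")
    return t % n


def inverse_search(a: int, n: int) -> int:
    """Slide method 1: scan 1..n-1 for x with a*x ≡ 1 (mod n); O(n) steps."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    raise ValueError(f"{a} has no inverse mod {n}")


def inverse_euler(a: int, n: int) -> int:
    """Slide method 2: a^-1 = a^(phi(n)-1) mod n. phi(n) is counted directly here;
    for large n that step needs the factorization of n."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} has no inverse mod {n}")
    phi = sum(1 for x in range(1, n) if gcd(x, n) == 1)
    return pow(a, phi - 1, n)


if __name__ == "__main__":
    for row in egcd_table(3120, 17):
        print(row)
    print(inverse_eea(17, 3120), inverse_search(17, 3120), inverse_euler(17, 3120))
```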
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Algebraic Structures
• Why structures?
  – Cryptographic transforms normally operate inside some structure
• Definition: an algebraic structure is the collection of a set S with one or more operations (∘) performed on the elements of S
  – Different algebraic structures are ⟨S, ∘⟩ satisfying specific conditions
Group
• Definition: A group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S: a ∘ b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S: (a ∘ b) ∘ c = a ∘ (b ∘ c)
  – G3: ∃e ∈ S ∀a ∈ S: a ∘ e = e ∘ a = a
  – G4: ∀a ∈ S ∃a^-1 ∈ S: a ∘ a^-1 = a^-1 ∘ a = e
  – [G5, Abelian group]: ∀a, b: a ∘ b = b ∘ a
Group Example
• ⟨Z, +⟩: e = 0, a^-1 = -a
• ⟨Zn, +⟩ (Zn = {0, 1, …, n-1}, '+' is addition modulo n): e = 0, a^-1 = n - a
• ⟨Z2, ⊕⟩ is also a group
• ⟨Zp*, ·⟩ (Zp* = {1, …, p-1}, '·' is multiplication modulo p)
Group Properties
• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G
Lagrange's Theorem: Proof
(1) Definition of coset: Let G be a group and H a subgroup of G. For a ∈ G, the set aH = {a·h | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a = a·e ∈ aH since e ∈ H), so the cosets partition G
(4) The order of aH equals the order of H
So the order of H divides the order of G
The Order of a Group Element
• Definition: The order of a group element a is the least positive integer n such that a^n = a ∘ a ∘ … ∘ a = e
• The order of a is denoted ord(a)
• Corollary: Suppose G is a finite group of order n and a ∈ G; then ord(a) | n
ord(a) | n: Proof
• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G
    (a^ord(a) = e, and (a^i)^-1 = a^(ord(a) - i))
  – This subgroup is denoted ⟨a⟩
  – By Lagrange's Theorem, |⟨a⟩| = ord(a) divides n
The Generator of a Group
• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group
• Example
  – Consider ⟨Z7*, ·⟩
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • ⟨{1, 2, 4}⟩ is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator
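The orders, subgroups and generators of the Z7* example, plus the Lagrange corollary ord(a) | |G|, as an added Python example not from the slides; it also checks the n = 20 closure failure used on the later Zn* slide. Everything is brute force over small, constructed n.

```python
# Added example (not from the slides): orders, generators and Lagrange's theorem
# in the multiplicative group Zn*, checked by brute force for small n.
from math import gcd


def units(n: int) -> list:
    """Zn* = {x | gcd(x, n) = 1}; its size is phi(n)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def order(a: int, n: int) -> int:
    """ord(a): the least k >= 1 with a^k ≡ 1 (mod n). Requires gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not in Z{n}*")
    k, x = 1, a % n
    while x != 1:
        x = x * a % n
        k += 1
    return k


def generated_subgroup(a: int, n: int) -> list:
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list."""
    return sorted(pow(a, i, n) for i in range(1, order(a, n) + 1))


def generators(n: int) -> list:
    """Elements whose order equals |Zn*|, i.e. those that generate the whole group."""
    size = len(units(n))
    return [a for a in units(n) if order(a, n) == size]


def lagrange_holds(n: int) -> bool:
    """Corollary of Lagrange: ord(a) divides |Zn*| for every a in Zn*."""
    size = len(units(n))
    return all(size % order(a, n) == 0 for a in units(n))


def closed_under_addition(n: int) -> bool:
    """Zn* is generally not a group under +: it is not even closed."""
    u = set(units(n))
    return all((a + b) % n in u for a in u for b in u)


if __name__ == "__main__":
    print("Z7* =", units(7))
    print("<2> =", generated_subgroup(2, 7), "ord(2) =", order(2, 7))
    print("<3> =", generated_subgroup(3, 7), "ord(3) =", order(3, 7))
    print("generators of Z7*:", generators(7))
    print("3 + 5 mod 20 in Z20*?", (3 + 5) % 20 in set(units(20)))
```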
Ring
• Definition: A ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a·b ∈ S (closure rule)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c
• Example
  – The set of even integers with + and · is a ring
  – p, q two primes, n = pq: Zn = {0, 1, …, n-1} with addition and multiplication mod n is a ring
Field
• Definition: A field F is ⟨S, +, ·⟩ with
  – F1: ⟨S, +, ·⟩ is a commutative ring (a·b = b·a)
  – F2: there exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: any nonzero element a ∈ S has a unique inverse a^-1: a·a^-1 = a^-1·a = 1
• Example
  – Zn = ⟨{0, 1, …, n-1}, +, ·⟩ is a field if n is a prime
Relationship
[Figure: nested structures used in cryptography. Group: +, -; Ring: +, -, ×; Field: +, -, ×, ÷]
Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F_2^n
Zn
• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n-1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z26 for English
  – Z256 for ASCII
Zn Properties
• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: yes
  – For every x in Zn there is a number y such that x + y = 0
• Multiplicative inverse: not for all x
  – A number y such that x·y = 1 exists only for some x in Zn
  – The elements of Zn that have an inverse are {x | gcd(x, n) = 1}
Zn*
• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field
Zp
• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p-1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2
    +  | 0 1        ·  | 0 1        w | -w | w^-1
    ---+-----       ---+-----       --+----+-----
    0  | 0 1        0  | 0 0        0 |  0 |  –
    1  | 1 0        1  | 0 1        1 |  1 |  1
  (addition is XOR, multiplication is AND)
Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + a(n-1)·x^(n-1) + … + a1·x + a0, where each ai ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Polynomial Ring Example
• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x
Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) - b(x))
• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    • 3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x·(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^-1(x) mod p(x)
Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO non-constant polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)
Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 ≡ x·(x + 1) + 1 = x^2 + x + 1 mod p(x)
• Note: when p(x) is irreducible, R[x]/p(x) is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)
Z2[x]/(x^3 + x + 1): Properties
• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S \ {0} (the nonzero elements) is a group over multiplication mod p(x)
  – 1 is e, and the inverse of every a exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3 + x + 1) is a field
Galois Field
• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is a field ZN (N is prime)
  – + is addition in F; · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over ZN[x]/p(x) is denoted GF(N^n) where n = deg p(x)
Why Galois Field
• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for Z256?
  – Yes – Galois Field
Galois Field for Z256
• Build a mapping from an n-bit block to polynomials
• Example: 8-bit block
    10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)
Galois Field Example: AES
• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010
Galois Field Example: AES
• Example: {02}·{87} = ?
  – 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  – 02 = 00000010 ↔ x
  – {02}·{87} = x·f(x) = x·(x^7 + x^2 + x + 1) mod p(x) = x^8 + x·(x^2 + x + 1) mod p(x)
• In general, for f(x) ↔ (b7 b6 b5 b4 b3 b2 b1 b0):
    x·f(x) = {02}·f(x) = (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
    x·f(x) = {02}·f(x) = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (0001 1011)    if b7 = 1
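The GF(2^3) = Z2[x]/(x^3 + x + 1) computations of the earlier slides and the AES GF(2^8) examples (the inverse of 01010011 and {02}·{87}), as an added Python example not from the slides. Polynomials are stored as integers with bit i the coefficient of x^i (an assumption of the example); the block implements carry-less multiplication, reduction, the xtime rule of this slide, and the inverse via the extended Euclidean algorithm on polynomials.

```python
# Added example (not from the slides): arithmetic in GF(2^n) = Z2[x]/p(x) with
# polynomials stored as integers (bit i = coefficient of x^i), covering the
# Z2[x]/(x^3+x+1) slides and the AES field GF(2^8).


def clmul(a: int, b: int) -> int:
    """Carry-less multiplication: the product in Z2[x] without reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a: int, b: int):
    """Long division in Z2[x]: returns (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift
        a ^= b << shift          # subtraction is XOR over Z2
    return q, a


def gf_mul(a: int, b: int, p: int) -> int:
    """a * b in Z2[x]/p(x)."""
    return poly_divmod(clmul(a, b), p)[1]


def xtime(a: int, p: int) -> int:
    """Multiply by x (AES {02}): shift left; if the x^n bit appears, reduce once by p(x).
    For AES (p = 0x11B) this is the slide's rule: shift, then XOR 0x1B when b7 was 1."""
    n = p.bit_length() - 1
    a <<= 1
    if a >> n & 1:
        a ^= p
    return a


def gf_inv(a: int, p: int) -> int:
    """a^-1 in Z2[x]/p(x) by the extended Euclidean algorithm on polynomials."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1, t0, t1 = p, a, 0, 1          # invariant: t_i * a ≡ r_i (mod p)
    while r1 != 1:
        if r1 == 0:
            raise ValueError("not invertible: p(x) is reducible or shares a factor with a")
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ clmul(q, t1)
    return poly_divmod(t1, p)[1]


def poly_str(a: int) -> str:
    """Render an integer as a polynomial, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    terms = [("1" if i == 0 else "x" if i == 1 else f"x^{i}")
             for i in range(a.bit_length() - 1, -1, -1) if a >> i & 1]
    return " + ".join(terms) if terms else "0"


P3 = 0b1011     # x^3 + x + 1, the slides' GF(2^3) modulus
AES_P = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES modulus

if __name__ == "__main__":
    print(poly_str(poly_divmod(0b10001, P3)[1]))     # x^4 + 1 mod p(x) = x^2 + x + 1
    print(poly_str(gf_inv(0b101, P3)))               # (x^2 + 1)^-1 = x
    print(f"{gf_inv(0x53, AES_P):08b}")              # 11001010
    print(f"{xtime(0x87, AES_P):02x}")               # {02}.{87} = 15
```

The final assertion in the test (every nonzero byte times its inverse is 1) is the practical check that p(x) really is irreducible: with a reducible modulus gf_inv would raise for some inputs, and the "field" would not be one.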
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 28
Multiplicative Inverse Theorem
bull Proof
ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1
ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n
ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)
Zhijun Li S1034040Autumn08HIT 29
Eulerrsquos phi Function
bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn
ndash Is the number of elements in the reduced set of residues for modulo n
(n) calculation
Chinese Remainder Theorem
• Theorem: let $n_1, n_2, \dots, n_k$ be integers s.t. $\gcd(n_i, n_j) = 1$ ($i \ne j$). The system
  $x \equiv a_1 \pmod{n_1}$
  $x \equiv a_2 \pmod{n_2}$
  ……
  $x \equiv a_k \pmod{n_k}$
  has a unique solution $x$ modulo $n = n_1 n_2 \cdots n_k$
Proof of CRT
• Consider the one-to-one map $\theta: Z_n \to Z_{n_1} \times Z_{n_2} \times \cdots \times Z_{n_k}$, $\theta(x) = (x \bmod n_1, x \bmod n_2, \dots, x \bmod n_k)$
  – CRT is to find $\theta^{-1}(a_1, a_2, \dots, a_k)$
• $\theta^{-1}(a_1, a_2, \dots, a_k) = \sum_{i=1}^{k} a_i m_i y_i \bmod n$
  – $m_i = n / n_i$, $\gcd(m_i, n_i) = 1$, $1 \le i \le k$
  – $y_i = m_i^{-1} \bmod n_i$, $1 \le i \le k$
  – $m_i \equiv 0 \pmod{n_j}$ for $j \ne i$ ⇒ $a_i m_i y_i \equiv 0 \pmod{n_j}$ for $j \ne i$
  – $y_j = m_j^{-1} \bmod n_j$ ⇒ $m_j y_j \equiv 1 \pmod{n_j}$ ⇒ $a_j m_j y_j \equiv a_j \pmod{n_j}$
• Hence $\theta^{-1}(a_1, a_2, \dots, a_k) \bmod n_j = a_j$
Finding Euler's phi Function
• Theorem: if $\gcd(m, n) = 1$ then $\varphi(mn) = \varphi(m)\varphi(n)$
• Proof
  – A number $x \bmod mn$ is represented uniquely by the pair $(a, b) = (x \bmod m, x \bmod n)$ (CRT)
  – A number is relatively prime to both $m$ and $n$ iff $a$ and $b$ are relatively prime to $m$ and $n$ respectively
  – So $\varphi(mn) = \varphi(m)\varphi(n)$
Finding Euler's phi Function
• $\varphi(n)$ calculation for $n = \prod_{i=1}^{k} p_i^{e_i}$
• $\varphi(p) = p - 1$, $\varphi(p^e) = p^e - p^{e-1}$
  – Among $1, \dots, p^e - 1$, the numbers $kp$ with $k = 1, \dots, p^{e-1} - 1$ are exactly those with $\gcd(kp, p^e) \ge p$
  – So $\varphi(p^e) = (p^e - 1) - (p^{e-1} - 1)$
• $\varphi\left(\prod_{i=1}^{k} p_i^{e_i}\right) = \prod_{i=1}^{k} \left(p_i^{e_i} - p_i^{e_i - 1}\right)$
• $\varphi(n) = n\,(1 - 1/p_1)(1 - 1/p_2) \cdots (1 - 1/p_k)$
Euler's Theorem
• Theorem: If $\gcd(a, n) = 1$ then $a^{\varphi(n)} \equiv 1 \pmod n$
• Proof
  1. Let $R = \{r_1, r_2, \dots, r_{\varphi(n)}\}$ be a reduced set of residues modulo $n$
  2. $\{a r_1, a r_2, \dots, a r_{\varphi(n)}\}$ is a permutation of $R$ (since $\gcd(a r_i, n) = 1$)
  3. $\prod_{i=1}^{\varphi(n)} r_i \equiv \prod_{i=1}^{\varphi(n)} a r_i \equiv a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} r_i \pmod n$
  4. $\gcd\left(\prod_{i=1}^{\varphi(n)} r_i, n\right) = 1$. Hence $a^{\varphi(n)} \equiv 1 \pmod n$
Fermat's Little Theorem
• From Euler's Theorem: let $n = p$ with $p$ prime
• Because $\gcd(a, p) = 1$ for all $0 < a < p$, we get
  $a^{p-1} \equiv 1 \pmod p$
Finding $a^{-1} \bmod n$
• Search through $1, \dots, n-1$ until an $a^{-1}$ is found such that $a \cdot a^{-1} \equiv 1 \pmod n$
  – $T(n) = O(n)$
• Compute $a^{-1} = a^{\varphi(n) - 1} \bmod n$
  – Finding $\varphi(n)$ requires factoring $n$
  – $T(n) = O(n^a)$
• Use the Extended Euclidean Algorithm
  – $T(n) = O(\log^a n)$
From Euclidean Algorithm
• $r_0 = 1 \cdot r_0 + 0 \cdot r_1 = s_0 r_0 + t_0 r_1$
• $r_1 = 0 \cdot r_0 + 1 \cdot r_1 = s_1 r_0 + t_1 r_1$
• $r_2 = r_0 - q_1 r_1 = s_2 r_0 + t_2 r_1$
• $r_3 = r_1 - q_2 r_2 = r_1 - q_2 (r_0 - q_1 r_1) = s_3 r_0 + t_3 r_1$
• ……
• $r_{n-1} = s_{n-1} r_0 + t_{n-1} r_1$
• $r_{n-1} = \gcd(r_0, r_1)$
• If $s_{n-1} r_0 + t_{n-1} r_1 = 1$ then $t_{n-1} r_1 \equiv 1 \pmod{r_0}$, i.e. $t_{n-1} \equiv r_1^{-1} \pmod{r_0}$
• Find $t_{n-1}$
$s_i$ and $t_i$
• $r_0 = s_0 r_0 + t_0 r_1$, $s_0 = 1$, $t_0 = 0$
• $r_1 = s_1 r_0 + t_1 r_1$, $s_1 = 0$, $t_1 = 1$
• ……
• $r_i = r_{i-2} - q_{i-1} r_{i-1} = s_{i-2} r_0 + t_{i-2} r_1 - q_{i-1} s_{i-1} r_0 - q_{i-1} t_{i-1} r_1 = s_i r_0 + t_i r_1$
  $s_i = s_{i-2} - q_{i-1} s_{i-1}$
  $t_i = t_{i-2} - q_{i-1} t_{i-1}$
• Only $t_i$ is needed: $r_i = s_i r_0 + t_i r_1 \equiv t_i r_1 \pmod{r_0}$
Extended Euclidean Algorithm
Step 1: $r_0 = n$ and $r_1 = a$
Step 2: $r_0 = q_1 r_1 + r_2$, so $r_2 = r_0 - q_1 r_1 \equiv -q_1 r_1 \pmod n$; let $x_2 = -q_1$, then $r_2 \equiv x_2 r_1 \pmod n$
  $r_1 = q_2 r_2 + r_3$, so $r_3 = r_1 - q_2 r_2 \equiv (1 - x_2 q_2)\, r_1 \pmod n$; let $x_3 = 1 - x_2 q_2$, then $r_3 \equiv x_3 r_1 \pmod n$
  ……
  $r_{n-3} = q_{n-2} r_{n-2} + r_{n-1}$, so $r_{n-1} = r_{n-3} - q_{n-2} r_{n-2} \pmod n$; let $x_{n-1} = x_{n-3} - x_{n-2} q_{n-2}$, then $r_{n-1} \equiv x_{n-1} r_1 \pmod n$. Now $r_{n-1} = 1$
Step 3: Result is $x_{n-1} = a^{-1} \bmod n$
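A worked example, added here and not part of the lecture slides, covering the Extended Euclidean Algorithm above (with the $s_i$, $t_i$ recurrence), the CRT reconstruction $x = \sum a_i m_i y_i \bmod n$ from the CRT proof, and $\varphi(n)$ from a prime factorization checked against Euler's Theorem. All function names and sample values are my own choices.

```python
"""Added example (not the slides' code): extended Euclid with the s_i/t_i
recurrence, a modular inverse on top of it, the CRT construction
x = sum(a_i * m_i * y_i) mod n, and phi(n) from a factorisation, checked
against Euler's theorem a^phi(n) = 1 (mod n)."""
from math import gcd


def ext_gcd(r0, r1):
    """Return (g, s, t) with g = gcd(r0, r1) and s*r0 + t*r1 = g.

    Coefficients are tracked exactly as on the slides:
      s_i = s_{i-2} - q_{i-1} s_{i-1},   t_i = t_{i-2} - q_{i-1} t_{i-1}
    starting from (s_0, t_0) = (1, 0) and (s_1, t_1) = (0, 1).
    """
    s_prev, t_prev = 1, 0   # coefficients expressing r0
    s_cur, t_cur = 0, 1     # coefficients expressing r1
    while r1 != 0:
        q, r = divmod(r0, r1)           # r0 = q*r1 + r
        r0, r1 = r1, r
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    return r0, s_prev, t_prev


def mod_inverse(a, n):
    """a^{-1} mod n via ext_gcd; raises ValueError when gcd(a, n) != 1."""
    g, _, t = ext_gcd(n, a)   # with r0 = n and r1 = a we get t*a = g (mod n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n} (gcd = {g})")
    return t % n


def crt(residues, moduli):
    """Solve x = a_i (mod n_i) for pairwise coprime n_i; returns (x, n)."""
    n = 1
    for ni in moduli:
        n *= ni
    x = 0
    for ai, ni in zip(residues, moduli):
        mi = n // ni                 # m_i = n / n_i
        yi = mod_inverse(mi, ni)     # y_i = m_i^{-1} mod n_i
        x += ai * mi * yi
    return x % n, n


def euler_phi(factorization):
    """phi(n) for n = prod p^e, given as {p: e}; returns (n, phi(n))."""
    n = phi = 1
    for p, e in factorization.items():
        n *= p ** e
        phi *= p ** e - p ** (e - 1)   # phi(p^e) = p^e - p^{e-1}
    return n, phi


def euler_theorem_holds(a, n, phi):
    """True iff gcd(a, n) = 1 and a^phi = 1 (mod n)."""
    return gcd(a, n) == 1 and pow(a, phi, n) == 1


if __name__ == "__main__":
    print(ext_gcd(240, 46))                  # (2, -9, 47): -9*240 + 47*46 = 2
    print(mod_inverse(3, 26))                # 9, since 3*9 = 27 = 1 (mod 26)
    print(crt([2, 3, 2], [3, 5, 7]))         # (23, 105)
    n, phi = euler_phi({2: 2, 3: 1, 7: 1})   # 84 = 2^2 * 3 * 7 (the slides' example)
    print(n, phi)                            # 84 24
    print(euler_theorem_holds(5, n, phi))    # True
```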
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Algebraic Structures
• Why structures?
  – Cryptographic transforms normally operate within some structure
• Definition: an algebraic structure is the collection of a set $S$ with one (or more) operations $\circ$ performed on the elements of $S$
  – Different algebraic structures are $\langle S, \circ \rangle$ satisfying some specific conditions
Group
• Definition: A group $G = \langle S, \circ \rangle$ is an algebraic structure that satisfies the following conditions
  – G1: $\forall a, b \in S$: $a \circ b \in S$ (closure rule)
  – G2: $\forall a, b, c \in S$: $(a \circ b) \circ c = a \circ (b \circ c)$
  – G3: $\exists e \in S$, $\forall a \in S$: $a \circ e = e \circ a = a$
  – G4: $\forall a \in S$, $\exists a^{-1} \in S$: $a \circ a^{-1} = a^{-1} \circ a = e$
  – [G5, Abelian group]: $\forall a, b$: $a \circ b = b \circ a$
Group Example
• $\langle Z, + \rangle$: $e = 0$, $a^{-1} = -a$
• $\langle Z_n, + \rangle$ ($Z_n = \{0, 1, \dots, n-1\}$, '+' is addition modulo $n$): $e = 0$, $a^{-1} = n - a$
• $\langle Z_2, \oplus \rangle$ is also a group
• $\langle Z_p^*, \cdot \rangle$ ($Z_p^* = \{1, \dots, p-1\}$, '$\cdot$' is multiplication modulo $p$)
Group Properties
• Definition: The order of a finite group is the number of elements in the group
• Definition: A group $G_1 = \langle S_1, \circ \rangle$ is a subgroup of the group $G = \langle S, \circ \rangle$ if $S_1 \subseteq S$
• Lagrange's Theorem: The order of a subgroup $H$ of a finite group $G$ divides the order of $G$
Lagrange Theorem Proof
(1) Definition of coset: Let $G$ be a group and $H$ a subgroup of $G$; for $a \in G$ the set $aH = \{ah \mid h \in H\}$ is called a coset of $H$
(2) $\forall a, b \in G$: $aH = bH$ or $aH \cap bH = \emptyset$
(3) Each element of $G$ is in some coset (since $e \in H$, $a \in aH$). So the cosets form a partition of $G$
(4) The order of $aH$ equals the order of $H$
So the order of $H$ divides the order of $G$
The Order of a Group Element
• Definition: The order of a group element $a$ is defined as the least positive integer $n$ such that
  $a^n = a \circ a \circ \cdots \circ a = e$
• The order of $a$ is denoted $\mathrm{ord}(a)$
• Corollary: Suppose $G$ is a finite group whose order is $n$ and $a \in G$; then $\mathrm{ord}(a) \mid n$
$\mathrm{ord}(a) \mid n$ Proof
• Proof
  – For a group $G$ and $a \in G$, the set $\{a, a^2, \dots, a^{\mathrm{ord}(a)}\}$ with the operator of $G$ forms a subgroup of $G$:
    $a^{\mathrm{ord}(a)} = e$, $(a^i)^{-1} = a^{\mathrm{ord}(a) - i}$
  – This subgroup is denoted $\langle a \rangle$; it has $\mathrm{ord}(a)$ elements, so by Lagrange's Theorem $\mathrm{ord}(a) \mid n$
The Generator of a Group
• Definition: If all elements of a group can be generated by a single element $g$, then $g$ is called a generator of the group
• Example
  – Consider $\langle Z_7^*, \cdot \rangle$
  – 2 generates $2^1 = 2$, $2^2 = 4$, $2^3 = 8 \equiv 1 \pmod 7$, $2^4 = 16 \equiv 2 \pmod 7$, …: $\{1, 2, 4\}$ is a subgroup
  – 3 generates $3^1 = 3$, $3^2 \equiv 2$, $3^3 \equiv 6$, $3^4 \equiv 4$, $3^5 \equiv 5$, $3^6 \equiv 1$, …: 3 is a generator
Ring
• Definition: A ring $R = \langle S, +, \cdot \rangle$ ($+$ is addition, $\cdot$ is multiplication) such that
  – R1: $\forall a, b \in S$: $a + b \in S$, $a \cdot b \in S$ (closure rule)
  – R2: $\langle S, + \rangle$ is an additive Abelian group
  – R3: $\forall a, b, c \in S$: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
  – R4: $\forall a, b, c \in S$: $a \cdot (b + c) = a \cdot b + a \cdot c$
• Example
  – The set of even integers with $+$ and $\cdot$ is a ring
  – $p, q$ two primes, $n = pq$: $Z_n = \{0, 1, \dots, n-1\}$ with addition and multiplication mod $n$ is a ring
Field
• Definition: A field $F$ is $\langle S, +, \cdot \rangle$ with
  – F1: $\langle S, +, \cdot \rangle$ is a commutative ring ($a \cdot b = b \cdot a$)
  – F2: there exists an identity element 1 with respect to multiplication: $a \cdot 1 = 1 \cdot a = a$
  – F3: any nonzero element $a \in S$ has a unique inverse $a^{-1}$: $a \cdot a^{-1} = a^{-1} \cdot a = 1$
• Example
  – $Z_n = \langle \{0, 1, \dots, n-1\}, +, \cdot \rangle$ is a field if $n$ is a prime
Relationship
(Figure: nested structures. Group: $+, -$. Ring: $+, -, \times$. Field: $+, -, \times, \div$. All three are used in cryptography.)
Several Important Structures
• $Z_n$
• $Z_n^*$
• $Z_p$
• Polynomial Rings
• Galois Field $F_{2^n}$
$Z_n$
• $Z_n$ is the "ring" of integers modulo $n$
  – $Z_n = \{0, 1, 2, \dots, n-1\}$
  – Normal addition modulo $n$
  – Normal multiplication modulo $n$
• Example
  – $Z_{26}$ for English
  – $Z_{256}$ for ASCII
$Z_n$ Properties
• Additive and multiplicative identities in $Z_n$
  – Additive identity is $0 \bmod n$
  – Multiplicative identity is $1 \bmod n$
• Additive inverse: yes
  – For every $x$ in $Z_n$ there is a $y$ such that $x + y \equiv 0 \pmod n$
• Multiplicative inverse: not for all $x$
  – A $y$ such that $x \cdot y \equiv 1 \pmod n$ exists only for some $x$ in $Z_n$
  – The elements of $Z_n$ that have an inverse are $\{x \mid \gcd(x, n) = 1\}$
$Z_n^*$
• $Z_n^*$ is a "group" of integers modulo $n$
  – $Z_n^* = \{x \mid \gcd(x, n) = 1\}$
  – $|Z_n^*| = \varphi(n)$
  – Normal multiplication modulo $n$
• $Z_n^*$ may not be a group over $+$
  – Example: $n = 20$, $3, 5 \in Z_{20}^*$ but $3 + 5 = 8 \notin Z_{20}^*$
• So $Z_n^*$ may not be a field
$Z_p$
• $Z_p$ is the "field" of integers modulo $p$
  – $Z_p = \{0, 1, 2, \dots, p-1\}$
  – Normal addition modulo $p$
  – Normal multiplication modulo $p$
• Example: $Z_2$

  +  | 0  1        ·  | 0  1        w  | -w  w^-1
  ---+------       ---+------       ---+---------
  0  | 0  1        0  | 0  0        0  |  0   -
  1  | 1  0        1  | 0  1        1  |  1   1

  Addition in $Z_2$ is XOR; multiplication is AND.
Polynomial Ring
• Definition: If $R$ is a commutative ring, then a polynomial in $x$ over the ring $R$ is an expression of the form $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$ where each $a_i \in R$ and $n \ge 0$
• Note: If $R$ is a commutative ring, the polynomial ring $R[x]$ is the ring formed by the set of all polynomials in $x$ having coefficients from $R$
Polynomial Ring Example
• Example: Let $f(x) = x^3 + x + 1$ and $g(x) = x^2 + x$ be elements of $Z_2[x]$
  – $f(x) + g(x) = x^3 + x^2 + 1$
  – $f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1$
  – $f(x) \cdot g(x) = x^5 + x^4 + x^3 + x$
Set of Residues Modulo $p(x)$
• Definition: The set of residues modulo $p(x)$ of $R[x]$ is the set $R[x] \bmod p(x)$
  – $p(x)$ is an irreducible polynomial over $R$
• The set of residues modulo $p(x)$ of $R[x]$ is denoted $R[x]/p(x)$
Congruent Polynomials
• Definition: $a(x), b(x)$ are congruent modulo $p(x)$, written $a(x) \equiv b(x) \pmod{p(x)}$, iff $p(x) \mid (a(x) - b(x))$
• Example
  – In $Z_5[x]$: $3x^3 + 4x + 4 \equiv x + 4 \pmod{x^2 + 1}$
  – $3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)$
• Definition: If $a(x) \cdot b(x) \equiv 1 \pmod{p(x)}$ then $b(x) = a^{-1}(x) \bmod p(x)$
Irreducible Polynomials
• Definition: if $a(x) = q(x) b(x)$ then $a(x)$ is divisible by $b(x)$, denoted $b(x) \mid a(x)$
• Definition: a polynomial $a(x)$ is irreducible over a ring $R$ if there is NO polynomial $b(x) \in R[x]$ with $\deg b(x) < \deg a(x)$ and $b(x) \mid a(x)$
Example: $Z_2[x]/(x^3 + x + 1)$
• $S = \{0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1\}$
• $p(x) = x^3 + x + 1$
• For any $f(x) \in Z_2[x]$: $f(x) \bmod p(x) \in S$
• Example
  – $x^4 + 1 = x \cdot x^3 + 1 \equiv x(x + 1) + 1 = x^2 + x + 1 \pmod{p(x)}$
• Note: $R[x]/p(x)$, when $p(x)$ is irreducible, is the set of all polynomials $f(x) \in R[x]$ with $\deg f(x) < \deg p(x)$
$Z_2[x]/(x^3 + x + 1)$ Properties
• $S$ is a group over addition in $R$
  – 0 is $e$ and the inverse of $a \in S$ is $a$ itself
  – Example: $(x^2 + 1) + (x^2 + 1) = 0$
• $S$ is a group over multiplication mod $p(x)$
  – 1 is $e$ and the inverse of $a \in S$ exists
  – Example: $(x^2 + 1) \cdot x = x^3 + x \equiv (x + 1) + x = 1 \pmod{x^3 + x + 1}$
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• $Z_2[x]/(x^3 + x + 1)$ is a field
Galois Field
• Definition: Galois field $= (S, +, \cdot)$
  – $S = F[x]/p(x)$
  – $F$ is a field $Z_N$ ($N$ is prime)
  – $+$ is addition in $F$; $\cdot$ is multiplication modulo $p(x)$
  – $p(x)$ is irreducible
• The Galois field over $Z_N[x]/p(x)$ is denoted $GF(N^n)$ where $n = \deg p(x)$
Why Galois Field
• For an 8-bit block
  – $Z_{256} = \{0, 1, \dots, 255\}$ is not a field
  – $Z_{251} = \{0, 1, \dots, 250\}$ is a field: the largest prime $< 256$ is 251, but the values 251…255 are wasted
• Is it possible to find a field for $Z_{256}$?
  – Yes: a Galois Field
Galois Field for $Z_{256}$
• Build a mapping from $n$-bit blocks to polynomials
• Example, 8-bit block: $10010111 \mapsto 1 \cdot x^7 + 0 \cdot x^6 + 0 \cdot x^5 + 1 \cdot x^4 + 0 \cdot x^3 + 1 \cdot x^2 + 1 \cdot x^1 + 1 \cdot x^0$
• It is $Z_2[x]/p(x)$ where $\deg p(x) = 8$
• Note: many cryptographic designs use binary Galois fields $GF(2^n)$
Galois Field Example: AES
• AES uses $GF(2^8) = Z_2[x]/p(x)$ where $p(x) = x^8 + x^4 + x^3 + x + 1$
• Example
  – $01010011 \mapsto x^6 + x^4 + x + 1$
  – $(01010011)^{-1} \mapsto (x^6 + x^4 + x + 1)^{-1} \bmod p(x) = x^7 + x^6 + x^3 + x \mapsto 11001010$
Galois Field Example: AES
• Example: compute $02 \cdot 87$
  – $87 = 10000111$, $f(x) = x^7 + x^2 + x + 1$
  – $02 = 00000010$, $f(x) = x$
  – $02 \cdot 87$: $x \cdot f(x) = x(x^7 + x^2 + x + 1) \bmod p(x) = x^8 + x(x^2 + x + 1) \bmod p(x)$
• In general, for a byte $b = b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$, $x \cdot f(x)$, i.e. $02 \cdot b$, is
  – $(b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)$ if $b_7 = 0$
  – $(b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus (00011011)$ if $b_7 = 1$
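A worked example, added here and not part of the slides, of arithmetic in $Z_2[x]/p(x)$ with polynomials stored as bit strings. It covers the 3-bit field $Z_2[x]/(x^3+x+1)$ from the earlier example and the AES field $GF(2^8)$ with $p(x) = x^8 + x^4 + x^3 + x + 1$, including the "shift, then XOR 00011011 if $b_7 = 1$" rule for $02 \cdot b$; function names are my own.

```python
"""Added example (not the slides' code): multiplication, reduction and
inversion in Z_2[x]/p(x), with bit i of an int holding the x^i coefficient."""

P3 = 0b1011          # x^3 + x + 1, the 3-bit example field
P8 = 0b100011011     # x^8 + x^4 + x^3 + x + 1 (0x11b), AES's reducing polynomial


def poly_mod(f, p):
    """Remainder of f(x) modulo p(x) over Z_2: long division where
    subtraction is XOR and each step cancels the leading term of f."""
    deg_p = p.bit_length() - 1
    while f.bit_length() - 1 >= deg_p:
        shift = (f.bit_length() - 1) - deg_p
        f ^= p << shift            # f := f - p(x) * x^shift
    return f


def gf_mul(a, b, p):
    """a(x) * b(x) mod p(x) over Z_2: shift-and-add, then one reduction."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        b >>= 1
    return poly_mod(product, p)


def gf_inverse(a, p):
    """Multiplicative inverse in Z_2[x]/p(x) by exhaustive search over the
    2^deg(p) field elements; adequate for the small fields shown here."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    size = 1 << (p.bit_length() - 1)
    for candidate in range(1, size):
        if gf_mul(a, candidate, p) == 1:
            return candidate
    raise ValueError("no inverse: p(x) is not irreducible")


def xtime(b):
    """02 * b in AES's GF(2^8) by the slide's rule: shift left one bit and,
    if b_7 was set, XOR with 00011011 (0x1b), the low byte of p(x)."""
    shifted = (b << 1) & 0xFF
    return shifted ^ 0x1B if b & 0x80 else shifted


if __name__ == "__main__":
    # Z_2[x]/(x^3+x+1): x^4 + 1 reduces to x^2 + x + 1, and (x^2 + 1) * x = 1
    print(bin(poly_mod(0b10001, P3)))             # 0b111
    print(gf_mul(0b101, 0b010, P3))                # 1
    # AES: (01010011)^-1 = 11001010, i.e. 0x53 * 0xca = 1
    print(hex(gf_inverse(0x53, P8)))               # 0xca
    print(hex(gf_mul(0x53, 0xCA, P8)))             # 0x1
    # 02 * 87: the table rule and full multiplication agree
    print(hex(xtime(0x87)), hex(gf_mul(0x02, 0x87, P8)))   # 0x15 0x15
```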
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers
• $P = M^L = \{m = (m_1, m_2, \dots, m_L) \mid m_i \in M\}$
  – $M = \{a_i\}$, $i = 1, 2, \dots, N$, $p(a_i) \ge 0$, $\sum_{i=1}^{N} p(a_i) = 1$
• $K = B^R = \{b = (b_1, b_2, \dots, b_R) \mid b_i \in B\}$
  – $B = \{b_i\}$, $i = 1, 2, \dots, S$, $p(b_i) \ge 0$, $\sum_{i=1}^{S} p(b_i) = 1$
• $C = \{c \mid c = e_k(m),\ k \in K,\ m \in M\}$
(Figure: Sender → Encryption → Decryption → Receiver. The message $m$ comes from the Message Space ($P$), the key $k$ from the Key Space ($K$) is delivered over a Secure Channel, and the ciphertext $c$ from the Ciphertext Space ($C$) is exposed to Cryptanalysis.)
Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
— R. G. Gallager
Claude Shannon, 1916–2001
Probability Distribution of C
• $\Pr[C = c] = \sum_{k \in K,\ c \in C(k)} \Pr[K = k] \Pr[P = d_k(c)]$
  – $C(k) = \{e_k(m) \mid m \in P\}$
• $\Pr[C = c \mid P = m] = \sum_{k \in K,\ m = d_k(c)} \Pr[K = k]$
• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m) \sum_{k \mid m = d_k(c)} \Pr(k)}{\sum_{k \in K,\ c \in C(k)} \Pr(k) \Pr(d_k(c))}$
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define "information"?
• Definition: An encryption scheme is Shannon secure if the probability distribution of $P$ satisfies
  $\forall c, m$: $\Pr[P = m] = \Pr[P = m \mid C = c]$
• Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
• Suppose $(P, C, K, E, D)$ is a cryptosystem where $|K| = |P| = |C|$
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability $1/|K|$
  – and for every $x \in P$ and $y \in C$ there is a unique key $k$ such that $e_k(x) = y$
Proof of ⇐
• $\Pr[x \mid y] = \dfrac{\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] \Pr[P = x]}{\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \Pr[P = d_k(y)]}$
• Numerator: $\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] = 1/|K|$ (one key, used with probability $1/|K|$)
• Denominator: $\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \Pr[P = d_k(y)] = \frac{1}{|K|} \sum_{k \in K,\ y \in C(k)} \Pr[P = d_k(y)] = \frac{1}{|K|} \sum_{x' \in P} \Pr[P = x'] = \frac{1}{|K|}$
• Hence $\Pr[x \mid y] = \Pr[x]$
Proof of ⇒ (unique key)
• $\Pr[y] > 0$; $\Pr[x \mid y] = \Pr[x]$ ⇒ $\Pr[y \mid x] = \Pr[y]$
• Fix $x \in P$, $y \in C$: we have $\Pr[y \mid x] = \Pr[y] > 0$, thus there exists at least one $k$ that satisfies $e_k(x) = y$
• $|\{e_k(x) \mid k \in K\}| = |C| = |K|$
  – So there are no $k_1 \ne k_2$ with $e_{k_1}(x) = e_{k_2}(x)$
  – There is a unique key $k$ such that $e_k(x) = y$
Proof of ⇒ (equiprobable keys)
• Let $n = |K|$ and $P = \{x_i \mid 1 \le i \le n\}$
• Given a fixed $y$, let $k_1, k_2, \dots, k_n$ be the keys with $e_{k_i}(x_i) = y$
• $\Pr[x_i \mid y] = \Pr[y \mid x_i] \Pr[x_i] / \Pr[y] = \Pr[K = k_i] \Pr[x_i] / \Pr[y]$
• $\Pr[x_i \mid y] = \Pr[x_i]$ ⇒ $\Pr[K = k_i] = \Pr[y]$
  – Every key is used with equal probability $1/|K|$
"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space $P$ have size $n$; any cipher with perfect secrecy has $|K| \ge n$
• Proof
  – Consider a nonzero probability distribution on $P$
  – Given any $C = c$, for every $m$: $\Pr[P = m \mid C = c] = \Pr[P = m] > 0$, thus there must exist a key that decrypts $c$ into $m$
  – As one key decrypts $c$ into only one message, at least $n$ keys are needed
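A worked example, added here and not part of the slides, that evaluates the formulas for $\Pr[C = c]$ and $\Pr[P = m \mid C = c]$ from the "Probability Distribution of C" slide and checks the perfect-secrecy condition $\Pr[P = m \mid C = c] = \Pr[P = m]$. The toy cipher $e_k(m) = m + k \bmod n$ over $Z_n$ and the three key distributions (uniform, biased, and too small for the "bad news" case) are my own constructions.

```python
"""Added example (not the slides' code): ciphertext and posterior
distributions for a toy shift cipher over Z_n, and a perfect-secrecy check."""
from fractions import Fraction


def shift_encrypt(k, m, n):
    """e_k(m) = m + k mod n (so d_k(c) = c - k mod n)."""
    return (m + k) % n


def ciphertext_distribution(pr_p, pr_k, n):
    """Pr[C=c] = sum over (k, m) with e_k(m) = c of Pr[K=k] * Pr[P=m]."""
    pr_c = {}
    for k, pk in pr_k.items():
        for m, pm in pr_p.items():
            c = shift_encrypt(k, m, n)
            pr_c[c] = pr_c.get(c, 0) + pk * pm
    return pr_c


def posterior(pr_p, pr_k, n, m, c):
    """Pr[P=m | C=c] = Pr[C=c | P=m] * Pr[P=m] / Pr[C=c], with
    Pr[C=c | P=m] = sum of Pr[K=k] over the keys k for which e_k(m) = c."""
    pr_c_given_m = sum(pk for k, pk in pr_k.items()
                       if shift_encrypt(k, m, n) == c)
    pr_c = ciphertext_distribution(pr_p, pr_k, n)[c]
    return pr_c_given_m * pr_p[m] / pr_c


def is_perfectly_secret(pr_p, pr_k, n):
    """True iff Pr[P=m | C=c] == Pr[P=m] for every m and every c with Pr[C=c] > 0."""
    pr_c = ciphertext_distribution(pr_p, pr_k, n)
    return all(posterior(pr_p, pr_k, n, m, c) == pr_p[m]
               for c in pr_c for m in pr_p)


# Constructed distributions over Z_4; Fraction keeps the arithmetic exact.
N = 4
SKEWED_P = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
UNIFORM_K = {k: Fraction(1, N) for k in range(N)}   # |K| = |P| = |C|, keys equiprobable
BIASED_K = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}
SMALL_K = {0: Fraction(1, 2), 1: Fraction(1, 2)}    # |K| = 2 < |P| = 4: the "bad news" case

if __name__ == "__main__":
    print(is_perfectly_secret(SKEWED_P, UNIFORM_K, N))   # True: uniform keys, one key per (m, c)
    print(is_perfectly_secret(SKEWED_P, BIASED_K, N))    # False: keys not equiprobable
    print(is_perfectly_secret(SKEWED_P, SMALL_K, N))     # False: too few keys
    print(posterior(SKEWED_P, SMALL_K, N, 2, 0))         # 0: no key maps m=2 to c=0
```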
Introduction of the Complexity
• Perfect secrecy: key length $\ge$ message length
  – Can NOT use one key to encrypt many messages
  – For example, using a 56-bit key to encrypt a document ($> 56$ bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography
Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers $a, b \in N$
  – Question: what is the greatest common divisor of $a$ and $b$?
  – An instance of the GCD problem: what is $\gcd(24, 16)$?
Turing Machine
• Definition: A Turing Machine is $\delta: S \times B \to S \times B \times \{l, r\}$
  – where $S$ is the set of states, $B$ the characters, $l$ is shift left and $r$ is shift right
(Figure: a tape "… 0 1 1 0 0 0 1 1 …" read by a State Machine.)
Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem
Problems and Algorithms
(Figure: a PROBLEM gives rise to INSTANCES, which are the Input of an ALGORITHM that produces the Output.)
Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size $n$
• Time complexity functions (TCF)
  – Logarithmic functions: $f(n) = \log(n)$
  – Polynomial functions: $f(n) = n^a$, $a \in N$
  – Exponential functions: $f(n) = \Omega(a^n)$, $a \in N$, and there exists $b \in N$ with $f(n) = O(b^n)$
Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to establish
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problems
• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P: can be solved in polynomial time using a DTM (Example: A B)
  – NP: can be solved in polynomial time using an NDTM, $\delta: S \times B \to 2^{S \times B \times \{l, r\}}$
  – BPP: can be "solved" in polynomial time using a PTM, $\delta: S \times B \times \{0, 1\} \to S \times B \times \{l, r\}$ (randomized algorithms)
NP Problem
• NP $\supseteq$ P: A problem is solved by the NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems $\subseteq$ NP problems
  – NP problems are "more difficult" from intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Polynomial Reduction
• Definition: Assume $Q_1, Q_2 \in NP$, and $I_1^+$ and $I_2^+$ are their sets of 'yes' instances. $Q_1$ is polynomially reducible to $Q_2$ if there is a function $f: I_1 \to I_2$ s.t.
  – $f$ is computable in polynomial time by a DTM
  – for all $x$: $x \in I_1^+$ iff $f(x) \in I_2^+$
• Note
  – $Q_2$ is more complex than $Q_1$
  – Denoted $Q_1 \le_{poly} Q_2$
NP Completeness (NPC)
• Definition: An NPC problem is a $Q_c$ such that for any $Q \in NP$ we have $Q \le_{poly} Q_c$
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set $U$ of variables and a collection $C$ of clauses over $U$
  – Question: is there a satisfying truth assignment for $C$?
• How to prove a problem $Q$ is NPC
  – $SAT \le_{poly} Q$
P = NP?
• $P = NP$, or $\exists p \in NP$ with $p \notin P$?
• If $P = NP$
  – Modern cryptography is NOT secure
• If $\exists p \in NP$ with $p \notin P$
  – A one-way function can be built based on $p$
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography
BPP
• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Problems in Cryptography
• FACTORING: factorize $n$ ($= p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$)
• DLP: find $x$ satisfying $\alpha^x \equiv \beta \pmod p$
• DHP: find $\alpha^{ab} \pmod p$ from $\alpha^a \pmod p$ and $\alpha^b \pmod p$
• Subset-Sum: given a set of positive integers $A = \{a_1, a_2, \dots, a_n\}$ and a positive integer $s$, determine whether there is a subset of $A$ whose sum is $s$
• QRP: decide whether $a$ is a quadratic residue modulo $n$
• SQROOT: find $x$ satisfying $x^2 \equiv a \pmod n$
Semantic Security
• Ideas of Semantic Security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of Semantic Security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is $(t, \epsilon)$ IND-CPA secure if no $t$-time adversary wins the following game with probability $\ge 0.5 + \epsilon$
(Game, shown as a figure on the slide) Challenger: picks random $k$ and random $b \in \{0, 1\}$. Adversary: picks $M_0, M_1$ of equal length. The attacker wins the game if $b = b'$.
Bit Secure
• A cipher is $(t, \epsilon)$ bit secure if no $t$-time adversary wins the following game with probability $\ge 0.5 + \epsilon$
(Game, shown as a figure on the slide) Challenger: 1. picks random $k$; 2. picks random $M$. Adversary: 3. picks $i$. The attacker wins the game if $a$ = the $i$'th bit of $M$.
Semantic Security
• Any cipher that is $(t, \epsilon)$ IND-CPA secure against eavesdroppers is also $(t, \epsilon)$ bit secure
• Proof: Given a $(t, \epsilon)$ attacker against bit security, build a $(t, \epsilon)$ attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 29
Eulerrsquos phi Function
bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn
ndash Is the number of elements in the reduced set of residues for modulo n
(n) calculation
Zhijun Li S1034040Autumn08HIT 30
Chinese Remainder Theorem
bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)
x a1 mod n1
x a2 mod n2
helliphellip
x ak mod nk
There exists a unique solution of x modulo n=n1
n2hellipnk
Zhijun Li S1034040Autumn08HIT 31
Proof of CRT
bull Consider a one-to-one map Zn Zn1
Zn2 hellipZnk
(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)
(a1 a2 hellip ak) = i=1kaimiyi mod n
ndash mi = nni gcd(mini)=11ik ndash yi = mi
-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj
-1 mod nj mjyj1 mod nj ajmjyjaj mod nj
(a1 a2 hellip ak) mod nj = aj
Zhijun Li S1034040Autumn08HIT 32
Finding Eulerrsquos phi Function
bull Theorem if gcd(mn)=1 then (mn)=(m)(n)
bull Proof ndash A number x mod mn is represented uniquely by the p
air (a b) (x mod m x mod n) (CRT)
ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
ndash So (mn)=(m)(n)
Zhijun Li S1034040Autumn08HIT 33
Finding Eulerrsquos phi Function
(n) calculation for n = i=1k pi
ei
(p) = p-1 (pe) = pe ndash pe-1
ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1
( i=1kpi
ei ) = i=1k(pi
ei ndash piei -1)
(n) = n(1-1p1)(1-1p2)hellip(1-1pk)
Zhijun Li S1034040Autumn08HIT 34
Eulerrsquos Theorem
bull Theorem If gcd(an)=1 then a(n) 1 mod n
bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues
modulo n
2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)
3 i=1(n) ri = i=1
(n) ari a(n) i=1(n) ri mod n
4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n
Zhijun Li S1034040Autumn08HIT 35
Fermatrsquos Little Theorem
bull For Eulerrsquos Theorem
Let n is p and p is a prime
Because for all 0ltaltp gcd(ap)=1 then
ap-1 1 mod p
Zhijun Li S1034040Autumn08HIT 36
bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)
bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)
bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)
Finding a-1 mod n
Zhijun Li S1034040Autumn08HIT 37
From Euclidean Algorithm
bull r0 =1r0+ 0r1 = s0r0+t0r1
bull r1 =0r0+ 1r1 = s1r0+t1r1
bull r2 = r0-q1r1 = s2r0+t2r1
bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1
helliphellipbull rn-1 = sn-1r0+tn-1r1
bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1
-1 mod r0
bull Find tn-1
Zhijun Li S1034040Autumn08HIT 38
si and ti
bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1
si=si-2-qi-1si-1
ti=ti-2-qi-1ti-1
bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0
Zhijun Li S1034040Autumn08HIT 39
Step 1 r0 =n and r1 =a
Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n
r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n
let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip
rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1
Step 3 Result is xn-2 =a-1 mod n
Extended Euclidean Algorithm
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
bull Definition The order of a finite group is the number of the elements in the group
bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S
bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H
(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a
ll coset is a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of Group Element
bull Definition The order of group element a is defined as the least positive integer n that
an = a a hellip a =e
bull The order of a is denoted as ord(a)
bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n
Zhijun Li S1034040Autumn08HIT 47
ord(a)|n Proof
bull Proofndash For group G and aG the set a a2 hellip aord
(a) and the operator of G forms a subgroup of G
aord(a)=e (ai)-1=a(ord(a)-i)
ndash This subgroup is denoted as ltagt
Zhijun Li S1034040Autumn08HIT 48
The Generator of Group
bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group
bull Examplendash Considering the ltZ7
gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod
7hellipbull lt124gt subgroup
ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator
Zhijun Li S1034040Autumn08HIT 49
Ringbull Definition A ring R=ltS+gt (+ is addition is
multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac
bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio
n and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic
ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers
e a-1 a = a-1 a = 1
bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
Field +-x
Relationship
Ring +-x
+-Group
Used In Cryptography
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
bull Zn
bull Zn
bull Zp
bull Polynomial Rings
bull Galois Field F2n
Zhijun Li S1034040Autumn08HIT 53
Zn
bull Zn is the ldquoringrdquo of integers modulo n
ndash Zn=0 1 2 hellipn-1
ndash Normal addition modulo nndash Normal multiplication modulo n
bull Example
ndash Z26 for English
ndash Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
bull Additive and multiplicative identities in Zn
ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n
bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn
bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn
ndash The elements in Zn have inverse x|gcd(xn)=1
Zhijun Li S1034040Autumn08HIT 55
Zn
bull Zn is a ldquogrouprdquo of integers modulo n
ndash Zn=x| gcd(xn)=1
ndash |Zn|=(n)
ndash Normal multiplication modulo n
bull Zn may not a group over +
ndash Example n=20 35 Zn but 3+5=8 Zn
bull So Zn may not a field
Zhijun Li S1034040Autumn08HIT 56
Zp
bull Zp is the ldquofieldrdquo of integers modulo n
ndash Zp=012hellipp-1
ndash Normal addition modulo pndash Normal multiplication modulo p
bull ExampleZ2+ 0 1
01
0 11 0
0 1
01
0 00 1
w -w w-1
01
01 1
XOR AND
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n-1} x^{n-1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0.
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R.

Polynomial Ring Example
• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z_2[x].
 – f(x) + g(x) = x^3 + x^2 + 1
 – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
 – f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x).
 – p(x) is an irreducible polynomial over R.
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x).

Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x)).
• Example
 – In Z_5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod (x^2 + 1)
  • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x), then b(x) = a^{-1}(x) mod p(x).

Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted b(x) | a(x).
• Definition: a polynomial a(x) is irreducible over R if there is NO non-constant polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x).

Example: Z_2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z_2[x], f(x) mod p(x) ∈ S.
• Example
 – x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x).

Z_2[x]/(x^3 + x + 1) Properties
• S is a group over addition in R.
 – 0 is e, and the inverse of a ∈ S is a itself.
 – Example: (x^2 + 1) + (x^2 + 1) = 0
• The nonzero elements of S form a group over multiplication mod p(x).
 – 1 is e, and the inverse of each such a ∈ S exists.
 – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod (x^3 + x + 1) = 1
 – Note: the Extended Euclidean Algorithm can be used to find the inverse.
• Z_2[x]/(x^3 + x + 1) is a field.

Galois Field
• Definition: Galois field = (S, +, ·)
 – S = F[x]/p(x)
 – F is the field Z_N (N is prime)
 – + is addition in F; · is multiplication modulo p(x)
 – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted GF(N^n) when n = deg p(x).

Why Galois Field?
• For an 8-bit block
 – Z_256 = {0, 1, …, 255} is not a field.
 – Z_251 = {0, 1, …, 250} is a field.
  • The largest prime < 256 is 251.
  • 251 … 255 are wasted.
• Is it possible to find a field for Z_256?
 – Yes – the Galois Field.

Galois Field for Z_256
• Build a mapping from n-bit blocks to polynomials.
• Example: 8-bit block
 10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z_2[x]/p(x) where deg p(x) = 8.
• Note: many cryptographic designs use binary Galois fields GF(2^n).

Galois Field Example: AES
• Bytes in AES use GF(2^8) = Z_2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1.
• Example
 – 01010011 ↔ x^6 + x^4 + x + 1
 – (01010011)^{-1} ↔ (x^6 + x^4 + x + 1)^{-1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES
• Example: 02 · 87 = ?
 • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
 • 02 = 00000010 ↔ f(x) = x
 • 02 · 87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, x·f(x) (multiplication by 02) for f = (b7 b6 b5 b4 b3 b2 b1 b0) is
 – (b6 b5 b4 b3 b2 b1 b0 0) if b7 = 0
 – (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011) if b7 = 1
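As an added example (not code from the lecture), the arithmetic above in Python: polynomials over Z_2 as bit strings, the multiply-by-02 rule as xtime, multiplication by shift-and-add, and the inverse via the Extended Euclidean Algorithm over Z_2[x]. The function names and the two field constants are this example's own; it reproduces the slides' values (x^2+1)·x = 1 in Z_2[x]/(x^3+x+1), x^4+1 ≡ x^2+x+1, and (01010011)^{-1} = 11001010 in the AES field.

```python
"""Arithmetic in binary Galois fields GF(2^n) = Z_2[x]/p(x).

Added example, not the lecture's code. A polynomial over Z_2 is stored as an
int whose bit i is the coefficient of x^i, so 0b1011 is x^3 + x + 1. Two
reducing polynomials from the slides are used (the names are this example's own).
"""

AES_POLY = 0b1_0001_1011    # x^8 + x^4 + x^3 + x + 1, the AES byte field
SMALL_POLY = 0b1011         # x^3 + x + 1, the slides' Z_2[x]/(x^3 + x + 1)


def poly_deg(a):
    """Degree of the polynomial encoded by a (-1 for the zero polynomial)."""
    return a.bit_length() - 1


def poly_str(a):
    """Render an encoded polynomial, e.g. 0b1011 -> 'x^3 + x + 1'."""
    if a == 0:
        return "0"
    terms = []
    for i in range(poly_deg(a), -1, -1):
        if (a >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


def poly_mul(a, b):
    """Plain multiplication in the ring Z_2[x] (no reduction): shift-and-XOR."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_divmod(a, b):
    """Long division in Z_2[x]: returns (quotient, remainder) with a = q*b + r."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, poly_deg(b)
    while a and poly_deg(a) >= db:
        shift = poly_deg(a) - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def xtime(a, poly=AES_POLY):
    """Multiply by x, i.e. by the byte 02 in AES: shift left, and if the top bit
    (b7 for AES) was set the x^n term overflows and is reduced by p(x), which
    for the AES polynomial is the XOR with 00011011 shown on the slide."""
    n = poly_deg(poly)
    a <<= 1
    if (a >> n) & 1:
        a ^= poly
    return a


def gf_mul(a, b, poly=AES_POLY):
    """a(x) * b(x) mod p(x), built from repeated xtime (shift-and-add)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a, poly)
        b >>= 1
    return result


def gf_inv(a, poly=AES_POLY):
    """a(x)^-1 mod p(x) by the Extended Euclidean Algorithm over Z_2[x].
    Invariant: r1 = t1 * a (mod p); only the t coefficients are tracked, as the
    slides note. When the remainder reaches 1, t1 is the inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1 = poly, a
    t0, t1 = 0, 1
    while r1 != 1:
        q, r = poly_divmod(r0, r1)
        if r == 0:
            raise ValueError("not invertible: p(x) is not irreducible")
        r0, r1 = r1, r
        t0, t1 = t1, poly_divmod(t0 ^ poly_mul(q, t1), poly)[1]
    return t1


def all_nonzero_invertible(poly):
    """The field property from the slides: every nonzero element has an inverse."""
    n = poly_deg(poly)
    return all(gf_mul(a, gf_inv(a, poly), poly) == 1 for a in range(1, 1 << n))
```

With the AES polynomial, gf_mul(0x02, 0x87) evaluates the slide's 02 · 87 example and gf_inv(0x53) returns 0xCA.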
Outline
• Number Theory
 – Prime Numbers
 – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
 – Information Theory
 – Complexity of Computing
 – Semantic Security

Mathematical Model for Ciphers
• P = M^L = {m = (m_1, m_2, …, m_L) | m_i ∈ M}
 – M = {a_i : i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1
• K = B^R = {b = (b_1, b_2, …, b_R) | b_i ∈ B}
 – B = {b_i : i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ M}
[Figure: Sender → Encryption (m → c) → Decryption → Receiver; the key k from the Key Space (K) is delivered over a Secure Channel; Cryptanalysis observes c and tries to recover m; Message Space (P), Ciphertext Space (C)]

Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." – R. G. Gallager
Claude Shannon, 1916–2001

Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
 – C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c] = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
 = ( Pr(m) · Σ_{k | m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)) )

Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext.
 – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P, ∀c ∀m: Pr[P = m] = Pr[P = m | C = c].
• Such a scheme is also said to have perfect secrecy.

Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|.
• Then the cryptosystem provides perfect secrecy if and only if
 – every key is used with equal probability 1/|K|,
 – and for all x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y.

Proof of ⇐
• Pr[x = x | y = y] = Σ_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[x = x] / Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)]
• Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|
• Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)] = 1/|K| · Σ_{k ∈ K, y ∈ C(k)} Pr[x = d_k(y)] = 1/|K| · Σ_{x ∈ P} Pr[x = x] = 1/|K|
• Hence Pr[x = x | y = y] = Pr[x = x].

Proof of ⇒ (unique key)
• Pr[y] > 0; Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y.
• |{e_k(x) | k ∈ K}| = |C| = |K|
 – There are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x).
 – There is a unique key k such that e_k(x) = y.

Proof of ⇒ (equal key probability)
• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}.
• Given a fixed y, assume k_1, k_2, …, k_n, where e_{k_i}(x_i) = y.
• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = k_i] · Pr[x_i] / Pr[y]
• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
 – Every key is used with equal probability 1/|K|.

"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n.
• Proof
 – Consider a nonzero probability distribution on P.
 – Given any C = c, for every m, Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m.
 – As one key can decrypt c into only one message, at least n keys are needed.
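An added example (not part of the lecture) that evaluates the Shannon-security condition Pr[P=m] = Pr[P=m|C=c] exhaustively with the formulas above, on a constructed one-symbol shift cipher over Z_n: with a uniform key it has perfect secrecy and the theorem's unique-key property, with a biased key it does not, and reusing one key for two symbols (|K| < |P|, the "bad news" theorem) breaks it. All function names and distributions are this example's own.

```python
"""Exhaustive check of Shannon's perfect-secrecy condition Pr[P=m] = Pr[P=m | C=c].

Added example, not the lecture's code. A cryptosystem is given as a plaintext
distribution {m: Pr[P=m]}, a key distribution {k: Pr[K=k]} and a function
enc(k, m) = e_k(m). Exact rational arithmetic keeps the equalities exact.
"""
from fractions import Fraction
from itertools import product


def ciphertext_dist(plain, keys, enc):
    """Pr[C=c] = sum over (k, m) with e_k(m) = c of Pr[K=k]*Pr[P=m] (slide formula)."""
    dist = {}
    for (m, pm), (k, pk) in product(plain.items(), keys.items()):
        c = enc(k, m)
        dist[c] = dist.get(c, Fraction(0)) + pk * pm
    return dist


def posterior(plain, keys, enc, m, c, cdist=None):
    """Pr[P=m | C=c] = Pr[C=c | P=m]*Pr[P=m] / Pr[C=c], where
    Pr[C=c | P=m] is the sum of Pr[K=k] over keys k with e_k(m) = c."""
    if cdist is None:
        cdist = ciphertext_dist(plain, keys, enc)
    pc_given_m = sum((pk for k, pk in keys.items() if enc(k, m) == c), Fraction(0))
    return pc_given_m * plain[m] / cdist[c]


def is_perfectly_secret(plain, keys, enc):
    """True iff Pr[P=m | C=c] == Pr[P=m] for every m and every c with Pr[C=c] > 0."""
    cdist = ciphertext_dist(plain, keys, enc)
    return all(posterior(plain, keys, enc, m, c, cdist) == plain[m]
               for c in cdist for m in plain)


def unique_key_property(plain, keys, enc):
    """Second condition of the theorem: for every x and y exactly one k has e_k(x) = y."""
    ciphers = {enc(k, m) for k in keys for m in plain}
    return all(sum(1 for k in keys if enc(k, x) == y) == 1
               for x in plain for y in ciphers)


def shift_system(n, keys=None):
    """Constructed toy: shift cipher on Z_n for one symbol (|K| = |P| = |C| = n).
    The plaintext distribution is deliberately skewed (symbol 0 has probability 1/2)
    so the check is not satisfied by symmetry alone."""
    plain = {m: Fraction(1, 2) if m == 0 else Fraction(1, 2 * (n - 1)) for m in range(n)}
    keys = keys or {k: Fraction(1, n) for k in range(n)}
    return plain, keys, (lambda k, m: (m + k) % n)


def biased_keys(n):
    """Constructed key distribution violating 'every key with probability 1/|K|'."""
    return {k: Fraction(1, 2) if k == 0 else Fraction(1, 2 * (n - 1)) for k in range(n)}


def reused_key_system(n):
    """Constructed 'bad news' case: two symbols encrypted under ONE shift key,
    so |K| = n < |P| = n^2 and perfect secrecy is impossible."""
    plain = {(a, b): Fraction(1, n * n) for a in range(n) for b in range(n)}
    keys = {k: Fraction(1, n) for k in range(n)}
    return plain, keys, (lambda k, m: ((m[0] + k) % n, (m[1] + k) % n))
```

In the reused-key system the ciphertext (0, 0) can only come from plaintext pairs with equal symbols, so the posterior of (0, 1) drops to 0: the ciphertext leaks information.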
Introduction of the Complexity
• Perfect secrecy: key length ≥ message length
 – Can NOT use one key to encrypt many messages.
 – Such as using a 56-bit key to encrypt a document (> 56 bits).
• So in modern cryptography
 – NOT perfect secrecy
 – IS secure under limited resources (complexity)
 – Meaning that key (or plaintext) recovery is difficult
 – Complexity is the foundation of modern cryptography

Problems
• Definition: A problem is a general question with associated parameters whose values are not specified.
• Example
 – Name: GCD problem
 – Instance: Two natural numbers a, b ∈ N
 – Question: What is the greatest common divisor of a and b?
 – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine
• Definition: A Turing Machine is δ: S × B → S × B × {l, r}
 – where S is the set of states, B is the set of characters, l is shift left and r is shift right.
[Figure: a tape … 0 1 1 0 0 0 1 1 … read by a State Machine]

Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer.
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem.

Problems and Algorithms
[Figure: a PROBLEM has INSTANCES, which are the Input to an ALGORITHM that produces the Output]

Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n.
• Time complexity function (TCF)
 – Logarithmic functions: f(n) = log(n)
 – Polynomial functions: f(n) = n^a, a ∈ N
 – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms.
 – The complexity of a problem is much more difficult to determine.
 – It relies on mathematical analysis.
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them.

Classes of Problem
• Undecidable – provably intractable
 – There is no algorithm that solves it.
 – Such as the Turing Halting Problem.
• Decidable
 – P – can be solved in polynomial time using a DTM
  • Example: AB
 – NP – can be solved in polynomial time using an NDTM, δ: S × B → 2^S
 – BPP – can be "solved" in polynomial time using a PTM, δ: S × B × {0, 1} → S (randomized algorithms)

NP Problem
• NP problem: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution.
• Remark
 – P problems ⊆ NP problems
 – NP problems are "more difficult", from intuition
• NPC: the most difficult problems in NP
 – How to define the difficulty?
 – A P problem is considered an easy problem.

Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and I1^+ and I2^+ are their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
 – f is computable in polynomial time by a DTM
 – for all x: x ∈ I1^+ iff f(x) ∈ I2^+
• Note
 – Q2 is more complex than Q1
 – Denoted Q1 ≤_poly Q2

NP Completeness (NPC)
• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc.
• Example
 – Name: Satisfiability problem (SAT)
 – Instance: A set U of variables and a collection C of clauses over U
 – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC
 – SAT ≤_poly Q

P = NP?
• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP
 – Modern cryptography is NOT secure.
• If ∃p ∈ NP with p ∉ P
 – A one-way function can be built based on p.
 – Indistinguishable pseudorandom functions exist.
 – They are foundations of modern cryptography.

BPP
• There are random algorithms in cryptography.
 – Especially in cryptanalysis.
 – BPP is the model for random algorithms.
• Remarks on BPP
 – The problem can be solved with some error probability.
 – The error probability can be reduced by repetition.
 – Security of cryptography is meaningful under BPP.
 – Will be analyzed in depth later.

Problems in Cryptography
• FACTORING: Factorize n (= p_1^{e_1} p_2^{e_2} … p_k^{e_k}).
• DLP: Find x satisfying g^x ≡ h (mod p).
• DHP: Find g^{ab} (mod p) from g^a (mod p) and g^b (mod p).
• Subset-Sum: Given a set of positive integers A = {a_1, a_2, …, a_n} and a positive integer s, determine whether there is a subset of A whose sum is s.
• QRP: Decide whether a is a quadratic residue modulo n.
• SQROOT: Find x satisfying x^2 ≡ a (mod n).

Semantic Security
• Ideas of Semantic Security
 – Between Shannon security and security based on complexity
 – Leaks partial information
 – Approximates perfect secrecy
• Definition of Semantic Security
 – Indistinguishability of ciphertexts
 – Difficult to distinguish the ciphertexts of different plaintexts
 – Difficult to distinguish ciphertext from random bits

IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
 – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε.
• Game between Challenger and Adversary
 – Challenger picks a random k and a random b ∈ {0, 1}.
 – Adversary picks M0, M1 of equal length.
 – Challenger returns the encryption of M_b under k; Adversary outputs a guess b'.
 – Attacker wins the game if b = b'.

Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε.
• Game between Challenger and Adversary
 1. Challenger picks a random k.
 2. Challenger picks a random M.
 3. Adversary picks i and outputs a guess a.
 – Attacker wins the game if a = the i'th bit of M.

Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure.
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security.
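The IND-CPA game simulated as an added example (not the lecture's code): a constructed deterministic keystream cipher loses to an adversary that merely re-asks the oracle for E_k(M0) and compares, while the same cipher with a fresh random nonce per encryption holds that adversary at exactly 0.5. The toy SHA-256 keystream, the ciphertext layout and all names are this example's assumptions.

```python
"""Simulation of the IND-CPA game on the slide. Added example, not the lecture's code.

Two constructed toy ciphers share one keystream generator (SHA-256 of key||nonce,
an assumption of this example only): one uses no nonce and is therefore
deterministic; the other draws a fresh nonce per encryption. A ciphertext is
the pair (nonce, body).
"""
import hashlib
import os


def _keystream(key, nonce, length):
    return hashlib.sha256(key + nonce).digest()[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enc_deterministic(key, msg):
    """No nonce: equal plaintexts always give equal ciphertexts."""
    return b"", _xor(msg, _keystream(key, b"", len(msg)))


def enc_randomized(key, msg):
    """Fresh 16-byte nonce per call, returned alongside the body."""
    nonce = os.urandom(16)
    return nonce, _xor(msg, _keystream(key, nonce, len(msg)))


def ind_cpa_game(enc, adversary, b, key=None):
    """One run of the slide's game with challenge bit b; True iff the guess b' == b.
    The adversary gets an encryption oracle under the challenge key (the
    chosen-plaintext part), chooses M0, M1 of equal length, receives E_k(M_b)
    and outputs b'."""
    key = key if key is not None else os.urandom(16)
    oracle = lambda m: enc(key, m)
    m0, m1 = adversary.choose(oracle)
    if len(m0) != len(m1):
        raise ValueError("M0 and M1 must have equal length")
    challenge = enc(key, (m0, m1)[b])
    return adversary.guess(oracle, challenge) == b


class CompareAdversary:
    """Asks the oracle for E_k(M0) and guesses 0 iff its body equals the challenge body."""
    M0 = b"ATTACK AT DAWN!!"   # constructed 16-byte messages
    M1 = b"RETREAT AT NOON!"

    def choose(self, oracle):
        return self.M0, self.M1

    def guess(self, oracle, challenge):
        _, body = oracle(self.M0)
        return 0 if body == challenge[1] else 1


def win_probability(enc, adversary, trials=50):
    """Fraction of games won, over both values of b and a fresh key per game."""
    wins = sum(ind_cpa_game(enc, adversary, b) for _ in range(trials) for b in (0, 1))
    return wins / (2 * trials)


def advantage(enc, adversary, trials=50):
    """The epsilon of the definition: win probability minus 1/2."""
    return win_probability(enc, adversary, trials) - 0.5
```

Against enc_randomized the comparison never matches (the oracle's nonce differs from the challenge's), so the adversary always answers 1 and is right exactly when b = 1.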
Summary
• Number Theory
 – Primes, gcd, Euler's Theorem, CRT
 – Modular arithmetic
• Algebraic Structures
 – Group, Field
 – Z_n, Z_p, GF(2^n)
• Shannon Security
 – Perfect secrecy
 – Probability
• Complexity of Computing
 – P, NP, NPC, BPP

Homework
• HTTP URL
 httpcsthiteducncryptography
• Due Date
Chinese Remainder Theorem
• Theorem: let n_1, n_2, …, n_k be integers s.t. gcd(n_i, n_j) = 1 (i ≠ j). Then the system
 x ≡ a_1 mod n_1
 x ≡ a_2 mod n_2
 ……
 x ≡ a_k mod n_k
 has a unique solution x modulo n = n_1 n_2 … n_k.

Proof of CRT
• Consider the one-to-one map Z_n → Z_{n_1} × Z_{n_2} × … × Z_{n_k},
 x ↦ (x mod n_1, x mod n_2, …, x mod n_k)
 – CRT is finding the inverse map: (a_1, a_2, …, a_k) ↦ Σ_{i=1}^{k} a_i m_i y_i mod n
 – m_i = n / n_i, gcd(m_i, n_i) = 1, 1 ≤ i ≤ k
 – y_i = m_i^{-1} mod n_i, 1 ≤ i ≤ k
 – m_i ≡ 0 mod n_j for j ≠ i ⇒ a_i m_i y_i ≡ 0 mod n_j for j ≠ i
 – y_j ≡ m_j^{-1} mod n_j ⇒ m_j y_j ≡ 1 mod n_j ⇒ a_j m_j y_j ≡ a_j mod n_j
 ⇒ (Σ_{i=1}^{k} a_i m_i y_i) mod n_j = a_j

Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1, then φ(mn) = φ(m)·φ(n).
• Proof
 – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT).
 – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively.
 – So φ(mn) = φ(m)·φ(n).

Finding Euler's phi Function
• φ(n) calculation for n = Π_{i=1}^{k} p_i^{e_i}
 – φ(p) = p − 1; φ(p^e) = p^e − p^{e−1}
  – The numbers kp with k = 1, …, p^{e−1} − 1 have gcd(kp, p^e) ≥ p
  – So φ(p^e) = (p^e − 1) − (p^{e−1} − 1)
 – φ(Π_{i=1}^{k} p_i^{e_i}) = Π_{i=1}^{k} (p_i^{e_i} − p_i^{e_i − 1})
 – φ(n) = n (1 − 1/p_1)(1 − 1/p_2) … (1 − 1/p_k)

Euler's Theorem
• Theorem: If gcd(a, n) = 1, then a^{φ(n)} ≡ 1 mod n.
• Proof
 1. Let R = {r_1, r_2, …, r_{φ(n)}} be a reduced set of residues modulo n.
 2. a·r_1, a·r_2, …, a·r_{φ(n)} is a permutation of R (gcd(a·r_i, n) = 1).
 3. Π_{i=1}^{φ(n)} r_i ≡ Π_{i=1}^{φ(n)} a·r_i ≡ a^{φ(n)} · Π_{i=1}^{φ(n)} r_i mod n
 4. gcd(Π_{i=1}^{φ(n)} r_i, n) = 1. Hence a^{φ(n)} ≡ 1 mod n.

Fermat's Little Theorem
• From Euler's Theorem:
 Let n be p, where p is a prime.
 Because for all 0 < a < p, gcd(a, p) = 1, we get
 a^{p−1} ≡ 1 mod p
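An added example (not the lecture's code) that computes φ(n) with the factorization formula above, checks it against the counting definition and the multiplicativity theorem, and verifies Euler's theorem, Fermat's little theorem and the permutation step of the proof. Function names are this example's own.

```python
"""Euler's phi function and Euler's/Fermat's theorems. Added example, not the
lecture's code; the function names are this example's own."""
from math import gcd


def factorize(n):
    """Trial-division factorization n = prod p_i^e_i, returned as {p_i: e_i}."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi_from_factors(n):
    """phi(n) = prod (p_i^e_i - p_i^(e_i-1)) = n * prod (1 - 1/p_i), the slide's formula.
    Dividing by p before multiplying by (p - 1) keeps every step an integer."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)
    return result


def phi_brute(n):
    """The definition: how many 1 <= k <= n satisfy gcd(k, n) = 1."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def phi_is_multiplicative(m, n):
    """The CRT-based theorem: phi(mn) = phi(m) * phi(n) when gcd(m, n) = 1."""
    if gcd(m, n) != 1:
        raise ValueError("theorem requires gcd(m, n) = 1")
    return phi_from_factors(m * n) == phi_from_factors(m) * phi_from_factors(n)


def euler_holds(a, n):
    """Euler's theorem: a^phi(n) ≡ 1 (mod n) whenever gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("theorem requires gcd(a, n) = 1")
    return pow(a, phi_from_factors(n), n) == 1


def fermat_holds(a, p):
    """Fermat's little theorem for prime p and 0 < a < p: a^(p-1) ≡ 1 (mod p)."""
    if not (0 < a < p):
        raise ValueError("need 0 < a < p")
    return pow(a, p - 1, p) == 1


def residue_permutation(a, n):
    """Step 2 of the proof: {a*r_i mod n} is a permutation of the reduced residues."""
    reduced = [r for r in range(1, n) if gcd(r, n) == 1]
    return sorted(a * r % n for r in reduced) == reduced
```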
Finding a^{-1} mod n
• Search through 1 … n−1 until an a^{-1} is found such that a·a^{-1} ≡ 1 (mod n)
 – T(n) = O(n)
• Compute a^{-1} = a^{φ(n)−1} mod n
 – Finding φ(n) requires factoring n
 – T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
 – T(n) = O(log^a n)

From Euclidean Algorithm
• r_0 = 1·r_0 + 0·r_1 = s_0 r_0 + t_0 r_1
• r_1 = 0·r_0 + 1·r_1 = s_1 r_0 + t_1 r_1
• r_2 = r_0 − q_1 r_1 = s_2 r_0 + t_2 r_1
• r_3 = r_1 − q_2 r_2 = r_1 − q_2 (r_0 − q_1 r_1) = s_3 r_0 + t_3 r_1
 ……
• r_{n−1} = s_{n−1} r_0 + t_{n−1} r_1
• r_{n−1} = gcd(r_0, r_1)
• s_{n−1} r_0 + t_{n−1} r_1 = 1 ⇒ t_{n−1} r_1 ≡ 1 mod r_0 ⇒ t_{n−1} ≡ r_1^{-1} mod r_0
• Find t_{n−1}

s_i and t_i
• r_0 = s_0 r_0 + t_0 r_1, s_0 = 1, t_0 = 0
• r_1 = s_1 r_0 + t_1 r_1, s_1 = 0, t_1 = 1
 ……
• r_i = r_{i−2} − q_{i−1} r_{i−1} = s_{i−2} r_0 + t_{i−2} r_1 − q_{i−1} s_{i−1} r_0 − q_{i−1} t_{i−1} r_1 = s_i r_0 + t_i r_1
 s_i = s_{i−2} − q_{i−1} s_{i−1}
 t_i = t_{i−2} − q_{i−1} t_{i−1}
• Only t_i is needed
• r_i = s_i r_0 + t_i r_1 ≡ t_i r_1 mod r_0

Extended Euclidean Algorithm
Step 1: r_0 = n and r_1 = a
Step 2: r_0 = q_1 r_1 + r_2; r_2 = r_0 − q_1 r_1 ≡ −q_1 r_1 mod n; let x_2 = −q_1, then r_2 ≡ x_2 r_1 mod n
 r_1 = q_2 r_2 + r_3; r_3 = r_1 − q_2 r_2 ≡ (1 − x_2 q_2) r_1 mod n; let x_3 = 1 − x_2 q_2, then r_3 ≡ x_3 r_1 mod n
 ……
 r_{n−3} = q_{n−2} r_{n−2} + r_{n−1}; r_{n−1} = r_{n−3} − q_{n−2} r_{n−2} mod n; let x_{n−1} = x_{n−3} − x_{n−2} q_{n−2}, then r_{n−1} ≡ x_{n−1} r_1 mod n. Now r_{n−1} = 1.
Step 3: Result is x_{n−1} ≡ a^{-1} mod n
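The Extended Euclidean Algorithm exactly as laid out above (only the coefficient of r_1 = a is tracked), beside the brute-force search from the first bullet, and the CRT construction x = Σ a_i m_i y_i from the earlier proof, as an added example that is not the lecture's code; the function names are this example's own.

```python
"""Modular inverses by the Extended Euclidean Algorithm and the CRT construction.
Added example, not the lecture's code; function names are the example's own."""
from math import gcd


def inverse_by_search(a, n):
    """The slide's first method: scan 1..n-1 for y with a*y ≡ 1 (mod n); O(n)."""
    for y in range(1, n):
        if a * y % n == 1:
            return y
    raise ValueError(f"{a} has no inverse mod {n}")


def egcd_inverse(a, n):
    """a^-1 mod n tracking only t_i (the coefficient of r_1 = a), as on the slides.
    r_0 = n, r_1 = a, r_{i+1} = r_{i-1} - q_i r_i and t_{i+1} = t_{i-1} - q_i t_i,
    which keeps r_i ≡ t_i * a (mod n); when the remainder reaches 1, t_i is the inverse."""
    r0, r1 = n, a % n
    t0, t1 = 0, 1
    while r1 > 1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r1 != 1:                      # remainder hit 0 first: gcd(a, n) = r0 != 1
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {r0}")
    return t1 % n


def has_inverse(a, n):
    """a is invertible mod n iff gcd(a, n) = 1 (the Z_n* membership test)."""
    return gcd(a, n) == 1


def crt(residues, moduli):
    """Solve x ≡ a_i (mod n_i) for pairwise coprime n_i by the proof's construction:
    x = sum a_i m_i y_i mod n with m_i = n / n_i and y_i = m_i^-1 mod n_i, so that
    m_i ≡ 0 (mod n_j) for j != i and m_i y_i ≡ 1 (mod n_i)."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    n = 1
    for ni in moduli:
        n *= ni
    x = 0
    for ai, ni in zip(residues, moduli):
        mi = n // ni
        yi = egcd_inverse(mi, ni)
        x += ai * mi * yi
    return x % n


def crt_check(x, residues, moduli):
    """Verify that x satisfies every congruence of the system."""
    return all(x % ni == ai % ni for ai, ni in zip(residues, moduli))
```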
Outline
• Number Theory
 – Prime Numbers
 – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
 – Information Theory
 – Complexity of Computing
 – Semantic Security

Algebraic Structures
• Why structures?
 – Cryptographic transforms normally live in some structures.
• Definition: An algebraic structure is the collection of a set (S) with one (or more) operations (·) performed on the elements of S.
 – Different algebraic structures are ⟨S, ·⟩ satisfying some specific conditions.

Group
• Definition: A group G = ⟨S, ·⟩ is an algebraic structure that satisfies the following conditions:
 – G1: ∀a, b ∈ S: a·b ∈ S (closure rule)
 – G2: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
 – G3: ∃e ∈ S, ∀a ∈ S: a·e = e·a = a
 – G4: ∀a ∈ S, ∃a^{-1} ∈ S: a·a^{-1} = a^{-1}·a = e
 – [G5, Abelian group]: ∀a, b: a·b = b·a

Group Example
• ⟨Z, +⟩: e = 0, a^{-1} = −a
• ⟨Z_n, +⟩ (Z_n = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a^{-1} = n − a
• ⟨Z_2, ⊕⟩ is also a group
• ⟨Z_p^*, ·⟩ (Z_p^* = {1, …, p−1}, '·' is multiplication modulo p)

Group Properties
• Definition: The order of a finite group is the number of elements in the group.
• Definition: A group G1 = ⟨S1, ·⟩ is a subgroup of the group G = ⟨S, ·⟩ if S1 ⊆ S.
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G.

Lagrange's Theorem Proof
(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G, the set aH = {ah | h ∈ H} is called a coset of H.
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅.
(3) Each element of G is in some coset (a ∈ aH since e ∈ H). So the cosets form a partition of G.
(4) The order of aH = the order of H.
So the order of H divides the order of G.

The Order of a Group Element
• Definition: The order of a group element a is defined as the least positive integer n such that
 a^n = a·a·…·a = e
• The order of a is denoted ord(a).
• Corollary: Suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n.

ord(a) | n Proof
• Proof
 – For a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operator of G forms a subgroup of G:
  a^{ord(a)} = e, (a^i)^{-1} = a^{ord(a) − i}
 – This subgroup is denoted ⟨a⟩.

The Generator of a Group
• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group.
• Example
 – Consider ⟨Z_7^*, ·⟩
 – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
  • ⟨{1, 2, 4}⟩ is a subgroup
 – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
  • 3 is a generator
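An added example (not the lecture's code) computing ord(a) in Z_n^*, the subgroup ⟨a⟩ and the generators, and checking the corollary ord(a) | |Z_n^*|; run on Z_7^* it reproduces the slide's ⟨2⟩ = {1, 2, 4} and generator 3. It generalises to any n (Z_n^* = {x : gcd(x, n) = 1}); function names are this example's own.

```python
"""Orders, cyclic subgroups and generators of Z_n^*. Added example, not the
lecture's code; function names are the example's own."""
from math import gcd


def units(n):
    """Z_n^* = {x in Z_n : gcd(x, n) = 1}, the multiplicative group modulo n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def order(a, n):
    """ord(a): least k >= 1 with a^k ≡ 1 (mod n); requires gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("a must be a unit mod n")
    k, x = 1, a % n
    while x != 1:
        x = x * a % n
        k += 1
    return k


def generated_subgroup(a, n):
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list (it always contains 1 = a^ord(a))."""
    return sorted(pow(a, i, n) for i in range(1, order(a, n) + 1))


def generators(n):
    """Elements whose order equals |Z_n^*|, i.e. that generate the whole group."""
    group = units(n)
    return [a for a in group if order(a, n) == len(group)]


def lagrange_check(n):
    """Corollary of Lagrange: ord(a) divides |Z_n^*| for every a in Z_n^*."""
    group = units(n)
    return all(len(group) % order(a, n) == 0 for a in group)


def subgroup_orders(n):
    """Map a -> ord(a) for all a in Z_n^*; each value is |<a>|, a divisor of |Z_n^*|."""
    return {a: order(a, n) for a in units(n)}
```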
Ring
• Definition: A ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) such that
 – R1: ∀a, b ∈ S: a + b ∈ S, a·b ∈ S (closure rule)
 – R2: ⟨S, +⟩ is an additive Abelian group
 – R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
 – R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c
• Example
 – The set of even integers with + and · is a ring.
 – p, q two primes, n = pq: Z_n = {0, 1, …, n−1} with addition and multiplication mod n is a ring.

Field
• Definition: A field F is ⟨S, +, ·⟩ with
 – F1: ⟨S, +, ·⟩ is a commutative ring (a·b = b·a)
 – F2: There exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
 – F3: Any nonzero element a ∈ S has its unique inverse: a^{-1}·a = a·a^{-1} = 1
• Example
 – Z_n = ⟨{0, 1, …, n−1}, +, ·⟩ is a field if n is a prime.

Relationship
[Figure: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷); all three are used in cryptography]

Several Important Structures
• Z_n
• Z_n^*
• Z_p
• Polynomial Rings
• Galois Field F_{2^n}

Z_n
• Z_n is the "ring" of integers modulo n
 – Z_n = {0, 1, 2, …, n−1}
 – Normal addition modulo n
 – Normal multiplication modulo n
• Example
 – Z_26 for English
 – Z_256 for ASCII

Z_n Properties
• Additive and multiplicative identities in Z_n
 – Additive identity is 0 mod n
 – Multiplicative identity is 1 mod n
• Additive inverse: yes
 – For every x in Z_n there is a number y such that x + y = 0
• Multiplicative inverse: not for all x
 – A number y such that x·y = 1
 – The elements in Z_n that have an inverse: {x | gcd(x, n) = 1}

Z_n^*
• Z_n^* is a "group" of integers modulo n
 – Z_n^* = {x | gcd(x, n) = 1}
 – |Z_n^*| = φ(n)
 – Normal multiplication modulo n
• Z_n^* may not be a group over +
 – Example: n = 20; 3, 5 ∈ Z_n^* but 3 + 5 = 8 ∉ Z_n^*
• So Z_n^* may not be a field

Z_p
• Z_p is the "field" of integers modulo p
 – Z_p = {0, 1, 2, …, p−1}
 – Normal addition modulo p
 – Normal multiplication modulo p
• Example: Z_2
 Addition (XOR)      Multiplication (AND)      Inverses
 + | 0 1             · | 0 1                   w   −w   w^{-1}
 0 | 0 1             0 | 0 0                   0    0    –
 1 | 1 0             1 | 0 1                   1    1    1
Polynomial Ring
bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0
bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
• Game (Challenger vs. Adversary)
 – 1. Challenger picks a random key k
 – 2. Challenger picks a random message M
 – 3. Adversary picks i
 – Attacker wins the game if its output a = the i'th bit of M
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
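The IND and bit-security games of slides 94-96 and the reduction in the proof sketch, run against two constructed toy ciphers (an added example, not the lecture's code; leaky_encrypt, leak_predictor and ReductionAdversary are my own names and the 8-bit block size is an arbitrary choice).

```python
"""IND (eavesdropper) game, bit-security game, and the reduction that turns a
bit-guessing attacker into an IND attacker.  Added example; the ciphers and
attackers are constructed toys for illustrating the definitions."""
import random

BLOCK_BITS = 8
MASK = (1 << BLOCK_BITS) - 1


def otp_encrypt(key, m):
    """One-time pad on a single block: hides every bit when the key is fresh."""
    return key ^ m


def leaky_encrypt(key, m):
    """Constructed weak cipher: a pad whose key always has bit 0 clear, so
    ciphertext bit 0 equals plaintext bit 0 (bit-insecure for i = 0)."""
    return (key & ~1) ^ m


def ind_game(encrypt, adversary, rng):
    """One round of the IND game; True if the adversary's guess equals b."""
    key = rng.getrandbits(BLOCK_BITS)
    b = rng.getrandbits(1)
    m0, m1 = adversary.choose_messages(rng)
    c = encrypt(key, (m0, m1)[b])
    return adversary.guess(c, m0, m1) == b


def bit_game(encrypt, predict_bit, i, rng):
    """Bit-security game: the attacker sees c and tries to output bit i of M."""
    key = rng.getrandbits(BLOCK_BITS)
    m = rng.getrandbits(BLOCK_BITS)
    c = encrypt(key, m)
    return predict_bit(c, i) == (m >> i) & 1


def leak_predictor(c, i):
    """Bit attacker against leaky_encrypt: reads bit i straight from the ciphertext."""
    return (c >> i) & 1


class ReductionAdversary:
    """Slide 96's construction: from a bit-i predictor build an IND adversary.
    Choose M0, M1 that differ only in bit i, then output the predicted bit,
    which equals b exactly when the prediction is right."""

    def __init__(self, predict_bit, i):
        self.predict_bit, self.i = predict_bit, i

    def choose_messages(self, rng):
        m0 = rng.getrandbits(BLOCK_BITS) & ~(1 << self.i)   # bit i = 0
        m1 = m0 | (1 << self.i)                             # bit i = 1
        return m0, m1

    def guess(self, c, m0, m1):
        return self.predict_bit(c, self.i)


def win_rate(game_round, trials=2000, seed=1):
    """Fraction of rounds won; the seed makes runs reproducible."""
    rng = random.Random(seed)
    return sum(game_round(rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    adv = ReductionAdversary(leak_predictor, 0)
    # The bit attacker wins the bit game on the leaky cipher every round...
    print(win_rate(lambda rng: bit_game(leaky_encrypt, leak_predictor, 0, rng)))  # 1.0
    # ...so the reduction wins the IND game every round, too.
    print(win_rate(lambda rng: ind_game(leaky_encrypt, adv, rng)))              # 1.0
    # Against the one-time pad the same adversary is at chance (about 0.5).
    print(win_rate(lambda rng: ind_game(otp_encrypt, adv, rng)))
```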
Zhijun Li S1034040Autumn08HIT 97
Summary
• Number Theory
 – Primes, gcd, Euler's Theorem, CRT
 – Modular arithmetic
• Algebraic Structures
 – Group, Field
 – Zn, Zp, GF(2^n)
• Shannon Security
 – Perfect secrecy
 – Probability
• Complexity of Computing
 – P, NP, NPC, BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
• HTTP URL
httpcsthiteducncryptography
• Due Date
Zhijun Li S1034040Autumn08HIT 31
Proof of CRT
• Consider the one-to-one map from Zn to Zn1 × Zn2 × … × Znk,
 x ↦ (x mod n1, x mod n2, …, x mod nk)
 – CRT is to find the inverse map (a1, a2, …, ak) ↦ x
• x = ∑(i=1..k) ai · mi · yi mod n
 – mi = n / ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
 – yi = mi^-1 mod ni, 1 ≤ i ≤ k
 – mi ≡ 0 (mod nj) for j ≠ i, so ai · mi · yi ≡ 0 (mod nj) for j ≠ i
 – yj = mj^-1 mod nj, so mj · yj ≡ 1 (mod nj) and aj · mj · yj ≡ aj (mod nj)
 – Hence x mod nj = aj for every j
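The inverse map above, implemented with the same mi and yi construction (an added example, not code from the lecture; the moduli 3, 5, 7 are a constructed sample, and yi is obtained from Python's built-in pow(m, -1, n) rather than the Extended Euclidean Algorithm of later slides).

```python
"""Chinese Remainder Theorem: the map x -> (x mod n_i) and its inverse built
from m_i = n / n_i and y_i = m_i^-1 mod n_i.  Added example, not lecture code."""
from functools import reduce
from math import gcd


def crt_map(x, moduli):
    """The one-to-one map x -> (x mod n1, ..., x mod nk)."""
    return tuple(x % n for n in moduli)


def crt_inverse(residues, moduli):
    """Rebuild x from (a1, ..., ak) as sum(ai * mi * yi) mod n.

    Raises ValueError if the moduli are not pairwise coprime: then the map is
    not one-to-one and some tuples have no preimage at all.
    """
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus is required")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    n = reduce(lambda acc, ni: acc * ni, moduli, 1)
    x = 0
    for ai, ni in zip(residues, moduli):
        mi = n // ni              # m_i ≡ 0 (mod n_j) for every j != i
        yi = pow(mi, -1, ni)      # exists because gcd(m_i, n_i) = 1
        x += ai * mi * yi
    return x % n


def check_round_trip(moduli):
    """Verify that crt_inverse really inverts crt_map for every x in Z_n."""
    n = reduce(lambda acc, ni: acc * ni, moduli, 1)
    return all(crt_inverse(crt_map(x, moduli), moduli) == x for x in range(n))


if __name__ == "__main__":
    moduli = (3, 5, 7)                    # constructed sample, n = 105
    print(crt_map(23, moduli))            # (2, 3, 2)
    print(crt_inverse((2, 3, 2), moduli)) # 23
    print(check_round_trip(moduli))       # True
```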
Zhijun Li S1034040Autumn08HIT 32
Finding Eulerrsquos phi Function
• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m) · φ(n)
• Proof
 – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
 – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
 – So φ(mn) = φ(m) · φ(n)
Zhijun Li S1034040Autumn08HIT 33
Finding Eulerrsquos phi Function
• φ(n) calculation for n = ∏(i=1..k) pi^ei
• φ(p) = p - 1, φ(p^e) = p^e - p^(e-1)
 – The numbers kp with gcd(kp, p^e) = p, k = 1, …, p^(e-1) - 1, are not coprime to p^e
 – So φ(p^e) = (p^e - 1) - (p^(e-1) - 1)
• φ(∏(i=1..k) pi^ei) = ∏(i=1..k) (pi^ei - pi^(ei-1))
• φ(n) = n (1 - 1/p1)(1 - 1/p2) … (1 - 1/pk)
Zhijun Li S1034040Autumn08HIT 34
Eulerrsquos Theorem
• Theorem: if gcd(a, n) = 1 then a^φ(n) ≡ 1 (mod n)
• Proof
 1. Let R = {r1, r2, …, rφ(n)} be the set of reduced residues modulo n
 2. {a·r1, a·r2, …, a·rφ(n)} is a permutation of R (since gcd(a·ri, n) = 1)
 3. ∏(i=1..φ(n)) ri ≡ ∏(i=1..φ(n)) a·ri ≡ a^φ(n) · ∏(i=1..φ(n)) ri (mod n)
 4. gcd(∏(i=1..φ(n)) ri, n) = 1, hence a^φ(n) ≡ 1 (mod n)
Zhijun Li S1034040Autumn08HIT 35
Fermatrsquos Little Theorem
• From Euler's Theorem:
 Let n = p where p is a prime
 Because gcd(a, p) = 1 for all 0 < a < p,
 a^(p-1) ≡ 1 (mod p)
Zhijun Li S1034040Autumn08HIT 36
Finding a^-1 mod n
• Search through 1, …, n-1 until an a^-1 is found such that a · a^-1 ≡ 1 (mod n)
 – T(n) = O(n)
• Compute a^-1 = a^(φ(n)-1) mod n
 – Finding φ(n) requires factoring n
 – T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
 – T(n) = O(log^a n)
Zhijun Li S1034040Autumn08HIT 37
From Euclidean Algorithm
• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 - q1·r1 = s2·r0 + t2·r1
• r3 = r1 - q2·r2 = r1 - q2(r0 - q1·r1) = s3·r0 + t3·r1
 ……
• rn-1 = sn-1·r0 + tn-1·r1
• rn-1 = gcd(r0, r1)
• If sn-1·r0 + tn-1·r1 = 1 then tn-1·r1 ≡ 1 (mod r0), i.e. tn-1 ≡ r1^-1 (mod r0)
• So: find tn-1
Zhijun Li S1034040Autumn08HIT 38
si and ti
• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
 ……
• ri = ri-2 - qi-1·ri-1 = si-2·r0 + ti-2·r1 - qi-1·si-1·r0 - qi-1·ti-1·r1 = si·r0 + ti·r1
 si = si-2 - qi-1·si-1
 ti = ti-2 - qi-1·ti-1
• Only ti is needed
• ri = si·r0 + ti·r1 ≡ ti·r1 (mod r0)
Zhijun Li S1034040Autumn08HIT 39
Extended Euclidean Algorithm
Step 1: r0 = n and r1 = a
Step 2: r0 = q1·r1 + r2, r2 = r0 - q1·r1 ≡ -q1·r1 (mod n); let x2 = -q1, then r2 ≡ x2·r1 (mod n)
 r1 = q2·r2 + r3, r3 = r1 - q2·r2 ≡ (1 - x2·q2)·r1 (mod n)
 let x3 = 1 - x2·q2, then r3 ≡ x3·r1 (mod n)
 ……
 rn-3 = qn-2·rn-2 + rn-1, rn-1 = rn-3 - qn-2·rn-2 (mod n); let xn-1 = xn-3 - xn-2·qn-2, then rn-1 ≡ xn-1·r1 (mod n). Now rn-1 = 1
Step 3: Result is xn-1 = a^-1 mod n
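The three methods of the "Finding a^-1 mod n" slide and the ti recurrence of the three slides after it, side by side (an added example, not the lecture's own code; the trial-division factorization used to obtain φ(n), and the sample values 7, 26 and 84, are my own choices).

```python
"""a^-1 mod n three ways: exhaustive search, Euler's Theorem (needs phi(n), hence
the factorization of n), and the Extended Euclidean Algorithm tracking only t_i.
Added example, not lecture code."""
from math import gcd


def factorize(n):
    """Trial-division factorization: returns {p: e} with n = prod p^e."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def euler_phi(n):
    """phi(n) = prod (p^e - p^(e-1)) over the prime factorization."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def inverse_by_search(a, n):
    """Method 1: scan 1..n-1 for x with a*x ≡ 1 (mod n); O(n) multiplications."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    return None


def inverse_by_euler(a, n):
    """Method 2: a^-1 = a^(phi(n)-1) mod n, valid only when gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        return None
    return pow(a, euler_phi(n) - 1, n)


def inverse_by_ext_euclid(a, n):
    """Method 3: Euclid with r0 = n, r1 = a, carrying t_i = t_{i-2} - q_{i-1} t_{i-1}.
    When the last nonzero remainder is 1 its t is a^-1 mod n; otherwise gcd != 1."""
    r_prev, r_cur = n, a % n
    t_prev, t_cur = 0, 1          # t0 = 0, t1 = 1
    while r_cur != 0:
        q = r_prev // r_cur
        r_prev, r_cur = r_cur, r_prev - q * r_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    if r_prev != 1:               # gcd(n, a) != 1: a is not invertible
        return None
    return t_prev % n


def all_methods_agree(a, n):
    """Cross-check the three methods on one input."""
    return inverse_by_search(a, n) == inverse_by_euler(a, n) == inverse_by_ext_euclid(a, n)


if __name__ == "__main__":
    print(euler_phi(84))                 # 24  (84 = 2^2 * 3 * 7)
    print(inverse_by_ext_euclid(7, 26))  # 15  (7 * 15 = 105 = 4 * 26 + 1)
    print(all_methods_agree(7, 26))      # True
    print(inverse_by_ext_euclid(6, 26))  # None (gcd(6, 26) = 2)
```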
Zhijun Li S1034040Autumn08HIT 40
Outline
• Number Theory
 – Prime Numbers
 – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
 – Information Theory
 – Complexity of Computing
 – Semantic Security
Zhijun Li S1034040Autumn08HIT 41
Algebraic Structures
• Why structures?
 – Cryptographic transforms normally live in some algebraic structure
• Definition: an algebraic structure is a collection of a set S with one or more operations (∘) performed on the elements of S
 – Different algebraic structures are <S, ∘> satisfying some specific conditions
Zhijun Li S1034040Autumn08HIT 42
Group
• Definition: a group G = <S, ∘> is an algebraic structure that satisfies the following conditions
 – G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
 – G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c)
 – G3: ∃e ∈ S, ∀a ∈ S, a∘e = e∘a = a
 – G4: ∀a ∈ S, ∃a^-1 ∈ S, a∘a^-1 = a^-1∘a = e
 – [G5, Abelian group]: ∀a, b, a∘b = b∘a
Zhijun Li S1034040Autumn08HIT 43
Group Example
• <Z, +>: e = 0, a^-1 = -a
• <Zn, +> (Zn = {0, 1, …, n-1}, '+' is addition modulo n): e = 0, a^-1 = n - a
• <Z2, ∘> is also a group
• <Zp*, ·> (Zp* = {1, …, p-1}, '·' is multiplication modulo p)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
• Definition: the order of a finite group is the number of elements in the group
• Definition: a group G1 = <S1, ∘> is a subgroup of the group G = <S, ∘> if S1 ⊆ S
• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (since e ∈ H, a ∈ aH), so the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of Group Element
• Definition: the order of a group element a is the least positive integer n such that
 a^n = a∘a∘…∘a = e
• The order of a is denoted ord(a)
• Corollary: suppose G is a finite group of order n and a ∈ G; then ord(a) | n
Zhijun Li S1034040Autumn08HIT 47
ord(a)|n Proof
• Proof
 – For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operation of G forms a subgroup of G
 a^ord(a) = e, (a^i)^-1 = a^(ord(a)-i)
 – This subgroup is denoted <a>; its order is ord(a), so by Lagrange's Theorem ord(a) | n
Zhijun Li S1034040Autumn08HIT 48
The Generator of Group
• Definition: if all elements of a group can be generated by a single element g, then g is called a generator of the group
• Example
 – Consider <Z7*, ·>
 – 2 generates: 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), …
 • <{1, 2, 4}> is a subgroup
 – 3 generates: 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1 (mod 7), …
 • 3 is a generator
Zhijun Li S1034040Autumn08HIT 49
Ring
• Definition: a ring R = <S, +, ·> (+ is addition, · is multiplication) such that
 – R1: ∀a, b ∈ S, a + b ∈ S and a·b ∈ S (closure rule)
 – R2: <S, +> is an additive Abelian group
 – R3: ∀a, b, c ∈ S, (a·b)·c = a·(b·c)
 – R4: ∀a, b, c ∈ S, a·(b + c) = a·b + a·c
• Example
 – The set of even integers with + and · is a ring
 – For two primes p, q and n = pq, Zn = {0, 1, …, n-1} with addition and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
• Definition: a field F is <S, +, ·> with
 – F1: <S, +, ·> is a commutative ring (a·b = b·a)
 – F2: there exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
 – F3: any nonzero element a ∈ S has a unique inverse a^-1: a·a^-1 = a^-1·a = 1
• Example
 – Zn = <{0, 1, …, n-1}, +, ·> is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
Relationship
(Diagram: Group: +, -; Ring: +, -, ×; Field: +, -, ×, ÷; all three are used in cryptography)
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F_2^n
Zhijun Li S1034040Autumn08HIT 53
Zn
• Zn is the "ring" of integers modulo n
 – Zn = {0, 1, 2, …, n-1}
 – Normal addition modulo n
 – Normal multiplication modulo n
• Example
 – Z26 for English
 – Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
• Additive and multiplicative identities in Zn
 – Additive identity is 0 mod n
 – Multiplicative identity is 1 mod n
• Additive inverse: yes
 – For every x in Zn there is a y such that x + y = 0
• Multiplicative inverse: not for all x
 – A number y such that x·y = 1
 – The elements of Zn that have an inverse: {x | gcd(x, n) = 1}
Zhijun Li S1034040Autumn08HIT 55
Zn
• Zn* is a "group" of integers modulo n
 – Zn* = {x | gcd(x, n) = 1}
 – |Zn*| = φ(n)
 – Normal multiplication modulo n
• Zn* may not be a group over +
 – Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field
Zhijun Li S1034040Autumn08HIT 56
Zp
• Zp is the "field" of integers modulo p
 – Zp = {0, 1, 2, …, p-1}
 – Normal addition modulo p
 – Normal multiplication modulo p
• Example: Z2
 +  | 0 1       ·  | 0 1       w | -w  w^-1
 ---+-----      ---+-----      --+----------
 0  | 0 1       0  | 0 0       0 | 0   (none)
 1  | 1 0       1  | 0 1       1 | 1   1
 (+ is XOR, · is AND)
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + an-1·x^(n-1) + … + a1·x + a0, where each ai ∈ R and n ≥ 0
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
• Example: let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
 – f(x) + g(x) = x^3 + x^2 + 1
 – f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1
 – f(x) · g(x) = x^5 + x^4 + x^3 + x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
• Definition: the set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
 – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) - b(x))
• Example
 – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 (mod x^2 + 1)
 • 3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: if a(x)·b(x) ≡ 1 (mod p(x)) then b(x) = a^-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)
Zhijun Li S1034040Autumn08HIT 62
Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
 – x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)
Zhijun Li S1034040Autumn08HIT 63
Z2[x]/(x^3 + x + 1) Properties
• S is a group over addition in R
 – 0 is e and the inverse of a ∈ S is a itself
 – Example: (x^2 + 1) + (x^2 + 1) = 0
• S is a group over multiplication mod p(x)
 – 1 is e and every nonzero a ∈ S has an inverse
 – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x (mod x^3 + x + 1) = 1
 – Note: the Extended Euclidean Algorithm can be used to find inverses
• Z2[x]/(x^3 + x + 1) is a field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
• Definition: a Galois field is (S, +, ·) where
 – S = F[x]/p(x)
 – F is the field ZN (N is prime)
 – + is addition in F, · is multiplication modulo p(x)
 – p(x) is irreducible
• The Galois field over ZN[x]/p(x) is denoted GF(N^n) where n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
• For an 8-bit block
 – Z256 = {0, 1, …, 255} is not a field
 – Z251 = {0, 1, …, 250} is a field
 • The largest prime < 256 is 251
 • 251, …, 255 are wasted
• Is it possible to find a field for Z256?
 – Yes: the Galois field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
 10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
 – 01010011 ↔ x^6 + x^4 + x + 1
 – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010
Zhijun Li S1034040Autumn08HIT 68
Galois Field Example: AES
• Example: compute 02 · 87
 • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
 • 02 = 00000010 ↔ x
 • 02 · 87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, for a byte b7 b6 b5 b4 b3 b2 b1 b0:
 x·f(x) ↔ 02 · b = (b6 b5 b4 b3 b2 b1 b0 0) if b7 = 0
 = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011) if b7 = 1
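Arithmetic in Z2[x]/p(x) with polynomials held as integers (bit i is the coefficient of x^i), covering the reduction example of the Z2[x]/(x^3 + x + 1) slide, the AES field and the 02 · b rule above (an added example, not the lecture's code; AES_POLY = 0x11B encodes x^8 + x^4 + x^3 + x + 1, and the helper names are mine).

```python
"""GF(2^n) = Z2[x]/p(x) arithmetic on integer-encoded polynomials: reduction,
shift-and-add multiplication, inversion, and the AES xtime rule.
Added example, not lecture code."""

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1 (AES)
GF8_POLY = 0b1011  # x^3 + x + 1 (the 8-element example field)


def poly_degree(a):
    return a.bit_length() - 1


def poly_mod(a, p):
    """a(x) mod p(x) over Z2: XOR in shifted copies of p(x) until deg a < deg p."""
    dp = poly_degree(p)
    while a and poly_degree(a) >= dp:
        a ^= p << (poly_degree(a) - dp)
    return a


def gf_mul(a, b, p):
    """a(x) * b(x) mod p(x): shift-and-add, reducing after every doubling."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a = poly_mod(a << 1, p)      # a(x) <- x * a(x) mod p(x)
    return result


def gf_inv(a, p):
    """Inverse via a^(2^n - 2): the nonzero elements form a group of order 2^n - 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in a field")
    exponent = (1 << poly_degree(p)) - 2
    result, base = 1, a
    while exponent:                  # square-and-multiply
        if exponent & 1:
            result = gf_mul(result, base, p)
        base = gf_mul(base, base, p)
        exponent >>= 1
    return result


def xtime(b):
    """AES rule for 02 * b: shift left, XOR 0x1B if the x^7 bit was set."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


if __name__ == "__main__":
    print(bin(poly_mod(0b10001, GF8_POLY)))   # 0b111: x^4 + 1 ≡ x^2 + x + 1
    print(gf_mul(0b101, 0b010, GF8_POLY))     # 1: (x^2 + 1) * x ≡ 1 mod x^3 + x + 1
    print(hex(gf_inv(0x53, AES_POLY)))        # 0xca, the inverse quoted on the AES slide
    print(hex(xtime(0x87)), hex(gf_mul(0x02, 0x87, AES_POLY)))  # 0x15 0x15
```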
Zhijun Li S1034040Autumn08HIT 69
Outline
• Number Theory
 – Prime Numbers
 – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
 – Information Theory
 – Complexity of Computing
 – Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
 – M = {ai | i = 1, 2, …, N}, p(ai) ≥ 0, ∑(i=1..N) p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
 – B = {bi | i = 1, 2, …, S}, p(bi) ≥ 0, ∑(i=1..S) p(bi) = 1
• C = {c | c = ek(m), k ∈ K, m ∈ M}
(Diagram: Sender → Encryption → c → Decryption → Receiver, with the key k delivered over a Secure Channel and Cryptanalysis observing c; Message Space (P), Key Space (K), Ciphertext Space (C))
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." (R. G. Gallager)
Claude Shannon, 1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
• Pr[C = c] = ∑(k ∈ K, c ∈ C(k)) Pr[K = k] · Pr[P = dk(c)]
 – C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = ∑(k ∈ K, m = dk(c)) Pr[K = k]
• Pr[P = m | C = c]
 = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
 = ( Pr(m) · ∑(k | m = dk(c)) Pr(k) ) / ( ∑(k ∈ K, c ∈ C(k)) Pr(k) · Pr(dk(c)) )
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
 – How to define "information"?
• Definition: an encryption scheme is Shannon secure if, for the probability distribution of P,
 ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
 – every key is used with equal probability 1/|K|, and
 – for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of the "if" direction
• Pr[x | y] = ( ∑(k ∈ K, x = dk(y)) Pr[K = k] · Pr[x] ) / ( ∑(k ∈ K, y ∈ C(k)) Pr[K = k] · Pr[dk(y)] )
• Numerator: ∑(k ∈ K, x = dk(y)) Pr[K = k] = 1/|K| (a unique, equiprobable key)
• Denominator: ∑(k ∈ K, y ∈ C(k)) Pr[K = k] · Pr[dk(y)] = 1/|K| · ∑(k ∈ K, y ∈ C(k)) Pr[dk(y)] = 1/|K| · ∑(x ∈ P) Pr[x] = 1/|K|
• Hence Pr[x | y] = Pr[x]
Zhijun Li S1034040Autumn08HIT 76
Proof of the "only if" direction (1)
• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
• Fix x ∈ P; for every y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
 – There are no k1 ≠ k2 with ek1(x) = ek2(x)
 – There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of the "only if" direction (2)
• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with eki(xi) = y
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
 – Every key is used with equal probability 1/|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
 – Consider a nonzero probability distribution on P
 – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
 – As one key decrypts c into one message, at least n keys are needed
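The distributions of the "Probability Distribution of C" slide and the perfect-secrecy condition, evaluated exhaustively on two small constructed ciphers: a one-time pad with |K| = |P| = |C| and a XOR cipher with only two keys for four messages, which the "bad news" theorem says cannot be perfectly secret (an added example, not from the lecture; the message distribution is a constructed sample).

```python
"""Brute-force check of Shannon's perfect secrecy: compute Pr[C=c] and
Pr[P=m | C=c] from the key and plaintext distributions and compare with Pr[P=m].
Added example, not lecture code."""
from fractions import Fraction


def ciphertext_distribution(plaintext_dist, key_dist, encrypt):
    """Pr[C = c] = sum over (m, k) with e_k(m) = c of Pr[K = k] * Pr[P = m]."""
    dist = {}
    for m, pm in plaintext_dist.items():
        for k, pk in key_dist.items():
            c = encrypt(k, m)
            dist[c] = dist.get(c, 0) + pk * pm
    return dist


def posterior(plaintext_dist, key_dist, encrypt, m, c):
    """Pr[P = m | C = c] via Bayes: Pr[C=c | P=m] * Pr[P=m] / Pr[C=c]."""
    pc = ciphertext_distribution(plaintext_dist, key_dist, encrypt)[c]
    pc_given_m = sum(pk for k, pk in key_dist.items() if encrypt(k, m) == c)
    return pc_given_m * plaintext_dist[m] / pc


def is_perfectly_secret(plaintext_dist, key_dist, encrypt):
    """Shannon's condition: every ciphertext leaves the plaintext distribution unchanged."""
    cdist = ciphertext_distribution(plaintext_dist, key_dist, encrypt)
    for m, pm in plaintext_dist.items():
        for c in cdist:
            if posterior(plaintext_dist, key_dist, encrypt, m, c) != pm:
                return False
    return True


# Constructed sample: 2-bit messages with a skewed (non-uniform) distribution.
MESSAGES = {0b00: Fraction(1, 2), 0b01: Fraction(1, 4),
            0b10: Fraction(1, 8), 0b11: Fraction(1, 8)}
# One-time pad: |K| = |P| = |C| = 4, equiprobable keys, one key per (m, c) pair.
OTP_KEYS = {k: Fraction(1, 4) for k in range(4)}
# "Bad news" cipher: only 2 keys for 4 messages, so |K| < |P|.
SHORT_KEYS = {0b00: Fraction(1, 2), 0b11: Fraction(1, 2)}


def xor_encrypt(k, m):
    return k ^ m


if __name__ == "__main__":
    print(is_perfectly_secret(MESSAGES, OTP_KEYS, xor_encrypt))    # True
    print(is_perfectly_secret(MESSAGES, SHORT_KEYS, xor_encrypt))  # False
    # With the short key set, seeing c = 01 rules out m = 00 completely.
    print(posterior(MESSAGES, SHORT_KEYS, xor_encrypt, 0b00, 0b01))  # 0
```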
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
• Perfect secrecy: key length ≥ message length
 – Cannot use one key to encrypt many messages
 – For example, using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
 – NOT perfect secrecy
 – Secure under limited resources (complexity)
 – Meaning that key (or plaintext) recovery is difficult
 – Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
 – Name: GCD problem
 – Instance: two natural numbers a, b ∈ N
 – Question: what is the greatest common divisor of a and b?
 – An instance of the GCD problem: what is gcd(24, 16)?
Zhijun Li S1034040Autumn08HIT 81
Turing Machine
• Definition: a Turing Machine is given by a transition function S × B → S × B × {l, r}
 – where S is the set of states, B the set of tape characters, l is shift left and r is shift right
(Diagram: a tape … 0 1 1 0 0 0 1 1 … read and written by a state machine)
Zhijun Li S1034040Autumn08HIT 82
Algorithms
• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Zhijun Li S1034040Autumn08HIT 83
Problems and Algorithms
(Diagram: PROBLEM → INSTANCES → Input → ALGORITHM → Output)
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
 – Logarithmic functions: f(n) = log(n)
 – Polynomial functions: f(n) = n^a, a ∈ N
 – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n)= O(b^n)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
 – The complexity of a problem is much more difficult to determine
 – It relies on mathematical analysis
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
• Undecidable: provably intractable
 – There is no algorithm that solves it
 – Such as the Turing Halting Problem
• Decidable
 – P: can be solved in polynomial time using a DTM
 • Example: A · B
 – NP: can be solved in polynomial time using an NDTM, S × B → 2^(S × B × {l, r})
 – BPP: can be "solved" in polynomial time using a PTM, S × B × {0, 1} → S × B × {l, r} (randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
 – P problems ⊆ NP problems
 – NP problems are "more difficult" by intuition
• NPC: the most difficult problems in NP
 – How to define the difficulty?
 – P problems are considered easy problems
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
• Definition: assume Q1, Q2 ∈ NP and I1+ and I2+ are their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
 – f is computable in polynomial time by a DTM
 – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
 – Q2 is at least as complex as Q1
 – Denoted Q1 ≤poly Q2
Zhijun Li S1034040Autumn08HIT 89
NP Completeness (NPC)
• Definition: an NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
 – Name: Satisfiability problem (SAT)
 – Instance: a set U of variables and a collection C of clauses over U
 – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC
 – SAT ≤poly Q
Zhijun Li S1034040Autumn08HIT 90
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
Finding Euler's phi Function

• Computing $\varphi(n)$ for $n = \prod_{i=1}^{k} p_i^{e_i}$:
– $\varphi(p) = p - 1$ and $\varphi(p^e) = p^e - p^{e-1}$
– The numbers in $1, \dots, p^e - 1$ that are not coprime to $p^e$ are the multiples $kp$ with $k = 1, \dots, p^{e-1} - 1$, so $\varphi(p^e) = (p^e - 1) - (p^{e-1} - 1) = p^e - p^{e-1}$
– $\varphi$ is multiplicative over coprime factors (by the CRT), so $\varphi\left(\prod_{i=1}^{k} p_i^{e_i}\right) = \prod_{i=1}^{k} \left(p_i^{e_i} - p_i^{e_i - 1}\right)$
– Equivalently $\varphi(n) = n\,(1 - 1/p_1)(1 - 1/p_2) \cdots (1 - 1/p_k)$
Euler's Theorem

• Theorem: If $\gcd(a, n) = 1$ then $a^{\varphi(n)} \equiv 1 \pmod n$
• Proof:
1. Let $R = \{r_1, r_2, \dots, r_{\varphi(n)}\}$ be a reduced residue system modulo $n$ (the residues coprime to $n$)
2. $\{ar_1, ar_2, \dots, ar_{\varphi(n)}\}$ is a permutation of $R$ modulo $n$: each $\gcd(ar_i, n) = 1$, and $ar_i \equiv ar_j$ would give $r_i \equiv r_j$ because $a$ is invertible modulo $n$
3. $\prod_{i=1}^{\varphi(n)} r_i \equiv \prod_{i=1}^{\varphi(n)} ar_i = a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} r_i \pmod n$
4. $\gcd\left(\prod_{i=1}^{\varphi(n)} r_i,\ n\right) = 1$, so the product can be cancelled; hence $a^{\varphi(n)} \equiv 1 \pmod n$
Fermat's Little Theorem

• A special case of Euler's Theorem:
Let $n = p$ with $p$ prime.
Since $\gcd(a, p) = 1$ for all $0 < a < p$, and $\varphi(p) = p - 1$,
$a^{p-1} \equiv 1 \pmod p$
Finding $a^{-1} \bmod n$

• Search through $1, \dots, n-1$ until an $a^{-1}$ is found such that $a \cdot a^{-1} \equiv 1 \pmod n$
– $T(n) = O(n)$, exponential in the bit length of $n$
• Compute $a^{-1} = a^{\varphi(n) - 1} \bmod n$ (Euler's Theorem)
– Needs $\varphi(n)$, i.e. the factorization of $n$
– $T(n) = O(n^a)$ with the factoring methods assumed here
• Use the Extended Euclidean Algorithm
– $T(n) = O((\log n)^a)$, polynomial in the bit length of $n$; this is the method used in practice
From the Euclidean Algorithm

• $r_0 = 1 \cdot r_0 + 0 \cdot r_1 = s_0 r_0 + t_0 r_1$
• $r_1 = 0 \cdot r_0 + 1 \cdot r_1 = s_1 r_0 + t_1 r_1$
• $r_2 = r_0 - q_1 r_1 = s_2 r_0 + t_2 r_1$
• $r_3 = r_1 - q_2 r_2 = r_1 - q_2 (r_0 - q_1 r_1) = s_3 r_0 + t_3 r_1$
• ……
• $r_{n-1} = s_{n-1} r_0 + t_{n-1} r_1$
• $r_{n-1} = \gcd(r_0, r_1)$ (the last nonzero remainder)
• If $\gcd(r_0, r_1) = 1$: $s_{n-1} r_0 + t_{n-1} r_1 = 1 \Rightarrow t_{n-1} r_1 \equiv 1 \pmod{r_0} \Rightarrow t_{n-1} \equiv r_1^{-1} \pmod{r_0}$
• So it suffices to find $t_{n-1}$
$s_i$ and $t_i$

• $r_0 = s_0 r_0 + t_0 r_1$ with $s_0 = 1,\ t_0 = 0$
• $r_1 = s_1 r_0 + t_1 r_1$ with $s_1 = 0,\ t_1 = 1$
• ……
• $r_i = r_{i-2} - q_{i-1} r_{i-1} = s_{i-2} r_0 + t_{i-2} r_1 - q_{i-1} s_{i-1} r_0 - q_{i-1} t_{i-1} r_1 = s_i r_0 + t_i r_1$, so
$s_i = s_{i-2} - q_{i-1} s_{i-1}$
$t_i = t_{i-2} - q_{i-1} t_{i-1}$
• Only $t_i$ is needed: $r_i = s_i r_0 + t_i r_1 \equiv t_i r_1 \pmod{r_0}$
Extended Euclidean Algorithm

Step 1: $r_0 = n$ and $r_1 = a$
Step 2: $r_0 = q_1 r_1 + r_2$, so $r_2 = r_0 - q_1 r_1 \equiv -q_1 r_1 \pmod n$; let $x_2 = -q_1$, then $r_2 \equiv x_2 r_1 \pmod n$
$r_1 = q_2 r_2 + r_3$, so $r_3 = r_1 - q_2 r_2 \equiv (1 - x_2 q_2)\, r_1 \pmod n$; let $x_3 = 1 - x_2 q_2$, then $r_3 \equiv x_3 r_1 \pmod n$
……
$r_{n-3} = q_{n-2} r_{n-2} + r_{n-1}$, so $r_{n-1} = r_{n-3} - q_{n-2} r_{n-2} \pmod n$; let $x_{n-1} = x_{n-3} - x_{n-2} q_{n-2}$, then $r_{n-1} \equiv x_{n-1} r_1 \pmod n$. Now $r_{n-1} = 1$ (because $\gcd(a, n) = 1$)
Step 3: Result is $x_{n-1} \equiv a^{-1} \pmod n$ (the $x_i$ are the $t_i$ of the previous slide, with $x_0 = 0,\ x_1 = 1$ and $x_i = x_{i-2} - x_{i-1} q_{i-1}$)
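The three ways of finding $a^{-1} \bmod n$ from slides 36–39, together with $\varphi(n)$ and the Euler and Fermat checks of slides 33–35, as an added Python example that is not part of the lecture. The function names, the trial-division factorization helper and the constructed modulus $n = 36$ are the example's own choices:

```python
"""Added example (not from the lecture): Euler's phi, Euler's and Fermat's theorems,
and three ways to compute a^-1 mod n as listed on slide 36."""
from math import gcd


def factorize(n):
    """Trial-division factorization n = prod p_i^e_i, returned as {p_i: e_i}.
    Fine for the small moduli used here; for large n this is the hard step."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """phi(n) = prod (p^e - p^(e-1)) over the prime-power factors of n (slide 33)."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def fermat_holds(n):
    """Fermat's little theorem (slide 35): a^(n-1) = 1 (mod n) for every 0 < a < n
    when n is prime. A False result proves that n is composite."""
    return all(pow(a, n - 1, n) == 1 for a in range(1, n))


def inverse_by_search(a, n):
    """Slide 36, method 1: scan 1..n-1 for y with a*y = 1 (mod n). O(n) steps."""
    for y in range(1, n):
        if (a * y) % n == 1:
            return y
    return None


def inverse_by_euler(a, n):
    """Slide 36, method 2: a^-1 = a^(phi(n)-1) mod n; needs phi(n), i.e. factoring n."""
    if gcd(a, n) != 1:
        return None
    return pow(a, phi(n) - 1, n)


def inverse_by_ext_euclid(a, n):
    """Slides 36-39, method 3: keep only the remainders and the coefficients t_i
    (the x_i of slide 39), with t_i = t_{i-2} - q_{i-1} t_{i-1}, t_0 = 0, t_1 = 1."""
    r_prev, r = n, a % n
    t_prev, t = 0, 1
    while r != 0:
        q = r_prev // r
        r_prev, r = r, r_prev - q * r
        t_prev, t = t, t_prev - q * t
    if r_prev != 1:          # gcd(a, n) != 1: no inverse exists
        return None
    return t_prev % n        # t for the last nonzero remainder, reduced mod n


if __name__ == "__main__":
    n = 36                   # constructed example: phi(36) = 36 * (1 - 1/2) * (1 - 1/3) = 12
    print("phi(36) =", phi(n))
    for a in range(1, n):
        if gcd(a, n) == 1:
            assert pow(a, phi(n), n) == 1          # Euler's theorem, slide 34
    print("7^-1 mod 36 by search / Euler / ext. Euclid:",
          inverse_by_search(7, n), inverse_by_euler(7, n), inverse_by_ext_euclid(7, n))
    print("Fermat check, 251:", fermat_holds(251), " 9:", fermat_holds(9))
```

All three methods agree on $7^{-1} \equiv 31 \pmod{36}$; only the extended Euclidean version is usable for the multi-hundred-bit moduli that appear in real cryptosystems, which is why a library inverse (or a constant-time variant of it) is what implementations call in practice.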
Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security
Algebraic Structures

• Why structures?
– Cryptographic transforms normally operate within some algebraic structure
• Definition: An algebraic structure is a set $S$ together with one or more operations ($\circ$) performed on the elements of $S$
– The different algebraic structures are $\langle S, \circ \rangle$ satisfying some specific conditions
Group

• Definition: A group $G = \langle S, \circ \rangle$ is an algebraic structure that satisfies the following conditions:
– G1: $\forall a, b \in S$: $a \circ b \in S$ (closure rule)
– G2: $\forall a, b, c \in S$: $(a \circ b) \circ c = a \circ (b \circ c)$ (associativity)
– G3: $\exists e \in S$ such that $\forall a \in S$: $a \circ e = e \circ a = a$ (identity)
– G4: $\forall a \in S$ $\exists a^{-1} \in S$: $a \circ a^{-1} = a^{-1} \circ a = e$ (inverse)
– [G5, Abelian group]: $\forall a, b$: $a \circ b = b \circ a$ (commutativity)
Group Example

• $\langle \mathbb{Z}, + \rangle$: $e = 0$, $a^{-1} = -a$
• $\langle \mathbb{Z}_n, + \rangle$ ($\mathbb{Z}_n = \{0, 1, \dots, n-1\}$, '+' is addition modulo $n$): $e = 0$, $a^{-1} = n - a$
• $\langle \mathbb{Z}_2, \oplus \rangle$ (addition modulo 2, i.e. XOR) is also a group
• $\langle \mathbb{Z}_p^*, \cdot \rangle$ ($\mathbb{Z}_p^* = \{1, \dots, p-1\}$, '$\cdot$' is multiplication modulo $p$, $p$ prime)
Group Properties

• Definition: The order of a finite group is the number of elements in the group
• Definition: A group $G_1 = \langle S_1, \circ \rangle$ is a subgroup of the group $G = \langle S, \circ \rangle$ if $S_1 \subseteq S$ and $S_1$ is itself a group under the same operation $\circ$
• Lagrange's Theorem: The order of a subgroup $H$ of a finite group $G$ divides the order of $G$
Lagrange's Theorem: Proof

(1) Definition of coset: Let $G$ be a group and $H$ a subgroup of $G$; for $a \in G$ the set $aH = \{ah \mid h \in H\}$ is called a (left) coset of $H$
(2) $\forall a, b \in G$: $aH = bH$ or $aH \cap bH = \emptyset$
(3) Each element of $G$ is in some coset ($a \in aH$ because $e \in H$), so the cosets partition $G$
(4) The order of $aH$ equals the order of $H$ ($h \mapsto ah$ is a bijection)
So the order of $H$ divides the order of $G$: $|G| = (\text{number of cosets}) \cdot |H|$
The Order of a Group Element

• Definition: The order of a group element $a$ is the least positive integer $n$ such that
$a^n = a \circ a \circ \cdots \circ a = e$
• The order of $a$ is denoted $\mathrm{ord}(a)$
• Corollary: Suppose $G$ is a finite group of order $n$ and $a \in G$; then $\mathrm{ord}(a) \mid n$
$\mathrm{ord}(a) \mid n$: Proof

• Proof:
– For a group $G$ and $a \in G$, the set $\{a, a^2, \dots, a^{\mathrm{ord}(a)}\}$ with the operation of $G$ forms a subgroup of $G$ of order $\mathrm{ord}(a)$:
$a^{\mathrm{ord}(a)} = e$ and $(a^i)^{-1} = a^{\mathrm{ord}(a) - i}$
– This subgroup is denoted $\langle a \rangle$; by Lagrange's Theorem $|\langle a \rangle| = \mathrm{ord}(a)$ divides $|G| = n$
The Generator of a Group

• Definition: If all elements of a group can be generated by a single element $g$ (i.e. $G = \langle g \rangle$), then $g$ is called a generator of the group
• Example:
– Consider $\langle \mathbb{Z}_7^*, \cdot \rangle$
– 2 generates $2^1 = 2,\ 2^2 = 4,\ 2^3 = 8 \equiv 1 \pmod 7,\ 2^4 = 16 \equiv 2 \pmod 7, \dots$
• $\langle 2 \rangle = \{1, 2, 4\}$ is a proper subgroup (of order 3, which divides 6)
– 3 generates $3^1 = 3,\ 3^2 \equiv 2,\ 3^3 \equiv 6,\ 3^4 \equiv 4,\ 3^5 \equiv 5,\ 3^6 \equiv 1 \pmod 7$
• 3 is a generator of $\mathbb{Z}_7^*$ (so is 5; 2, 4 and 6 are not)
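An added Python example, not from the lecture, for the group material of slides 44–48 and for the facts about $\mathbb{Z}_n^*$ stated later in the deck (slide 55): it enumerates the units modulo $n$, checks closure under multiplication but not addition, computes element orders, the subgroup $\langle 2 \rangle$ and the generators of $\mathbb{Z}_7^*$, and checks the corollary $\mathrm{ord}(a) \mid |G|$. The function names and the moduli 20 and 7 are the example's own:

```python
"""Added example (not from the lecture): Z_n^*, element orders, subgroups, generators."""
from math import gcd


def units(n):
    """Z_n^* = {x in Z_n : gcd(x, n) = 1}; its size is phi(n) (slide 55)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def closed_under(elements, op, n):
    """True if op(a, b) mod n stays inside `elements` for all a, b (closure rule G1)."""
    members = set(elements)
    return all((op(a, b) % n) in members for a in elements for b in elements)


def order(a, n):
    """ord(a) in Z_n^*: the least k >= 1 with a^k = 1 (mod n) (slide 46)."""
    if gcd(a, n) != 1:
        raise ValueError("a is not a unit modulo n, so it has no order")
    k, power = 1, a % n
    while power != 1:
        power = (power * a) % n
        k += 1
    return k


def generated_subgroup(a, n):
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list (slide 47)."""
    return sorted({pow(a, i, n) for i in range(1, order(a, n) + 1)})


def generators(p):
    """Generators of Z_p^* for a prime p: the elements of order p - 1 (slide 48)."""
    return [g for g in range(1, p) if order(g, p) == p - 1]


if __name__ == "__main__":
    # Slide 55's example: 3 and 5 are units mod 20 but 3 + 5 = 8 is not.
    u20 = units(20)
    print("Z_20^* =", u20, "size", len(u20))
    print("closed under *:", closed_under(u20, lambda a, b: a * b, 20))
    print("closed under +:", closed_under(u20, lambda a, b: a + b, 20))
    # Slide 48: in Z_7^*, <2> = {1, 2, 4} is a proper subgroup; 3 and 5 generate everything.
    print("<2> in Z_7^* =", generated_subgroup(2, 7), " generators:", generators(7))
    # Corollary of Lagrange (slide 46): ord(a) divides |Z_7^*| = 6 for every a.
    print("ord(a) | 6 for all a:", all(6 % order(a, 7) == 0 for a in units(7)))
```

The order computation is the same check a Diffie–Hellman implementation needs when validating a public generator: an element whose order is a small divisor of $p - 1$ (like 2 or 4 here) confines the exchange to a tiny subgroup.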
Ring

• Definition: A ring $R = \langle S, +, \cdot \rangle$ ($+$ is addition, $\cdot$ is multiplication) is such that
– R1: $\forall a, b \in S$: $a + b \in S$ and $a \cdot b \in S$ (closure rule)
– R2: $\langle S, + \rangle$ is an additive Abelian group
– R3: $\forall a, b, c \in S$: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
– R4: $\forall a, b, c \in S$: $a \cdot (b + c) = a \cdot b + a \cdot c$ and $(b + c) \cdot a = b \cdot a + c \cdot a$
• Example:
– The set of even integers with $+$ and $\cdot$ is a ring (one without a multiplicative identity)
– $p, q$ two primes, $n = pq$: $\mathbb{Z}_n = \{0, 1, \dots, n-1\}$ with addition and multiplication mod $n$ is a ring
Field

• Definition: A field $F$ is $\langle S, +, \cdot \rangle$ with
– F1: $\langle S, +, \cdot \rangle$ is a commutative ring ($a \cdot b = b \cdot a$)
– F2: There exists an identity element 1 with respect to multiplication: $a \cdot 1 = 1 \cdot a = a$
– F3: Any nonzero element $a \in S$ has a unique inverse $a^{-1}$: $a \cdot a^{-1} = a^{-1} \cdot a = 1$
• Example:
– $\mathbb{Z}_n = \langle \{0, 1, \dots, n-1\}, +, \cdot \rangle$ is a field if and only if $n$ is a prime
Relationship

(Figure: Group $(+, -)$ $\subset$ Ring $(+, -, \times)$ $\subset$ Field $(+, -, \times, \div)$; each structure used in cryptography adds operations to the previous one.)
Several Important Structures

• $\mathbb{Z}_n$
• $\mathbb{Z}_n^*$
• $\mathbb{Z}_p$
• Polynomial Rings
• Galois Field $\mathbb{F}_{2^n}$
$\mathbb{Z}_n$

• $\mathbb{Z}_n$ is the "ring" of integers modulo $n$
– $\mathbb{Z}_n = \{0, 1, 2, \dots, n-1\}$
– Normal addition modulo $n$
– Normal multiplication modulo $n$
• Example:
– $\mathbb{Z}_{26}$ for English letters
– $\mathbb{Z}_{256}$ for bytes (ASCII)
$\mathbb{Z}_n$ Properties

• Additive and multiplicative identities in $\mathbb{Z}_n$:
– Additive identity is $0 \bmod n$
– Multiplicative identity is $1 \bmod n$
• Additive inverse: yes, for every $x$
– For each $x \in \mathbb{Z}_n$ there is a $y$ (namely $n - x$) such that $x + y \equiv 0 \pmod n$
• Multiplicative inverse: not for all $x$
– A $y$ such that $xy \equiv 1 \pmod n$ exists only for some $x$
– The elements of $\mathbb{Z}_n$ that have an inverse are exactly $\{x \mid \gcd(x, n) = 1\}$
$\mathbb{Z}_n^*$

• $\mathbb{Z}_n^*$ is the "group" of units of the integers modulo $n$
– $\mathbb{Z}_n^* = \{x \in \mathbb{Z}_n \mid \gcd(x, n) = 1\}$
– $|\mathbb{Z}_n^*| = \varphi(n)$
– Normal multiplication modulo $n$
• $\mathbb{Z}_n^*$ is in general not a group under $+$
– Example: $n = 20$: $3, 5 \in \mathbb{Z}_{20}^*$ but $3 + 5 = 8 \notin \mathbb{Z}_{20}^*$
• So $\mathbb{Z}_n^*$ is in general not a field
$\mathbb{Z}_p$

• $\mathbb{Z}_p$ is the "field" of integers modulo a prime $p$
– $\mathbb{Z}_p = \{0, 1, 2, \dots, p-1\}$
– Normal addition modulo $p$
– Normal multiplication modulo $p$
• Example: $\mathbb{Z}_2$

+ | 0 1
--+----
0 | 0 1
1 | 1 0

(addition modulo 2 is XOR)

· | 0 1
--+----
0 | 0 0
1 | 0 1

(multiplication modulo 2 is AND)

w | −w | w⁻¹
--+----+-----
0 | 0  | none
1 | 1  | 1
Polynomial Ring

• Definition: If $R$ is a commutative ring, then a polynomial in $x$ over the ring $R$ is an expression of the form $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$ where each $a_i \in R$ and $n \ge 0$
• Note: If $R$ is a commutative ring, the polynomial ring $R[x]$ is the ring formed by the set of all polynomials in $x$ having coefficients from $R$, with the usual polynomial addition and multiplication
Polynomial Ring Example

• Example: Let $f(x) = x^3 + x + 1$ and $g(x) = x^2 + x$ be elements of $\mathbb{Z}_2[x]$
– $f(x) + g(x) = x^3 + x^2 + 1$ (the two $x$ terms cancel, since $1 + 1 = 0$ in $\mathbb{Z}_2$)
– $f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1$ (every element is its own additive inverse)
– $f(x) \cdot g(x) = x^5 + x^4 + x^3 + x$
Set of Residues Modulo $p(x)$

• Definition: The set of residues modulo $p(x)$ of $R[x]$ is the set of remainders $R[x] \bmod p(x)$
– $p(x)$ is taken to be an irreducible polynomial over $R$ (this is what makes the residues a field; see below)
• The set of residues modulo $p(x)$ of $R[x]$ is denoted $R[x]/p(x)$
Congruent Polynomials

• Definition: $a(x), b(x)$ are congruent modulo $p(x)$, written $a(x) \equiv b(x) \pmod{p(x)}$, iff $p(x) \mid (a(x) - b(x))$
• Example:
– In $\mathbb{Z}_5[x]$: $3x^3 + 4x + 4 \equiv x + 4 \pmod{x^2 + 1}$
• $3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)$
• Definition: If $a(x) \cdot b(x) \equiv 1 \pmod{p(x)}$ then $b(x) = a^{-1}(x) \bmod p(x)$
Irreducible Polynomials

• Definition: If $a(x) = q(x) \cdot b(x)$ then $a(x)$ is divisible by $b(x)$, denoted $b(x) \mid a(x)$
• Definition: A polynomial $a(x)$ is irreducible over $R$ if there is NO polynomial $b(x) \in R[x]$ with $0 < \deg b(x) < \deg a(x)$ and $b(x) \mid a(x)$; that is, $a(x)$ has no non-trivial factor
Example: $\mathbb{Z}_2[x]/(x^3 + x + 1)$

• $S = \{0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1\}$
• $p(x) = x^3 + x + 1$
• For any $f(x) \in \mathbb{Z}_2[x]$: $f(x) \bmod p(x) \in S$
• Example:
– $x^4 + 1 = x \cdot x^3 + 1 \equiv x(x + 1) + 1 = x^2 + x + 1 \pmod{p(x)}$, using $x^3 \equiv x + 1$
• Note: $R[x]/p(x)$ is the set of all polynomials $f(x) \in R[x]$ with $\deg f(x) < \deg p(x)$; irreducibility of $p(x)$ is what makes this set a field, not what defines it
$\mathbb{Z}_2[x]/(x^3 + x + 1)$: Properties

• $S$ is a group under addition in $R$
– 0 is $e$ and the inverse of $a \in S$ is $a$ itself
– Example: $(x^2 + 1) + (x^2 + 1) = 0$
• $S \setminus \{0\}$ is a group under multiplication mod $p(x)$
– 1 is $e$ and every nonzero $a \in S$ has an inverse
– Example: $(x^2 + 1) \cdot x = x^3 + x \equiv (x + 1) + x = 1 \pmod{x^3 + x + 1}$
– Note: the Extended Euclidean Algorithm (run on polynomials) can be used to find inverses
• $\mathbb{Z}_2[x]/(x^3 + x + 1)$ is a field with 8 elements
Galois Field

• Definition: Galois field $= (S, +, \cdot)$
– $S = F[x]/p(x)$
– $F$ is a field $\mathbb{Z}_N$ ($N$ prime)
– $+$ is addition in $F[x]$, $\cdot$ is multiplication modulo $p(x)$
– $p(x)$ is irreducible over $F$
• The Galois field $\mathbb{Z}_N[x]/p(x)$ is denoted $GF(N^n)$ where $n = \deg p(x)$; it has $N^n$ elements
Why Galois Fields?

• For an 8-bit block:
– $\mathbb{Z}_{256} = \{0, 1, \dots, 255\}$ is not a field ($256 = 2^8$ is composite)
– $\mathbb{Z}_{251} = \{0, 1, \dots, 250\}$ is a field
• The largest prime $< 256$ is 251
• But the values $251, \dots, 255$ are wasted
• Is it possible to find a field with exactly 256 elements?
– Yes: a Galois field $GF(2^8)$
Galois Field for 8-bit Blocks

• Build a mapping from $n$-bit blocks to polynomials over $\mathbb{Z}_2$ (bit $i$ is the coefficient of $x^i$)
• Example: 8-bit block
10010111 $\leftrightarrow$ $1 \cdot x^7 + 0 \cdot x^6 + 0 \cdot x^5 + 1 \cdot x^4 + 0 \cdot x^3 + 1 \cdot x^2 + 1 \cdot x^1 + 1 \cdot x^0 = x^7 + x^4 + x^2 + x + 1$
• The field is $\mathbb{Z}_2[x]/p(x)$ where $\deg p(x) = 8$
• Note: many cryptographic designs use binary Galois fields $GF(2^n)$
Galois Field Example: AES

• AES uses $GF(2^8) = \mathbb{Z}_2[x]/p(x)$ where $p(x) = x^8 + x^4 + x^3 + x + 1$
• Example:
– 01010011 $\leftrightarrow x^6 + x^4 + x + 1$
– $(01010011)^{-1} \leftrightarrow (x^6 + x^4 + x + 1)^{-1} \bmod p(x) = x^7 + x^6 + x^3 + x \leftrightarrow$ 11001010
– Check: $(x^6 + x^4 + x + 1)(x^7 + x^6 + x^3 + x) \equiv 1 \pmod{p(x)}$
Galois Field Example: AES (continued)

• Example: $02 \cdot 87$ in $GF(2^8)$
• $87 = 10000111 \leftrightarrow f(x) = x^7 + x^2 + x + 1$
• $02 = 00000010 \leftrightarrow x$
• $02 \cdot 87 \leftrightarrow x \cdot f(x) = x(x^7 + x^2 + x + 1) \bmod p(x)$
$= x^8 + x^3 + x^2 + x \bmod p(x)$
$= (x^4 + x^3 + x + 1) + x^3 + x^2 + x = x^4 + x^2 + 1 \leftrightarrow 00010101 = 15$, using $x^8 \equiv x^4 + x^3 + x + 1 \pmod{p(x)}$
• In general, for a byte $b_7 b_6 \dots b_0$, multiplication by $x$ ($02$, "xtime") is a left shift followed by a conditional reduction:
$x \cdot f(x) = 02 \cdot f(x) = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)$ if $b_7 = 0$
$x \cdot f(x) = 02 \cdot f(x) = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus (00011011)$ if $b_7 = 1$
– $00011011 = 1B$ is $p(x) - x^8 = x^4 + x^3 + x + 1$; multiplication by any byte can be built from repeated xtime and XOR
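An added Python example, not AES reference code and not from the lecture, covering the $GF(2^3)$ arithmetic of slides 62–63 and the AES $GF(2^8)$ examples of slides 67–68: multiplication modulo $p(x)$, inversion via $a^{2^n - 2}$, a field check that fails for a reducible $p(x)$, and the xtime rule. The function names are the example's own; the reduction polynomials are the ones on the slides:

```python
"""Added example (not from the lecture): arithmetic in GF(2^n) = Z_2[x]/p(x).
A polynomial over Z_2 is stored as an int whose bit i is the coefficient of x^i."""


def gf_mul(a, b, poly, n):
    """Multiply a(x) * b(x) mod p(x) in GF(2^n). `poly` is p(x) with its x^n bit set and
    a, b are already reduced (degree < n). This is the AES xtime rule applied bit by bit:
    shift a left, and xor in p(x) whenever the x^n coefficient overflows."""
    product = 0
    for _ in range(n):
        if b & 1:
            product ^= a
        b >>= 1
        a <<= 1
        if a & (1 << n):
            a ^= poly
    return product


def gf_inv(a, poly, n):
    """a^-1 = a^(2^n - 2): the nonzero elements form a group of order 2^n - 1, so
    a^(2^n - 1) = 1 (Lagrange). Returns None for a = 0, which has no inverse."""
    if a == 0:
        return None
    result, base, exp = 1, a, (1 << n) - 2
    while exp:                       # square-and-multiply
        if exp & 1:
            result = gf_mul(result, base, poly, n)
        base = gf_mul(base, base, poly, n)
        exp >>= 1
    return result


def is_field(poly, n):
    """Field axiom F3: every nonzero element must have an inverse. With a reducible p(x)
    some nonzero elements are zero divisors, so no candidate inverse works and this
    returns False."""
    return all(gf_mul(a, gf_inv(a, poly, n), poly, n) == 1 for a in range(1, 1 << n))


def aes_xtime(b):
    """The 02 * f(x) rule of slide 68 for one AES byte: shift, then xor 1B if b7 was set."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


AES_POLY = 0x11B             # x^8 + x^4 + x^3 + x + 1 (slide 67)
GF8_POLY = 0b1011            # x^3 + x + 1 (slide 62)

if __name__ == "__main__":
    # Slide 63: (x^2 + 1) * x = 1 in Z_2[x]/(x^3 + x + 1), i.e. 0b101 * 0b010
    print("(x^2+1) * x =", gf_mul(0b101, 0b010, GF8_POLY, 3))
    print("x^3+x+1 gives a field:", is_field(GF8_POLY, 3))
    print("x^3+1 (reducible) gives a field:", is_field(0b1001, 3))
    # Slide 67: the inverse of 01010011 is 11001010
    print("inv(0x53) = %#04x" % gf_inv(0x53, AES_POLY, 8))
    # Slide 68: 02 * 87, by full multiplication and by the xtime shortcut
    print("02 * 87 = %#04x / %#04x" % (gf_mul(0x02, 0x87, AES_POLY, 8), aes_xtime(0x87)))
```

The loop in `gf_mul` runs a fixed number of iterations regardless of the operands, which matters in practice: table-driven or branchy $GF(2^8)$ code has been a source of cache-timing leaks in AES implementations, and the `if b & 1` / `if a & (1 << n)` branches here are the kind of data-dependent control flow a constant-time implementation replaces with masks.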
Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security
Mathematical Model for Ciphers

• Message space $P = M^L = \{m = (m_1, m_2, \dots, m_L) \mid m_i \in M\}$
– $M = \{a_i \mid i = 1, 2, \dots, N\}$ with $p(a_i) \ge 0$ and $\sum_{i=1}^{N} p(a_i) = 1$
• Key space $K = B^R = \{b = (b_1, b_2, \dots, b_R) \mid b_i \in B\}$
– $B = \{b_i \mid i = 1, 2, \dots, S\}$ with $p(b_i) \ge 0$ and $\sum_{i=1}^{S} p(b_i) = 1$
• Ciphertext space $C = \{c \mid c = e_k(m),\ k \in K,\ m \in P\}$
• (Figure: the sender encrypts $m$ under $k$ to $c$; $c$ reaches the receiver, who decrypts it with $k$; the key $k$ is delivered over a secure channel; the cryptanalyst observes $c$ and tries to recover $m$ or $k$.)
Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
(R. G. Gallager)
Claude Shannon, 1916–2001
Probability Distribution of $C$

• $\Pr[C = c] = \sum_{k \in K:\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]$
– $C(k) = \{e_k(m) \mid m \in P\}$, the ciphertexts reachable under key $k$
• $\Pr[C = c \mid P = m] = \sum_{k \in K:\ m = d_k(c)} \Pr[K = k]$
• $\Pr[P = m \mid C = c]$
$= \dfrac{\Pr[C = c \mid P = m] \cdot \Pr[P = m]}{\Pr[C = c]}$ (Bayes' rule)
$= \dfrac{\Pr[P = m] \cdot \sum_{k \in K:\ m = d_k(c)} \Pr[K = k]}{\sum_{k \in K:\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]}$
Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
– How to define "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of $P$,
$\forall c \in C,\ \forall m \in P$: $\Pr[P = m] = \Pr[P = m \mid C = c]$
• Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem

• Suppose $(P, C, K, E, D)$ is a cryptosystem where $|K| = |P| = |C|$
• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability $1/|K|$, and
– for every $x \in P$ and $y \in C$ there is a unique key $k$ such that $e_k(x) = y$
Proof of $\Leftarrow$

• Assume every key has probability $1/|K|$ and each pair $(x, y)$ has a unique key. By Bayes' rule,
$\Pr[x \mid y] = \dfrac{\sum_{k \in K:\ x = d_k(y)} \Pr[K = k] \cdot \Pr[P = x]}{\sum_{k \in K:\ y \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(y)]}$
• Numerator: $\sum_{k \in K:\ x = d_k(y)} \Pr[K = k] = 1/|K|$, since exactly one key maps $x$ to $y$
• Denominator: $\sum_{k \in K:\ y \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(y)] = \dfrac{1}{|K|} \sum_{k \in K:\ y \in C(k)} \Pr[P = d_k(y)] = \dfrac{1}{|K|} \sum_{x \in P} \Pr[P = x] = \dfrac{1}{|K|}$, since for fixed $y$ the map $k \mapsto d_k(y)$ hits every $x \in P$ exactly once
• Hence $\Pr[x \mid y] = \dfrac{(1/|K|) \cdot \Pr[P = x]}{1/|K|} = \Pr[P = x]$: perfect secrecy
Proof of $\Rightarrow$ (unique key)

• Assume perfect secrecy and, w.l.o.g., $\Pr[y] > 0$ for every $y \in C$ (ciphertexts that never occur can be dropped)
• For $x$ with $\Pr[x] > 0$: $\Pr[x \mid y] = \Pr[x] \Leftrightarrow \Pr[y \mid x] = \Pr[y]$ (Bayes' rule)
• Fix $x \in P$; for every $y \in C$ we have $\Pr[y \mid x] = \Pr[y] > 0$, thus there exists at least one key $k$ with $e_k(x) = y$
• So $|\{e_k(x) \mid k \in K\}| = |C| = |K|$
– Hence there are no two keys $k_1 \ne k_2$ with $e_{k_1}(x) = e_{k_2}(x)$
– There is a unique key $k$ such that $e_k(x) = y$
Proof of $\Rightarrow$ (equiprobable keys)

• Let $n = |K|$ and $P = \{x_i \mid 1 \le i \le n\}$
• Fix a ciphertext $y$; by the previous slide there are distinct keys $k_1, k_2, \dots, k_n$ with $e_{k_i}(x_i) = y$, and they exhaust $K$
• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i] \cdot \Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i] \cdot \Pr[x_i]}{\Pr[y]}$
• Perfect secrecy gives $\Pr[x_i \mid y] = \Pr[x_i]$, so $\Pr[K = k_i] = \Pr[y]$ for every $i$
– Every key is used with the same probability, which must therefore be $1/|K|$
"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space $P$ have size $n$; any cipher with perfect secrecy has $|K| \ge n$
• Proof:
– Consider a probability distribution on $P$ that is nonzero on every message
– Given any $C = c$ with $\Pr[C = c] > 0$, for every $m$:
$\Pr[P = m \mid C = c] = \Pr[P = m] > 0$, thus there must exist a key that decrypts $c$ to $m$
– As one key decrypts $c$ to only one message, at least $n$ distinct keys are needed
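An added Python example, not from the lecture, that applies the probability formulas of slide 72 to check perfect secrecy (slide 73) exhaustively on constructed toy cryptosystems: a one-time pad on 2-bit messages with uniform keys, the same pad with a biased key distribution (violating the equiprobable-key condition of the theorem), and a shift cipher whose single key digit is reused across two letters, so that $|K| < |P|$ as in the theorem above. All systems, distributions and function names are constructed for the example:

```python
"""Added example (not from the lecture): exhaustive perfect-secrecy check via Bayes."""
from fractions import Fraction
from itertools import product


def perfect_secrecy(plaintexts, keys, encrypt, p_msg, p_key):
    """Return (holds, worst_gap). holds is True iff Pr[P=m | C=c] = Pr[P=m] for every
    message m and every ciphertext c with Pr[C=c] > 0 (slide 73); worst_gap is the
    largest |Pr[P=m | C=c] - Pr[P=m]| seen. p_msg / p_key give exact Fractions."""
    pr_c = {}                        # Pr[C=c]   = sum_{k,m: e_k(m)=c} Pr[K=k] Pr[P=m]
    pr_cm = {}                       # Pr[C=c, P=m] = sum_{k: e_k(m)=c} Pr[K=k] Pr[P=m]
    for k in keys:
        for m in plaintexts:
            c = encrypt(k, m)
            w = p_key[k] * p_msg[m]
            pr_c[c] = pr_c.get(c, 0) + w
            pr_cm[(c, m)] = pr_cm.get((c, m), 0) + w
    worst = Fraction(0)
    for c, pc in pr_c.items():
        if pc == 0:
            continue
        for m in plaintexts:
            posterior = pr_cm.get((c, m), Fraction(0)) / pc   # Bayes: Pr[P=m | C=c]
            worst = max(worst, abs(posterior - p_msg[m]))
    return worst == 0, worst


def uniform(items):
    return {x: Fraction(1, len(items)) for x in items}


# Constructed cryptosystem 1: one-time pad on 2-bit messages, keys are 2-bit strings.
BITS2 = [tuple(b) for b in product((0, 1), repeat=2)]
otp = lambda k, m: tuple(ki ^ mi for ki, mi in zip(k, m))

# Constructed cryptosystem 2: shift cipher on 2-letter words over {0,1,2}; one key
# digit is reused for both letters, so |K| = 3 < |P| = 9.
WORDS = [tuple(w) for w in product(range(3), repeat=2)]
shift = lambda k, m: tuple((x + k) % 3 for x in m)


def skewed_messages():
    """A non-uniform plaintext distribution (1/10, 2/10, 3/10, 4/10): perfect
    secrecy has to hold for any distribution, so a skewed one is the better test."""
    return {m: Fraction(1 + i, 10) for i, m in enumerate(BITS2)}


def otp_uniform_keys():
    return perfect_secrecy(BITS2, BITS2, otp, skewed_messages(), uniform(BITS2))


def otp_biased_keys():
    """Same pad, but key (0,0) is chosen with probability 1/2: secrecy breaks."""
    biased = {k: Fraction(1, 6) for k in BITS2}
    biased[(0, 0)] = Fraction(1, 2)
    return perfect_secrecy(BITS2, BITS2, otp, skewed_messages(), biased)


def shift_reused_key():
    return perfect_secrecy(WORDS, list(range(3)), shift, uniform(WORDS), uniform(range(3)))


if __name__ == "__main__":
    print("OTP, uniform keys :", otp_uniform_keys())
    print("OTP, biased keys  :", otp_biased_keys())
    print("shift, |K| < |P|  :", shift_reused_key())
```

The reused-key case is the practical lesson behind the theorem: a ciphertext reveals that the two plaintext letters differ by the same amount as the two ciphertext letters, so six of the nine messages are ruled out outright. Exact `Fraction` arithmetic is used so that the check is a proof for the toy system rather than a floating-point approximation.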
Introduction to Complexity

• Perfect secrecy requires key length $\ge$ message length
– One key can NOT be used to encrypt many messages
– For example, a 56-bit key cannot give perfect secrecy for a document longer than 56 bits
• So modern cryptography
– does NOT aim for perfect secrecy
– IS secure against adversaries with limited resources (computational complexity)
– meaning that key (or plaintext) recovery is computationally difficult
– Complexity is the foundation of modern cryptography
Problems

• Definition: A problem is a general question with associated parameters whose values are not specified
• Example:
– Name: GCD problem
– Instance: Two natural numbers $a, b \in \mathbb{N}$
– Question: What is the greatest common divisor of $a$ and $b$?
– An instance of the GCD problem: what is $\gcd(24, 16)$?
Turing Machine

• Definition: A Turing Machine is given by a transition function $\delta: S \times B \to S \times B \times \{l, r\}$
– where $S$ is the set of states, $B$ the tape alphabet (characters), $l$ is "shift left" and $r$ is "shift right"
• (Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a head that is controlled by the state machine.)
Algorithms

• Definition: An algorithm is a step-by-step procedure (formally, a Turing Machine) which for an instance produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms

(Figure: a PROBLEM has many INSTANCES; an instance is the input of the ALGORITHM, whose output is the answer for that instance.)
Complexity of an Algorithm

• Definition: The time complexity of an algorithm is how many steps (of the TM) are necessary to produce the solution for a given instance of size $n$
• Time complexity function (TCF):
– Logarithmic functions: $f(n) = \log(n)$
– Polynomial functions: $f(n) = n^a$, $a \in \mathbb{N}$
– Exponential functions: $f(n) = \Omega(a^n)$ for some $a \in \mathbb{N}$, $a \ge 2$, and there exists $b \in \mathbb{N}$ with $f(n) = O(b^n)$
Complexity of a Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for that problem, i.e. the least complexity over all algorithms
– The complexity of a problem is much harder to determine than that of an algorithm
– It relies on mathematical analysis (lower bounds), not on exhibiting one algorithm
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problems

• Undecidable: provably intractable
– There is no algorithm that solves it
– Example: the Turing Halting Problem
• Decidable:
– P: can be solved in polynomial time using a deterministic Turing machine (DTM), $\delta: S \times B \to S \times B \times \{l, r\}$
• Example: computing $A \times B$
– NP: can be solved in polynomial time using a non-deterministic Turing machine (NDTM), $\delta: S \times B \to 2^{S \times B \times \{l, r\}}$
– BPP: can be "solved" in polynomial time using a probabilistic Turing machine (PTM), $\delta: S \times B \times \{0, 1\} \to S \times B \times \{l, r\}$ (randomized algorithms)
NP Problems

• NP: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution (some computation path accepts)
• Remark:
– P $\subseteq$ NP
– Intuitively, NP problems are "more difficult"
• NPC: the most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy
Polynomial Reduction

• Definition: Assume $Q_1, Q_2 \in$ NP with instance sets $I_1, I_2$, and let $I_1^+$ and $I_2^+$ be their 'yes' instances
$Q_1$ is polynomially reducible to $Q_2$ if there is a function $f: I_1 \to I_2$ such that
– $f$ is computable in polynomial time by a DTM
– for all $x \in I_1$: $x \in I_1^+$ iff $f(x) \in I_2^+$
• Note:
– $Q_2$ is at least as hard as $Q_1$
– Denoted $Q_1 \le_{\text{poly}} Q_2$
NP-Completeness (NPC)

• Definition: A problem $Q_c$ is NP-complete if $Q_c \in$ NP and for every $Q \in$ NP we have $Q \le_{\text{poly}} Q_c$
• Example:
– Name: Satisfiability problem (SAT)
– Instance: A set $U$ of variables and a collection $C$ of clauses over $U$
– Question: Is there a satisfying truth assignment for $C$?
• How to prove that a problem $Q$ is NPC: show $Q \in$ NP and SAT $\le_{\text{poly}} Q$ (SAT itself is NPC by Cook's theorem)
P = NP?

• Either P = NP, or there is a problem $p \in$ NP with $p \notin$ P
• If P = NP:
– Modern (complexity-based) cryptography is NOT secure
• If P $\ne$ NP:
– It is hoped that a one-way function can be built from such a $p$
– Then indistinguishable pseudorandom functions exist
– These are the foundations of modern cryptography
– Caveat: P $\ne$ NP is necessary but not known to be sufficient; one-way functions need problems that are hard on average, not only in the worst case
BPP

• There are randomized algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for randomized algorithms
• Remarks on BPP:
– The problem is solved with some error probability (bounded away from 1/2)
– The error probability can be reduced by repetition (majority vote)
– Security of cryptography is stated against BPP adversaries
– Will be analyzed in depth later
Problems in Cryptography

• FACTORING: Factorize $n$ ($= p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$)
• DLP: Given $\alpha, \beta, p$, find $x$ satisfying $\alpha^x \equiv \beta \pmod p$
• DHP: Find $\alpha^{ab} \pmod p$ from $\alpha^a \pmod p$ and $\alpha^b \pmod p$
• Subset-Sum: Given a set of positive integers $A = \{a_1, a_2, \dots, a_n\}$ and a positive integer $s$, determine whether there is a subset of $A$ whose sum is $s$
• QRP: Decide whether $a$ is a quadratic residue modulo $n$
• SQROOT: Find $x$ satisfying $x^2 \equiv a \pmod n$
Semantic Security

• Ideas of semantic security:
– Sits between Shannon security and pure complexity-based (key-recovery) security
– Asks whether the ciphertext leaks any partial information about the plaintext
– A computational approximation of perfect secrecy
• Definition of semantic security (via indistinguishability of ciphertexts):
– It is difficult to distinguish the ciphertexts of different plaintexts
– It is difficult to distinguish a ciphertext from random bits
IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is $(t, \varepsilon)$ IND-CPA secure if no $t$-time adversary wins the following game with probability $\ge 0.5 + \varepsilon$
• The game:
– Challenger picks a random key $k$ and a random bit $b \in \{0, 1\}$
– Adversary picks $M_0, M_1$ of equal length and sends them to the challenger
– Challenger returns $C = E_k(M_b)$
– Adversary outputs a guess $b'$
– Attacker wins the game if $b = b'$
– In the chosen-plaintext version the adversary may additionally ask the challenger to encrypt plaintexts of its choice under $k$, before and after receiving $C$
Bit Security

• A cipher is $(t, \varepsilon)$ bit secure if no $t$-time adversary wins the following game with probability $\ge 0.5 + \varepsilon$
• The game:
1. Challenger picks a random key $k$
2. Challenger picks a random message $M$
3. Adversary picks a bit position $i$
4. Challenger sends $C = E_k(M)$; adversary outputs a bit $a$
– Attacker wins the game if $a$ = the $i$'th bit of $M$
Semantic Security

• Theorem: Any cipher that is $(t, \varepsilon)$ IND-CPA secure against eavesdroppers is also $(t, \varepsilon)$ bit secure
• Proof: Given a $(t, \varepsilon)$ attacker $A$ against bit security, build a $(t, \varepsilon)$ attacker $B$ against IND-CPA security:
– $B$ asks $A$ for its bit position $i$, picks a random $M_0$ and sets $M_1 = M_0$ with bit $i$ flipped
– $B$ receives $C = E_k(M_b)$ and forwards it to $A$; since $M_0$ and $M_1$ are both uniformly random, $C$ is distributed exactly as in $A$'s own game
– When $A$ answers $a$, $B$ outputs $b' = 0$ if $a$ equals bit $i$ of $M_0$ and $b' = 1$ otherwise
– $B$ guesses $b$ correctly exactly when $A$ guesses the bit correctly, so $B$ wins with probability $\ge 0.5 + \varepsilon$ in about the same time $t$, contradicting IND-CPA security
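An added Python example, not from the lecture, that plays the IND-CPA game of slide 94 and the bit-security game of slide 95 against two constructed toy ciphers and implements the reduction of slide 96. The deterministic cipher, the HMAC-based randomised cipher, the table-lookup bit attacker and all function names are constructed for the example; the randomised cipher is a toy, not a standard construction:

```python
"""Added example (not from the lecture): IND-CPA game, bit-security game, and the
reduction from a bit attacker to an IND-CPA attacker, run against two toy ciphers."""
import hmac
import random

MSG_BITS = 8                                   # messages are 8-bit integers


def det_cipher(k, m, rng):
    """Constructed deterministic cipher: E_k(m) = m xor k. Equal plaintexts give equal
    ciphertexts, which is exactly what an IND-CPA adversary can exploit."""
    return m ^ k


def rand_cipher(k, m, rng):
    """Constructed randomised cipher: E_k(m) = (r, m xor F_k(r)) with F_k(r) = first byte
    of HMAC-SHA256(k, r) and a fresh 32-bit r per call. Encrypting the same m twice
    gives different ciphertexts, so the table attack below finds nothing."""
    r = rng.getrandbits(32)
    pad = hmac.new(k.to_bytes(1, "big"), r.to_bytes(4, "big"), "sha256").digest()[0]
    return (r, m ^ pad)


def ind_cpa_game(cipher, choose, guess, rng):
    """One run of the slide-94 game: the adversary gets an encryption oracle, picks
    (M0, M1), receives E_k(M_b) and outputs b'. Returns True if b' == b."""
    k, b = rng.getrandbits(MSG_BITS), rng.getrandbits(1)
    oracle = lambda m: cipher(k, m, rng)
    m0, m1 = choose(oracle)
    return guess(oracle, cipher(k, (m0, m1)[b], rng)) == b


def bit_game(cipher, pick_bit, guess_bit, rng):
    """One run of the slide-95 game: random k and M; the adversary names bit i, sees
    E_k(M) (and the oracle) and must output bit i of M."""
    k, m = rng.getrandbits(MSG_BITS), rng.getrandbits(MSG_BITS)
    i = pick_bit()
    oracle = lambda x: cipher(k, x, rng)
    return guess_bit(oracle, cipher(k, m, rng), i) == (m >> i) & 1


# Constructed bit attacker: encrypt every possible message through the oracle and look
# the challenge ciphertext up in that table. Only a deterministic cipher lets this work.
def pick_bit():
    return 0


def guess_bit_by_table(oracle, c, i):
    table = {oracle(m): m for m in range(1 << MSG_BITS)}
    return (table[c] >> i) & 1 if c in table else 0


def reduce_to_ind_cpa(pick_bit, guess_bit, rng):
    """Slide 96: build an IND-CPA attacker from a bit attacker. It picks M0 at random and
    M1 = M0 with bit i flipped, so M_b is uniform and the bit attacker sees a genuine
    bit-game challenge; its answer for bit i tells which message was encrypted."""
    state = {}

    def choose(oracle):
        state["i"] = pick_bit()
        state["m0"] = rng.getrandbits(MSG_BITS)
        return state["m0"], state["m0"] ^ (1 << state["i"])

    def guess(oracle, c):
        a = guess_bit(oracle, c, state["i"])
        return 0 if a == (state["m0"] >> state["i"]) & 1 else 1
    return choose, guess


def win_rate(game, trials, seed=1):
    rng = random.Random(seed)                  # seeded so the experiment is reproducible
    return sum(game(rng) for _ in range(trials)) / trials


def bit_rate(cipher, trials=300):
    return win_rate(lambda rng: bit_game(cipher, pick_bit, guess_bit_by_table, rng), trials)


def ind_cpa_rate(cipher, trials=300):
    def game(rng):
        choose, guess = reduce_to_ind_cpa(pick_bit, guess_bit_by_table, rng)
        return ind_cpa_game(cipher, choose, guess, rng)
    return win_rate(game, trials)


if __name__ == "__main__":
    for name, cipher in (("deterministic", det_cipher), ("randomised", rand_cipher)):
        print("%-13s bit game %.2f   IND-CPA via reduction %.2f"
              % (name, bit_rate(cipher), ind_cpa_rate(cipher)))
```

Against the deterministic cipher both attackers win every run; against the randomised one they are reduced to coin flips. That gap is the reason deterministic modes such as ECB fail IND-CPA while a mode with a fresh nonce per message can satisfy it, and the reduction shows that a single predictable plaintext bit is already enough to break indistinguishability.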

Summary

• Number theory
  – Primes, gcd, Euler's theorem, CRT
  – Modular arithmetic
• Algebraic structures
  – Group, field
  – Zn, Zp, GF(2^n)
• Shannon security
  – Perfect secrecy
  – Probability
• Complexity of computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: httpcsthiteducncryptography
• Due Date

Euler's Theorem

• Theorem: if gcd(a, n) = 1 then $a^{\varphi(n)} \equiv 1 \pmod n$
• Proof:
  1. Let $R = \{r_1, r_2, \ldots, r_{\varphi(n)}\}$ be the set of residues modulo n that are coprime to n (a reduced residue system)
  2. $\{a r_1, a r_2, \ldots, a r_{\varphi(n)}\}$ is a permutation of R (since gcd(a r_i, n) = 1)
  3. $\prod_{i=1}^{\varphi(n)} r_i \equiv \prod_{i=1}^{\varphi(n)} a r_i \equiv a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} r_i \pmod n$
  4. $\gcd\left(\prod_{i=1}^{\varphi(n)} r_i,\ n\right) = 1$, hence $a^{\varphi(n)} \equiv 1 \pmod n$

Fermat's Little Theorem

• From Euler's theorem: let n = p where p is a prime
  Because gcd(a, p) = 1 for all 0 < a < p, we get
  $a^{p-1} \equiv 1 \pmod p$

Finding $a^{-1} \bmod n$

• Search through 1, …, n−1 until an $a^{-1}$ is found such that $a \cdot a^{-1} \equiv 1 \pmod n$
  – T(n) = O(n)
• Compute $a^{-1} = a^{\varphi(n)-1} \bmod n$
  – Finding $\varphi(n)$ requires factoring n
  – T(n) = $O(n^a)$
• Use the Extended Euclidean Algorithm
  – T(n) = $O(\log^a n)$

From the Euclidean Algorithm

• $r_0 = 1 \cdot r_0 + 0 \cdot r_1 = s_0 r_0 + t_0 r_1$
• $r_1 = 0 \cdot r_0 + 1 \cdot r_1 = s_1 r_0 + t_1 r_1$
• $r_2 = r_0 - q_1 r_1 = s_2 r_0 + t_2 r_1$
• $r_3 = r_1 - q_2 r_2 = r_1 - q_2 (r_0 - q_1 r_1) = s_3 r_0 + t_3 r_1$
  ……
• $r_{n-1} = s_{n-1} r_0 + t_{n-1} r_1$
• $r_{n-1} = \gcd(r_0, r_1)$
• If $s_{n-1} r_0 + t_{n-1} r_1 = 1$ then $t_{n-1} r_1 \equiv 1 \pmod{r_0}$, i.e. $t_{n-1} \equiv r_1^{-1} \pmod{r_0}$
• So the task is to find $t_{n-1}$

$s_i$ and $t_i$

• $r_0 = s_0 r_0 + t_0 r_1$, with $s_0 = 1$, $t_0 = 0$
• $r_1 = s_1 r_0 + t_1 r_1$, with $s_1 = 0$, $t_1 = 1$
  ……
• $r_i = r_{i-2} - q_{i-1} r_{i-1} = s_{i-2} r_0 + t_{i-2} r_1 - q_{i-1} s_{i-1} r_0 - q_{i-1} t_{i-1} r_1 = s_i r_0 + t_i r_1$
  $s_i = s_{i-2} - q_{i-1} s_{i-1}$
  $t_i = t_{i-2} - q_{i-1} t_{i-1}$
• Only $t_i$ is needed
• $r_i = s_i r_0 + t_i r_1 \equiv t_i r_1 \pmod{r_0}$

Extended Euclidean Algorithm

Step 1: $r_0 = n$ and $r_1 = a$
Step 2: $r_0 = q_1 r_1 + r_2$, so $r_2 = r_0 - q_1 r_1 \equiv -q_1 r_1 \pmod n$; let $x_2 = -q_1$, then $r_2 \equiv x_2 r_1 \pmod n$
  $r_1 = q_2 r_2 + r_3$, so $r_3 = r_1 - q_2 r_2 \equiv (1 - x_2 q_2)\, r_1 \pmod n$; let $x_3 = 1 - x_2 q_2$, then $r_3 \equiv x_3 r_1 \pmod n$
  ……
  $r_{n-3} = q_{n-2} r_{n-2} + r_{n-1}$, so $r_{n-1} = r_{n-3} - q_{n-2} r_{n-2} \pmod n$; let $x_{n-1} = x_{n-3} - x_{n-2} q_{n-2}$, then $r_{n-1} \equiv x_{n-1} r_1 \pmod n$. Now $r_{n-1} = 1$
Step 3: the result is $x_{n-1} \equiv a^{-1} \pmod n$
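The three methods of the "Finding a⁻¹ mod n" slide, with the Extended Euclidean Algorithm written as the $s_i$, $t_i$ recurrences of the preceding slides, as an added Python example (not code from the lecture). The function names are my own; `phi` is a trial-division totient included only so that method 2 runs stand-alone.

```python
# Added example: the three ways of finding a^-1 mod n from the slides,
# with the Extended Euclidean Algorithm written as the s_i / t_i recurrences.
from math import gcd
from typing import Optional, Tuple


def phi(n: int) -> int:
    """Euler's totient phi(n) by trial-division factoring of n (the costly
    step of method 2: phi(n) for an unknown n needs the factorization)."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            while m % p == 0:
                m //= p
            result -= result // p
        p += 1
    if m > 1:
        result -= result // m
    return result


def inverse_by_search(a: int, n: int) -> Optional[int]:
    """Method 1: try x = 1, ..., n-1 until a*x = 1 (mod n).  T(n) = O(n)."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    return None


def inverse_by_euler(a: int, n: int) -> Optional[int]:
    """Method 2: a^-1 = a^(phi(n)-1) mod n, valid only when gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        return None
    return pow(a, phi(n) - 1, n)


def extended_euclid(r0: int, r1: int) -> Tuple[int, int, int]:
    """Method 3: return (g, s, t) with s*r0 + t*r1 = g = gcd(r0, r1).

    Each remainder is r_i = r_{i-2} - q_{i-1} r_{i-1}, and its coefficients
    follow s_i = s_{i-2} - q_{i-1} s_{i-1}, t_i = t_{i-2} - q_{i-1} t_{i-1},
    starting from (s_0, t_0) = (1, 0) and (s_1, t_1) = (0, 1).
    """
    s_prev, t_prev = 1, 0        # r_0 = 1*r_0 + 0*r_1
    s_cur, t_cur = 0, 1          # r_1 = 0*r_0 + 1*r_1
    while r1 != 0:
        q, r_next = divmod(r0, r1)                 # r_{i-2} = q r_{i-1} + r_i
        s_prev, s_cur = s_cur, s_prev - q * s_cur  # s_i
        t_prev, t_cur = t_cur, t_prev - q * t_cur  # t_i
        r0, r1 = r1, r_next
    return r0, s_prev, t_prev    # r0 is r_{n-1} = gcd; (s_prev, t_prev) its coefficients


def inverse_by_eea(a: int, n: int) -> Optional[int]:
    """Method 3: with r_0 = n and r_1 = a, gcd = 1 gives t*a = 1 (mod n),
    so t mod n is a^-1.  Only O(log n) division steps are needed."""
    g, _s, t = extended_euclid(n, a)
    if g != 1:
        return None              # a is not a unit of Z_n
    return t % n


def all_methods_agree(a: int, n: int) -> bool:
    """Cross-check: the three methods return the same inverse (or all None)."""
    return inverse_by_search(a, n) == inverse_by_euler(a, n) == inverse_by_eea(a, n)
```

For a = 7, n = 26 the algorithm returns (gcd, s, t) = (1, 3, −11), and −11 mod 26 = 15 is the inverse since 7 · 15 = 105 = 4 · 26 + 1.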

Algebraic Structures

• Why structures?
  – Cryptographic transforms are normally defined in some algebraic structure
• Definition: an algebraic structure is the collection of a set S with one (or more) operations ∘ performed on the elements of S
  – Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions

Group

• Definition: a group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c)
  – G3: ∃e ∈ S, ∀a ∈ S, a∘e = e∘a = a
  – G4: ∀a ∈ S, ∃a⁻¹ ∈ S, a∘a⁻¹ = a⁻¹∘a = e
  – [G5, Abelian group] ∀a, b, a∘b = b∘a

Group Examples

• ⟨Z, +⟩: e = 0, a⁻¹ = −a
• ⟨Zn, +⟩ (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a⁻¹ = n − a
• ⟨Z2, +⟩ (addition modulo 2, i.e. XOR) is also a group
• ⟨Zp*, ·⟩ (Zp* = {1, …, p−1}, '·' is multiplication modulo p)

Group Properties

• Definition: the order of a finite group is the number of elements in the group
• Definition: a group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S
• Lagrange's theorem: the order of a subgroup H of a finite group G divides the order of G

Lagrange's Theorem: Proof

(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (since e ∈ H, a ∈ aH), so the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of a Group Element

• Definition: the order of a group element a is the least positive integer n such that
  $a^n = a \circ a \circ \cdots \circ a = e$
• The order of a is denoted ord(a)
• Corollary: suppose G is a finite group of order n and a ∈ G; then ord(a) | n

ord(a) | n: Proof

• Proof
  – For a group G and a ∈ G, the set $\{a, a^2, \ldots, a^{\mathrm{ord}(a)}\}$ together with the operator of G forms a subgroup of G:
    $a^{\mathrm{ord}(a)} = e$, $(a^i)^{-1} = a^{\mathrm{ord}(a) - i}$
  – This subgroup is denoted ⟨a⟩
  – Its order is ord(a), so by Lagrange's theorem ord(a) divides n

The Generator of a Group

• Definition: if all elements of a group can be generated by a single element g, then g is called a generator of the group
• Example
  – Consider ⟨Z7*, ·⟩
  – 2 generates $2^1 = 2$, $2^2 = 4$, $2^3 = 8 \equiv 1 \pmod 7$, $2^4 = 16 \equiv 2 \pmod 7$, …
    • {1, 2, 4} is a subgroup
  – 3 generates $3^1 = 3$, $3^2 \equiv 2$, $3^3 \equiv 6$, $3^4 \equiv 4$, $3^5 \equiv 5$, $3^6 \equiv 1$, …
    • 3 is a generator
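The order of every element of Zp*, the cyclic subgroup ⟨a⟩ it generates, the generators, and the corollary ord(a) | |G|, as an added Python example (not from the slides). It reproduces the Z7* example above and works for any n, including composite n where Zn* is a proper subset of {1, …, n−1}.

```python
# Added example: element orders, cyclic subgroups <a>, generators and the
# Lagrange corollary ord(a) | |G| in the multiplicative group Z_n^*.
from math import gcd
from typing import List


def multiplicative_group(n: int) -> List[int]:
    """Z_n^* = {x : gcd(x, n) = 1}; for a prime p this is {1, ..., p-1}."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def element_order(a: int, n: int) -> int:
    """Least k >= 1 with a^k = 1 (mod n); requires gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("a must be a unit modulo n")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def generated_subgroup(a: int, n: int) -> List[int]:
    """<a> = [a, a^2, ..., a^ord(a)] in that order; the last entry is e = 1."""
    sub, x = [], 1
    for _ in range(element_order(a, n)):
        x = (x * a) % n
        sub.append(x)
    return sub


def generators(n: int) -> List[int]:
    """Elements whose order equals |Z_n^*|: each one generates the whole group."""
    group = multiplicative_group(n)
    return [a for a in group if element_order(a, n) == len(group)]


def lagrange_holds(n: int) -> bool:
    """Corollary of Lagrange's theorem: ord(a) divides |G| for every a in G."""
    group = multiplicative_group(n)
    return all(len(group) % element_order(a, n) == 0 for a in group)
```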

Ring

• Definition: a ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S, a + b ∈ S and a·b ∈ S (closure rule)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: ∀a, b, c ∈ S, (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S, a·(b + c) = a·b + a·c
• Examples
  – The set of even integers with + and · is a ring
  – For two primes p, q and n = pq, Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Field

• Definition: a field F is ⟨S, +, ·⟩ with
  – F1: ⟨S, +, ·⟩ is a commutative ring (a·b = b·a)
  – F2: there exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: any nonzero element a ∈ S has a unique inverse a⁻¹: a·a⁻¹ = a⁻¹·a = 1
• Example
  – Zn = ⟨{0, 1, …, n−1}, +, ·⟩ is a field if n is a prime

Relationship

(Figure) Nested structures: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, and division by nonzero elements); the field is the structure used in cryptography

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field $F_{2^n}$

Zn

• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Examples
  – Z26 for English letters
  – Z256 for ASCII

Zn Properties

• Additive and multiplicative identities in Zn
  – The additive identity is 0 mod n
  – The multiplicative identity is 1 mod n
• Additive inverse: yes
  – For every x in Zn there is a y such that x + y = 0
• Multiplicative inverse: not for all x
  – A y such that x·y = 1 exists only for some x in Zn
  – The elements of Zn that have an inverse are {x | gcd(x, n) = 1}

Zn*

• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field

Zp

• Zp is the "field" of integers modulo a prime p
  – Zp = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2 (operation tables)

  +  | 0  1        ·  | 0  1        w | −w | w⁻¹
  0  | 0  1        0  | 0  0        0 |  0 |  –
  1  | 1  0        1  | 0  1        1 |  1 |  1
  (XOR)            (AND)

Polynomial Ring

• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$ where each $a_i \in R$ and $n \ge 0$
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: let $f(x) = x^3 + x + 1$ and $g(x) = x^2 + x$ be elements of Z2[x]
  – $f(x) + g(x) = x^3 + x^2 + 1$
  – $f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1$
  – $f(x) \cdot g(x) = x^5 + x^4 + x^3 + x$

Set of Residues Modulo p(x)

• Definition: the set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written $a(x) \equiv b(x) \pmod{p(x)}$, iff p(x) | (a(x) − b(x))
• Example
  – In Z5[x]: $3x^3 + 4x + 4 \equiv x + 4 \pmod{x^2 + 1}$
    • $3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)$
• Definition: if $a(x) \cdot b(x) \equiv 1 \pmod{p(x)}$ then $b(x) = a^{-1}(x) \bmod p(x)$

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO nonconstant polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) such that b(x) | a(x)

Example: Z2[x]/(x³ + x + 1)

• S = {0, 1, x, x+1, x², x²+1, x²+x, x²+x+1}
• p(x) = x³ + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
  – $x^4 + 1 = x \cdot x^3 + 1 \equiv x(x + 1) + 1 = x^2 + x + 1 \pmod{p(x)}$
• Note: when p(x) is irreducible, R[x]/p(x) is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x³ + x + 1): Properties

• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x² + 1) + (x² + 1) = 0
• S without 0 is a group over multiplication mod p(x)
  – 1 is e, and every nonzero a ∈ S has an inverse
  – Example: $(x^2 + 1) \cdot x = x^3 + x \equiv (x + 1) + x = 1 \pmod{x^3 + x + 1}$
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x³ + x + 1) is a field

Galois Field

• Definition: Galois field = ⟨S, +, ·⟩
  – S = F[x]/p(x)
  – F is a field ZN (N is prime)
  – + is addition in F, · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over ZN[x]/p(x) is denoted GF(N^n) when n = deg p(x)

Why Galois Fields?

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for Z256?
  – Yes: a Galois field

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ $1 \cdot x^7 + 0 \cdot x^6 + 0 \cdot x^5 + 1 \cdot x^4 + 0 \cdot x^3 + 1 \cdot x^2 + 1 \cdot x^1 + 1 \cdot x^0$
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• Byte operations in AES use GF(2⁸) = Z2[x]/p(x) where $p(x) = x^8 + x^4 + x^3 + x + 1$
• Example
  – 01010011 ↔ $x^6 + x^4 + x + 1$
  – (01010011)⁻¹ ↔ $(x^6 + x^4 + x + 1)^{-1} \bmod p(x) = x^7 + x^6 + x^3 + x$ ↔ 11001010

Galois Field Example: AES

• Example: 02 · 87 = ?
  • 87 = 10000111 ↔ $f(x) = x^7 + x^2 + x + 1$
  • 02 = 00000010 ↔ $f(x) = x$
  • 02 · 87 ↔ $x \cdot f(x) = x(x^7 + x^2 + x + 1) \bmod p(x) = x^8 + x(x^2 + x + 1) \bmod p(x)$
• In general, for a byte $b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$, multiplication by 02 (i.e. by x) is
  – $(b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)$ if $b_7 = 0$
  – $(b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus (00011011)$ if $b_7 = 1$
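Arithmetic in GF(2^n) = Z2[x]/p(x) with the bit-to-coefficient mapping of the slides, as an added Python example (my own code, not the AES reference implementation or the lecture's). It generalises beyond the two examples above: `xtime` is the slide's multiply-by-02 rule for any modulus, `gf_inv` is the Extended Euclidean Algorithm on polynomials, and the same functions serve the 8-element field Z2[x]/(x³+x+1) and the AES field.

```python
# Added example: arithmetic in the binary Galois field GF(2^n) = Z2[x]/p(x).
# A polynomial is stored as the integer whose bits are its coefficients
# (bit i <-> x^i), exactly the byte-to-polynomial mapping of the slides.
from typing import Tuple

AES_POLY = 0x11B     # x^8 + x^4 + x^3 + x + 1 (the AES modulus)
SMALL_POLY = 0b1011  # x^3 + x + 1 (the 8-element field of the slides)


def degree(a: int) -> int:
    """Degree of the polynomial a; -1 for the zero polynomial."""
    return a.bit_length() - 1


def clmul(a: int, b: int) -> int:
    """Carry-less product a(x)*b(x) over Z2, without reduction."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_divmod(a: int, b: int) -> Tuple[int, int]:
    """Polynomial long division over Z2: a = q*b + r with deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r, db = 0, a, degree(b)
    while r and degree(r) >= db:
        shift = degree(r) - db
        q ^= 1 << shift          # subtract (XOR) b(x) * x^shift
        r ^= b << shift
    return q, r


def poly_mod(a: int, p: int) -> int:
    """a(x) mod p(x), e.g. x^4 + 1 mod (x^3 + x + 1) = x^2 + x + 1."""
    return poly_divmod(a, p)[1]


def xtime(a: int, p: int) -> int:
    """Multiply by x: shift left and reduce once if the top bit overflowed.
    For AES this is the slide's rule: (b6..b0 0), XOR 00011011 when b7 = 1."""
    a <<= 1
    if degree(a) == degree(p):
        a ^= p
    return a


def gf_mul(a: int, b: int, p: int) -> int:
    """a(x) * b(x) mod p(x)."""
    return poly_mod(clmul(a, b), p)


def gf_inv(a: int, p: int) -> int:
    """a(x)^-1 mod p(x) by the Extended Euclidean Algorithm on polynomials:
    r_0 = p, r_1 = a, and only the t_i coefficients (t_i = t_{i-2} - q t_{i-1},
    where '-' is XOR over Z2) are tracked, as in the integer version."""
    a = poly_mod(a, p)
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in a field")
    r0, r1 = p, a
    t0, t1 = 0, 1
    while r1 != 1:               # p irreducible => gcd(p, a) = 1, so r reaches 1
        q, r2 = poly_divmod(r0, r1)
        r0, r1 = r1, r2
        t0, t1 = t1, t0 ^ clmul(q, t1)
    return t1


def is_field(p: int) -> bool:
    """True when every nonzero residue has an inverse, i.e. p(x) is irreducible;
    for a reducible p the Euclidean loop hits a zero remainder and fails."""
    try:
        return all(gf_mul(a, gf_inv(a, p), p) == 1 for a in range(1, 1 << degree(p)))
    except ZeroDivisionError:
        return False
```

The open question on the slide, 02 · 87, evaluates to 0x15: 0x87 shifted left is 0x10E, whose overflowed bit is cleared by XOR with 0x11B.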

Mathematical Model for Ciphers

• Message space: $P = M^L = \{m = (m_1, m_2, \ldots, m_L) \mid m_i \in M\}$
  – $M = \{a_i \mid i = 1, 2, \ldots, N\}$, $p(a_i) \ge 0$, $\sum_{i=1}^{N} p(a_i) = 1$
• Key space: $K = B^R = \{b = (b_1, b_2, \ldots, b_R) \mid b_i \in B\}$
  – $B = \{b_i \mid i = 1, 2, \ldots, S\}$, $p(b_i) \ge 0$, $\sum_{i=1}^{S} p(b_i) = 1$
• Ciphertext space: $C = \{c \mid c = e_k(m),\ k \in K,\ m \in M\}$
• (Figure) Sender → Encryption → c → Decryption → Receiver; the key k reaches both ends over a secure channel; the cryptanalyst observes c and tries to recover m; the spaces shown are the Message Space (P), the Key Space (K) and the Ciphertext Space (C)

Claude Shannon (1916–2001)

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." (R. G. Gallager)

Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]$
  – $C(k) = \{e_k(m) \mid m \in P\}$
• $\Pr[C = c \mid P = m] = \sum_{k \in K,\ m = d_k(c)} \Pr[K = k]$
• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \cdot \Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m) \sum_{k \mid m = d_k(c)} \Pr(k)}{\sum_{k \in K,\ c \in C(k)} \Pr(k) \Pr(d_k(c))}$

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define "information"?
• Definition: an encryption scheme is Shannon secure if, for the probability distribution of P, $\forall c, m:\ \Pr[P = m] = \Pr[P = m \mid C = c]$
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that $e_k(x) = y$

Proof of ⇐

• $\Pr[x \mid y] = \dfrac{\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] \cdot \Pr[x]}{\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \cdot \Pr[d_k(y)]}$
• $\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] = 1/|K|$ (exactly one key maps x to y)
• $\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \cdot \Pr[d_k(y)] = \dfrac{1}{|K|} \sum_{k \in K,\ y \in C(k)} \Pr[d_k(y)] = \dfrac{1}{|K|} \sum_{x \in P} \Pr[x] = \dfrac{1}{|K|}$
• Hence $\Pr[x \mid y] = \Pr[x]$

Proof of ⇒ (unique key)

• Assume Pr[y] > 0 for every y ∈ C
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus at least one k with $e_k(x) = y$ exists
• $|\{e_k(x) \mid k \in K\}| = |C| = |K|$
  – So there are no $k_1 \ne k_2$ with $e_{k_1}(x) = e_{k_2}(x)$
  – There is a unique key k such that $e_k(x) = y$

Proof of ⇒ (equal key probability)

• Let n = |K| and $P = \{x_i \mid 1 \le i \le n\}$
• Given a fixed y, let $k_1, k_2, \ldots, k_n$ be the keys with $e_{k_i}(x_i) = y$
• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i] \cdot \Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i] \cdot \Pr[x_i]}{\Pr[y]}$
• $\Pr[x_i \mid y] = \Pr[x_i] \Rightarrow \Pr[K = k_i] = \Pr[y]$
  – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
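The formulas of the "Probability Distribution of C" slide and the Shannon-secrecy condition Pr[P = m] = Pr[P = m | C = c], checked exhaustively on small ciphers, as an added Python example (my own, not the lecture's code). The shift cipher over Zn and the message and key distributions are constructed here for illustration; the third scenario reuses one key for two letters, so |K| < |P| and the "bad news" theorem predicts failure.

```python
# Added example: the ciphertext and posterior probabilities of the slides,
# computed exactly with fractions, and the perfect-secrecy test applied to
# three constructed ciphers over Z_n.
from fractions import Fraction
from itertools import product


def ciphertext_dist(enc, msgs, keys):
    """Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] * Pr[P = m]."""
    dist = {}
    for m, pm in msgs.items():
        for k, pk in keys.items():
            c = enc(k, m)
            dist[c] = dist.get(c, Fraction(0)) + pk * pm
    return dist


def posterior(enc, msgs, keys, dist, m, c):
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c], where
    Pr[C = c | P = m] is the total probability of the keys k with e_k(m) = c."""
    pc_given_m = sum((pk for k, pk in keys.items() if enc(k, m) == c), Fraction(0))
    return pc_given_m * msgs[m] / dist[c]


def is_shannon_secure(enc, msgs, keys):
    """Perfect secrecy: Pr[m | c] = Pr[m] for every m and every c with Pr[c] > 0."""
    dist = ciphertext_dist(enc, msgs, keys)
    return all(posterior(enc, msgs, keys, dist, m, c) == pm
               for c in dist for m, pm in msgs.items())


def uniform(items):
    """Uniform distribution over a finite collection."""
    items = list(items)
    return {x: Fraction(1, len(items)) for x in items}


def shift_encrypt(k, m, n):
    """e_k(m) = m + k mod n with a fresh key per message (one-time pad over Z_n)."""
    return (m + k) % n


def two_letter_shift(k, m, n):
    """The same key k is reused for both letters of m, so |K| = n < |P| = n^2."""
    return ((m[0] + k) % n, (m[1] + k) % n)


def shift_cipher_uniform_key(n=26):
    """Skewed message distribution, uniform key: perfect secrecy holds."""
    msgs = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
    return is_shannon_secure(lambda k, m: shift_encrypt(k, m, n), msgs, uniform(range(n)))


def shift_cipher_biased_key(n=26):
    """Only keys 0 and 1 are ever chosen: seeing c = 0 reveals that m = 0."""
    msgs = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
    keys = {0: Fraction(1, 2), 1: Fraction(1, 2)}
    return is_shannon_secure(lambda k, m: shift_encrypt(k, m, n), msgs, keys)


def shift_cipher_key_reuse(n=5):
    """Two letters under one key: |K| = n < |P| = n^2, so secrecy must fail
    (the ciphertext reveals the difference of the two letters)."""
    msgs = uniform(product(range(n), repeat=2))
    return is_shannon_secure(lambda k, m: two_letter_shift(k, m, n), msgs, uniform(range(n)))
```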

Introduction to Complexity

• Perfect secrecy: key length ≥ message length
  – One key can NOT be used to encrypt many messages
  – For example, a 56-bit key cannot be used to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – Secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: a Turing Machine is a transition function S × B → S × B × {l, r}
  – where S is the set of states, B the set of characters, l is shift left and r is shift right
• (Figure) A tape … 0 1 1 0 0 0 1 1 … read and written by a state machine

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms

• (Figure) A PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output

Complexity of an Algorithm

• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: $f(n) = n^a$, a ∈ N
  – Exponential functions: $f(n) = \Omega(a^n)$, a ∈ N, and there exists b ∈ N with $f(n) = O(b^n)$

Complexity of a Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, or the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problems

• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing halting problem
• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: A·B
  – NP: can be solved in polynomial time using an NDTM, whose transition relation is S × B → $2^{S \times B \times \{l, r\}}$
  – BPP: can be "solved" in polynomial time using a PTM, S × B × {0, 1} → S × B × {l, r} (randomized algorithms)

NP Problems

• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remarks
  – P problems ⊆ NP problems
  – NP problems are "more difficult", intuitively
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is more complex than Q1
  – Denoted $Q_1 \le_{poly} Q_2$

NP Completeness (NPC)

• Definition: the NPC problems are the Qc such that for any Q ∈ NP we have $Q \le_{poly} Q_c$
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC
  – Show $SAT \le_{poly} Q$

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 35
Fermatrsquos Little Theorem
bull For Eulerrsquos Theorem
Let n is p and p is a prime
Because for all 0ltaltp gcd(ap)=1 then
ap-1 1 mod p
Zhijun Li S1034040Autumn08HIT 36
bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)
bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)
bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)
Finding a-1 mod n
Zhijun Li S1034040Autumn08HIT 37
From Euclidean Algorithm
bull r0 =1r0+ 0r1 = s0r0+t0r1
bull r1 =0r0+ 1r1 = s1r0+t1r1
bull r2 = r0-q1r1 = s2r0+t2r1
bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1
helliphellipbull rn-1 = sn-1r0+tn-1r1
bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1
-1 mod r0
bull Find tn-1
Zhijun Li S1034040Autumn08HIT 38
si and ti
bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1
si=si-2-qi-1si-1
ti=ti-2-qi-1ti-1
bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0
Zhijun Li S1034040Autumn08HIT 39
Step 1 r0 =n and r1 =a
Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n
r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n
let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip
rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1
Step 3 Result is xn-2 =a-1 mod n
Extended Euclidean Algorithm
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
bull Definition The order of a finite group is the number of the elements in the group
bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S
bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H
(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a
ll coset is a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of Group Element
bull Definition The order of group element a is defined as the least positive integer n that
an = a a hellip a =e
bull The order of a is denoted as ord(a)
bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n
Zhijun Li S1034040Autumn08HIT 47
ord(a)|n Proof
bull Proofndash For group G and aG the set a a2 hellip aord
(a) and the operator of G forms a subgroup of G
aord(a)=e (ai)-1=a(ord(a)-i)
ndash This subgroup is denoted as ltagt
Zhijun Li S1034040Autumn08HIT 48
The Generator of Group
bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group
bull Examplendash Considering the ltZ7
gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod
7hellipbull lt124gt subgroup
ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator
Zhijun Li S1034040Autumn08HIT 49
Ringbull Definition A ring R=ltS+gt (+ is addition is
multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac
bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio
n and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic
ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers
e a-1 a = a-1 a = 1
bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
Field +-x
Relationship
Ring +-x
+-Group
Used In Cryptography
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
bull Zn
bull Zn
bull Zp
bull Polynomial Rings
bull Galois Field F2n
Zhijun Li S1034040Autumn08HIT 53
Zn
bull Zn is the ldquoringrdquo of integers modulo n
ndash Zn=0 1 2 hellipn-1
ndash Normal addition modulo nndash Normal multiplication modulo n
bull Example
ndash Z26 for English
ndash Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
bull Additive and multiplicative identities in Zn
ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n
bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn
bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn
ndash The elements in Zn have inverse x|gcd(xn)=1
Zhijun Li S1034040Autumn08HIT 55
Zn
bull Zn is a ldquogrouprdquo of integers modulo n
ndash Zn=x| gcd(xn)=1
ndash |Zn|=(n)
ndash Normal multiplication modulo n
bull Zn may not a group over +
ndash Example n=20 35 Zn but 3+5=8 Zn
bull So Zn may not a field
Zhijun Li S1034040Autumn08HIT 56
Zp
bull Zp is the ldquofieldrdquo of integers modulo n
ndash Zp=012hellipp-1
ndash Normal addition modulo pndash Normal multiplication modulo p
bull ExampleZ2+ 0 1
01
0 11 0
0 1
01
0 00 1
w -w w-1
01
01 1
XOR AND
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0
bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Mathematical Model for Ciphers
• P = M^L = { m = (m1, m2, …, mL) | mi ∈ M }
  – M = { ai, i = 1,2,…,N }, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = { b = (b1, b2, …, bR) | bi ∈ B }
  – B = { bi, i = 1,2,…,S }, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = { c | c = ek(m), k ∈ K, m ∈ P }
[Figure: Sender → Encryption (m → c) → Decryption → Receiver; the key k from the Key Space (K) is delivered over a Secure Channel; Cryptanalysis observes c; Message Space (P), Ciphertext Space (C)]
Claude Shannon (1916–2001)
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager
Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = dk(c)]
  – C(k) = { ek(m) | m ∈ P }
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k | m = dk(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(dk(c)) )
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: an encryption scheme is Shannon secure if the probability distribution of P satisfies, for all c and m, Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y
Proof of ⇐ (the two conditions imply perfect secrecy)
• Pr[x = x | y = y] = Σ_{k ∈ K, x = dk(y)} Pr[K = k] · Pr[x = x] / Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)]
• Numerator: Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K| (a unique key maps x to y)
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)] = (1/|K|) · Σ_{k ∈ K, y ∈ C(k)} Pr[x = dk(y)] = (1/|K|) · Σ_{x ∈ P} Pr[x = x] = 1/|K|
• Hence Pr[x = x | y = y] = Pr[x = x]
Proof of ⇒ (perfect secrecy implies a unique key for each x, y)
• Assume Pr[y] > 0; then Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P and y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus at least one k exists that satisfies ek(x) = y
• |{ ek(x) | k ∈ K }| = |C| = |K|
  – There are no k1 ≠ k2 with ek1(x) = ek2(x)
  – There is a unique key k such that ek(x) = y
Proof of ⇒ (perfect secrecy implies equiprobable keys)
• Let n = |K| and P = { xi | 1 ≤ i ≤ n }
• Given a fixed y, let k1, k2, …, kn be the keys with eki(xi) = y
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy
• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a probability distribution on P that is nonzero everywhere
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
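The distributions of the "Probability Distribution of C" slide, evaluated on a small shift cipher, as an added Python example (not the lecture's code; `ciphertext_dist`, `posterior` and `has_perfect_secrecy` are my names). Exact fractions keep the equality test Pr[P=m | C=c] = Pr[P=m] honest. Three constructed key distributions illustrate the theorem and the |K| ≥ n bound above: uniform keys give perfect secrecy, biased keys lose it, and so does a key space smaller than the message space.

```python
# Added example, not from the slides: compute Pr[C=c] and Pr[P=m|C=c] for a
# toy cryptosystem and test Shannon's perfect-secrecy condition exactly.
# Function names are chosen for this example.
from fractions import Fraction
from itertools import product


def shift_encrypt(k, m, n):
    """Toy cipher on P = C = K = Zn: e_k(m) = m + k mod n."""
    return (m + k) % n


def uniform(n):
    """The distribution that uses every key in Zn with probability 1/|K|."""
    return {k: Fraction(1, n) for k in range(n)}


def ciphertext_dist(n, pr_m, pr_k, enc=shift_encrypt):
    """Pr[C=c] = sum over k, m with e_k(m) = c of Pr[K=k] * Pr[P=m]."""
    dist = {c: Fraction(0) for c in range(n)}
    for k, pk in pr_k.items():
        for m, pm in pr_m.items():
            dist[enc(k, m, n)] += pk * pm
    return dist


def posterior(n, pr_m, pr_k, m, c, enc=shift_encrypt):
    """Pr[P=m | C=c] = Pr[C=c | P=m] * Pr[P=m] / Pr[C=c]; None if Pr[C=c] = 0."""
    pr_c_given_m = sum((pk for k, pk in pr_k.items() if enc(k, m, n) == c), Fraction(0))
    pr_c = ciphertext_dist(n, pr_m, pr_k, enc)[c]
    if pr_c == 0:
        return None
    return pr_c_given_m * pr_m[m] / pr_c


def has_perfect_secrecy(n, pr_m, pr_k, enc=shift_encrypt):
    """Shannon security: Pr[P=m | C=c] == Pr[P=m] for all m and every c that can occur."""
    for m, c in product(range(n), range(n)):
        post = posterior(n, pr_m, pr_k, m, c, enc)
        if post is not None and post != pr_m[m]:
            return False
    return True


# Constructed, deliberately skewed plaintext distribution on Z3 and three key distributions.
PR_M = {0: Fraction(1, 2), 1: Fraction(1, 3), 2: Fraction(1, 6)}
KEYS_UNIFORM = uniform(3)
KEYS_BIASED = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
KEYS_TOO_FEW = {0: Fraction(1, 2), 1: Fraction(1, 2)}   # |K| = 2 < |P| = 3


if __name__ == "__main__":
    print("uniform keys :", has_perfect_secrecy(3, PR_M, KEYS_UNIFORM))   # True
    print("biased keys  :", has_perfect_secrecy(3, PR_M, KEYS_BIASED))    # False
    print("|K| < |P|    :", has_perfect_secrecy(3, PR_M, KEYS_TOO_FEW))   # False
    print("Pr[P=0 | C=0] with biased keys =", posterior(3, PR_M, KEYS_BIASED, 0, 0))
```

With the biased keys, observing c = 0 raises the posterior of m = 0 from 1/2 to 2/3, which is exactly the "information about the plaintext" that Shannon security forbids; with two keys, the ciphertext c = 1 rules out m = 2 completely.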
Introduction to Complexity
• Perfect secrecy: key length ≥ message length
  – Cannot use one key to encrypt many messages
  – For example, cannot use a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography
Problems
• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: a Turing Machine is given by a transition function S×B → S×B×{l, r}
  – where S is the set of states, B is the set of characters, l is shift left, r is shift right
[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]
Algorithms
• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Problems and Algorithms
[Figure: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output]
Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) grows at least like a^n for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Complexity of Problem
• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e., the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problem
• Undecidable – provably intractable
  – There is no algorithm that solves it
  – For example, the Turing Halting Problem
• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: A B
  – NP – can be solved in polynomial time using an NDTM, whose transition function is S×B → 2^S
  – BPP – can be "solved" in polynomial time using a PTM, with transition function S×B×{0,1} → S (randomized algorithms)
NP Problem
• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", intuitively
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Polynomial Reduction
• Definition: assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is at least as hard as Q1
  – Denoted Q1 ≤poly Q2
NP Completeness (NPC)
• Definition: an NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC: show SAT ≤poly Q
P = NP?
• P = NP, or ∃ p ∈ NP with p ∉ P?
• If P = NP
  – Modern cryptography is NOT secure
• If ∃ p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography
BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Problems in Cryptography
• FACTORING: factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: find the exponent x such that a given base raised to x equals a given value (mod p)
• DHP: find the ab-th power of the base (mod p) from its a-th power and its b-th power (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)
Semantic Security
• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game
  – Challenger: picks random k and picks random b ∈ {0,1}
  – Adversary: picks M0, M1 of equal length and receives the encryption of Mb under k
  – Adversary: outputs a guess b'
  – Attacker wins the game if b = b'
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game
  – Challenger: 1. picks random k; 2. picks random M
  – Adversary: 3. picks i, receives the encryption of M under k, and outputs a guess a
  – Attacker wins the game if a = the i'th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
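The IND-CPA and bit-security games of the last three slides, simulated in Python as an added example (not the lecture's code). The toy ciphers, the adversaries and the reduction class `FromBitGuesser` are all constructed for this example: `enc_fixed` reuses one keystream for every message, `enc_iv` draws a fresh IV per message, and `enc_leaky` copies one plaintext bit into the ciphertext. A win rate near 1 shows a scheme failing a game and a rate near 0.5 shows the adversary learning nothing. The reduction is the proof sketch of the slide above: any bit-guesser becomes an IND-CPA adversary by choosing M0, M1 that differ only in the bit it guesses.

```python
# Added example, not from the slides: simulate the IND-CPA and bit-security
# games on three constructed toy ciphers, plus the bit-guesser -> IND-CPA reduction.
import hashlib
import os
import random

IV_LEN = 16
MSG_LEN = 16


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stream(key, iv, length):
    """Toy keystream for the example: SHA-256(key || iv), messages up to 32 bytes."""
    return hashlib.sha256(key + iv).digest()[:length]


def enc_fixed(key, m):
    """Toy cipher 1: the same keystream for every message (deterministic)."""
    return xor_bytes(m, stream(key, b"", len(m)))


def enc_iv(key, m):
    """Toy cipher 2: fresh random IV per message; ciphertext = iv || m XOR stream."""
    iv = os.urandom(IV_LEN)
    return iv + xor_bytes(m, stream(key, iv, len(m)))


def enc_leaky(key, m):
    """Toy cipher 3: like enc_iv, but bit 0 of the first body byte is the plaintext's bit 0."""
    c = bytearray(enc_iv(key, m))
    c[IV_LEN] = (c[IV_LEN] & 0xFE) | (m[0] & 1)
    return bytes(c)


class RepeatQuery:
    """IND-CPA adversary: re-encrypt M0 through the oracle and compare with the challenge."""
    def choose(self):
        return bytes(MSG_LEN), bytes([0xFF]) * MSG_LEN
    def guess(self, oracle, c, m0, m1):
        return 0 if oracle(m0) == c else 1


class LowBitGuesser:
    """Bit-security adversary: reads bit i of the ciphertext body as its guess."""
    def pick_index(self):
        return 0
    def guess_bit(self, c, i):
        body = c[-MSG_LEN:]
        return (body[i // 8] >> (i % 8)) & 1


class FromBitGuesser:
    """Reduction of the slide: M0 and M1 differ only in bit i, so guessing
    that bit of the challenge plaintext is the same as guessing b."""
    def __init__(self, bit_adv):
        self.bit_adv = bit_adv
    def choose(self):
        self.i = self.bit_adv.pick_index()
        m1 = bytearray(MSG_LEN)
        m1[self.i // 8] |= 1 << (self.i % 8)
        return bytes(MSG_LEN), bytes(m1)
    def guess(self, oracle, c, m0, m1):
        return self.bit_adv.guess_bit(c, self.i)


def ind_cpa_game(enc, adversary, trials=200):
    """Fraction of games the adversary wins (b' == b); 0.5 means no advantage."""
    wins = 0
    for _ in range(trials):
        key = os.urandom(16)
        b = random.getrandbits(1)
        oracle = lambda m, key=key: enc(key, m)     # chosen-plaintext access
        m0, m1 = adversary.choose()
        c = oracle((m0, m1)[b])
        wins += adversary.guess(oracle, c, m0, m1) == b
    return wins / trials


def bit_security_game(enc, bit_adv, trials=200):
    """Fraction of games in which the adversary recovers bit i of a random M."""
    wins = 0
    for _ in range(trials):
        key, m = os.urandom(16), os.urandom(MSG_LEN)
        i = bit_adv.pick_index()
        a = bit_adv.guess_bit(enc(key, m), i)
        wins += a == (m[i // 8] >> (i % 8)) & 1
    return wins / trials


if __name__ == "__main__":
    print("IND-CPA, fixed keystream vs RepeatQuery :", ind_cpa_game(enc_fixed, RepeatQuery()))
    print("IND-CPA, random IV vs RepeatQuery       :", ind_cpa_game(enc_iv, RepeatQuery()))
    print("bit game, leaky cipher                  :", bit_security_game(enc_leaky, LowBitGuesser()))
    print("IND-CPA, leaky cipher vs reduction      :", ind_cpa_game(enc_leaky, FromBitGuesser(LowBitGuesser())))
    print("IND-CPA, random IV vs reduction         :", ind_cpa_game(enc_iv, FromBitGuesser(LowBitGuesser())))
```

The first line of output is the practical lesson: a deterministic cipher loses the IND-CPA game every time, because the oracle lets the adversary recognize a repeated plaintext, which is why real modes of operation randomize with an IV or nonce.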
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework
• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:
Finding a^-1 mod n
• Search through 1…n−1 until an a^-1 is found such that a·a^-1 ≡ 1 (mod n)
  – T(n) = O(n)
• Compute a^-1 = a^(φ(n)−1) mod n
  – Finding φ(n) requires factoring n
  – T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)
From Euclidean Algorithm
• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
  ……
• rn−1 = sn−1·r0 + tn−1·r1
• rn−1 = gcd(r0, r1)
• If sn−1·r0 + tn−1·r1 = 1, then tn−1·r1 ≡ 1 mod r0, i.e., tn−1 ≡ r1^-1 mod r0
• So find tn−1
si and ti
• r0 = s0·r0 + t0·r1, with s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, with s1 = 0, t1 = 1
  ……
• ri = ri−2 − qi−1·ri−1 = si−2·r0 + ti−2·r1 − qi−1·si−1·r0 − qi−1·ti−1·r1 = si·r0 + ti·r1
  – si = si−2 − qi−1·si−1
  – ti = ti−2 − qi−1·ti−1
• Only ti is needed
• ri = si·r0 + ti·r1 ≡ ti·r1 mod r0
Extended Euclidean Algorithm
Step 1: r0 = n and r1 = a
Step 2:
  r0 = q1·r1 + r2, r2 = r0 − q1·r1 ≡ −q1·r1 mod n; let x2 = −q1, then r2 ≡ x2·r1 mod n
  r1 = q2·r2 + r3, r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 mod n; let x3 = 1 − x2·q2, then r3 ≡ x3·r1 mod n
  ……
  rn−3 = qn−2·rn−2 + rn−1, rn−1 = rn−3 − qn−2·rn−2 mod n; let xn−1 = xn−3 − xn−2·qn−2, then rn−1 ≡ xn−1·r1 mod n. Now rn−1 = 1
Step 3: Result is xn−1 = a^-1 mod n
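The three slides above as Python, added here as an example (this is not the lecture's code, and the function names are my own): `egcd_trace` records each row (r_i, q_i, t_i) of the Euclidean division using the recurrence t_i = t_{i-2} − q_{i-1}·t_{i-1}, keeping only the t sequence as the "si and ti" slide suggests, and `mod_inverse` reads a^-1 mod n off the row whose remainder is the gcd. The invariant r_i ≡ t_i·r1 (mod r0) holds on every row, which the usage below checks.

```python
# Added example, not from the slides: the extended Euclidean algorithm in the
# form of the slides, tracking only the t_i sequence (function names are mine).


def egcd_trace(r0, r1):
    """Run Euclid on (r0, r1) and return rows (r_i, q_i, t_i) such that
    r_i = t_i * r1 (mod r0) holds on every row (q_i is the quotient that
    produced r_i; None for the two starting rows)."""
    rows = [(r0, None, 0), (r1, None, 1)]      # t_0 = 0, t_1 = 1
    t_prev, t_cur = 0, 1
    while r1 != 0:
        q, r2 = divmod(r0, r1)                   # r0 = q * r1 + r2
        t_next = t_prev - q * t_cur              # t_i = t_{i-2} - q_{i-1} * t_{i-1}
        rows.append((r2, q, t_next))
        r0, r1 = r1, r2
        t_prev, t_cur = t_cur, t_next
    return rows


def gcd(a, b):
    """gcd(a, b) is the last nonzero remainder of the trace."""
    return egcd_trace(a, b)[-2][0]


def mod_inverse(a, n):
    """Return a^-1 mod n from the t_i of the row whose remainder is the gcd;
    raise ValueError when gcd(a, n) != 1, i.e. when no inverse exists."""
    if n <= 1:
        raise ValueError("modulus must be > 1")
    rows = egcd_trace(n, a % n)
    g, _, t = rows[-2]                           # rows[-1] is the zero remainder
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {g}")
    return t % n


if __name__ == "__main__":
    for r, q, t in egcd_trace(26, 7):
        print(f"r = {r:3d}  q = {q}  t = {t:4d}  check: (t*7 - r) mod 26 = {(t * 7 - r) % 26}")
    inv = mod_inverse(7, 26)                     # 15, since 7 * 15 = 105 = 4 * 26 + 1
    print("7^-1 mod 26 =", inv, "check:", (7 * inv) % 26)
    print("gcd(24, 16) =", gcd(24, 16))
```

Raising on a non-unit rather than returning a wrong value matters in practice: callers such as RSA key generation must treat a missing inverse as an error, not silently use whatever the last t was.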
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Algebraic Structures
• Why structures?
  – Cryptographic transforms normally operate in some structure
• Definition: an algebraic structure is a collection of a set (S) with one (or more) operations (∘) performed on the elements of S
  – Different algebraic structures are <S, ∘> satisfying some specific conditions
Group
• Definition: a group G = <S, ∘> is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c)
  – G3: ∃e ∈ S, ∀a ∈ S, a∘e = e∘a = a
  – G4: ∀a ∈ S, ∃a^-1 ∈ S, a∘a^-1 = a^-1∘a = e
  – [G5, Abelian group]: ∀a, b ∈ S, a∘b = b∘a
Group Example
• <Z, +>: e = 0, a^-1 = −a
• <Zn, +> (Zn = {0,1,…,n−1}, '+' is addition modulo n): e = 0, a^-1 = n − a
• <Z2, ⊕> is also a group
• <Zp*, ·> (Zp* = {1,…,p−1}, '·' is multiplication modulo p)
Group Properties
• Definition: the order of a finite group is the number of elements in the group
• Definition: a group G1 = <S1, ∘> is a subgroup of the group G = <S, ∘> if S1 ⊆ S
• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G
Lagrange Theorem Proof
(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G, the set aH = { ah | h ∈ H } is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH since e ∈ H), so the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G
The Order of a Group Element
• Definition: the order of a group element a is defined as the least positive integer n such that a^n = a∘a∘…∘a = e
• The order of a is denoted ord(a)
• Corollary: suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n
ord(a) | n Proof
• Proof
  – For group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G, since a^ord(a) = e and (a^i)^-1 = a^(ord(a)−i)
  – This subgroup is denoted <a>; its order is ord(a), so by Lagrange's Theorem ord(a) | n
The Generator of a Group
• Definition: if all elements of a group can be generated by a single element g, then g is called a generator of the group
• Example
  – Consider <Z7*, ·>
  – 2 generates: 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • <{1, 2, 4}> is a subgroup
  – 3 generates: 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator
Ring
• Definition: a ring R = <S, +, ·> (+ is addition, · is multiplication) is such that
  – R1: ∀a, b ∈ S, a+b ∈ S and a·b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S, (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S, a·(b+c) = a·b + a·c
• Example
  – The set of even integers with + and · is a ring
  – For two primes p, q with n = pq, Zn = {0,1,…,n−1} with addition and multiplication mod n is a ring
Field
• Definition: a field F is <S, +, ·> with
  – F1: <S, +, ·> is a commutative ring (a·b = b·a)
  – F2: there exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: any nonzero element a ∈ S has a unique inverse a^-1: a·a^-1 = a^-1·a = 1
• Example
  – Zn = <{0,1,…,n−1}, +, ·> is a field if n is a prime
Relationship
[Figure: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷); all three are used in cryptography]
Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F2^n
Zn
• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z26 for English
  – Z256 for ASCII
Zn Properties
• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: yes
  – For every x in Zn there is a y such that x + y = 0
• Multiplicative inverse: not for all x
  – A y such that x·y = 1 does not exist for every x in Zn
  – The elements of Zn that have an inverse are { x | gcd(x, n) = 1 }
Zn*
• Zn* is a "group" of integers modulo n
  – Zn* = { x | gcd(x, n) = 1 }
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field
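The unit group Zn* of this slide, the element orders and generators of the earlier group slides (Z7*, <{1,2,4}>, 3 as a generator), and the brute-force inverse search of the "Zn Properties" slide, as one added Python example. It is not the lecture's code; `units`, `order`, `generated_subgroup`, `generators`, `inverse_by_search` and `lagrange_holds` are my names, and the n = 20 and p = 7 inputs are the slides' own examples.

```python
# Added example, not from the slides: Zn*, element orders, generators and
# a brute-force inverse search; function names are chosen for this example.
from math import gcd


def units(n):
    """Zn* = { x | gcd(x, n) = 1 }, as a sorted list of residues 1 <= x < n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def phi(n):
    """Euler's totient: |Zn*|."""
    return len(units(n))


def is_closed_under(elems, op, n):
    """True iff op(a, b) mod n stays inside elems for all a, b (closure rule G1)."""
    s = set(elems)
    return all(op(a, b) % n in s for a in elems for b in elems)


def inverse_by_search(x, n):
    """O(n) search for y with x*y = 1 (mod n); None when x is not a unit."""
    for y in range(1, n):
        if (x * y) % n == 1:
            return y
    return None


def order(a, n):
    """ord(a) in Zn*: the least k >= 1 with a^k = 1 (mod n)."""
    if n < 2 or gcd(a, n) != 1:
        raise ValueError(f"{a} is not a unit mod {n}")
    k, x = 1, a % n
    while x != 1:
        x, k = (x * a) % n, k + 1
    return k


def generated_subgroup(a, n):
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list."""
    elems, x = [], a % n
    while x not in elems:
        elems.append(x)
        x = (x * a) % n
    return sorted(elems)


def generators(n):
    """Elements g of Zn* with ord(g) = |Zn*|; empty when Zn* is not cyclic (e.g. n = 20)."""
    u = units(n)
    return [g for g in u if order(g, n) == len(u)]


def lagrange_holds(n):
    """ord(a) divides |Zn*| for every unit a (the corollary of Lagrange's theorem)."""
    u = units(n)
    return all(len(u) % order(a, n) == 0 for a in u)


if __name__ == "__main__":
    print("Z20* =", units(20), " phi(20) =", phi(20))
    print("closed under * ?", is_closed_under(units(20), lambda a, b: a * b, 20))
    print("closed under + ?", is_closed_under(units(20), lambda a, b: a + b, 20))   # 3 + 5 = 8
    print("3^-1 mod 20 =", inverse_by_search(3, 20), " 4^-1 mod 20 =", inverse_by_search(4, 20))
    print("<2> in Z7* =", generated_subgroup(2, 7), " generators of Z7* =", generators(7))
```

`generators(20)` coming back empty is worth noticing: Z20* has φ(20) = 8 elements but no element of order 8, so a "generator" only exists for some moduli (prime p among them), which is the reason discrete-log based protocols fix a prime and a generator of Zp* explicitly.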
Zp
• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2
    +  | 0  1        ·  | 0  1        w | −w | w^-1
    0  | 0  1        0  | 0  0        0 |  0 |  –
    1  | 1  0        1  | 0  1        1 |  1 |  1
  (+ is XOR, · is AND)
Polynomial Ring
• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + an−1·x^(n−1) + … + a1·x + a0, where each ai ∈ R and n ≥ 0
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Polynomial Ring Example
• Example: let f(x) = x^3+x+1 and g(x) = x^2+x be elements of Z2[x]
  – f(x) + g(x) = x^3+x^2+1
  – f(x) − g(x) = f(x) + g(x) = x^3+x^2+1
  – f(x)·g(x) = x^5+x^4+x^3+x
Set of Residues Modulo p(x)
• Definition: the set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
  – In Z5[x]: 3x^3+4x+4 ≡ x+4 mod (x^2+1)
    • 3x^3+4x+4 − (x+4) = 3x^3+3x = 3x(x^2+1)
• Definition: if a(x)·b(x) ≡ 1 mod p(x), then b(x) = a^-1(x) mod p(x)
Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) and b(x) | a(x)
Example: Z2[x]/(x^3+x+1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3+x+1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
  – x^4+1 = x·x^3+1 mod p(x) = x(x+1)+1 = x^2+x+1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 37
From Euclidean Algorithm
bull r0 =1r0+ 0r1 = s0r0+t0r1
bull r1 =0r0+ 1r1 = s1r0+t1r1
bull r2 = r0-q1r1 = s2r0+t2r1
bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1
helliphellipbull rn-1 = sn-1r0+tn-1r1
bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1
-1 mod r0
bull Find tn-1
Zhijun Li S1034040Autumn08HIT 38
si and ti
bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1
si=si-2-qi-1si-1
ti=ti-2-qi-1ti-1
bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0
Zhijun Li S1034040Autumn08HIT 39
Step 1 r0 =n and r1 =a
Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n
r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n
let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip
rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1
Step 3 Result is xn-2 =a-1 mod n
Extended Euclidean Algorithm
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Group

• Definition: A group $G = \langle S, \circ \rangle$ is an algebraic structure that satisfies the following conditions:
  – G1: $\forall a, b \in S$: $a \circ b \in S$ (closure rule)
  – G2: $\forall a, b, c \in S$: $(a \circ b) \circ c = a \circ (b \circ c)$ (associativity)
  – G3: $\exists e \in S$ such that $\forall a \in S$: $a \circ e = e \circ a = a$ (identity)
  – G4: $\forall a \in S$ $\exists a^{-1} \in S$: $a \circ a^{-1} = a^{-1} \circ a = e$ (inverse)
  – [G5, Abelian group]: $\forall a, b \in S$: $a \circ b = b \circ a$ (commutativity)
Group Example

• $\langle \mathbb{Z}, + \rangle$: $e = 0$, $a^{-1} = -a$
• $\langle \mathbb{Z}_n, + \rangle$ ($\mathbb{Z}_n = \{0, 1, \dots, n-1\}$, '+' is addition modulo $n$): $e = 0$, $a^{-1} = n - a$
• $\langle \mathbb{Z}_2, \oplus \rangle$ is also a group (addition modulo 2 is XOR)
• $\langle \mathbb{Z}_p^*, \cdot \rangle$ ($\mathbb{Z}_p^* = \{1, \dots, p-1\}$, '$\cdot$' is multiplication modulo $p$): $e = 1$
Group Properties

• Definition: The order of a finite group is the number of elements in the group
• Definition: A group $G_1 = \langle S_1, \circ \rangle$ is a subgroup of the group $G = \langle S, \circ \rangle$ if $S_1 \subseteq S$ (and $S_1$ is itself a group under the same operation $\circ$)
• Lagrange's Theorem: The order of a subgroup $H$ of a finite group $G$ divides the order of $G$
Lagrange's Theorem: Proof

(1) Definition of coset: Let $G$ be a group and $H$ a subgroup of $G$; for $a \in G$ the set $aH = \{a \circ h \mid h \in H\}$ is called a coset of $H$.
(2) $\forall a, b \in G$: either $aH = bH$ or $aH \cap bH = \emptyset$.
(3) Each element $a$ of $G$ is in some coset ($a \in aH$ because $e \in H$). So the cosets form a partition of $G$.
(4) The order of $aH$ equals the order of $H$ ($h \mapsto a \circ h$ is a bijection).
So the order of $H$ divides the order of $G$.
The Order of a Group Element

• Definition: The order of a group element $a$ is the least positive integer $n$ such that
  $a^n = \underbrace{a \circ a \circ \cdots \circ a}_{n\ \text{times}} = e$
• The order of $a$ is denoted $\mathrm{ord}(a)$
• Corollary: Suppose $G$ is a finite group of order $n$ and $a \in G$; then $\mathrm{ord}(a) \mid n$
$\mathrm{ord}(a) \mid n$: Proof

• Proof:
  – For a group $G$ and $a \in G$, the set $\{a, a^2, \dots, a^{\mathrm{ord}(a)}\}$ with the operation of $G$ forms a subgroup of $G$:
    $a^{\mathrm{ord}(a)} = e$, and $(a^i)^{-1} = a^{\mathrm{ord}(a) - i}$
  – This subgroup is denoted $\langle a \rangle$; its order is $\mathrm{ord}(a)$, so by Lagrange's Theorem $\mathrm{ord}(a) \mid n$
The Generator of a Group

• Definition: If all elements of a group can be generated (as powers) by a single element $g$, then $g$ is called a generator of the group
• Example:
  – Consider $\langle \mathbb{Z}_7^*, \cdot \rangle$
  – 2 generates $2^1 = 2$, $2^2 = 4$, $2^3 = 8 \equiv 1 \pmod 7$, $2^4 = 16 \equiv 2 \pmod 7$, …
    • $\langle 2 \rangle = \{1, 2, 4\}$ is only a subgroup
  – 3 generates $3^1 = 3$, $3^2 \equiv 2$, $3^3 \equiv 6$, $3^4 \equiv 4$, $3^5 \equiv 5$, $3^6 \equiv 1 \pmod 7$, …
    • 3 is a generator
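The order, subgroup and generator computations of the last four slides, carried out for a whole group $\mathbb{Z}_p^*$ rather than for two hand-picked elements. This is an added illustration for the chapter, not code from the course; it assumes $p$ is prime (otherwise $\mathbb{Z}_p^*$ is not $\{1, \dots, p-1\}$ and the order loop would not terminate for every element), and the function names are the example's own.

```python
# Element orders, cyclic subgroups <a> and generators of Z_p^* for a prime p.
# The slides' example is p = 7: <2> = {1, 2, 4} is a proper subgroup, 3 is a
# generator, and every order divides |Z_7^*| = 6 (corollary of Lagrange).

def element_order(a, p):
    """ord(a) in Z_p^*: the least n >= 1 with a^n ≡ 1 (mod p). p must be prime."""
    a %= p
    if a == 0:
        raise ValueError("0 is not an element of Z_p^*")
    n, x = 1, a
    while x != 1:
        x = (x * a) % p
        n += 1
    return n

def cyclic_subgroup(a, p):
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list of residues."""
    a %= p
    elems, x = [], a
    while True:
        elems.append(x)
        x = (x * a) % p
        if x == a:                 # we are back at a^1, the cycle is complete
            break
    return sorted(elems)

def generators(p):
    """Elements of Z_p^* of order p - 1, i.e. those that generate the whole group."""
    return [a for a in range(1, p) if element_order(a, p) == p - 1]

def lagrange_check(p):
    """Corollary ord(a) | |G|: every element order must divide p - 1."""
    return all((p - 1) % element_order(a, p) == 0 for a in range(1, p))

if __name__ == "__main__":
    p = 7
    for a in range(1, p):
        print(f"a={a}: ord={element_order(a, p)}, <a>={cyclic_subgroup(a, p)}")
    print("generators of Z_7^*:", generators(p))
    print("all orders divide p-1:", lagrange_check(p))
```

For $p = 7$ the orders are $1, 3, 6, 3, 6, 2$ for $a = 1, \dots, 6$, all divisors of $6$, and the generators are $3$ and $5$; a subgroup $\langle a \rangle$ has exactly $\mathrm{ord}(a)$ elements, which is the fact the proof on the previous slide relies on.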
Ring

• Definition: A ring $R = \langle S, +, \cdot \rangle$ ($+$ is addition, $\cdot$ is multiplication) such that
  – R1: $\forall a, b \in S$: $a + b \in S$ and $a \cdot b \in S$ (closure rule)
  – R2: $\langle S, + \rangle$ is an additive Abelian group
  – R3: $\forall a, b, c \in S$: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
  – R4: $\forall a, b, c \in S$: $a \cdot (b + c) = a \cdot b + a \cdot c$ and $(b + c) \cdot a = b \cdot a + c \cdot a$
• Example:
  – The set of even integers with $+$ and $\cdot$ is a ring
  – $p, q$ two primes, $n = pq$: $\mathbb{Z}_n = \{0, 1, \dots, n-1\}$ with addition and multiplication mod $n$ is a ring
Field

• Definition: A field $F$ is $\langle S, +, \cdot \rangle$ with
  – F1: $\langle S, +, \cdot \rangle$ is a commutative ring ($a \cdot b = b \cdot a$)
  – F2: There is an identity element 1 with respect to multiplication: $a \cdot 1 = 1 \cdot a = a$
  – F3: Any nonzero element $a \in S$ has a unique inverse $a^{-1}$: $a \cdot a^{-1} = a^{-1} \cdot a = 1$
• Example:
  – $\mathbb{Z}_n = \langle \{0, 1, \dots, n-1\}, +, \cdot \rangle$ is a field if and only if $n$ is a prime
Relationship

(Figure: nested structures) Group with $+, -$ $\subset$ Ring with $+, -, \times$ $\subset$ Field with $+, -, \times, \div$. All three are used in cryptography.
Several Important Structures

• $\mathbb{Z}_n$
• $\mathbb{Z}_n^*$
• $\mathbb{Z}_p$
• Polynomial rings
• Galois field $\mathbb{F}_{2^n}$
$\mathbb{Z}_n$

• $\mathbb{Z}_n$ is the "ring" of integers modulo $n$
  – $\mathbb{Z}_n = \{0, 1, 2, \dots, n-1\}$
  – Normal addition modulo $n$
  – Normal multiplication modulo $n$
• Example:
  – $\mathbb{Z}_{26}$ for English letters
  – $\mathbb{Z}_{256}$ for ASCII (bytes)
$\mathbb{Z}_n$ Properties

• Additive and multiplicative identities in $\mathbb{Z}_n$:
  – Additive identity is $0 \bmod n$
  – Multiplicative identity is $1 \bmod n$
• Additive inverse: yes, for every $x$
  – A number $y$ such that $x + y \equiv 0 \pmod n$ (namely $y = n - x$)
• Multiplicative inverse: not for all $x$
  – A number $y$ such that $x \cdot y \equiv 1 \pmod n$
  – The elements of $\mathbb{Z}_n$ that have an inverse are exactly $\{x \mid \gcd(x, n) = 1\}$
$\mathbb{Z}_n^*$

• $\mathbb{Z}_n^*$ is a "group" of integers modulo $n$
  – $\mathbb{Z}_n^* = \{x \in \mathbb{Z}_n \mid \gcd(x, n) = 1\}$
  – $|\mathbb{Z}_n^*| = \varphi(n)$
  – Normal multiplication modulo $n$
• $\mathbb{Z}_n^*$ is in general not a group under $+$
  – Example: $n = 20$: $3, 5 \in \mathbb{Z}_{20}^*$ but $3 + 5 = 8 \notin \mathbb{Z}_{20}^*$
• So $\mathbb{Z}_n^*$ is in general not a field
$\mathbb{Z}_p$

• $\mathbb{Z}_p$ is the "field" of integers modulo a prime $p$
  – $\mathbb{Z}_p = \{0, 1, 2, \dots, p-1\}$
  – Normal addition modulo $p$
  – Normal multiplication modulo $p$
• Example: $\mathbb{Z}_2$

  + | 0 1        · | 0 1        w | -w | w^{-1}
  --+-----       --+-----       --+----+-------
  0 | 0 1        0 | 0 0        0 |  0 |   -
  1 | 1 0        1 | 0 1        1 |  1 |   1

  Addition in $\mathbb{Z}_2$ is XOR; multiplication in $\mathbb{Z}_2$ is AND (0 has no multiplicative inverse)
Polynomial Ring

• Definition: If $R$ is a commutative ring, then a polynomial in $x$ over the ring $R$ is an expression of the form $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$, where each $a_i \in R$ and $n \ge 0$
• Note: If $R$ is a commutative ring, the polynomial ring $R[x]$ is the ring formed by the set of all polynomials in $x$ having coefficients from $R$
Polynomial Ring Example

• Example: Let $f(x) = x^3 + x + 1$ and $g(x) = x^2 + x$ be elements of $\mathbb{Z}_2[x]$
  – $f(x) + g(x) = x^3 + x^2 + 1$
  – $f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1$ (in $\mathbb{Z}_2$, $-1 = 1$)
  – $f(x) \cdot g(x) = x^5 + x^4 + x^3 + x$ (the two $x^2$ terms cancel)
Set of Residues Modulo $p(x)$

• Definition: The set of residues modulo $p(x)$ of $R[x]$ is the set of elements of $R[x]$ reduced mod $p(x)$
  – $p(x)$ is an irreducible polynomial over $R$ (irreducibility is what makes the residue set a field)
• The set of residues modulo $p(x)$ of $R[x]$ is denoted $R[x]/p(x)$
Congruent Polynomials

• Definition: $a(x), b(x)$ are congruent modulo $p(x)$, written $a(x) \equiv b(x) \pmod{p(x)}$, iff $p(x) \mid (a(x) - b(x))$
• Example:
  – In $\mathbb{Z}_5[x]$: $3x^3 + 4x + 4 \equiv x + 4 \pmod{x^2 + 1}$
    • $3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x (x^2 + 1)$
• Definition: If $a(x) \cdot b(x) \equiv 1 \pmod{p(x)}$ then $b(x) = a^{-1}(x) \bmod p(x)$
Irreducible Polynomials

• Definition: If $a(x) = q(x) \cdot b(x)$ then $a(x)$ is divisible by $b(x)$, denoted $b(x) \mid a(x)$
• Definition: A polynomial $a(x)$ is irreducible over a ring $R$ if there is NO polynomial $b(x) \in R[x]$ with $0 < \deg b(x) < \deg a(x)$ such that $b(x) \mid a(x)$
Example: $\mathbb{Z}_2[x]/(x^3 + x + 1)$

• $S = \{0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1\}$, $p(x) = x^3 + x + 1$
• For any $f(x) \in \mathbb{Z}_2[x]$: $f(x) \bmod p(x) \in S$
• Example:
  – $x^4 + 1 = x \cdot x^3 + 1 \equiv x (x + 1) + 1 = x^2 + x + 1 \pmod{p(x)}$, using $x^3 \equiv x + 1 \pmod{p(x)}$
• Note: $R[x]/p(x)$, when $p(x)$ is irreducible, consists of all polynomials $f(x) \in R[x]$ with $\deg f(x) < \deg p(x)$
$\mathbb{Z}_2[x]/(x^3 + x + 1)$: Properties

• $S$ is a group under addition in $R$
  – 0 is $e$, and the inverse of $a \in S$ is $a$ itself
  – Example: $(x^2 + 1) + (x^2 + 1) = 0$
• $S \setminus \{0\}$ is a group under multiplication mod $p(x)$
  – 1 is $e$, and every nonzero $a \in S$ has an inverse
  – Example: $(x^2 + 1) \cdot x = x^3 + x \equiv (x + 1) + x = 1 \pmod{x^3 + x + 1}$
  – Note: the Extended Euclidean Algorithm (run on polynomials) can be used to find inverses
• $\mathbb{Z}_2[x]/(x^3 + x + 1)$ is a field
Galois Field

• Definition: Galois field $= (S, +, \cdot)$
  – $S = F[x]/p(x)$
  – $F$ is the field $\mathbb{Z}_N$ ($N$ prime)
  – $+$ is addition in $F[x]$ (coefficient-wise in $F$); $\cdot$ is multiplication modulo $p(x)$
  – $p(x)$ is irreducible
• The Galois field over $\mathbb{Z}_N[x]/p(x)$ is denoted $GF(N^n)$ when $n = \deg p(x)$
Why Galois Fields?

• For an 8-bit block:
  – $\mathbb{Z}_{256} = \{0, 1, \dots, 255\}$ is not a field
  – $\mathbb{Z}_{251} = \{0, 1, \dots, 250\}$ is a field
    • The largest prime $< 256$ is 251
    • The values 251, …, 255 are wasted
• Is it possible to find a field with exactly 256 elements?
  – Yes: a Galois field
Galois Field for 256 Elements

• Build a mapping from $n$-bit blocks to polynomials
• Example: 8-bit block
  $10010111 \mapsto 1 \cdot x^7 + 0 \cdot x^6 + 0 \cdot x^5 + 1 \cdot x^4 + 0 \cdot x^3 + 1 \cdot x^2 + 1 \cdot x^1 + 1 \cdot x^0 = x^7 + x^4 + x^2 + x + 1$
• The field is $\mathbb{Z}_2[x]/p(x)$ where $\deg p(x) = 8$
• Note: many cryptographic designs use binary Galois fields $GF(2^n)$
Galois Field Example: AES

• AES uses $GF(2^8) = \mathbb{Z}_2[x]/p(x)$ where $p(x) = x^8 + x^4 + x^3 + x + 1$
• Example:
  – $01010011 \mapsto x^6 + x^4 + x + 1$
  – $(01010011)^{-1} \mapsto (x^6 + x^4 + x + 1)^{-1} \bmod p(x) = x^7 + x^6 + x^3 + x \mapsto 11001010$
Galois Field Example: AES

• Example: $02 \cdot 87 = ?$ (hexadecimal bytes)
  • $87 = 10000111 \mapsto f(x) = x^7 + x^2 + x + 1$
  • $02 = 00000010 \mapsto x$
  • $02 \cdot 87 \mapsto x \cdot f(x) = x (x^7 + x^2 + x + 1) \bmod p(x) = x^8 + x^3 + x^2 + x \bmod p(x)$
    $= (x^4 + x^3 + x + 1) + x^3 + x^2 + x = x^4 + x^2 + 1 \mapsto 00010101 = 15$, using $x^8 \equiv x^4 + x^3 + x + 1 \pmod{p(x)}$
• In general, for a byte $b_7 b_6 \dots b_0$, multiplying by $02$ (i.e. by $x$) is a left shift followed by a conditional reduction:
  $x \cdot f(x) = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)$ if $b_7 = 0$
  $x \cdot f(x) = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus (00011011)$ if $b_7 = 1$
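The $GF(2^n)$ arithmetic of the last six slides in one place: carry-less polynomial multiplication, long division, reduction modulo $p(x)$, inverses by the Extended Euclidean Algorithm on polynomials (the method the properties slide points to), and the AES shift-and-reduce rule for multiplication by $02$. This is an added illustration for the chapter, not code from the course or from any AES implementation; polynomials are stored as Python ints with bit $i$ holding the coefficient of $x^i$, and it goes beyond the slides in that the same functions serve both the $GF(2^3)$ example and AES's $GF(2^8)$.

```python
# Arithmetic in GF(2^n) = Z_2[x]/(p(x)) with polynomials as ints (bit i = coeff of x^i).

AES_POLY = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1, the AES polynomial (0x11B)
GF8_POLY = 0b1011          # x^3 + x + 1, the slides' GF(2^3) example

def poly_degree(p):
    return p.bit_length() - 1          # the zero polynomial gets degree -1 here

def poly_mul(a, b):
    """Carry-less product of two polynomials over Z_2 (no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a, b):
    """Long division of a by b in Z_2[x]; returns (quotient, remainder)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a and poly_degree(a) >= poly_degree(b):
        shift = poly_degree(a) - poly_degree(b)
        q ^= 1 << shift
        a ^= b << shift                # subtract (= add, in Z_2) b * x^shift
    return q, a

def gf_mul(a, b, mod_poly):
    """a * b mod p(x): multiply, then reduce by the field polynomial."""
    return poly_divmod(poly_mul(a, b), mod_poly)[1]

def gf_inv(a, mod_poly):
    """a^{-1} mod p(x) by the Extended Euclidean Algorithm on polynomials.

    Only the t_i coefficients are kept (t_i * a ≡ r_i mod p), as on the slides.
    """
    a = poly_divmod(a, mod_poly)[1]
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1 = mod_poly, a
    t0, t1 = 0, 1
    while r1 != 1:
        q, r2 = poly_divmod(r0, r1)
        if r2 == 0:                    # gcd(a, p) != 1: p(x) was not irreducible
            raise ValueError("no inverse: p(x) is reducible")
        r0, r1 = r1, r2
        t0, t1 = t1, t0 ^ poly_mul(q, t1)
    return t1

def xtime(byte):
    """AES multiplication by 02 (= x): shift left, reduce if bit 7 was set."""
    byte <<= 1
    if byte & 0x100:
        byte ^= AES_POLY               # equivalent to XORing the low byte with 0x1B
    return byte & 0xFF

def aes_inverse_table():
    """Multiplicative inverses of all 256 bytes (0 is mapped to 0, as in the AES S-box)."""
    return [0] + [gf_inv(a, AES_POLY) for a in range(1, 256)]

if __name__ == "__main__":
    print(f"(x^2+1)^-1 in GF(2^3) = {gf_inv(0b101, GF8_POLY):03b}")   # x
    print(f"02 * 87 = {xtime(0x87):02x}")                               # 15
    print(f"53^-1 = {gf_inv(0x53, AES_POLY):02x}")                      # ca
```

`gf_inv(0b101, GF8_POLY)` returns `0b010`, i.e. $x$, matching $(x^2 + 1) \cdot x \equiv 1$ on the properties slide; `gf_inv(0x53, AES_POLY)` returns `0xCA`, matching the AES slide. The check that every nonzero byte has an inverse is exactly the field property F3, and it fails (raising `ValueError`) if a reducible polynomial is passed in place of $p(x)$.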
Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers

• Message space: $P = M^L = \{m = (m_1, m_2, \dots, m_L) \mid m_i \in M\}$
  – $M = \{a_i \mid i = 1, 2, \dots, N\}$, $p(a_i) \ge 0$, $\sum_{i=1}^{N} p(a_i) = 1$
• Key space: $K = B^R = \{b = (b_1, b_2, \dots, b_R) \mid b_i \in B\}$
  – $B = \{b_i \mid i = 1, 2, \dots, S\}$, $p(b_i) \ge 0$, $\sum_{i=1}^{S} p(b_i) = 1$
• Ciphertext space: $C = \{c \mid c = e_k(m),\ k \in K,\ m \in P\}$

(Figure) Sender → Encryption of $m$ under key $k$ → $c$ → Decryption under $k$ → Receiver; the key $k$ is delivered over a secure channel; a cryptanalyst observes $c$ and tries to recover $m$. Labels: Key Space ($K$), Message Space ($P$), Ciphertext Space ($C$).
Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
R. G. Gallager

Claude Shannon, 1916–2001
Probability Distribution of $C$

• $\Pr[C = c] = \sum_{k \in K,\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]$
  – $C(k) = \{e_k(m) \mid m \in P\}$ (the ciphertexts reachable under key $k$)
• $\Pr[C = c \mid P = m] = \sum_{k \in K,\ m = d_k(c)} \Pr[K = k]$
• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \cdot \Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr[m] \cdot \sum_{k \in K,\ m = d_k(c)} \Pr[k]}{\sum_{k \in K,\ c \in C(k)} \Pr[k] \cdot \Pr[d_k(c)]}$
Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of $P$,
  $\forall c \in C,\ \forall m \in P$: $\Pr[P = m] = \Pr[P = m \mid C = c]$
  • Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem

• Suppose $(P, C, K, E, D)$ is a cryptosystem where $|K| = |P| = |C|$
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability $1/|K|$,
  – and for every $x \in P$ and $y \in C$ there is a unique key $k$ such that $e_k(x) = y$
Proof of $\Leftarrow$

• $\Pr[x \mid y] = \dfrac{\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] \cdot \Pr[x]}{\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \cdot \Pr[d_k(y)]}$
• Numerator: $\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] = 1/|K|$, because exactly one key maps $x$ to $y$
• Denominator: $\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \cdot \Pr[d_k(y)] = \dfrac{1}{|K|} \sum_{k \in K,\ y \in C(k)} \Pr[d_k(y)] = \dfrac{1}{|K|} \sum_{x \in P} \Pr[x] = \dfrac{1}{|K|}$, because as $k$ runs over $K$, $d_k(y)$ runs over every $x \in P$ exactly once
• Hence $\Pr[x \mid y] = \Pr[x]$
Proof of $\Rightarrow$ (uniqueness of the key)

• Assume $\Pr[y] > 0$ for every $y \in C$ (ciphertexts that never occur can be dropped from $C$)
• Perfect secrecy: $\Pr[x \mid y] = \Pr[x]$, so by Bayes' rule $\Pr[y \mid x] = \Pr[y]$
• Fix $x \in P$; for every $y \in C$ we have $\Pr[y \mid x] = \Pr[y] > 0$, thus there exists at least one $k$ with $e_k(x) = y$
• So $|\{e_k(x) \mid k \in K\}| = |C| = |K|$
  – There are no $k_1 \ne k_2$ with $e_{k_1}(x) = e_{k_2}(x)$
  – There is a unique key $k$ such that $e_k(x) = y$
Proof of $\Rightarrow$ (uniform key distribution)

• Let $n = |K|$ and $P = \{x_i \mid 1 \le i \le n\}$
• Fix $y \in C$; let $k_1, k_2, \dots, k_n$ be the keys with $e_{k_i}(x_i) = y$ (they are distinct, since one key decrypts $y$ to one message, and so exhaust $K$)
• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i] \cdot \Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i] \cdot \Pr[x_i]}{\Pr[y]}$
• Perfect secrecy gives $\Pr[x_i \mid y] = \Pr[x_i]$, hence $\Pr[K = k_i] = \Pr[y]$ for every $i$
  – So every key is used with the same probability, which must be $1/|K|$
"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space $P$ have size $n$; any cipher with perfect secrecy has $|K| \ge n$
• Proof:
  – Consider a probability distribution on $P$ that is nonzero everywhere
  – Given any $C = c$, for every $m$:
    $\Pr[P = m \mid C = c] = \Pr[P = m] > 0$, thus there must exist a key that decrypts $c$ into $m$
  – As one key decrypts $c$ into exactly one message, at least $n$ keys are needed
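Shannon's definition and the two conditions of the theorem, checked mechanically: the code computes $\Pr[P = m \mid C = c]$ from the key and message distributions exactly as on the "Probability Distribution of $C$" slide and compares it with $\Pr[P = m]$. This is an added illustration for the chapter, not code from the course; the three-bit one-time pad, the biased key distribution and the "one key bit stretched over three message bits" scheme (which has $|K| = 2 < |P| = 8$, the situation of the "bad news" theorem) are constructed for the example.

```python
# Exact check of perfect secrecy: Pr[P=m | C=c] == Pr[P=m] for all m, c.
from fractions import Fraction

def posterior_table(encrypt, key_dist, msg_dist):
    """Return ({(m, c): Pr[P=m | C=c]}, {c: Pr[C=c]}) in exact arithmetic.

    encrypt(k, m) -> c; key_dist / msg_dist map values to probabilities.
    Pr[C=c] = sum over (k, m) with e_k(m) = c of Pr[K=k] * Pr[P=m].
    """
    joint = {}
    for m, pm in msg_dist.items():
        for k, pk in key_dist.items():
            c = encrypt(k, m)
            joint[(m, c)] = joint.get((m, c), Fraction(0)) + pm * pk
    pc = {}
    for (m, c), p in joint.items():
        pc[c] = pc.get(c, Fraction(0)) + p
    post = {(m, c): p / pc[c] for (m, c), p in joint.items()}
    return post, pc

def is_perfectly_secret(encrypt, key_dist, msg_dist):
    """Shannon's definition: every ciphertext leaves the prior on P unchanged."""
    post, pc = posterior_table(encrypt, key_dist, msg_dist)
    return all(post.get((m, c), Fraction(0)) == pm
               for c in pc for m, pm in msg_dist.items())

def unique_key_property(encrypt, keys, msgs):
    """Theorem condition 2: for each (x, y) exactly one key k has e_k(x) = y."""
    cts = {encrypt(k, m) for k in keys for m in msgs}
    return all(sum(1 for k in keys if encrypt(k, x) == y) == 1
               for x in msgs for y in cts)

# Constructed sample data: 3-bit messages with a skewed distribution.
MSGS = range(8)
MSG_DIST = {0b000: Fraction(3, 10), 0b001: Fraction(1, 5), 0b010: Fraction(1, 10),
            0b011: Fraction(1, 10), 0b100: Fraction(1, 10), 0b101: Fraction(1, 10),
            0b110: Fraction(1, 20), 0b111: Fraction(1, 20)}
UNIFORM_KEYS = {k: Fraction(1, 8) for k in range(8)}
BIASED_KEYS = {0: Fraction(2, 9), **{k: Fraction(1, 9) for k in range(1, 8)}}
TWO_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 2)}

def otp(k, m):
    """One-time pad on 3 bits: |K| = |P| = |C| = 8."""
    return k ^ m

def stretched_pad(k, m):
    """One key bit XORed onto all three message bits: |K| = 2 < |P| = 8."""
    return m ^ (0b111 if k else 0)

if __name__ == "__main__":
    print("OTP, uniform keys:   ", is_perfectly_secret(otp, UNIFORM_KEYS, MSG_DIST))
    print("OTP, biased keys:    ", is_perfectly_secret(otp, BIASED_KEYS, MSG_DIST))
    print("stretched 1-bit pad: ", is_perfectly_secret(stretched_pad, TWO_KEYS, MSG_DIST))
```

With uniform keys the one-time pad passes for any message distribution, including this skewed one; the same cipher with a slightly biased key fails (the theorem's first condition), and the stretched pad fails because given $c$ only two plaintexts are possible at all (the second condition, and the $|K| \ge |P|$ bound). The fractions make the comparison exact, so a scheme is never declared perfect by floating-point accident.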
Introduction to Complexity

• Perfect secrecy requires key length $\ge$ message length
  – One key can NOT be used to encrypt many messages
  – E.g. a 56-bit key can not give perfect secrecy for a document longer than 56 bits
• So in modern cryptography:
  – NOT perfect secrecy
  – Secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is computationally difficult
  – Complexity is the foundation of modern cryptography
Problems

• Definition: A problem is a general question with associated parameters whose values are not specified
• Example:
  – Name: GCD problem
  – Instance: Two natural numbers $a, b \in \mathbb{N}$
  – Question: What is the greatest common divisor of $a$ and $b$?
  – An instance of the GCD problem: what is $\gcd(24, 16)$?
Turing Machine

• Definition: A Turing Machine has a transition function $\delta : S \times B \to S \times B \times \{l, r\}$
  – where $S$ is the set of states, $B$ the tape alphabet (characters), $l$ is "shift left" and $r$ is "shift right"
(Figure: an infinite tape "… 0 1 1 0 0 0 1 1 …" read and written by a state machine)
Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Problems and Algorithms

(Figure: a PROBLEM has many INSTANCES; an instance is the Input of the ALGORITHM, whose Output is the answer for that instance)
Complexity of an Algorithm

• Definition: The time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size $n$
• Time complexity function (TCF):
  – Logarithmic functions: $f(n) = \log n$
  – Polynomial functions: $f(n) = n^a$, $a \in \mathbb{N}$
  – Exponential functions: $f(n) = a^n$, $a \in \mathbb{N}$ (more generally, there exists $b \in \mathbb{N}$ with $f(n) = O(b^n)$)
Complexity of a Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to establish than that of an algorithm
  – It relies on mathematical analysis (a lower bound over all algorithms, not the cost of one algorithm)
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problems

• Undecidable: provably intractable
  – There is no algorithm that solves it
  – E.g. the Turing Halting Problem
• Decidable:
  – P: can be solved in polynomial time using a DTM (deterministic TM)
  – NP: can be solved in polynomial time using an NDTM (nondeterministic TM), $\delta : S \times B \to 2^{S \times B \times \{l, r\}}$
  – BPP: can be "solved" in polynomial time using a PTM (probabilistic TM), $\delta : S \times B \times \{0, 1\} \to S \times B \times \{l, r\}$, i.e. randomized algorithms
NP Problems

• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark:
  – P $\subseteq$ NP
  – Intuitively, NP problems are "more difficult"
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered the easy problems
Polynomial Reduction

• Definition: Assume $Q_1, Q_2 \in$ NP, and let $I_1^+$ and $I_2^+$ be their sets of 'yes' instances.
  $Q_1$ is polynomially reducible to $Q_2$ if there is a function $f : I_1 \to I_2$ such that
  – $f$ is computable in polynomial time by a DTM
  – for all $x$: $x \in I_1^+$ iff $f(x) \in I_2^+$
• Note:
  – $Q_2$ is at least as hard as $Q_1$
  – Denoted $Q_1 \le_{poly} Q_2$
NP Completeness (NPC)

• Definition: An NPC problem is a $Q_c \in$ NP such that for any $Q \in$ NP we have $Q \le_{poly} Q_c$
• Example:
  – Name: Satisfiability problem (SAT)
  – Instance: A set $U$ of variables and a collection $C$ of clauses over $U$
  – Question: Is there a satisfying truth assignment for $C$?
• How to prove that a problem $Q$ is NPC:
  – Show $Q \in$ NP and SAT $\le_{poly} Q$
P = NP?

• P $=$ NP, or $\exists p \in$ NP with $p \notin$ P?
• If P $=$ NP:
  – Modern cryptography is NOT secure
• If $\exists p \in$ NP, $p \notin$ P:
  – The hope is that a one-way function can be built based on such a $p$
  – Then indistinguishable pseudorandom functions exist
  – These are the foundations of modern cryptography
  – Caveat: P $\ne$ NP is necessary, but not known to be sufficient, for one-way functions to exist (NP-hardness is a worst-case notion, while a one-way function must be hard on average over random inputs)
BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP:
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP (the adversary is a randomized polynomial-time algorithm)
  – Will be analyzed in depth later
Problems in Cryptography

• FACTORING: factorize $n$ ($= p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$)
• DLP: given a generator $g$ and $g^x \bmod p$, find $x$
• DHP: find $g^{ab} \bmod p$ from $g^a \bmod p$ and $g^b \bmod p$
• Subset-Sum: given a set of positive integers $A = \{a_1, a_2, \dots, a_n\}$ and a positive integer $s$, determine whether there is a subset of $A$ whose sum is $s$
• QRP: decide whether $a$ is a quadratic residue modulo $n$
• SQROOT: find $x$ satisfying $x^2 \equiv a \pmod n$
Semantic Security

• Ideas of semantic security:
  – Between Shannon security and security based on complexity
  – Partial information (such as the message length) may leak
  – Approximates perfect secrecy
• Definition of semantic security:
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish a ciphertext from random bits
IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is $(t, \varepsilon)$ IND-CPA secure if no $t$-time adversary wins the following game with probability $\ge 0.5 + \varepsilon$
• The game (Challenger vs. Adversary):
  1. Challenger picks a random key $k$ and a random bit $b \in \{0, 1\}$
  2. Adversary picks $M_0, M_1$ of equal length (it may also ask the challenger for encryptions of plaintexts of its choice, before and after the challenge: this is the "chosen-plaintext" part)
  3. Challenger returns the challenge ciphertext $C = E_k(M_b)$
  4. Adversary outputs a guess $b'$
• The attacker wins the game if $b = b'$
Bit Security

• A cipher is $(t, \varepsilon)$ bit secure if no $t$-time adversary wins the following game with probability $\ge 0.5 + \varepsilon$
• The game (Challenger vs. Adversary):
  1. Challenger picks a random key $k$
  2. Challenger picks a random message $M$ and sends $C = E_k(M)$
  3. Adversary picks an index $i$ and outputs a bit $a$
• The attacker wins the game if $a$ equals the $i$'th bit of $M$
Semantic Security

• Any cipher that is $(t, \varepsilon)$ IND-CPA secure against eavesdroppers is also $(t, \varepsilon)$ bit secure
• Proof idea: given a $(t, \varepsilon)$ attacker against bit security, build a $(t, \varepsilon)$ attacker against IND-CPA security
  – The IND-CPA attacker submits two random equal-length messages $M_0, M_1$, runs the bit attacker on the challenge ciphertext to obtain $(i, a)$, and answers with the $b'$ for which the $i$'th bit of $M_{b'}$ equals $a$ (guessing at random when $M_0$ and $M_1$ agree in bit $i$); any advantage of the bit attacker becomes an advantage in the IND-CPA game
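The IND-CPA game of the previous slides, played out in code against two toy ciphers. This is an added illustration for the chapter, not code from the course: the challenger, the chosen-plaintext oracle and the adversary follow the four steps of the game, and the ciphers (a hash-derived keystream with a fixed nonce versus a fresh random nonce per message) are constructed for the example only and are not a recommended design. Names such as `ReplayAdversary` and `win_rate` are the example's own.

```python
# IND-CPA game: a deterministic cipher loses to an adversary that simply asks the
# oracle for E_k(M0) before the challenge; a randomized one does not.
import hashlib
import random

def keystream(key, nonce, length):
    """Hash-based keystream standing in for a real stream cipher / PRF."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class FixedNonceCipher:
    """E_k(m) = m XOR keystream(k, 0): the same (k, m) always yields the same c."""
    def __init__(self, key):
        self.key = key
    def encrypt(self, msg, rng):
        return xor_bytes(msg, keystream(self.key, b"\x00" * 16, len(msg)))

class RandomNonceCipher:
    """E_k(m) = nonce || (m XOR keystream(k, nonce)) with a fresh 128-bit nonce."""
    def __init__(self, key):
        self.key = key
    def encrypt(self, msg, rng):
        nonce = rng.getrandbits(128).to_bytes(16, "big")
        return nonce + xor_bytes(msg, keystream(self.key, nonce, len(msg)))

class ReplayAdversary:
    """Step 2: chooses M0, M1 and queries the oracle on M0; step 4: compares."""
    M0 = b"attack at dawn!!"      # equal-length chosen plaintexts (16 bytes each)
    M1 = b"attack at dusk!!"
    def choose(self, oracle):
        self.c0 = oracle(self.M0)  # chosen-plaintext query before the challenge
        return self.M0, self.M1
    def guess(self, challenge):
        return 0 if challenge == self.c0 else 1

def ind_cpa_game(cipher_cls, adversary, rng):
    """One round of the game; returns True iff the adversary's b' equals b."""
    key = rng.getrandbits(128).to_bytes(16, "big")      # step 1: random key
    cipher = cipher_cls(key)
    oracle = lambda m: cipher.encrypt(m, rng)           # chosen-plaintext oracle
    m0, m1 = adversary.choose(oracle)                   # step 2
    if len(m0) != len(m1):
        raise ValueError("challenge messages must have equal length")
    b = rng.getrandbits(1)                              # step 1: random bit
    challenge = oracle((m0, m1)[b])                     # step 3: C = E_k(M_b)
    return adversary.guess(challenge) == b              # step 4

def win_rate(cipher_cls, trials=1000, seed=1):
    """Fraction of rounds won by ReplayAdversary; 0.5 means no advantage."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_game(cipher_cls, ReplayAdversary(), rng) for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    print("fixed nonce  :", win_rate(FixedNonceCipher))
    print("random nonce :", win_rate(RandomNonceCipher))
```

Against `FixedNonceCipher` the adversary wins every round, so the cipher is not $(t, \varepsilon)$ IND-CPA secure for any $\varepsilon < 0.5$, even though recovering the key is no easier than before; this is the sense in which the definition is stronger than "key recovery is hard" on the complexity slide. Against `RandomNonceCipher` the same strategy is right only when $b = 1$, i.e. about half the time.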
Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – $\mathbb{Z}_n$, $\mathbb{Z}_p$, $GF(2^n)$
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework

• HTTP URL:
  httpcsthiteducncryptography
• Due Date:
Zhijun Li S1034040Autumn08HIT 38
si and ti
bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1
si=si-2-qi-1si-1
ti=ti-2-qi-1ti-1
bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0
Zhijun Li S1034040Autumn08HIT 39
Step 1 r0 =n and r1 =a
Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n
r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n
let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip
rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1
Step 3 Result is xn-2 =a-1 mod n
Extended Euclidean Algorithm
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
bull Definition The order of a finite group is the number of the elements in the group
bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S
bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H
(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a
ll coset is a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of Group Element
bull Definition The order of group element a is defined as the least positive integer n that
an = a a hellip a =e
bull The order of a is denoted as ord(a)
bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n
Zhijun Li S1034040Autumn08HIT 47
ord(a)|n Proof
bull Proofndash For group G and aG the set a a2 hellip aord
(a) and the operator of G forms a subgroup of G
aord(a)=e (ai)-1=a(ord(a)-i)
ndash This subgroup is denoted as ltagt
Zhijun Li S1034040Autumn08HIT 48
The Generator of Group
bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group
bull Examplendash Considering the ltZ7
gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod
7hellipbull lt124gt subgroup
ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator
Zhijun Li S1034040Autumn08HIT 49
Ringbull Definition A ring R=ltS+gt (+ is addition is
multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac
bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio
n and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic
ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers
e a-1 a = a-1 a = 1
bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
Field +-x
Relationship
Ring +-x
+-Group
Used In Cryptography
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
bull Zn
bull Zn
bull Zp
bull Polynomial Rings
bull Galois Field F2n
Zhijun Li S1034040Autumn08HIT 53
Zn
bull Zn is the ldquoringrdquo of integers modulo n
ndash Zn=0 1 2 hellipn-1
ndash Normal addition modulo nndash Normal multiplication modulo n
bull Example
ndash Z26 for English
ndash Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
bull Additive and multiplicative identities in Zn
ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n
bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn
bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn
ndash The elements in Zn have inverse x|gcd(xn)=1
Zhijun Li S1034040Autumn08HIT 55
Zn
bull Zn is a ldquogrouprdquo of integers modulo n
ndash Zn=x| gcd(xn)=1
ndash |Zn|=(n)
ndash Normal multiplication modulo n
bull Zn may not a group over +
ndash Example n=20 35 Zn but 3+5=8 Zn
bull So Zn may not a field
Zhijun Li S1034040Autumn08HIT 56
Zp
bull Zp is the ldquofieldrdquo of integers modulo n
ndash Zp=012hellipp-1
ndash Normal addition modulo pndash Normal multiplication modulo p
bull ExampleZ2+ 0 1
01
0 11 0
0 1
01
0 00 1
w -w w-1
01
01 1
XOR AND
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0
bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
• Definition: The time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF):
– Logarithmic functions: f(n) = log(n)
– Polynomial functions: f(n) = n^a, a ∈ N
– Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
– The complexity of a problem is much more difficult to determine
– It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems by the difficulty of solving them
Classes of Problem
• Undecidable: provably intractable
– There is no algorithm that solves it
– Such as the Turing Halting Problem
• Decidable:
– P: can be solved in polynomial time using a DTM (deterministic TM, δ: S × B → S × B × {l, r})
  • Example: AB
– NP: can be solved in polynomial time using an NDTM (non-deterministic TM, δ: S × B → 2^(S × B × {l, r}))
– BPP: can be "solved" in polynomial time using a PTM (probabilistic TM, δ: S × B × {0, 1} → S × B × {l, r}) (randomized algorithms)
NP Problem
• NP ⊇ P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark:
– P problems ⊆ NP problems
– NP problems are "more difficult", by intuition
• NPC: the most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy problems
Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP with instance sets I1, I2, and let I1+ and I2+ be their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
– f is computable in polynomial time by a DTM
– for all x ∈ I1: x ∈ I1+ iff f(x) ∈ I2+
• Note:
– Q2 is more complex than Q1
– Denoted as Q1 ≤poly Q2
NP Completeness (NPC)
• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example:
– Name: Satisfiability problem (SAT)
– Instance: A set U of variables and a collection C of clauses over U
– Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC:
– SAT ≤poly Q
P = NP?
• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP:
– Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P:
– A one-way function can be built based on p
– Indistinguishable pseudorandom functions exist
– They are the foundations of modern cryptography
BPP
• There are random algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for random algorithms
• Remarks on BPP:
– The problem can be solved with some error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful under BPP
– Will be analyzed in depth later
Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 · p2^e2 ⋯ pk^ek)
• DLP: Given a generator g of Zp* and h, find x satisfying g^x ≡ h (mod p)
• DHP: Find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)
Semantic Security
• Ideas of semantic security:
– Between Shannon security and security based on complexity
– May leak partial information
– Approximates perfect secrecy
• Definition of semantic security:
– Indistinguishability of ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish a ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• Game:
– Challenger: picks a random key k and a random bit b ∈ {0, 1}
– Adversary: picks M0, M1 of equal length (and may query encryptions of chosen plaintexts)
– Challenger: sends C = E_k(M_b)
– Adversary: outputs a guess b'
– Attacker wins the game if b = b'
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• Game:
– Challenger: 1. picks a random key k; 2. picks a random message M; sends C = E_k(M)
– Adversary: 3. picks i and outputs a guess a
– Attacker wins the game if a = the i'th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
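The two games above and the reduction of the proof sketch, written out as a test harness. This is an added example, not part of the lecture: the two ciphers, the attacker and all names are constructed for illustration only; the "leaky" cipher is deliberately broken so that the games have something to show.

```python
# Added example, not part of the lecture: the IND-CPA and bit-security games as
# test harnesses, plus the reduction of the proof: a bit-security attacker is
# turned into an IND-CPA adversary by choosing M0, M1 that differ only in the
# attacked bit. Ciphers, attackers and names are constructed for illustration;
# the "leaky" cipher is deliberately broken to make the games visible.
import secrets

MSG_LEN = 4   # bytes

def bit_of(msg, i):
    """i-th bit of a byte string (bit 0 = least significant bit of byte 0)."""
    return (msg[i // 8] >> (i % 8)) & 1

def set_bit(msg, i, value):
    b = bytearray(msg)
    b[i // 8] = (b[i // 8] & ~(1 << (i % 8)) & 0xFF) | (value << (i % 8))
    return bytes(b)

# --- two constructed one-key-per-game stream ciphers -------------------------
def keygen():
    return secrets.token_bytes(MSG_LEN)

def otp_encrypt(k, m):
    """Fresh key per game and XOR: the challenge ciphertext hides every bit of M."""
    return bytes(x ^ y for x, y in zip(k, m))

def leaky_encrypt(k, m):
    """Same, but bit 0 of keystream byte 0 is forced to 0, so the low bit of
    M[0] appears in the clear (a constructed flaw, not any real cipher)."""
    return bytes(x ^ y for x, y in zip(bytes([k[0] & 0xFE]) + k[1:], m))

# --- the games ---------------------------------------------------------------
def ind_cpa_game(encrypt, adversary, trials):
    """IND-CPA: challenger picks k and b; adversary picks M0, M1 (equal length),
    receives C = E_k(M_b) and outputs b'. Returns the fraction of wins (b == b')."""
    wins = 0
    for _ in range(trials):
        k, b = keygen(), secrets.randbelow(2)
        m0, m1, guess = adversary(lambda m: encrypt(k, m))   # oracle for CPA queries
        assert len(m0) == len(m1) == MSG_LEN
        wins += guess(encrypt(k, (m0, m1)[b])) == b
    return wins / trials

def bit_game(encrypt, bit_attacker, trials):
    """Bit security: challenger picks k and random M, sends C; adversary picks i
    and outputs a; wins if a == i-th bit of M."""
    wins = 0
    for _ in range(trials):
        k, m = keygen(), secrets.token_bytes(MSG_LEN)
        i, predict = bit_attacker()
        wins += predict(encrypt(k, m)) == bit_of(m, i)
    return wins / trials

# --- attacker and the reduction ----------------------------------------------
def low_bit_attacker():
    """Reads the exposed bit of the leaky cipher: i = 0, a = C[0] & 1."""
    return 0, (lambda c: c[0] & 1)

def reduce_bit_attacker_to_ind_cpa(bit_attacker):
    """Given a bit-security attacker, build an IND-CPA adversary: pick a random
    M0, force bit i of M0 to 0 and of M1 to 1 (equal length), run the bit
    attacker on the challenge and output its prediction as b'. If the bit
    attacker is right with probability 1/2 + eps, so is this adversary."""
    def adversary(_oracle):
        i, predict = bit_attacker()
        m0 = set_bit(secrets.token_bytes(MSG_LEN), i, 0)
        m1 = set_bit(m0, i, 1)
        return m0, m1, predict
    return adversary

if __name__ == "__main__":
    adv = reduce_bit_attacker_to_ind_cpa(low_bit_attacker)
    print("leaky: bit game", bit_game(leaky_encrypt, low_bit_attacker, 1000),
          "IND-CPA via reduction", ind_cpa_game(leaky_encrypt, adv, 1000))
    print("OTP:   bit game", bit_game(otp_encrypt, low_bit_attacker, 1000),
          "IND-CPA via reduction", ind_cpa_game(otp_encrypt, adv, 1000))
```

Against the leaky cipher both win rates are 1, against the fresh-key XOR cipher both hover around 0.5, which is the direction of the slide's implication made visible.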
Summary
• Number Theory
– Primes, gcd, Euler's Theorem, CRT
– Modular arithmetic
• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)
• Shannon Security
– Perfect secrecy
– Probability
• Complexity of Computing
– P, NP, NPC, BPP
Homework
• HTTP URL: httpcsthiteducncryptography
• Due Date:
Extended Euclidean Algorithm
• Step 1: r_0 = n and r_1 = a
• Step 2:
– r_0 = q_1·r_1 + r_2, so r_2 = r_0 - q_1·r_1 ≡ -q_1·r_1 (mod n); let x_2 = -q_1, then r_2 ≡ x_2·r_1 (mod n)
– r_1 = q_2·r_2 + r_3, so r_3 = r_1 - q_2·r_2 ≡ (1 - x_2·q_2)·r_1 (mod n); let x_3 = 1 - x_2·q_2, then r_3 ≡ x_3·r_1 (mod n)
– ……
– r_{n-3} = q_{n-2}·r_{n-2} + r_{n-1}, so r_{n-1} = r_{n-3} - q_{n-2}·r_{n-2} (mod n); let x_{n-1} = x_{n-3} - x_{n-2}·q_{n-2}, then r_{n-1} ≡ x_{n-1}·r_1 (mod n). Now r_{n-1} = 1
• Step 3: Result is x_{n-1} = a^-1 mod n
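The recurrence above carried out in Python, tracking x_i with r_i ≡ x_i·a (mod n) exactly as the slide does, and then used to list which residues of Z_n have an inverse at all (the unit group Z_n* met later in the deck). This is an added example, not part of the lecture; the function names are my own.

```python
# Added example, not part of the lecture: the slide's Extended Euclidean recurrence
# r_0 = n, r_1 = a, r_{i+1} = r_{i-1} - q_i * r_i, with r_i = x_i * a (mod n),
# carried through to a^-1 mod n. Function names are mine.

def extended_euclid_trace(a, n):
    """Return the list of (r_i, q_i, x_i) rows exactly as the slide builds them.

    Row 0 is (n, None, 0): r_0 = n = 0*a (mod n).
    Row 1 is (a, None, 1): r_1 = a = 1*a (mod n).
    Each following row uses x_{i+1} = x_{i-1} - q_i * x_i, so the slide's
    x_2 = -q_1 and x_3 = 1 - x_2*q_2 fall out automatically.
    """
    if n <= 1:
        raise ValueError("modulus must be > 1")
    rows = [(n, None, 0), (a % n, None, 1)]
    while rows[-1][0] != 0:
        r_prev, _, x_prev = rows[-2]
        r_cur, _, x_cur = rows[-1]
        q = r_prev // r_cur                      # q_i
        rows.append((r_prev - q * r_cur, q, x_prev - q * x_cur))
    return rows

def mod_inverse(a, n):
    """a^-1 mod n, or None if gcd(a, n) != 1 (then no inverse exists in Z_n)."""
    rows = extended_euclid_trace(a, n)
    gcd, _, x = rows[-2]          # last non-zero remainder r_{n-1} and its x_{n-1}
    if gcd != 1:
        return None
    return x % n                  # r_{n-1} = 1 = x_{n-1} * a (mod n)

def units(n):
    """Z_n^* = {x in Z_n | gcd(x, n) = 1}: exactly the residues that have an inverse."""
    return [x for x in range(1, n) if mod_inverse(x, n) is not None]

if __name__ == "__main__":
    for r, q, x in extended_euclid_trace(17, 3120):
        print(f"r={r:5d}  q={q}  x={x}")
    print("17^-1 mod 3120 =", mod_inverse(17, 3120))
    print("Z_20^* =", units(20), "so phi(20) =", len(units(20)))
```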
Outline
• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security
Algebraic Structures
• Why structures?
– Cryptographic transforms normally operate within some algebraic structure
• Definition: An algebraic structure is a collection of a set S together with one (or more) operations ∘ performed on the elements of S
– Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions
Group
• Definition: A group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions:
– G1: ∀a, b ∈ S: a∘b ∈ S (closure rule)
– G2: ∀a, b, c ∈ S: (a∘b)∘c = a∘(b∘c) (associativity)
– G3: ∃e ∈ S, ∀a ∈ S: a∘e = e∘a = a (identity)
– G4: ∀a ∈ S, ∃a^-1 ∈ S: a∘a^-1 = a^-1∘a = e (inverse)
– [G5, Abelian group]: ∀a, b ∈ S: a∘b = b∘a
Group Example
• ⟨Z, +⟩: e = 0, a^-1 = -a
• ⟨Zn, +⟩ (Zn = {0, 1, …, n-1}, '+' is addition modulo n): e = 0, a^-1 = n - a
• ⟨Z2, ⊕⟩ is also a group
• ⟨Zp*, ·⟩ (Zp* = {1, …, p-1}, '·' is multiplication modulo p)
Group Properties
• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G
Lagrange's Theorem: Proof
(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G the set aH = {a∘h | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH, since e ∈ H), so the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G
The Order of a Group Element
• Definition: The order of a group element a is the least positive integer n such that a^n = a∘a∘…∘a (n times) = e
• The order of a is denoted as ord(a)
• Corollary: Suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n
ord(a) | n: Proof
• Proof:
– For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G:
  a^ord(a) = e, (a^i)^-1 = a^(ord(a) - i)
– This subgroup is denoted as ⟨a⟩; by Lagrange's Theorem its order ord(a) divides n
The Generator of a Group
• Definition: If all elements of a group can be generated by a single element g, g is called a generator of the group
• Example: consider ⟨Z7*, ·⟩
– 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), …
  • ⟨2⟩ = {1, 2, 4} is a subgroup
– 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
  • 3 is a generator
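The Z7* example computed rather than listed: the order of an element, the cyclic subgroup ⟨a⟩ from the ord(a) | n proof, the generators, and a check of the Lagrange corollary for every element. This is an added example, not part of the lecture; the function names are my own and p is assumed prime.

```python
# Added example, not part of the lecture: the order of an element, the cyclic
# subgroup <a> and the generators of <Z_p^*, ·>, checked against Lagrange's
# theorem (ord(a) | p - 1). Function names are mine; p must be prime.

def mul_order(a, p):
    """ord(a) in Z_p^*: the least n >= 1 with a^n = 1 (mod p)."""
    a %= p
    if a == 0:
        raise ValueError("0 is not in Z_p^*")
    x, n = a, 1
    while x != 1:
        x = (x * a) % p
        n += 1
    return n

def power_table(a, p):
    """The slide's listing a^1, a^2, ... up to the first power that is 1 (mod p)."""
    return [pow(a, i, p) for i in range(1, mul_order(a, p) + 1)]

def generated_subgroup(a, p):
    """<a> = {a, a^2, ..., a^ord(a)}, the subgroup used in the ord(a) | n proof."""
    return sorted(power_table(a, p))

def generators(p):
    """Elements whose powers run through all of Z_p^*, i.e. ord(g) = p - 1."""
    return [g for g in range(1, p) if mul_order(g, p) == p - 1]

def lagrange_holds(p):
    """Corollary check: every element order divides the group order |Z_p^*| = p - 1."""
    return all((p - 1) % mul_order(a, p) == 0 for a in range(1, p))

if __name__ == "__main__":
    print("2 in Z_7^*:", power_table(2, 7), " <2> =", generated_subgroup(2, 7))
    print("3 in Z_7^*:", power_table(3, 7), " generator:", 3 in generators(7))
    print("generators of Z_7^*:", generators(7), " Lagrange holds:", lagrange_holds(7))
```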
Ring
• Definition: A ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) such that:
– R1: ∀a, b ∈ S: a + b ∈ S and a·b ∈ S (closure rule)
– R2: ⟨S, +⟩ is an additive Abelian group
– R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
– R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c
• Example:
– The set of even integers with + and · is a ring
– p, q two primes, n = pq: Zn = {0, 1, …, n-1} with addition and multiplication mod n is a ring
Field
• Definition: A field F is ⟨S, +, ·⟩ with:
– F1: ⟨S, +, ·⟩ is a commutative ring (a·b = b·a)
– F2: There exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
– F3: Any nonzero element a ∈ S has a unique inverse a^-1: a·a^-1 = a^-1·a = 1
• Example:
– Zn = ⟨{0, 1, …, n-1}, +, ·⟩ is a field if n is a prime
Relationship
(Figure: Group: +, -; Ring: +, -, ×; Field: +, -, ×, ÷; all three are used in cryptography)
Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F_(2^n) = GF(2^n)
Zn
• Zn is the "ring" of integers modulo n
– Zn = {0, 1, 2, …, n-1}
– Normal addition modulo n
– Normal multiplication modulo n
• Example:
– Z26 for English
– Z256 for ASCII
Zn Properties
• Additive and multiplicative identities in Zn:
– Additive identity is 0 mod n
– Multiplicative identity is 1 mod n
• Additive inverse: yes, for every x
– A number y such that x + y = 0, for each x in Zn
• Multiplicative inverse: not for all x
– A number y such that x·y = 1
– The elements of Zn that have an inverse: {x | gcd(x, n) = 1}
Zn*
• Zn* is a "group" of integers modulo n
– Zn* = {x | gcd(x, n) = 1}
– |Zn*| = φ(n)
– Normal multiplication modulo n
• Zn* may not be a group over +
– Example: n = 20: 3, 7 ∈ Z20* but 3 + 7 = 10 ∉ Z20*
• So Zn* may not be a field
Zp
• Zp is the "field" of integers modulo p
– Zp = {0, 1, 2, …, p-1}
– Normal addition modulo p
– Normal multiplication modulo p
• Example: Z2

  + | 0 1        · | 0 1        w | -w  w^-1
  --+-----       --+-----       --+---------
  0 | 0 1        0 | 0 0        0 |  0   -
  1 | 1 0        1 | 0 1        1 |  1   1

  '+' is XOR, '·' is AND
Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_(n-1) x^(n-1) + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Polynomial Ring Example
• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
– f(x) + g(x) = x^3 + x^2 + 1
– f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1
– f(x)·g(x) = x^5 + x^4 + x^3 + x
Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
– p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) - b(x))
• Example:
– In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod (x^2 + 1)
  • 3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x), then b(x) = a^-1(x) mod p(x)
Irreducible Polynomials
• Definition: If a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted as b(x) | a(x)
• Definition: A polynomial a(x) is irreducible over a ring R if there is NO non-constant polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)
Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S
• Example:
– x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1 (since x^3 ≡ x + 1 mod p(x))
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)
Z2[x]/(x^3 + x + 1): Properties
• S is a group over addition in R
– 0 is e, and the inverse of a ∈ S is a itself
– Example: (x^2 + 1) + (x^2 + 1) = 0
• S (excluding 0) is a group over multiplication mod p(x)
– 1 is e, and the inverse of a ∈ S exists
– Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod (x^3 + x + 1) = 1
– Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3 + x + 1) is a field
Galois Field
• Definition: Galois field = (S, +, ·)
– S = F[x]/p(x)
– F is a field Z_N (N is prime)
– + is addition in F, · is multiplication modulo p(x)
– p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted as GF(N^n), where n = deg p(x)
Why Galois Field?
• For an 8-bit block:
– Z256 = {0, 1, …, 255} is not a field
– Z251 = {0, 1, …, 250} is a field
  • The largest prime < 256 is 251
  • 251, …, 255 are wasted
• Is it possible to find a field for Z256?
– Yes: the Galois Field
Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)
Galois Field Example: AES
• AES uses GF(2^8) = Z2[x]/p(x), where p(x) = x^8 + x^4 + x^3 + x + 1
• Example:
– 01010011 ↔ x^6 + x^4 + x + 1
– (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010
Galois Field Example: AES
• Example: 02 · 87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ x
  • 02 · 87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, multiplication by x (i.e. by 02) of a byte (b7 b6 b5 b4 b3 b2 b1 b0):
  x·f(x) ↔ 02 · (b7 b6 b5 b4 b3 b2 b1 b0) =
– (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
– (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)     if b7 = 1
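Arithmetic in Z2[x] and in Z2[x]/(p(x)) = GF(2^n) implemented over int bitmasks, reproducing the worked examples of the polynomial-ring slides (f·g in Z2[x], x^4 + 1 mod x^3 + x + 1, the inverse of x^2 + 1) and of the AES slides (53^-1 = CA, the 02·87 shift-and-XOR rule). This is an added example, not part of the lecture; the function names are my own, and the inverse uses the Extended Euclidean Algorithm the slides mention.

```python
# Added example, not part of the lecture: arithmetic in Z2[x] and in
# Z2[x]/(p(x)) = GF(2^n) with polynomials stored as int bitmasks (bit i is the
# coefficient of x^i, so 10010111 is 0x97). It reproduces the slides' examples
# in Z2[x]/(x^3+x+1) and in the AES field p(x) = x^8+x^4+x^3+x+1 (0x11B).
# Function names are mine.

AES_POLY = 0x11B            # x^8 + x^4 + x^3 + x + 1
SMALL_POLY = 0b1011         # x^3 + x + 1 from the 3-bit example

def poly_deg(a):
    """Degree of a; -1 for the zero polynomial."""
    return a.bit_length() - 1

def poly_str(a):
    if a == 0:
        return "0"
    terms = []
    for i in range(poly_deg(a), -1, -1):
        if a >> i & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)

def poly_add(a, b):
    """Addition in Z2[x]: coefficients add mod 2, so it is XOR (and equals subtraction)."""
    return a ^ b

def poly_mul(a, b):
    """Multiplication in Z2[x] without reduction (shift-and-XOR)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result

def poly_divmod(a, b):
    """Long division in Z2[x]: returns (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, poly_deg(b)
    while a and poly_deg(a) >= db:
        shift = poly_deg(a) - db
        q |= 1 << shift
        a ^= b << shift
    return q, a

def poly_mod(a, p):
    return poly_divmod(a, p)[1]

def is_irreducible(p):
    """No non-constant divisor of smaller degree. Trial division by all polynomials
    of degree 1..deg(p)//2 suffices, since any factorisation has one such factor."""
    d = poly_deg(p)
    if d < 1:
        return False
    return all(poly_divmod(p, b)[1] != 0 for b in range(2, 1 << (d // 2 + 1)))

def gf_mul(a, b, p):
    """Multiplication in Z2[x]/(p(x))."""
    return poly_mod(poly_mul(a, b), p)

def gf_inv(a, p):
    """a^-1 in Z2[x]/(p(x)) via the Extended Euclidean Algorithm on polynomials
    (the same r/x recurrence as for integers, with XOR in place of subtraction)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r_prev, r_cur = p, poly_mod(a, p)
    x_prev, x_cur = 0, 1
    while r_cur:
        q, rem = poly_divmod(r_prev, r_cur)
        r_prev, r_cur = r_cur, rem
        x_prev, x_cur = x_cur, x_prev ^ poly_mul(q, x_cur)
    if r_prev != 1:
        raise ValueError("no inverse: gcd(a, p) != 1, so p(x) is reducible")
    return poly_mod(x_prev, p)

def xtime(byte):
    """AES multiplication by 02: shift left, and XOR 00011011 if b7 was 1."""
    shifted = (byte << 1) & 0xFF
    return shifted ^ 0x1B if byte & 0x80 else shifted

if __name__ == "__main__":
    f, g = 0b1011, 0b110                       # x^3+x+1 and x^2+x
    print("f*g =", poly_str(poly_mul(f, g)))
    print("x^4+1 mod p =", poly_str(poly_mod(0b10001, SMALL_POLY)))
    print("(x^2+1)^-1 mod p =", poly_str(gf_inv(0b101, SMALL_POLY)))
    print("53^-1 in AES field = %02X" % gf_inv(0x53, AES_POLY))
    print("02*87 = %02X (xtime: %02X)" % (gf_mul(0x02, 0x87, AES_POLY), xtime(0x87)))
```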
Outline
• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security
Mathematical Model for Ciphers
• Message space P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
– M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1
• Key space K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
– B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1
• Ciphertext space C = {c | c = e_k(m), k ∈ K, m ∈ P}
(Figure: Sender → Encryption → c → Decryption → Receiver, recovering m; the key k from the Key Space (K) reaches both ends over a Secure Channel; Cryptanalysis observes c; the Message Space (P) and Ciphertext Space (C) are shown at the two ends)
Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager
Claude Shannon, 1916-2001
Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K : c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
– C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K : m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c] = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k : m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K : c ∈ C(k)} Pr(k) · Pr(d_k(c)) )
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
– How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for every probability distribution of P, ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|,
– and ∀x ∈ P and ∀y ∈ C there is a unique key k such that e_k(x) = y
Proof of ⇐ (the two conditions give perfect secrecy)
• Pr[P = x | C = y] = ( Σ_{k ∈ K : x = d_k(y)} Pr[K = k] · Pr[P = x] ) / ( Σ_{k ∈ K : y ∈ C(k)} Pr[K = k] · Pr[P = d_k(y)] )
• Numerator: Σ_{k ∈ K : x = d_k(y)} Pr[K = k] = 1/|K|, since exactly one key maps x to y and every key has probability 1/|K|
• Denominator: Σ_{k ∈ K : y ∈ C(k)} Pr[K = k] · Pr[P = d_k(y)] = (1/|K|) · Σ_{k ∈ K : y ∈ C(k)} Pr[P = d_k(y)] = (1/|K|) · Σ_{x ∈ P} Pr[P = x] = 1/|K|
• Hence Pr[P = x | C = y] = Pr[P = x]
Proof of ⇒ (perfect secrecy gives the two conditions), part 1
• Assume Pr[y] > 0 for every y ∈ C
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P; for every y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k satisfying e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
– So there are no k1 ≠ k2 with e_k1(x) = e_k2(x)
– There is a unique key k such that e_k(x) = y
Proof of ⇒, part 2
• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with e_ki(x_i) = y
• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = k_i] · Pr[x_i] / Pr[y]
• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y] for every i
– Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof:
– Consider a probability distribution on P with Pr[P = m] > 0 for every m
– Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, so there must exist a key that decrypts c into m
– As one key decrypts c into only one message, at least n keys are needed
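The distributions from the "Probability Distribution of C" slide computed exactly for a small constructed shift cipher over Z_n, so that the perfect-secrecy definition, the uniform-key condition of the theorem and the |K| ≥ |P| bound can each be checked by enumeration. This is an added example, not part of the lecture; the cipher, the sample distributions and the function names are my own.

```python
# Added example, not part of the lecture: the slide's Pr[C=c], Pr[C=c|P=m] and
# Pr[P=m|C=c] computed exactly (fractions) for a constructed shift cipher over
# Z_n, e_k(m) = m + k mod n, to test the perfect-secrecy definition, the
# uniform-key condition of the theorem and the |K| >= |P| bound.
# Function names and sample distributions are mine.
from fractions import Fraction as F

def shift_cipher(n):
    """Toy cipher over Z_n (constructed): returns (e_k, d_k)."""
    return (lambda k, m: (m + k) % n), (lambda k, c: (c - k) % n)

def posterior_table(enc, dec, msg_dist, key_dist):
    """{(m, c): Pr[P=m | C=c]} following the slide's formulas:
       Pr[C=c]     = sum_{k: c in C(k)} Pr[K=k] * Pr[P=d_k(c)]
       Pr[C=c|P=m] = sum_{k: m = d_k(c)} Pr[K=k]
       Pr[P=m|C=c] = Pr[C=c|P=m] * Pr[P=m] / Pr[C=c]
    Messages outside msg_dist have probability 0, so a d_k(c) not in P adds 0."""
    ciphertexts = {enc(k, m) for k in key_dist for m in msg_dist}
    pr_c = {c: sum(pk * msg_dist.get(dec(k, c), F(0)) for k, pk in key_dist.items())
            for c in ciphertexts}
    table = {}
    for m, pm in msg_dist.items():
        for c in ciphertexts:
            if pr_c[c] == 0:
                continue                      # c never occurs; conditioning undefined
            pr_c_given_m = sum(pk for k, pk in key_dist.items() if enc(k, m) == c)
            table[(m, c)] = pr_c_given_m * pm / pr_c[c]
    return table

def is_perfectly_secret(enc, dec, msg_dist, key_dist):
    """Shannon's definition: Pr[P=m | C=c] = Pr[P=m] for every m and every possible c."""
    table = posterior_table(enc, dec, msg_dist, key_dist)
    return all(post == msg_dist[m] for (m, c), post in table.items())

def max_leak(enc, dec, msg_dist, key_dist):
    """Largest |Pr[P=m|C=c] - Pr[P=m]|: 0 exactly when the scheme is perfectly secret."""
    table = posterior_table(enc, dec, msg_dist, key_dist)
    return max(abs(post - msg_dist[m]) for (m, c), post in table.items())

def uniform(elements):
    elements = list(elements)
    return {e: F(1, len(elements)) for e in elements}

# Constructed sample: a skewed plaintext distribution over Z_4.
N = 4
MSGS = {0: F(1, 2), 1: F(1, 4), 2: F(1, 8), 3: F(1, 8)}
ENC, DEC = shift_cipher(N)
FULL_UNIFORM_KEYS = uniform(range(N))                    # |K| = |P|, Pr[k] = 1/|K|
SHORT_KEYS = uniform(range(N - 1))                       # |K| = 3 < |P| = 4
BIASED_KEYS = {0: F(1, 2), 1: F(1, 6), 2: F(1, 6), 3: F(1, 6)}   # |K| = |P|, not uniform

if __name__ == "__main__":
    for name, keys in [("uniform keys", FULL_UNIFORM_KEYS), ("3 keys", SHORT_KEYS),
                       ("biased keys", BIASED_KEYS)]:
        print(f"{name:13s} perfect={is_perfectly_secret(ENC, DEC, MSGS, keys)} "
              f"max leak={max_leak(ENC, DEC, MSGS, keys)}")
```

With three keys the ciphertext c = 0 rules out m = 1 entirely (no key maps 1 to 0), which is the counting argument of the "Bad News" proof seen as a posterior of 0.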
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 40
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 41
bull Why Structuresndash Cryptographic transforms are normally in
some structures
bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying
some specific conditions
Algebraic Structures
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
bull Definition The order of a finite group is the number of the elements in the group
bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S
bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H
(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a
ll coset is a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of Group Element
bull Definition The order of group element a is defined as the least positive integer n that
an = a a hellip a =e
bull The order of a is denoted as ord(a)
bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n
Zhijun Li S1034040Autumn08HIT 47
ord(a)|n Proof
bull Proofndash For group G and aG the set a a2 hellip aord
(a) and the operator of G forms a subgroup of G
aord(a)=e (ai)-1=a(ord(a)-i)
ndash This subgroup is denoted as ltagt
Zhijun Li S1034040Autumn08HIT 48
The Generator of Group
bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group
bull Examplendash Considering the ltZ7
gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod
7hellipbull lt124gt subgroup
ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator
Zhijun Li S1034040Autumn08HIT 49
Ringbull Definition A ring R=ltS+gt (+ is addition is
multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac
bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio
n and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic
ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers
e a-1 a = a-1 a = 1
bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
Field +-x
Relationship
Ring +-x
+-Group
Used In Cryptography
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
bull Zn
bull Zn
bull Zp
bull Polynomial Rings
bull Galois Field F2n
Zhijun Li S1034040Autumn08HIT 53
Zn
bull Zn is the ldquoringrdquo of integers modulo n
ndash Zn=0 1 2 hellipn-1
ndash Normal addition modulo nndash Normal multiplication modulo n
bull Example
ndash Z26 for English
ndash Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
bull Additive and multiplicative identities in Zn
ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n
bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn
bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn
ndash The elements in Zn have inverse x|gcd(xn)=1
Zhijun Li S1034040Autumn08HIT 55
Zn
bull Zn is a ldquogrouprdquo of integers modulo n
ndash Zn=x| gcd(xn)=1
ndash |Zn|=(n)
ndash Normal multiplication modulo n
bull Zn may not a group over +
ndash Example n=20 35 Zn but 3+5=8 Zn
bull So Zn may not a field
Zhijun Li S1034040Autumn08HIT 56
Zp
bull Zp is the ldquofieldrdquo of integers modulo n
ndash Zp=012hellipp-1
ndash Normal addition modulo pndash Normal multiplication modulo p
bull ExampleZ2+ 0 1
01
0 11 0
0 1
01
0 00 1
w -w w-1
01
01 1
XOR AND
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0
bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field

• Definition: A Galois field is (S, +, ·) where
  – S = F[x]/p(x)
  – F is the field Z_N (N prime)
  – + is addition in F[x] (coefficient-wise in F); · is multiplication modulo p(x)
  – p(x) is irreducible over F
• The Galois field Z_N[x]/p(x) is denoted GF(N^n) when n = deg p(x); it has N^n elements.
Why Galois Fields?

• For an 8-bit block:
  – Z256 = {0, 1, …, 255} is not a field (256 is not prime)
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field with exactly 256 elements?
  – Yes: a Galois field
Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials.
• Example: 8-bit block
    10010111  ↔  1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8.
• Note: many cryptographic designs use binary Galois fields GF(2^n).
Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1.
• Example:
  – 01010011 ↔ x^6+x^4+x+1
  – (01010011)^(-1) ↔ (x^6+x^4+x+1)^(-1) mod p(x) = x^7+x^6+x^3+x ↔ 11001010
Galois Field Example: AES

• Example: 02·87 =
  – 87 = 10000111 ↔ f(x) = x^7+x^2+x+1
  – 02 = 00000010 ↔ x
  – 02·87 = x·f(x) = x(x^7+x^2+x+1) mod p(x) = x^8 + x(x^2+x+1) mod p(x)
• Multiplication by 02 (i.e. by x) in general, writing the byte as b7 b6 b5 b4 b3 b2 b1 b0:
  – x·f(x) = 02·(b7 b6 … b0) = (b6 b5 b4 b3 b2 b1 b0 0)                if b7 = 0
  – x·f(x) = 02·(b7 b6 … b0) = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)   if b7 = 1
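The residue arithmetic of the slides above, as an added Python example that is not code from the lecture: residues of Z2[x] modulo p(x), multiplication in GF(2^n), the inverse by the extended Euclidean algorithm on polynomials (the method the slide names), the "multiply by 02" shift-and-XOR rule, and a direct check that Z2[x]/p(x) is a field for the two moduli used on the slides (x^3+x+1 and the AES polynomial) but not for a reducible one. The integer encoding of polynomials and all function names are this example's own choices.

```python
"""GF(2^n) as Z2[x]/p(x): residues, multiplication, inverses and the AES field.

Added example, not the lecture's code. A polynomial over Z2 is stored as an
int whose bit i is the coefficient of x^i, so the 8-bit block 10010111 and
the polynomial x^7+x^4+x^2+x+1 are the same object (0x97). Addition is XOR.
"""

P_SMALL = 0b1011   # x^3 + x + 1, irreducible over Z2: the 8-element example
P_AES = 0x11B      # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def poly_str(a: int) -> str:
    """Render an int-coded Z2 polynomial, e.g. 0x97 -> 'x^7+x^4+x^2+x+1'."""
    if a == 0:
        return "0"
    terms = [{0: "1", 1: "x"}.get(i, f"x^{i}")
             for i in range(a.bit_length() - 1, -1, -1) if (a >> i) & 1]
    return "+".join(terms)


def poly_mul(a: int, b: int) -> int:
    """Product in Z2[x] without reduction (carry-less multiplication)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a: int, b: int) -> tuple:
    """Long division in Z2[x]: return (quotient, remainder) with deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, deg_b = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= deg_b:
        shift = a.bit_length() - 1 - deg_b   # align the leading terms
        q ^= 1 << shift
        a ^= b << shift                      # subtraction is XOR over Z2
    return q, a


def poly_mod(a: int, p: int) -> int:
    """The residue f(x) mod p(x): the element of S = R[x]/p(x) that a maps to."""
    return poly_divmod(a, p)[1]


def gf_mul(a: int, b: int, p: int = P_AES) -> int:
    """Multiplication in GF(2^n) = Z2[x]/p(x): multiply in Z2[x], then reduce."""
    return poly_mod(poly_mul(a, b), p)


def xtime(a: int, p: int = P_AES) -> int:
    """Multiply by x (the byte 02) with the slide's rule: shift left and, if the
    x^n term appeared, XOR with p (for AES: drop bit 8 and XOR with 0x1B)."""
    n = p.bit_length() - 1
    a <<= 1
    if (a >> n) & 1:
        a ^= p
    return a


def gf_inv(a: int, p: int = P_AES) -> int:
    """Inverse in GF(2^n) by the extended Euclidean algorithm on Z2[x].
    Invariant: r_i = s_i * a (mod p). Stops when the remainder is 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1, s0, s1 = p, a, 0, 1
    while r1 > 1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ poly_mul(q, s1)
    if r1 == 0:   # gcd(a, p) != 1: only happens when p(x) is reducible
        raise ValueError(f"gcd({poly_str(a)}, {poly_str(p)}) != 1: not invertible")
    return poly_mod(s1, p)


def is_field(p: int) -> bool:
    """Check the slide's claim directly: Z2[x]/p(x) is a field iff every
    nonzero residue has an inverse, which fails exactly when p(x) is reducible."""
    try:
        return all(gf_mul(a, gf_inv(a, p), p) == 1
                   for a in range(1, 1 << (p.bit_length() - 1)))
    except ValueError:
        return False


if __name__ == "__main__":
    print("x^4+1 mod x^3+x+1 =", poly_str(poly_mod(0b10001, P_SMALL)))
    print("(x^2+1)^-1 in GF(2^3) =", poly_str(gf_inv(0b101, P_SMALL)))
    print("{53}^-1 in the AES field = %02x" % gf_inv(0x53))
    print("02*87 = %02x, xtime(87) = %02x" % (gf_mul(0x02, 0x87), xtime(0x87)))
    print("x^3+1 gives a field?", is_field(0b1001))
```

Running it reproduces the slides' values: x^4+1 reduces to x^2+x+1 modulo x^3+x+1, the inverse of x^2+1 there is x, {53}^(-1) = {CA} in the AES field, and 02·87 comes out the same whether computed by gf_mul or by the xtime rule. is_field(x^3+1) is False because x^3+1 = (x+1)(x^2+x+1) over Z2, so x+1 has no inverse there.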
Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers

• Message space P = M^L = { m = (m1, m2, …, mL) | mi ∈ M }
  – M = { a_i, i = 1, 2, …, N }, p(a_i) ≥ 0, ∑_{i=1}^{N} p(a_i) = 1
• Key space K = B^R = { b = (b1, b2, …, bR) | bi ∈ B }
  – B = { b_i, i = 1, 2, …, S }, p(b_i) ≥ 0, ∑_{i=1}^{S} p(b_i) = 1
• Ciphertext space C = { c | c = e_k(m), k ∈ K, m ∈ P }
[Figure: Sender → Encryption → c → Decryption → Receiver, with the key k from the Key Space (K) delivered over a Secure Channel and Cryptanalysis observing c; labels: Message Space (P), Ciphertext Space (C).]
Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." (R. G. Gallager)

Claude Shannon, 1916–2001
Probability Distribution of C

• Pr[C = c] = ∑_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
  – C(k) = { e_k(m) | m ∈ P }, the ciphertexts reachable under key k
• Pr[C = c | P = m] = ∑_{k ∈ K, m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c]
    = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
    = ( Pr(m) · ∑_{k : m = d_k(c)} Pr(k) ) / ( ∑_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)) )
Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext.
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P,
    ∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
  – Such a scheme is also said to have perfect secrecy.
Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|.
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and every y ∈ C there is a unique key k such that e_k(x) = y.
Proof of ⇐ (the two conditions imply perfect secrecy)

• Pr[P = x | C = y] = ( ∑_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[P = x] ) / ( ∑_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[P = d_k(y)] )
• Numerator: by the unique-key condition exactly one k has x = d_k(y), so ∑_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|.
• Denominator: ∑_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[P = d_k(y)] = 1/|K| · ∑_{k ∈ K, y ∈ C(k)} Pr[P = d_k(y)] = 1/|K| · ∑_{x ∈ P} Pr[P = x] = 1/|K|
• Hence Pr[P = x | C = y] = (1/|K|) · Pr[P = x] / (1/|K|) = Pr[P = x].
Proof of ⇒, part 1 (perfect secrecy implies a unique key for each (x, y))

• Assume Pr[C = y] > 0 for every y ∈ C.
• Pr[P = x | C = y] = Pr[P = x]  ⇔  Pr[C = y | P = x] = Pr[C = y]
• Fix x ∈ P and y ∈ C. We have Pr[C = y | P = x] = Pr[C = y] > 0, thus at least one key k satisfies e_k(x) = y.
• |{ e_k(x) | k ∈ K }| = |C| = |K|
  – so there are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – hence there is a unique key k such that e_k(x) = y
Proof of ⇒, part 2 (perfect secrecy implies equiprobable keys)

• Let n = |K| and P = { x_i | 1 ≤ i ≤ n }.
• Fix y and name the keys k1, k2, …, kn so that e_{k_i}(x_i) = y (they are distinct, since one key decrypts y to only one plaintext).
• Pr[P = x_i | C = y] = Pr[C = y | P = x_i] · Pr[P = x_i] / Pr[C = y] = Pr[K = k_i] · Pr[P = x_i] / Pr[C = y]
• Pr[P = x_i | C = y] = Pr[P = x_i]  ⇒  Pr[K = k_i] = Pr[C = y]
  – Every key is used with the same probability Pr[C = y], i.e. 1/|K|.
"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n. Any cipher with perfect secrecy has |K| ≥ n.
• Proof:
  – Consider a probability distribution on P in which every m has nonzero probability.
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m.
  – As one key decrypts c into only one message, at least n keys are needed.
Introduction of the Complexity

• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography:
  – NOT perfect secrecy
  – but secure under limited resources (complexity)
  – meaning that key (or plaintext) recovery is computationally difficult
  – Complexity is the foundation of modern cryptography
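The conditions of the slides from "Probability Distribution of C" to this one (the formulas for Pr[C = c], Pr[C = c | P = m] and Pr[P = m | C = c], Shannon's definition, the |K| ≥ |P| bound and the warning against reusing a key) checked by exhaustive enumeration, as an added Python example that is not part of the lecture. The shift cipher, the one-time pad over Z_n, the non-uniform plaintext distribution, the skewed key distribution and the alphabet sizes are all constructed here, and the function names are this example's own.

```python
"""Perfect secrecy checked by enumeration (Shannon's definition, slide formulas).

Added example, not the lecture's code. Exact rational arithmetic evaluates
  Pr[C=c]      = sum over (k, m) with e_k(m) = c of Pr[k] * Pr[m]
  Pr[C=c|P=m]  = sum over k with e_k(m) = c of Pr[k]
  Pr[P=m|C=c]  = Pr[C=c|P=m] * Pr[P=m] / Pr[C=c]
and tests whether Pr[P=m|C=c] == Pr[P=m] for every m and every reachable c.
The ciphers, alphabet sizes and distributions below are constructed here.
"""
from collections import defaultdict
from fractions import Fraction
from itertools import product


def shift_cipher(n):
    """e_k(m): add one key k to every letter of m modulo n (a shift cipher,
    i.e. one key reused across all positions of the message)."""
    return lambda k, m: tuple((x + k) % n for x in m)


def vernam_cipher(n):
    """e_k(m): add an independent key letter to each position modulo n (a
    one-time pad over Z_n; the key is as long as the message)."""
    return lambda k, m: tuple((x + y) % n for x, y in zip(m, k))


def uniform(items):
    items = list(items)
    return {x: Fraction(1, len(items)) for x in items}


def biased_plaintexts(n, length):
    """Constructed non-uniform distribution on P = Z_n^length: messages whose
    first letter is 0 are twice as likely. Perfect secrecy must hold for any
    distribution on P, so a skewed one is the interesting test."""
    msgs = list(product(range(n), repeat=length))
    weight = {m: 2 if m[0] == 0 else 1 for m in msgs}
    total = sum(weight.values())
    return {m: Fraction(w, total) for m, w in weight.items()}


def posterior(plain, keys, encrypt):
    """Return {(m, c): Pr[P=m|C=c]} for every m in P and every c with Pr[C=c] > 0."""
    pr_c = defaultdict(Fraction)            # Pr[C=c]
    pr_c_given_m = defaultdict(Fraction)    # Pr[C=c|P=m], keyed by (m, c)
    for (m, pm), (k, pk) in product(plain.items(), keys.items()):
        c = encrypt(k, m)
        pr_c[c] += pk * pm
        pr_c_given_m[(m, c)] += pk
    return {(m, c): pr_c_given_m.get((m, c), Fraction(0)) * plain[m] / pr_c[c]
            for m in plain for c in pr_c}


def has_perfect_secrecy(plain, keys, encrypt):
    """Shannon's condition: the posterior equals the prior for every (m, c)."""
    return all(p == plain[m] for (m, _), p in posterior(plain, keys, encrypt).items())


def scenarios(n=26, n_pairs=6):
    """Four small cryptosystems against the condition."""
    one_letter = biased_plaintexts(n, 1)
    two_letters = biased_plaintexts(n_pairs, 2)
    # skewed keys: the identity shift (k = 0) is chosen half of the time
    skewed = {k: Fraction(1, 2) if k == 0 else Fraction(1, 2 * (n - 1))
              for k in range(n)}
    return {
        "shift, 1 letter, uniform keys (|K|=|P|=|C|)":
            has_perfect_secrecy(one_letter, uniform(range(n)), shift_cipher(n)),
        "shift, 1 letter, skewed keys":
            has_perfect_secrecy(one_letter, skewed, shift_cipher(n)),
        "shift, 2 letters, one key reused (|K|<|P|)":
            has_perfect_secrecy(two_letters, uniform(range(n_pairs)), shift_cipher(n_pairs)),
        "one-time pad, 2 letters, uniform 2-letter keys":
            has_perfect_secrecy(two_letters, uniform(product(range(n_pairs), repeat=2)),
                                vernam_cipher(n_pairs)),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'perfect secrecy' if ok else 'LEAKS':16} {name}")
```

The four scenarios land where the theorems say they must: the single-letter shift cipher with uniform keys has |K| = |P| = |C| and a unique key per (m, c) pair, so it is perfectly secret even for the biased plaintext distribution; making the key distribution non-uniform breaks it; reusing one shift key for two letters gives |K| < |P| and leaks (the ciphertext (0, 0) can only come from a repeated letter, so Pr[P = (0, 1) | C = (0, 0)] = 0); and the two-letter one-time pad, whose key space is as large as the message space, is perfectly secret again.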
Problems

• Definition: A problem is a general question with associated parameters whose values are not specified.
• Example:
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine

• Definition: A Turing Machine is given by a transition function δ: S × B → S × B × {l, r}
  – where S is the set of states, B the tape alphabet (characters), l means "shift left" and r means "shift right".
[Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a head that is controlled by the State Machine.]
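The transition function δ: S × B → S × B × {l, r} made concrete, as an added Python example that is not part of the lecture: a small simulator that applies a transition table one step at a time and counts the steps, run on a constructed machine that adds one to a binary number. The machine, its state names and the step counter are this example's own.

```python
"""A deterministic Turing machine run from its transition table delta,
delta: S x B -> S x B x {l, r}, the object of the slide's definition.

Added example, not the lecture's code. The machine INCREMENT (binary +1)
and the step counter are constructed here; the step count is the quantity
behind the slide's notion of time complexity.
"""

BLANK = "_"   # the blank tape symbol, part of the tape alphabet B


def run_tm(delta, tape, start, halt, max_steps=10_000):
    """Run the machine on `tape` (head on the leftmost cell) until it enters
    `halt`. Return (tape contents without surrounding blanks, steps taken)."""
    cells = dict(enumerate(tape))          # sparse tape: index -> symbol
    state, head, steps = start, 0, 0
    while state != halt:
        if steps >= max_steps:
            raise RuntimeError("no halt within max_steps")
        symbol = cells.get(head, BLANK)
        state, write, move = delta[(state, symbol)]   # one application of delta
        cells[head] = write
        head += 1 if move == "r" else -1
        steps += 1
    lo, hi = min(cells), max(cells)
    out = "".join(cells.get(i, BLANK) for i in range(lo, hi + 1))
    return out.strip(BLANK), steps


# S = {scan, add, halt}, B = {0, 1, _}. "scan" walks right to the end of the
# number, "add" walks left propagating the carry, "halt" accepts.
INCREMENT = {
    ("scan", "0"): ("scan", "0", "r"),
    ("scan", "1"): ("scan", "1", "r"),
    ("scan", BLANK): ("add", BLANK, "l"),
    ("add", "1"): ("add", "0", "l"),       # 1 + carry = 0, keep carrying
    ("add", "0"): ("halt", "1", "r"),      # 0 + carry = 1, done
    ("add", BLANK): ("halt", "1", "r"),    # carried past the left end: new digit
}


def increment(binary: str):
    """Binary increment via INCREMENT; returns (result, steps). The step count
    grows linearly in the input length n, so this algorithm runs in O(n)."""
    return run_tm(INCREMENT, binary, "scan", "halt")


if __name__ == "__main__":
    for s in ("0", "1011", "111"):
        print(s, "+ 1 =", *increment(s))
```

The step count returned with the result is exactly the "number of steps of the TM" that the next slides use to define time complexity; here it is at most 2n+2 for an n-bit input.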
Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer.
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem.

Problems and Algorithms
[Figure: a PROBLEM has many INSTANCES; an instance is the Input to the ALGORITHM, which produces the Output.]
Complexity of Algorithm

• Definition: The time complexity of an algorithm is how many steps (of the TM) are necessary to produce the solution for a given instance of size n.
• Time complexity function (TCF):
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms.
  – The complexity of a problem is much more difficult to establish than that of an algorithm.
  – It relies on mathematical analysis.
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them.
Classes of Problems

• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P – can be solved in polynomial time using a DTM (deterministic TM, δ: S × B → S × B × {l, r})
    • Example: AB
  – NP – can be solved in polynomial time using an NDTM (nondeterministic TM, δ: S × B → 2^(S × B × {l, r}))
  – BPP – can be "solved" in polynomial time using a PTM (probabilistic TM, δ: S × B × {0, 1} → S × B × {l, r}), i.e. randomized algorithms
NP Problems

• NP: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution.
• Remark:
  – P problems ⊆ NP problems
  – NP problems are "more difficult", by intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note:
  – Q2 is at least as complex as Q1
  – Denoted Q1 ≤_poly Q2
NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc.
• Example:
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove that a problem Q is NPC?
  – SAT ≤_poly Q
P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP:
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P:
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – These are the foundations of modern cryptography
BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP:
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Given a base g and a value y, find x satisfying g^x ≡ y (mod p)
• DHP: Find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)
Semantic Security

• Ideas of Semantic Security:
  – Between Shannon security and security based on complexity
  – May leak partial information
  – Approximates perfect secrecy
• Definition of Semantic Security:
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 1/2 + ε.
• The game:
  – Challenger: picks random k and picks random b ∈ {0, 1}
  – Adversary: picks M0, M1 of equal length and sends them to the challenger
  – Challenger: returns c = E_k(M_b)
  – Adversary: outputs a guess b'
  – Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 1/2 + ε.
  – Challenger: 1. picks random k; 2. picks random M; sends c = E_k(M)
  – Adversary: 3. picks i and outputs a guess a
  – Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure.
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security.
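The two games of the three slides above and the reduction sketched in the proof, as an added Python example that is not part of the lecture. Two constructed toy ciphers on 8-bit blocks are played: otp XORs the message with a fresh random key, and leaky is the same cipher with bit 0 of the key forced to 0, so bit 0 of the message shows through. A bit-security adversary that reads that bit is turned into an IND-CPA adversary exactly as the proof sketch says (choose M0 and M1 differing only in bit i, output the bit attacker's answer as b'). The ciphers, the attacker, the trial count and the random seed are this example's own.

```python
"""The IND-CPA and bit-security games of the slides, played against two toy
8-bit ciphers, plus the reduction of the proof sketch (bit attacker ->
IND-CPA attacker).

Added example, not the lecture's code. `otp` XORs the message with a fresh
uniformly random key; `leaky` is the same except its key always has bit 0
clear, so bit 0 of the message shows through. Both ciphers, the attacker and
the trial counts are constructed here.
"""
import random

BITS = 8


def otp(k: int, m: int) -> int:
    """One-time pad on an 8-bit block: c = m XOR k."""
    return m ^ k


def leaky(k: int, m: int) -> int:
    """Like otp, but bit 0 of the key is forced to 0, so c and m agree in bit 0."""
    return m ^ (k & ~1)


def bit_attacker(c: int, i: int) -> int:
    """Bit-security adversary: guess bit i of M by reading bit i of c."""
    return (c >> i) & 1


def bit_game(encrypt, attacker, rng, i=0) -> bool:
    """One round of the bit-security game; True if a equals the i'th bit of M."""
    k = rng.getrandbits(BITS)            # 1. challenger picks random k
    m = rng.getrandbits(BITS)            # 2. challenger picks random M
    c = encrypt(k, m)
    a = attacker(c, i)                   # 3. adversary picks i and answers a
    return a == (m >> i) & 1


def ind_cpa_adversary_from(attacker, i=0):
    """The reduction: choose M0, M1 that differ only in bit i, so that bit i
    of M_b equals b; the bit attacker's answer is then the guess b'."""
    def choose_messages(rng):
        m0 = rng.getrandbits(BITS) & ~(1 << i)     # bit i = 0
        return m0, m0 | (1 << i)                   # bit i = 1, same length

    def guess(c):
        return attacker(c, i)
    return choose_messages, guess


def ind_cpa_game(encrypt, adversary, rng) -> bool:
    """One round of the (eavesdropper) IND-CPA game; True if b' == b."""
    choose_messages, guess = adversary
    k = rng.getrandbits(BITS)            # challenger picks random k
    b = rng.getrandbits(1)               # and random b in {0, 1}
    m0, m1 = choose_messages(rng)        # adversary picks M0, M1 of equal length
    c = encrypt(k, m1 if b else m0)      # challenger returns E_k(M_b)
    return guess(c) == b


def win_rate(game, encrypt, adversary, trials=2000, seed=1) -> float:
    rng = random.Random(seed)            # seeded so the figures are reproducible
    return sum(game(encrypt, adversary, rng) for _ in range(trials)) / trials


def win_rates(trials=2000) -> dict:
    adv = ind_cpa_adversary_from(bit_attacker)
    return {
        "bit game vs leaky": win_rate(bit_game, leaky, bit_attacker, trials),
        "bit game vs otp": win_rate(bit_game, otp, bit_attacker, trials),
        "IND-CPA vs leaky (reduction)": win_rate(ind_cpa_game, leaky, adv, trials),
        "IND-CPA vs otp (reduction)": win_rate(ind_cpa_game, otp, adv, trials),
    }


if __name__ == "__main__":
    for name, p in win_rates().items():
        print(f"{name:30} win probability {p:.3f}")
```

Against leaky both games are won in every trial, so that cipher is neither bit secure nor IND-CPA secure, and the reduction carries the bit attacker's advantage over unchanged, which is the contrapositive of the slide's statement. Against otp both win rates sit at 1/2 up to sampling noise, as expected for a one-time pad on a single block.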
Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: httpcsthiteducncryptography
• Due Date:
Zhijun Li S1034040Autumn08HIT 42
Group
bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions
ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba
Zhijun Li S1034040Autumn08HIT 43
Group Example
bull ltZ +gt e=0 a-1 = - a
bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a
bull ltZ2 gt is also a group
bull ltZp gt (Zp
=1hellipp-1 lsquorsquo is multiplicative)
Zhijun Li S1034040Autumn08HIT 44
Group Properties
bull Definition The order of a finite group is the number of the elements in the group
bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S
bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H
(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a
ll coset is a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of Group Element
bull Definition The order of group element a is defined as the least positive integer n that
an = a a hellip a =e
bull The order of a is denoted as ord(a)
bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n
Zhijun Li S1034040Autumn08HIT 47
ord(a)|n Proof
bull Proofndash For group G and aG the set a a2 hellip aord
(a) and the operator of G forms a subgroup of G
aord(a)=e (ai)-1=a(ord(a)-i)
ndash This subgroup is denoted as ltagt
The Generator of a Group
• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group.
• Example: Consider <Z_7^*, ·>
  – 2 generates 2¹ = 2, 2² = 4, 2³ = 8 ≡ 1 (mod 7), 2⁴ = 16 ≡ 2 (mod 7), …
    • <1, 2, 4> is a subgroup
  – 3 generates 3¹ = 3, 3² ≡ 2, 3³ ≡ 6, 3⁴ ≡ 4, 3⁵ ≡ 5, 3⁶ ≡ 1, …
    • 3 is a generator
Ring
• Definition: A ring R = <S, +, ·> (+ is addition, · is multiplication) such that
  – R1: ∀ a, b ∈ S: a + b ∈ S, a · b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀ a, b, c ∈ S: (a · b) · c = a · (b · c)
  – R4: ∀ a, b, c ∈ S: a · (b + c) = a · b + a · c
• Example:
  – The set of even integers with + and · is a ring
  – p, q are two primes, n = pq; Z_n = {0, 1, …, n−1} with addition and multiplication mod n is a ring
Field
• Definition: A field F is <S, +, ·> with
  – F1: <S, +, ·> is a commutative ring (a · b = b · a)
  – F2: There exists an identity element 1 with respect to multiplication: a · 1 = 1 · a = a
  – F3: Any nonzero element a ∈ S has its unique inverse a⁻¹: a · a⁻¹ = a⁻¹ · a = 1
• Example:
  – Z_n = <{0, 1, …, n−1}, +, ·> is a field if n is a prime
Relationship
(Figure: nested structures, all used in cryptography)
  Field: +, −, ×, ÷
  Ring:  +, −, ×
  Group: +, −
Several Important Structures
• Z_n
• Z_n^*
• Z_p
• Polynomial rings
• Galois field F_{2ⁿ}
Z_n
• Z_n is the "ring" of integers modulo n
  – Z_n = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example:
  – Z_26 for English
  – Z_256 for ASCII
Z_n Properties
• Additive and multiplicative identities in Z_n:
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: yes, for every x
  – For each x in Z_n there is a number y such that x + y = 0 (mod n)
• Multiplicative inverse: not for all x
  – For x in Z_n, a number y such that x · y = 1 (mod n)
  – The elements in Z_n that have an inverse: {x | gcd(x, n) = 1}
Z_n^*
• Z_n^* is a "group" of integers modulo n
  – Z_n^* = {x | gcd(x, n) = 1}
  – |Z_n^*| = φ(n)
  – Normal multiplication modulo n
• Z_n^* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Z_20^* but 3 + 5 = 8 ∉ Z_20^*
• So Z_n^* may not be a field
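As an added illustration, not part of the slides, the following Python enumerates Z_n^*, computes ord(a), the cyclic subgroup <a> and the generators from the last few slides, checks the corollary ord(a) | |Z_n^*|, and tests the closure-under-addition failure for n = 20; all function names are my own.

```python
from math import gcd

def units_mod(n):
    """Z_n^* = {x | gcd(x, n) = 1} as a sorted list (the multiplicative group mod n)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]

def element_order(a, n):
    """ord(a): least k >= 1 with a^k = 1 (mod n). Only defined for a in Z_n^*."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not in Z_{n}^*")
    k, power = 1, a % n
    while power != 1:
        power = (power * a) % n
        k += 1
    return k

def cyclic_subgroup(a, n):
    """<a> = {a, a^2, ..., a^ord(a)}; the slide's <1, 2, 4> for a = 2, n = 7."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not in Z_{n}^*")
    elems, power = set(), 1
    while True:
        power = (power * a) % n
        elems.add(power)
        if power == 1:          # we are back at e, the subgroup is complete
            return sorted(elems)

def generators(n):
    """Elements g with <g> = Z_n^*, i.e. ord(g) = |Z_n^*| = phi(n)."""
    group = units_mod(n)
    return [g for g in group if element_order(g, n) == len(group)]

def lagrange_holds(n):
    """Corollary of Lagrange: ord(a) divides |Z_n^*| for every a in Z_n^*."""
    group = units_mod(n)
    return all(len(group) % element_order(a, n) == 0 for a in group)

def closed_under_addition(n):
    """Is Z_n^* closed under + mod n?  False for n = 20 since 3 + 5 = 8 has gcd(8, 20) = 4."""
    group = set(units_mod(n))
    return all((x + y) % n in group for x in group for y in group)

if __name__ == "__main__":
    print("Z_7^* =", units_mod(7))
    print("ord(2) =", element_order(2, 7), " <2> =", cyclic_subgroup(2, 7))
    print("ord(3) =", element_order(3, 7), " generators of Z_7^*:", generators(7))
    print("Z_20^* closed under +?", closed_under_addition(20))
```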
Z_p
• Z_p is the "field" of integers modulo p
  – Z_p = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z_2

    +  | 0  1        ·  | 0  1        w | −w | w⁻¹
    ---+------       ---+------       --+----+----
    0  | 0  1        0  | 0  0        0 |  0 |  –
    1  | 1  0        1  | 0  1        1 |  1 |  1
     (XOR)            (AND)
Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n xⁿ + a_{n−1} x^{n−1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0.
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R.
Polynomial Ring Example
• Example: Let f(x) = x³ + x + 1 and g(x) = x² + x be elements in Z_2[x]
  – f(x) + g(x) = x³ + x² + 1
  – f(x) − g(x) = f(x) + g(x) = x³ + x² + 1
  – f(x) · g(x) = x⁵ + x⁴ + x³ + x
Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) − b(x))
• Example:
  – In Z_5[x]: 3x³ + 4x + 4 ≡ x + 4 (mod x² + 1)
    • 3x³ + 4x + 4 − (x + 4) = 3x³ + 3x = 3x(x² + 1)
• Definition: If a(x) · b(x) ≡ 1 (mod p(x)), then b(x) = a⁻¹(x) mod p(x)
Irreducible Polynomials
• Definition: If a(x) = q(x) · b(x), then a(x) is divisible by b(x), denoted as b(x) | a(x)
• Definition: A polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) such that b(x) | a(x)
Example: Z_2[x]/(x³ + x + 1)
• S = {0, 1, x, x+1, x², x²+1, x²+x, x²+x+1}
• p(x) = x³ + x + 1
• For any f(x) ∈ Z_2[x]: f(x) mod p(x) ∈ S
• Example:
  – x⁴ + 1 = x · x³ + 1 mod p(x) = x(x + 1) + 1 = x² + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)
Z_2[x]/(x³ + x + 1) Properties
• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x² + 1) + (x² + 1) = 0
• S is a group over multiplication mod p(x)
  – 1 is e, and the inverse of every nonzero a ∈ S exists
  – Example: (x² + 1) · x = x³ + x ≡ (x + 1) + x (mod x³ + x + 1) = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z_2[x]/(x³ + x + 1) is a field
Galois Field
• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is the field Z_N (N is prime)
  – + is addition in F; · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted as GF(Nⁿ), where n = deg p(x)
Why Galois Field?
• For an 8-bit block:
  – Z_256 = {0, 1, …, 255} is not a field
  – Z_251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for Z_256?
  – Yes: the Galois Field
Galois Field for Z_256
• Build a mapping from an n-bit block to polynomials
• Example: 8-bit block
    10010111  ↔  1·x⁷ + 0·x⁶ + 0·x⁵ + 1·x⁴ + 0·x³ + 1·x² + 1·x¹ + 1·x⁰
• It is Z_2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2ⁿ)
Galois Field Example: AES
• …s in AES uses GF(2⁸) = Z_2[x]/p(x), where p(x) = x⁸ + x⁴ + x³ + x + 1
• Example:
  – 01010011 ↔ x⁶ + x⁴ + x + 1
  – (01010011)⁻¹ ↔ (x⁶ + x⁴ + x + 1)⁻¹ mod p(x) = x⁷ + x⁶ + x³ + x ↔ 11001010
Galois Field Example: AES
• Example: 02 · 87 = ?
  • 87 = 10000111 ↔ f(x) = x⁷ + x² + x + 1
  • 02 = 00000010 ↔ f(x) = x
  • 02 · 87 ↔ x · f(x) = x · (x⁷ + x² + x + 1) mod p(x)
                     = x⁸ + x · (x² + x + 1) mod p(x)
• In general, for a byte b₇b₆b₅b₄b₃b₂b₁b₀:
    x · f(x) ↔ 02 · b = (b₆b₅b₄b₃b₂b₁b₀0)                if b₇ = 0
                      = (b₆b₅b₄b₃b₂b₁b₀0) ⊕ (00011011)   if b₇ = 1
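The following Python is an added example, not code from the slides, that implements GF(2ⁿ) = Z_2[x]/p(x) arithmetic with polynomials stored as integers (bit i is the coefficient of xⁱ); it reproduces the x³ + x + 1 examples from the earlier slides, the AES inverse of 01010011, and the byte rule for 02 · b, and uses the Extended Euclidean Algorithm for inverses as the slides suggest. AES_POLY and SMALL_POLY are the two p(x) from the slides; all function names are my own.

```python
AES_POLY = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1, the p(x) used by AES
SMALL_POLY = 0b1011        # x^3 + x + 1, the slides' GF(2^3) example

def poly_str(a):
    """Render an int-encoded polynomial over Z_2, e.g. 0b10010111 -> 'x^7+x^4+x^2+x+1'."""
    if a == 0:
        return "0"
    terms = []
    for i in range(a.bit_length() - 1, -1, -1):
        if (a >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return "+".join(terms)

def poly_mod(a, p):
    """a(x) mod p(x) over Z_2: XOR shifted copies of p(x) until deg a < deg p."""
    dp = p.bit_length() - 1
    while a and a.bit_length() - 1 >= dp:
        a ^= p << (a.bit_length() - 1 - dp)
    return a

def poly_divmod(a, b):
    """Quotient and remainder of a(x) / b(x) over Z_2 by long division (b != 0)."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def gf_mul(a, b, p):
    """a(x)*b(x) mod p(x): repeatedly multiply a by x (shift) and reduce, adding where b has a 1 bit."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a = poly_mod(a << 1, p)     # the slides' 'multiply by x, reduce if degree reaches deg p'
    return result

def gf_inv(a, p):
    """Inverse of a(x) mod irreducible p(x) via the Extended Euclidean Algorithm."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1, s0, s1 = p, a, 0, 1        # invariant: r_i = s_i * a  (mod p)
    while r1 != 1:
        if r1 == 0:                    # gcd(a, p) != 1: p(x) was not irreducible
            raise ValueError(f"{poly_str(a)} has no inverse mod {poly_str(p)}")
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ gf_mul(q, s1, p)   # subtraction is XOR over Z_2
    return s1

def aes_xtime(b):
    """The slides' byte rule for 02 * b: shift left; XOR 00011011 if b7 was 1."""
    b <<= 1
    return (b ^ 0b00011011) & 0xFF if b & 0x100 else b

def is_field(p):
    """Check F3 of the field definition: every nonzero residue mod p(x) has an inverse."""
    n = p.bit_length() - 1
    try:
        return all(gf_mul(a, gf_inv(a, p), p) == 1 for a in range(1, 1 << n))
    except ValueError:
        return False

if __name__ == "__main__":
    print("x^4+1 mod (x^3+x+1) =", poly_str(poly_mod(0b10001, SMALL_POLY)))
    print("(x^2+1)*x mod (x^3+x+1) =", poly_str(gf_mul(0b101, 0b010, SMALL_POLY)))
    print("inverse of 01010011 in AES field:", format(gf_inv(0x53, AES_POLY), "08b"))
    print("02 * 87 in AES field:", format(gf_mul(0x02, 0x87, AES_POLY), "02x"))
```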
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers
• Message space P = M^L = {m = (m₁, m₂, …, m_L) | m_i ∈ M}
  – M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1
• Key space K = B^R = {b = (b₁, b₂, …, b_R) | b_i ∈ B}
  – B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1
• Ciphertext space C = {c | c = e_k(m), k ∈ K, m ∈ M}
(Figure: Sender → Encryption (m ↦ c) → Decryption → Receiver; the key k reaches both ends over a secure channel; cryptanalysis observes c. Labels: Key Space (K), Message Space (P), Ciphertext Space (C).)
Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." (R. G. Gallager)
Claude Shannon, 1916–2001
Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c]
    = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
    = ( Pr(m) · Σ_{k | m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)) )
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if the probability distribution of P satisfies
    ∀ c, m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|.
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y
Proof of ⇐
• Pr[x = x | y = y] = ( Σ_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[x = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)] )
• Numerator: Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|, since exactly one key maps x to y
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)] = (1/|K|) · Σ_{k ∈ K, y ∈ C(k)} Pr[x = d_k(y)] = (1/|K|) · Σ_{x ∈ P} Pr[x = x] = 1/|K|
• Hence Pr[x = x | y = y] = Pr[x = x]
Proof of ⇒ (1)
• For y with Pr[y] > 0: Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
• Fix x ∈ P. For every y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
  – There are no k₁ ≠ k₂ with e_{k₁}(x) = e_{k₂}(x)
  – So there is a unique key k such that e_k(x) = y
Proof of ⇒ (2)
• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Given a fixed y, assume keys k₁, k₂, …, k_n where e_{k_i}(x_i) = y
• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = k_i] · Pr[x_i] / Pr[y]
• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
  – Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n. Any cipher with perfect secrecy has |K| ≥ n.
• Proof:
  – Consider a nonzero probability distribution on P
  – Given any C = c, for every m:
    Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
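As an added example (my own code, not from the slides), the following Python evaluates the distributions from the "Probability Distribution of C" slide exactly with fractions and applies the perfect-secrecy definition and the theorem's two conditions to three constructed toy schemes: a shift cipher on Z_3 with a uniform key (perfect), the same cipher with a skewed key distribution (fails the equal-probability condition), and the same 3-element key reused for a two-symbol message, where |K| = 3 < |P| = 9 as the "bad news" theorem predicts.

```python
from fractions import Fraction
from itertools import product

N = 3   # constructed toy alphabet Z_3

def shift_enc(k, m):
    """e_k(m) = m + k (mod N); d_k(c) = c - k (mod N). A one-symbol one-time pad."""
    return (m + k) % N

def reuse_enc(k, m):
    """Constructed insecure variant: one key symbol k applied to both symbols of m = (m1, m2)."""
    return ((m[0] + k) % N, (m[1] + k) % N)

def uniform(values):
    values = list(values)
    return {v: Fraction(1, len(values)) for v in values}

def ciphertext_dist(msg_dist, key_dist, enc):
    """Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] * Pr[P = m]
    (the slide's sum over k in K with c in C(k) of Pr[K = k] Pr[P = d_k(c)])."""
    pc = {}
    for (m, pm), (k, pk) in product(msg_dist.items(), key_dist.items()):
        c = enc(k, m)
        pc[c] = pc.get(c, Fraction(0)) + pk * pm
    return pc

def posterior(msg_dist, key_dist, enc, m, c):
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c]  (Bayes, as on the slide)."""
    pc = ciphertext_dist(msg_dist, key_dist, enc)[c]
    # Pr[C = c | P = m] = sum over k with e_k(m) = c of Pr[K = k]
    pc_given_m = sum((pk for k, pk in key_dist.items() if enc(k, m) == c), Fraction(0))
    return pc_given_m * msg_dist[m] / pc

def has_perfect_secrecy(msg_dist, key_dist, enc):
    """Shannon secure iff Pr[P = m | C = c] == Pr[P = m] for all m and all c with Pr[C = c] > 0."""
    pc = ciphertext_dist(msg_dist, key_dist, enc)
    return all(posterior(msg_dist, key_dist, enc, m, c) == pm
               for m, pm in msg_dist.items() for c in pc)

def theorem_conditions(msg_dist, key_dist, enc):
    """The Perfect Secrecy Theorem's two conditions: (keys uniform, exactly one key per (x, y))."""
    keys = list(key_dist)
    keys_uniform = all(pk == Fraction(1, len(keys)) for pk in key_dist.values())
    cts = {enc(k, m) for k in keys for m in msg_dist}
    unique_key = all(sum(1 for k in keys if enc(k, x) == y) == 1
                     for x in msg_dist for y in cts)
    return keys_uniform, unique_key

# Constructed distributions: non-uniform plaintexts so the check is not vacuous
MSG = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
KEY_UNIFORM = uniform(range(N))
KEY_SKEWED = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
MSG_PAIRS = uniform(product(range(N), repeat=2))   # |P| = 9 two-symbol messages

if __name__ == "__main__":
    print("uniform key:", has_perfect_secrecy(MSG, KEY_UNIFORM, shift_enc))
    print("skewed key: ", has_perfect_secrecy(MSG, KEY_SKEWED, shift_enc),
          " Pr[P=0|C=0] =", posterior(MSG, KEY_SKEWED, shift_enc, 0, 0))
    print("key reused for 2 symbols:", has_perfect_secrecy(MSG_PAIRS, KEY_UNIFORM, reuse_enc))
```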
Introduction to Complexity
• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography:
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography
Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example:
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: A Turing Machine is a transition function S × B → S × B × {l, r}
  – Where S is the set of states, B is the set of tape characters, l is shift left, r is shift right
(Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a state machine.)
Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem
Problems and Algorithms
(Figure: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output.)
Complexity of Algorithm
• Definition: The time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF):
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(aⁿ), a ∈ N, and there exists b ∈ N with f(n) = O(bⁿ)
Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problems
• Undecidable (provably intractable)
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: A × B
  – NP: can be solved in polynomial time using an NDTM
    S × B → 2^{S × B × {l, r}}
  – BPP: can be "solved" in polynomial time using a PTM, S × B × {0, 1} → S × B × {l, r} (randomized algorithms)
NP Problems
• NP ⊇ P: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark:
  – P problems ⊆ NP problems
  – NP problems are "more difficult", from intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered as easy problems
Polynomial Reduction
• Definition: Assume Q₁, Q₂ ∈ NP, and I₁⁺ and I₂⁺ are their sets of 'yes' instances.
  Q₁ is polynomially reducible to Q₂ if there is a function f: I₁ → I₂ s.t.
  – f is computable in polynomial time by a DTM
  – for all x ∈ I₁: x ∈ I₁⁺ iff f(x) ∈ I₂⁺
• Note:
  – Q₂ is more complex than Q₁
  – Denoted as Q₁ ≤_poly Q₂
NP Completeness (NPC)
• Definition: An NPC problem is a Q_c such that for any Q ∈ NP we have Q ≤_poly Q_c
• Example:
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC?
  – SAT ≤_poly Q
P = NP?
• Either P = NP, or there is a problem p ∈ NP with p ∉ P
• If P = NP:
  – Modern cryptography is NOT secure
• If there is p ∈ NP with p ∉ P:
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography
BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP:
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Problems in Cryptography
• FACTORING: Factorize n (= p₁^{e₁} p₂^{e₂} … p_k^{e_k})
• DLP: Find x satisfying αˣ ≡ β (mod p)
• DHP: Find α^{ab} (mod p) from αᵃ (mod p) and αᵇ (mod p)
• Subset-Sum: Given a set of positive integers A = {a₁, a₂, …, a_n} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x² ≡ a (mod n)
Semantic Security
• Ideas of semantic security:
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of semantic security:
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
(Game, as drawn on the slide)
    Challenger                              Adversary
    picks random k and random b ∈ {0, 1}
                                            picks M₀, M₁ of equal length
    (encrypts M_b under k and returns it)   (outputs a guess b′)
    Attacker wins the game if b = b′
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
(Game, as drawn on the slide)
    Challenger                              Adversary
    1. picks random k
    2. picks random M
                                            3. picks i
    (encrypts M under k and returns it)     (outputs a guess a)
    Attacker wins the game if a = the i-th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Z_n, Z_p, GF(2ⁿ)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework
• HTTP URL:
  http://cst.hit.edu.cn/cryptography
• Due Date:
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 44
Group Properties
• Definition: The order of a finite group is the number of elements in the group.
• Definition: A group G1 = <S1, ·> is a subgroup of the group G = <S, ·> if S1 ⊆ S and <S1, ·> is itself a group under the operation of G.
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G.
Lagrange Theorem: Proof
(1) Definition of coset: Let G be a group and H a subgroup of G. For a ∈ G, the set aH = {ah | h ∈ H} is called a (left) coset of H.
(2) ∀a, b ∈ G: either aH = bH or aH ∩ bH = ∅.
(3) Each element a of G lies in some coset (a = ae ∈ aH), so the cosets partition G.
(4) |aH| = |H| for every a (h ↦ ah is a bijection H → aH).
So the order of H divides the order of G.
The Order of a Group Element
• Definition: The order of a group element a is the least positive integer n such that
  a^n = a · a · … · a (n factors) = e
• The order of a is denoted ord(a).
• Corollary: Suppose G is a finite group of order n and a ∈ G; then ord(a) | n.
ord(a) | n: Proof
• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operation of G forms a subgroup of G: a^ord(a) = e, and (a^i)^-1 = a^(ord(a) − i).
  – This subgroup is denoted <a>. It has ord(a) elements, so by Lagrange's theorem ord(a) | n.
The Generator of a Group
• Definition: If every element of a group is a power of a single element g, the group is called cyclic and g is called a generator of the group.
• Example
  – Consider <Z7*, ·>
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), …
    • <2> = {1, 2, 4} is only a proper subgroup, so 2 is not a generator
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator of Z7*
Ring
• Definition: A ring R = <S, +, ·> (+ is addition, · is multiplication) is a set S with two operations such that
  – R1: ∀a, b ∈ S: a + b ∈ S and a · b ∈ S (closure)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a · b) · c = a · (b · c)
  – R4: ∀a, b, c ∈ S: a · (b + c) = a · b + a · c and (a + b) · c = a · c + b · c
• Example
  – The set of even integers with + and · is a ring
  – p, q two primes, n = pq: Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring
Field
• Definition: A field F is <S, +, ·> with
  – F1: <S, +, ·> is a commutative ring (a · b = b · a)
  – F2: there is an identity element 1 for multiplication: a · 1 = 1 · a = a
  – F3: every nonzero element a ∈ S has a unique inverse a^-1 with a · a^-1 = a^-1 · a = 1
• Example
  – Zn = <{0, 1, …, n−1}, +, ·> is a field if and only if n is a prime
Relationship
[Figure: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷); all three structures are used in cryptography.]
Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F_{2^n}
Zn
• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z26 for English letters
  – Z256 for ASCII bytes
Zn Properties
• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: yes, for every x
  – For each x in Zn there is a y with x + y = 0 (namely y = n − x mod n)
• Multiplicative inverse: not for all x
  – A y with x · y = 1 exists only for some x in Zn
  – The elements of Zn that have a multiplicative inverse are exactly {x | gcd(x, n) = 1}
Zn*
• Zn* is a "group" of integers modulo n
  – Zn* = {x ∈ Zn | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* need not be a group under +
  – Example: n = 20: 3, 5 ∈ Z20* but 3 + 5 = 8 ∉ Z20*
• So <Zn*, +, ·> is in general not a field
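As an added illustration of the last few slides (Lagrange's theorem, the order of an element, generators of Z7*, and why Zn* is not closed under addition), the Python below computes these objects directly for small moduli. It is example code written for this transcript, not part of the lecture; the function names (`units_mod`, `order_mod`, `generators_mod`, …) are ours.

```python
from math import gcd


def units_mod(n):
    """Z_n^*: the residues in Z_n that are coprime to n (the multiplicative group of Z_n)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def order_mod(a, n):
    """ord(a) in Z_n^*: the least k >= 1 with a^k = 1 (mod n). Needs n >= 2 and gcd(a, n) == 1."""
    if n < 2 or gcd(a, n) != 1:
        raise ValueError("%d has no multiplicative inverse mod %d" % (a, n))
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def generated_subgroup(a, n):
    """<a> = {a, a^2, ..., a^ord(a)}: the cyclic subgroup of Z_n^* generated by a."""
    return sorted(pow(a, i, n) for i in range(1, order_mod(a, n) + 1))


def generators_mod(n):
    """Elements of order |Z_n^*| = phi(n). The list is non-empty iff Z_n^* is cyclic."""
    group = units_mod(n)
    return [a for a in group if order_mod(a, n) == len(group)]


def lagrange_holds(n):
    """Corollary of Lagrange's theorem: ord(a) divides |Z_n^*| for every a in Z_n^*."""
    group = units_mod(n)
    return all(len(group) % order_mod(a, n) == 0 for a in group)


def additively_closed(n):
    """Is Z_n^* closed under addition mod n? False for n = 20: 3 + 5 = 8 and gcd(8, 20) = 4."""
    group = set(units_mod(n))
    return all((a + b) % n in group for a in group for b in group)


if __name__ == "__main__":
    print("Z_7^* =", units_mod(7))
    print("<2> =", generated_subgroup(2, 7), " ord(2) =", order_mod(2, 7))
    print("generators of Z_7^*:", generators_mod(7))
    print("Lagrange holds in Z_20^*:", lagrange_holds(20))
    print("Z_20^* closed under +:", additively_closed(20))
```

Z8* = {1, 3, 5, 7} is a useful contrast: every element has order 2, so `generators_mod(8)` is empty and the group is not cyclic, while Lagrange's corollary still holds.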
Zp
• Zp is the "field" of integers modulo a prime p
  – Zp = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2

   +  | 0  1        ·  | 0  1        w | −w | w^-1
  ----+------      ----+------      ---+----+------
   0  | 0  1        0  | 0  0        0 |  0 |  (none)
   1  | 1  0        1  | 0  1        1 |  1 |   1
   (XOR)            (AND)
Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n−1} x^{n−1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0.
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R.
Polynomial Ring Example
• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1 (in Z2, −1 = 1)
  – f(x) · g(x) = x^5 + x^4 + x^3 + x
Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set of remainders of the elements of R[x] mod p(x)
  – for the field construction that follows, p(x) is taken to be an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) − b(x))
• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 (mod x^2 + 1)
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x) · b(x) ≡ 1 (mod p(x)) then b(x) = a^-1(x) mod p(x)
Irreducible Polynomials
• Definition: If a(x) = q(x) · b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: A polynomial a(x) of positive degree is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) and b(x) | a(x)
Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x · x^3 + 1 ≡ x(x + 1) + 1 = x^2 + x + 1 (mod p(x)), using x^3 ≡ x + 1
• Note: R[x]/p(x) is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x); it is a field when p(x) is irreducible
Z2[x]/(x^3 + x + 1): Properties
• S is a group under addition in R
  – 0 is the identity e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S \ {0} is a group under multiplication mod p(x)
  – 1 is the identity e, and every nonzero a ∈ S has an inverse
  – Example: (x^2 + 1) · x = x^3 + x ≡ (x + 1) + x = 1 (mod x^3 + x + 1)
  – Note: the extended Euclidean algorithm can be used to find inverses
• Z2[x]/(x^3 + x + 1) is a field
Galois Field
• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is the field Z_N (N prime)
  – + is addition in F[x]; · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field Z_N[x]/p(x) is denoted GF(N^n), where n = deg p(x)
Why Galois Fields
• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • the largest prime < 256 is 251
    • the values 251…255 are wasted
• Is it possible to find a field with exactly 256 elements?
  – Yes: a Galois field
Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0 = x^7 + x^4 + x^2 + x + 1
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)
Galois Field Example: AES
• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010
Galois Field Example: AES
• Example: 02 · 87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ x
  • 02 · 87 ↔ x · f(x) = x(x^7 + x^2 + x + 1) mod p(x)
           = x^8 + x(x^2 + x + 1) mod p(x)
           = (x^4 + x^3 + x + 1) + x^3 + x^2 + x = x^4 + x^2 + 1 ↔ 00010101 = 15
• In general, for a byte b = b7 b6 b5 b4 b3 b2 b1 b0:
  x · f(x) ↔ 02 · b = (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
                    = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1
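The following Python is an added worked example for the polynomial-ring and Galois-field slides above (residues modulo x^3 + x + 1, inverses by the extended Euclidean algorithm, and the AES field GF(2^8)); it is not code from the lecture and not the AES reference implementation. Polynomials over Z2 are stored as integers with bit i holding the coefficient of x^i, so 0b1011 is x^3 + x + 1 and 0x11B is x^8 + x^4 + x^3 + x + 1; the function names (`poly_mul`, `gf_inv`, `xtime`, …) are ours.

```python
def poly_degree(a):
    """Degree of a binary polynomial stored as an int bitmask (bit i = coefficient of x^i); -1 for 0."""
    return a.bit_length() - 1


def poly_mul(a, b):
    """Multiplication in Z_2[x]: shift-and-XOR (carry-less) instead of shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a, b):
    """Long division in Z_2[x]: returns (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, poly_degree(b)
    while a and poly_degree(a) >= db:
        shift = poly_degree(a) - db
        q ^= 1 << shift          # next quotient term x^shift
        a ^= b << shift          # subtract (= XOR in Z_2) b(x) * x^shift
    return q, a


def gf_mul(a, b, p):
    """Multiplication in GF(2^n) = Z_2[x]/p(x): reduce the product modulo the irreducible p(x)."""
    return poly_divmod(poly_mul(a, b), p)[1]


def gf_inv(a, p):
    """a^{-1} mod p(x) by the extended Euclidean algorithm over Z_2[x].
    Loop invariant: s1 * a = r1 (mod p). When r1 reaches 1, s1 is the inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1, s0, s1 = p, a, 0, 1
    while r1 != 1:
        if r1 == 0:
            raise ValueError("gcd(a, p) != 1: p is reducible or a is a multiple of p")
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ poly_mul(q, s1)
    return poly_divmod(s1, p)[1]


# The two irreducible polynomials used on the slides.
P3 = 0b1011        # x^3 + x + 1: the 8-element field example
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1: the AES field GF(2^8)


def xtime(b):
    """AES multiplication by x (= {02}) on one byte: shift left, XOR 0x1B if bit 7 was set."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def poly_str(a):
    """Human-readable form, e.g. 0b1011 -> 'x^3 + x + 1'."""
    terms = [("x^%d" % i if i > 1 else "x" if i == 1 else "1")
             for i in range(poly_degree(a), -1, -1) if a >> i & 1]
    return " + ".join(terms) if terms else "0"


if __name__ == "__main__":
    print("x^4 + 1 mod p(x) =", poly_str(poly_divmod(0b10001, P3)[1]))   # x^2 + x + 1
    print("(x^2 + 1)^-1 mod p(x) =", poly_str(gf_inv(0b101, P3)))         # x
    print("{53}^-1 in AES = %02X" % gf_inv(0x53, AES_POLY))               # CA
    print("{02}.{87} = %02X (xtime: %02X)" % (gf_mul(0x02, 0x87, AES_POLY), xtime(0x87)))
```

`gf_mul(0x02, b, AES_POLY)` and `xtime(b)` agree for every byte: the slide's "shift, then XOR 00011011 if b7 was set" rule is exactly one step of `poly_divmod` with the x^8 term of p(x) already removed.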
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers
• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai | i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi | i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ P}
[Figure: Sender → Encryption → c → Decryption → Receiver; the key k reaches both ends over a secure channel; cryptanalysis observes c and tries to recover m. Labels: Message Space (P), Key Space (K), Ciphertext Space (C).]
Claude Shannon (1916–2001)
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
(R. G. Gallager)
Probability Distribution of C
• $\Pr[C=c]=\sum_{k\in K:\ c\in C(k)}\Pr[K=k]\,\Pr[P=d_k(c)]$
  – $C(k)=\{e_k(m)\mid m\in P\}$, the ciphertexts reachable under key k
• $\Pr[C=c \mid P=m]=\sum_{k\in K:\ m=d_k(c)}\Pr[K=k]$
• $\Pr[P=m \mid C=c]=\dfrac{\Pr[C=c\mid P=m]\,\Pr[P=m]}{\Pr[C=c]}=\dfrac{\Pr[P=m]\sum_{k:\ m=d_k(c)}\Pr[K=k]}{\sum_{k\in K:\ c\in C(k)}\Pr[K=k]\,\Pr[P=d_k(c)]}$
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define "information"?
• Definition: An encryption scheme is Shannon secure if, for every probability distribution on P,
  ∀c, m: Pr[P=m] = Pr[P=m | C=c] (for every c with Pr[C=c] > 0)
  • Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|.
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y.
Proof of ⇐ (the two conditions imply perfect secrecy)
• Assume every key has probability 1/|K| and, for every x ∈ P and y ∈ C, exactly one key k satisfies e_k(x) = y.
• $\Pr[P=x \mid C=y]=\dfrac{\sum_{k\in K:\ x=d_k(y)}\Pr[K=k]\,\Pr[P=x]}{\sum_{k\in K:\ y\in C(k)}\Pr[K=k]\,\Pr[P=d_k(y)]}$
• Numerator: exactly one key satisfies x = d_k(y), so $\sum_{k\in K:\ x=d_k(y)}\Pr[K=k]=1/|K|$.
• Denominator: for fixed y, every key k decrypts y to exactly one plaintext and each plaintext is hit once, so
  $\sum_{k\in K:\ y\in C(k)}\Pr[K=k]\,\Pr[P=d_k(y)]=\frac{1}{|K|}\sum_{k\in K}\Pr[P=d_k(y)]=\frac{1}{|K|}\sum_{x\in P}\Pr[P=x]=\frac{1}{|K|}$
• Hence Pr[P=x | C=y] = Pr[P=x]: perfect secrecy.
Proof of ⇒ (perfect secrecy implies the unique-key condition)
• Assume perfect secrecy, and Pr[C=y] > 0 for every y ∈ C (C contains only ciphertexts that can occur).
• Pr[P=x | C=y] = Pr[P=x] ⇔ Pr[C=y | P=x] = Pr[C=y] (Bayes' rule).
• Fix x ∈ P. For every y ∈ C, Pr[C=y | P=x] = Pr[C=y] > 0, so at least one key k satisfies e_k(x) = y.
• Therefore |{e_k(x) | k ∈ K}| ≥ |C| = |K|; since there are only |K| keys, the values e_k(x) are pairwise distinct:
  – there are no two keys k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – so for every (x, y) there is a unique key k such that e_k(x) = y
Proof of ⇒ (perfect secrecy implies equiprobable keys)
• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}.
• Fix a ciphertext y. By the previous step there are keys k_1, k_2, …, k_n, each key of K appearing exactly once, with e_{k_i}(x_i) = y.
• Pr[P=x_i | C=y] = Pr[C=y | P=x_i] Pr[P=x_i] / Pr[C=y] = Pr[K=k_i] Pr[P=x_i] / Pr[C=y]
• Perfect secrecy gives Pr[P=x_i | C=y] = Pr[P=x_i], hence Pr[K=k_i] = Pr[C=y] for every i
  – all keys have the same probability, so every key is used with probability 1/|K|
"Bad News" for Perfect Secrecy
• Theorem: If the plaintext space P has size n, any cipher with perfect secrecy has |K| ≥ n.
• Proof
  – Consider a plaintext distribution with Pr[P=m] > 0 for every m ∈ P
  – Fix any ciphertext c with Pr[C=c] > 0. For every m, Pr[P=m | C=c] = Pr[P=m] > 0, so there must be a key that decrypts c to m
  – One key decrypts c to only one message, so at least n distinct keys are needed
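To make the definition and the two theorems above concrete, here is an added Python example (not from the slides) that evaluates Pr[P=m | C=c] exactly for small toy ciphers, using the formulas of the "Probability Distribution of C" slide, and then checks Shannon's condition and the unique-key condition of the theorem. The toy systems (a one-time pad on 2-bit blocks with uniform keys, the same pad with a biased key distribution, and a version with only two keys) and the skewed message distribution are constructed for this example; the function names are ours.

```python
from fractions import Fraction
from itertools import product


def posteriors(enc, P, K, pr_m, pr_k):
    """All Pr[P=m | C=c] for a cipher enc(k, m), plaintext distribution pr_m and key
    distribution pr_k, computed exactly with the slide's formulas:
      Pr[C=c]       = sum_{k, m : e_k(m) = c} Pr[K=k] Pr[P=m]
      Pr[C=c | P=m] = sum_{k : e_k(m) = c} Pr[K=k]
      Pr[P=m | C=c] = Pr[C=c | P=m] Pr[P=m] / Pr[C=c]
    Returns {(m, c): Pr[P=m | C=c]} for every c with Pr[C=c] > 0."""
    pr_c, pr_c_given_m = {}, {}
    for k, m in product(K, P):
        c = enc(k, m)
        pr_c[c] = pr_c.get(c, 0) + pr_k[k] * pr_m[m]
        pr_c_given_m[(m, c)] = pr_c_given_m.get((m, c), 0) + pr_k[k]
    return {(m, c): pr_c_given_m.get((m, c), 0) * pr_m[m] / pr_c[c]
            for c in pr_c for m in P}


def is_perfectly_secret(enc, P, K, pr_m, pr_k):
    """Shannon's definition: Pr[P=m | C=c] == Pr[P=m] for all m and all c with Pr[C=c] > 0."""
    return all(post == pr_m[m]
               for (m, c), post in posteriors(enc, P, K, pr_m, pr_k).items())


def unique_key_property(enc, P, K):
    """Second condition of the theorem: for every (x, y) exactly one key k has e_k(x) = y,
    where the ciphertext space C is everything the cipher can output."""
    C = {enc(k, x) for k in K for x in P}
    return all(sum(1 for k in K if enc(k, x) == y) == 1 for x in P for y in C)


def uniform(S):
    return {s: Fraction(1, len(S)) for s in S}


# Constructed toy systems on 2-bit blocks; Fractions keep every probability exact.
MSGS = [0, 1, 2, 3]
SKEWED_MSGS = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}


def otp(k, m):
    """One-time pad on 2-bit blocks: |K| = |P| = |C| = 4."""
    return k ^ m


def otp_uniform_keys():
    return is_perfectly_secret(otp, MSGS, MSGS, SKEWED_MSGS, uniform(MSGS))


def otp_biased_keys():
    # Same cipher, but key 0 is chosen half the time: by the theorem this cannot be perfect.
    biased = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}
    return is_perfectly_secret(otp, MSGS, MSGS, SKEWED_MSGS, biased)


def two_key_cipher():
    # Only keys {0, 1}: |K| = 2 < |P| = 4, so the "bad news" theorem rules out perfect
    # secrecy; concretely, the ciphertext leaks the high bit of the message.
    return is_perfectly_secret(otp, MSGS, [0, 1], uniform(MSGS), uniform([0, 1]))


if __name__ == "__main__":
    print("OTP, uniform keys, skewed messages:", otp_uniform_keys())
    print("OTP, biased keys:", otp_biased_keys())
    print("two keys for four messages:", two_key_cipher())
    print("Pr[P=0 | C=0] with two keys:",
          posteriors(otp, MSGS, [0, 1], uniform(MSGS), uniform([0, 1]))[(0, 0)])
```

The first case is the one-time pad argument in miniature: with uniform keys the posterior equals the prior for every plaintext distribution, however skewed. The second shows the key distribution is part of the definition, not a detail.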
Introduction of Complexity
• Perfect secrecy ⇒ key length ≥ message length
  – one key can NOT be reused to encrypt many messages
  – e.g. a 56-bit key cannot give perfect secrecy for a document longer than 56 bits
• So modern cryptography
  – does NOT aim at perfect secrecy
  – IS secure against adversaries with limited resources (complexity)
  – meaning that key (or plaintext) recovery is computationally hard
  – complexity is the foundation of modern cryptography
Problems
• Definition: A problem is a general question with associated parameters whose values are not specified.
• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: A Turing machine is given by a transition function δ: S × B → S × B × {l, r}
  – where S is the set of states, B is the tape alphabet (characters), l is "shift left" and r is "shift right"
[Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a head that is controlled by a finite state machine.]
Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing machine) which, for an instance, produces the correct answer.
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem.
Problems and Algorithms
[Figure: a PROBLEM has INSTANCES; an instance is the Input of an ALGORITHM, which produces the Output.]
Complexity of an Algorithm
• Definition: The time complexity of an algorithm is the number of steps (of the Turing machine) necessary to produce the solution for a given instance of size n.
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log n
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Complexity of a Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms that solve it
  – The complexity of a problem is much harder to determine than that of an algorithm
  – It relies on mathematical analysis (lower bounds), not on measuring one algorithm
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them.
Classes of Problems
• Undecidable: provably intractable
  – there is no algorithm that solves it
  – e.g. the Turing halting problem
• Decidable
  – P: can be solved in polynomial time by a DTM (Example: AB)
  – NP: can be solved in polynomial time by an NDTM, whose transition function S × B → 2^{S × B × {l, r}} allows a set of possible moves
  – BPP: can be "solved" in polynomial time by a PTM, whose transition function S × B × {0, 1} → S × B × {l, r} also reads a random bit (randomized algorithms)
NP Problems
• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution (some computation path accepts)
• Remark
  – P ⊆ NP
  – NP problems are intuitively "more difficult"
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and let I1^+ and I2^+ be their sets of 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  – f is computable in polynomial time by a DTM
  – for all x ∈ I1: x ∈ I1^+ iff f(x) ∈ I2^+
• Note
  – Q2 is at least as hard as Q1: a polynomial-time algorithm for Q2 gives one for Q1
  – Denoted Q1 ≤poly Q2
NP Completeness (NPC)
• Definition: A problem Qc is NP-complete if Qc ∈ NP and for every Q ∈ NP we have Q ≤poly Qc.
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC: show Q ∈ NP and SAT ≤poly Q
P = NP?
• Either P = NP, or there exists p ∈ NP with p ∉ P.
• If P = NP
  – modern (complexity-based) cryptography is NOT secure: one-way functions cannot exist, since their existence would imply P ≠ NP
• If P ≠ NP (some p ∈ NP, p ∉ P)
  – it becomes possible to build a one-way function from such a problem p; note that P ≠ NP is necessary but not known to be sufficient, since a one-way function needs a problem that is hard on average, not only in the worst case
  – if one-way functions exist, then indistinguishable pseudorandom functions exist (and conversely)
  – these are the foundations of modern cryptography
BPP
• There are randomized algorithms in cryptography
  – especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – the problem is solved with a bounded error probability
  – the error probability can be reduced by repetition (majority vote over independent runs)
  – security of cryptography is meaningful against BPP adversaries
  – will be analyzed in depth later
Problems in Cryptography
• FACTORING: factorize n = p1^e1 · p2^e2 · … · pk^ek
• DLP: given a prime p, a generator g of Zp* and y, find x satisfying g^x ≡ y (mod p)
• DHP: find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)
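An added example (not from the slides) that solves each of these problems on toy parameters with the textbook algorithms; it also makes two relations between them visible: DHP is solved through DLP, and SQROOT modulo n = pq is easy once the factorization is known. The parameter values (p = 23, g = 5, n = 7·11) are chosen for illustration and the function names (`dlog`, `sqrt_mod_pq`, …) are ours. `pow(x, -1, m)` for modular inverses needs Python 3.8 or later.

```python
from math import isqrt


def factor(n):
    """FACTORING by trial division: returns {prime: exponent}. Only viable for toy n."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def dlog(g, y, p):
    """DLP: the least x >= 0 with g^x = y (mod p), by baby-step giant-step,
    O(sqrt(p)) time and memory instead of O(p) for exhaustive search."""
    m = isqrt(p) + 1
    baby = {}
    for j in range(m):                       # baby steps: g^j -> j
        baby.setdefault(pow(g, j, p), j)
    giant = pow(g, -m, p)                    # g^{-m}
    gamma = y % p
    for i in range(m):                       # giant steps: y * g^{-im}
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant % p
    return None


def dh_break(g, ga, gb, p):
    """DHP via DLP: recover a from g^a, then (g^b)^a = g^{ab}. Shows DHP <=_poly DLP."""
    a = dlog(g, ga, p)
    return pow(gb, a, p)


def is_quadratic_residue(a, p):
    """QRP modulo an odd prime p by Euler's criterion: a^((p-1)/2) = 1 (mod p)."""
    return pow(a, (p - 1) // 2, p) == 1


def sqrt_mod_prime(a, p):
    """SQROOT modulo a prime p = 3 (mod 4): x = a^((p+1)/4). None if a is a non-residue."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p = 3 (mod 4)")
    x = pow(a, (p + 1) // 4, p)
    return x if x * x % p == a % p else None


def sqrt_mod_pq(a, p, q):
    """SQROOT modulo n = pq when the factorization is known: combine the roots modulo p
    and modulo q with the Chinese Remainder Theorem. Without p and q this is as hard as
    factoring n, which is what Rabin's cryptosystem relies on."""
    n = p * q
    rp, rq = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
    if rp is None or rq is None:
        return set()
    roots = set()
    for xp in (rp, p - rp):
        for xq in (rq, q - rq):
            roots.add((xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % n)
    return roots


if __name__ == "__main__":
    print("84 =", factor(84))
    print("log_5(5^17 mod 23) =", dlog(5, pow(5, 17, 23), 23))
    print("DH secret from g^7, g^11:", dh_break(5, pow(5, 7, 23), pow(5, 11, 23), 23))
    print("2 is a QR mod 23:", is_quadratic_residue(2, 23), " sqrt:", sqrt_mod_prime(2, 23))
    print("square roots of 4 mod 77:", sorted(sqrt_mod_pq(4, 7, 11)))
```

The four square roots of 4 modulo 77 are the point of the last function: modulo a prime there are two roots, modulo pq there are four, and a root that is not ±x gives a nontrivial gcd with n, which is why SQROOT and FACTORING are computationally equivalent.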
Semantic Security
• Ideas of semantic security
  – sits between Shannon security and security based on complexity
  – leaking any partial information about the plaintext must be infeasible for a bounded adversary
  – an approximation of perfect secrecy against computationally bounded adversaries
• Definition of semantic security (equivalent formulations)
  – indistinguishability of ciphertexts
  – hard to distinguish the ciphertexts of different plaintexts
  – hard to distinguish a ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 1/2 + ε

  Challenger                                   Adversary
  picks a random key k and a random bit b ∈ {0, 1}
                                               may request encryptions E_k(M) of chosen plaintexts M
                                               picks M0, M1 of equal length
  returns C = E_k(M_b)
                                               outputs a guess b'

  – Attacker wins the game if b = b'
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 1/2 + ε

  Challenger                                   Adversary
  1. picks a random key k
  2. picks a random message M
                                               3. picks a bit position i
  sends C = E_k(M)
                                               outputs a guess a

• Attacker wins the game if a = the i-th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure.
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security.
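As an added example for the IND-CPA and bit-security games and for the reduction in the proof sketch above, the Python below runs both games in code. It is not code from the lecture; the two toy ciphers (an HMAC-SHA256 keystream used deterministically, and the same keystream keyed with a fresh random nonce per message) and all function names are constructed for this example, and the claim that the randomized version is IND-CPA secure assumes HMAC-SHA256 behaves as a pseudorandom function. The deterministic cipher loses the IND-CPA game to an adversary that simply asks the oracle for E_k(M0); against the randomized one the same adversary is reduced to guessing. `indcpa_from_bit_guesser` is the theorem's reduction: an attacker that recovers one plaintext bit is turned into an IND-CPA distinguisher.

```python
import hashlib
import hmac
import random


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Challenger:
    """The IND-CPA game for a cipher enc(key, msg, rng) -> bytes (messages up to 32 bytes).
    encrypt() is the chosen-plaintext oracle; challenge() encrypts M_b for the hidden bit b."""

    def __init__(self, cipher, rng):
        self.cipher, self.rng = cipher, rng
        self.key = bytes(rng.getrandbits(8) for _ in range(16))
        self.b = rng.getrandbits(1)

    def encrypt(self, m):
        return self.cipher(self.key, m, self.rng)

    def challenge(self, m0, m1):
        if len(m0) != len(m1):
            raise ValueError("M0 and M1 must have equal length")
        return self.encrypt((m0, m1)[self.b])


def det_cipher(key, m, rng):
    """Deterministic stream cipher: keystream = HMAC(key, ''), c = m XOR keystream.
    Equal plaintexts give equal ciphertexts, which a chosen-plaintext adversary can detect."""
    ks = hmac.new(key, b"", hashlib.sha256).digest()
    return xor_bytes(m, ks[:len(m)])


def rand_cipher(key, m, rng):
    """Randomized version: a fresh 16-byte nonce per call, keystream = HMAC(key, nonce)."""
    nonce = bytes(rng.getrandbits(8) for _ in range(16))
    ks = hmac.new(key, nonce, hashlib.sha256).digest()
    return nonce + xor_bytes(m, ks[:len(m)])


def repeat_adversary(ch):
    """Asks the oracle for E_k(M0), then compares it with the challenge ciphertext."""
    m0, m1 = b"attack at dawn", b"attack at dusk"
    c0 = ch.encrypt(m0)
    return 0 if ch.challenge(m0, m1) == c0 else 1


def bit_guesser_det(ch, i, c):
    """Bit-security attacker for det_cipher: E_k(0...0) is the keystream itself, so bit i
    of M is bit i of (c XOR keystream)."""
    ks = ch.encrypt(bytes(len(c)))
    m = xor_bytes(c, ks)
    return (m[i // 8] >> (7 - i % 8)) & 1


def indcpa_from_bit_guesser(guesser, i, length=14):
    """The reduction of the theorem: choose M0, M1 identical except at bit i (0 in M0,
    1 in M1), hand the challenge to the bit guesser, and output its guessed bit as b'."""
    def adversary(ch):
        m0 = bytes(length)
        m1 = bytearray(m0)
        m1[i // 8] |= 1 << (7 - i % 8)
        return guesser(ch, i, ch.challenge(m0, bytes(m1)))
    return adversary


def win_rate(cipher, adversary, trials, seed=1):
    """Fraction of games won over independent keys and bits; 1/2 means no advantage."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        ch = Challenger(cipher, rng)
        wins += adversary(ch) == ch.b
    return wins / trials


if __name__ == "__main__":
    print("deterministic cipher vs repeat adversary:", win_rate(det_cipher, repeat_adversary, 200))
    print("randomized cipher vs repeat adversary:  ", win_rate(rand_cipher, repeat_adversary, 400))
    print("deterministic cipher vs reduced bit guesser:",
          win_rate(det_cipher, indcpa_from_bit_guesser(bit_guesser_det, 37), 200))
```

The reduction preserves the attacker's advantage exactly as the proof sketch says: whenever the bit guesser is right about bit i, the distinguisher is right about b, so a (t, ε) bit-security attacker yields a (t, ε) IND-CPA attacker with only a constant amount of extra work.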
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework
• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 45
Lagrange Theorem Proof
(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H
(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a
ll coset is a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G
Zhijun Li S1034040Autumn08HIT 46
The Order of Group Element
bull Definition The order of group element a is defined as the least positive integer n that
an = a a hellip a =e
bull The order of a is denoted as ord(a)
bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n
Zhijun Li S1034040Autumn08HIT 47
ord(a)|n Proof
bull Proofndash For group G and aG the set a a2 hellip aord
(a) and the operator of G forms a subgroup of G
aord(a)=e (ai)-1=a(ord(a)-i)
ndash This subgroup is denoted as ltagt
Zhijun Li S1034040Autumn08HIT 48
The Generator of Group
bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group
bull Examplendash Considering the ltZ7
gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod
7hellipbull lt124gt subgroup
ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator
Zhijun Li S1034040Autumn08HIT 49
Ringbull Definition A ring R=ltS+gt (+ is addition is
multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac
bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio
n and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic
ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers
e a-1 a = a-1 a = 1
bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
Field +-x
Relationship
Ring +-x
+-Group
Used In Cryptography
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
bull Zn
bull Zn
bull Zp
bull Polynomial Rings
bull Galois Field F2n
Zhijun Li S1034040Autumn08HIT 53
Zn
bull Zn is the ldquoringrdquo of integers modulo n
ndash Zn=0 1 2 hellipn-1
ndash Normal addition modulo nndash Normal multiplication modulo n
bull Example
ndash Z26 for English
ndash Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
bull Additive and multiplicative identities in Zn
ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n
bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn
bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn
ndash The elements in Zn have inverse x|gcd(xn)=1
Zhijun Li S1034040Autumn08HIT 55
Zn
bull Zn is a ldquogrouprdquo of integers modulo n
ndash Zn=x| gcd(xn)=1
ndash |Zn|=(n)
ndash Normal multiplication modulo n
bull Zn may not a group over +
ndash Example n=20 35 Zn but 3+5=8 Zn
bull So Zn may not a field
Zhijun Li S1034040Autumn08HIT 56
Zp
bull Zp is the ldquofieldrdquo of integers modulo n
ndash Zp=012hellipp-1
ndash Normal addition modulo pndash Normal multiplication modulo p
bull ExampleZ2+ 0 1
01
0 11 0
0 1
01
0 00 1
w -w w-1
01
01 1
XOR AND
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0
bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Classes of Problem
• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: AB
  – NP – can be solved in polynomial time using an NDTM (SB 2S)
  – BPP – can be "solved" in polynomial time using a PTM (SB01 S) (randomized algorithms)
NP Problem
• NP problem: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P Problem ⊆ NP Problem
  – NP Problem is "more difficult", intuitively
• NPC: The most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is more complex than Q1
  – Denoted as Q1 ≤poly Q2
NP Completeness (NPC)
• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC?
  – Show SAT ≤poly Q
P = NP?
• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography
BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Find x satisfying x (mod p)
• DHP: Find ab (mod p) from a (mod p) and b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)
Semantic Security
• Ideas of Semantic Security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of Semantic Security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
[Figure: the game between Challenger and Adversary. The Challenger picks a random k and a random b ∈ {0,1}; the Adversary picks M0, M1 of equal length. The attacker wins the game if b = b'.]
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
[Figure: the game between Challenger and Adversary. 1. The Challenger picks a random k; 2. the Challenger picks a random M; 3. the Adversary picks i. The attacker wins the game if a = the i'th bit of M.]
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
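The IND-CPA game of the previous slides as runnable code. This is an added example, not material from the lecture slides: it plays the game against two constructed toy ciphers on 16-byte messages, one with a fixed keystream (deterministic, so the same plaintext always gives the same ciphertext) and one that draws a fresh random nonce per message. HMAC-SHA256 stands in for the PRF; the cipher designs, the adversary strategy and all function names are mine. The adversary simply asks the encryption oracle for E_k(M0) before submitting (M0, M1) and checks whether the challenge ciphertext repeats, which is exactly the "distinguish ciphertexts of different plaintexts" idea from the semantic security slide.

```python
# Added example (not from the lecture slides): the IND-CPA game as runnable
# code, played against two constructed toy ciphers on 16-byte messages. The
# challenger picks k and b and answers the adversary's encryption queries; the
# adversary wins if its guess b' equals b. HMAC-SHA256 serves as the PRF. Names
# and both ciphers are mine.
import hashlib
import hmac
import random

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def prf(k, nonce):
    """Pseudorandom function F_k(nonce) -> BLOCK bytes (HMAC-SHA256, truncated)."""
    return hmac.new(k, nonce, hashlib.sha256).digest()[:BLOCK]


def rand_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))


def enc_fixed_nonce(k, m, rng):
    """Deterministic toy cipher: keystream F_k(constant) XOR m; same (k, m) -> same c."""
    return xor(m, prf(k, b"fixed nonce"))


def enc_random_nonce(k, m, rng):
    """Randomized toy cipher: fresh nonce r per message, c = r || (F_k(r) XOR m)."""
    r = rand_bytes(rng, BLOCK)
    return r + xor(m, prf(k, r))


def dec_random_nonce(k, c):
    r, body = c[:BLOCK], c[BLOCK:]
    return xor(body, prf(k, r))


class RepeatQueryAdversary:
    """Queries E_k(M0) once, then checks whether the challenge equals that ciphertext."""

    def choose(self, oracle):
        self.m0, self.m1 = b"\x00" * BLOCK, b"\xff" * BLOCK
        self.c0 = oracle(self.m0)
        return self.m0, self.m1

    def guess(self, challenge):
        return 0 if challenge == self.c0 else 1


def ind_cpa_round(enc, adversary, rng):
    """One game: True if the adversary's b' equals the challenger's b."""
    k = rand_bytes(rng, BLOCK)
    b = rng.randrange(2)
    m0, m1 = adversary.choose(lambda m: enc(k, m, rng))   # chosen-plaintext oracle
    if len(m0) != len(m1):
        raise ValueError("M0 and M1 must have equal length")
    challenge = enc(k, (m0, m1)[b], rng)
    return adversary.guess(challenge) == b


def win_rate(enc, trials=2000, seed=1):
    """Fraction of rounds the RepeatQueryAdversary wins; 0.5 means no advantage."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_round(enc, RepeatQueryAdversary(), rng) for _ in range(trials))
    return wins / trials


def roundtrip_ok(seed=3):
    """Sanity check that the randomized toy cipher really decrypts."""
    rng = random.Random(seed)
    k, m = rand_bytes(rng, BLOCK), rand_bytes(rng, BLOCK)
    return dec_random_nonce(k, enc_random_nonce(k, m, rng)) == m


if __name__ == "__main__":
    print("fixed-nonce cipher, adversary win rate:", win_rate(enc_fixed_nonce))
    print("random-nonce cipher, adversary win rate:", win_rate(enc_random_nonce))
```

The fixed-nonce cipher loses every round (win rate 1.0), while against the random-nonce cipher this adversary does no better than guessing. Note that a simulation like this can only exhibit a break; a win rate near 0.5 for one adversary is not a proof that the scheme is IND-CPA secure.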
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework
• HTTP URL
  httpcsthiteducncryptography
• Due Date
The Order of Group Element
• Definition: The order of a group element a is defined as the least positive integer n such that
  a^n = a · a · … · a = e
• The order of a is denoted as ord(a)
• Corollary: Suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n
ord(a) | n: Proof
• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G:
    a^ord(a) = e, (a^i)^-1 = a^(ord(a) − i)
  – This subgroup is denoted as <a>
The Generator of Group
• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group
• Example
  – Consider <Z7*, ·>
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • <{1, 2, 4}> is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator
Ring
• Definition: A ring R = <S, +, ·> (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a · b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a · b) · c = a · (b · c)
  – R4: ∀a, b, c ∈ S: a · (b + c) = a · b + a · c
• Example
  – The set of even integers with + and · is a ring
  – p, q two primes, n = pq: Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring
Field
• Definition: A field F is <S, +, ·> with
  – F1: <S, +, ·> is a commutative ring (a · b = b · a)
  – F2: There exists an identity element 1 with respect to multiplication: a · 1 = 1 · a = a
  – F3: Any nonzero element a ∈ S has a unique inverse a^-1: a · a^-1 = a^-1 · a = 1
• Example
  – Zn = <{0, 1, …, n−1}, +, ·> is a field if n is a prime
Relationship
[Figure: nested structures used in cryptography: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷)]
Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field GF(2^n)
Zn
• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z26 for English
  – Z256 for ASCII
Zn Properties
• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: Yes
  – For every x in Zn there is a y such that x + y = 0
• Multiplicative inverse: Not for all x
  – A y such that x · y = 1 does not exist for every x in Zn
  – The elements of Zn that have an inverse: {x | gcd(x, n) = 1}
Zn*
• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field
Zp
• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2
    +  | 0  1        ·  | 0  1        w | −w | w^-1
    ---+------       ---+------       --+----+------
    0  | 0  1        0  | 0  0        0 |  0 | (none)
    1  | 1  0        1  | 0  1        1 |  1 |   1
  (+ is XOR, · is AND)
Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + a(n−1)·x^(n−1) + … + a1·x + a0, where each ai ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Polynomial Ring Example
• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x) · g(x) = x^5 + x^4 + x^3 + x
Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), or a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x) · b(x) ≡ 1 mod p(x), then b(x) = a^-1(x) mod p(x)
Irreducible Polynomials
• Definition: If a(x) = q(x) · b(x), then a(x) is divisible by b(x), denoted as b(x) | a(x)
• Definition: A polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)
Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x · x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)
Z2[x]/(x^3 + x + 1): Properties
• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S is a group over multiplication mod p(x)
  – 1 is e, and the inverse of every nonzero a ∈ S exists
  – Example: (x^2 + 1) · x = x^3 + x ≡ x + 1 + x mod x^3 + x + 1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3 + x + 1) is a Field
Galois Field
• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is a field Z_N (N is prime)
  – + is addition in F; · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted as GF(N^n) when n = deg p(x)
Why Galois Field?
• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251 … 255 are wasted
• Is it possible to find a field for Z256?
  – Yes – the Galois Field
Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)
Galois Field Example: AES
…s in AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010
Galois Field Example: AES
• Example: 02 · 87 =
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ f(x) = x
  • 02 · 87 ↔ x · f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, for f = (b7 b6 b5 b4 b3 b2 b1 b0):
  x · f(x) ↔ 02 · f = (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
                    = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)     if b7 = 1
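The polynomial arithmetic of the last several slides, from the Z2[x] product on the Polynomial Ring Example slide through the GF(2^3) residues to the AES field, as one added example; this is my code, not the lecture's. A polynomial over Z2 is stored as an int whose bit i is the coefficient of x^i, so 0b1011 is x^3 + x + 1 and 0x11B is the AES modulus x^8 + x^4 + x^3 + x + 1. The block implements reduction modulo p(x), multiplication, inversion by the Extended Euclidean Algorithm that the properties slide mentions, and the shift-and-XOR "multiply by 02" rule, and reproduces the slides' values: x^4 + 1 mod (x^3 + x + 1) = x^2 + x + 1, the inverse of x^2 + 1 is x, the inverse of 01010011 is 11001010, and 02 · 87 worked through the b7 rule. Function names and the constants P_GF8 and P_AES are mine.

```python
# Added example (not from the lecture slides): arithmetic in Z2[x]/(p(x)).
# A polynomial over Z2 is an int whose bit i is the coefficient of x^i.
# Function names and the two modulus constants are mine.

P_GF8 = 0b1011    # x^3 + x + 1, the slides' GF(2^3) example
P_AES = 0x11B     # x^8 + x^4 + x^3 + x + 1, the AES modulus


def poly_str(a):
    """Render an int-coded polynomial, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    if a == 0:
        return "0"
    terms = []
    for i in range(a.bit_length() - 1, -1, -1):
        if (a >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


def clmul(a, b):
    """Carry-less product a(x) * b(x) in Z2[x], not reduced (the ring product)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_divmod(a, b):
    """Long division in Z2[x]: returns (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift
        a ^= b << shift          # subtracting x^shift * b(x) is XOR over Z2
    return q, a


def gf_mul(a, b, p):
    """a * b in Z2[x]/(p(x)): multiply, then reduce modulo p(x)."""
    return poly_divmod(clmul(a, b), p)[1]


def gf_inv(a, p):
    """a^-1 mod p(x) by the Extended Euclidean Algorithm over Z2[x].
    Invariant: r_i = s_i * a (mod p). Raises if gcd(a, p) != 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, s0 = p, 0
    r1, s1 = a, 1
    while r1 != 1:
        q, r = poly_divmod(r0, r1)
        if r == 0:
            raise ValueError("not invertible: p(x) reducible or a a multiple of it")
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ clmul(q, s1)
    return poly_divmod(s1, p)[1]


def xtime(byte):
    """AES multiply-by-02 on one byte: shift left and, if bit 7 was set,
    XOR with 00011011 (the low byte of p(x)), exactly the slide's rule."""
    out = (byte << 1) & 0xFF
    if byte & 0x80:
        out ^= 0x1B
    return out


if __name__ == "__main__":
    print("x^4 + 1 mod p =", poly_str(poly_divmod(0b10001, P_GF8)[1]))
    print("(x^2 + 1)^-1 =", poly_str(gf_inv(0b101, P_GF8)))
    print("inverse of 0x53 in AES field = 0x%02X" % gf_inv(0x53, P_AES))
    print("02 * 87 = 0x%02X" % xtime(0x87))
```

The exhaustive checks in the tests (xtime against gf_mul for all 256 bytes, and a·a^-1 = 1 for every nonzero byte) are the kind of self-test worth keeping next to any hand-written field arithmetic before it goes into a cipher implementation.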
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers
• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = {c | c = ek(m), k ∈ K, m ∈ M}
[Figure: Sender → Encryption → c → Decryption → Receiver, with the key k delivered over a Secure Channel; Cryptanalysis observes c and aims at m. Key Space (K), Message Space (P), Ciphertext Space (C)]
Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." – R. G. Gallager
[Photo: Claude Shannon, 1916–2001]
Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[m = dk(c)]
  – C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k | m = dk(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(dk(c)) )
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for any probability distribution of P,
  ∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
  • Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|.
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|,
  – and ∀x ∈ P and ∀y ∈ C there is a unique key k such that ek(x) = y.
Proof of ⇐
• Pr[x = x | y = y] = ( Σ_{k ∈ K, x = dk(y)} Pr[K = k] · Pr[x = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)] )
• Numerator: Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K|
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = dk(y)] = 1/|K| · Σ_{k ∈ K, y ∈ C(k)} Pr[x = dk(y)] = 1/|K| · Σ_{x ∈ P} Pr[x = x] = 1/|K|
Proof of ⇒
• Pr[y] > 0; Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with ek1(x) = ek2(x)
  – There is a unique key k such that ek(x) = y
Proof of ⇒
• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, assume k1, k2, …, kn where eki(xi) = y
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
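The probability formulas of the "Probability Distribution of C" slide, Shannon's definition, the two conditions of the Perfect Secrecy Theorem and the |K| ≥ n bound, all evaluated by brute force on a toy cryptosystem. This is an added example, not code from the lecture: the instance is a shift cipher on single letters of Z26, the skewed plaintext distribution is constructed for the example, and exact fractions are used so that the equality Pr[P = m | C = c] = Pr[P = m] is tested exactly rather than approximately. Function and constant names are mine.

```python
# Added example (not from the lecture slides): brute-force evaluation of
# Pr[C = c] and Pr[P = m | C = c] for a small cryptosystem, used to test
# Shannon's perfect-secrecy definition and the two theorem conditions.
# The toy instance is a shift cipher on one letter of Z_26; the plaintext
# distribution is constructed for the example. Names are mine.
from fractions import Fraction
from itertools import product


def shift_encrypt(k, m, n=26):
    """e_k(m) = m + k mod n (the shift cipher on a single letter)."""
    return (m + k) % n


def cipher_distribution(P, K, pr_P, pr_K, enc):
    """Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] * Pr[P = m]."""
    pr_C = {}
    for k, m in product(K, P):
        c = enc(k, m)
        pr_C[c] = pr_C.get(c, Fraction(0)) + pr_K[k] * pr_P[m]
    return pr_C


def posterior(m, c, P, K, pr_P, pr_K, enc, pr_C=None):
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c], where
    Pr[C = c | P = m] = sum over k with e_k(m) = c of Pr[K = k]."""
    if pr_C is None:
        pr_C = cipher_distribution(P, K, pr_P, pr_K, enc)
    pr_c_given_m = sum((pr_K[k] for k in K if enc(k, m) == c), Fraction(0))
    return pr_c_given_m * pr_P[m] / pr_C[c]


def is_perfectly_secret(P, K, pr_P, pr_K, enc):
    """Shannon's definition: Pr[P = m | C = c] = Pr[P = m] for every m and every
    c that occurs with positive probability."""
    pr_C = cipher_distribution(P, K, pr_P, pr_K, enc)
    return all(posterior(m, c, P, K, pr_P, pr_K, enc, pr_C) == pr_P[m]
               for c, pc in pr_C.items() if pc > 0 for m in P)


def theorem_conditions_hold(P, C, K, pr_K, enc):
    """For |K| = |P| = |C|: every key has probability 1/|K|, and for each
    (x, y) exactly one key k satisfies e_k(x) = y."""
    uniform = all(pr_K[k] == Fraction(1, len(K)) for k in K)
    unique = all(sum(1 for k in K if enc(k, x) == y) == 1 for x in P for y in C)
    return uniform and unique


N = 26
P = C = list(range(N))
# Constructed plaintext distribution: letter 0 is five times as likely as any other.
_weights = [5] + [1] * (N - 1)
PR_P = {m: Fraction(w, sum(_weights)) for m, w in zip(P, _weights)}

K_FULL = list(range(N))                      # |K| = |P|: the theorem applies
PR_K_FULL = {k: Fraction(1, N) for k in K_FULL}

K_HALF = list(range(13))                     # |K| < |P|: the "bad news" case
PR_K_HALF = {k: Fraction(1, 13) for k in K_HALF}


def demo():
    """(perfect with 26 uniform keys?, perfect with only 13 keys?, theorem conditions hold?)"""
    return (is_perfectly_secret(P, K_FULL, PR_P, PR_K_FULL, shift_encrypt),
            is_perfectly_secret(P, K_HALF, PR_P, PR_K_HALF, shift_encrypt),
            theorem_conditions_hold(P, C, K_FULL, PR_K_FULL, shift_encrypt))


if __name__ == "__main__":
    print(demo())
    print("Pr[P=0 | C=20] with 13 keys:",
          posterior(0, 20, P, K_HALF, PR_P, PR_K_HALF, shift_encrypt))
```

With 26 uniform keys every posterior equals the prior, as the theorem predicts. With 13 keys the cipher fails exactly as the |K| ≥ n proof says: for a ciphertext c and a plaintext m with c − m outside the key set, Pr[P = m | C = c] drops to 0 even though Pr[P = m] > 0, so the ciphertext rules plaintexts out.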
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 47
ord(a)|n Proof
bull Proofndash For group G and aG the set a a2 hellip aord
(a) and the operator of G forms a subgroup of G
aord(a)=e (ai)-1=a(ord(a)-i)
ndash This subgroup is denoted as ltagt
Zhijun Li S1034040Autumn08HIT 48
The Generator of Group
bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group
bull Examplendash Considering the ltZ7
gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod
7hellipbull lt124gt subgroup
ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator
Zhijun Li S1034040Autumn08HIT 49
Ringbull Definition A ring R=ltS+gt (+ is addition is
multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac
bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio
n and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic
ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers
e a-1 a = a-1 a = 1
bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
Field +-x
Relationship
Ring +-x
+-Group
Used In Cryptography
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
bull Zn
bull Zn
bull Zp
bull Polynomial Rings
bull Galois Field F2n
Zhijun Li S1034040Autumn08HIT 53
Zn
bull Zn is the ldquoringrdquo of integers modulo n
ndash Zn=0 1 2 hellipn-1
ndash Normal addition modulo nndash Normal multiplication modulo n
bull Example
ndash Z26 for English
ndash Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
bull Additive and multiplicative identities in Zn
ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n
bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn
bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn
ndash The elements in Zn have inverse x|gcd(xn)=1
Zhijun Li S1034040Autumn08HIT 55
Zn
bull Zn is a ldquogrouprdquo of integers modulo n
ndash Zn=x| gcd(xn)=1
ndash |Zn|=(n)
ndash Normal multiplication modulo n
bull Zn may not a group over +
ndash Example n=20 35 Zn but 3+5=8 Zn
bull So Zn may not a field
Zhijun Li S1034040Autumn08HIT 56
Zp
bull Zp is the ldquofieldrdquo of integers modulo n
ndash Zp=012hellipp-1
ndash Normal addition modulo pndash Normal multiplication modulo p
bull ExampleZ2+ 0 1
01
0 11 0
0 1
01
0 00 1
w -w w-1
01
01 1
XOR AND
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0
bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Zhijun Li S1034040Autumn08HIT 81
Turing Machine
• Definition: A Turing Machine is (S, B, δ) with transition function δ: S × B → S × B × {l, r}
  – where S is the set of states, B the set of tape characters, l is shift left and r is shift right
[Figure: a state machine reading a tape … 0 1 1 0 0 0 1 1 …]
Zhijun Li S1034040Autumn08HIT 82
Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem
Zhijun Li S1034040Autumn08HIT 83
[Figure: Problems and Algorithms. The INSTANCES of a PROBLEM are the Input to an ALGORITHM, which produces the Output]
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity functions (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine than that of an algorithm
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: AB
  – NP – can be solved in polynomial time using an NDTM, δ: S × B → 2^(S × B × {l, r})
  – BPP – can be "solved" in polynomial time using a PTM, δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
• NP ⊇ P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", by intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is at least as complex as Q1
  – Denoted as Q1 ≤_poly Q2
Zhijun Li S1034040Autumn08HIT 89
NP Completeness (NPC)
• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC
  – SAT ≤_poly Q
Zhijun Li S1034040Autumn08HIT 90
P = NP
• Either P = NP, or there is a p ∈ NP with p ∉ P
• If P = NP
  – Modern cryptography is NOT secure
• If there is a p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Find the exponent x satisfying α^x ≡ β (mod p)
• DHP: Find α^(ab) (mod p) from α^a (mod p) and α^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)
Zhijun Li S1034040Autumn08HIT 93
Semantic Security
• Ideas of Semantic Security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of Semantic Security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
  Challenger: picks random k and picks random b ∈ {0, 1}
  Adversary: picks M0, M1 of equal length and sends them to the challenger
  Challenger: returns the challenge ciphertext C = E_k(M_b)
  Adversary: outputs a guess b'
  Attacker wins the game if b = b'
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
  Challenger: 1. picks random k; 2. picks random M; sends C = E_k(M)
  Adversary: 3. picks a bit position i and outputs a guess a
  Attacker wins the game if a = the i'th bit of M
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
• HTTP URL
httpcsthiteducncryptography
• Due Date
Zhijun Li S1034040Autumn08HIT 48
The Generator of a Group
• Definition: A group all of whose elements can be generated by a single element g; g is called the generator of the group
• Example
  – Consider <Z7*, ·>
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • <{1, 2, 4}, ·> is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is the generator
Zhijun Li S1034040Autumn08HIT 49
Ring
• Definition: A ring R = <S, +, ·> (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a·b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c
• Example
  – The set of even integers with + and · is a ring
  – For two primes p, q and n = pq, Zn = {0, 1, …, n-1} with addition and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
• Definition: A field F is <S, +, ·> with
  – F1: <S, +, ·> is a commutative ring (a·b = b·a)
  – F2: There exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: Any nonzero element a ∈ S has a unique inverse a^-1: a·a^-1 = a^-1·a = 1
• Example
  – Zn = <{0, 1, …, n-1}, +, ·> is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
[Figure: Relationship of the structures used in cryptography. Group: +, −; Ring: +, −, ×; Field: +, −, × (and division by nonzero elements)]
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F_(2^n)
Zhijun Li S1034040Autumn08HIT 53
Zn
• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n-1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z26 for English
  – Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: Yes
  – For every x in Zn there is a number y such that x + y = 0
• Multiplicative inverse: Not for all x
  – A number y such that x·y = 1 exists only for some x in Zn
  – The elements of Zn that have an inverse: {x | gcd(x, n) = 1}
Zhijun Li S1034040Autumn08HIT 55
Zn*
• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field
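The generator slide (slide 48) and this Zn* slide in working form, as an added example that is not part of the original deck: Zn* is enumerated via gcd, closure under · holds while closure under + fails (the check below uses 3 + 7 = 10, because gcd(5, 20) = 5 puts the slide's 5 outside Z20*), and the cyclic subgroups generated by 2 and 3 in Z7* are walked out. All function names are my own.

```python
"""Z_n^* and cyclic subgroups, following the generator and Z_n^* slides.
Added example, not from the original deck; all names are my own.
"""
from math import gcd


def units_mod(n):
    """Z_n^* = {x in Z_n | gcd(x, n) = 1}; len(units_mod(n)) is Euler's phi(n)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def closed_under(op, elems, n):
    """True if applying op to any two elements (mod n) stays inside elems."""
    members = set(elems)
    return all(op(a, b) % n in members for a in elems for b in elems)


def generated_subgroup(g, n):
    """<g> = {g^1, g^2, ...} mod n, in generation order, for g in Z_n^*.
    The powers of a unit cycle back to 1, so the walk stops at the first repeat."""
    elems, x = [], g % n
    while x not in elems:
        elems.append(x)
        x = (x * g) % n
    return elems


def generators(n):
    """Elements g of Z_n^* whose powers produce all of Z_n^* (primitive roots)."""
    units = units_mod(n)
    return [g for g in units if len(generated_subgroup(g, n)) == len(units)]


def inverse_mod(x, n):
    """Multiplicative inverse of x in Z_n, or None when gcd(x, n) != 1
    (the Zn Properties slide: only the units have inverses)."""
    return pow(x, -1, n) if gcd(x, n) == 1 else None


if __name__ == "__main__":
    print(units_mod(20), "phi(20) =", len(units_mod(20)))           # 8 units
    print(closed_under(lambda a, b: a * b, units_mod(20), 20))       # True
    print(closed_under(lambda a, b: a + b, units_mod(20), 20))       # False: 3 + 7 = 10
    print(generated_subgroup(2, 7), generated_subgroup(3, 7))        # [2, 4, 1] [3, 2, 6, 4, 5, 1]
    print(generators(7))                                             # [3, 5]
```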
Zhijun Li S1034040Autumn08HIT 56
Zp
• Zp is the "field" of integers modulo a prime p
  – Zp = {0, 1, 2, …, p-1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2
  +  | 0 | 1        ·  | 0 | 1        w | -w | w^-1
  0  | 0 | 1        0  | 0 | 0        0 |  0 | (none)
  1  | 1 | 0        1  | 0 | 1        1 |  1 |  1
  (XOR)             (AND)
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_(n-1) x^(n-1) + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)
Zhijun Li S1034040Autumn08HIT 62
Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)
Zhijun Li S1034040Autumn08HIT 63
Z2[x]/(x^3 + x + 1) Properties
• S is a group over addition in R
  – 0 is the identity e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S (its nonzero elements) is a group over multiplication mod p(x)
  – 1 is the identity e, and the inverse of a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3 + x + 1) is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
• Definition: A Galois field is (S, +, ·) where
  – S = F[x]/p(x)
  – F is the field Z_N (N is prime)
  – + is addition in F, · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted GF(N^n) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251 … 255 are wasted
• Is it possible to find a field for Z256?
  – Yes – the Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↦ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example: AES
• Arithmetic in AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010
Zhijun Li S1034040Autumn08HIT 68
Galois Field Example: AES
• Example: 02·87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ x
  • 02·87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
    = (x^4 + x^3 + x + 1) + (x^3 + x^2 + x) = x^4 + x^2 + 1 ↔ 00010101 = 15, using x^8 ≡ x^4 + x^3 + x + 1 mod p(x)
• In general, for a byte b = (b7 b6 b5 b4 b3 b2 b1 b0):
  x·f(x) ↔ 02·b = (b6 b5 b4 b3 b2 b1 b0 0) if b7 = 0
  x·f(x) ↔ 02·b = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011) if b7 = 1
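The Z2[x] arithmetic from the polynomial ring example, the Z2[x]/(x^3 + x + 1) slides and the AES GF(2^8) slides above, as an added example that is not code from the slides: polynomials over Z2 are stored as bit vectors, products are reduced by long division, inverses come from the Extended Euclidean Algorithm the slides mention, and xtime implements the two-case 02·b rule. The constants AES_POLY and TOY_POLY and all function names are my own.

```python
"""GF(2^n) arithmetic with polynomials over Z2 stored as bit vectors.
Added example, not from the slides: bit i of an int is the coefficient
of x^i, so 0b1011 = x^3 + x + 1 and 0x1b = x^4 + x^3 + x + 1.
"""

AES_POLY = 0x11b   # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial
TOY_POLY = 0b1011  # x^3 + x + 1, the slides' Z2[x]/(x^3 + x + 1) example


def deg(p):
    """Degree of a polynomial; -1 for the zero polynomial."""
    return p.bit_length() - 1


def poly_mul(a, b):
    """Carry-less product in Z2[x] (no reduction): shift-and-xor."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_divmod(a, b):
    """Long division in Z2[x]: (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r, db = 0, a, deg(b)
    while r and deg(r) >= db:
        shift = deg(r) - db
        q ^= 1 << shift
        r ^= b << shift
    return q, r


def gf_mul(a, b, poly):
    """a * b in Z2[x]/(poly): multiply, then reduce modulo poly."""
    return poly_divmod(poly_mul(a, b), poly)[1]


def gf_inv(a, poly):
    """a^-1 in Z2[x]/(poly) by the extended Euclidean algorithm.
    Invariant: r_i = s_i*poly + t_i*a, so when r_i reaches 1, t_i is the
    inverse. Raises if a is 0 (or poly is reducible and gcd(a, poly) != 1)."""
    r0, r1 = poly, a
    t0, t1 = 0, 1
    while r1 > 1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ poly_mul(q, t1)   # subtraction is xor in Z2[x]
    if r1 == 0:
        raise ValueError("element has no inverse")
    return poly_divmod(t1, poly)[1]


def xtime(b):
    """AES 02 * b for a byte b: shift left; if the dropped bit b7 was 1, the
    x^8 term is replaced by x^4 + x^3 + x + 1, i.e. xor with 0x1b."""
    b <<= 1
    return (b ^ 0x1b) & 0xff if b & 0x100 else b


if __name__ == "__main__":
    print(bin(poly_mul(0b1011, 0b110)))            # x^5 + x^4 + x^3 + x
    print(gf_mul(0b101, 0b10, TOY_POLY))           # (x^2 + 1) * x = 1
    print(hex(gf_inv(0x53, AES_POLY)))             # 0xca
    print(hex(xtime(0x87)), hex(gf_mul(0x02, 0x87, AES_POLY)))  # 0x15 0x15
```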
Zhijun Li S1034040Autumn08HIT 69
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_(i=1)^N p(a_i) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_(i=1)^S p(b_i) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ M}
[Figure: Sender → Encryption (input m) → c → Decryption → Receiver (output m); the key k reaches both ends over a Secure Channel; Cryptanalysis observes c. Key Space (K), Message Space (P), Ciphertext Space (C)]
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon (1916-2001)
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
• Pr[C = c] = Σ_(k ∈ K, c ∈ C(k)) Pr[K = k] · Pr[m = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_(k ∈ K, m = d_k(c)) Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_(k | m = d_k(c)) Pr(k) ) / ( Σ_(k ∈ K, c ∈ C(k)) Pr(k) · Pr(d_k(c)) )
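The three formulas on this slide, and the perfect secrecy theorem (slides 74 to 78) that rests on them, applied to a constructed shift cipher over Z_5 with a skewed plaintext distribution, as an added example that is not from the slides: cipher_posteriors computes Pr[C = c] and Pr[P = m | C = c] exactly with fractions, has_perfect_secrecy tests Shannon's condition, and theorem_conditions checks the theorem's two conditions (uniform keys, one key per (x, y)). All names and sample distributions are my own.

```python
"""Perfect secrecy check from the slides' probability formulas.
Added example, not from the original deck: a single-message cipher is a
table enc[k][m] = c, and every distribution below is constructed for the demo.
"""
from fractions import Fraction
from itertools import product


def uniform_dist(items):
    """Uniform distribution over a finite set, as exact fractions."""
    items = list(items)
    return {i: Fraction(1, len(items)) for i in items}


def shift_cipher(n):
    """e_k(m) = (m + k) mod n on Z_n, so |K| = |P| = |C| = n."""
    return {k: {m: (m + k) % n for m in range(n)} for k in range(n)}


def cipher_posteriors(enc, pr_m, pr_k):
    """Return (Pr[C=c], Pr[P=m|C=c]) computed exactly as on the slide:
    Pr[C=c]     = sum over k with c in C(k) of Pr[K=k] * Pr[P=d_k(c)]
    Pr[C=c|P=m] = sum over k with e_k(m)=c of Pr[K=k]
    Pr[P=m|C=c] = Pr[C=c|P=m] * Pr[P=m] / Pr[C=c]        (Bayes)
    """
    pr_c = {}
    for k, table in enc.items():
        for m, c in table.items():          # e_k(m) = c  <=>  d_k(c) = m
            pr_c[c] = pr_c.get(c, Fraction(0)) + pr_k[k] * pr_m[m]
    pr_c = {c: p for c, p in pr_c.items() if p > 0}   # only observable c
    posterior = {}
    for m, c in product(pr_m, pr_c):
        pr_c_given_m = sum((pr_k[k] for k in enc if enc[k][m] == c), Fraction(0))
        posterior[(m, c)] = pr_c_given_m * pr_m[m] / pr_c[c]
    return pr_c, posterior


def has_perfect_secrecy(enc, pr_m, pr_k):
    """Shannon's definition: Pr[P=m|C=c] = Pr[P=m] for every m and c."""
    _, posterior = cipher_posteriors(enc, pr_m, pr_k)
    return all(posterior[(m, c)] == pr_m[m] for (m, c) in posterior)


def theorem_conditions(enc, pr_k):
    """The two conditions of the perfect secrecy theorem (|K| = |P| = |C|):
    every key has probability 1/|K|, and for each (x, y) exactly one key k
    has e_k(x) = y.  Returns (uniform_keys, unique_key_per_pair)."""
    keys = list(enc)
    plaintexts = {m for table in enc.values() for m in table}
    ciphertexts = {c for table in enc.values() for c in table.values()}
    uniform = all(pr_k[k] == Fraction(1, len(keys)) for k in keys)
    unique = all(sum(1 for k in keys if enc[k][x] == y) == 1
                 for x, y in product(plaintexts, ciphertexts))
    return uniform, unique


# Constructed sample: Z_5 shift cipher, a skewed plaintext distribution,
# a uniform key distribution and a skewed one.
N = 5
ENC = shift_cipher(N)
PR_M = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8),
        3: Fraction(1, 16), 4: Fraction(1, 16)}
UNIFORM_K = uniform_dist(range(N))
SKEWED_K = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
            3: Fraction(1, 8), 4: Fraction(1, 8)}

if __name__ == "__main__":
    print("uniform keys:", has_perfect_secrecy(ENC, PR_M, UNIFORM_K))   # True
    print("skewed keys: ", has_perfect_secrecy(ENC, PR_M, SKEWED_K))    # False
    print("theorem conditions, skewed keys:", theorem_conditions(ENC, SKEWED_K))
```

With uniform keys every ciphertext has probability exactly 1/|K| and the posterior equals the prior for every (m, c); with the skewed key distribution the same cipher leaks (for c = 0, Pr[P = 0 | C = 0] = 4/5 against a prior of 1/2).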
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 49
Ringbull Definition A ring R=ltS+gt (+ is addition is
multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac
bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio
n and multiplication mod n is a ring
Zhijun Li S1034040Autumn08HIT 50
Field
bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic
ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers
e a-1 a = a-1 a = 1
bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime
Zhijun Li S1034040Autumn08HIT 51
Field +-x
Relationship
Ring +-x
+-Group
Used In Cryptography
Zhijun Li S1034040Autumn08HIT 52
Several Important Structures
bull Zn
bull Zn
bull Zp
bull Polynomial Rings
bull Galois Field F2n
Zhijun Li S1034040Autumn08HIT 53
Zn
bull Zn is the ldquoringrdquo of integers modulo n
ndash Zn=0 1 2 hellipn-1
ndash Normal addition modulo nndash Normal multiplication modulo n
bull Example
ndash Z26 for English
ndash Z256 for ASCII
Zhijun Li S1034040Autumn08HIT 54
Zn Properties
bull Additive and multiplicative identities in Zn
ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n
bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn
bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn
ndash The elements in Zn have inverse x|gcd(xn)=1
Zhijun Li S1034040Autumn08HIT 55
Zn
bull Zn is a ldquogrouprdquo of integers modulo n
ndash Zn=x| gcd(xn)=1
ndash |Zn|=(n)
ndash Normal multiplication modulo n
bull Zn may not a group over +
ndash Example n=20 35 Zn but 3+5=8 Zn
bull So Zn may not a field
Zhijun Li S1034040Autumn08HIT 56
Zp
bull Zp is the ldquofieldrdquo of integers modulo n
ndash Zp=012hellipp-1
ndash Normal addition modulo pndash Normal multiplication modulo p
bull ExampleZ2+ 0 1
01
0 11 0
0 1
01
0 00 1
w -w w-1
01
01 1
XOR AND
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0
bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space $P$ have size $n$. Any cipher with perfect secrecy has $|K| \ge n$.
• Proof:
  – Consider a distribution on $P$ that gives every message nonzero probability.
  – Fix any ciphertext $c$ with $\Pr[C=c] > 0$. For every $m \in P$,
    $\Pr[P=m \mid C=c] = \Pr[P=m] > 0$, so there must exist a key that decrypts $c$ to $m$.
  – One key decrypts $c$ to exactly one message, so at least $n$ distinct keys are needed.
Introduction to Complexity

• Perfect secrecy requires key length ≥ message length.
  – One key can NOT be used to encrypt many messages: the total plaintext would exceed the key.
  – For example, a 56-bit key cannot give perfect secrecy for a document longer than 56 bits.
• So modern cryptography
  – does NOT aim at perfect secrecy;
  – IS secure against adversaries with limited resources (computational security);
  – means that recovering the key (or the plaintext) is computationally difficult;
  – complexity theory is therefore the foundation of modern cryptography.
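The definitions on the last few slides can be checked by exhaustive computation on a toy cipher. The following Python script is an added example, not part of the lecture slides: it models the shift cipher over $\mathbb{Z}_{26}$ with a constructed, deliberately non-uniform plaintext distribution, computes $\Pr[C=c]$ and $\Pr[P=m \mid C=c]$ exactly (with fractions) as on the "Probability Distribution of C" slide, and tests the perfect-secrecy condition. It confirms that one uniformly random key per one-letter message is perfectly secret, that a biased key distribution breaks it (the theorem's first condition), and that reusing the same key for two letters leaks whether the two letters are equal (the $|K| \ge |P|$ bound).

```python
from fractions import Fraction
from itertools import product

N = 26  # alphabet size: letters and keys live in Z_26 (shift cipher)


def encrypt(k, m):
    """Shift cipher: e_k(m) adds the key k to every letter of m modulo 26."""
    return tuple((c + k) % N for c in m)


def ciphertext_distribution(msg_dist, key_dist):
    """Pr[C=c] = sum over (k, m) with e_k(m) = c of Pr[K=k] * Pr[P=m]
    (key and plaintext are chosen independently)."""
    dist = {}
    for m, pm in msg_dist.items():
        for k, pk in key_dist.items():
            c = encrypt(k, m)
            dist[c] = dist.get(c, Fraction(0)) + pk * pm
    return dist


def posterior(msg_dist, key_dist, cdist, m, c):
    """Pr[P=m | C=c] = Pr[C=c | P=m] * Pr[P=m] / Pr[C=c], where
    Pr[C=c | P=m] is the total probability of the keys mapping m to c."""
    pc_given_m = sum((pk for k, pk in key_dist.items() if encrypt(k, m) == c),
                     Fraction(0))
    return pc_given_m * msg_dist[m] / cdist[c]


def is_perfectly_secret(msg_dist, key_dist):
    """Perfect secrecy: Pr[P=m | C=c] == Pr[P=m] for every m and every c
    that occurs with positive probability (exact rational arithmetic)."""
    cdist = ciphertext_distribution(msg_dist, key_dist)
    return all(posterior(msg_dist, key_dist, cdist, m, c) == pm
               for m, pm in msg_dist.items() for c in cdist)


def skewed_message_dist(length):
    """Constructed, clearly non-uniform prior: Pr[m] proportional to (sum of letters + 1)."""
    msgs = list(product(range(N), repeat=length))
    weights = [Fraction(sum(m) + 1) for m in msgs]
    total = sum(weights)
    return {m: w / total for m, w in zip(msgs, weights)}


uniform_keys = {k: Fraction(1, N) for k in range(N)}
# constructed biased key distribution: Pr[K=k] proportional to k + 1
biased_keys = {k: Fraction(k + 1, N * (N + 1) // 2) for k in range(N)}


def one_letter_uniform_key():
    """One uniformly random key per one-letter message: the theorem's conditions hold."""
    return is_perfectly_secret(skewed_message_dist(1), uniform_keys)


def one_letter_biased_key():
    """Same cipher, keys not equiprobable: perfect secrecy fails."""
    return is_perfectly_secret(skewed_message_dist(1), biased_keys)


def two_letters_one_key():
    """Two letters under one 26-way key: |K| = 26 < |P| = 676, so it must fail."""
    return is_perfectly_secret(skewed_message_dist(2), uniform_keys)


def equal_letters_prior_and_posterior():
    """What leaks in the two-letter case: the prior probability that both letters
    are equal, and the same probability conditioned on observing c = (0, 0)."""
    msg_dist = skewed_message_dist(2)
    cdist = ciphertext_distribution(msg_dist, uniform_keys)
    equal = [m for m in msg_dist if m[0] == m[1]]
    prior = sum(msg_dist[m] for m in equal)
    post = sum(posterior(msg_dist, uniform_keys, cdist, m, (0, 0)) for m in equal)
    return prior, post
```

The two-letter check fails on the very first (m, c) pair, and `equal_letters_prior_and_posterior()` shows why: under a single shift key, $c_1 = c_2$ if and only if $m_1 = m_2$, so the posterior of "both letters equal" jumps from $1/26$ to $1$. That is precisely the kind of partial information a perfectly secret scheme must not leak, and the reason a one-time pad needs a key as long as the whole message.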
Problems

• Definition: A problem is a general question with associated parameters whose values are not specified.
• Example:
  – Name: GCD problem
  – Instance: two natural numbers $a, b \in \mathbb{N}$
  – Question: what is the greatest common divisor of $a$ and $b$?
  – An instance of the GCD problem: what is $\gcd(24, 16)$?
Turing Machine

• Definition: A Turing Machine is given by a transition function $\delta: S \times B \to S \times B \times \{l, r\}$
  – where $S$ is the set of states, $B$ is the tape alphabet, $l$ means "shift left" and $r$ means "shift right".
• [Figure: an infinite tape "… 0 1 1 0 0 0 1 1 …" read and written by a finite state machine]
Algorithms

• Definition: An algorithm is a step-by-step procedure (modelled on a Turing Machine) which, for an instance, produces the correct answer.
• An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem.
Problems and Algorithms

• [Figure: a PROBLEM has many INSTANCES; an instance is the Input of an ALGORITHM, whose Output is the answer for that instance]
Complexity of Algorithm

• Definition: The time complexity of an algorithm is the number of steps (of the Turing Machine) needed to produce the solution for a given instance of size $n$.
• Time complexity function (TCF):
  – Logarithmic functions: $f(n) = \log n$
  – Polynomial functions: $f(n) = n^a$, $a \in \mathbb{N}$
  – Exponential functions: $f(n) = \Omega(a^n)$ for some $a \in \mathbb{N}$, $a > 1$, and there exists $b \in \mathbb{N}$ with $f(n) = O(b^n)$
Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms that solve it.
  – The complexity of a problem is much harder to determine than that of an algorithm: an upper bound needs one algorithm, a lower bound needs a proof about all of them.
  – It relies on mathematical analysis.
• Definition: Complexity theory is the mathematical discipline that classifies problems by the difficulty of solving them.
Classes of Problem

• Undecidable (provably intractable)
  – There is no algorithm that solves it
  – Example: the Turing halting problem
• Decidable
  – P: can be solved in polynomial time by a deterministic Turing machine (DTM), $\delta: S \times B \to S \times B \times \{l, r\}$
    • Example: integer multiplication $A \times B$
  – NP: can be solved in polynomial time by a non-deterministic Turing machine (NDTM), $\delta: S \times B \to 2^{S \times B \times \{l, r\}}$
  – BPP: can be "solved" in polynomial time by a probabilistic Turing machine (PTM), $\delta: S \times B \times \{0, 1\} \to S \times B \times \{l, r\}$ (randomized algorithms)
NP Problem

• NP: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution (some computation path accepts).
• Remark:
  – P ⊆ NP
  – NP problems are "more difficult" by intuition, although P ≠ NP is unproven
• NPC: the most difficult problems in NP
  – How to define "difficulty"? P problems are considered easy; harder problems are compared by polynomial reduction.
Polynomial Reduction

• Definition: Assume $Q_1, Q_2 \in \mathrm{NP}$ with instance sets $I_1, I_2$, and let $I_1^{+} \subseteq I_1$ and $I_2^{+} \subseteq I_2$ be their "yes" instances.
  $Q_1$ is polynomially reducible to $Q_2$ if there is a function $f: I_1 \to I_2$ such that
  – $f$ is computable in polynomial time by a DTM, and
  – for all $x \in I_1$: $x \in I_1^{+}$ iff $f(x) \in I_2^{+}$.
• Note:
  – $Q_2$ is at least as hard as $Q_1$: a polynomial-time algorithm for $Q_2$ yields one for $Q_1$.
  – Denoted $Q_1 \le_{\mathrm{poly}} Q_2$.
NP Completeness (NPC)

• Definition: A problem $Q_c$ is NP-complete if $Q_c \in \mathrm{NP}$ and for every $Q \in \mathrm{NP}$ we have $Q \le_{\mathrm{poly}} Q_c$. (Without the condition $Q_c \in \mathrm{NP}$ the problem is only NP-hard.)
• Example:
  – Name: Satisfiability problem (SAT)
  – Instance: a set $U$ of variables and a collection $C$ of clauses over $U$
  – Question: is there a satisfying truth assignment for $C$?
• How to prove that a problem $Q$ is NPC: show $Q \in \mathrm{NP}$ and $\mathrm{SAT} \le_{\mathrm{poly}} Q$ (Cook's theorem establishes SAT as NP-complete).
P = NP?

• Either P = NP, or there exists $p \in \mathrm{NP}$ with $p \notin \mathrm{P}$.
• If P = NP:
  – modern cryptography is NOT secure: key recovery from known plaintext/ciphertext pairs is an NP search problem (a candidate key is checked in polynomial time), so it would be solvable in polynomial time.
• If there exists $p \in \mathrm{NP} \setminus \mathrm{P}$:
  – the hope is that a one-way function can be built from $p$, and that indistinguishable pseudorandom functions then exist;
  – these are the foundations of modern cryptography.
  – Caveat: P ≠ NP is necessary for one-way functions (their existence implies P ≠ NP) but is not known to be sufficient. NP ⊄ P is a worst-case statement, while cryptography needs problems that are hard on average over efficiently generated instances.
BPP

• There are randomized algorithms in cryptography
  – especially in cryptanalysis;
  – BPP is the model for polynomial-time randomized algorithms.
• Remarks on BPP:
  – the problem is solved with a bounded error probability (at most 1/3 on every input);
  – the error probability can be reduced by repetition and majority vote;
  – security definitions in cryptography are stated against BPP (probabilistic polynomial-time) adversaries;
  – this will be analyzed in depth later.
Problems in Cryptography

• FACTORING: given $n$, find its factorization $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$
• DLP (discrete logarithm): given a prime $p$, a generator $\alpha$ of $\mathbb{Z}_p^*$ and $\beta \in \mathbb{Z}_p^*$, find $x$ satisfying $\alpha^x \equiv \beta \pmod p$
• DHP (Diffie–Hellman): find $\alpha^{ab} \pmod p$ from $\alpha^a \pmod p$ and $\alpha^b \pmod p$
• Subset-Sum: given a set of positive integers $A = \{a_1, a_2, \ldots, a_n\}$ and a positive integer $s$, determine whether there is a subset of $A$ whose sum is $s$
• QRP (quadratic residuosity): decide whether $a$ is a quadratic residue modulo $n$
• SQROOT: find $x$ satisfying $x^2 \equiv a \pmod n$
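Three of the problems listed above are closely related: square roots modulo a prime are easy, square roots modulo $n = pq$ are easy only when the factors are known, and two "unrelated" square roots of the same residue modulo $n$ reveal a factor of $n$. The following Python code is an added example, not from the slides: it decides QRP modulo a prime with Euler's criterion, solves SQROOT modulo primes $p \equiv 3 \pmod 4$ and, via the Chinese remainder theorem, modulo a product of two such primes (the primes 1019 and 1447 are constructed for the demo), and recovers a factor of $n$ from two square roots, which is why SQROOT modulo a composite is as hard as FACTORING.

```python
from math import gcd


def is_qr(a, p):
    """QRP modulo an odd prime p, by Euler's criterion:
    a is a quadratic residue iff a^((p-1)/2) == 1 (mod p)."""
    return pow(a % p, (p - 1) // 2, p) == 1


def sqrt_mod_prime(a, p):
    """SQROOT modulo a prime p with p % 4 == 3: x = a^((p+1)/4) works because
    x^2 = a^((p+1)/2) = a * a^((p-1)/2) = a (mod p). Returns both roots (x, -x)."""
    if p % 4 != 3 or not is_qr(a, p):
        raise ValueError("need p = 3 (mod 4) and a quadratic residue a")
    x = pow(a, (p + 1) // 4, p)
    return x, (-x) % p


def crt(r1, p, r2, q):
    """Chinese remainder theorem for coprime p, q: the x mod p*q with
    x = r1 (mod p) and x = r2 (mod q)."""
    return (r1 * q * pow(q, -1, p) + r2 * p * pow(p, -1, q)) % (p * q)


def sqrt_mod_pq(a, p, q):
    """SQROOT modulo n = p*q when the factorisation is known: combine the
    two roots mod p with the two roots mod q, giving four roots mod n."""
    return sorted({crt(x, p, y, q) for x in sqrt_mod_prime(a, p)
                   for y in sqrt_mod_prime(a, q)})


def factor_from_roots(n, x, y):
    """If x^2 = y^2 (mod n) but x != +-y (mod n), then n divides (x-y)(x+y)
    but neither factor, so gcd(x - y, n) is a nontrivial factor of n."""
    if (x * x - y * y) % n != 0:
        raise ValueError("x and y are not square roots of the same residue")
    g = gcd(x - y, n)
    return g if 1 < g < n else None


def demo(p=1019, q=1447, seed=123456):
    """Constructed toy instance: both primes are 3 (mod 4); a = seed^2 mod n is a
    residue by construction. Returns (n, the four roots, a recovered factor)."""
    n = p * q
    a = seed * seed % n
    roots = sqrt_mod_pq(a, p, q)
    # Each +-pair has exactly one member below n/2, so the two smallest roots
    # come from different pairs: whoever holds both of them factors n.
    return n, roots, factor_from_roots(n, roots[0], roots[1])
```

The last function is the core of Rabin's argument: anyone who can compute square roots modulo $n$ without knowing $p$ and $q$ can be handed $x^2 \bmod n$ for a random $x$, and with probability $1/2$ the returned root is not $\pm x$, at which point `factor_from_roots` splits $n$.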
Semantic Security

• Ideas of semantic security:
  – sits between Shannon security and security based purely on complexity;
  – may leak partial information (such as the message length), but nothing an efficient adversary can use;
  – an approximation of perfect secrecy for computationally bounded adversaries.
• Definition of semantic security (via indistinguishability of ciphertexts):
  – it is difficult to distinguish the ciphertexts of two different plaintexts;
  – it is difficult to distinguish a ciphertext from random bits.
IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is $(t, \varepsilon)$ IND-CPA secure if no $t$-time adversary wins the following game with probability $\ge 1/2 + \varepsilon$.
• The game:
  1. Challenger picks a random key $k$ and a random bit $b \in \{0, 1\}$.
  2. Adversary picks $M_0, M_1$ of equal length and sends them to the challenger.
  3. Challenger returns the challenge ciphertext $C = E_k(M_b)$.
  4. Adversary outputs a guess $b'$.
  – The attacker wins the game if $b = b'$.
• In the chosen-plaintext version the adversary may also ask the challenger for $E_k(M)$ on messages $M$ of its choice, before and after receiving $C$; without those queries this is the weaker eavesdropper game.
Bit Secure

• A cipher is $(t, \varepsilon)$ bit secure if no $t$-time adversary wins the following game with probability $\ge 1/2 + \varepsilon$.
• The game:
  1. Challenger picks a random key $k$.
  2. Challenger picks a random message $M$ and sends $C = E_k(M)$ to the adversary.
  3. Adversary picks an index $i$ and outputs a bit $a$.
  – The attacker wins the game if $a$ equals the $i$'th bit of $M$.
Semantic Security

• Theorem: Any cipher that is $(t, \varepsilon)$ IND-CPA secure against eavesdroppers is also $(t, \varepsilon)$ bit secure.
• Proof (sketch): Given a $(t, \varepsilon)$ attacker $B$ against bit security, build an attacker $A$ against IND-CPA security:
  – $A$ picks a random $M_0$ and sets $M_1$ to the bitwise complement of $M_0$; then $M_b$ is uniformly random, so $C = E_k(M_b)$ is distributed exactly as in the bit-security game.
  – $A$ runs $B$ on $C$; $B$ returns an index $i$ and a guess $a$.
  – Bit $i$ of $M_0$ and of $M_1$ always differ, so $A$ outputs the $b'$ for which bit $i$ of $M_{b'}$ equals $a$.
  – $A$ wins exactly when $B$ guesses correctly, so $A$ has the same advantage $\varepsilon$ and essentially the same running time $t$.
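The two games above and the reduction between them can be run as code. The following Python harness is an added example, not from the slides: it implements the IND-CPA game (including the encryption oracle that the slide's picture leaves implicit), the bit-security game, and the slide's reduction from a bit-guessing adversary to an IND adversary. The ciphers are constructed stand-ins built on SHAKE-128 as a keystream generator: a deterministic one (no nonce), a randomised one (fresh nonce per message), and a randomised one that leaks the low bit of the first plaintext byte. A seeded `random.Random` replaces a real CSPRNG only so that the runs are reproducible; in real code keys and nonces must come from the OS CSPRNG.

```python
import hashlib
import random

rng = random.Random(20081007)   # seeded for reproducibility; use os.urandom in real code
KEY_LEN, MSG_LEN = 16, 16


def rand_bytes(n):
    return bytes(rng.getrandbits(8) for _ in range(n))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, nonce, n):
    """Constructed stand-in for a stream cipher: SHAKE-128(key || nonce)."""
    return hashlib.shake_128(key + nonce).digest(n)


def enc_det(key, m):
    """Deterministic: the same key and message always give the same ciphertext."""
    return xor(m, keystream(key, b"", len(m)))


def enc_rand(key, m):
    """Randomised: a fresh 16-byte nonce per call, sent in the clear."""
    nonce = rand_bytes(16)
    return nonce + xor(m, keystream(key, nonce, len(m)))


def enc_leaky(key, m):
    """Randomised, but appends the lowest bit of m[0] in the clear (constructed flaw)."""
    return enc_rand(key, m) + bytes([m[0] & 1])


def bit(m, i):
    """Bit i of the message m; the least significant bit of m[0] is bit 0."""
    return (m[i // 8] >> (i % 8)) & 1


def ind_cpa_game(enc, adversary, trials=200):
    """IND-CPA game: challenger picks k and b; the adversary, with an oracle for E_k,
    picks M0, M1 of equal length, sees E_k(M_b) and outputs b'. Returns the win rate."""
    wins = 0
    for _ in range(trials):
        key, b = rand_bytes(KEY_LEN), rng.getrandbits(1)
        oracle = lambda m, key=key: enc(key, m)
        m0, m1 = adversary.choose(oracle)
        assert len(m0) == len(m1)
        wins += adversary.guess(oracle, enc(key, (m0, m1)[b])) == b
    return wins / trials


def bit_game(enc, adversary, trials=200):
    """Bit-security game: challenger picks k and a random M; the adversary sees
    E_k(M), picks an index i and guesses bit i of M. Returns the win rate."""
    wins = 0
    for _ in range(trials):
        key, m = rand_bytes(KEY_LEN), rand_bytes(MSG_LEN)
        i, a = adversary.attack(enc(key, m))
        wins += a == bit(m, i)
    return wins / trials


class CompareWithOracle:
    """CPA adversary: asks the oracle for E_k(M0) and compares it with the challenge.
    Wins with probability 1 against any deterministic scheme."""
    def choose(self, oracle):
        self.m0, self.m1 = b"attack at dawn!!", b"attack at dusk!!"
        self.c0 = oracle(self.m0)
        return self.m0, self.m1

    def guess(self, oracle, challenge):
        return 0 if challenge == self.c0 else 1


class ReadLeakedBit:
    """Bit-security adversary for enc_leaky: the last ciphertext byte is bit 0 of M."""
    def attack(self, c):
        return 0, c[-1] & 1


class BitToInd:
    """The reduction from the slide: M1 = bitwise complement of M0, so M_b is uniform
    (the bit adversary sees its usual input) and bit i always differs between M0 and
    M1; output the b' whose message has bit i equal to the guess a."""
    def __init__(self, bit_adversary):
        self.bit_adversary = bit_adversary

    def choose(self, oracle):
        self.m0 = rand_bytes(MSG_LEN)
        self.m1 = bytes(x ^ 0xFF for x in self.m0)
        return self.m0, self.m1

    def guess(self, oracle, challenge):
        i, a = self.bit_adversary.attack(challenge)
        return 0 if bit(self.m0, i) == a else 1
```

Running `ind_cpa_game(enc_det, CompareWithOracle())` returns 1.0: a single oracle query breaks any deterministic scheme, which is why IND-CPA forces encryption to be randomised (or stateful). Against `enc_rand` the same adversary is back to coin-flipping. `ind_cpa_game(enc_leaky, BitToInd(ReadLeakedBit()))` also returns 1.0 without the reduction ever using the oracle, exactly as the proof sketch says: a bit-security attacker is converted into an eavesdropping IND attacker with no loss of advantage.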
Summary

• Number theory
  – primes, gcd, Euler's theorem, CRT
  – modular arithmetic
• Algebraic structures
  – group, field
  – $\mathbb{Z}_n$, $\mathbb{Z}_p$, $GF(2^n)$
• Shannon security
  – perfect secrecy
  – probability
• Complexity of computing
  – P, NP, NPC, BPP
Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due date:
Field

• Definition: A field $F$ is $\langle S, +, \cdot \rangle$ with
  – F1: $\langle S, +, \cdot \rangle$ is a commutative ring ($a \cdot b = b \cdot a$)
  – F2: there is an identity element $1$ with respect to multiplication: $a \cdot 1 = 1 \cdot a = a$
  – F3: every nonzero element $a \in S$ has a unique inverse $a^{-1}$: $a \cdot a^{-1} = a^{-1} \cdot a = 1$
• Example:
  – $\mathbb{Z}_n = \langle \{0, 1, \ldots, n-1\}, +, \cdot \rangle$ is a field if $n$ is a prime
Relationship

• [Figure: Group $(+, -)$ ⊂ Ring $(+, -, \times)$ ⊂ Field $(+, -, \times, \div)$; all three structures are used in cryptography]
Several Important Structures

• $\mathbb{Z}_n$
• $\mathbb{Z}_n^*$
• $\mathbb{Z}_p$
• Polynomial rings
• Galois field $\mathbb{F}_{2^n}$
$\mathbb{Z}_n$

• $\mathbb{Z}_n$ is the "ring" of integers modulo $n$
  – $\mathbb{Z}_n = \{0, 1, 2, \ldots, n-1\}$
  – normal addition modulo $n$
  – normal multiplication modulo $n$
• Example:
  – $\mathbb{Z}_{26}$ for English letters
  – $\mathbb{Z}_{256}$ for ASCII bytes
$\mathbb{Z}_n$ Properties

• Additive and multiplicative identities in $\mathbb{Z}_n$
  – the additive identity is $0 \bmod n$
  – the multiplicative identity is $1 \bmod n$
• Additive inverse: yes, for every $x$
  – a number $y$ such that $x + y \equiv 0 \pmod n$, namely $y = n - x$
• Multiplicative inverse: not for all $x$
  – a number $y$ such that $x \cdot y \equiv 1 \pmod n$
  – the elements of $\mathbb{Z}_n$ that have a multiplicative inverse are exactly $\{\, x \mid \gcd(x, n) = 1 \,\}$
$\mathbb{Z}_n^*$

• $\mathbb{Z}_n^*$ is the "group" of units of the integers modulo $n$
  – $\mathbb{Z}_n^* = \{\, x \in \mathbb{Z}_n \mid \gcd(x, n) = 1 \,\}$
  – $|\mathbb{Z}_n^*| = \varphi(n)$
  – normal multiplication modulo $n$
• $\mathbb{Z}_n^*$ is in general not a group under $+$
  – Example: $n = 20$: $3, 5 \in \mathbb{Z}_{20}^*$ but $3 + 5 = 8 \notin \mathbb{Z}_{20}^*$
• So $\mathbb{Z}_n^*$ is in general not a field
$\mathbb{Z}_p$

• $\mathbb{Z}_p$ is the "field" of integers modulo a prime $p$
  – $\mathbb{Z}_p = \{0, 1, 2, \ldots, p-1\}$
  – normal addition modulo $p$
  – normal multiplication modulo $p$
• Example: $\mathbb{Z}_2$

     +  | 0  1          ·  | 0  1          w | -w | w^-1
    ----+------        ----+------        ---+----+------
     0  | 0  1          0  | 0  0          0 |  0 |  none
     1  | 1  0          1  | 0  1          1 |  1 |  1

  Addition in $\mathbb{Z}_2$ is XOR, multiplication is AND.
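As an added example (not from the slides), the following Python code makes the three structures on the last four slides concrete for an arbitrary modulus: it computes inverses in $\mathbb{Z}_n$ with the extended Euclidean algorithm, enumerates $\mathbb{Z}_n^*$ and $\varphi(n)$, checks that $\mathbb{Z}_n^*$ is a group under multiplication but (for $n = 20$) not closed under addition, and tests whether $\mathbb{Z}_n$ is a field, which for the moduli that matter for byte arithmetic singles out 251 but not 256.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def inverse_mod(a, n):
    """Multiplicative inverse of a in Z_n, or None when gcd(a, n) != 1."""
    g, x, _ = egcd(a % n, n)
    return x % n if g == 1 else None


def additive_inverse(x, n):
    """The y with x + y == 0 (mod n); every element of Z_n has one."""
    return (-x) % n


def units(n):
    """Z_n^* = { x in Z_n : gcd(x, n) == 1 }, exact set of elements with an inverse."""
    return [x for x in range(n) if gcd(x, n) == 1]


def phi(n):
    """Euler's totient: |Z_n^*|."""
    return len(units(n))


def closed_under(op, elems):
    s = set(elems)
    return all(op(a, b) in s for a in elems for b in elems)


def units_are_mult_group(n):
    """Z_n^* is a group under multiplication mod n: contains 1, closed, inverses inside."""
    u = units(n)
    return (1 in u and closed_under(lambda a, b: a * b % n, u)
            and all(inverse_mod(x, n) in u for x in u))


def units_closed_under_add(n):
    """Is Z_n^* also closed under addition mod n? (In general it is not.)"""
    return closed_under(lambda a, b: (a + b) % n, units(n))


def is_field(n):
    """Z_n is a field iff every nonzero element has a multiplicative inverse,
    which happens exactly when n is prime."""
    return n > 1 and all(inverse_mod(x, n) is not None for x in range(1, n))
```

`inverse_mod` is the routine every RSA and ECC implementation contains in some form; the `None` return is the case to handle, because a modulus shared with the operand has no inverse and a library that silently returns garbage there is a classic source of bugs.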
Polynomial Ring

• Definition: If $R$ is a commutative ring, then a polynomial in $x$ over the ring $R$ is an expression of the form $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$, where each $a_i \in R$ and $n \ge 0$.
• Note: If $R$ is a commutative ring, the polynomial ring $R[x]$ is the ring formed by the set of all polynomials in $x$ having coefficients from $R$.
Polynomial Ring Example

• Example: Let $f(x) = x^3 + x + 1$ and $g(x) = x^2 + x$ be elements of $\mathbb{Z}_2[x]$.
  – $f(x) + g(x) = x^3 + x^2 + 1$
  – $f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1$ (in $\mathbb{Z}_2$, $-1 = 1$)
  – $f(x) \cdot g(x) = x^5 + x^4 + x^3 + x$ (the two $x^2$ terms cancel)
Set of Residues Modulo $p(x)$

• Definition: The set of residues modulo $p(x)$ of $R[x]$ is the set of remainders of elements of $R[x]$ on division by $p(x)$.
  – For the field construction that follows, $p(x)$ is an irreducible polynomial over $R$.
• The set of residues modulo $p(x)$ of $R[x]$ is denoted $R[x]/(p(x))$.
Congruent Polynomials

• Definition: $a(x), b(x)$ are congruent modulo $p(x)$, written $a(x) \equiv b(x) \pmod{p(x)}$, iff $p(x) \mid (a(x) - b(x))$.
• Example:
  – In $\mathbb{Z}_5[x]$: $3x^3 + 4x + 4 \equiv x + 4 \pmod{x^2 + 1}$
    • $3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)$
• Definition: If $a(x) \cdot b(x) \equiv 1 \pmod{p(x)}$, then $b(x) = a^{-1}(x) \bmod p(x)$.
Irreducible Polynomials

• Definition: If $a(x) = q(x) \cdot b(x)$, then $a(x)$ is divisible by $b(x)$, denoted $b(x) \mid a(x)$.
• Definition: A polynomial $a(x)$ is irreducible over $R$ if there is NO polynomial $b(x) \in R[x]$ with $0 < \deg b(x) < \deg a(x)$ such that $b(x) \mid a(x)$.
Example: $\mathbb{Z}_2[x]/(x^3 + x + 1)$

• $S = \{0,\ 1,\ x,\ x+1,\ x^2,\ x^2+1,\ x^2+x,\ x^2+x+1\}$, $p(x) = x^3 + x + 1$
• For any $f(x) \in \mathbb{Z}_2[x]$: $f(x) \bmod p(x) \in S$
• Example:
  – $x^4 + 1 = x \cdot x^3 + 1 \equiv x(x + 1) + 1 = x^2 + x + 1 \pmod{p(x)}$, using $x^3 \equiv x + 1$
• Note: $R[x]/(p(x))$ is the set of all polynomials $f(x) \in R[x]$ with $\deg f(x) < \deg p(x)$; as a set this holds for any nonzero $p(x)$, and irreducibility of $p(x)$ is what makes it a field.
$\mathbb{Z}_2[x]/(x^3 + x + 1)$ Properties

• $S$ is a group under addition in $R$
  – $0$ is the identity $e$, and the inverse of $a \in S$ is $a$ itself
  – Example: $(x^2 + 1) + (x^2 + 1) = 0$
• $S \setminus \{0\}$ is a group under multiplication modulo $p(x)$
  – $1$ is the identity $e$, and every nonzero $a \in S$ has an inverse
  – Example: $(x^2 + 1) \cdot x = x^3 + x \equiv (x + 1) + x = 1 \pmod{x^3 + x + 1}$, so $x^{-1} = x^2 + 1$
  – Note: inverses can be found with the extended Euclidean algorithm for polynomials
• Therefore $\mathbb{Z}_2[x]/(x^3 + x + 1)$ is a field
Galois Field

• Definition: A Galois field is $(S, +, \cdot)$ where
  – $S = F[x]/(p(x))$
  – $F$ is the field $\mathbb{Z}_N$ ($N$ prime)
  – $+$ is addition in $F[x]$ (coefficient-wise in $F$) and $\cdot$ is multiplication modulo $p(x)$
  – $p(x)$ is irreducible over $F$
• The Galois field $\mathbb{Z}_N[x]/(p(x))$ is denoted $GF(N^n)$, where $n = \deg p(x)$.
Why Galois Fields?

• For an 8-bit block:
  – $\mathbb{Z}_{256} = \{0, 1, \ldots, 255\}$ is not a field ($256 = 2^8$ is composite)
  – $\mathbb{Z}_{251} = \{0, 1, \ldots, 250\}$ is a field
    • the largest prime $< 256$ is $251$
    • the byte values $251, \ldots, 255$ would be wasted, and byte arithmetic would no longer be a bijection on bytes
• Is it possible to find a field with exactly $256$ elements?
  – Yes: the Galois field $GF(2^8)$
A Galois Field with 256 Elements

• Build a mapping from $n$-bit blocks to polynomials.
• Example: an 8-bit block
  – $10010111 \leftrightarrow 1 \cdot x^7 + 0 \cdot x^6 + 0 \cdot x^5 + 1 \cdot x^4 + 0 \cdot x^3 + 1 \cdot x^2 + 1 \cdot x^1 + 1 \cdot x^0$
• The field is $\mathbb{Z}_2[x]/(p(x))$ where $p(x)$ is irreducible with $\deg p(x) = 8$.
• Note: many cryptographic designs use binary Galois fields $GF(2^n)$.
Galois Field Example: AES

• AES uses $GF(2^8) = \mathbb{Z}_2[x]/(p(x))$ with $p(x) = x^8 + x^4 + x^3 + x + 1$ (hexadecimal $11B$).
• Example:
  – $01010011 \leftrightarrow x^6 + x^4 + x + 1$ (hexadecimal $53$)
  – $(01010011)^{-1} \leftrightarrow (x^6 + x^4 + x + 1)^{-1} \bmod p(x) = x^7 + x^6 + x^3 + x \leftrightarrow 11001010$ (hexadecimal $CA$)
Galois Field Example: AES

• Example: $02 \cdot 87$ (hexadecimal bytes)
  – $87 = 10000111 \leftrightarrow f(x) = x^7 + x^2 + x + 1$
  – $02 = 00000010 \leftrightarrow x$
  – $02 \cdot 87 \leftrightarrow x \cdot f(x) = x(x^7 + x^2 + x + 1) \bmod p(x) = x^8 + x(x^2 + x + 1) \bmod p(x)$
  – with $x^8 \equiv x^4 + x^3 + x + 1 \pmod{p(x)}$: $= x^4 + x^3 + x + 1 + x^3 + x^2 + x = x^4 + x^2 + 1 \leftrightarrow 00010101 = 15$
• In general, multiplying a byte $b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$ by $02$ ("xtime") is a left shift followed by a conditional XOR with $00011011$ (hexadecimal $1B$, the low byte of $p(x)$):
  – $x \cdot f(x) \leftrightarrow (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)$ if $b_7 = 0$
  – $x \cdot f(x) \leftrightarrow (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus (00011011)$ if $b_7 = 1$
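The arithmetic on these slides, from the 8-element field $\mathbb{Z}_2[x]/(x^3 + x + 1)$ up to the AES field, is one algorithm with a different modulus. The following Python code is an added example, not from the lecture and not from any AES implementation: it multiplies bit-vector polynomials with the shift-and-conditional-XOR ("xtime") rule shown above, computes inverses by raising to the power $2^n - 2$ (Fermat's little theorem in the multiplicative group of order $2^n - 1$), and checks that the residue ring is a field exactly when the modulus is irreducible, contrasting $x^3 + x + 1$ with the reducible $x^3 + 1 = (x + 1)(x^2 + x + 1)$.

```python
def gf_mul(a, b, modulus, degree):
    """Multiply a * b in GF(2^degree) = Z_2[x]/(modulus).
    Integers are coefficient bit-vectors: bit i is the coefficient of x^i.
    Each round multiplies a by x (shift left) and reduces when the x^degree
    bit appears, exactly the "xtime" rule on the AES slide; the bits of b
    select which x^i * a terms are added (XOR = addition in Z_2[x])."""
    overflow = 1 << degree
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & overflow:          # degree reached: subtract (= XOR) the modulus
            a ^= modulus
    return result


def gf_pow(a, e, modulus, degree):
    """Square-and-multiply exponentiation in the field."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, modulus, degree)
        a = gf_mul(a, a, modulus, degree)
        e >>= 1
    return result


def gf_inv(a, modulus, degree):
    """a^(2^degree - 2) equals a^-1 when the nonzero elements form a group
    of order 2^degree - 1, i.e. when the modulus is irreducible."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf_pow(a, (1 << degree) - 2, modulus, degree)


def is_field(modulus, degree):
    """The residue ring is a field iff every nonzero element has an inverse.
    With a reducible modulus some elements are zero divisors and this fails."""
    return all(gf_mul(a, gf_inv(a, modulus, degree), modulus, degree) == 1
               for a in range(1, 1 << degree))


def poly_str(a):
    """Pretty-print a bit-vector polynomial, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    terms = [{0: "1", 1: "x"}.get(i, f"x^{i}")
             for i in range(a.bit_length() - 1, -1, -1) if a >> i & 1]
    return " + ".join(terms) if terms else "0"


AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES modulus
TOY_POLY = 0b1011  # x^3 + x + 1, the 8-element field on the earlier slides
BAD_POLY = 0b1001  # x^3 + 1 = (x + 1)(x^2 + x + 1): reducible, so no field
```

Two points a practitioner should take from this: `gf_mul` runs in time that depends on the operand bits (the `if b & 1` and `if a & overflow` branches), which is acceptable for a textbook check but is a timing side channel in a real AES or GHASH implementation, where table-free constant-time or bit-sliced code is used instead; and `gf_inv` silently returns a wrong answer for a reducible modulus, which is why `is_field` (or an irreducibility test) belongs in any code that lets the modulus be configured.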
Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers

• Message space $P = M^L = \{\, m = (m_1, m_2, \ldots, m_L) \mid m_i \in M \,\}$
  – $M = \{a_i \mid i = 1, 2, \ldots, N\}$ with $p(a_i) \ge 0$ and $\sum_{i=1}^{N} p(a_i) = 1$
• Key space $K = B^R = \{\, b = (b_1, b_2, \ldots, b_R) \mid b_i \in B \,\}$
  – $B = \{b_i \mid i = 1, 2, \ldots, S\}$ with $p(b_i) \ge 0$ and $\sum_{i=1}^{S} p(b_i) = 1$
• Ciphertext space $C = \{\, c \mid c = e_k(m),\ k \in K,\ m \in P \,\}$
• [Figure: Sender → Encryption → $c$ → Decryption → Receiver; the key $k$ from the key space $K$ reaches both ends over a secure channel; cryptanalysis observes $c$ and tries to recover $m$]
Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
(R. G. Gallager)
Claude Shannon, 1916–2001
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Several Important Structures
• $Z_n$
• $Z_n^*$
• $Z_p$
• Polynomial Rings
• Galois Field $F_{2^n}$

$Z_n$
• $Z_n$ is the "ring" of integers modulo n
  – $Z_n = \{0, 1, 2, \ldots, n-1\}$
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – $Z_{26}$ for English
  – $Z_{256}$ for ASCII

$Z_n$ Properties
• Additive and multiplicative identities in $Z_n$
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: yes, for every x
  – A number y such that x + y = 0 (mod n), for each x in $Z_n$
• Multiplicative inverse: not for all x
  – A number y such that xy = 1 (mod n)
  – The elements of $Z_n$ that have an inverse are exactly $\{x \mid \gcd(x, n) = 1\}$

$Z_n^*$
• $Z_n^*$ is a "group" of integers modulo n
  – $Z_n^* = \{x \in Z_n \mid \gcd(x, n) = 1\}$
  – $|Z_n^*| = \phi(n)$
  – Normal multiplication modulo n
• $Z_n^*$ may not be a group over +
  – Example: n = 20; 3, 5 $\in Z_{20}^*$ but 3 + 5 = 8 $\notin Z_{20}^*$
• So $Z_n^*$ may not be a field
$Z_p$
• $Z_p$ is the "field" of integers modulo a prime p
  – $Z_p = \{0, 1, 2, \ldots, p-1\}$
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: $Z_2$

      +  | 0  1          ×  | 0  1          w | -w | w^-1
      ---+------         ---+------         --+----+-----
      0  | 0  1          0  | 0  0          0 |  0 |  -
      1  | 1  0          1  | 0  1          1 |  1 |  1
        (+ is XOR)         (× is AND)
Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$, where each $a_i \in R$ and $n \ge 0$
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example
• Example: Let $f(x) = x^3 + x + 1$ and $g(x) = x^2 + x$ be elements of $Z_2[x]$
  – $f(x) + g(x) = x^3 + x^2 + 1$
  – $f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1$ (in $Z_2$, subtraction is addition)
  – $f(x) \cdot g(x) = x^5 + x^4 + x^3 + x$

Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written $a(x) \equiv b(x) \pmod{p(x)}$, iff $p(x) \mid (a(x) - b(x))$
• Example
  – In $Z_5[x]$: $3x^3 + 4x + 4 \equiv x + 4 \pmod{x^2 + 1}$
    • $3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)$
• Definition: If $a(x) b(x) \equiv 1 \pmod{p(x)}$, then $b(x) = a^{-1}(x) \bmod p(x)$

Irreducible Polynomials
• Definition: If a(x) = q(x) b(x), then a(x) is divisible by b(x), denoted $b(x) \mid a(x)$
• Definition: A polynomial a(x) is irreducible over R if there is NO non-constant polynomial $b(x) \in R[x]$ with deg b(x) < deg a(x) and $b(x) \mid a(x)$
Example: $Z_2[x]/(x^3 + x + 1)$
• $S = \{0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1\}$
• $p(x) = x^3 + x + 1$
• For any $f(x) \in Z_2[x]$, $f(x) \bmod p(x) \in S$
• Example
  – $x^4 + 1 = x \cdot x^3 + 1 \equiv x(x + 1) + 1 = x^2 + x + 1 \pmod{p(x)}$, using $x^3 \equiv x + 1$
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials $f(x) \in R[x]$ with deg f(x) < deg p(x)

$Z_2[x]/(x^3 + x + 1)$ Properties
• S is a group over addition in R
  – 0 is the identity e, and the inverse of $a \in S$ is a itself
  – Example: $(x^2 + 1) + (x^2 + 1) = 0$
• $S \setminus \{0\}$ is a group over multiplication mod p(x)
  – 1 is the identity e, and every nonzero $a \in S$ has an inverse
  – Example: $(x^2 + 1) \cdot x = x^3 + x \equiv (x + 1) + x = 1 \pmod{x^3 + x + 1}$
  – Note: the Extended Euclidean Algorithm can be used to find inverses
• So $Z_2[x]/(x^3 + x + 1)$ is a field

Galois Field
• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is the field $Z_N$ (N is prime)
  – + is addition in F (coefficient-wise); · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field $Z_N[x]/p(x)$ is denoted $GF(N^n)$, where n = deg p(x)
Why Galois Field
• For an 8-bit block
  – $Z_{256} = \{0, 1, \ldots, 255\}$ is not a field
  – $Z_{251} = \{0, 1, \ldots, 250\}$ is a field
    • The largest prime < 256 is 251
    • The values 251 … 255 are wasted
• Is it possible to find a field with 256 elements?
  – Yes: a Galois field

Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
    10010111  ↔  $1 \cdot x^7 + 0 \cdot x^6 + 0 \cdot x^5 + 1 \cdot x^4 + 0 \cdot x^3 + 1 \cdot x^2 + 1 \cdot x^1 + 1 \cdot x^0$
• It is $Z_2[x]/p(x)$ where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields $GF(2^n)$

Galois Field Example: AES
• AES uses $GF(2^8) = Z_2[x]/p(x)$ where $p(x) = x^8 + x^4 + x^3 + x + 1$
• Example
  – 01010011 ↔ $x^6 + x^4 + x + 1$
  – $(01010011)^{-1}$ ↔ $(x^6 + x^4 + x + 1)^{-1} \bmod p(x) = x^7 + x^6 + x^3 + x$ ↔ 11001010

Galois Field Example: AES
• Example: 02 · 87
  • 87 = 10000111 ↔ $f(x) = x^7 + x^2 + x + 1$
  • 02 = 00000010 ↔ $f(x) = x$
  • 02 · 87 ↔ $x \cdot f(x) = x(x^7 + x^2 + x + 1) \bmod p(x) = x^8 + x(x^2 + x + 1) \bmod p(x)$
• In general, for a byte $b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$, multiplication by x (i.e. by 02) is
    $x \cdot f(x)$ ↔ $(b_6 b_5 b_4 b_3 b_2 b_1 b_0\, 0)$                      if $b_7 = 0$
    $x \cdot f(x)$ ↔ $(b_6 b_5 b_4 b_3 b_2 b_1 b_0\, 0) \oplus (00011011)$  if $b_7 = 1$
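The arithmetic of the last few slides, from the 8-element field $Z_2[x]/(x^3+x+1)$ up to the AES field, written out as an added example (my code, not the lecture's): bit-packed polynomials over $Z_2$, reduction by long division, the shift-and-XOR rule for multiplying by 02, and inverses by the extended Euclidean algorithm; the function names are my own.

```python
# Added example (not the lecture's own code): arithmetic in the binary Galois field
# GF(2^n) = Z2[x]/(p(x)).  A polynomial over Z2 is stored as an int whose bit i is the
# coefficient of x^i, so the 8-bit block 10010111 is simply the int 0b10010111 = 0x97.

AES_POLY = 0b1_0001_1011     # x^8 + x^4 + x^3 + x + 1 = 0x11B, the AES modulus
SMALL_POLY = 0b1011          # x^3 + x + 1, the modulus of the 8-element field


def poly_deg(a: int) -> int:
    """Degree of a as a polynomial over Z2 (the zero polynomial gets -1)."""
    return a.bit_length() - 1


def poly_str(a: int) -> str:
    """Render a bit pattern as the polynomial it encodes, e.g. 0x97 -> 'x^7 + x^4 + x^2 + x + 1'."""
    terms = []
    for i in range(poly_deg(a), -1, -1):
        if a >> i & 1:
            terms.append({0: "1", 1: "x"}.get(i, f"x^{i}"))
    return " + ".join(terms) if terms else "0"


def poly_divmod(a: int, b: int) -> tuple:
    """Long division in Z2[x]: return (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, poly_deg(b)
    while a and poly_deg(a) >= db:
        shift = poly_deg(a) - db
        q ^= 1 << shift          # add x^shift to the quotient
        a ^= b << shift          # subtract (= add, over Z2) x^shift * b
    return q, a


def clmul(a: int, b: int) -> int:
    """Carry-less product a*b in Z2[x] with no reduction (schoolbook shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf_mul(a: int, b: int, p: int = AES_POLY) -> int:
    """Field multiplication: a*b reduced modulo the irreducible p(x)."""
    return poly_divmod(clmul(a, b), p)[1]


def xtime(b: int, p: int = AES_POLY) -> int:
    """Multiply by x (the byte 02) the way the slide does it: shift left, and if the bit
    that fell off the top was set, subtract p(x), i.e. XOR with p(x) minus its leading
    term (00011011 = 0x1B for AES)."""
    top = 1 << poly_deg(p)
    b <<= 1
    if b & top:
        b ^= p
    return b


def gf_inv(a: int, p: int = AES_POLY) -> int:
    """Inverse of a modulo p(x) by the extended Euclidean algorithm over Z2[x].
    Invariant: s_i * a == r_i (mod p).  When r reaches 0 the previous r is gcd(a, p),
    which is 1 exactly when p(x) is irreducible (or at least coprime to a)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1 = p, a
    s0, s1 = 0, 1
    while r1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ clmul(q, s1)
    if r0 != 1:
        raise ValueError(f"{poly_str(a)} is not invertible modulo {poly_str(p)} (gcd != 1)")
    return poly_divmod(s0, p)[1]


def is_field(p: int) -> bool:
    """True iff every nonzero residue modulo p(x) has an inverse, i.e. Z2[x]/(p(x)) is a
    field.  Fails for a reducible modulus such as x^3 + 1 = (x + 1)(x^2 + x + 1)."""
    try:
        return all(gf_mul(a, gf_inv(a, p), p) == 1 for a in range(1, 1 << poly_deg(p)))
    except ValueError:
        return False


if __name__ == "__main__":
    print(poly_str(0b10010111))                            # the 8-bit block example
    print(poly_str(poly_divmod(0b10001, SMALL_POLY)[1]))   # x^4 + 1 mod x^3 + x + 1
    print(hex(gf_inv(0x53)))                               # inverse of 01010011 in AES
    print(hex(gf_mul(0x02, 0x87)), hex(xtime(0x87)))       # 02 * 87 both ways
    print(is_field(SMALL_POLY), is_field(0b1001))          # irreducible vs reducible modulus
```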
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers
• Message space: $P = M^L = \{\, m = (m_1, m_2, \ldots, m_L) \mid m_i \in M \,\}$
  – $M = \{a_i, i = 1, 2, \ldots, N\}$, $p(a_i) \ge 0$, $\sum_{i=1}^{N} p(a_i) = 1$
• Key space: $K = B^R = \{\, b = (b_1, b_2, \ldots, b_R) \mid b_i \in B \,\}$
  – $B = \{b_i, i = 1, 2, \ldots, S\}$, $p(b_i) \ge 0$, $\sum_{i=1}^{S} p(b_i) = 1$
• Ciphertext space: $C = \{\, c \mid c = e_k(m),\ k \in K,\ m \in M \,\}$
[Figure: Sender, Encryption, Decryption, Receiver, with m, c and k; the key travels over a Secure Channel; Cryptanalysis observes the ciphertext; Key Space (K), Message Space (P), Ciphertext Space (C)]

Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
R. G. Gallager
Claude Shannon, 1916-2001
Probability Distribution of C
• $\Pr[C = c] = \sum_{k \in K,\ c \in C(k)} \Pr[K = k] \Pr[m = d_k(c)]$
  – $C(k) = \{\, e_k(m) \mid m \in P \,\}$, the ciphertexts reachable under key k
• $\Pr[C = c \mid P = m] = \sum_{k \in K,\ m = d_k(c)} \Pr[K = k]$
• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m) \sum_{k \,:\, m = d_k(c)} \Pr(k)}{\sum_{k \in K,\ c \in C(k)} \Pr(k) \Pr(d_k(c))}$

Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for any probability distribution of P, $\forall c\ \forall m:\ \Pr[P = m] = \Pr[P = m \mid C = c]$
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every $x \in P$ and $y \in C$ there is a unique key k such that $e_k(x) = y$
Proof of the "if" direction
• Assume every key has probability 1/|K| and every pair (x, y) has a unique key. Then
  $\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \dfrac{\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] \Pr[\mathbf{x} = x]}{\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \Pr[\mathbf{x} = d_k(y)]}$
• Numerator: $\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] = \dfrac{1}{|K|}$, since exactly one key maps x to y
• Denominator: $\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \Pr[\mathbf{x} = d_k(y)] = \dfrac{1}{|K|} \sum_{k \in K,\ y \in C(k)} \Pr[\mathbf{x} = d_k(y)] = \dfrac{1}{|K|} \sum_{x \in P} \Pr[\mathbf{x} = x] = \dfrac{1}{|K|}$, since as k varies, $d_k(y)$ runs through each $x \in P$ exactly once
• Hence $\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \Pr[\mathbf{x} = x]$

Proof of the "only if" direction
• Perfect secrecy gives, for every y with $\Pr[y] > 0$: $\Pr[x \mid y] = \Pr[x]$, hence $\Pr[y \mid x] = \Pr[y]$
• Fix $x \in P$ and $y \in C$. We have $\Pr[y \mid x] = \Pr[y] > 0$, thus there exists at least one k that satisfies $e_k(x) = y$
• $|\{\, e_k(x) \mid k \in K \,\}| = |C| = |K|$
  – So there are no $k_1 \ne k_2$ with $e_{k_1}(x) = e_{k_2}(x)$
  – There is a unique key k such that $e_k(x) = y$

Proof of the "only if" direction (continued)
• Let n = |K| and $P = \{\, x_i \mid 1 \le i \le n \,\}$
• Given a fixed y, let $k_1, k_2, \ldots, k_n$ be the keys with $e_{k_i}(x_i) = y$
• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i] \Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i] \Pr[x_i]}{\Pr[y]}$
• $\Pr[x_i \mid y] = \Pr[x_i]$ implies $\Pr[K = k_i] = \Pr[y]$ for every i
  – Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n. Any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a probability distribution on P that is nonzero everywhere
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
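The distributions of the "Probability Distribution of C" slide, the perfect secrecy condition, the theorem's two conditions and the |K| ≥ n bound, all evaluated exactly on a small shift cipher over $Z_5$; this is an added example (my code, not the lecture's), and the distributions, cipher and function names are constructed for it.

```python
# Added example (not the lecture's own code): compute Pr[C=c], Pr[C=c|P=m] and
# Pr[P=m|C=c] with exact Fractions for a shift cipher over Z_N and test the perfect
# secrecy condition Pr[P=m] = Pr[P=m|C=c] under different key distributions.
from fractions import Fraction as F
from typing import Callable, Dict

Dist = Dict[int, F]                       # value -> probability
N = 5                                     # plaintext/ciphertext alphabet is Z_5


def shift_encrypt(k: int, m: int) -> int:
    """e_k(m) = m + k mod N: a Caesar-style shift, a one-time pad when k is fresh and uniform."""
    return (m + k) % N


def ciphertext_dist(p_dist: Dist, k_dist: Dist, enc: Callable[[int, int], int]) -> Dist:
    """Pr[C=c] = sum over k in K, c in C(k) of Pr[K=k] * Pr[P = d_k(c)].
    Enumerating (k, m) pairs and grouping by e_k(m) is the same sum without needing d_k."""
    pc: Dist = {}
    for k, pk in k_dist.items():
        for m, pm in p_dist.items():
            c = enc(k, m)
            pc[c] = pc.get(c, F(0)) + pk * pm
    return pc


def posterior(p_dist: Dist, k_dist: Dist, enc: Callable[[int, int], int], m: int, c: int) -> F:
    """Pr[P=m | C=c] = Pr[C=c | P=m] Pr[P=m] / Pr[C=c], where
    Pr[C=c | P=m] = sum over the keys k with e_k(m) = c of Pr[K=k]."""
    pc_given_m = sum((pk for k, pk in k_dist.items() if enc(k, m) == c), F(0))
    return pc_given_m * p_dist[m] / ciphertext_dist(p_dist, k_dist, enc)[c]


def is_perfectly_secret(p_dist: Dist, k_dist: Dist, enc: Callable[[int, int], int]) -> bool:
    """Shannon's condition, checked for every reachable ciphertext c and every plaintext m."""
    pc = ciphertext_dist(p_dist, k_dist, enc)
    return all(posterior(p_dist, k_dist, enc, m, c) == p_dist[m]
               for c in pc for m in p_dist)


# Constructed sample distributions.
P_SKEWED: Dist = {0: F(1, 2), 1: F(1, 4), 2: F(1, 8), 3: F(1, 16), 4: F(1, 16)}
P_UNIFORM: Dist = {m: F(1, N) for m in range(N)}
K_UNIFORM: Dist = {k: F(1, N) for k in range(N)}            # both theorem conditions hold
K_SKEWED: Dist = {0: F(1, 2), 1: F(1, 8), 2: F(1, 8), 3: F(1, 8), 4: F(1, 8)}  # keys not equiprobable
K_TOO_FEW: Dist = {k: F(1, 3) for k in range(3)}             # |K| = 3 < |P| = 5: the "bad news" bound

if __name__ == "__main__":
    for name, kd in [("uniform keys", K_UNIFORM), ("skewed keys", K_SKEWED), ("3 keys", K_TOO_FEW)]:
        print(name, is_perfectly_secret(P_SKEWED, kd, shift_encrypt))
    # With skewed keys, seeing c = 0 moves Pr[P=0] from 1/2 to 4/5: the ciphertext leaks.
    print(posterior(P_SKEWED, K_SKEWED, shift_encrypt, 0, 0))
```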
Introduction to Complexity
• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – For example, a 56-bit key cannot be used to encrypt a document of more than 56 bits
• So in modern cryptography
  – NOT perfect secrecy
  – but secure under limited resources (complexity)
  – meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers $a, b \in N$
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine
• Definition: A Turing Machine is given by a transition function $\delta: S \times B \to S \times B \times \{l, r\}$
  – where S is the set of states, B the set of tape characters, l is shift left and r is shift right
[Figure: a tape … 0 1 1 0 0 0 1 1 … read by a state machine]

Algorithms
• Definition: An algorithm is a step-by-step procedure (based on the Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem
Problems and Algorithms
[Figure: a PROBLEM has INSTANCES, which are the Input of an ALGORITHM that produces the Output]

Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: $f(n) = \log(n)$
  – Polynomial functions: $f(n) = n^a$, $a \in N$
  – Exponential functions: $f(n) = \Omega(a^n)$ for some $a \in N$, and there exists $b \in N$ with $f(n) = O(b^n)$

Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problem
• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: A·B
  – NP: can be solved in polynomial time using an NDTM, $\delta: S \times B \to 2^{S \times B \times \{l, r\}}$
  – BPP: can be "solved" in polynomial time using a PTM, $\delta: S \times B \times \{0, 1\} \to S \times B \times \{l, r\}$ (randomized algorithms)

NP Problem
• NP: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", intuitively
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Polynomial Reduction
• Definition: Assume $Q_1, Q_2 \in NP$, and let $I_1^+$ and $I_2^+$ be their sets of 'yes' instances. $Q_1$ is polynomially reducible to $Q_2$ if there is a function $f: I_1 \to I_2$ s.t.
  – f is computable in polynomial time by a DTM
  – for all $x \in I_1$: $x \in I_1^+$ iff $f(x) \in I_2^+$
• Note
  – $Q_2$ is (at least) as complex as $Q_1$
  – Denoted $Q_1 \le_{poly} Q_2$

NP Completeness (NPC)
• Definition: A problem $Q_c$ is NP-complete if for any $Q \in NP$ we have $Q \le_{poly} Q_c$
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC
  – Show SAT $\le_{poly}$ Q

P = NP?
• Either P = NP, or there is $p \in NP$ with $p \notin P$
• If P = NP
  – Modern cryptography is NOT secure
• If there is $p \in NP$ with $p \notin P$
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – These are the foundations of modern cryptography
BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography
• FACTORING: factorize $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$
• DLP: find x satisfying $\alpha^x \equiv \beta \pmod p$
• DHP: find $\alpha^{ab} \pmod p$ from $\alpha^a \pmod p$ and $\alpha^b \pmod p$
• Subset-Sum: given a set of positive integers $A = \{a_1, a_2, \ldots, a_n\}$ and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying $x^2 \equiv a \pmod n$
Semantic Security
• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – May leak partial information
  – Approximates perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish a ciphertext from random bits

IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
• The game
  – Challenger: picks a random key k and a random bit $b \in \{0, 1\}$
  – Adversary: picks $M_0$, $M_1$ of equal length and sends them to the challenger
  – Challenger: returns the challenge ciphertext $e_k(M_b)$
  – Adversary: outputs a guess b'
  – The attacker wins the game if b = b'

Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
• The game
  1. Challenger picks a random key k
  2. Challenger picks a random message M and sends $e_k(M)$
  3. Adversary picks an index i and outputs a guess a
  – The attacker wins the game if a = the i'th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
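The proof sketch above, carried out as an added example (my code, not the lecture's): both games from the previous slides are simulated on two constructed 8-bit toy ciphers, and the IND-CPA adversary built from a bit attacker chooses $M_1$ as the bitwise complement of $M_0$, so that the i-th bit of the challenge plaintext determines b for whichever i the bit attacker picks. The ciphers, attacker and function names are constructed for the demonstration.

```python
# Added example (not the lecture's own code): the bit-security and IND-CPA games on
# 8-bit toy ciphers, plus the reduction from a bit attacker to an IND-CPA adversary.
import random
from typing import Callable, Tuple

BITS = 8
MASK = (1 << BITS) - 1

BitAttacker = Callable[[int], Tuple[int, int]]     # ciphertext -> (index i, guessed bit a)


def otp_encrypt(k: int, m: int) -> int:
    """Constructed cipher 1: a one-time pad on 8 bits (fresh random k for every message)."""
    return k ^ m


def leaky_encrypt(k: int, m: int) -> int:
    """Constructed cipher 2: like the pad, but bit 0 of the plaintext is copied in clear."""
    return ((k ^ m) & ~1 & MASK) | (m & 1)


def lsb_bit_attacker(c: int) -> Tuple[int, int]:
    """A bit-security adversary that picks i = 0 and reads that bit off the ciphertext."""
    return 0, c & 1


def play_bit_game(enc, attacker: BitAttacker, rng: random.Random) -> bool:
    """Bit-security game: challenger picks k and M; adversary picks i and guesses bit i of M."""
    k, m = rng.getrandbits(BITS), rng.getrandbits(BITS)
    i, a = attacker(enc(k, m))
    return a == (m >> i) & 1


def reduction_adversary(attacker: BitAttacker):
    """Build an IND-CPA adversary (choose, guess) from any bit attacker.
    Because M_b is uniformly random whatever b is, the bit attacker sees exactly the
    distribution of its own game, so the reduction wins exactly as often as it does."""
    def choose(rng: random.Random) -> Tuple[int, int]:
        m0 = rng.getrandbits(BITS)
        return m0, m0 ^ MASK            # M1 = ~M0: every bit position distinguishes them

    def guess(c: int, m0: int, m1: int) -> int:
        i, a = attacker(c)
        return 0 if a == (m0 >> i) & 1 else 1

    return choose, guess


def play_ind_cpa_game(enc, adversary, rng: random.Random) -> bool:
    """IND-CPA game: challenger picks k and b; adversary picks M0, M1 and must guess b."""
    choose, guess = adversary
    k, b = rng.getrandbits(BITS), rng.getrandbits(1)
    m0, m1 = choose(rng)
    c = enc(k, (m0, m1)[b])
    return guess(c, m0, m1) == b


def win_rate(game, enc, adversary, trials: int = 2000, seed: int = 1) -> float:
    """Empirical success probability over independent runs with a fixed seed."""
    rng = random.Random(seed)
    return sum(game(enc, adversary, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for name, enc in [("one-time pad", otp_encrypt), ("leaky cipher", leaky_encrypt)]:
        print(name, "bit game:", win_rate(play_bit_game, enc, lsb_bit_attacker),
              "IND-CPA via reduction:",
              win_rate(play_ind_cpa_game, enc, reduction_adversary(lsb_bit_attacker)))
```

For the pad both rates sit near 0.5; for the leaky cipher the bit attacker wins every time and so does the IND-CPA adversary built from it, which is the contrapositive the slide's proof uses.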
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – $Z_n$, $Z_p$, $GF(2^n)$
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework
• HTTP URL
  http://cst.hit.edu.cn/cryptography
• Due Date
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Z_n Properties

• Additive and multiplicative identities in $\mathbb{Z}_n$
  – Additive identity is $0 \bmod n$
  – Multiplicative identity is $1 \bmod n$
• Additive inverse: yes, for every x
  – A number y such that $x + y \equiv 0 \pmod n$
• Multiplicative inverse: not for all x
  – A number y such that $xy \equiv 1 \pmod n$
  – The elements of $\mathbb{Z}_n$ that have an inverse are $\{x \mid \gcd(x, n) = 1\}$
Z_n^*

• $\mathbb{Z}_n^*$ is a "group" of integers modulo n
  – $\mathbb{Z}_n^* = \{x \in \mathbb{Z}_n \mid \gcd(x, n) = 1\}$
  – $|\mathbb{Z}_n^*| = \varphi(n)$
  – Operation: normal multiplication modulo n
• $\mathbb{Z}_n^*$ may not be a group over +
  – Example: n = 20, $3, 5 \in \mathbb{Z}_{20}^*$ but $3 + 5 = 8 \notin \mathbb{Z}_{20}^*$
• So $\mathbb{Z}_n^*$ may not be a field
Z_p

• $\mathbb{Z}_p$ is the "field" of integers modulo a prime p
  – $\mathbb{Z}_p = \{0, 1, 2, \ldots, p-1\}$
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: $\mathbb{Z}_2$ (addition is XOR, multiplication is AND)

  +  | 0 1        ×  | 0 1        w | -w | w^-1
  0  | 0 1        0  | 0 0        0 |  0 | -
  1  | 1 0        1  | 0 1        1 |  1 | 1
  (XOR)           (AND)
Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$, where each $a_i \in R$ and $n \ge 0$
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Polynomial Ring Example

• Example: Let $f(x) = x^3 + x + 1$ and $g(x) = x^2 + x$ be elements of $\mathbb{Z}_2[x]$
  – $f(x) + g(x) = x^3 + x^2 + 1$
  – $f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1$ (coefficients are in $\mathbb{Z}_2$, so $-1 = 1$)
  – $f(x) \cdot g(x) = x^5 + x^4 + x^3 + x$ (the two $x^2$ terms cancel)
Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted $R[x]/p(x)$
Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written $a(x) \equiv b(x) \pmod{p(x)}$, iff $p(x) \mid (a(x) - b(x))$
• Example
  – In $\mathbb{Z}_5[x]$: $3x^3 + 4x + 4 \equiv x + 4 \pmod{x^2 + 1}$
    • $3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)$
• Definition: If $a(x)\,b(x) \equiv 1 \pmod{p(x)}$, then $b(x) = a^{-1}(x) \bmod p(x)$
Irreducible Polynomials

• Definition: If $a(x) = q(x)\,b(x)$, then a(x) is divisible by b(x), denoted $b(x) \mid a(x)$
• Definition: A polynomial a(x) is irreducible over R if there is NO non-constant polynomial $b(x) \in R[x]$ with $\deg b(x) < \deg a(x)$ such that $b(x) \mid a(x)$
Example: Z_2[x]/(x^3+x+1)

• $S = \{0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1\}$
• $p(x) = x^3 + x + 1$
• For any $f(x) \in \mathbb{Z}_2[x]$: $f(x) \bmod p(x) \in S$
• Example
  – $x^4 + 1 = x \cdot x^3 + 1 \equiv x(x + 1) + 1 = x^2 + x + 1 \pmod{p(x)}$, using $x^3 \equiv x + 1$
• Note: $R[x]/p(x)$, when p(x) is irreducible, is the set of all polynomials $f(x) \in R[x]$ with $\deg f(x) < \deg p(x)$
Z_2[x]/(x^3+x+1) Properties

• S is a group over addition in R
  – 0 is e, and the inverse of $a \in S$ is a itself
  – Example: $(x^2 + 1) + (x^2 + 1) = 0$
• S (without 0) is a group over multiplication mod p(x)
  – 1 is e, and the inverse of every non-zero $a \in S$ exists
  – Example: $(x^2 + 1) \cdot x = x^3 + x \equiv (x + 1) + x = 1 \pmod{x^3 + x + 1}$
  – Note: the Extended Euclidean Algorithm can be used to find inverses
• $\mathbb{Z}_2[x]/(x^3 + x + 1)$ is a field
Galois Field

• Definition: Galois field = $(S, +, \cdot)$
  – $S = F[x]/p(x)$
  – F is the field $\mathbb{Z}_N$ (N prime)
  – + is addition in F; $\cdot$ is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over $\mathbb{Z}_N[x]/p(x)$ is denoted $GF(N^n)$, where $n = \deg p(x)$
Why Galois Field

• For an 8-bit block
  – $\mathbb{Z}_{256} = \{0, 1, \ldots, 255\}$ is not a field
  – $\mathbb{Z}_{251} = \{0, 1, \ldots, 250\}$ is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for $\mathbb{Z}_{256}$?
  – Yes: a Galois field
Galois Field for Z_256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ $1x^7 + 0x^6 + 0x^5 + 1x^4 + 0x^3 + 1x^2 + 1x^1 + 1x^0$
• It is $\mathbb{Z}_2[x]/p(x)$ where $\deg p(x) = 8$
• Note: many cryptographic designs use binary Galois fields $GF(2^n)$
Galois Field Example: AES

• AES uses $GF(2^8) = \mathbb{Z}_2[x]/p(x)$ where $p(x) = x^8 + x^4 + x^3 + x + 1$
• Example
  – 01010011 ↔ $x^6 + x^4 + x + 1$
  – $(01010011)^{-1}$ ↔ $(x^6 + x^4 + x + 1)^{-1} \bmod p(x) = x^7 + x^6 + x^3 + x$ ↔ 11001010
Galois Field Example: AES

• Example: 02 · 87 = ?
  • 87 = 10000111 ↔ $f(x) = x^7 + x^2 + x + 1$
  • 02 = 00000010 ↔ $x$
  • 02 · 87 ↔ $x \cdot f(x) = x(x^7 + x^2 + x + 1) \bmod p(x) = x^8 + x(x^2 + x + 1) \bmod p(x)$
• In general, for a byte $b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$ with polynomial f(x):
  – $x \cdot f(x)$ ↔ $(b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)$ if $b_7 = 0$
  – $x \cdot f(x)$ ↔ $(b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus (00011011)$ if $b_7 = 1$, because $x^8 \equiv x^4 + x^3 + x + 1 \pmod{p(x)}$ and 00011011 is that polynomial
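Added example (not from the slides): the byte-as-polynomial arithmetic of the preceding slides in Python, with multiplication by x, general multiplication and inversion modulo p(x) by the Extended Euclidean Algorithm; it reproduces the slide values for Z_2[x]/(x^3+x+1) and for AES (the inverse of 01010011 is 11001010) and evaluates 02 · 87. The function names are this example's own; the two reduction polynomials are the slides'.

```python
# Added example (not from the lecture slides): arithmetic in the binary Galois
# field Z_2[x]/(p(x)) with a polynomial packed into an int (bit i = coefficient
# of x^i), i.e. the block-to-polynomial mapping the slides use.

GF8_POLY = 0b1011          # x^3 + x + 1, the field with 8 elements on the slides
AES_POLY = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1, the AES field GF(2^8)


def deg(a):
    """Degree of polynomial a; -1 for the zero polynomial."""
    return a.bit_length() - 1


def poly_str(a):
    """Render an int-packed polynomial the way the slides write it, e.g. x^6+x^4+x+1."""
    if a == 0:
        return "0"
    terms = []
    for i in range(deg(a), -1, -1):
        if (a >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return "+".join(terms)


def poly_mod(a, p):
    """a mod p in Z_2[x]: long division, where subtracting a shifted p is XOR."""
    while a and deg(a) >= deg(p):
        a ^= p << (deg(a) - deg(p))
    return a


def xtime(a, p):
    """Multiply a reduced a by x: shift left, then reduce once if bit deg(p) was set.
    For AES this is the slide's 'shift, and XOR 00011011 if b7 = 1'."""
    a <<= 1
    if (a >> deg(p)) & 1:
        a ^= p
    return a


def gf_mul(a, b, p):
    """a * b mod p by shift-and-add: b is a sum of x^i, so a*b is a sum of a*x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = xtime(a, p)
    return r


def gf_inv(a, p):
    """Inverse of a != 0 mod p by the extended Euclidean algorithm over Z_2[x].
    Invariant: r0 = s0*a (mod p) and r1 = s1*a (mod p). If p is irreducible,
    gcd(a, p) = 1 and the remainders reach 1; otherwise a remainder hits 0."""
    a = poly_mod(a, p)
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1, s0, s1 = p, a, 0, 1
    while r1 != 1:
        if r1 == 0:
            raise ValueError("a and p are not coprime: p is not irreducible")
        shift = deg(r0) - deg(r1)
        if shift < 0:                       # keep deg(r0) >= deg(r1)
            r0, r1, s0, s1 = r1, r0, s1, s0
            continue
        r0 ^= r1 << shift                   # one long-division step
        s0 ^= s1 << shift
    return poly_mod(s1, p)


def is_field(p):
    """The slide's field property: every non-zero residue has a multiplicative inverse."""
    try:
        return all(gf_mul(a, gf_inv(a, p), p) == 1 for a in range(1, 1 << deg(p)))
    except ValueError:
        return False


if __name__ == "__main__":
    print(poly_str(poly_mod(0b10001, GF8_POLY)))   # x^4+1 mod (x^3+x+1) -> x^2+x+1
    print(gf_mul(0b101, 0b010, GF8_POLY))           # (x^2+1) * x = 1 in Z_2[x]/(x^3+x+1)
    print(poly_str(gf_inv(0x53, AES_POLY)))         # inverse of x^6+x^4+x+1 in the AES field
    print(hex(gf_mul(0x02, 0x87, AES_POLY)))        # the slide's 02 * 87
    print(is_field(AES_POLY), is_field(0b1001))     # x^3+1 = (x+1)(x^2+x+1) gives no field
```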
Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers

• Message space $P = M^L = \{m = (m_1, m_2, \ldots, m_L) \mid m_i \in M\}$
  – $M = \{a_i \mid i = 1, 2, \ldots, N\}$, $p(a_i) \ge 0$, $\sum_{i=1}^{N} p(a_i) = 1$
• Key space $K = B^R = \{b = (b_1, b_2, \ldots, b_R) \mid b_i \in B\}$
  – $B = \{b_i \mid i = 1, 2, \ldots, S\}$, $p(b_i) \ge 0$, $\sum_{i=1}^{S} p(b_i) = 1$
• Ciphertext space $C = \{c \mid c = e_k(m),\ k \in K,\ m \in M\}$
• [Figure: Sender → Encryption → c → Decryption → Receiver; the key k reaches both ends over a Secure Channel; Cryptanalysis observes c and tries to recover m. Labels: Key Space (K), Message Space (P), Ciphertext Space (C)]
Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
  – R. G. Gallager

Claude Shannon, 1916–2001
Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]$
  – $C(k) = \{e_k(m) \mid m \in P\}$
• $\Pr[C = c \mid P = m] = \sum_{k \in K,\ m = d_k(c)} \Pr[K = k]$
• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \cdot \Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m) \sum_{k \mid m = d_k(c)} \Pr(k)}{\sum_{k \in K,\ c \in C(k)} \Pr(k) \Pr(d_k(c))}$
Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P,
  $\forall c, \forall m:\ \Pr[P = m] = \Pr[P = m \mid C = c]$
• Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and $\forall x \in P$ and $\forall y \in C$ there is a unique key k such that $e_k(x) = y$
Proof of ⇐ (the two conditions imply perfect secrecy)

• $\Pr[x \mid y] = \dfrac{\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] \cdot \Pr[x]}{\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \cdot \Pr[d_k(y)]}$
• Numerator: the key with $e_k(x) = y$ is unique, so $\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] = \dfrac{1}{|K|}$
• Denominator: $\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \cdot \Pr[d_k(y)] = \dfrac{1}{|K|} \sum_{k \in K,\ y \in C(k)} \Pr[d_k(y)] = \dfrac{1}{|K|} \sum_{x \in P} \Pr[x] = \dfrac{1}{|K|}$ (as k ranges over K, $d_k(y)$ takes each $x \in P$ exactly once)
• Hence $\Pr[x \mid y] = \Pr[x]$
Proof of ⇒ (perfect secrecy implies a unique key for each pair x, y)

• Assume $\Pr[y] > 0$ for every $y \in C$
• $\Pr[x \mid y] = \Pr[x] \iff \Pr[y \mid x] = \Pr[y]$
• Fix $x \in P$ and $y \in C$: we have $\Pr[y \mid x] = \Pr[y] > 0$, thus there exists at least one k that satisfies $e_k(x) = y$
• $|\{e_k(x) \mid k \in K\}| = |C| = |K|$
  – So there are no $k_1 \ne k_2$ with $e_{k_1}(x) = e_{k_2}(x)$
  – There is a unique key k such that $e_k(x) = y$
Proof of ⇒ (perfect secrecy implies equiprobable keys)

• Let $n = |K|$ and $P = \{x_i \mid 1 \le i \le n\}$
• Given a fixed y, let $k_1, k_2, \ldots, k_n$ be the keys with $e_{k_i}(x_i) = y$
• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i] \cdot \Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i] \cdot \Pr[x_i]}{\Pr[y]}$
• $\Pr[x_i \mid y] = \Pr[x_i] \Rightarrow \Pr[K = k_i] = \Pr[y]$ for every i
  – Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n. Any cipher with perfect secrecy has $|K| \ge n$
• Proof
  – Consider a nonzero probability distribution on P
  – Given any C = c, for every m: $\Pr[P = m \mid C = c] = \Pr[P = m] > 0$, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
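Added example (not from the slides) for the probability formulas, Shannon's definition and the Perfect Secrecy Theorem of the preceding slides: the three probabilities are evaluated exactly on constructed shift ciphers over Z_5 with uniform keys (perfect secrecy), with biased keys (not perfect: the posterior Pr[P=0|C=0] moves from 1/2 to 4/5), and with one key reused for a two-symbol message, where |K| = 5 < |P| = 25 and the "bad news" theorem rules out perfect secrecy. All names and distributions are this example's own.

```python
# Added example (not from the lecture slides): the slide formulas for Pr[C=c],
# Pr[C=c|P=m] and Pr[P=m|C=c] on small constructed cryptosystems, with exact
# Fractions so that equality tests are meaningful.
from fractions import Fraction


def pr_c(c, p_dist, k_dist, enc):
    """Pr[C=c] = sum over k in K, m in P with e_k(m)=c of Pr[K=k] * Pr[P=m]."""
    return sum((k_dist[k] * p_dist[m]
                for k in k_dist for m in p_dist if enc(k, m) == c), Fraction(0))


def pr_c_given_p(c, m, k_dist, enc):
    """Pr[C=c | P=m] = sum over k with e_k(m)=c of Pr[K=k]."""
    return sum((k_dist[k] for k in k_dist if enc(k, m) == c), Fraction(0))


def pr_p_given_c(m, c, p_dist, k_dist, enc):
    """Bayes: Pr[P=m | C=c] = Pr[C=c | P=m] * Pr[P=m] / Pr[C=c]."""
    return pr_c_given_p(c, m, k_dist, enc) * p_dist[m] / pr_c(c, p_dist, k_dist, enc)


def ciphertexts(p_dist, k_dist, enc):
    """The ciphertext space C = {e_k(m) | k in K, m in P}."""
    return {enc(k, m) for k in k_dist for m in p_dist}


def is_perfectly_secret(p_dist, k_dist, enc):
    """Shannon's definition: for every c and every m, Pr[P=m | C=c] == Pr[P=m]."""
    return all(pr_p_given_c(m, c, p_dist, k_dist, enc) == p_dist[m]
               for c in ciphertexts(p_dist, k_dist, enc) for m in p_dist)


def theorem_conditions(p_dist, k_dist, enc):
    """The two conditions of the Perfect Secrecy Theorem (for |K| = |P| = |C|):
    every key has probability 1/|K|, and for each (x, y) exactly one key maps x to y."""
    cs = ciphertexts(p_dist, k_dist, enc)
    equiprobable = all(pr == Fraction(1, len(k_dist)) for pr in k_dist.values())
    unique_key = all(sum(1 for k in k_dist if enc(k, x) == y) == 1
                     for x in p_dist for y in cs)
    return equiprobable and unique_key


def uniform(space):
    return {x: Fraction(1, len(space)) for x in space}


def skewed(space):
    """Constructed non-uniform distribution 1/2, 1/4, 1/8, ...; the last element takes the rest."""
    d = {x: Fraction(1, 2 ** (i + 1)) for i, x in enumerate(space)}
    d[space[-1]] = 1 - sum(list(d.values())[:-1])
    return d


N = 5
MSGS = list(range(N))
PAIRS = [(a, b) for a in MSGS for b in MSGS]
UNIFORM_KEYS = uniform(MSGS)
BIASED_KEYS = {k: Fraction(1, 2) if k == 0 else Fraction(1, 8) for k in MSGS}   # constructed bias


def shift(k, m):
    """Shift cipher on Z_5: one key symbol per message symbol (a one-time pad over Z_5)."""
    return (m + k) % N


def shift_pair(k, m):
    """The same key symbol reused on a two-symbol message: key length < message length."""
    return ((m[0] + k) % N, (m[1] + k) % N)


def posterior_biased():
    """Pr[P=0 | C=0] under the biased keys and the skewed plaintext distribution."""
    return pr_p_given_c(0, 0, skewed(MSGS), BIASED_KEYS, shift)


if __name__ == "__main__":
    print(is_perfectly_secret(skewed(MSGS), UNIFORM_KEYS, shift))          # True
    print(theorem_conditions(skewed(MSGS), UNIFORM_KEYS, shift))           # True
    print(is_perfectly_secret(skewed(MSGS), BIASED_KEYS, shift))           # False
    print(posterior_biased())                                               # 4/5, prior was 1/2
    print(is_perfectly_secret(uniform(PAIRS), UNIFORM_KEYS, shift_pair))   # False: |K| < |P|
```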
Introduction of the Complexity

• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – For example, using a 56-bit key to encrypt a document (> 56 bits)
• So, in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography
Problems

• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers $a, b \in \mathbb{N}$
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine

• Definition: A Turing Machine is a transition function $\delta: S \times B \to S \times B \times \{l, r\}$
  – where S is the set of states, B is the set of tape characters, l is shift left and r is shift right
• [Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a state machine]
Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem
Problems and Algorithms

• [Figure: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, whose Output is the answer]
Complexity of Algorithm

• Definition: The time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: $f(n) = \log n$
  – Polynomial functions: $f(n) = n^a$, $a \in \mathbb{N}$
  – Exponential functions: $f(n) = \Omega(a^n)$ for some $a \in \mathbb{N}$, and there exists $b \in \mathbb{N}$ with $f(n) = O(b^n)$
Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, or the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problem

• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P: can be solved in polynomial time using a DTM
  – NP: can be solved in polynomial time using an NDTM, $\delta: S \times B \to 2^{S \times B \times \{l, r\}}$
  – BPP: can be "solved" in polynomial time using a PTM, $\delta: S \times B \times \{0, 1\} \to S \times B \times \{l, r\}$ (randomized algorithms)
NP Problem

• NP: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – $P \subseteq NP$
  – NP problems are "more difficult", by intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Polynomial Reduction

• Definition: Assume $Q_1, Q_2 \in NP$, and let $I_1^+$ and $I_2^+$ be their 'yes' instances.
  $Q_1$ is polynomially reducible to $Q_2$ if there is a function $f: I_1 \to I_2$ such that
  – f is computable in polynomial time by a DTM
  – for all x: $x \in I_1^+$ iff $f(x) \in I_2^+$
• Note
  – $Q_2$ is at least as hard as $Q_1$
  – Denoted $Q_1 \le_{poly} Q_2$
NP Completeness (NPC)

• Definition: An NPC problem is a $Q_c$ such that for any $Q \in NP$ we have $Q \le_{poly} Q_c$
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove a problem $Q \in NPC$ (with $Q \in NP$)
  – Show $SAT \le_{poly} Q$
P = NP?

• Either P = NP, or $\exists p \in NP$ with $p \notin P$
• If P = NP
  – Modern cryptography is NOT secure
• If $\exists p \in NP$ with $p \notin P$
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – These are the foundations of modern cryptography
BPP

• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Problems in Cryptography

• FACTORING: factorize $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$
• DLP: given a base g and a value h, find x satisfying $g^x \equiv h \pmod p$
• DHP: find $g^{ab} \pmod p$ from $g^a \pmod p$ and $g^b \pmod p$
• Subset-Sum: given a set of positive integers $A = \{a_1, a_2, \ldots, a_n\}$ and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying $x^2 \equiv a \pmod n$
Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leak partial information
  – Approximate perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 1/2 + ε
• The game
  – Challenger: picks random k and random $b \in \{0, 1\}$
  – Adversary: picks $M_0, M_1$ of equal length
  – Challenger: returns the encryption of $M_b$ under k
  – Adversary: outputs a guess b'
  – Attacker wins the game if b = b'
Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 1/2 + ε
• The game
  – Challenger: 1. picks random k; 2. picks random M; returns the encryption of M under k
  – Adversary: 3. picks i and outputs a guess a
  – Attacker wins the game if a = i-th bit of M
Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
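Added example (not from the slides): the IND-CPA and bit-security games of the preceding slides as code, together with the reduction the proof sketch calls for. The IND-CPA adversary picks $M_1$ as the bitwise complement of a random $M_0$, so $M_b$ is uniform as in the bit game and every bit differs; a bit attacker's guess then tells it which message was encrypted, with the same success probability. It is run against two constructed toy ciphers, a one-time pad and a pad whose key always has bit 0 clear; all names and ciphers are this example's own.

```python
# Added example (not from the lecture slides): the two security games as code
# and the reduction "bit attacker -> IND-CPA attacker" on constructed toy ciphers.
import random

BITS = 8
MASK = (1 << BITS) - 1


def otp_keygen(rng):
    """Uniform 8-bit key: a one-time pad on one block."""
    return rng.getrandbits(BITS)


def leaky_keygen(rng):
    """Constructed flaw for illustration: bit 0 of the key is always 0."""
    return rng.getrandbits(BITS) & (MASK ^ 1)


def enc(k, m):
    """E_k(M) = M xor k."""
    return m ^ k


def bit_attacker(c):
    """Bit attacker tuned to the leaky cipher: with key bit 0 clear, ciphertext
    bit 0 equals message bit 0. Returns (i, guess for bit i of M)."""
    return 0, c & 1


def bit_game(keygen, attacker, rng):
    """Bit-security game: challenger picks k and M, adversary picks i and guesses bit i of M."""
    k, m = keygen(rng), rng.getrandbits(BITS)
    i, a = attacker(enc(k, m))
    return a == (m >> i) & 1


def ind_cpa_game(keygen, adversary, rng):
    """IND-CPA game: adversary picks M0, M1; challenger picks k, b; adversary guesses b."""
    k, b = keygen(rng), rng.getrandbits(1)
    m0, m1, state = adversary.choose(rng)
    b_guess = adversary.guess(enc(k, m1 if b else m0), state)
    return b_guess == b


class Reduction:
    """IND-CPA adversary built from a bit attacker (the proof sketch on the slide)."""

    def __init__(self, bit_attacker):
        self.bit_attacker = bit_attacker

    def choose(self, rng):
        # M0 uniform, M1 = complement of M0: M_b is uniform (as in the bit game)
        # and bit i of M1 is always the opposite of bit i of M0.
        m0 = rng.getrandbits(BITS)
        return m0, m0 ^ MASK, m0

    def guess(self, c, m0):
        # If the bit attacker's guess matches M0 at position i, M0 was encrypted.
        i, a = self.bit_attacker(c)
        return 0 if a == (m0 >> i) & 1 else 1


def win_rate(game, keygen, player, trials=2000, seed=1):
    """Empirical win probability of `player` in `game` against the cipher `keygen`."""
    rng = random.Random(seed)
    return sum(game(keygen, player, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print(win_rate(bit_game, leaky_keygen, bit_attacker))                  # 1.0
    print(win_rate(ind_cpa_game, leaky_keygen, Reduction(bit_attacker)))   # 1.0: advantage carries over
    print(win_rate(bit_game, otp_keygen, bit_attacker))                    # about 0.5
    print(win_rate(ind_cpa_game, otp_keygen, Reduction(bit_attacker)))     # about 0.5
```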
Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – $\mathbb{Z}_n$, $\mathbb{Z}_p$, $GF(2^n)$
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 55
Zn
bull Zn is a ldquogrouprdquo of integers modulo n
ndash Zn=x| gcd(xn)=1
ndash |Zn|=(n)
ndash Normal multiplication modulo n
bull Zn may not a group over +
ndash Example n=20 35 Zn but 3+5=8 Zn
bull So Zn may not a field
Zhijun Li S1034040Autumn08HIT 56
Zp
bull Zp is the ldquofieldrdquo of integers modulo n
ndash Zp=012hellipp-1
ndash Normal addition modulo pndash Normal multiplication modulo p
bull ExampleZ2+ 0 1
01
0 11 0
0 1
01
0 00 1
w -w w-1
01
01 1
XOR AND
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0
bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)

Semantic Security
• Ideas of Semantic Security
– Between Shannon security and security based on complexity
– May leak partial information
– Approximates perfect secrecy
• Definition of Semantic Security
– Indistinguishability of ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish ciphertext from random bits

IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
• Game between Challenger and Adversary
– Challenger picks random k and picks random b ∈ {0, 1}
– Adversary picks M0, M1 of equal length
– Challenger returns the encryption of Mb under k; Adversary outputs a guess b'
– Attacker wins the game if b = b'

Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
• Game between Challenger and Adversary
– 1. Challenger picks random k
– 2. Challenger picks random M
– 3. Adversary picks i, receives the encryption of M under k, and outputs a guess a
– Attacker wins the game if a = the i'th bit of M

Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
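The two games and the reduction in the proof, as an added example that is not part of the lecture. The IND adversary built from a bit attacker picks M0 at random and M1 = M0 with bit i flipped, so a correct guess of bit i tells it which message was encrypted, and it wins exactly when the bit attacker wins. Both ciphers are constructed for the example: a one-time pad on 4-byte messages, and a deliberately "leaky" variant that copies bit 0 of the first byte through unmasked; the names `otp_encrypt`, `leaky_encrypt` and `BLOCK_BYTES` are the example's own.

```python
import random

BLOCK_BYTES = 4  # toy message length, chosen for the example

def bit(m, i):
    """Bit i of a byte string (bit 0 is the low bit of the first byte)."""
    return (m[i // 8] >> (i % 8)) & 1

def otp_encrypt(key, msg):
    """One-time pad: every plaintext bit is masked by a fresh uniform key bit."""
    return bytes(k ^ m for k, m in zip(key, msg))

def leaky_encrypt(key, msg):
    """Toy cipher constructed for this example: the pad, except that bit 0 of the
    first byte is copied through unmasked, so the ciphertext leaks that plaintext bit."""
    c = bytearray(otp_encrypt(key, msg))
    c[0] = (c[0] & 0xFE) | (msg[0] & 1)
    return bytes(c)

def bit_attacker(ct, i):
    """A bit-security adversary that simply reads bit i off the ciphertext."""
    return bit(ct, i)

def bit_security_game(encrypt, attacker, i, rng):
    """Slide's bit-security game: challenger picks k and M, adversary names i,
    sees E_k(M) and guesses the i-th bit of M."""
    key = bytes(rng.randrange(256) for _ in range(BLOCK_BYTES))
    msg = bytes(rng.randrange(256) for _ in range(BLOCK_BYTES))
    return attacker(encrypt(key, msg), i) == bit(msg, i)

def ind_adversary_from_bit_attacker(attacker, i):
    """The reduction in the proof: turn any bit attacker into an IND adversary.
    M1 is M0 with bit i flipped, so a correct bit guess identifies which was encrypted."""
    def choose_messages(rng):
        m0 = bytearray(rng.randrange(256) for _ in range(BLOCK_BYTES))
        m1 = bytearray(m0)
        m1[i // 8] ^= 1 << (i % 8)
        return bytes(m0), bytes(m1)

    def guess(ct, m0, m1):
        # bit attacker right on E_k(M0) -> guess 0; right on E_k(M1) -> guess 1
        return 0 if attacker(ct, i) == bit(m0, i) else 1

    return choose_messages, guess

def ind_game(encrypt, choose_messages, guess, rng):
    """Slide's IND game against an eavesdropper: challenger picks k and b, adversary
    picks M0, M1 of equal length, sees E_k(Mb) and must output b' = b."""
    key = bytes(rng.randrange(256) for _ in range(BLOCK_BYTES))
    b = rng.randrange(2)
    m0, m1 = choose_messages(rng)
    ct = encrypt(key, (m0, m1)[b])
    return guess(ct, m0, m1) == b

def win_rate(play, trials=2000, seed=1):
    """Empirical win probability of a game over `trials` independent runs (seeded)."""
    rng = random.Random(seed)
    return sum(play(rng) for _ in range(trials)) / trials

def compare(encrypt, i=0):
    """(bit-game win rate, IND-game win rate of the reduced adversary) for a cipher.
    The reduced adversary wins exactly when the bit attacker it wraps wins, so the
    IND advantage is at least the bit-recovery advantage, which is what the proof needs."""
    choose, guess = ind_adversary_from_bit_attacker(bit_attacker, i)
    return (win_rate(lambda r: bit_security_game(encrypt, bit_attacker, i, r)),
            win_rate(lambda r: ind_game(encrypt, choose, guess, r)))
```

Against the leaky cipher the bit attacker on i = 0 wins every time, and so does the IND adversary built from it (win rate 1.0 in both games); against the pad, or against the leaky cipher on any masked bit, both rates sit at about 0.5. Read contrapositively this is the slide's theorem: a cipher that is not bit secure cannot be IND-CPA secure.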

Summary
• Number Theory
– Primes, gcd, Euler's Theorem, CRT
– Modular arithmetic
• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)
• Shannon Security
– Perfect secrecy
– Probability
• Complexity of Computing
– P, NP, NPC, BPP

Homework
• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date

Zp
• Zp is the "field" of integers modulo p
– Zp = {0, 1, 2, …, p−1}
– Normal addition modulo p
– Normal multiplication modulo p
• Example: Z2
  +  | 0 1        ·  | 0 1        w | −w | w^−1
  ---+-----       ---+-----       --+----+------
  0  | 0 1        0  | 0 0        0 |  0 | (none)
  1  | 1 0        1  | 0 1        1 |  1 |   1
    (XOR)           (AND)

Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + a(n−1)·x^(n−1) + … + a1·x + a0, where each ai ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example
• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
– f(x) + g(x) = x^3 + x^2 + 1
– f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
– f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
– p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
– In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
• 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x), then b(x) = a^(−1)(x) mod p(x)

Irreducible Polynomials
• Definition: If a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: A polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
– x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1): Properties
• S is a group over addition in R
– 0 is e, and the inverse of a ∈ S is a itself
– Example: (x^2 + 1) + (x^2 + 1) = 0
• S is a group over multiplication mod p(x)
– 1 is e, and the inverse of a ∈ S exists
– Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
– Note: Can use the Extended Euclidean Algorithm to find the inverse
• Z2[x]/(x^3 + x + 1) is a Field

Galois Field
• Definition: Galois field = (S, +, ·)
– S = F[x]/p(x)
– F is the field ZN (N is prime)
– + is addition in F, · is multiplication modulo p(x)
– p(x) is irreducible
• The Galois field over ZN[x]/p(x) is denoted GF(N^n) when n = deg p(x)

Why Galois Field?
• For an 8-bit block
– Z256 = {0, 1, …, 255} is not a field
– Z251 = {0, 1, …, 250} is a field
• The largest prime < 256 is 251
• 251 … 255 are wasted
• Is it possible to find a field for Z256?
– Yes: Galois Field

Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
– 10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES
• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
– 01010011 ↔ x^6 + x^4 + x + 1
– (01010011)^(−1) ↔ (x^6 + x^4 + x + 1)^(−1) mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES
• Example: compute 02·87
• 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
• 02 = 00000010 ↔ f(x) = x
• 02·87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, for a byte b7 b6 b5 b4 b3 b2 b1 b0:
– x·f(x) = 02·(b7 … b0) = (b6 b5 b4 b3 b2 b1 b0 0), if b7 = 0
– x·f(x) = 02·(b7 … b0) = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011), if b7 = 1
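The polynomial arithmetic of the preceding slides (Z5[x] congruences, the residue field Z2[x]/(x^3 + x + 1), and the AES field GF(2^8)), as one added example that is not part of the lecture. Polynomials over Zp are coefficient lists, low degree first; the binary-field helpers map an integer to a Z2[x] polynomial bit by bit, which is exactly the block-to-polynomial mapping of the slides, and the inverse is computed with the extended Euclidean algorithm the slide mentions. The function names, the list representation and `AES_POLY` are the example's own choices.

```python
# Added example: arithmetic in Z_p[x] and in the residue field Z_p[x]/p(x).
# A polynomial is a list of coefficients, low degree first: [a0, a1, ..., an].
from itertools import product

def trim(f):
    """Strip high zero coefficients so len(f) - 1 is the degree (the zero polynomial is [])."""
    f = list(f)
    while f and f[-1] == 0:
        f.pop()
    return f

def poly_add(f, g, p):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([(a + b) % p for a, b in zip(f, g)])

def poly_sub(f, g, p):
    return poly_add(f, [(-c) % p for c in g], p)

def poly_mul(f, g, p):
    f, g = trim(f), trim(g)
    if not f or not g:
        return []
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return trim(out)

def poly_divmod(f, g, p):
    """Long division f = q*g + r in Z_p[x]; p prime makes every leading coefficient invertible."""
    f, g = trim(f), trim(g)
    if not g:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(g[-1], -1, p)
    q, r = [0] * max(len(f) - len(g) + 1, 1), f
    while r and len(r) >= len(g):
        shift = len(r) - len(g)
        coef = r[-1] * inv_lead % p
        q[shift] = coef
        r = poly_sub(r, [0] * shift + [coef * c % p for c in g], p)
    return trim(q), r

def poly_mod(f, g, p):
    return poly_divmod(f, g, p)[1]

def poly_inv(a, m, p):
    """a^-1 modulo m by the extended Euclidean algorithm (the slide's suggested method)."""
    r0, r1 = trim(m), poly_mod(a, m, p)
    s0, s1 = [], [1]                 # invariant: r_i = s_i * a (mod m)
    while r1:
        q, r = poly_divmod(r0, r1, p)
        r0, r1 = r1, r
        s0, s1 = s1, poly_sub(s0, poly_mul(q, s1, p), p)
    if len(r0) != 1:
        raise ValueError("not invertible: gcd(a, m) is not a constant")
    c = pow(r0[0], -1, p)            # scale the constant gcd to 1
    return trim([c * x % p for x in poly_mod(s0, m, p)])

def is_irreducible(f, p):
    """Trial division by every monic polynomial of degree 1..deg(f)/2 (fine for small p and degree)."""
    f = trim(f)
    n = len(f) - 1
    if n < 1:
        return False
    for d in range(1, n // 2 + 1):
        for low in product(range(p), repeat=d):
            if not poly_mod(f, list(low) + [1], p):
                return False
    return True

# GF(2^n) on integers: bit i of the integer is the coefficient of x^i.
def int_to_poly(v):
    return trim([(v >> i) & 1 for i in range(v.bit_length())])

def poly_to_int(f):
    return sum(c << i for i, c in enumerate(f))

AES_POLY = int_to_poly(0x11B)        # x^8 + x^4 + x^3 + x + 1

def gf2n_mul(a, b, modulus=AES_POLY):
    return poly_to_int(poly_mod(poly_mul(int_to_poly(a), int_to_poly(b), 2), modulus, 2))

def gf2n_inv(a, modulus=AES_POLY):
    return poly_to_int(poly_inv(int_to_poly(a), modulus, 2))

def xtime(b):
    """AES multiplication by 02 as the shift-and-conditional-XOR rule of the slide."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b
```

`poly_mod([4, 4, 0, 3], [1, 0, 1], 5)` reproduces the Z5[x] example (3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1), `gf2n_mul(0b101, 0b010, int_to_poly(0b1011))` returns 1 for (x^2 + 1)·x in Z2[x]/(x^3 + x + 1), and `gf2n_inv(0x53)` returns 0xCA, the AES inverse quoted above. `xtime(0x87)` agrees with the generic `gf2n_mul(0x87, 0x02)`, which is why implementations can replace the polynomial reduction by one shift and one conditional XOR of 0x1B.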

Outline
• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Mathematical Model for Ciphers
• P = M^L = { m = (m1, m2, …, mL) | mi ∈ M }
– M = {ai | i = 1, 2, …, N}, p(ai) ≥ 0, ∑_{i=1..N} p(ai) = 1
• K = B^R = { b = (b1, b2, …, bR) | bi ∈ B }
– B = {bi | i = 1, 2, …, S}, p(bi) ≥ 0, ∑_{i=1..S} p(bi) = 1
• C = { c | c = ek(m), k ∈ K, m ∈ M }
• Figure: Sender → Encryption → c → Decryption → Receiver; the key k reaches both ends over a Secure Channel; Cryptanalysis observes c and targets m. Spaces: Message Space (P), Key Space (K), Ciphertext Space (C)

Claude Shannon (1916–2001)
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." (R. G. Gallager)

Probability Distribution of C
• Pr[C = c] = ∑_{k∈K, c∈C(k)} Pr[K = k]·Pr[m = dk(c)]
– C(k) = { ek(m) | m ∈ P }
• Pr[C = c | P = m] = ∑_{k∈K, m=dk(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
  = ( Pr(m)·∑_{k | m=dk(c)} Pr(k) ) / ( ∑_{k∈K, c∈C(k)} Pr(k)·Pr(dk(c)) )

Shannon Security
• Basic Idea: Ciphertext should provide no "information" about Plaintext
– How to define the "information"?
• Definition: An encryption scheme is Shannon secure if the probability distribution of P satisfies ∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
• Also say such a scheme has perfect secrecy

Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and ∀x ∈ P and ∀y ∈ C, there is a unique key k such that ek(x) = y

Proof of ⇐
• Pr[x = x | y = y] = ( ∑_{k∈K, x=dk(y)} Pr[K = k]·Pr[x = x] ) / ( ∑_{k∈K, y∈C(k)} Pr[K = k]·Pr[x = dk(y)] )
• Numerator: ∑_{k∈K, x=dk(y)} Pr[K = k] = 1/|K| (a unique key, used with probability 1/|K|), so the numerator is Pr[x = x]/|K|
• Denominator: ∑_{k∈K, y∈C(k)} Pr[K = k]·Pr[x = dk(y)] = (1/|K|)·∑_{k∈K, y∈C(k)} Pr[x = dk(y)] = (1/|K|)·∑_{x∈P} Pr[x = x] = 1/|K|
• Hence Pr[x = x | y = y] = Pr[x = x]

Proof of ⇒
• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
• |{ ek(x) | k ∈ K }| = |C| = |K|
– There are no k1 ≠ k2 with ek1(x) = ek2(x)
– There is a unique key k such that ek(x) = y

Proof of ⇒ (continued)
• Let n = |K| and P = { xi | 1 ≤ i ≤ n }
• Given a fixed y, assume k1, k2, …, kn where eki(xi) = y
• Pr[xi | y] = Pr[y | xi]·Pr[xi] / Pr[y] = Pr[K = ki]·Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
– Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
– Consider a nonzero probability distribution of P
– Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
– As one key can decrypt c into only one message, at least n keys are needed
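The formulas of the previous slides evaluated exactly, as an added example that is not part of the lecture. A shift cipher over Z3 is run with a biased plaintext distribution and three constructed key distributions: uniform keys (perfect secrecy, and both conditions of the theorem hold), biased keys over the same key space (the equiprobability condition fails, and so does perfect secrecy), and a two-key space smaller than the plaintext space (the "bad news" bound |K| ≥ n is violated). Exact fractions avoid floating-point noise in the equality test; all names and distributions are the example's own.

```python
# Added example: Pr[C = c], Pr[P = m | C = c] and the perfect-secrecy test for a
# shift cipher over Z_3 with a biased plaintext distribution, computed exactly.
from fractions import Fraction as F
from itertools import product

def ciphertext_probs(P, K, encrypt):
    """Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k]·Pr[P = m]."""
    pc = {}
    for (k, pk), (m, pm) in product(K.items(), P.items()):
        c = encrypt(k, m)
        pc[c] = pc.get(c, 0) + pk * pm
    return pc

def posterior(P, K, encrypt, m, c):
    """Pr[P = m | C = c] via Bayes: Pr[C = c | P = m]·Pr[P = m] / Pr[C = c],
    where Pr[C = c | P = m] = sum of Pr[K = k] over the keys with e_k(m) = c."""
    pc_given_m = sum(pk for k, pk in K.items() if encrypt(k, m) == c)
    return pc_given_m * P[m] / ciphertext_probs(P, K, encrypt)[c]

def is_perfectly_secret(P, K, encrypt):
    """Shannon's definition: for every c with Pr[C = c] > 0 and every m,
    Pr[P = m | C = c] = Pr[P = m]."""
    pc = ciphertext_probs(P, K, encrypt)
    return all(posterior(P, K, encrypt, m, c) == P[m]
               for m in P for c in pc if pc[c] > 0)

def theorem_conditions_hold(P, K, encrypt):
    """The characterisation for |K| = |P| = |C|: keys equiprobable, and for every
    (x, y) exactly one key with e_k(x) = y."""
    C = {encrypt(k, m) for k in K for m in P}
    if not (len(K) == len(P) == len(C)):
        return False
    equiprobable = len(set(K.values())) == 1
    one_key_each = all(sum(1 for k in K if encrypt(k, x) == y) == 1 for x in P for y in C)
    return equiprobable and one_key_each

def shift_cipher(n):
    """e_k(m) = m + k mod n on Z_n; with uniform keys this is a one-symbol one-time pad."""
    return lambda k, m: (m + k) % n

# Constructed distributions (not from the lecture).
PLAINTEXT = {0: F(1, 2), 1: F(1, 3), 2: F(1, 6)}      # plaintext may be as biased as you like
UNIFORM_KEYS = {0: F(1, 3), 1: F(1, 3), 2: F(1, 3)}   # |K| = |P| = |C| = 3, equiprobable
BIASED_KEYS = {0: F(1, 2), 1: F(1, 4), 2: F(1, 4)}    # same key space, unequal probabilities
SHORT_KEYS = {0: F(1, 2), 1: F(1, 2)}                  # |K| = 2 < |P| = 3: the "bad news" case
```

With biased keys, `posterior(PLAINTEXT, BIASED_KEYS, shift_cipher(3), 0, 0)` is 2/3 while Pr[P = 0] is 1/2: seeing ciphertext 0 has shifted the adversary's belief toward plaintext 0, which is exactly the information leak the definition forbids. With the two-key space, ciphertext 0 rules plaintext 1 out entirely (posterior 0), the direct form of the argument in the "bad news" proof.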

Introduction to Complexity
• Perfect Secrecy: key-length ≥ msg-length
– Can NOT use one key to encrypt many messages
– Such as using a 56-bit key to encrypt a document (> 56 bits)
• So, in modern cryptography
– NOT perfect secrecy
– IS secure under limited resources (complexity)
– Means that key (or plaintext) recovery is difficult
– Complexity is the foundation of modern cryptography

Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
– Name: GCD problem
– Instance: Two natural numbers a, b ∈ N
– Question: What is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine
• Definition: A Turing Machine is a transition function S × B → S × B × {l, r}
– Where S is the set of States, B is the set of Characters, l is shift left, r is shift right
• Figure: an infinite tape "… 0 1 1 0 0 0 1 1 …" read and written by a head driven by a State Machine
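The definition above turned into a runnable machine, as an added example that is not part of the lecture. The transition function S × B → S × B × {l, r} is a dictionary, the tape is a dictionary indexed by head position (so it is unbounded in both directions), and a blank symbol marks unused cells. The machine `INCREMENT`, constructed for the example, adds one to a binary number; the step count it returns is the quantity the time-complexity definition on a later slide counts. All names are the example's own.

```python
# Added example: a deterministic Turing machine simulator for delta: S x B -> S x B x {l, r}.
BLANK = "_"
LEFT, RIGHT = "l", "r"

def run_tm(delta, start, halt, tape_str, max_steps=10_000):
    """Run the machine from `start` with the head on the first tape symbol until it
    reaches `halt`. Returns (tape contents without surrounding blanks, steps taken)."""
    tape = {i: s for i, s in enumerate(tape_str)} or {0: BLANK}
    state, head, steps = start, 0, 0
    while state != halt:
        if steps >= max_steps:
            raise RuntimeError("step budget exhausted (machine may not halt)")
        symbol = tape.get(head, BLANK)
        state, written, move = delta[(state, symbol)]   # one application of delta
        tape[head] = written
        head += 1 if move == RIGHT else -1
        steps += 1
    lo, hi = min(tape), max(tape)
    return "".join(tape[i] for i in range(lo, hi + 1)).strip(BLANK), steps

# Binary increment (constructed for the example): state R scans right to the end of the
# number, state C walks back left turning trailing 1s into 0s until it can write the carry.
INCREMENT = {
    ("R", "0"): ("R", "0", RIGHT),
    ("R", "1"): ("R", "1", RIGHT),
    ("R", BLANK): ("C", BLANK, LEFT),
    ("C", "1"): ("C", "0", LEFT),
    ("C", "0"): ("H", "1", RIGHT),
    ("C", BLANK): ("H", "1", RIGHT),   # carried past the top bit: number grows by one digit
}

def increment_binary(bits):
    """Add one to a binary string using the INCREMENT machine; returns (result, steps)."""
    return run_tm(INCREMENT, "R", "H", bits)
```

On "0110" the machine halts after 6 steps with "0111"; on "111" it needs 8 steps and grows the tape to the left to write "1000". The step count is linear in the length of the input, which is how the time complexity function of the later slide is measured.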

Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms
• Figure: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, whose Output is the answer

Complexity of Algorithm
• Definition: The time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
– Logarithmic functions: f(n) = log(n)
– Polynomial functions: f(n) = n^a, a ∈ N
– Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
– The complexity of a problem is much more difficult to determine
– It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem
• Undecidable: provably intractable
– There is no algorithm that solves it
– Such as the Turing Halting Problem
• Decidable
– P: can be solved in polynomial time using a DTM
• Example: A·B
– NP: can be solved in polynomial time using an NDTM, whose transition function S × B → 2^(S × B × {l, r}) allows several next moves
– BPP: can be "solved" in polynomial time using a PTM, S × B × {0, 1} → S × B × {l, r} (Randomized algorithms)

NP Problem
• NP ⊇ P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
– P Problem ⊆ NP Problem
– NP Problems are "more difficult" by intuition
• NPC: The most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy problems

Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are their sets of 'yes' instances.
Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
– Q2 is at least as complex as Q1
– Denoted as Q1 ≤poly Q2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 57
Polynomial Ring
bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0
bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 58
Polynomial Ring Example
bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]
ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 ≡ x(x + 1) + 1 mod p(x) = x^2 + x + 1
• Note: when p(x) is irreducible, R[x]/p(x) is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1): Properties
• S is a group under addition in R
  – 0 is the identity e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S is a group under multiplication mod p(x)
  – 1 is the identity e, and the inverse of a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3 + x + 1) is a Field
Galois Field
• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is a field Z_N (N is prime)
  – + is addition in F, · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted GF(N^n), where n = deg p(x)

Why Galois Field
• For an 8-bit block
  – Z_256 = {0, 1, …, 255} is not a field
  – Z_251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for Z_256?
  – Yes: the Galois Field

Galois Field for Z_256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
    10010111  ↔  1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)
Galois Field Example: AES
• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^{-1} ↔ (x^6 + x^4 + x + 1)^{-1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES
• Example: 02·87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ f(x) = x
  • 02·87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, for a byte (b7 b6 b5 b4 b3 b2 b1 b0):
  x·f(x) = 02·(b7 … b0) = (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
                         = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1
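The polynomial arithmetic of the slides from "Polynomial Ring Example" through the two AES slides (addition and multiplication in Z2[x], reduction modulo p(x), the irreducibility test, the inverse via the Extended Euclidean Algorithm, the GF(2^3) example with p(x) = x^3 + x + 1, and the AES facts 53^{-1} = CA and the 02·byte rule) worked in code. This is an added example, not code from the lecture or from any AES implementation; polynomials are packed into Python ints (bit i holds the coefficient of x^i), and every function and class name (poly_mul, poly_divmod, GF2n, xtime, units_in_z256, …) is this example's own.

```python
# Added example (not from the lecture slides): arithmetic in the binary Galois field
# GF(2^n) = Z2[x]/p(x).  A polynomial over Z2 is packed into an int with bit i holding
# the coefficient of x^i, so 0b1011 is x^3 + x + 1 and 0x11B is the AES polynomial.
from math import gcd

def poly_degree(a: int) -> int:
    """Degree of a packed polynomial; the zero polynomial gets -1."""
    return a.bit_length() - 1

def poly_add(a: int, b: int) -> int:
    """Addition in Z2[x]: coefficients add mod 2, which is XOR; subtraction is identical."""
    return a ^ b

def poly_mul(a: int, b: int) -> int:
    """Unreduced product in Z2[x] by shift-and-XOR schoolbook multiplication."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a: int, b: int):
    """Long division in Z2[x]: (quotient, remainder) with deg(remainder) < deg(b)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, poly_degree(b)
    while poly_degree(a) >= db:
        shift = poly_degree(a) - db
        q ^= 1 << shift        # the quotient gains x^shift ...
        a ^= b << shift        # ... and b(x) * x^shift is subtracted (XORed) from a
    return q, a

def poly_mod(a: int, p: int) -> int:
    """Residue of a(x) modulo p(x): the representative of its class in Z2[x]/p(x)."""
    return poly_divmod(a, p)[1]

def is_irreducible(p: int) -> bool:
    """Trial division: p(x) is irreducible over Z2 iff no polynomial of degree
    1 .. deg(p)//2 divides it (any proper factorization has one factor that small)."""
    d = poly_degree(p)
    if d < 1:
        return False
    return all(poly_mod(p, b) != 0 for b in range(2, 1 << (d // 2 + 1)))

class GF2n:
    """The field Z2[x]/p(x): with p(x) irreducible every nonzero residue has an inverse."""

    def __init__(self, p: int):
        if not is_irreducible(p):
            raise ValueError("p(x) must be irreducible for Z2[x]/p(x) to be a field")
        self.p, self.n = p, poly_degree(p)
        self.elements = range(1 << self.n)   # all polynomials of degree < n

    def mul(self, a: int, b: int) -> int:
        return poly_mod(poly_mul(a, b), self.p)

    def inverse(self, a: int) -> int:
        """Extended Euclidean algorithm in Z2[x], carrying s_i with s_i * a = r_i (mod p)."""
        a = poly_mod(a, self.p)
        if a == 0:
            raise ZeroDivisionError("0 has no multiplicative inverse")
        r0, r1, s0, s1 = self.p, a, 0, 1
        while r1 != 1:                  # gcd(a, p) = 1, so the remainders reach 1
            q, r = poly_divmod(r0, r1)
            r0, r1 = r1, r
            s0, s1 = s1, poly_add(s0, self.mul(q, s1))
        return s1

    def xtime(self, a: int) -> int:
        """Multiply by x: shift left and, if an x^n term appeared, cancel it with p(x).
        For n = 8 this is the slide's rule: shift, then XOR 00011011 when b7 = 1."""
        a <<= 1
        if (a >> self.n) & 1:
            a ^= self.p
        return a

def poly_str(a: int) -> str:
    """Render a packed polynomial as 'x^3 + x + 1'."""
    if a == 0:
        return "0"
    return " + ".join("1" if i == 0 else "x" if i == 1 else f"x^{i}"
                      for i in range(poly_degree(a), -1, -1) if (a >> i) & 1)

def units_in_z256() -> int:
    """Elements of Z_256 with a multiplicative inverse: only the 128 odd ones, which is
    why Z_256 is not a field, whereas in GF(2^8) all 255 nonzero bytes are invertible."""
    return sum(1 for a in range(256) if gcd(a, 256) == 1)

if __name__ == "__main__":
    print(poly_str(poly_mul(0b1011, 0b110)))             # x^5 + x^4 + x^3 + x  (polynomial ring slide)
    print(poly_str(poly_mod(0b10001, 0b1011)))           # x^2 + x + 1          (x^4 + 1 mod p)
    gf8 = GF2n(0b1011)                                   # GF(2^3) with p = x^3 + x + 1
    print(poly_str(gf8.inverse(0b101)))                  # x, since (x^2 + 1) * x = 1
    aes = GF2n(0x11B)                                    # GF(2^8) with p = x^8+x^4+x^3+x+1
    print(hex(aes.inverse(0x53)), hex(aes.xtime(0x87)))  # 0xca 0x15
    print(units_in_z256(), len(aes.elements) - 1)        # 128 255
```

The constructor refuses a reducible p(x): with a reducible modulus the Euclidean loop would find a nonzero remainder of positive degree, meaning some residues have no inverse and the structure is only a ring, which is exactly the difference between Z_256 and GF(2^8) that the "Why Galois Field" slide draws.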
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers
• Message space P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai | i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• Key space K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi | i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• Ciphertext space C = {c | c = e_k(m), k ∈ K, m ∈ M}
• [Figure: Sender → Encryption → c → Decryption → Receiver, with the key k delivered over a Secure Channel and the ciphertext c exposed to Cryptanalysis; labelled Key Space (K), Message Space (P), Ciphertext Space (C)]

Claude Shannon (1916-2001)
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
(R. G. Gallager)
Probability Distribution of C
• Pr[C = c] = Σ_{k∈K: c∈C(k)} Pr[K = k] · Pr[P = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k∈K: m=d_k(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k: m=d_k(c)} Pr(k) ) / ( Σ_{k∈K: c∈C(k)} Pr(k) · Pr(d_k(c)) )

Shannon Security
• Basic Idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P,
  ∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Proof of (⇐)
• Pr[X = x | Y = y] = ( Σ_{k∈K: x=d_k(y)} Pr[K = k] · Pr[X = x] ) / ( Σ_{k∈K: y∈C(k)} Pr[K = k] · Pr[X = d_k(y)] )
• Numerator: Σ_{k∈K: x=d_k(y)} Pr[K = k] = 1/|K|, since exactly one key maps x to y and every key has probability 1/|K|
• Denominator: Σ_{k∈K: y∈C(k)} Pr[K = k] · Pr[X = d_k(y)] = (1/|K|) · Σ_{k∈K: y∈C(k)} Pr[X = d_k(y)] = (1/|K|) · Σ_{x∈P} Pr[X = x] = 1/|K|
• Hence Pr[X = x | Y = y] = Pr[X = x]
Proof of (⇒), part 1
• Pr[y] > 0, and Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
• Fix x ∈ P and y ∈ C: we have Pr[y | x] = Pr[y] > 0, thus at least one k exists that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – There is a unique key k such that e_k(x) = y

Proof of (⇒), part 2
• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with e_{ki}(x_i) = y
• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = k_i] · Pr[x_i] / Pr[y]
• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
  – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
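The formulas for Pr[C = c], Pr[C = c | P = m] and Pr[P = m | C = c], Shannon's definition, the two conditions of the perfect secrecy theorem and the |K| ≥ n bound, all evaluated by exhaustive enumeration on tiny constructed cryptosystems. This is an added example, not from the slides; the cryptosystems (a one-symbol shift cipher over Z5 with uniform keys, the same rule with a biased key distribution, and a cipher with two keys for four plaintexts), the plaintext distribution SKEWED, and the names Cryptosystem, pr_c, has_perfect_secrecy and so on are all this example's own.

```python
# Added example (not from the lecture slides): the ciphertext distribution formulas
# evaluated exhaustively on tiny constructed cryptosystems, using exact fractions so
# that perfect secrecy can be tested as an equality rather than approximately.
from fractions import Fraction

def uniform(space):
    """Uniform distribution over a finite set, as exact fractions."""
    space = list(space)
    return {x: Fraction(1, len(space)) for x in space}

class Cryptosystem:
    """(P, C, K, E) with a key distribution Pr[K = k]; encrypt(k, m) is the rule e_k(m)."""

    def __init__(self, plaintexts, keys, encrypt, key_dist=None):
        self.P = list(plaintexts)
        self.K = list(keys)
        self.e = encrypt
        self.C = sorted({encrypt(k, m) for k in self.K for m in self.P})
        self.pr_k = key_dist or uniform(self.K)

def pr_c(cs, pr_m, c):
    """Pr[C = c] = sum over k in K with c in C(k) of Pr[K = k] * Pr[P = d_k(c)]."""
    return sum(cs.pr_k[k] * pr_m[m] for k in cs.K for m in cs.P if cs.e(k, m) == c)

def pr_c_given_m(cs, c, m):
    """Pr[C = c | P = m] = sum over k with e_k(m) = c of Pr[K = k]."""
    return sum(cs.pr_k[k] for k in cs.K if cs.e(k, m) == c)

def pr_m_given_c(cs, pr_m, m, c):
    """Bayes: Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c]."""
    return pr_c_given_m(cs, c, m) * pr_m[m] / pr_c(cs, pr_m, c)

def has_perfect_secrecy(cs, pr_m):
    """Shannon's definition: Pr[P = m | C = c] = Pr[P = m] for every m and every c that can occur."""
    return all(pr_m_given_c(cs, pr_m, m, c) == pr_m[m]
               for c in cs.C if pr_c(cs, pr_m, c) > 0
               for m in cs.P)

def satisfies_theorem_conditions(cs):
    """The two conditions of the perfect secrecy theorem for |K| = |P| = |C|:
    keys are equiprobable, and each (x, y) pair is connected by exactly one key."""
    sizes_match = len(cs.K) == len(cs.P) == len(cs.C)
    equiprobable = len(set(cs.pr_k.values())) == 1
    one_key = all(sum(1 for k in cs.K if cs.e(k, x) == y) == 1 for x in cs.P for y in cs.C)
    return sizes_match and equiprobable and one_key

def shift_cipher(modulus):
    """One symbol of a shift cipher over Z_modulus, e_k(m) = m + k mod modulus: a one-symbol one-time pad."""
    return Cryptosystem(range(modulus), range(modulus), lambda k, m: (m + k) % modulus)

def biased_key_cipher():
    """Same rule over Z_5, but key 0 is chosen half the time: violates the equiprobable-key condition."""
    dist = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8), 3: Fraction(1, 8), 4: Fraction(1, 8)}
    return Cryptosystem(range(5), range(5), lambda k, m: (m + k) % 5, key_dist=dist)

def short_key_cipher():
    """Four plaintexts but only two keys: the 'bad news' theorem says |K| >= |P| is necessary."""
    return Cryptosystem(range(4), range(2), lambda k, m: (m + k) % 4)

# Constructed, deliberately skewed plaintext distribution over Z_5 (the values sum to 1).
SKEWED = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 16), 4: Fraction(1, 16)}

if __name__ == "__main__":
    otp = shift_cipher(5)
    print("uniform keys, skewed plaintexts:", has_perfect_secrecy(otp, SKEWED))          # True
    print("biased keys:", has_perfect_secrecy(biased_key_cipher(), uniform(range(5))))   # False
    short = short_key_cipher()
    print("|K| < |P|:", has_perfect_secrecy(short, uniform(short.P)))                    # False
    print("Pr[P=1 | C=0] with two keys:", pr_m_given_c(short, uniform(short.P), 1, 0))   # 0
```

With two keys and four plaintexts the ciphertext 0 can only come from plaintexts 0 and 3, so Pr[P = 1 | C = 0] is 0 while Pr[P = 1] is 1/4: seeing the ciphertext rules plaintexts out, which is precisely the "information" Shannon security forbids.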
Introduction of the Complexity
• Perfect Secrecy: key-length ≥ msg-length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Means that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: A Turing Machine is a mapping S × B → S × B × {l, r}
  – where S is the set of states, B the set of characters (tape symbols), l is shift left, and r is shift right
• [Figure: a tape "… 0 1 1 0 0 0 1 1 …" read by a State Machine]

Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms
• [Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]
Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem
• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: AB
  – NP: can be solved in polynomial time using an NDTM, S × B → 2^{S × B × {l, r}}
  – BPP: can be "solved" in polynomial time using a PTM, S × B × {0, 1} → S × B × {l, r} (randomized algorithms)
NP Problem
• NP ⊇ P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult" by intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is more complex than Q1
  – Denoted as Q1 ≤_poly Q2

NP Completeness (NPC)
• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC
  – SAT ≤_poly Q
P = NP?
• Either P = NP, or there exists p ∈ NP with p ∉ P
• If P = NP
  – Modern cryptography is NOT secure
• If there exists p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are foundations of modern cryptography

BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Find x satisfying g^x ≡ h (mod p)
• DHP: Find g^{ab} (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)
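The problems listed above share the pattern the NP slides describe: a proposed answer can be checked in polynomial time, while the only generic way to find one is to search a space that is exponential in the instance size. The following added example (not from the slides) writes a verifier for FACTORING, DLP, SQROOT and Subset-Sum, a brute-force solver for the last three, and Euler's criterion for QRP when the modulus is prime. The instances (5^x ≡ 8 mod 23, x^2 ≡ 4 mod 15, the list [3, 34, 4, 12, 5, 2]) are constructed, and every function name is this example's own.

```python
# Added example (not from the lecture slides): verifiers (polynomial time) versus
# exhaustive search (exponential time) for the problems on the slide.  Instances are
# small constructed ones; all names are this example's own.
from itertools import combinations
from math import isqrt

def is_prime(p):
    return p >= 2 and all(p % d for d in range(2, isqrt(p) + 1))

def verify_factoring(n, factors):
    """FACTORING certificate: (prime, exponent) pairs whose product is n."""
    prod = 1
    for p, e in factors:
        if not is_prime(p):
            return False
        prod *= p ** e
    return prod == n

def verify_dlp(g, h, p, x):
    """DLP certificate: x with g^x = h (mod p); one modular exponentiation to check."""
    return pow(g, x, p) == h % p

def verify_sqroot(a, n, x):
    """SQROOT certificate: x with x^2 = a (mod n)."""
    return (x * x) % n == a % n

def verify_subset_sum(A, s, idx):
    """Subset-Sum certificate: distinct indices into A whose elements sum to s."""
    return (len(set(idx)) == len(idx)
            and all(0 <= i < len(A) for i in idx)
            and sum(A[i] for i in idx) == s)

def solve_dlp(g, h, p):
    """Exhaustive search over the p - 1 exponents: exponential in the bit length of p."""
    for x in range(p - 1):
        if verify_dlp(g, h, p, x):
            return x
    return None

def solve_sqroot(a, n):
    """Exhaustive search over Z_n; returns the smallest root or None."""
    for x in range(n):
        if verify_sqroot(a, n, x):
            return x
    return None

def solve_subset_sum(A, s):
    """Exhaustive search over all 2^n subsets, smallest subsets first."""
    for r in range(len(A) + 1):
        for idx in combinations(range(len(A)), r):
            if verify_subset_sum(A, s, idx):
                return idx
    return None

def is_quadratic_residue_mod_prime(a, p):
    """QRP for a prime modulus is easy: Euler's criterion a^((p-1)/2) = 1 (mod p).
    For a composite n with unknown factorization no comparable polynomial-time test is known."""
    return a % p != 0 and pow(a, (p - 1) // 2, p) == 1

if __name__ == "__main__":
    print(verify_factoring(84, [(2, 2), (3, 1), (7, 1)]))                 # True
    print(solve_dlp(5, 8, 23))                                             # 6, since 5^6 = 8 (mod 23)
    print(solve_sqroot(4, 15))                                             # 2 (7, 8 and 13 are roots too)
    print(solve_subset_sum([3, 34, 4, 12, 5, 2], 9))                       # (2, 4): 4 + 5
    print(is_quadratic_residue_mod_prime(2, 23), is_quadratic_residue_mod_prime(5, 23))  # True False
```

The contrast to notice is in the loop bounds: each verifier does a fixed amount of arithmetic on the certificate, whereas solve_dlp walks up to p - 1 candidates and solve_subset_sum up to 2^n, which is why these instances are tiny and why the real-world parameters of the corresponding cryptosystems are hundreds or thousands of bits.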
Semantic Security
• Ideas of Semantic Security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of Semantic Security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• Game between Challenger and Adversary
  – Challenger picks a random k and a random b ∈ {0, 1}
  – Adversary picks M0, M1 of equal length
  – Challenger returns E_k(M_b); the adversary outputs a guess b'
  – Attacker wins the game if b = b'

Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• Game between Challenger and Adversary
  1. Challenger picks a random k
  2. Challenger picks a random M and returns E_k(M)
  3. Adversary picks i and outputs a guess a
  – Attacker wins the game if a = the i'th bit of M

Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
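The two games and the reduction of the proof sketch above, as an added example that is not from the slides: a simulation of the IND-CPA game and the bit-security game against two constructed toy ciphers, a one-time pad with a fresh key per round and a deliberately broken cipher that leaves bit 7 of every byte unencrypted, together with a wrapper that turns a bit predictor into an IND-CPA adversary. The names otp_encrypt, leaky_encrypt, PredictorToIndCpa, win_rate and the 4-byte block size are this example's own assumptions.

```python
# Added example (not from the lecture slides): the IND-CPA game and the bit-security
# game played against two constructed toy ciphers, plus the reduction from the proof
# sketch: a bit predictor is wrapped into an IND-CPA adversary.  All names are this
# example's own; the one-time pad draws a fresh random key in every round.
import random

BLOCK = 4  # message length in bytes

def otp_encrypt(key, msg):
    """One-time pad: ciphertext = key XOR message."""
    return bytes(k ^ m for k, m in zip(key, msg))

def leaky_encrypt(key, msg):
    """Deliberately broken cipher: bits 0..6 of each byte are XORed with the key,
    but bit 7 of the plaintext byte is copied into the ciphertext unchanged."""
    return bytes(((k ^ m) & 0x7F) | (m & 0x80) for k, m in zip(key, msg))

def random_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))

def message_bit(msg, i):
    """Bit i of a message, numbering bit 0 as the low bit of byte 0."""
    return (msg[i // 8] >> (i % 8)) & 1

def ind_cpa_game(encrypt, adversary, rng):
    """One round of the IND-CPA game: the challenger picks k and b, the adversary
    picks M0, M1 of equal length, receives E_k(M_b) and outputs b'.  Wins if b' = b."""
    key, b = random_bytes(rng, BLOCK), rng.getrandbits(1)
    m0, m1 = adversary.choose()
    if len(m0) != len(m1):
        raise ValueError("M0 and M1 must have equal length")
    return adversary.guess(encrypt(key, (m0, m1)[b])) == b

def bit_game(encrypt, predictor, rng):
    """One round of the bit-security game: the challenger picks k and M, the adversary
    sees E_k(M), picks i and guesses bit i of M."""
    key, msg = random_bytes(rng, BLOCK), random_bytes(rng, BLOCK)
    i, a = predictor(encrypt(key, msg))
    return a == message_bit(msg, i)

def high_bit_predictor(ciphertext):
    """Bit predictor that targets bit 7 of byte 0 and reads it straight out of the ciphertext."""
    return 7, (ciphertext[0] >> 7) & 1

class PredictorToIndCpa:
    """Reduction used in the proof: given a predictor for bit i, choose M0 and M1 that
    differ only in bit i; the predicted bit of M_b then equals b.  Simplification: the
    predictor's target bit is fixed in advance, so M0 and M1 can be built around it."""

    def __init__(self, predictor, bit_index):
        self.predictor, self.i = predictor, bit_index

    def choose(self):
        m0 = bytes(BLOCK)
        m1 = bytearray(BLOCK)
        m1[self.i // 8] |= 1 << (self.i % 8)
        return m0, bytes(m1)

    def guess(self, ciphertext):
        _, predicted = self.predictor(ciphertext)
        return predicted

def win_rate(game, encrypt, adversary, trials=2000, seed=1):
    """Empirical success probability over many seeded rounds; the slides' advantage
    epsilon is win_rate - 0.5."""
    rng = random.Random(seed)
    return sum(game(encrypt, adversary, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    reduction = PredictorToIndCpa(high_bit_predictor, 7)
    print("leaky, bit game:  ", win_rate(bit_game, leaky_encrypt, high_bit_predictor))  # 1.0
    print("leaky, IND-CPA:   ", win_rate(ind_cpa_game, leaky_encrypt, reduction))      # 1.0
    print("one-time pad, bit:", win_rate(bit_game, otp_encrypt, high_bit_predictor))   # about 0.5
    print("one-time pad, IND:", win_rate(ind_cpa_game, otp_encrypt, reduction))        # about 0.5
```

Against the leaky cipher the predictor is right every time, and the wrapped adversary wins the IND-CPA game every time, which is the contrapositive the slide states: a cipher that is not bit secure is not IND-CPA secure either. Against the one-time pad both rates sit at one half, within sampling noise, because a single ciphertext under a fresh uniform key is independent of the message.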
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework
• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 59
Set of Residues Modulo p(x)
bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R
bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 60
Congruent Polynomials
bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))
bull Example
ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)
bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: A Turing Machine is given by a transition function S × B → S × B × {l, r}
  – where S is the set of states, B is the set of tape characters, l is shift left and r is shift right
• (figure: a tape … 0 1 1 0 0 0 1 1 … read and written by the state machine)
Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Problems and Algorithms
(figure: the INSTANCES of a PROBLEM are the Input to an ALGORITHM, which produces the Output)
Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) grows at least as fast as a^n for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problem
• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P – can be solved in polynomial time using a DTM (deterministic Turing machine); example: A B
  – NP – can be solved in polynomial time using an NDTM (nondeterministic Turing machine), whose transition function S × B → 2^S yields a set of possible next states
  – BPP – can be "solved" in polynomial time using a PTM (probabilistic Turing machine), whose transition function S × B × {0,1} → S also reads a random bit (randomized algorithms)
NP Problem
• NP contains P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems are NP problems
  – NP problems are "more difficult", intuitively
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is more complex than Q1
  – Denoted as Q1 ≤poly Q2
NP Completeness (NPC)
• Definition: An NPC problem is a problem Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove that a problem Q is NPC
  – Show SAT ≤poly Q
P = NP?
• Either P = NP, or there exists a problem p ∈ NP with p ∉ P
• If P = NP
  – Modern cryptography is NOT secure
• If there exists p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography
BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 p2^e2 ⋯ pk^ek)
• DLP (discrete logarithm problem): find the exponent x that yields a given value modulo p
• DHP (Diffie-Hellman problem): from the powers with exponents a and b modulo p, find the power with exponent ab modulo p
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)
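Worked example (added here; not part of the original slides): each problem on the list solved at toy size with its naive algorithm, so the reader can see what an instance and a solution look like and why the running time matters. The function names (factor, dlog, dh_shared, subset_sum, is_quadratic_residue, sqrt_mod) and all numbers are constructed for this example; the solvers are exhaustive search, trial division and the pseudo-polynomial Subset-Sum table, which are exponential in the bit-length of the input and therefore only practical because the parameters are tiny.

```python
# Toy-sized instances of the problems on the slide.  The solvers are the naive
# ones (trial division, exhaustive search, pseudo-polynomial dynamic programming);
# they finish instantly here only because the numbers are tiny.  Their cost is
# exponential in the bit-length of the input, which is what lets the same problems
# serve as hardness assumptions at real key sizes.  All parameters are constructed.

def factor(n):
    """FACTORING by trial division: returns {p: e} with n = product of p^e."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def dlog(g, h, p):
    """DLP by exhaustive search: the least x >= 0 with g^x = h (mod p), or None."""
    value = 1
    for x in range(p - 1):
        if value == h % p:
            return x
        value = value * g % p
    return None


def dh_shared(g, ga, gb, p):
    """DHP solved via DLP: recover a from g^a, then compute (g^b)^a (mod p)."""
    a = dlog(g, ga, p)
    return None if a is None else pow(gb, a, p)


def subset_sum(items, s):
    """Subset-Sum by dynamic programming over reachable sums (pseudo-polynomial in s).
    Returns a list of items summing to s, or None if no subset does."""
    reachable = {0: []}                      # sum -> the items that produce it
    for a in items:
        for total, chosen in list(reachable.items()):   # snapshot: use each item once
            if total + a <= s and total + a not in reachable:
                reachable[total + a] = chosen + [a]
    return reachable.get(s)


def is_quadratic_residue(a, p):
    """QRP for an odd prime modulus via Euler's criterion: a^((p-1)/2) = 1 (mod p)."""
    return pow(a % p, (p - 1) // 2, p) == 1


def sqrt_mod(a, p):
    """SQROOT for a prime p = 3 (mod 4): x = a^((p+1)/4) and its negative.
    Modulo a composite n the same task needs the factorization of n, which is
    why SQROOT modulo n is tied to FACTORING."""
    assert p % 4 == 3 and is_quadratic_residue(a, p)
    x = pow(a, (p + 1) // 4, p)
    return sorted((x, (p - x) % p))


if __name__ == "__main__":
    print(factor(84))                                 # {2: 2, 3: 1, 7: 1}
    print(dlog(2, 9, 11))                             # 6, since 2^6 = 64 = 9 (mod 11)
    print(dh_shared(2, 8, 5, 11))                     # 4 = 2^(3*4) (mod 11)
    print(subset_sum([3, 34, 4, 12, 5, 2], 9))        # [4, 5]
    print(is_quadratic_residue(3, 11), is_quadratic_residue(2, 11))   # True False
    print(sqrt_mod(3, 11))                            # [5, 6]
```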
Semantic Security
• Ideas of Semantic Security
  – Between Shannon security and security based on complexity
  – Leak partial information
  – Approximate perfect secrecy
• Definition of Semantic Security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish a ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
• The game (figure): Challenger versus Adversary
  – Challenger picks a random key k and a random bit b ∈ {0, 1}
  – Adversary picks M0, M1 of equal length and receives the encryption of M_b under k
  – Adversary outputs a guess b'; the attacker wins the game if b = b'
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
• The game (figure): Challenger versus Adversary
  1. Challenger picks a random key k
  2. Challenger picks a random message M
  3. Adversary picks an index i, receives the encryption of M under k, and outputs a guess a
  – The attacker wins the game if a = the i'th bit of M
Semantic Security
• Theorem: Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
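Worked example (added here; not part of the original slides): the two games from the previous slides and the reduction used in this proof, simulated in Python. The cipher names (otp_encrypt, leaky_encrypt), the adversary classes and the message length are constructed for this example. The "leaky" cipher is a one-time pad that additionally reveals plaintext bit 0, i.e. it leaks partial information; a bit-security attacker that reads that bit wins every time, and the reduction BitToIndCpa turns it mechanically into an IND-CPA attacker that also wins every time, by choosing M0 and M1 that differ only in the bit the attacker asks about. Against the plain one-time pad both games come out at 1/2, which is the behaviour the theorem promises for a secure cipher. The IND-CPA game here is the single-challenge eavesdropper version shown on the slide, with no encryption oracle.

```python
import random

L = 8  # message length in bits; a constructed toy parameter

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def random_bits(rng, n):
    return tuple(rng.randrange(2) for _ in range(n))

def otp_encrypt(key, msg):
    """One-time pad: key as long as the message, fresh for every game."""
    return xor(key, msg)

def leaky_encrypt(key, msg):
    """Constructed bad cipher: a one-time pad that also reveals plaintext bit 0 in
    the clear.  It leaks partial information, which semantic security forbids."""
    return xor(key, msg) + (msg[0],)

class LeakBitAdversary:
    """Bit-security attacker tailored to leaky_encrypt: asks for bit 0 and reads it
    off the end of the ciphertext."""
    def choose_index(self):
        return 0
    def guess_bit(self, ctxt):
        return ctxt[-1]

def bit_game(encrypt, adv, rng):
    """Bit-security game from the slide: random key and message, the adversary picks
    i, sees the ciphertext and must guess the i-th bit of M."""
    key, msg = random_bits(rng, L), random_bits(rng, L)
    i = adv.choose_index()
    return adv.guess_bit(encrypt(key, msg)) == msg[i]

def ind_cpa_game(encrypt, adv, rng):
    """Eavesdropper IND-CPA game from the slide: the adversary picks M0, M1 of equal
    length, sees the encryption of M_b and must guess b."""
    key, b = random_bits(rng, L), rng.randrange(2)
    m0, m1 = adv.choose_messages()
    if len(m0) != len(m1):
        raise ValueError("M0 and M1 must have equal length")
    return adv.guess_b(encrypt(key, m1 if b else m0)) == b

class BitToIndCpa:
    """The reduction in the proof: a bit-security attacker B becomes an IND-CPA
    attacker with the same running time and advantage.  The two challenge messages
    differ only in the bit B asks about, so B's guess of that bit is a guess of b."""
    def __init__(self, bit_adv, rng):
        self.bit_adv, self.rng = bit_adv, rng
    def choose_messages(self):
        i = self.bit_adv.choose_index()
        base = random_bits(self.rng, L)
        m0 = base[:i] + (0,) + base[i + 1:]
        m1 = base[:i] + (1,) + base[i + 1:]
        return m0, m1
    def guess_b(self, ctxt):
        return self.bit_adv.guess_bit(ctxt)

def win_rate(game, encrypt, make_adv, trials=2000, seed=1):
    """Empirical win probability of an adversary over many independent games."""
    rng = random.Random(seed)
    wins = sum(game(encrypt, make_adv(rng), rng) for _ in range(trials))
    return wins / trials

def bit_adv(rng):
    return LeakBitAdversary()

def reduction_adv(rng):
    return BitToIndCpa(LeakBitAdversary(), rng)

if __name__ == "__main__":
    for name, enc in [("one-time pad", otp_encrypt), ("leaky", leaky_encrypt)]:
        print(name, "bit game:", win_rate(bit_game, enc, bit_adv),
              "IND-CPA via reduction:", win_rate(ind_cpa_game, enc, reduction_adv))
```

The contrapositive is what the proof uses: if the reduction's IND-CPA attacker cannot beat 1/2 + ε, then neither could the bit attacker it was built from, so IND-CPA security implies bit security with the same (t, ε).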
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework
• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 61
Irreducible Polynomials
bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)
bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 62
Example [Z2(x)]x3+x+1
bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1
bull For any f(x)Z2[x] f(x) mod p(x)S
bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1
bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)
Zhijun Li S1034040Autumn08HIT 63
[Z2(x)]x3+x+1 Properties
bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0
bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find
bull [Z2(x)]x3+x+1 is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
Zhijun Li S1034040Autumn08HIT 63
Z2[x]/(x^3+x+1) Properties
• S is a group over addition
  – 0 is the identity e, and the inverse of a ∈ S is a itself
  – Example: (x^2+1) + (x^2+1) = 0
• The nonzero elements of S form a group over multiplication mod p(x)
  – 1 is the identity e, and the inverse of a ∈ S exists
  – Example: (x^2+1) · x = x^3 + x ≡ (x+1) + x = 1 mod (x^3+x+1)
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3+x+1) is a Field
Zhijun Li S1034040Autumn08HIT 64
Galois Field
• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is the field Z_N (N is prime)
  – + is addition in F, · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted as GF(N^n) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251 … 255 are wasted
• Is it possible to find a field with 256 elements, one for every 8-bit block?
  – Yes – a Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: the 8-bit block 10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example: AES
• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010
Zhijun Li S1034040Autumn08HIT 68
Galois Field Example: AES
• Example: 02 · 87 = ?
  – 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  – 02 = 00000010 ↔ f(x) = x
  – 02 · 87 ↔ x·f(x) = x·(x^7 + x^2 + x + 1) mod p(x) = x^8 + x·(x^2 + x + 1) mod p(x)
• In general, for a byte b7 b6 b5 b4 b3 b2 b1 b0, multiplying by 02 (i.e. x·f(x)) gives
  – (b6 b5 b4 b3 b2 b1 b0 0) if b7 = 0
  – (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011) if b7 = 1
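The GF(2^3) properties and the AES GF(2^8) examples above, carried out in code as an added example that is not from the lecture slides: an integer whose bit i is the coefficient of x^i represents a field element (the byte-to-polynomial mapping of the slides), xtime implements the 02·f(x) rule with the 00011011 correction, and the inverse uses the extended Euclidean algorithm the slides mention. The names AES_POLY, GF8_POLY, poly_str, gf_mul, gf_inv and is_field are chosen here.

```python
# Added example (not from the lecture slides): arithmetic in the binary Galois field
# GF(2^n) = Z2[x]/p(x). A field element is an int whose bit i is the coefficient of x^i,
# exactly the block-to-polynomial mapping on the slides; p(x) is written the same way.
AES_POLY = 0x11B      # x^8 + x^4 + x^3 + x + 1, the AES modulus
GF8_POLY = 0b1011     # x^3 + x + 1, the 8-element field from the earlier slide


def poly_str(a: int) -> str:
    """Render an element as a polynomial, e.g. 0x97 (10010111) -> 'x^7 + x^4 + x^2 + x + 1'."""
    terms = []
    for i in range(a.bit_length() - 1, -1, -1):
        if a >> i & 1:
            terms.append({0: "1", 1: "x"}.get(i, f"x^{i}"))
    return " + ".join(terms) if terms else "0"


def xtime(a: int, poly: int = AES_POLY) -> int:
    """Multiply a by x modulo p(x): the slide's rule for 02 * f(x). Shift left; if the old
    top bit b_{n-1} was set, x^n appears and is replaced by p(x) - x^n (for AES: xor 0x1B)."""
    n = poly.bit_length() - 1         # deg p(x)
    a <<= 1
    if a >> n & 1:
        a ^= poly                     # clears bit n and adds the low part of p(x)
    return a


def gf_mul(a: int, b: int, poly: int = AES_POLY) -> int:
    """a * b in GF(2^n) by shift-and-add: each set bit i of b contributes a * x^i."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a, poly)
        b >>= 1
    return result


def gf_inv(a: int, poly: int = AES_POLY) -> int:
    """a^-1 in GF(2^n) by the extended Euclidean algorithm over GF(2)[x], as the slides suggest.
    Invariant: u = s*a and v = t*a (mod p); when u reaches 1, s is the inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    u, v = a, poly
    s, t = 1, 0
    while u != 1:
        if v == 0:                                 # gcd(a, p) != 1: p(x) is not irreducible
            raise ValueError("a has no inverse: p(x) is reducible")
        shift = u.bit_length() - v.bit_length()   # deg(u) - deg(v)
        if shift < 0:                              # keep u as the higher-degree polynomial
            u, v = v, u
            s, t = t, s
            shift = -shift
        u ^= v << shift                            # one step of polynomial long division
        s ^= t << shift
    return s


def is_field(poly: int) -> bool:
    """Check the slide's claim for a given p(x): every nonzero element has an inverse."""
    n = poly.bit_length() - 1
    try:
        return all(gf_mul(a, gf_inv(a, poly), poly) == 1 for a in range(1, 1 << n))
    except ValueError:
        return False


if __name__ == "__main__":
    # GF(2^3) slide: (x^2 + 1) * x = 1 mod x^3 + x + 1
    print(gf_mul(0b101, 0b010, GF8_POLY))                      # 1
    # AES slides: (01010011)^-1 = 11001010, and 02 * 87
    print(f"{gf_inv(0x53):08b}", poly_str(gf_inv(0x53)))      # 11001010 x^7 + x^6 + x^3 + x
    print(f"02 * 87 = {gf_mul(0x02, 0x87):02X} = {poly_str(gf_mul(0x02, 0x87))}")
    print(is_field(AES_POLY), is_field(0b1001))               # True, False: x^3 + 1 is reducible
```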
Zhijun Li S1034040Autumn08HIT 69
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ M}
[Figure: Sender → Encryption (m ↦ c) → Decryption → Receiver; the key k reaches both ends over a Secure Channel; Cryptanalysis observes c and tries to recover m. Labels: Key Space (K), Message Space (P), Ciphertext Space (C)]
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager
Claude Shannon, 1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[m = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k | m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)) )
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: an encryption scheme is Shannon secure if the ciphertext does not change the probability distribution of P, i.e. ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of ⇐
• Pr[X = x | Y = y] = ( Σ_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[X = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[X = d_k(y)] )
• Numerator: Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|, since exactly one key maps x to y
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[X = d_k(y)] = 1/|K| · Σ_{k ∈ K, y ∈ C(k)} Pr[X = d_k(y)] = 1/|K| · Σ_{x ∈ P} Pr[X = x] = 1/|K|
• Hence Pr[X = x | Y = y] = Pr[X = x]
Zhijun Li S1034040Autumn08HIT 76
Proof of ⇒
• Assume Pr[y] > 0 for every y ∈ C
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P and y ∈ C: we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
  – So there are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – There is a unique key k such that e_k(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of ⇒ (continued)
• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with e_{ki}(xi) = y
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y] for every i
  – Every key is used with equal probability 1/|K|
Zhijun Li S1034040Autumn08HIT 78
"Bad News" for Perfect Secrecy
• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a probability distribution on P that is nonzero everywhere
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
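The formulas of the "Probability Distribution of C" slide, Shannon's definition, the perfect secrecy theorem and the |K| ≥ n bound above, evaluated on a constructed shift cipher, as an added example that is not code from the lecture slides; the function and variable names are chosen here, and the cryptosystem is stored as an encryption table {(k, m): e_k(m)}.

```python
from fractions import Fraction

# Added example (not from the lecture slides): evaluate the slide formulas for Pr[C = c],
# Pr[C = c | P = m] and Pr[P = m | C = c] on a small cryptosystem, then check Shannon's
# perfect-secrecy condition and the theorem's two conditions exactly (rational arithmetic).


def shift_cipher(n: int, keys=None) -> dict:
    """Constructed toy cryptosystem: P = C = Z_n, e_k(m) = m + k mod n; keys defaults to all of Z_n."""
    keys = range(n) if keys is None else keys
    return {(k, m): (m + k) % n for k in keys for m in range(n)}


def uniform(n: int) -> dict:
    """Uniform distribution on Z_n, e.g. the 1/|K| key distribution of the theorem."""
    return {i: Fraction(1, n) for i in range(n)}


def skewed(n: int) -> dict:
    """A non-uniform distribution on Z_n: value 0 has probability 1/2, the rest share 1/2."""
    return {0: Fraction(1, 2), **{i: Fraction(1, 2 * (n - 1)) for i in range(1, n)}}


def ciphertext_dist(enc: dict, pr_k: dict, pr_p: dict) -> dict:
    """Pr[C = c] = sum over k with c in C(k) of Pr[K = k] * Pr[P = d_k(c)]  (first slide formula)."""
    dist = {}
    for (k, m), c in enc.items():          # d_k(c) = m for this table entry
        dist[c] = dist.get(c, Fraction(0)) + pr_k[k] * pr_p[m]
    return dist


def posterior(enc: dict, pr_k: dict, pr_p: dict, m, c) -> Fraction:
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c]  (Bayes, as on the slide)."""
    pr_c_given_m = sum((pr_k[k] for (k, mm), cc in enc.items() if mm == m and cc == c), Fraction(0))
    return pr_c_given_m * pr_p[m] / ciphertext_dist(enc, pr_k, pr_p)[c]


def has_perfect_secrecy(enc: dict, pr_k: dict, pr_p: dict) -> bool:
    """Shannon's definition: Pr[P = m | C = c] = Pr[P = m] for all m and all c with Pr[C = c] > 0."""
    pr_c = ciphertext_dist(enc, pr_k, pr_p)
    return all(posterior(enc, pr_k, pr_p, m, c) == pr_p[m]
               for m in pr_p for c in pr_c if pr_c[c] > 0)


def theorem_conditions(enc: dict, pr_k: dict) -> tuple:
    """The two conditions of the perfect secrecy theorem: (every key has probability 1/|K|,
    for every x in P and y in C exactly one key k has e_k(x) = y)."""
    keys = {k for k, _ in enc}
    msgs = {m for _, m in enc}
    cts = set(enc.values())
    equiprobable = all(pr_k[k] == Fraction(1, len(keys)) for k in keys)
    unique_key = all(sum(1 for k in keys if enc[(k, x)] == y) == 1 for x in msgs for y in cts)
    return equiprobable, unique_key


if __name__ == "__main__":
    n = 5
    full = shift_cipher(n)
    print(has_perfect_secrecy(full, uniform(n), skewed(n)))   # True: uniform keys, any plaintext distribution
    print(has_perfect_secrecy(full, skewed(n), uniform(n)))   # False: biased keys, Pr[P=m|C=c] = Pr[K=c-m]
    print(theorem_conditions(full, uniform(n)))              # (True, True)
    # "Bad news": only 2 keys for 5 messages can never give perfect secrecy
    print(has_perfect_secrecy(shift_cipher(n, keys=[0, 1]), uniform(2), uniform(n)))   # False
```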
Zhijun Li S1034040Autumn08HIT 79
Introduction to Complexity
• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – E.g. cannot use a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Zhijun Li S1034040Autumn08HIT 81
Turing Machine
• Definition: a Turing Machine is a transition function S × B → S × B × {l, r}
  – where S is the set of states, B is the set of tape characters, l is shift left and r is shift right
[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]
Zhijun Li S1034040Autumn08HIT 82
Algorithms
• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Zhijun Li S1034040Autumn08HIT 83
[Figure: Problems and Algorithms: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output]
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: AB
  – NP – can be solved in polynomial time using an NDTM, whose transition function S × B → 2^(S × B × {l, r}) allows several moves per step
  – BPP – can be "solved" in polynomial time using a PTM, which also reads a random bit: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult" by intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
• Definition: assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is more complex than Q1
  – Denoted as Q1 ≤_poly Q2
Zhijun Li S1034040Autumn08HIT 89
NP Completeness (NPC)
• Definition: an NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC
  – SAT ≤_poly Q
Zhijun Li S1034040Autumn08HIT 90
P=NP
• P = NP? or ∃p ∈ NP with p ∉ P?
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
• FACTORING: factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: given a base and a power of it modulo p, find the exponent x (mod p)
• DHP: given the powers with exponents a and b (mod p), find the power with exponent ab (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)
Zhijun Li S1034040Autumn08HIT 93
Semantic Security
• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – May leak partial information
  – Approximates perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 64
Galois Field
bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible
bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 65
Why Galois Field
bull For a 8-bit Block
ndash Z256 =01hellip255 is not a field
ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted
bull Is that possible to find a field for Z256
ndash Yes ndash Galois Field
Zhijun Li S1034040Autumn08HIT 66
Galois Field for Z256
bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block
bull It is Z2[x]p(x) where deg p(x) = 8
bull Note many cryptographic designs use binary Galois fields GF(2n)
10010111
1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
NP Completeness (NPC)
• Definition: An NPC problem is a problem Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example:
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove that a problem Q is NPC: show SAT ≤poly Q
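To make the notions on this slide concrete, here is an added Python example (not part of the lecture slides): a polynomial-time verifier and an exhaustive search for SAT, and the same pair for the Subset-Sum problem that appears on the "Problems in Cryptography" slide below. The instances are constructed, and the function names are this example's own. One caveat a practitioner should keep in mind: NP-completeness is a worst-case notion, while cryptography needs problems that are hard on average, which is why the candidate problems on that later slide are number-theoretic rather than SAT itself.

```python
# Added example (not from the lecture slides): SAT and Subset-Sum as NP problems.
# Membership in NP means a proposed solution (the certificate) can be checked in
# polynomial time; the only generic way to *find* one shown here is exhaustive
# search, which is exponential in the number of variables.
from itertools import product

# Constructed SAT instance over variables 1..3. A clause is a list of literals:
# v stands for x_v and -v for NOT x_v.
# (x1 or not x2) and (not x1 or x3) and (x2 or x3) and (not x3 or not x1 or x2)
SAT_INSTANCE = [[1, -2], [-1, 3], [2, 3], [-3, -1, 2]]
UNSAT_INSTANCE = [[1], [-1]]          # x1 and not x1: no assignment works


def sat_verify(clauses, assignment):
    """Polynomial-time verifier: every clause must contain a literal that is true
    under assignment (a dict variable -> bool)."""
    return all(any(assignment[abs(lit)] == (lit > 0) for lit in clause)
               for clause in clauses)


def sat_search(clauses, nvars):
    """Exhaustive search over the 2^nvars assignments; returns one that satisfies
    the clauses, or None if the instance is unsatisfiable."""
    for bits in product([False, True], repeat=nvars):
        assignment = {i + 1: bits[i] for i in range(nvars)}
        if sat_verify(clauses, assignment):
            return assignment
    return None


# Constructed Subset-Sum instance: A = {3, 34, 4, 12, 5, 2}, target s = 9.
SUBSET_A = [3, 34, 4, 12, 5, 2]


def subset_sum_verify(a, s, chosen):
    """Polynomial-time verifier: chosen is a list of indices into a; check the sum."""
    return sum(a[i] for i in chosen) == s


def subset_sum_search(a, s):
    """Exhaustive search over all 2^n subsets, encoded as inclusion bit vectors."""
    for bits in product([0, 1], repeat=len(a)):
        chosen = [i for i, bit in enumerate(bits) if bit]
        if subset_sum_verify(a, s, chosen):
            return chosen
    return None
```

Both verifiers run in time linear in the instance size, whereas both searches double their work with every added variable or set element; that asymmetry is the whole content of "P problems are easy, NP problems are hard from intuition".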
P = NP?
• P = NP, or does there exist p ∈ NP with p ∉ P?
• If P = NP:
  – Modern cryptography is NOT secure
• If there exists p ∈ NP with p ∉ P:
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – These are the foundations of modern cryptography
BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP:
  – The problem is solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Find the exponent x such that raising the base to the power x gives the target value (mod p)
• DHP: Find the value with exponent ab (mod p) from the values with exponents a and b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)
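An added Python example (not from the slides) that solves tiny constructed instances of the problems listed above: trial-division factoring, exhaustive-search DLP, DHP solved by way of DLP, Euler's criterion for QRP modulo a prime, the square-root shortcut for primes p ≡ 3 (mod 4), and the textbook fact that two essentially different square roots of one value modulo a composite n reveal a factor of n. All moduli, bases and values are toy parameters constructed for this example, and the function names are its own; on cryptographic sizes the exhaustive routines are exactly what is infeasible.

```python
# Added example (not from the lecture slides): toy instances of FACTORING, DLP,
# DHP, QRP and SQROOT, solved by brute force or by the known easy special cases.
from math import gcd


def factor(n):
    """FACTORING by trial division; returns {p: e} with n = product of p^e."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:                       # whatever is left is a prime factor
        factors[n] = factors.get(n, 0) + 1
    return factors


def dlp(g, h, p):
    """DLP: exhaustive search for x in 0..p-2 with g^x = h (mod p)."""
    for x in range(p - 1):
        if pow(g, x, p) == h:
            return x
    return None


def dhp_via_dlp(g, ga, gb, p):
    """DHP: from g^a and g^b obtain g^(ab) by first solving the DLP for a.
    This shows DHP is no harder than DLP; whether it is as hard is open in general."""
    a = dlp(g, ga, p)
    return pow(gb, a, p)


def is_quadratic_residue(a, p):
    """QRP modulo an odd prime p is easy: Euler's criterion, a^((p-1)/2) = 1 (mod p)."""
    return pow(a, (p - 1) // 2, p) == 1


def sqroot_mod_prime(a, p):
    """SQROOT modulo a prime p = 3 (mod 4): x = a^((p+1)/4) (mod p) when a is a residue."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p = 3 (mod 4)")
    x = pow(a, (p + 1) // 4, p)
    return x if (x * x) % p == a % p else None   # None: a is a non-residue


def factor_from_two_roots(n, x, y):
    """SQROOT modulo a composite n is as hard as FACTORING: two square roots x, y of
    the same value with x != +-y (mod n) give the non-trivial factor gcd(x - y, n)."""
    if (x * x) % n != (y * y) % n or (x - y) % n == 0 or (x + y) % n == 0:
        raise ValueError("need two essentially different square roots of one value")
    return gcd(x - y, n)
```

The constructed checks below use n = 84 (the factorization example from the start of the chapter), p = 17 with base 3 for DLP and DHP, p = 19 for QRP and SQROOT, and n = 77 = 7 · 11 with the two roots 9 and 2 of 4.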
Semantic Security
• Ideas of semantic security:
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of semantic security:
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
• The game:
  – Challenger: picks random k and picks random b ∈ {0, 1}
  – Adversary: picks M0, M1 of equal length
  – Challenger: returns the encryption of Mb under k
  – Adversary: outputs a guess b'
  – The attacker wins the game if b = b'
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
• The game:
  – Challenger: 1. picks random k; 2. picks random M
  – Adversary: 3. picks i
  – The attacker wins the game if a = the i'th bit of M
Semantic Security
• Theorem: Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
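Added example (Python, not part of the slides): a simulation of the IND-CPA game and the bit-security game with two constructed toy ciphers, and the reduction from the proof sketch above. enc_good masks every message bit with a fresh keyed-hash pad; enc_leaky is deliberately built to copy one plaintext bit through unmasked, so a bit-security attacker exists for it, and the reduction turns that attacker into an IND-CPA adversary that wins with probability 1. The same adversary gains nothing against enc_good. The cipher names, the HMAC-based pad and the attacker are all assumptions of this example.

```python
# Added example (not from the lecture slides): IND-CPA game, bit-security game,
# and the reduction "bit attacker -> IND-CPA attacker" from the proof sketch.
import hashlib
import hmac
import random

BLOCK = 8        # toy message length in bytes
NONCE_LEN = 16   # the nonce is sent in clear in front of the ciphertext


def rand_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))


def keystream(key, nonce, n):
    """Pseudorandom pad derived from the key and a fresh nonce (HMAC used as a PRF)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()[:n]


def enc_good(key, m, rng):
    """Fresh random nonce per message; the whole message is masked by the pad."""
    nonce = rand_bytes(rng, NONCE_LEN)
    pad = keystream(key, nonce, len(m))
    return nonce + bytes(x ^ y for x, y in zip(m, pad))


def enc_leaky(key, m, rng):
    """Constructed flaw: the low bit of the first message byte is copied through unmasked."""
    c = bytearray(enc_good(key, m, rng))
    c[NONCE_LEN] = (c[NONCE_LEN] & 0xFE) | (m[0] & 1)
    return bytes(c)


def bit_of(m, i):
    return (m[i // 8] >> (i % 8)) & 1


# A bit-security attacker is a pair (i, guess): it targets bit i and guesses it from c.
LEAK_ATTACKER = (0, lambda c: c[NONCE_LEN] & 1)


def bit_game(enc, attacker, rng, trials):
    """Slide 'Bit Secure': challenger picks k and a random M, attacker picks i,
    sees the encryption of M and wins if its guess equals the i-th bit of M."""
    i, guess = attacker
    wins = 0
    for _ in range(trials):
        key, m = rand_bytes(rng, 16), rand_bytes(rng, BLOCK)
        wins += guess(enc(key, m, rng)) == bit_of(m, i)
    return wins / trials


def ind_cpa_game(enc, adversary, rng, trials):
    """Slide 'IND-CPA': challenger picks k and b; adversary supplies M0, M1 of equal
    length, receives the encryption of Mb and wins if it outputs b' = b."""
    wins = 0
    for _ in range(trials):
        key, b = rand_bytes(rng, 16), rng.randrange(2)
        m0, m1, finish = adversary()
        wins += finish(enc(key, (m0, m1)[b], rng)) == b
    return wins / trials


def reduction(attacker):
    """The proof's construction: M0 and M1 differ only in the attacker's bit i
    (clear in M0, set in M1), so the attacker's guess for that bit is exactly b'."""
    i, guess = attacker

    def adversary():
        m0 = bytes(BLOCK)
        m1 = bytearray(m0)
        m1[i // 8] |= 1 << (i % 8)
        return m0, bytes(m1), guess
    return adversary


def demo(seed=2008):
    """Win rates: (leaky bit game, leaky IND-CPA, good bit game, good IND-CPA)."""
    rng = random.Random(seed)
    return (bit_game(enc_leaky, LEAK_ATTACKER, rng, 200),
            ind_cpa_game(enc_leaky, reduction(LEAK_ATTACKER), rng, 200),
            bit_game(enc_good, LEAK_ATTACKER, rng, 400),
            ind_cpa_game(enc_good, reduction(LEAK_ATTACKER), rng, 400))
```

Against enc_leaky both win rates are exactly 1; against enc_good both hover around 0.5, which is what the theorem predicts: the IND-CPA adversary built by the reduction is only as good as the bit attacker it wraps, so a cipher with no bit attacker better than guessing also gives this adversary no advantage.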
Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework
• HTTP URL: httpcsthiteducncryptography
• Due Date:
Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)
Galois Field Example: AES
• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example:
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010
Galois Field Example: AES
• Example: 02 · 87 = ?
  – 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  – 02 = 00000010 ↔ f(x) = x
  – 02 · 87 ↔ x·f(x) = x·(x^7 + x^2 + x + 1) mod p(x) = x^8 + x·(x^2 + x + 1) mod p(x)
• In general, for a byte (b7 b6 b5 b4 b3 b2 b1 b0), multiplication by 02 is
  x·f(x) ↔ 02 · (b7 b6 b5 b4 b3 b2 b1 b0) = (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
                                          = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)   if b7 = 1
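Added example (Python, not from the slides): arithmetic in the AES field built on the multiply-by-02 rule of this slide, with a general multiplication routine on top of it, an inverse by exponentiation, and a check that it reproduces the inverse of 01010011 shown on the previous slide. It also finishes the 02 · 87 computation the slide leaves open (the product is 00010101, i.e. 15). The function names are this example's own.

```python
# Added example (not from the lecture slides): arithmetic in the AES field
# GF(2^8) = Z2[x]/p(x), p(x) = x^8 + x^4 + x^3 + x + 1 (0x11B).
# A byte is a polynomial: bit i of the byte is the coefficient of x^i.

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1; its low byte 0x1B is what the slide XORs in


def xtime(b):
    """Multiply the byte b by 02 (by x): shift left, and if bit 7 was set the x^8
    term appears and is replaced by x^4 + x^3 + x + 1 (XOR with 00011011)."""
    b <<= 1
    if b & 0x100:
        b ^= AES_POLY
    return b & 0xFF


def gf_mul(a, b):
    """Multiply two field elements: add a * x^i (via repeated xtime) for each set bit i of b."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def gf_inv(a):
    """Multiplicative inverse as a^254: the 255 non-zero elements form a group,
    so a^255 = 1 and a^254 = a^-1. Square-and-multiply over the exponent bits."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def poly_str(b):
    """Render a byte as the polynomial the slide maps it to, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    terms = []
    for i in range(7, -1, -1):
        if (b >> i) & 1:
            terms.append({0: "1", 1: "x"}.get(i, "x^%d" % i))
    return " + ".join(terms) if terms else "0"
```

The slide's inverse example and the 02 · 87 product both come out of these routines, and the product 0x57 · 0x83 = 0xC1 from the AES specification serves as an independent check of gf_mul.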
Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security
Mathematical Model for Ciphers
• P = M^L = { m = (m1, m2, …, mL) | mi ∈ M }
  – M = { ai | i = 1, 2, …, N }, with a probability distribution p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = { b = (b1, b2, …, bR) | bi ∈ B }
  – B = { bi | i = 1, 2, …, S }, with a probability distribution p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = { c | c = ek(m), k ∈ K, m ∈ M }
[Figure: Sender → Encryption → c → Decryption → Receiver; the key k is drawn from the Key Space (K) and delivered over a Secure Channel; Cryptanalysis observes c. Spaces shown: Message Space (P), Key Space (K), Ciphertext Space (C)]
Claude Shannon
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager
Claude Shannon, 1916–2001
Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = dk(c)]
  – C(k) = { ek(m) | m ∈ P }
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
• Pr[P = m | C = c] = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k : m = dk(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(dk(c)) )
Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P, for all c and all m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy
Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|,
  – and for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y
Proof of ⇐ (the two conditions imply perfect secrecy)
• Pr[X = x | Y = y] = ( Σ_{k ∈ K, x = dk(y)} Pr[K = k] · Pr[X = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[X = dk(y)] )
• By the uniqueness of the key, Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K|, so the numerator is (1/|K|) · Pr[X = x]
• The denominator is Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[X = dk(y)] = (1/|K|) · Σ_{k ∈ K, y ∈ C(k)} Pr[X = dk(y)] = (1/|K|) · Σ_{x ∈ P} Pr[X = x] = 1/|K|
• Hence Pr[X = x | Y = y] = Pr[X = x]
Proof of ⇒ (uniqueness of the key)
• Pr[y] > 0 for every y ∈ C; and Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P and y ∈ C: we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
• |{ ek(x) | k ∈ K }| = |C| = |K|
  – There are no two keys k1 ≠ k2 with ek1(x) = ek2(x)
  – There is a unique key k such that ek(x) = y
Proof of ⇒ (keys are equiprobable)
• Let n = |K| and P = { xi | 1 ≤ i ≤ n }
• Given a fixed y, let k1, k2, …, kn be the keys with eki(xi) = y
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof:
  – Consider a nonzero probability distribution on P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
Introduction of the Complexity
• Perfect secrecy requires key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – For example, using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography:
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography
Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example:
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: A Turing Machine is given by a transition function S × B → S × B × {l, r}
  – where S is the set of states, B the set of tape characters, l is "shift left" and r is "shift right"
[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]
Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Problems and Algorithms
[Figure: a PROBLEM has INSTANCES; an ALGORITHM takes an instance as Input and produces the Output]
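Added example (Python, not from the slides): the GCD problem as defined above, Euclid's algorithm as an algorithm that solves every instance of it, and a count of division steps showing that its time-complexity function is logarithmic in the input size. The worst case is a pair of consecutive Fibonacci numbers, and Lamé's theorem bounds the number of steps by five times the number of decimal digits of the smaller input. The step-counting wrapper and the names are this example's own.

```python
# Added example (not from the lecture slides): problem, instance, algorithm and
# time complexity made concrete on the GCD problem.


def euclid_gcd(a, b):
    """Euclid's algorithm. Returns (gcd(a, b), number of division steps),
    the step count being the TM-style cost measure of the complexity slides."""
    steps = 0
    while b:
        a, b = b, a % b
        steps += 1
    return a, steps


def worst_case_inputs(n):
    """Consecutive Fibonacci numbers (F(n+1), F(n)): the slowest inputs for Euclid,
    because every division step reduces the pair by only one Fibonacci index."""
    f0, f1 = 0, 1
    for _ in range(n):
        f0, f1 = f1, f0 + f1
    return f1, f0


def step_bound(b):
    """Lamé's theorem: division steps <= 5 * (number of decimal digits of the
    smaller input), i.e. logarithmic in the input, not in its value."""
    return 5 * len(str(b))


def complexity_table(max_n):
    """(input size in decimal digits, steps, bound) for the worst case at each n."""
    rows = []
    for n in range(2, max_n + 1):
        a, b = worst_case_inputs(n)
        rows.append((len(str(b)), euclid_gcd(a, b)[1], step_bound(b)))
    return rows
```

Running the instance from the slide gives gcd(24, 16) = 8 in two steps, while the worst case (F21, F20) = (10946, 6765) needs 19 steps against a Lamé bound of 20; the table shows the step count staying within the bound as the digit count grows, which is the "logarithmic function" class of the next slide.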
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 67
Galois Field Example AES
s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1
bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6
+x3+x 11001010
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 68
bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)
= x8 + x(x2+x+1) mod p(x)
(b6b5b4b3b2b1b00)(00011011)
xf(x) 02= (b6b5b4b3b2b1b00)
(b6b5b4b3b2b1b00) (00011011)
if b7=0
if b7=1
Galois Field Example AES
Zhijun Li S1034040Autumn08HIT 69
Outline
bull Number Theoryndash Prime Numbersndash Modular Arithmetic
bull Algebraic Structures in Computing
bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security
Zhijun Li S1034040Autumn08HIT 70
Mathematical Model for Ciphers
bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1
Np(ai)=1
bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1
Sp(bi)=1
bull C=c|c=ek(m) kK mM
mcSender Encryption Decryption Receiver
Secure Channel
Cryptanalysism
k
Key Space(K)
Message Space(P)
Ciphertext Space(C)
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Classes of Problem
• Undecidable – provably intractable
– There is no algorithm that solves it
– Such as the Turing Halting Problem
• Decidable
– P – can be solved in polynomial time using a DTM
• Example: A×B
– NP – can be solved in polynomial time using an NDTM (transition S×B → 2^{S×B×{l, r}}, a set of possible moves)
– BPP – can be "solved" in polynomial time using a PTM (transition S×B×{0, 1} → S×B×{l, r}, i.e. randomized algorithms)
NP Problem
• NP problem: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
– P ⊆ NP
– NP problems are "more difficult", by intuition
• NPC: the most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy problems
Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
– Q2 is more complex than Q1
– Denoted as Q1 ≤poly Q2
NP Completeness (NPC)
• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
– Name: Satisfiability problem (SAT)
– Instance: A set U of variables and a collection C of clauses over U
– Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC
– Show SAT ≤poly Q
P = NP?
• Either P = NP, or there is a problem p ∈ NP with p ∉ P
• If P = NP
– Modern cryptography is NOT secure
• If there is p ∈ NP with p ∉ P
– A one-way function can be built based on p
– Indistinguishable pseudorandom functions exist
– These are the foundations of modern cryptography
BPP
• There are randomized algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for randomized algorithms
• Remarks on BPP
– The problem can be solved with some error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful under BPP
– Will be analyzed in depth later
Problems in Cryptography
• FACTORING: Factorize n (= p1^e1 p2^e2 … pk^ek)
• DLP: Given a base and a target element modulo p, find the exponent x such that the base raised to x is congruent to the target (mod p)
• DHP: Given the base raised to a and the base raised to b (mod p), find the base raised to ab (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)
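Added example, not part of the slides: a step-counting solver for the GCD instance of slide 80 beside brute-force solvers for DLP and Subset-Sum from this slide, and polynomial-time QRP and SQROOT for a prime modulus. All inputs are constructed, and the names g, h for the DLP base and target are assumed here (the slide's symbols did not survive extraction). The prime-modulus cases are the easy ones: for the composite modulus n on the slide, SQROOT is as hard as factoring n and QRP is believed hard.

```python
from itertools import combinations
from typing import List, Optional, Tuple


def gcd_steps(a: int, b: int) -> Tuple[int, int]:
    """Euclid's algorithm for the GCD problem; returns (gcd, number of division steps).
    The step count grows with the number of digits of the inputs (logarithmic TCF)."""
    steps = 0
    while b:
        a, b = b, a % b
        steps += 1
    return a, steps


def dlp_bruteforce(g: int, h: int, p: int) -> Tuple[Optional[int], int]:
    """DLP by exhaustive search: find x with g^x ≡ h (mod p); g, h are assumed names.
    Returns (x or None, exponents tried). In the worst case p - 1 exponents are tried,
    about 2^(bit length of p): an exponential TCF in the instance size."""
    acc = 1
    for x in range(p - 1):
        if acc == h % p:
            return x, x + 1
        acc = acc * g % p
    return None, p - 1


def subset_sum_bruteforce(A: List[int], s: int) -> Tuple[Optional[Tuple[int, ...]], int]:
    """Subset-Sum by trying every subset; returns (a subset summing to s or None,
    subsets examined). With no solution all 2^n subsets are examined."""
    examined = 0
    for r in range(len(A) + 1):
        for sub in combinations(A, r):
            examined += 1
            if sum(sub) == s:
                return sub, examined
    return None, examined


def is_quadratic_residue_mod_prime(a: int, p: int) -> bool:
    """QRP for an odd prime modulus via Euler's criterion: a^((p-1)/2) ≡ 1 (mod p).
    Polynomial time, since pow() uses square-and-multiply."""
    return pow(a % p, (p - 1) // 2, p) == 1


def sqrt_mod_prime(a: int, p: int) -> Optional[int]:
    """SQROOT for a prime p ≡ 3 (mod 4): x = a^((p+1)/4) mod p is a root when a is a
    residue. Returns None when no root exists. No such shortcut exists for the composite
    modulus n on the slide: square roots mod n give the factorization of n."""
    if p % 4 != 3 or not is_quadratic_residue_mod_prime(a, p):
        return None
    return pow(a % p, (p + 1) // 4, p)


if __name__ == "__main__":
    # Constructed instances: the slide's gcd(24, 16), a small DLP, a Subset-Sum, a QRP.
    print("gcd(24, 16)            ->", gcd_steps(24, 16))
    print("2^x = 9 mod 11         ->", dlp_bruteforce(2, 9, 11))
    print("subset of [2,4,6] = 5  ->", subset_sum_bruteforce([2, 4, 6], 5))
    print("3 is a QR mod 11       ->", is_quadratic_residue_mod_prime(3, 11))
    print("sqrt(3) mod 11         ->", sqrt_mod_prime(3, 11))
```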
Semantic Security
• Ideas of Semantic Security
– Between Shannon security and security based on complexity
– Leaks partial information
– Approximates perfect secrecy
• Definition of Semantic Security
– Indistinguishability of ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
Game (Challenger vs. Adversary):
– Challenger picks random k and random b ∈ {0, 1}
– Adversary picks M0, M1 of equal length; the challenger returns the encryption of M_b under k; the adversary outputs a guess b'
– Attacker wins the game if b = b'
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
Game (Challenger vs. Adversary):
– 1. Challenger picks random k
– 2. Challenger picks random M and sends its encryption to the adversary
– 3. Adversary picks i and outputs a guess a
– Attacker wins the game if a = the i'th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
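Added example, not from the slides: a Python simulation of the IND-CPA game (slide 94), the bit-security game (slide 95) and the reduction of slide 96 that turns a bit-security attacker into an IND-CPA attacker with the same win rate. The two toy ciphers (a randomized one, and a deterministic one that leaves plaintext bit 0 unmasked) and both attackers are constructed for this demonstration; they are not real cipher designs.

```python
import hashlib
import secrets
from typing import Callable, Tuple

MSG_LEN = 16  # every M, M0, M1 in the games is 16 bytes, so lengths are always equal
Cipher = Callable[[bytes, bytes], bytes]  # (key, message) -> ciphertext


def _keystream(key: bytes, nonce: bytes) -> bytes:
    # Constructed keystream (SHA-256 as a stand-in PRF); not a real cipher design.
    return hashlib.sha256(key + nonce).digest()[:MSG_LEN]


def randomized_encrypt(key: bytes, m: bytes) -> bytes:
    """Fresh random nonce per call: c = nonce || (m XOR keystream(key, nonce))."""
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(m, _keystream(key, nonce)))


def leaky_encrypt(key: bytes, m: bytes) -> bytes:
    """Deterministic (fixed keystream) and leaky: bit 0 of byte 0 is never masked."""
    ks = bytearray(_keystream(key, b""))
    ks[0] &= 0xFE  # keystream bit 0 forced to 0, so plaintext bit 0 shows in the ciphertext
    return bytes(a ^ b for a, b in zip(m, ks))


def bit_of(m: bytes, i: int) -> int:
    return (m[i // 8] >> (i % 8)) & 1


def ind_cpa_game(encrypt: Cipher, choose, guess, trials: int) -> float:
    """Slide 94 game: challenger picks k and b; the adversary, given an encryption
    oracle, picks M0, M1 of equal length, sees c = E_k(M_b) and outputs b'.
    Returns the fraction of trials the adversary wins (b == b')."""
    wins = 0
    for _ in range(trials):
        k = secrets.token_bytes(16)
        b = secrets.randbelow(2)
        oracle = lambda m, k=k: encrypt(k, m)  # chosen-plaintext access
        m0, m1 = choose(oracle)
        c = encrypt(k, (m0, m1)[b])
        wins += int(guess(oracle, c) == b)
    return wins / trials


def bit_game(encrypt: Cipher, bit_attacker, i: int, trials: int) -> float:
    """Slide 95 game: challenger picks k and a random M; the adversary, having
    picked bit index i, sees c = E_k(M) and outputs a; wins if a == bit i of M."""
    wins = 0
    for _ in range(trials):
        k = secrets.token_bytes(16)
        m = secrets.token_bytes(MSG_LEN)
        wins += int(bit_attacker(encrypt(k, m), i) == bit_of(m, i))
    return wins / trials


# Attacker 1 (needs the oracle): re-encrypt M0 and compare with the challenge.
# Wins every time against a deterministic cipher, half the time against a randomized one.
def choose_fixed(oracle) -> Tuple[bytes, bytes]:
    return bytes(MSG_LEN), bytes([0xFF]) * MSG_LEN


def guess_by_reencrypting(oracle, c: bytes) -> int:
    return 0 if oracle(bytes(MSG_LEN)) == c else 1


# Attacker 2: a bit-security attacker for i = 0 that simply reads the unmasked bit.
def leaked_bit_attacker(c: bytes, i: int) -> int:
    return bit_of(c, i)


def ind_cpa_attacker_from_bit_attacker(bit_attacker, i: int):
    """Slide 96 reduction: choose M0, M1 identical except at bit i (M0 has 0, M1 has 1),
    then hand the challenge to the bit attacker; its answer for bit i is the guess b'.
    The reduction adds only one message construction, so t and epsilon are preserved."""
    def choose(oracle) -> Tuple[bytes, bytes]:
        base = bytearray(secrets.token_bytes(MSG_LEN))
        base[i // 8] &= ~(1 << (i % 8)) & 0xFF
        m0 = bytes(base)
        base[i // 8] |= 1 << (i % 8)
        return m0, bytes(base)

    def guess(oracle, c: bytes) -> int:
        return bit_attacker(c, i)

    return choose, guess


if __name__ == "__main__":
    choose, guess = ind_cpa_attacker_from_bit_attacker(leaked_bit_attacker, 0)
    print("leaky, re-encrypt attacker  :", ind_cpa_game(leaky_encrypt, choose_fixed, guess_by_reencrypting, 200))
    print("leaky, bit game i=0         :", bit_game(leaky_encrypt, leaked_bit_attacker, 0, 200))
    print("leaky, reduced attacker     :", ind_cpa_game(leaky_encrypt, choose, guess, 200))
    print("randomized, reduced attacker:", ind_cpa_game(randomized_encrypt, choose, guess, 400))
```

Against the randomized cipher both attackers hover around 0.5 over many trials, which is the win rate the (t, ε) definition requires.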
Summary
• Number Theory
– Primes, gcd, Euler's Theorem, CRT
– Modular arithmetic
• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)
• Shannon Security
– Perfect secrecy
– Probability
• Complexity of Computing
– P, NP, NPC, BPP
Homework
• HTTP URL
http://cst.hit.edu.cn/cryptography
• Due Date
Zhijun Li S1034040Autumn08HIT 71
Claude Shannon
Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung
R G GallagerClaude Shannon
1916-2001
Zhijun Li S1034040Autumn08HIT 72
Probability Distribution of C
bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]
ndash C(k) = ek(m)|mP
bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]
bull Pr[P = m|C = c]
= Pr[C = c|P = m]Pr[P = m]Pr[C = c]
= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
P = NP? (slide 90)
• Either P = NP, or there is some p ∈ NP that is not in P
• If P = NP
  – Modern cryptography is NOT secure
• If there is some p ∈ NP that is not in P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – These are the foundations of modern cryptography
BPP (slide 91)
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Problems in Cryptography (slide 92)
• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP (discrete logarithm problem): Find the exponent x (mod p)
• DHP (Diffie-Hellman problem): Find the value at exponent ab (mod p) from the values at exponents a and b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)
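As an added illustration of the NP notions on slides 87 to 89 and the Subset-Sum problem listed above (this is editor-written example code, not part of the lecture), the following puts a polynomial-time certificate check beside the exhaustive search for SAT and for Subset-Sum. The instances U, C and A are constructed for the demonstration; the certificate for SAT is a truth assignment, for Subset-Sum a tuple of distinct positions in A.

```python
"""Two NP problems from the slides, SAT and Subset-Sum: checking a proposed
solution (certificate) takes polynomial time, while the only general method
shown here for finding one is an exponential search.  Added example; the
instances below are constructed for illustration."""
from itertools import product, combinations

# SAT instance as on slide 89: a set U of variables and a collection C of clauses.
# A literal is (variable, polarity); a clause is a list of literals (an OR).
U = ["x1", "x2", "x3"]
C = [[("x1", True), ("x2", False)],     # x1 OR NOT x2
     [("x2", True), ("x3", True)],      # x2 OR x3
     [("x1", False), ("x3", False)]]    # NOT x1 OR NOT x3


def sat_verify(clauses, assignment):
    """Certificate check: one pass over the literals, so polynomial time.
    This is the 'check' half of the NDTM's guess-and-check on slide 87."""
    return all(any(assignment[var] == polarity for var, polarity in clause)
               for clause in clauses)


def sat_search(variables, clauses):
    """Deterministic search: up to 2**len(variables) certificate checks."""
    for bits in product([False, True], repeat=len(variables)):
        assignment = dict(zip(variables, bits))
        if sat_verify(clauses, assignment):
            return assignment
    return None


# Subset-Sum instance as on slide 92: positive integers A and a target s.
A = [3, 34, 4, 12, 5, 2]


def subset_sum_verify(numbers, target, indices):
    """Certificate check: the certificate is a tuple of distinct positions in A."""
    if len(set(indices)) != len(indices):
        return False                      # a subset uses each element at most once
    if any(not 0 <= i < len(numbers) for i in indices):
        return False
    return sum(numbers[i] for i in indices) == target


def subset_sum_search(numbers, target):
    """Deterministic search over all 2**len(numbers) subsets, smallest first."""
    for size in range(len(numbers) + 1):
        for indices in combinations(range(len(numbers)), size):
            if subset_sum_verify(numbers, target, indices):
                return indices
    return None


if __name__ == "__main__":
    print("SAT assignment:", sat_search(U, C))
    print("Subset summing to 9:", subset_sum_search(A, 9))
```

The verifiers run in time linear in the certificate, which is what membership in NP requires; the searchers double their work with every added variable or element, which is the gap that the hardness assumptions on the next slides rely on.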
Semantic Security (slide 93)
• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaking partial information
  – Approximate perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
IND-CPA (slide 94)
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
  Challenger: picks random k and random b ∈ {0, 1}
  Adversary: picks M0, M1 of equal length
  The attacker wins the game if b = b'
Bit Secure (slide 95)
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
  Challenger: 1. picks random k; 2. picks random M
  Adversary: 3. picks i
  The attacker wins the game if a = the i-th bit of M
Semantic Security (slide 96)
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
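The two games on slides 94 and 95 and the reduction that the proof above sketches, as an added example written for this page (not the lecturer's code). It assumes the eavesdropper setting of the theorem (no encryption queries), that the bit-security adversary fixes its index i before seeing the challenge ciphertext, and that the challenger hands the adversary the encryption of M_b; the two toy ciphers, the adversaries and the message length L are constructed. The reduction picks M0 and M1 that differ only in bit i, so a correct guess of bit i of M_b is exactly a correct guess of b, and the IND-CPA attacker wins with the same probability as the bit attacker it wraps.

```python
"""The IND-CPA game (slide 94), the bit-security game (slide 95) and the
reduction behind slide 96: a bit-security attacker B is turned into an
IND-CPA attacker that wins exactly when B does.  Added example, not from
the lecture; the toy ciphers and adversaries are constructed."""
import random

L = 8                     # message length in bits (constructed)


def rand_bits(n, rng):
    return tuple(rng.randrange(2) for _ in range(n))


def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Fresh random key per challenge: the ciphertext is independent of M."""
    @staticmethod
    def keygen(rng):
        return rand_bits(L, rng)

    @staticmethod
    def encrypt(k, m):
        return xor(k, m)


class LeakyPad:
    """One-time pad that sends bit 0 of M in the clear (constructed weak cipher)."""
    @staticmethod
    def keygen(rng):
        return rand_bits(L, rng)

    @staticmethod
    def encrypt(k, m):
        return (m[0],) + xor(k[1:], m[1:])


def ind_cpa_game(cipher, adversary, rng):
    """Challenger picks k and b; adversary picks M0, M1 of equal length,
    receives E_k(M_b) and outputs b'.  Returns True if b' == b."""
    k = cipher.keygen(rng)
    b = rng.randrange(2)
    m0, m1 = adversary.choose(rng)
    assert len(m0) == len(m1) == L
    c = cipher.encrypt(k, m1 if b else m0)
    return adversary.guess(c) == b


def bit_game(cipher, bit_adv, rng):
    """Challenger picks k and a random M; adversary picks i, receives E_k(M)
    and outputs a.  Returns True if a equals the i-th bit of M."""
    k = cipher.keygen(rng)
    m = rand_bits(L, rng)
    i = bit_adv.choose_index()
    c = cipher.encrypt(k, m)
    return bit_adv.guess_bit(c) == m[i]


class LeakBitAdversary:
    """Bit-security attacker that works against LeakyPad: reads bit 0 of c."""
    def choose_index(self):
        return 0

    def guess_bit(self, c):
        return c[0]


class ReductionAdversary:
    """Slide 96: from a bit-security attacker B build an IND-CPA attacker.
    M0 and M1 differ only in bit i (M0[i] = 0, M1[i] = 1), so B's guess of
    bit i of M_b is a guess of b."""
    def __init__(self, bit_adv):
        self.B = bit_adv

    def choose(self, rng):
        i = self.B.choose_index()
        m0 = list(rand_bits(L, rng))
        m1 = list(m0)
        m0[i], m1[i] = 0, 1
        return tuple(m0), tuple(m1)

    def guess(self, c):
        return self.B.guess_bit(c)


def win_rate(game, cipher, adversary, trials=2000, seed=7):
    """Empirical winning probability over repeated independent games."""
    rng = random.Random(seed)
    wins = sum(game(cipher, adversary, rng) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    B = LeakBitAdversary()
    print("bit game, LeakyPad:", win_rate(bit_game, LeakyPad, B))
    print("IND-CPA via reduction, LeakyPad:", win_rate(ind_cpa_game, LeakyPad, ReductionAdversary(B)))
    print("IND-CPA via reduction, OneTimePad:", win_rate(ind_cpa_game, OneTimePad, ReductionAdversary(B)))
```

Against the leaky cipher the bit attacker wins every game and so does the reduction built from it; against the one-time pad the same reduction is at 1/2, which is the contrapositive of the theorem: a cipher that is IND-CPA secure leaves no bit attacker anything to exploit.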
Summary (slide 97)
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP
Homework (slide 98)
• HTTP URL: http://cs.hit.edu.cn/cryptography
• Due Date:
Probability Distribution of C (slide 72)
• $\Pr[C = c] = \sum_{k \in K,\; c \in C(k)} \Pr[K = k]\,\Pr[P = d_k(c)]$
  – $C(k) = \{\, e_k(m) \mid m \in P \,\}$, the set of ciphertexts reachable under key k
• $\Pr[C = c \mid P = m] = \sum_{k \in K,\; m = d_k(c)} \Pr[K = k]$
• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m]\,\Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m)\,\sum_{k \,:\, m = d_k(c)} \Pr(k)}{\sum_{k \in K,\; c \in C(k)} \Pr(k)\,\Pr(d_k(c))}$
Shannon Security (slide 73)
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P, for all c and all m: Pr[P = m] = Pr[P = m | C = c]
• We also say that such a scheme has perfect secrecy
Perfect Secrecy Theorem (slide 74)
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y
Proof of the "if" direction (slide 75)
• $\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \dfrac{\sum_{k \in K,\; x = d_k(y)} \Pr[K = k]\,\Pr[\mathbf{x} = x]}{\sum_{k \in K,\; y \in C(k)} \Pr[K = k]\,\Pr[\mathbf{x} = d_k(y)]}$
• Numerator: $\sum_{k \in K,\; x = d_k(y)} \Pr[K = k] = \dfrac{1}{|K|}$, since exactly one key maps x to y and every key has probability 1/|K|; the numerator is therefore $\Pr[\mathbf{x} = x] / |K|$
• Denominator: $\sum_{k \in K,\; y \in C(k)} \Pr[K = k]\,\Pr[\mathbf{x} = d_k(y)] = \dfrac{1}{|K|} \sum_{k \in K,\; y \in C(k)} \Pr[\mathbf{x} = d_k(y)] = \dfrac{1}{|K|} \sum_{x \in P} \Pr[\mathbf{x} = x] = \dfrac{1}{|K|}$
• Hence $\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \Pr[\mathbf{x} = x]$, which is perfect secrecy
Proof of the "only if" direction (slide 76)
• Assume Pr[y] > 0. Then Pr[x | y] = Pr[x] implies Pr[y | x] = Pr[y]
• Fix x ∈ P and y ∈ C. We have Pr[y | x] = Pr[y] > 0, thus there exists at least one key k that satisfies e_k(x) = y
• |{ e_k(x) | k ∈ K }| = |C| = |K|
  – There are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – There is a unique key k such that e_k(x) = y
Proof of the "only if" direction, continued (slide 77)
• Let n = |K| and P = { x_i | 1 ≤ i ≤ n }
• Given a fixed y, let k_1, k_2, …, k_n be the keys with e_{k_i}(x_i) = y
• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i]\,\Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i]\,\Pr[x_i]}{\Pr[y]}$
• $\Pr[x_i \mid y] = \Pr[x_i]$ implies $\Pr[K = k_i] = \Pr[y]$
  – Every key is used with equal probability 1/|K|
"Bad News" for Perfect Secrecy (slide 78)
• Theorem: Let the plaintext space P have size n. Any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a nonzero probability distribution on P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
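The formulas of slide 72, the definition of slide 73, the conditions of the theorem on slide 74 and the key-count bound above, evaluated on a small cipher with exact rational arithmetic. This is an added example written for this page, not code from the lecture; the shift cipher over Z_n, the skewed plaintext distribution and the biased key distribution are constructed for the demonstration.

```python
"""Checking perfect secrecy directly from the formulas on slides 72-74 and the
key-count bound on slide 78, with exact rational arithmetic.  Added example,
not from the lecture; the shift cipher and the distributions are constructed."""
from fractions import Fraction


def shift_cipher(n):
    """Shift cipher over Z_n: P = C = K = Z_n and e_k(m) = m + k mod n."""
    Zn = list(range(n))
    return Zn, Zn, Zn, (lambda k, m: (m + k) % n)


def uniform(xs):
    return {x: Fraction(1, len(xs)) for x in xs}


def ciphertext_dist(P, K, enc, pr_P, pr_K):
    """Pr[C=c] = sum over k with c in C(k) of Pr[K=k] * Pr[P=d_k(c)] (slide 72).
    Enumerating the pairs (k, m) with e_k(m) = c gives the same sum, because
    then d_k(c) = m."""
    pr_C = {}
    for k in K:
        for m in P:
            c = enc(k, m)
            pr_C[c] = pr_C.get(c, Fraction(0)) + pr_K[k] * pr_P[m]
    return pr_C


def likelihood(C, K, enc, pr_K, m):
    """Pr[C=c | P=m] = sum over k with m = d_k(c) of Pr[K=k] (slide 72)."""
    return {c: sum((pr_K[k] for k in K if enc(k, m) == c), Fraction(0)) for c in C}


def posterior(P, C, K, enc, pr_P, pr_K):
    """Pr[P=m | C=c] = Pr[C=c | P=m] * Pr[P=m] / Pr[C=c], for c with Pr[C=c] > 0."""
    pr_C = ciphertext_dist(P, K, enc, pr_P, pr_K)
    post = {}
    for m in P:
        lk = likelihood(C, K, enc, pr_K, m)
        for c in C:
            if pr_C.get(c, Fraction(0)) > 0:
                post[(m, c)] = lk[c] * pr_P[m] / pr_C[c]
    return post


def perfectly_secret(P, C, K, enc, pr_P, pr_K):
    """Slide 73: Pr[P=m] == Pr[P=m | C=c] for every m and every possible c."""
    post = posterior(P, C, K, enc, pr_P, pr_K)
    return all(post[(m, c)] == pr_P[m] for (m, c) in post)


def theorem_conditions(P, C, K, enc, pr_K):
    """Slide 74: |K| = |P| = |C|, keys equiprobable, and for every x in P and
    y in C exactly one key k has e_k(x) = y."""
    same_size = len(K) == len(P) == len(C)
    equiprobable = all(pr_K[k] == Fraction(1, len(K)) for k in K)
    unique_key = all(sum(1 for k in K if enc(k, x) == y) == 1 for x in P for y in C)
    return same_size and equiprobable and unique_key


def biased_keys(K):
    """Key 0 with probability 1/2, the other keys sharing the rest (constructed)."""
    rest = Fraction(1, 2 * (len(K) - 1))
    return {k: (Fraction(1, 2) if k == 0 else rest) for k in K}


def skewed_plaintexts(P):
    """Pr[P=m] proportional to m+1: secrecy must hold for any plaintext distribution."""
    total = sum(m + 1 for m in P)
    return {m: Fraction(m + 1, total) for m in P}


if __name__ == "__main__":
    P, C, K, enc = shift_cipher(26)
    print("uniform keys:", perfectly_secret(P, C, K, enc, skewed_plaintexts(P), uniform(K)))
    print("biased keys: ", perfectly_secret(P, C, K, enc, uniform(P), biased_keys(K)))
    # Slide 78: three plaintexts but only two keys cannot be perfectly secret.
    P3, C3, K2 = [0, 1, 2], [0, 1, 2], [0, 1]
    print("|K| < |P|:   ", perfectly_secret(P3, C3, K2, lambda k, m: (m + k) % 3,
                                             uniform(P3), uniform(K2)))
```

With uniform keys the posterior equals the prior for every (m, c) whatever the plaintext distribution; a biased key distribution breaks this even with uniform plaintexts, matching the "only if" direction; and with two keys for three plaintexts some plaintext gets posterior 0 for some ciphertext, which is the slide 78 bound in action.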
Introduction to Complexity (slide 79)
• Perfect secrecy requires the key length to be at least the message length
  – Cannot use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography
Problems (slide 80)
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine (slide 81)
• Definition: A Turing machine is a transition function δ: S × B → S × B × {l, r}
  – where S is the set of states, B is the set of tape characters, l is shift left and r is shift right
[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a state machine]
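A simulator for exactly the object defined above, δ: S × B → S × B × {l, r}, as an added example written for this page (not the lecturer's code). The machine it runs, a binary incrementer, is constructed; the simulator also returns the number of transitions taken, which is the "number of steps on the TM" that the time-complexity definition on slide 84 counts.

```python
"""A deterministic Turing machine simulator built from the slide's definition
delta: S x B -> S x B x {l, r}, run on a constructed machine that adds 1 to a
binary number.  The returned step count is the measure slide 84 uses for
time complexity.  Added example, not from the lecture."""
BLANK = "_"
LEFT, RIGHT = "l", "r"


class TuringMachine:
    def __init__(self, delta, start, halting):
        self.delta = delta            # dict: (state, symbol) -> (state, symbol, move)
        self.start = start
        self.halting = set(halting)

    def run(self, tape, head=0, max_steps=10_000):
        """Run until a halting state. Returns (non-blank tape contents, steps)."""
        cells = dict(enumerate(tape))  # sparse tape; absent cells read as blank
        state, steps = self.start, 0
        while state not in self.halting:
            if steps >= max_steps:
                # A step cap is only a practical guard: whether an arbitrary
                # machine halts is undecidable (slide 86).
                raise RuntimeError("step limit reached")
            symbol = cells.get(head, BLANK)
            state, write, move = self.delta[(state, symbol)]
            cells[head] = write
            head += -1 if move == LEFT else 1
            steps += 1
        lo, hi = min(cells), max(cells)
        contents = "".join(cells.get(i, BLANK) for i in range(lo, hi + 1))
        return contents.strip(BLANK), steps


# Binary increment: start on the rightmost bit in state "add"; turn trailing 1s
# into 0s moving left, then turn the first 0 (or the blank beyond the left end)
# into 1 and halt.
INCREMENT = TuringMachine(
    delta={("add", "0"):   ("halt", "1", RIGHT),
           ("add", "1"):   ("add",  "0", LEFT),
           ("add", BLANK): ("halt", "1", RIGHT)},
    start="add",
    halting={"halt"},
)


def increment(bits):
    """Return (bits + 1 as a binary string, number of TM steps taken)."""
    return INCREMENT.run(bits, head=len(bits) - 1)


if __name__ == "__main__":
    for b in ("1011", "111", "0"):
        print(b, "->", increment(b))
```

The step count grows linearly with the input length (an all-ones input of n bits takes n + 1 transitions), which is the sense in which the function f(n) of slide 84 is attached to a concrete machine rather than to a programming language.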
Algorithms (slide 82)
• Definition: An algorithm is a step-by-step procedure (based on a Turing machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Problems and Algorithms (slide 83)
[Figure: PROBLEM, INSTANCES, ALGORITHM, with Input and Output]
Complexity of Algorithm (slide 84)
• Definition: The time complexity of an algorithm is how many steps (based on the TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) grows at least as fast as a^n for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 73
Shannon Security
bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo
bull Definition An encryption scheme is Shannon secure if probability distribution of P
cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 74
Perfect Secrecy Theorem
bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|
bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t
hat ek(x) = y
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]
bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y
bull |ek(x)|kK|=|C|=|K|
ndash There is not ek1 ek2 and ek1(x) = ek2(x)
ndash There is a unique key k such that ek(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
bull Let n=|K| and P=xi|1in
bull Given a fixed y assume k1k2hellipkn where eki (xi)
=y
bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]
bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|
Zhijun Li S1034040Autumn08HIT 78
ldquoBad Newsrdquo for Perfect Secrecy
bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n
bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m
Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m
ndash As one key can decrypt c into one message at least n keys are needed
Zhijun Li S1034040Autumn08HIT 79
Introduction of the Complexity
bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi
t)
bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
bull Definition A problem is a general question with associated parameters whose values are not specified
bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a
nd bndash An instance of GCD problem what is gcd(2416)
Zhijun Li S1034040Autumn08HIT 81
bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi
ft right
Turing Machine
hellip 0 1 1 0 0 0 1 1 hellip
State Machine
Zhijun Li S1034040Autumn08HIT 82
Algorithms
bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer
bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 75
Proof of
kKx=dk(y) Pr[K = k]Pr[x = x]
bull Pr[x = x|y = y]=
kKyC(k) Pr[K = k]Pr[x = dk(y)]
kKx=dk(y) Pr[K = k]=1|K|
kKyC(k) Pr[K = k]Pr[x = dk(y)]
=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|
Zhijun Li S1034040Autumn08HIT 76
Proof of
• Pr[y] > 0
• Pr[x|y] = Pr[x] ⇒ Pr[y|x] = Pr[y]
• Fix x ∈ P; for every y ∈ C we have Pr[y|x] = Pr[y] > 0, thus there exists at least one key k with e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with e_k1(x) = e_k2(x)
  – There is a unique key k such that e_k(x) = y
Zhijun Li S1034040Autumn08HIT 77
Proof of
• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Given a fixed y, let k_1, k_2, …, k_n be the keys with e_{k_i}(x_i) = y
• Pr[x_i|y] = Pr[y|x_i] Pr[x_i] / Pr[y] = Pr[K = k_i] Pr[x_i] / Pr[y]
• Pr[x_i|y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
  – Every key is used with equal probability 1/|K|
Zhijun Li S1034040Autumn08HIT 78
"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a probability distribution on P in which every message has nonzero probability
  – Given any C = c, for every m, Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
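The two directions of the proof above and the |K| ≥ n bound can be checked mechanically on a small cipher. The following Python is an added example, not part of the lecture slides: it computes Pr[x|y] exactly with fractions for a shift cipher over Z_10 (a constructed toy; the alphabet size, the skewed plaintext distribution and the key weights are assumptions) and tests Shannon's conditions (uniform keys, |K| = |C| = |P|, a unique key for every (x, y) pair). The single-symbol cipher with uniform keys passes; the same ten keys applied to two-symbol messages fail because |K| = 10 < |P| = 100, and a skewed key distribution breaks perfect secrecy even for single symbols.

```python
from fractions import Fraction

def shift_cipher(n):
    """Shift cipher on Z_n applied symbol-wise: e_k(x) = (x_1 + k, ..., x_m + k) mod n."""
    def enc(k, x):
        return tuple((xi + k) % n for xi in x)
    return enc

def ciphertext_probs(enc, key_probs, plain_probs):
    """Pr[y] = sum over (k, x) with e_k(x) = y of Pr[K = k] * Pr[X = x]."""
    pr_y = {}
    for k, pk in key_probs.items():
        for x, px in plain_probs.items():
            y = enc(k, x)
            pr_y[y] = pr_y.get(y, Fraction(0)) + pk * px
    return pr_y

def is_perfectly_secret(enc, key_probs, plain_probs):
    """Perfect secrecy: Pr[X = x | Y = y] == Pr[X = x] for every x and every y with Pr[y] > 0."""
    pr_y = ciphertext_probs(enc, key_probs, plain_probs)
    for y, py in pr_y.items():
        for x, px in plain_probs.items():
            # Pr[x, y] = Pr[x] * sum of Pr[K = k] over the keys that map x to y
            pr_xy = px * sum(pk for k, pk in key_probs.items() if enc(k, x) == y)
            if pr_xy / py != px:          # exact comparison, no floating point
                return False
    return True

def shannon_conditions(enc, key_probs, plaintexts):
    """Shannon's characterization: |K| = |C| = |P|, keys uniform, exactly one key per (x, y)."""
    keys = list(key_probs)
    ciphertexts = {enc(k, x) for k in keys for x in plaintexts}
    uniform = all(pk == Fraction(1, len(keys)) for pk in key_probs.values())
    unique_key = all(sum(1 for k in keys if enc(k, x) == y) == 1
                     for x in plaintexts for y in ciphertexts)
    return len(keys) == len(ciphertexts) == len(plaintexts) and uniform and unique_key

N = 10                                   # constructed toy alphabet size
ENC = shift_cipher(N)
UNIFORM_KEYS = {k: Fraction(1, N) for k in range(N)}
# constructed skewed key distribution: key 0 twice as likely as the others
SKEWED_KEYS = {k: Fraction(2 if k == 0 else 1, N + 1) for k in range(N)}
# constructed skewed single-symbol plaintext distribution (weights out of 20)
WEIGHTS = [5, 4, 3, 2, 1, 1, 1, 1, 1, 1]
SINGLE = {(x,): Fraction(w, 20) for x, w in enumerate(WEIGHTS)}
# two-symbol messages under the same ten keys: |P| = 100 > |K| = 10
PAIRS = {(a, b): Fraction(1, N * N) for a in range(N) for b in range(N)}

def demo():
    return {
        "single_perfect": is_perfectly_secret(ENC, UNIFORM_KEYS, SINGLE),
        "single_shannon": shannon_conditions(ENC, UNIFORM_KEYS, list(SINGLE)),
        "single_skewed_keys": is_perfectly_secret(ENC, SKEWED_KEYS, SINGLE),
        "pairs_perfect": is_perfectly_secret(ENC, UNIFORM_KEYS, PAIRS),
        "pairs_key_bound_ok": len(UNIFORM_KEYS) >= len(PAIRS),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check is exhaustive, so it only scales to toy spaces; its value is that it computes the same conditional probabilities the proof manipulates, rather than trusting the argument.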
Zhijun Li S1034040Autumn08HIT 79
Introduction to Complexity
• Perfect secrecy: key length ≥ message length
  – Cannot use one key to encrypt many messages
  – E.g., cannot use a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – Secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography
Zhijun Li S1034040Autumn08HIT 80
Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Zhijun Li S1034040Autumn08HIT 81
Turing Machine
• Definition: A Turing Machine is given by a transition function δ: S × B → S × B × {l, r}
  – where S is the set of states, B the set of tape characters, l is shift left and r is shift right
[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by the state machine]
Zhijun Li S1034040Autumn08HIT 82
Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Zhijun Li S1034040Autumn08HIT 83
Problems and Algorithms
[Figure: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output]
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
• Undecidable – provably intractable
  – There is no algorithm that solves it
  – E.g., the Turing Halting Problem
• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: A B
  – NP – can be solved in polynomial time using an NDTM, δ: S × B → 2^{S × B × {l, r}}
  – BPP – can be "solved" in polynomial time using a PTM, δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
• NP ⊇ P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are intuitively "more difficult"
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x ∈ I1: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is at least as complex as Q1
  – Denoted as Q1 ≤poly Q2
Zhijun Li S1034040Autumn08HIT 89
NP Completeness (NPC)
• Definition: An NPC problem is a Q_c such that for any Q ∈ NP we have Q ≤poly Q_c
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC
  – Show SAT ≤poly Q
Zhijun Li S1034040Autumn08HIT 90
P=NP
• Either P = NP, or there exists p ∈ NP with p ∉ P
• If P = NP
  – Modern cryptography is NOT secure
• If there exists p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem is solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
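Miller–Rabin primality testing is the textbook instance of what the BPP slide describes: a polynomial-time randomized algorithm whose "composite" answer is always right, whose "prime" answer can be wrong, and whose error shrinks geometrically with repetition (at most 1/4 per round for an odd composite, so at most 4^-rounds overall). The Python below is an added example, not from the slides; the fixed seed and the sample numbers (the Carmichael number 561 and the prime 104729) are constructed for the demonstration. strong_liar_fraction enumerates every base and measures the real per-round error for a given composite.

```python
import random

def decompose(n):
    """Write n - 1 = 2^s * d with d odd."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    return s, d

def strong_probable_prime(n, a):
    """One Miller-Rabin round for odd n > 3: True if base a does NOT witness compositeness."""
    s, d = decompose(n)
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False            # a is a witness: n is certainly composite

def is_probable_prime(n, rounds=20, rng=None):
    """BPP-style decision: 'False' is always correct, 'True' is wrong with
    probability at most 4**-rounds (repetition drives the error down)."""
    rng = rng or random.Random(20080101)     # fixed seed keeps the demo reproducible
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)          # random base, the PTM's coin flips
        if not strong_probable_prime(n, a):
            return False
    return True

def strong_liar_fraction(n):
    """Exact per-round error for odd composite n: the fraction of bases in [1, n-1]
    that pass a single round. Rabin's bound says this is at most 1/4 for n > 9."""
    liars = sum(1 for a in range(1, n) if strong_probable_prime(n, a))
    return liars / (n - 1)

def error_bound(rounds):
    """Worst-case probability that `rounds` independent rounds all lie for a composite."""
    return 4.0 ** -rounds

if __name__ == "__main__":
    print("561 prime?", is_probable_prime(561), "liar fraction", strong_liar_fraction(561))
    print("104729 prime?", is_probable_prime(104729))
    print("error bound after 20 rounds", error_bound(20))
```

Each extra round costs one modular exponentiation, so the error is exponentially small in a polynomial amount of work, which is exactly the trade the BPP slide refers to.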
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
• FACTORING: factorize n (= p1^e1 p2^e2 … pk^ek)
• DLP: given a base and a target residue modulo p, find the exponent x such that the base raised to x is congruent to the target (mod p)
• DHP: given the base raised to a and the base raised to b (mod p), find the base raised to ab (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)
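The NP definition (an NDTM answers YES whenever a solution exists), the polynomial reduction Q1 ≤poly Q2, and the Subset-Sum problem listed above can be made concrete in one small program. The Python below is an added example, not from the slides: it simulates the NDTM by enumerating all 2^n branches, checks a certificate in polynomial time, and gives a reduction from PARTITION (assumed here, not on the slides: can a multiset of positive integers be split into two parts of equal sum?) to SUBSET-SUM, then checks the condition "x ∈ I1+ iff f(x) ∈ I2+" by brute force on constructed instances.

```python
from itertools import combinations

def subset_sum_verify(A, s, certificate):
    """Polynomial-time verifier (the 'check' half of NP): the certificate is a
    list of distinct indices into A whose elements must sum to s."""
    if len(set(certificate)) != len(certificate):
        return False
    if any(not 0 <= i < len(A) for i in certificate):
        return False
    return sum(A[i] for i in certificate) == s

def subset_sum_search(A, s):
    """Deterministic simulation of the NDTM: try every one of the 2^n branches
    (subsets) and accept if any certificate verifies. Exponential time."""
    n = len(A)
    for r in range(n + 1):
        for idx in combinations(range(n), r):
            if subset_sum_verify(A, s, list(idx)):
                return list(idx)
    return None

def partition_to_subset_sum(A):
    """Reduction f: PARTITION -> SUBSET-SUM, computable in linear time.
    A yes-instance of PARTITION maps to the SUBSET-SUM instance with target
    sum(A)/2; an odd total can never be split, so it maps to the unreachable
    target sum(A) + 1 (all elements are positive)."""
    total = sum(A)
    if total % 2:
        return A, total + 1
    return A, total // 2

def partition_search(A):
    """Brute-force PARTITION decider, used only to check the reduction."""
    total = sum(A)
    n = len(A)
    return any(2 * sum(A[i] for i in idx) == total
               for r in range(n + 1) for idx in combinations(range(n), r))

def reduction_is_correct(instances):
    """Check 'x in I1+ iff f(x) in I2+' on every given PARTITION instance."""
    return all(partition_search(A) == (subset_sum_search(*partition_to_subset_sum(A)) is not None)
               for A in instances)

# constructed sample instances
SAMPLE_A = [3, 34, 4, 12, 5, 2]
PARTITION_INSTANCES = [[1, 5, 11, 5], [1, 2, 3, 5], [2, 2], [7], [3, 1, 1, 2, 2, 1]]

if __name__ == "__main__":
    print("subset of", SAMPLE_A, "summing to 9:", subset_sum_search(SAMPLE_A, 9))
    print("subset summing to 30:", subset_sum_search(SAMPLE_A, 30))
    print("reduction correct on samples:", reduction_is_correct(PARTITION_INSTANCES))
```

The asymmetry the slides rely on is visible in the two Subset-Sum functions: the verifier is a single pass over the certificate, the search is 2^n calls of it, and the reduction costs one addition per element, so any polynomial-time Subset-Sum solver would immediately give a polynomial-time PARTITION solver.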
Zhijun Li S1034040Autumn08HIT 93
Semantic Security
• Ideas of semantic security
  – Between Shannon security and complexity-based security
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
• The game
  – Challenger: picks a random key k and a random bit b ∈ {0, 1}
  – Adversary: picks M0, M1 of equal length and sends them to the challenger
  – Challenger: returns the encryption of M_b under k
  – Adversary: outputs a guess b'
  – Attacker wins the game if b = b'
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
• The game
  – Challenger: 1. picks a random key k; 2. picks a random message M and sends the encryption of M under k
  – Adversary: 3. picks a position i and outputs a guess a
  – Attacker wins the game if a = the i'th bit of M
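The two games above, and the reduction claimed on the Semantic Security slide (a bit-security attacker yields an IND-CPA attacker with the same advantage), as an added Python example that is not part of the lecture. The 16-bit message size, the one-time-pad and the "leaky" toy cipher that sends bit 0 in the clear are constructed for illustration; the IND-CPA game is the eavesdropper version with a single challenge ciphertext and no encryption oracle, which is the setting the theorem names. The reduction chooses M1 as the bitwise complement of M0, so whichever position i the bit adversary picks, its guess is right exactly when it identifies M_b.

```python
import random

BITS = 16                       # toy message/key length in bits
MASK = (1 << BITS) - 1

def otp_encrypt(key, msg):
    """One-time pad on BITS-bit integers: every message bit is masked by a key bit."""
    return msg ^ key

def leaky_encrypt(key, msg):
    """Constructed toy cipher: like the pad, but bit 0 of the key is forced to 0,
    so bit 0 of the message is transmitted in the clear."""
    return msg ^ (key & ~1)

def bit(x, i):
    return (x >> i) & 1

def bit_security_game(encrypt, adversary, rng):
    """Bit-security game: challenger picks k and M; adversary sees E_k(M),
    picks a position i and guesses bit a; wins if a equals bit i of M."""
    k = rng.getrandbits(BITS)
    m = rng.getrandbits(BITS)
    i, a = adversary.guess_bit(encrypt(k, m))
    return a == bit(m, i)

def ind_cpa_game(encrypt, adversary, rng):
    """IND-CPA game (eavesdropper, single challenge): challenger picks k and b,
    adversary picks M0, M1, sees E_k(M_b) and guesses b'; wins if b' == b."""
    k = rng.getrandbits(BITS)
    b = rng.getrandbits(1)
    m0, m1 = adversary.choose_messages()
    return adversary.guess_b(encrypt(k, m1 if b else m0)) == b

class LowBitAdversary:
    """Bit-security adversary against the leaky cipher: reads bit 0 of the ciphertext."""
    def guess_bit(self, c):
        return 0, bit(c, 0)

class ReductionAdversary:
    """IND-CPA adversary built from ANY bit-security adversary (the slide's proof idea).
    Runs in the bit adversary's time plus one XOR, so the (t, eps) bound carries over."""
    def __init__(self, bit_adversary, rng):
        self.bit_adversary = bit_adversary
        self.rng = rng
    def choose_messages(self):
        self.m0 = self.rng.getrandbits(BITS)
        self.m1 = self.m0 ^ MASK          # complement: every bit differs between M0 and M1
        return self.m0, self.m1
    def guess_b(self, c):
        i, a = self.bit_adversary.guess_bit(c)
        return 0 if a == bit(self.m0, i) else 1

def win_rate(game, encrypt, make_adversary, trials=2000, seed=2008):
    """Empirical success probability over `trials` independent games (seeded for reproducibility)."""
    rng = random.Random(seed)
    wins = sum(game(encrypt, make_adversary(rng), rng) for _ in range(trials))
    return wins / trials

def demo():
    bit_adv = lambda rng: LowBitAdversary()
    ind_adv = lambda rng: ReductionAdversary(LowBitAdversary(), rng)
    return {
        "leaky_bit_game": win_rate(bit_security_game, leaky_encrypt, bit_adv),
        "leaky_ind_cpa": win_rate(ind_cpa_game, leaky_encrypt, ind_adv),
        "otp_bit_game": win_rate(bit_security_game, otp_encrypt, bit_adv),
        "otp_ind_cpa": win_rate(ind_cpa_game, otp_encrypt, ind_adv),
    }

if __name__ == "__main__":
    for name, rate in demo().items():
        print(f"{name}: {rate:.3f}")
```

Against the leaky cipher the bit adversary wins every game, and the IND-CPA adversary built from it wins every game too, which is the contrapositive of the theorem: a cipher that is not bit secure is not IND-CPA secure. Against the one-time pad both win rates stay near 0.5, since the same reduction cannot manufacture an advantage that the underlying bit adversary does not have.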
Introduction to Complexity
• Perfect secrecy requires key length ≥ message length
  – Cannot use one key to encrypt many messages
  – For example, a 56-bit key cannot give perfect secrecy for a document longer than 56 bits
• So in modern cryptography
  – NOT perfect secrecy
  – but secure under limited resources (complexity)
  – meaning that recovering the key (or the plaintext) is difficult
  – Complexity is the foundation of modern cryptography
Problems
• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?
Turing Machine
• Definition: A Turing machine is given by a transition function S × B → S × B × {l, r}, where S is the set of states, B is the set of tape characters, l means shift left and r means shift right
[Figure: tape … 0 1 1 0 0 0 1 1 … read and written by a state machine]
Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem
Problems and Algorithms
[Figure: a PROBLEM has INSTANCES; an ALGORITHM takes an instance as Input and produces the Output]
Complexity of Algorithm
• Definition: The time complexity of an algorithm is how many steps (of the Turing machine) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) grows at least like a^n for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)
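As an added example (not part of the lecture slides) of the definitions on slides 80 to 84: the GCD problem solved by Euclid's algorithm, instrumented to count its loop iterations as a coarse stand-in for Turing-machine steps, beside a brute-force divisor search, so that a polynomial and an exponential time-complexity function can be observed on the slides' own instance gcd(24, 16). The worst-case instances for Euclid (consecutive Fibonacci numbers) are an added fact the slides do not mention; the 2·n + 1 step bound checked below is a loose bound I chose for the demonstration.

```python
# Added example, not from the lecture slides: the GCD problem (slide 80)
# solved by two algorithms, each counting its loop iterations as "steps"
# (a coarse stand-in for Turing-machine steps), so that the growth of the
# time-complexity function with the instance size n can be observed.
from typing import Tuple


def instance_size(a: int, b: int) -> int:
    """Size n of the instance (a, b): the number of bits needed to write it."""
    return a.bit_length() + b.bit_length()


def gcd_euclid(a: int, b: int) -> Tuple[int, int]:
    """Euclid's algorithm. Returns (gcd(a, b), number of division steps).
    The step count is O(log min(a, b)), i.e. linear in the instance size n."""
    if a < 0 or b < 0:
        raise ValueError("arguments must be natural numbers")
    steps = 0
    while b != 0:
        a, b = b, a % b
        steps += 1
    return a, steps


def gcd_bruteforce(a: int, b: int) -> Tuple[int, int]:
    """Try every candidate divisor from min(a, b) downwards. Returns
    (gcd(a, b), number of candidates tried). The step count is up to
    min(a, b), which is exponential in the number of bits of the instance."""
    if a <= 0 or b <= 0:
        raise ValueError("arguments must be positive")
    steps = 0
    for d in range(min(a, b), 0, -1):
        steps += 1
        if a % d == 0 and b % d == 0:
            return d, steps
    raise AssertionError("unreachable: d = 1 divides both arguments")


def fibonacci_pair(n: int) -> Tuple[int, int]:
    """Return (F(n+1), F(n)) with F(1) = F(2) = 1. Consecutive Fibonacci
    numbers are the worst case for Euclid's algorithm (an added fact, not
    from the slides): gcd(F(n+1), F(n)) takes exactly n - 1 division steps."""
    if n < 1:
        raise ValueError("n must be >= 1")
    prev, cur = 0, 1  # F(0), F(1)
    for _ in range(n):
        prev, cur = cur, prev + cur  # after n rounds: prev = F(n), cur = F(n+1)
    return cur, prev


def euclid_is_polynomial(n: int) -> bool:
    """On the worst-case instance with Fibonacci index n, check that Euclid's
    step count stays within 2 * size + 1, a linear function of the instance
    size (a loose bound chosen for this demonstration)."""
    a, b = fibonacci_pair(n)
    _, steps = gcd_euclid(a, b)
    return steps <= 2 * instance_size(a, b) + 1


if __name__ == "__main__":
    # The instance from slide 80, then growing worst-case instances.
    print("gcd(24, 16):", gcd_euclid(24, 16), gcd_bruteforce(24, 16))
    for n in (5, 10, 15, 20):
        a, b = fibonacci_pair(n)
        print(f"n={instance_size(a, b):2d} bits  euclid={gcd_euclid(a, b)[1]:3d} steps"
              f"  bruteforce={gcd_bruteforce(a, b)[1]:6d} steps")
```

Euclid's step count grows linearly with the bit length of the instance while the divisor search grows with the value itself, which is the difference between a polynomial and an exponential TCF on the same problem.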
Complexity of Problem
• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
Classes of Problem
• Undecidable (provably intractable)
  – There is no algorithm that solves it
  – Such as the Turing halting problem
• Decidable
  – P: can be solved in polynomial time using a DTM
    – Example: AB
  – NP: can be solved in polynomial time using an NDTM, whose transition function maps S × B to 2^S (a set of possible next states)
  – BPP: can be "solved" in polynomial time using a PTM, whose transition function maps S × B × {0,1} to S (randomized algorithms)
NP Problem
• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", by intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems
Polynomial Reduction
• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is at least as hard as Q1
  – Denoted Q1 ≤poly Q2
NP Completeness (NPC)
• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC: show SAT ≤poly Q
P = NP
• Either P = NP, or there is a problem p ∈ NP with p ∉ P
• If P = NP
  – Modern cryptography is NOT secure
• If there is p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography
BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
Problems in Cryptography
• FACTORING: factorize n (= p1^e1 · p2^e2 ··· pk^ek)
• DLP: find the exponent x satisfying the given congruence modulo p (the discrete logarithm problem)
• DHP: from the residues of the a-th and b-th powers modulo p, find the residue of the ab-th power modulo p (the Diffie-Hellman problem)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)
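As an added example (not part of the lecture slides) for the problem list above and for the NP definition on slide 87: toy instances of FACTORING, DLP, QRP, SQROOT and Subset-Sum at sizes where brute force still finishes. Each function either checks a claimed solution in polynomial time or searches for one in time exponential in the bit length of the input, which is the asymmetry the NP definition captures. All numbers are constructed for illustration (the prime 23, the generator 5 and the set {3, 34, 4, 12, 5, 2} are my choices); 84 = 2^2·3·7 is the factorization example from the slides. Euler's criterion and the p ≡ 3 (mod 4) square-root shortcut are standard facts not stated on the slides.

```python
# Added example, not from the lecture slides: toy instances of the problems
# on slide 92 (FACTORING, DLP, Subset-Sum, QRP, SQROOT). Checking a claimed
# answer is polynomial; the searches are exponential in the input's bit length.
# All sample values are constructed; 84 = 2^2 * 3 * 7 is from the slides.
from itertools import combinations
from typing import List, Optional, Tuple


def factor(n: int) -> List[Tuple[int, int]]:
    """FACTORING by trial division: returns [(p1, e1), (p2, e2), ...].
    Up to sqrt(n) candidates are tried, which is exponential in log n."""
    if n < 2:
        raise ValueError("n must be >= 2")
    factors = []
    d = 2
    while d * d <= n:
        e = 0
        while n % d == 0:
            n //= d
            e += 1
        if e:
            factors.append((d, e))
        d += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def discrete_log_bruteforce(g: int, h: int, p: int) -> Optional[int]:
    """DLP: find x with g^x = h (mod p) by trying every exponent. One candidate
    costs one modular exponentiation (polynomial); there are p - 1 candidates."""
    for x in range(p - 1):
        if pow(g, x, p) == h:
            return x
    return None


def is_quadratic_residue(a: int, p: int) -> bool:
    """QRP for an odd prime p via Euler's criterion: a is a residue iff
    a^((p-1)/2) = 1 (mod p). For a prime modulus this is polynomial time;
    the hardness on slide 92 concerns composite n of unknown factorization."""
    if p < 3 or a % p == 0:
        raise ValueError("need an odd prime p and a not divisible by p")
    return pow(a, (p - 1) // 2, p) == 1


def sqrt_mod_prime(a: int, p: int) -> Optional[int]:
    """SQROOT for a prime p with p = 3 (mod 4): x = a^((p+1)/4) mod p is a
    square root of a when one exists; the answer is verified by squaring."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p = 3 (mod 4)")
    x = pow(a, (p + 1) // 4, p)
    return x if (x * x) % p == a % p else None


def subset_sum_verify(A: List[int], chosen: Tuple[int, ...], s: int) -> bool:
    """Subset-Sum certificate check (indices into A): polynomial in len(A)."""
    if len(set(chosen)) != len(chosen) or any(not 0 <= i < len(A) for i in chosen):
        return False
    return sum(A[i] for i in chosen) == s


def subset_sum_search(A: List[int], s: int) -> Optional[Tuple[int, ...]]:
    """Subset-Sum search: enumerate all 2^n index subsets, smallest first,
    and return the first one the verifier accepts."""
    for r in range(len(A) + 1):
        for chosen in combinations(range(len(A)), r):
            if subset_sum_verify(A, chosen, s):
                return chosen
    return None


if __name__ == "__main__":
    print("factor(84) =", factor(84))
    print("log_5(8) mod 23 =", discrete_log_bruteforce(5, 8, 23))
    print("2 is QR mod 23:", is_quadratic_residue(2, 23), " sqrt =", sqrt_mod_prime(2, 23))
    print("5 is QR mod 23:", is_quadratic_residue(5, 23), " sqrt =", sqrt_mod_prime(5, 23))
    A = [3, 34, 4, 12, 5, 2]
    print("subset of", A, "summing to 9:", subset_sum_search(A, 9))
```

The verifier functions (`pow`, squaring, `subset_sum_verify`) are what an NDTM's "YES" branch corresponds to; the loops around them are the exponential search that modern cryptography assumes has no polynomial shortcut for large parameters.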
Semantic Security
• Ideas of semantic security
  – Between Shannon security and complexity-based security
  – Leakage of partial information
  – Approximate perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish a ciphertext from random bits
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
  Challenger: picks random k and random b ∈ {0,1}
  Adversary: picks M0, M1 of equal length
  Challenger: returns the encryption of M_b under k; Adversary: outputs a guess b'
  Attacker wins the game if b = b'
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
  Challenger: 1. picks random k; 2. picks random M (and sends its encryption)
  Adversary: 3. picks i and outputs a guess a
  Attacker wins the game if a = the i-th bit of M
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
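The two games and the reduction in the proof sketch, as an added example that is not part of the lecture slides. It simulates the eavesdropper IND-CPA game (slide 94) and the bit-security game (slide 95) against two constructed ciphers: a one-time pad and a deliberately weak "leaky" pad that leaves bit 0 of every byte unmasked. `reduce_bit_attacker` is one way to realize the proof on slide 96: the IND-CPA attacker submits M0 = all zeros and M1 = all ones, so whichever bit the bit-security attacker recovers equals the challenger's bit b. The 8-byte message length, the ciphers, the attacker and the seeded PRNG are all my assumptions for the demonstration.

```python
# Added example, not from the lecture slides: the IND-CPA eavesdropper game
# (slide 94), the bit-security game (slide 95) and the reduction of the proof
# on slide 96 (a bit-security attacker turned into an IND-CPA attacker).
# Ciphers, attacker and message length are constructed for illustration.
import random
from typing import Callable, Dict, Tuple

MSG_LEN = 8  # message length in bytes (constructed choice)

Cipher = Callable[[bytes, bytes], bytes]  # (key, msg) -> ciphertext
BitAttacker = Callable[[bytes, random.Random], Tuple[int, int]]  # c -> (i, guess a)


def otp_encrypt(key: bytes, msg: bytes) -> bytes:
    """One-time pad: every plaintext bit is masked by a key bit."""
    return bytes(m ^ k for m, k in zip(msg, key))


def leaky_encrypt(key: bytes, msg: bytes) -> bytes:
    """Constructed weak cipher: a pad whose key has bit 0 of every byte
    cleared, so bit 0 of each plaintext byte is readable in the ciphertext."""
    return bytes(m ^ (k & 0xFE) for m, k in zip(msg, key))


def bit_of(data: bytes, i: int) -> int:
    """Bit i of a byte string: bit (i % 8) of byte (i // 8)."""
    return (data[i // 8] >> (i % 8)) & 1


def leaky_bit_attacker(c: bytes, rng: random.Random) -> Tuple[int, int]:
    """Bit-security attacker: picks i = 0 and reads it off the ciphertext.
    Against the one-time pad that bit is masked, so the read is a coin flip."""
    return 0, bit_of(c, 0)


def random_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.randrange(256) for _ in range(n))


def bit_game(encrypt: Cipher, attacker: BitAttacker, rng: random.Random) -> bool:
    """Slide 95: challenger picks random k and M; adversary picks i and a;
    the adversary wins if a equals the i-th bit of M."""
    k = random_bytes(rng, MSG_LEN)
    m = random_bytes(rng, MSG_LEN)
    i, a = attacker(encrypt(k, m), rng)
    return a == bit_of(m, i)


def ind_cpa_game(encrypt: Cipher, choose, guess, rng: random.Random) -> bool:
    """Slide 94 (eavesdropper version): challenger picks random k and b;
    adversary picks M0, M1 of equal length, sees E(k, M_b) and outputs b'."""
    k = random_bytes(rng, MSG_LEN)
    b = rng.randrange(2)
    m0, m1 = choose()
    assert len(m0) == len(m1)
    return guess(encrypt(k, m1 if b else m0), rng) == b


def reduce_bit_attacker(attacker: BitAttacker):
    """Slide 96 proof: an IND-CPA attacker built from a bit-security attacker.
    M0 and M1 differ in every bit, so the recovered bit a equals b."""
    m0 = bytes(MSG_LEN)            # all bits 0
    m1 = bytes([0xFF]) * MSG_LEN   # all bits 1

    def choose() -> Tuple[bytes, bytes]:
        return m0, m1

    def guess(c: bytes, rng: random.Random) -> int:
        _i, a = attacker(c, rng)
        return a

    return choose, guess


def win_rates(encrypt: Cipher, attacker: BitAttacker, trials: int, seed: int) -> Dict[str, float]:
    """Play both games `trials` times with a seeded PRNG and report win rates."""
    rng = random.Random(seed)
    choose, guess = reduce_bit_attacker(attacker)
    bit_wins = sum(bit_game(encrypt, attacker, rng) for _ in range(trials))
    ind_wins = sum(ind_cpa_game(encrypt, choose, guess, rng) for _ in range(trials))
    return {"bit": bit_wins / trials, "ind_cpa": ind_wins / trials}


if __name__ == "__main__":
    for name, enc in (("leaky", leaky_encrypt), ("otp", otp_encrypt)):
        print(name, win_rates(enc, leaky_bit_attacker, trials=400, seed=1))
```

Against the leaky cipher the bit attacker wins every round, and so does the IND-CPA attacker built from it; against the pad both stay near 0.5. That is the contrapositive the slide's proof relies on: a cipher with no IND-CPA attacker can have no bit-security attacker either.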
Summary
• Number theory
  – Primes, gcd, Euler's theorem, CRT
  – Modular arithmetic
• Algebraic structures
  – Group, field
  – Zn, Zp, GF(2^n)
• Shannon security
  – Perfect secrecy
  – Probability
• Complexity of computing
  – P, NP, NPC, BPP
Homework
• HTTP URL: httpcsthiteducncryptography
• Due Date
Zhijun Li S1034040Autumn08HIT 83
PROBLEM
INSTANCES
ALGORITHM
Input
Output
Problems and Algorithms
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
Semantic Security
• Ideas of Semantic Security
– Between Shannon security and security based on complexity
– Leak partial information
– Approximate perfect secrecy
• Definition of Semantic Security
– Indistinguishability of ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish ciphertext from random bits
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
• The game:
– Challenger picks a random key k and a random bit b ∈ {0, 1}
– Adversary picks M0, M1 of equal length and sends them to the challenger
– Challenger returns the encryption of Mb under k
– Adversary outputs a guess b'
– Attacker wins the game if b = b'
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
• The game:
– Challenger: 1. picks a random key k; 2. picks a random message M and sends the adversary its encryption
– Adversary: 3. picks an index i and outputs a bit a
– Attacker wins the game if a = the i'th bit of M
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
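The three slides above define two games and sketch a reduction between them. The following added Python example (not part of the lecture) runs both games as simulations and implements the reduction: a bit-security attacker A is wrapped into an IND-CPA attacker B that submits M0 and its bitwise complement M1, runs A on the challenge ciphertext, and answers b' = 0 exactly when A's predicted bit matches M0. Two toy ciphers are assumed: a one-time pad with a fresh key per game, and a deliberately leaky variant that sends bit 0 of the plaintext in the clear; the message length, the bit-index convention and the trial counts are also assumptions of the example.

```python
"""The IND-CPA and bit-security games, run as simulations, plus the reduction
that turns a bit-security attacker into an IND-CPA attacker.

Constructed example.  Both games are the eavesdropper versions on the slides:
one challenge, no encryption oracle.  Bit i of M means bit i of the message
viewed as a little-endian bit string (bit 0 = low bit of byte 0).
"""
import random

BLOCK = 16  # message length in bytes


def random_bytes(rng, n=BLOCK):
    return bytes(rng.getrandbits(8) for _ in range(n))


def bit(msg, i):
    return (msg[i // 8] >> (i % 8)) & 1


def otp_encrypt(key, msg):
    """One-time pad; with a fresh random key this is perfectly secret."""
    return bytes(k ^ m for k, m in zip(key, msg))


def leaky_encrypt(key, msg):
    """OTP whose first ciphertext byte carries bit 0 of the plaintext unencrypted."""
    c = bytearray(otp_encrypt(key, msg))
    c[0] = (c[0] & 0xFE) | (msg[0] & 1)
    return bytes(c)


def bit_predictor(c):
    """Bit-security attacker: names index 0 and reads it straight out of c."""
    return 0, c[0] & 1


class ReductionAdversary:
    """IND-CPA attacker built from a bit predictor (the proof on slide 96).
    M1 is the bitwise complement of M0, so M0 and M1 differ at every index and
    a correct prediction of bit i of M_b identifies b."""

    def __init__(self, predictor):
        self.predictor = predictor

    def choose(self, rng):
        m0 = random_bytes(rng)
        m1 = bytes(x ^ 0xFF for x in m0)
        return m0, m1

    def guess(self, c, m0, m1):
        i, a = self.predictor(c)
        return 0 if a == bit(m0, i) else 1


def ind_cpa_game(encrypt, adversary, rng):
    """One run of the slide-94 game; True iff the adversary's b' equals b."""
    key, b = random_bytes(rng), rng.getrandbits(1)
    m0, m1 = adversary.choose(rng)
    assert len(m0) == len(m1) == BLOCK
    c = encrypt(key, m1 if b else m0)
    return adversary.guess(c, m0, m1) == b


def bit_game(encrypt, predictor, rng):
    """One run of the slide-95 game; True iff the predicted bit a equals bit i of M."""
    key, m = random_bytes(rng), random_bytes(rng)
    i, a = predictor(encrypt(key, m))
    return a == bit(m, i)


def win_rate(play, trials=2000, seed=1):
    rng = random.Random(seed)
    return sum(play(rng) for _ in range(trials)) / trials


def ind_cpa_win_rate(encrypt):
    return win_rate(lambda rng: ind_cpa_game(encrypt, ReductionAdversary(bit_predictor), rng))


def bit_win_rate(encrypt):
    return win_rate(lambda rng: bit_game(encrypt, bit_predictor, rng))


if __name__ == "__main__":
    for name, enc in (("OTP", otp_encrypt), ("leaky OTP", leaky_encrypt)):
        print(f"{name}: bit game {bit_win_rate(enc):.3f}, "
              f"IND-CPA via reduction {ind_cpa_win_rate(enc):.3f}")
```

Because M1 is the complement of M0, the plaintext M_b handed to the predictor is uniformly random, exactly the distribution the bit-security game promises it, and B wins whenever A does; this is why the advantage ε carries over unchanged in the proof. The leaky cipher is broken with probability 1 in both games, while the one-time pad holds both at about 0.5.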
Zhijun Li S1034040Autumn08HIT 97
Summary
• Number Theory
– Primes, gcd, Euler's Theorem, CRT
– Modular arithmetic
• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)
• Shannon Security
– Perfect secrecy
– Probability
• Complexity of Computing
– P, NP, NPC, BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
• HTTP URL: http://cs.hit.edu.cn/cryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 84
Complexity of Algorithm
bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n
bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions
f(n)=na aNndash Exponential functions
f(n)=(an) aN and exist bN f(n)=O(bn)
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 85
Complexity of Problem
bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis
bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 86
Classes of Problem
bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem
bull Decidable ndash P ndash can be solved in polynomial time using DTM
bull Example ABndash NP ndash can be solved in polynomial time using NDTM
SB 2S
ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 87
NP Problem
bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution
bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition
bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 88
Polynomial Reduction
bull Definition Assume Q1Q2NP and I1+ and I2
+ are all lsquoyesrsquo instances
Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM
ndash for all x I1+ iff f(x)I2
+
bull Note ndash Q2 is more complexity than Q1
ndash Denoted as Q1polyQ2
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
bull HTTP URL
httpcsthiteducncryptography
bull Due Date
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
- Slide 79
- Slide 80
- Slide 81
- Slide 82
- Slide 83
- Slide 84
- Slide 85
- Slide 86
- Slide 87
- Slide 88
- Slide 89
- Slide 90
- Slide 91
- Slide 92
- Slide 93
- Slide 94
- Slide 95
- Slide 96
- Slide 97
- Slide 98
-
Zhijun Li S1034040Autumn08HIT 89
bull Definition The NPC problem is the Qc for any QNP we have Q polyQc
bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla
uses over Undash Question Is there a satisfying truth assignment for C
bull How to prove a problem Q NPCndash SAT polyQ
NP Completeness (NPC)
Zhijun Li S1034040Autumn08HIT 90
P=NP
bull P=NP or pNPpP
bull If P=NPndash Modern cryptography is NOT secure
bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography
Zhijun Li S1034040Autumn08HIT 91
BPP
bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms
bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future
Zhijun Li S1034040Autumn08HIT 92
Problems in Cryptography
bull FACTORING Factorize n (= p1e1 p2
e2hellippkek)
bull DLP Find x satisfying x (mod p)
bull DHP Find ab (mod p) from a (mod p) and b (mod p)
bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s
bull QRP Decide a is a quadratic residue modulo n
bull SQROOT Find x satisfying x2 a (mod n)
Zhijun Li S1034040Autumn08HIT 93
bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com
plexityndash Leak partial informationndash Approximate perfect secrecy
bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits
Semantic Security
Zhijun Li S1034040Autumn08HIT 94
IND-CPA
bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary
wins the following game with probability of 05 +
Challenger Adversary
picks random k andpicks random b 01isin
picks M0 M1 of equal length
Attacker wins game if b=brsquo
Zhijun Li S1034040Autumn08HIT 95
Bit Secure
bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M
Attacker wins game if a=irsquoth bit of M
3 Picks i
Zhijun Li S1034040Autumn08HIT 96
Semantic Security
bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure
bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security
Zhijun Li S1034040Autumn08HIT 97
Summary
bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic
bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)
bull Shannon Securityndash Perfect secrecyndash Probability
bull Complexity of Computingndash P NP NPC BPP
Zhijun Li S1034040Autumn08HIT 98
Homework
• URL: http://cs.hit.edu.cn/cryptography
• Due Date