Chapter 2 Mathematical Foundations
Cryptography: Application and Practice
Harbin Institute of Technology, School of Computer Science and Technology
Zhijun Li
http://cst.hit.edu.cn/~lizhijun
[email protected]

Zhijun Li S1034040Autumn08HIT 2

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Why Prime Numbers

• Why numbers?
  – Encryption: a mathematical transformation
  – Information: discrete events
  – So: numbers
  – Example: A → 0, B → 1, …, Z → 25
• Why prime numbers?
  – Prime numbers are the foundation of numbers

Divisibility

• Definition: b is divisible by a if and only if a divides b without a remainder (b = ma for some integer m), denoted a|b
  – Example: 3|6, 5|20, -5|25, 3∤8
• Properties
  – a|b, b|c ⇒ a|c
    • Proof: a|b ⇒ b = ma; b|c ⇒ c = nb = mna ⇒ a|c
  – a|b, b|a ⇒ |a| = |b|
  – a|b, a|c ⇒ a|(bx + cy) for all integers x, y
    • Proof

Prime and Composite Numbers

• Definition: an integer p is a prime if p is divisible only by +p, -p, 1 and -1
  – Example: 2, 3, 5, 7, 11, 13, 17, …, 101, …
• Notation: the set of all primes is P
• Definition: an integer n that is not a prime is called a composite number
  – Example: 4, 6, 25, 900, …

Factorizing in Product of Primes

• Theorem (Fundamental Theorem of Arithmetic): for every n ∈ N,
  n = p1^e1 · p2^e2 ⋯ pk^ek (or n = ∏_{p ∈ P} p^e_p),
  where e_p is the exponent of the prime factor p
• Note: the result of the factorization is unique
• Example: 84 = 2 · 2 · 3 · 7 = 2² · 3 · 7

Primes Amount

• Theorem: there are infinitely many primes
• Proof (by contradiction): assume P_max is the largest prime and build the number
  N = P1 · P2 ⋯ P_max + 1
  N cannot be represented as P1^e1 · P2^e2 ⋯ P_max^e_max (every listed prime leaves remainder 1). Therefore N is a new prime, contradicting the assumption.

Primes Density

• π(x) is the function giving the number of primes contained in [1, x]
• π(x) ≈ x / ln(x)
  – Gauss: π(x) ≈ x / ln(x)
  – Legendre: π(x) ≈ x / (ln(x) - 1.08366)
  – Hadamard, de la Vallée-Poussin (prime number theorem): lim_{x→∞} π(x) · ln(x) / x = 1

Greatest Common Divisor

• Definition: the greatest common divisor (GCD) of a and b is the number c with
  c = gcd(a, b) = max{d | d|a, d|b}
• Properties
  – d|n1, d|n2, …, d|nk ⇒ d | gcd(n1, n2, …, nk)
  – gcd(a, b) = gcd(b, a mod b)
    • a mod b = r = a - qb, 0 ≤ r < b
    • Hint: a|b, b|a ⇒ a = b (for positive a, b)
• Definition: if gcd(a, b) = 1 then a and b are relatively prime (coprime)

Finding GCD

• Theorem: if a = ∏_i pi^ai and b = ∏_i pi^bi, then gcd(a, b) = ∏_i pi^min(ai, bi)
• Example
  a = 882 = 2 · 3² · 7²
  b = 3465 = 3² · 5 · 7 · 11
  gcd(a, b) = 3² · 7 = 63
• Complexity
  – Needs the factorization of a and b
  – T(n) = O(c^O(n)), exponential in the bit length n

Euclidean Algorithm Example

gcd(1970, 1066):

1970 = 1 × 1066 + 904    gcd(1066, 904)
1066 = 1 × 904 + 162     gcd(904, 162)
904 = 5 × 162 + 94       gcd(162, 94)
162 = 1 × 94 + 68        gcd(94, 68)
94 = 1 × 68 + 26         gcd(68, 26)
68 = 2 × 26 + 16         gcd(26, 16)
26 = 1 × 16 + 10         gcd(16, 10)
16 = 1 × 10 + 6          gcd(10, 6)
10 = 1 × 6 + 4           gcd(6, 4)
6 = 1 × 4 + 2            gcd(4, 2)
4 = 2 × 2 + 0            gcd(2, 0)

Euclidean Algorithm

• Step 1: r0 = a and r1 = b
• Step 2:
  r0 = q1 · r1 + r2
  r1 = q2 · r2 + r3
  ……
  r_{n-2} = q_{n-1} · r_{n-1} + r_n
  until r_n = 0 and r_{n-1} ≠ 0
• Step 3: r_{n-1} = gcd(a, b)
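The three steps above as a function that also records every division, so the 1970/1066 table of the previous slide can be regenerated and checked. This is an added example, not code from the lecture.

```python
# Added example (not from the lecture slides): the Euclidean algorithm of
# Steps 1-3, returning gcd(a, b) together with the list of division steps.

def euclid_trace(a: int, b: int):
    """Return (gcd(a, b), steps); each step is (r_{i-2}, q_{i-1}, r_{i-1}, r_i)."""
    if a < 0 or b < 0:
        raise ValueError("use non-negative integers")
    r0, r1 = a, b                      # Step 1: r0 = a, r1 = b
    steps = []
    while r1 != 0:                     # Step 2: r_{i-2} = q_{i-1} r_{i-1} + r_i ...
        q, r2 = divmod(r0, r1)
        steps.append((r0, q, r1, r2))
        r0, r1 = r1, r2                # ... until the remainder is 0
    return r0, steps                   # Step 3: the last non-zero remainder is the gcd


def format_trace(a: int, b: int) -> str:
    """Render the divisions in the layout of the worked-example slide."""
    _, steps = euclid_trace(a, b)
    return "\n".join(f"{x} = {q} x {y} + {r}    gcd({y}, {r})"
                     for x, q, y, r in steps)


if __name__ == "__main__":
    g, steps = euclid_trace(1970, 1066)
    print(format_trace(1970, 1066))
    print(f"gcd(1970, 1066) = {g} after {len(steps)} divisions")
```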

Euclidean Algorithm Proof

• r_n = 0 ⇒ r_{n-1} | r_{n-2} ⇒ r_{n-1} | r_{n-3} ⇒ … ⇒ r_{n-1} | a and r_{n-1} | b ⇒ r_{n-1} | gcd(a, b)
• gcd(a, b) | r0 and gcd(a, b) | r1 ⇒ gcd(a, b) | (r0 - q1 · r1) ⇒ gcd(a, b) | r2 ⇒ … ⇒ gcd(a, b) | r_{n-1}
• r_{n-1} | gcd(a, b) and gcd(a, b) | r_{n-1} ⇒ gcd(a, b) = r_{n-1}

Euclidean Algorithm Complexity

• Time complexity
  – Iterations
    • every remainder r_i stays ≥ 1 until the last step; the number of iterations is O(log₂ a)
  – Division
    • each division costs O(log₂² a)
  – T(n) = O(log₂³ n)

Modular Arithmetic

• Why modular arithmetic?
  – Plaintext: an n-bit block such as 01100…0100, one of 2ⁿ values
  – Ciphertext: an n-bit block such as 11010…0111, one of 2ⁿ values
  – Encryption is built from + (addition) and × (multiplication)
• Problems: (1) the set of plaintexts (and ciphertexts) is finite; (2) how to define the +, -, × operations on a finite set

Modular Operation

• Definition: a mod n (the modulo operator) is the remainder when a is divided by n
• a mod n is the r with a = qn + r (0 ≤ r < n)

Congruence Modulo n

• Definition: integers a and b are congruent modulo n
  – if a mod n = b mod n
  – denoted a ≡ b (mod n)
  – Example: 100 ≡ 34 (mod 11)
  – a ≡ b (mod n) ⇔ a = b + kn for some integer k ⇔ n | (a - b)

Congruence Properties

• Properties
  – a ≡ b (mod n), c ≡ d (mod n) ⇒
    a + c ≡ b + d (mod n)
    ac ≡ bd (mod n)
  – Example: 10 ≡ 1 (mod 9), 10² ≡ 1 (mod 9), … hence
    a = a_m · 10^m + … + a_1 · 10 + a_0 ≡ a_m + … + a_1 + a_0 (mod 9)
  – a ≡ b (mod n), d|n ⇒ a ≡ b (mod d)

Congruence Relation

• Congruence is an equivalence relation
  – Reflexive: a ≡ a
  – Symmetric: a ≡ b ⇒ b ≡ a
  – Transitive: a ≡ b, b ≡ c ⇒ a ≡ c
• Equivalence relation ⇒ partition

Example: Integers Modulo 7

• Integers can always be written a = qn + r (0 ≤ r ≤ n - 1)
• (Figure: the integers -21 … 34 laid out in seven columns by their remainder modulo 7; each column is one congruence class)
• Z7: the residues modulo 7

Set of Residues

• Definition: if a ≡ b (mod n) and 0 ≤ b < n, b is called the residue of a modulo n
• The complete set of residues modulo n
  – the set {r1, r2, …, rn} such that for every integer b there is exactly one ri (1 ≤ i ≤ n) with b ≡ ri (mod n)
• The reduced set of residues (RSR)
  – the subset of the complete set of residues whose elements are relatively prime to n

Set of Residues Example

• n = 10
  – The complete set of residues is {0, 1, 2, …, 9}
  – The reduced set of residues is {1, 3, 7, 9}
• n = p (p is a prime)
  – The complete set of residues is {0, 1, 2, …, p - 1}
  – The reduced set of residues is {1, 2, …, p - 1}

Modular Arithmetic

• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n - 1}
• Under normal arithmetic (+, ×)
  – [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • Proof: let a = q1 · n + r1, b = q2 · n + r2
    • (a + b) mod n = (q1 · n + r1 + q2 · n + r2) mod n = (r1 + r2) mod n
  – [(a mod n) × (b mod n)] mod n = (ab) mod n
• (+, ×) ⇒ (-) is defined as well

Modular Arithmetic Example

• (Z8 = {0, 1, 2, …, 7}, +): addition table (omitted in the transcript). What do you observe?

Modular Arithmetic Example

• (Z8 = {0, 1, 2, …, 7}, ×): multiplication table (omitted in the transcript). NOT all elements of Z8 appear in every row.

Modular Arithmetic Remark

• Additive inverse: always exists
  – a + (-a) ≡ 0 (mod n), with -a = n - a
  – if a + b ≡ a + c (mod n) then b ≡ c (mod n)
    • (-a) + a + b ≡ (-a) + a + c (mod n)
• Multiplicative inverse: does NOT always exist
  – Example: 6 in Z8
  – When does it exist?

Multiplicative Inverse in Modular Arithmetic

• Definition: a⁻¹ mod n is the multiplicative inverse of a ∈ {1, 2, …, n - 1}: the x with a · x ≡ 1 (mod n)
• Theorem: a⁻¹ mod n exists if and only if gcd(a, n) = 1
• Lemma: if gcd(a, n) = 1 then a · i ≢ a · j (mod n) for all 0 ≤ i < j < n (i ≠ j)
  – Proof: assume a · i ≡ a · j (mod n) ⇒ n | a(i - j) ⇒ n | (i - j) ⇒ i - j = 0, a contradiction

Multiplicative Inverse Theorem

• Proof
  – (⇐) gcd(a, n) = 1 ⇒ {a · 1, …, a · (n - 1)} mod n is a permutation of {1, …, n - 1}
  – So there exists exactly one i with a · i ≡ 1 (mod n)
  – Therefore i is a⁻¹ mod n
  – (⇒) Suppose a⁻¹ exists; call it x
  – a · x ≡ 1 (mod n), so a · x + y · n = 1 for some integer y
  – gcd(a, n) = 1 (gcd(a, n) | a · x + y · n ⇒ gcd(a, n) | 1)

Euler's phi Function

• Euler's "phi" function φ(n)
  – is the number of invertible elements of Zn
  – is the number of elements in the reduced set of residues modulo n
• φ(n) calculation

Chinese Remainder Theorem

• Theorem: let n1, n2, …, nk be integers such that gcd(ni, nj) = 1 (i ≠ j). The system
  x ≡ a1 (mod n1)
  x ≡ a2 (mod n2)
  ……
  x ≡ ak (mod nk)
  has a unique solution x modulo n = n1 · n2 ⋯ nk

Proof of CRT

• Consider the one-to-one map χ: Zn → Zn1 × Zn2 × … × Znk,
  χ(x) = (x mod n1, x mod n2, …, x mod nk)
  – CRT is to find χ⁻¹(a1, a2, …, ak)
  χ⁻¹(a1, a2, …, ak) = Σ_{i=1}^{k} ai · mi · yi mod n
  – mi = n / ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
  – yi = mi⁻¹ mod ni, 1 ≤ i ≤ k
  – mi ≡ 0 (mod nj) for j ≠ i, so ai · mi · yi ≡ 0 (mod nj) for j ≠ i
  – yj ≡ mj⁻¹ (mod nj), so mj · yj ≡ 1 (mod nj) and aj · mj · yj ≡ aj (mod nj)
  – Hence χ⁻¹(a1, a2, …, ak) mod nj = aj for every j

Finding Euler's phi Function

• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m) · φ(n)
• Proof
  – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – x is relatively prime to mn iff a and b are relatively prime to m and n respectively
  – So φ(mn) = φ(m) · φ(n)

Finding Euler's phi Function

• φ(n) calculation for n = ∏_{i=1}^{k} pi^ei
  – φ(p) = p - 1, φ(p^e) = p^e - p^(e-1)
    – the numbers kp, k = 1, …, p^(e-1) - 1, have gcd(kp, p^e) ≥ p, so they are not coprime to p^e
    – so φ(p^e) = (p^e - 1) - (p^(e-1) - 1) = p^e - p^(e-1)
  – φ(∏_{i=1}^{k} pi^ei) = ∏_{i=1}^{k} (pi^ei - pi^(ei-1))
  – φ(n) = n · (1 - 1/p1)(1 - 1/p2) ⋯ (1 - 1/pk)

Euler's Theorem

• Theorem: if gcd(a, n) = 1 then a^φ(n) ≡ 1 (mod n)
• Proof
  1. Let R = {r1, r2, …, r_φ(n)} be the reduced set of residues modulo n
  2. {a · r1, a · r2, …, a · r_φ(n)} is a permutation of R (since gcd(a · ri, n) = 1)
  3. ∏_{i=1}^{φ(n)} ri ≡ ∏_{i=1}^{φ(n)} a · ri ≡ a^φ(n) · ∏_{i=1}^{φ(n)} ri (mod n)
  4. gcd(∏_{i=1}^{φ(n)} ri, n) = 1, hence a^φ(n) ≡ 1 (mod n)

Fermat's Little Theorem

• From Euler's Theorem: let n = p with p a prime. Because gcd(a, p) = 1 for all 0 < a < p,
  a^(p-1) ≡ 1 (mod p)
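An added example (not from the slides) that computes φ(n) by the three routes the preceding slides describe and then checks Euler's theorem, and Fermat's as the prime case, for every a coprime to n. Trial-division factoring is assumed to be acceptable for the small n used here.

```python
# Added example (not from the slides): phi(n) by counting the reduced set of
# residues, by prod(p^e - p^(e-1)), and by n * prod(1 - 1/p); then a check of
# a^phi(n) = 1 (mod n) for all a with gcd(a, n) = 1.
from math import gcd


def factor(n: int) -> dict:
    """Prime factorisation by trial division, as {p: e}; fine for small n."""
    exps, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            exps[p] = exps.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        exps[n] = exps.get(n, 0) + 1
    return exps


def phi_by_counting(n: int) -> int:
    """|reduced set of residues| = number of invertible elements of Z_n."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def phi_by_prime_powers(n: int) -> int:
    """phi(prod p^e) = prod (p^e - p^(e-1)), using multiplicativity."""
    result = 1
    for p, e in factor(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def phi_by_product_formula(n: int) -> int:
    """phi(n) = n * prod(1 - 1/p), kept in integer arithmetic."""
    result = n
    for p in factor(n):
        result = result // p * (p - 1)
    return result


def euler_theorem_holds(n: int) -> bool:
    """a^phi(n) = 1 (mod n) for every a coprime to n (Fermat when n is prime)."""
    ph = phi_by_prime_powers(n)
    return all(pow(a, ph, n) == 1 for a in range(1, n) if gcd(a, n) == 1)


if __name__ == "__main__":
    for n in (10, 13, 36, 3465):
        print(n, phi_by_counting(n), phi_by_prime_powers(n),
              phi_by_product_formula(n), euler_theorem_holds(n))
```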

Finding a⁻¹ mod n

• Search through 1, …, n - 1 until an a⁻¹ is found with a · a⁻¹ ≡ 1 (mod n)
  – T(n) = O(n)
• Compute a⁻¹ = a^(φ(n) - 1) mod n
  – Finding φ(n) requires factoring n
  – T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)

From Euclidean Algorithm

• r0 = 1 · r0 + 0 · r1 = s0 · r0 + t0 · r1
• r1 = 0 · r0 + 1 · r1 = s1 · r0 + t1 · r1
• r2 = r0 - q1 · r1 = s2 · r0 + t2 · r1
• r3 = r1 - q2 · r2 = r1 - q2(r0 - q1 · r1) = s3 · r0 + t3 · r1
……
• r_{n-1} = s_{n-1} · r0 + t_{n-1} · r1
• r_{n-1} = gcd(r0, r1) = 1 ⇒ s_{n-1} · r0 + t_{n-1} · r1 = 1 ⇒ t_{n-1} · r1 ≡ 1 (mod r0) ⇒ t_{n-1} ≡ r1⁻¹ (mod r0)
• So: find t_{n-1}

s_i and t_i

• r0 = s0 · r0 + t0 · r1, with s0 = 1, t0 = 0
• r1 = s1 · r0 + t1 · r1, with s1 = 0, t1 = 1
……
• ri = r_{i-2} - q_{i-1} · r_{i-1} = s_{i-2} · r0 + t_{i-2} · r1 - q_{i-1} · s_{i-1} · r0 - q_{i-1} · t_{i-1} · r1 = si · r0 + ti · r1
  si = s_{i-2} - q_{i-1} · s_{i-1}
  ti = t_{i-2} - q_{i-1} · t_{i-1}
• Only ti is needed
• ri = si · r0 + ti · r1 ≡ ti · r1 (mod r0)

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a
Step 2:
  r0 = q1 · r1 + r2 ⇒ r2 = r0 - q1 · r1 ≡ -q1 · r1 (mod n); let x2 = -q1, then r2 ≡ x2 · r1 (mod n)
  r1 = q2 · r2 + r3 ⇒ r3 = r1 - q2 · r2 ≡ (1 - x2 · q2) · r1 (mod n); let x3 = 1 - x2 · q2, then r3 ≡ x3 · r1 (mod n)
  ……
  r_{n-3} = q_{n-2} · r_{n-2} + r_{n-1} ⇒ r_{n-1} = r_{n-3} - q_{n-2} · r_{n-2} (mod n); let x_{n-1} = x_{n-3} - x_{n-2} · q_{n-2}, then r_{n-1} ≡ x_{n-1} · r1 (mod n). Now r_{n-1} = 1
Step 3: the result is x_{n-1} = a⁻¹ mod n
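The three methods of the "Finding a⁻¹ mod n" slide side by side, as an added example (not the lecture's code). The extended Euclidean version keeps only the single coefficient sequence x_i of the two slides above; φ(n) in the Euler method is obtained by counting, which stands in for the factoring the slide mentions.

```python
# Added example (not from the slides): a^-1 mod n by exhaustive search, by
# a^(phi(n)-1) mod n, and by the extended Euclidean algorithm with r_0 = n,
# r_1 = a, r_i = x_i * r_1 (mod n), x_i = x_{i-2} - q_{i-1} * x_{i-1}.
from math import gcd


def inverse_by_search(a: int, n: int):
    """O(n): try every candidate x in 1..n-1."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    return None


def inverse_by_euler(a: int, n: int):
    """a^-1 = a^(phi(n)-1) mod n; phi(n) by counting coprime residues."""
    if gcd(a, n) != 1:
        return None
    ph = sum(1 for k in range(1, n) if gcd(k, n) == 1)
    return pow(a, ph - 1, n)


def inverse_by_eea(a: int, n: int):
    """Extended Euclid tracking only the x_i sequence of the slides."""
    r_prev, r_cur = n, a % n          # Step 1: r_0 = n, r_1 = a
    x_prev, x_cur = 0, 1              # r_0 = 0 * a, r_1 = 1 * a   (mod n)
    while r_cur != 0:                 # Step 2: r_{i-2} = q_{i-1} r_{i-1} + r_i
        q, r_next = divmod(r_prev, r_cur)
        x_prev, x_cur = x_cur, x_prev - q * x_cur   # x_i = x_{i-2} - q x_{i-1}
        r_prev, r_cur = r_cur, r_next
    if r_prev != 1:                   # gcd(a, n) != 1: no inverse exists
        return None
    return x_prev % n                 # Step 3: 1 = r_{n-1} = x_{n-1} * a (mod n)


def all_methods_agree(a: int, n: int) -> bool:
    return inverse_by_search(a, n) == inverse_by_euler(a, n) == inverse_by_eea(a, n)


if __name__ == "__main__":
    print(inverse_by_eea(3, 7), inverse_by_eea(6, 8), inverse_by_eea(17, 3120))
```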

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Algebraic Structures

• Why structures?
  – Cryptographic transforms normally operate inside some algebraic structure
• Definition: an algebraic structure is a collection of a set S together with one (or more) operations ∘ performed on the elements of S
  – The different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions

Group

• Definition: a group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S, a ∘ b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S, (a ∘ b) ∘ c = a ∘ (b ∘ c) (associativity)
  – G3: ∃e ∈ S such that ∀a ∈ S, a ∘ e = e ∘ a = a (identity)
  – G4: ∀a ∈ S, ∃a⁻¹ ∈ S such that a ∘ a⁻¹ = a⁻¹ ∘ a = e (inverse)
  – [G5, Abelian group]: ∀a, b, a ∘ b = b ∘ a

Group Example

• ⟨Z, +⟩: e = 0, a⁻¹ = -a
• ⟨Zn, +⟩ (Zn = {0, 1, …, n - 1}, '+' is addition modulo n): e = 0, a⁻¹ = n - a
• ⟨Z2, ⊕⟩ (exclusive OR, i.e. addition modulo 2) is also a group
• ⟨Zp*, ×⟩ (Zp* = {1, …, p - 1}, '×' is multiplication modulo p)

Group Properties

• Definition: the order of a finite group is the number of elements in the group
• Definition: a group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S
• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G

Lagrange Theorem Proof

(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (since e ∈ H, a ∈ aH), so the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of a Group Element

• Definition: the order of a group element a is the least positive integer n such that
  aⁿ = a ∘ a ∘ … ∘ a = e
• The order of a is denoted ord(a)
• Corollary: suppose G is a finite group of order n and a ∈ G; then ord(a) | n

ord(a) | n Proof

• Proof
  – For a group G and a ∈ G, the set {a, a², …, a^ord(a)} with the operator of G forms a subgroup of G:
    a^ord(a) = e, (aⁱ)⁻¹ = a^(ord(a) - i)
  – This subgroup is denoted ⟨a⟩; its order is ord(a), so by Lagrange's theorem ord(a) | n

The Generator of a Group

• Definition: if all elements of a group can be generated by a single element g, g is called a generator of the group
• Example
  – Consider ⟨Z7*, ×⟩
  – 2 generates: 2¹ = 2, 2² = 4, 2³ = 8 ≡ 1 (mod 7), 2⁴ = 16 ≡ 2 (mod 7), …
    • {1, 2, 4} is a subgroup
  – 3 generates: 3¹ = 3, 3² ≡ 2, 3³ ≡ 6, 3⁴ ≡ 4, 3⁵ ≡ 5, 3⁶ ≡ 1, …
    • 3 is a generator
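Orders, generated subgroups and generators of ⟨Z7*, ×⟩ computed rather than read off the slide, as an added example (not the lecture's code). The modulus is assumed prime in the test values; the functions also accept any modulus together with an element coprime to it.

```python
# Added example (not from the slides): ord(a) in <Z_p^*, x>, the subgroup <a>
# = {a, a^2, ..., a^ord(a)}, the Lagrange check ord(a) | p-1, and generators.
from math import gcd


def element_order(a: int, p: int) -> int:
    """Least n >= 1 with a^n = 1 (mod p); a must be a unit modulo p."""
    if gcd(a, p) != 1:
        raise ValueError(f"{a} is not invertible modulo {p}")
    n, power = 1, a % p
    while power != 1:
        power = (power * a) % p
        n += 1
    return n


def generated_subgroup(a: int, p: int) -> list:
    """<a> listed as on the slide: a, a^2, ..., ending with a^ord(a) = 1."""
    return [pow(a, i, p) for i in range(1, element_order(a, p) + 1)]


def lagrange_holds(p: int) -> bool:
    """For prime p: ord(a) divides |Z_p^*| = p - 1 for every a."""
    return all((p - 1) % element_order(a, p) == 0 for a in range(1, p))


def generators(p: int) -> list:
    """Elements of Z_p^* whose subgroup is the whole group."""
    return [a for a in range(1, p) if element_order(a, p) == p - 1]


if __name__ == "__main__":
    print(generated_subgroup(2, 7), generated_subgroup(3, 7), generators(7))
```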

Ring

• Definition: a ring R = ⟨S, +, ×⟩ (+ is addition, × is multiplication) such that
  – R1: ∀a, b ∈ S, a + b ∈ S and a × b ∈ S (closure rule)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: ∀a, b, c ∈ S, (a × b) × c = a × (b × c)
  – R4: ∀a, b, c ∈ S, a × (b + c) = a × b + a × c
• Example
  – The set of even integers with + and × is a ring
  – For two primes p, q and n = pq, Zn = {0, 1, …, n - 1} with addition and multiplication mod n is a ring

Field

• Definition: a field F is ⟨S, +, ×⟩ with
  – F1: ⟨S, +, ×⟩ is a commutative ring (ab = ba)
  – F2: there exists an identity element 1 with respect to multiplication: a × 1 = 1 × a = a
  – F3: any nonzero element a ∈ S has a unique inverse a⁻¹: a × a⁻¹ = a⁻¹ × a = 1
• Example
  – Zn = ⟨{0, 1, …, n - 1}, +, ×⟩ is a field if n is a prime

Relationship

(Figure: nested structures)
  Group: +, -
  Ring: +, -, ×
  Field: +, -, ×, ÷
These structures are the ones used in cryptography.

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F_{2ⁿ}

Zn

• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n - 1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z26 for the English alphabet
  – Z256 for ASCII bytes

Zn Properties

• Additive and multiplicative identities in Zn
  – The additive identity is 0 mod n
  – The multiplicative identity is 1 mod n
• Additive inverse: yes
  – For every x in Zn there is a number y such that x + y = 0
• Multiplicative inverse: not for all x
  – A number y such that xy = 1 exists only for some x in Zn
  – The elements of Zn that have an inverse are {x | gcd(x, n) = 1}

Zn*

• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20: 3, 5 ∈ Zn*, but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field

Zp

• Zp is the "field" of integers modulo a prime p
  – Zp = {0, 1, 2, …, p - 1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2

  Addition (XOR)      Multiplication (AND)
  + | 0 1             × | 0 1
  0 | 0 1             0 | 0 0
  1 | 1 0             1 | 0 1

  w   -w   w⁻¹
  0    0   (none)
  1    1    1

Polynomial Ring

• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an · xⁿ + a_{n-1} · x^(n-1) + … + a1 · x + a0, where each ai ∈ R and n ≥ 0
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: let f(x) = x³ + x + 1 and g(x) = x² + x be elements of Z2[x]
  – f(x) + g(x) = x³ + x² + 1
  – f(x) - g(x) = f(x) + g(x) = x³ + x² + 1
  – f(x) · g(x) = x⁵ + x⁴ + x³ + x

Set of Residues Modulo p(x)

• Definition: the set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]_p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent mod p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) - b(x))
• Example
  – In Z5[x]: 3x³ + 4x + 4 ≡ x + 4 (mod x² + 1)
    • 3x³ + 4x + 4 - (x + 4) = 3x³ + 3x = 3x(x² + 1)
• Definition: if a(x) · b(x) ≡ 1 (mod p(x)) then b(x) = a⁻¹(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x) · b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 1 ≤ deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]_{x³+x+1}

• S = {0, 1, x, x + 1, x², x² + 1, x² + x, x² + x + 1}
• p(x) = x³ + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
  – x⁴ + 1 = x · x³ + 1 ≡ x(x + 1) + 1 = x² + x + 1 (mod p(x))
• Note: when p(x) is irreducible, R[x]_p(x) is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]_{x³+x+1} Properties

• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x² + 1) + (x² + 1) = 0
• S (without 0) is a group over multiplication mod p(x)
  – 1 is e, and every a ∈ S, a ≠ 0, has an inverse
  – Example: (x² + 1) · x = x³ + x ≡ (x + 1) + x = 1 (mod x³ + x + 1)
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]_{x³+x+1} is a field

Galois Field

• Definition: a Galois field is (S, +, ×) where
  – S = F[x]_p(x)
  – F is a field ZN (N is prime)
  – + is addition in F, × is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over ZN[x]_p(x) is denoted GF(Nⁿ) where n = deg p(x)

Why Galois Field

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for Z256?
  – Yes: the Galois field

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x⁷ + 0·x⁶ + 0·x⁵ + 1·x⁴ + 0·x³ + 1·x² + 1·x¹ + 1·x⁰
• The field is Z2[x]_p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2ⁿ)

Galois Field Example: AES

• Bytes in AES use GF(2⁸) = Z2[x]_p(x) where p(x) = x⁸ + x⁴ + x³ + x + 1
• Example
  – 01010011 ↔ x⁶ + x⁴ + x + 1
  – (01010011)⁻¹ ↔ (x⁶ + x⁴ + x + 1)⁻¹ mod p(x) = x⁷ + x⁶ + x³ + x ↔ 11001010

Galois Field Example: AES

• Example: 02 · 87 = ?
  • 87 = 10000111 ↔ f(x) = x⁷ + x² + x + 1
  • 02 = 00000010 ↔ x
  • 02 · 87 ↔ x · f(x) = x(x⁷ + x² + x + 1) mod p(x) = x⁸ + x(x² + x + 1) mod p(x)
• In general, for f = (b7 b6 b5 b4 b3 b2 b1 b0), multiplication by 02 is
  x · f(x) ↔ (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
  x · f(x) ↔ (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)     if b7 = 1
  (because x⁸ ≡ x⁴ + x³ + x + 1 ↔ 00011011 (mod p(x)))
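The polynomial arithmetic of the last several slides (Z2[x] multiplication, reduction modulo p(x), the AES multiply-by-02 rule, and inverses in Z2[x]_p(x)) implemented over bit-packed integers, as an added example that is not the lecture's code and uses no AES library. It reproduces the slides' values: f(x)·g(x) for x³+x+1 and x²+x, x⁴+1 mod x³+x+1, (x²+1)⁻¹ in Z2[x]_{x³+x+1}, 02·87 and (01010011)⁻¹ in the AES field.

```python
# Added example (not from the slides): binary polynomials as Python ints
# (bit i is the coefficient of x^i) with Z_2[x] multiplication, reduction
# modulo p(x), the AES xtime rule (shift, XOR 00011011 when b7 = 1) and
# inverses found by search in the finite field.

AES_POLY = 0b1_0001_1011        # p(x) = x^8 + x^4 + x^3 + x + 1


def degree(f: int) -> int:
    return f.bit_length() - 1   # degree(0) = -1 by convention


def poly_mul(f: int, g: int) -> int:
    """Multiply in Z_2[x] without reduction (carry-less multiplication)."""
    result = 0
    while g:
        if g & 1:
            result ^= f
        f <<= 1
        g >>= 1
    return result


def poly_mod(f: int, p: int) -> int:
    """Remainder of f(x) divided by p(x) in Z_2[x]: cancel the top term each round."""
    while degree(f) >= degree(p):
        f ^= p << (degree(f) - degree(p))
    return f


def gf_mul(f: int, g: int, p: int = AES_POLY) -> int:
    """Multiplication in Z_2[x]_p(x); with p = AES_POLY this is GF(2^8) of AES."""
    return poly_mod(poly_mul(f, g), p)


def xtime(f: int) -> int:
    """AES multiplication of a byte by 02: shift left, XOR 00011011 if b7 was 1."""
    f <<= 1
    return (f ^ AES_POLY) & 0xFF if f & 0x100 else f


def gf_inverse(f: int, p: int = AES_POLY) -> int:
    """Search for g with f(x) g(x) = 1 (mod p(x)); 0 has no inverse."""
    if f == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    for g in range(1, 1 << degree(p)):
        if gf_mul(f, g, p) == 1:
            return g
    raise ValueError("no inverse: p(x) is not irreducible")


if __name__ == "__main__":
    print(f"02 * 87 = {gf_mul(0x02, 0x87):02x}, inverse of 53 = {gf_inverse(0x53):02x}")
```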

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai | i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi | i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = {c | c = ek(m), k ∈ K, m ∈ M}

(Figure: Sender → Encryption (m ↦ c) → Decryption → Receiver; the key k reaches both ends over a secure channel; cryptanalysis observes c; Key Space (K), Message Space (P), Ciphertext Space (C))

Claude Shannon (1916–2001)

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." (R. G. Gallager)

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = dk(c)]
  – C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = (Pr(m) · Σ_{k | m = dk(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(dk(c)))

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define "information"?
• Definition: an encryption scheme is Shannon secure if, for the probability distribution of P,
  ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y

Proof of ⇐ (the two conditions imply perfect secrecy)

• Pr[x | y] = (Σ_{k ∈ K, x = dk(y)} Pr[K = k] · Pr[P = x]) / (Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[P = dk(y)])
• Numerator: Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K|, since exactly one key maps x to y
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[P = dk(y)] = (1/|K|) · Σ_{k ∈ K, y ∈ C(k)} Pr[P = dk(y)] = (1/|K|) · Σ_{x ∈ P} Pr[P = x] = 1/|K|
• Hence Pr[x | y] = Pr[x]

Proof of ⇒ (perfect secrecy implies a unique key)

• Pr[y] > 0; Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P and y ∈ C: Pr[y | x] = Pr[y] > 0, thus there exists at least one k with ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
  – so there are no k1 ≠ k2 with ek1(x) = ek2(x)
  – there is a unique key k such that ek(x) = y

Proof of ⇒ (perfect secrecy implies equiprobable keys)

• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with eki(xi) = y
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – every key is used with the same probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a probability distribution on P that is nonzero everywhere
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
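An added example (not the lecture's code) that evaluates Pr[P = m | C = c] with the formula of the "Probability Distribution of C" slide and tests the perfect-secrecy definition on a constructed 2-bit XOR cipher: uniform keys over all of Z2² pass, while a key space smaller than the message space (the "bad news" theorem) and a biased key distribution (the theorem's first condition) both fail.

```python
# Added example (not from the slides): exact posterior Pr[P = m | C = c]
# and a perfect-secrecy check.  Spaces are 2-bit values (constructed toy
# spaces), e_k(m) = m XOR k, and probabilities are exact Fractions.
from fractions import Fraction


def posterior(msg_dist, key_dist, enc):
    """Return {(m, c): Pr[P = m | C = c]} for every ciphertext that can occur."""
    pr_c = {}                                  # Pr[C = c] = sum_k Pr[k] Pr[d_k(c)]
    for k, pk in key_dist.items():
        for m, pm in msg_dist.items():
            c = enc(k, m)
            pr_c[c] = pr_c.get(c, Fraction(0)) + pk * pm
    post = {}
    for m, pm in msg_dist.items():
        for c, pc in pr_c.items():
            # Pr[C = c | P = m] = sum of Pr[k] over the keys with e_k(m) = c
            pr_c_given_m = sum((pk for k, pk in key_dist.items() if enc(k, m) == c),
                               Fraction(0))
            post[(m, c)] = pr_c_given_m * pm / pc      # Bayes, as on the slide
    return post


def is_perfectly_secret(msg_dist, key_dist, enc) -> bool:
    """Pr[P = m | C = c] = Pr[P = m] for every m and every possible c."""
    post = posterior(msg_dist, key_dist, enc)
    return all(post[(m, c)] == msg_dist[m] for (m, c) in post)


def xor_cipher(k, m):
    return k ^ m


# Constructed distributions: a skewed plaintext distribution over {0, 1, 2, 3}.
MSG_DIST = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
FULL_KEYS = {k: Fraction(1, 4) for k in range(4)}      # one-time pad on 2 bits
HALF_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 2)}      # |K| = 2 < |P| = 4
BIASED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}

if __name__ == "__main__":
    print("uniform keys:", is_perfectly_secret(MSG_DIST, FULL_KEYS, xor_cipher))
    print("two keys    :", is_perfectly_secret(MSG_DIST, HALF_KEYS, xor_cipher))
    print("biased keys :", is_perfectly_secret(MSG_DIST, BIASED_KEYS, xor_cipher))
```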

Introduction of Complexity

• Perfect secrecy ⇒ key length ≥ message length
  – One key can NOT be used to encrypt many messages
  – For example, a 56-bit key cannot encrypt a document (> 56 bits) with perfect secrecy
• So in modern cryptography
  – NOT perfect secrecy
  – but secure under limited resources (complexity)
  – meaning that key (or plaintext) recovery is difficult
  – complexity is the foundation of modern cryptography

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: a Turing Machine is a transition function δ: S × B → S × B × {l, r}
  – where S is the set of states, B the tape characters, l is shift left, r is shift right

(Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a head that is driven by the state machine)

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms

(Figure: a PROBLEM has INSTANCES; an instance is the Input of an ALGORITHM, whose Output is the answer)

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(aⁿ) for some a ∈ N, and there exists b ∈ N with f(n) = O(bⁿ)

Complexity of Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing halting problem
• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: computing A · B
  – NP: can be solved in polynomial time using an NDTM, δ: S × B → 2^(S × B × {l, r})
  – BPP: can be "solved" in polynomial time using a PTM, δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)

NP Problem

• NP: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", by intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: assume Q1, Q2 ∈ NP, and let I1⁺ and I2⁺ be their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1⁺ iff f(x) ∈ I2⁺
• Note
  – Q2 is at least as complex as Q1
  – Denoted Q1 ≤poly Q2

NP Completeness (NPC)

• Definition: an NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC?
  – Show SAT ≤poly Q

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem is solved with some error probability
  – The error probability can be reduced by repetition
  – The security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: factorize n (= p1^e1 · p2^e2 ⋯ pk^ek)
• DLP: find x satisfying g^x ≡ y (mod p)
• DHP: find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x² ≡ a (mod n)

Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game
  Challenger: picks a random k and a random b ∈ {0, 1}
  Adversary: picks M0, M1 of equal length and sends them
  Challenger: returns the challenge ciphertext C = E(k, Mb)
  Adversary: outputs a guess b'
  The attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game
  Challenger: 1. picks a random k; 2. picks a random M; sends C = E(k, M)
  Adversary: 3. picks i and outputs a guess a
  The attacker wins the game if a = the i-th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
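The reduction of that proof sketch run on a constructed 4-bit toy cipher, as an added example (not the lecture's code): the IND-CPA attacker picks M1 as M0 with one bit j flipped, hands the challenge ciphertext to the bit attacker, and turns its bit guess into b'. Both games are enumerated over all coins, so the winning probabilities are exact; the "leaky" variant of the XOR cipher leaves bit 0 unmasked, which is what gives the bit attacker its advantage.

```python
# Added example (not from the slides): bit-security game, IND-CPA game and the
# reduction between them, enumerated exhaustively over a 4-bit XOR cipher.
# leaky=True forces key bit 0 to 0, so bit 0 of M is visible in C.
from fractions import Fraction
from itertools import product

BITS = 4
SPACE = range(1 << BITS)


def enc(k, m, leaky):
    return m ^ (k & ~1 if leaky else k)


def bit_attacker(c):
    """Bit-security adversary: always picks i = 0 and answers with bit 0 of C."""
    return 0, c & 1


def bit_game_win_prob(leaky) -> Fraction:
    """Pr[a = i-th bit of M] over uniform k and M (the Bit Secure slide's game)."""
    wins = Fraction(0)
    for k, m in product(SPACE, SPACE):
        i, a = bit_attacker(enc(k, m, leaky))
        wins += (m >> i) & 1 == a
    return wins / (len(SPACE) ** 2)


def reduction_guess(j, c):
    """IND-CPA attacker built from the bit attacker: it chose M1 = M0 with bit j
    flipped; returns its guess for bit j of M_b, or None when the bit attacker
    answered about a different bit and a coin flip is all that is left."""
    i, a = bit_attacker(c)
    return a if i == j else None


def ind_cpa_win_prob(leaky) -> Fraction:
    """Pr[b' = b] over uniform k, b, M0 and the reduction's choice of j."""
    wins = Fraction(0)
    total = 0
    for k, b, m0, j in product(SPACE, (0, 1), SPACE, range(BITS)):
        m1 = m0 ^ (1 << j)                    # equal length, differs only in bit j
        c = enc(k, m1 if b else m0, leaky)    # the challenger's ciphertext
        guess = reduction_guess(j, c)
        if guess is None:
            wins += Fraction(1, 2)            # a random b' is right half the time
        else:
            b_prime = 1 if guess == (m1 >> j) & 1 else 0   # bit j of M1 iff b = 1
            wins += b_prime == b
        total += 1
    return wins / total


if __name__ == "__main__":
    for leaky in (True, False):
        print(leaky, bit_game_win_prob(leaky), ind_cpa_win_prob(leaky))
```

Against the leaky cipher the bit attacker wins its game with probability 1, and the reduction wins IND-CPA with 1/2 + 1/(2·BITS) = 5/8, so the cipher is neither bit secure nor IND-CPA secure; against the proper XOR cipher both probabilities are exactly 1/2.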

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2ⁿ)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• URL: http://cst.hit.edu.cn/cryptography
• Due date:


Zhijun Li S1034040Autumn08HIT 2

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 3

Why Prime Numbers

bull Why numbersndash Encryption Mathematical Transformationndash Information Discrete eventsndash So Numbersndash Example A0 B1 hellip Z25

bull Why prime numbersndash Prime numbers is the foundation of numbers

Zhijun Li S1034040Autumn08HIT 4

Divisibility

bull Definition b is divisible by a if and only if a divides b without a remainder (or b=ma) denoted as a|bndash Example 3|6 5|20 -5|25 3|8

bull Properties ndash a|b b|c a|c

bull Proof a|bb=ma b|cc=nb=mna a|c

ndash a|b b|a |a|=|b|ndash a|b a|c a|bxcy

bull Proof

Zhijun Li S1034040Autumn08HIT 5

Prime and Composite Numbers

bull Definition An integer p is a prime if p is divisible only by +p-p1 and -1ndash Example 2357111317hellip101hellip

bull Denotation The set of all primes is P

bull Definition An integer n that is not a prime is called a composite numberndash Example 4625900hellip

Zhijun Li S1034040Autumn08HIT 6

Factorizing in Product of Primes

• Theorem (Fundamental Theorem of Arithmetic): every n ∈ N can be written as
  $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ (or $n = \prod_{p \in P} p^{e_p}$),
  where e_p is the exponent of the prime factor p
• Note: the result of the factorization is unique
• Example: 84 = 2 · 2 · 3 · 7

Zhijun Li S1034040Autumn08HIT 7

Primes Amount

• Theorem: there are infinitely many primes
• Proof (by contradiction): assume P_max is the largest prime and build the number
  N = P_1 · P_2 · … · P_max + 1
  N cannot be represented as $P_1^{e_1} P_2^{e_2} \cdots P_{max}^{e_{max}}$ (every P_i leaves remainder 1 when dividing N), therefore N is a new prime (or has a prime factor not in the list), contradicting the assumption

Zhijun Li S1034040Autumn08HIT 8

Primes Density

• π(x) is the function giving the number of primes contained in ⟨1, x⟩
• π(x) ≈ x / ln(x)
• Gauss: π(x) ≈ x / ln(x)
• Legendre: π(x) ≈ x / (ln(x) − 1.08366)
• Hadamard, de la Vallée-Poussin:
  $\lim_{x \to \infty} \frac{\pi(x) \ln(x)}{x} = 1$

Zhijun Li S1034040Autumn08HIT 9

Greatest Common Divisor

• Definition: the greatest common divisor (GCD) is the number c with
  c = gcd(a, b) = max{d | d|a, d|b}
• Properties
  – d|n1, d|n2, …, d|nk ⇒ d | gcd(n1, n2, …, nk)
  – gcd(a, b) = gcd(b, a mod b)
    • a mod b = r = a − qb, 0 ≤ r < b
    • Hint: a|b, b|a ⇒ a = b
• Definition: if gcd(a, b) = 1 then a and b are relatively prime (coprime)

Zhijun Li S1034040Autumn08HIT 10

Finding GCD

• Theorem: if $a = \prod_i p_i^{a_i}$ and $b = \prod_i p_i^{b_i}$ then
  $\gcd(a, b) = \prod_i p_i^{\min(a_i, b_i)}$
• Example
  a = 882 = 2 · 3² · 7²
  b = 3465 = 3² · 5 · 7 · 11
  gcd(a, b) = 3² · 7 = 63
• Complexity
  – needs the factorization of a and b
  – T(n) = O(c^{O(n)})

Zhijun Li S1034040Autumn08HIT 11

Euclidean Algorithm Example

GCD(1970, 1066):
  1970 = 1 × 1066 + 904    gcd(1066, 904)
  1066 = 1 × 904 + 162     gcd(904, 162)
  904 = 5 × 162 + 94       gcd(162, 94)
  162 = 1 × 94 + 68        gcd(94, 68)
  94 = 1 × 68 + 26         gcd(68, 26)
  68 = 2 × 26 + 16         gcd(26, 16)
  26 = 1 × 16 + 10         gcd(16, 10)
  16 = 1 × 10 + 6          gcd(10, 6)
  10 = 1 × 6 + 4           gcd(6, 4)
  6 = 1 × 4 + 2            gcd(4, 2)
  4 = 2 × 2 + 0            gcd(2, 0) = 2

Zhijun Li S1034040Autumn08HIT 12

Euclidean Algorithm

• Step 1: r0 = a and r1 = b
• Step 2: r0 = q1·r1 + r2
          r1 = q2·r2 + r3
          ……
          r_{n−2} = q_{n−1}·r_{n−1} + r_n
  until r_n = 0 and r_{n−1} ≠ 0
• Step 3: r_{n−1} = gcd(a, b)

Zhijun Li S1034040Autumn08HIT 13

Euclidean Algorithm Proof

• r_n = 0 ⇒ r_{n−1} | r_{n−2} ⇒ r_{n−1} | r_{n−3} ⇒ … ⇒ r_{n−1} | a and r_{n−1} | b ⇒ r_{n−1} | gcd(a, b)
• gcd(a, b) | r0 and gcd(a, b) | r1 ⇒ gcd(a, b) | r0 − q1·r1 ⇒ gcd(a, b) | r2 ⇒ … ⇒ gcd(a, b) | r_{n−1}
• r_{n−1} | gcd(a, b) and gcd(a, b) | r_{n−1} ⇒ gcd(a, b) = r_{n−1}

Zhijun Li S1034040Autumn08HIT 14

Euclidean Algorithm Complexity

• Time complexity
  – Iterations
    • each r_i > 1; number of iterations = O(log₂ a)
  – Division
    • O(log₂² a)
  – T(n) = O(log₂³ n)

Zhijun Li S1034040Autumn08HIT 15

Modular Arithmetic

• Why modular arithmetic?
  Plaintext 01100…0100 (2ⁿ possible values) → Ciphertext 11010…0111 (2ⁿ possible values)
  + addition, × multiplication
  Problems: 1. the set of plaintexts (and ciphertexts) is finite; 2. how to define the +, −, × operations on a finite set?

Zhijun Li S1034040Autumn08HIT 16

Modular Operation

• Definition: a mod n (modulo operator) is the remainder when a is divided by n
• a mod n is r ⟺ a = qn + r (0 ≤ r < n)

Zhijun Li S1034040Autumn08HIT 17

Congruence Modulo n

• Definition: integers a and b are congruent modulo n
  – if a mod n = b mod n
  – denoted as a ≡ b mod n
  – Example: 100 ≡ 34 mod 11
  – a ≡ b mod n ⟺ a = b + kn ⟺ n | (a − b)

Zhijun Li S1034040Autumn08HIT 18

Congruence Properties

• Properties
  – a ≡ b (mod n), c ≡ d (mod n) ⇒
    a + c ≡ b + d (mod n)
    ac ≡ bd (mod n)
  – Example: 10 ≡ 1 mod 9, 10² ≡ 1 mod 9, …
    a = a_m·10^m + … + a_1·10 + a_0 ≡ a_m + … + a_1 + a_0 mod 9
  – a ≡ b (mod n), d | n ⇒ a ≡ b (mod d)

Zhijun Li S1034040Autumn08HIT 19

Congruence Relation

• The congruence relation is an equivalence relation
  – Reflexive: a ≡ a
  – Symmetric: a ≡ b ⇒ b ≡ a
  – Transitive: a ≡ b, b ≡ c ⇒ a ≡ c
• Equivalence relation ⇒ partition

Zhijun Li S1034040Autumn08HIT 20

Example Integers Modulo 7

• Integers can always be written as a = qn + r (0 ≤ r ≤ n−1)
  (figure: the integers −21 … 34 arranged in seven columns by congruence class)
  Z7: residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

• Definition: if a ≡ b mod n and b < n, b is called a residue of a modulo n
• The complete set of residues modulo n
  – the set {r1, r2, …, rn} such that for every integer b exactly one r_i in the set satisfies b ≡ r_i mod n
• The reduced set of residues (RSR)
  – a subset of the complete set of residues in which each element is relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues Example

• N = 10
  – the complete set of residues is {0, 1, 2, …, 9}
  – the reduced set of residues is {1, 3, 7, 9}
• N = p (p is a prime)
  – the complete set of residues is {0, 1, 2, …, p−1}
  – the reduced set of residues is {1, 2, …, p−1}

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n−1}
• Under normal arithmetic (+, ×)
  – [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • Proof: let a = q1·n + r1, b = q2·n + r2
    • (a + b) mod n = (q1·n + r1 + q2·n + r2) mod n = (r1 + r2) mod n
  – [(a mod n) × (b mod n)] mod n = (ab) mod n
• (+, ×) ⇒ (−, ÷)?

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Example

• (Z8 = {0, 1, 2, …, 7}, +)
  (figure: addition table of Z8, not reproduced)

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Example

• (Z8 = {0, 1, 2, …, 7}, ×)
  (figure: multiplication table of Z8, not reproduced; callout on the table: NOT all elements in Z8)

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

• Additive inverse always exists
  – (a + (−a)) ≡ 0 mod n, −a = n − a
  – if (a + b) ≡ (a + c) mod n then b ≡ c mod n
    • ((−a) + a + b) ≡ ((−a) + a + c) mod n
• Multiplicative inverse does NOT always exist
  – Example: 6 in Z8
  – When does it exist?

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular Arithmetic

• Definition: a⁻¹ mod n is the multiplicative inverse of a ∈ {1, 2, …, n−1} when a·x ≡ 1 mod n
• Theorem: a⁻¹ mod n exists if and only if gcd(a, n) = 1
• Lemma: if gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
  – Proof: assume a·i ≡ a·j mod n ⇒ n | a(i − j) ⇒ n | (i − j) ⇒ i − j = 0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

• Proof
  – (⇐) gcd(a, n) = 1 ⇒ a·{1, …, n−1} mod n is a permutation of {1, …, n−1}
  – So there exists exactly one i with a·i ≡ 1 mod n
  – Therefore i is a⁻¹ mod n
  – (⇒) Suppose a⁻¹ exists, call it x
  – a·x ≡ 1 (mod n) ⇒ a·x + y·n = 1 for some integer y
  – gcd(a, n) = 1 (gcd(a, n) | a·x + y·n ⇒ gcd(a, n) | 1)

Zhijun Li S1034040Autumn08HIT 29

Euler's phi Function

• Euler's "phi" function φ(n)
  – is the number of invertible elements of Zn
  – is the number of elements in the reduced set of residues modulo n
• φ(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

• Theorem: let n1, n2, …, nk be integers s.t. gcd(ni, nj) = 1 (i ≠ j). The system
  x ≡ a1 mod n1
  x ≡ a2 mod n2
  ……
  x ≡ ak mod nk
  has a unique solution x modulo n = n1·n2·…·nk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

• Consider the one-to-one map Zn → Zn1 × Zn2 × … × Znk,
  x ↦ (x mod n1, x mod n2, …, x mod nk)
  – CRT is finding the inverse map (a1, a2, …, ak) ↦ x:
    $x = \sum_{i=1}^{k} a_i m_i y_i \bmod n$
  – m_i = n / n_i, gcd(m_i, n_i) = 1, 1 ≤ i ≤ k
  – y_i = m_i⁻¹ mod n_i, 1 ≤ i ≤ k
  – m_i ≡ 0 mod n_j for j ≠ i ⇒ a_i m_i y_i ≡ 0 mod n_j for j ≠ i
  – y_j ≡ m_j⁻¹ mod n_j ⇒ m_j y_j ≡ 1 mod n_j ⇒ a_j m_j y_j ≡ a_j mod n_j
  ⇒ x mod n_j = a_j for every j

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof
  – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – So φ(mn) = φ(m)·φ(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

• φ(n) calculation for $n = \prod_{i=1}^{k} p_i^{e_i}$
  – φ(p) = p − 1, φ(p^e) = p^e − p^{e−1}
    – the numbers kp with k = 1, …, p^{e−1} − 1 have gcd(kp, p^e) = p
    – so φ(p^e) = (p^e − 1) − (p^{e−1} − 1)
  – $\phi\left(\prod_{i=1}^{k} p_i^{e_i}\right) = \prod_{i=1}^{k} \left(p_i^{e_i} - p_i^{e_i - 1}\right)$
  – φ(n) = n (1 − 1/p1)(1 − 1/p2)…(1 − 1/pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

• Theorem: if gcd(a, n) = 1 then a^{φ(n)} ≡ 1 mod n
• Proof
  1. Let R = {r1, r2, …, r_{φ(n)}} be the reduced set of residues modulo n
  2. {a·r1, a·r2, …, a·r_{φ(n)}} is a permutation of R (gcd(a·r_i, n) = 1)
  3. $\prod_{i=1}^{\phi(n)} r_i \equiv \prod_{i=1}^{\phi(n)} a r_i \equiv a^{\phi(n)} \prod_{i=1}^{\phi(n)} r_i \pmod{n}$
  4. $\gcd\left(\prod_{i=1}^{\phi(n)} r_i, n\right) = 1$, hence a^{φ(n)} ≡ 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

• From Euler's Theorem:
  let n = p with p a prime;
  because for all 0 < a < p, gcd(a, p) = 1, then
  a^{p−1} ≡ 1 mod p

Zhijun Li S1034040Autumn08HIT 36

Finding a⁻¹ mod n

• Search through 1, …, n−1 until an a⁻¹ is found such that a·a⁻¹ ≡ 1 (mod n)
  – T(n) = O(n)
• Compute a⁻¹ = a^{φ(n)−1} mod n
  – finding φ(n) requires factoring n
  – T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2(r0 − q1·r1) = s3·r0 + t3·r1
  ……
• r_{n−1} = s_{n−1}·r0 + t_{n−1}·r1
• r_{n−1} = gcd(r0, r1)
• If s_{n−1}·r0 + t_{n−1}·r1 = 1 then t_{n−1}·r1 ≡ 1 mod r0, so t_{n−1} ≡ r1⁻¹ mod r0
• Find t_{n−1}

Zhijun Li S1034040Autumn08HIT 38

si and ti

• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
  ……
• r_i = r_{i−2} − q_{i−1}·r_{i−1} = s_{i−2}·r0 + t_{i−2}·r1 − q_{i−1}·s_{i−1}·r0 − q_{i−1}·t_{i−1}·r1 = s_i·r0 + t_i·r1
  s_i = s_{i−2} − q_{i−1}·s_{i−1}
  t_i = t_{i−2} − q_{i−1}·t_{i−1}
• Only t_i is needed
• r_i = s_i·r0 + t_i·r1 ≡ t_i·r1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a
Step 2: r0 = q1·r1 + r2 ⇒ r2 = r0 − q1·r1 ≡ −q1·r1 mod n; let x2 = −q1, then r2 ≡ x2·r1 mod n
        r1 = q2·r2 + r3 ⇒ r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 mod n; let x3 = 1 − x2·q2, then r3 ≡ x3·r1 mod n
        ……
        r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1} ⇒ r_{n−1} = r_{n−3} − q_{n−2}·r_{n−2} mod n; let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r1 mod n. Now r_{n−1} = 1
Step 3: the result is x_{n−1} ≡ a⁻¹ mod n (since 1 = r_{n−1} ≡ x_{n−1}·a mod n)
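The remainder sequence of slides 11 to 14 and the s_i/t_i bookkeeping of slides 37 to 39, as an added Python example that is not part of the lecture slides; the function names are mine, and mod_inverse follows slide 39 by starting from r0 = n, r1 = a.

```python
# Added example (not from the slides): the Euclidean algorithm recorded step by
# step, and its extended form that carries the coefficients (s_i, t_i) with
# r_i = s_i * r0 + t_i * r1, so that t_{n-1} * r1 = gcd(r0, r1) mod r0.


def euclid_steps(a, b):
    """Return the division steps (r_{i-2}, q_{i-1}, r_{i-1}, r_i) of slide 12.

    r0 = a, r1 = b, and r_{i-2} = q_{i-1} * r_{i-1} + r_i until the remainder is 0.
    """
    r_prev, r = a, b
    steps = []
    while r != 0:
        q, rem = divmod(r_prev, r)
        steps.append((r_prev, q, r, rem))
        r_prev, r = r, rem
    return steps


def gcd(a, b):
    """gcd(a, b) = r_{n-1}, the last nonzero remainder (slide 12, step 3)."""
    steps = euclid_steps(a, b)
    return steps[-1][2] if steps else a


def ext_gcd(r0, r1):
    """Return (g, s, t) with s*r0 + t*r1 = g = gcd(r0, r1).

    Uses the recurrences of slide 38:
      s_i = s_{i-2} - q_{i-1} * s_{i-1},   t_i = t_{i-2} - q_{i-1} * t_{i-1}
    starting from (s0, t0) = (1, 0) and (s1, t1) = (0, 1).
    """
    s_prev, t_prev = 1, 0  # coefficients of r_{i-1}
    s, t = 0, 1            # coefficients of r_i
    while r1 != 0:
        q, rem = divmod(r0, r1)
        r0, r1 = r1, rem
        s_prev, s = s, s_prev - q * s
        t_prev, t = t, t_prev - q * t
    return r0, s_prev, t_prev


def mod_inverse(a, n):
    """a^{-1} mod n via the extended algorithm with r0 = n, r1 = a (slide 39).

    Raises ValueError when gcd(a, n) != 1, i.e. when no inverse exists (slide 27).
    """
    g, _, t = ext_gcd(n, a % n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd is {g}")
    return t % n


if __name__ == "__main__":
    for r_prev, q, r, rem in euclid_steps(1970, 1066):   # the slide-11 example
        print(f"{r_prev} = {q} x {r} + {rem}")
    print("gcd(1970, 1066) =", gcd(1970, 1066))
    print("3^-1 mod 7 =", mod_inverse(3, 7))
```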

Zhijun Li S1034040Autumn08HIT 40

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 41

Algebraic Structures

• Why structures?
  – Cryptographic transforms are normally defined in some structure
• Definition: an algebraic structure is the collection of a set (S) with one (or more) operations (∘) performed on the elements of S
  – Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions

Zhijun Li S1034040Autumn08HIT 42

Group

• Definition: a group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S: a∘b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S: (a∘b)∘c = a∘(b∘c)
  – G3: ∃e ∈ S, ∀a ∈ S: a∘e = e∘a = a
  – G4: ∀a ∈ S, ∃a⁻¹ ∈ S: a∘a⁻¹ = a⁻¹∘a = e
  – [G5, Abelian group] ∀a, b: a∘b = b∘a

Zhijun Li S1034040Autumn08HIT 43

Group Example

• ⟨Z, +⟩: e = 0, a⁻¹ = −a
• ⟨Zn, +⟩ (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a⁻¹ = n − a
• ⟨Z2, ⊕⟩ is also a group
• ⟨Zp*, ×⟩ (Zp* = {1, …, p−1}, '×' is multiplication modulo p)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

• Definition: the order of a finite group is the number of elements in the group
• Definition: a group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S
• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH since e ∈ H), so the cosets form a partition of G
(4) the order of aH = the order of H
So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

• Definition: the order of a group element a is defined as the least positive integer n such that
  aⁿ = a∘a∘…∘a = e
• The order of a is denoted as ord(a)
• Corollary: suppose G is a finite group whose order is n and a ∈ G, then ord(a) | n

Zhijun Li S1034040Autumn08HIT 47

ord(a) | n Proof

• Proof
  – For a group G and a ∈ G, the set {a, a², …, a^{ord(a)}} with the operator of G forms a subgroup of G:
    a^{ord(a)} = e, (a^i)⁻¹ = a^{ord(a)−i}
  – This subgroup is denoted as ⟨a⟩
  – Its order is ord(a), so by Lagrange's Theorem ord(a) | n

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

• Definition: if all elements of a group can be generated by a single element g, g is called the generator of the group
• Example
  – Consider ⟨Z7*, ×⟩
  – 2 generates 2¹ = 2, 2² = 4, 2³ = 8 ≡ 1 mod 7, 2⁴ = 16 ≡ 2 mod 7, …
    • ⟨{1, 2, 4}⟩ is a subgroup
  – 3 generates 3¹ = 3, 3² ≡ 2, 3³ ≡ 6, 3⁴ ≡ 4, 3⁵ ≡ 5, 3⁶ ≡ 1, …
    • 3 is a generator

Zhijun Li S1034040Autumn08HIT 49

Ring

• Definition: a ring R = ⟨S, +, ×⟩ (+ is addition, × is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a × b ∈ S (closure rule)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a × b) × c = a × (b × c)
  – R4: ∀a, b, c ∈ S: a × (b + c) = a × b + a × c
• Example
  – The set of even integers with + and × is a ring
  – p, q two primes, n = pq: Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

• Definition: a field F is ⟨S, +, ×⟩ with
  – F1: ⟨S, +, ×⟩ is a commutative ring (a × b = b × a)
  – F2: there exists an identity element 1 with respect to multiplication: a × 1 = 1 × a = a
  – F3: any nonzero element a ∈ S has its unique inverse a⁻¹: a × a⁻¹ = a⁻¹ × a = 1
• Example
  – Zn = ⟨{0, 1, …, n−1}, +, ×⟩ is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Relationship

(figure, nested structures, rendered as text)
  Group: +, −
  Ring: +, −, ×
  Field: +, −, ×, ÷
  Used in cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F_{2ⁿ}

Zhijun Li S1034040Autumn08HIT 53

Zn

• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – normal addition modulo n
  – normal multiplication modulo n
• Example
  – Z26 for English
  – Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

• Additive and multiplicative identities in Zn
  – the additive identity is 0 mod n
  – the multiplicative identity is 1 mod n
• Additive inverse: yes
  – for every x in Zn there is a y such that x + y = 0
• Multiplicative inverse: not for all x
  – a y such that x·y = 1 does not exist for every x in Zn
  – the elements of Zn that have an inverse are {x | gcd(x, n) = 1}

Zhijun Li S1034040Autumn08HIT 55

Zn*

• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field

Zhijun Li S1034040Autumn08HIT 56

Zp

• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p−1}
  – normal addition modulo p
  – normal multiplication modulo p
• Example: Z2

  +  | 0  1        ×  | 0  1        w | −w | w⁻¹
  ---+------       ---+------       --+----+----
  0  | 0  1        0  | 0  0        0 | 0  | none
  1  | 1  0        1  | 0  1        1 | 1  | 1

  addition is XOR, multiplication is AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

• Definition: if R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x) = a_n xⁿ + a_{n−1} x^{n−1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

• Example: let f(x) = x³ + x + 1 and g(x) = x² + x be elements of Z2[x]
  – f(x) + g(x) = x³ + x² + 1
  – f(x) − g(x) = f(x) + g(x) = x³ + x² + 1
  – f(x)·g(x) = x⁵ + x⁴ + x³ + x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

• Definition: the set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
  – Z5[x]: 3x³ + 4x + 4 ≡ x + 4 mod x² + 1
    • 3x³ + 4x + 4 − (x + 4) = 3x³ + 3x = 3x(x² + 1)
• Definition: if a(x)·b(x) ≡ 1 mod p(x) then b(x) = a⁻¹(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted as b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) and b(x) | a(x)

Zhijun Li S1034040Autumn08HIT 62

Example: Z2[x]/(x³ + x + 1)

• S = {0, 1, x, x + 1, x², x² + 1, x² + x, x² + x + 1}
• p(x) = x³ + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
  – x⁴ + 1 = x·x³ + 1 mod p(x) = x(x + 1) + 1 = x² + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Zhijun Li S1034040Autumn08HIT 63

Z2[x]/(x³ + x + 1) Properties

• S is a group over addition in R
  – 0 is e and the inverse of a ∈ S is a itself
  – Example: (x² + 1) + (x² + 1) = 0
• The nonzero elements of S form a group over multiplication mod p(x)
  – 1 is e and the inverse of every such a ∈ S exists
  – Example: (x² + 1)·x = x³ + x ≡ x + 1 + x mod x³ + x + 1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x³ + x + 1) is a field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

• Definition: Galois field = (S, +, ×)
  – S = F[x]/p(x)
  – F is the field Z_N (N is prime)
  – + is addition in F, × is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted as GF(Nⁿ) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • the largest prime < 256 is 251
    • 251 … 255 are wasted
• Is it possible to find a field for Z256?
  – Yes: the Galois field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x⁷ + 0·x⁶ + 0·x⁵ + 1·x⁴ + 0·x³ + 1·x² + 1·x¹ + 1·x⁰
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2ⁿ)

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

• AES uses GF(2⁸) = Z2[x]/p(x) where p(x) = x⁸ + x⁴ + x³ + x + 1
• Example
  – 01010011 ↔ x⁶ + x⁴ + x + 1
  – (01010011)⁻¹ ↔ (x⁶ + x⁴ + x + 1)⁻¹ mod p(x) = x⁷ + x⁶ + x³ + x ↔ 11001010

Zhijun Li S1034040Autumn08HIT 68

Galois Field Example: AES

• Example: 02 · 87 = ?
  • 87 = 10000111 ↔ f(x) = x⁷ + x² + x + 1
  • 02 = 00000010 ↔ x
  • 02 · 87 ↔ x·f(x) = x(x⁷ + x² + x + 1) mod p(x) = x⁸ + x(x² + x + 1) mod p(x)
• In general, for f = (b7 b6 b5 b4 b3 b2 b1 b0), multiplying by 02:
  x·f(x) ↔ (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
  x·f(x) ↔ (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1
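An added Python example, not part of the lecture slides, of arithmetic in GF(2ⁿ) = Z2[x]/p(x) with polynomials stored as integers (bit i is the coefficient of x^i); it reproduces the Z2[x]/(x³ + x + 1) example of slides 62 and 63 and the AES-field examples of slides 67 and 68, and the xtime rule is the b7 test of slide 68. The function names and constants are mine.

```python
# Added example (not from the slides): GF(2^n) arithmetic on integer-encoded
# polynomials, checked against the slides' worked values.

AES_POLY = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1 (slide 67)
SMALL_POLY = 0b1011        # x^3 + x + 1 (slide 62)


def poly_str(a):
    """Render an integer-encoded polynomial, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    terms = [("1" if i == 0 else "x" if i == 1 else f"x^{i}")
             for i in range(a.bit_length() - 1, -1, -1) if a >> i & 1]
    return " + ".join(terms) if terms else "0"


def gf_add(a, b):
    """Addition in Z2[x] is coefficient-wise XOR; subtraction is the same (slide 58)."""
    return a ^ b


def gf_mod(a, poly):
    """Reduce a modulo poly by cancelling the leading term until deg a < deg poly."""
    deg = poly.bit_length() - 1
    while a.bit_length() - 1 >= deg:
        a ^= poly << (a.bit_length() - 1 - deg)
    return a


def gf_mul(a, b, poly):
    """Multiply two elements of Z2[x]/p(x): shift-and-add in Z2[x], then reduce."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        b >>= 1
    return gf_mod(product, poly)


def xtime(a):
    """Multiply an AES byte by x (the constant 02) with the rule of slide 68:
    shift left, and if the dropped bit b7 was 1, XOR with 00011011."""
    a <<= 1
    if a & 0x100:
        a = (a ^ 0x1B) & 0xFF
    return a


def gf_inverse(a, poly):
    """a^{-1} = a^{2^n - 2}: the nonzero elements form a group of order 2^n - 1,
    so a^{2^n - 1} = 1 (Euler's theorem in GF(2^n), n = deg p(x))."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    n = poly.bit_length() - 1
    exp, result, base = (1 << n) - 2, 1, a
    while exp:                      # square-and-multiply
        if exp & 1:
            result = gf_mul(result, base, poly)
        base = gf_mul(base, base, poly)
        exp >>= 1
    return result


if __name__ == "__main__":
    print("(x^2+1) * x mod x^3+x+1 =", poly_str(gf_mul(0b101, 0b010, SMALL_POLY)))
    inv = gf_inverse(0x53, AES_POLY)
    print(f"(01010011)^-1 = {inv:08b} = {poly_str(inv)}")   # 11001010
    print(f"02 * 87 = {xtime(0x87):02x}")                    # 15 = x^4 + x^2 + 1
```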

Zhijun Li S1034040Autumn08HIT 69

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, $\sum_{i=1}^{N} p(a_i) = 1$
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, $\sum_{i=1}^{S} p(b_i) = 1$
• C = {c | c = e_k(m), k ∈ K, m ∈ M}
(figure: Sender → Encryption → c → Decryption → Receiver; the key k is delivered over a secure channel; cryptanalysis observes c; Key Space (K), Message Space (P), Ciphertext Space (C))

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
  R. G. Gallager

Claude Shannon, 1916–2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\; c \in C(k)} \Pr[K = k] \Pr[P = d_k(c)]$
  – C(k) = {e_k(m) | m ∈ P}
• $\Pr[C = c \mid P = m] = \sum_{k \in K,\; m = d_k(c)} \Pr[K = k]$
• $\Pr[P = m \mid C = c] = \frac{\Pr[C = c \mid P = m] \Pr[P = m]}{\Pr[C = c]} = \frac{\Pr(m) \sum_{k \mid m = d_k(c)} \Pr(k)}{\sum_{k \in K,\; c \in C(k)} \Pr(k) \Pr(d_k(c))}$

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: an encryption scheme is Shannon secure if, for the probability distribution of P,
  ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of ⇐ (the two conditions imply perfect secrecy)

• $\Pr[X = x \mid Y = y] = \frac{\sum_{k \in K,\; x = d_k(y)} \Pr[K = k] \Pr[X = x]}{\sum_{k \in K,\; y \in C(k)} \Pr[K = k] \Pr[X = d_k(y)]}$
• $\sum_{k \in K,\; x = d_k(y)} \Pr[K = k] = \frac{1}{|K|}$ (exactly one key maps x to y)
• $\sum_{k \in K,\; y \in C(k)} \Pr[K = k] \Pr[X = d_k(y)] = \frac{1}{|K|} \sum_{k \in K,\; y \in C(k)} \Pr[X = d_k(y)] = \frac{1}{|K|} \sum_{x \in P} \Pr[X = x] = \frac{1}{|K|}$
• Hence Pr[X = x | Y = y] = Pr[X = x]

Zhijun Li S1034040Autumn08HIT 76

Proof of ⇒ (perfect secrecy implies a unique key)

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
• For fixed x ∈ P, y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
  – there are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – there is a unique key k such that e_k(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of ⇒ (perfect secrecy implies equiprobable keys)

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Given a fixed y, assume k1, k2, …, kn are the keys with e_{ki}(xi) = y
• Pr[xi | y] = Pr[y | xi]·Pr[xi] / Pr[y] = Pr[K = ki]·Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – every key is used with equal probability 1/|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
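The posterior Pr[P = m | C = c] of slide 72 and the perfect-secrecy test of slide 73, evaluated by brute force for a tiny shift cipher over Z_n, as an added Python example that is not part of the lecture slides; the cipher, the key and message distributions, and the helper names are constructed here for illustration. Exact rational arithmetic is used so equality can be tested, and the last check in the usage below is the |K| ≥ n "bad news" of slide 78.

```python
# Added example (not from the slides): computing Pr[C = c] and Pr[P = m | C = c]
# for a shift cipher c = m + k mod n under given key and message distributions.
from fractions import Fraction
from itertools import product


def make_dist(weights):
    """Turn integer weights {x: w} into a probability distribution {x: Fraction}."""
    total = sum(weights.values())
    return {x: Fraction(w, total) for x, w in weights.items()}


def uniform_keys(n):
    """Every key k in Z_n used with probability 1/|K| = 1/n."""
    return make_dist({k: 1 for k in range(n)})


def shift_encrypt(k, m, n):
    return (m + k) % n


def shift_decrypt(k, c, n):
    return (c - k) % n


def ciphertext_distribution(n, key_dist, msg_dist):
    """Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] Pr[P = m] (slide 72)."""
    pr_c = {c: Fraction(0) for c in range(n)}
    for k, m in product(key_dist, msg_dist):
        pr_c[shift_encrypt(k, m, n)] += key_dist[k] * msg_dist[m]
    return pr_c


def posterior(n, key_dist, msg_dist, m, c):
    """Pr[P = m | C = c] = Pr[C = c | P = m] Pr[P = m] / Pr[C = c] (slide 72).

    Pr[C = c | P = m] is the total probability of the keys k with d_k(c) = m.
    Returns None when Pr[C = c] = 0 (the posterior is undefined).
    """
    pr_c_given_m = sum((p for k, p in key_dist.items() if shift_decrypt(k, c, n) == m),
                       Fraction(0))
    pr_c = ciphertext_distribution(n, key_dist, msg_dist)[c]
    return pr_c_given_m * msg_dist[m] / pr_c if pr_c else None


def is_perfectly_secret(n, key_dist, msg_dist):
    """Shannon secure (slide 73): Pr[P = m | C = c] = Pr[P = m] for all m and
    all c with Pr[C = c] > 0."""
    for c in range(n):
        for m in msg_dist:
            post = posterior(n, key_dist, msg_dist, m, c)
            if post is not None and post != msg_dist[m]:
                return False
    return True


if __name__ == "__main__":
    n = 5
    msgs = make_dist({0: 3, 1: 2, 2: 1})                 # Pr[m] = 1/2, 1/3, 1/6
    print("uniform keys:", is_perfectly_secret(n, uniform_keys(n), msgs))        # True
    biased = make_dist({0: 4, 1: 1, 2: 1, 3: 1, 4: 1})   # key 0 chosen half the time
    print("biased keys: ", is_perfectly_secret(n, biased, msgs))                 # False
    print("Pr[P=0 | C=0] with biased keys =", posterior(n, biased, msgs, 0, 0))  # 4/5
    few_keys = make_dist({0: 1, 1: 1, 2: 1})             # |K| = 3 < |P| = 5
    print("3 keys, 5 messages:", is_perfectly_secret(n, few_keys, uniform_keys(n)))  # False
```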

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

• Perfect secrecy: key length ≥ message length
  – can NOT use one key to encrypt many messages
  – e.g. using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – but secure under limited resources (complexity)
  – meaning that key (or plaintext) recovery is difficult
  – complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Zhijun Li S1034040Autumn08HIT 81

Turing Machine

• Definition: a Turing Machine is δ: S × B → S × B × {l, r}
  – where S is the set of states, B the set of characters, l is shift left, r is shift right
(figure: tape … 0 1 1 0 0 0 1 1 … read by a state machine)

Zhijun Li S1034040Autumn08HIT 82

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Zhijun Li S1034040Autumn08HIT 83

Problems and Algorithms

(figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output)

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(aⁿ) for some a ∈ N, and there exists b ∈ N with f(n) = O(bⁿ)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – the complexity of a problem is much more difficult to determine
  – it relies on mathematical analysis
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

• Undecidable: provably intractable
  – there is no algorithm that solves it
  – e.g. the Turing Halting Problem
• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: A × B
  – NP: can be solved in polynomial time using an NDTM (transition S × B → 2^{S × B × {l, r}})
  – BPP: can be "solved" in polynomial time using a PTM (transition S × B × {0, 1} → S × B × {l, r}, the extra input being a random bit; randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

• NP ⊇ P: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult" by intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: assume Q1, Q2 ∈ NP and I1⁺ and I2⁺ are their 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1⁺ iff f(x) ∈ I2⁺
• Note
  – Q2 is at least as complex as Q1
  – denoted as Q1 ≤_poly Q2

Zhijun Li S1034040Autumn08HIT 89

NP Completeness (NPC)

• Definition: an NPC problem is a Qc ∈ NP such that for any Q ∈ NP we have Q ≤_poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC?
  – SAT ≤_poly Q

Zhijun Li S1034040Autumn08HIT 90

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P
• If P = NP
  – modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
  – a one-way function can be built based on p
  – indistinguishable pseudorandom functions exist
  – these are the foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

• There are randomized algorithms in cryptography
  – especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – the problem can be solved with some error probability
  – the error probability can be reduced by repetition
  – the security of cryptography is meaningful under BPP
  – will be analyzed in depth later

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: factorize $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$
• DLP: given a generator g, find x satisfying g^x ≡ y (mod p)
• DHP: find g^{ab} (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x² ≡ a (mod n)

Zhijun Li S1034040Autumn08HIT 93

Semantic Security

• Ideas of semantic security
  – between Shannon security and security based on complexity
  – leaks partial information
  – approximates perfect secrecy
• Definition of semantic security
  – indistinguishability of ciphertexts
  – difficult to distinguish the ciphertexts of different plaintexts
  – difficult to distinguish ciphertext from random bits

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
  Game (Challenger vs Adversary):
    Challenger picks a random k and a random b ∈ {0, 1}
    Adversary picks M0, M1 of equal length
    (figure: the challenger returns c = e_k(M_b) and the adversary answers with a guess b')
  The attacker wins the game if b = b'

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
  Game (Challenger vs Adversary):
    1. Challenger picks a random k
    2. Challenger picks a random M
    3. Adversary picks i
  The attacker wins the game if its answer a = the i'th bit of M

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
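A simulation of the IND-CPA game of slide 94 against two toy ciphers, as an added Python example that is not part of the lecture slides; the ciphers, the message choice and the helper names are constructed here. The "fixed pad" cipher reuses one key for every message, so an adversary that first asks for the encryption of M0 (its chosen-plaintext query) recognises the challenge ciphertext and wins every round; with a fresh random pad per message the same adversary has no advantage, which is the indistinguishability idea of slide 93.

```python
# Added example (not from the slides): the IND-CPA game against a deterministic
# key-reusing cipher and against a one-time pad, with a seeded RNG so the
# outcome is reproducible.
import random

BLOCK = 8  # message length in bytes for this toy game


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def random_block(rng):
    return bytes(rng.getrandbits(8) for _ in range(BLOCK))


class FixedPadCipher:
    """Deterministic: c = m XOR k with the same k every time (fails IND-CPA)."""

    def __init__(self, rng):
        self.key = random_block(rng)

    def encrypt(self, m):
        return xor_bytes(m, self.key)


class OneTimePadCipher:
    """c = m XOR pad with a fresh uniformly random pad for every message."""

    def __init__(self, rng):
        self.rng = rng

    def encrypt(self, m):
        return xor_bytes(m, random_block(self.rng))


def ind_cpa_round(cipher, rng):
    """One round of the slide-94 game; returns True if the adversary wins (b' = b)."""
    m0, m1 = bytes(BLOCK), b"\xff" * BLOCK        # adversary's two equal-length messages
    probe = cipher.encrypt(m0)                     # chosen-plaintext query before the challenge
    b = rng.randrange(2)                           # challenger's secret bit
    challenge = cipher.encrypt(m1 if b else m0)    # c = e_k(M_b)
    b_guess = 0 if challenge == probe else 1       # equal ciphertexts reveal that M0 was used
    return b_guess == b


def win_rate(cipher_factory, rounds=400, seed=1):
    """Fraction of rounds the adversary wins; 0.5 means no advantage (ε = 0)."""
    rng = random.Random(seed)
    cipher = cipher_factory(rng)
    wins = sum(ind_cpa_round(cipher, rng) for _ in range(rounds))
    return wins / rounds


if __name__ == "__main__":
    print("fixed pad, key reused:", win_rate(FixedPadCipher))     # 1.0
    print("one-time pad:         ", win_rate(OneTimePadCipher))   # about 0.5
```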

Zhijun Li S1034040Autumn08HIT 97

Summary

• Number Theory
  – primes, gcd, Euler's Theorem, CRT
  – modular arithmetic
• Algebraic Structures
  – group, field
  – Zn, Zp, GF(2ⁿ)
• Shannon Security
  – perfect secrecy
  – probability
• Complexity of Computing
  – P, NP, NPC, BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due date:


Zhijun Li S1034040Autumn08HIT 3

Why Prime Numbers

bull Why numbersndash Encryption Mathematical Transformationndash Information Discrete eventsndash So Numbersndash Example A0 B1 hellip Z25

bull Why prime numbersndash Prime numbers is the foundation of numbers

Zhijun Li S1034040Autumn08HIT 4

Divisibility

bull Definition b is divisible by a if and only if a divides b without a remainder (or b=ma) denoted as a|bndash Example 3|6 5|20 -5|25 3|8

bull Properties ndash a|b b|c a|c

bull Proof a|bb=ma b|cc=nb=mna a|c

ndash a|b b|a |a|=|b|ndash a|b a|c a|bxcy

bull Proof

Zhijun Li S1034040Autumn08HIT 5

Prime and Composite Numbers

bull Definition An integer p is a prime if p is divisible only by +p-p1 and -1ndash Example 2357111317hellip101hellip

bull Denotation The set of all primes is P

bull Definition An integer n that is not a prime is called a composite numberndash Example 4625900hellip

Zhijun Li S1034040Autumn08HIT 6

bull Theorem(Fundamental Theorem of Arithmetic)

nN n= p1e1 p2

e2hellippkek ( or piP pei)

where ep is the exponent of the prime factor p

bull Note the result of factorization is uniquebull Example 84=2237

Factorizing in Product of Primes

Zhijun Li S1034040Autumn08HIT 7

Primes Amount

bull Theorem There are infinitely many primes

bull Proof (by contradiction) Assume Pmax build a number N is

N=P1P2hellipPmax+1

N can not be represented as P1e

1 P2e

2 hellip Pmaxe

max Therefore N is a new prime

Zhijun Li S1034040Autumn08HIT 8

Primes Density

(x) is a function gives the number of all primes contained in lt1xgt

(x)xln(x)

bull Gauss (x)xln(x)bull Legendre (x)x(ln(x)-108366) bull Hadamard de la Vallee-Poussion

((x)ln(x)x)x = 1

Zhijun Li S1034040Autumn08HIT 9

Greatest Common Divisor

bull Definition the greatest common divisor(GCD) is the number c

c=gcd(ab)=maxd|d|ad|bbull Properties

ndash d|n1d|n2hellipd|nk d|gcd(n1n2hellipnk)ndash gcd(ab) = gcd(b a mod b)

bull a mod b = r = a-qb 0ltrltb bull Hint a|b b|a a = b

bull Definition if gcd(ab)=1 then a and b are relatively prime(coprime)

Zhijun Li S1034040Autumn08HIT 10

Finding GCD

bull Theorem a=i pi

ai b=i pi

bi

gcd(ab)= i pi

min(ai bi)

bull Example

a=882=2 32 72

b=3465=33 5 7 11

gcd(ab)= 32 7 = 63

bull Complexityndash Need factoring the a and b ndash T(n) = O(cO(n))

Zhijun Li S1034040Autumn08HIT 11

Euclidean Algorithm Example

1970 = 1 x 1066 + 904 gcd(1066 904)1066 = 1 x 904 + 162 gcd(904 162)904 = 5 x 162 + 94 gcd(162 94)162 = 1 x 94 + 68 gcd(94 68)94 = 1 x 68 + 26 gcd(68 26)68 = 2 x 26 + 16 gcd(26 16)26 = 1 x 16 + 10 gcd(16 10)16 = 1 x 10 + 6 gcd(10 6)10 = 1 x 6 + 4 gcd(6 4)6 = 1 x 4 + 2 gcd(4 2)4 = 2 x 2 + 0 gcd(2 0)

GCD(19701066)

Zhijun Li S1034040Autumn08HIT 12

Euclidean Algorithm

bull Step 1 r0 =a and r1 =b

bull Step 2 r0 =q1r1+ r2

r1 =q2r2+ r3

helliphellip

rn-2 = qn-1rn-1+ rn

until rn=0 and rn-1 0

bull Step 3 rn-1 = gcd(ab)

Zhijun Li S1034040Autumn08HIT 13

Euclidean Algorithm Proof

• r_n = 0 ⇒ r_{n−1} | r_{n−2} ⇒ r_{n−1} | r_{n−3} ⇒ … ⇒ r_{n−1} | a and r_{n−1} | b ⇒ r_{n−1} | gcd(a, b)

• gcd(a, b) | r0 and gcd(a, b) | r1 ⇒ gcd(a, b) | r0 − q1·r1 = r2 ⇒ … ⇒ gcd(a, b) | r_{n−1}

• r_{n−1} | gcd(a, b) and gcd(a, b) | r_{n−1} ⇒ gcd(a, b) = r_{n−1}

Euclidean Algorithm Complexity

• Time complexity
  – Iterations: every two steps the remainder at least halves (r_{i+2} < r_i / 2), so the number of iterations is O(log2 a)
  – Division: each division costs O(log2^2 a) bit operations
  – T(n) = O(log2^3 n), i.e. polynomial in the bit length

Modular Arithmetic

• Why modular arithmetic?

  Plaintext   01100…0100   (n-bit block, 2^n possible values)
  Ciphertext  11010…0111   (n-bit block, 2^n possible values)
  + addition, · multiplication

  Problems: 1. the set of plaintexts (and ciphertexts) is finite; 2. how to define the +, −, × operations on a finite set?

Modular Operation

• Definition: a mod n (the modulo operator) is the remainder when a is divided by n

• a mod n = r where a = q·n + r and 0 ≤ r < n

Congruence Modulo n

• Definition: integers a and b are congruent modulo n
  – if a mod n = b mod n
  – denoted a ≡ b (mod n)
  – Example: 100 ≡ 34 (mod 11), since 100 = 9 · 11 + 1 and 34 = 3 · 11 + 1
  – a ≡ b (mod n) ⇔ a = b + k·n for some integer k ⇔ n | (a − b)

Congruence Properties

• Properties
  – a ≡ b (mod n), c ≡ d (mod n) ⇒
    a + c ≡ b + d (mod n)
    a·c ≡ b·d (mod n)
  – Example: 10 ≡ 1 (mod 9), 10^2 ≡ 1 (mod 9), …
    a = a_m·10^m + … + a_1·10 + a_0 ≡ a_m + … + a_1 + a_0 (mod 9)
  – a ≡ b (mod n), d | n ⇒ a ≡ b (mod d)

Congruence Relation

• Congruence is an equivalence relation
  – Reflexive: a ≡ a
  – Symmetric: a ≡ b ⇒ b ≡ a
  – Transitive: a ≡ b, b ≡ c ⇒ a ≡ c

• An equivalence relation induces a partition (here: of the integers into n residue classes)

Example: Integers Modulo 7

• Every integer can be written a = q·n + r (0 ≤ r ≤ n − 1)
• (Figure: the integers −21 … 34 arranged in seven columns; each column is one congruence class modulo 7.)
• Z7: the residues modulo 7 are {0, 1, 2, 3, 4, 5, 6}

Set of Residues

• Definition: if a ≡ b (mod n) and 0 ≤ b < n, b is called the residue of a modulo n

• The complete set of residues modulo n
  – A set {r1, r2, …, rn} such that for every integer b exactly one r_i in the set satisfies b ≡ r_i (mod n)

• The reduced set of residues (RSR)
  – The subset of the complete set of residues whose elements are relatively prime to n

Set of Residues Example

• n = 10
  – The complete set of residues is {0, 1, 2, …, 9}
  – The reduced set of residues is {1, 3, 7, 9}

• n = p (p a prime)
  – The complete set of residues is {0, 1, 2, …, p−1}
  – The reduced set of residues is {1, 2, …, p−1}

Modular Arithmetic

• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n−1}

• It is compatible with ordinary arithmetic (+, ·)
  – [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • Proof: let a = q1·n + r1, b = q2·n + r2
    • (a + b) mod n = (q1·n + r1 + q2·n + r2) mod n = (r1 + r2) mod n
  – [(a mod n) · (b mod n)] mod n = (a·b) mod n
  – The same holds for subtraction (−)

Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, +): (the addition table is not in the transcript) What do you observe? Every row contains every element of Z8 exactly once.

Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, ·): (the multiplication table is not in the transcript) NOT every row contains all elements of Z8

Modular Arithmetic Remark

• Additive inverse: always exists
  – a + (−a) ≡ 0 (mod n), with −a = n − a
  – if a + b ≡ a + c (mod n) then b ≡ c (mod n)
    • because (−a) + a + b ≡ (−a) + a + c (mod n)

• Multiplicative inverse: does NOT always exist
  – Example: 6 in Z8 (6·x mod 8 is always even, so it is never 1)
  – When does it exist?

Multiplicative Inverse in Modular Arithmetic

• Definition: a^{-1} mod n is the multiplicative inverse of a ∈ {1, 2, …, n−1} when a · a^{-1} ≡ 1 (mod n)

• Theorem: a^{-1} mod n exists if and only if gcd(a, n) = 1

• Lemma: if gcd(a, n) = 1 then a·i ≢ a·j (mod n) for all 0 ≤ i < j < n
  – Proof: assume a·i ≡ a·j (mod n) ⇒ n | a·(i − j) ⇒ n | (i − j) (since gcd(a, n) = 1) ⇒ i − j = 0, contradicting i < j

Multiplicative Inverse Theorem

• Proof
  – (⇐) gcd(a, n) = 1 ⇒ a·{1, …, n−1} mod n is a permutation of {1, …, n−1} (distinct by the lemma, and never 0 since n ∤ a·i)
  – So there exists exactly one i with a·i ≡ 1 (mod n)
  – Therefore i is a^{-1} mod n

  – (⇒) Suppose a^{-1} exists; call it x
  – a·x ≡ 1 (mod n), so a·x + y·n = 1 for some integer y
  – gcd(a, n) = 1, because gcd(a, n) | a·x + y·n ⇒ gcd(a, n) | 1

Euler's phi Function

• Euler's "phi" function φ(n)
  – is the number of invertible elements of Zn
  – is the number of elements in the reduced set of residues modulo n

• How is φ(n) calculated?

Chinese Remainder Theorem

• Theorem: let n1, n2, …, nk be integers such that gcd(ni, nj) = 1 for i ≠ j. The system

  x ≡ a1 (mod n1)
  x ≡ a2 (mod n2)
  ……
  x ≡ ak (mod nk)

  has a unique solution x modulo n = n1 · n2 · … · nk

Proof of CRT

• Consider the one-to-one map χ: Zn → Z_{n1} × Z_{n2} × … × Z_{nk}

  χ(x) = (x mod n1, x mod n2, …, x mod nk)

  – The CRT asks for χ^{-1}(a1, a2, …, ak)

  χ^{-1}(a1, a2, …, ak) = ∑_{i=1}^{k} a_i · m_i · y_i mod n

  – m_i = n / n_i, with gcd(m_i, n_i) = 1 for 1 ≤ i ≤ k
  – y_i = m_i^{-1} mod n_i for 1 ≤ i ≤ k
  – m_i ≡ 0 (mod n_j) for j ≠ i ⇒ a_i · m_i · y_i ≡ 0 (mod n_j) for j ≠ i
  – y_j = m_j^{-1} mod n_j ⇒ m_j · y_j ≡ 1 (mod n_j) ⇒ a_j · m_j · y_j ≡ a_j (mod n_j)
  – Hence χ^{-1}(a1, a2, …, ak) mod n_j = a_j for every j
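The constructive formula from the proof (m_i = n / n_i, y_i = m_i^{-1} mod n_i, x = ∑ a_i·m_i·y_i mod n), as an added Python example that is not part of the slides. The modular inverse uses Python 3.8+'s `pow(a, -1, n)`; `check_bijection` verifies by enumeration that the map χ is one-to-one on Z_n, which is what makes the solution unique. Function names are this example's own.

```python
"""Chinese Remainder Theorem, constructive form from the proof on the slides:
x = sum_i a_i * m_i * y_i mod n, with m_i = n / n_i and y_i = m_i^{-1} mod n_i."""

from functools import reduce
from math import gcd


def mod_inverse(a: int, n: int) -> int:
    """Multiplicative inverse of a modulo n (exists iff gcd(a, n) == 1); Python 3.8+ pow()."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return pow(a, -1, n)


def crt(residues, moduli) -> int:
    """Solve x = a_i (mod n_i) for pairwise coprime n_i; return the unique x in [0, n)."""
    if len(residues) != len(moduli):
        raise ValueError("residues and moduli must have the same length")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    n = reduce(lambda x, y: x * y, moduli, 1)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i                 # m_i = n / n_i, hence m_i = 0 (mod n_j) for j != i
        y_i = mod_inverse(m_i, n_i)    # y_i = m_i^{-1} mod n_i, hence m_i * y_i = 1 (mod n_i)
        x = (x + a_i * m_i * y_i) % n
    return x


def crt_map(x: int, moduli) -> tuple:
    """The forward map chi(x) = (x mod n_1, ..., x mod n_k) from the proof."""
    return tuple(x % n_i for n_i in moduli)


def check_bijection(moduli) -> bool:
    """Verify that chi is one-to-one on Z_n: all n residue tuples must be distinct."""
    n = reduce(lambda x, y: x * y, moduli, 1)
    images = {crt_map(x, moduli) for x in range(n)}
    return len(images) == n


if __name__ == "__main__":
    # The classic instance: x = 2 (mod 3), x = 3 (mod 5), x = 2 (mod 7) gives x = 23.
    print(crt([2, 3, 2], [3, 5, 7]))
```

`crt` rejects moduli that are not pairwise coprime rather than silently returning a wrong value; the theorem's uniqueness claim does not hold without that condition.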

Finding Euler's phi Function

• Theorem: if gcd(m, n) = 1 then φ(m·n) = φ(m) · φ(n)

• Proof
  – A number x mod m·n is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – x is relatively prime to m·n iff a and b are relatively prime to m and n respectively
  – So φ(m·n) = φ(m) · φ(n)

Finding Euler's phi Function

• φ(n) calculation for n = ∏_{i=1}^{k} p_i^{e_i}

  φ(p) = p − 1,   φ(p^e) = p^e − p^{e−1}
  – The numbers in {1, …, p^e} with gcd(k·p, p^e) ≥ p are the multiples k·p, k = 1, …, p^{e−1}; there are p^{e−1} of them
  – So φ(p^e) = p^e − p^{e−1}

  φ(∏_{i=1}^{k} p_i^{e_i}) = ∏_{i=1}^{k} (p_i^{e_i} − p_i^{e_i − 1})

  φ(n) = n · (1 − 1/p1) · (1 − 1/p2) · … · (1 − 1/pk)

Euler's Theorem

• Theorem: if gcd(a, n) = 1 then a^{φ(n)} ≡ 1 (mod n)

• Proof
  1. Let R = {r1, r2, …, r_{φ(n)}} be the reduced set of residues modulo n
  2. {a·r1, a·r2, …, a·r_{φ(n)}} is a permutation of R (gcd(a·r_i, n) = 1, and the products are pairwise distinct mod n)
  3. ∏_{i=1}^{φ(n)} r_i ≡ ∏_{i=1}^{φ(n)} a·r_i ≡ a^{φ(n)} · ∏_{i=1}^{φ(n)} r_i (mod n)
  4. gcd(∏_{i=1}^{φ(n)} r_i, n) = 1, so the product can be cancelled. Hence a^{φ(n)} ≡ 1 (mod n)

Fermat's Little Theorem

• A special case of Euler's Theorem: let n = p with p prime.
  Because gcd(a, p) = 1 for all 0 < a < p, and φ(p) = p − 1:

  a^{p−1} ≡ 1 (mod p)
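An added Python example (not from the slides) tying together the last three slides: φ(n) from the factorization formula, φ(n) as the size of the reduced residue set, Euler's theorem a^{φ(n)} ≡ 1, and Fermat's a^{p−1} ≡ 1. It goes one step beyond the slides to show the practitioner's caveat: the Fermat congruence is also satisfied by composite Carmichael numbers such as 561, so it is not by itself a primality proof. Function names and the trial-division factoring are this example's own.

```python
"""Euler's phi via the factorization formula, by counting the reduced residue set,
and checks of Euler's and Fermat's theorems (including the Carmichael caveat)."""

from math import gcd


def factorize(n: int) -> dict:
    """Prime factorization {p: e} by trial division (exponential in bit length; fine here)."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n: int) -> int:
    """phi(n) = prod (p^e - p^(e-1)) over the prime factorization of n."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def reduced_residues(n: int) -> list:
    """Reduced set of residues: the elements of Z_n coprime to n (len == phi(n))."""
    return [x for x in range(n) if gcd(x, n) == 1]


def euler_holds(a: int, n: int) -> bool:
    """Euler: a^phi(n) == 1 (mod n) whenever gcd(a, n) == 1."""
    return gcd(a, n) == 1 and pow(a, phi(n), n) == 1


def fermat_passes(n: int, a: int) -> bool:
    """Fermat's congruence with base a: a^(n-1) == 1 (mod n). Every prime passes for all
    coprime a, but so do Carmichael numbers such as 561 = 3*11*17, which is why real
    primality testing uses the stronger Miller-Rabin test instead."""
    return gcd(a, n) == 1 and pow(a, n - 1, n) == 1


if __name__ == "__main__":
    print(phi(10), reduced_residues(10))          # 4 [1, 3, 7, 9]
    print(fermat_passes(561, 2), factorize(561))  # True {3: 1, 11: 1, 17: 1}
```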

Finding a^{-1} mod n

• Search through 1, …, n−1 until an a^{-1} is found such that a · a^{-1} ≡ 1 (mod n)
  – T(n) = O(n), exponential in the bit length of n

• Compute a^{-1} = a^{φ(n)−1} mod n
  – Finding φ(n) requires factoring n
  – T(n) = O(n^a) for some constant a

• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n), polynomial in the bit length

From the Euclidean Algorithm

• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
  ……
• r_{n−1} = s_{n−1}·r0 + t_{n−1}·r1

• r_{n−1} = gcd(r0, r1). If gcd(r0, r1) = 1 then s_{n−1}·r0 + t_{n−1}·r1 = 1 ⇒ t_{n−1}·r1 ≡ 1 (mod r0) ⇒ t_{n−1} ≡ r1^{-1} (mod r0)

• So: find t_{n−1}

s_i and t_i

• r0 = s0·r0 + t0·r1, with s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, with s1 = 0, t1 = 1
  ……
• r_i = r_{i−2} − q_{i−1}·r_{i−1} = s_{i−2}·r0 + t_{i−2}·r1 − q_{i−1}·s_{i−1}·r0 − q_{i−1}·t_{i−1}·r1 = s_i·r0 + t_i·r1

  s_i = s_{i−2} − q_{i−1}·s_{i−1}
  t_i = t_{i−2} − q_{i−1}·t_{i−1}

• Only t_i is needed: r_i = s_i·r0 + t_i·r1 ≡ t_i·r1 (mod r0)

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a

Step 2:
  r0 = q1·r1 + r2  ⇒  r2 = r0 − q1·r1 ≡ −q1·r1 (mod n); let x2 = −q1, then r2 ≡ x2·r1 (mod n)
  r1 = q2·r2 + r3  ⇒  r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 (mod n); let x3 = 1 − x2·q2, then r3 ≡ x3·r1 (mod n)
  ……
  r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1}  ⇒  r_{n−1} = r_{n−3} − q_{n−2}·r_{n−2}; let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r1 (mod n)
  Stop when r_{n−1} = 1 (the gcd; if it is larger, a has no inverse)

Step 3: since 1 = r_{n−1} ≡ x_{n−1}·a (mod n), the result is x_{n−1} ≡ a^{-1} (mod n)
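The t-only recurrence of the last three slides as an added Python example (not code from the slides): `ext_euclid_inverse` keeps just the t_i sequence with r0 = n, r1 = a and returns the coefficient of the last nonzero remainder, `ext_euclid_bezout` keeps both s_i and t_i to return the full Bezout identity, and `inverse_by_search` is the O(n) scan from the "Finding a^{-1} mod n" slide for comparison. The names are this example's own; the RSA-style test values (e = 17, φ = 3120) are constructed inputs.

```python
"""Extended Euclidean algorithm in the form on the slides: r0 = n, r1 = a, keep the
coefficients t_i (t_i = t_{i-2} - q_{i-1} * t_{i-1}) so that r_i = t_i * a (mod n).
When the last nonzero remainder is 1, its t_i is a^{-1} mod n."""


def ext_euclid_inverse(a: int, n: int) -> int:
    """Return a^{-1} mod n using only the t-sequence; raise if gcd(a, n) != 1."""
    r_prev, r_cur = n, a % n       # r0 = n, r1 = a
    t_prev, t_cur = 0, 1           # r0 = 0*a (mod n), r1 = 1*a (mod n)
    while r_cur != 0:
        q, r_next = divmod(r_prev, r_cur)
        t_prev, t_cur = t_cur, t_prev - q * t_cur   # t_i = t_{i-2} - q_{i-1} * t_{i-1}
        r_prev, r_cur = r_cur, r_next
    if r_prev != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {r_prev}")
    return t_prev % n              # r_{n-1} = 1 = t_{n-1} * a (mod n)


def ext_euclid_bezout(a: int, b: int) -> tuple:
    """Full version tracking s_i and t_i: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    r_prev, r_cur = a, b
    s_prev, s_cur = 1, 0
    t_prev, t_cur = 0, 1
    while r_cur != 0:
        q, r_next = divmod(r_prev, r_cur)
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
        r_prev, r_cur = r_cur, r_next
    return r_prev, s_prev, t_prev


def inverse_by_search(a: int, n: int) -> int:
    """The O(n) method from the slide: scan Z_n for x with a*x = 1 (mod n)."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    raise ValueError(f"{a} has no inverse modulo {n}")


if __name__ == "__main__":
    print(ext_euclid_inverse(17, 3120))   # 2753, since 17 * 2753 = 1 + 15 * 3120
    print(ext_euclid_bezout(1970, 1066))  # (2, s, t) with 1970*s + 1066*t == 2
```

Note that `ext_euclid_inverse` refuses non-coprime input instead of returning a meaningless coefficient; a caller that needs d = e^{-1} mod φ(n) for RSA must see that failure rather than a silently wrong key.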

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Algebraic Structures

• Why structures?
  – Cryptographic transforms normally live in some algebraic structure

• Definition: an algebraic structure is a set S together with one (or more) operations ∘ performed on the elements of S
  – Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions

Group

• Definition: a group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions
  – G1: ∀ a, b ∈ S: a ∘ b ∈ S (closure)
  – G2: ∀ a, b, c ∈ S: (a ∘ b) ∘ c = a ∘ (b ∘ c) (associativity)
  – G3: ∃ e ∈ S such that ∀ a ∈ S: a ∘ e = e ∘ a = a (identity)
  – G4: ∀ a ∈ S, ∃ a^{-1} ∈ S: a ∘ a^{-1} = a^{-1} ∘ a = e (inverse)
  – [G5, Abelian group]: ∀ a, b: a ∘ b = b ∘ a (commutativity)

Group Example

• ⟨Z, +⟩: e = 0, a^{-1} = −a

• ⟨Zn, +⟩ (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a^{-1} = n − a

• ⟨Z2, +⟩, i.e. single bits under XOR, is also a group

• ⟨Zp*, ·⟩ (Zp* = {1, …, p−1}, '·' is multiplication modulo the prime p)

Group Properties

• Definition: the order of a finite group is the number of elements in the group

• Definition: a group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S (with the same operation)

• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G

Lagrange's Theorem Proof

(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {a·h | h ∈ H} is called a (left) coset of H
(2) ∀ a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH because e ∈ H), so the cosets partition G
(4) |aH| = |H| (h ↦ a·h is a bijection)

So the order of H divides the order of G

The Order of a Group Element

• Definition: the order of a group element a is the least positive integer n such that

  a^n = a ∘ a ∘ … ∘ a (n times) = e

• The order of a is denoted ord(a)

• Corollary: suppose G is a finite group of order n and a ∈ G; then ord(a) | n

ord(a) | n Proof

• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operation of G forms a subgroup of G:
    a^{ord(a)} = e, and (a^i)^{-1} = a^{ord(a) − i}
  – This subgroup is denoted ⟨a⟩; it has ord(a) elements, so by Lagrange's Theorem ord(a) | n

The Generator of a Group

• Definition: if all elements of a group can be generated by a single element g, g is called a generator of the group (and the group is cyclic)

• Example: consider ⟨Z7*, ·⟩
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), …
    • ⟨2⟩ = {1, 2, 4} is a subgroup (of order 3, which divides 6)
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator
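The group facts of the last five slides run as code, as an added Python example that is not part of the slides: element orders in Z_n*, the subgroup ⟨a⟩ generated by a, the generators (elements of full order), and a check that every order divides |Z_n*| as Lagrange's Theorem requires. It also shows one thing the Z7* example does not: for n = 20 the group Z_20* has no generator at all, which matters when choosing a group for discrete-logarithm-based schemes. Names are this example's own.

```python
"""Orders, generators and subgroups in Z_n^*, checking the statements on the slides:
ord(a) | |G| (Lagrange), <a> is a subgroup, and g generates the group iff ord(g) = |G|."""

from math import gcd


def multiplicative_group(n: int) -> list:
    """Z_n^* = {x in Z_n | gcd(x, n) = 1}; for prime n this is {1, ..., n-1}."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def element_order(a: int, n: int) -> int:
    """ord(a): the least k >= 1 with a^k = 1 (mod n); requires gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not in Z_{n}^*")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def generated_subgroup(a: int, n: int) -> list:
    """<a> = {a, a^2, ..., a^ord(a)} mod n, in the order the powers appear (ends with 1)."""
    elems, x = [], a % n
    while x not in elems:
        elems.append(x)
        x = (x * a) % n
    return elems


def generators(n: int) -> list:
    """Elements whose order equals |Z_n^*|; empty when Z_n^* is not cyclic."""
    group = multiplicative_group(n)
    return [g for g in group if element_order(g, n) == len(group)]


def lagrange_holds(n: int) -> bool:
    """Every ord(a) must divide |Z_n^*| (the order of <a> divides the order of the group)."""
    group = multiplicative_group(n)
    return all(len(group) % element_order(a, n) == 0 for a in group)


if __name__ == "__main__":
    print(generated_subgroup(2, 7), generated_subgroup(3, 7))  # [2, 4, 1] [3, 2, 6, 4, 5, 1]
    print(generators(7), generators(20))                        # [3, 5] []
```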

Ring

• Definition: a ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) such that
  – R1: ∀ a, b ∈ S: a + b ∈ S and a·b ∈ S (closure)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: ∀ a, b, c ∈ S: (a·b)·c = a·(b·c)
  – R4: ∀ a, b, c ∈ S: a·(b + c) = a·b + a·c and (b + c)·a = b·a + c·a

• Example
  – The set of even integers with + and · is a ring
  – p, q two primes, n = p·q: Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Field

• Definition: a field F is ⟨S, +, ·⟩ with
  – F1: ⟨S, +, ·⟩ is a commutative ring (a·b = b·a)
  – F2: there is an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: any nonzero element a ∈ S has a unique inverse a^{-1}: a·a^{-1} = a^{-1}·a = 1

• Example
  – Zn = ⟨{0, 1, …, n−1}, +, ·⟩ is a field if (and only if) n is a prime

Relationship

(Figure: the nested structures used in cryptography, from the most general to the most specialised: Group (+, −) ⊃ Ring (+, −, ×) ⊃ Field (+, −, ×, ÷).)

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F_{2^n}

Zn

• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n

• Example
  – Z26 for English letters
  – Z256 for ASCII bytes

Zn Properties

• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n

• Additive inverse: yes, for every x
  – For each x in Zn there is a y such that x + y ≡ 0 (mod n), namely y = n − x

• Multiplicative inverse: not for all x
  – A y such that x·y ≡ 1 (mod n) exists only for some x
  – The elements of Zn that have an inverse are exactly {x | gcd(x, n) = 1}

Zn*

• Zn* is the "group" of integers modulo n under multiplication
  – Zn* = {x ∈ Zn | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n

• Zn* is in general not a group under +
  – Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*

• So Zn* is in general not a field

Zp

• Zp is the "field" of integers modulo a prime p
  – Zp = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p

• Example: Z2

    +  | 0  1        ·  | 0  1        w | −w | w^{-1}
    ---+------       ---+------       --+----+-------
    0  | 0  1        0  | 0  0        0 |  0 |   (none)
    1  | 1  0        1  | 0  1        1 |  1 |   1

  Addition in Z2 is XOR; multiplication is AND

Polynomial Ring

• Definition: if R is a commutative ring, then a polynomial in x over R is an expression of the form f(x) = a_n·x^n + a_{n−1}·x^{n−1} + … + a_1·x + a_0, where each a_i ∈ R and n ≥ 0

• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1 (in Z2, −1 = 1)
  – f(x) · g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)

• Definition: the set of residues modulo p(x) of R[x] is the set R[x] mod p(x), i.e. the remainders of the polynomials of R[x] on division by p(x)
  – p(x) is an irreducible polynomial over R

• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) − b(x))

• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 (mod x^2 + 1)
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x·(x^2 + 1)

• Definition: if a(x)·b(x) ≡ 1 (mod p(x)) then b(x) = a^{-1}(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)

• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) and b(x) | a(x) (the degree bound excludes the trivial constant and associate divisors)

Example: Z2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1

• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S

• Example
  – x^4 + 1 = x·x^3 + 1 ≡ x·(x + 1) + 1 = x^2 + x + 1 (mod p(x)), using x^3 ≡ x + 1

• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1) Properties

• S is a group under addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0

• S \ {0} is a group under multiplication mod p(x)
  – 1 is e, and every nonzero a ∈ S has an inverse
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x = 1 (mod x^3 + x + 1)
  – Note: the Extended Euclidean Algorithm (over polynomials) can be used to find the inverse

• Z2[x]/(x^3 + x + 1) is a field

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is the field ZN (N prime)
  – + is addition in F[x]; · is multiplication modulo p(x)
  – p(x) is irreducible

• The Galois field ZN[x]/p(x) is denoted GF(N^n), where n = deg p(x)

Why Galois Fields?

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • The values 251 … 255 are wasted

• Is it possible to find a field with exactly 256 elements?
  – Yes: a Galois field

Galois Field with 256 Elements

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block

  10010111  ↔  1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• This is Z2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• The byte arithmetic in AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^{-1} ↔ (x^6 + x^4 + x + 1)^{-1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: {02}·{87}
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ x
  • {02}·{87} ↔ x·f(x) = x·(x^7 + x^2 + x + 1) mod p(x) = x^8 + x·(x^2 + x + 1) mod p(x)
    = (x^4 + x^3 + x + 1) + (x^3 + x^2 + x) = x^4 + x^2 + 1 ↔ 00010101 = {15}

• In general, for a byte b = b7 b6 b5 b4 b3 b2 b1 b0, multiplication by x ("xtime") is

  x·f(x) ↔ (b6 b5 b4 b3 b2 b1 b0 0)                      if b7 = 0
  x·f(x) ↔ (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)          if b7 = 1

  i.e. shift left one bit and, if the bit shifted out was 1, XOR with 00011011 = {1B} (because x^8 ≡ x^4 + x^3 + x + 1 mod p(x))
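Arithmetic in Z2[x]/p(x) as an added Python example (not code from the slides or from any AES implementation), serving both the small field Z2[x]/(x^3 + x + 1) of the earlier slides and the AES field of the last two. Polynomials are stored as integers with bit i as the coefficient of x^i, so p(x) = x^8 + x^4 + x^3 + x + 1 is 0x11B and x^3 + x + 1 is 0b1011. `xtime` is the shift-and-conditional-XOR rule from the slide, `gf_inverse` is the extended Euclidean algorithm over Z2[x] that the properties slide mentions, and `is_irreducible` is a brute-force check that only makes sense for small degrees. Function names are this example's own; the test values are the slides' 0x53 ↔ 0xCA pair and the {02}·{87} product.

```python
"""Arithmetic in Z_2[x]/p(x) with polynomials as integers (bit i = coefficient of x^i).
Works for Z_2[x]/(x^3+x+1) (p = 0b1011) and for the AES field GF(2^8) (p = 0x11B)."""


def poly_mod(a: int, p: int) -> int:
    """Remainder of a(x) on division by p(x) over Z_2 (subtraction is XOR)."""
    dp = p.bit_length() - 1                       # deg p
    while a.bit_length() - 1 >= dp:
        a ^= p << (a.bit_length() - 1 - dp)       # cancel the current leading term
    return a


def poly_mul_nored(a: int, b: int) -> int:
    """Carry-less product in Z_2[x], no reduction (shift-and-add over Z_2)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def gf_mul(a: int, b: int, p: int) -> int:
    """a(x) * b(x) mod p(x)."""
    return poly_mod(poly_mul_nored(a, b), p)


def xtime(b: int) -> int:
    """AES 'multiply by x' on one byte: shift left; if the bit shifted out was 1, XOR 0x1B
    (x^8 = x^4 + x^3 + x + 1 mod p(x)). Equals gf_mul(b, 0x02, 0x11B)."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gf_inverse(a: int, p: int) -> int:
    """a(x)^{-1} mod p(x) by the extended Euclidean algorithm over Z_2[x]
    (r0 = p, r1 = a, track t_i so that r_i = t_i * a mod p; stop when r_i = 1)."""
    a = poly_mod(a, p)
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r_prev, r_cur = p, a
    t_prev, t_cur = 0, 1
    while r_cur != 1:
        q, r = 0, r_prev                          # long division r_prev = q*r_cur + r
        while r.bit_length() >= r_cur.bit_length():
            shift = r.bit_length() - r_cur.bit_length()
            q ^= 1 << shift
            r ^= r_cur << shift
        t_prev, t_cur = t_cur, t_prev ^ poly_mul_nored(q, t_cur)
        r_prev, r_cur = r_cur, r
        if r_cur == 0:
            raise ValueError("not invertible: gcd(a, p) != 1, so p(x) is not irreducible")
    return poly_mod(t_cur, p)


def is_irreducible(p: int) -> bool:
    """Brute force: no polynomial of degree 1..deg(p)/2 divides p(x). Small degrees only."""
    dp = p.bit_length() - 1
    for d in range(1, dp // 2 + 1):
        for f in range(1 << d, 1 << (d + 1)):     # every polynomial of degree exactly d
            if poly_mod(p, f) == 0:
                return False
    return True


if __name__ == "__main__":
    print(hex(gf_inverse(0x53, 0x11B)), hex(xtime(0x87)))   # 0xca 0x15
```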

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• Message space P = M^L = { m = (m1, m2, …, mL) | mi ∈ M }
  – M = {a_i | i = 1, 2, …, N}, p(a_i) ≥ 0, ∑_{i=1}^{N} p(a_i) = 1

• Key space K = B^R = { b = (b1, b2, …, bR) | bi ∈ B }
  – B = {b_i | i = 1, 2, …, S}, p(b_i) ≥ 0, ∑_{i=1}^{S} p(b_i) = 1

• Ciphertext space C = { c | c = e_k(m), k ∈ K, m ∈ P }

(Figure: Sender -m-> Encryption -c-> Decryption -m-> Receiver; the key k reaches both ends over a secure channel; the cryptanalyst observes c. Labels: Key Space (K), Message Space (P), Ciphertext Space (C).)

Claude Shannon (1916–2001)

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
  – R. G. Gallager

Probability Distribution of C

• Pr[C = c] = ∑_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
  – C(k) = { e_k(m) | m ∈ P }

• Pr[C = c | P = m] = ∑_{k ∈ K, m = d_k(c)} Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · ∑_{k | m = d_k(c)} Pr(k) ) / ( ∑_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)) )

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define "information"?

• Definition: an encryption scheme is Shannon secure if the probability distribution of P is unchanged by observing C:

  ∀ c, m: Pr[P = m] = Pr[P = m | C = c]

• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem with |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y
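Shannon's definition and the theorem above checked by exhaustive computation, as an added Python example that is not from the slides. It evaluates Pr[P = m | C = c] with the Bayes formula of the "Probability Distribution of C" slide for a shift cipher on Z_5 (e_k(m) = m + k mod 5) and tests Pr[P = m | C = c] = Pr[P = m] for all m, c. With a uniform key over all five shifts the condition holds for every plaintext distribution; with a biased key (shift 0 chosen half the time) or with only three keys it fails, which is the theorem's "equiprobable keys" condition and the |K| ≥ |P| bound of the next slides. The distributions are constructed for the example; `Fraction` keeps the comparison exact.

```python
"""Brute-force check of perfect secrecy on a small cipher: compute Pr[P = m | C = c]
from the slide's formulas and compare with Pr[P = m]."""

from fractions import Fraction
from itertools import product


def shift_encrypt(k: int, m: int, n: int) -> int:
    """e_k(m) = m + k mod n: a shift cipher on a single symbol of Z_n."""
    return (m + k) % n


def ciphertext_distribution(enc, plain_dist: dict, key_dist: dict) -> dict:
    """Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] * Pr[P = m]."""
    dist = {}
    for (k, pk), (m, pm) in product(key_dist.items(), plain_dist.items()):
        c = enc(k, m)
        dist[c] = dist.get(c, Fraction(0)) + pk * pm
    return dist


def posterior(enc, plain_dist: dict, key_dist: dict, m: int, c: int) -> Fraction:
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c] (Bayes), where
    Pr[C = c | P = m] = sum of Pr[K = k] over keys with e_k(m) = c."""
    pc = ciphertext_distribution(enc, plain_dist, key_dist)[c]
    pc_given_m = sum((pk for k, pk in key_dist.items() if enc(k, m) == c), Fraction(0))
    return pc_given_m * plain_dist[m] / pc


def is_perfectly_secret(enc, plain_dist: dict, key_dist: dict) -> bool:
    """Shannon's condition: Pr[P = m | C = c] == Pr[P = m] for every m and every
    ciphertext c that occurs with positive probability."""
    cdist = ciphertext_distribution(enc, plain_dist, key_dist)
    return all(
        posterior(enc, plain_dist, key_dist, m, c) == plain_dist[m]
        for m in plain_dist for c in cdist if cdist[c] > 0
    )


def uniform(n: int) -> dict:
    return {i: Fraction(1, n) for i in range(n)}


# Constructed distributions over Z_5: a skewed plaintext prior (the attacker's knowledge),
# a uniform key, and a biased key that picks shift 0 half of the time.
N = 5
SKEWED_PLAINTEXT = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8),
                    3: Fraction(1, 16), 4: Fraction(1, 16)}
UNIFORM_KEY = uniform(N)
BIASED_KEY = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
              3: Fraction(1, 8), 4: Fraction(1, 8)}


def shift5(k: int, m: int) -> int:
    return shift_encrypt(k, m, N)


if __name__ == "__main__":
    print(is_perfectly_secret(shift5, SKEWED_PLAINTEXT, UNIFORM_KEY))   # True
    print(is_perfectly_secret(shift5, SKEWED_PLAINTEXT, BIASED_KEY))    # False
    print(posterior(shift5, SKEWED_PLAINTEXT, BIASED_KEY, 0, 0))        # 4/5, not 1/2
```

The last line is the practical reading of the theorem: with the biased key, seeing ciphertext 0 raises the attacker's belief that the plaintext was 0 from 1/2 to 4/5, so the ciphertext leaks information.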

Proof of (⇐)

• Pr[P = x | C = y] = ( ∑_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[P = x] ) / ( ∑_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[P = d_k(y)] )

• With a unique key k for each pair (x, y) and Pr[K = k] = 1/|K|:  ∑_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|

• Denominator: ∑_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[P = d_k(y)] = (1/|K|) · ∑_{k ∈ K, y ∈ C(k)} Pr[P = d_k(y)] = (1/|K|) · ∑_{x ∈ P} Pr[P = x] = 1/|K|
  (as k runs over K, d_k(y) runs over every plaintext exactly once)

• Hence Pr[P = x | C = y] = Pr[P = x]

Proof of (⇒), part 1: unique key

• Assume Pr[C = y] > 0 for every y ∈ C
• Perfect secrecy: Pr[P = x | C = y] = Pr[P = x] ⇔ Pr[C = y | P = x] = Pr[C = y]

• For fixed x ∈ P, y ∈ C we have Pr[C = y | P = x] = Pr[C = y] > 0, so there exists at least one key k with e_k(x) = y

• |{ e_k(x) | k ∈ K }| = |C| = |K|
  – so there are no two keys k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – hence there is a unique key k such that e_k(x) = y

Proof of (⇒), part 2: equiprobable keys

• Let n = |K| and P = { x_i | 1 ≤ i ≤ n }

• Fix y and let k1, k2, …, kn be the keys with e_{k_i}(x_i) = y (unique by part 1)

• Pr[P = x_i | C = y] = Pr[C = y | P = x_i] · Pr[P = x_i] / Pr[C = y] = Pr[K = k_i] · Pr[P = x_i] / Pr[C = y]

• Pr[P = x_i | C = y] = Pr[P = x_i] ⇒ Pr[K = k_i] = Pr[C = y] for every i
  – Every key is used with the same probability, 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a probability distribution on P that is nonzero everywhere
  – Given any ciphertext C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed

Introduction to Complexity

• Perfect secrecy ⇒ key length ≥ message length
  – One key can NOT be used to encrypt many messages
  – E.g. a 56-bit key cannot give perfect secrecy for a document longer than 56 bits

• So in modern cryptography
  – NOT perfect secrecy
  – but security under limited resources (complexity)
  – meaning that key (or plaintext) recovery is computationally difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: a Turing Machine is given by a transition function δ: S × B → S × B × {l, r}
  – where S is the set of states, B is the tape alphabet, l is shift left and r is shift right

(Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a finite state machine.)

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms

(Figure: a PROBLEM has many INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output.)

Complexity of an Algorithm

• Definition: the time complexity of an algorithm is how many steps (of a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, a > 1, and there exists b ∈ N with f(n) = O(b^n)

Complexity of a Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to establish
  – It relies on mathematical analysis

• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problems

• Undecidable (provably intractable)
  – There is no algorithm that solves it
  – E.g. the Turing Halting Problem

• Decidable
  – P: can be solved in polynomial time by a DTM
    • Example: A, B
  – NP: can be solved in polynomial time by an NDTM (transition relation S × B → 2^{S × B × {l, r}})
  – BPP: can be "solved" in polynomial time by a PTM (transition function takes a random bit, S × B × {0, 1} → S × B × {l, r}; randomized algorithms)

NP Problems

• NP problems: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P ⊆ NP
  – NP problems are intuitively "more difficult"

• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: assume Q1, Q2 ∈ NP, with I1+ and I2+ their sets of 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
  – Q2 is at least as hard as Q1
  – Denoted Q1 ≤_poly Q2

NP Completeness (NPC)

• Definition: an NPC problem is a problem Qc such that for every Q ∈ NP we have Q ≤_poly Qc

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?

• How to prove that a problem Q is NPC (given Q ∈ NP)
  – Show SAT ≤_poly Q

P = NP?

• P = NP, or ∃ p ∈ NP with p ∉ P?

• If P = NP
  – Modern cryptography is NOT secure (key recovery is an NP search problem and would become polynomial-time)

• If ∃ p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – These are the foundations of modern cryptography
  – Caveat: P ≠ NP is necessary for one-way functions but is not known to be sufficient; worst-case hardness of p does not by itself give the average-case hardness a one-way function needs

BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms

• Remarks on BPP
  – The problem is solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP adversaries
  – To be analyzed in depth later

Problems in Cryptography

• FACTORING: factorize n (= p1^e1 · p2^e2 · … · pk^ek)

• DLP (discrete logarithm): given g, h ∈ Zp*, find x satisfying g^x ≡ h (mod p)

• DHP (Diffie-Hellman): find g^{ab} (mod p) from g^a (mod p) and g^b (mod p)

• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – May leak partial information (e.g. the message length)
  – An approximation of perfect secrecy against resource-bounded adversaries

• Definition of semantic security (equivalently: indistinguishability of ciphertexts)
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish a ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 1/2 + ε

  Challenger                                       Adversary
  picks random k and picks random b ∈ {0, 1}
                                                   picks M0, M1 of equal length
                                                   (the adversary may first obtain encryptions of plaintexts of its choice)
  sends c = E_k(M_b)  ---------------------->
                       <----------------------     outputs b'

  Attacker wins the game if b = b'
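The game on this slide run as code, as an added Python example that is not from the slides: the challenger draws k and b, the adversary is handed the encryption oracle (that is what "chosen plaintext" gives it), chooses M0 and M1 of equal length, receives c = E_k(M_b) and outputs b'. Two constructed schemes are played against one adversary strategy: a deterministic scheme that XORs every message with the same key (a reused pad) is won with probability exactly 1, while a scheme that draws a fresh pad for every encryption leaves the same adversary at about 1/2. The schemes, names and seeded trial counts are this example's own and are for illustration only; the fresh-pad scheme is a stand-in reference, not a proposed cipher.

```python
"""The IND-CPA game: challenger picks k and b; adversary, with an encryption oracle,
picks M0, M1 of equal length, gets E_k(M_b) and guesses b. A deterministic scheme
(fixed pad reused across messages) is distinguished with probability 1."""

import random


class FixedPadScheme:
    """Deterministic: c = m XOR k with the same k for every message (pad reuse)."""
    def __init__(self, rng, length: int):
        self.key = bytes(rng.randrange(256) for _ in range(length))

    def encrypt(self, m: bytes) -> bytes:
        return bytes(x ^ y for x, y in zip(m, self.key))


class FreshPadScheme:
    """Randomized reference: every encryption draws a fresh pad that the adversary
    never sees, so two encryptions of the same message look unrelated."""
    def __init__(self, rng, length: int):
        self.rng, self.length = rng, length

    def encrypt(self, m: bytes) -> bytes:
        pad = bytes(self.rng.randrange(256) for _ in range(self.length))
        return bytes(x ^ y for x, y in zip(m, pad))


def oracle_compare_adversary(encrypt_oracle, length: int):
    """Adversary strategy: query Enc(M0) through the oracle, then guess 0 iff the
    challenge ciphertext equals that reference. Returns (M0, M1, guess)."""
    m0, m1 = bytes([0x00] * length), bytes([0xFF] * length)
    reference = encrypt_oracle(m0)           # chosen-plaintext query before the challenge
    return m0, m1, (lambda challenge: 0 if challenge == reference else 1)


def ind_cpa_game(scheme, adversary, length: int, rng) -> bool:
    """One round of the game; True if the adversary's b' equals the challenger's b."""
    b = rng.randrange(2)                                  # challenger's secret bit
    m0, m1, guess = adversary(scheme.encrypt, length)     # adversary picks M0, M1
    if len(m0) != length or len(m1) != length:
        raise ValueError("M0 and M1 must have the agreed equal length")
    challenge = scheme.encrypt(m1 if b else m0)           # c = E_k(M_b)
    return guess(challenge) == b


def win_rate(make_scheme, adversary, trials: int, seed: int = 1, length: int = 8) -> float:
    """Fraction of games won; a fresh key per game, seeded for reproducibility."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        scheme = make_scheme(rng, length)
        wins += ind_cpa_game(scheme, adversary, length, rng)
    return wins / trials


if __name__ == "__main__":
    print(win_rate(FixedPadScheme, oracle_compare_adversary, 200))    # 1.0
    print(win_rate(FreshPadScheme, oracle_compare_adversary, 2000))   # about 0.5
```

The advantage ε of the slide's definition is the measured win rate minus 1/2: 1/2 for the deterministic scheme (total break), about 0 for the randomized one. Any deterministic encryption of a full message fails this game the same way, which is the practical reason modes such as ECB are not IND-CPA secure.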

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 1/2 + ε

  Challenger                              Adversary
  1. picks random k
  2. picks random M
                                          3. picks i
  sends c = E_k(M)  ------------------>
                     <------------------  outputs a

  Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof idea: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date:


Zhijun Li S1034040Autumn08HIT 4

Divisibility

bull Definition b is divisible by a if and only if a divides b without a remainder (or b=ma) denoted as a|bndash Example 3|6 5|20 -5|25 3|8

bull Properties ndash a|b b|c a|c

bull Proof a|bb=ma b|cc=nb=mna a|c

ndash a|b b|a |a|=|b|ndash a|b a|c a|bxcy

bull Proof

Zhijun Li S1034040Autumn08HIT 5

Prime and Composite Numbers

bull Definition An integer p is a prime if p is divisible only by +p-p1 and -1ndash Example 2357111317hellip101hellip

bull Denotation The set of all primes is P

bull Definition An integer n that is not a prime is called a composite numberndash Example 4625900hellip

Zhijun Li S1034040Autumn08HIT 6

bull Theorem(Fundamental Theorem of Arithmetic)

nN n= p1e1 p2

e2hellippkek ( or piP pei)

where ep is the exponent of the prime factor p

bull Note the result of factorization is uniquebull Example 84=2237

Factorizing in Product of Primes

Zhijun Li S1034040Autumn08HIT 7

Primes Amount

bull Theorem There are infinitely many primes

bull Proof (by contradiction) Assume Pmax build a number N is

N=P1P2hellipPmax+1

N can not be represented as P1e

1 P2e

2 hellip Pmaxe

max Therefore N is a new prime

Zhijun Li S1034040Autumn08HIT 8

Primes Density

(x) is a function gives the number of all primes contained in lt1xgt

(x)xln(x)

bull Gauss (x)xln(x)bull Legendre (x)x(ln(x)-108366) bull Hadamard de la Vallee-Poussion

((x)ln(x)x)x = 1

Zhijun Li S1034040Autumn08HIT 9

Greatest Common Divisor

bull Definition the greatest common divisor(GCD) is the number c

c=gcd(ab)=maxd|d|ad|bbull Properties

ndash d|n1d|n2hellipd|nk d|gcd(n1n2hellipnk)ndash gcd(ab) = gcd(b a mod b)

bull a mod b = r = a-qb 0ltrltb bull Hint a|b b|a a = b

bull Definition if gcd(ab)=1 then a and b are relatively prime(coprime)

Zhijun Li S1034040Autumn08HIT 10

Finding GCD

bull Theorem a=i pi

ai b=i pi

bi

gcd(ab)= i pi

min(ai bi)

bull Example

a=882=2 32 72

b=3465=33 5 7 11

gcd(ab)= 32 7 = 63

bull Complexityndash Need factoring the a and b ndash T(n) = O(cO(n))

Zhijun Li S1034040Autumn08HIT 11

Euclidean Algorithm Example

1970 = 1 x 1066 + 904 gcd(1066 904)1066 = 1 x 904 + 162 gcd(904 162)904 = 5 x 162 + 94 gcd(162 94)162 = 1 x 94 + 68 gcd(94 68)94 = 1 x 68 + 26 gcd(68 26)68 = 2 x 26 + 16 gcd(26 16)26 = 1 x 16 + 10 gcd(16 10)16 = 1 x 10 + 6 gcd(10 6)10 = 1 x 6 + 4 gcd(6 4)6 = 1 x 4 + 2 gcd(4 2)4 = 2 x 2 + 0 gcd(2 0)

GCD(19701066)

Zhijun Li S1034040Autumn08HIT 12

Euclidean Algorithm

bull Step 1 r0 =a and r1 =b

bull Step 2 r0 =q1r1+ r2

r1 =q2r2+ r3

helliphellip

rn-2 = qn-1rn-1+ rn

until rn=0 and rn-1 0

bull Step 3 rn-1 = gcd(ab)

Zhijun Li S1034040Autumn08HIT 13

Euclidean Algorithm Proof

bull rn = 0 rn-1| rn-2

rn-1| rn-3 hellip rn-1| a and rn-1| b

rn-1| gcd(ab)

bull gcd(ab)| r0 and gcd(ab)|r1

gcd(ab) | r0 ndash q1r1 gcd(ab)| r2

hellip gcd(ab) | rn-1

bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1

Zhijun Li S1034040Autumn08HIT 14

Euclidean Algorithm Complexity

bull Time Complexityndash Iteration

bull Each rigt1 iteration = O(log2a)

ndash Division

bull O(log22a)

ndash T(n)=O(log32n)

Zhijun Li S1034040Autumn08HIT 15

Modular Arithmetic

bull Why modular arithmetic

01100hellip0100

Plaintext 2n

11010hellip0111

Ciphertext 2n

+ addition multiplication

Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite

Zhijun Li S1034040Autumn08HIT 16

Modular Operation

bull Definition a mod n(modulo operator) is the remainder when a is divided by n

bull a mod n is r a=qn+r (0ltrltn)

Zhijun Li S1034040Autumn08HIT 17

Congruence Modulo n

bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)

Zhijun Li S1034040Autumn08HIT 18

Congruence Properties

bull Propertiesndash a b (mod n) c d (mod n)

a+c b+d (mod n)

ac bd (mod n)ndash Example

10 1 mod 9 102 1 mod 9 hellip

a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9

ndash a b (mod n) d|n a b (mod d)

Zhijun Li S1034040Autumn08HIT 19

Congruence Relation

bull Congruence relation is an equivalence relationndash Reflexive

bull a andash Symmetric

bull a b b a ndash Transitive

bull a b b c a c

bull Equivalence relation Partition

Zhijun Li S1034040Autumn08HIT 20

Example Integers Modulo 7

bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence

Z7 residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

bull Definition if a b mod n and bltn b is called a residue of a modulo n

bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i

n the set satisfies bri mod n

bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele

ment is relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues Example

bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379

bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1

Modular Arithmetic

• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n − 1}

• Under normal arithmetic (+, ×)
– [(a mod n) + (b mod n)] mod n = (a + b) mod n
  • Proof: Let a = q1·n + r1, b = q2·n + r2
  • (a + b) mod n = (q1·n + r1 + q2·n + r2) mod n = (r1 + r2) mod n
– [(a mod n) × (b mod n)] mod n = (ab) mod n

• (+, ×) ⇒ (−, ÷)?

Modular Arithmetic Example

• (Z8 = {0, 1, 2, …, 7}, +)

[Figure: addition table of Z8] What?

Modular Arithmetic Example

• (Z8 = {0, 1, 2, …, 7}, ×)

[Figure: multiplication table of Z8] NOT all elements in Z8

Modular Arithmetic Remark

• Additive Inverse: Always Exists
– (a + (−a)) ≡ 0 mod n, −a = n − a
– if (a + b) ≡ (a + c) mod n then b ≡ c mod n
  • ((−a) + a + b) ≡ ((−a) + a + c) mod n

• Multiplicative Inverse: NOT Always Exists
– Example: 6 in Z8
– When?

Multiplicative Inverse in Modular Arithmetic

• Definition: a^−1 mod n is the multiplicative inverse of a ∈ {1, 2, …, n − 1} when a·x ≡ 1 mod n

• Theorem: a^−1 mod n exists if and only if gcd(a, n) = 1

• Lemma: If gcd(a, n) = 1, then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
– Proof: assume a·i ≡ a·j mod n ⇒ n | a(i − j) ⇒ n | (i − j) ⇒ i − j = 0

Multiplicative Inverse Theorem

• Proof
– (⇐) gcd(a, n) = 1 ⇒ a·{1, …, n − 1} mod n is a permutation of {1, …, n − 1}
– So there exists exactly one i such that a·i ≡ 1 mod n
– Therefore i is a^−1 mod n
– (⇒) Suppose a^−1 exists, call it x
– a·x ≡ 1 (mod n) ⇒ a·x + y·n = 1 for some integer y
– ⇒ gcd(a, n) = 1 (gcd(a, n) | a·x + y·n ⇒ gcd(a, n) | 1)

Euler's phi Function

• Euler's "phi" function φ(n)
– Is the number of invertible elements of Zn
– Is the number of elements in the reduced set of residues modulo n

• φ(n) calculation?

Chinese Remainder Theorem

• Theorem: let n1, n2, …, nk be integers s.t. gcd(ni, nj) = 1 (i ≠ j)
  x ≡ a1 mod n1
  x ≡ a2 mod n2
  ……
  x ≡ ak mod nk
  There exists a unique solution x modulo n = n1·n2·…·nk

Proof of CRT

• Consider a one-to-one map χ: Zn → Zn1 × Zn2 × … × Znk
  χ(x) = (x mod n1, x mod n2, …, x mod nk)
– CRT is to find χ^−1(a1, a2, …, ak)
  χ^−1(a1, a2, …, ak) = Σ_{i=1}^{k} ai·mi·yi mod n
– mi = n/ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
– yi = mi^−1 mod ni, 1 ≤ i ≤ k
– mi ≡ 0 mod nj for j ≠ i ⇒ ai·mi·yi ≡ 0 mod nj for j ≠ i
– yj ≡ mj^−1 mod nj ⇒ mj·yj ≡ 1 mod nj ⇒ aj·mj·yj ≡ aj mod nj
  ⇒ χ^−1(a1, a2, …, ak) mod nj = aj

Finding Euler's phi Function

• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)

• Proof
– A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
– A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
– So φ(mn) = φ(m)·φ(n)

Finding Euler's phi Function

• φ(n) calculation for n = Π_{i=1}^{k} pi^{ei}
– φ(p) = p − 1, φ(p^e) = p^e − p^{e−1}
  – The numbers k·p, k = 1, …, p^{e−1} − 1, are exactly those with gcd(k·p, p^e) ≥ p
  – So φ(p^e) = (p^e − 1) − (p^{e−1} − 1)
– φ(Π_{i=1}^{k} pi^{ei}) = Π_{i=1}^{k} (pi^{ei} − pi^{ei−1})
– φ(n) = n(1 − 1/p1)(1 − 1/p2)…(1 − 1/pk)

Euler's Theorem

• Theorem: If gcd(a, n) = 1 then a^{φ(n)} ≡ 1 mod n

• Proof
  1. Let R = {r1, r2, …, r_{φ(n)}} be a reduced set of residues modulo n
  2. {a·r1, a·r2, …, a·r_{φ(n)}} is a permutation of R (gcd(a·ri, n) = 1)
  3. Π_{i=1}^{φ(n)} ri ≡ Π_{i=1}^{φ(n)} a·ri ≡ a^{φ(n)} · Π_{i=1}^{φ(n)} ri mod n
  4. gcd(Π_{i=1}^{φ(n)} ri, n) = 1. Hence a^{φ(n)} ≡ 1 mod n

Fermat's Little Theorem

• From Euler's Theorem
  Let n be p, where p is a prime
  Because for all 0 < a < p, gcd(a, p) = 1, then
  a^{p−1} ≡ 1 mod p

Finding a^−1 mod n

• Search through 1, …, n − 1 until an a^−1 is found such that a·a^−1 ≡ 1 (mod n)
– T(n) = O(n)

• Compute a^−1 = a^{φ(n)−1} mod n
– Find φ(n) ⇒ factoring n
– T(n) = O(n^a)

• Use the Extended Euclidean Algorithm
– T(n) = O(log^a n)

From Euclidean Algorithm

• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
……
• r_{n−1} = s_{n−1}·r0 + t_{n−1}·r1

• r_{n−1} = gcd(r0, r1)
• s_{n−1}·r0 + t_{n−1}·r1 = 1 ⇒ t_{n−1}·r1 ≡ 1 mod r0 ⇒ t_{n−1} ≡ r1^−1 mod r0
• Find t_{n−1}

si and ti

• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
……
• ri = r_{i−2} − q_{i−1}·r_{i−1} = s_{i−2}·r0 + t_{i−2}·r1 − q_{i−1}·s_{i−1}·r0 − q_{i−1}·t_{i−1}·r1 = si·r0 + ti·r1
  si = s_{i−2} − q_{i−1}·s_{i−1}
  ti = t_{i−2} − q_{i−1}·t_{i−1}

• Only ti is needed
• ri = si·r0 + ti·r1 ≡ ti·r1 mod r0

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a
Step 2: r0 = q1·r1 + r2, r2 = r0 − q1·r1 ≡ −q1·r1 mod n; let x2 = −q1, then r2 ≡ x2·r1 mod n
        r1 = q2·r2 + r3, r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 mod n; let x3 = 1 − x2·q2, then r3 ≡ x3·r1 mod n
        ……
        r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1}, r_{n−1} = r_{n−3} − q_{n−2}·r_{n−2} mod n; let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r1 mod n. Now r_{n−1} = 1
Step 3: Result is x_{n−1} = a^−1 mod n
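The procedures of the last several slides carried out in code, as an added example (not code from the lecture): the extended Euclidean algorithm tracking only the t_i / x_i coefficients as the slides do, the CRT reconstruction x = Σ a_i·m_i·y_i with m_i = n/n_i and y_i = m_i^−1 mod n_i, and φ(n) from the prime-power product formula checked against Euler's theorem. The helper `factor` is a trial-division routine assumed here for small n only.

```python
"""Added worked example (not from the slides): modular inverse by the extended
Euclidean algorithm, CRT reconstruction, and Euler's phi with Euler's theorem
checked on the result."""
from math import gcd


def modinv(a, n):
    """a^-1 mod n by the extended Euclidean algorithm.

    r0 = n, r1 = a, r_i = r_{i-2} - q_{i-1} r_{i-1}; each r_i is kept as
    r_i = t_i * a (mod n), so when the remainder reaches 1, t_i is the inverse.
    Raises ValueError when gcd(a, n) != 1, i.e. no inverse exists."""
    r_prev, r = n, a % n
    t_prev, t = 0, 1                        # t_0 = 0, t_1 = 1 as on the 'si and ti' slide
    while r != 0:
        q = r_prev // r
        r_prev, r = r, r_prev - q * r       # r_i = r_{i-2} - q r_{i-1}
        t_prev, t = t, t_prev - q * t       # t_i = t_{i-2} - q t_{i-1}
    if r_prev != 1:                         # r_{n-1} = gcd(a, n)
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {r_prev}")
    return t_prev % n


def crt(residues, moduli):
    """Solve x = a_i (mod n_i) for pairwise coprime n_i.

    m_i = n / n_i, y_i = m_i^-1 mod n_i, x = sum(a_i m_i y_i) mod n."""
    n = 1
    for ni in moduli:
        n *= ni
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    x = 0
    for ai, ni in zip(residues, moduli):
        mi = n // ni
        yi = modinv(mi, ni)
        x += ai * mi * yi
    return x % n


def factor(n):
    """Trial-division factorisation {p: e}; assumed helper, fine for small n."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """phi(n) = prod (p^e - p^(e-1)) over the prime factorisation of n."""
    result = 1
    for p, e in factor(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def reduced_residues(n):
    """The reduced set of residues mod n; its size must equal phi(n)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def euler_check(a, n):
    """Euler's theorem: a^phi(n) = 1 (mod n) whenever gcd(a, n) = 1."""
    return pow(a, phi(n), n) == 1


if __name__ == "__main__":
    print(modinv(3, 7))                   # 5, since 3*5 = 15 = 1 mod 7
    print(crt([2, 3, 2], [3, 5, 7]))      # 23: 23 = 2 mod 3, 3 mod 5, 2 mod 7
    print(phi(10), reduced_residues(10))  # 4 [1, 3, 7, 9]
    print(euler_check(3, 10))             # True
    try:
        modinv(6, 8)                      # the slide's non-invertible example
    except ValueError as err:
        print(err)
```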

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Algebraic Structures

• Why Structures?
– Cryptographic transforms are normally defined in some structures

• Definition: It is the collection of a set (S) with one (or more) operations (∘) which are performed on the elements of S
– Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions

Group

• Definition: A group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions
– G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
– G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c)
– G3: (∃e ∈ S) ∀a ∈ S, a∘e = e∘a = a
– G4: (∀a ∈ S) ∃a^−1 ∈ S, a∘a^−1 = a^−1∘a = e
– [G5: Abelian group] ∀a, b, a∘b = b∘a

Group Example

• ⟨Z, +⟩: e = 0, a^−1 = −a

• ⟨Zn, +⟩ (Zn = {0, 1, …, n − 1}, '+' is addition modulo n): e = 0, a^−1 = n − a

• ⟨Z2, ⊕⟩ is also a group

• ⟨Zp*, ×⟩ (Zp* = {1, …, p − 1}, '×' is multiplication modulo p)

Group Properties

• Definition: The order of a finite group is the number of elements in the group

• Definition: A group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S

• Lagrange Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange Theorem Proof

(1) Definition of Coset: Let G be a group and H a subgroup of G; for a ∈ G, the set aH = {a∘h | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (e ∈ H), so the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of a Group Element

• Definition: The order of a group element a is defined as the least positive integer n such that
  a^n = a∘a∘…∘a = e

• The order of a is denoted as ord(a)

• Corollary: Suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n

ord(a) | n Proof

• Proof
– For group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operator of G forms a subgroup of G
  a^{ord(a)} = e, (a^i)^−1 = a^{ord(a)−i}
– This subgroup is denoted as ⟨a⟩

The Generator of a Group

• Definition: If all elements of a group can be generated by a single element g, g is called the generator of the group

• Example
– Consider ⟨Z7*, ×⟩
– 2 generates: 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
  • ⟨{1, 2, 4}⟩ is a subgroup
– 3 generates: 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
  • 3 is the generator

Ring

• Definition: A ring R = ⟨S, +, ×⟩ (+ is addition, × is multiplication) such that
– R1: ∀a, b ∈ S, a + b ∈ S, a×b ∈ S (closure rule)
– R2: ⟨S, +⟩ is an additive Abelian group
– R3: ∀a, b, c ∈ S, (a×b)×c = a×(b×c)
– R4: ∀a, b, c ∈ S, a×(b + c) = a×b + a×c

• Example
– The set of even integers with + and × is a ring
– p, q are two primes, n = pq: Zn = {0, 1, …, n − 1} with addition and multiplication mod n is a ring

Field

• Definition: Field F is ⟨S, +, ×⟩ with
– F1: ⟨S, +, ×⟩ is a commutative ring (a×b = b×a)
– F2: There exists an identity element 1 with respect to multiplication: a×1 = 1×a = a
– F3: Any nonzero element a ∈ S has its unique inverse a^−1: a×a^−1 = a^−1×a = 1

• Example
– Zn = ⟨{0, 1, …, n − 1}, +, ×⟩ is a field if n is a prime

Relationship

[Figure: nested structures used in cryptography]
  Field: +, −, ×, ÷
  Ring: +, −, ×
  Group: +, −

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F_{2^n}

Zn

• Zn is the "ring" of integers modulo n
– Zn = {0, 1, 2, …, n − 1}
– Normal addition modulo n
– Normal multiplication modulo n

• Example
– Z26 for English
– Z256 for ASCII

Zn Properties

• Additive and multiplicative identities in Zn
– Additive identity is 0 mod n
– Multiplicative identity is 1 mod n

• Additive inverse: Yes
– For every x in Zn there is a number y such that x + y = 0

• Multiplicative inverse: Not for all x
– A number y such that x·y = 1
– The elements in Zn that have an inverse: {x | gcd(x, n) = 1}

Zn*

• Zn* is a "group" of integers modulo n
– Zn* = {x | gcd(x, n) = 1}
– |Zn*| = φ(n)
– Normal multiplication modulo n

• Zn* may not be a group over +
– Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*

• So Zn* may not be a field

Zp

• Zp is the "field" of integers modulo p
– Zp = {0, 1, 2, …, p − 1}
– Normal addition modulo p
– Normal multiplication modulo p

• Example: Z2

  +  | 0  1        ×  | 0  1        w | −w | w^−1
  ---+------       ---+------       --+----+------
  0  | 0  1        0  | 0  0        0 |  0 | (none)
  1  | 1  0        1  | 0  1        1 |  1 |   1

  + is XOR, × is AND

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n·x^n + a_{n−1}·x^{n−1} + … + a_1·x + a_0, where each a_i ∈ R and n ≥ 0

• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements in Z2[x]
– f(x) + g(x) = x^3 + x^2 + 1
– f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
– f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)

• Definition: A set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
– p(x) is an irreducible polynomial over R

• A set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), or a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))

• Example
– Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
  • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)

• Definition: If a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^−1(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted as b(x) | a(x)

• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) such that b(x) | a(x)

Example: [Z2(x)]/x^3 + x + 1

• S = {0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1}
• p(x) = x^3 + x + 1

• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S

• Example
– x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1

• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

[Z2(x)]/x^3 + x + 1 Properties

• S is a group over addition in R
– 0 is e, and the inverse of a ∈ S is a itself
– Example: (x^2 + 1) + (x^2 + 1) = 0

• S is a group over multiplication mod p(x)
– 1 is e, and the inverse of a ∈ S exists
– Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
– Note: the Extended Euclidean Algorithm can be used to find the inverse

• [Z2(x)]/x^3 + x + 1 is a Field

Galois Field

• Definition: Galois field = (S, +, ×)
– S = F[x]/p(x)
– F is the field ZN (N is prime)
– + is addition in F, × is multiplication modulo p(x)
– p(x) is irreducible

• The Galois field over ZN[x]/p(x) is denoted as GF(N^n) when n = deg p(x)

Why Galois Field

• For an 8-bit Block
– Z256 = {0, 1, …, 255} is not a field
– Z251 = {0, 1, …, 250} is a field
  • The largest prime < 256 is 251
  • 251, …, 255 are wasted

• Is it possible to find a field for Z256?
– Yes: Galois Field

Galois Field for Z256

• Build a mapping from an n-bit block to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
– 01010011 ↔ x^6 + x^4 + x + 1
– (01010011)^−1 ↔ (x^6 + x^4 + x + 1)^−1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: 02·87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ f(x) = x
  • 02·87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x)
    = x^8 + x(x^2 + x + 1) mod p(x)

• In general, for b = b7 b6 b5 b4 b3 b2 b1 b0:
  x·f(x) ↔ 02·b = (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
                = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
– M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1

• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
– B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1

• C = {c | c = e_k(m), k ∈ K, m ∈ M}

[Figure: Sender → Encryption → c → Decryption → Receiver; the key k from the Key Space (K) is delivered over a Secure Channel; Cryptanalysis observes c and tries to recover m; Message Space (P), Ciphertext Space (C)]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
R. G. Gallager

Claude Shannon, 1916-2001

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k]·Pr[P = d_k(c)]
– C(k) = {e_k(m) | m ∈ P}

• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
  = (Pr(m)·Σ_{k | m = d_k(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k)·Pr(d_k(c)))

Shannon Security

• Basic Idea: Ciphertext should provide no "information" about Plaintext
– How to define the "information"?

• Definition: An encryption scheme is Shannon secure if the probability distribution of P is unchanged by observing C:
  ∀c, m: Pr[P = m] = Pr[P = m | C = c]
• Also say such a scheme has perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and ∀x ∈ P and ∀y ∈ C, there is a unique key k such that e_k(x) = y

Proof of ⇐

• Pr[X = x | Y = y] = (Σ_{k ∈ K, x = d_k(y)} Pr[K = k]·Pr[X = x]) / (Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[X = d_k(y)])

• Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|   (a unique key maps x to y, and every key has probability 1/|K|)

• Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[X = d_k(y)] = (1/|K|)·Σ_{k ∈ K, y ∈ C(k)} Pr[X = d_k(y)] = (1/|K|)·Σ_{x ∈ P} Pr[X = x] = 1/|K|

• Hence Pr[X = x | Y = y] = (1/|K|)·Pr[X = x] / (1/|K|) = Pr[X = x]

Proof of ⇒

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]

• Fix x ∈ P; for every y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y

• |{e_k(x) | k ∈ K}| = |C| = |K|
– There are no k1 ≠ k2 with e_k1(x) = e_k2(x)
– There is a unique key k such that e_k(x) = y

Proof of ⇒ (continued)

• Let n = |K| and P = {xi | 1 ≤ i ≤ n}

• Given a fixed y, let k1, k2, …, kn be the keys with e_{ki}(xi) = y

• Pr[xi | y] = Pr[y | xi]·Pr[xi] / Pr[y] = Pr[K = ki]·Pr[xi] / Pr[y]

• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y] for every i
– Every key is used with equal probability 1/|K|
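The posterior formulas of the "Probability Distribution of C" slide and the perfect-secrecy theorem checked on a concrete system, as an added example (not code from the lecture): a one-letter shift cipher over Z26, so |K| = |P| = |C| = 26 and every (m, c) pair has exactly one key. With uniform keys the posterior Pr[P = m | C = c] equals the prior for every pair; with a constructed biased key distribution the second condition of the theorem fails and the ciphertext leaks. The plaintext distribution is a constructed skew, not real letter frequencies.

```python
"""Added worked example (not from the slides): Pr[C=c] and Pr[P=m|C=c] for a
shift cipher over Z26, and Shannon's perfect-secrecy condition tested on a
uniform and on a biased key distribution."""
from fractions import Fraction

N = 26                                   # P = C = K = Z26, one letter at a time


def enc(k, m):
    return (m + k) % N


def dec(k, c):
    return (c - k) % N


def ciphertext_dist(pr_k, pr_p):
    """Pr[C=c] = sum over k in K with c in C(k) of Pr[K=k] * Pr[P=d_k(c)].
    For the shift cipher every c is in every C(k), so the sum runs over all k."""
    return {c: sum(pr_k[k] * pr_p[dec(k, c)] for k in pr_k) for c in range(N)}


def posterior(pr_k, pr_p):
    """Pr[P=m|C=c] = Pr[C=c|P=m] * Pr[P=m] / Pr[C=c], with
    Pr[C=c|P=m] = sum over k with m = d_k(c) of Pr[K=k]."""
    pr_c = ciphertext_dist(pr_k, pr_p)
    post = {}
    for m in range(N):
        for c in range(N):
            if pr_c[c] == 0:
                continue                 # posterior undefined for impossible c
            pr_c_given_m = sum(pr_k[k] for k in pr_k if dec(k, c) == m)
            post[(m, c)] = pr_c_given_m * pr_p[m] / pr_c[c]
    return post


def has_perfect_secrecy(pr_k, pr_p):
    """Shannon's condition: Pr[P=m|C=c] == Pr[P=m] for all m and all c with Pr[C=c] > 0.
    Fractions keep the comparison exact."""
    return all(v == pr_p[m] for (m, c), v in posterior(pr_k, pr_p).items())


def skewed_plaintext():
    """Constructed plaintext distribution: letters a, e, i, o, t three times as likely."""
    weights = [3 if m in (0, 4, 8, 14, 19) else 1 for m in range(N)]
    total = sum(weights)
    return {m: Fraction(w, total) for m, w in enumerate(weights)}


def uniform_keys():
    """Every key with probability 1/|K|: the theorem's first condition."""
    return {k: Fraction(1, N) for k in range(N)}


def biased_keys():
    """Constructed bias: key 0 (no shift) half the time, the rest uniform; |K| is still 26."""
    return {k: (Fraction(1, 2) if k == 0 else Fraction(1, 2 * (N - 1))) for k in range(N)}


if __name__ == "__main__":
    pr_p = skewed_plaintext()
    print(has_perfect_secrecy(uniform_keys(), pr_p))    # True
    print(has_perfect_secrecy(biased_keys(), pr_p))     # False
    post = posterior(biased_keys(), pr_p)
    print(post[(4, 4)], pr_p[4])   # 25/36 vs 1/12: seeing c = 'e' makes m = 'e' far more likely
```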

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
– Consider a nonzero probability distribution of P
– Given any C = c, for every m,
  Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
– As one key can decrypt c into only one message, at least n keys are needed

Introduction of the Complexity

• Perfect Secrecy: key-length ≥ msg-length
– Can NOT use one key to encrypt many messages
– Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
– NOT perfect secrecy
– IS secure under limited resources (complexity)
– Means that the key (or plaintext) recovery is difficult
– Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
– Name: GCD problem
– Instance: Two natural numbers a, b ∈ N
– Question: What is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is δ: S × B → S × B × {l, r}
– Where S is the set of states, B is the set of characters, l is shift left, r is shift right

[Figure: a tape … 0 1 1 0 0 0 1 1 … read by a State Machine]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which for an instance produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

[Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]

Complexity of Algorithm

• Definition: The time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
– Logarithmic functions: f(n) = log(n)
– Polynomial functions: f(n) = n^a, a ∈ N
– Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
– The complexity of a problem is much more difficult to determine
– It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable: provably intractable
– There is no algorithm that solves it
– Such as the Turing Halting Problem

• Decidable
– P: can be solved in polynomial time using a DTM
  • Example: A B
– NP: can be solved in polynomial time using an NDTM
  δ: S × B → 2^S
– BPP: can be "solved" in polynomial time using a PTM, δ: S × B × {0, 1} → S (Randomized algorithms)

NP Problem

• NP ⊇ P: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
– P Problem ⊆ NP Problem
– NP Problems are "more difficult" from intuition

• NPC: The most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy problems

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are their sets of 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
– Q2 is at least as complex as Q1
– Denoted as Q1 ≤_poly Q2

NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc

• Example
– Name: Satisfiability problem (SAT)
– Instance: A set U of variables and a collection C of clauses over U
– Question: Is there a satisfying truth assignment for C?

• How to prove a problem Q ∈ NPC?
– SAT ≤_poly Q

P = NP?

• P = NP, or ∃p ∈ NP, p ∉ P

• If P = NP
– Modern cryptography is NOT secure

• If ∃p ∈ NP, p ∉ P
– A one-way function can be built based on p
– Indistinguishable pseudorandom functions exist
– They are the foundations of modern cryptography

BPP

• There are random algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for random algorithms

• Remarks on BPP
– The problem can be solved with some error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful under BPP
– Will be analyzed in depth later

Problems in Cryptography

• FACTORING: Factorize n (= p1^{e1}·p2^{e2}·…·pk^{ek})

• DLP: Find x satisfying α^x ≡ β (mod p)

• DHP: Find α^{ab} (mod p) from α^a (mod p) and α^b (mod p)

• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: Decide whether a is a quadratic residue modulo n

• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of Semantic Security
– Between Shannon security and security based on Complexity
– Leak partial information
– Approximate perfect secrecy

• Definition of Semantic Security
– Indistinguishability of Ciphertexts
– Difficult to distinguish ciphertexts for different plaintexts
– Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

  Challenger                                   Adversary
  picks random k and picks random b ∈ {0, 1}
                                               picks M0, M1 of equal length
  [returns c = e_k(Mb)]
                                               [outputs a guess b']
  Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

  Challenger                       Adversary
  1. Picks random k
  2. Picks random M
                                   3. Picks i
                                   [outputs a guess a]
  Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security

Summary

• Number Theory
– Prime, gcd, Euler's Theorem, CRT
– Modular arithmetic

• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)

• Shannon Security
– Perfect secrecy
– Probability

• Complexity of Computing
– P, NP, NPC, BPP

Homework

• HTTP URL
  http://cst.hit.edu.cn/cryptography

• Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 5

Prime and Composite Numbers

bull Definition An integer p is a prime if p is divisible only by +p-p1 and -1ndash Example 2357111317hellip101hellip

bull Denotation The set of all primes is P

bull Definition An integer n that is not a prime is called a composite numberndash Example 4625900hellip

Zhijun Li S1034040Autumn08HIT 6

bull Theorem(Fundamental Theorem of Arithmetic)

nN n= p1e1 p2

e2hellippkek ( or piP pei)

where ep is the exponent of the prime factor p

bull Note the result of factorization is uniquebull Example 84=2237

Factorizing in Product of Primes

Zhijun Li S1034040Autumn08HIT 7

Primes Amount

bull Theorem There are infinitely many primes

bull Proof (by contradiction) Assume Pmax build a number N is

N=P1P2hellipPmax+1

N can not be represented as P1e

1 P2e

2 hellip Pmaxe

max Therefore N is a new prime

Zhijun Li S1034040Autumn08HIT 8

Primes Density

(x) is a function gives the number of all primes contained in lt1xgt

(x)xln(x)

bull Gauss (x)xln(x)bull Legendre (x)x(ln(x)-108366) bull Hadamard de la Vallee-Poussion

((x)ln(x)x)x = 1

Zhijun Li S1034040Autumn08HIT 9

Greatest Common Divisor

bull Definition the greatest common divisor(GCD) is the number c

c=gcd(ab)=maxd|d|ad|bbull Properties

ndash d|n1d|n2hellipd|nk d|gcd(n1n2hellipnk)ndash gcd(ab) = gcd(b a mod b)

bull a mod b = r = a-qb 0ltrltb bull Hint a|b b|a a = b

bull Definition if gcd(ab)=1 then a and b are relatively prime(coprime)

Zhijun Li S1034040Autumn08HIT 10

Finding GCD

bull Theorem a=i pi

ai b=i pi

bi

gcd(ab)= i pi

min(ai bi)

bull Example

a=882=2 32 72

b=3465=33 5 7 11

gcd(ab)= 32 7 = 63

bull Complexityndash Need factoring the a and b ndash T(n) = O(cO(n))

Zhijun Li S1034040Autumn08HIT 11

Euclidean Algorithm Example

1970 = 1 x 1066 + 904 gcd(1066 904)1066 = 1 x 904 + 162 gcd(904 162)904 = 5 x 162 + 94 gcd(162 94)162 = 1 x 94 + 68 gcd(94 68)94 = 1 x 68 + 26 gcd(68 26)68 = 2 x 26 + 16 gcd(26 16)26 = 1 x 16 + 10 gcd(16 10)16 = 1 x 10 + 6 gcd(10 6)10 = 1 x 6 + 4 gcd(6 4)6 = 1 x 4 + 2 gcd(4 2)4 = 2 x 2 + 0 gcd(2 0)

GCD(19701066)

Zhijun Li S1034040Autumn08HIT 12

Euclidean Algorithm

bull Step 1 r0 =a and r1 =b

bull Step 2 r0 =q1r1+ r2

r1 =q2r2+ r3

helliphellip

rn-2 = qn-1rn-1+ rn

until rn=0 and rn-1 0

bull Step 3 rn-1 = gcd(ab)

Zhijun Li S1034040Autumn08HIT 13

Euclidean Algorithm Proof

bull rn = 0 rn-1| rn-2

rn-1| rn-3 hellip rn-1| a and rn-1| b

rn-1| gcd(ab)

bull gcd(ab)| r0 and gcd(ab)|r1

gcd(ab) | r0 ndash q1r1 gcd(ab)| r2

hellip gcd(ab) | rn-1

bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1

Zhijun Li S1034040Autumn08HIT 14

Euclidean Algorithm Complexity

bull Time Complexityndash Iteration

bull Each rigt1 iteration = O(log2a)

ndash Division

bull O(log22a)

ndash T(n)=O(log32n)

Zhijun Li S1034040Autumn08HIT 15

Modular Arithmetic

bull Why modular arithmetic

01100hellip0100

Plaintext 2n

11010hellip0111

Ciphertext 2n

+ addition multiplication

Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite

Zhijun Li S1034040Autumn08HIT 16

Modular Operation

bull Definition a mod n(modulo operator) is the remainder when a is divided by n

bull a mod n is r a=qn+r (0ltrltn)

Zhijun Li S1034040Autumn08HIT 17

Congruence Modulo n

bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)

Zhijun Li S1034040Autumn08HIT 18

Congruence Properties

bull Propertiesndash a b (mod n) c d (mod n)

a+c b+d (mod n)

ac bd (mod n)ndash Example

10 1 mod 9 102 1 mod 9 hellip

a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9

ndash a b (mod n) d|n a b (mod d)

Zhijun Li S1034040Autumn08HIT 19

Congruence Relation

bull Congruence relation is an equivalence relationndash Reflexive

bull a andash Symmetric

bull a b b a ndash Transitive

bull a b b c a c

bull Equivalence relation Partition

Zhijun Li S1034040Autumn08HIT 20

Example Integers Modulo 7

bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence

Z7 residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

bull Definition if a b mod n and bltn b is called a residue of a modulo n

bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i

n the set satisfies bri mod n

bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele

ment is relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues Example

bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379

bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1

bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n

bull Proof Let a=q1n+r1 b=q2n+r2

bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n

ndash [(a mod n) (b mod n)] mod n = (ab) mod n

bull (+ ) (-)

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)

What

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )

NOT all elements in Z8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n

bull ((-a)+a+b) ((-a)+a+c) mod n

bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8

ndash When

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n

bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists

bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=

0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Euler's phi Function

• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)

• Proof
  – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – So φ(mn) = φ(m)·φ(n)

Finding Euler's phi Function

• φ(n) calculation for n = Π_{i=1}^{k} pi^{ei}

• φ(p) = p - 1;  φ(p^e) = p^e - p^{e-1}
  – The numbers in {1, …, p^e - 1} that share the factor p with p^e are k·p for k = 1, …, p^{e-1} - 1
  – So φ(p^e) = (p^e - 1) - (p^{e-1} - 1)

• φ(Π_{i=1}^{k} pi^{ei}) = Π_{i=1}^{k} (pi^{ei} - pi^{ei-1})

• φ(n) = n·(1 - 1/p1)(1 - 1/p2)…(1 - 1/pk)

Euler's Theorem

• Theorem: If gcd(a, n) = 1 then a^{φ(n)} ≡ 1 (mod n)

• Proof
  1. Let R = {r1, r2, …, r_{φ(n)}} be the reduced set of residues modulo n
  2. {a·r1, a·r2, …, a·r_{φ(n)}} is a permutation of R (gcd(a·ri, n) = 1)
  3. Π_{i=1}^{φ(n)} ri ≡ Π_{i=1}^{φ(n)} a·ri ≡ a^{φ(n)} · Π_{i=1}^{φ(n)} ri (mod n)
  4. gcd(Π_{i=1}^{φ(n)} ri, n) = 1. Hence a^{φ(n)} ≡ 1 (mod n)

Fermat's Little Theorem

• From Euler's Theorem: let n = p with p prime.
  Because gcd(a, p) = 1 for all 0 < a < p,
    a^{p-1} ≡ 1 (mod p)
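An added example (not from the slides) tying the last three slides together: φ(n) computed from the factorisation as Π(p^e - p^{e-1}), compared with a direct count of the reduced residues and with the multiplicative rule, then Euler's theorem and Fermat's special case checked, including step 2 of the proof (a·R is a permutation of R). The factorisation helper is trial division, adequate for the small constructed inputs.

```python
from math import gcd


def factorize(n):
    """Trial-division factorisation: returns {p: e} with n = prod p^e. Fine for small n."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Euler's phi via phi(p^e) = p^e - p^(e-1) for each prime power (phi(1) = 1)."""
    if n < 1:
        raise ValueError("phi is defined for n >= 1")
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def phi_by_counting(n):
    """Direct count of the reduced set of residues, |{x in 1..n : gcd(x, n) = 1}|."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def reduced_residues(n):
    return [x for x in range(1, n) if gcd(x, n) == 1]


def permutation_check(a, n):
    """Step 2 of the proof: multiplying R by a (mod n) only permutes R when gcd(a, n) = 1."""
    R = reduced_residues(n)
    return sorted(a * r % n for r in R) == R


def euler_holds(a, n):
    """a^phi(n) = 1 (mod n); False when gcd(a, n) != 1, where the theorem does not apply."""
    return gcd(a, n) == 1 and pow(a, phi(n), n) == 1


def fermat_holds(a, p):
    """Special case n = p prime: a^(p-1) = 1 (mod p) for 0 < a < p."""
    return 0 < a < p and pow(a, p - 1, p) == 1
```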

Finding a^{-1} mod n

• Search through 1, …, n-1 until an a^{-1} is found such that a·a^{-1} ≡ 1 (mod n)
  – T(n) = O(n)

• Compute a^{-1} = a^{φ(n)-1} mod n
  – Finding φ(n) requires factoring n
  – T(n) = O(n^a)

• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)

From Euclidean Algorithm

• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 - q1·r1 = s2·r0 + t2·r1
• r3 = r1 - q2·r2 = r1 - q2·(r0 - q1·r1) = s3·r0 + t3·r1
  ……
• r_{n-1} = s_{n-1}·r0 + t_{n-1}·r1

• r_{n-1} = gcd(r0, r1)
• s_{n-1}·r0 + t_{n-1}·r1 = 1 ⇒ t_{n-1}·r1 ≡ 1 (mod r0) ⇒ t_{n-1} ≡ r1^{-1} (mod r0)
• Find t_{n-1}

s_i and t_i

• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
  ……
• ri = r_{i-2} - q_{i-1}·r_{i-1} = s_{i-2}·r0 + t_{i-2}·r1 - q_{i-1}·s_{i-1}·r0 - q_{i-1}·t_{i-1}·r1 = si·r0 + ti·r1
    si = s_{i-2} - q_{i-1}·s_{i-1}
    ti = t_{i-2} - q_{i-1}·t_{i-1}

• Only ti is needed
• ri = si·r0 + ti·r1 ≡ ti·r1 (mod r0)

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a

Step 2: r0 = q1·r1 + r2, r2 = r0 - q1·r1 ≡ -q1·r1 (mod n); let x2 = -q1, then r2 ≡ x2·r1 (mod n)
        r1 = q2·r2 + r3, r3 = r1 - q2·r2 ≡ (1 - x2·q2)·r1 (mod n); let x3 = 1 - x2·q2, then r3 ≡ x3·r1 (mod n)
        ……
        r_{n-3} = q_{n-2}·r_{n-2} + r_{n-1}, r_{n-1} = r_{n-3} - q_{n-2}·r_{n-2} (mod n); let x_{n-1} = x_{n-3} - x_{n-2}·q_{n-2}, then r_{n-1} ≡ x_{n-1}·r1 (mod n). Now r_{n-1} = 1

Step 3: Result is x_{n-1} = a^{-1} mod n
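The three methods from the "Finding a^{-1} mod n" slide, as an added example (not code from the slides): exhaustive search, the Euler exponent a^{φ(n)-1}, and the extended Euclidean algorithm written exactly as the last three slides derive it, tracking only the t_i (called x_i on the final slide) with the invariant r_i ≡ t_i·a (mod n). The φ(n) used by the Euler method is a plain count; the inputs are constructed.

```python
from math import gcd


def inverse_by_search(a, n):
    """O(n): scan 1..n-1 for x with a*x = 1 (mod n); None when no inverse exists."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    return None


def inverse_by_euler(a, n):
    """a^{-1} = a^{phi(n)-1} mod n, valid only when gcd(a, n) = 1.
    phi(n) is counted directly here; for large n this step is the factoring cost."""
    if gcd(a, n) != 1:
        return None
    phi_n = sum(1 for x in range(1, n) if gcd(x, n) == 1)
    return pow(a, phi_n - 1, n)


def eea_trace(a, n):
    """Rows (r_i, t_i) of the extended Euclidean algorithm with r_0 = n, r_1 = a,
    t_0 = 0, t_1 = 1 and t_{i+1} = t_{i-1} - q_i * t_i. Each row satisfies r_i = t_i * a (mod n)."""
    rows = [(n, 0), (a % n, 1)]
    while rows[-1][0] != 0:
        (r_prev, t_prev), (r, t) = rows[-2], rows[-1]
        q = r_prev // r
        rows.append((r_prev - q * r, t_prev - q * t))
    return rows


def inverse_by_eea(a, n):
    """The row just before r_i hits 0 holds gcd(n, a); if that is 1, its t_i is a^{-1} mod n."""
    r_gcd, t_gcd = eea_trace(a, n)[-2]
    if r_gcd != 1:
        return None          # e.g. 6 in Z_8: gcd(6, 8) = 2, no inverse
    return t_gcd % n


def all_methods(a, n):
    """Return the three answers so they can be compared; they must always agree."""
    return inverse_by_search(a, n), inverse_by_euler(a, n), inverse_by_eea(a, n)


def invariant_holds(a, n):
    """Check r_i = t_i * a (mod n) on every row of the trace."""
    return all(r % n == (t * a) % n for r, t in eea_trace(a, n))
```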

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Algebraic Structures

• Why structures?
  – Cryptographic transforms are normally defined in some structures

• Definition: an algebraic structure is the collection of a set (S) with one or more operations (∘) performed on the elements of S
  – Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions

Group

• Definition: A group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c)
  – G3: (∃e ∈ S) ∀a ∈ S, a∘e = e∘a = a
  – G4: (∀a ∈ S) ∃a^{-1} ∈ S, a∘a^{-1} = a^{-1}∘a = e
  – [G5, Abelian group] ∀a, b, a∘b = b∘a

Group Example

• ⟨Z, +⟩: e = 0, a^{-1} = -a
• ⟨Z_n, +⟩ (Z_n = {0, 1, …, n-1}, '+' is addition modulo n): e = 0, a^{-1} = n - a
• ⟨Z_2, ⊕⟩ is also a group
• ⟨Z_p^*, ·⟩ (Z_p^* = {1, …, p-1}, '·' is multiplication modulo p)

Group Properties

• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange's Theorem: Proof

(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a = a·e ∈ aH). So the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of a Group Element

• Definition: The order of a group element a is the least positive integer n such that
    a^n = a∘a∘…∘a = e
• The order of a is denoted ord(a)
• Corollary: Suppose G is a finite group of order n and a ∈ G; then ord(a) | n

ord(a) | n: Proof

• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operator of G forms a subgroup of G
    a^{ord(a)} = e, (a^i)^{-1} = a^{ord(a) - i}
  – This subgroup is denoted ⟨a⟩; it has ord(a) elements, so by Lagrange's theorem ord(a) divides the order n of G

The Generator of a Group

• Definition: If all elements of a group can be generated by a single element g, g is called a generator of the group

• Example
  – Consider ⟨Z_7^*, ·⟩
  – 2 generates: 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), …
    • ⟨2⟩ = {1, 2, 4} is a subgroup
  – 3 generates: 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator

Ring

• Definition: A ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S, a+b ∈ S, a·b ∈ S (closure rule)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: ∀a, b, c ∈ S, (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S, a·(b+c) = a·b + a·c

• Example
  – The set of even integers with + and · is a ring
  – p, q two primes, n = pq: Z_n = {0, 1, …, n-1} with addition and multiplication mod n is a ring

Field

• Definition: A field F is ⟨S, +, ·⟩ with
  – F1: ⟨S, +, ·⟩ is a commutative ring (a·b = b·a)
  – F2: There exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: Any nonzero element a ∈ S has a unique inverse a^{-1}: a·a^{-1} = a^{-1}·a = 1

• Example
  – Z_n = ⟨{0, 1, …, n-1}, +, ·⟩ is a field if n is prime

Relationship

  Group: +, -
  Ring: +, -, ×
  Field: +, -, ×, ÷
  (Used in cryptography)

Several Important Structures

• Z_n
• Z_n^*
• Z_p
• Polynomial Rings
• Galois Field F_{2^n}

Z_n

• Z_n is the "ring" of integers modulo n
  – Z_n = {0, 1, 2, …, n-1}
  – Normal addition modulo n
  – Normal multiplication modulo n

• Example
  – Z_26 for English
  – Z_256 for ASCII

Z_n Properties

• Additive and multiplicative identities in Z_n
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n

• Additive inverse: Yes
  – For every x in Z_n there is a number y such that x + y = 0

• Multiplicative inverse: Not for all x
  – A number y such that x·y = 1, for x in Z_n
  – The elements in Z_n that have an inverse: {x | gcd(x, n) = 1}

Z_n^*

• Z_n^* is a "group" of integers modulo n
  – Z_n^* = {x | gcd(x, n) = 1}
  – |Z_n^*| = φ(n)
  – Normal multiplication modulo n

• Z_n^* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Z_n^* but 3 + 5 = 8 ∉ Z_n^*

• So Z_n^* may not be a field

Z_p

• Z_p is the "field" of integers modulo p
  – Z_p = {0, 1, 2, …, p-1}
  – Normal addition modulo p
  – Normal multiplication modulo p

• Example: Z_2

    +  | 0 1        ·  | 0 1        w | -w | w^{-1}
    ---+-----       ---+-----       --+----+-------
    0  | 0 1        0  | 0 0        0 |  0 |   -
    1  | 1 0        1  | 0 1        1 |  1 |   1

    (+ is XOR, · is AND)

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n-1} x^{n-1} + … + a_1 x + a_0 where each a_i ∈ R and n ≥ 0

• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z_2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) - b(x))

• Example
  – In Z_5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod (x^2 + 1)
    • 3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)

• Definition: If a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^{-1}(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)

• Definition: a polynomial a(x) is irreducible over R if there is NO nonconstant polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z_2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z_2[x], f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 mod p(x) = x(x+1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z_2[x]/(x^3 + x + 1) Properties

• S is a group over addition in R
  – 0 is e and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0

• S (excluding 0) is a group over multiplication mod p(x)
  – 1 is e and the inverse of every nonzero a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod (x^3 + x + 1) = 1
  – Note: the Extended Euclidean Algorithm can be used to find it

• Z_2[x]/(x^3 + x + 1) is a Field

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is the field Z_N (N is prime)
  – + is addition in F; · is multiplication modulo p(x)
  – p(x) is irreducible

• The Galois field over Z_N[x]/p(x) is denoted GF(N^n) where n = deg p(x)

Why Galois Field

• For an 8-bit block
  – Z_256 = {0, 1, …, 255} is not a field
  – Z_251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted

• Is it possible to find a field for Z_256?
  – Yes: Galois Field

Galois Field for Z_256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
    10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z_2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z_2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^{-1} ↔ (x^6 + x^4 + x + 1)^{-1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: 02 · 87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ x
  • 02 · 87 ↔ x·f(x) = x·(x^7 + x^2 + x + 1) mod p(x) = x^8 + x·(x^2 + x + 1) mod p(x)
    = (x^4 + x^3 + x + 1) + (x^3 + x^2 + x) = x^4 + x^2 + 1 ↔ 00010101

• In general, for b = b7 b6 b5 b4 b3 b2 b1 b0:
    x·f(x) (= 02 · b) = (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
                      = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1
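Arithmetic in Z_2[x]/p(x) with polynomials stored as bit vectors (bit i is the coefficient of x^i, as in the block-to-polynomial mapping above), as an added example that is not code from the slides or from AES itself. It covers the polynomial-ring slides through the AES ones: the Z_2[x]/(x^3+x+1) examples, the inverse of 01010011, the 02·87 product and the shift/XOR rule, and it also shows what goes wrong when p(x) is reducible.

```python
def poly_degree(a):
    """Degree of the polynomial with bit vector a (bit i <-> x^i); -1 for the zero polynomial."""
    return a.bit_length() - 1


def poly_mul(a, b):
    """Carry-less product in Z_2[x], without reduction."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_divmod(a, b):
    """Long division in Z_2[x]: returns (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, poly_degree(b)
    while a and poly_degree(a) >= db:
        shift = poly_degree(a) - db
        q ^= 1 << shift
        a ^= b << shift          # subtracting b * x^shift cancels the leading term (minus is XOR)
    return q, a


def gf_add(a, b):
    """Addition in Z_2[x]/p(x) is coefficient-wise XOR; every element is its own additive inverse."""
    return a ^ b


def gf_mul(a, b, p):
    """Multiplication modulo p(x)."""
    return poly_divmod(poly_mul(a, b), p)[1]


def gf_inv(a, p):
    """Extended Euclid over Z_2[x], tracking t_i with r_i = t_i * a (mod p), as for integers."""
    r_prev, r = p, poly_divmod(a, p)[1]
    t_prev, t = 0, 1
    while r:
        q, rem = poly_divmod(r_prev, r)
        r_prev, r = r, rem
        t_prev, t = t, t_prev ^ poly_mul(q, t)   # t_{i+1} = t_{i-1} - q_i * t_i
    if r_prev != 1:                              # gcd(a, p) != 1: a = 0 or p(x) reducible
        raise ValueError("no inverse: a = 0 or p(x) is not irreducible")
    return poly_divmod(t_prev, p)[1]


def xtime(b):
    """AES '02 * b' for an 8-bit b: shift left, XOR 00011011 when the dropped bit b7 was 1."""
    shifted = (b << 1) & 0xFF
    return shifted ^ 0x1B if b & 0x80 else shifted


P3 = 0b1011        # x^3 + x + 1, the slides' small example
AES_P = 0x11B      # x^8 + x^4 + x^3 + x + 1, the AES polynomial


def all_nonzero_invertible(p):
    """True iff every nonzero residue has an inverse, i.e. Z_2[x]/p(x) is a field."""
    try:
        return all(gf_mul(a, gf_inv(a, p), p) == 1 for a in range(1, 1 << poly_degree(p)))
    except ValueError:
        return False
```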

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ M}

[Figure: Sender, m, Encryption, c, Decryption, m, Receiver; key k from the Key Space (K) delivered over a Secure Channel; Cryptanalysis observes c. Message Space (P), Ciphertext Space (C)]

Claude Shannon (1916-2001)

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." (R. G. Gallager)

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k]·Pr[P = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c] = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
    = (Pr(m) · Σ_{k | m = d_k(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k)·Pr(d_k(c)))

Shannon Security

• Basic Idea: Ciphertext should provide no "information" about Plaintext
  – How to define the "information"?

• Definition: An encryption scheme is Shannon secure if the probability distribution of P is unchanged by observing C:
    ∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
  • Also say such a scheme has perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and ∀x ∈ P and ∀y ∈ C there is a unique key k such that e_k(x) = y

Proof of ⇐

• Pr[x = x | y = y] = Σ_{k ∈ K, x = d_k(y)} Pr[K = k]·Pr[x = x] / Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = d_k(y)]
• Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K| (exactly one key maps x to y, each with probability 1/|K|)
• Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = d_k(y)] = 1/|K| · Σ_{k ∈ K, y ∈ C(k)} Pr[x = d_k(y)] = 1/|K| · Σ_{x ∈ P} Pr[x = x] = 1/|K|
• Hence Pr[x = x | y = y] = Pr[x = x]

Proof of ⇒ (1)

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• For fixed x ∈ P, y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – There is a unique key k such that e_k(x) = y

Proof of ⇒ (2)

• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, assume k1, k2, …, kn where e_{ki}(xi) = y
• Pr[xi | y] = Pr[y | xi]·Pr[xi] / Pr[y] = Pr[K = ki]·Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
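The formulas for Pr[C = c] and Pr[P = m | C = c] from the probability slide, applied to a constructed shift cipher over Z_3 to test the Shannon condition, as an added example that is not code from the slides. It exercises the perfect secrecy theorem (uniform keys pass, a biased key distribution fails) and the "bad news" theorem (a key space smaller than P fails). The plaintext distribution is constructed; exact fractions are used so the equality test is exact.

```python
from fractions import Fraction as F
from itertools import product

N = 3  # toy alphabet: P = C = Z_3; the full key space K = Z_3 gives |K| = |P| = |C|


def enc(k, m):
    return (m + k) % N


def dec(k, c):
    return (c - k) % N


def pr_c(c, pr_m, pr_k):
    """Pr[C = c] = sum over k in K with c in C(k) of Pr[K = k] * Pr[P = d_k(c)].
    For a shift cipher every c lies in C(k), so the sum runs over all keys in pr_k."""
    return sum(pr_k[k] * pr_m[dec(k, c)] for k in pr_k)


def pr_c_given_m(c, m, pr_k):
    """Pr[C = c | P = m] = sum over k with m = d_k(c) of Pr[K = k]."""
    return sum(pr_k[k] for k in pr_k if dec(k, c) == m)


def posterior(m, c, pr_m, pr_k):
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c]."""
    return pr_c_given_m(c, m, pr_k) * pr_m[m] / pr_c(c, pr_m, pr_k)


def perfectly_secret(pr_m, pr_k):
    """Shannon's condition: Pr[P = m] = Pr[P = m | C = c] for every m and every c with Pr[C = c] > 0."""
    return all(posterior(m, c, pr_m, pr_k) == pr_m[m]
               for m, c in product(range(N), repeat=2)
               if pr_c(c, pr_m, pr_k) > 0)


def unique_key_per_pair(keys):
    """Theorem condition: for each (x, y) exactly one k in keys with e_k(x) = y."""
    return all(sum(1 for k in keys if enc(k, x) == y) == 1
               for x, y in product(range(N), repeat=2))


# Constructed, deliberately non-uniform plaintext distribution
PR_M = {0: F(1, 2), 1: F(1, 3), 2: F(1, 6)}
UNIFORM_KEYS = {0: F(1, 3), 1: F(1, 3), 2: F(1, 3)}
BIASED_KEYS = {0: F(1, 2), 1: F(1, 4), 2: F(1, 4)}
TWO_KEYS = {0: F(1, 2), 1: F(1, 2)}            # |K| = 2 < |P| = 3
```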

Introduction of the Complexity

• Perfect secrecy ⇒ key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Means that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is a transition function S × B → S × B × {l, r}
  – where S is the set of states, B is the set of characters, l is shift left, r is shift right

[Figure: tape … 0 1 1 0 0 0 1 1 … read by a State Machine]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

[Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]

Complexity of Algorithm

• Definition: The time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problems

• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem

• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: AB
  – NP – can be solved in polynomial time using an NDTM (transition function S × B → 2^S)
  – BPP – can be "solved" in polynomial time using a PTM, S × B × {0, 1} → S (randomized algorithms)

NP Problem

• NP ⊇ P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P Problem ⊆ NP Problem
  – NP Problems are "more difficult" by intuition

• NPC: The most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered as easy problems

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP and I1^+ and I2^+ are all their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1^+ iff f(x) ∈ I2^+

• Note
  – Q2 is more complex than Q1
  – Denoted Q1 ≤_poly Q2

NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?

• How to prove a problem Q ∈ NPC?
  – SAT ≤_poly Q

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?

• If P = NP
  – Modern cryptography is NOT secure

• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

BPP

• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms

• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: Factorize n (= p1^{e1} p2^{e2} … pk^{ek})
• DLP: Find x satisfying α^x ≡ β (mod p)
• DHP: Find α^{ab} (mod p) from α^a (mod p) and α^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of Semantic Security
  – Between Shannon security and security based on complexity
  – Leak partial information
  – Approximate perfect secrecy

• Definition of Semantic Security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

  Challenger                        Adversary
  picks random k and
  picks random b ∈ {0, 1}
                                    picks M0, M1 of equal length
                   ← M0, M1
                   → e_k(M_b)
                                    outputs b'
  Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

  Challenger                        Adversary
  1. Picks random k
  2. Picks random M
                                    3. Picks i
                   → e_k(M)
                                    outputs a
  Attacker wins the game if a = the i-th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
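The two games and the reduction in the proof, as an added example that is not code from the slides: the IND-CPA adversary built from a bit-security attacker chooses M0 and M1 that differ only in the attacker's bit i and outputs b' = a, so it wins exactly when the bit attacker does. Both ciphers are constructed toys on 8-bit messages (a one-time XOR pad, and the same pad with key bit 0 forced to 0 so that bit 0 of M leaks); the games are the eavesdropper versions drawn on the slides, with no oracle queries, and the adversaries are hypothetical.

```python
import random

BITS = 8


class OneTimeXor:
    """Toy cipher: c = m XOR k with a uniform 8-bit key, used once per game."""
    @staticmethod
    def keygen(rng):
        return rng.randrange(1 << BITS)

    @staticmethod
    def encrypt(k, m):
        return m ^ k


class LeakyXor(OneTimeXor):
    """Same cipher, but bit 0 of the key is always 0, so bit 0 of m shows through in c."""
    @staticmethod
    def keygen(rng):
        return rng.randrange(1 << BITS) & ~1


class Bit0Attacker:
    """Bit-security adversary (hypothetical): asks for i = 0 and reads that bit off c."""
    def choose_bit(self):
        return 0

    def guess_bit(self, c):
        return c & 1


class IndCpaFromBitAttacker:
    """The reduction from the slide: M0 and M1 differ only in bit i, then b' = a."""
    def __init__(self, bit_attacker, rng):
        self.bit_attacker = bit_attacker
        self.rng = rng

    def choose_messages(self):
        i = self.bit_attacker.choose_bit()
        base = self.rng.randrange(1 << BITS) & ~(1 << i)    # bit i cleared
        return base, base | (1 << i)                         # M0 has bit i = 0, M1 has bit i = 1

    def guess(self, c):
        return self.bit_attacker.guess_bit(c)                # bit i of M_b equals b


def ind_cpa_game(cipher, adversary, rng):
    """Challenger picks k and b; adversary picks M0, M1, sees e_k(M_b), outputs b'."""
    k = cipher.keygen(rng)
    b = rng.randrange(2)
    m0, m1 = adversary.choose_messages()
    c = cipher.encrypt(k, (m0, m1)[b])
    return adversary.guess(c) == b


def bit_game(cipher, bit_attacker, rng):
    """Challenger picks k and M; adversary picks i, sees e_k(M), outputs the i-th bit."""
    k = cipher.keygen(rng)
    m = rng.randrange(1 << BITS)
    i = bit_attacker.choose_bit()
    c = cipher.encrypt(k, m)
    return bit_attacker.guess_bit(c) == (m >> i) & 1


def win_rate(play, trials=2000, seed=1):
    """Fraction of games won; seeded so the constructed experiment is repeatable."""
    rng = random.Random(seed)
    return sum(play(rng) for _ in range(trials)) / trials


def bit_win_rate(cipher):
    return win_rate(lambda rng: bit_game(cipher, Bit0Attacker(), rng))


def ind_cpa_win_rate(cipher):
    return win_rate(lambda rng: ind_cpa_game(cipher, IndCpaFromBitAttacker(Bit0Attacker(), rng), rng))
```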

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Z_n, Z_p, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 6

bull Theorem(Fundamental Theorem of Arithmetic)

nN n= p1e1 p2

e2hellippkek ( or piP pei)

where ep is the exponent of the prime factor p

bull Note the result of factorization is uniquebull Example 84=2237

Factorizing in Product of Primes

Zhijun Li S1034040Autumn08HIT 7

Primes Amount

bull Theorem There are infinitely many primes

bull Proof (by contradiction) Assume Pmax build a number N is

N=P1P2hellipPmax+1

N can not be represented as P1e

1 P2e

2 hellip Pmaxe

max Therefore N is a new prime

Zhijun Li S1034040Autumn08HIT 8

Primes Density

(x) is a function gives the number of all primes contained in lt1xgt

(x)xln(x)

bull Gauss (x)xln(x)bull Legendre (x)x(ln(x)-108366) bull Hadamard de la Vallee-Poussion

((x)ln(x)x)x = 1

Zhijun Li S1034040Autumn08HIT 9

Greatest Common Divisor

bull Definition the greatest common divisor(GCD) is the number c

c=gcd(ab)=maxd|d|ad|bbull Properties

ndash d|n1d|n2hellipd|nk d|gcd(n1n2hellipnk)ndash gcd(ab) = gcd(b a mod b)

bull a mod b = r = a-qb 0ltrltb bull Hint a|b b|a a = b

bull Definition if gcd(ab)=1 then a and b are relatively prime(coprime)

Zhijun Li S1034040Autumn08HIT 10

Finding GCD

bull Theorem a=i pi

ai b=i pi

bi

gcd(ab)= i pi

min(ai bi)

bull Example

a=882=2 32 72

b=3465=33 5 7 11

gcd(ab)= 32 7 = 63

bull Complexityndash Need factoring the a and b ndash T(n) = O(cO(n))

Zhijun Li S1034040Autumn08HIT 11

Euclidean Algorithm Example

1970 = 1 x 1066 + 904 gcd(1066 904)1066 = 1 x 904 + 162 gcd(904 162)904 = 5 x 162 + 94 gcd(162 94)162 = 1 x 94 + 68 gcd(94 68)94 = 1 x 68 + 26 gcd(68 26)68 = 2 x 26 + 16 gcd(26 16)26 = 1 x 16 + 10 gcd(16 10)16 = 1 x 10 + 6 gcd(10 6)10 = 1 x 6 + 4 gcd(6 4)6 = 1 x 4 + 2 gcd(4 2)4 = 2 x 2 + 0 gcd(2 0)

GCD(19701066)

Zhijun Li S1034040Autumn08HIT 12

Euclidean Algorithm

bull Step 1 r0 =a and r1 =b

bull Step 2 r0 =q1r1+ r2

r1 =q2r2+ r3

helliphellip

rn-2 = qn-1rn-1+ rn

until rn=0 and rn-1 0

bull Step 3 rn-1 = gcd(ab)

Zhijun Li S1034040Autumn08HIT 13

Euclidean Algorithm Proof

bull rn = 0 rn-1| rn-2

rn-1| rn-3 hellip rn-1| a and rn-1| b

rn-1| gcd(ab)

bull gcd(ab)| r0 and gcd(ab)|r1

gcd(ab) | r0 ndash q1r1 gcd(ab)| r2

hellip gcd(ab) | rn-1

bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1

Zhijun Li S1034040Autumn08HIT 14

Euclidean Algorithm Complexity

bull Time Complexityndash Iteration

bull Each rigt1 iteration = O(log2a)

ndash Division

bull O(log22a)

ndash T(n)=O(log32n)

Zhijun Li S1034040Autumn08HIT 15

Modular Arithmetic

bull Why modular arithmetic

01100hellip0100

Plaintext 2n

11010hellip0111

Ciphertext 2n

+ addition multiplication

Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite

Zhijun Li S1034040Autumn08HIT 16

Modular Operation

bull Definition a mod n(modulo operator) is the remainder when a is divided by n

bull a mod n is r a=qn+r (0ltrltn)

Zhijun Li S1034040Autumn08HIT 17

Congruence Modulo n

bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)

Zhijun Li S1034040Autumn08HIT 18

Congruence Properties

bull Propertiesndash a b (mod n) c d (mod n)

a+c b+d (mod n)

ac bd (mod n)ndash Example

10 1 mod 9 102 1 mod 9 hellip

a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9

ndash a b (mod n) d|n a b (mod d)

Zhijun Li S1034040Autumn08HIT 19

Congruence Relation

bull Congruence relation is an equivalence relationndash Reflexive

bull a andash Symmetric

bull a b b a ndash Transitive

bull a b b c a c

bull Equivalence relation Partition

Zhijun Li S1034040Autumn08HIT 20

Example Integers Modulo 7

bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence

Z7 residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

bull Definition if a b mod n and bltn b is called a residue of a modulo n

bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i

n the set satisfies bri mod n

bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele

ment is relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues Example

bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379

bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1

bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n

bull Proof Let a=q1n+r1 b=q2n+r2

bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n

ndash [(a mod n) (b mod n)] mod n = (ab) mod n

bull (+ ) (-)

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)

What

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )

NOT all elements in Z8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n

bull ((-a)+a+b) ((-a)+a+c) mod n

bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8

ndash When

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n

bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists

bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=

0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

Algebraic Structures

• Why structures? – Cryptographic transforms are normally carried out in some structure
• Definition: an algebraic structure is the collection of a set (S) with one (or more) operations (∘) performed on the elements of S – Different algebraic structures are <S, ∘> satisfying some specific conditions

Group

• Definition: A group G = <S, ∘> is an algebraic structure that satisfies the following conditions
– G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
– G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c)
– G3: ∃e ∈ S such that ∀a ∈ S, a∘e = e∘a = a
– G4: ∀a ∈ S, ∃a^-1 ∈ S such that a∘a^-1 = a^-1∘a = e
– [G5, Abelian group]: ∀a, b ∈ S, a∘b = b∘a

Group Example

• <Z, +>: e = 0, a^-1 = −a
• <Z_n, +> (Z_n = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a^-1 = n − a
• <Z_2, ⊕> (addition modulo 2, i.e. XOR) is also a group
• <Z_p*, ·> (Z_p* = {1, …, p−1}, '·' is multiplication modulo p)

Group Properties

• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G_1 = <S_1, ∘> is a subgroup of the group G = <S, ∘> if S_1 ⊆ S
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange Theorem Proof

(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH, since e ∈ H). So all the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of Group Element

• Definition: The order of a group element a is defined as the least positive integer n such that a^n = a∘a∘…∘a = e
• The order of a is denoted as ord(a)
• Corollary: Suppose G is a finite group whose order is n and a ∈ G, then ord(a) | n

ord(a)|n Proof

• Proof – For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} together with the operator of G forms a subgroup of G: a^ord(a) = e, (a^i)^-1 = a^(ord(a)−i)
– This subgroup is denoted as <a>

The Generator of Group

• Definition: A group all of whose elements can be generated by a single element g; g is called the generator of the group
• Example – Considering <Z_7*, ·>
– 2 generates: 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, … • <{1, 2, 4}> is a subgroup
– 3 generates: 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, … • 3 is the generator
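Added example (not from the slides): computing ord(a), the cyclic subgroup <a> and the generators of Z_p* by brute force, and checking the corollary ord(a) | |G| for every element. It reproduces the Z_7* example above and works for any small prime p; the function names are mine.

```python
# Element orders, cyclic subgroups and generators in Z_p* (p prime).
# Brute force is fine for classroom-sized p; it is only meant to make the
# definitions concrete, not to be a production group-theory library.

def element_order(a: int, p: int) -> int:
    """ord(a): least k >= 1 with a^k ≡ 1 (mod p), for a in Z_p* = {1, ..., p-1}."""
    if a % p == 0:
        raise ValueError("0 is not an element of Z_p*")
    k, power = 1, a % p
    while power != 1:
        power = (power * a) % p
        k += 1
    return k


def generated_subgroup(a: int, p: int) -> list[int]:
    """<a> = {a^1, a^2, ..., a^ord(a)} as a sorted list."""
    elems, power = set(), 1
    for _ in range(element_order(a, p)):
        power = (power * a) % p
        elems.add(power)
    return sorted(elems)


def order_table(p: int) -> dict[int, int]:
    """ord(a) for every a in Z_p*; each value must divide |Z_p*| = p - 1."""
    return {a: element_order(a, p) for a in range(1, p)}


def generators(p: int) -> list[int]:
    """Elements g with ord(g) = p - 1: <g> is the whole group."""
    return [g for g in range(1, p) if element_order(g, p) == p - 1]


def lagrange_holds(p: int) -> bool:
    """Corollary of Lagrange: the order of every cyclic subgroup <a> divides p - 1."""
    return all((p - 1) % len(generated_subgroup(a, p)) == 0 for a in range(1, p))


if __name__ == "__main__":
    print("orders in Z_7*:", order_table(7))        # {1: 1, 2: 3, 3: 6, 4: 3, 5: 6, 6: 2}
    print("<2> =", generated_subgroup(2, 7))         # [1, 2, 4], a subgroup of order 3
    print("generators of Z_7*:", generators(7))      # [3, 5]
```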

Ring

• Definition: A ring R = <S, +, ·> (+ is addition, · is multiplication) such that
– R1: ∀a, b ∈ S, a+b ∈ S and a·b ∈ S (closure rule)
– R2: <S, +> is an additive Abelian group
– R3: ∀a, b, c ∈ S, (a·b)·c = a·(b·c)
– R4: ∀a, b, c ∈ S, a·(b+c) = a·b + a·c
• Example – The set of even integers with + and · is a ring – p, q are two primes and n = pq: Z_n = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Field

• Definition: A field F is <S, +, ·> with
– F1: <S, +, ·> is a commutative ring (a·b = b·a)
– F2: there exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
– F3: any nonzero element a ∈ S has its unique inverse a^-1: a·a^-1 = a^-1·a = 1
• Example – Z_n = <{0, 1, …, n−1}, +, ·> is a field if n is a prime

Relationship

(Diagram: nested structures used in cryptography: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷))

Several Important Structures

• Z_n
• Z_n*
• Z_p
• Polynomial Rings
• Galois Field F_{2^n}

Z_n

• Z_n is the "ring" of integers modulo n
– Z_n = {0, 1, 2, …, n−1}
– Normal addition modulo n – Normal multiplication modulo n
• Example
– Z_26 for English
– Z_256 for ASCII

Z_n Properties

• Additive and multiplicative identities in Z_n
– Additive identity is 0 mod n – Multiplicative identity is 1 mod n
• Additive inverse: yes, always – For each x in Z_n there is a number y such that x + y = 0
• Multiplicative inverse: not for all x – A number y such that x·y = 1 exists only for some x in Z_n
– The elements in Z_n that have an inverse: {x | gcd(x, n) = 1}

Z_n*

• Z_n* is a "group" of integers modulo n
– Z_n* = {x | gcd(x, n) = 1}
– |Z_n*| = φ(n)
– Normal multiplication modulo n
• Z_n* may not be a group over +
– Example: n = 20, 3, 5 ∈ Z_n* but 3 + 5 = 8 ∉ Z_n*
• So Z_n* may not be a field

Z_p

• Z_p is the "field" of integers modulo p
– Z_p = {0, 1, 2, …, p−1}
– Normal addition modulo p – Normal multiplication modulo p
• Example: Z_2

  +  | 0  1
  ---+------
  0  | 0  1
  1  | 1  0
  (addition is XOR)

  ·  | 0  1
  ---+------
  0  | 0  0
  1  | 0  1
  (multiplication is AND)

  w | −w | w^-1
  --+----+-----
  0 | 0  | (none)
  1 | 1  | 1

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n-1} x^{n-1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements in Z_2[x]
– f(x) + g(x) = x^3 + x^2 + 1
– f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
– f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)

• Definition: A set of residues modulo p(x) of R[x] is the set R[x] mod p(x) – p(x) is an irreducible polynomial over R
• A set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
– In Z_5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1 • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^-1(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted as b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) such that b(x) | a(x)

Example [Z_2(x)]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1} • p(x) = x^3 + x + 1
• For any f(x) ∈ Z_2[x], f(x) mod p(x) ∈ S
• Example – x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

[Z_2(x)]/(x^3 + x + 1) Properties

• S is a group over addition in R – 0 is e and the inverse of a ∈ S is a itself – Example: (x^2 + 1) + (x^2 + 1) = 0
• The nonzero elements of S form a group over multiplication mod p(x) – 1 is e and the inverse of each such a exists – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1 – Note: the Extended Euclidean Algorithm can be used to find the inverse
• [Z_2(x)]/(x^3 + x + 1) is a Field

Galois Field

• Definition: Galois field = (S, +, ·) – S = F[x]/p(x) – F is a field Z_N (N is prime) – + is addition in F, · is multiplication modulo p(x) – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted as GF(N^n) when n = deg p(x)

Why Galois Field

• For an 8-bit block
– Z_256 = {0, 1, …, 255} is not a field
– Z_251 = {0, 1, …, 250} is a field • The largest prime < 256 is 251 • 251…255 are wasted
• Is it possible to find a field for Z_256?
– Yes – the Galois Field

Galois Field for Z_256

• Build a mapping from an n-bit block to polynomials • Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z_2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z_2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example – 01010011 ↔ x^6 + x^4 + x + 1 – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example • 02·87 = ? • 87 = 10000111, f(x) = x^7 + x^2 + x + 1 • 02 = 00000010, f(x) = x • 02·87 = x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, x·f(x) = 02·(b7 b6 b5 b4 b3 b2 b1 b0) =
  (b6 b5 b4 b3 b2 b1 b0 0) if b7 = 0
  (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011) if b7 = 1
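Added example (not from the slides): GF(2^n) arithmetic on bit-packed polynomials, serving both the [Z_2(x)]/(x^3 + x + 1) example and the AES GF(2^8) examples above (the reduction x^4 + 1 mod p(x), the inverse of 01010011, and 02·87 via the shift-and-conditional-XOR rule). The function names `poly_str`, `gf_reduce`, `gf_mul`, `gf_pow`, `gf_inv` and `xtime` are mine.

```python
# Polynomials over Z_2 are packed into integers: bit d set <=> term x^d present.
# Addition is XOR; multiplication is carry-less multiplication followed by
# reduction modulo the irreducible p(x) of degree n (also packed, bit n set).

AES_POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial
SMALL_POLY = 0b1011       # x^3 + x + 1, the slide's [Z_2(x)]/(x^3+x+1) example


def poly_str(v: int) -> str:
    """Render a packed polynomial as on the slides, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    if v == 0:
        return "0"
    terms = []
    for d in range(v.bit_length() - 1, -1, -1):
        if v >> d & 1:
            terms.append("1" if d == 0 else "x" if d == 1 else f"x^{d}")
    return " + ".join(terms)


def gf_reduce(v: int, poly: int, n: int) -> int:
    """v mod poly, where deg poly = n: cancel each term of degree >= n from the top."""
    for d in range(v.bit_length() - 1, n - 1, -1):
        if v >> d & 1:
            v ^= poly << (d - n)          # subtract (= XOR) x^(d-n) * p(x)
    return v


def gf_mul(a: int, b: int, poly: int, n: int) -> int:
    """a(x) * b(x) mod p(x) in GF(2^n)."""
    prod = 0
    while b:
        if b & 1:
            prod ^= a                     # add a(x) * x^i for each set bit i of b
        a <<= 1
        b >>= 1
    return gf_reduce(prod, poly, n)


def gf_pow(a: int, e: int, poly: int, n: int) -> int:
    """a(x)^e mod p(x) by square-and-multiply."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, poly, n)
        a = gf_mul(a, a, poly, n)
        e >>= 1
    return result


def gf_inv(a: int, poly: int, n: int) -> int:
    """a^-1 in GF(2^n): the nonzero elements form a group of order 2^n - 1,
    so a^(2^n - 1) = 1 and therefore a^(2^n - 2) = a^-1 (Lagrange / Euler)."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    return gf_pow(a, (1 << n) - 2, poly, n)


def xtime(b: int) -> int:
    """AES 'multiply by 02' exactly as written on the slide: shift left, and
    XOR 00011011 when the dropped bit b7 was 1."""
    shifted = (b << 1) & 0xFF
    return shifted ^ 0x1B if b & 0x80 else shifted


if __name__ == "__main__":
    print("x^4+1 mod x^3+x+1 =", poly_str(gf_reduce(0b10001, SMALL_POLY, 3)))   # x^2 + x + 1
    print("(x^2+1)*x mod x^3+x+1 =", gf_mul(0b101, 0b010, SMALL_POLY, 3))      # 1
    print("inverse of 0x53 in AES field = 0x%02X" % gf_inv(0x53, AES_POLY, 8))  # 0xCA
    print("02*87 = 0x%02X (xtime gives 0x%02X)" % (gf_mul(2, 0x87, AES_POLY, 8), xtime(0x87)))
```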

Outline

• Number Theory – Prime Numbers – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography – Information Theory – Complexity of Computing – Semantic Security

Mathematical Model for Ciphers

• P = M^L = {m = (m_1, m_2, …, m_L) | m_i ∈ M} – M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1
• K = B^R = {b = (b_1, b_2, …, b_R) | b_i ∈ B} – B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ M}

(Diagram: Sender → Encryption (m → c) → Decryption → Receiver; the key k reaches both sides over a Secure Channel; Cryptanalysis observes c. Key Space (K), Message Space (P), Ciphertext Space (C))

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." – R. G. Gallager

Claude Shannon, 1916–2001

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k]·Pr[P = d_k(c)]
– C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
  = (Pr(m)·Σ_{k | m = d_k(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k)·Pr(d_k(c)))

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for any probability distribution of P, ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c] • Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if – every key is used with equal probability 1/|K| – and ∀x ∈ P and ∀y ∈ C there is a unique key k such that e_k(x) = y

Proof of ⇐

• Pr[x = x | y = y] = (Σ_{k ∈ K, x = d_k(y)} Pr[K = k]·Pr[x = x]) / (Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = d_k(y)])
  Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|
  Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = d_k(y)] = (1/|K|)·Σ_{k ∈ K, y ∈ C(k)} Pr[x = d_k(y)] = (1/|K|)·Σ_{x ∈ P} Pr[x = x] = 1/|K|

Proof of ⇒ (unique key)

• Pr[y] > 0 • Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
– There are no k_1 ≠ k_2 with e_{k_1}(x) = e_{k_2}(x)
– There is a unique key k such that e_k(x) = y

Proof of ⇒ (equal probability)

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Given a fixed y, assume k_1, k_2, …, k_n where e_{k_i}(x_i) = y
• Pr[x_i | y] = Pr[y | x_i]·Pr[x_i] / Pr[y] = Pr[K = k_i]·Pr[x_i] / Pr[y]
• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y] – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof – Consider a nonzero probability distribution of P – Given any C = c, for every m
  Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
– As one key can decrypt c into only one message, at least n keys are needed
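Added example (not from the slides): the posterior Pr[P = m | C = c] computed exactly by the formulas above for the shift cipher on Z_n, used to check Shannon's condition and the theorem's "unique key for every (x, y)" condition; it shows the uniform-key case passing and both a skewed key distribution and a key space smaller than n (the "bad news" theorem) failing. The names `shift_encrypt`, `posteriors`, `is_perfectly_secret`, `unique_key_per_pair` and `uniform` are mine.

```python
from fractions import Fraction as F


def shift_encrypt(k: int, m: int, n: int) -> int:
    """e_k(m) = m + k mod n on P = C = Z_n (the shift cipher)."""
    return (m + k) % n


def posteriors(n, key_prob, msg_prob, enc=shift_encrypt):
    """Pr[C = c] and Pr[P = m | C = c] following the slide formulas, with exact Fractions.

    Pr[C = c]      = Σ_{k, m : e_k(m) = c} Pr[K = k] · Pr[P = m]
    Pr[P = m|C = c] = Pr[P = m, C = c] / Pr[C = c]
    key_prob / msg_prob map k -> Pr[K = k] and m -> Pr[P = m].
    """
    pc, joint = {}, {}
    for k, pk in key_prob.items():
        for m, pm in msg_prob.items():
            c = enc(k, m, n)
            pc[c] = pc.get(c, F(0)) + pk * pm
            joint[(m, c)] = joint.get((m, c), F(0)) + pk * pm
    post = {(m, c): w / pc[c] for (m, c), w in joint.items() if pc[c] > 0}
    return pc, post


def is_perfectly_secret(n, key_prob, msg_prob, enc=shift_encrypt) -> bool:
    """Shannon's condition: Pr[P = m | C = c] = Pr[P = m] for all m and all c with Pr[C = c] > 0.
    A missing (m, c) pair means no key maps m to c, i.e. posterior 0."""
    pc, post = posteriors(n, key_prob, msg_prob, enc)
    return all(post.get((m, c), F(0)) == pm
               for c, p_c in pc.items() if p_c > 0
               for m, pm in msg_prob.items())


def unique_key_per_pair(n, keys, enc=shift_encrypt) -> bool:
    """Second condition of the theorem: for every x in P and y in C exactly one key maps x to y."""
    return all(sum(1 for k in keys if enc(k, x, n) == y) == 1
               for x in range(n) for y in range(n))


def uniform(keys):
    """Pr[K = k] = 1/|K| for every k (the first condition of the theorem)."""
    keys = list(keys)
    return {k: F(1, len(keys)) for k in keys}


# Constructed, deliberately skewed plaintext distribution on Z_5 (sums to 1).
SKEWED_MSGS = {0: F(1, 2), 1: F(1, 4), 2: F(1, 8), 3: F(1, 16), 4: F(1, 16)}
# Constructed non-uniform key distribution on the same key space.
SKEWED_KEYS = {0: F(1, 2), 1: F(1, 8), 2: F(1, 8), 3: F(1, 8), 4: F(1, 8)}

if __name__ == "__main__":
    print("uniform keys on Z_5:", is_perfectly_secret(5, uniform(range(5)), SKEWED_MSGS))  # True
    print("skewed keys on Z_5: ", is_perfectly_secret(5, SKEWED_KEYS, SKEWED_MSGS))        # False
    print("only 2 keys (|K| < n):", is_perfectly_secret(5, uniform([0, 1]), SKEWED_MSGS))  # False
    _, post = posteriors(5, SKEWED_KEYS, SKEWED_MSGS)
    print("Pr[P=0 | C=0] with skewed keys =", post[(0, 0)], "vs prior", SKEWED_MSGS[0])    # 4/5 vs 1/2
```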

Introduction of the Complexity

• Perfect secrecy: key-length ≥ message-length – Can NOT use one key to encrypt many messages – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography – NOT perfect secrecy – IS secure under limited resources (complexity) – Means that key (or plaintext) recovery is difficult – Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified
• Example – Name: GCD problem – Instance: two natural numbers a, b ∈ N – Question: what is the greatest common divisor of a and b? – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is δ: S × B → S × B × {l, r} – where S is the set of states, B is the set of characters, l is shift left, r is shift right

(Diagram: tape … 0 1 1 0 0 0 1 1 … read by a state machine)

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which for an instance produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

(Diagram: PROBLEM → INSTANCES → Input → ALGORITHM → Output)

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF) – Logarithmic functions: f(n) = log(n) – Polynomial functions: f(n) = n^a, a ∈ N – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms – The complexity of a problem is much more difficult to determine – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable – provably intractable – There is no algorithm that solves it – Such as the Turing Halting Problem
• Decidable
– P – can be solved in polynomial time using a DTM • Example: A × B
– NP – can be solved in polynomial time using an NDTM: δ: S × B → 2^(S × B × {l, r})
– BPP – can be "solved" in polynomial time using a PTM: δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)

NP Problem

• NP ⊇ P: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark – P problems ⊆ NP problems – NP problems are "more difficult" by intuition
• NPC: the most difficult problems in NP – How to define the difficulty? – P problems are considered easy problems

Polynomial Reduction

• Definition: Assume Q_1, Q_2 ∈ NP and I_1^+ and I_2^+ are their 'yes' instances. Q_1 is polynomially reducible to Q_2 if there is a function f: I_1 → I_2 s.t.
– f is computable in polynomial time by a DTM
– for all x: x ∈ I_1^+ iff f(x) ∈ I_2^+
• Note – Q_2 is at least as complex as Q_1
– Denoted as Q_1 ≤_poly Q_2

NP Completeness (NPC)

• Definition: An NPC problem is a Q_c such that for any Q ∈ NP we have Q ≤_poly Q_c
• Example – Name: Satisfiability problem (SAT) – Instance: a set U of variables and a collection C of clauses over U – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC – SAT ≤_poly Q

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P – A one-way function can be built based on p – Indistinguishable pseudorandom functions exist – They are the foundations of modern cryptography

BPP

• There are random algorithms in cryptography – Especially in cryptanalysis – BPP is the model for random algorithms
• Remarks on BPP – The problem can be solved with some error probability – The error probability can be reduced by repetition – Security of cryptography is meaningful under BPP – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: Factorize n (= p_1^{e_1} p_2^{e_2} … p_k^{e_k})
• DLP: Find x satisfying α^x ≡ β (mod p)
• DHP: Find α^(ab) (mod p) from α^a (mod p) and α^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a_1, a_2, …, a_n} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of semantic security – Between Shannon security and security based on complexity – Leaks partial information – Approximates perfect secrecy
• Definition of semantic security – Indistinguishability of ciphertexts – Difficult to distinguish the ciphertexts of different plaintexts – Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack) – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

(Game) Challenger: picks random k and picks random b ∈ {0, 1}. Adversary: picks M_0, M_1 of equal length, receives the encryption of M_b under k, and outputs a guess b'. Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

(Game) Challenger: 1. picks random k; 2. picks random M. Adversary: 3. picks i, receives the encryption of M, and outputs a bit a. Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
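Added example (not from the slides): the IND-CPA game above run as code, with a challenger that picks k and b, an adversary that picks M_0, M_1 of equal length and guesses b', and the win rate measured over many seeded runs. The same one-time pad is tried in the eavesdropper setting (no encryption queries, fresh key per game) and in the chosen-plaintext setting (the adversary may also ask for encryptions under k), which makes concrete the slide's remark that one key cannot be used for many messages; a randomized illustrative cipher is included for contrast. `otp_encrypt`, `nonce_stream_encrypt`, `CompareAdversary`, `ind_game`, `win_rate` and `advantage` are my names, and the hash-based cipher is a teaching construction only.

```python
import hashlib
import os
import random


def otp_encrypt(key: bytes, msg: bytes) -> bytes:
    """One-time pad c = k XOR m: perfectly secret for ONE message under a key."""
    return bytes(k ^ m for k, m in zip(key, msg))


def nonce_stream_encrypt(key: bytes, msg: bytes) -> bytes:
    """Illustrative randomized cipher (a teaching construction, not a recommended one):
    a fresh 16-byte nonce selects a SHA-256 keystream; ciphertext = nonce || (stream XOR msg)."""
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()
    return nonce + bytes(s ^ m for s, m in zip(stream, msg))


class CompareAdversary:
    """Picks M0 = 00..00 and M1 = FF..FF. With an encryption oracle it re-encrypts M0 and
    compares with the challenge; without one (eavesdropper setting) it can only guess."""

    def __init__(self, rng: random.Random):
        self.rng = rng

    def choose(self, msg_len: int) -> tuple[bytes, bytes]:
        self.m0, self.m1 = bytes(msg_len), bytes([0xFF] * msg_len)
        return self.m0, self.m1

    def guess(self, c: bytes, oracle) -> int:
        if oracle is None:
            return self.rng.getrandbits(1)
        return 0 if oracle(self.m0) == c else 1


def ind_game(encrypt, adversary, rng, msg_len=8, chosen_plaintext=True) -> bool:
    """One run of the slide's game; returns True when the adversary wins (b' = b)."""
    key = bytes(rng.getrandbits(8) for _ in range(msg_len))    # challenger picks random k
    b = rng.getrandbits(1)                                      # and random b in {0, 1}
    m0, m1 = adversary.choose(msg_len)                          # adversary picks M0, M1
    if len(m0) != len(m1):
        raise ValueError("M0 and M1 must have equal length")
    c = encrypt(key, (m0, m1)[b])                               # challenge ciphertext
    oracle = (lambda m: encrypt(key, m)) if chosen_plaintext else None
    return adversary.guess(c, oracle) == b


def win_rate(encrypt, trials=2000, seed=1, chosen_plaintext=True) -> float:
    """Fraction of games the adversary wins over `trials` seeded runs."""
    rng = random.Random(seed)
    adv = CompareAdversary(rng)
    wins = sum(ind_game(encrypt, adv, rng, chosen_plaintext=chosen_plaintext)
               for _ in range(trials))
    return wins / trials


def advantage(rate: float) -> float:
    """The epsilon of the (t, epsilon) definition: how far above 1/2 the adversary gets."""
    return max(rate - 0.5, 0.0)


if __name__ == "__main__":
    print("OTP, eavesdropper only:", win_rate(otp_encrypt, chosen_plaintext=False))   # about 0.5
    print("OTP, chosen plaintext: ", win_rate(otp_encrypt, chosen_plaintext=True))    # 1.0
    print("nonce stream, chosen plaintext:", win_rate(nonce_stream_encrypt))          # about 0.5
```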

Summary

• Number Theory – Primes, gcd, Euler's Theorem, CRT – Modular arithmetic
• Algebraic Structures – Group, Field – Z_n, Z_p, GF(2^n)
• Shannon Security – Perfect secrecy – Probability
• Complexity of Computing – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 7

Primes Amount

bull Theorem There are infinitely many primes

bull Proof (by contradiction) Assume Pmax build a number N is

N=P1P2hellipPmax+1

N can not be represented as P1e

1 P2e

2 hellip Pmaxe

max Therefore N is a new prime

Zhijun Li S1034040Autumn08HIT 8

Primes Density

(x) is a function gives the number of all primes contained in lt1xgt

(x)xln(x)

bull Gauss (x)xln(x)bull Legendre (x)x(ln(x)-108366) bull Hadamard de la Vallee-Poussion

((x)ln(x)x)x = 1

Zhijun Li S1034040Autumn08HIT 9

Greatest Common Divisor

bull Definition the greatest common divisor(GCD) is the number c

c=gcd(ab)=maxd|d|ad|bbull Properties

ndash d|n1d|n2hellipd|nk d|gcd(n1n2hellipnk)ndash gcd(ab) = gcd(b a mod b)

bull a mod b = r = a-qb 0ltrltb bull Hint a|b b|a a = b

bull Definition if gcd(ab)=1 then a and b are relatively prime(coprime)

Zhijun Li S1034040Autumn08HIT 10

Finding GCD

bull Theorem a=i pi

ai b=i pi

bi

gcd(ab)= i pi

min(ai bi)

bull Example

a=882=2 32 72

b=3465=33 5 7 11

gcd(ab)= 32 7 = 63

bull Complexityndash Need factoring the a and b ndash T(n) = O(cO(n))

Zhijun Li S1034040Autumn08HIT 11

Euclidean Algorithm Example

1970 = 1 x 1066 + 904 gcd(1066 904)1066 = 1 x 904 + 162 gcd(904 162)904 = 5 x 162 + 94 gcd(162 94)162 = 1 x 94 + 68 gcd(94 68)94 = 1 x 68 + 26 gcd(68 26)68 = 2 x 26 + 16 gcd(26 16)26 = 1 x 16 + 10 gcd(16 10)16 = 1 x 10 + 6 gcd(10 6)10 = 1 x 6 + 4 gcd(6 4)6 = 1 x 4 + 2 gcd(4 2)4 = 2 x 2 + 0 gcd(2 0)

GCD(19701066)

Zhijun Li S1034040Autumn08HIT 12

Euclidean Algorithm

bull Step 1 r0 =a and r1 =b

bull Step 2 r0 =q1r1+ r2

r1 =q2r2+ r3

helliphellip

rn-2 = qn-1rn-1+ rn

until rn=0 and rn-1 0

bull Step 3 rn-1 = gcd(ab)

Zhijun Li S1034040Autumn08HIT 13

Euclidean Algorithm Proof

bull rn = 0 rn-1| rn-2

rn-1| rn-3 hellip rn-1| a and rn-1| b

rn-1| gcd(ab)

bull gcd(ab)| r0 and gcd(ab)|r1

gcd(ab) | r0 ndash q1r1 gcd(ab)| r2

hellip gcd(ab) | rn-1

bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1

Zhijun Li S1034040Autumn08HIT 14

Euclidean Algorithm Complexity

bull Time Complexityndash Iteration

bull Each rigt1 iteration = O(log2a)

ndash Division

bull O(log22a)

ndash T(n)=O(log32n)

Zhijun Li S1034040Autumn08HIT 15

Modular Arithmetic

bull Why modular arithmetic

01100hellip0100

Plaintext 2n

11010hellip0111

Ciphertext 2n

+ addition multiplication

Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite

Zhijun Li S1034040Autumn08HIT 16

Modular Operation

bull Definition a mod n(modulo operator) is the remainder when a is divided by n

bull a mod n is r a=qn+r (0ltrltn)

Zhijun Li S1034040Autumn08HIT 17

Congruence Modulo n

bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)

Zhijun Li S1034040Autumn08HIT 18

Congruence Properties

bull Propertiesndash a b (mod n) c d (mod n)

a+c b+d (mod n)

ac bd (mod n)ndash Example

10 1 mod 9 102 1 mod 9 hellip

a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9

ndash a b (mod n) d|n a b (mod d)

Zhijun Li S1034040Autumn08HIT 19

Congruence Relation

bull Congruence relation is an equivalence relationndash Reflexive

bull a andash Symmetric

bull a b b a ndash Transitive

bull a b b c a c

bull Equivalence relation Partition

Zhijun Li S1034040Autumn08HIT 20

Example Integers Modulo 7

bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence

Z7 residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

bull Definition if a b mod n and bltn b is called a residue of a modulo n

bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i

n the set satisfies bri mod n

bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele

ment is relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues Example

bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379

bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1

bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n

bull Proof Let a=q1n+r1 b=q2n+r2

bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n

ndash [(a mod n) (b mod n)] mod n = (ab) mod n

bull (+ ) (-)

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)

What

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )

NOT all elements in Z8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n

bull ((-a)+a+b) ((-a)+a+c) mod n

bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8

ndash When

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n

bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists

bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=

0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

• Additive and multiplicative identities in Zn
– additive identity is 0 mod n
– multiplicative identity is 1 mod n

• Additive inverse: yes, for every x
– for each x in Zn there is a y (namely n - x) such that x + y ≡ 0 mod n

• Multiplicative inverse: not for all x
– a y such that x·y ≡ 1 mod n exists only for some x
– the elements of Zn that have an inverse are exactly {x | gcd(x, n) = 1}

Zn*

• Zn* is a "group" of integers modulo n
– Zn* = {x ∈ Zn | gcd(x, n) = 1}
– |Zn*| = φ(n)
– normal multiplication modulo n

• Zn* is not a group over +
– Example: n = 20, 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn* (not closed under +)

• So Zn* is not a field; Zn with both operations is a field only when n is prime
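The three slides on Zn, Zn* and their inverses can be verified directly: list the units, count φ(n), check closure under · but not under +, and compute an inverse with the extended Euclidean algorithm (the method the number theory part of this chapter recommends for a^-1 mod n). This is an added example, not code from the slides; `units`, `ext_gcd`, `inverse` and `closed_under` are names chosen here.

```python
from math import gcd


def units(n):
    """Z_n^*: the elements of Z_n coprime to n, i.e. exactly the invertible ones."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def phi(n):
    """Euler's phi function, counted directly as |Z_n^*|."""
    return len(units(n))


def ext_gcd(a, b):
    """Extended Euclidean algorithm: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    r0, r1, s0, s1, t0, t1 = a, b, 1, 0, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1      # r_{i+1} = r_{i-1} - q * r_i
        s0, s1 = s1, s0 - q * s1      # same recurrence for the coefficients
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0


def inverse(a, n):
    """a^-1 mod n via extended Euclid; raises if gcd(a, n) != 1 (no inverse exists)."""
    g, s, _ = ext_gcd(a % n, n)       # s*a + t*n = g, so s*a = g (mod n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd({a}, {n}) = {g}")
    return s % n


def closed_under(op, subset, n):
    """Is the subset of Z_n closed under the binary operation op, taken mod n?"""
    members = set(subset)
    return all(op(x, y) % n in members for x in subset for y in subset)


if __name__ == "__main__":
    u = units(20)
    print("Z_20^* =", u, "phi(20) =", phi(20))
    print("closed under *:", closed_under(lambda x, y: x * y, u, 20))
    print("closed under +:", closed_under(lambda x, y: x + y, u, 20))   # 3 + 5 = 8 is not a unit
    print("3^-1 mod 20 =", inverse(3, 20))
```

Inverses are checked by multiplying back: every a in Z_20^* satisfies a · inverse(a, 20) ≡ 1, while inverse(6, 8) fails because gcd(6, 8) = 2.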

Zp

• Zp is the "field" of integers modulo a prime p
– Zp = {0, 1, 2, …, p-1}
– normal addition modulo p
– normal multiplication modulo p

• Example: Z2

  +  | 0  1        ·  | 0  1        w  | -w  w^-1
  ---+------       ---+------       ---+---------
  0  | 0  1        0  | 0  0        0  |  0   -
  1  | 1  0        1  | 0  1        1  |  1   1

  (+ is XOR)       (· is AND)

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n-1} x^{n-1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0

• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R, with the usual polynomial addition and multiplication

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
– f(x) + g(x) = x^3 + x^2 + 1
– f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1 (in Z2, -1 = 1)
– f(x)·g(x) = x^5 + x^4 + x^3 + x (the two x^2 terms cancel)

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set of remainders of R[x] on division by p(x)
– for the field construction below, p(x) is taken to be an irreducible polynomial over R

• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) - b(x))

• Example
– In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
  • (3x^3 + 4x + 4) - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)

• Definition: If a(x)·b(x) ≡ 1 mod p(x), then b(x) = a^-1(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted b(x) | a(x)

• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) such that b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1

• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S

• Example
– x^4 + 1 = x·x^3 + 1 ≡ x(x + 1) + 1 = x^2 + x + 1 mod p(x), using x^3 ≡ x + 1

• Note: R[x]/p(x) is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x); it is the irreducibility of p(x) that makes this set a field

Z2[x]/(x^3 + x + 1) Properties

• S is a group over addition
– 0 is e and the inverse of a ∈ S is a itself (coefficients are in Z2)
– Example: (x^2 + 1) + (x^2 + 1) = 0

• S \ {0} is a group over multiplication mod p(x)
– 1 is e and every nonzero a ∈ S has an inverse
– Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x = 1 mod x^3 + x + 1, so x^-1 = x^2 + 1
– Note: the Extended Euclidean Algorithm (on polynomials) finds the inverse

• Z2[x]/(x^3 + x + 1) is a field with 8 elements

Galois Field

• Definition: Galois field = (S, +, ·)
– S = F[x]/p(x)
– F is the field Z_N (N is prime)
– + is polynomial addition with coefficients in F, · is multiplication modulo p(x)
– p(x) is irreducible over F

• The Galois field Z_N[x]/p(x) is denoted GF(N^n), where n = deg p(x); it has N^n elements

Why Galois Field

• For an 8-bit block
– Z256 = {0, 1, …, 255} is not a field (256 is not prime)
– Z251 = {0, 1, …, 250} is a field
  • the largest prime < 256 is 251
  • the byte values 251 … 255 are wasted

• Is it possible to find a field with exactly 256 elements, one per byte value?
– Yes: a Galois Field, GF(2^8)

Galois Field for 8-bit Blocks

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block

  10010111  ↔  1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0 = x^7 + x^4 + x^2 + x + 1

• The field is Z2[x]/p(x) where deg p(x) = 8, i.e. GF(2^8)

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• Byte arithmetic in AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
– 01010011 ↔ x^6 + x^4 + x + 1
– (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010
– check: (x^6 + x^4 + x + 1)(x^7 + x^6 + x^3 + x) ≡ 1 mod p(x)

Galois Field Example: AES

• Example: {02}·{87}
• 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
• 02 = 00000010 ↔ x
• {02}·{87} = x·f(x) = x(x^7 + x^2 + x + 1) mod p(x)
  = x^8 + x^3 + x^2 + x mod p(x)
  = (x^4 + x^3 + x + 1) + x^3 + x^2 + x     (since x^8 ≡ x^4 + x^3 + x + 1 mod p(x))
  = x^4 + x^2 + 1 ↔ 00010101 = {15}

• In general, for a byte b = b7 b6 b5 b4 b3 b2 b1 b0, multiplication by x ("xtime") is a left shift and a conditional XOR:
  x·f(x) = {02}·b = (b6 b5 b4 b3 b2 b1 b0 0)                    if b7 = 0
  x·f(x) = {02}·b = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)       if b7 = 1
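The polynomial-ring and Galois-field slides above (Z2[x] arithmetic, residues modulo p(x), inverses by the extended Euclidean algorithm, the GF(2^3) example and the two AES examples) are all instances of the same bit-mask arithmetic. The following is an added example, not code from the slides or from any AES implementation; polynomials over Z2 are stored as integers with bit i holding the coefficient of x^i, and the function names are the example's own.

```python
"""Z2[x] and GF(2^n) = Z2[x]/p(x) with polynomials stored as integers: bit i <-> x^i."""


def poly_mul(f, g):
    """Product in Z2[x] (carry-less multiplication), without reduction."""
    r = 0
    while g:
        if g & 1:
            r ^= f
        f <<= 1
        g >>= 1
    return r


def poly_divmod(a, b):
    """Quotient and remainder of a / b in Z2[x]: long division where subtraction is XOR."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        s = a.bit_length() - 1 - db          # degree gap
        q ^= 1 << s
        a ^= b << s                          # cancel the leading term
    return q, a


def gf_mul(a, b, p):
    """Multiplication in Z2[x]/p(x)."""
    return poly_divmod(poly_mul(a, b), p)[1]


def gf_inv(a, p):
    """a^-1 mod p(x) by the extended Euclidean algorithm on polynomials, as the slides suggest."""
    r0, r1, t0, t1 = p, poly_divmod(a, p)[1], 0, 1     # invariant: r_i = t_i * a (mod p)
    while r1 not in (0, 1):
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ poly_mul(q, t1)
    if r1 == 0:
        raise ValueError("not invertible: gcd(a, p) != 1")
    return poly_divmod(t1, p)[1]


def is_irreducible(p):
    """Brute force: p(x) has no factor of degree 1 .. deg(p)/2."""
    deg = p.bit_length() - 1
    return deg >= 1 and all(poly_divmod(p, d)[1] != 0 for d in range(2, 1 << (deg // 2 + 1)))


def xtime(b):
    """AES multiplication by x = {02}: shift left, XOR 0x1B (= x^4+x^3+x+1) if x^8 appeared."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


AES_POLY = 0x11B    # x^8 + x^4 + x^3 + x + 1
GF8_POLY = 0b1011   # x^3 + x + 1, the GF(2^3) example above

if __name__ == "__main__":
    print(hex(gf_mul(0x02, 0x87, AES_POLY)), hex(xtime(0x87)))   # both {15}
    print(hex(gf_inv(0x53, AES_POLY)))                           # {CA}
```

The polynomial example (x^3+x+1)(x^2+x) = x^5+x^4+x^3+x comes out as 0b1011 · 0b110 = 0b111010, the GF(2^3) inverse of x is x^2+1 = 0b101, and for AES the slide's {53}^-1 = {CA} and {02}·{87} = {15} both check out; xtime agrees with gf_mul(2, b) for every byte b.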

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Mathematical Model for Ciphers

• Message space: $P = M^L = \{m = (m_1, m_2, \ldots, m_L) \mid m_i \in M\}$
– $M = \{a_i \mid i = 1, 2, \ldots, N\}$, $p(a_i) \ge 0$, $\sum_{i=1}^{N} p(a_i) = 1$

• Key space: $K = B^R = \{b = (b_1, b_2, \ldots, b_R) \mid b_i \in B\}$
– $B = \{b_i \mid i = 1, 2, \ldots, S\}$, $p(b_i) \ge 0$, $\sum_{i=1}^{S} p(b_i) = 1$

• Ciphertext space: $C = \{c \mid c = e_k(m),\ k \in K,\ m \in P\}$

(diagram) Sender --m--> Encryption --c--> Decryption --m--> Receiver; the key k from the Key Space (K) reaches both ends over a Secure Channel; Cryptanalysis observes c on the open channel. Message Space (P), Ciphertext Space (C).

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."

– R. G. Gallager

Claude Shannon, 1916–2001

Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]$
– $C(k) = \{e_k(m) \mid m \in P\}$, the ciphertexts that key k can produce

• $\Pr[C = c \mid P = m] = \sum_{k \in K,\ m = d_k(c)} \Pr[K = k]$

• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \cdot \Pr[P = m]}{\Pr[C = c]}$
  $= \dfrac{\Pr[P = m] \cdot \sum_{k \in K,\ m = d_k(c)} \Pr[K = k]}{\sum_{k \in K,\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]}$ (Bayes)

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
– how to define "information"?

• Definition: An encryption scheme is Shannon secure if, for every probability distribution on P, $\forall c \in C,\ \forall m \in P:\ \Pr[P = m] = \Pr[P = m \mid C = c]$
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and for every x ∈ P and every y ∈ C there is a unique key k such that e_k(x) = y

Proof of ⇐

• Assume every key has probability 1/|K| and for each (x, y) exactly one key k has e_k(x) = y. Then, by Bayes,

$\Pr[P = x \mid C = y] = \dfrac{\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] \cdot \Pr[P = x]}{\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(y)]}$

• Numerator: $\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] = \dfrac{1}{|K|}$, because exactly one key maps x to y

• Denominator: $\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(y)] = \dfrac{1}{|K|} \sum_{k \in K,\ y \in C(k)} \Pr[P = d_k(y)] = \dfrac{1}{|K|} \sum_{x \in P} \Pr[P = x] = \dfrac{1}{|K|}$, because as k runs over K, d_k(y) runs over every x ∈ P exactly once

• Hence $\Pr[P = x \mid C = y] = \Pr[P = x]$

Proof of ⇒ (unique key)

• Assume perfect secrecy and Pr[y] > 0 for every y ∈ C (ciphertexts that never occur can be discarded)
• Pr[x | y] = Pr[x] implies Pr[y | x] = Pr[y] (Bayes)

• Fix x ∈ P. For every y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one key k with e_k(x) = y

• |{e_k(x) | k ∈ K}| = |C| = |K|
– so there are no two keys k1 ≠ k2 with e_k1(x) = e_k2(x)
– hence for each y there is a unique key k such that e_k(x) = y

Proof of ⇒ (equiprobable keys)

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}

• Fix y ∈ C. By the previous slide there are keys k_1, k_2, …, k_n (all distinct) with e_{k_i}(x_i) = y

• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i] \cdot \Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i] \cdot \Pr[x_i]}{\Pr[y]}$

• Perfect secrecy gives $\Pr[x_i \mid y] = \Pr[x_i]$, so $\Pr[K = k_i] = \Pr[y]$ for every i
– every key is used with the same probability, which must be 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n. Any cipher with perfect secrecy has |K| ≥ n

• Proof
– consider a probability distribution on P that gives every m nonzero probability
– fix any ciphertext c with Pr[C = c] > 0; for every m,
  Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
– as one key decrypts c into only one message, at least n distinct keys are needed
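The definitions and theorems of the last few slides can be checked by exhaustive computation on a small cipher. The following is an added example, not from the slides: it evaluates Pr[P = m | C = c] exactly (with fractions) from the formulas on the "Probability Distribution of C" slide for a shift cipher over a constructed toy alphabet Z_5, and tests both the perfect secrecy condition and the unique-key condition of the theorem. The alphabet size, the priors and the function names are choices made here.

```python
"""Perfect secrecy checked exactly from the slide formulas, using a shift cipher over Z_N."""
from fractions import Fraction
from itertools import product

N = 5                                   # toy alphabet Z_5 instead of Z_26 (constructed example)
KEYS = list(range(N))


def shift_encrypt(key, m):
    """e_k(m) for a message tuple over Z_N: every symbol shifted by the same key."""
    return tuple((x + key) % N for x in m)


def posterior(enc, keys, key_dist, plain_dist):
    """Pr[P=m | C=c] for every (c, m) with Pr[C=c] > 0, computed via Bayes as on the slides."""
    pr_c, joint = {}, {}
    for k in keys:
        for m, pm in plain_dist.items():
            c = enc(k, m)
            w = key_dist[k] * pm            # Pr[K=k] * Pr[P=m]
            pr_c[c] = pr_c.get(c, 0) + w    # Pr[C=c]: sum over all (k, m) producing c
            joint[(m, c)] = joint.get((m, c), 0) + w
    post = {c: {} for c in pr_c}
    for (m, c), w in joint.items():
        post[c][m] = w / pr_c[c]            # Pr[P=m | C=c]
    return post


def perfectly_secret(enc, keys, key_dist, plain_dist):
    """Shannon's condition: Pr[P=m | C=c] == Pr[P=m] for every c and m (0 if m never yields c)."""
    post = posterior(enc, keys, key_dist, plain_dist)
    return all(post[c].get(m, 0) == pm for c in post for m, pm in plain_dist.items())


def unique_key_property(enc, keys, plaintexts, ciphertexts):
    """Theorem condition: for every (x, y) exactly one key k has e_k(x) = y."""
    return all(sum(1 for k in keys if enc(k, x) == y) == 1
               for x in plaintexts for y in ciphertexts)


UNIFORM_KEYS = {k: Fraction(1, N) for k in KEYS}
SKEWED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
               3: Fraction(1, 8), 4: Fraction(1, 8)}
# a non-uniform prior on one-symbol messages, and a uniform prior on two-symbol messages
PRIOR_ONE = {(0,): Fraction(1, 2), (1,): Fraction(1, 4), (2,): Fraction(1, 8),
             (3,): Fraction(1, 16), (4,): Fraction(1, 16)}
PRIOR_TWO = {m: Fraction(1, N * N) for m in product(range(N), repeat=2)}

if __name__ == "__main__":
    print("uniform keys, one symbol:", perfectly_secret(shift_encrypt, KEYS, UNIFORM_KEYS, PRIOR_ONE))
    print("skewed keys, one symbol: ", perfectly_secret(shift_encrypt, KEYS, SKEWED_KEYS, PRIOR_ONE))
    print("uniform keys, two symbols:", perfectly_secret(shift_encrypt, KEYS, UNIFORM_KEYS, PRIOR_TWO))
```

With |K| = |P| = |C| = 5, uniform keys and a unique key per (x, y), the one-symbol shift cipher is perfectly secret whatever the prior on P; skewing the key distribution breaks it (the ⇒ direction), and reusing one key for two symbols breaks it because |K| = 5 < |P| = 25 (the "bad news" theorem).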

Introduction of the Complexity

• Perfect secrecy ⇒ key length ≥ message length
– one key can NOT be used to encrypt many messages
– e.g. a 56-bit key can not encrypt a document (> 56 bits) with perfect secrecy

• So in modern cryptography
– NOT perfect secrecy
– but secure under limited resources (complexity)
– meaning that key (or plaintext) recovery is computationally difficult
– complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
– Name: GCD problem
– Instance: two natural numbers a, b ∈ N
– Question: what is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is given by a transition function δ: S × B → S × B × {l, r}
– where S is the set of states, B is the set of tape characters, l is "shift left", r is "shift right"

(diagram) a tape … 0 1 1 0 0 0 1 1 … read and written by a head driven by the State Machine

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms

(diagram) PROBLEM → INSTANCES → (Input) ALGORITHM (Output)

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
– logarithmic functions: f(n) = log(n)
– polynomial functions: f(n) = n^a, a ∈ N
– exponential functions: f(n) = Ω(a^n) for some a ∈ N, a > 1, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
– the complexity of a problem is much more difficult to establish than that of an algorithm
– it relies on mathematical analysis (a lower bound over all algorithms, not only the known ones)

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable
– provably intractable: there is no algorithm that solves it
– such as the Turing Halting Problem

• Decidable
– P: can be solved in polynomial time using a DTM (deterministic TM, δ: S × B → S × B × {l, r})
  • Example: computing A × B
– NP: can be solved in polynomial time using an NDTM (nondeterministic TM, δ: S × B → 2^{S × B × {l, r}})
– BPP: can be "solved" in polynomial time using a PTM (probabilistic TM, δ: S × B × {0, 1} → S × B × {l, r}; randomized algorithms)

NP Problem

• NP: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution (some computation path accepts)

• Remark
– P ⊆ NP
– NP problems are "more difficult" by intuition

• NPC: the most difficult problems in NP
– how to define the difficulty?
– P problems are considered easy problems

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP with instance sets I1, I2, and let I1+ ⊆ I1 and I2+ ⊆ I2 be their 'yes' instances.
Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
– f is computable in polynomial time by a DTM
– for all x ∈ I1: x ∈ I1+ iff f(x) ∈ I2+

• Note
– Q2 is at least as hard as Q1: a polynomial algorithm for Q2 gives one for Q1
– denoted as Q1 ≤_poly Q2

NP Completeness (NPC)

• Definition: A problem Qc is NP-complete if Qc ∈ NP and for every Q ∈ NP we have Q ≤_poly Qc

• Example
– Name: Satisfiability problem (SAT)
– Instance: a set U of variables and a collection C of clauses over U
– Question: is there a satisfying truth assignment for C?
– SAT is NP-complete (Cook's theorem)

• How to prove a problem Q is in NPC
– show Q ∈ NP and SAT ≤_poly Q

P = NP?

• P = NP, or does there exist p ∈ NP \ P?

• If P = NP
– modern cryptography is NOT secure: every NP problem, including the ones listed below, becomes easy

• If there exists p ∈ NP \ P
– the hope is that a one-way function can be built based on p
– indistinguishable pseudorandom functions then exist
– they are the foundations of modern cryptography
– caveat: P ≠ NP is necessary but not known to be sufficient; one-way functions need problems that are hard on average, not only in the worst case

BPP

• There are random algorithms in cryptography
– especially in cryptanalysis
– BPP is the model for random algorithms

• Remarks on BPP
– the problem can be solved with a bounded error probability
– the error probability can be reduced by repetition (majority vote)
– security of cryptography is meaningful against BPP (probabilistic polynomial-time) adversaries
– will be analyzed in depth later

Problems in Cryptography

• FACTORING: factorize n (= p1^e1 · p2^e2 · … · pk^ek)

• DLP: given a prime p, a generator α of Zp* and β ∈ Zp*, find x satisfying α^x ≡ β (mod p)

• DHP: find α^ab (mod p) from α^a (mod p) and α^b (mod p)

• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of Semantic Security
– between Shannon security and security based on complexity
– partial information (such as the message length) may leak, but nothing an efficient adversary can use
– an approximation of perfect secrecy

• Definition of Semantic Security (equivalently)
– indistinguishability of ciphertexts
– difficult to distinguish the ciphertexts of different plaintexts
– difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 1/2 + ε

Challenger                                  Adversary
picks random k and random b ∈ {0, 1}
                                            may ask for encryptions E_k(M) of chosen M
                                            picks M0, M1 of equal length
                      ←  M0, M1  ←
                      →  C = E_k(Mb)  →
                                            outputs b'

Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 1/2 + ε

Challenger                                  Adversary
1. picks random k
2. picks random M
                      →  C = E_k(M)  →
                                            3. picks i and outputs a

Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: given a (t, ε) attacker B against bit security, build a (t, ε) attacker A against IND-CPA security
– A picks a random M0 and sets M1 = complement of M0 (every bit flipped), receives C = E_k(Mb), runs B on C to get (i, a), and outputs b' = 0 if a equals the i'th bit of M0, else b' = 1
– the i'th bit of M1 is the opposite of the i'th bit of M0, so A guesses b correctly exactly when B guesses the bit correctly: A wins with the same probability 1/2 + ε
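The IND-CPA game, the bit-security game and the reduction between them on the last three slides can be played out against concrete toy schemes. The following is an added example, not code from the slides or from any real cipher: the three schemes are constructed for illustration (a reused fixed-key XOR, a nonce-based stream cipher that uses HMAC-SHA256 as its pseudorandom function, and a deliberately leaky variant of the latter), and all names are the example's own. The game loop is seeded so that the win rates are reproducible.

```python
"""IND-CPA and bit-security games from the slides, played against constructed toy schemes."""
import hashlib
import hmac
import random

MSG_LEN = 16


def rand_bytes(rng, n):
    return rng.getrandbits(8 * n).to_bytes(n, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, nonce, n):
    """HMAC-SHA256 used as a PRF to stretch (key, nonce) into n pad bytes."""
    return hmac.new(key, nonce, hashlib.sha256).digest()[:n]


def enc_fixed_xor(key, m, rng):
    """Scheme A: the key is XORed onto every message; deterministic, so E_k(m) repeats."""
    return xor(key, m)


def enc_nonce(key, m, rng):
    """Scheme B: a fresh 16-byte nonce r per encryption, ciphertext = r || m XOR PRF(k, r)."""
    r = rand_bytes(rng, 16)
    return r + xor(keystream(key, r, len(m)), m)


def enc_leaky(key, m, rng):
    """Scheme C: like B, but the lowest bit of the first pad byte is forced to 0,
    so bit 0 of the first plaintext byte is sent in the clear (a bit-security break)."""
    r = rand_bytes(rng, 16)
    pad = bytearray(keystream(key, r, len(m)))
    pad[0] &= 0xFE
    return r + xor(bytes(pad), m)


def ind_cpa_game(enc, adversary, trials, seed=1):
    """Fraction of games the adversary wins; the challenger picks k and b each round."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        key = rand_bytes(rng, MSG_LEN)
        b = rng.getrandbits(1)
        oracle = lambda m: enc(key, m, rng)          # chosen-plaintext access
        m0, m1 = adversary.choose(oracle, rng)
        c = enc(key, m1 if b else m0, rng)
        wins += adversary.guess(oracle, c) == b
    return wins / trials


class RepeatQueryAdversary:
    """Wins whenever encryption is deterministic: re-encrypt M0 and compare with C."""

    def choose(self, oracle, rng):
        self.m0, self.m1 = bytes(MSG_LEN), bytes([0xFF]) * MSG_LEN
        return self.m0, self.m1

    def guess(self, oracle, c):
        return 0 if oracle(self.m0) == c else 1


def bit_attacker_leaky(c):
    """Bit attacker B for scheme C: returns (i, a) = (bit index, guessed bit value)."""
    return 0, c[16] & 1            # bit 0 of plaintext byte 0 is copied into c[16]


class FromBitAttacker:
    """The reduction of the slide: M1 = complement(M0), so A wins exactly when B does."""

    def __init__(self, bit_attacker):
        self.B = bit_attacker

    def choose(self, oracle, rng):
        self.m0 = rand_bytes(rng, MSG_LEN)
        self.m1 = bytes(x ^ 0xFF for x in self.m0)
        return self.m0, self.m1

    def guess(self, oracle, c):
        i, a = self.B(c)
        bit_of_m0 = (self.m0[i // 8] >> (i % 8)) & 1
        return 0 if a == bit_of_m0 else 1


if __name__ == "__main__":
    print("A vs repeat-query:", ind_cpa_game(enc_fixed_xor, RepeatQueryAdversary(), 200))
    print("B vs repeat-query:", ind_cpa_game(enc_nonce, RepeatQueryAdversary(), 400))
    print("C vs reduction:   ", ind_cpa_game(enc_leaky, FromBitAttacker(bit_attacker_leaky), 200))
```

The repeat-query adversary wins every game against the deterministic scheme A and only about half against scheme B, and the adversary built from the bit attacker wins every game against the leaky scheme C: a single leaked plaintext bit is enough to lose IND-CPA, which is the contrapositive of the slide's theorem.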

Summary

• Number Theory
– primes, gcd, Euler's Theorem, CRT
– modular arithmetic

• Algebraic Structures
– group, ring, field
– Zn, Zp, GF(2^n)

• Shannon Security
– perfect secrecy
– probability

• Complexity of Computing
– P, NP, NPC, BPP

Homework

• HTTP URL
http://cst.hit.edu.cn/cryptography

• Due Date:

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 8

Primes Density

(x) is a function gives the number of all primes contained in lt1xgt

(x)xln(x)

bull Gauss (x)xln(x)bull Legendre (x)x(ln(x)-108366) bull Hadamard de la Vallee-Poussion

((x)ln(x)x)x = 1

Zhijun Li S1034040Autumn08HIT 9

Greatest Common Divisor

bull Definition the greatest common divisor(GCD) is the number c

c=gcd(ab)=maxd|d|ad|bbull Properties

ndash d|n1d|n2hellipd|nk d|gcd(n1n2hellipnk)ndash gcd(ab) = gcd(b a mod b)

bull a mod b = r = a-qb 0ltrltb bull Hint a|b b|a a = b

bull Definition if gcd(ab)=1 then a and b are relatively prime(coprime)

Zhijun Li S1034040Autumn08HIT 10

Finding GCD

bull Theorem a=i pi

ai b=i pi

bi

gcd(ab)= i pi

min(ai bi)

bull Example

a=882=2 32 72

b=3465=33 5 7 11

gcd(ab)= 32 7 = 63

bull Complexityndash Need factoring the a and b ndash T(n) = O(cO(n))

Zhijun Li S1034040Autumn08HIT 11

Euclidean Algorithm Example

1970 = 1 x 1066 + 904 gcd(1066 904)1066 = 1 x 904 + 162 gcd(904 162)904 = 5 x 162 + 94 gcd(162 94)162 = 1 x 94 + 68 gcd(94 68)94 = 1 x 68 + 26 gcd(68 26)68 = 2 x 26 + 16 gcd(26 16)26 = 1 x 16 + 10 gcd(16 10)16 = 1 x 10 + 6 gcd(10 6)10 = 1 x 6 + 4 gcd(6 4)6 = 1 x 4 + 2 gcd(4 2)4 = 2 x 2 + 0 gcd(2 0)

GCD(19701066)

Zhijun Li S1034040Autumn08HIT 12

Euclidean Algorithm

bull Step 1 r0 =a and r1 =b

bull Step 2 r0 =q1r1+ r2

r1 =q2r2+ r3

helliphellip

rn-2 = qn-1rn-1+ rn

until rn=0 and rn-1 0

bull Step 3 rn-1 = gcd(ab)

Zhijun Li S1034040Autumn08HIT 13

Euclidean Algorithm Proof

bull rn = 0 rn-1| rn-2

rn-1| rn-3 hellip rn-1| a and rn-1| b

rn-1| gcd(ab)

bull gcd(ab)| r0 and gcd(ab)|r1

gcd(ab) | r0 ndash q1r1 gcd(ab)| r2

hellip gcd(ab) | rn-1

bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1

Zhijun Li S1034040Autumn08HIT 14

Euclidean Algorithm Complexity

bull Time Complexityndash Iteration

bull Each rigt1 iteration = O(log2a)

ndash Division

bull O(log22a)

ndash T(n)=O(log32n)

Zhijun Li S1034040Autumn08HIT 15

Modular Arithmetic

bull Why modular arithmetic

01100hellip0100

Plaintext 2n

11010hellip0111

Ciphertext 2n

+ addition multiplication

Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite

Zhijun Li S1034040Autumn08HIT 16

Modular Operation

bull Definition a mod n(modulo operator) is the remainder when a is divided by n

bull a mod n is r a=qn+r (0ltrltn)

Zhijun Li S1034040Autumn08HIT 17

Congruence Modulo n

bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)

Zhijun Li S1034040Autumn08HIT 18

Congruence Properties

bull Propertiesndash a b (mod n) c d (mod n)

a+c b+d (mod n)

ac bd (mod n)ndash Example

10 1 mod 9 102 1 mod 9 hellip

a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9

ndash a b (mod n) d|n a b (mod d)

Zhijun Li S1034040Autumn08HIT 19

Congruence Relation

bull Congruence relation is an equivalence relationndash Reflexive

bull a andash Symmetric

bull a b b a ndash Transitive

bull a b b c a c

bull Equivalence relation Partition

Zhijun Li S1034040Autumn08HIT 20

Example Integers Modulo 7

bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence

Z7 residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

bull Definition if a b mod n and bltn b is called a residue of a modulo n

bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i

n the set satisfies bri mod n

bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele

ment is relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues Example

bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379

bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1

bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n

bull Proof Let a=q1n+r1 b=q2n+r2

bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n

ndash [(a mod n) (b mod n)] mod n = (ab) mod n

bull (+ ) (-)

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)

What

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )

NOT all elements in Z8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n

bull ((-a)+a+b) ((-a)+a+c) mod n

bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8

ndash When

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n

bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists

bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=

0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
    10010111
    1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: compute 02·87
  • 87 = 10000111, f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010, f(x) = x
  • 02·87: x·f(x) = x(x^7 + x^2 + x + 1) mod p(x)
                 = x^8 + x(x^2 + x + 1) mod p(x)

• In general, x·f(x) = 02·(b7 b6 b5 b4 b3 b2 b1 b0) is
  – (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
  – (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1
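The polynomial arithmetic of the last few slides (reduction modulo p(x) in Z2[x]/(x^3+x+1), the inverse found with the Extended Euclidean Algorithm, and the AES field with its "multiply by 02" rule), as an added worked example; this is not code from the slides or from AES itself. A polynomial over Z2 is stored as a Python int whose bit i is the coefficient of x^i, so 0b1011 is x^3+x+1 and 0x11b is the AES polynomial; all function names are my own. The code reproduces the slide values (x^4+1 ≡ x^2+x+1, (x^2+1)^-1 = x, (01010011)^-1 = 11001010) and computes the product 02·87 that the slide leaves to the reader, and it also checks the point of the irreducibility condition: with a reducible p(x) some residues have no inverse, so the quotient is not a field.

```python
# Added example (not from the slides): arithmetic in Z2[x]/(p(x)) = GF(2^n).
# A GF(2) polynomial is a Python int whose bit i is the coefficient of x^i,
# e.g. 0b1011 = x^3 + x + 1 and 0x11b = x^8 + x^4 + x^3 + x + 1 (AES).

def poly_deg(a: int) -> int:
    """Degree of a GF(2) polynomial; the zero polynomial gets -1."""
    return a.bit_length() - 1

def poly_mul(a: int, b: int) -> int:
    """Multiply two GF(2) polynomials without reduction (carry-less multiply)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a: int, b: int):
    """Long division a = q*b + r in GF(2)[x] with deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r = 0, a
    while poly_deg(r) >= poly_deg(b):
        shift = poly_deg(r) - poly_deg(b)
        q ^= 1 << shift        # add x^shift to the quotient
        r ^= b << shift        # cancel the leading term of r
    return q, r

def gf_mul(a: int, b: int, p: int) -> int:
    """Multiplication in Z2[x]/(p(x)): multiply, then reduce modulo p(x)."""
    return poly_divmod(poly_mul(a, b), p)[1]

def gf_inv(a: int, p: int) -> int:
    """Inverse via the Extended Euclidean Algorithm on polynomials (the hint on
    the Properties slide). Invariant: r_i = t_i * a (mod p); once r_i = 1,
    t_i mod p is the inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1, t0, t1 = p, a, 0, 1
    while r1 != 1:
        q, r = poly_divmod(r0, r1)
        if r == 0:             # gcd(a, p) != 1: p(x) is reducible, a is a zero divisor
            raise ValueError(f"{a:#b} has no inverse modulo {p:#b}")
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ poly_mul(q, t1)
    return poly_divmod(t1, p)[1]

def is_field(p: int) -> bool:
    """Z2[x]/(p(x)) is a field iff every nonzero residue is invertible,
    which is exactly the case when p(x) is irreducible."""
    try:
        return all(gf_mul(a, gf_inv(a, p), p) == 1 for a in range(1, 1 << poly_deg(p)))
    except ValueError:
        return False

def xtime(b: int) -> int:
    """AES 'multiply by 02' on one byte: shift left, and if b7 was set
    reduce by XORing the low byte of p(x), 0x1b."""
    b <<= 1
    if b & 0x100:
        b ^= 0x11b
    return b & 0xff

def poly_str(a: int) -> str:
    """Render a GF(2) polynomial as text, e.g. 0b111 -> 'x^2 + x + 1'."""
    if a == 0:
        return "0"
    terms = [{0: "1", 1: "x"}.get(i, f"x^{i}")
             for i in range(poly_deg(a), -1, -1) if (a >> i) & 1]
    return " + ".join(terms)

if __name__ == "__main__":
    P3 = 0b1011                                    # x^3 + x + 1 from the example slide
    print(poly_str(poly_divmod(0b10001, P3)[1]))   # x^4 + 1 mod p(x) -> x^2 + x + 1
    print(poly_str(gf_inv(0b101, P3)))             # (x^2 + 1)^-1 -> x
    print(is_field(P3), is_field(0b1001))          # x^3+x+1 irreducible; x^3+1 = (x+1)(x^2+x+1) is not
    AES = 0x11b
    print(f"{gf_inv(0x53, AES):08b}")              # 11001010, the AES slide's inverse
    print(f"{xtime(0x87):02x}", f"{gf_mul(0x02, 0x87, AES):02x}")  # 02*87 both ways
```

The `is_field` check is the practical reason the definition insists on an irreducible p(x): with x^3+1 the residue x+1 divides p(x), so `gf_inv` hits a zero remainder and no inverse exists; with x^3+x+1 every nonzero residue inverts, which is what makes the quotient a field. `xtime` is the byte-level form of the "if b7 = 1 then XOR 00011011" rule, and the last line confirms it agrees with the general multiplication.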

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• P = M^L = { m = (m1, m2, …, mL) | mi ∈ M }
  – M = {ai}, i = 1, 2, …, N, with p(ai) ≥ 0 and Σ_{i=1}^{N} p(ai) = 1

• K = B^R = { b = (b1, b2, …, bR) | bi ∈ B }
  – B = {bi}, i = 1, 2, …, S, with p(bi) ≥ 0 and Σ_{i=1}^{S} p(bi) = 1

• C = { c | c = ek(m), k ∈ K, m ∈ M }

[Figure: Sender → Encryption (m to c) → Decryption → Receiver; the key k reaches both ends from the Key Space (K) over a Secure Channel; Cryptanalysis observes c and tries to recover m; Message Space (P), Ciphertext Space (C)]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."

R. G. Gallager

Claude Shannon, 1916-2001

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k]·Pr[m = dk(c)]
  – C(k) = { ek(m) | m ∈ P }

• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]

• Pr[P = m | C = c]
    = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
    = ( Pr(m)·Σ_{k | m = dk(c)} Pr(k) ) / Σ_{k ∈ K, c ∈ C(k)} Pr(k)·Pr(dk(c))

Shannon Security

• Basic Idea: Ciphertext should provide no "information" about Plaintext
  – How to define the "information"?

• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P,
    ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y

Proof of the "if" direction

• Pr[x = x | y = y] = Σ_{k ∈ K, x = dk(y)} Pr[K = k]·Pr[x = x]  /  Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = dk(y)]

• Numerator: Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K|, since exactly one key maps x to y and every key has probability 1/|K|

• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = dk(y)] = 1/|K| · Σ_{k ∈ K, y ∈ C(k)} Pr[x = dk(y)] = 1/|K| · Σ_{x ∈ P} Pr[x = x] = 1/|K|

• Hence Pr[x = x | y = y] = Pr[x = x], i.e. perfect secrecy

Proof of the "only if" direction (1)

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]

• Fix x ∈ P, y ∈ C: we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y

• |{ ek(x) | k ∈ K }| = |C| = |K|
  – There are no k1 ≠ k2 with ek1(x) = ek2(x)
  – So there is a unique key k such that ek(x) = y

Proof of the "only if" direction (2)

• Let n = |K| and P = { xi | 1 ≤ i ≤ n }

• Given a fixed y, let k1, k2, …, kn be the keys with eki(xi) = y

• Pr[xi | y] = Pr[y | xi]·Pr[xi] / Pr[y] = Pr[K = ki]·Pr[xi] / Pr[y]

• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c, for every m:
      Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
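The formulas of the "Probability Distribution of C" slide and the perfect-secrecy definition, evaluated exactly on small ciphers, as an added example that is not part of the slides. The cipher is a constructed shift cipher on Z_5, the skewed plaintext distribution and the biased key distribution are constructed sample data, and the helper names are my own. The three verdicts illustrate the theorem and the "Bad News" slide in turn: uniform keys give perfect secrecy even for a skewed plaintext prior; a key distribution that is not 1/|K| breaks it; and reusing one key for a two-symbol message (|K| = 5 < |P| = 25) breaks it as well.

```python
# Added example (not from the slides): evaluating Pr[C=c], Pr[C=c|P=m] and
# Pr[P=m|C=c] exactly (with Fractions) for small ciphers, and testing the
# perfect-secrecy condition Pr[P=m|C=c] = Pr[P=m] for every m and c.
from fractions import Fraction
from itertools import product

def ciphertext_dist(pr_p, pr_k, enc):
    """Pr[C=c] = sum over k with c in C(k) of Pr[K=k]*Pr[P=d_k(c)].  Summing
    over all (m, k) pairs with e_k(m) = c is the same sum without needing d_k."""
    pr_c = {}
    for (m, pm), (k, pk) in product(pr_p.items(), pr_k.items()):
        c = enc(k, m)
        pr_c[c] = pr_c.get(c, Fraction(0)) + pm * pk
    return pr_c

def posterior(pr_p, pr_k, enc, m, c):
    """Pr[P=m | C=c] = Pr[C=c | P=m] * Pr[P=m] / Pr[C=c]  (Bayes, as on the slide)."""
    pr_c_given_m = sum((pk for k, pk in pr_k.items() if enc(k, m) == c), Fraction(0))
    return pr_c_given_m * pr_p[m] / ciphertext_dist(pr_p, pr_k, enc)[c]

def is_perfectly_secret(pr_p, pr_k, enc):
    """Shannon security: the posterior equals the prior for every plaintext m
    and every ciphertext c that can occur."""
    pr_c = ciphertext_dist(pr_p, pr_k, enc)
    return all(posterior(pr_p, pr_k, enc, m, c) == pm
               for m, pm in pr_p.items() for c in pr_c)

def uniform(items):
    """Uniform distribution over a finite collection."""
    items = list(items)
    return {x: Fraction(1, len(items)) for x in items}

# Constructed sample cipher: a shift cipher on Z_5, one symbol per message.
N = 5
def shift_enc(k, m):
    return (m + k) % N

# Constructed skewed plaintext prior, so that the posterior is not trivially uniform.
SKEWED_P = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8),
            3: Fraction(1, 16), 4: Fraction(1, 16)}
# Constructed key distribution favouring k = 0: violates "every key with
# probability 1/|K|" from the Perfect Secrecy Theorem.
BIASED_K = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
            3: Fraction(1, 8), 4: Fraction(1, 8)}

def shift_enc_two_symbols(k, m):
    """One key from Z_5 reused for a two-symbol message: |K| = 5 < |P| = 25,
    which the 'Bad News' theorem rules out for perfect secrecy."""
    return ((m[0] + k) % N, (m[1] + k) % N)

def report():
    """Verdicts for (uniform keys, biased keys, one key reused for two symbols)."""
    return (is_perfectly_secret(SKEWED_P, uniform(range(N)), shift_enc),
            is_perfectly_secret(SKEWED_P, BIASED_K, shift_enc),
            is_perfectly_secret(uniform(product(range(N), repeat=2)),
                                uniform(range(N)), shift_enc_two_symbols))

if __name__ == "__main__":
    print(report())                                        # (True, False, False)
    # With biased keys, seeing c = 0 raises the odds of m = 0 from 1/2 to 4/5.
    print(posterior(SKEWED_P, BIASED_K, shift_enc, 0, 0))  # 4/5
```

Because `posterior` recomputes the full ciphertext distribution, the check is quadratic in |P|·|K|, which is fine for a toy cipher but is also the reason the definition is only ever verified by proof, never by enumeration, for real key spaces.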

Introduction to Complexity

• Perfect Secrecy ⇒ key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – E.g. cannot use a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Means that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is given by a transition function S × B → S × B × {l, r}
  – where S is the set of States, B the set of tape Characters, l is shift left and r is shift right

[Figure: a tape "… 0 1 1 0 0 0 1 1 …" read by a State Machine]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; each instance is the Input to an ALGORITHM, which produces the Output]

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) grows at least as fast as a^n for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problems

• Undecidable (provably intractable)
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem

• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: A·B
  – NP: can be solved in polynomial time using an NDTM (the transition maps S × B to a set of possible moves, i.e. into 2^(S × B × {l, r}))
  – BPP: can be "solved" in polynomial time using a PTM (the transition also reads a random bit: S × B × {0, 1} → S × B × {l, r}) (Randomized algorithms)

NP Problem

• NP ⊇ P: A problem is solved by the NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P Problem ⊆ NP Problem
  – NP Problem is "more difficult" by intuition

• NPC: The most difficult problems in NP
  – How to define the difficulty?
  – P problem is considered as easy problem

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP and I1+ and I2+ are all 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
  – Q2 is more complex than Q1
  – Denoted as Q1 ≤poly Q2

NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC?
  – SAT ≤poly Q

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?

• If P = NP
  – Modern cryptography is NOT secure

• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are foundations of modern cryptography

BPP

• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms

• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)

• DLP: Find x satisfying g^x ≡ h (mod p)

• DHP: Find g^ab (mod p) from g^a (mod p) and g^b (mod p)

• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: Decide whether a is a quadratic residue modulo n

• SQROOT: Find x satisfying x^2 ≡ a (mod n)
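Toy instances of the problems on this slide, solved by brute force on a small prime, as an added example that is not part of the slides. It also makes the "Polynomial Reduction" slide concrete: `dhp_via_dlp` shows DHP ≤poly DLP, since any algorithm for DLP gives one for DHP at the cost of a single extra modular exponentiation. The prime p = 23 with generator g = 5 and the subset-sum instance are constructed sample parameters and the function names are my own; the `sqroot` shortcut only applies to primes p ≡ 3 (mod 4), which is an assumption stated in the code.

```python
# Added example (not from the slides): toy instances of FACTORING, DLP, DHP,
# Subset-Sum, QRP and SQROOT on small constructed parameters, plus the
# reduction DHP <=poly DLP.  At real sizes the exhaustive searches below are
# infeasible, which is exactly why these problems underpin cryptography.

def factor(n):
    """FACTORING by trial division: returns [(p1, e1), (p2, e2), ...]."""
    out, d = [], 2
    while d * d <= n:
        e = 0
        while n % d == 0:
            n //= d
            e += 1
        if e:
            out.append((d, e))
        d += 1
    if n > 1:
        out.append((n, 1))
    return out

def dlp(g, h, p):
    """DLP: find x with g^x = h (mod p) by exhaustive search over 0..p-2."""
    for x in range(p - 1):
        if pow(g, x, p) == h:
            return x
    return None

def dhp_via_dlp(g, ga, gb, p):
    """DHP <=poly DLP: recover a from g^a with a DLP solver, then g^(ab) = (g^b)^a."""
    a = dlp(g, ga, p)
    return None if a is None else pow(gb, a, p)

def is_qr(a, p):
    """QRP for an odd prime p (Euler's criterion): a is a residue iff a^((p-1)/2) = 1."""
    return pow(a, (p - 1) // 2, p) == 1

def sqroot(a, p):
    """SQROOT modulo a prime p = 3 (mod 4) (assumption): x = a^((p+1)/4), then
    verify x^2 = a; returns None when a is not a residue."""
    assert p % 4 == 3, "shortcut only valid for p = 3 (mod 4)"
    x = pow(a, (p + 1) // 4, p)
    return x if x * x % p == a % p else None

def subset_sum(A, s):
    """Subset-Sum: a subset of A summing to s, or None (DP over reachable sums)."""
    reach = {0: []}
    for a in A:
        for t, sub in list(reach.items()):
            if t + a <= s and t + a not in reach:
                reach[t + a] = sub + [a]
    return reach.get(s)

if __name__ == "__main__":
    p, g = 23, 5            # constructed: 23 is prime and 5 generates Z_23^*
    a, b = 6, 15            # constructed secret exponents
    ga, gb = pow(g, a, p), pow(g, b, p)
    print(factor(882))                                    # [(2, 1), (3, 2), (7, 2)]
    print(dlp(g, ga, p))                                  # 6
    print(dhp_via_dlp(g, ga, gb, p), pow(g, a * b, p))    # 2 2
    print(is_qr(2, p), is_qr(5, p))                       # True False
    print(sqroot(2, p))                                   # 18  (18^2 = 324 = 2 mod 23)
    print(subset_sum([3, 34, 4, 12, 5, 2], 9))            # [4, 5]
```

Note the direction of the reduction: solving DLP suffices for DHP, which is what the slide's ordering "Q2 is more complex than Q1" expresses when Q1 = DHP and Q2 = DLP; whether DHP is as hard as DLP in general is a separate question.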

Semantic Security

• Ideas of Semantic Security
  – Between Shannon security and security based on Complexity
  – Leak partial information
  – Approximate perfect secrecy

• Definition of Semantic Security
  – Indistinguishability of Ciphertexts
  – Difficult to distinguish ciphertexts for different plaintexts
  – Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

[Figure: the IND-CPA game between Challenger and Adversary]
  Challenger: picks random k and picks random b ∈ {0, 1}
  Adversary: picks M0, M1 of equal length
  Challenger: returns the encryption of Mb under k
  Adversary: outputs a guess b'
  Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

[Figure: the bit-security game between Challenger and Adversary]
  Challenger: 1. picks random k; 2. picks random M; returns the encryption of M under k
  Adversary: 3. picks i and outputs a guess a
  Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
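A simulation of the two games on the IND-CPA and Bit Secure slides and of the reduction sketched in the proof above, as an added example that is not part of the slides. The adversary that guesses one plaintext bit is turned into an IND-CPA adversary by choosing M0 and M1 that differ only in the targeted bit, so a correct bit guess is a correct guess of b. Both "ciphers" are constructed toys: an XOR pad on 8-bit messages, and a deliberately leaky variant that copies bit 0 of the message into the ciphertext; the game functions and names are my own, and the win rates are estimated by sampling with a fixed seed.

```python
# Added example (not from the slides): simulating the IND-CPA game and the
# bit-security game, and the reduction "bit-security attacker -> IND-CPA
# attacker" from the proof sketch.  Both ciphers are constructed toys.
import random

BITS = 8                       # message and key length in bits

def otp_enc(k, m):
    """XOR pad on one 8-bit block (a fresh random k per game round)."""
    return m ^ k

def leaky_enc(k, m):
    """Constructed leaky toy cipher: like otp_enc, but bit 0 of m is copied
    into the ciphertext unmasked, so bit 0 is always recoverable."""
    return ((m ^ k) & ~1) | (m & 1)

# A bit-security adversary is a pair (i, guess): the bit index it targets and a
# function from ciphertext to a guess of that bit.  This one reads bit 0 of c.
BIT_ATTACKER = (0, lambda c: c & 1)

def bit_game(enc, attacker, trials, rng):
    """Bit Secure game: the challenger picks k and M, the attacker picks i and
    guesses bit i of M from the ciphertext.  Returns the observed win rate."""
    i, guess = attacker
    wins = 0
    for _ in range(trials):
        k, m = rng.randrange(1 << BITS), rng.randrange(1 << BITS)
        wins += guess(enc(k, m)) == (m >> i) & 1
    return wins / trials

def ind_cpa_attacker_from(attacker):
    """The reduction: an IND-CPA adversary that picks M0, M1 differing only in
    the bit i the bit-attacker targets, and outputs that attacker's bit guess as b'."""
    i, guess = attacker
    def choose_messages(rng):
        m0 = rng.randrange(1 << BITS) & ~(1 << i)   # bit i cleared
        return m0, m0 | (1 << i)                    # same message with bit i set
    return choose_messages, guess

def ind_cpa_game(enc, adversary, trials, rng):
    """IND-CPA game (eavesdropper version on the slide): challenger picks k and
    b, adversary picks M0, M1 of equal length, sees E(k, Mb), guesses b."""
    choose_messages, guess = adversary
    wins = 0
    for _ in range(trials):
        k, b = rng.randrange(1 << BITS), rng.randrange(2)
        m0, m1 = choose_messages(rng)
        wins += guess(enc(k, (m0, m1)[b])) == b
    return wins / trials

def run(trials=2000, seed=1):
    """Win rates: (bit game vs leaky, bit game vs pad, IND-CPA vs leaky, IND-CPA vs pad)."""
    rng = random.Random(seed)
    cpa_adversary = ind_cpa_attacker_from(BIT_ATTACKER)
    return (bit_game(leaky_enc, BIT_ATTACKER, trials, rng),
            bit_game(otp_enc, BIT_ATTACKER, trials, rng),
            ind_cpa_game(leaky_enc, cpa_adversary, trials, rng),
            ind_cpa_game(otp_enc, cpa_adversary, trials, rng))

if __name__ == "__main__":
    # The leaky cipher loses both games with rate 1.0; the pad stays near 0.5,
    # because with a random k the guessed bit equals the true bit only when
    # the pad bit happens to be 0.
    print(run())
```

The reduction preserves the adversary's advantage exactly: in every round the IND-CPA adversary wins precisely when the underlying bit-attacker would have won, which is the content of the slide's claim that (t, ε) IND-CPA security implies (t, ε) bit security.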

Summary

• Number Theory
  – Prime, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date


Zhijun Li S1034040Autumn08HIT 9

Greatest Common Divisor

bull Definition the greatest common divisor(GCD) is the number c

c=gcd(ab)=maxd|d|ad|bbull Properties

ndash d|n1d|n2hellipd|nk d|gcd(n1n2hellipnk)ndash gcd(ab) = gcd(b a mod b)

bull a mod b = r = a-qb 0ltrltb bull Hint a|b b|a a = b

bull Definition if gcd(ab)=1 then a and b are relatively prime(coprime)

Zhijun Li S1034040Autumn08HIT 10

Finding GCD

bull Theorem a=i pi

ai b=i pi

bi

gcd(ab)= i pi

min(ai bi)

bull Example

a=882=2 32 72

b=3465=33 5 7 11

gcd(ab)= 32 7 = 63

bull Complexityndash Need factoring the a and b ndash T(n) = O(cO(n))

Zhijun Li S1034040Autumn08HIT 11

Euclidean Algorithm Example

1970 = 1 x 1066 + 904 gcd(1066 904)1066 = 1 x 904 + 162 gcd(904 162)904 = 5 x 162 + 94 gcd(162 94)162 = 1 x 94 + 68 gcd(94 68)94 = 1 x 68 + 26 gcd(68 26)68 = 2 x 26 + 16 gcd(26 16)26 = 1 x 16 + 10 gcd(16 10)16 = 1 x 10 + 6 gcd(10 6)10 = 1 x 6 + 4 gcd(6 4)6 = 1 x 4 + 2 gcd(4 2)4 = 2 x 2 + 0 gcd(2 0)

GCD(19701066)

Zhijun Li S1034040Autumn08HIT 12

Euclidean Algorithm

bull Step 1 r0 =a and r1 =b

bull Step 2 r0 =q1r1+ r2

r1 =q2r2+ r3

helliphellip

rn-2 = qn-1rn-1+ rn

until rn=0 and rn-1 0

bull Step 3 rn-1 = gcd(ab)

Zhijun Li S1034040Autumn08HIT 13

Euclidean Algorithm Proof

bull rn = 0 rn-1| rn-2

rn-1| rn-3 hellip rn-1| a and rn-1| b

rn-1| gcd(ab)

bull gcd(ab)| r0 and gcd(ab)|r1

gcd(ab) | r0 ndash q1r1 gcd(ab)| r2

hellip gcd(ab) | rn-1

bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1

Zhijun Li S1034040Autumn08HIT 14

Euclidean Algorithm Complexity

bull Time Complexityndash Iteration

bull Each rigt1 iteration = O(log2a)

ndash Division

bull O(log22a)

ndash T(n)=O(log32n)

Zhijun Li S1034040Autumn08HIT 15

Modular Arithmetic

bull Why modular arithmetic

01100hellip0100

Plaintext 2n

11010hellip0111

Ciphertext 2n

+ addition multiplication

Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite

Zhijun Li S1034040Autumn08HIT 16

Modular Operation

bull Definition a mod n(modulo operator) is the remainder when a is divided by n

bull a mod n is r a=qn+r (0ltrltn)

Zhijun Li S1034040Autumn08HIT 17

Congruence Modulo n

bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)

Zhijun Li S1034040Autumn08HIT 18

Congruence Properties

bull Propertiesndash a b (mod n) c d (mod n)

a+c b+d (mod n)

ac bd (mod n)ndash Example

10 1 mod 9 102 1 mod 9 hellip

a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9

ndash a b (mod n) d|n a b (mod d)

Zhijun Li S1034040Autumn08HIT 19

Congruence Relation

bull Congruence relation is an equivalence relationndash Reflexive

bull a andash Symmetric

bull a b b a ndash Transitive

bull a b b c a c

bull Equivalence relation Partition

Zhijun Li S1034040Autumn08HIT 20

Example Integers Modulo 7

bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence

Z7 residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

bull Definition if a b mod n and bltn b is called a residue of a modulo n

bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i

n the set satisfies bri mod n

bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele

ment is relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues Example

bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379

bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1

bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n

bull Proof Let a=q1n+r1 b=q2n+r2

bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n

ndash [(a mod n) (b mod n)] mod n = (ab) mod n

bull (+ ) (-)

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)

What

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )

NOT all elements in Z8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n

bull ((-a)+a+b) ((-a)+a+c) mod n

bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8

ndash When

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n

bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists

bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=

0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

• Perfect secrecy ⇒ key length ≥ message length
  – Cannot use one key to encrypt many messages
  – e.g. cannot use a 56-bit key to encrypt a document (> 56 bits)

• So, in modern cryptography
  – NOT perfect secrecy
  – but secure against an adversary with limited resources (complexity)
  – meaning that key (or plaintext) recovery is computationally difficult
  – Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Zhijun Li S1034040Autumn08HIT 81

Turing Machine

• Definition: a Turing Machine is given by a transition function $S \times B \to S \times B \times \{l, r\}$
  – where S is the set of states, B the set of tape characters, l is "shift left" and r is "shift right"

[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a state machine]

Zhijun Li S1034040Autumn08HIT 82

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: an algorithm is said to solve a problem if it produces the correct answer for every instance of the problem

Zhijun Li S1034040Autumn08HIT 83

Problems and Algorithms

[Figure: a PROBLEM has many INSTANCES; an ALGORITHM takes an instance as Input and produces the answer as Output]

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine than that of an algorithm
  – It relies on mathematical analysis

• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

• Undecidable – provably intractable
  – there is no algorithm that solves it
  – e.g. the Turing halting problem

• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: A, B [diagram not recovered]
  – NP – can be solved in polynomial time using an NDTM (transition relation $S \times B \to 2^{S}$: several possible next states)
  – BPP – can be "solved" in polynomial time using a PTM ($S \times B \times \{0, 1\} \to S$: the next state may depend on a random bit; randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

• NP: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P ⊆ NP
  – NP problems are "more difficult", by intuition

• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: assume Q1, Q2 ∈ NP with instance sets I1, I2, and let I1+ ⊆ I1 and I2+ ⊆ I2 be the 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  – f is computable in polynomial time by a DTM
  – for all x ∈ I1: x ∈ I1+ iff f(x) ∈ I2+

• Note
  – Q2 is at least as complex as Q1
  – Denoted Q1 ≤_poly Q2

Zhijun Li S1034040Autumn08HIT 89

NP Completeness (NPC)

• Definition: an NPC problem is a Q_c ∈ NP such that for every Q ∈ NP we have Q ≤_poly Q_c

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC
  – show SAT ≤_poly Q

Zhijun Li S1034040Autumn08HIT 90

P=NP

• Either P = NP, or there is a problem p ∈ NP with p ∉ P

• If P = NP
  – modern cryptography is NOT secure

• If there is p ∈ NP with p ∉ P
  – a one-way function can be built based on p
  – indistinguishable pseudorandom functions exist
  – these are the foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

• There are randomized algorithms in cryptography
  – especially in cryptanalysis
  – BPP is the model for randomized algorithms

• Remarks on BPP
  – the problem is solved with some error probability
  – the error probability can be reduced by repetition
  – the security of cryptography is meaningful under BPP
  – will be analyzed in depth later

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: factorize $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$

• DLP: find x satisfying $g^x \equiv h \pmod p$ for given g, h

• DHP: find $g^{ab} \pmod p$ from $g^a \pmod p$ and $g^b \pmod p$

• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying $x^2 \equiv a \pmod n$
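To make the problems above concrete, here is an added example, not from the slides, that solves constructed tiny instances of them by exhaustive search, which is exactly the exponential-time baseline the complexity discussion is about. It goes a little beyond the slide by also showing two of the reductions between these problems: DHP is solved from one DLP solution, and two different square roots of the same a modulo a composite n give a factor of n. The parameters p = 23 with generator g = 5, the subset-sum instance, and n = 15 are constructed inputs.

```python
from math import gcd

def dlp_bruteforce(g, h, p):
    """DLP instance (g, h, p): find x with g^x ≡ h (mod p) by trying x = 0, 1, 2, …
    The work is O(p), i.e. exponential in the bit length of p."""
    acc = 1
    for x in range(p):
        if acc == h % p:
            return x
        acc = acc * g % p
    return None

def dhp_via_dlp(g, ga, gb, p):
    """DHP instance (g, g^a, g^b, p): recover g^{ab} by solving one DLP for a.
    This is the reduction DHP ≤_poly DLP: whoever solves DLP also solves DHP."""
    a = dlp_bruteforce(g, ga, p)
    return pow(gb, a, p)

def subset_sum_bruteforce(A, s):
    """Subset-Sum instance (A, s): try all 2^n subsets; return a witness subset or None."""
    n = len(A)
    for mask in range(1 << n):
        chosen = [A[i] for i in range(n) if (mask >> i) & 1]
        if sum(chosen) == s:
            return chosen
    return None

def sqroots(a, n):
    """SQROOT instance (a, n): every x in Z_n with x^2 ≡ a (mod n), by exhaustive search."""
    return [x for x in range(n) if x * x % n == a % n]

def is_quadratic_residue(a, n):
    """QRP instance (a, n): a is a quadratic residue modulo n iff some square equals a."""
    return any(x * x % n == a % n for x in range(n))

def factor_from_two_roots(n, x1, x2):
    """Two square roots of the same value with x1 ≢ ±x2 (mod n) reveal the
    nontrivial factor gcd(x1 − x2, n) of a composite n (FACTORING ≤_poly SQROOT)."""
    if (x1 - x2) % n == 0 or (x1 + x2) % n == 0:
        return None
    return gcd(x1 - x2, n)

def demo():
    p, g = 23, 5                                 # constructed: 5 generates Z_23^*
    x = dlp_bruteforce(g, 8, p)                  # 5^6 ≡ 8 (mod 23), so x = 6
    shared = dhp_via_dlp(g, 8, 19, p)            # 5^6 ≡ 8, 5^15 ≡ 19, so g^{ab} = 5^90 ≡ 2
    subset = subset_sum_bruteforce([3, 34, 4, 12, 5, 2], 9)   # first witness found: [4, 5]
    roots = sqroots(4, 15)                       # [2, 7, 8, 13]: four roots since 15 = 3·5
    factor = factor_from_two_roots(15, roots[0], roots[1])    # gcd(2 − 7, 15) = 5
    return x, shared, subset, roots, factor

if __name__ == "__main__":
    print(demo())   # (6, 2, [4, 5], [2, 7, 8, 13], 5)
```

Every solver here is exponential in the input size (p, 2^n or n), which is fine for these instances and hopeless at cryptographic sizes; that gap is what the following slides on complexity classes formalize.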

Zhijun Li S1034040Autumn08HIT 93

Semantic Security

• Ideas of semantic security
  – between Shannon security and security based on complexity
  – may leak partial information
  – approximates perfect secrecy

• Definition of semantic security
  – indistinguishability of ciphertexts
  – difficult to distinguish the ciphertexts of different plaintexts
  – difficult to distinguish ciphertext from random bits

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

  Challenger                                   Adversary
  picks random k and random b ∈ {0, 1}
                                               (may ask for encryptions of plaintexts of its choice)
                                               picks M0, M1 of equal length
  sends the encryption of M_b under k
                                               outputs a guess b'

  Attacker wins the game if b = b'

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

  Challenger                        Adversary
  1. picks random k
  2. picks random M
  sends the encryption of M under k
                                    3. picks i
                                    outputs a guess a for the i'th bit of M

  Attacker wins the game if a = the i'th bit of M

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
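The IND-CPA game above, as an added example that is not part of the slides: two constructed toy ciphers play the game against an adversary that first asks the encryption oracle for M0 and then submits the pair (M0, M1). The deterministic cipher (a key stream fixed by the key alone, like a reused pad) loses every game, while the randomized one (a fresh nonce per encryption, pad derived with HMAC-SHA256) leaves the adversary at about 0.5. The cipher constructions, the message strings and the trial counts are assumptions made for the demonstration.

```python
import hashlib
import hmac
import random

KEYLEN = 16
NONCELEN = 16

def det_encrypt(key, msg, rng):
    """Deterministic toy cipher: XOR msg with a key stream derived from the key only.
    Equal plaintexts under one key give equal ciphertexts (rng is unused)."""
    stream = hashlib.sha256(key + b"keystream").digest()
    return bytes(m ^ s for m, s in zip(msg, stream))

def rnd_encrypt(key, msg, rng):
    """Randomized toy cipher: fresh random nonce r per call, pad = HMAC-SHA256(key, r),
    ciphertext = r || (msg XOR pad). Demo construction for messages up to 32 bytes."""
    r = bytes(rng.getrandbits(8) for _ in range(NONCELEN))
    pad = hmac.new(key, r, hashlib.sha256).digest()
    return r + bytes(m ^ s for m, s in zip(msg, pad))

def repeat_query_adversary(oracle):
    """Chosen-plaintext adversary: query the oracle on M0, then submit (M0, M1) and
    guess b' = 0 iff the challenge ciphertext equals the answer already seen."""
    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"    # equal length, as the game requires
    seen = oracle(m0)
    return m0, m1, (lambda challenge: 0 if challenge == seen else 1)

def ind_cpa_game(encrypt, adversary, rng, trials):
    """Play the IND-CPA game `trials` times; return the adversary's win rate."""
    wins = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(KEYLEN))   # challenger: random k
        b = rng.getrandbits(1)                                    # challenger: random b
        oracle = lambda m: encrypt(key, m, rng)                   # chosen-plaintext queries
        m0, m1, guess = adversary(oracle)                         # adversary: M0, M1
        challenge = encrypt(key, (m0, m1)[b], rng)                # challenger: E(k, M_b)
        if guess(challenge) == b:                                 # win iff b' = b
            wins += 1
    return wins / trials

def win_rates(seed=1, trials=400):
    """(win rate against the deterministic cipher, win rate against the randomized one)."""
    rng = random.Random(seed)
    return (ind_cpa_game(det_encrypt, repeat_query_adversary, rng, trials),
            ind_cpa_game(rnd_encrypt, repeat_query_adversary, rng, trials))

if __name__ == "__main__":
    print(win_rates())   # deterministic cipher: 1.0; randomized cipher: about 0.5
```

The adversary's advantage ε is the win rate minus 0.5: it is 0.5 for the deterministic cipher (so no (t, ε) with ε < 0.5 holds for it) and statistically indistinguishable from 0 for the randomized one. Note the game only captures confidentiality under chosen plaintexts; integrity and chosen-ciphertext attacks are separate notions.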

Zhijun Li S1034040Autumn08HIT 97

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Z_n, Z_p, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

• HTTP URL

http://cst.hit.edu.cn/cryptography

• Due Date

Zhijun Li S1034040Autumn08HIT 10

Finding GCD

• Theorem: if $a = \prod_i p_i^{a_i}$ and $b = \prod_i p_i^{b_i}$ then $\gcd(a, b) = \prod_i p_i^{\min(a_i, b_i)}$

• Example
  a = 882 = 2 · 3^2 · 7^2
  b = 3465 = 3^3 · 5 · 7 · 11
  gcd(a, b) = 3^2 · 7 = 63

• Complexity
  – needs the factorization of a and b
  – T(n) = O(c^{O(n)}), exponential in the bit length n

Zhijun Li S1034040Autumn08HIT 11

Euclidean Algorithm Example

gcd(1970, 1066)

1970 = 1 × 1066 + 904   gcd(1066, 904)
1066 = 1 × 904 + 162    gcd(904, 162)
904 = 5 × 162 + 94      gcd(162, 94)
162 = 1 × 94 + 68       gcd(94, 68)
94 = 1 × 68 + 26        gcd(68, 26)
68 = 2 × 26 + 16        gcd(26, 16)
26 = 1 × 16 + 10        gcd(16, 10)
16 = 1 × 10 + 6         gcd(10, 6)
10 = 1 × 6 + 4          gcd(6, 4)
6 = 1 × 4 + 2           gcd(4, 2)
4 = 2 × 2 + 0           gcd(2, 0) = 2

Zhijun Li S1034040Autumn08HIT 12

Euclidean Algorithm

• Step 1: r0 = a and r1 = b

• Step 2: r0 = q1 r1 + r2
          r1 = q2 r2 + r3
          ……
          r_{n−2} = q_{n−1} r_{n−1} + r_n
  until r_n = 0 and r_{n−1} ≠ 0

• Step 3: r_{n−1} = gcd(a, b)

Zhijun Li S1034040Autumn08HIT 13

Euclidean Algorithm Proof

• r_n = 0 ⇒ r_{n−1} | r_{n−2} ⇒ r_{n−1} | r_{n−3} ⇒ … ⇒ r_{n−1} | a and r_{n−1} | b
  ⇒ r_{n−1} | gcd(a, b)

• gcd(a, b) | r0 and gcd(a, b) | r1
  ⇒ gcd(a, b) | r0 − q1 r1 ⇒ gcd(a, b) | r2 ⇒ … ⇒ gcd(a, b) | r_{n−1}

• r_{n−1} | gcd(a, b) and gcd(a, b) | r_{n−1} ⇒ gcd(a, b) = r_{n−1}

Zhijun Li S1034040Autumn08HIT 14

Euclidean Algorithm Complexity

• Time complexity
  – Iterations
    • the remainders r_i decrease at every step; number of iterations = O(log2 a)
  – Division
    • O(log2^2 a)
  – T(n) = O(log2^3 n)

Zhijun Li S1034040Autumn08HIT 15

Modular Arithmetic

• Why modular arithmetic?

[Figure: a plaintext block 01100…0100 (one of 2^n values) is mapped to a ciphertext block 11010…0111 (one of 2^n values) using + (addition) and × (multiplication)]

Problems: (1) the set of plaintexts (and ciphertexts) is finite; (2) how to define the +, −, × operations on a finite set

Zhijun Li S1034040Autumn08HIT 16

Modular Operation

• Definition: a mod n (the modulo operator) is the remainder when a is divided by n

• a mod n = r ⇔ a = qn + r (0 ≤ r < n)

Zhijun Li S1034040Autumn08HIT 17

Congruence Modulo n

• Definition: integers a and b are congruent modulo n
  – if a mod n = b mod n
  – denoted a ≡ b (mod n)
  – Example: 100 ≡ 34 (mod 11)
  – a ≡ b (mod n) ⇔ a = b + kn ⇔ n | (a − b)

Zhijun Li S1034040Autumn08HIT 18

Congruence Properties

• Properties
  – a ≡ b (mod n), c ≡ d (mod n) ⇒
    a + c ≡ b + d (mod n)
    ac ≡ bd (mod n)
  – Example: 10 ≡ 1 (mod 9), 10^2 ≡ 1 (mod 9), …
    a = a_m 10^m + … + a_1 10 + a_0 ≡ a_m + … + a_1 + a_0 (mod 9)
  – a ≡ b (mod n), d | n ⇒ a ≡ b (mod d)

Zhijun Li S1034040Autumn08HIT 19

Congruence Relation

• The congruence relation is an equivalence relation
  – Reflexive: a ≡ a
  – Symmetric: a ≡ b ⇒ b ≡ a
  – Transitive: a ≡ b, b ≡ c ⇒ a ≡ c

• Equivalence relation ⇒ partition

Zhijun Li S1034040Autumn08HIT 20

Example: Integers Modulo 7

• Integers can always be written a = qn + r (0 ≤ r ≤ n − 1)

  -21 -20 -19 -18 -17 -16 -15
  -14 -13 -12 -11 -10  -9  -8
   -7  -6  -5  -4  -3  -2  -1
    0   1   2   3   4   5   6
    7   8   9  10  11  12  13
   14  15  16  17  18  19  20
   21  22  23  24  25  26  27
   28  29  30  31  32  33  34

  Each column is one congruence class modulo 7; the row 0 … 6 is Z_7, the residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

• Definition: if a ≡ b (mod n) and 0 ≤ b < n, then b is called the residue of a modulo n

• The complete set of residues modulo n
  – the set {r1, r2, …, rn} such that for every integer b exactly one r_i in the set satisfies b ≡ r_i (mod n)

• The reduced set of residues (RSR)
  – the subset of the complete set of residues whose elements are relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues Example

• n = 10
  – the complete set of residues is {0, 1, 2, …, 9}
  – the reduced set of residues is {1, 3, 7, 9}

• n = p (p a prime)
  – the complete set of residues is {0, 1, 2, …, p − 1}
  – the reduced set of residues is {1, 2, …, p − 1}

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

• We can define modular arithmetic on the set of integers Z_n = {0, 1, 2, …, n − 1}

• Under normal arithmetic (+, ×)
  – [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • Proof: let a = q1 n + r1, b = q2 n + r2
    • (a + b) mod n = (q1 n + r1 + q2 n + r2) mod n = (r1 + r2) mod n
  – [(a mod n) × (b mod n)] mod n = (ab) mod n

• From (+, ×) to (−, ÷)?

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Example
• (Z_8 = {0, 1, 2, …, 7}, +)

[Table: the addition table of Z_8, not recovered]

What?

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Example
• (Z_8 = {0, 1, 2, …, 7}, ×)

[Table: the multiplication table of Z_8, not recovered]

NOT all elements of Z_8 appear in every row

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

• Additive inverse: always exists
  – (a + (−a)) ≡ 0 (mod n), −a = n − a
  – if (a + b) ≡ (a + c) (mod n) then b ≡ c (mod n)
    • ((−a) + a + b) ≡ ((−a) + a + c) (mod n)

• Multiplicative inverse: does NOT always exist
  – Example: 6 in Z_8
  – When?

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular Arithmetic

• Definition: a^{-1} mod n is the multiplicative inverse of a ∈ {1, 2, …, n − 1} when a · a^{-1} ≡ 1 (mod n)

• Theorem: a^{-1} mod n exists if and only if gcd(a, n) = 1

• Lemma: if gcd(a, n) = 1 then ai ≢ aj (mod n) for all 0 ≤ i < j < n (i ≠ j)
  – Proof: assume ai ≡ aj (mod n) ⇒ n | a(i − j) ⇒ n | (i − j) ⇒ i − j = 0, a contradiction

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

• Proof

  ⇐
  – gcd(a, n) = 1 ⇒ a · {1, …, n − 1} mod n is a permutation of {1, …, n − 1}
  – so there exists exactly one i with ai ≡ 1 (mod n)
  – therefore i is a^{-1} mod n

  ⇒
  – suppose a^{-1} exists; call it x
  – ax ≡ 1 (mod n), so ax + yn = 1 for some integer y
  – gcd(a, n) = 1 (since gcd(a, n) | ax + yn ⇒ gcd(a, n) | 1)
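The Z_8 tables, the inverse-by-search idea, the cancellation law for addition and the permutation lemma can all be checked directly. The following Python is an added example, not from the slides; n = 8 is the slides' own example modulus and the function names are mine.

```python
from math import gcd

def add_table(n):
    """Addition table of Z_n: row a, column b holds (a + b) mod n."""
    return [[(a + b) % n for b in range(n)] for a in range(n)]

def mul_table(n):
    """Multiplication table of Z_n: row a, column b holds (a · b) mod n."""
    return [[(a * b) % n for b in range(n)] for a in range(n)]

def inverse_by_search(a, n):
    """a^{-1} mod n by scanning row a of the multiplication table for a 1 (None if absent)."""
    for x in range(1, n):
        if a * x % n == 1:
            return x
    return None

def invertible_elements(n):
    """Elements of Z_n that have a multiplicative inverse, found by search."""
    return [a for a in range(1, n) if inverse_by_search(a, n) is not None]

def reduced_residues(n):
    """The reduced set of residues {a | gcd(a, n) = 1}; by the theorem it equals invertible_elements(n)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def row_is_permutation(a, n):
    """Lemma: gcd(a, n) = 1 ⇒ a·1, a·2, …, a·(n−1) mod n is a permutation of 1, …, n−1."""
    return sorted(a * i % n for i in range(1, n)) == list(range(1, n))

def additive_cancellation_holds(n):
    """a + b ≡ a + c ⇒ b ≡ c: every row of the addition table is a permutation of Z_n."""
    return all(sorted(row) == list(range(n)) for row in add_table(n))

def demo(n=8):
    return {
        "row6_of_mul_table": mul_table(n)[6],      # [0, 6, 4, 2, 0, 6, 4, 2]: no 1, so 6 has no inverse
        "invertible": invertible_elements(n),     # [1, 3, 5, 7]
        "reduced_residues": reduced_residues(n),  # [1, 3, 5, 7], the same set
        "inverse_of_3": inverse_by_search(3, n),  # 3, since 3 · 3 = 9 ≡ 1 (mod 8)
        "inverse_of_6": inverse_by_search(6, n),  # None
        "row_of_3_is_permutation": row_is_permutation(3, n),   # True
        "row_of_6_is_permutation": row_is_permutation(6, n),   # False
        "additive_cancellation": additive_cancellation_holds(n),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The search in `inverse_by_search` is the O(n) method listed later under "Finding a^{-1} mod n"; it is only practical for toy moduli.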

Zhijun Li S1034040Autumn08HIT 29

Euler's phi Function

• Euler's "phi" function φ(n)
  – is the number of invertible elements of Z_n
  – is the number of elements in the reduced set of residues modulo n

φ(n) calculation: [table not recovered]

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

• Theorem: let n1, n2, …, nk be integers such that gcd(n_i, n_j) = 1 (i ≠ j). Then the system

  x ≡ a1 (mod n1)
  x ≡ a2 (mod n2)
  ……
  x ≡ ak (mod nk)

  has a unique solution x modulo n = n1 n2 … nk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

• Consider the one-to-one map Z_n → Z_{n1} × Z_{n2} × … × Z_{nk}
  x ↦ (x mod n1, x mod n2, …, x mod nk)
  – CRT is finding the inverse map (a1, a2, …, ak) ↦ x:
    $x = \sum_{i=1}^{k} a_i m_i y_i \bmod n$
  – m_i = n / n_i, gcd(m_i, n_i) = 1, 1 ≤ i ≤ k
  – y_i = m_i^{-1} mod n_i, 1 ≤ i ≤ k
  – m_i ≡ 0 (mod n_j) for j ≠ i ⇒ a_i m_i y_i ≡ 0 (mod n_j) for j ≠ i
  – y_j ≡ m_j^{-1} (mod n_j) ⇒ m_j y_j ≡ 1 (mod n_j) ⇒ a_j m_j y_j ≡ a_j (mod n_j)
  ⇒ x mod n_j = a_j for every j

Zhijun Li S1034040Autumn08HIT 32

Finding Euler's phi Function

• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m) φ(n)

• Proof
  – a number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – a number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – so φ(mn) = φ(m) φ(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Euler's phi Function

φ(n) calculation for $n = \prod_{i=1}^{k} p_i^{e_i}$

• φ(p) = p − 1; φ(p^e) = p^e − p^{e−1}
  – the numbers kp with gcd(kp, p^e) = p, for k = 1, …, p^{e−1} − 1
  – so φ(p^e) = (p^e − 1) − (p^{e−1} − 1)

• $\varphi\left(\prod_{i=1}^{k} p_i^{e_i}\right) = \prod_{i=1}^{k}\left(p_i^{e_i} - p_i^{e_i - 1}\right)$

• φ(n) = n (1 − 1/p1)(1 − 1/p2) … (1 − 1/pk)

Zhijun Li S1034040Autumn08HIT 34

Euler's Theorem

• Theorem: if gcd(a, n) = 1 then a^{φ(n)} ≡ 1 (mod n)

• Proof
  1. Let R = {r1, r2, …, r_{φ(n)}} be the reduced set of residues modulo n
  2. {a r1, a r2, …, a r_{φ(n)}} is a permutation of R (since gcd(a r_i, n) = 1)
  3. $\prod_{i=1}^{\varphi(n)} r_i \equiv \prod_{i=1}^{\varphi(n)} a r_i \equiv a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} r_i \pmod n$
  4. $\gcd\left(\prod_{i=1}^{\varphi(n)} r_i,\; n\right) = 1$; hence a^{φ(n)} ≡ 1 (mod n)

Zhijun Li S1034040Autumn08HIT 35

Fermat's Little Theorem

• From Euler's Theorem

  let n = p with p a prime

  since for all 0 < a < p, gcd(a, p) = 1, we get

  a^{p−1} ≡ 1 (mod p)
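An added example (not from the slides) covering the φ, CRT, Euler and Fermat slides above: φ(n) both by counting the units of Z_n and from the factorization formula, the CRT solution assembled exactly as in the proof (x = Σ a_i m_i y_i mod n with m_i = n/n_i and y_i = m_i^{-1} mod n_i), and checks of Euler's and Fermat's theorems. The CRT instance (2 mod 3, 3 mod 5, 2 mod 7) and the moduli 15, 23 and 882 are constructed inputs; `pow(m, -1, n)` is Python 3.8+'s built-in modular inverse.

```python
from math import gcd

def phi_by_counting(n):
    """φ(n) as the size of the reduced set of residues, i.e. the number of units of Z_n."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)

def phi_from_factorization(factors):
    """φ(∏ p^e) = ∏ (p^e − p^{e−1}); `factors` is {prime: exponent}."""
    result = 1
    for p, e in factors.items():
        result *= p ** e - p ** (e - 1)
    return result

def crt(residues, moduli):
    """Solve x ≡ a_i (mod n_i) for pairwise coprime n_i with the proof's construction."""
    n = 1
    for ni in moduli:
        n *= ni
    x = 0
    for ai, ni in zip(residues, moduli):
        mi = n // ni                  # m_i = n / n_i, coprime to n_i
        yi = pow(mi, -1, ni)          # y_i = m_i^{-1} mod n_i (exists since gcd(m_i, n_i) = 1)
        x += ai * mi * yi             # vanishes mod n_j (j ≠ i), equals a_i mod n_i
    return x % n

def euler_theorem_holds(n):
    """a^{φ(n)} ≡ 1 (mod n) for every a with gcd(a, n) = 1."""
    ph = phi_by_counting(n)
    return all(pow(a, ph, n) == 1 for a in range(1, n) if gcd(a, n) == 1)

def fermat_holds(p):
    """Fermat: a^{p−1} ≡ 1 (mod p) for all 0 < a < p. Fails for most composites."""
    return all(pow(a, p - 1, p) == 1 for a in range(1, p))

def demo():
    return {
        "phi_882_formula": phi_from_factorization({2: 1, 3: 2, 7: 2}),   # 1 · 6 · 42 = 252
        "phi_882_counted": phi_by_counting(882),                         # 252
        "multiplicative": phi_by_counting(9 * 10)
                          == phi_by_counting(9) * phi_by_counting(10),   # gcd(9, 10) = 1
        "crt_solution": crt([2, 3, 2], [3, 5, 7]),                       # 23
        "euler_15": euler_theorem_holds(15),                             # True
        "fermat_23": fermat_holds(23),                                   # True (prime)
        "fermat_15": fermat_holds(15),                                   # False (composite)
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

For the CRT instance, n = 105, (m_1, m_2, m_3) = (35, 21, 15) and (y_1, y_2, y_3) = (2, 1, 1), so x = 2·35·2 + 3·21·1 + 2·15·1 = 233 ≡ 23 (mod 105).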

Zhijun Li S1034040Autumn08HIT 36

Finding a^{-1} mod n

• Search through 1, …, n − 1 until an a^{-1} is found such that a · a^{-1} ≡ 1 (mod n)
  – T(n) = O(n)

• Compute a^{-1} = a^{φ(n) − 1} mod n
  – finding φ(n) requires factoring n
  – T(n) = O(n^a)

• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)

Zhijun Li S1034040Autumn08HIT 37

From the Euclidean Algorithm

• r0 = 1·r0 + 0·r1 = s0 r0 + t0 r1
• r1 = 0·r0 + 1·r1 = s1 r0 + t1 r1
• r2 = r0 − q1 r1 = s2 r0 + t2 r1
• r3 = r1 − q2 r2 = r1 − q2 (r0 − q1 r1) = s3 r0 + t3 r1
  ……
• r_{n−1} = s_{n−1} r0 + t_{n−1} r1

• r_{n−1} = gcd(r0, r1)
• s_{n−1} r0 + t_{n−1} r1 = 1 ⇒ t_{n−1} r1 ≡ 1 (mod r0) ⇒ t_{n−1} ≡ r1^{-1} (mod r0)

• Find t_{n−1}

Zhijun Li S1034040Autumn08HIT 38

s_i and t_i

• r0 = s0 r0 + t0 r1: s0 = 1, t0 = 0
• r1 = s1 r0 + t1 r1: s1 = 0, t1 = 1
  ……
• r_i = r_{i−2} − q_{i−1} r_{i−1} = s_{i−2} r0 + t_{i−2} r1 − q_{i−1} s_{i−1} r0 − q_{i−1} t_{i−1} r1 = s_i r0 + t_i r1

  s_i = s_{i−2} − q_{i−1} s_{i−1}
  t_i = t_{i−2} − q_{i−1} t_{i−1}

• Only t_i is needed
• r_i = s_i r0 + t_i r1 ≡ t_i r1 (mod r0)

Zhijun Li S1034040Autumn08HIT 39

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a

Step 2: r0 = q1 r1 + r2 ⇒ r2 = r0 − q1 r1 ≡ −q1 r1 (mod n); let x2 = −q1, then r2 ≡ x2 r1 (mod n)
        r1 = q2 r2 + r3 ⇒ r3 = r1 − q2 r2 ≡ (1 − x2 q2) r1 (mod n); let x3 = 1 − x2 q2, then r3 ≡ x3 r1 (mod n)
        ……
        r_{n−3} = q_{n−2} r_{n−2} + r_{n−1} ⇒ r_{n−1} = r_{n−3} − q_{n−2} r_{n−2} (mod n); let x_{n−1} = x_{n−3} − x_{n−2} q_{n−2}, then r_{n−1} ≡ x_{n−1} r1 (mod n). Now r_{n−1} = 1

Step 3: the result is x_{n−1} = a^{-1} mod n (since x_{n−1} · a ≡ r_{n−1} = 1 (mod n))

Zhijun Li S1034040Autumn08HIT 40

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 41

Algebraic Structures

• Why structures?
  – Cryptographic transforms normally live in some algebraic structure

• Definition: an algebraic structure is the collection of a set (S) with one or more operations (∘) performed on the elements of S
  – The different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions

Zhijun Li S1034040Autumn08HIT 42

Group

• Definition: a group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S: a∘b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S: (a∘b)∘c = a∘(b∘c)
  – G3: ∃e ∈ S, ∀a ∈ S: a∘e = e∘a = a
  – G4: ∀a ∈ S, ∃a^{-1} ∈ S: a∘a^{-1} = a^{-1}∘a = e
  – [G5, Abelian group]: ∀a, b: a∘b = b∘a

Zhijun Li S1034040Autumn08HIT 43

Group Example

• ⟨Z, +⟩: e = 0, a^{-1} = −a

• ⟨Z_n, +⟩ (Z_n = {0, 1, …, n − 1}, '+' is addition modulo n): e = 0, a^{-1} = n − a

• ⟨Z_2, +⟩ is also a group

• ⟨Z_p^*, ×⟩ (Z_p^* = {1, …, p − 1}, '×' is multiplication modulo p)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

• Definition: the order of a finite group is the number of elements in the group

• Definition: a group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S

• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange's Theorem: Proof

(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H

(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅

(3) Each element of G is in some coset (a ∈ aH, since e ∈ H), so the cosets form a partition of G

(4) The order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of a Group Element

• Definition: the order of a group element a is the least positive integer n such that

  a^n = a ∘ a ∘ … ∘ a (n times) = e

• The order of a is denoted ord(a)

• Corollary: suppose G is a finite group of order n and a ∈ G; then ord(a) | n

Zhijun Li S1034040Autumn08HIT 47

ord(a) | n: Proof

• Proof
  – for a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operation of G forms a subgroup of G:
    a^{ord(a)} = e, (a^i)^{-1} = a^{ord(a) − i}
  – this subgroup is denoted ⟨a⟩; it has ord(a) elements, so ord(a) divides |G| by Lagrange's Theorem

Zhijun Li S1034040Autumn08HIT 48

The Generator of a Group

• Definition: if all elements of a group can be generated by a single element g, then g is called a generator of the group

• Example
  – consider ⟨Z_7^*, ×⟩
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), …
    • ⟨{1, 2, 4}⟩ is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator
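Element orders, cyclic subgroups, generators and the corollary ord(a) | |G| for Z_n^*, as an added example that is not from the slides. It reproduces the Z_7^* example (2 generates {1, 2, 4}; 3 is a generator) and goes one step further with a non-cyclic case, Z_15^*, which has no generator at all; the modulus 15 is a constructed input and the function names are mine.

```python
from math import gcd

def mult_group(n):
    """Z_n^* = {a ∈ Z_n | gcd(a, n) = 1}, a group under multiplication mod n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def order(a, n):
    """ord(a): the least k > 0 with a^k ≡ 1 (mod n). Requires n ≥ 2 and gcd(a, n) = 1."""
    if n < 2 or gcd(a, n) != 1:
        raise ValueError(f"{a} is not an element of Z_{n}^*")
    k, x = 1, a % n
    while x != 1:
        x = x * a % n
        k += 1
    return k

def generated_subgroup(a, n):
    """⟨a⟩ = {a, a^2, …, a^{ord(a)}}, the cyclic subgroup generated by a."""
    return sorted(pow(a, i, n) for i in range(1, order(a, n) + 1))

def generators(n):
    """Elements whose order equals |Z_n^*|; empty when the group is not cyclic."""
    G = mult_group(n)
    return [a for a in G if order(a, n) == len(G)]

def lagrange_holds(n):
    """Corollary of Lagrange: ord(a) divides |G| for every a ∈ G."""
    G = mult_group(n)
    return all(len(G) % order(a, n) == 0 for a in G)

def demo():
    return {
        "ord_2_mod_7": order(2, 7),                          # 3
        "subgroup_of_2_mod_7": generated_subgroup(2, 7),    # [1, 2, 4]
        "ord_3_mod_7": order(3, 7),                          # 6 = |Z_7^*|
        "generators_mod_7": generators(7),                   # [3, 5]
        "generators_mod_15": generators(15),                 # []: Z_15^* is not cyclic
        "orders_mod_15": sorted({order(a, 15) for a in mult_group(15)}),   # [1, 2, 4], all divide 8
        "lagrange_7_and_15": lagrange_holds(7) and lagrange_holds(15),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

For a prime p the group Z_p^* is always cyclic with φ(p − 1) generators, which is why Diffie-Hellman style constructions on the later "Problems in Cryptography" slide work in Z_p^*; for a composite modulus such as 15 there may be no generator, so the subgroup structure has to be checked rather than assumed.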

Zhijun Li S1034040Autumn08HIT 49

Ring

• Definition: a ring R = ⟨S, +, ×⟩ (+ is addition, × is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a × b ∈ S (closure rule)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a × b) × c = a × (b × c)
  – R4: ∀a, b, c ∈ S: a × (b + c) = a × b + a × c

• Example
  – the set of even integers with + and × is a ring
  – p, q two primes, n = pq: Z_n = {0, 1, …, n − 1} with addition and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

• Definition: a field F is ⟨S, +, ×⟩ with
  – F1: ⟨S, +, ×⟩ is a commutative ring (ab = ba)
  – F2: there is an identity element 1 with respect to multiplication: a × 1 = 1 × a = a
  – F3: any nonzero element a ∈ S has a unique inverse a^{-1}: a × a^{-1} = a^{-1} × a = 1

• Example
  – Z_n = ⟨{0, 1, …, n − 1}, +, ×⟩ is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Relationship

[Figure: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷); all three are used in cryptography]

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

• Z_n

• Z_n^*

• Z_p

• Polynomial rings

• Galois field F_{2^n}

Zhijun Li S1034040Autumn08HIT 53

Z_n

• Z_n is the "ring" of integers modulo n
  – Z_n = {0, 1, 2, …, n − 1}
  – normal addition modulo n
  – normal multiplication modulo n

• Example
  – Z_26 for English letters
  – Z_256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Z_n Properties

• Additive and multiplicative identities in Z_n
  – the additive identity is 0 mod n
  – the multiplicative identity is 1 mod n

• Additive inverse: yes
  – for every x in Z_n there is a y such that x + y = 0

• Multiplicative inverse: not for all x
  – a y such that xy = 1 exists only for some x in Z_n
  – the elements of Z_n that have an inverse are {x | gcd(x, n) = 1}

Zhijun Li S1034040Autumn08HIT 55

Z_n^*

• Z_n^* is a "group" of integers modulo n
  – Z_n^* = {x | gcd(x, n) = 1}
  – |Z_n^*| = φ(n)
  – normal multiplication modulo n

• Z_n^* may not be a group over +
  – Example: n = 20: 3, 5 ∈ Z_n^* but 3 + 5 = 8 ∉ Z_n^*

• So Z_n^* may not be a field

Zhijun Li S1034040Autumn08HIT 56

Z_p

• Z_p is the "field" of integers modulo a prime p
  – Z_p = {0, 1, 2, …, p − 1}
  – normal addition modulo p
  – normal multiplication modulo p

• Example: Z_2

  +  | 0  1        ×  | 0  1        w | −w | w^{-1}
  0  | 0  1        0  | 0  0        0 |  0 |  –
  1  | 1  0        1  | 0  1        1 |  1 |  1

  (+ is XOR)      (× is AND)

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n−1} x^{n−1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0

• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

• Example: let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z_2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x) g(x) = x^5 + x^4 + x^3 + x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

• Definition: the set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R

• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) − b(x))

• Example
  – in Z_5[x]: 3x^3 + 4x + 4 ≡ x + 4 (mod x^2 + 1)
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)

• Definition: if a(x) b(x) ≡ 1 (mod p(x)) then b(x) = a^{-1}(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

• Definition: if a(x) = q(x) b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)

• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 1 ≤ deg b(x) < deg a(x) and b(x) | a(x)

Zhijun Li S1034040Autumn08HIT 62

Example: Z_2[x] / (x^3 + x + 1)

• S = {0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1}
• p(x) = x^3 + x + 1

• For any f(x) ∈ Z_2[x]: f(x) mod p(x) ∈ S

• Example
  – x^4 + 1 = x · x^3 + 1 ≡ x(x + 1) + 1 = x^2 + x + 1 (mod p(x))

• Note: when p(x) is irreducible, R[x]/p(x) is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Zhijun Li S1034040Autumn08HIT 63

Z_2[x] / (x^3 + x + 1): Properties

• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0

• S \ {0} is a group over multiplication mod p(x)
  – 1 is e, and the inverse of every nonzero a ∈ S exists
  – Example: (x^2 + 1) · x = x^3 + x ≡ (x + 1) + x = 1 (mod x^3 + x + 1)
  – Note: the Extended Euclidean Algorithm can be used to find inverses

• Z_2[x] / (x^3 + x + 1) is a field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

• Definition: Galois field = (S, +, ×)
  – S = F[x]/p(x)
  – F is the field Z_N (N prime)
  – + is addition in F; × is multiplication modulo p(x)
  – p(x) is irreducible

• The Galois field over Z_N[x]/p(x) is denoted GF(N^n), where n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Fields?

• For an 8-bit block
  – Z_256 = {0, 1, …, 255} is not a field
  – Z_251 = {0, 1, …, 250} is a field
    • the largest prime < 256 is 251
    • 251, …, 255 are wasted

• Is it possible to find a field for all 256 values?
  – Yes: a Galois field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for 8-bit Blocks

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block

  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z_2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example: AES

AES uses GF(2^8) = Z_2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^{-1} ↔ (x^6 + x^4 + x + 1)^{-1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Zhijun Li S1034040Autumn08HIT 68

Galois Field Example: AES

• Example: 02 · 87
  – 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  – 02 = 00000010 ↔ x
  – 02 · 87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)

• In bits, multiplying a byte (b7 b6 b5 b4 b3 b2 b1 b0) by 02 is

  x·f(x) = (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
  x·f(x) = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)     if b7 = 1
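Polynomial arithmetic over Z_2 and in GF(2^n) with a bit-vector representation (bit i is the coefficient of x^i), as an added example that is not from the slides and not from any AES implementation. It reproduces the computations of the preceding slides: f + g and f · g in Z_2[x], x^4 + 1 mod x^3 + x + 1, the inverse of x^2 + 1, the AES inverse of 53 (CA), 02 · 87, and the bit rule for multiplication by 02, and adds an irreducibility check by trial division. The function names and the extra input x^3 + 1 are mine.

```python
def poly_mul_z2(a, b):
    """Carry-less product of two polynomials over Z_2 (integers as bit vectors), no reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_mod_z2(a, p):
    """a(x) mod p(x) over Z_2 by long division: cancel the leading term while deg a >= deg p."""
    dp = p.bit_length() - 1
    while a and a.bit_length() - 1 >= dp:
        a ^= p << (a.bit_length() - 1 - dp)
    return a

def gf_mul(a, b, p):
    """a · b in GF(2^n) = Z_2[x]/(p(x)), with p including its x^n term (e.g. 0x11B for AES).
    Reduces after every shift, so intermediate values stay below 2^(n+1)."""
    n = p.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= p
    return r

def gf_inv(a, p):
    """a^{-1} in GF(2^n) as a^(2^n − 2) by square-and-multiply (a^(2^n − 1) = 1 for a ≠ 0)."""
    n = p.bit_length() - 1
    e = (1 << n) - 2
    result, base = 1, a
    while e:
        if e & 1:
            result = gf_mul(result, base, p)
        base = gf_mul(base, base, p)
        e >>= 1
    return result

def is_irreducible_z2(p):
    """p(x) is irreducible over Z_2 iff no polynomial of degree 1 .. deg(p)/2 divides it."""
    dp = p.bit_length() - 1
    return all(poly_mod_z2(p, d) != 0 for d in range(2, 1 << (dp // 2 + 1)))

def xtime(b):
    """Multiply a byte by x (02) in AES's GF(2^8): shift left, XOR 00011011 if b7 was set."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

AES_P = 0x11B      # x^8 + x^4 + x^3 + x + 1
P3 = 0b1011        # x^3 + x + 1, the slides' 3-bit example

def demo():
    return {
        "f_plus_g": 0b1011 ^ 0b0110,                   # (x^3+x+1) + (x^2+x) = x^3+x^2+1 = 0b1101
        "f_times_g": poly_mul_z2(0b1011, 0b0110),      # x^5+x^4+x^3+x = 0b111010
        "x4_plus_1_mod_p3": poly_mod_z2(0b10001, P3),  # x^2+x+1 = 0b111
        "inverse_of_x2_plus_1": gf_inv(0b101, P3),     # x = 0b10, since (x^2+1)·x ≡ 1
        "aes_inverse_of_53": gf_inv(0x53, AES_P),      # 0xCA = 11001010
        "aes_02_times_87": gf_mul(0x02, 0x87, AES_P),  # 0x15, and xtime(0x87) agrees
        "xtime_87": xtime(0x87),
        "p3_irreducible": is_irreducible_z2(P3),       # True
        "aes_p_irreducible": is_irreducible_z2(AES_P), # True
        "x3_plus_1_irreducible": is_irreducible_z2(0b1001),   # False: (x+1)(x^2+x+1)
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, hex(value) if isinstance(value, int) else value)
```

Irreducibility of p(x) is what makes every nonzero element invertible (the field property); with a reducible p(x), for example x^3 + 1, the factor x + 1 has no inverse and gf_inv would return a wrong value silently, which is why the check belongs next to the arithmetic.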

Zhijun Li S1034040Autumn08HIT 69

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | m_i ∈ M}
  – M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, $\sum_{i=1}^{N} p(a_i) = 1$

• K = B^R = {b = (b1, b2, …, bR) | b_i ∈ B}
  – B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, $\sum_{i=1}^{S} p(b_i) = 1$

• C = {c | c = e_k(m), k ∈ K, m ∈ M}

[Figure: Sender → Encryption (m → c) → Decryption → Receiver (m); the key k from the Key Space (K) reaches both sides over a Secure Channel; Cryptanalysis observes c; Message Space (P), Ciphertext Space (C)]

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."

— R. G. Gallager

Claude Shannon, 1916–2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\; c \in C(k)} \Pr[K = k]\,\Pr[\mathbf{m} = d_k(c)]$
  – C(k) = {e_k(m) | m ∈ P}

• $\Pr[C = c \mid P = m] = \sum_{k \in K,\; m = d_k(c)} \Pr[K = k]$

• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m]\,\Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m) \sum_{k:\; m = d_k(c)} \Pr(k)}{\sum_{k \in K,\; c \in C(k)} \Pr(k)\,\Pr(d_k(c))}$

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 p2^e2 … pk^ek)
• DLP: Find x satisfying α^x ≡ β (mod p)
• DHP: Find α^(ab) (mod p) from α^a (mod p) and α^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish a ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game
  – Challenger: picks random k and random b ∈ {0,1}
  – Adversary: picks M0, M1 of equal length
  – Challenger: returns the encryption of Mb under k
  – Adversary: outputs a guess b'
  – Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game
  – Challenger: 1. picks random k; 2. picks random M; sends the encryption of M under k
  – Adversary: 3. picks a position i and outputs a guess a
  – Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
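
The two games and the reduction above, written out as an added Python example that is not part of the lecture. The toy ciphers, the adversary and all function names are constructed here for illustration; the "leaky" cipher is deliberately broken (it leaves plaintext bit 0 in the clear) so that a bit-guessing adversary exists for the reduction to convert, and a one-time pad is run alongside as the secure reference.

```python
# Added example (not from the lecture slides): the IND-CPA game of slide 95,
# the bit-security game of slide 96 and the reduction of slide 97. All names and
# the toy ciphers are constructed for illustration; the "leaky" cipher copies
# plaintext bit 0 into the ciphertext, so a bit-guessing adversary exists for it,
# while the one-time pad is run alongside as the secure reference.
import random

N_BITS = 8
MASK = (1 << N_BITS) - 1

def leaky_encrypt(key, msg):
    """Constructed weak cipher: XOR with the key, but bit 0 of M is left in clear."""
    return ((msg ^ key) & ~1) | (msg & 1)

def otp_encrypt(key, msg):
    """One-time pad on N_BITS-bit blocks; every game run draws a fresh key."""
    return msg ^ key

def bit_game(encrypt, adversary, rng):
    """Slide 96: the challenger picks random k and M and sends C = E_k(M); the
    adversary returns (i, a) and wins iff a equals the i'th bit of M."""
    key, msg = rng.getrandbits(N_BITS), rng.getrandbits(N_BITS)
    i, guess = adversary(encrypt(key, msg))
    return guess == (msg >> i) & 1

def ind_cpa_game(encrypt, adversary, rng):
    """Slide 95: the challenger picks random k and b; the adversary supplies
    (M0, M1) and a continuation that maps C = E_k(Mb) to b'; it wins iff b' = b."""
    key, b = rng.getrandbits(N_BITS), rng.getrandbits(1)
    m0, m1, finish = adversary()
    return finish(encrypt(key, m1 if b else m0)) == b

def lowest_bit_guesser(ciphertext):
    """Bit-security adversary against the leaky cipher: bit 0 of C is bit 0 of M."""
    return 0, ciphertext & 1

def reduction(bit_adversary, seed=2):
    """Slide 97: turn a bit-security adversary into an IND-CPA adversary.
    M0 is random and M1 is its complement, so Mb is uniform (as in the bit game)
    and the two candidates differ in every bit; b' is 0 exactly when the guess
    for bit i agrees with M0, so the IND-CPA win rate equals the bit-game win rate."""
    rng = random.Random(seed)

    def adversary():
        m0 = rng.getrandbits(N_BITS)
        m1 = m0 ^ MASK

        def finish(ciphertext):
            i, guess = bit_adversary(ciphertext)
            return 0 if guess == (m0 >> i) & 1 else 1
        return m0, m1, finish
    return adversary

def win_rate(game, encrypt, adversary, trials, seed=1):
    """Fraction of games won over `trials` seeded runs (0.5 means no advantage)."""
    rng = random.Random(seed)
    wins = sum(game(encrypt, adversary, rng) for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    for name, enc in (("leaky", leaky_encrypt), ("otp", otp_encrypt)):
        print(name, "bit game:", win_rate(bit_game, enc, lowest_bit_guesser, 2000),
              "IND-CPA via reduction:",
              win_rate(ind_cpa_game, enc, reduction(lowest_bit_guesser), 2000))
```

For the leaky cipher both win rates are 1.0, for the one-time pad both stay near 0.5, which is the (t, ε) to (t, ε) correspondence the proof sketch claims.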

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:

Euclidean Algorithm Example

GCD(1970, 1066):

1970 = 1 × 1066 + 904    gcd(1066, 904)
1066 = 1 × 904 + 162     gcd(904, 162)
904 = 5 × 162 + 94       gcd(162, 94)
162 = 1 × 94 + 68        gcd(94, 68)
94 = 1 × 68 + 26         gcd(68, 26)
68 = 2 × 26 + 16         gcd(26, 16)
26 = 1 × 16 + 10         gcd(16, 10)
16 = 1 × 10 + 6          gcd(10, 6)
10 = 1 × 6 + 4           gcd(6, 4)
6 = 1 × 4 + 2            gcd(4, 2)
4 = 2 × 2 + 0            gcd(2, 0)

So gcd(1970, 1066) = 2, the last non-zero remainder.

Euclidean Algorithm

• Step 1: r_0 = a and r_1 = b
• Step 2: r_0 = q_1 r_1 + r_2
          r_1 = q_2 r_2 + r_3
          ……
          r_{n-2} = q_{n-1} r_{n-1} + r_n
  until r_n = 0 and r_{n-1} ≠ 0
• Step 3: r_{n-1} = gcd(a, b)

Euclidean Algorithm Proof

• r_n = 0 ⇒ r_{n-1} | r_{n-2} ⇒ r_{n-1} | r_{n-3} ⇒ … ⇒ r_{n-1} | a and r_{n-1} | b ⇒ r_{n-1} | gcd(a, b)
• gcd(a, b) | r_0 and gcd(a, b) | r_1 ⇒ gcd(a, b) | r_0 − q_1 r_1 ⇒ gcd(a, b) | r_2 ⇒ … ⇒ gcd(a, b) | r_{n-1}
• r_{n-1} | gcd(a, b) and gcd(a, b) | r_{n-1} ⇒ gcd(a, b) = r_{n-1}

Euclidean Algorithm Complexity

• Time complexity
  – Iterations
    • Each r_i > 1; the number of iterations is O(log_2 a)
  – Division
    • O(log_2^2 a) per division
  – T(n) = O(log_2^3 n)

Modular Arithmetic

• Why modular arithmetic?
  – Plaintext: n-bit blocks such as 01100…0100, i.e. 2^n possible values
  – Ciphertext: n-bit blocks such as 11010…0111, i.e. 2^n possible values
  – Operations needed: + (addition), × (multiplication)
• Problems: 1. the set of plaintexts (and ciphertexts) is finite; 2. how to define the +, −, × operations on a finite set?

Modular Operation

• Definition: a mod n (modulo operator) is the remainder when a is divided by n
• a mod n is r ⇔ a = qn + r (0 ≤ r < n)

Congruence Modulo n

• Definition: Integers a and b are congruent modulo n
  – if a mod n = b mod n
  – Denoted as a ≡ b mod n
  – Example: 100 ≡ 34 mod 11
  – a ≡ b mod n ⇔ a = b + kn ⇔ n | (a − b)

Congruence Properties

• Properties
  – a ≡ b (mod n), c ≡ d (mod n) ⇒ a + c ≡ b + d (mod n) and ac ≡ bd (mod n)
  – Example: 10 ≡ 1 mod 9, 10^2 ≡ 1 mod 9, … so a = a_m 10^m + … + a_1 10 + a_0 ≡ a_m + … + a_1 + a_0 mod 9
  – a ≡ b (mod n), d | n ⇒ a ≡ b (mod d)

Congruence Relation

• The congruence relation is an equivalence relation
  – Reflexive: a ≡ a
  – Symmetric: a ≡ b ⇒ b ≡ a
  – Transitive: a ≡ b, b ≡ c ⇒ a ≡ c
• Equivalence relation ⇒ Partition

Example: Integers Modulo 7

• Integers can always be written a = qn + r (0 ≤ r ≤ n − 1)
• [Figure: the integers −21, −20, …, 34 grouped by congruence class modulo 7; Z7 is the set of residues modulo 7]

Set of Residues

• Definition: if a ≡ b mod n and b < n, b is called a residue of a modulo n
• The complete set of residues modulo n
  – The set {r1, r2, …, rn} such that for every integer b exactly one ri in the set satisfies b ≡ ri mod n
• The reduced set of residues (RSR)
  – A subset of the complete set of residues in which each element is relatively prime to n

Set of Residues Example

• N = 10
  – The complete set of residues is {0, 1, 2, …, 9}
  – The reduced set of residues is {1, 3, 7, 9}
• N = p (p is a prime)
  – The complete set of residues is {0, 1, 2, …, p − 1}
  – The reduced set of residues is {1, 2, …, p − 1}

Modular Arithmetic

• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n − 1}
• Under normal arithmetic (+, ×)
  – [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • Proof: Let a = q1 n + r1, b = q2 n + r2
    • (a + b) mod n = (q1 n + r1 + q2 n + r2) mod n = (r1 + r2) mod n
  – [(a mod n) × (b mod n)] mod n = (ab) mod n
• From (+, ×) to (−, ÷)?

Modular Arithmetic Example

• (Z8 = {0, 1, 2, …, 7}, +)
• [Table: the addition table of Z8, not reproduced in the transcript]
• What do you notice?

Modular Arithmetic Example

• (Z8 = {0, 1, 2, …, 7}, ×)
• [Table: the multiplication table of Z8, not reproduced in the transcript]
• NOT all elements in Z8 have a multiplicative inverse

Modular Arithmetic Remark

• Additive inverse always exists
  – (a + (−a)) ≡ 0 mod n, −a = n − a
  – if (a + b) ≡ (a + c) mod n then b ≡ c mod n
    • ((−a) + a + b) ≡ ((−a) + a + c) mod n
• Multiplicative inverse does NOT always exist
  – Example: 6 in Z8
  – When does it exist?

Multiplicative Inverse in Modular Arithmetic

• Definition: a^{-1} mod n is the multiplicative inverse of a ∈ {1, 2, …, n − 1} when a·x ≡ 1 mod n
• Theorem: a^{-1} mod n exists if and only if gcd(a, n) = 1
• Lemma: If gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
  – Proof: assume a·i ≡ a·j mod n ⇒ n | a(i − j) ⇒ n | (i − j) ⇒ i − j = 0

Multiplicative Inverse Theorem

• Proof (⇐)
  – gcd(a, n) = 1 ⇒ a·{1, …, n − 1} mod n is a permutation of {1, …, n − 1}
  – So there exists exactly one i with a·i ≡ 1 mod n
  – Therefore i is a^{-1} mod n
• Proof (⇒)
  – Suppose a^{-1} exists; call it x
  – ax ≡ 1 (mod n) ⇒ ax + yn = 1 for some integer y
  – gcd(a, n) = 1 (since gcd(a, n) | ax + yn ⇒ gcd(a, n) | 1)

Euler's phi Function

• Euler's "phi" function φ(n)
  – Is the number of invertible elements of Zn
  – Is the number of elements in the reduced set of residues modulo n
• How to calculate φ(n)?

Chinese Remainder Theorem

• Theorem: let n1, n2, …, nk be integers s.t. gcd(ni, nj) = 1 (i ≠ j). Then the system
    x ≡ a1 mod n1
    x ≡ a2 mod n2
    ……
    x ≡ ak mod nk
  has a unique solution x modulo n = n1 n2 … nk

Proof of CRT

• Consider the one-to-one map Zn → Zn1 × Zn2 × … × Znk, x ↦ (x mod n1, x mod n2, …, x mod nk)
  – CRT is finding the inverse of this map at (a1, a2, …, ak)
• Inverse: (a1, a2, …, ak) ↦ Σ_{i=1}^{k} ai mi yi mod n
  – mi = n / ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
  – yi = mi^{-1} mod ni, 1 ≤ i ≤ k
  – mi ≡ 0 mod nj for j ≠ i ⇒ ai mi yi ≡ 0 mod nj for j ≠ i
  – yj = mj^{-1} mod nj ⇒ mj yj ≡ 1 mod nj ⇒ aj mj yj ≡ aj mod nj
  – Hence (Σ_{i=1}^{k} ai mi yi) mod nj = aj

Finding Euler's phi Function

• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)φ(n)
• Proof
  – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – So φ(mn) = φ(m)φ(n)

Finding Euler's phi Function

• φ(n) calculation for n = Π_{i=1}^{k} pi^{ei}
  – φ(p) = p − 1; φ(p^e) = p^e − p^{e−1}
    • The numbers kp with k = 1, …, p^{e−1} − 1 have gcd(kp, p^e) ≥ p, so they are not coprime to p^e
    • So φ(p^e) = (p^e − 1) − (p^{e−1} − 1)
  – φ(Π_{i=1}^{k} pi^{ei}) = Π_{i=1}^{k} (pi^{ei} − pi^{ei−1})
  – φ(n) = n (1 − 1/p1)(1 − 1/p2) … (1 − 1/pk)

Euler's Theorem

• Theorem: If gcd(a, n) = 1 then a^{φ(n)} ≡ 1 mod n
• Proof:
  1. Let R = {r1, r2, …, r_{φ(n)}} be the reduced set of residues modulo n
  2. {a r1, a r2, …, a r_{φ(n)}} is a permutation of R (gcd(a ri, n) = 1)
  3. Π_{i=1}^{φ(n)} ri ≡ Π_{i=1}^{φ(n)} a ri ≡ a^{φ(n)} Π_{i=1}^{φ(n)} ri mod n
  4. gcd(Π_{i=1}^{φ(n)} ri, n) = 1. Hence a^{φ(n)} ≡ 1 mod n

Fermat's Little Theorem

• From Euler's Theorem: let n = p with p a prime. Because gcd(a, p) = 1 for all 0 < a < p,
    a^{p−1} ≡ 1 mod p
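
The CRT reconstruction formula, the φ(n) product formula and Euler's theorem from the slides above, carried through as an added Python example (not code from the lecture). Function names are mine; `pow(m, -1, n)` is Python 3.8+'s built-in modular inverse, used here so the block stays focused on the CRT and φ(n) steps themselves.

```python
# Added example (not from the lecture slides): the CRT reconstruction of slide 31,
# phi(n) from the factorization formula of slide 33, a check of Euler's and
# Fermat's theorems (slides 34-35) and of the CRT argument behind
# phi(mn) = phi(m) phi(n) (slide 32). All function names are constructed here.
from math import gcd, prod

def crt(residues, moduli):
    """Solve x ≡ a_i (mod n_i) for pairwise coprime n_i, as on slide 31:
    x = sum(a_i * m_i * y_i) mod n with m_i = n / n_i and y_i = m_i^-1 mod n_i."""
    n = prod(moduli)
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i
        y_i = pow(m_i, -1, n_i)       # ex­ists because gcd(m_i, n_i) = 1
        x += a_i * m_i * y_i
    return x % n

def factorize(n):
    """Trial-division factorization n = prod p_i^e_i, returned as {p_i: e_i}."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def phi(n):
    """Euler's phi via phi(p^e) = p^e - p^(e-1) and multiplicativity (slide 33)."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result

def phi_by_counting(n):
    """phi(n) as the size of the reduced set of residues (slide 29), for cross-checking."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)

def euler_theorem_holds(n):
    """True iff a^phi(n) ≡ 1 (mod n) for every a coprime to n (slide 34);
    for prime n this is Fermat's little theorem (slide 35)."""
    ph = phi(n)
    return all(pow(a, ph, n) == 1 for a in range(1, n) if gcd(a, n) == 1)

def units_map_to_unit_pairs(m, n):
    """The CRT bijection x -> (x mod m, x mod n) sends the units of Z_mn exactly
    onto pairs of units (the slide 32 proof); True if that holds for coprime m, n."""
    for x in range(m * n):
        unit = gcd(x, m * n) == 1
        pair_unit = gcd(x % m, m) == 1 and gcd(x % n, n) == 1
        if unit != pair_unit:
            return False
    return True

if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))          # 23: x ≡ 2 mod 3, 3 mod 5, 2 mod 7
    print(phi(10), phi(7), phi(2 ** 8))        # 4, 6, 128
    print(euler_theorem_holds(10), euler_theorem_holds(7), units_map_to_unit_pairs(4, 9))
```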

Finding a^{-1} mod n

• Search through 1, …, n − 1 until an a^{-1} is found such that a·a^{-1} ≡ 1 (mod n)
  – T(n) = O(n)
• Compute a^{-1} = a^{φ(n)−1} mod n
  – Finding φ(n) requires factoring n
  – T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)

From the Euclidean Algorithm

• r_0 = 1·r_0 + 0·r_1 = s_0 r_0 + t_0 r_1
• r_1 = 0·r_0 + 1·r_1 = s_1 r_0 + t_1 r_1
• r_2 = r_0 − q_1 r_1 = s_2 r_0 + t_2 r_1
• r_3 = r_1 − q_2 r_2 = r_1 − q_2 (r_0 − q_1 r_1) = s_3 r_0 + t_3 r_1
  ……
• r_{n−1} = s_{n−1} r_0 + t_{n−1} r_1
• r_{n−1} = gcd(r_0, r_1)
• If s_{n−1} r_0 + t_{n−1} r_1 = 1, then t_{n−1} r_1 ≡ 1 mod r_0, so t_{n−1} = r_1^{-1} mod r_0
• Find t_{n−1}

s_i and t_i

• r_0 = s_0 r_0 + t_0 r_1, with s_0 = 1, t_0 = 0
• r_1 = s_1 r_0 + t_1 r_1, with s_1 = 0, t_1 = 1
  ……
• r_i = r_{i−2} − q_{i−1} r_{i−1} = s_{i−2} r_0 + t_{i−2} r_1 − q_{i−1} s_{i−1} r_0 − q_{i−1} t_{i−1} r_1 = s_i r_0 + t_i r_1
    s_i = s_{i−2} − q_{i−1} s_{i−1}
    t_i = t_{i−2} − q_{i−1} t_{i−1}
• Only t_i is needed
• r_i = s_i r_0 + t_i r_1 ≡ t_i r_1 mod r_0

Extended Euclidean Algorithm

Step 1: r_0 = n and r_1 = a
Step 2: r_0 = q_1 r_1 + r_2 ⇒ r_2 = r_0 − q_1 r_1 ≡ −q_1 r_1 mod n; let x_2 = −q_1, then r_2 ≡ x_2 r_1 mod n
        r_1 = q_2 r_2 + r_3 ⇒ r_3 = r_1 − q_2 r_2 ≡ (1 − x_2 q_2) r_1 mod n; let x_3 = 1 − x_2 q_2, then r_3 ≡ x_3 r_1 mod n
        ……
        r_{n−3} = q_{n−2} r_{n−2} + r_{n−1} ⇒ r_{n−1} = r_{n−3} − q_{n−2} r_{n−2} mod n; let x_{n−1} = x_{n−3} − x_{n−2} q_{n−2}, then r_{n−1} ≡ x_{n−1} r_1 mod n. Now r_{n−1} = 1
Step 3: Result is x_{n−1} = a^{-1} mod n
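
The Euclidean algorithm of the earlier slides and its extended form above, as an added Python example that is not from the lecture: the remainder steps reproduce the gcd(1970, 1066) table, the s_i/t_i recurrences are carried alongside the remainders, and the three ways of finding a^{-1} mod n listed on the "Finding a^{-1} mod n" slide are compared on the same inputs. Function names are mine.

```python
# Added example (not from the lecture slides): the Euclidean algorithm of the
# gcd slides and the extended version with the s_i, t_i recurrences; the three
# inverse-finding methods of the "Finding a^-1 mod n" slide are compared.
# All function names are constructed here.

def euclid_steps(a, b):
    """Rows (r_{i-1}, q_i, r_i, r_{i+1}) of the division chain, e.g. the
    first row for (1970, 1066) is (1970, 1, 1066, 904)."""
    r0, r1 = a, b
    rows = []
    while r1 != 0:
        q, r2 = divmod(r0, r1)
        rows.append((r0, q, r1, r2))
        r0, r1 = r1, r2
    return rows

def gcd(a, b):
    """gcd(a, b) = r_{n-1}, the last non-zero remainder (step 3)."""
    return euclid_steps(a, b)[-1][2]

def extended_euclid(r0, r1):
    """Return (g, s, t) with g = gcd(r0, r1) = s*r0 + t*r1, maintaining
    s_i = s_{i-2} - q_{i-1} s_{i-1} and t_i = t_{i-2} - q_{i-1} t_{i-1}
    next to the remainders, exactly as on the s_i and t_i slide."""
    s_prev, s_cur = 1, 0   # s_0, s_1
    t_prev, t_cur = 0, 1   # t_0, t_1
    while r1 != 0:
        q, r2 = divmod(r0, r1)
        r0, r1 = r1, r2
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    return r0, s_prev, t_prev

def inverse_eea(a, n):
    """a^-1 mod n via the extended Euclidean algorithm: run with r_0 = n,
    r_1 = a; then t_{n-1} * a ≡ 1 (mod n), so only t is needed."""
    g, _, t = extended_euclid(n, a)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {g}")
    return t % n

def inverse_search(a, n):
    """Method 1: search x in 1..n-1 with a*x ≡ 1 (mod n); T(n) = O(n)."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    raise ValueError(f"{a} has no inverse mod {n}")

def inverse_euler(a, n):
    """Method 2: a^-1 = a^(phi(n)-1) mod n. phi(n) is found here by counting
    the reduced residues, which (like factoring n) costs far more than EEA."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} has no inverse mod {n}")
    phi = sum(1 for x in range(1, n) if gcd(x, n) == 1)
    return pow(a, phi - 1, n)

if __name__ == "__main__":
    for r0, q, r1, r2 in euclid_steps(1970, 1066):    # the gcd(1970, 1066) table
        print(f"{r0} = {q} x {r1} + {r2}")
    print("gcd(1970, 1066) =", gcd(1970, 1066))
    print("3^-1 mod 7 =", inverse_eea(3, 7), inverse_search(3, 7), inverse_euler(3, 7))
```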

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Algebraic Structures

• Why structures?
  – Cryptographic transforms are normally performed in some structures
• Definition: An algebraic structure is the collection of a set (S) with one (or more) operations (∘) performed on the elements of S
  – Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions

Group

• Definition: A group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S: a∘b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S: (a∘b)∘c = a∘(b∘c)
  – G3: ∃e ∈ S, ∀a ∈ S: a∘e = e∘a = a
  – G4: ∀a ∈ S, ∃a^{-1} ∈ S: a∘a^{-1} = a^{-1}∘a = e
  – [G5, Abelian group]: ∀a, b: a∘b = b∘a

Group Example

• ⟨Z, +⟩: e = 0, a^{-1} = −a
• ⟨Zn, +⟩ (Zn = {0, 1, …, n − 1}, '+' is addition modulo n): e = 0, a^{-1} = n − a
• ⟨Z2, ⊕⟩ (XOR) is also a group
• ⟨Zp*, ×⟩ (Zp* = {1, …, p − 1}, '×' is multiplication modulo p)

Group Properties

• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange's Theorem Proof

(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (since e ∈ H, a ∈ aH). So all the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of a Group Element

• Definition: The order of a group element a is defined as the least positive integer n such that a^n = a∘a∘…∘a = e
• The order of a is denoted as ord(a)
• Corollary: Suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n

ord(a) | n Proof

• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operator of G forms a subgroup of G: a^{ord(a)} = e and (a^i)^{-1} = a^{ord(a) − i}
  – This subgroup is denoted as ⟨a⟩ and has ord(a) elements
  – By Lagrange's theorem its order, ord(a), divides n

The Generator of a Group

• Definition: If all elements of a group can be generated by a single element g, g is called a generator of the group
• Example
  – Consider ⟨Z7*, ×⟩
  – 2 generates: 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • ⟨{1, 2, 4}⟩ is a subgroup
  – 3 generates: 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator
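
The order of an element, the subgroup ⟨a⟩ and the generators of ⟨Zp*, ×⟩ from the last three slides, as an added Python example that is not from the lecture (function names are mine). It reproduces the Z7* example and checks Lagrange's theorem on every element.

```python
# Added example (not from the lecture slides): ord(a), the subgroup <a> and the
# generators of <Z_p*, x>, with Lagrange's theorem checked on every element.
# Function names are constructed here.

def element_order(a, p):
    """ord(a) in Z_p*: the least positive k with a^k ≡ 1 (mod p)."""
    if a % p == 0:
        raise ValueError("0 is not in Z_p*")
    k, power = 1, a % p
    while power != 1:
        power = (power * a) % p
        k += 1
    return k

def generated_subgroup(a, p):
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list."""
    return sorted({pow(a, i, p) for i in range(1, element_order(a, p) + 1)})

def generators(p):
    """Elements of Z_p* of order p - 1, i.e. those generating the whole group."""
    return [g for g in range(1, p) if element_order(g, p) == p - 1]

def lagrange_holds(p):
    """ord(a) divides |Z_p*| = p - 1 for every a, as the corollary states."""
    return all((p - 1) % element_order(a, p) == 0 for a in range(1, p))

if __name__ == "__main__":
    print(element_order(2, 7), generated_subgroup(2, 7))   # 3 [1, 2, 4]
    print(element_order(3, 7), generators(7))              # 6 [3, 5]
    print(lagrange_holds(7), lagrange_holds(23))
```

Note that Z7* has exactly φ(6) = 2 generators, 3 and 5, which is the general count φ(p − 1).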

Ring

• Definition: A ring R = ⟨S, +, ×⟩ (+ is addition, × is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a × b ∈ S (closure rule)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a × b) × c = a × (b × c)
  – R4: ∀a, b, c ∈ S: a × (b + c) = a × b + a × c
• Example
  – The set of even integers with + and × is a ring
  – p, q two primes, n = pq: Zn = {0, 1, …, n − 1} with addition and multiplication mod n is a ring

Field

• Definition: A field F is ⟨S, +, ×⟩ with
  – F1: ⟨S, +, ×⟩ is a commutative ring (a × b = b × a)
  – F2: There exists an identity element 1 with respect to multiplication: a × 1 = 1 × a = a
  – F3: Any nonzero element a ∈ S has a unique inverse a^{-1}: a × a^{-1} = a^{-1} × a = 1
• Example
  – Zn = ⟨{0, 1, …, n − 1}, +, ×⟩ is a field if n is a prime

Relationship

[Figure: nested structures used in cryptography, from Group (+, −) inside Ring (+, −, ×) inside Field (+, −, ×, ÷)]

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F_{2^n}

Zn

• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n − 1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z26 for English letters
  – Z256 for ASCII

Zn Properties

• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: yes
  – For each x in Zn there is a number y such that x + y = 0
• Multiplicative inverse: not for all x
  – A number y such that xy = 1 exists only for some x in Zn
  – The elements in Zn that have an inverse: {x | gcd(x, n) = 1}

Zn*

• Zn* is the "group" of integers modulo n under multiplication
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field

Zp

• Zp is the "field" of integers modulo a prime p
  – Zp = {0, 1, 2, …, p − 1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2

    +  | 0  1        ×  | 0  1        w | −w | w^{-1}
    ---+------       ---+------       --+----+-------
    0  | 0  1        0  | 0  0        0 | 0  | (none)
    1  | 1  0        1  | 0  1        1 | 1  | 1

  + is XOR, × is AND

Polynomial Ring

• Definition: If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n−1} x^{n−1} + … + a_1 x + a_0 where each a_i ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x) g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x) b(x) ≡ 1 mod p(x) then b(x) = a^{-1}(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x) b(x) then a(x) is divisible by b(x), denoted as b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) such that b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)

• S = {0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1) Properties

• S is a group over addition in R
  – 0 is e and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S without 0 is a group over multiplication mod p(x)
  – 1 is e and the inverse of a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3 + x + 1) is a field

Galois Field

• Definition: Galois field = (S, +, ×)
  – S = F[x]/p(x)
  – F is a field Z_N (N is prime)
  – + is addition in F; × is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted as GF(N^n) when n = deg p(x)

Why Galois Field?

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for Z256?
  – Yes: the Galois field

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
    10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^{-1} ↔ (x^6 + x^4 + x + 1)^{-1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: 02 · 87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ x
  • 02 · 87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, for a byte (b7 b6 b5 b4 b3 b2 b1 b0), multiplication by 02 is
    x·f(x) ↔ (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
    x·f(x) ↔ (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1
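
Arithmetic in Z2[x]/p(x) as an added Python example that is not from the lecture, covering both the GF(2^3) example of the Z2[x]/(x^3 + x + 1) slides and the AES GF(2^8) slides above: polynomials over Z2 are bit strings (bit i is the coefficient of x^i), addition is XOR, and multiplication by x is the shift-and-reduce rule of the last slide. Function names are mine; the reducing polynomials are the ones on the slides.

```python
# Added example (not from the lecture slides): GF(2^n) = Z2[x]/p(x) arithmetic on
# bit strings, checked against the slides' own examples in GF(2^3) and in the
# AES field. Function names are constructed here.

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES reducing polynomial
P3 = 0b1011        # x^3 + x + 1, the GF(2^3) example

def degree(poly):
    return poly.bit_length() - 1     # degree(0) = -1

def gf_mod(f, p):
    """f(x) mod p(x) by long division over Z2, e.g. x^4 + 1 mod x^3 + x + 1."""
    n = degree(p)
    while degree(f) >= n:
        f ^= p << (degree(f) - n)    # subtract (XOR) the aligned multiple of p(x)
    return f

def xtime(f, p):
    """x * f(x) mod p(x) for a reduced f: shift left; if the top bit overflowed,
    XOR p(x). For AES this is the (b6..b0 0) XOR 00011011 rule of the slide."""
    n = degree(p)
    f <<= 1
    if f >> n & 1:
        f ^= p
    return f

def gf_mul(f, g, p):
    """f(x) * g(x) mod p(x) by repeated xtime (shift-and-add over Z2)."""
    result = 0
    while g:
        if g & 1:
            result ^= f
        f = xtime(f, p)
        g >>= 1
    return result

def gf_inv(a, p):
    """a^-1 mod p(x): the nonzero elements form a group of order 2^n - 1, so
    a^(2^n - 2) is the inverse (Euler's theorem applied to the field)."""
    if a == 0:
        raise ValueError("0 has no inverse")
    result, base, exp = 1, a, (1 << degree(p)) - 2
    while exp:
        if exp & 1:
            result = gf_mul(result, base, p)
        base = gf_mul(base, base, p)
        exp >>= 1
    return result

def poly_str(poly):
    """Render a bit string as a polynomial, e.g. 0b1011 -> 'x^3+x+1'."""
    terms = [("1" if i == 0 else "x" if i == 1 else f"x^{i}")
             for i in range(degree(poly), -1, -1) if poly >> i & 1]
    return "+".join(terms) if terms else "0"

def is_field(p):
    """Every nonzero residue has an inverse iff p(x) is irreducible."""
    return all(gf_mul(a, gf_inv(a, p), p) == 1 for a in range(1, 1 << degree(p)))

if __name__ == "__main__":
    print(poly_str(gf_mod(0b10001, P3)))               # x^4+1 mod p = x^2+x+1
    print(poly_str(gf_mul(0b101, 0b010, P3)))          # (x^2+1)*x = 1 in GF(2^3)
    print(hex(gf_mul(0x02, 0x87, AES_POLY)))           # 0x15
    print(poly_str(gf_inv(0x53, AES_POLY)))            # x^7+x^6+x^3+x, i.e. 0xCA
    print(is_field(P3), is_field(0b1001))              # True False (x^3+1 is reducible)
```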

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• Message space P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai | i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• Key space K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi | i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• Ciphertext space C = {c | c = ek(m), k ∈ K, m ∈ M}
• [Figure: Sender → Encryption → c → Decryption → Receiver; the key k from the key space K reaches both ends over a secure channel, while cryptanalysis observes c and tries to recover m]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung." (R. G. Gallager)

Claude Shannon, 1916–2001

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] Pr[P = dk(c)]
  – C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
• Pr[P = m | C = c] = Pr[C = c | P = m] Pr[P = m] / Pr[C = c]
  = ( Pr(m) Σ_{k | m = dk(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) Pr(dk(c)) )

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P, ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and ∀x ∈ P and ∀y ∈ C there is a unique key k such that ek(x) = y

Proof of ⇐ (the two conditions imply perfect secrecy)

• Pr[X = x | Y = y] = ( Σ_{k ∈ K, x = dk(y)} Pr[K = k] Pr[X = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] Pr[X = dk(y)] )
• Numerator: Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K|, since exactly one key maps x to y
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] Pr[X = dk(y)] = (1/|K|) Σ_{k ∈ K, y ∈ C(k)} Pr[X = dk(y)] = (1/|K|) Σ_{x ∈ P} Pr[X = x] = 1/|K|
• Hence Pr[X = x | Y = y] = Pr[X = x]

Proof of ⇒ (perfect secrecy implies a unique key)

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• For fixed x ∈ P, y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with ek1(x) = ek2(x)
  – There is a unique key k such that ek(x) = y

Proof of ⇒ (perfect secrecy implies equiprobable keys)

• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, take the keys k1, k2, …, kn with eki(xi) = y
• Pr[xi | y] = Pr[y | xi] Pr[xi] / Pr[y] = Pr[K = ki] Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
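
The probability computations of the "Probability Distribution of C" slide, the perfect secrecy definition and the theorem's conditions, carried through on small ciphers as an added Python example that is not from the lecture. The ciphers and the key and message distributions are constructed here for illustration (a one-time pad on 2-bit blocks, the same pad with biased keys, and the pad with a key space smaller than the message space); function names are mine.

```python
# Added example (not from the lecture slides): Pr[C=c] and Pr[P=m|C=c] for a
# small cipher, the Shannon-security test, the conditions of the perfect secrecy
# theorem, and the |K| >= |P| bound. Ciphers and distributions are constructed.
from fractions import Fraction
from itertools import product

def cipher_distributions(enc, keys, msgs, pr_key, pr_msg):
    """Return (Pr[C=c], Pr[P=m|C=c]) as dicts, from the sums on the slide:
    Pr[C=c] = sum over (k, m) with e_k(m)=c of Pr[k] Pr[m];
    Pr[m|c] = Pr[c|m] Pr[m] / Pr[c], with Pr[c|m] = sum over k with e_k(m)=c of Pr[k]."""
    pr_c, joint = {}, {}
    for k, m in product(keys, msgs):
        c = enc(k, m)
        pr_c[c] = pr_c.get(c, 0) + pr_key[k] * pr_msg[m]
        joint[(m, c)] = joint.get((m, c), 0) + pr_key[k] * pr_msg[m]
    pr_m_given_c = {(m, c): joint.get((m, c), 0) / pr_c[c]
                    for m in msgs for c in pr_c if pr_c[c] > 0}
    return pr_c, pr_m_given_c

def perfectly_secret(enc, keys, msgs, pr_key, pr_msg):
    """Shannon security: Pr[P=m | C=c] = Pr[P=m] for every m and every reachable c."""
    _, pr_m_given_c = cipher_distributions(enc, keys, msgs, pr_key, pr_msg)
    return all(pr_m_given_c[(m, c)] == pr_msg[m] for (m, c) in pr_m_given_c)

def theorem_conditions(enc, keys, msgs, pr_key):
    """The characterisation for |K| = |P| = |C|: keys uniform, and for each
    (x, y) exactly one key with e_k(x) = y."""
    ciphertexts = {enc(k, m) for k in keys for m in msgs}
    if not (len(keys) == len(msgs) == len(ciphertexts)):
        return False
    if any(pr_key[k] != Fraction(1, len(keys)) for k in keys):
        return False
    return all(sum(1 for k in keys if enc(k, x) == y) == 1
               for x in msgs for y in ciphertexts)

def otp(k, m):
    """One-time pad on 2-bit blocks (constructed): e_k(m) = m XOR k."""
    return k ^ m

# Constructed spaces and distributions (exact arithmetic with Fractions).
BITS2 = [0, 1, 2, 3]
uniform = {x: Fraction(1, 4) for x in BITS2}
skewed_msgs = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
biased_keys = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}
small_keys = [0, 1]                      # |K| = 2 < |P| = 4, the "bad news" case
small_key_dist = {0: Fraction(1, 2), 1: Fraction(1, 2)}

if __name__ == "__main__":
    print(perfectly_secret(otp, BITS2, BITS2, uniform, skewed_msgs))         # True
    print(perfectly_secret(otp, BITS2, BITS2, biased_keys, skewed_msgs))     # False
    print(perfectly_secret(otp, small_keys, BITS2, small_key_dist, uniform)) # False
    print(theorem_conditions(otp, BITS2, BITS2, uniform))                     # True
```

With uniform keys the pad is perfectly secret whatever the message distribution; biasing the keys or shrinking the key space below |P| breaks it, exactly as the theorem and the |K| ≥ n bound predict.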

Introduction to Complexity

• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Means that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is a transition function δ: S × B → S × B × {l, r}
  – where S is the set of states, B the set of tape characters, l is shift left, r is shift right
• [Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a state machine]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which for an instance produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

[Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]

Complexity of Algorithm

• Definition: The time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P: can be solved in polynomial time using a DTM (deterministic Turing machine)
  – NP: can be solved in polynomial time using an NDTM (non-deterministic Turing machine, whose transition relation maps S × B to subsets of states, 2^S)
  – BPP: can be "solved" in polynomial time using a PTM (probabilistic Turing machine, whose transition function maps S × B × {0,1} to S), i.e. by randomized algorithms
• Example: A, B


Zhijun Li S1034040Autumn08HIT 12

Euclidean Algorithm

bull Step 1 r0 =a and r1 =b

bull Step 2 r0 =q1r1+ r2

r1 =q2r2+ r3

helliphellip

rn-2 = qn-1rn-1+ rn

until rn=0 and rn-1 0

bull Step 3 rn-1 = gcd(ab)

Zhijun Li S1034040Autumn08HIT 13

Euclidean Algorithm Proof

bull rn = 0 rn-1| rn-2

rn-1| rn-3 hellip rn-1| a and rn-1| b

rn-1| gcd(ab)

bull gcd(ab)| r0 and gcd(ab)|r1

gcd(ab) | r0 ndash q1r1 gcd(ab)| r2

hellip gcd(ab) | rn-1

bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1

Zhijun Li S1034040Autumn08HIT 14

Euclidean Algorithm Complexity

bull Time Complexityndash Iteration

bull Each rigt1 iteration = O(log2a)

ndash Division

bull O(log22a)

ndash T(n)=O(log32n)

Zhijun Li S1034040Autumn08HIT 15

Modular Arithmetic

bull Why modular arithmetic

01100hellip0100

Plaintext 2n

11010hellip0111

Ciphertext 2n

+ addition multiplication

Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite

Zhijun Li S1034040Autumn08HIT 16

Modular Operation

• Definition: a mod n (the modulo operator) is the remainder when a is divided by n

• a mod n is r, where a = q·n + r (0 ≤ r < n)

Zhijun Li S1034040Autumn08HIT 17

Congruence Modulo n

• Definition: integers a and b are congruent modulo n
  – if a mod n = b mod n
  – denoted as a ≡ b mod n
  – Example: 100 ≡ 34 mod 11
  – a ≡ b mod n ⇔ a = b + k·n ⇔ n | (a – b)

Zhijun Li S1034040Autumn08HIT 18

Congruence Properties

• Properties
  – a ≡ b (mod n), c ≡ d (mod n) ⇒ a + c ≡ b + d (mod n) and a·c ≡ b·d (mod n)
  – Example: 10 ≡ 1 mod 9, 10^2 ≡ 1 mod 9, …
    a = a_m·10^m + … + a_1·10 + a_0 ≡ a_m + … + a_1 + a_0 mod 9
  – a ≡ b (mod n), d | n ⇒ a ≡ b (mod d)

Zhijun Li S1034040Autumn08HIT 19

Congruence Relation

• The congruence relation is an equivalence relation
  – Reflexive: a ≡ a
  – Symmetric: a ≡ b ⇒ b ≡ a
  – Transitive: a ≡ b, b ≡ c ⇒ a ≡ c

• Equivalence relation ⇒ partition

Zhijun Li S1034040Autumn08HIT 20

Example: Integers Modulo 7

• Integers can always be written a = q·n + r (0 ≤ r ≤ n – 1)
  [figure: the integers –21 … 34 arranged by congruence class modulo 7]
  Z_7: residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

• Definition: if a ≡ b mod n and b < n, b is called a residue of a modulo n

• The complete set of residues modulo n
  – The set {r_1, r_2, …, r_n} such that for every integer b exactly one r_i in the set satisfies b ≡ r_i mod n

• The reduced set of residues (RSR)
  – A subset of the complete set of residues in which each element is relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues: Example

• N = 10
  – The complete set of residues is {0, 1, 2, …, 9}
  – The reduced set of residues is {1, 3, 7, 9}

• N = p (p is a prime)
  – The complete set of residues is {0, 1, 2, …, p – 1}
  – The reduced set of residues is {1, 2, …, p – 1}

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

• We can define modular arithmetic on the set of integers Z_n = {0, 1, 2, …, n – 1}

• Under normal arithmetic (+, ×)
  – [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • Proof: let a = q_1·n + r_1, b = q_2·n + r_2
    • (a + b) mod n = (q_1·n + r_1 + q_2·n + r_2) mod n = (r_1 + r_2) mod n
  – [(a mod n) × (b mod n)] mod n = (a·b) mod n

• From (+, ×) to (–, ÷)?

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Example

• (Z_8 = {0, 1, 2, …, 7}, +)
  [figure: addition table of Z_8]
  What?

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Example

• (Z_8 = {0, 1, 2, …, 7}, ×)
  [figure: multiplication table of Z_8]
  NOT all elements in Z_8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

• Additive inverse: always exists
  – (a + (–a)) ≡ 0 mod n, –a = n – a
  – if (a + b) ≡ (a + c) mod n then b ≡ c mod n
    • ((–a) + a + b) ≡ ((–a) + a + c) mod n

• Multiplicative inverse: does NOT always exist
  – Example: 6 in Z_8
  – When?

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular Arithmetic

• Definition: a^{-1} mod n is the multiplicative inverse of a ∈ {1, 2, …, n – 1} when a·x ≡ 1 mod n

• Theorem: a^{-1} mod n exists if and only if gcd(a, n) = 1

• Lemma: if gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
  – Proof: assume a·i ≡ a·j mod n ⇒ n | a·(i – j) ⇒ n | (i – j) ⇒ i – j = 0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

• Proof
  – gcd(a, n) = 1 ⇒ a·{1, …, n – 1} mod n is a permutation of {1, …, n – 1}
  – So there exists exactly one i with a·i ≡ 1 mod n
  – Therefore i is a^{-1} mod n

  – Suppose a^{-1} exists, call it x
  – a·x ≡ 1 (mod n) and a·x + y·n = 1 for some integer y
  – gcd(a, n) = 1 (gcd(a, n) | a·x + y·n ⇒ gcd(a, n) | 1)

Zhijun Li S1034040Autumn08HIT 29

Euler's phi Function

• Euler's "phi" function φ(n)
  – is the number of invertible elements of Z_n
  – is the number of elements in the reduced set of residues modulo n

• φ(n) calculation?

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

• Theorem: let n_1, n_2, …, n_k be integers s.t. gcd(n_i, n_j) = 1 (i ≠ j)
    x ≡ a_1 mod n_1
    x ≡ a_2 mod n_2
    ……
    x ≡ a_k mod n_k
  There exists a unique solution x modulo n = n_1·n_2·…·n_k

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

• Consider a one-to-one map ψ: Z_n → Z_{n_1} × Z_{n_2} × … × Z_{n_k}
    ψ(x) = (x mod n_1, x mod n_2, …, x mod n_k)
  – CRT is to find ψ^{-1}(a_1, a_2, …, a_k)
    ψ^{-1}(a_1, a_2, …, a_k) = Σ_{i=1}^{k} a_i·m_i·y_i mod n
  – m_i = n / n_i, gcd(m_i, n_i) = 1, 1 ≤ i ≤ k
  – y_i = m_i^{-1} mod n_i, 1 ≤ i ≤ k
  – m_i ≡ 0 mod n_j for j ≠ i ⇒ a_i·m_i·y_i ≡ 0 mod n_j for j ≠ i
  – y_j ≡ m_j^{-1} mod n_j ⇒ m_j·y_j ≡ 1 mod n_j ⇒ a_j·m_j·y_j ≡ a_j mod n_j
  ⇒ ψ^{-1}(a_1, a_2, …, a_k) mod n_j = a_j

Zhijun Li S1034040Autumn08HIT 32

Finding Euler's phi Function

• Theorem: if gcd(m, n) = 1 then φ(m·n) = φ(m)·φ(n)

• Proof
  – A number x mod m·n is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – So φ(m·n) = φ(m)·φ(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Euler's phi Function

• φ(n) calculation for n = Π_{i=1}^{k} p_i^{e_i}
  – φ(p) = p – 1, φ(p^e) = p^e – p^{e-1}
    – The numbers k·p with k = 1, …, p^{e-1} – 1 have gcd(k·p, p^e) ≠ 1 (they are the multiples of p below p^e)
    – So φ(p^e) = (p^e – 1) – (p^{e-1} – 1)
  – φ(Π_{i=1}^{k} p_i^{e_i}) = Π_{i=1}^{k} (p_i^{e_i} – p_i^{e_i – 1})
  – φ(n) = n·(1 – 1/p_1)·(1 – 1/p_2)·…·(1 – 1/p_k)

Zhijun Li S1034040Autumn08HIT 34

Euler's Theorem

• Theorem: if gcd(a, n) = 1 then a^{φ(n)} ≡ 1 mod n

• Proof
  1. Let R = {r_1, r_2, …, r_{φ(n)}} be a reduced set of residues modulo n
  2. {a·r_1, a·r_2, …, a·r_{φ(n)}} is a permutation of R (gcd(a·r_i, n) = 1)
  3. Π_{i=1}^{φ(n)} r_i ≡ Π_{i=1}^{φ(n)} a·r_i ≡ a^{φ(n)}·Π_{i=1}^{φ(n)} r_i mod n
  4. gcd(Π_{i=1}^{φ(n)} r_i, n) = 1, hence a^{φ(n)} ≡ 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermat's Little Theorem

• From Euler's Theorem
  Let n = p where p is a prime.
  Because gcd(a, p) = 1 for all 0 < a < p, then
    a^{p-1} ≡ 1 mod p
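As an added example (my code, not from the slides) covering the three preceding slides: φ(n) computed from the factorization formula and by counting the reduced set of residues, the permutation step of the Euler's-theorem proof, and a check of a^{φ(n)} ≡ 1 (mod n). Trial-division factoring is assumed to be adequate for the small sample moduli used here.

```python
from math import gcd


def factorize(n):
    """Trial-division factorization n = Π p_i^{e_i}; returns {p_i: e_i}."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi_from_factors(n):
    """φ(n) = Π (p^e - p^{e-1}) over the prime factorization (the slide's formula)."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def reduced_residues(n):
    """The reduced set of residues modulo n: {x in Z_n : gcd(x, n) = 1}."""
    return [x for x in range(n) if gcd(x, n) == 1]


def phi_by_counting(n):
    """φ(n) as the size of the reduced set of residues (the definition)."""
    return len(reduced_residues(n))


def permutation_step_holds(a, n):
    """Step 2 of the proof: multiplying every reduced residue by a (gcd(a, n) = 1)
    permutes the reduced set of residues."""
    R = reduced_residues(n)
    return sorted((a * r) % n for r in R) == R


def euler_theorem_holds(a, n):
    """a^φ(n) ≡ 1 (mod n) whenever gcd(a, n) = 1; False when a is not a unit."""
    return gcd(a, n) == 1 and pow(a, phi_from_factors(n), n) == 1


if __name__ == "__main__":
    # constructed samples: 10 = 2·5 (from the residues slide) and 36 = 2^2·3^2
    print(phi_from_factors(10), reduced_residues(10))
    print(phi_from_factors(36), phi_by_counting(36))
    print(euler_theorem_holds(7, 10), pow(5, 16, 17))   # Fermat: 5^(17-1) mod 17
```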

Zhijun Li S1034040Autumn08HIT 36

Finding a^{-1} mod n

• Search through 1, …, n – 1 until an a^{-1} is found such that a·a^{-1} ≡ 1 (mod n)
  – T(n) = O(n)

• Compute a^{-1} = a^{φ(n)-1} mod n
  – Finding φ(n) requires factoring n
  – T(n) = O(n^a)

• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)

Zhijun Li S1034040Autumn08HIT 37

From the Euclidean Algorithm

• r_0 = 1·r_0 + 0·r_1 = s_0·r_0 + t_0·r_1
• r_1 = 0·r_0 + 1·r_1 = s_1·r_0 + t_1·r_1
• r_2 = r_0 – q_1·r_1 = s_2·r_0 + t_2·r_1
• r_3 = r_1 – q_2·r_2 = r_1 – q_2·(r_0 – q_1·r_1) = s_3·r_0 + t_3·r_1
  ……
• r_{n-1} = s_{n-1}·r_0 + t_{n-1}·r_1

• r_{n-1} = gcd(r_0, r_1)
• s_{n-1}·r_0 + t_{n-1}·r_1 = 1 ⇒ t_{n-1}·r_1 ≡ 1 mod r_0 ⇒ t_{n-1} ≡ r_1^{-1} mod r_0

• Find t_{n-1}!

Zhijun Li S1034040Autumn08HIT 38

s_i and t_i

• r_0 = s_0·r_0 + t_0·r_1, s_0 = 1, t_0 = 0
• r_1 = s_1·r_0 + t_1·r_1, s_1 = 0, t_1 = 1
  ……
• r_i = r_{i-2} – q_{i-1}·r_{i-1} = s_{i-2}·r_0 + t_{i-2}·r_1 – q_{i-1}·s_{i-1}·r_0 – q_{i-1}·t_{i-1}·r_1 = s_i·r_0 + t_i·r_1
    s_i = s_{i-2} – q_{i-1}·s_{i-1}
    t_i = t_{i-2} – q_{i-1}·t_{i-1}

• Only t_i is needed
• r_i = s_i·r_0 + t_i·r_1 ≡ t_i·r_1 mod r_0

Zhijun Li S1034040Autumn08HIT 39

Extended Euclidean Algorithm

Step 1: r_0 = n and r_1 = a

Step 2: r_0 = q_1·r_1 + r_2 ⇒ r_2 = r_0 – q_1·r_1 ≡ –q_1·r_1 mod n; let x_2 = –q_1, then r_2 ≡ x_2·r_1 mod n
        r_1 = q_2·r_2 + r_3 ⇒ r_3 = r_1 – q_2·r_2 ≡ (1 – x_2·q_2)·r_1 mod n; let x_3 = 1 – x_2·q_2, then r_3 ≡ x_3·r_1 mod n
        ……
        r_{n-3} = q_{n-2}·r_{n-2} + r_{n-1} ⇒ r_{n-1} = r_{n-3} – q_{n-2}·r_{n-2} mod n; let x_{n-1} = x_{n-3} – x_{n-2}·q_{n-2}, then r_{n-1} ≡ x_{n-1}·r_1 mod n. Now r_{n-1} = 1

Step 3: Result is x_{n-1} = a^{-1} mod n (the coefficient t_{n-1} of the previous slide)
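The Euclidean remainder sequence, the s_i/t_i recurrences and the inverse-from-t_{n-1} step of the last four slides, as one added example (my code, not from the lecture). `extended_euclid(n, a)` follows the slide's convention r_0 = n, r_1 = a, so the returned t is a^{-1} mod n when the gcd is 1.

```python
def euclid_remainders(a, b):
    """Remainder sequence r_0 = a, r_1 = b, r_i = r_{i-2} - q_{i-1} r_{i-1} until r_n = 0.
    Returns (remainders, quotients); gcd(a, b) is the last nonzero remainder r_{n-1}."""
    r = [a, b]
    q = []
    while r[-1] != 0:
        q.append(r[-2] // r[-1])
        r.append(r[-2] - q[-1] * r[-1])
    return r, q


def gcd(a, b):
    return euclid_remainders(a, b)[0][-2]


def extended_euclid(r0, r1):
    """Carry s_i, t_i along with r_i = s_i r0 + t_i r1 using
    s_i = s_{i-2} - q_{i-1} s_{i-1} and t_i = t_{i-2} - q_{i-1} t_{i-1}.
    Returns (g, s, t) with g = gcd(r0, r1) = s r0 + t r1."""
    s_prev, s_cur = 1, 0      # s_0 = 1, s_1 = 0
    t_prev, t_cur = 0, 1      # t_0 = 0, t_1 = 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    return r0, s_prev, t_prev   # r0 is now r_{n-1}, and (s_prev, t_prev) are s_{n-1}, t_{n-1}


def mod_inverse(a, n):
    """a^{-1} mod n via t_{n-1}: with r_0 = n, r_1 = a and s r_0 + t r_1 = 1 we get t a ≡ 1 (mod n)."""
    g, _, t = extended_euclid(n, a)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd({a}, {n}) = {g}")
    return t % n


if __name__ == "__main__":
    # constructed samples: gcd(84, 30) and the inverse of 7 in Z_26
    print(euclid_remainders(84, 30))          # ([84, 30, 24, 6, 0], [2, 1, 4])
    print(extended_euclid(26, 7))             # (1, 3, -11): 3·26 + (-11)·7 = 1
    print(mod_inverse(7, 26))                 # 15, since 7·15 = 105 = 4·26 + 1
```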

Zhijun Li S1034040Autumn08HIT 40

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 41

Algebraic Structures

• Why structures?
  – Cryptographic transforms normally operate within some algebraic structure

• Definition: an algebraic structure is the collection of a set S with one (or more) operations (∘) performed on the elements of S
  – Different algebraic structures are <S, ∘> satisfying some specific conditions

Zhijun Li S1034040Autumn08HIT 42

Group

• Definition: a group G = <S, ∘> is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c)
  – G3: ∃e ∈ S such that ∀a ∈ S, a∘e = e∘a = a
  – G4: ∀a ∈ S, ∃a^{-1} ∈ S such that a∘a^{-1} = a^{-1}∘a = e
  – [G5, Abelian group]: ∀a, b, a∘b = b∘a

Zhijun Li S1034040Autumn08HIT 43

Group Example

• <Z, +>: e = 0, a^{-1} = –a

• <Z_n, +> (Z_n = {0, 1, …, n – 1}, '+' is addition modulo n): e = 0, a^{-1} = n – a

• <Z_2, ⊕> is also a group

• <Z_p^*, ×> (Z_p^* = {1, …, p – 1}, '×' is multiplication modulo p)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

• Definition: the order of a finite group is the number of elements in the group

• Definition: a group G_1 = <S_1, ∘> is a subgroup of the group G = <S, ∘> if S_1 ⊆ S

• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange's Theorem: Proof

(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {a∘h | h ∈ H} is called a coset of H

(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅

(3) Each element of G is in some coset (e ∈ H, so a ∈ aH); hence all the cosets form a partition of G

(4) The order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of a Group Element

• Definition: the order of a group element a is defined as the least positive integer n such that
    a^n = a∘a∘…∘a = e

• The order of a is denoted as ord(a)

• Corollary: suppose G is a finite group whose order is n and a ∈ G, then ord(a) | n

Zhijun Li S1034040Autumn08HIT 47

ord(a) | n: Proof

• Proof
  – For group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operator of G forms a subgroup of G
    a^{ord(a)} = e, (a^i)^{-1} = a^{ord(a) – i}
  – This subgroup is denoted as <a>
  – By Lagrange's Theorem the order of <a>, which is ord(a), divides n

Zhijun Li S1034040Autumn08HIT 48

The Generator of a Group

• Definition: if all elements of a group can be generated by a single element g, g is called the generator of the group

• Example
  – Consider <Z_7^*, ×>
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • <{1, 2, 4}, ×> is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator

Zhijun Li S1034040Autumn08HIT 49

Ring

• Definition: a ring R = <S, +, ×> (+ is addition, × is multiplication) such that
  – R1: ∀a, b ∈ S, a + b ∈ S and a×b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S, (a×b)×c = a×(b×c)
  – R4: ∀a, b, c ∈ S, a×(b + c) = a×b + a×c

• Example
  – The set of even integers with + and × is a ring
  – p, q are two primes and n = p·q; Z_n = {0, 1, …, n – 1} with addition and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

• Definition: a field F is <S, +, ×> with
  – F1: <S, +, ×> is a commutative ring (a×b = b×a)
  – F2: there exists an identity element 1 with respect to multiplication: a×1 = 1×a = a
  – F3: any nonzero element a ∈ S has its unique inverse a^{-1}: a×a^{-1} = a^{-1}×a = 1

• Example
  – Z_n = <{0, 1, …, n – 1}, +, ×> is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Relationship

[figure: Field (+, –, ×, ÷) ⊃ Ring (+, –, ×) ⊃ Group (+, –); "Used in Cryptography" marks the field]

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

• Z_n
• Z_n^*
• Z_p
• Polynomial rings
• Galois field F_{2^n}

Zhijun Li S1034040Autumn08HIT 53

Z_n

• Z_n is the "ring" of integers modulo n
  – Z_n = {0, 1, 2, …, n – 1}
  – Normal addition modulo n
  – Normal multiplication modulo n

• Example
  – Z_26 for English letters
  – Z_256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Z_n Properties

• Additive and multiplicative identities in Z_n
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n

• Additive inverse: yes
  – For every x in Z_n there is a number y such that x + y = 0

• Multiplicative inverse: not for all x
  – A number y such that x·y = 1 does not exist for every x in Z_n
  – The elements in Z_n that have an inverse are {x | gcd(x, n) = 1}

Zhijun Li S1034040Autumn08HIT 55

Z_n^*

• Z_n^* is a "group" of integers modulo n
  – Z_n^* = {x | gcd(x, n) = 1}
  – |Z_n^*| = φ(n)
  – Normal multiplication modulo n

• Z_n^* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Z_n^* but 3 + 5 = 8 ∉ Z_n^*

• So Z_n^* may not be a field

Zhijun Li S1034040Autumn08HIT 56

Z_p

• Z_p is the "field" of integers modulo p
  – Z_p = {0, 1, 2, …, p – 1}
  – Normal addition modulo p
  – Normal multiplication modulo p

• Example: Z_2

    +  | 0 1        ×  | 0 1        w | –w | w^{-1}
    ---+-----       ---+-----       --+----+-------
    0  | 0 1        0  | 0 0        0 |  0 |   –
    1  | 1 0        1  | 0 1        1 |  1 |   1

  + is XOR, × is AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

• Definition: if R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x) = a_n·x^n + a_{n-1}·x^{n-1} + … + a_1·x + a_0 where each a_i ∈ R and n ≥ 0

• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

• Example: let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z_2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) – g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

• Definition: a set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R

• A set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), or a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) – b(x))

• Example
  – Z_5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    • 3x^3 + 4x + 4 – (x + 4) = 3x^3 + 3x = 3x·(x^2 + 1)

• Definition: if a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^{-1}(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted as b(x) | a(x)

• Definition: a polynomial a(x) is irreducible over a ring R if there is NO non-constant polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) such that b(x) | a(x)

Zhijun Li S1034040Autumn08HIT 62

Example: Z_2[x]/(x^3 + x + 1)

• S = {0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1}
• p(x) = x^3 + x + 1

• For any f(x) ∈ Z_2[x], f(x) mod p(x) ∈ S

• Example
  – x^4 + 1 = x·x^3 + 1 mod p(x) = x·(x + 1) + 1 = x^2 + x + 1

• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Zhijun Li S1034040Autumn08HIT 63

Z_2[x]/(x^3 + x + 1): Properties

• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0

• The nonzero elements of S form a group over multiplication mod p(x)
  – 1 is e, and the inverse of every such a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ x + 1 + x mod x^3 + x + 1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse

• Z_2[x]/(x^3 + x + 1) is a field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

• Definition: Galois field = (S, +, ×)
  – S = F[x]/p(x)
  – F is a field Z_N (N is prime)
  – + is addition in F, × is multiplication modulo p(x)
  – p(x) is irreducible

• The Galois field over Z_N[x]/p(x) is denoted as GF(N^n) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Fields?

• For an 8-bit block
  – Z_256 = {0, 1, …, 255} is not a field
  – Z_251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted

• Is it possible to find a field for Z_256?
  – Yes: a Galois field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z_256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
    10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z_2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example: AES

• AES uses GF(2^8) = Z_2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^{-1} ↔ (x^6 + x^4 + x + 1)^{-1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Zhijun Li S1034040Autumn08HIT 68

Galois Field Example: AES

• Example: 02·87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ f(x) = x
  • 02·87 ↔ x·f(x) = x·(x^7 + x^2 + x + 1) mod p(x) = x^8 + x·(x^2 + x + 1) mod p(x)

• In general, for a byte b = b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0:
    x·f(x) = 02·b = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)                 if b_7 = 0
           = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) ⊕ (00011011)           if b_7 = 1
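Arithmetic in Z_2[x]/p(x) with polynomials stored as bit strings, as one added example (my code, not the lecture's or AES's reference code) serving the Z_2[x]/(x^3 + x + 1) slides and the two AES slides: reduction modulo p(x), multiplication, the inverse, and the "02·b with conditional XOR of 00011011" rule. The inverse is computed as a^(2^n – 2), using a^(2^n – 1) = 1 for nonzero a (Euler's theorem in the multiplicative group of the field); the function and constant names are mine.

```python
def poly_degree(a):
    """Degree of the polynomial whose coefficient bits are the integer a (-1 for the zero polynomial)."""
    return a.bit_length() - 1


def poly_mod(a, p):
    """a(x) mod p(x) over Z_2: subtract (XOR) shifted copies of p(x) until deg a < deg p."""
    while a and poly_degree(a) >= poly_degree(p):
        a ^= p << (poly_degree(a) - poly_degree(p))
    return a


def poly_mul(a, b):
    """Multiplication in Z_2[x] without reduction (carry-less multiply)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def gf_mul(a, b, p):
    """Multiplication in Z_2[x]/p(x) = GF(2^deg p)."""
    return poly_mod(poly_mul(a, b), p)


def gf_inverse(a, p):
    """a^{-1} in GF(2^n) as a^(2^n - 2) by square-and-multiply (a != 0)."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    n = poly_degree(p)
    result, base, e = 1, a, (1 << n) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base, p)
        base = gf_mul(base, base, p)
        e >>= 1
    return result


AES_POLY = 0b1_0001_1011          # p(x) = x^8 + x^4 + x^3 + x + 1 from the AES slide
P3 = 0b1011                       # p(x) = x^3 + x + 1 from the Z_2[x] example slides


def xtime(b):
    """02·b in AES: shift the byte left; if b_7 was set, XOR with 00011011 (p(x) without x^8)."""
    b <<= 1
    if b & 0x100:
        b ^= AES_POLY
    return b & 0xFF


if __name__ == "__main__":
    print(bin(poly_mod(0b10001, P3)))             # x^4 + 1 mod p(x) = x^2 + x + 1 -> 0b111
    print(gf_mul(0b101, 0b10, P3))                # (x^2 + 1)·x mod p(x) = 1
    print(hex(gf_inverse(0x53, AES_POLY)))        # 0xca, the slide's (01010011)^-1
    print(hex(xtime(0x87)), hex(gf_mul(0x02, 0x87, AES_POLY)))   # 02·87 both ways
```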

Zhijun Li S1034040Autumn08HIT 69

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

• P = M^L = {m = (m_1, m_2, …, m_L) | m_i ∈ M}
  – M = {a_i | i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1

• K = B^R = {b = (b_1, b_2, …, b_R) | b_i ∈ B}
  – B = {b_i | i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1

• C = {c | c = e_k(m), k ∈ K, m ∈ M}

[figure: Sender → Encryption (m → c) → Decryption → Receiver, with the key k delivered over a secure channel and cryptanalysis observing c; labelled Message Space (P), Key Space (K), Ciphertext Space (C)]

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
  – R. G. Gallager

Claude Shannon, 1916–2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k]·Pr[P = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}

• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
  = (Pr(m)·Σ_{k | m = d_k(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k)·Pr(d_k(c)))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?

• Definition: an encryption scheme is Shannon secure if, for the probability distribution of P,
    ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and ∀x ∈ P and ∀y ∈ C there is a unique key k such that e_k(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof (sufficiency)

• Pr[x = x | y = y] = Σ_{k ∈ K, x = d_k(y)} Pr[K = k]·Pr[x = x] / Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = d_k(y)]

• Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|

• Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = d_k(y)] = 1/|K| · Σ_{k ∈ K, y ∈ C(k)} Pr[x = d_k(y)] = 1/|K| · Σ_{x ∈ P} Pr[x = x] = 1/|K|

• Hence Pr[x = x | y = y] = Pr[x = x]

Zhijun Li S1034040Autumn08HIT 76

Proof (necessity, part 1: a unique key)

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]

• Fix x ∈ P, y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y

• |{e_k(x) | k ∈ K}| = |C| = |K|
  – There are no k_1 ≠ k_2 with e_{k_1}(x) = e_{k_2}(x)
  – There is a unique key k such that e_k(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof (necessity, part 2: uniform keys)

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}

• Given a fixed y, assume k_1, k_2, …, k_n where e_{k_i}(x_i) = y

• Pr[x_i | y] = Pr[y | x_i]·Pr[x_i] / Pr[y] = Pr[K = k_i]·Pr[x_i] / Pr[y]

• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
  – Every key is used with equal probability 1/|K|

Zhijun Li S1034040Autumn08HIT 78

"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a nonzero probability distribution on P
  – Given any C = c, for every m, Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
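The Shannon-secrecy definition, the probability formulas for C and the "bad news" bound, exercised on a one-letter shift cipher over Z_26 as an added example (my code, not the lecture's): `has_perfect_secrecy` computes Pr[P = m | C = c] exactly and compares it with Pr[P = m] for every m and every c. The helper names and the weighted sample distributions are my own constructions.

```python
from fractions import Fraction
from itertools import product


def distribution(weights):
    """Turn integer weights {value: weight} into an exact probability distribution (zero weights dropped)."""
    total = sum(weights.values())
    return {v: Fraction(w, total) for v, w in weights.items() if w > 0}


def uniform(values):
    return distribution({v: 1 for v in values})


def shift_encrypt(k, m, n=26):
    """Shift cipher on one letter: e_k(m) = m + k mod n."""
    return (m + k) % n


def joint_distribution(msg_dist, key_dist, enc):
    """Pr[P = m, C = c] = Pr[P = m] · Σ_{k : e_k(m) = c} Pr[K = k], keys independent of messages."""
    joint = {}
    for (m, pm), (k, pk) in product(msg_dist.items(), key_dist.items()):
        c = enc(k, m)
        joint[(m, c)] = joint.get((m, c), Fraction(0)) + pm * pk
    return joint


def ciphertext_distribution(msg_dist, key_dist, enc):
    """Pr[C = c] = Σ_m Pr[P = m, C = c], i.e. the slide's Σ_{k : c ∈ C(k)} Pr[K = k] Pr[d_k(c)]."""
    pc = {}
    for (m, c), p in joint_distribution(msg_dist, key_dist, enc).items():
        pc[c] = pc.get(c, Fraction(0)) + p
    return pc


def has_perfect_secrecy(msg_dist, key_dist, enc):
    """Shannon secure iff Pr[P = m | C = c] = Pr[P = m] for every m and every c with Pr[C = c] > 0."""
    joint = joint_distribution(msg_dist, key_dist, enc)
    for c, pc in ciphertext_distribution(msg_dist, key_dist, enc).items():
        for m, pm in msg_dist.items():
            posterior = joint.get((m, c), Fraction(0)) / pc    # Pr[P = m | C = c]
            if posterior != pm:
                return False
    return True


if __name__ == "__main__":
    msgs = distribution({0: 2, 1: 1, 2: 1})            # skewed plaintext distribution over {0, 1, 2}
    print(has_perfect_secrecy(msgs, uniform(range(26)), shift_encrypt))   # True: uniform keys, |K| = |C|
    print(has_perfect_secrecy(msgs, uniform(range(2)), shift_encrypt))    # False: only 2 keys for 3 plaintexts
    skewed_keys = distribution({k: (25 if k == 0 else 1) for k in range(26)})
    print(has_perfect_secrecy(msgs, skewed_keys, shift_encrypt))          # False: keys not equiprobable
```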

Zhijun Li S1034040Autumn08HIT 79

Introduction to Complexity

• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Zhijun Li S1034040Autumn08HIT 81

Turing Machine

• Definition: a Turing Machine is a transition function S × B → S × B × {l, r}
  – where S is the set of states, B is the set of characters, l is shift left and r is shift right

[figure: tape … 0 1 1 0 0 0 1 1 … read and written by a state machine]

Zhijun Li S1034040Autumn08HIT 82

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: an algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Zhijun Li S1034040Autumn08HIT 83

Problems and Algorithms

[figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]

Zhijun Li S1034040Autumn08HIT 84

Complexity of an Algorithm

• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Zhijun Li S1034040Autumn08HIT 85

Complexity of a Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis

• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problems

• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem

• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: AB
  – NP – can be solved in polynomial time using an NDTM (transition relation S × B → 2^{S × B × {l, r}})
  – BPP – can be "solved" in polynomial time using a PTM (transition function S × B × {0, 1} → S × B × {l, r}; randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problems

• NP ⊇ P; a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", from intuition

• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: assume Q_1, Q_2 ∈ NP, and I_1^+ and I_2^+ are their 'yes' instances.
  Q_1 is polynomially reducible to Q_2 if there is a function f: I_1 → I_2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I_1^+ iff f(x) ∈ I_2^+

• Note
  – Q_2 is more complex than Q_1
  – Denoted as Q_1 ≤_poly Q_2

Zhijun Li S1034040Autumn08HIT 89

NP-Completeness (NPC)

• Definition: an NPC problem is a Q_c such that for any Q ∈ NP we have Q ≤_poly Q_c

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC?
  – SAT ≤_poly Q

Zhijun Li S1034040Autumn08HIT 90

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?

• If P = NP
  – Modern cryptography is NOT secure

• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms

• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: factorize n (= p_1^{e_1}·p_2^{e_2}·…·p_k^{e_k})

• DLP: find x satisfying g^x ≡ y (mod p)

• DHP: find g^{ab} (mod p) from g^a (mod p) and g^b (mod p)

• Subset-Sum: given a set of positive integers A = {a_1, a_2, …, a_n} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying x^2 ≡ a (mod n)

Zhijun Li S1034040Autumn08HIT 93

Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy

• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

    Challenger                               Adversary
    picks random k and
    picks random b ∈ {0, 1}
                                             picks M_0, M_1 of equal length
    [figure: the adversary sends M_0, M_1; the challenger returns the encryption of M_b; the adversary outputs b']

  Attacker wins the game if b = b'

Zhijun Li S1034040Autumn08HIT 95

Bit Security

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

    Challenger                  Adversary
    1. Picks random k
    2. Picks random M
                                3. Picks i
    [figure: the challenger sends the encryption of M; the adversary outputs a guess a for the i'th bit of M]

  Attacker wins the game if a = i'th bit of M

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
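The reduction in the proof above, written out as an added example (my code, not the lecture's): `ind_cpa_from_bit_attacker` turns any bit-security attacker into an IND-CPA attacker by choosing M_0 and M_1 that differ only in bit i, so the recovered bit is exactly b. To have something to run it against, a constructed toy cipher that masks every bit of a byte with a keyed pad except bit 0 is included; the attacker that reads bit 0 wins the IND-CPA game outright, while the same reduction applied to a bit the cipher does mask wins only about half the time. All names here are assumptions of this example.

```python
import hashlib
import secrets


def keystream_byte(key, nonce):
    """Constructed keyed pad for the toy cipher: first byte of SHA-256(key || nonce)."""
    return hashlib.sha256(key + nonce).digest()[0]


def leaky_encrypt(key, m):
    """Toy one-byte cipher, constructed for this example: bits 1..7 of m are XORed with a fresh
    keyed pad, but bit 0 of m is left in the clear (the defect the bit attacker exploits)."""
    nonce = secrets.token_bytes(8)
    return nonce, m ^ (keystream_byte(key, nonce) & 0xFE)


def bit_attacker(ciphertext, i):
    """A bit-security adversary against the toy cipher: reads bit 0 directly, guesses any other bit."""
    _nonce, c = ciphertext
    if i == 0:
        return c & 1
    return secrets.randbelow(2)


def ind_cpa_from_bit_attacker(attacker, i):
    """The slide's reduction. Returns the two halves of an IND-CPA adversary:
    choose() picks M_0, M_1 differing only in bit i, so bit i of M_b equals b;
    guess(C) runs the bit attacker on the challenge and outputs its answer as b'."""
    def choose():
        return 0, 1 << i

    def guess(challenge):
        return attacker(challenge, i)

    return choose, guess


def ind_cpa_game(encrypt, adversary, trials=1000):
    """Play the IND-CPA challenge (eavesdropper variant, no extra encryption queries) `trials`
    times with fresh keys and return the adversary's win rate."""
    choose, guess = adversary
    wins = 0
    for _ in range(trials):
        key = secrets.token_bytes(16)
        b = secrets.randbelow(2)
        m0, m1 = choose()
        challenge = encrypt(key, m1 if b else m0)
        wins += guess(challenge) == b
    return wins / trials


if __name__ == "__main__":
    print(ind_cpa_game(leaky_encrypt, ind_cpa_from_bit_attacker(bit_attacker, 0)))   # 1.0: bit 0 leaks
    print(ind_cpa_game(leaky_encrypt, ind_cpa_from_bit_attacker(bit_attacker, 3)))   # about 0.5
```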

Zhijun Li S1034040Autumn08HIT 97

Summary

• Number Theory
  – Prime, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Z_n, Z_p, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

• HTTP URL
  http://cst.hit.edu.cn/cryptography

• Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 13

Euclidean Algorithm Proof

bull rn = 0 rn-1| rn-2

rn-1| rn-3 hellip rn-1| a and rn-1| b

rn-1| gcd(ab)

bull gcd(ab)| r0 and gcd(ab)|r1

gcd(ab) | r0 ndash q1r1 gcd(ab)| r2

hellip gcd(ab) | rn-1

bull rn-1| gcd(ab) gcd(ab) | rn-1 gcd(ab) = rn-1

Zhijun Li S1034040Autumn08HIT 14

Euclidean Algorithm Complexity

bull Time Complexityndash Iteration

bull Each rigt1 iteration = O(log2a)

ndash Division

bull O(log22a)

ndash T(n)=O(log32n)

Zhijun Li S1034040Autumn08HIT 15

Modular Arithmetic

bull Why modular arithmetic

01100hellip0100

Plaintext 2n

11010hellip0111

Ciphertext 2n

+ addition multiplication

Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite

Zhijun Li S1034040Autumn08HIT 16

Modular Operation

bull Definition a mod n(modulo operator) is the remainder when a is divided by n

bull a mod n is r a=qn+r (0ltrltn)

Zhijun Li S1034040Autumn08HIT 17

Congruence Modulo n

bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)

Zhijun Li S1034040Autumn08HIT 18

Congruence Properties

bull Propertiesndash a b (mod n) c d (mod n)

a+c b+d (mod n)

ac bd (mod n)ndash Example

10 1 mod 9 102 1 mod 9 hellip

a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9

ndash a b (mod n) d|n a b (mod d)

Zhijun Li S1034040Autumn08HIT 19

Congruence Relation

bull Congruence relation is an equivalence relationndash Reflexive

bull a andash Symmetric

bull a b b a ndash Transitive

bull a b b c a c

bull Equivalence relation Partition

Zhijun Li S1034040Autumn08HIT 20

Example Integers Modulo 7

bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence

Z7 residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

bull Definition if a b mod n and bltn b is called a residue of a modulo n

bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i

n the set satisfies bri mod n

bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele

ment is relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues Example

bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379

bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1

bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n

bull Proof Let a=q1n+r1 b=q2n+r2

bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n

ndash [(a mod n) (b mod n)] mod n = (ab) mod n

bull (+ ) (-)

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)

What

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )

NOT all elements in Z8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n

bull ((-a)+a+b) ((-a)+a+c) mod n

bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8

ndash When

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n

bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists

bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=

0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Euler's Theorem

• Theorem: If $\gcd(a,n)=1$ then $a^{\varphi(n)} \equiv 1 \pmod n$

• Proof:
1. Let $R = \{r_1, r_2, \dots, r_{\varphi(n)}\}$ be the reduced set of residues modulo n
2. $\{a r_1, a r_2, \dots, a r_{\varphi(n)}\}$ is a permutation of R (since $\gcd(a r_i, n) = 1$)
3. $\prod_{i=1}^{\varphi(n)} r_i \equiv \prod_{i=1}^{\varphi(n)} a r_i \equiv a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} r_i \pmod n$
4. $\gcd\left(\prod_{i=1}^{\varphi(n)} r_i, n\right) = 1$, so the product can be cancelled. Hence $a^{\varphi(n)} \equiv 1 \pmod n$

Fermat's Little Theorem

• From Euler's Theorem: let n = p with p a prime

• Because $\gcd(a, p) = 1$ for all $0 < a < p$, and $\varphi(p) = p - 1$, then

$a^{p-1} \equiv 1 \pmod p$
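The following is an added example, not part of the original lecture slides: it computes $\varphi(n)$ from the prime factorisation exactly as on the slides above, checks it against the definition (size of the reduced set of residues), verifies Euler's theorem and Fermat's little theorem on concrete numbers, and uses $a^{\varphi(n)-1} \bmod n$ to obtain an inverse. Function names (`factorize`, `phi`, `euler_holds`, `fermat_witness`) are my own; trial division is only meant for small n.

```python
# Added example (not from the original slides): Euler's phi from the prime
# factorisation, Euler's theorem a^phi(n) = 1 (mod n), Fermat's little theorem
# as the prime case, and the inverse a^{phi(n)-1} mod n that both give.
from math import gcd


def factorize(n: int) -> dict:
    """Trial-division factorisation n = prod p_i^e_i (fine for small n)."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n: int) -> int:
    """phi(n) = prod (p^e - p^{e-1}) over the factorisation of n."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def phi_by_counting(n: int) -> int:
    """Definition: size of the reduced set of residues modulo n."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def euler_holds(a: int, n: int) -> bool:
    """Euler's theorem: a^phi(n) = 1 (mod n) whenever gcd(a, n) = 1."""
    return gcd(a, n) == 1 and pow(a, phi(n), n) == 1


def inverse_by_euler(a: int, n: int) -> int:
    """a^{-1} = a^{phi(n)-1} mod n (needs phi(n), i.e. the factorisation of n)."""
    if gcd(a, n) != 1:
        raise ValueError("no inverse: gcd(a, n) != 1")
    return pow(a, phi(n) - 1, n)


def fermat_witness(n: int, a: int) -> bool:
    """Fermat check a^{n-1} = 1 (mod n). True for every prime n and 0 < a < n;
    a False result proves n composite (a True result does not prove primality)."""
    return pow(a, n - 1, n) == 1


if __name__ == "__main__":
    print(phi(360), phi_by_counting(360))   # 96 96  (360 = 2^3 * 3^2 * 5)
    print(euler_holds(7, 360))              # True
    print(inverse_by_euler(7, 360))         # 103, since 7*103 = 721 = 2*360 + 1
    print(fermat_witness(97, 5))            # True  (97 is prime)
    print(fermat_witness(91, 2))            # False (91 = 7 * 13)
```

Note the asymmetry the slides point at: the inverse via Euler's theorem needs $\varphi(n)$, which for a general n means factoring n, whereas the extended Euclidean algorithm needs only a and n.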

Finding $a^{-1} \bmod n$

• Search through $1, \dots, n-1$ until an $a^{-1}$ is found such that $a \cdot a^{-1} \equiv 1 \pmod n$
– $T(n) = O(n)$

• Compute $a^{-1} = a^{\varphi(n) - 1} \bmod n$
– Finding $\varphi(n)$ requires factoring n
– $T(n) = O(n^a)$ (exponential in the bit length of n)

• Use the Extended Euclidean Algorithm
– $T(n) = O(\log^a n)$ (polynomial in the bit length of n)

From Euclidean Algorithm

• $r_0 = 1 \cdot r_0 + 0 \cdot r_1 = s_0 r_0 + t_0 r_1$

• $r_1 = 0 \cdot r_0 + 1 \cdot r_1 = s_1 r_0 + t_1 r_1$

• $r_2 = r_0 - q_1 r_1 = s_2 r_0 + t_2 r_1$

• $r_3 = r_1 - q_2 r_2 = r_1 - q_2 (r_0 - q_1 r_1) = s_3 r_0 + t_3 r_1$

……

• $r_{n-1} = s_{n-1} r_0 + t_{n-1} r_1$

• $r_{n-1} = \gcd(r_0, r_1)$

• If $s_{n-1} r_0 + t_{n-1} r_1 = 1$ then $t_{n-1} r_1 \equiv 1 \pmod{r_0}$, i.e. $t_{n-1} \equiv r_1^{-1} \pmod{r_0}$

• So: find $t_{n-1}$

$s_i$ and $t_i$

• $r_0 = s_0 r_0 + t_0 r_1$, with $s_0 = 1$, $t_0 = 0$
• $r_1 = s_1 r_0 + t_1 r_1$, with $s_1 = 0$, $t_1 = 1$
……
• $r_i = r_{i-2} - q_{i-1} r_{i-1} = s_{i-2} r_0 + t_{i-2} r_1 - q_{i-1} s_{i-1} r_0 - q_{i-1} t_{i-1} r_1 = s_i r_0 + t_i r_1$

$s_i = s_{i-2} - q_{i-1} s_{i-1}$

$t_i = t_{i-2} - q_{i-1} t_{i-1}$

• Only $t_i$ is needed: $r_i = s_i r_0 + t_i r_1 \equiv t_i r_1 \pmod{r_0}$

Extended Euclidean Algorithm

Step 1: $r_0 = n$ and $r_1 = a$

Step 2: $r_0 = q_1 r_1 + r_2$, $r_2 = r_0 - q_1 r_1 \equiv -q_1 r_1 \pmod n$; let $x_2 = -q_1$, then $r_2 \equiv x_2 r_1 \pmod n$

$r_1 = q_2 r_2 + r_3$, $r_3 = r_1 - q_2 r_2 \equiv (1 - x_2 q_2) r_1 \pmod n$; let $x_3 = 1 - x_2 q_2$, then $r_3 \equiv x_3 r_1 \pmod n$

……

$r_{n-3} = q_{n-2} r_{n-2} + r_{n-1}$, $r_{n-1} = r_{n-3} - q_{n-2} r_{n-2} \pmod n$; let $x_{n-1} = x_{n-3} - x_{n-2} q_{n-2}$, then $r_{n-1} \equiv x_{n-1} r_1 \pmod n$. Now $r_{n-1} = 1$

Step 3: Result is $x_{n-1} = a^{-1} \bmod n$ (the coefficient of $r_1 = a$ in the last line, since $x_{n-1} a \equiv r_{n-1} = 1 \pmod n$)
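An added example, not from the original slides, that implements the $s_i, t_i$ recurrence above as an extended Euclidean algorithm, derives a modular inverse from it, and then uses that inverse for the CRT reconstruction $x = \sum_i a_i m_i y_i \bmod n$ from the CRT proof earlier in this chapter. Function names (`egcd`, `modinv`, `crt`, `is_bijective`) and the sample instances are my own.

```python
# Added example (not from the original lecture slides): the extended Euclidean
# algorithm as the s_i / t_i recurrence, a modular inverse built on it, and the
# CRT reconstruction  x = sum_i a_i * m_i * y_i  mod n  from the proof of CRT.
from math import prod


def egcd(r0: int, r1: int):
    """Return (g, s, t) with g = gcd(r0, r1) = s*r0 + t*r1.

    Iterates r_i = r_{i-2} - q_{i-1} r_{i-1} together with
    s_i = s_{i-2} - q_{i-1} s_{i-1} and t_i = t_{i-2} - q_{i-1} t_{i-1}.
    """
    s_prev, t_prev = 1, 0   # s_0, t_0 : r_0 = 1*r0 + 0*r1
    s_cur, t_cur = 0, 1     # s_1, t_1 : r_1 = 0*r0 + 1*r1
    while r1 != 0:
        q, r = divmod(r0, r1)
        r0, r1 = r1, r
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    return r0, s_prev, t_prev


def modinv(a: int, n: int) -> int:
    """a^{-1} mod n via egcd with r_0 = n, r_1 = a; raises if gcd(a, n) != 1."""
    g, _, t = egcd(n, a)       # g = s*n + t*a, so t*a = g (mod n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {g}")
    return t % n


def crt(residues, moduli) -> int:
    """Solve x = a_i (mod n_i) for pairwise coprime n_i; returns x mod prod(n_i)."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if egcd(moduli[i], moduli[j])[0] != 1:
                raise ValueError("moduli must be pairwise coprime")
    n = prod(moduli)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i               # m_i = n / n_i, gcd(m_i, n_i) = 1
        y_i = modinv(m_i, n_i)       # y_i = m_i^{-1} mod n_i
        x += a_i * m_i * y_i
    return x % n


def is_bijective(moduli) -> bool:
    """Check the map x -> (x mod n_1, ..., x mod n_k) is one-to-one on Z_n."""
    n = prod(moduli)
    images = {tuple(x % n_i for n_i in moduli) for x in range(n)}
    return len(images) == n


if __name__ == "__main__":
    print(egcd(240, 46))              # (2, -9, 47): -9*240 + 47*46 = 2
    print(modinv(3, 11))              # 4, since 3*4 = 12 = 1 (mod 11)
    print(crt([2, 3, 2], [3, 5, 7]))  # 23: the classic Sun Tzu instance
    print(is_bijective([3, 5, 7]))    # True, so the CRT solution is unique mod 105
```

The `modinv` call passes `(n, a)` in that order so that the returned `t` is the coefficient of a, matching Step 3 of the slide; a negative `t` is normalised with `% n`.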

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Algebraic Structures

• Why structures?
– Cryptographic transforms normally live in some algebraic structure

• Definition: an algebraic structure is a set S together with one or more operations ($\ast$) performed on the elements of S
– Different algebraic structures are $\langle S, \ast \rangle$ satisfying some specific conditions

Group

• Definition: A group $G = \langle S, \ast \rangle$ is an algebraic structure that satisfies the following conditions
– G1: $\forall a, b \in S$: $a \ast b \in S$ (closure rule)
– G2: $\forall a, b, c \in S$: $(a \ast b) \ast c = a \ast (b \ast c)$
– G3: $\exists e \in S$ such that $\forall a \in S$: $a \ast e = e \ast a = a$
– G4: $\forall a \in S$, $\exists a^{-1} \in S$: $a \ast a^{-1} = a^{-1} \ast a = e$
– [G5, Abelian group]: $\forall a, b \in S$: $a \ast b = b \ast a$

Group Example

• $\langle \mathbb{Z}, + \rangle$: $e = 0$, $a^{-1} = -a$

• $\langle \mathbb{Z}_n, + \rangle$ ($\mathbb{Z}_n = \{0, 1, \dots, n-1\}$, '+' is addition modulo n): $e = 0$, $a^{-1} = n - a$

• $\langle \mathbb{Z}_2, \oplus \rangle$ (exclusive or, i.e. addition modulo 2) is also a group

• $\langle \mathbb{Z}_p^*, \cdot \rangle$ ($\mathbb{Z}_p^* = \{1, \dots, p-1\}$, '$\cdot$' is multiplication modulo p)

Group Properties

• Definition: The order of a finite group is the number of elements in the group

• Definition: A group $G_1 = \langle S_1, \ast \rangle$ is a subgroup of the group $G = \langle S, \ast \rangle$ if $S_1 \subseteq S$

• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange Theorem Proof

(1) Definition of coset: Let G be a group and H a subgroup of G; for $a \in G$ the set $aH = \{ah \mid h \in H\}$ is called a (left) coset of H

(2) $\forall a, b \in G$: $aH = bH$ or $aH \cap bH = \emptyset$

(3) Each element of G is in some coset ($a \in aH$ because $e \in H$), so the cosets form a partition of G

(4) The order of aH equals the order of H (the map $h \mapsto ah$ is a bijection)

So the order of H divides the order of G

The Order of a Group Element

• Definition: The order of a group element a is the least positive integer n such that
$a^n = a \ast a \ast \cdots \ast a = e$

• The order of a is denoted $\mathrm{ord}(a)$

• Corollary: Suppose G is a finite group whose order is n and $a \in G$; then $\mathrm{ord}(a) \mid n$

$\mathrm{ord}(a) \mid n$ Proof

• Proof:
– For a group G and $a \in G$, the set $\{a, a^2, \dots, a^{\mathrm{ord}(a)}\}$ with the operator of G forms a subgroup of G:
  $a^{\mathrm{ord}(a)} = e$, $(a^i)^{-1} = a^{\mathrm{ord}(a) - i}$
– This subgroup is denoted $\langle a \rangle$; its order is $\mathrm{ord}(a)$, so by Lagrange's theorem $\mathrm{ord}(a) \mid n$

The Generator of a Group

• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group

• Example: consider $\langle \mathbb{Z}_7^*, \cdot \rangle$
– 2 generates $2^1 = 2$, $2^2 = 4$, $2^3 = 8 \equiv 1 \pmod 7$, $2^4 = 16 \equiv 2 \pmod 7$, …
  • $\langle 2 \rangle = \{1, 2, 4\}$, a subgroup of order 3
– 3 generates $3^1 = 3$, $3^2 \equiv 2$, $3^3 \equiv 6$, $3^4 \equiv 4$, $3^5 \equiv 5$, $3^6 \equiv 1 \pmod 7$, …
  • 3 is a generator
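An added example, not part of the original slides, that computes element orders, the cyclic subgroup $\langle a \rangle$ and the generators of $\langle \mathbb{Z}_p^*, \cdot \rangle$ for any prime p, and checks the corollary $\mathrm{ord}(a) \mid p-1$ over the whole group; it generalises the $\mathbb{Z}_7^*$ example above. Names such as `element_order` and `generators` are my own.

```python
# Added example (not from the original slides): element orders, the cyclic
# subgroup <a>, Lagrange's corollary ord(a) | p-1, and generators of <Z_p^*, *>.
from math import gcd


def element_order(a: int, p: int) -> int:
    """Least k >= 1 with a^k = 1 (mod p); requires 0 < a < p and p prime."""
    k, x = 1, a % p
    while x != 1:
        x = x * a % p
        k += 1
    return k


def generated_subgroup(a: int, p: int) -> list:
    """<a> = [a, a^2, ..., a^ord(a)] in the order the slide lists them (ends with e = 1)."""
    out, x = [], 1
    for _ in range(element_order(a, p)):
        x = x * a % p
        out.append(x)
    return out


def generators(p: int) -> list:
    """All g in Z_p^* with ord(g) = p - 1, i.e. <g> is the whole group."""
    return [g for g in range(1, p) if element_order(g, p) == p - 1]


def lagrange_holds(p: int) -> bool:
    """ord(a) divides |Z_p^*| = p - 1 for every a (corollary of Lagrange)."""
    return all((p - 1) % element_order(a, p) == 0 for a in range(1, p))


def generator_count_matches_phi(p: int) -> bool:
    """A cyclic group of order p-1 has exactly phi(p-1) generators."""
    phi_p_minus_1 = sum(1 for x in range(1, p - 1) if gcd(x, p - 1) == 1)
    return len(generators(p)) == phi_p_minus_1


if __name__ == "__main__":
    p = 7
    print(generated_subgroup(2, p))   # [2, 4, 1]          -> subgroup {1, 2, 4}
    print(generated_subgroup(3, p))   # [3, 2, 6, 4, 5, 1] -> all of Z_7^*
    print(generators(p))              # [3, 5]
    print(lagrange_holds(p))          # True
    print(generator_count_matches_phi(p))   # True: phi(6) = 2
```

In cryptographic use (Diffie-Hellman, DSA) one wants a generator of a large prime-order subgroup rather than of all of $\mathbb{Z}_p^*$; the same `element_order` idea, done with exponentiation by the factors of $p-1$ instead of brute force, is how such a generator is verified.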

Ring

• Definition: A ring $R = \langle S, +, \cdot \rangle$ (+ is addition, $\cdot$ is multiplication) such that
– R1: $\forall a, b \in S$: $a + b \in S$, $a \cdot b \in S$ (closure rule)
– R2: $\langle S, + \rangle$ is an additive Abelian group
– R3: $\forall a, b, c \in S$: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
– R4: $\forall a, b, c \in S$: $a \cdot (b + c) = a \cdot b + a \cdot c$ (and $(b + c) \cdot a = b \cdot a + c \cdot a$)

• Example
– The set of even integers with + and $\cdot$ is a ring (without a multiplicative identity)
– p, q two primes, n = pq: $\mathbb{Z}_n = \{0, 1, \dots, n-1\}$ with addition and multiplication mod n is a ring

Field

• Definition: A field F is $\langle S, +, \cdot \rangle$ with
– F1: $\langle S, +, \cdot \rangle$ is a commutative ring ($a \cdot b = b \cdot a$)
– F2: there exists an identity element 1 with respect to multiplication: $a \cdot 1 = 1 \cdot a = a$
– F3: every nonzero element $a \in S$ has a unique inverse $a^{-1}$: $a \cdot a^{-1} = a^{-1} \cdot a = 1$

• Example
– $\mathbb{Z}_n = \langle \{0, 1, \dots, n-1\}, +, \cdot \rangle$ is a field if and only if n is a prime

Relationship

Group: $+$, $-$
Ring: $+$, $-$, $\times$
Field: $+$, $-$, $\times$, $\div$

All three are used in cryptography

Several Important Structures

• $\mathbb{Z}_n$

• $\mathbb{Z}_n^*$

• $\mathbb{Z}_p$

• Polynomial rings

• Galois field $F_{2^n}$

$\mathbb{Z}_n$

• $\mathbb{Z}_n$ is the "ring" of integers modulo n
– $\mathbb{Z}_n = \{0, 1, 2, \dots, n-1\}$
– Normal addition modulo n
– Normal multiplication modulo n

• Example
– $\mathbb{Z}_{26}$ for English letters
– $\mathbb{Z}_{256}$ for bytes (ASCII)

$\mathbb{Z}_n$ Properties

• Additive and multiplicative identities in $\mathbb{Z}_n$
– Additive identity is 0 mod n
– Multiplicative identity is 1 mod n

• Additive inverse: exists for every x
– A number y such that $x + y \equiv 0 \pmod n$

• Multiplicative inverse: not for every x
– A number y such that $x \cdot y \equiv 1 \pmod n$
– The elements of $\mathbb{Z}_n$ that have an inverse are exactly $\{x \mid \gcd(x, n) = 1\}$

$\mathbb{Z}_n^*$

• $\mathbb{Z}_n^*$ is a "group" of integers modulo n
– $\mathbb{Z}_n^* = \{x \in \mathbb{Z}_n \mid \gcd(x, n) = 1\}$
– $|\mathbb{Z}_n^*| = \varphi(n)$
– Normal multiplication modulo n

• $\mathbb{Z}_n^*$ is in general not a group under +
– Example: n = 20, $3, 5 \in \mathbb{Z}_{20}^*$ but $3 + 5 = 8 \notin \mathbb{Z}_{20}^*$

• So $\mathbb{Z}_n^*$ is in general not a field

$\mathbb{Z}_p$

• $\mathbb{Z}_p$ is the "field" of integers modulo a prime p
– $\mathbb{Z}_p = \{0, 1, 2, \dots, p-1\}$
– Normal addition modulo p
– Normal multiplication modulo p

• Example: $\mathbb{Z}_2$

  + | 0 1        · | 0 1        w | −w | w⁻¹
  --+----        --+----        --+----+----
  0 | 0 1        0 | 0 0        0 |  0 | (none)
  1 | 1 0        1 | 0 1        1 |  1 | 1

  (+ is XOR, · is AND)

Polynomial Ring

• Definition: If R is a commutative ring then a polynomial in x over the ring R is an expression of the form $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$ where each $a_i \in R$ and $n \ge 0$

• Note: If R is a commutative ring, the polynomial ring $R[x]$ is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: Let $f(x) = x^3 + x + 1$ and $g(x) = x^2 + x$ be elements of $\mathbb{Z}_2[x]$
– $f(x) + g(x) = x^3 + x^2 + 1$
– $f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1$ (in $\mathbb{Z}_2$, $-1 = 1$)
– $f(x) \cdot g(x) = x^5 + x^4 + x^3 + x$

Set of Residues Modulo p(x)

• Definition: the set of residues modulo p(x) of $R[x]$ is the set $R[x] \bmod p(x)$
– p(x) is an irreducible polynomial over R

• The set of residues modulo p(x) of $R[x]$ is denoted $R[x]/(p(x))$

Congruent Polynomials

• Definition: a(x) and b(x) are congruent modulo p(x), written $a(x) \equiv b(x) \pmod{p(x)}$, iff $p(x) \mid (a(x) - b(x))$

• Example
– In $\mathbb{Z}_5[x]$: $3x^3 + 4x + 4 \equiv x + 4 \pmod{x^2 + 1}$
  • $3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)$

• Definition: If $a(x) \cdot b(x) \equiv 1 \pmod{p(x)}$ then $b(x) = a^{-1}(x) \bmod p(x)$

Irreducible Polynomials

• Definition: if $a(x) = q(x) \cdot b(x)$ then a(x) is divisible by b(x), denoted $b(x) \mid a(x)$

• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial $b(x) \in R[x]$ with $0 < \deg b(x) < \deg a(x)$ and $b(x) \mid a(x)$ (constants and a(x) itself always divide a(x), so they do not count)

Example: $\mathbb{Z}_2[x]/(x^3 + x + 1)$

• $S = \{0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1\}$
• $p(x) = x^3 + x + 1$

• For any $f(x) \in \mathbb{Z}_2[x]$: $f(x) \bmod p(x) \in S$

• Example
– $x^4 + 1 = x \cdot x^3 + 1 \equiv x(x + 1) + 1 = x^2 + x + 1 \pmod{p(x)}$, using $x^3 \equiv x + 1$

• Note: $R[x]/(p(x))$, when p(x) is irreducible, is the set of all polynomials $f(x) \in R[x]$ with $\deg f(x) < \deg p(x)$, with addition and multiplication mod p(x)

$\mathbb{Z}_2[x]/(x^3 + x + 1)$ Properties

• S is a group over addition in R
– 0 is e and the inverse of $a \in S$ is a itself
– Example: $(x^2 + 1) + (x^2 + 1) = 0$

• $S \setminus \{0\}$ is a group over multiplication mod p(x)
– 1 is e and every nonzero $a \in S$ has an inverse
– Example: $(x^2 + 1) \cdot x = x^3 + x \equiv (x + 1) + x = 1 \pmod{x^3 + x + 1}$
– Note: the Extended Euclidean Algorithm (over polynomials) can be used to find inverses

• $\mathbb{Z}_2[x]/(x^3 + x + 1)$ is a field

Galois Field

• Definition: Galois field $= (S, +, \cdot)$
– $S = F[x]/(p(x))$
– F is a field $\mathbb{Z}_N$ (N prime)
– + is addition in $F[x]$; $\cdot$ is multiplication modulo p(x)
– p(x) is irreducible over F

• The Galois field $\mathbb{Z}_N[x]/(p(x))$ is denoted $GF(N^n)$ where $n = \deg p(x)$

Why Galois Field

• For an 8-bit block
– $\mathbb{Z}_{256} = \{0, 1, \dots, 255\}$ is not a field
– $\mathbb{Z}_{251} = \{0, 1, \dots, 250\}$ is a field
  • The largest prime $< 256$ is 251
  • 251, …, 255 are wasted (not representable)

• Is it possible to find a field with exactly 256 elements?
– Yes: a Galois field

Galois Field for 8-bit Blocks

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block

$10010111 \leftrightarrow 1 \cdot x^7 + 0 \cdot x^6 + 0 \cdot x^5 + 1 \cdot x^4 + 0 \cdot x^3 + 1 \cdot x^2 + 1 \cdot x^1 + 1 \cdot x^0$

• It is $\mathbb{Z}_2[x]/(p(x))$ where $\deg p(x) = 8$

• Note: many cryptographic designs use binary Galois fields $GF(2^n)$

Galois Field Example: AES

• AES uses $GF(2^8) = \mathbb{Z}_2[x]/(p(x))$ where $p(x) = x^8 + x^4 + x^3 + x + 1$

• Example
– $01010011 \leftrightarrow x^6 + x^4 + x + 1$
– $(01010011)^{-1} \leftrightarrow (x^6 + x^4 + x + 1)^{-1} \bmod p(x) = x^7 + x^6 + x^3 + x \leftrightarrow 11001010$

Galois Field Example: AES

• Example: $02 \cdot 87$
• $87 = 10000111 \leftrightarrow f(x) = x^7 + x^2 + x + 1$
• $02 = 00000010 \leftrightarrow x$
• $02 \cdot 87 \leftrightarrow x \cdot f(x) = x(x^7 + x^2 + x + 1) \bmod p(x) = x^8 + x(x^2 + x + 1) \bmod p(x)$
  $= (x^4 + x^3 + x + 1) + (x^3 + x^2 + x) = x^4 + x^2 + 1 \leftrightarrow 00010101 = 15$, using $x^8 \equiv x^4 + x^3 + x + 1 \pmod{p(x)}$

• In general, for a byte $b = b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$:
  $x \cdot f(x)$ (i.e. $02 \cdot b$) $= (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)$ if $b_7 = 0$
  $x \cdot f(x) = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus (00011011)$ if $b_7 = 1$
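An added example, not from the original slides, implementing arithmetic in $GF(2^n) = \mathbb{Z}_2[x]/(p(x))$ with polynomials stored as integers (bit i is the coefficient of $x^i$). It reproduces the $\mathbb{Z}_2[x]/(x^3+x+1)$ examples above, the two AES $GF(2^8)$ examples (the inverse of $01010011$ and $02 \cdot 87$), and shows what goes wrong when p(x) is reducible. Function names (`gf_mul`, `gf_inv`, `xtime`, `is_field`) are my own; the AES reduction polynomial 0x11B is the one stated on the slide.

```python
# Added example (not from the original slides): arithmetic in GF(2^n) =
# Z_2[x]/(p(x)) with polynomials held as integers (bit i = coefficient of x^i).
# Covers the Z_2[x]/(x^3+x+1) example and the two AES GF(2^8) examples.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def gf_reduce(a: int, poly: int) -> int:
    """a(x) mod p(x): long division over Z_2 (subtraction is XOR)."""
    deg = poly.bit_length() - 1
    while a.bit_length() - 1 >= deg:
        a ^= poly << (a.bit_length() - 1 - deg)
    return a


def gf_mul(a: int, b: int, poly: int) -> int:
    """a(x) * b(x) mod p(x) by shift-and-add; each shift that produces x^deg
    is reduced at once, so intermediate values stay below 2^deg."""
    deg = poly.bit_length() - 1
    a, b = gf_reduce(a, poly), gf_reduce(b, poly)
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1                        # a(x) * x
        if (a >> deg) & 1:             # x^deg appeared: subtract p(x)
            a ^= poly
    return result


def xtime(b: int) -> int:
    """AES 'xtime': 02 * b in GF(2^8) as on the slide: shift left, then XOR
    0x1B (x^4+x^3+x+1) if b7 was set."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gf_inv(a: int, poly: int) -> int:
    """a^{-1} = a^(2^n - 2) mod p(x): the nonzero elements form a group of
    order 2^n - 1, so a^(2^n - 1) = 1 (Lagrange). 0 has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^n)")
    n = poly.bit_length() - 1
    e, result, base = (1 << n) - 2, 1, a
    while e:                           # square-and-multiply
        if e & 1:
            result = gf_mul(result, base, poly)
        base = gf_mul(base, base, poly)
        e >>= 1
    return result


def is_field(poly: int) -> bool:
    """Z_2[x]/(p(x)) is a field iff every nonzero element has an inverse;
    for a reducible p(x) the zero divisors make a * gf_inv(a) != 1."""
    n = poly.bit_length() - 1
    return all(gf_mul(a, gf_inv(a, poly), poly) == 1 for a in range(1, 1 << n))


if __name__ == "__main__":
    p3 = 0b1011                                   # x^3 + x + 1
    print(gf_reduce(0b10001, p3))                 # 7 = x^2+x+1: x^4+1 mod p(x)
    print(gf_mul(0b101, 0b010, p3))               # 1: (x^2+1) * x = 1 mod p(x)
    print(is_field(p3), is_field(0b1001))         # True False (x^3+1 is reducible)
    print(hex(gf_inv(0x53, AES_POLY)))            # 0xca: the slide's inverse example
    print(hex(gf_mul(0x02, 0x87, AES_POLY)), hex(xtime(0x87)))   # 0x15 0x15
```

`is_field` is a brute-force sanity check that only makes sense for small n; for a real implementation the irreducibility of p(x) is established once (AES fixes it) and never re-tested at run time.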

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Mathematical Model for Ciphers

• Message space $P = M^L = \{m = (m_1, m_2, \dots, m_L) \mid m_i \in M\}$
– $M = \{a_i \mid i = 1, 2, \dots, N\}$, $p(a_i) \ge 0$, $\sum_{i=1}^{N} p(a_i) = 1$

• Key space $K = B^R = \{b = (b_1, b_2, \dots, b_R) \mid b_i \in B\}$
– $B = \{b_i \mid i = 1, 2, \dots, S\}$, $p(b_i) \ge 0$, $\sum_{i=1}^{S} p(b_i) = 1$

• Ciphertext space $C = \{c \mid c = e_k(m), k \in K, m \in P\}$

[Figure: Sender → Encryption (m → c) → Decryption → Receiver; the key k reaches both ends over a secure channel; cryptanalysis observes c. Labels: Message Space (P), Key Space (K), Ciphertext Space (C)]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
R. G. Gallager

Claude Shannon, 1916–2001

Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\; c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]$
– $C(k) = \{e_k(m) \mid m \in P\}$

• $\Pr[C = c \mid P = m] = \sum_{k \in K,\; m = d_k(c)} \Pr[K = k]$

• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \cdot \Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m) \sum_{k \mid m = d_k(c)} \Pr(k)}{\sum_{k \in K,\; c \in C(k)} \Pr(k) \Pr(d_k(c))}$

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
– How to define the "information"?

• Definition: An encryption scheme is Shannon secure if the probability distribution of P is unchanged by observing C:
  $\forall c, m$: $\Pr[P = m] = \Pr[P = m \mid C = c]$
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where $|K| = |P| = |C|$

• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability $1/|K|$, and
– for every $x \in P$ and $y \in C$ there is a unique key k such that $e_k(x) = y$

Proof of $\Leftarrow$ (the two conditions imply perfect secrecy)

• $\Pr[x \mid y] = \dfrac{\sum_{k \in K,\; x = d_k(y)} \Pr[K = k] \cdot \Pr[x]}{\sum_{k \in K,\; y \in C(k)} \Pr[K = k] \cdot \Pr[d_k(y)]}$

• Numerator: exactly one key k has $d_k(y) = x$, and $\Pr[K = k] = 1/|K|$, so $\sum_{k \in K,\; x = d_k(y)} \Pr[K = k] = 1/|K|$

• Denominator: $\sum_{k \in K,\; y \in C(k)} \Pr[K = k] \cdot \Pr[d_k(y)] = \frac{1}{|K|} \sum_{k \in K,\; y \in C(k)} \Pr[d_k(y)] = \frac{1}{|K|} \sum_{x \in P} \Pr[x] = \frac{1}{|K|}$ (as k runs over K, $d_k(y)$ runs over every x exactly once)

• Hence $\Pr[x \mid y] = \Pr[x]$

Proof of $\Rightarrow$ (perfect secrecy implies a unique key)

• Assume $\Pr[y] > 0$ for every $y \in C$
• Perfect secrecy $\Pr[x \mid y] = \Pr[x]$ is, by Bayes' rule, equivalent to $\Pr[y \mid x] = \Pr[y]$

• Fix $x \in P$. For every $y \in C$ we have $\Pr[y \mid x] = \Pr[y] > 0$, thus at least one key k satisfies $e_k(x) = y$

• $|\{e_k(x) \mid k \in K\}| = |C| = |K|$
– So there are no $k_1 \ne k_2$ with $e_{k_1}(x) = e_{k_2}(x)$
– There is a unique key k such that $e_k(x) = y$

Proof of $\Rightarrow$ (perfect secrecy implies equiprobable keys)

• Let $n = |K|$ and $P = \{x_i \mid 1 \le i \le n\}$

• Given a fixed y, name the keys $k_1, k_2, \dots, k_n$ so that $e_{k_i}(x_i) = y$ (possible by the unique-key property just shown)

• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i] \Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i] \Pr[x_i]}{\Pr[y]}$

• $\Pr[x_i \mid y] = \Pr[x_i]$ implies $\Pr[K = k_i] = \Pr[y]$ for every i
– Every key is used with equal probability $1/|K|$

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has $|K| \ge n$

• Proof:
– Consider a probability distribution on P that is nonzero for every message
– Given any $C = c$ with $\Pr[C = c] > 0$, for every m: $\Pr[P = m \mid C = c] = \Pr[P = m] > 0$, thus there must exist a key that decrypts c into m
– As one key decrypts c into only one message, at least n keys are needed
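An added example, not part of the original slides, that checks Shannon's definition directly: it enumerates every (plaintext, key) pair of a toy cipher with exact rational arithmetic, builds $\Pr[P = m \mid C = c]$ by the formula on the "Probability Distribution of C" slide, and compares it with $\Pr[P = m]$. The three cases correspond to the theorem above and the "bad news" theorem: uniform keys with $|K| = |P|$ pass; a biased key distribution fails; a key space smaller than the message space fails. The cipher, the distributions and the function names are my own constructions.

```python
# Added example (not from the original slides): an exhaustive check of perfect
# secrecy, Pr[P=m | C=c] = Pr[P=m] for all m and c, on a toy cipher, using
# exact rational arithmetic over every (plaintext, key) pair.
from fractions import Fraction
from itertools import product


def posterior_table(enc, P, K, pr_P, pr_K) -> dict:
    """{(m, c): Pr[P=m | C=c]} for every m in P and every c with Pr[C=c] > 0.

    Pr[C=c] = sum over (m, k) with e_k(m) = c of Pr[P=m] Pr[K=k], which is the
    formula on the 'Probability Distribution of C' slide.
    """
    pr_C, joint = {}, {}
    for m, k in product(P, K):
        c, w = enc(k, m), pr_P[m] * pr_K[k]
        pr_C[c] = pr_C.get(c, 0) + w
        joint[(m, c)] = joint.get((m, c), 0) + w
    return {(m, c): joint.get((m, c), Fraction(0)) / pr_C[c]
            for m in P for c in pr_C}


def is_perfectly_secret(enc, P, K, pr_P, pr_K) -> bool:
    """Shannon's definition: seeing c never changes the distribution of P."""
    post = posterior_table(enc, P, K, pr_P, pr_K)
    return all(post[(m, c)] == pr_P[m] for (m, c) in post)


def uniform(xs) -> dict:
    return {x: Fraction(1, len(xs)) for x in xs}


# Toy one-time pad on 3-bit words (constructed): |K| = |P| = |C| = 8.
P3 = K3 = list(range(8))
otp = lambda k, m: m ^ k

# A deliberately skewed message distribution (constructed); perfect secrecy
# must hold whatever the distribution on P is.
skewed = {m: Fraction(w, 36) for m, w in zip(P3, [1, 2, 3, 4, 5, 6, 7, 8])}


def otp_is_secret() -> bool:
    """Uniform keys and one key per (x, y) pair: both theorem conditions hold."""
    return is_perfectly_secret(otp, P3, K3, skewed, uniform(K3))


def biased_keys_is_secret() -> bool:
    """Same cipher, but key 0 is chosen half the time: condition 1 fails."""
    pr_K = {k: Fraction(1, 14) for k in K3}
    pr_K[0] = Fraction(1, 2)
    return is_perfectly_secret(otp, P3, K3, skewed, pr_K)


def small_keyspace_is_secret() -> bool:
    """Only 4 keys for 8 messages, |K| < |P|: the 'bad news' theorem applies."""
    return is_perfectly_secret(otp, P3, K3[:4], skewed, uniform(K3[:4]))


if __name__ == "__main__":
    print(otp_is_secret())              # True
    print(biased_keys_is_secret())      # False
    print(small_keyspace_is_secret())   # False
```

The same enumeration also shows why perfect secrecy is a statement about the key distribution, not just the cipher: the biased case uses exactly the same XOR as the secure case.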

Introduction of the Complexity

• Perfect secrecy $\Rightarrow$ key length $\ge$ message length
– Can NOT use one key to encrypt many messages
– For example, a 56-bit key cannot perfectly protect a document longer than 56 bits

• So in modern cryptography
– NOT perfect secrecy
– IS secure under limited resources (complexity)
– Means that key (or plaintext) recovery is difficult
– Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
– Name: GCD problem
– Instance: two natural numbers $a, b \in \mathbb{N}$
– Question: what is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is given by a transition function $\delta: S \times B \to S \times B \times \{l, r\}$
– where S is the set of states, B is the set of tape characters, l is shift left and r is shift right

[Figure: a state machine reading a tape … 0 1 1 0 0 0 1 1 …]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms

[Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
– Logarithmic functions: $f(n) = \log(n)$
– Polynomial functions: $f(n) = n^a$, $a \in \mathbb{N}$
– Exponential functions: $f(n) = \Omega(a^n)$ for some $a \in \mathbb{N}$, and there exists $b \in \mathbb{N}$ with $f(n) = O(b^n)$

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
– The complexity of a problem is much more difficult to establish than that of an algorithm
– It relies on mathematical analysis: a lower bound has to hold for every algorithm, not only the known ones

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable: provably intractable
– There is no algorithm that solves it
– Such as the Turing Halting Problem

• Decidable
– P: can be solved in polynomial time using a DTM
  • Example: A, B
– NP: can be solved in polynomial time using an NDTM, $\delta: S \times B \to 2^{S \times B \times \{l, r\}}$
– BPP: can be "solved" in polynomial time using a PTM (randomized algorithms), $\delta: S \times B \times \{0, 1\} \to S \times B \times \{l, r\}$

NP Problem

• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
– P problem $\subseteq$ NP problem
– NP problems are "more difficult" by intuition

• NPC: the most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy problems

Polynomial Reduction

• Definition: Assume $Q_1, Q_2 \in NP$ with instance sets $I_1, I_2$, and let $I_1^+ \subseteq I_1$ and $I_2^+ \subseteq I_2$ be the 'yes' instances.
$Q_1$ is polynomially reducible to $Q_2$ if there is a function $f: I_1 \to I_2$ s.t.
– f is computable in polynomial time by a DTM
– for all $x \in I_1$: $x \in I_1^+$ iff $f(x) \in I_2^+$

• Note
– $Q_2$ is at least as hard as $Q_1$
– Denoted $Q_1 \le_{poly} Q_2$

NP Completeness (NPC)

• Definition: An NPC problem is a $Q_c \in NP$ such that for any $Q \in NP$ we have $Q \le_{poly} Q_c$

• Example
– Name: Satisfiability problem (SAT)
– Instance: a set U of variables and a collection C of clauses over U
– Question: is there a satisfying truth assignment for C?

• How to prove a problem $Q \in NP$ is NPC: show SAT $\le_{poly} Q$

P = NP?

• P = NP, or $\exists p \in NP$ with $p \notin P$?

• If P = NP
– Modern cryptography is NOT secure (in the asymptotic sense)

• If $\exists p \in NP$ with $p \notin P$
– One-way functions can then exist (P $\ne$ NP is necessary for them, though not known to be sufficient)
– Indistinguishable pseudorandom functions exist (they can be built from one-way functions)
– These are the foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for randomized algorithms

• Remarks on BPP
– The problem can be solved with bounded error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful against BPP adversaries
– Will be analyzed in depth later

Problems in Cryptography

• FACTORING: factorize n ($= p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$)

• DLP: given $\alpha, \beta$ and p, find x satisfying $\alpha^x \equiv \beta \pmod p$

• DHP: find $\alpha^{ab} \pmod p$ from $\alpha^a \pmod p$ and $\alpha^b \pmod p$

• Subset-Sum: given a set of positive integers $A = \{a_1, a_2, \dots, a_n\}$ and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying $x^2 \equiv a \pmod n$

Semantic Security

• Ideas of semantic security
– Between Shannon security and security based on complexity
– Partial information (such as the message length) may leak
– Approximate perfect secrecy

• Definition of semantic security
– Indistinguishability of ciphertexts
– Difficult to distinguish ciphertexts of different plaintexts
– Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is $(t, \varepsilon)$ IND-CPA secure if no t-time adversary wins the following game with probability $\ge 0.5 + \varepsilon$

Challenger                                      Adversary
picks random key k and random bit $b \in \{0, 1\}$
                                    ←   picks $M_0, M_1$ of equal length
sends $C = E_k(M_b)$                →
                                    ←   outputs a guess $b'$
(during the game the adversary may request encryptions of plaintexts of its choice)

The attacker wins the game if $b = b'$

Bit Secure

• A cipher is $(t, \varepsilon)$ bit secure if no t-time adversary wins the following game with probability $\ge 0.5 + \varepsilon$

Challenger                                      Adversary
1. picks random key k
2. picks random message M
   sends $C = E_k(M)$                →
                                    ←   3. picks an index i and a guess a

The attacker wins the game if a = the i-th bit of M

Semantic Security

• Any cipher that is $(t, \varepsilon)$ IND-CPA secure against eavesdroppers is also $(t, \varepsilon)$ bit secure

• Proof: given a $(t, \varepsilon)$ attacker against bit security, build a $(t, \varepsilon)$ attacker against IND-CPA security: choose a random $M_0$ and let $M_1$ be its bitwise complement; hand the challenge ciphertext to the bit attacker; if its guess a for bit i equals the i-th bit of $M_0$ output $b' = 0$, otherwise $b' = 1$. Since $M_b$ is a uniformly random message, the bit attacker sees exactly its own game, and it is right about bit i precisely when $b'$ is right about b
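An added example, not from the original slides: the IND-CPA game above run by a challenger against two adversaries, and the reduction from the proof sketch that turns any bit-guesser into an IND-CPA adversary. The "ciphers" are toy constructions made for this illustration (a reused pad, a fresh pad per call, and a pad that leaks one plaintext bit); they stand in for real schemes only to show which property each adversary exploits. All names are my own.

```python
# Added example (not from the original slides): the IND-CPA game with an
# encryption oracle, an adversary that exploits determinism, and the
# bit-security -> IND-CPA reduction (M1 = complement of a random M0).
import secrets
from typing import Callable

Cipher = Callable[[bytes, bytes], bytes]  # enc(key, msg) -> ciphertext


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def deterministic_enc(key: bytes, msg: bytes) -> bytes:
    """Same (key, msg) always gives the same ciphertext: a reused pad (toy)."""
    return xor_bytes(key, msg)


def randomized_enc(key: bytes, msg: bytes) -> bytes:
    """Fresh random pad per call, never reused (toy): ciphertext independent of msg."""
    return secrets.token_bytes(len(msg))


def leaky_enc(key: bytes, msg: bytes) -> bytes:
    """Like randomized_enc but copies the top bit of msg[0] into the output (toy)."""
    pad = bytearray(secrets.token_bytes(len(msg)))
    pad[0] = (pad[0] & 0x7F) | (msg[0] & 0x80)
    return bytes(pad)


def ind_cpa_game(enc: Cipher, adversary, msg_len: int = 4) -> bool:
    """One run of the IND-CPA game; True iff the adversary wins (b == b')."""
    key = secrets.token_bytes(msg_len)
    b = secrets.randbelow(2)
    oracle = lambda m: enc(key, m)              # chosen-plaintext access
    m0, m1 = adversary.choose(oracle, msg_len)
    assert len(m0) == len(m1) == msg_len
    challenge = enc(key, (m0, m1)[b])
    return adversary.guess(oracle, challenge) == b


class DeterminismAttacker:
    """Wins against any deterministic cipher: ask the oracle for E_k(M0)
    and compare it with the challenge."""
    def choose(self, oracle, n):
        self.m0, self.m1 = bytes(n), bytes([0xFF]) * n
        return self.m0, self.m1

    def guess(self, oracle, challenge):
        return 0 if oracle(self.m0) == challenge else 1


class ReducedBitAttacker:
    """The reduction: bit_guesser(c) -> (i, a). M1 is the complement of a
    random M0, so the i-th bit of M_b reveals b whatever i the guesser picks."""
    def __init__(self, bit_guesser):
        self.bit_guesser = bit_guesser

    def choose(self, oracle, n):
        self.m0 = secrets.token_bytes(n)
        self.m1 = xor_bytes(self.m0, bytes([0xFF]) * n)
        return self.m0, self.m1

    def guess(self, oracle, challenge):
        i, a = self.bit_guesser(challenge)
        bit_of_m0 = (self.m0[i // 8] >> (7 - i % 8)) & 1   # bit i, MSB first
        return 0 if a == bit_of_m0 else 1


# A bit attacker that breaks leaky_enc: bit 0 of the plaintext is in bit 0 of c.
top_bit_guesser = lambda c: (0, c[0] >> 7)


def win_rate(enc: Cipher, adversary, trials: int = 200) -> float:
    return sum(ind_cpa_game(enc, adversary) for _ in range(trials)) / trials


if __name__ == "__main__":
    print(win_rate(deterministic_enc, DeterminismAttacker()))          # 1.0
    print(win_rate(randomized_enc, DeterminismAttacker()))             # about 0.5
    print(win_rate(leaky_enc, ReducedBitAttacker(top_bit_guesser)))    # 1.0
    print(win_rate(randomized_enc, ReducedBitAttacker(top_bit_guesser)))  # about 0.5
```

The first run is the practical reading of the definition: any deterministic encryption of a repeated message loses IND-CPA with a single oracle query, which is why ECB mode and deterministic public-key padding fail this notion. The third run is the theorem in action: a bit attacker with advantage $\varepsilon$ gives an IND-CPA attacker with the same advantage, so IND-CPA security rules bit leakage out.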

Summary

• Number Theory
– Primes, gcd, Euler's theorem, CRT
– Modular arithmetic

• Algebraic Structures
– Group, Field
– $\mathbb{Z}_n$, $\mathbb{Z}_p$, $GF(2^n)$

• Shannon Security
– Perfect secrecy
– Probability

• Complexity of Computing
– P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date:


Euclidean Algorithm Complexity

• Time complexity
– Iterations: every remainder $r_i \ge 1$, and the remainders at least halve every two steps, so there are $O(\log_2 a)$ iterations
– Division: each division costs $O(\log_2^2 a)$ bit operations
– $T(n) = O(\log_2^3 n)$

Modular Arithmetic

• Why modular arithmetic?
– Plaintext: an n-bit block $01100\ldots0100$, one of $2^n$ values
– Ciphertext: an n-bit block $11010\ldots0111$, one of $2^n$ values
– Operations: + (addition), $\times$ (multiplication)

• Problems: 1. the set of plaintexts (and ciphertexts) is finite; 2. how to define the $+, -, \times$ operations on a finite set

Modular Operation

• Definition: a mod n (the modulo operator) is the remainder when a is divided by n

• a mod n is r where $a = qn + r$ ($0 \le r < n$)

Congruence Modulo n

• Definition: Integers a and b are congruent modulo n
– if a mod n = b mod n
– denoted $a \equiv b \pmod n$
– Example: $100 \equiv 34 \pmod{11}$
– $a \equiv b \pmod n \iff a = b + kn$ for some integer k $\iff n \mid (a - b)$

Congruence Properties

• Properties
– $a \equiv b \pmod n$, $c \equiv d \pmod n$ $\Rightarrow$
  $a + c \equiv b + d \pmod n$
  $ac \equiv bd \pmod n$
– Example: $10 \equiv 1 \pmod 9$, $10^2 \equiv 1 \pmod 9$, …, so
  $a = a_m 10^m + \cdots + a_1 10 + a_0 \equiv a_m + \cdots + a_1 + a_0 \pmod 9$ (casting out nines)
– $a \equiv b \pmod n$, $d \mid n$ $\Rightarrow$ $a \equiv b \pmod d$

Congruence Relation

• Congruence is an equivalence relation
– Reflexive: $a \equiv a$
– Symmetric: $a \equiv b \Rightarrow b \equiv a$
– Transitive: $a \equiv b$, $b \equiv c \Rightarrow a \equiv c$

• Equivalence relation $\Rightarrow$ partition (into residue classes)

Example: Integers Modulo 7

• Integers can always be written $a = qn + r$ ($0 \le r \le n-1$)

[Figure: the number line from −21 to 34, each integer grouped with the others congruent to it modulo 7; e.g. …, −7, 0, 7, 14, 21, 28 fall in the class of 0 and …, −6, 1, 8, 15, 22, 29 in the class of 1]

• $\mathbb{Z}_7$: the residues modulo 7

Set of Residues

• Definition: if $a \equiv b \pmod n$ and $0 \le b < n$, b is called the residue of a modulo n

• The complete set of residues modulo n
– A set $\{r_1, r_2, \dots, r_n\}$ such that for every integer b exactly one $r_i$ in the set satisfies $b \equiv r_i \pmod n$

• The reduced set of residues (RSR)
– The subset of the complete set of residues whose elements are relatively prime to n

Set of Residues Example

• n = 10
– The complete set of residues is $\{0, 1, 2, \dots, 9\}$
– The reduced set of residues is $\{1, 3, 7, 9\}$

• n = p (p a prime)
– The complete set of residues is $\{0, 1, 2, \dots, p-1\}$
– The reduced set of residues is $\{1, 2, \dots, p-1\}$

Modular Arithmetic

• We can define modular arithmetic on the set of integers $\mathbb{Z}_n = \{0, 1, 2, \dots, n-1\}$

• Under normal arithmetic $(+, \times)$
– $[(a \bmod n) + (b \bmod n)] \bmod n = (a + b) \bmod n$
  • Proof: Let $a = q_1 n + r_1$, $b = q_2 n + r_2$; then $(a + b) \bmod n = (q_1 n + r_1 + q_2 n + r_2) \bmod n = (r_1 + r_2) \bmod n$
– $[(a \bmod n) \times (b \bmod n)] \bmod n = (ab) \bmod n$

• $(+, \times) \Rightarrow (-, \div)$: subtraction and division are defined through additive and multiplicative inverses

Modular Arithmetic Example

• $(\mathbb{Z}_8 = \{0, 1, 2, \dots, 7\}, +)$
[Figure: the addition table of $\mathbb{Z}_8$; every row is a permutation of $\mathbb{Z}_8$]
• What about multiplication?

Modular Arithmetic Example

• $(\mathbb{Z}_8 = \{0, 1, 2, \dots, 7\}, \times)$
[Figure: the multiplication table of $\mathbb{Z}_8$]
• NOT all elements in $\mathbb{Z}_8$ have a row containing 1, i.e. NOT all elements have a multiplicative inverse

Modular Arithmetic Remark

• Additive inverse: always exists
– $a + (-a) \equiv 0 \pmod n$, $-a = n - a$
– if $a + b \equiv a + c \pmod n$ then $b \equiv c \pmod n$
  • $(-a) + a + b \equiv (-a) + a + c \pmod n$

• Multiplicative inverse: does NOT always exist
– Example: 6 in $\mathbb{Z}_8$
– When does it exist?
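An added example, not from the original slides, that builds the two $\mathbb{Z}_8$ tables the slides refer to, finds the invertible elements by the O(n) search of the "Finding $a^{-1} \bmod n$" slide, and tests the cancellation law: it holds for addition (every element has an additive inverse) and fails for multiplication exactly where inverses are missing, which is the point of the remark above. Function names are my own.

```python
# Added example (not from the original slides): the Cayley tables of Z_8
# computed directly, the elements with a multiplicative inverse, and the
# cancellation law, which holds for + but fails for * when gcd(a, n) > 1.
from math import gcd


def cayley_table(n: int, op) -> list:
    """Rows a = 0..n-1, columns b = 0..n-1 of (a op b) mod n."""
    return [[op(a, b) % n for b in range(n)] for a in range(n)]


def inverse_by_search(a: int, n: int):
    """The O(n) method: scan 1..n-1 for x with a*x = 1 (mod n); None if absent."""
    for x in range(1, n):
        if a * x % n == 1:
            return x
    return None


def invertible_elements(n: int) -> list:
    """Elements with a multiplicative inverse; equals {x : gcd(x, n) = 1}."""
    return [a for a in range(n) if inverse_by_search(a, n) is not None]


def cancellation_counterexamples(n: int, op) -> list:
    """Triples (a, b, c) with b != c and a op b = a op c (mod n).
    Empty iff the cancellation law holds for op in Z_n."""
    table = cayley_table(n, op)
    return [(a, b, c) for a in range(n) for b in range(n) for c in range(b + 1, n)
            if table[a][b] == table[a][c]]


def format_table(table: list, symbol: str) -> str:
    n = len(table)
    header = f"{symbol} | " + " ".join(f"{b:2d}" for b in range(n))
    rows = [f"{a} | " + " ".join(f"{v:2d}" for v in row) for a, row in enumerate(table)]
    return "\n".join([header, "-" * len(header)] + rows)


ADD = lambda a, b: a + b
MUL = lambda a, b: a * b

if __name__ == "__main__":
    print(format_table(cayley_table(8, ADD), "+"))
    print(format_table(cayley_table(8, MUL), "*"))
    print(invertible_elements(8))                     # [1, 3, 5, 7]
    print(inverse_by_search(6, 8))                    # None: 6 has no inverse in Z_8
    print(cancellation_counterexamples(8, ADD))       # []: a+b = a+c implies b = c
    print(cancellation_counterexamples(8, MUL)[:4])   # e.g. (0, 0, 1), (0, 0, 2), ...
    print((2, 1, 5) in cancellation_counterexamples(8, MUL))   # True: 2*1 = 2*5 (mod 8)
```

The last line is the concrete failure a practitioner should remember: from $2b \equiv 2c \pmod 8$ one cannot conclude $b \equiv c$, which is why dividing by a non-unit modulo a composite n is not defined.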

Multiplicative Inverse in Modular Arithmetic

• Definition: $a^{-1} \bmod n$ is the multiplicative inverse of $a \in \{1, 2, \dots, n-1\}$: the x with $ax \equiv 1 \pmod n$

• Theorem: $a^{-1} \bmod n$ exists if and only if $\gcd(a, n) = 1$

• Lemma: If $\gcd(a, n) = 1$ then $ai \not\equiv aj \pmod n$ for all $0 \le i < j < n$
– Proof: assume $ai \equiv aj \pmod n$; then $n \mid a(i - j)$, and since $\gcd(a, n) = 1$, $n \mid (i - j)$, so $i - j = 0$, contradicting $i < j$

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Several Important Structures

• Zn

• Zn*

• Zp

• Polynomial rings

• Galois field F_2^n

Zn

• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n-1}
  – Normal addition modulo n
  – Normal multiplication modulo n

• Example
  – Z26 for English
  – Z256 for ASCII

Zn Properties

• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n

• Additive inverse: yes
  – For every x in Zn there is a number y such that x + y ≡ 0 (mod n)

• Multiplicative inverse: not for all x
  – A number y such that x·y ≡ 1 (mod n)
  – The elements in Zn that have an inverse: {x | gcd(x, n) = 1}

Zn*

• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n

• Zn* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*

• So Zn* may not be a field
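The structure of Zn* on this slide and the order and generator slides before it (ord(a) | |G|, {1, 2, 4} generated by 2 in Z7*, 3 a generator), as an added Python example that is not part of the lecture; the values n = 20, 251 and 256 are the slides' own, the function names are mine.

```python
from math import gcd


def units(n):
    """Z_n^* = {x in Z_n | gcd(x, n) = 1}: the multiplicative group modulo n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def order(a, n):
    """ord(a): the least positive k with a^k = 1 (mod n); needs gcd(a, n) = 1."""
    if gcd(a % n, n) != 1:
        raise ValueError(f"{a} is not in Z_{n}^*, so it has no multiplicative order")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def generated_subgroup(a, n):
    """<a> = {a, a^2, ..., a^ord(a)}, returned sorted (e.g. <2> = {1, 2, 4} in Z_7^*)."""
    return sorted(pow(a, i, n) for i in range(1, order(a, n) + 1))


def generators(n):
    """Elements of Z_n^* whose order is the whole group order phi(n) = |Z_n^*|."""
    g = units(n)
    return [a for a in g if order(a, n) == len(g)]


def lagrange_holds(n):
    """Check the corollary ord(a) | |G| for every a in G = Z_n^*."""
    g = units(n)
    return all(len(g) % order(a, n) == 0 for a in g)


def closed_under_addition(n):
    """Is Z_n^* closed under + mod n?  False for n = 20: 3 + 5 = 8 and gcd(8, 20) != 1."""
    g = set(units(n))
    return all((a + b) % n in g for a in g for b in g)


def zn_is_field(n):
    """Z_n is a field iff every nonzero element has a multiplicative inverse,
    i.e. Z_n^* is all of Z_n except 0, which happens exactly when n is prime."""
    return n > 1 and len(units(n)) == n - 1


if __name__ == "__main__":
    for a in units(7):
        print(f"ord({a}) = {order(a, 7)}, <{a}> = {generated_subgroup(a, 7)}")
    print("generators of Z_7^*:", generators(7))                  # [3, 5]
    print("Z_20^* closed under +:", closed_under_addition(20))    # False
    print("Z_256 field:", zn_is_field(256), "Z_251 field:", zn_is_field(251))  # False True
```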

Zp

• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p-1}
  – Normal addition modulo p
  – Normal multiplication modulo p

• Example: Z2

  +  | 0  1        ·  | 0  1        w | -w | w^-1
  ---+------       ---+------       --+----+------
  0  | 0  1        0  | 0  0        0 |  0 | none
  1  | 1  0        1  | 0  1        1 |  1 |  1
      (XOR)            (AND)

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_(n-1) x^(n-1) + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0

• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements in Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R

• The set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) - b(x))

• Example
  – Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    • 3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)

• Definition: If a(x)·b(x) ≡ 1 mod p(x), then b(x) = a^-1(x) mod p(x)

Irreducible Polynomials

• Definition: If a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted as b(x) | a(x)

• Definition: A polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}

• p(x) = x^3 + x + 1

• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S

• Example
  – x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1

• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1) Properties

• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0

• S is a group over multiplication mod p(x)
  – 1 is e, and the inverse of a ∈ S (a ≠ 0) exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse

• Z2[x]/(x^3 + x + 1) is a field

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is the field Z_N (N is prime)
  – + is addition in F, · is multiplication modulo p(x)
  – p(x) is irreducible

• The Galois field over Z_N[x]/p(x) is denoted as GF(N^n), where n = deg p(x)

Why Galois Field

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted

• Is it possible to find a field for Z256?
  – Yes: the Galois field

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials

• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: 02·87
  • 87 = 10000111, f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010, f(x) = x
  • 02·87 = x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)

• In general, for b = b7 b6 b5 b4 b3 b2 b1 b0:
  x·f(x) (02·b) = (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
                = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1
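The binary-field arithmetic of the last few slides, as an added Python example (not the lecture's own code): polynomials over Z2 are stored as integers with bit i = coefficient of x^i, the inverse is found with the Extended Euclidean Algorithm the slides mention, and the checks use the slides' own values: x^4 + 1 ≡ x^2 + x + 1 and (x^2 + 1)·x ≡ 1 in Z2[x]/(x^3 + x + 1), the AES inverse of 01010011, and the 02·b rule. Function names are mine.

```python
AES_POLY = 0b1_0001_1011   # p(x) = x^8 + x^4 + x^3 + x + 1, the AES modulus
P3 = 0b1011                # p(x) = x^3 + x + 1 from the Z2[x]/(x^3+x+1) slides


def deg(a):
    """Degree of a polynomial over Z2 stored as an int (deg 0 = -1)."""
    return a.bit_length() - 1


def poly_str(a):
    """Render an int as a polynomial over Z2, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    if a == 0:
        return "0"
    terms = []
    for i in range(deg(a), -1, -1):
        if (a >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


def gf2_mul(a, b):
    """Carry-less multiplication in Z2[x] (no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf2_divmod(a, p):
    """Polynomial long division in Z2[x]: returns (q, r) with a = q*p + r, deg r < deg p."""
    if p == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a and deg(a) >= deg(p):
        shift = deg(a) - deg(p)
        q ^= 1 << shift
        a ^= p << shift
    return q, a


def gf2_mulmod(a, b, p):
    """Multiplication in the residue ring Z2[x]/p(x)."""
    return gf2_divmod(gf2_mul(a, b), p)[1]


def gf2_inverse(a, p):
    """a^-1 mod p(x) by the Extended Euclidean Algorithm over Z2[x].

    Keeps r_i = s_i*p + t_i*a and, as on the Euclid slides, only the t_i are
    tracked; when the remainder reaches 1, t*a = 1 (mod p).  Subtraction in
    Z2[x] is XOR, so t_i = t_(i-2) - q_(i-1)*t_(i-1) becomes t0 ^ q*t1."""
    r0, r1 = p, gf2_divmod(a, p)[1]
    t0, t1 = 0, 1
    while r1:
        q, r = gf2_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ gf2_mul(q, t1)
    if r0 != 1:
        raise ValueError(f"{poly_str(a)} has no inverse: gcd with p(x) is {poly_str(r0)}")
    return t0


def aes_xtime(b):
    """02 * b in GF(2^8): shift left, and XOR 00011011 (0x1B) if the dropped bit b7 was 1."""
    r = (b << 1) & 0xFF
    return r ^ 0x1B if b & 0x80 else r


if __name__ == "__main__":
    print(poly_str(gf2_divmod(0b10001, P3)[1]))      # x^4 + 1 mod p(x) = x^2 + x + 1
    print(poly_str(gf2_inverse(0b101, P3)))          # (x^2 + 1)^-1 = x
    inv = gf2_inverse(0x53, AES_POLY)
    print(f"{inv:08b} = {poly_str(inv)}")           # 11001010 = x^7 + x^6 + x^3 + x
    print(f"02 * 87 = {aes_xtime(0x87):02X}")        # 15
```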

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• P = M^L = {m = (m_1, m_2, …, m_L) | m_i ∈ M}
  – M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_(i=1..N) p(a_i) = 1

• K = B^R = {b = (b_1, b_2, …, b_R) | b_i ∈ B}
  – B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_(i=1..S) p(b_i) = 1

• C = {c | c = e_k(m), k ∈ K, m ∈ M}

(Figure: sender → encryption → c → decryption → receiver; the key k reaches both ends over a secure channel; cryptanalysis observes c and targets m. Key space (K), message space (P), ciphertext space (C).)

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
  – R. G. Gallager

Claude Shannon, 1916-2001

Probability Distribution of C

• Pr[C = c] = Σ_(k ∈ K, c ∈ C(k)) Pr[K = k]·Pr[P = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}

• Pr[C = c | P = m] = Σ_(k ∈ K, m = d_k(c)) Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
  = Pr(m)·Σ_(k | m = d_k(c)) Pr(k) / Σ_(k ∈ K, c ∈ C(k)) Pr(k)·Pr(d_k(c))

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?

• Definition: An encryption scheme is Shannon secure if, for every probability distribution of P,
  ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
  • Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and ∀x ∈ P and ∀y ∈ C, there is a unique key k such that e_k(x) = y

Proof of ⇐

• Pr[x | y] = Σ_(k ∈ K, x = d_k(y)) Pr[K = k]·Pr[x] / Σ_(k ∈ K, y ∈ C(k)) Pr[K = k]·Pr[d_k(y)]

• Σ_(k ∈ K, x = d_k(y)) Pr[K = k] = 1/|K|
  (exactly one key k has e_k(x) = y, and every key has probability 1/|K|)

• Σ_(k ∈ K, y ∈ C(k)) Pr[K = k]·Pr[d_k(y)] = 1/|K|·Σ_(k ∈ K, y ∈ C(k)) Pr[d_k(y)] = 1/|K|·Σ_(x ∈ P) Pr[x] = 1/|K|
  (as k runs over the keys with y ∈ C(k), d_k(y) runs over each x ∈ P exactly once)

• Hence Pr[x | y] = (1/|K|)·Pr[x] / (1/|K|) = Pr[x]

Proof of ⇒

• Assume Pr[y] > 0 for every y ∈ C; then Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]

• Fix x ∈ P, y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y

• |{e_k(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with e_k1(x) = e_k2(x)
  – There is a unique key k such that e_k(x) = y

Proof of ⇒ (continued)

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}

• Given a fixed y, let k_1, k_2, …, k_n be the keys with e_(k_i)(x_i) = y

• Pr[x_i | y] = Pr[y | x_i]·Pr[x_i] / Pr[y] = Pr[K = k_i]·Pr[x_i] / Pr[y]

• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
  – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c, for every m, Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
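The probability formulas of the last few slides on a concrete cipher, as an added Python example that is not part of the lecture: a shift cipher on Z_n with e_k(m) = m + k mod n, exact arithmetic with Fractions, and the posterior Pr[P = m | C = c] compared with the prior. It checks the theorem's uniform-key condition, shows a biased key distribution breaking perfect secrecy, and shows the |K| ≥ |P| bound failing when one key encrypts two letters (the case the next slide warns about). The message and key distributions are constructed here.

```python
from fractions import Fraction
from itertools import product


def make_shift(n):
    """e_k(m) = m + k (mod n) on Z_n; here the key space K = Z_n equals the message space P."""
    return lambda k, m: (m + k) % n


def make_shift_pair(n):
    """One key k reused for a two-letter message (m1, m2) over Z_n: |K| = n < |P| = n^2."""
    return lambda k, m: ((m[0] + k) % n, (m[1] + k) % n)


def uniform(items):
    """Uniform distribution over a list, as a dict of exact Fractions."""
    items = list(items)
    return {x: Fraction(1, len(items)) for x in items}


def ciphertext_dist(msg_dist, key_dist, encrypt):
    """Pr[C=c] = sum over keys k with c in C(k) of Pr[K=k]*Pr[P=d_k(c)] (probability slide).
    Enumerating the (k, m) pairs with e_k(m) = c is the same sum, because d_k(c) is
    the one m with e_k(m) = c."""
    pc = {}
    for m, pm in msg_dist.items():
        for k, pk in key_dist.items():
            c = encrypt(k, m)
            pc[c] = pc.get(c, Fraction(0)) + pk * pm
    return pc


def posterior(msg_dist, key_dist, encrypt):
    """Pr[P=m | C=c] = Pr[C=c | P=m]*Pr[P=m] / Pr[C=c], for every m and every c with Pr[C=c] > 0."""
    pc = ciphertext_dist(msg_dist, key_dist, encrypt)
    post = {}
    for m, pm in msg_dist.items():
        for c, p_c in pc.items():
            # Pr[C=c | P=m] = sum of Pr[K=k] over the keys with e_k(m) = c
            p_c_given_m = sum((pk for k, pk in key_dist.items() if encrypt(k, m) == c), Fraction(0))
            post[(m, c)] = p_c_given_m * pm / p_c
    return post


def has_perfect_secrecy(msg_dist, key_dist, encrypt):
    """Shannon's condition for this plaintext distribution: Pr[P=m | C=c] = Pr[P=m] for all m, c."""
    post = posterior(msg_dist, key_dist, encrypt)
    return all(p == msg_dist[m] for (m, c), p in post.items())


# Constructed plaintext distribution over Z_26: 'a', 'e', 't' with probabilities 1/2, 1/4, 1/4.
MSG = {0: Fraction(1, 2), 4: Fraction(1, 4), 19: Fraction(1, 4)}
UNIFORM_KEYS = uniform(range(26))
# Constructed biased keys: key 0 (the identity shift) is chosen half the time.
BIASED_KEYS = {k: Fraction(1, 2) if k == 0 else Fraction(1, 50) for k in range(26)}
# Two-letter messages over Z_5, all equally likely, one uniform key shared by both letters.
PAIR_MSG = uniform(product(range(5), repeat=2))
PAIR_KEYS = uniform(range(5))


if __name__ == "__main__":
    print("uniform keys, one letter: ", has_perfect_secrecy(MSG, UNIFORM_KEYS, make_shift(26)))      # True
    print("biased keys, one letter:  ", has_perfect_secrecy(MSG, BIASED_KEYS, make_shift(26)))       # False
    print("uniform keys, two letters:", has_perfect_secrecy(PAIR_MSG, PAIR_KEYS, make_shift_pair(5)))  # False
    post = posterior(PAIR_MSG, PAIR_KEYS, make_shift_pair(5))
    print("Pr[P=(0,0) | C=(3,3)] =", post[((0, 0), (3, 3))], "vs prior", PAIR_MSG[(0, 0)])          # 1/5 vs 1/25
```

With the shared key the observer learns that both letters were shifted by the same amount, so the posterior concentrates on the five messages with m1 = m2.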

Introduction of the Complexity

• Perfect secrecy: key-length ≥ msg-length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is a transition function S × B → S × B × {l, r}
  – where S is the set of states, B is the set of characters, l is shift left, r is shift right

(Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a state machine)

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

(Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output)

Complexity of Algorithm

• Definition: The time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) is bounded below by a^n for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem

• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: A × B
  – NP: can be solved in polynomial time using an NDTM
    S × B → 2^(S × B × {l, r})
  – BPP: can be "solved" in polynomial time using a PTM, S × B × {0, 1} → S × B × {l, r} (randomized algorithms)

NP Problem

• NP ⊇ P: A problem is solved by the NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult" from intuition

• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
  – Q2 is more complex than Q1
  – Denoted as Q1 ≤poly Q2

NP Completeness (NPC)

• Definition: The NPC problems are the Qc such that for any Q ∈ NP we have Q ≤poly Qc

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?

• How to prove a problem Q ∈ NPC?
  – SAT ≤poly Q

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?

• If P = NP
  – Modern cryptography is NOT secure

• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

BPP

• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms

• Remarks on BPP
  – The problem can be solved with an error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: Factorize n (= p_1^e1 · p_2^e2 · … · p_k^ek)

• DLP (discrete logarithm): find the exponent x (mod p)

• DHP (Diffie-Hellman): find the value with exponent ab (mod p) from the values with exponents a and b (mod p)

• Subset-Sum: Given a set of positive integers A = {a_1, a_2, …, a_n} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: Decide whether a is a quadratic residue modulo n

• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy

• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε

• Game
  Challenger: picks random k and picks random b ∈ {0, 1}
  Adversary: picks M0, M1 of equal length and sends them to the challenger
  Challenger: returns the encryption of M_b under k
  Adversary: outputs a guess b'
  Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε

• Game
  Challenger: 1. picks random k; 2. picks random M and sends its encryption under k
  Adversary: 3. picks i and guesses a
  Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
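The reduction behind this theorem, as an added Python example (not the lecture's own): the IND-CPA and bit-security games are written out as on the two preceding slides, and an IND-CPA adversary is built from any bit-security adversary so that it wins exactly when the bit adversary does. The 8-bit toy ciphers (a one-time pad, and a pad whose bit 0 is forced to 0 so that plaintext bit 0 leaks), the adversaries and the trial counts are constructed for illustration.

```python
import random

N_BITS = 8
MASK = (1 << N_BITS) - 1


def bit(x, i):
    """The i'th bit of x (bit 0 = least significant)."""
    return (x >> i) & 1


# --- toy ciphers on N_BITS-bit messages (constructed for illustration) ---
def otp_encrypt(k, m):
    """One-time pad: a fresh uniform k for every challenge, so c reveals nothing about m."""
    return m ^ k


def leaky_encrypt(k, m):
    """A deliberately broken pad whose bit 0 is always 0: bit 0 of c equals bit 0 of m."""
    return m ^ (k & MASK & ~1)


# --- the two games from the slides; each returns True when the adversary wins ---
def bit_security_game(encrypt, bit_adversary, rng):
    k = rng.getrandbits(N_BITS)          # 1. challenger picks random k
    m = rng.getrandbits(N_BITS)          # 2. challenger picks random M and sends c
    c = encrypt(k, m)
    i, a = bit_adversary(c)              # 3. adversary picks i and guesses bit i of M
    return a == bit(m, i)


def ind_cpa_game(encrypt, adversary, rng):
    k = rng.getrandbits(N_BITS)          # challenger picks random k and random b
    b = rng.getrandbits(1)
    m0, m1 = adversary.choose()          # adversary picks M0, M1 of equal length
    c = encrypt(k, m1 if b else m0)      # challenger sends the encryption of M_b
    return adversary.guess(c) == b       # adversary wins if b' = b


class BitToIndCpa:
    """IND-CPA adversary built from a bit-security adversary B.

    M1 is the bitwise complement of M0, so whichever bit i B chooses, M0 and M1
    differ there, and M_b is still a uniformly random message exactly as in B's
    own game.  B's guess a is right iff a = bit i of M_b, which is what we output."""

    def __init__(self, bit_adversary, rng):
        self.B, self.rng = bit_adversary, rng

    def choose(self):
        self.m0 = self.rng.getrandbits(N_BITS)
        self.m1 = self.m0 ^ MASK
        return self.m0, self.m1

    def guess(self, c):
        i, a = self.B(c)
        return 0 if a == bit(self.m0, i) else 1


def leaky_bit_adversary(c):
    """Against leaky_encrypt, bit 0 of the ciphertext is bit 0 of the plaintext."""
    return 0, c & 1


def win_rate(play, trials, seed=2008):
    """Fraction of games won; play(rng) runs one game.  Seeded so runs are repeatable."""
    rng = random.Random(seed)
    return sum(play(rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    trials = 1000
    bit_leaky = win_rate(lambda r: bit_security_game(leaky_encrypt, leaky_bit_adversary, r), trials)
    cpa_leaky = win_rate(lambda r: ind_cpa_game(leaky_encrypt, BitToIndCpa(leaky_bit_adversary, r), r), trials)
    bit_otp = win_rate(lambda r: bit_security_game(otp_encrypt, leaky_bit_adversary, r), trials)
    print(f"leaky pad: bit game {bit_leaky:.2f}, IND-CPA via reduction {cpa_leaky:.2f}")  # 1.00 and 1.00
    print(f"one-time pad: bit game {bit_otp:.2f}")                                         # about 0.50
```

The same construction works for any bit adversary B, which is why an advantage ε against bit security gives the same advantage ε against IND-CPA.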

Summary

• Number Theory
  – Prime, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date

Zhijun Li S1034040Autumn08HIT 15

Modular Arithmetic

bull Why modular arithmetic

01100hellip0100

Plaintext 2n

11010hellip0111

Ciphertext 2n

+ addition multiplication

Problems 1 the set of plaintext (and ciphertext) finite 2 how to define +-x operations in finite

Zhijun Li S1034040Autumn08HIT 16

Modular Operation

bull Definition a mod n(modulo operator) is the remainder when a is divided by n

bull a mod n is r a=qn+r (0ltrltn)

Zhijun Li S1034040Autumn08HIT 17

Congruence Modulo n

bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)

Zhijun Li S1034040Autumn08HIT 18

Congruence Properties

bull Propertiesndash a b (mod n) c d (mod n)

a+c b+d (mod n)

ac bd (mod n)ndash Example

10 1 mod 9 102 1 mod 9 hellip

a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9

ndash a b (mod n) d|n a b (mod d)

Zhijun Li S1034040Autumn08HIT 19

Congruence Relation

bull Congruence relation is an equivalence relationndash Reflexive

bull a andash Symmetric

bull a b b a ndash Transitive

bull a b b c a c

bull Equivalence relation Partition

Zhijun Li S1034040Autumn08HIT 20

Example Integers Modulo 7

bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence

Z7 residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

bull Definition if a b mod n and bltn b is called a residue of a modulo n

bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i

n the set satisfies bri mod n

bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele

ment is relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues Example

bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379

bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1

bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n

bull Proof Let a=q1n+r1 b=q2n+r2

bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n

ndash [(a mod n) (b mod n)] mod n = (ab) mod n

bull (+ ) (-)

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)

What

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )

NOT all elements in Z8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n

bull ((-a)+a+b) ((-a)+a+c) mod n

bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8

ndash When

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n

bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists

bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=

0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."

– R. G. Gallager

Claude Shannon, 1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[m = d_k(c)]
  – C(k) = { e_k(m) | m ∈ P }

• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k | m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)) )

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?

• Definition: An encryption scheme is Shannon secure if, for any probability distribution of P,
  ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]

• Such a scheme is also said to have perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of ⇐

• Pr[x = x | y = y]
  = ( Σ_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[x = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)] )

• Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|
  (exactly one key maps x to y, and every key has probability 1/|K|)

• Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)]
  = (1/|K|) · Σ_{k ∈ K, y ∈ C(k)} Pr[x = d_k(y)]
  = (1/|K|) · Σ_{x ∈ P} Pr[x = x]
  = 1/|K|
  (as k runs over the keys with y ∈ C(k), d_k(y) runs over every x ∈ P exactly once)

• Hence Pr[x = x | y = y] = (1/|K|) · Pr[x = x] / (1/|K|) = Pr[x = x], i.e. perfect secrecy

Zhijun Li S1034040Autumn08HIT 76

Proof of ⇒ (unique key)

• Pr[y] > 0; Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y] (Bayes)

• Fix x ∈ P, y ∈ C. We have Pr[y | x] = Pr[y] > 0, thus at least one k exists that satisfies e_k(x) = y

• |{ e_k(x) | k ∈ K }| = |C| = |K|
  – There are no two keys k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – There is a unique key k such that e_k(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of ⇒ (equal key probability)

• Let n = |K| and P = { x_i | 1 ≤ i ≤ n }

• Given a fixed y, assume k_1, k_2, …, k_n are the keys with e_{k_i}(x_i) = y

• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = k_i] · Pr[x_i] / Pr[y]

• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
  – Every key is used with equal probability 1/|K|

Zhijun Li S1034040Autumn08HIT 78

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n. Any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79
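The probability formulas of the "Probability Distribution of C" slide and the perfect-secrecy condition of the slides that follow, as an added Python example that is not part of the original slides. It enumerates every (key, message) pair of a toy shift cipher on Z_n, computes Pr[C = c] and Pr[P = m | C = c] exactly, and checks the condition Pr[P = m | C = c] = Pr[P = m] for all m and c; the sample distributions over Z_5, the function names and the cipher choice are the example's own constructions.

```python
# Added example (not from the slides): checking Shannon's perfect-secrecy
# condition Pr[P = m | C = c] = Pr[P = m] by exhaustive enumeration over a
# toy cipher, the shift cipher on Z_n with e_k(m) = (m + k) mod n.
# Exact arithmetic with Fraction avoids floating-point noise in the comparison.
from fractions import Fraction
from itertools import product


def encrypt(k: int, m: int, n: int) -> int:
    return (m + k) % n


def ciphertext_distribution(n, pr_p, pr_k):
    """Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] * Pr[P = m]
    (the formula on the 'Probability Distribution of C' slide)."""
    pr_c = {c: Fraction(0) for c in range(n)}
    for k, m in product(range(n), repeat=2):
        pr_c[encrypt(k, m, n)] += pr_k[k] * pr_p[m]
    return pr_c


def posterior(n, pr_p, pr_k, m, c):
    """Pr[P = m | C = c] by Bayes: Pr[C = c | P = m] * Pr[P = m] / Pr[C = c],
    where Pr[C = c | P = m] is the sum of Pr[K = k] over the keys with e_k(m) = c."""
    pr_c_given_m = sum((pr_k[k] for k in range(n) if encrypt(k, m, n) == c), Fraction(0))
    pr_c = ciphertext_distribution(n, pr_p, pr_k)[c]
    return pr_c_given_m * pr_p[m] / pr_c


def is_perfectly_secret(n, pr_p, pr_k) -> bool:
    """True iff Pr[P = m | C = c] == Pr[P = m] for every m and every c with Pr[C = c] > 0."""
    pr_c = ciphertext_distribution(n, pr_p, pr_k)
    return all(posterior(n, pr_p, pr_k, m, c) == pr_p[m]
               for c in range(n) if pr_c[c] > 0
               for m in range(n))


# Constructed sample distributions over Z_5 (not from the slides).
N = 5
SKEWED_P = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8),
            3: Fraction(1, 16), 4: Fraction(1, 16)}
UNIFORM_K = {k: Fraction(1, N) for k in range(N)}          # every key with probability 1/|K|
BIASED_K = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
            3: Fraction(1, 8), 4: Fraction(1, 8)}          # key 0 favoured


if __name__ == "__main__":
    print("uniform keys, perfectly secret:", is_perfectly_secret(N, SKEWED_P, UNIFORM_K))
    print("biased keys, perfectly secret:", is_perfectly_secret(N, SKEWED_P, BIASED_K))
    print("Pr[P=0 | C=0] with biased keys =", posterior(N, SKEWED_P, BIASED_K, 0, 0),
          "versus Pr[P=0] =", SKEWED_P[0])
```

With uniform keys the check passes for every plaintext distribution, exactly as the theorem's "if" direction says; with the biased key distribution the posterior Pr[P = 0 | C = 0] rises from 1/2 to 4/5, so the ciphertext leaks information even though the cipher itself is unchanged. Because the shift cipher has |K| = |P| = |C| = n, this is the smallest key space the "bad news" theorem allows.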

Introduction of Complexity

• Perfect secrecy requires key length ≥ message length
  – One key can NOT be used to encrypt many messages
  – For example, a 56-bit key can not be used to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – but security under limited resources (complexity)
  – meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Zhijun Li S1034040Autumn08HIT 81

Turing Machine

• Definition: A Turing Machine is a transition function δ: S × B → S × B × {l, r}
  – where S is the set of states, B is the set of tape characters, l is shift left, r is shift right

[Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]

Zhijun Li S1034040Autumn08HIT 82

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Zhijun Li S1034040Autumn08HIT 83

Problems and Algorithms

[Figure: a PROBLEM has many INSTANCES; an instance is the Input of the ALGORITHM, whose Output is the answer]

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

• Undecidable: provably intractable
  – There is no algorithm that solves it
  – e.g. the Turing Halting Problem

• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: A × B
  – NP: can be solved in polynomial time using an NDTM (δ: S × B → 2^S)
  – BPP: can be "solved" in polynomial time using a PTM (δ: S × B × {0, 1} → S), i.e. by randomized algorithms

Zhijun Li S1034040Autumn08HIT 87

NP Problem

• NP ⊇ P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P problems ⊆ NP problems
  – NP problems are, intuitively, "more difficult"

• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are their sets of 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
  – Q2 is at least as complex as Q1
  – Denoted Q1 ≤_poly Q2

Zhijun Li S1034040Autumn08HIT 89

NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?

• How to prove a problem Q ∈ NPC
  – Show SAT ≤_poly Q

Zhijun Li S1034040Autumn08HIT 90

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?

• If P = NP
  – Modern cryptography is NOT secure

• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – These are the foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

• There are randomized algorithms in cryptography
  – especially in cryptanalysis
  – BPP is the model for randomized algorithms

• Remarks on BPP
  – The problem is solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: factorize n (= p1^e1 · p2^e2 ⋯ pk^ek)

• DLP: find x satisfying α^x ≡ β (mod p)

• DHP: find α^(ab) (mod p) from α^a (mod p) and α^b (mod p)

• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying x^2 ≡ a (mod n)

Zhijun Li S1034040Autumn08HIT 93
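Toy-size instances of the problems on this slide, as an added Python example that is not part of the original slides. It shows the brute-force cost of DLP and Subset-Sum (a number of steps exponential in the input length, the exponential TCF of the earlier slide) and that QRP and SQROOT become easy when the modulus is a prime p ≡ 3 (mod 4) or when the factors p, q of n are known (the CRT of the number-theory part). Function names and the small parameters are the example's own constructions; the p ≡ 3 (mod 4) shortcut and Euler's criterion are standard results, not something the slide states.

```python
# Added example (not from the slides): toy-size instances of the problems on
# this slide, showing which become easy when extra information (a prime
# modulus, or the factors of n) is available.  Function names are the
# example's own; parameters are small constructed values.


def dlog_bruteforce(alpha: int, beta: int, p: int):
    """DLP: find x with alpha^x ≡ beta (mod p) by trying x = 0, 1, 2, ...
    About p steps in the worst case, i.e. exponential in the bit length of p."""
    value = 1
    for x in range(p - 1):
        if value == beta % p:
            return x
        value = value * alpha % p
    return None


def is_quadratic_residue(a: int, p: int) -> bool:
    """QRP for an odd prime p, by Euler's criterion: a^((p-1)/2) ≡ 1 (mod p)."""
    return pow(a % p, (p - 1) // 2, p) == 1


def sqrt_mod_prime(a: int, p: int):
    """SQROOT for a prime p ≡ 3 (mod 4): a root is a^((p+1)/4) mod p, if one exists."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p ≡ 3 (mod 4)")
    x = pow(a % p, (p + 1) // 4, p)
    return x if x * x % p == a % p else None


def sqrt_mod_pq(a: int, p: int, q: int):
    """SQROOT modulo n = p*q given the factorization: take a root modulo each
    prime and combine them with the Chinese Remainder Theorem.  Without p and q
    this is believed to be as hard as FACTORING n."""
    xp, xq = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
    if xp is None or xq is None:
        return None
    n = p * q
    return (xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % n


def subset_sum_bruteforce(values, s: int):
    """Subset-Sum by trying all 2^n subsets; returns one subset or None."""
    n = len(values)
    for mask in range(1 << n):
        chosen = [v for i, v in enumerate(values) if mask >> i & 1]
        if sum(chosen) == s:
            return chosen
    return None


if __name__ == "__main__":
    print("3^x = 4 (mod 7): x =", dlog_bruteforce(3, 4, 7))
    print("4 is a QR mod 7:", is_quadratic_residue(4, 7),
          "  3 is a QR mod 7:", is_quadratic_residue(3, 7))
    print("sqrt(4) mod 77 via the factors 7, 11:", sqrt_mod_pq(4, 7, 11))
    print("subset of [3, 34, 4, 12, 5, 2] summing to 9:",
          subset_sum_bruteforce([3, 34, 4, 12, 5, 2], 9))
```

The base 3 is a generator of Z_7* (the group slide earlier in the chapter), so `dlog_bruteforce` finds every target after at most six steps; doubling the bit length of p squares that step count, which is the sense in which these problems are "hard" and why the security parameter must be chosen large.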

Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks only partial information
  – Approximates perfect secrecy

• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε

  Challenger                                  Adversary
  picks random k and
  picks random b ∈ {0, 1}
                              ←   picks M0, M1 of equal length
  sends E_k(M_b)              →
                              ←   outputs a guess b'

  The attacker wins the game if b = b'

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε

  Challenger                                  Adversary
  1. picks random k
  2. picks random M
  sends E_k(M)                →
                              ←   3. picks i, outputs a

  The attacker wins the game if a = the i'th bit of M

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97
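The two games of the previous slides and the reduction sketched in this proof, as an added Python example that is not part of the original slides. It simulates an 8-bit one-time pad, a constructed "weak" variant whose key always has bit 0 clear (so bit 0 of the plaintext is exposed), a bit attacker that exploits exactly that, and the IND-CPA adversary built from it the way the proof says: choose M1 as the complement of M0 so the two messages differ in every bit, then let the bit attacker's guess for bit i decide b'. All names, the toy cipher and the weak variant are the example's own constructions.

```python
# Added example (not from the slides): the IND-CPA and bit-security games
# from the slides, simulated on an 8-bit one-time pad, together with the
# reduction that turns any bit-security attacker into an IND-CPA attacker.
import random

BLOCK_BITS = 8
MASK = (1 << BLOCK_BITS) - 1


def keygen(rng, weak):
    """Random 8-bit key.  The 'weak' variant (constructed for illustration)
    always has key bit 0 = 0, so bit 0 of the plaintext shows in the ciphertext."""
    k = rng.getrandbits(BLOCK_BITS)
    return k & ~1 if weak else k


def encrypt(k, m):
    return (k ^ m) & MASK        # one-time pad on a single 8-bit block


def ind_cpa_game(adversary, rng, weak):
    """One run of the IND-CPA game; True if the adversary wins (b' == b)."""
    k = keygen(rng, weak)
    b = rng.getrandbits(1)
    m0, m1, state = adversary.choose(rng)
    c = encrypt(k, m1 if b else m0)
    return adversary.guess(c, state, rng) == b


def bit_game(bit_attacker, rng, weak):
    """One run of the bit-security game; True if the guess a == i-th bit of M."""
    k = keygen(rng, weak)
    m = rng.getrandbits(BLOCK_BITS)
    i, a = bit_attacker(encrypt(k, m), rng)
    return a == (m >> i) & 1


def low_bit_attacker(c, rng):
    """Bit attacker: picks i = 0 and guesses bit 0 of the ciphertext.
    Always right against the weak cipher, a coin flip against the real pad."""
    return 0, c & 1


class ReductionAdversary:
    """IND-CPA adversary built from a bit attacker (the proof on the slide):
    M1 = complement of M0, so the two messages differ in every bit, and the
    attacker's guess for bit i of M_b reveals b."""

    def __init__(self, bit_attacker):
        self.bit_attacker = bit_attacker

    def choose(self, rng):
        m0 = rng.getrandbits(BLOCK_BITS)
        return m0, m0 ^ MASK, m0          # (M0, M1, state to remember)

    def guess(self, c, m0, rng):
        i, a = self.bit_attacker(c, rng)
        return 0 if a == (m0 >> i) & 1 else 1


def win_rate(play, trials=400, seed=1):
    """Fraction of game runs won; play(rng) runs one game and returns a bool."""
    rng = random.Random(seed)
    return sum(play(rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for weak in (True, False):
        label = "weak cipher" if weak else "one-time pad"
        bit = win_rate(lambda rng: bit_game(low_bit_attacker, rng, weak))
        ind = win_rate(lambda rng: ind_cpa_game(ReductionAdversary(low_bit_attacker), rng, weak))
        print(f"{label}: bit game won {bit:.2f}, IND-CPA via reduction won {ind:.2f}")
```

The reduction adversary wins the IND-CPA game exactly as often as the bit attacker wins the bit game, with the same running time plus one XOR, which is the content of the theorem: a cipher that leaks even a single bit with advantage ε fails IND-CPA with the same advantage. Against the unmodified pad both games settle near 1/2.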

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Z_n, Z_p, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

• HTTP URL

httpcsthiteducncryptography

• Due Date


Zhijun Li S1034040Autumn08HIT 16

Modular Operation

bull Definition a mod n(modulo operator) is the remainder when a is divided by n

bull a mod n is r a=qn+r (0ltrltn)

Zhijun Li S1034040Autumn08HIT 17

Congruence Modulo n

bull Definition Integers a and b are congruence modulo nndash If a mod n=b mod nndash Denoted as a b mod nndash Example 100 34 mod 11ndash a b mod n a = b+kn n|(a-b)

Zhijun Li S1034040Autumn08HIT 18

Congruence Properties

bull Propertiesndash a b (mod n) c d (mod n)

a+c b+d (mod n)

ac bd (mod n)ndash Example

10 1 mod 9 102 1 mod 9 hellip

a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9

ndash a b (mod n) d|n a b (mod d)

Zhijun Li S1034040Autumn08HIT 19

Congruence Relation

bull Congruence relation is an equivalence relationndash Reflexive

bull a andash Symmetric

bull a b b a ndash Transitive

bull a b b c a c

bull Equivalence relation Partition

Zhijun Li S1034040Autumn08HIT 20

Example Integers Modulo 7

bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence

Z7 residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

bull Definition if a b mod n and bltn b is called a residue of a modulo n

bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i

n the set satisfies bri mod n

bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele

ment is relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues Example

bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379

bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1

bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n

bull Proof Let a=q1n+r1 b=q2n+r2

bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n

ndash [(a mod n) (b mod n)] mod n = (ab) mod n

bull (+ ) (-)

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)

What

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )

NOT all elements in Z8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n

bull ((-a)+a+b) ((-a)+a+c) mod n

bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8

ndash When

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n

bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists

bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=

0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: assume Q1, Q2 ∈ NP, and let I1⁺ and I2⁺ be their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1⁺ iff f(x) ∈ I2⁺
• Note
– Q2 is at least as hard as Q1: a polynomial-time algorithm for Q2 gives one for Q1
– Denoted Q1 ≤poly Q2

NP Completeness (NPC)

• Definition: a problem Qc is NP-complete if Qc ∈ NP and for every Q ∈ NP we have Q ≤poly Qc
• Example
– Name: Satisfiability problem (SAT)
– Instance: a set U of variables and a collection C of clauses over U
– Question: is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC: show Q ∈ NP and SAT ≤poly Q (Cook's theorem: SAT is NPC)

P = NP?

• Either P = NP, or there is a problem p ∈ NP with p ∉ P
• If P = NP
– Modern (complexity-based) cryptography is NOT secure: every NP problem, including finding a key consistent with observed ciphertexts, becomes solvable in polynomial time
• If there is p ∈ NP with p ∉ P
– A one-way function may be built from p
– Indistinguishable pseudorandom functions then exist
– These are the foundations of modern cryptography
– Caveat: P ≠ NP is necessary for one-way functions but is not known to be sufficient; a one-way function needs a problem that is hard on average, not just in the worst case

BPP

• There are randomized algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for randomized algorithms
• Remarks on BPP
– The problem is solved with some error probability
– The error probability can be reduced by repetition (majority vote over independent runs)
– Security of cryptography is meaningful with respect to BPP adversaries
– Will be analyzed in depth later

Problems in Cryptography

• FACTORING: factorize n = p1^e1 · p2^e2 · … · pk^ek
• DLP (discrete logarithm): given a generator g of Zp* and y, find x satisfying g^x ≡ y (mod p)
• DHP (Diffie-Hellman): find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x² ≡ a (mod n)

Semantic Security

• Ideas of semantic security
– Between Shannon security and complexity-based security
– The ciphertext leaks no partial information about the plaintext to a computationally bounded adversary
– Approximates perfect secrecy
• Definition of semantic security (equivalent formulation: indistinguishability of ciphertexts)
– Difficult to distinguish the ciphertexts of two different plaintexts
– Difficult to distinguish a ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 1/2 + ε
• The game
– Challenger: picks a random key k and a random bit b ∈ {0, 1}
– Adversary: may ask the challenger for encryptions of plaintexts of its choice (chosen-plaintext queries), then picks M0, M1 of equal length
– Challenger: returns the challenge C = Ek(Mb)
– Adversary: may make further queries, then outputs a guess b'
– The attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 1/2 + ε
• The game
– Challenger: 1. picks a random key k; 2. picks a random message M; sends C = Ek(M)
– Adversary: 3. picks a bit position i and outputs a guess a
– The attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
– Pick a random M0 and let M1 be its bitwise complement; request the challenge C = Ek(Mb), which encrypts a uniformly random message whichever b was chosen
– Run the bit attacker on C; it returns a position i and a guess a
– Output b' = 0 if a equals bit i of M0, else b' = 1; since M0 and M1 differ in every bit, b' = b exactly when the bit attacker guessed correctly, so the success probabilities are equal
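The IND-CPA game above, played out as an added Python example (not code from the lecture). Two toy ciphers stand in for the abstract Ek of the slides: a deterministic one whose keystream is SHA-256(k), and a randomized one that prefixes a fresh nonce r and uses SHA-256(k || r) as keystream. Treating a hash as a PRF here is an assumption of the example, not a construction the slides give. The adversary is the standard one against deterministic encryption: it asks the chosen-plaintext oracle for Ek(M0) and compares the answer with the challenge.

```python
"""IND-CPA game against a deterministic and a randomized toy cipher.
Added example: hashlib.sha256 is used as a stand-in PRF (an assumption of
this example); messages are at most 32 bytes so one digest covers them."""
import hashlib
import random


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def det_encrypt(key: bytes, msg: bytes, rng: random.Random) -> bytes:
    """Deterministic toy cipher: keystream = SHA-256(key); rng is unused.
    Encrypting the same message twice gives the same ciphertext."""
    stream = hashlib.sha256(key).digest()[: len(msg)]
    return _xor(stream, msg)


def rand_encrypt(key: bytes, msg: bytes, rng: random.Random) -> bytes:
    """Randomized toy cipher: fresh 16-byte nonce r,
    ciphertext = r || (msg XOR SHA-256(key || r))."""
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    stream = hashlib.sha256(key + nonce).digest()[: len(msg)]
    return nonce + _xor(stream, msg)


def distinguisher(oracle, challenge: bytes, m0: bytes) -> int:
    """Adversary: one chosen-plaintext query E_k(M0);
    guess b' = 0 iff the oracle's answer equals the challenge."""
    return 0 if oracle(m0) == challenge else 1


def play_ind_cpa(encrypt, trials: int, seed: int = 1) -> float:
    """Run the IND-CPA game `trials` times; return the adversary's win rate Pr[b = b']."""
    rng = random.Random(seed)
    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"   # equal length, as the game requires
    wins = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")  # challenger picks random k
        b = rng.randrange(2)                            # ... and random b in {0, 1}
        challenge = encrypt(key, (m0, m1)[b], rng)      # C = E_k(M_b)
        oracle = lambda m, k=key: encrypt(k, m, rng)    # chosen-plaintext access
        wins += distinguisher(oracle, challenge, m0) == b
    return wins / trials
```

Against `det_encrypt` the adversary wins every game (advantage ε = 1/2), so that cipher is not IND-CPA secure for any t; against `rand_encrypt` the oracle's answer never matches the challenge, the adversary always guesses b' = 1, and its win rate is 1/2 up to sampling noise. Randomization is therefore necessary for IND-CPA, which is why the game lets the adversary choose M0 = M1 in spirit: a scheme that encrypts the same plaintext to the same ciphertext is distinguishable by definition.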

Summary

• Number Theory
– Primes, gcd, Euler's Theorem, CRT
– Modular arithmetic
• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)
• Shannon Security
– Perfect secrecy
– Probability
• Complexity of Computing
– P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:


Congruence Modulo n

• Definition: integers a and b are congruent modulo n
– if a mod n = b mod n
– denoted a ≡ b (mod n)
– Example: 100 ≡ 34 (mod 11), since 100 mod 11 = 1 = 34 mod 11
– a ≡ b (mod n) ⇔ a = b + kn for some integer k ⇔ n | (a − b)

Congruence Properties

• Properties
– a ≡ b (mod n), c ≡ d (mod n) ⇒ a + c ≡ b + d (mod n) and ac ≡ bd (mod n)
– Example: 10 ≡ 1 (mod 9), 10² ≡ 1 (mod 9), … so
a = am·10^m + … + a1·10 + a0 ≡ am + … + a1 + a0 (mod 9), i.e. a number is divisible by 9 iff its digit sum is
– a ≡ b (mod n), d | n ⇒ a ≡ b (mod d)

Congruence Relation

• Congruence is an equivalence relation
– Reflexive: a ≡ a
– Symmetric: a ≡ b ⇒ b ≡ a
– Transitive: a ≡ b, b ≡ c ⇒ a ≡ c
• Equivalence relation ⇒ partition of the integers into congruence classes

Example: Integers Modulo 7

• Integers can always be written a = qn + r (0 ≤ r ≤ n − 1)
[Figure: the integers −21 … 34 arranged in seven columns by residue modulo 7; each column is one congruence class, e.g. {…, −7, 0, 7, 14, 21, 28} for residue 0]
• Z7 = the residues modulo 7

Set of Residues

• Definition: if a ≡ b (mod n) and 0 ≤ b < n, b is called the residue of a modulo n
• The complete set of residues modulo n
– A set {r1, r2, …, rn} such that for every integer b exactly one ri in the set satisfies b ≡ ri (mod n)
• The reduced set of residues (RSR)
– The subset of the complete set of residues whose elements are relatively prime to n

Set of Residues: Example

• n = 10
– The complete set of residues is {0, 1, 2, …, 9}
– The reduced set of residues is {1, 3, 7, 9}
• n = p (p a prime)
– The complete set of residues is {0, 1, 2, …, p − 1}
– The reduced set of residues is {1, 2, …, p − 1}

Modular Arithmetic

• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n − 1}
• Relation to ordinary arithmetic (+, ·)
– [(a mod n) + (b mod n)] mod n = (a + b) mod n
• Proof: let a = q1·n + r1, b = q2·n + r2
• (a + b) mod n = (q1·n + r1 + q2·n + r2) mod n = (r1 + r2) mod n = [(a mod n) + (b mod n)] mod n
– [(a mod n) · (b mod n)] mod n = (a·b) mod n (same argument: the cross terms q1·q2·n², q1·n·r2 and q2·n·r1 are multiples of n)
• (+, ·) ⇒ (−): subtraction is addition of the additive inverse

Modular Arithmetic Example: (Z8 = {0, 1, 2, …, 7}, +)

 +  0 1 2 3 4 5 6 7
 0  0 1 2 3 4 5 6 7
 1  1 2 3 4 5 6 7 0
 2  2 3 4 5 6 7 0 1
 3  3 4 5 6 7 0 1 2
 4  4 5 6 7 0 1 2 3
 5  5 6 7 0 1 2 3 4
 6  6 7 0 1 2 3 4 5
 7  7 0 1 2 3 4 5 6

What do we observe? Every row is a permutation of Z8 and 0 occurs exactly once in each row: every element has an additive inverse.

Modular Arithmetic Example: (Z8 = {0, 1, 2, …, 7}, ·)

 ·  0 1 2 3 4 5 6 7
 0  0 0 0 0 0 0 0 0
 1  0 1 2 3 4 5 6 7
 2  0 2 4 6 0 2 4 6
 3  0 3 6 1 4 7 2 5
 4  0 4 0 4 0 4 0 4
 5  0 5 2 7 4 1 6 3
 6  0 6 4 2 0 6 4 2
 7  0 7 6 5 4 3 2 1

NOT all elements in Z8 have a multiplicative inverse: 1 appears only in the rows of 1, 3, 5 and 7.

Modular Arithmetic Remark

• Additive inverse: always exists
– (a + (−a)) ≡ 0 (mod n), −a = n − a
– if (a + b) ≡ (a + c) (mod n) then b ≡ c (mod n)
• Proof: add −a to both sides: ((−a) + a + b) ≡ ((−a) + a + c) (mod n)
• Multiplicative inverse: does NOT always exist
– Example: 6 in Z8 (6·x mod 8 only takes the values 0, 2, 4, 6, never 1)
– When does it exist? See the next slide

Multiplicative Inverse in Modular Arithmetic

• Definition: a⁻¹ mod n is the multiplicative inverse of a ∈ {1, 2, …, n − 1}, the x with a·x ≡ 1 (mod n)
• Theorem: a⁻¹ mod n exists if and only if gcd(a, n) = 1
• Lemma: if gcd(a, n) = 1 then a·i ≢ a·j (mod n) for all 0 ≤ i < j < n (i ≠ j)
– Proof: assume a·i ≡ a·j (mod n) ⇒ n | a·(i − j) ⇒ n | (i − j) since gcd(a, n) = 1 ⇒ i − j = 0, contradicting i < j

Multiplicative Inverse Theorem

• Proof
– (⇐) gcd(a, n) = 1 ⇒ {a·1, …, a·(n − 1)} mod n is a permutation of {1, …, n − 1} (by the lemma the n − 1 values are distinct, and none is 0)
– So there exists exactly one i with a·i ≡ 1 (mod n)
– Therefore i is a⁻¹ mod n
– (⇒) suppose a⁻¹ exists; call it x
– a·x ≡ 1 (mod n), so a·x + y·n = 1 for some integer y
– gcd(a, n) | a·x + y·n, hence gcd(a, n) | 1 and gcd(a, n) = 1

Euler's phi Function

• Euler's "phi" function φ(n)
– Is the number of invertible elements of Zn
– Is the number of elements in the reduced set of residues modulo n
• φ(n) calculation: see the slides after the Chinese Remainder Theorem

Chinese Remainder Theorem

• Theorem: let n1, n2, …, nk be integers such that gcd(ni, nj) = 1 for i ≠ j. The system
x ≡ a1 (mod n1)
x ≡ a2 (mod n2)
……
x ≡ ak (mod nk)
has a unique solution x modulo n = n1·n2·…·nk

Proof of CRT

• Consider the one-to-one map ψ: Zn → Zn1 × Zn2 × … × Znk, ψ(x) = (x mod n1, x mod n2, …, x mod nk)
– CRT is finding ψ⁻¹(a1, a2, …, ak)
ψ⁻¹(a1, a2, …, ak) = Σ(i=1..k) ai·mi·yi mod n
– mi = n / ni, with gcd(mi, ni) = 1 for 1 ≤ i ≤ k
– yi = mi⁻¹ mod ni for 1 ≤ i ≤ k
– mi ≡ 0 (mod nj) for j ≠ i, so ai·mi·yi ≡ 0 (mod nj) for j ≠ i
– yj ≡ mj⁻¹ (mod nj), so mj·yj ≡ 1 (mod nj) and aj·mj·yj ≡ aj (mod nj)
– Hence ψ⁻¹(a1, a2, …, ak) mod nj = aj for every j

Finding Euler's phi Function

• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof
– A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
– x is relatively prime to mn iff a and b are relatively prime to m and n respectively
– So the φ(mn) invertible residues mod mn correspond one-to-one to the φ(m)·φ(n) pairs of invertible residues, i.e. φ(mn) = φ(m)·φ(n)

Finding Euler's phi Function

• φ(n) calculation for n = ∏(i=1..k) pi^ei
– φ(p) = p − 1, φ(p^e) = p^e − p^(e−1)
– The numbers in 1, …, p^e with gcd(k, p^e) ≠ 1 are exactly the multiples of p: k·p for k = 1, …, p^(e−1), i.e. p^(e−1) of them
– So φ(p^e) = p^e − p^(e−1)
– φ(∏(i=1..k) pi^ei) = ∏(i=1..k) (pi^ei − pi^(ei−1)), by multiplicativity
– φ(n) = n·(1 − 1/p1)·(1 − 1/p2)·…·(1 − 1/pk)

Euler's Theorem

• Theorem: if gcd(a, n) = 1 then a^φ(n) ≡ 1 (mod n)
• Proof
1. Let R = {r1, r2, …, rφ(n)} be the reduced set of residues modulo n
2. {a·r1, a·r2, …, a·rφ(n)} mod n is a permutation of R (gcd(a·ri, n) = 1, and the products are pairwise distinct by the lemma)
3. ∏(i=1..φ(n)) ri ≡ ∏(i=1..φ(n)) a·ri ≡ a^φ(n) · ∏(i=1..φ(n)) ri (mod n)
4. gcd(∏(i=1..φ(n)) ri, n) = 1, so the product can be cancelled. Hence a^φ(n) ≡ 1 (mod n)

Fermat's Little Theorem

• From Euler's Theorem
– Let n = p with p a prime, so φ(p) = p − 1
– Because gcd(a, p) = 1 for all 0 < a < p,
a^(p−1) ≡ 1 (mod p)

Finding a⁻¹ mod n

• Search through 1, …, n − 1 until an a⁻¹ is found such that a·a⁻¹ ≡ 1 (mod n)
– T(n) = O(n), exponential in the bit length of n
• Compute a⁻¹ = a^(φ(n)−1) mod n
– Finding φ(n) requires factoring n
– T(n) = O(n^a) for the factoring step, which dominates
• Use the Extended Euclidean Algorithm
– T(n) = O(log^a n), polynomial in the bit length of n

From the Euclidean Algorithm

• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
……
• rn−1 = sn−1·r0 + tn−1·r1
• rn−1 = gcd(r0, r1)
• If gcd(r0, r1) = 1: sn−1·r0 + tn−1·r1 = 1 ⇒ tn−1·r1 ≡ 1 (mod r0) ⇒ tn−1 ≡ r1⁻¹ (mod r0)
• So we need to find tn−1

si and ti

• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
……
• ri = ri−2 − qi−1·ri−1 = si−2·r0 + ti−2·r1 − qi−1·si−1·r0 − qi−1·ti−1·r1 = si·r0 + ti·r1, where
si = si−2 − qi−1·si−1
ti = ti−2 − qi−1·ti−1
• Only ti is needed for the inverse: ri = si·r0 + ti·r1 ≡ ti·r1 (mod r0)

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a
Step 2: r0 = q1·r1 + r2, r2 = r0 − q1·r1 ≡ −q1·r1 (mod n); let x2 = −q1, then r2 ≡ x2·r1 (mod n)
r1 = q2·r2 + r3, r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 (mod n); let x3 = 1 − x2·q2, then r3 ≡ x3·r1 (mod n)
……
In general ri = ri−2 − qi−1·ri−1 ≡ (xi−2 − xi−1·qi−1)·r1 (mod n), so xi = xi−2 − xi−1·qi−1 (with x0 = 0, x1 = 1)
Stop at the first remainder rm = 1 (it is reached because gcd(n, a) = 1); then rm ≡ xm·r1 = xm·a (mod n)
Step 3: the result is xm = a⁻¹ mod n
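The three ways of finding a⁻¹ mod n above, together with the Chinese Remainder Theorem, Euler's φ and Euler's theorem from the earlier slides, as one added Python example (not part of the lecture material). The names follow the slides' symbols: s_i, t_i for the Extended Euclidean coefficients and m_i = n / n_i, y_i = m_i⁻¹ mod n_i for CRT. `factorize` is a trial-division helper assumed here for small n; the `invertible_elements` list is the reduced set of residues, which reproduces the rows of the Z8 multiplication table that contain a 1.

```python
"""Modular inverses, CRT, Euler's phi and Euler's theorem.
Added example; the notation follows the slides (s_i, t_i for the Extended
Euclidean coefficients, m_i = n / n_i and y_i = m_i^-1 mod n_i for CRT)."""
from math import gcd


def egcd(a: int, b: int):
    """Extended Euclid: return (g, s, t) with g = gcd(a, b) = s*a + t*b.

    Initially r0 = a = s0*a + t0*b and r1 = b = s1*a + t1*b; every step
    applies s_i = s_{i-2} - q_{i-1} s_{i-1} and t_i = t_{i-2} - q_{i-1} t_{i-1}.
    """
    s0, t0, s1, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def modinv(a: int, n: int) -> int:
    """a^-1 mod n via Extended Euclid; fails exactly when gcd(a, n) != 1."""
    g, s, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd({a}, {n}) = {g}")
    return s % n


def invertible_elements(n: int) -> list:
    """The reduced set of residues modulo n (e.g. [1, 3, 5, 7] for n = 8)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def factorize(n: int) -> dict:
    """Trial-division factorization {p: e}; only meant for the small n used here."""
    f, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            f[p] = f.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def phi(n: int) -> int:
    """phi(n) = n * prod(1 - 1/p) over the distinct primes p dividing n."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)
    return result


def modinv_euler(a: int, n: int) -> int:
    """a^-1 = a^(phi(n) - 1) mod n: the second method of the slides (needs phi(n), i.e. factoring n)."""
    if gcd(a, n) != 1:
        raise ValueError("no inverse")
    return pow(a, phi(n) - 1, n)


def euler_theorem_holds(a: int, n: int) -> bool:
    """a^phi(n) = 1 (mod n) whenever gcd(a, n) = 1 (Fermat is the case n prime)."""
    return gcd(a, n) == 1 and pow(a, phi(n), n) == 1


def crt(residues, moduli) -> int:
    """Solve x = a_i (mod n_i) for pairwise coprime n_i; returns x mod n = prod(n_i)."""
    for i, p in enumerate(moduli):
        for q in moduli[i + 1:]:
            if gcd(p, q) != 1:
                raise ValueError("moduli must be pairwise coprime")
    n = 1
    for n_i in moduli:
        n *= n_i
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i                 # m_i = 0 (mod n_j) for every j != i
        y_i = modinv(m_i, n_i)         # exists since gcd(m_i, n_i) = 1
        x += a_i * m_i * y_i
    return x % n
```

`modinv(6, 8)` raises, matching the Z8 table; `modinv(17, 3120)` returns 2753, the textbook RSA private exponent for e = 17 and φ(n) = 3120. Note that `modinv_euler` only works because `factorize` is cheap for toy n; for an RSA-sized modulus the Extended Euclidean route is the only practical one, which is the point of the complexity comparison on the slide.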

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Algebraic Structures

• Why structures?
– Cryptographic transforms normally live in some algebraic structure
• Definition: an algebraic structure is a set S together with one (or more) operations ∘ performed on the elements of S
– Different algebraic structures are ⟨S, ∘⟩ satisfying different specific conditions

Group

• Definition: a group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions
– G1: ∀a, b ∈ S: a∘b ∈ S (closure rule)
– G2: ∀a, b, c ∈ S: (a∘b)∘c = a∘(b∘c) (associativity)
– G3: ∃e ∈ S ∀a ∈ S: a∘e = e∘a = a (identity)
– G4: ∀a ∈ S ∃a⁻¹ ∈ S: a∘a⁻¹ = a⁻¹∘a = e (inverse)
– [G5, Abelian group]: ∀a, b ∈ S: a∘b = b∘a (commutativity)

Group Example

• ⟨Z, +⟩: e = 0, a⁻¹ = −a
• ⟨Zn, +⟩ (Zn = {0, 1, …, n − 1}, '+' is addition modulo n): e = 0, a⁻¹ = n − a
• ⟨Z2, ⊕⟩ (XOR is addition modulo 2) is also a group
• ⟨Zp*, ·⟩ (Zp* = {1, …, p − 1}, '·' is multiplication modulo p, p prime): e = 1, and a⁻¹ exists since gcd(a, p) = 1

Group Properties

• Definition: the order of a finite group is the number of elements in the group
• Definition: a group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S and S1 is itself a group under the same operation ∘
• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G

Lagrange's Theorem: Proof

(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {a∘h | h ∈ H} is called a coset of H
(2) For a, b ∈ G: either aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH, since e ∈ H), so the cosets partition G
(4) The order of aH = the order of H (h ↦ a∘h is a bijection)
So the order of H divides the order of G

The Order of a Group Element

• Definition: the order of a group element a is the least positive integer n such that
a^n = a∘a∘…∘a (n times) = e
• The order of a is denoted ord(a)
• Corollary: suppose G is a finite group of order n and a ∈ G; then ord(a) | n

ord(a) | n: Proof

• Proof
– For a group G and a ∈ G, the set {a, a², …, a^ord(a)} with the operation of G forms a subgroup of G:
a^ord(a) = e and (a^i)⁻¹ = a^(ord(a) − i)
– This subgroup is denoted ⟨a⟩ and has order ord(a), so by Lagrange's theorem ord(a) | n

The Generator of a Group

• Definition: if all elements of a group can be generated by a single element g, the group is cyclic and g is called a generator of the group
• Example
– Consider ⟨Z7*, ·⟩
– 2 generates 2¹ = 2, 2² = 4, 2³ = 8 ≡ 1 (mod 7), 2⁴ = 16 ≡ 2 (mod 7), …
• ⟨2⟩ = {1, 2, 4} is a proper subgroup
– 3 generates 3¹ = 3, 3² ≡ 2, 3³ ≡ 6, 3⁴ ≡ 4, 3⁵ ≡ 5, 3⁶ ≡ 1, …
• 3 is a generator
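Element orders, cyclic subgroups, generators and the corollary of Lagrange's theorem in Zn*, as an added Python example (not lecture code). Zn* is built from the gcd condition the slides give, so the same functions handle Zp* for prime p, as in the Z7* example above, and also show a case the slide does not mention: Z8* has no generator at all, because every element has order 2.

```python
"""Element orders, cyclic subgroups and generators of Z_n^*.
Added example; Z_n^* is {a : gcd(a, n) = 1} as defined on the slides."""
from math import gcd


def zn_star(n: int) -> list:
    """Elements of Z_n^*: residues 1..n-1 relatively prime to n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def order(a: int, n: int) -> int:
    """ord(a): the least k >= 1 with a^k = 1 (mod n); requires a in Z_n^*."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not in Z_{n}^*")
    k, x = 1, a % n
    while x != 1:
        x = x * a % n
        k += 1
    return k


def generated_subgroup(a: int, n: int) -> list:
    """<a> = {a, a^2, ..., a^ord(a)}: the cyclic subgroup generated by a (sorted)."""
    elems, x = set(), a % n
    while x not in elems:
        elems.add(x)
        x = x * a % n
    return sorted(elems)


def generators(n: int) -> list:
    """Elements of order |Z_n^*|; non-empty exactly when Z_n^* is cyclic."""
    group = zn_star(n)
    return [a for a in group if order(a, n) == len(group)]


def lagrange_check(n: int) -> bool:
    """Corollary of Lagrange's theorem: ord(a) divides |Z_n^*| for every a."""
    group = zn_star(n)
    return all(len(group) % order(a, n) == 0 for a in group)
```

For Z7* the generators are 3 and 5; for Z8* = {1, 3, 5, 7} the list is empty, which is why Diffie-Hellman-style constructions work in Zp* (always cyclic) but not in an arbitrary Zn*.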

Ring

• Definition: a ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) such that
– R1: ∀a, b ∈ S: a + b ∈ S, a·b ∈ S (closure rule)
– R2: ⟨S, +⟩ is an additive Abelian group
– R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
– R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c (and (b + c)·a = b·a + c·a)
• Example
– The set of even integers with + and · is a ring (it has no multiplicative identity)
– p, q two primes, n = pq: Zn = {0, 1, …, n − 1} with addition and multiplication mod n is a ring (this holds for every n; n = pq is the RSA case)

Field

• Definition: a field F is ⟨S, +, ·⟩ with
– F1: ⟨S, +, ·⟩ is a commutative ring (a·b = b·a)
– F2: there exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
– F3: any nonzero element a ∈ S has a unique inverse a⁻¹: a·a⁻¹ = a⁻¹·a = 1
• Example
– Zn = ⟨{0, 1, …, n − 1}, +, ·⟩ is a field if n is a prime

Relationship

[Figure: nested structures used in cryptography. Group: + and −. Ring: +, − and ×. Field: +, −, × and ÷]

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F2^n

Zn

• Zn is the "ring" of integers modulo n
– Zn = {0, 1, 2, …, n − 1}
– Normal addition modulo n
– Normal multiplication modulo n
• Example
– Z26 for the English alphabet
– Z256 for ASCII bytes

Zn Properties

• Additive and multiplicative identities in Zn
– Additive identity is 0 mod n
– Multiplicative identity is 1 mod n
• Additive inverse: yes
– For every x in Zn there is a y such that x + y ≡ 0 (mod n)
• Multiplicative inverse: not for all x
– A y such that x·y ≡ 1 (mod n) exists only for some x
– The elements of Zn that have an inverse are {x | gcd(x, n) = 1}

Zn*

• Zn* is the "group" of invertible integers modulo n
– Zn* = {x | gcd(x, n) = 1}
– |Zn*| = φ(n)
– Normal multiplication modulo n
• Zn* is not a group over +
– Example: n = 20; 3, 5 ∈ Z20* but 3 + 5 = 8 ∉ Z20*
• So Zn* is not a field

Zp

• Zp is the "field" of integers modulo a prime p
– Zp = {0, 1, 2, …, p − 1}
– Normal addition modulo p
– Normal multiplication modulo p
• Example: Z2

 +  0 1        ·  0 1        w   −w   w⁻¹
 0  0 1        0  0 0        0    0   (none)
 1  1 0        1  0 1        1    1    1
 (XOR)         (AND)

Polynomial Ring

• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + an−1·x^(n−1) + … + a1·x + a0 where each ai ∈ R and n ≥ 0
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: let f(x) = x³ + x + 1 and g(x) = x² + x be elements of Z2[x]
– f(x) + g(x) = x³ + x² + 1 (the two x terms cancel since 1 + 1 = 0 in Z2)
– f(x) − g(x) = f(x) + g(x) = x³ + x² + 1 (every element is its own additive inverse)
– f(x)·g(x) = x⁵ + x⁴ + x³ + x

Set of Residues Modulo p(x)

• Definition: the set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)
– For the field construction that follows, p(x) is taken to be an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
– In Z5[x]: 3x³ + 4x + 4 ≡ x + 4 mod x² + 1
• 3x³ + 4x + 4 − (x + 4) = 3x³ + 3x = 3x·(x² + 1)
• Definition: if a(x)·b(x) ≡ 1 mod p(x) then b(x) = a⁻¹(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x³ + x + 1)

• S = {0, 1, x, x + 1, x², x² + 1, x² + x, x² + x + 1}, p(x) = x³ + x + 1
• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S
• Example
– x⁴ + 1 = x·x³ + 1 ≡ x·(x + 1) + 1 = x² + x + 1 mod p(x), using x³ ≡ x + 1 mod p(x)
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x³ + x + 1): Properties

• S is a group over addition in Z2[x]
– 0 is e and the inverse of a ∈ S is a itself
– Example: (x² + 1) + (x² + 1) = 0
• S \ {0} is a group over multiplication mod p(x)
– 1 is e and the inverse of every nonzero a ∈ S exists
– Example: (x² + 1)·x = x³ + x ≡ (x + 1) + x mod x³ + x + 1 = 1
– Note: the Extended Euclidean Algorithm on polynomials finds the inverse
• Z2[x]/(x³ + x + 1) is a field (with 2³ = 8 elements)

Galois Field

• Definition: Galois field = (S, +, ·)
– S = F[x]/p(x)
– F is the field ZN (N prime)
– + is addition in F[x]; · is multiplication modulo p(x)
– p(x) is irreducible over F
• The Galois field ZN[x]/p(x) is denoted GF(N^n) when n = deg p(x)

Why Galois Fields?

• For an 8-bit block
– Z256 = {0, 1, …, 255} is not a field
– Z251 = {0, 1, …, 250} is a field
• The largest prime < 256 is 251
• The byte values 251, …, 255 are wasted
• Is it possible to find a field with exactly 256 elements?
– Yes: a Galois Field

Galois Field for 8-bit Blocks

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
10010111 ↔ 1·x⁷ + 0·x⁶ + 0·x⁵ + 1·x⁴ + 0·x³ + 1·x² + 1·x¹ + 1·x⁰
• This is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• Byte arithmetic in AES (e.g. the S-box) uses GF(2⁸) = Z2[x]/p(x) where p(x) = x⁸ + x⁴ + x³ + x + 1
• Example
– 01010011 ↔ x⁶ + x⁴ + x + 1
– (01010011)⁻¹ ↔ (x⁶ + x⁴ + x + 1)⁻¹ mod p(x) = x⁷ + x⁶ + x³ + x ↔ 11001010

Galois Field Example: AES

• Example: 02 · 87
• 87 = 10000111 ↔ f(x) = x⁷ + x² + x + 1
• 02 = 00000010 ↔ x
• 02 · 87 ↔ x·f(x) = x·(x⁷ + x² + x + 1) mod p(x) = x⁸ + x³ + x² + x mod p(x)
= (x⁴ + x³ + x + 1) + x³ + x² + x = x⁴ + x² + 1 ↔ 00010101 = 15, using x⁸ ≡ x⁴ + x³ + x + 1 mod p(x)
• In general, for a byte b7b6b5b4b3b2b1b0, multiplication by 02 is
x·f(x) ↔ (b6b5b4b3b2b1b0 0) if b7 = 0
x·f(x) ↔ (b6b5b4b3b2b1b0 0) ⊕ (00011011) if b7 = 1
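Polynomial arithmetic over Z2 and the field GF(2^n) = Z2[x]/p(x), as one added Python example (not lecture code) serving the Z2[x] product example, the GF(2³) field with p(x) = x³ + x + 1, and the two AES examples above. Polynomials are encoded as integers with bit i the coefficient of x^i (the byte-to-polynomial mapping of the slides); `gf_inv` uses a^(2^n − 2), which follows from the multiplicative group having order 2^n − 1 and is a choice of this example rather than the Extended Euclidean method the slides mention.

```python
"""Polynomials over Z2 as bit strings, and arithmetic in GF(2^n) = Z2[x]/p(x).
Added example: bit i of an int is the coefficient of x^i, so x^3 + x + 1 is
0b1011 and the AES modulus x^8 + x^4 + x^3 + x + 1 is 0x11B."""


def pmul(a: int, b: int) -> int:
    """Product in Z2[x] (carry-less multiplication, no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def pmod(a: int, p: int) -> int:
    """a(x) mod p(x) in Z2[x]: cancel the leading term with a shifted copy of p(x)
    until deg a < deg p (the slides' x^8 = x^4 + x^3 + x + 1 step, repeated)."""
    deg_p = p.bit_length() - 1
    while a and a.bit_length() - 1 >= deg_p:
        a ^= p << (a.bit_length() - 1 - deg_p)
    return a


def gf_mul(a: int, b: int, p: int) -> int:
    """Multiplication in GF(2^n), p(x) irreducible of degree n."""
    return pmod(pmul(a, b), p)


def gf_inv(a: int, p: int) -> int:
    """a^-1 in GF(2^n) as a^(2^n - 2): the nonzero elements form a group of
    order 2^n - 1, so a^(2^n - 1) = 1 (a choice of this example)."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    n = p.bit_length() - 1
    result, base, e = 1, a, (1 << n) - 2
    while e:                       # square-and-multiply
        if e & 1:
            result = gf_mul(result, base, p)
        base = gf_mul(base, base, p)
        e >>= 1
    return result


AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1


def xtime(byte: int) -> int:
    """AES 'multiply by 02': shift left; if bit x^7 was set, XOR with 00011011."""
    byte <<= 1
    return (byte ^ 0x1B) & 0xFF if byte & 0x100 else byte
```

`pmul(0b1011, 0b110)` gives x⁵ + x⁴ + x³ + x as on the polynomial ring slide, `pmod(0b10001, 0b1011)` reduces x⁴ + 1 to x² + x + 1, `gf_inv(0x53, AES_POLY)` returns 0xCA, and `xtime(0x87)` returns 0x15; the last assertion checks that every nonzero byte has an inverse, which is exactly the field property AES relies on and which fails if a reducible p(x) is substituted.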

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Mathematical Model for Ciphers

• Message space P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
– M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ(i=1..N) p(ai) = 1
• Key space K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
– B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ(i=1..S) p(bi) = 1
• Ciphertext space C = {c | c = ek(m), k ∈ K, m ∈ P}
[Figure: Sender → Encryption → c → Decryption → Receiver; the key k reaches both ends over a Secure Channel; Cryptanalysis observes c. Labels: Key Space (K), Message Space (P), Ciphertext Space (C)]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
(R. G. Gallager, on Claude Shannon, 1916-2001)

Probability Distribution of C

• Pr[C = c] = Σ(k ∈ K: c ∈ C(k)) Pr[K = k] · Pr[P = dk(c)]
– C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = Σ(k ∈ K: m = dk(c)) Pr[K = k]
• Pr[P = m | C = c]
= Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
= (Pr(m) · Σ(k: m = dk(c)) Pr(k)) / (Σ(k ∈ K: c ∈ C(k)) Pr(k) · Pr(dk(c)))

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
– How to define the "information"?
• Definition: an encryption scheme is Shannon secure if the probability distribution of P is unchanged by observing C:
∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C| (and every plaintext and every ciphertext occurs with positive probability)
• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y

Proof of ⇐

• Pr[x = x | y = y] = (Σ(k ∈ K: x = dk(y)) Pr[K = k] · Pr[x = x]) / (Σ(k ∈ K: y ∈ C(k)) Pr[K = k] · Pr[x = dk(y)])
• Numerator: exactly one key maps x to y, so Σ(k ∈ K: x = dk(y)) Pr[K = k] = 1/|K|
• Denominator: Σ(k ∈ K: y ∈ C(k)) Pr[K = k] · Pr[x = dk(y)] = (1/|K|) · Σ(k ∈ K: y ∈ C(k)) Pr[x = dk(y)] = (1/|K|) · Σ(x ∈ P) Pr[x = x] = 1/|K|, because as k runs over K the plaintexts dk(y) run over all of P exactly once
• Hence Pr[x | y] = Pr[x]

Proof of ⇒ (unique key)

• Assume Pr[y] > 0 for every y ∈ C
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y] (Bayes)
• Fix x ∈ P; for every y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k with ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
– So there are no two keys k1 ≠ k2 with ek1(x) = ek2(x)
– Hence there is a unique key k such that ek(x) = y

Proof of ⇒ (equiprobable keys)

• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with eki(xi) = y (unique by the previous slide)
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y] for every i
– Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
– Consider a probability distribution on P that is nonzero everywhere
– Given any C = c, for every m
Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
– As one key decrypts c into one message only, at least n keys are needed
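Perfect secrecy checked numerically from the slides' formulas for Pr[C = c] and Pr[P = m | C = c], as an added Python example (not lecture code). The cryptosystem is the shift cipher ek(m) = m + k (mod 26) applied letter by letter; the key and plaintext distributions are constructed for the demonstration. With uniform keys and one-letter messages the scheme has perfect secrecy; with two-letter messages under one shared shift it does not, because the ciphertext reveals the difference of the two letters even though |K| = 26 exceeds |P| = 3; and a biased key distribution breaks it even for one letter, matching the two conditions of the theorem above.

```python
"""Perfect secrecy checked from Pr[P = m | C = c] = Pr[P = m].
Added example: shift cipher over Z26 with constructed toy distributions;
exact rational arithmetic so equality tests are meaningful."""
from fractions import Fraction

ALPHABET = 26


def shift_encrypt(key: int, msg: tuple) -> tuple:
    return tuple((m + key) % ALPHABET for m in msg)


def shift_decrypt(key: int, ctxt: tuple) -> tuple:
    return tuple((c - key) % ALPHABET for c in ctxt)


def uniform(items) -> dict:
    items = list(items)
    return {x: Fraction(1, len(items)) for x in items}


def ciphertext_dist(enc, key_dist: dict, msg_dist: dict) -> dict:
    """Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] * Pr[P = m]."""
    dist = {}
    for k, pk in key_dist.items():
        for m, pm in msg_dist.items():
            c = enc(k, m)
            dist[c] = dist.get(c, 0) + pk * pm
    return dist


def posterior(enc, key_dist: dict, msg_dist: dict, m, c) -> Fraction:
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c] (Bayes)."""
    pc_given_m = sum(pk for k, pk in key_dist.items() if enc(k, m) == c)
    return pc_given_m * msg_dist[m] / ciphertext_dist(enc, key_dist, msg_dist)[c]


def is_perfectly_secret(enc, key_dist: dict, msg_dist: dict) -> bool:
    """Shannon security: Pr[P = m | C = c] = Pr[P = m] for every m and every c with Pr[C = c] > 0."""
    cdist = ciphertext_dist(enc, key_dist, msg_dist)
    return all(posterior(enc, key_dist, msg_dist, m, c) == msg_dist[m]
               for m in msg_dist for c in cdist)


# Constructed distributions for the demonstration (not from the lecture).
UNIFORM_KEYS = uniform(range(ALPHABET))                                        # Pr[K = k] = 1/26
BIASED_KEYS = {k: Fraction(2 if k == 0 else 1, 27) for k in range(ALPHABET)}   # key 0 twice as likely
ONE_LETTER_MSGS = {(0,): Fraction(1, 2), (7,): Fraction(1, 3), (19,): Fraction(1, 6)}
TWO_LETTER_MSGS = uniform([(0, 0), (0, 1), (1, 0)])                            # one shift for both letters
```

The two-letter failure is the one-time-pad lesson in miniature: reusing the same key material for a second symbol leaks the relation between the symbols, regardless of the key space being larger than the message space.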

Introduction of Complexity

• Perfect secrecy ⇒ key length ≥ message length
– One key can NOT be used to encrypt many messages
– E.g. a 56-bit key cannot give perfect secrecy for a document longer than 56 bits
• So in modern cryptography
– NOT perfect secrecy
– Security under limited resources (complexity)
– Meaning that key (or plaintext) recovery is computationally difficult
– Complexity is the foundation of modern cryptography

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
– Name: GCD problem
– Instance: two natural numbers a, b ∈ N
– Question: what is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: a Turing Machine is given by a transition function δ: S × B → S × B × {l, r}
– where S is the set of states, B the tape alphabet (characters), l is shift left and r is shift right
[Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a finite State Machine]

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 18

Congruence Properties

bull Propertiesndash a b (mod n) c d (mod n)

a+c b+d (mod n)

ac bd (mod n)ndash Example

10 1 mod 9 102 1 mod 9 hellip

a = am10m+hellip+a110+a0 am+hellip+a1+a0 mod 9

ndash a b (mod n) d|n a b (mod d)

Zhijun Li S1034040Autumn08HIT 19

Congruence Relation

bull Congruence relation is an equivalence relationndash Reflexive

bull a andash Symmetric

bull a b b a ndash Transitive

bull a b b c a c

bull Equivalence relation Partition

Zhijun Li S1034040Autumn08HIT 20

Example Integers Modulo 7

bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence

Z7 residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

bull Definition if a b mod n and bltn b is called a residue of a modulo n

bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i

n the set satisfies bri mod n

bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele

ment is relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues Example

bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379

bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n-1}
• Under normal arithmetic (+, ×):
  – [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • Proof: Let a = q1·n + r1, b = q2·n + r2
    • (a + b) mod n = (q1·n + r1 + q2·n + r2) mod n = (r1 + r2) mod n
  – [(a mod n) × (b mod n)] mod n = (a·b) mod n
• (+, ×) ⇒ (-)

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Example

• (Z8 = {0, 1, 2, …, 7}, +)

What

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Example

• (Z8 = {0, 1, 2, …, 7}, ×)

NOT all elements in Z8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

• Additive inverse always exists
  – (a + (-a)) ≡ 0 mod n, -a = n - a
  – if (a + b) ≡ (a + c) mod n then b ≡ c mod n
    • ((-a) + a + b) ≡ ((-a) + a + c) mod n
• Multiplicative inverse does NOT always exist
  – Example: 6 in Z8
  – When

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular Arithmetic

• Definition: x = a^-1 mod n is the multiplicative inverse of a ∈ {1, 2, …, n-1} when a·x ≡ 1 mod n
• Theorem: a^-1 mod n exists if and only if gcd(a, n) = 1
• Lemma: If gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
  – Proof: assume a·i ≡ a·j mod n ⇒ n | a·(i-j) ⇒ n | (i-j) ⇒ i-j = 0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

• Proof
  – (⇐) gcd(a, n) = 1 ⇒ a·{1, …, n-1} mod n is a permutation of {1, …, n-1}
  – So there exists exactly one i with a·i ≡ 1 mod n
  – Therefore i is a^-1 mod n
  – (⇒) Suppose a^-1 exists; call it x
  – a·x ≡ 1 (mod n) ⇒ a·x + y·n = 1 for some integer y
  – ⇒ gcd(a, n) = 1 (gcd(a, n) | a·x + y·n ⇒ gcd(a, n) | 1)

Zhijun Li S1034040Autumn08HIT 29

Euler's phi Function

• Euler's "phi" function φ(n)
  – is the number of invertible elements of Zn
  – is the number of elements in the reduced set of residues modulo n

φ(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

• Theorem: let n1, n2, …, nk be integers s.t. gcd(ni, nj) = 1 (i ≠ j)

    x ≡ a1 mod n1
    x ≡ a2 mod n2
    ……
    x ≡ ak mod nk

  There exists a unique solution x modulo n = n1·n2·…·nk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

• Consider the one-to-one map Zn → Zn1 × Zn2 × … × Znk
    x ↦ (x mod n1, x mod n2, …, x mod nk)
  – CRT is finding the inverse map (a1, a2, …, ak) ↦ x:
    x = Σ_{i=1..k} ai·mi·yi mod n
  – mi = n/ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
  – yi = mi^-1 mod ni, 1 ≤ i ≤ k
  – mi ≡ 0 mod nj for j ≠ i ⇒ ai·mi·yi ≡ 0 mod nj for j ≠ i
  – yj ≡ mj^-1 mod nj ⇒ mj·yj ≡ 1 mod nj ⇒ aj·mj·yj ≡ aj mod nj
  ⇒ (Σ_{i=1..k} ai·mi·yi) mod nj = aj
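An added Python example (not from the slides) that implements the reconstruction formula above, x = Σ ai·mi·yi mod n, with a coprimality check because the map is only one-to-one for pairwise coprime moduli. The instance x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7) is constructed here, and the inverses yi come from Python's built-in pow(m, -1, ni).

```python
from math import gcd, prod


def crt(residues, moduli):
    """Return the unique x in [0, n) with x = a_i (mod n_i) for every i.

    The slide's map Z_n -> Z_n1 x ... x Z_nk is one-to-one only for
    pairwise coprime moduli, so non-coprime inputs are rejected rather
    than silently producing a value that fails some congruence.
    """
    if len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    n = prod(moduli)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i              # m_i = n / n_i, so m_i = 0 (mod n_j) for every j != i
        y_i = pow(m_i, -1, n_i)     # y_i = m_i^-1 mod n_i; exists because gcd(m_i, n_i) = 1
        x += a_i * m_i * y_i        # this term is a_i mod n_i and 0 mod every other n_j
    return x % n


def split(x, moduli):
    """The forward map on the slide: x -> (x mod n_1, ..., x mod n_k)."""
    return tuple(x % n_i for n_i in moduli)


if __name__ == "__main__":
    # constructed instance: x = 2 (mod 3), x = 3 (mod 5), x = 2 (mod 7)  ->  x = 23 (mod 105)
    mods = (3, 5, 7)
    x = crt((2, 3, 2), mods)
    print(x, split(x, mods))   # 23 (2, 3, 2)
```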

Zhijun Li S1034040Autumn08HIT 32

Finding Euler's phi Function

• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof
  – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – So φ(mn) = φ(m)·φ(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Euler's phi Function

• φ(n) calculation for n = Π_{i=1..k} pi^ei
  – φ(p) = p - 1, φ(p^e) = p^e - p^(e-1)
    – The numbers k·p with k = 1, …, p^(e-1) - 1 have gcd(k·p, p^e) ≥ p
    – So φ(p^e) = (p^e - 1) - (p^(e-1) - 1)
  – φ(Π_{i=1..k} pi^ei) = Π_{i=1..k} (pi^ei - pi^(ei-1))
  – φ(n) = n·(1 - 1/p1)·(1 - 1/p2)·…·(1 - 1/pk)

Zhijun Li S1034040Autumn08HIT 34

Euler's Theorem

• Theorem: If gcd(a, n) = 1 then a^φ(n) ≡ 1 mod n
• Proof:
  1. Let R = {r1, r2, …, r_φ(n)} be a reduced set of residues modulo n
  2. {a·r1, a·r2, …, a·r_φ(n)} is a permutation of R (gcd(a·ri, n) = 1)
  3. Π_{i=1..φ(n)} ri ≡ Π_{i=1..φ(n)} a·ri ≡ a^φ(n) · Π_{i=1..φ(n)} ri mod n
  4. gcd(Π_{i=1..φ(n)} ri, n) = 1. Hence a^φ(n) ≡ 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermat's Little Theorem

• From Euler's Theorem:
  Let n = p with p a prime.
  Because for all 0 < a < p, gcd(a, p) = 1, then
    a^(p-1) ≡ 1 mod p

Zhijun Li S1034040Autumn08HIT 36

Finding a^-1 mod n

• Search through 1…n-1 until an a^-1 is found such that a·a^-1 ≡ 1 (mod n)
  – T(n) = O(n)
• Compute a^-1 = a^(φ(n)-1) mod n
  – Finding φ(n) ⇒ factoring n
  – T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 - q1·r1 = s2·r0 + t2·r1
• r3 = r1 - q2·r2 = r1 - q2·(r0 - q1·r1) = s3·r0 + t3·r1
  ……
• r_{n-1} = s_{n-1}·r0 + t_{n-1}·r1
• r_{n-1} = gcd(r0, r1)
• s_{n-1}·r0 + t_{n-1}·r1 = 1 ⇒ t_{n-1}·r1 ≡ 1 mod r0 ⇒ t_{n-1} ≡ r1^-1 mod r0
• Find t_{n-1}

Zhijun Li S1034040Autumn08HIT 38

si and ti

• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
  ……
• ri = r_{i-2} - q_{i-1}·r_{i-1} = s_{i-2}·r0 + t_{i-2}·r1 - q_{i-1}·s_{i-1}·r0 - q_{i-1}·t_{i-1}·r1 = si·r0 + ti·r1
    si = s_{i-2} - q_{i-1}·s_{i-1}
    ti = t_{i-2} - q_{i-1}·t_{i-1}
• Only ti is needed
• ri = si·r0 + ti·r1 ≡ ti·r1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a
Step 2: r0 = q1·r1 + r2, r2 = r0 - q1·r1 ≡ -q1·r1 mod n; let x2 = -q1, then r2 ≡ x2·r1 mod n
        r1 = q2·r2 + r3, r3 = r1 - q2·r2 ≡ (1 - x2·q2)·r1 mod n; let x3 = 1 - x2·q2, then r3 ≡ x3·r1 mod n
        ……
        r_{n-3} = q_{n-2}·r_{n-2} + r_{n-1}, r_{n-1} = r_{n-3} - q_{n-2}·r_{n-2} mod n; let x_{n-1} = x_{n-3} - x_{n-2}·q_{n-2}, then r_{n-1} ≡ x_{n-1}·r1 mod n. Now r_{n-1} = 1
Step 3: Result is x_{n-1} = a^-1 mod n
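An added Python example (not from the slides) of the three steps above: only the t_i (here called x_i) coefficients are carried, using t_i = t_{i-2} - q_{i-1}·t_{i-1}, so that every remainder satisfies r_i ≡ t_i·a (mod n); the function also returns the trace table so a run can be checked by hand. Inputs are constructed; the inverse-less case gcd(a, n) ≠ 1 is reported instead of returning a wrong value.

```python
def mod_inverse(a, n):
    """Return a^-1 mod n by the extended Euclidean algorithm, or None if gcd(a, n) != 1."""
    if n <= 1:
        raise ValueError("modulus must be > 1")
    r_prev, r_cur = n, a % n   # r0 = n, r1 = a
    t_prev, t_cur = 0, 1       # t0 = 0, t1 = 1: r0 = 1*r0 + 0*r1 and r1 = 0*r0 + 1*r1
    while r_cur != 0:
        q = r_prev // r_cur    # r_{i-1} = q * r_i + r_{i+1}
        r_prev, r_cur = r_cur, r_prev - q * r_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur   # t_{i+1} = t_{i-1} - q * t_i
    # invariant kept by the loop: r_prev = t_prev * a (mod n); now r_prev = gcd(n, a)
    if r_prev != 1:
        return None            # no inverse: gcd(a, n) != 1
    return t_prev % n


def euclid_trace(a, n):
    """Rows (r_i, t_i) of the slide's table, ending at the gcd; r_i = t_i * a (mod n) on every row."""
    rows = []
    r_prev, r_cur, t_prev, t_cur = n, a % n, 0, 1
    while True:
        rows.append((r_prev, t_prev))
        if r_cur == 0:
            return rows
        q = r_prev // r_cur
        r_prev, r_cur = r_cur, r_prev - q * r_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur


if __name__ == "__main__":
    # constructed inputs: 3^-1 mod 7 = 5; 6 has no inverse mod 8 (slide 26's example)
    print(mod_inverse(3, 7), mod_inverse(6, 8))   # 5 None
    for r_i, t_i in euclid_trace(3, 7):
        assert (t_i * 3 - r_i) % 7 == 0           # r_i = t_i * a (mod n)
```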

Zhijun Li S1034040Autumn08HIT 40

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 41

Algebraic Structures

• Why structures?
  – Cryptographic transforms are normally carried out in some structure
• Definition: an algebraic structure is the collection of a set (S) with one (or more) operations (∘) performed on the elements of S
  – Different algebraic structures are <S, ∘> satisfying some specific conditions

Zhijun Li S1034040Autumn08HIT 42

Group

• Definition: A group G = <S, ∘> is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c)
  – G3: ∃e ∈ S, ∀a ∈ S, a∘e = e∘a = a
  – G4: ∀a ∈ S, ∃a^-1 ∈ S, a∘a^-1 = a^-1∘a = e
  – [G5, Abelian group]: ∀a, b, a∘b = b∘a

Zhijun Li S1034040Autumn08HIT 43

Group Example

• <Z, +>: e = 0, a^-1 = -a
• <Zn, +> (Zn = {0, 1, …, n-1}, '+' is addition modulo n): e = 0, a^-1 = n - a
• <Z2, > is also a group
• <Zp*, ×> (Zp* = {1, …, p-1}, '×' is multiplication modulo p)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G1 = <S1, ∘> is a subgroup of the group G = <S, ∘> if S1 ⊆ S
• Lagrange Theorem: The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem: Proof

(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (e ∈ H). So all the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of a Group Element

• Definition: The order of a group element a is defined as the least positive integer n such that
    a^n = a∘a∘…∘a = e
• The order of a is denoted ord(a)
• Corollary: Suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n

Zhijun Li S1034040Autumn08HIT 47

ord(a) | n: Proof

• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G
    a^ord(a) = e, (a^i)^-1 = a^(ord(a)-i)
  – This subgroup is denoted <a>

Zhijun Li S1034040Autumn08HIT 48

The Generator of a Group

• Definition: If all elements of a group can be generated by a single element g, g is called the generator of the group
• Example
  – Consider <Z7*, ×>
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • <{1, 2, 4}> is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator

Zhijun Li S1034040Autumn08HIT 49

Ring

• Definition: A ring R = <S, +, ×> (+ is addition, × is multiplication) such that
  – R1: ∀a, b ∈ S, a + b ∈ S, a × b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S, (a × b) × c = a × (b × c)
  – R4: ∀a, b, c ∈ S, a × (b + c) = a × b + a × c
• Example
  – The set of even integers with + and × is a ring
  – p, q two primes, n = pq: Zn = {0, 1, …, n-1} with addition and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

• Definition: A field F is <S, +, ×> with
  – F1: <S, +, ×> is a commutative ring (a × b = b × a)
  – F2: There exists an identity element 1 with respect to multiplication: a × 1 = 1 × a = a
  – F3: Any nonzero element a ∈ S has its unique inverse a^-1: a × a^-1 = a^-1 × a = 1
• Example
  – Zn = <{0, 1, …, n-1}, +, ×> is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Relationship

[Figure: nested structures used in cryptography: Field (+, -, ×, ÷) ⊃ Ring (+, -, ×) ⊃ Group (+, -)]

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F_{2^n}

Zhijun Li S1034040Autumn08HIT 53

Zn

• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n-1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z26 for English
  – Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: yes
  – For every x in Zn there is a number y such that x + y = 0
• Multiplicative inverse: not for all x
  – A number y such that x·y = 1, for x in Zn
  – The elements in Zn that have an inverse: {x | gcd(x, n) = 1}

Zhijun Li S1034040Autumn08HIT 55

Zn*

• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field

Zhijun Li S1034040Autumn08HIT 56

Zp

• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p-1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2

    +  | 0 | 1          ×  | 0 | 1          w | -w | w^-1
    ---+---+---         ---+---+---         --+----+-----
    0  | 0 | 1          0  | 0 | 0          0 |  0 |  -
    1  | 1 | 0          1  | 0 | 1          1 |  1 |  1

  + is XOR, × is AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + a_{n-1}·x^(n-1) + … + a1·x + a0 where each ai ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), or a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) - b(x))
• Example
  – Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    • 3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x·(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Zhijun Li S1034040Autumn08HIT 62

Example: Z2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 mod p(x) = x·(x + 1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Zhijun Li S1034040Autumn08HIT 63

Z2[x]/(x^3 + x + 1) Properties

• S is a group over addition in R
  – 0 is e and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S is a group over multiplication mod p(x)
  – 1 is e and the inverse of a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ x + 1 + x mod x^3 + x + 1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find it
• Z2[x]/(x^3 + x + 1) is a field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

• Definition: Galois field = (S, +, ×)
  – S = F[x]/p(x)
  – F is a field ZN (N is prime)
  – + is addition in F, × is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over ZN[x]/p(x) is denoted GF(N^n) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251…255 are wasted
• Is it possible to find a field for Z256?
  – Yes: Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

• Build a mapping from an n-bit block to polynomials
• Example: 8-bit block
    10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Zhijun Li S1034040Autumn08HIT 68

Galois Field Example: AES

• Example: 02 · 87 =
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ f(x) = x
  • 02 · 87 ↔ x·f(x) = x·(x^7 + x^2 + x + 1) mod p(x) = x^8 + x·(x^2 + x + 1) mod p(x)
• x·f(x), i.e. multiplication by 02, for a byte (b7 b6 b5 b4 b3 b2 b1 b0):
    (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
    (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)     if b7 = 1
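An added Python example (not from the slides, and not AES reference code) representing polynomials over Z2 as bit masks, with bit i the coefficient of x^i. The same reduction and multiplication routines serve the Z2[x] examples of slides 58 and 62-63 (modulus x^3 + x + 1) and the AES GF(2^8) examples of slides 67-68 (modulus x^8 + x^4 + x^3 + x + 1, 0x11B), including the multiply-by-02 shortcut and the inverse of 0x53 via Fermat's theorem; the modulus is passed explicitly, so the functions are not limited to those two fields.

```python
def poly_degree(a):
    """Degree of the Z_2 polynomial encoded in int a (0 reports -1)."""
    return a.bit_length() - 1


def poly_mod(a, p):
    """a(x) mod p(x) over Z_2: XOR (= subtract) shifted copies of p until deg a < deg p."""
    dp = poly_degree(p)
    while a and poly_degree(a) >= dp:
        a ^= p << (poly_degree(a) - dp)
    return a


def poly_mul(a, b, p=0):
    """a(x)*b(x) over Z_2 by shift-and-XOR; reduced mod p(x) when p is non-zero."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return poly_mod(result, p) if p else result


def aes_xtime(b):
    """Multiply a GF(2^8) byte by x (= 02) as on slide 68: shift left, XOR 0x1B if b7 was set."""
    b <<= 1
    if b & 0x100:
        b ^= 0x11B          # subtract x^8 + x^4 + x^3 + x + 1: clears bit 8, adds 0x1B
    return b


def gf_inverse(a, p):
    """a^-1 in Z_2[x]/p(x) via Fermat: a^(2^n - 2) with n = deg p; 0 has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    e = (1 << poly_degree(p)) - 2
    result, base = 1, a
    while e:                # square-and-multiply in the field
        if e & 1:
            result = poly_mul(result, base, p)
        base = poly_mul(base, base, p)
        e >>= 1
    return result


P3 = 0b1011      # x^3 + x + 1, the modulus of slides 62-63
AES_P = 0x11B    # x^8 + x^4 + x^3 + x + 1, the AES modulus of slide 67

if __name__ == "__main__":
    print(bin(poly_mul(0b1011, 0b110)))                  # f*g of slide 58: 0b111010 = x^5+x^4+x^3+x
    print(bin(poly_mod(0b10001, P3)), poly_mul(0b101, 0b10, P3))   # 0b111 (x^2+x+1), 1
    print(hex(poly_mul(0x02, 0x87, AES_P)), hex(aes_xtime(0x87)))  # 0x15 0x15
    print(hex(gf_inverse(0x53, AES_P)))                  # 0xca, as on slide 67
```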

Zhijun Li S1034040Autumn08HIT 69

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai | i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1..N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi | i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1..S} p(bi) = 1
• C = {c | c = ek(m), k ∈ K, m ∈ M}

[Figure: Sender → Encryption → c → Decryption → Receiver, with m drawn from the Message Space (P), k from the Key Space (K) delivered over a Secure Channel, c in the Ciphertext Space (C), and Cryptanalysis observing c]

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
  R. G. Gallager

Claude Shannon, 1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k]·Pr[P = dk(c)]
  – C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
• Pr[P = m | C = c]
    = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
    = (Pr(m)·Σ_{k | m = dk(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k)·Pr(dk(c)))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

• Basic idea: ciphertext should provide no "information" about plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P, ∀c, m: Pr[P = m] = Pr[P = m | C = c]
• Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and ∀x ∈ P and y ∈ C there is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of ⇐

• Pr[x = x | y = y] = Σ_{k ∈ K, x = dk(y)} Pr[K = k]·Pr[x = x] / Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = dk(y)]
• Numerator: Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K| (exactly one key maps x to y, and every key has probability 1/|K|)
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = dk(y)] = 1/|K| · Σ_{k ∈ K, y ∈ C(k)} Pr[x = dk(y)] = 1/|K| · Σ_{x ∈ P} Pr[x = x] = 1/|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of ⇒

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with ek1(x) = ek2(x)
  – There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of ⇒

• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, assume k1, k2, …, kn where e_{ki}(xi) = y
• Pr[xi | y] = Pr[y | xi]·Pr[xi] / Pr[y] = Pr[K = ki]·Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|

Zhijun Li S1034040Autumn08HIT 78

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
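An added Python example (not from the slides) that evaluates the slide-72 formulas for Pr[C = c] and Pr[P = m | C = c] by exhaustive enumeration and tests the perfect-secrecy condition of slide 73. The cipher is a constructed shift cipher over Z5 with a skewed plaintext distribution: uniform keys over all of Z5 satisfy the theorem, while a key space smaller than the plaintext space (the "bad news" bound) or a non-uniform key distribution fails it. Exact fractions are used so the equality test is not disturbed by floating-point rounding.

```python
from fractions import Fraction


def shift_encrypt(k, m, n):
    return (m + k) % n


def shift_decrypt(k, c, n):
    return (c - k) % n


def ciphertext_distribution(p_dist, k_dist, n):
    """Pr[C = c] = sum over keys k with c in C(k) of Pr[K = k] * Pr[P = d_k(c)]."""
    pr_c = {}
    for c in range(n):
        total = Fraction(0)
        for k, pk in k_dist.items():
            m = shift_decrypt(k, c, n)
            if m in p_dist:           # c is in C(k) exactly when d_k(c) is a plaintext
                total += pk * p_dist[m]
        pr_c[c] = total
    return pr_c


def posterior(p_dist, k_dist, n):
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c], for every c with Pr[C = c] > 0."""
    pr_c = ciphertext_distribution(p_dist, k_dist, n)
    post = {}
    for c in range(n):
        if pr_c[c] == 0:
            continue
        for m, pm in p_dist.items():
            # Pr[C = c | P = m] = sum of Pr[K = k] over the keys with e_k(m) = c
            pr_c_given_m = sum((pk for k, pk in k_dist.items() if shift_encrypt(k, m, n) == c), Fraction(0))
            post[(m, c)] = pr_c_given_m * pm / pr_c[c]
    return post


def is_perfectly_secret(p_dist, k_dist, n):
    """Shannon secure iff Pr[P = m | C = c] == Pr[P = m] for all m and all c with Pr[C = c] > 0."""
    return all(pr == p_dist[m] for (m, c), pr in posterior(p_dist, k_dist, n).items())


def uniform(keys):
    keys = list(keys)
    return {k: Fraction(1, len(keys)) for k in keys}


N = 5
# constructed, deliberately skewed plaintext distribution over Z_5
P_DIST = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8), 4: Fraction(0)}
SKEWED_KEYS = {0: Fraction(1, 3), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6), 4: Fraction(1, 6)}

if __name__ == "__main__":
    print(is_perfectly_secret(P_DIST, uniform(range(N)), N))   # True: |K| = |P| = |C|, uniform keys
    print(is_perfectly_secret(P_DIST, uniform(range(3)), N))   # False: |K| < |P|, the "bad news" bound
    print(is_perfectly_secret(P_DIST, SKEWED_KEYS, N))         # False: keys not equiprobable
```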

Zhijun Li S1034040Autumn08HIT 79

Introduction to Complexity

• Perfect secrecy ⇒ key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Means that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Zhijun Li S1034040Autumn08HIT 81

Turing Machine

• Definition: A Turing Machine is S × B → S × B × {l, r}
  – where S is the set of states, B the characters, l is shift left and r is shift right

[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a state machine]

Zhijun Li S1034040Autumn08HIT 82

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Zhijun Li S1034040Autumn08HIT 83

Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; an ALGORITHM takes an instance as Input and produces the Output]

Zhijun Li S1034040Autumn08HIT 84

Complexity of an Algorithm

• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Zhijun Li S1034040Autumn08HIT 85

Complexity of a Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problems

• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: AB
  – NP: can be solved in polynomial time using an NDTM (S × B → 2^S)
  – BPP: can be "solved" in polynomial time using a PTM (S × B × {0, 1} → S) (randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problems

• NP ⊇ P: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P Problems ⊆ NP Problems
  – NP problems are "more difficult" from intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP and I1+ and I2+ are their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is more complex than Q1
  – Denoted Q1 ≤poly Q2

Zhijun Li S1034040Autumn08HIT 89

NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC?
  – SAT ≤poly Q

Zhijun Li S1034040Autumn08HIT 90

P = NP?

• P = NP, or ∃p ∈ NP, p ∉ P
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP, p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Find x satisfying α^x ≡ β (mod p)
• DHP: Find α^(ab) (mod p) from α^a (mod p) and α^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Zhijun Li S1034040Autumn08HIT 93

Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximate perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε

  Challenger: picks random k and picks random b ∈ {0, 1}
  Adversary: picks M0, M1 of equal length
  Attacker wins the game if b = b'

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε

  Challenger: 1. picks random k; 2. picks random M
  Adversary: 3. picks i
  Attacker wins the game if a = the i'th bit of M

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 19

Congruence Relation

bull Congruence relation is an equivalence relationndash Reflexive

bull a andash Symmetric

bull a b b a ndash Transitive

bull a b b c a c

bull Equivalence relation Partition

Zhijun Li S1034040Autumn08HIT 20

Example Integers Modulo 7

bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence

Z7 residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

bull Definition if a b mod n and bltn b is called a residue of a modulo n

bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i

n the set satisfies bri mod n

bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele

ment is relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues Example

bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379

bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1

bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n

bull Proof Let a=q1n+r1 b=q2n+r2

bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n

ndash [(a mod n) (b mod n)] mod n = (ab) mod n

bull (+ ) (-)

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)

What

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )

NOT all elements in Z8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n

bull ((-a)+a+b) ((-a)+a+c) mod n

bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8

ndash When

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n

bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists

bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=

0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Lagrange's Theorem: Proof

(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H

(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅

(3) Each element of G is in some coset (a ∈ aH because e ∈ H), so the cosets form a partition of G

(4) The order of aH equals the order of H

So the order of H divides the order of G

The Order of a Group Element

• Definition: The order of a group element a is the least positive integer n such that

a^n = a ∘ a ∘ … ∘ a = e

• The order of a is denoted ord(a)

• Corollary: Suppose G is a finite group of order n and a ∈ G; then ord(a) | n

ord(a) | n: Proof

• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operator of G forms a subgroup of G:

a^{ord(a)} = e, (a^i)^{−1} = a^{ord(a) − i}

  – This subgroup is denoted ⟨a⟩; it has ord(a) elements, so Lagrange's Theorem gives ord(a) | n

The Generator of a Group

• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group

• Example
  – Consider ⟨Z_7^*, ·⟩
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), …
    • ⟨2⟩ = {1, 2, 4} is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator
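An added example (not from the slides) that computes element orders, generated subgroups and generators in ⟨Z_n^*, ·⟩, reproducing the Z_7^* computation above and checking the corollary ord(a) | |G| from the preceding slides; it generalises from Z_p^* to Z_n^* so that a group without a generator (Z_8^*) can be shown as well. The function names are my own.

```python
"""Added example (not from the slides): orders, subgroups and generators in
the multiplicative group Z_n^* = {x | gcd(x, n) = 1} of integers modulo n."""
from math import gcd
from typing import List, Set


def units(n: int) -> List[int]:
    """Z_n^*: the invertible residues modulo n; len(units(n)) is phi(n)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def mul_order(a: int, n: int) -> int:
    """ord(a): least k >= 1 with a^k ≡ 1 (mod n). Requires gcd(a, n) = 1,
    otherwise the powers of a never return to 1 and the loop would not end."""
    if gcd(a, n) != 1:
        raise ValueError("a must be invertible modulo n")
    k, x = 1, a % n
    while x != 1:
        x = x * a % n
        k += 1
    return k


def generated_subgroup(a: int, n: int) -> Set[int]:
    """<a> = {a, a^2, ..., a^ord(a)}, the cyclic subgroup generated by a."""
    return {pow(a, i, n) for i in range(1, mul_order(a, n) + 1)}


def generators(n: int) -> List[int]:
    """Elements whose order equals the group order |Z_n^*|, i.e. g with <g> = Z_n^*."""
    group_order = len(units(n))
    return [g for g in units(n) if mul_order(g, n) == group_order]


def lagrange_holds(n: int) -> bool:
    """Check the corollary ord(a) | |Z_n^*| for every element a."""
    group_order = len(units(n))
    return all(group_order % mul_order(a, n) == 0 for a in units(n))


if __name__ == "__main__":
    for a in units(7):
        print(f"ord({a}) = {mul_order(a, 7)}  <{a}> = {sorted(generated_subgroup(a, 7))}")
    print("generators of Z_7^*:", generators(7))     # [3, 5]
    print("generators of Z_8^*:", generators(8))     # [] (every element has order <= 2)
```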

Ring

• Definition: A ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) is such that
  – R1: ∀a, b ∈ S, a + b ∈ S and a · b ∈ S (closure rule)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: ∀a, b, c ∈ S, (a · b) · c = a · (b · c)
  – R4: ∀a, b, c ∈ S, a · (b + c) = a · b + a · c

• Example
  – The set of even integers with + and · is a ring
  – For two primes p, q and n = pq, Z_n = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Field

• Definition: A field F is ⟨S, +, ·⟩ with
  – F1: ⟨S, +, ·⟩ is a commutative ring (a · b = b · a)
  – F2: there exists an identity element 1 with respect to multiplication: a · 1 = 1 · a = a
  – F3: any nonzero element a ∈ S has a unique inverse a^{−1}: a · a^{−1} = a^{−1} · a = 1

• Example
  – Z_n = ⟨{0, 1, …, n−1}, +, ·⟩ is a field if n is a prime

Relationship

[Figure: nested structures, all used in cryptography]
  – Group: +, −
  – Ring: +, −, ×
  – Field: +, −, ×, ÷

Several Important Structures

• Z_n

• Z_n^*

• Z_p

• Polynomial Rings

• Galois Field F_{2^n}

Z_n

• Z_n is the "ring" of integers modulo n
  – Z_n = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n

• Example
  – Z_26 for English letters
  – Z_256 for ASCII bytes

Z_n Properties

• Additive and multiplicative identities in Z_n
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n

• Additive inverse: yes, for every x
  – For each x in Z_n there is a y such that x + y ≡ 0 (mod n)

• Multiplicative inverse: not for all x
  – For a given x in Z_n, a y such that x · y ≡ 1 (mod n) need not exist
  – The elements of Z_n that have an inverse are {x | gcd(x, n) = 1}

Z_n^*

• Z_n^* is a "group" of integers modulo n
  – Z_n^* = {x | gcd(x, n) = 1}
  – |Z_n^*| = φ(n)
  – Normal multiplication modulo n

• Z_n^* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Z_n^* but 3 + 5 = 8 ∉ Z_n^*

• So Z_n^* may not be a field

Z_p

• Z_p is the "field" of integers modulo a prime p
  – Z_p = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p

• Example: Z_2

  +  | 0  1        ·  | 0  1        w | −w | w^{−1}
  ---+------       ---+------       --+----+-------
  0  | 0  1        0  | 0  0        0 |  0 | (none)
  1  | 1  0        1  | 0  1        1 |  1 |   1

  (+ is XOR, · is AND)

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n−1} x^{n−1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0

• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z_2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x) · g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R

• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) − b(x))

• Example
  – In Z_5[x]: 3x^3 + 4x + 4 ≡ x + 4 (mod x^2 + 1)
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)

• Definition: If a(x) · b(x) ≡ 1 (mod p(x)) then b(x) = a^{−1}(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x) · b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)

• Definition: a polynomial a(x) is irreducible over R if there is NO nonconstant polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z_2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1

• For any f(x) ∈ Z_2[x], f(x) mod p(x) ∈ S

• Example
  – x^4 + 1 = x · x^3 + 1 ≡ x(x + 1) + 1 = x^2 + x + 1 (mod p(x)), since x^3 ≡ x + 1

• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z_2[x]/(x^3 + x + 1): Properties

• S is a group over addition in R
  – 0 is e and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0

• The nonzero elements of S form a group over multiplication mod p(x)
  – 1 is e and the inverse of every nonzero a ∈ S exists
  – Example: (x^2 + 1) · x = x^3 + x ≡ (x + 1) + x = 1 (mod x^3 + x + 1)
  – Note: the Extended Euclidean Algorithm can be used to find the inverse

• Z_2[x]/(x^3 + x + 1) is a field

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is a field Z_N (N is prime)
  – + is addition in F, · is multiplication modulo p(x)
  – p(x) is irreducible

• The Galois field over Z_N[x]/p(x) is denoted GF(N^n) where n = deg p(x)

Why Galois Fields

• For an 8-bit block
  – Z_256 = {0, 1, …, 255} is not a field
  – Z_251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted

• Is it possible to find a field with all 256 values of Z_256?
  – Yes: a Galois field

Galois Field for Z_256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block

  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z_2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z_2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^{−1} ↔ (x^6 + x^4 + x + 1)^{−1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES (continued)

• Example: 02 · 87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ x
  • 02 · 87 ↔ x · f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)

• In general, for a byte b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0, multiplication by x (i.e. by 02) is
  x · f(x) ↔ (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) if b_7 = 0
  x · f(x) ↔ (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) ⊕ (00011011) if b_7 = 1
  (00011011 ↔ x^4 + x^3 + x + 1 = p(x) − x^8, the residue of x^8 modulo p(x))
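Added example, not from the slides and not AES's own code: GF(2^n) arithmetic on bit-packed polynomials, serving both the Z_2[x]/(x^3 + x + 1) field above and the AES field, with the 02 · 87 product and the (01010011)^{−1} = 11001010 inverse from the preceding slides as checks. The function names gf_mul, xtime, gf_inv and is_field are my own.

```python
"""Added example (not from the slides): arithmetic in GF(2^n) = Z_2[x]/p(x),
with a polynomial stored as an int whose bit i is the coefficient of x^i."""

# Modulus polynomials, including the leading x^n term.
P_X3 = 0b1011               # x^3 + x + 1             (the 8-element field above)
AES_POLY = 0b1_0001_1011    # x^8 + x^4 + x^3 + x + 1 (the AES field)


def gf_mul(a: int, b: int, poly: int, n: int) -> int:
    """a(x) * b(x) mod p(x) in GF(2^n), by shift-and-add.

    Each round multiplies a by x (a left shift). When the x^{n-1} coefficient
    was set, the shift produces an x^n term, which is replaced by p(x) - x^n:
    for n = 8 that is exactly the b7 rule on the slide (XOR with 00011011)."""
    mask = (1 << n) - 1
    top = 1 << (n - 1)
    result = 0
    for _ in range(n):
        if b & 1:
            result ^= a           # add a * x^i when bit i of b is set
        carry = a & top           # would the next shift overflow into x^n?
        a = (a << 1) & mask       # multiply by x, dropping the x^n bit
        if carry:
            a ^= poly & mask      # x^n ≡ p(x) - x^n (mod p(x))
        b >>= 1
    return result


def xtime(a: int) -> int:
    """The AES '02' multiplication of a byte."""
    return gf_mul(0x02, a, AES_POLY, 8)


def gf_inv(a: int, poly: int, n: int) -> int:
    """a^{-1} = a^(2^n - 2): the nonzero elements form a group of order 2^n - 1,
    so a^(2^n - 1) = 1 (Lagrange). Square-and-multiply on the exponent."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    result, base, e = 1, a, (1 << n) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base, poly, n)
        base = gf_mul(base, base, poly, n)
        e >>= 1
    return result


def is_field(poly: int, n: int) -> bool:
    """Field test: every nonzero element has an inverse. With a reducible p(x)
    there are zero divisors, so a^(2^n - 2) is not an inverse for some a."""
    return all(gf_mul(a, gf_inv(a, poly, n), poly, n) == 1
               for a in range(1, 1 << n))


if __name__ == "__main__":
    print(f"(x^2+1) * x mod x^3+x+1 = {gf_mul(0b101, 0b010, P_X3, 3):03b}")   # 001
    print(f"02 * 87 = {xtime(0x87):02x}")                                       # 15
    print(f"inv(53) = {gf_inv(0x53, AES_POLY, 8):02x}")                        # ca
    print("x^3+x+1 gives a field:", is_field(P_X3, 3))                         # True
    print("x^3+1 gives a field:  ", is_field(0b1001, 3))                       # False
```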

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• P = M^L = {m = (m_1, m_2, …, m_L) | m_i ∈ M}
  – M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1

• K = B^R = {b = (b_1, b_2, …, b_R) | b_i ∈ B}
  – B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1

• C = {c | c = e_k(m), k ∈ K, m ∈ M}

[Figure: Sender → Encryption (m ↦ c) → Decryption → Receiver; the key k from the Key Space (K) reaches both ends over a Secure Channel; Cryptanalysis observes c and targets m; Message Space (P), Ciphertext Space (C)]

Claude Shannon (1916–2001)

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."

R. G. Gallager

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}

• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k | m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)) )

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?

• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P,
  ∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
  • Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and ∀x ∈ P and ∀y ∈ C there is a unique key k such that e_k(x) = y

Proof of ⇐ (the two conditions imply perfect secrecy)

• Pr[x | y] = ( Σ_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[P = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[P = d_k(y)] )

• Numerator: Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|, since exactly one key maps x to y and every key has probability 1/|K|

• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[P = d_k(y)] = (1/|K|) Σ_{k ∈ K, y ∈ C(k)} Pr[P = d_k(y)] = (1/|K|) Σ_{x ∈ P} Pr[P = x] = 1/|K|

• Hence Pr[x | y] = Pr[P = x]

Proof of ⇒ (perfect secrecy implies a unique key)

• Assume Pr[y] > 0 for every y
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]

• Fix x ∈ P; for every y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y

• |{e_k(x) | k ∈ K}| = |C| = |K|
  – So there are no k_1 ≠ k_2 with e_{k_1}(x) = e_{k_2}(x)
  – There is a unique key k such that e_k(x) = y

Proof of ⇒ (perfect secrecy implies equiprobable keys)

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}

• Given a fixed y, let k_1, k_2, …, k_n be the keys with e_{k_i}(x_i) = y

• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = k_i] · Pr[x_i] / Pr[y]

• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
  – Every key is used with equal probability 1/|K|
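An added example (not from the slides) that evaluates the formulas of the "Probability Distribution of C" slide for a constructed shift cipher on Z_5, tests the perfect-secrecy definition against several key distributions, and checks the two conditions of the theorem; the plaintext and key distributions are constructed for the demonstration and the function names are my own.

```python
"""Added example (not from the slides): numerical check of perfect secrecy.

Pr[C = c] and Pr[P = m | C = c] are computed from the joint distribution of
(key, plaintext) for a toy cipher, with exact Fractions so that equality
tests are meaningful."""
from fractions import Fraction
from itertools import product
from typing import Callable, Dict, Tuple

Enc = Callable[[int, int], int]        # e_k(m) -> c

N = 5                                  # constructed: |P| = |C| = 5


def shift_encrypt(k: int, m: int) -> int:
    """Toy cipher e_k(m) = m + k mod N (constructed for the example)."""
    return (m + k) % N


# Constructed distributions. PLAIN is deliberately non-uniform (sums to 1).
PLAIN: Dict[int, Fraction] = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8),
                              3: Fraction(1, 16), 4: Fraction(1, 16)}
UNIFORM_KEYS: Dict[int, Fraction] = {k: Fraction(1, N) for k in range(N)}
BIASED_KEYS: Dict[int, Fraction] = {0: Fraction(1, 2), 1: Fraction(1, 8),
                                    2: Fraction(1, 8), 3: Fraction(1, 8), 4: Fraction(1, 8)}
SMALL_KEYS: Dict[int, Fraction] = {k: Fraction(1, 3) for k in range(3)}   # |K| < |P|


def joint(enc: Enc, plain: Dict[int, Fraction],
          keys: Dict[int, Fraction]) -> Dict[Tuple[int, int], Fraction]:
    """Pr[P = m, C = c] = sum over keys k with e_k(m) = c of Pr[K = k] * Pr[P = m]."""
    table: Dict[Tuple[int, int], Fraction] = {}
    for (k, pk), (m, pm) in product(keys.items(), plain.items()):
        pair = (m, enc(k, m))
        table[pair] = table.get(pair, Fraction(0)) + pk * pm
    return table


def ciphertext_distribution(enc: Enc, plain, keys) -> Dict[int, Fraction]:
    """Pr[C = c]: marginalise the joint distribution over m."""
    pr_c: Dict[int, Fraction] = {}
    for (_, c), p in joint(enc, plain, keys).items():
        pr_c[c] = pr_c.get(c, Fraction(0)) + p
    return pr_c


def posterior(enc: Enc, plain, keys) -> Dict[Tuple[int, int], Fraction]:
    """Pr[P = m | C = c] = Pr[P = m, C = c] / Pr[C = c] (Bayes)."""
    pr_c = ciphertext_distribution(enc, plain, keys)
    return {(m, c): p / pr_c[c] for (m, c), p in joint(enc, plain, keys).items()}


def is_perfectly_secret(enc: Enc, plain, keys) -> bool:
    """Pr[P = m | C = c] == Pr[P = m] for every m and every c with Pr[C = c] > 0.
    A (m, c) pair missing from the posterior has probability 0."""
    post = posterior(enc, plain, keys)
    for c in ciphertext_distribution(enc, plain, keys):
        for m, pm in plain.items():
            if post.get((m, c), Fraction(0)) != pm:
                return False
    return True


def theorem_conditions(enc: Enc, messages, keys) -> Tuple[bool, bool]:
    """(every key equiprobable, a unique key k with e_k(x) = y for all x, y)."""
    uniform = len(set(keys.values())) == 1
    cts = {enc(k, m) for k in keys for m in messages}
    unique = all(sum(1 for k in keys if enc(k, m) == c) == 1
                 for m in messages for c in cts)
    return uniform, unique


if __name__ == "__main__":
    for name, keys in [("uniform", UNIFORM_KEYS), ("biased", BIASED_KEYS), ("too few", SMALL_KEYS)]:
        print(f"{name:8s} keys: perfectly secret = {is_perfectly_secret(shift_encrypt, PLAIN, keys)}, "
              f"theorem conditions = {theorem_conditions(shift_encrypt, list(PLAIN), keys)}")
```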

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c, for every m, Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed

Introduction to Complexity

• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is given by a transition function δ: S × B → S × B × {l, r}
  – where S is the set of states, B is the set of tape characters, l is shift left, r is shift right

[Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output]

Complexity of an Algorithm

• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = a^n, a ∈ N (and there exists b ∈ N with f(n) = O(b^n))

Complexity of a Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problems

• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing halting problem

• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: A·B
  – NP: can be solved in polynomial time using an NDTM (δ: S × B → 2^{S × B × {l, r}}, several possible next steps)
  – BPP: can be "solved" in polynomial time using a PTM (δ: S × B × {0, 1} → S × B × {l, r}, a random bit steers each step) (randomized algorithms)

NP Problems

• NP ⊇ P: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", by intuition

• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: Assume Q_1, Q_2 ∈ NP, and I_1^+ and I_2^+ are their 'yes' instances.
  Q_1 is polynomially reducible to Q_2 if there is a function f: I_1 → I_2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I_1^+ iff f(x) ∈ I_2^+

• Note
  – Q_2 is at least as complex as Q_1
  – Denoted Q_1 ≤_poly Q_2

NP Completeness (NPC)

• Definition: An NPC problem is a Q_c ∈ NP such that for any Q ∈ NP we have Q ≤_poly Q_c

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC
  – Show SAT ≤_poly Q

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?

• If P = NP
  – Modern cryptography is NOT secure

• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – These are the foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms

• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: factorize n (= p_1^{e_1} p_2^{e_2} … p_k^{e_k})

• DLP: given α and β, find x satisfying α^x ≡ β (mod p)

• DHP: find α^{ab} (mod p) from α^a (mod p) and α^b (mod p)

• Subset-Sum: given a set of positive integers A = {a_1, a_2, …, a_n} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy

• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

[Game]
  Challenger: picks random k and picks random b ∈ {0, 1}
  Adversary: picks M_0, M_1 of equal length
  (the challenger encrypts M_b under k and the adversary outputs a guess b')

Attacker wins the game if b = b'

Bit Security

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

[Game]
  Challenger: 1. picks random k; 2. picks random M
  Adversary: 3. picks i

Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Z_n, Z_p, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date


Zhijun Li S1034040Autumn08HIT 20

Example Integers Modulo 7

bull Integers can always write a = qn + r (0 r n-1) -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 congruence

Z7 residues modulo 7

Zhijun Li S1034040Autumn08HIT 21

Set of Residues

bull Definition if a b mod n and bltn b is called a residue of a modulo n

bull The complete set of residues modulo nndash The set r1r2helliprn if for every integer b exactly one ri i

n the set satisfies bri mod n

bull The reduced set of residues(RSR)ndash A subset of the complete set of residues that each ele

ment is relatively prime to n

Zhijun Li S1034040Autumn08HIT 22

Set of Residues Example

bull N=10ndash The complete set of residues is 012hellip9ndash The reduced set of residues is 1379

bull N=p (p is a prime)ndash The complete set of residues is 012hellipp-1ndash The reduced set of residues is 12hellipp-1

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1

bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n

bull Proof Let a=q1n+r1 b=q2n+r2

bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n

ndash [(a mod n) (b mod n)] mod n = (ab) mod n

bull (+ ) (-)

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)

What

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )

NOT all elements in Z8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n

bull ((-a)+a+b) ((-a)+a+c) mod n

bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8

ndash When

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n

bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists

bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=

0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Galois Field Example: AES

• Example: {02}·{87} = ?
– 87 = 10000111 ↔ f(x) = x^7+x^2+x+1
– 02 = 00000010 ↔ x
– {02}·{87} ↔ x·f(x) = x·(x^7+x^2+x+1) mod p(x) = x^8 + x·(x^2+x+1) mod p(x) = (x^4+x^3+x+1) + (x^3+x^2+x) = x^4+x^2+1 ↔ 00010101 = {15}, using x^8 ≡ x^4+x^3+x+1 (mod p(x))
• In general, for a block b = b7 b6 b5 b4 b3 b2 b1 b0, multiplying by x ("xtime"):
– x·f(x) ↔ {02}·b = (b6 b5 b4 b3 b2 b1 b0 0) if b7 = 0
– x·f(x) ↔ {02}·b = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011) if b7 = 1
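The arithmetic of the last four slides, worked as an added example (Python written for this page, not code from the lecture or from the AES specification). An integer stands for a bit block, so 0b1011 is x^3+x+1 and 0x11B is the AES polynomial x^8+x^4+x^3+x+1 with its leading bit included; the function names, the brute-force field check and the reducible polynomial x^3+1 used as a counter-example are this example's own choices.

```python
def gf_add(a: int, b: int) -> int:
    """Addition in GF(2^n): coefficient-wise mod 2, i.e. XOR of the bit blocks."""
    return a ^ b

def poly_mul(a: int, b: int) -> int:
    """Carry-less product in Z2[x], no reduction (degree may reach 2n-2)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result

def poly_divmod(a: int, b: int):
    """Long division in Z2[x]: (q, r) with a = q*b + r and deg r < deg b."""
    q, r = 0, a
    while r and r.bit_length() >= b.bit_length():
        shift = r.bit_length() - b.bit_length()
        q ^= 1 << shift
        r ^= b << shift
    return q, r

def gf_mul(a: int, b: int, modulus: int) -> int:
    """a*b in Z2[x]/(p(x)); 'modulus' is p(x) with its leading bit, e.g. 0b1011
    for x^3+x+1 or 0x11B for the AES polynomial.  Shift-and-add: whenever the
    running multiple of a reaches degree n, replace x^n by p(x) - x^n."""
    n = modulus.bit_length() - 1
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:
            a ^= modulus
    return result

def gf_inverse(a: int, modulus: int) -> int:
    """a^-1 by the extended Euclidean algorithm on polynomials: keep r_i = t_i * a
    (mod p) with t_i = t_{i-2} - q_{i-1} t_{i-1} (minus is XOR over Z2) until r_i = 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1 = modulus, a
    t0, t1 = 0, 1
    while r1 > 1:
        q, rem = poly_divmod(r0, r1)
        r0, r1 = r1, rem
        t0, t1 = t1, t0 ^ poly_mul(q, t1)
    if r1 == 0:
        raise ValueError("no inverse: gcd(a, p) != 1, so p(x) is not irreducible")
    return t1

def is_field(modulus: int) -> bool:
    """Brute force: every nonzero block has an inverse iff p(x) is irreducible."""
    n = modulus.bit_length() - 1
    try:
        return all(gf_mul(a, gf_inverse(a, modulus), modulus) == 1 for a in range(1, 1 << n))
    except ValueError:
        return False

def aes_xtime(b: int) -> int:
    """The slide's rule for {02}*b in the AES field: shift left; XOR 0x1B if b7 was 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def bits_to_poly(v: int) -> str:
    """Print a block as a polynomial, e.g. 0b10010111 -> 'x^7+x^4+x^2+x+1'."""
    terms = ["1" if i == 0 else "x" if i == 1 else f"x^{i}"
             for i in range(v.bit_length() - 1, -1, -1) if v >> i & 1]
    return "+".join(terms) or "0"

if __name__ == "__main__":
    print(bits_to_poly(0x53), "inverse is", bits_to_poly(gf_inverse(0x53, 0x11B)))
    print("{02}*{87} =", hex(gf_mul(0x02, 0x87, 0x11B)), "xtime:", hex(aes_xtime(0x87)))
    print("x^3+x+1 gives a field:", is_field(0b1011), " x^3+1 gives a field:", is_field(0b1001))
```

The same `gf_mul` serves the toy field Z2[x]/(x^3+x+1) (where (x^2+1)·x reduces to 1) and the AES field, because the reduction step only depends on the modulus passed in; `is_field` makes the irreducibility requirement of the definition visible by failing for x^3+1 = (x+1)(x^2+x+1).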

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Mathematical Model for Ciphers

• Message space: $P = M^L = \{\, m=(m_1,m_2,\dots,m_L) \mid m_i \in M \,\}$, where $M=\{a_i \mid i=1,\dots,N\}$ with $p(a_i)\ge 0$ and $\sum_{i=1}^{N} p(a_i)=1$
• Key space: $K = B^R = \{\, b=(b_1,b_2,\dots,b_R) \mid b_i \in B \,\}$, where $B=\{b_i \mid i=1,\dots,S\}$ with $p(b_i)\ge 0$ and $\sum_{i=1}^{S} p(b_i)=1$
• Ciphertext space: $C=\{\, c \mid c=e_k(m),\ k\in K,\ m\in P \,\}$
• Figure: the Sender encrypts m into c, c travels to the Receiver, who decrypts it back to m; the key k from the Key Space (K) reaches both sides over a Secure Channel; Cryptanalysis observes c and tries to recover m. The three spaces are the Message Space (P), the Key Space (K) and the Ciphertext Space (C)

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
R. G. Gallager

Claude Shannon, 1916–2001

Probability Distribution of C

• $\Pr[C=c]=\sum_{k\in K,\ c\in C(k)} \Pr[K=k]\,\Pr[P=d_k(c)]$
– where $C(k)=\{\, e_k(m) \mid m\in P \,\}$ is the set of ciphertexts reachable under key k
• $\Pr[C=c \mid P=m]=\sum_{k\in K,\ m=d_k(c)} \Pr[K=k]$
• By Bayes' rule,
$\Pr[P=m \mid C=c]=\dfrac{\Pr[C=c \mid P=m]\,\Pr[P=m]}{\Pr[C=c]}=\dfrac{\Pr[m]\sum_{k:\,m=d_k(c)}\Pr[k]}{\sum_{k\in K,\ c\in C(k)}\Pr[k]\,\Pr[d_k(c)]}$

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
– How to define "information"?
• Definition: an encryption scheme is Shannon secure if, for every probability distribution on P, for all c ∈ C and all m ∈ P: Pr[P=m] = Pr[P=m | C=c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|, and
– for every x ∈ P and every y ∈ C there is a unique key k such that e_k(x) = y

Proof of ⇐ (the two conditions imply perfect secrecy)

• $\Pr[x \mid y]=\dfrac{\sum_{k\in K,\ x=d_k(y)}\Pr[K=k]\,\Pr[x]}{\sum_{k\in K,\ y\in C(k)}\Pr[K=k]\,\Pr[d_k(y)]}$
• Numerator: $\sum_{k\in K,\ x=d_k(y)}\Pr[K=k]=\dfrac{1}{|K|}$, since exactly one key maps x to y and every key has probability 1/|K|
• Denominator: $\sum_{k\in K,\ y\in C(k)}\Pr[K=k]\,\Pr[d_k(y)]=\dfrac{1}{|K|}\sum_{k\in K,\ y\in C(k)}\Pr[d_k(y)]=\dfrac{1}{|K|}\sum_{x\in P}\Pr[x]=\dfrac{1}{|K|}$, since as k runs over K, d_k(y) runs over every x ∈ P exactly once
• Hence Pr[x | y] = Pr[x]

Proof of ⇒ (perfect secrecy implies a unique key for each pair)

• Assume Pr[y] > 0 for every y ∈ C. By Bayes' rule, Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P. For every y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one key k that satisfies e_k(x) = y
• |{ e_k(x) | k ∈ K }| = |C| = |K|
– so there are no two keys k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
– hence for each y there is a unique key k such that e_k(x) = y

Proof of ⇒ (perfect secrecy implies equiprobable keys)

• Let n = |K| and P = { x_i | 1 ≤ i ≤ n }
• Given a fixed y, let k_1, k_2, ..., k_n be the keys with e_{k_i}(x_i) = y (unique by the previous slide, and pairwise distinct since one key decrypts y to only one message)
• Pr[x_i | y] = Pr[y | x_i]·Pr[x_i] / Pr[y] = Pr[K=k_i]·Pr[x_i] / Pr[y]
• Perfect secrecy gives Pr[x_i | y] = Pr[x_i], hence Pr[K=k_i] = Pr[y] for every i
– Every key is used with the same probability, namely 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof:
– Consider a probability distribution on P with Pr[P=m] > 0 for every m
– Given any ciphertext c with Pr[C=c] > 0, for every m: Pr[P=m | C=c] = Pr[P=m] > 0, thus there must exist a key that decrypts c into m
– As one key decrypts c into only one message, at least n distinct keys are needed
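A concrete check of the definitions on the last few slides, as an added example (Python written for this page, not from the lecture). It enumerates tiny ciphers exactly with fractions: the shift rule m + k mod n with a fresh uniform key per symbol is a one-time pad and passes Shannon's condition even for a skewed message distribution (constructed here), while the same rule with fewer keys than messages, or with one key reused for a two-symbol message, fails, as the theorem |K| ≥ |P| says it must. The helper names and the test distributions are this example's own.

```python
from fractions import Fraction
from itertools import product

def shannon_secure(encrypt, P, K, C, pr_P, pr_K):
    """Exact test of Shannon's condition Pr[P=m | C=c] == Pr[P=m] for every
    m in P and every c in C with Pr[C=c] > 0.  Probabilities are Fractions,
    so equality is exact.  Pr[P=m, C=c] is summed over the keys k with
    e_k(m) = c, as on the 'Probability Distribution of C' slide."""
    joint = {}
    pr_C = {c: Fraction(0) for c in C}
    for m in P:
        for k in K:
            c = encrypt(k, m)
            w = pr_K[k] * pr_P[m]
            joint[(m, c)] = joint.get((m, c), Fraction(0)) + w
            pr_C[c] += w
    for c in C:
        if pr_C[c] == 0:
            continue
        for m in P:
            if joint.get((m, c), Fraction(0)) / pr_C[c] != pr_P[m]:
                return False
    return True

def uniform(space):
    space = list(space)
    return {s: Fraction(1, len(space)) for s in space}

def skewed(n):
    """Constructed non-uniform message distribution: Pr[m] proportional to m+1."""
    total = n * (n + 1) // 2
    return {m: Fraction(m + 1, total) for m in range(n)}

def shift(k, m, n):
    """e_k(m) = m + k mod n: the shift rule on one symbol of Z_n."""
    return (m + k) % n

def one_time_pad_is_secure(n=26):
    """One fresh, uniform key per single-symbol message: the one-time pad on Z_n."""
    K = range(n)
    return shannon_secure(lambda k, m: shift(k, m, n), range(n), K, range(n), skewed(n), uniform(K))

def small_keyspace_is_secure(n=26, keys=13):
    """Same rule, but only 'keys' of the n shifts are ever used, so |K| < |P|."""
    K = range(keys)
    return shannon_secure(lambda k, m: shift(k, m, n), range(n), K, range(n), skewed(n), uniform(K))

def reused_key_is_secure(n=10):
    """One key reused for a two-symbol message: |K| = n but |P| = n^2."""
    P = list(product(range(n), repeat=2))
    K = range(n)
    enc = lambda k, m: (shift(k, m[0], n), shift(k, m[1], n))
    return shannon_secure(enc, P, K, P, uniform(P), uniform(K))

def keys_mapping(n, x, y):
    """Keys k of the one-time pad on Z_n with e_k(x) = y; the theorem needs exactly one."""
    return [k for k in range(n) if shift(k, x, n) == y]

if __name__ == "__main__":
    print("one-time pad:", one_time_pad_is_secure())
    print("13 keys for 26 messages:", small_keyspace_is_secure())
    print("one key reused for two symbols:", reused_key_is_secure())
    print("keys taking 3 to 7:", keys_mapping(26, 3, 7))
```

The two failing cases are the two halves of the theorem: with 13 keys a given ciphertext can only have come from 13 of the 26 messages, so Pr[P=m | C=c] = 0 for the others; with one reused key the pair (c0, c1) pins the difference m1 − m0, which is exactly the "cannot use one key to encrypt many messages" remark on the next slide.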

Introduction to Complexity

• Perfect secrecy requires key length ≥ message length
– One key can NOT be used to encrypt many messages
– For example, a 56-bit key cannot encrypt a document longer than 56 bits with perfect secrecy
• So, in modern cryptography:
– NOT perfect secrecy
– but security against adversaries with limited resources (computational complexity)
– meaning that recovering the key (or the plaintext) is computationally difficult
– complexity is the foundation of modern cryptography

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified
• Example:
– Name: GCD problem
– Instance: two natural numbers a, b ∈ N
– Question: what is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: a Turing Machine is given by a transition function δ: S × B → S × B × {l, r}
– where S is the set of states, B is the set of tape characters, l is "shift left" and r is "shift right"
• Figure: an infinite tape "... 0 1 1 0 0 0 1 1 ..." read and written by a State Machine through a movable head

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on the Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms (figure)

• A PROBLEM has many INSTANCES
• An instance is the Input to an ALGORITHM, which produces the Output (the answer for that instance)

Complexity of an Algorithm

• Definition: the time complexity of an algorithm is how many steps (of the TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF):
– Logarithmic functions: f(n) = log n
– Polynomial functions: f(n) = n^a, a ∈ N
– Exponential functions: f(n) = Ω(a^n) for some a > 1, and there exists b ∈ N with f(n) = O(b^n)

Complexity of a Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
– The complexity of a problem is much more difficult to determine than that of an algorithm
– It relies on mathematical analysis (a lower bound must hold for every possible algorithm)
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problems

• Undecidable: provably intractable
– There is no algorithm that solves it
– Such as the Turing Halting Problem
• Decidable:
– P: can be solved in polynomial time using a deterministic TM (DTM), δ: S × B → S × B × {l, r}
– NP: can be solved in polynomial time using a non-deterministic TM (NDTM), δ: S × B → 2^(S × B × {l, r}) (several possible moves per step)
– BPP: can be "solved" in polynomial time using a probabilistic TM (PTM), δ: S × B × {0, 1} → S × B × {l, r} (each step reads a random bit; randomized algorithms)

NP Problems

• NP ⊇ P: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution (some computation path accepts)
• Remark:
– every P problem is an NP problem
– NP problems are "more difficult" by intuition
• NPC: the most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy problems

Polynomial Reduction

• Definition: assume Q1, Q2 ∈ NP, with instance sets I1, I2 and 'yes'-instance sets I1+ ⊆ I1 and I2+ ⊆ I2. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
– f is computable in polynomial time by a DTM
– for all x ∈ I1: x ∈ I1+ iff f(x) ∈ I2+
• Note:
– Q2 is at least as hard as Q1 (a polynomial algorithm for Q2 gives one for Q1)
– Denoted Q1 ≤poly Q2

NP Completeness (NPC)

• Definition: an NP-complete problem is a Qc ∈ NP such that for any Q ∈ NP we have Q ≤poly Qc
• Example:
– Name: Satisfiability problem (SAT)
– Instance: a set U of variables and a collection C of clauses over U
– Question: is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC: show Q ∈ NP and SAT ≤poly Q

P = NP?

• Either P = NP, or there exists p ∈ NP with p ∉ P
• If P = NP:
– Modern cryptography is NOT secure (anything whose solution can be checked efficiently can also be found efficiently)
• If there exists p ∈ NP with p ∉ P:
– The hope is to build a one-way function based on such a p (P ≠ NP is necessary but not known to be sufficient: one-way functions need problems that are hard on average, not only in the worst case)
– Indistinguishable pseudorandom functions then exist
– These are the foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for randomized algorithms
• Remarks on BPP:
– The problem is solved with some error probability
– The error probability can be reduced by repetition
– Security of cryptography is defined against BPP adversaries
– To be analyzed in depth later

Problems in Cryptography

• FACTORING: factorize $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$
• DLP (discrete logarithm): given a generator α and an element β, find x satisfying α^x ≡ β (mod p)
• DHP (Diffie–Hellman): find α^(ab) (mod p) from α^a (mod p) and α^b (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, ..., an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of semantic security:
– Between Shannon security and security based on complexity
– A resource-bounded adversary learns no partial information about the plaintext from the ciphertext
– Approximate perfect secrecy
• Definition of semantic security via indistinguishability of ciphertexts:
– Difficult to distinguish the ciphertexts of two different plaintexts
– Difficult to distinguish a ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 1/2 + ε
• The game:
– Challenger: picks a random key k and a random bit b ∈ {0, 1}
– Adversary: may ask the challenger for encryptions of plaintexts of its choice, then picks M0, M1 of equal length
– Challenger: returns the challenge C = E_k(M_b)
– Adversary: outputs a guess b'
– The attacker wins the game if b = b'

Bit Security

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 1/2 + ε
• The game:
1. Challenger picks a random key k
2. Challenger picks a random message M and sends C = E_k(M)
3. Adversary picks a position i and outputs a guess a
– The attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure (even only against eavesdroppers) is also (t, ε) bit secure
• Proof idea: given a (t, ε) attacker A against bit security, build a (t, ε) attacker B against IND-CPA security: B chooses two random messages M0, M1 of equal length, hands the challenge ciphertext to A, and whenever M0 and M1 differ in the bit i that A guesses, B outputs the b' for which the i'th bit of M_b' equals A's guess
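The IND-CPA game of the preceding slides, run as code (an added example, not from the lecture). The two toy "ciphers" are constructed for the demonstration only: both XOR the message with a SHA-256-derived keystream, one derived from the key alone and therefore deterministic, one mixing in a fresh random nonce per call. The adversary spends a single chosen-plaintext query on E_k(M0) and compares the challenge with the answer; against the deterministic scheme it wins every game, against the randomized one it does no better than guessing. Names, messages and the trial count are this example's own.

```python
import hashlib
import random

def keystream(seed: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(seed || counter) for counter = 0, 1, 2, ...
    Constructed for this demonstration only; it is not a vetted cipher."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc_deterministic(key: bytes, msg: bytes, rng: random.Random) -> bytes:
    """Keystream depends on the key only: equal plaintexts give equal ciphertexts."""
    return xor_bytes(msg, keystream(key, len(msg)))

def enc_randomized(key: bytes, msg: bytes, rng: random.Random) -> bytes:
    """A fresh 64-bit nonce per call is mixed into the keystream and sent in the clear."""
    nonce = rng.getrandbits(64).to_bytes(8, "big")
    return nonce + xor_bytes(msg, keystream(key + nonce, len(msg)))

class RepeatQueryAdversary:
    """IND-CPA adversary: asks the oracle for E_k(M0), then compares the
    challenge with that answer.  It wins whenever encryption is deterministic."""
    M0 = b"attack at dawn"
    M1 = b"attack at dusk"   # same length as M0, as the game requires

    def choose(self, oracle):
        return self.M0, self.M1, oracle(self.M0)

    def guess(self, oracle, challenge, state):
        return 0 if challenge == state else 1

def ind_cpa_game(enc, adversary, rng: random.Random) -> bool:
    """One round of the slide's game: the challenger picks k and b, the adversary
    (with oracle access) picks M0, M1 of equal length, receives E_k(M_b) and
    outputs b'; it wins if b' == b."""
    key = rng.getrandbits(128).to_bytes(16, "big")
    b = rng.getrandbits(1)
    oracle = lambda m: enc(key, m, rng)
    m0, m1, state = adversary.choose(oracle)
    assert len(m0) == len(m1)
    challenge = enc(key, (m0, m1)[b], rng)
    return adversary.guess(oracle, challenge, state) == b

def win_rate(enc, adversary, trials: int = 400, seed: int = 1) -> float:
    """Fraction of rounds won over 'trials' independent games (seeded, so repeatable)."""
    rng = random.Random(seed)
    return sum(ind_cpa_game(enc, adversary, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("deterministic scheme, win rate:", win_rate(enc_deterministic, RepeatQueryAdversary()))
    print("randomized scheme,   win rate:", win_rate(enc_randomized, RepeatQueryAdversary()))
```

The deterministic scheme is a legitimate, even "unbreakable-looking" keystream generator, yet it has advantage ε = 1/2 in the game, which is what the definition is designed to catch: IND-CPA security forces encryption to be randomized (or stateful), because otherwise the oracle query alone decides b.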

Summary

• Number Theory
– Primes, gcd, Euler's Theorem, CRT
– Modular arithmetic
• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)
• Shannon Security
– Perfect secrecy
– Probability
• Complexity of Computing
– P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:


Set of Residues

• Definition: if a ≡ b (mod n) and 0 ≤ b < n, b is called the residue of a modulo n
• The complete set of residues modulo n
– A set {r1, r2, ..., rn} such that for every integer b exactly one r_i in the set satisfies b ≡ r_i (mod n)
• The reduced set of residues (RSR)
– The subset of a complete set of residues whose elements are relatively prime to n

Set of Residues: Example

• n = 10
– The complete set of residues is {0, 1, 2, ..., 9}
– The reduced set of residues is {1, 3, 7, 9}
• n = p (p is a prime)
– The complete set of residues is {0, 1, 2, ..., p−1}
– The reduced set of residues is {1, 2, ..., p−1}

Modular Arithmetic

• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, ..., n−1}
• Under normal arithmetic (+, ×):
– [(a mod n) + (b mod n)] mod n = (a + b) mod n
• Proof: let a = q1·n + r1 and b = q2·n + r2; then (a + b) mod n = (q1·n + r1 + q2·n + r2) mod n = (r1 + r2) mod n
– [(a mod n) × (b mod n)] mod n = (a·b) mod n
• (+, ×) carry over to Zn; what about (−, ÷)?

Modular Arithmetic Example

• (Z8 = {0, 1, 2, ..., 7}, +): the addition table modulo 8. What do you notice? (Every row and every column is a permutation of Z8)
• (Z8 = {0, 1, 2, ..., 7}, ×): the multiplication table modulo 8. NOT all elements in Z8 have a multiplicative inverse

Modular Arithmetic: Remarks

• Additive inverse: always exists
– a + (−a) ≡ 0 (mod n), with −a = n − a
– If a + b ≡ a + c (mod n) then b ≡ c (mod n)
• Proof: add −a to both sides: (−a) + a + b ≡ (−a) + a + c (mod n)
• Multiplicative inverse: does NOT always exist
– Example: 6 in Z8 (6·x mod 8 is always even, never 1)
– When does it exist? (next slide)

Multiplicative Inverse in Modular Arithmetic

• Definition: a^−1 mod n is the multiplicative inverse of a ∈ {1, 2, ..., n−1} when a·x ≡ 1 (mod n)
• Theorem: a^−1 mod n exists if and only if gcd(a, n) = 1
• Lemma: if gcd(a, n) = 1 then a·i ≢ a·j (mod n) for all 0 ≤ i < j < n
– Proof: assume a·i ≡ a·j (mod n); then n | a·(i − j), and since gcd(a, n) = 1, n | (i − j); as |i − j| < n this forces i − j = 0, contradicting i < j

Multiplicative Inverse Theorem: Proof

• (⇐) gcd(a, n) = 1 ⇒ a·{1, ..., n−1} mod n is a permutation of {1, ..., n−1} (by the lemma the values are distinct, and none is 0)
– So there exists exactly one i with a·i ≡ 1 (mod n)
– Therefore i is a^−1 mod n
• (⇒) Suppose a^−1 exists; call it x
– a·x ≡ 1 (mod n), so a·x + y·n = 1 for some integer y
– gcd(a, n) divides a·x + y·n = 1, hence gcd(a, n) = 1
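The Z8 tables the slides refer to and the inverse criterion, computed rather than drawn, as an added example (Python written for this page, not from the lecture). The function names are this example's own; `inverse_by_search` is the exhaustive method the slides cost at O(n) later on.

```python
from math import gcd

def add_table(n: int):
    """The (Z_n, +) table: row a, column b holds (a + b) mod n."""
    return [[(a + b) % n for b in range(n)] for a in range(n)]

def mul_table(n: int):
    """The (Z_n, x) table: row a, column b holds (a * b) mod n."""
    return [[(a * b) % n for b in range(n)] for a in range(n)]

def format_table(table, op: str) -> str:
    """Render a table the way the slide draws it: header row, header column."""
    n = len(table)
    width = len(str(n - 1))
    header = op.rjust(width) + " | " + " ".join(str(b).rjust(width) for b in range(n))
    rows = [str(a).rjust(width) + " | " + " ".join(str(v).rjust(width) for v in table[a])
            for a in range(n)]
    return "\n".join([header, "-" * len(header)] + rows)

def additive_inverse(a: int, n: int) -> int:
    """Always exists: -a = n - a (mod n)."""
    return (n - a) % n

def inverse_by_search(a: int, n: int):
    """Scan x = 1..n-1 for a*x = 1 (mod n); None if no such x exists."""
    for x in range(1, n):
        if a * x % n == 1:
            return x
    return None

def units(n: int):
    """Elements with gcd(x, n) = 1: the reduced set of residues."""
    return [x for x in range(1, n) if gcd(x, n) == 1]

def invertible_by_search(n: int):
    return [a for a in range(1, n) if inverse_by_search(a, n) is not None]

def permutation_rows(n: int):
    """Rows a of the multiplication table that are permutations of Z_n (the lemma:
    gcd(a, n) = 1 implies a*i and a*j are distinct mod n for i != j)."""
    return [a for a in range(1, n) if sorted(mul_table(n)[a]) == list(range(n))]

def inverse_criterion_holds(limit: int = 60) -> bool:
    """Theorem check for every n < limit: a has an inverse iff gcd(a, n) = 1,
    iff row a of the multiplication table is a permutation."""
    return all(invertible_by_search(n) == units(n) == permutation_rows(n)
               for n in range(2, limit))

if __name__ == "__main__":
    print(format_table(add_table(8), "+"))
    print()
    print(format_table(mul_table(8), "x"))
    print("invertible in Z_8:", units(8), " 6^-1:", inverse_by_search(6, 8))
```

Printing the two tables shows the asymmetry the slides point at: every row of the + table is a shifted copy of the first, while in the × table only rows 1, 3, 5, 7 contain a 1, and those are exactly the rows that are permutations.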

Euler's phi Function

• Euler's "phi" function φ(n)
– is the number of invertible elements of Zn
– equivalently, the number of elements in the reduced set of residues modulo n
• How to calculate φ(n)? (following slides)

Chinese Remainder Theorem

• Theorem: let n1, n2, ..., nk be integers such that gcd(ni, nj) = 1 for i ≠ j. The system
x ≡ a1 (mod n1)
x ≡ a2 (mod n2)
......
x ≡ ak (mod nk)
has a solution, and it is unique modulo n = n1·n2·...·nk

Proof of CRT

• Consider the one-to-one map χ: Zn → Zn1 × Zn2 × ... × Znk, χ(x) = (x mod n1, x mod n2, ..., x mod nk)
– CRT amounts to finding χ^−1(a1, a2, ..., ak)
• $\chi^{-1}(a_1,a_2,\dots,a_k)=\sum_{i=1}^{k} a_i\, m_i\, y_i \bmod n$, where
– $m_i = n/n_i$, so $\gcd(m_i, n_i)=1$ for $1\le i\le k$
– $y_i = m_i^{-1} \bmod n_i$ for $1\le i\le k$
• Check: $m_i \equiv 0 \pmod{n_j}$ for $j\ne i$, so $a_i m_i y_i \equiv 0 \pmod{n_j}$ for $j \ne i$; and $y_j = m_j^{-1} \bmod n_j$ gives $m_j y_j \equiv 1 \pmod{n_j}$, so $a_j m_j y_j \equiv a_j \pmod{n_j}$
• Hence $\chi^{-1}(a_1,\dots,a_k) \bmod n_j = a_j$ for every j; uniqueness follows since χ is one-to-one between two sets of size n

Finding Euler's phi Function

• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)
• Proof:
– A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
– x is relatively prime to mn iff a and b are relatively prime to m and n respectively
– So φ(mn) = φ(m)·φ(n)

Finding Euler's phi Function

• φ(n) calculation for $n = \prod_{i=1}^{k} p_i^{e_i}$
• φ(p) = p − 1, and φ(p^e) = p^e − p^(e−1)
– The numbers in {1, ..., p^e − 1} with gcd(k·p, p^e) ≥ p are the multiples k·p for k = 1, ..., p^(e−1) − 1
– So φ(p^e) = (p^e − 1) − (p^(e−1) − 1) = p^e − p^(e−1)
• $\varphi\!\left(\prod_{i=1}^{k} p_i^{e_i}\right)=\prod_{i=1}^{k}\left(p_i^{e_i}-p_i^{e_i-1}\right)$
• $\varphi(n)=n\left(1-\frac{1}{p_1}\right)\left(1-\frac{1}{p_2}\right)\cdots\left(1-\frac{1}{p_k}\right)$

Euler's Theorem

• Theorem: if gcd(a, n) = 1 then $a^{\varphi(n)} \equiv 1 \pmod n$
• Proof:
1. Let R = {r1, r2, ..., r_φ(n)} be a reduced set of residues modulo n
2. a·r1, a·r2, ..., a·r_φ(n) is a permutation of R (gcd(a·r_i, n) = 1, and the products are distinct mod n)
3. $\prod_{i=1}^{\varphi(n)} r_i \equiv \prod_{i=1}^{\varphi(n)} a\,r_i \equiv a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} r_i \pmod n$
4. $\gcd\!\left(\prod_{i=1}^{\varphi(n)} r_i,\ n\right)=1$, so the product can be cancelled; hence $a^{\varphi(n)} \equiv 1 \pmod n$

Fermat's Little Theorem

• From Euler's Theorem:
– Let n = p with p a prime
– Because gcd(a, p) = 1 for all 0 < a < p, we get
a^(p−1) ≡ 1 (mod p)
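CRT, φ(n) and Euler's theorem from the preceding slides, computed and cross-checked against their definitions, as an added example (Python written for this page, not part of the lecture). Trial-division factoring is used because the moduli are small, `pow(m, -1, n)` for the inverses y_i needs Python 3.8 or later, and the function names are this example's own.

```python
from math import gcd, prod

def factorize(n: int) -> dict:
    """Trial division into {prime: exponent}; adequate for the small n used here."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def euler_phi(n: int) -> int:
    """phi(n) = prod (p^e - p^(e-1)) over the factorization, i.e. n * prod (1 - 1/p)."""
    return prod(p ** e - p ** (e - 1) for p, e in factorize(n).items())

def euler_phi_by_count(n: int) -> int:
    """The definition: the number of 1 <= a <= n with gcd(a, n) = 1."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)

def chi(x: int, moduli) -> tuple:
    """The CRT map chi(x) = (x mod n_1, ..., x mod n_k)."""
    return tuple(x % m for m in moduli)

def crt(residues, moduli) -> int:
    """chi^-1: x = sum a_i * m_i * y_i mod n with m_i = n / n_i and y_i = m_i^-1 mod n_i.
    Requires pairwise coprime moduli (pow(m_i, -1, n_i) raises ValueError otherwise)."""
    n = prod(moduli)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i
        y_i = pow(m_i, -1, n_i)
        x += a_i * m_i * y_i
    return x % n

def crt_is_bijection(moduli) -> bool:
    """chi^-1(chi(x)) == x for every x in Z_n: the solution is unique modulo n."""
    return all(crt(chi(x, moduli), moduli) == x for x in range(prod(moduli)))

def euler_theorem_holds(n: int) -> bool:
    """a^phi(n) = 1 (mod n) for every a coprime to n (Fermat's theorem when n is prime)."""
    phi = euler_phi(n)
    return all(pow(a, phi, n) == 1 for a in range(1, n) if gcd(a, n) == 1)

def phi_agrees(limit: int = 300) -> bool:
    """The product formula and the counting definition agree for all n < limit."""
    return all(euler_phi(n) == euler_phi_by_count(n) for n in range(1, limit))

if __name__ == "__main__":
    print("x = 2 mod 3, 3 mod 5, 2 mod 7  ->  x =", crt([2, 3, 2], [3, 5, 7]))
    print("phi(36) =", euler_phi(36), "=", euler_phi_by_count(36))
    print("Euler's theorem holds for n = 36:", euler_theorem_holds(36))
```

`crt` is the formula of the proof slide taken literally; `crt_is_bijection` checks the map χ on all of Z_n, which is the uniqueness half of the theorem.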

Finding a^−1 mod n

• Search through 1, ..., n−1 until an a^−1 is found such that a·a^−1 ≡ 1 (mod n)
– T(n) = O(n)
• Compute a^−1 = a^(φ(n)−1) mod n
– Finding φ(n) requires factoring n
– T(n) = O(n^a) (polynomial in n, i.e. exponential in the bit length of n)
• Use the Extended Euclidean Algorithm
– T(n) = O(log^a n), polynomial in the bit length of n

From the Euclidean Algorithm

• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
• ......
• r_{n−1} = s_{n−1}·r0 + t_{n−1}·r1
• r_{n−1} = gcd(r0, r1); when the gcd is 1: s_{n−1}·r0 + t_{n−1}·r1 = 1, so t_{n−1}·r1 ≡ 1 (mod r0), i.e. t_{n−1} = r1^−1 mod r0
• Goal: find t_{n−1}

s_i and t_i

• r0 = s0·r0 + t0·r1, with s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, with s1 = 0, t1 = 1
• ......
• r_i = r_{i−2} − q_{i−1}·r_{i−1} = s_{i−2}·r0 + t_{i−2}·r1 − q_{i−1}·s_{i−1}·r0 − q_{i−1}·t_{i−1}·r1 = s_i·r0 + t_i·r1, hence
– s_i = s_{i−2} − q_{i−1}·s_{i−1}
– t_i = t_{i−2} − q_{i−1}·t_{i−1}
• Only t_i is needed: r_i = s_i·r0 + t_i·r1 ≡ t_i·r1 (mod r0)

Extended Euclidean Algorithm

• Step 1: r0 = n and r1 = a
• Step 2:
– r0 = q1·r1 + r2: r2 = r0 − q1·r1 ≡ −q1·r1 (mod n); let x2 = −q1, then r2 ≡ x2·r1 (mod n)
– r1 = q2·r2 + r3: r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 (mod n); let x3 = 1 − x2·q2, then r3 ≡ x3·r1 (mod n)
– ...... (in general x_i = x_{i−2} − x_{i−1}·q_{i−1}, starting from x0 = 0, x1 = 1)
– r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1}: r_{n−1} = r_{n−3} − q_{n−2}·r_{n−2}; let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r1 (mod n). Now r_{n−1} = 1 because gcd(a, n) = 1
• Step 3: the result is x_{n−1} = a^−1 mod n
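The extended Euclidean algorithm of the last three slides, with the x_i (i.e. t_i) sequence made explicit, as an added example (Python written for this page, not the lecture's code). `inverse_trace` reproduces the Step 2 table row by row and `extended_gcd` keeps both coefficient sequences; the function names are this example's own.

```python
from math import gcd

def extended_gcd(r0: int, r1: int):
    """Returns (g, s, t) with s*r0 + t*r1 = g = gcd(r0, r1), maintaining the
    recurrences s_i = s_{i-2} - q_{i-1} s_{i-1} and t_i = t_{i-2} - q_{i-1} t_{i-1}."""
    s0, s1 = 1, 0
    t0, t1 = 0, 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0

def is_invertible(a: int, n: int) -> bool:
    return extended_gcd(n, a)[0] == 1

def mod_inverse(a: int, n: int) -> int:
    """a^-1 mod n is t_{n-1} (with r0 = n, r1 = a); raises if gcd(a, n) != 1."""
    g, _, t = extended_gcd(n, a)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {g}")
    return t % n

def inverse_trace(n: int, a: int):
    """The Step 2 table: rows (i, r_i, x_i) with r_i = x_i * a (mod n), from
    r_0 = n, r_1 = a, x_0 = 0, x_1 = 1 and x_i = x_{i-2} - q_{i-1} x_{i-1}.
    Stops at r_i = 1 (then x_i = a^-1) or at r_i = 0 (a is not invertible)."""
    rows = [(0, n, 0), (1, a, 1)]
    while rows[-1][1] not in (0, 1):
        (_, r_prev, x_prev), (i, r, x) = rows[-2], rows[-1]
        q = r_prev // r
        rows.append((i + 1, r_prev - q * r, x_prev - q * x))
    return rows

def trace_consistent(n: int, a: int) -> bool:
    """Checks the invariant r_i = x_i * a (mod n) on every row of the table."""
    return all((x * a - r) % n == 0 for _, r, x in inverse_trace(n, a))

def agrees_with_search(limit: int = 60) -> bool:
    """Cross-check against the O(n) search for every invertible a mod n, n < limit."""
    for n in range(2, limit):
        for a in range(1, n):
            if gcd(a, n) == 1:
                if mod_inverse(a, n) != next(x for x in range(1, n) if a * x % n == 1):
                    return False
    return True

if __name__ == "__main__":
    for i, r, x in inverse_trace(26, 3):
        print(f"r_{i} = {r:3d}   x_{i} = {x:3d}   check: {x} * 3 mod 26 = {x * 3 % 26}")
    print("3^-1 mod 26 =", mod_inverse(3, 26), "   6 invertible mod 8:", is_invertible(6, 8))
```

Running the trace for n = 26, a = 3 prints r_2 = 2 with x_2 = −8 and r_3 = 1 with x_3 = 9, so 3^−1 ≡ 9 (mod 26); the last row's x is the answer, which is why Step 3 reads x_{n−1}.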

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Algebraic Structures

• Why structures?
– Cryptographic transforms normally live in some algebraic structure
• Definition: an algebraic structure is a set (S) together with one or more operations (∘) performed on the elements of S
– Different algebraic structures are ⟨S, ∘⟩ satisfying specific conditions

Group

• Definition: a group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions:
– G1: ∀a, b ∈ S: a∘b ∈ S (closure)
– G2: ∀a, b, c ∈ S: (a∘b)∘c = a∘(b∘c) (associativity)
– G3: ∃e ∈ S such that ∀a ∈ S: a∘e = e∘a = a (identity)
– G4: ∀a ∈ S ∃a^−1 ∈ S: a∘a^−1 = a^−1∘a = e (inverse)
– [G5, Abelian group]: ∀a, b: a∘b = b∘a (commutativity)

Group Examples

• ⟨Z, +⟩: e = 0, a^−1 = −a
• ⟨Zn, +⟩ (Zn = {0, 1, ..., n−1}, '+' is addition modulo n): e = 0, a^−1 = n − a
• ⟨Z2, ⊕⟩ (addition modulo 2, i.e. XOR) is also a group
• ⟨Zp*, ×⟩ (Zp* = {1, ..., p−1}, '×' is multiplication modulo p, p prime)

Group Properties

• Definition: the order of a finite group is the number of elements in the group
• Definition: a group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S and G1 is itself a group under the same operation
• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G

Lagrange's Theorem: Proof

(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {a∘h | h ∈ H} is called a (left) coset of H
(2) For all a, b ∈ G: either aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH because e ∈ H), so the cosets partition G
(4) The order of aH equals the order of H (h ↦ a∘h is a bijection)
So |G| = (number of cosets) × |H|, and the order of H divides the order of G

The Order of a Group Element

• Definition: the order of a group element a is the least positive integer n such that
a^n = a∘a∘...∘a (n times) = e
• The order of a is denoted ord(a)
• Corollary: suppose G is a finite group of order n and a ∈ G; then ord(a) | n

ord(a) | n: Proof

• For a group G and a ∈ G, the set {a, a^2, ..., a^ord(a)} with the operation of G forms a subgroup of G
– it is closed, a^ord(a) = e is its identity, and (a^i)^−1 = a^(ord(a)−i)
– this subgroup is denoted ⟨a⟩ and has ord(a) elements
• By Lagrange's Theorem, ord(a) = |⟨a⟩| divides n = |G|

The Generator of a Group

• Definition: if all elements of a group can be generated by a single element g (every element is a power of g), g is called a generator of the group
• Example: consider ⟨Z7*, ×⟩
– 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), ...
• ⟨2⟩ = {1, 2, 4} is only a subgroup (of order 3)
– 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, ...
• 3 is a generator of Z7*
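The Z7* example above generalised to any prime p: element orders, generated subgroups, cosets and generators, as an added example (Python written for this page, not from the lecture). It also checks the corollary ord(a) | p−1 and the coset partition from the Lagrange proof; the function names are this example's own.

```python
def elements(p: int):
    """Z_p^* = {1, ..., p-1} for a prime p."""
    return list(range(1, p))

def order(a: int, p: int) -> int:
    """ord(a): the least k >= 1 with a^k = 1 (mod p)."""
    k, x = 1, a % p
    while x != 1:
        x = x * a % p
        k += 1
    return k

def generated(a: int, p: int):
    """The cyclic subgroup <a> = {a, a^2, ..., a^ord(a)}."""
    return sorted(pow(a, i, p) for i in range(1, order(a, p) + 1))

def generators(p: int):
    """Elements whose powers give all of Z_p^*, i.e. ord(a) = p-1."""
    return [a for a in elements(p) if order(a, p) == p - 1]

def cosets(H, p: int):
    """The distinct cosets aH = {a*h mod p}; they partition Z_p^* (Lagrange)."""
    seen, result = set(), []
    for a in elements(p):
        coset = frozenset(a * h % p for h in H)
        if coset not in seen:
            seen.add(coset)
            result.append(sorted(coset))
    return result

def lagrange_holds(p: int) -> bool:
    """ord(a) divides |Z_p^*| = p-1 for every a, and the cosets of <a> cover the group."""
    for a in elements(p):
        H = generated(a, p)
        parts = cosets(H, p)
        if (p - 1) % len(H) != 0 or sum(len(c) for c in parts) != p - 1:
            return False
    return True

def order_table(p: int):
    """(a, ord(a)) for every a; for Z_7^*: 1->1, 2->3, 3->6, 4->3, 5->6, 6->2."""
    return [(a, order(a, p)) for a in elements(p)]

if __name__ == "__main__":
    print("orders in Z_7^*:", order_table(7))
    print("<2> =", generated(2, 7), " cosets of <2>:", cosets(generated(2, 7), 7))
    print("generators of Z_7^*:", generators(7), " of Z_11^*:", generators(11))
```

Every order printed for Z7* divides 6, the two cosets of ⟨2⟩ = {1, 2, 4} are {1, 2, 4} and {3, 5, 6}, and only 3 and 5 have order 6, so those are the generators.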

Ring

• Definition: a ring R = ⟨S, +, ×⟩ (+ is addition, × is multiplication) such that
– R1: ∀a, b ∈ S: a + b ∈ S and a × b ∈ S (closure)
– R2: ⟨S, +⟩ is an Abelian group
– R3: ∀a, b, c ∈ S: (a × b) × c = a × (b × c)
– R4: ∀a, b, c ∈ S: a × (b + c) = a × b + a × c (and (b + c) × a = b × a + c × a)
• Example:
– The set of even integers with + and × is a ring (without a multiplicative identity)
– p, q two primes, n = pq: Zn = {0, 1, ..., n−1} with addition and multiplication mod n is a ring

Field

• Definition: a field F is ⟨S, +, ×⟩ with
– F1: ⟨S, +, ×⟩ is a commutative ring (a × b = b × a)
– F2: there is an identity element 1 with respect to multiplication: a × 1 = 1 × a = a
– F3: every nonzero element a ∈ S has a unique inverse a^−1: a × a^−1 = a^−1 × a = 1
• Example:
– Zn = ⟨{0, 1, ..., n−1}, +, ×⟩ is a field if n is a prime (and only then)

Relationship (figure)

• Group: (+, −)
• Ring: (+, −, ×)
• Field: (+, −, ×, ÷)
• Each structure contains the previous one; all three are used in cryptography

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial rings
• Galois fields GF(2^n)

Zn

• Zn is the "ring" of integers modulo n
– Zn = {0, 1, 2, ..., n−1}
– Normal addition modulo n
– Normal multiplication modulo n
• Example:
– Z26 for the English alphabet
– Z256 for ASCII bytes

Zn: Properties

• Additive and multiplicative identities in Zn
– The additive identity is 0 mod n
– The multiplicative identity is 1 mod n
• Additive inverse: yes
– For every x in Zn there is a y such that x + y ≡ 0 (mod n)
• Multiplicative inverse: not for all x
– A y such that x × y ≡ 1 (mod n) exists only when gcd(x, n) = 1
– The elements of Zn that have an inverse are {x | gcd(x, n) = 1}

Zn*

• Zn* is the "group" of invertible integers modulo n
– Zn* = {x ∈ Zn | gcd(x, n) = 1}
– |Zn*| = φ(n)
– Operation: normal multiplication modulo n
• Zn* is in general not a group under +
– Example: n = 20: 3, 5 ∈ Zn*, but 3 + 5 = 8 ∉ Zn*
• So Zn with both operations is in general not a field: only when n is prime is every nonzero element invertible

Zp

• Zp is the "field" of integers modulo a prime p
– Zp = {0, 1, 2, ..., p−1}
– Normal addition modulo p
– Normal multiplication modulo p
• Example: Z2
– Addition table (XOR): 0+0 = 0, 0+1 = 1, 1+0 = 1, 1+1 = 0
– Multiplication table (AND): 0·0 = 0, 0·1 = 0, 1·0 = 0, 1·1 = 1
– Inverses: w = 0: −w = 0, w^−1 undefined; w = 1: −w = 1, w^−1 = 1

Polynomial Ring

• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n·x^n + a_{n−1}·x^{n−1} + ... + a_1·x + a_0, where each a_i ∈ R and n ≥ 0
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R (with the usual polynomial addition and multiplication)

Polynomial Ring: Example

• Example: let f(x) = x^3+x+1 and g(x) = x^2+x be elements of Z2[x]
– f(x) + g(x) = x^3+x^2+1
– f(x) − g(x) = f(x) + g(x) = x^3+x^2+1 (in Z2, −1 = 1)
– f(x)·g(x) = x^5+x^4+x^3+x

Set of Residues Modulo p(x)

• Definition: the set of residues modulo p(x) of R[x] is the set of remainders of R[x] mod p(x)
– p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x) and b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) − b(x))
• Example:
– In Z5[x]: 3x^3+4x+4 ≡ x+4 (mod x^2+1)
• Check: 3x^3+4x+4 − (x+4) = 3x^3+3x = 3x·(x^2+1)
• Definition: if a(x)·b(x) ≡ 1 (mod p(x)) then b(x) = a^−1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

NP Completeness (NPC)
• Definition: An NPC problem is a problem Qc such that for any Q ∈ NP we have Q ≤poly Qc.
• Example:
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove that a problem Q is NPC: show SAT ≤poly Q.

P = NP?
• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP:
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P:
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – These are the foundations of modern cryptography

BPP
• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP:
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography
• FACTORING: factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP (discrete logarithm problem): find the exponent x satisfying the given congruence (mod p)
• DHP (Diffie-Hellman problem): from the base raised to a and to b (mod p), find the base raised to a·b (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)

Semantic Security
• Ideas of semantic security
  – Between Shannon security and complexity-based security
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

IND-CPA
• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game (Challenger vs. Adversary):
  – Challenger picks a random key k and a random bit b ∈ {0, 1}
  – Adversary picks M0, M1 of equal length and sends them to the challenger
  – Challenger returns the encryption of M_b under k; the adversary outputs a guess b′
  – Attacker wins the game if b = b′

Bit Secure
• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game (Challenger vs. Adversary):
  1. Challenger picks a random key k
  2. Challenger picks a random message M and sends its encryption
  3. Adversary picks a bit position i and outputs a guess a
  – Attacker wins the game if a = the i'th bit of M

Semantic Security
• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure.
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security.
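The reduction in the proof above, as an added example that is not from the lecture: a constructed cipher that leaks bit 0 of the message, a bit attacker against it, and the IND adversary built from that attacker, with both games simulated; a one-time pad is included as the secure contrast. All function names and the 8-bit toy setting are my own assumptions.

```python
import random

BITS = 8  # message length in bits; a constructed toy setting, not the lecture's cipher


def otp_encrypt(key, msg):
    """One-time pad on BITS-bit integers: every plaintext bit is masked by a key bit."""
    return key ^ msg


def leaky_encrypt(key, msg):
    """Constructed weak cipher: masks every bit except bit 0, which is sent in the clear."""
    return ((key ^ msg) & ~1) | (msg & 1)


def copy_bit_attacker(ciphertext, i):
    """Hypothetical bit attacker: guesses bit i of M to be bit i of the ciphertext."""
    return (ciphertext >> i) & 1


def bit_security_game(encrypt, attacker, i, trials, rng):
    """Bit-security game: challenger picks random k and M; the adversary, who chose i,
    guesses bit i of M. Returns the observed win rate (bit secure means at most 0.5 + eps)."""
    wins = 0
    for _ in range(trials):
        k = rng.getrandbits(BITS)          # 1. random key
        m = rng.getrandbits(BITS)          # 2. random message
        a = attacker(encrypt(k, m), i)     # 3. adversary's guess for bit i
        wins += int(a == (m >> i) & 1)
    return wins / trials


def ind_adversary_from_bit_attacker(attacker, i):
    """The reduction behind the theorem: an IND adversary built from a bit attacker for bit i.
    choose() picks M0, M1 of equal length differing only in bit i, so M_b is a uniformly
    random message whose bit i equals b; guess() reuses the bit attacker's answer as b'."""
    def choose(rng):
        base = rng.getrandbits(BITS) & ~(1 << i)
        return base, base | (1 << i)    # M0 has bit i = 0, M1 has bit i = 1

    def guess(ciphertext):
        return attacker(ciphertext, i)   # b' = guessed bit i of M_b = guessed b

    return choose, guess


def ind_cpa_game(encrypt, choose, guess, trials, rng):
    """IND game against an eavesdropper: challenger picks random k and b and encrypts M_b;
    the adversary outputs b'. Returns the observed win rate Pr[b = b']."""
    wins = 0
    for _ in range(trials):
        k = rng.getrandbits(BITS)
        b = rng.getrandbits(1)
        m0, m1 = choose(rng)
        c = encrypt(k, m1 if b else m0)
        wins += int(guess(c) == b)
    return wins / trials


def win_rates(seed=2008, trials=2000):
    """Run both games for both ciphers with a fixed seed; returns {cipher: (bit_rate, ind_rate)}.
    Against the leaky cipher both rates are exactly 1.0; against the OTP both stay near 0.5."""
    rng = random.Random(seed)
    choose, guess = ind_adversary_from_bit_attacker(copy_bit_attacker, 0)
    return {name: (bit_security_game(enc, copy_bit_attacker, 0, trials, rng),
                   ind_cpa_game(enc, choose, guess, trials, rng))
            for name, enc in (("leaky", leaky_encrypt), ("otp", otp_encrypt))}


if __name__ == "__main__":
    for name, (bit_rate, ind_rate) in win_rates().items():
        print(f"{name}: bit-security game {bit_rate:.3f}, IND game {ind_rate:.3f}")
```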

Summary
• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework
• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:


Set of Residues: Example
• N = 10
  – The complete set of residues is {0, 1, 2, …, 9}
  – The reduced set of residues is {1, 3, 7, 9}
• N = p (p is a prime)
  – The complete set of residues is {0, 1, 2, …, p−1}
  – The reduced set of residues is {1, 2, …, p−1}

Modular Arithmetic
• We can define modular arithmetic on the set of integers Zn = {0, 1, 2, …, n−1}.
• Under normal arithmetic (+, ×):
  – [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • Proof: Let a = q1·n + r1 and b = q2·n + r2. Then (a + b) mod n = (q1·n + r1 + q2·n + r2) mod n = (r1 + r2) mod n.
  – [(a mod n) × (b mod n)] mod n = (a × b) mod n
• The same holds for subtraction (−).

Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, +): addition table (shown on the slide)

Modular Arithmetic Example
• (Z8 = {0, 1, 2, …, 7}, ×): multiplication table (shown on the slide)
  – NOT all elements of Z8 appear in every row of the table

Modular Arithmetic: Remarks
• Additive inverse: always exists
  – a + (−a) ≡ 0 (mod n), with −a = n − a
  – If a + b ≡ a + c (mod n) then b ≡ c (mod n)
    • since (−a) + a + b ≡ (−a) + a + c (mod n)
• Multiplicative inverse: does NOT always exist
  – Example: 6 in Z8
  – When does it exist?

Multiplicative Inverse in Modular Arithmetic
• Definition: x = a^{-1} mod n is the multiplicative inverse of a ∈ {1, 2, …, n−1} when a·x ≡ 1 (mod n).
• Theorem: a^{-1} mod n exists if and only if gcd(a, n) = 1.
• Lemma: If gcd(a, n) = 1 then a·i ≢ a·j (mod n) for all 0 ≤ i < j < n (i ≠ j).
  – Proof: assume a·i ≡ a·j (mod n); then n | a·(i − j), so n | (i − j) because gcd(a, n) = 1, hence i − j = 0, a contradiction.

Multiplicative Inverse Theorem
• Proof
  (⇐) gcd(a, n) = 1 ⇒ a·{1, …, n−1} mod n is a permutation of {1, …, n−1}
  – So there exists exactly one i with a·i ≡ 1 (mod n)
  – Therefore i is a^{-1} mod n
  (⇒) Suppose a^{-1} exists; call it x
  – a·x ≡ 1 (mod n), so a·x + y·n = 1 for some integer y
  – gcd(a, n) = 1 (since gcd(a, n) | a·x + y·n, we get gcd(a, n) | 1)

Euler's phi Function
• Euler's "phi" function φ(n)
  – is the number of invertible elements of Zn
  – is the number of elements in the reduced set of residues modulo n
• φ(n) calculation

Chinese Remainder Theorem
• Theorem: let n1, n2, …, nk be integers such that gcd(ni, nj) = 1 for i ≠ j. The system
    x ≡ a1 (mod n1)
    x ≡ a2 (mod n2)
    ……
    x ≡ ak (mod nk)
  has a unique solution x modulo n = n1·n2·…·nk.

Proof of CRT
• Consider the one-to-one map Zn → Zn1 × Zn2 × … × Znk,
    x ↦ (x mod n1, x mod n2, …, x mod nk)
  – CRT is to find the inverse image of (a1, a2, …, ak):
    x = Σ_{i=1}^{k} ai·mi·yi mod n
  – mi = n / ni, so gcd(mi, ni) = 1 for 1 ≤ i ≤ k
  – yi = mi^{-1} mod ni for 1 ≤ i ≤ k
  – mi ≡ 0 (mod nj) for j ≠ i, hence ai·mi·yi ≡ 0 (mod nj) for j ≠ i
  – yj = mj^{-1} mod nj, hence mj·yj ≡ 1 (mod nj) and aj·mj·yj ≡ aj (mod nj)
  – Therefore x mod nj = aj for every j
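The inverse map from the proof above, as an added example that is not from the lecture: it computes Σ ai·mi·yi mod n with Python's built-in pow(mi, -1, ni) (Python 3.8+) for yi, refuses moduli that are not pairwise coprime, and round-trips every element of Zn to confirm the map is a bijection. Function names are my own.

```python
from math import gcd, prod


def crt_forward(x, moduli):
    """The one-to-one map Zn -> Zn1 x ... x Znk from the proof: x -> (x mod n1, ..., x mod nk)."""
    return tuple(x % ni for ni in moduli)


def pairwise_coprime(moduli):
    """gcd(ni, nj) = 1 for all i != j, the hypothesis of the theorem."""
    return all(gcd(moduli[i], moduli[j]) == 1
               for i in range(len(moduli)) for j in range(i + 1, len(moduli)))


def crt_inverse(residues, moduli):
    """Invert the map: x = sum_i a_i * m_i * y_i mod n, with m_i = n / n_i and y_i = m_i^{-1} mod n_i.
    Each term is 0 modulo every n_j with j != i (n_j divides m_i) and a_i modulo n_i (m_i * y_i = 1)."""
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus expected")
    if not pairwise_coprime(moduli):
        raise ValueError("moduli must be pairwise coprime for the theorem to apply")
    n = prod(moduli)
    x = 0
    for ai, ni in zip(residues, moduli):
        mi = n // ni
        yi = pow(mi, -1, ni)       # exists because gcd(m_i, n_i) = 1
        x += ai * mi * yi
    return x % n


def is_bijection(moduli):
    """Check that the map is one-to-one and onto by round-tripping every x in Zn."""
    n = prod(moduli)
    return all(crt_inverse(crt_forward(x, moduli), moduli) == x for x in range(n))


if __name__ == "__main__":
    # constructed instance: x = 2 (mod 3), x = 3 (mod 5), x = 2 (mod 7)
    print(crt_inverse((2, 3, 2), (3, 5, 7)))      # 23
    print(is_bijection((3, 5, 7)))                 # True
```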

Finding Euler's phi Function
• Theorem: if gcd(m, n) = 1 then φ(m·n) = φ(m)·φ(n)
• Proof
  – A number x mod m·n is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – So φ(m·n) = φ(m)·φ(n)

Finding Euler's phi Function
• φ(n) calculation for n = Π_{i=1}^{k} pi^{ei}
  – φ(p) = p − 1, φ(p^e) = p^e − p^{e−1}
    • The numbers k·p for k = 1, …, p^{e−1} − 1 have gcd(k·p, p^e) = p (they are not coprime to p^e)
    • So φ(p^e) = (p^e − 1) − (p^{e−1} − 1)
  – φ(Π_{i=1}^{k} pi^{ei}) = Π_{i=1}^{k} (pi^{ei} − pi^{ei−1})
  – φ(n) = n·(1 − 1/p1)·(1 − 1/p2)·…·(1 − 1/pk)

Euler's Theorem
• Theorem: If gcd(a, n) = 1 then a^{φ(n)} ≡ 1 (mod n)
• Proof
  1. Let R = {r1, r2, …, r_{φ(n)}} be the reduced set of residues modulo n
  2. {a·r1, a·r2, …, a·r_{φ(n)}} is a permutation of R (since gcd(a·ri, n) = 1)
  3. Π_{i=1}^{φ(n)} ri ≡ Π_{i=1}^{φ(n)} a·ri ≡ a^{φ(n)} · Π_{i=1}^{φ(n)} ri (mod n)
  4. gcd(Π_{i=1}^{φ(n)} ri, n) = 1, hence a^{φ(n)} ≡ 1 (mod n)

Fermat's Little Theorem
• From Euler's Theorem: let n = p with p a prime. Because gcd(a, p) = 1 for all 0 < a < p, we get
    a^{p−1} ≡ 1 (mod p)
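An added example, not from the lecture, tying together the last three slides: φ(n) from the prime-power formula against the counting definition, the multiplicativity theorem, Euler's and Fermat's congruences (returning the residue so a failing case is visible), and the consequence a^{-1} = a^{φ(n)−1} mod n. The trial-division factorization and the function names are my own; it is only meant for the small moduli used here.

```python
from math import gcd


def factorize(n):
    """Trial-division factorization n = p1^e1 * ... * pk^ek, returned as {p: e}."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi_from_factors(n):
    """phi(n) = prod over p^e || n of (p^e - p^(e-1)), i.e. n * prod (1 - 1/p) in integers."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def phi_by_counting(n):
    """The definition: size of the reduced residue set, the x in 1..n with gcd(x, n) = 1."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def euler_residue(a, n):
    """a^phi(n) mod n: equals 1 whenever gcd(a, n) = 1 (Euler); for a prime n this is Fermat."""
    return pow(a, phi_from_factors(n), n)


def inverse_via_euler(a, n):
    """a^{-1} = a^(phi(n) - 1) mod n, valid only when gcd(a, n) = 1; requires factoring n."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return pow(a, phi_from_factors(n) - 1, n)


if __name__ == "__main__":
    for n in (10, 36, 1000):
        print(n, factorize(n), phi_from_factors(n), phi_by_counting(n))
    print(euler_residue(3, 10), euler_residue(2, 10))   # 1 and 6: gcd(2, 10) != 1
    print(inverse_via_euler(3, 10))                      # 7, since 3 * 7 = 21 = 1 mod 10
```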

Finding a^{-1} mod n
• Search through 1, …, n−1 until an a^{-1} is found such that a·a^{-1} ≡ 1 (mod n)
  – T(n) = O(n)
• Compute a^{-1} = a^{φ(n)−1} mod n
  – Finding φ(n) requires factoring n
  – T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)

From the Euclidean Algorithm
• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
• ……
• r_{n−1} = s_{n−1}·r0 + t_{n−1}·r1
• r_{n−1} = gcd(r0, r1)
• If s_{n−1}·r0 + t_{n−1}·r1 = 1, then t_{n−1}·r1 ≡ 1 (mod r0), i.e. t_{n−1} ≡ r1^{-1} (mod r0)
• So: find t_{n−1}

si and ti
• r0 = s0·r0 + t0·r1, with s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, with s1 = 0, t1 = 1
• ……
• ri = r_{i−2} − q_{i−1}·r_{i−1} = s_{i−2}·r0 + t_{i−2}·r1 − q_{i−1}·s_{i−1}·r0 − q_{i−1}·t_{i−1}·r1 = si·r0 + ti·r1
  – si = s_{i−2} − q_{i−1}·s_{i−1}
  – ti = t_{i−2} − q_{i−1}·t_{i−1}
• Only ti is needed: ri = si·r0 + ti·r1 ≡ ti·r1 (mod r0)

Extended Euclidean Algorithm
• Step 1: r0 = n and r1 = a
• Step 2:
    r0 = q1·r1 + r2 ⇒ r2 = r0 − q1·r1 ≡ −q1·r1 (mod n); let x2 = −q1, then r2 ≡ x2·r1 (mod n)
    r1 = q2·r2 + r3 ⇒ r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 (mod n); let x3 = 1 − x2·q2, then r3 ≡ x3·r1 (mod n)
    ……
    r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1} ⇒ r_{n−1} = r_{n−3} − q_{n−2}·r_{n−2} (mod n); let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r1 (mod n). Now r_{n−1} = 1.
• Step 3: The result is x_{n−1} = a^{-1} mod n
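The Extended Euclidean Algorithm with the lecture's recurrences for si and ti, as an added example that is not the lecture's code: Step 1 sets r0 = n and r1 = a, the loop applies ri = r_{i−2} − q_{i−1}·r_{i−1} together with the si and ti updates, and the inverse is the final t reduced mod n. An optional trace records the (ri, q, si, ti)
rows, and the O(n) search method from the "Finding a^{-1} mod n" slide is included for cross-checking. Function names are my own.

```python
from math import gcd


def extended_euclid(r0, r1, trace=None):
    """Return (g, s, t) with g = gcd(r0, r1) = s*r0 + t*r1, using
    s_i = s_{i-2} - q_{i-1} s_{i-1} and t_i = t_{i-2} - q_{i-1} t_{i-1}
    from (s0, t0) = (1, 0) and (s1, t1) = (0, 1). If a list is passed as
    trace, the rows (r_i, q_{i-1}, s_i, t_i) are appended to it."""
    s_prev, t_prev = 1, 0      # s0, t0: r0 = 1*r0 + 0*r1
    s_cur, t_cur = 0, 1        # s1, t1: r1 = 0*r0 + 1*r1
    if trace is not None:
        trace.append((r0, None, s_prev, t_prev))
        trace.append((r1, None, s_cur, t_cur))
    while r1 != 0:
        q = r0 // r1                                  # q_{i-1}
        r0, r1 = r1, r0 - q * r1                      # r_i = r_{i-2} - q_{i-1} r_{i-1}
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
        if trace is not None:
            trace.append((r1, q, s_cur, t_cur))
    return r0, s_prev, t_prev  # r0 is now r_{n-1} = gcd, with its s and t


def mod_inverse(a, n):
    """Step 1: r0 = n, r1 = a. When gcd = 1 the final t satisfies t*a = 1 (mod n);
    otherwise no inverse exists (the slide's example: 6 in Z8)."""
    g, _, t = extended_euclid(n, a)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd({a}, {n}) = {g}")
    return t % n


def inverse_by_search(a, n):
    """Method 1 from 'Finding a^-1 mod n': try every x in 1..n-1, T(n) = O(n)."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    raise ValueError(f"{a} has no inverse modulo {n}")


if __name__ == "__main__":
    rows = []
    g, s, t = extended_euclid(7, 3, rows)
    for r, q, si, ti in rows:
        print(f"r = {r:2d}  q = {q}  s = {si:3d}  t = {ti:3d}")
    print(g, s, t, mod_inverse(3, 7))   # 1 1 -2 5
```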

Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Algebraic Structures
• Why structures? Cryptographic transforms normally operate within some algebraic structure.
• Definition: An algebraic structure is a set S together with one (or more) operations (∘) performed on the elements of S.
  – The different algebraic structures are ⟨S, ∘⟩ satisfying specific conditions.

Group
• Definition: A group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions:
  – G1: ∀a, b ∈ S: a ∘ b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S: (a ∘ b) ∘ c = a ∘ (b ∘ c) (associativity)
  – G3: ∃e ∈ S, ∀a ∈ S: a ∘ e = e ∘ a = a (identity)
  – G4: ∀a ∈ S, ∃a^{-1} ∈ S: a ∘ a^{-1} = a^{-1} ∘ a = e (inverse)
  – [G5, Abelian group]: ∀a, b: a ∘ b = b ∘ a (commutativity)

Group Examples
• ⟨Z, +⟩: e = 0, a^{-1} = −a
• ⟨Zn, +⟩ (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a^{-1} = n − a
• ⟨Z2, +⟩ is also a group
• ⟨Zp*, ×⟩ (Zp* = {1, …, p−1}, '×' is multiplication modulo p)

Group Properties
• Definition: The order of a finite group is the number of elements in the group.
• Definition: A group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S.
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G.

Lagrange's Theorem: Proof
(1) Definition of coset: Let G be a group and H a subgroup of G. For a ∈ G, the set aH = {a ∘ h | h ∈ H} is called a coset of H.
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH since e ∈ H). So the cosets form a partition of G.
(4) The order of aH = the order of H.
So the order of H divides the order of G.

The Order of a Group Element
• Definition: The order of a group element a is the least positive integer n such that
    a^n = a ∘ a ∘ … ∘ a = e
• The order of a is denoted ord(a).
• Corollary: Suppose G is a finite group of order n and a ∈ G; then ord(a) | n.

ord(a) | n: Proof
• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operator of G forms a subgroup of G:
    a^{ord(a)} = e, and (a^i)^{-1} = a^{ord(a) − i}
  – This subgroup is denoted ⟨a⟩; it has ord(a) elements, so by Lagrange's Theorem ord(a) | n.

The Generator of a Group
• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group.
• Example: consider ⟨Z7*, ×⟩
  – 2 generates: 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), …
    • {1, 2, 4} is a subgroup
  – 3 generates: 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator

Ring
• Definition: A ring R = ⟨S, +, ×⟩ (+ is addition, × is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a × b ∈ S (closure rule)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a × b) × c = a × (b × c)
  – R4: ∀a, b, c ∈ S: a × (b + c) = a × b + a × c
• Example
  – The set of even integers with + and × is a ring
  – p, q two primes and n = p·q: Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Field
• Definition: A field F is ⟨S, +, ×⟩ with
  – F1: ⟨S, +, ×⟩ is a commutative ring (a × b = b × a)
  – F2: there exists an identity element 1 with respect to multiplication: a × 1 = 1 × a = a
  – F3: any nonzero element a ∈ S has a unique inverse a^{-1}: a × a^{-1} = a^{-1} × a = 1
• Example
  – Zn = ⟨{0, 1, …, n−1}, +, ×⟩ is a field if n is a prime

Relationship (figure)
• Group: +, −
• Ring: +, −, ×
• Field: +, −, ×, ÷
• All three are used in cryptography

Several Important Structures
• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F_{2^n}

Zn
• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n
• Example
  – Z26 for English letters
  – Z256 for ASCII

Zn Properties
• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: yes
  – For every x in Zn there is a y such that x + y = 0
• Multiplicative inverse: not for all x
  – A y such that x·y = 1 exists only for some x in Zn
  – The elements of Zn with an inverse are {x | gcd(x, n) = 1}

Zn*
• Zn* is the "group" of integers modulo n under multiplication
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field

Zp
• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2
    Addition (XOR)      Multiplication (AND)
    + | 0 1             × | 0 1
    0 | 0 1             0 | 0 0
    1 | 1 0             1 | 0 1

    w | −w | w^{-1}
    0 |  0 | (none)
    1 |  1 | 1

Polynomial Ring
• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + a_{n−1}·x^{n−1} + … + a1·x + a0, where each ai ∈ R and n ≥ 0.
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R.

Polynomial Ring Example
• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)
• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials
• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) − b(x))
• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 (mod x^2 + 1)
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x·(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 (mod p(x)) then b(x) = a^{-1}(x) mod p(x)

Irreducible Polynomials
• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)
• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 ≡ x·(x + 1) + 1 = x^2 + x + 1 (mod p(x)), using x^3 ≡ x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1): Properties
• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S is a group over multiplication mod p(x)
  – 1 is e, and the inverse of a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x = 1 (mod x^3 + x + 1)
  – Note: the Extended Euclidean Algorithm can be used to find inverses
• Z2[x]/(x^3 + x + 1) is a field

Galois Field
• Definition: Galois field = (S, +, ×)
  – S = F[x]/p(x)
  – F is a field ZN (N is prime)
  – + is addition in F; × is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over ZN[x]/p(x) is denoted GF(N^n) where n = deg p(x)

Why Galois Fields?
• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for Z256?
  – Yes: the Galois field

Galois Field for Z256
• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
    10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES
• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^{-1} ↔ (x^6 + x^4 + x + 1)^{-1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES
• Example: 02 · 87 = ?
  – 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  – 02 = 00000010 ↔ x
  – 02 · 87 ↔ x·f(x) = x·(x^7 + x^2 + x + 1) mod p(x) = x^8 + x·(x^2 + x + 1) mod p(x)
• In general, for f(x) ↔ (b7 b6 b5 b4 b3 b2 b1 b0):
    x·f(x) ("02 ·") = (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
    x·f(x) ("02 ·") = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)     if b7 = 1
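An added example, not from the lecture, covering the Z2[x]/(x^3 + x + 1) slides and the two AES examples: polynomials over Z2 are stored as integers (bit i = coefficient of x^i), reduction generalizes the slide's x^3 ≡ x + 1 substitution, inverses use Lagrange's theorem (a^{2^n − 2} in a group of order 2^n − 1), and aes_xtime implements the b7 case split for "02 ·". Function names are my own.

```python
def poly_degree(a):
    """Degree of a polynomial over Z2 stored as an int (bit i = coefficient of x^i); -1 for 0."""
    return a.bit_length() - 1


def poly_mul(a, b):
    """Multiply two polynomials over Z2 without reduction (carry-less multiplication)."""
    result = 0
    while b:
        if b & 1:
            result ^= a         # add a * x^j; addition in Z2 is XOR
        a <<= 1
        b >>= 1
    return result


def poly_mod(a, p):
    """Reduce a(x) modulo p(x): cancel the leading term by subtracting (XOR) x^k * p(x)."""
    dp = poly_degree(p)
    while a and poly_degree(a) >= dp:
        a ^= p << (poly_degree(a) - dp)
    return a


def gf_mul(a, b, p):
    """Multiplication in Z2[x]/p(x); with p(x) irreducible of degree n this is GF(2^n)."""
    return poly_mod(poly_mul(a, b), p)


def gf_inverse(a, p):
    """a^{-1} via Lagrange: the multiplicative group of GF(2^n) has 2^n - 1 elements,
    so a^(2^n - 1) = 1 and a^(2^n - 2) = a^{-1}. Square-and-multiply exponentiation."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    exponent = (1 << poly_degree(p)) - 2
    result, base = 1, a
    while exponent:
        if exponent & 1:
            result = gf_mul(result, base, p)
        base = gf_mul(base, base, p)
        exponent >>= 1
    return result


def is_field(p):
    """The field property from the slides: every nonzero residue modulo p(x) has an inverse.
    For a reducible p(x) a zero divisor fails the check, so this also detects reducibility."""
    return all(gf_mul(a, gf_inverse(a, p), p) == 1 for a in range(1, 1 << poly_degree(p)))


AES_POLY = 0x11B    # x^8 + x^4 + x^3 + x + 1, the AES modulus from the slide
TOY_POLY = 0b1011   # x^3 + x + 1, the modulus of the Z2[x] example slides


def aes_xtime(b):
    """Multiply an AES byte by 02 = x as the slide describes: shift left one bit and,
    if the dropped bit b7 was 1, XOR with 00011011 (x^8 = x^4 + x^3 + x + 1 mod p(x))."""
    shifted = (b << 1) & 0xFF
    return shifted ^ 0x1B if b & 0x80 else shifted


if __name__ == "__main__":
    print(bin(poly_mod(0b10001, TOY_POLY)))          # 0b111: x^4 + 1 = x^2 + x + 1
    print(gf_mul(0b101, 0b10, TOY_POLY))             # 1: (x^2 + 1) * x = 1
    print(hex(gf_mul(0x02, 0x87, AES_POLY)), hex(aes_xtime(0x87)))
    print(hex(gf_inverse(0x53, AES_POLY)))           # 0xca, as on the slide
```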

Outline
• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers
• Message space P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• Key space K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• Ciphertext space C = {c | c = ek(m), k ∈ K, m ∈ M}
• (Figure) Sender → Encryption → c → Decryption → Receiver; the key k reaches the receiver over a secure channel; the cryptanalyst observes c. Labels: Message Space (P), Key Space (K), Ciphertext Space (C).

Claude Shannon (1916-2001)
"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
  (R. G. Gallager)

Probability Distribution of C
• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = dk(c)]
  – C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]
• Pr[P = m | C = c]
    = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
    = (Pr(m) · Σ_{k | m = dk(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(dk(c)))

Shannon Security
• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if the probability distribution of P is unchanged by observing the ciphertext:
    ∀c, m: Pr[P = m] = Pr[P = m | C = c]
  • Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem
• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|.
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y.

Proof of (⇐)
• Pr[X = x | Y = y] = (Σ_{k ∈ K, x = dk(y)} Pr[K = k] · Pr[X = x]) / (Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[X = dk(y)])
• Numerator: Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K| (a unique key, used with probability 1/|K|)
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[X = dk(y)] = (1/|K|) · Σ_{k ∈ K, y ∈ C(k)} Pr[X = dk(y)] = (1/|K|) · Σ_{x ∈ P} Pr[X = x] = 1/|K|
• Hence Pr[X = x | Y = y] = Pr[X = x]

Proof of (⇒): unique key
• Pr[y] > 0; Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P and y ∈ C: we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k with ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with ek1(x) = ek2(x)
  – So there is a unique key k such that ek(x) = y

Proof of (⇒): equal key probability
• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with eki(xi) = y
• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy
• Theorem: Let the plaintext space P have size n. Any cipher with perfect secrecy has |K| ≥ n.
• Proof
  – Consider a probability distribution on P that is nonzero everywhere
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
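An added example, not from the lecture: the shift cipher on Z4 with exact fractions, evaluating Pr[C = c] and Pr[P = m | C = c] from the formulas on the "Probability Distribution of C" slide to test Shannon security for a uniform key, a biased key, and a key space smaller than the plaintext space (the theorem above). The plaintext and key distributions are constructed, and function names are my own.

```python
from fractions import Fraction


def distribution(weights):
    """Turn integer weights into an exact distribution, e.g. {0: 4, 1: 2, 2: 1, 3: 1} -> 1/2, 1/4, 1/8, 1/8."""
    total = sum(weights.values())
    return {x: Fraction(w, total) for x, w in weights.items()}


def shift_cipher(n):
    """Shift cipher on Zn: e_k(m) = (m + k) mod n, so P = C = Zn."""
    return lambda k, m: (m + k) % n


def ciphertext_distribution(enc, p_msg, p_key):
    """Pr[C = c] = sum over pairs (k, m) with e_k(m) = c of Pr[K = k] * Pr[P = m]
    (the lecture's formula, with key and plaintext chosen independently)."""
    pc = {}
    for k, pk in p_key.items():
        for m, pm in p_msg.items():
            c = enc(k, m)
            pc[c] = pc.get(c, Fraction(0)) + pk * pm
    return pc


def posterior(enc, p_msg, p_key, c):
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c], where
    Pr[C = c | P = m] is the total probability of the keys with e_k(m) = c."""
    pc = ciphertext_distribution(enc, p_msg, p_key)[c]
    post = {}
    for m, pm in p_msg.items():
        likelihood = sum((pk for k, pk in p_key.items() if enc(k, m) == c), Fraction(0))
        post[m] = likelihood * pm / pc
    return post


def is_perfectly_secret(enc, p_msg, p_key):
    """Shannon security: Pr[P = m | C = c] == Pr[P = m] for every m and every c with Pr[C = c] > 0."""
    return all(posterior(enc, p_msg, p_key, c) == p_msg
               for c in ciphertext_distribution(enc, p_msg, p_key))


def shift_cipher_cases(n=4):
    """Shift cipher on Zn with a skewed plaintext distribution and three key distributions:
    uniform over Zn (perfect), biased (not), and restricted to {0, 1} so |K| < |P| (not)."""
    enc = shift_cipher(n)
    p_msg = distribution({0: 4, 1: 2, 2: 1, 3: 1})   # constructed non-uniform plaintexts
    return {
        "uniform keys": is_perfectly_secret(enc, p_msg, distribution({k: 1 for k in range(n)})),
        "biased keys": is_perfectly_secret(enc, p_msg, distribution({0: 3, 1: 1, 2: 1, 3: 1})),
        "too few keys": is_perfectly_secret(enc, p_msg, distribution({0: 1, 1: 1})),
    }


if __name__ == "__main__":
    print(shift_cipher_cases())
    # with only keys {0, 1}, seeing c = 0 makes m = 0 far more likely than its prior 1/2
    print(posterior(shift_cipher(4), distribution({0: 4, 1: 2, 2: 1, 3: 1}),
                    distribution({0: 1, 1: 1}), 0))
```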

Introduction of the Complexity
• Perfect secrecy: key length ≥ message length
  – Cannot use one key to encrypt many messages
  – E.g. using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – but secure under limited resources (complexity)
  – meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems
• Definition: A problem is a general question with associated parameters whose values are not specified.
• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine
• Definition: A Turing Machine is a transition function S × B → S × B × {l, r}
  – where S is the set of states, B the set of characters, l is "shift left" and r is "shift right"
• (Figure) a tape … 0 1 1 0 0 0 1 1 … read and written by a state machine

Algorithms
• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer.
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem.

Problems and Algorithms (figure)
• PROBLEM → INSTANCES → Input → ALGORITHM → Output

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 23

Modular Arithmetic

bull We can define the modular arithmetic in the set of integers Zn=0 1 2 hellip n-1

bull Under normal arithmetic (+ )ndash [(a mod n) + (b mod n)] mod n = (a+b) mod n

bull Proof Let a=q1n+r1 b=q2n+r2

bull (r1+r2) mod n = (q1n+r1+q2n+r2) mod n = (r1+r2) mod n

ndash [(a mod n) (b mod n)] mod n = (ab) mod n

bull (+ ) (-)

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)

What

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )

NOT all elements in Z8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n

bull ((-a)+a+b) ((-a)+a+c) mod n

bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8

ndash When

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n

bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists

bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=

0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Euler’s Theorem

• Theorem: If gcd(a,n)=1 then a^φ(n) ≡ 1 mod n

• Proof
  1. Let R = {r1, r2, …, r_φ(n)} be a reduced set of residues modulo n
  2. {a·r1, a·r2, …, a·r_φ(n)} is a permutation of R (gcd(a·ri, n)=1)
  3. Π_{i=1..φ(n)} ri ≡ Π_{i=1..φ(n)} a·ri ≡ a^φ(n) · Π_{i=1..φ(n)} ri  (mod n)
  4. gcd(Π_{i=1..φ(n)} ri, n) = 1. Hence a^φ(n) ≡ 1 mod n

Fermat’s Little Theorem

• From Euler’s Theorem
  Let n = p, where p is a prime.
  Because gcd(a,p)=1 for all 0<a<p,
  a^(p−1) ≡ 1 mod p
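The φ(n) formula of the preceding slides and the permutation step of Euler’s proof, as an added Python example (my code, not the lecture’s): `phi_formula` applies Π (pi^ei − pi^(ei−1)) to a trial-division factorization, `phi_count` counts coprime residues directly so the two can be compared, `is_permutation_of_reduced_residues` checks step 2 of the proof, and `euler_holds` checks the theorem itself (Fermat is the case n = p). Function names and the sample values (84, 5 and 12, 3 and 7) are my own.

```python
from math import gcd


def factorize(n):
    """Trial-division factorization: returns {p: e} with n = prod p^e."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:                      # leftover prime factor larger than sqrt
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi_formula(n):
    """phi(n) = prod (p_i^e_i - p_i^(e_i - 1)) from the slide."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def phi_count(n):
    """phi(n) straight from the definition: count 1 <= x <= n with gcd(x, n) = 1."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def reduced_residues(n):
    """R = {r : 1 <= r < n, gcd(r, n) = 1}, a reduced set of residues mod n."""
    return [r for r in range(1, n) if gcd(r, n) == 1]


def is_permutation_of_reduced_residues(a, n):
    """Step 2 of the proof: {a*r mod n : r in R} is a rearrangement of R."""
    R = reduced_residues(n)
    return sorted((a * r) % n for r in R) == R


def euler_holds(a, n):
    """Euler's theorem for one pair: gcd(a, n) = 1 implies a^phi(n) = 1 (mod n)."""
    return gcd(a, n) == 1 and pow(a, phi_formula(n), n) == 1


if __name__ == "__main__":
    print(phi_formula(84), phi_count(84))                  # 24 24  (84 = 2^2 * 3 * 7)
    print(is_permutation_of_reduced_residues(5, 12))       # True
    print(euler_holds(5, 12), pow(3, 7 - 1, 7) == 1)      # True True (Fermat with p = 7)
```

The counting function is exponential in the bit length of n, which is precisely why the formula matters: with the factorization in hand, φ(n) is cheap; without it, for an RSA-sized n, nothing better than factoring is known.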

Finding a^-1 mod n

• Search through 1, …, n−1 until an a^-1 is found such that a·a^-1 ≡ 1 (mod n)
– T(n) = O(n)
• Compute a^-1 = a^(φ(n)−1) mod n
– Find φ(n) ⇐ factoring n
– T(n) = O(n^a)
• Use the Extended Euclidean Algorithm
– T(n) = O(log n)

From Euclidean Algorithm

• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
  ……
• r_{n−1} = s_{n−1}·r0 + t_{n−1}·r1
• r_{n−1} = gcd(r0, r1)
• s_{n−1}·r0 + t_{n−1}·r1 = 1 ⇒ t_{n−1}·r1 ≡ 1 mod r0 ⇒ t_{n−1} ≡ r1^-1 mod r0
• Find t_{n−1}

si and ti

• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
  ……
• ri = r_{i−2} − q_{i−1}·r_{i−1} = s_{i−2}·r0 + t_{i−2}·r1 − q_{i−1}·s_{i−1}·r0 − q_{i−1}·t_{i−1}·r1 = si·r0 + ti·r1
  si = s_{i−2} − q_{i−1}·s_{i−1}
  ti = t_{i−2} − q_{i−1}·t_{i−1}
• Only ti is needed
• ri = si·r0 + ti·r1 ≡ ti·r1 mod r0

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a
Step 2: r0 = q1·r1 + r2, r2 = r0 − q1·r1 ≡ −q1·r1 mod n; let x2 = −q1, then r2 ≡ x2·r1 mod n
  r1 = q2·r2 + r3, r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 mod n; let x3 = 1 − x2·q2, then r3 ≡ x3·r1 mod n
  ……
  r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1}, r_{n−1} = r_{n−3} − q_{n−2}·r_{n−2} mod n; let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r1 mod n. Now r_{n−1} = 1
Step 3: Result is x_{n−1} = a^-1 mod n
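The three slides above (the si/ti recurrences, and the three methods for finding a^-1 compared on the "Finding a^-1 mod n" slide) as one added Python example; this is my code, not the lecture’s. `extended_gcd` carries both si and ti with the recurrences si = s_{i−2} − q_{i−1}·s_{i−1}, ti = t_{i−2} − q_{i−1}·t_{i−1}; `mod_inverse` runs it with r0 = n, r1 = a and returns t_{n−1} mod n; `mod_inverse_search` is the O(n) scan kept only so the two can be cross-checked. Names and sample values (240 and 46; 3 mod 11; 17 mod 3120) are my own.

```python
def extended_gcd(r0, r1):
    """Return (g, s, t) with g = gcd(r0, r1) = s*r0 + t*r1.
    Tracks s_i and t_i exactly as on the slide; (s_prev, t_prev) belong to
    the current r0, (s_cur, t_cur) to the current r1."""
    s_prev, s_cur = 1, 0          # s0 = 1, s1 = 0
    t_prev, t_cur = 0, 1          # t0 = 0, t1 = 1
    while r1 != 0:
        q = r0 // r1                                      # q_{i-1}
        r0, r1 = r1, r0 - q * r1                          # r_i = r_{i-2} - q_{i-1} r_{i-1}
        s_prev, s_cur = s_cur, s_prev - q * s_cur         # s_i = s_{i-2} - q_{i-1} s_{i-1}
        t_prev, t_cur = t_cur, t_prev - q * t_cur         # t_i = t_{i-2} - q_{i-1} t_{i-1}
    return r0, s_prev, t_prev                             # r_{n-1}, s_{n-1}, t_{n-1}


def mod_inverse(a, n):
    """a^-1 mod n by the extended Euclidean algorithm (O(log n) divisions):
    with r0 = n, r1 = a we get t*a = 1 (mod n) whenever gcd(a, n) = 1."""
    g, _, t = extended_gcd(n, a)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {g}")
    return t % n


def mod_inverse_search(a, n):
    """The O(n) method from the slide: scan x = 1..n-1 for a*x = 1 (mod n)."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    raise ValueError(f"{a} has no inverse modulo {n}")


if __name__ == "__main__":
    print(extended_gcd(240, 46))            # (2, -9, 47): -9*240 + 47*46 = 2
    print(mod_inverse(3, 11))               # 4, since 3*4 = 12 = 1 (mod 11)
    print(mod_inverse(17, 3120))            # 2753 (textbook RSA private exponent)
```

Python 3.8+ exposes the same operation as `pow(a, -1, n)`; the hand-written version is worth reading once because its running time does not depend on the size of n in the way the scan does, which is what makes modular inversion usable on thousand-bit moduli.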

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Algebraic Structures

• Why structures?
– Cryptographic transforms are normally defined within some structure

• Definition: an algebraic structure is a collection of a set S with one (or more) operations (◦) performed on the elements of S
– The different algebraic structures are ⟨S, ◦⟩ satisfying some specific conditions

Group

• Definition: A group G = ⟨S, ◦⟩ is an algebraic structure that satisfies the following conditions
– G1: ∀a,b∈S: a◦b∈S (closure rule)
– G2: ∀a,b,c∈S: (a◦b)◦c = a◦(b◦c)
– G3: ∃e∈S ∀a∈S: a◦e = e◦a = a
– G4: ∀a∈S ∃a^-1∈S: a◦a^-1 = a^-1◦a = e
– [G5, Abelian group]: ∀a,b∈S: a◦b = b◦a

Group Example

• ⟨Z, +⟩: e = 0, a^-1 = −a
• ⟨Zn, +⟩ (Zn = {0,1,…,n−1}, ‘+’ is addition modulo n): e = 0, a^-1 = n − a
• ⟨Z2, ⊕⟩ is also a group
• ⟨Zp*, ·⟩ (Zp* = {1,…,p−1}, ‘·’ is multiplication modulo p)

Group Properties

• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G1 = ⟨S1, ◦⟩ is a subgroup of the group G = ⟨S, ◦⟩ if S1 ⊆ S
• Lagrange’s Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange Theorem Proof

(1) Definition of coset: Let G be a group and H a subgroup of G. For a∈G the set aH = {ah | h∈H} is called a coset of H
(2) ∀a,b∈G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (e∈H). So the cosets together form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of Group Element

• Definition: The order of a group element a is defined as the least positive integer n such that
  a^n = a◦a◦…◦a = e
• The order of a is denoted as ord(a)
• Corollary: Suppose G is a finite group whose order is n and a∈G; then ord(a) | n

ord(a)|n Proof

• Proof
– For a group G and a∈G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G
  a^ord(a) = e, (a^i)^-1 = a^(ord(a)−i)
– This subgroup is denoted as ⟨a⟩
– Its order is ord(a), so by Lagrange’s Theorem ord(a) | n

The Generator of Group

• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group

• Example
– Consider ⟨Z7*, ·⟩
– 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
  • ⟨{1, 2, 4}⟩ is a subgroup
– 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
  • 3 is a generator

Ring

• Definition: A ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) such that
– R1: ∀a,b∈S: a+b∈S, a·b∈S (closure rule)
– R2: ⟨S, +⟩ is an additive Abelian group
– R3: ∀a,b,c∈S: (a·b)·c = a·(b·c)
– R4: ∀a,b,c∈S: a·(b+c) = a·b + a·c

• Example
– The set of even integers with + and · is a ring
– p, q are two primes and n = pq: Zn = {0,1,…,n−1} with addition and multiplication mod n is a ring

Field

• Definition: A field F is ⟨S, +, ·⟩ with
– F1: ⟨S, +, ·⟩ is a commutative ring (a·b = b·a)
– F2: There exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
– F3: Any nonzero element a∈S has a unique inverse a^-1: a·a^-1 = a^-1·a = 1

• Example
– Zn = ⟨{0,1,…,n−1}, +, ·⟩ is a field if n is a prime

Relationship

• Field: +, −, ×, ÷
• Ring: +, −, ×
• Group: +, −
• Used in cryptography

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F_{2^n}

Zn

• Zn is the “ring” of integers modulo n
– Zn = {0, 1, 2, …, n−1}
– Normal addition modulo n
– Normal multiplication modulo n

• Example
– Z26 for English
– Z256 for ASCII

Zn Properties

• Additive and multiplicative identities in Zn
– Additive identity is 0 mod n
– Multiplicative identity is 1 mod n

• Additive inverse: yes
– For every x in Zn there is a y such that x + y ≡ 0 mod n

• Multiplicative inverse: not for all x
– A y such that x·y ≡ 1 mod n
– The elements in Zn that have an inverse: {x | gcd(x,n)=1}

Zn*

• Zn* is a “group” of integers modulo n
– Zn* = {x | gcd(x,n)=1}
– |Zn*| = φ(n)
– Normal multiplication modulo n

• Zn* may not be a group over +
– Example: n = 20, 3, 5 ∈ Zn* but 3+5 = 8 ∉ Zn*

• So Zn* may not be a field

Zp

• Zp is the “field” of integers modulo p
– Zp = {0, 1, 2, …, p−1}
– Normal addition modulo p
– Normal multiplication modulo p

• Example: Z2

  +  | 0  1        ·  | 0  1        w | −w | w^-1
  ---+------       ---+------       --+----+-----
  0  | 0  1        0  | 0  0        0 |  0 |  –
  1  | 1  0        1  | 0  1        1 |  1 |  1

  (+ is XOR, · is AND)

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·x^n + a_{n−1}·x^(n−1) + … + a1·x + a0, where each ai∈R and n ≥ 0

• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: Let f(x) = x^3+x+1 and g(x) = x^2+x be elements in Z2[x]
– f(x)+g(x) = x^3+x^2+1
– f(x)−g(x) = f(x)+g(x) = x^3+x^2+1
– f(x)·g(x) = x^5+x^4+x^3+x

Set of Residues Modulo p(x)

• Definition: A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)
– p(x) is an irreducible polynomial over R

• A set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x)−b(x))

• Example
– In Z5[x]: 3x^3+4x+4 ≡ x+4 mod x^2+1
  • 3x^3+4x+4 − (x+4) = 3x^3+3x = 3x·(x^2+1)

• Definition: If a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^-1(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted as b(x) | a(x)

• Definition: a polynomial a(x) is irreducible over R if there is NO non-constant polynomial b(x)∈R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x^3+x+1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3+x+1
• For any f(x)∈Z2[x], f(x) mod p(x) ∈ S
• Example
– x^4+1 = x·x^3+1 ≡ x·(x+1)+1 = x^2+x+1 mod p(x)
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x)∈R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3+x+1) Properties

• S is a group over addition in R
– 0 is e, and the inverse of a∈S is a itself
– Example: (x^2+1) + (x^2+1) = 0

• The nonzero elements of S form a group over multiplication mod p(x)
– 1 is e, and every nonzero a∈S has an inverse
– Example: (x^2+1)·x = x^3+x ≡ (x+1)+x mod x^3+x+1 = 1
– Note: the Extended Euclidean Algorithm can be used to find the inverse

• Z2[x]/(x^3+x+1) is a field

Galois Field

• Definition: Galois field = (S, +, ·)
– S = F[x]/p(x)
– F is the field ZN (N is prime)
– + is addition in F; · is multiplication modulo p(x)
– p(x) is irreducible

• The Galois field over ZN[x]/p(x) is denoted as GF(N^n) when n = deg p(x)

Why Galois Field

• For an 8-bit block
– Z256 = {0,1,…,255} is not a field
– Z251 = {0,1,…,250} is a field
  • The largest prime < 256 is 251
  • 251, …, 255 are wasted

• Is it possible to find a field for Z256?
– Yes: a Galois field

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block

  10010111  ↔  1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
– 01010011 ↔ x^6+x^4+x+1
– (01010011)^-1 ↔ (x^6+x^4+x+1)^-1 mod p(x) = x^7+x^6+x^3+x ↔ 11001010

Galois Field Example: AES

• Example: 02·87 = ?
  • 87 = 10000111, f(x) = x^7+x^2+x+1
  • 02 = 00000010, f(x) = x
  • 02·87 ↔ x·f(x) = x·(x^7+x^2+x+1) mod p(x) = x^8 + x·(x^2+x+1) mod p(x)

• In general, for a byte b7b6b5b4b3b2b1b0:
  x·f(x) ↔ 02·(b7b6b5b4b3b2b1b0) = (b6b5b4b3b2b1b0 0)                if b7 = 0
                                   = (b6b5b4b3b2b1b0 0) ⊕ (00011011)   if b7 = 1
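The polynomial arithmetic of the last several slides as one added Python example (my code, not AES reference code): bit i of an integer is the coefficient of x^i, `poly_mul` and `poly_mod` are Z2[x] multiplication and reduction by p(x), `gf_inverse` finds a^-1 in GF(2^n) using a^(2^n − 1) = 1 (the Lagrange corollary applied to the multiplicative group), and `xtime` is the 02·b rule of this slide. It reproduces the Z2[x] product x^5+x^4+x^3+x, the GF(2^3) inverse (x^2+1)·x = 1, the AES inverse 53 → CA and 02·87. `AES_POLY` (0x11B, i.e. x^8+x^4+x^3+x+1) and `P3` (0b1011) are the slides’ moduli; the function names are mine.

```python
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES modulus p(x)
P3 = 0b1011        # x^3 + x + 1, the GF(2^3) example modulus


def poly_mul(a, b):
    """Multiply two polynomials over Z2 (carry-less multiply; bit i <-> x^i)."""
    result = 0
    while b:
        if b & 1:
            result ^= a       # addition in Z2[x] is XOR
        a <<= 1
        b >>= 1
    return result


def poly_mod(a, p):
    """Reduce a modulo p(x) over Z2 by long division (subtraction is XOR)."""
    deg_p = p.bit_length() - 1
    while a.bit_length() - 1 >= deg_p:
        a ^= p << (a.bit_length() - 1 - deg_p)
    return a


def gf_mul(a, b, p):
    """Multiplication in GF(2^n) = Z2[x]/p(x)."""
    return poly_mod(poly_mul(a, b), p)


def gf_inverse(a, p):
    """a^-1 in GF(2^n): the nonzero elements form a group of order 2^n - 1,
    so a^(2^n - 1) = 1 and a^-1 = a^(2^n - 2). Square-and-multiply."""
    if a == 0:
        raise ValueError("0 has no multiplicative inverse")
    n = p.bit_length() - 1
    result, base, e = 1, a, (1 << n) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base, p)
        base = gf_mul(base, base, p)
        e >>= 1
    return result


def xtime(b):
    """02 * b in AES's GF(2^8): shift left, and if b7 was set XOR 0x1B (x^4+x^3+x+1)."""
    b <<= 1
    if b & 0x100:
        b ^= 0x11B
    return b & 0xFF


if __name__ == "__main__":
    print(bin(poly_mul(0b1011, 0b110)))          # 0b111010 = x^5+x^4+x^3+x
    print(bin(poly_mod(0b10001, P3)))            # 0b111 = x^2+x+1 (x^4+1 mod p)
    print(gf_mul(0b101, 0b10, P3))               # 1: (x^2+1)*x = 1 in GF(2^3)
    print(hex(gf_inverse(0x53, AES_POLY)))       # 0xca
    print(hex(xtime(0x87)), hex(gf_mul(0x02, 0x87, AES_POLY)))   # 0x15 0x15
```

`xtime` and `gf_mul` must agree on every byte; that agreement is the check worth keeping in a test suite for any hand-rolled MixColumns, because a reduction bug there corrupts ciphertexts silently rather than failing loudly.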

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi∈M}
– M = {ai, i=1,2,…,N}, p(ai) ≥ 0, Σ_{i=1..N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi∈B}
– B = {bi, i=1,2,…,S}, p(bi) ≥ 0, Σ_{i=1..S} p(bi) = 1
• C = {c | c = ek(m), k∈K, m∈P}

[Figure: Sender → m → Encryption → c → Decryption → m → Receiver; the key k reaches both ends over a secure channel; cryptanalysis observes c. Key space (K), message space (P), ciphertext space (C).]

Claude Shannon

“Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung.”

R. G. Gallager

Claude Shannon, 1916–2001

Probability Distribution of C

• Pr[C = c] = Σ_{k∈K, c∈C(k)} Pr[K = k]·Pr[P = dk(c)]
– C(k) = {ek(m) | m∈P}

• Pr[C = c | P = m] = Σ_{k∈K, m = dk(c)} Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
  = (Pr(m)·Σ_{k | m = dk(c)} Pr(k)) / (Σ_{k∈K, c∈C(k)} Pr(k)·Pr(dk(c)))

Shannon Security

• Basic idea: the ciphertext should provide no “information” about the plaintext
– How to define the “information”?

• Definition: An encryption scheme is Shannon secure if the probability distribution of P is unchanged by observing C:
  ∀c, m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and ∀x∈P, ∀y∈C there is a unique key k such that ek(x) = y
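The definition of perfect secrecy and the two conditions of this theorem, checked exactly on a toy system, as an added Python example (mine, not the lecture’s). `posterior_table` evaluates the formulas of the "Probability Distribution of C" slide with exact fractions, and `has_perfect_secrecy` tests ∀c,m: Pr[P=m | C=c] = Pr[P=m]. The cipher is a shift on Z4 and the three constructed key distributions (uniform, skewed, and only two keys) are my own; they are chosen to show both conditions of the theorem failing separately.

```python
from fractions import Fraction
from itertools import product


def shift_encrypt(k, m, n=4):
    """Toy cipher on Z_n (constructed example): e_k(m) = m + k mod n."""
    return (m + k) % n


def posterior_table(plain_dist, key_dist, enc):
    """Pr[C=c] and Pr[P=m | C=c] from the slide's formulas:
       Pr[C=c] = sum over (k, m) with e_k(m)=c of Pr[K=k]*Pr[P=m]
       Pr[P=m | C=c] = Pr[C=c | P=m]*Pr[P=m] / Pr[C=c]."""
    pr_c, joint = {}, {}
    for (m, pm), (k, pk) in product(plain_dist.items(), key_dist.items()):
        c = enc(k, m)
        pr_c[c] = pr_c.get(c, 0) + pk * pm
        joint[(m, c)] = joint.get((m, c), 0) + pk * pm   # = Pr[C=c | P=m] * Pr[P=m]
    posterior = {mc: joint[mc] / pr_c[mc[1]] for mc in joint}
    return pr_c, posterior


def has_perfect_secrecy(plain_dist, key_dist, enc):
    """The Shannon-security definition: for all c, m, Pr[P=m | C=c] == Pr[P=m]."""
    pr_c, posterior = posterior_table(plain_dist, key_dist, enc)
    return all(posterior.get((m, c), Fraction(0)) == pm
               for m, pm in plain_dist.items() for c in pr_c)


# Constructed distributions. The plaintext distribution is deliberately skewed.
PLAIN = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
UNIFORM_KEYS = {k: Fraction(1, 4) for k in range(4)}          # both conditions hold
SKEWED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 6),
               2: Fraction(1, 6), 3: Fraction(1, 6)}          # keys not equiprobable
TWO_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 2)}             # |K| = 2 < |P| = 4


if __name__ == "__main__":
    print(has_perfect_secrecy(PLAIN, UNIFORM_KEYS, shift_encrypt))   # True
    print(has_perfect_secrecy(PLAIN, SKEWED_KEYS, shift_encrypt))    # False
    print(has_perfect_secrecy(PLAIN, TWO_KEYS, shift_encrypt))       # False
```

With `TWO_KEYS`, some (m, c) pairs never occur at all, so Pr[P=m | C=c] = 0 for a message of positive probability; that is the "bad news" theorem (|K| ≥ |P|) seen from the other side.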

Proof of ⇐ (the two conditions imply perfect secrecy)

• Pr[x = x | y = y] = Σ_{k∈K, x = dk(y)} Pr[K = k]·Pr[x = x] / Σ_{k∈K, y∈C(k)} Pr[K = k]·Pr[x = dk(y)]

• Numerator: Σ_{k∈K, x = dk(y)} Pr[K = k] = 1/|K| (unique key), so the numerator is Pr[x = x] / |K|
• Denominator: Σ_{k∈K, y∈C(k)} Pr[K = k]·Pr[x = dk(y)] = 1/|K| · Σ_{k∈K, y∈C(k)} Pr[x = dk(y)] = 1/|K| · Σ_{x∈P} Pr[x = x] = 1/|K|
• Hence Pr[x = x | y = y] = Pr[x = x]

Proof of ⇒ (perfect secrecy implies the conditions), part 1

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• For fixed x∈P, y∈C we have Pr[y | x] = Pr[y] > 0; thus there exists at least one k that satisfies ek(x) = y
• |{ek(x) | k∈K}| = |C| = |K|
– There are no k1 ≠ k2 with ek1(x) = ek2(x)
– There is a unique key k such that ek(x) = y

Proof of ⇒, part 2

• Let n = |K| and P = {xi | 1≤i≤n}
• Given a fixed y, let k1, k2, …, kn be the keys with eki(xi) = y
• Pr[xi | y] = Pr[y | xi]·Pr[xi] / Pr[y] = Pr[K = ki]·Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
– Every key is used with equal probability 1/|K|

“Bad News” for Perfect Secrecy

• Theorem: Let the plaintext space P have size n. Any cipher with perfect secrecy has |K| ≥ n

• Proof
– Consider a nonzero probability distribution of P
– Given any C = c, for every m: Pr[P=m | C=c] = Pr[P=m] > 0, thus there must exist one key that decrypts c into m
– As one key can decrypt c into only one message, at least n keys are needed

Introduction of the Complexity

• Perfect secrecy: key-length ≥ msg-length
– Can NOT use one key to encrypt many messages
– Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
– NOT perfect secrecy
– IS secure under limited resources (complexity)
– Means that key (or plaintext) recovery is difficult
– Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
– Name: GCD problem
– Instance: Two natural numbers a, b ∈ N
– Question: What is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is δ: S×B → S×B×{l, r}
– Where S is the set of states, B the tape characters, l is shift left, r is shift right

[Figure: tape … 0 1 1 0 0 0 1 1 … read and written by a state machine]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

[Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (based on the TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
– Logarithmic functions: f(n) = log(n)
– Polynomial functions: f(n) = n^a, a∈N
– Exponential functions: f(n) = Ω(a^n), a∈N, and there exists b∈N with f(n) = O(b^n)

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, or the least complexity over all algorithms
– The complexity of a problem is much more difficult to establish
– It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable: provably intractable
– There is no algorithm that solves it
– Such as the Turing Halting Problem

• Decidable
– P: can be solved in polynomial time using a DTM
  • Example: A×B
– NP: can be solved in polynomial time using an NDTM, δ: S×B → 2^(S×B×{l, r})
– BPP: can be “solved” in polynomial time using a PTM, δ: S×B×{0,1} → S×B×{l, r} (randomized algorithms)

NP Problem

• NP ⊇ P: A problem is solved by an NDTM if the NDTM produces “YES” whenever there is a solution

• Remark
– P problems ⊆ NP problems
– NP problems are “more difficult” by intuition

• NPC: the most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy problems

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are all the ‘yes’ instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
– Q2 is at least as complex as Q1
– Denoted as Q1 ≤poly Q2

NP Completeness (NPC)

• Definition: The NPC problems are the Qc such that for any Q∈NP we have Q ≤poly Qc

• Example
– Name: Satisfiability problem (SAT)
– Instance: A set U of variables and a collection C of clauses over U
– Question: Is there a satisfying truth assignment for C?

• How to prove a problem Q ∈ NPC
– SAT ≤poly Q

P=NP?

• P=NP, or ∃p∈NP with p∉P?

• If P=NP
– Modern cryptography is NOT secure

• If ∃p∈NP with p∉P
– A one-way function can be built based on p
– Indistinguishable pseudorandom functions exist
– They are the foundations of modern cryptography

BPP

• There are random algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for random algorithms

• Remarks on BPP
– The problem can be solved with some error probability
– The error probability can be reduced by repetition
– The security of cryptography is meaningful under BPP
– Will be analyzed in depth later

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Find x satisfying g^x ≡ h (mod p)
• DHP: Find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of semantic security
– Between Shannon security and security based on complexity
– Leaks partial information
– Approximates perfect secrecy

• Definition of semantic security
– Indistinguishability of ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

  Challenger                              Adversary
  picks random k and
  picks random b ∈ {0,1}
                           ←  picks M0, M1 of equal length
                           →  challenge ciphertext c = ek(Mb)
                           ←  outputs a guess b'
  Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

  Challenger                              Adversary
  1. picks random k
  2. picks random M
                           →  c = ek(M)
                           ←  3. picks i, outputs a
  Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
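The two games and the reduction sketched in this proof, as an added Python example (mine, not the lecture’s). Win probabilities are computed exactly by enumerating every key and coin on 4-bit messages rather than by sampling. Two constructed ciphers stand in for "a cipher": a one-time pad, and a deliberately leaky pad whose key always has bit 0 clear, so the ciphertext exposes bit 0 of the message. `ind_adversary_from_bit_adversary` is the reduction: it submits M1 = complement of M0, runs the bit attacker on the challenge, and outputs 0 exactly when the guessed bit matches M0. All names and the message width are my choices.

```python
from fractions import Fraction
from itertools import product

BITS = 4                     # message/key width of the toy ciphers (constructed)
ALL = range(1 << BITS)


def otp_encrypt(k, m):
    """One-time pad on BITS bits: bit secure and IND secure against eavesdroppers."""
    return m ^ k


def leaky_encrypt(k, m):
    """Constructed weak cipher: key bit 0 is forced to 0, so c bit 0 == m bit 0."""
    return m ^ (k & ~1)


def bit_adversary(c):
    """A bit-security attacker: picks i = 0 and guesses a = bit 0 of c."""
    return 0, c & 1


def bit_game_win_prob(encrypt, adversary):
    """Exact win probability in the bit-security game over uniform k and M."""
    wins = 0
    for k, m in product(ALL, ALL):
        i, a = adversary(encrypt(k, m))
        wins += a == (m >> i) & 1
    return Fraction(wins, len(ALL) ** 2)


def ind_adversary_from_bit_adversary(bit_adv):
    """The reduction: an IND adversary (choose, guess) built from a bit attacker."""
    def choose():
        m0 = 0b0101                       # any M0; M1 differs from it in every bit
        return m0, m0 ^ ((1 << BITS) - 1)

    def guess(m0, m1, c):
        i, a = bit_adv(c)                 # run the bit attacker on the challenge
        return 0 if a == (m0 >> i) & 1 else 1
    return choose, guess


def ind_game_win_prob(encrypt, choose, guess):
    """Exact win probability in the IND game over uniform k and b."""
    wins = 0
    m0, m1 = choose()
    for k, b in product(ALL, (0, 1)):
        c = encrypt(k, m1 if b else m0)
        wins += guess(m0, m1, c) == b
    return Fraction(wins, 2 * len(ALL))


if __name__ == "__main__":
    choose, guess = ind_adversary_from_bit_adversary(bit_adversary)
    for name, enc in (("otp", otp_encrypt), ("leaky", leaky_encrypt)):
        print(name, bit_game_win_prob(enc, bit_adversary),
              ind_game_win_prob(enc, choose, guess))   # otp 1/2 1/2, leaky 1 1
```

The reduction preserves the advantage exactly: whatever edge the bit attacker has (here, ε = 1/2 against the leaky cipher and ε = 0 against the pad) reappears as the IND adversary's edge, which is the content of the theorem.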

Summary

• Number Theory
– Prime, gcd, Euler’s Theorem, CRT
– Modular arithmetic

• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)

• Shannon Security
– Perfect secrecy
– Probability

• Complexity of Computing
– P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date:

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 24

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 +)

What

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )

NOT all elements in Z8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n

bull ((-a)+a+b) ((-a)+a+c) mod n

bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8

ndash When

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n

bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists

bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=

0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Example: Z2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 ≡ x(x + 1) + 1 = x^2 + x + 1 mod p(x)   (since x^3 ≡ x + 1 mod p(x))
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1): Properties

• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S \ {0} is a group over multiplication mod p(x)
  – 1 is e, and the inverse of every nonzero a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3 + x + 1) is a Field

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is a field Z_N (N is prime)
  – + is addition in F; · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted GF(N^n) when n = deg p(x)

Why Galois Field

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • The values 251, …, 255 are wasted
• Is it possible to find a field with 256 elements, i.e. for Z256?
  – Yes: a Galois Field

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
    10010111  ↔  1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^{-1} ↔ (x^6 + x^4 + x + 1)^{-1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: compute 02 · 87
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ f(x) = x
  • 02 · 87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x)
              = x^8 + x(x^2 + x + 1) mod p(x)
              = (x^4 + x^3 + x + 1) + (x^3 + x^2 + x) = x^4 + x^2 + 1 ↔ 00010101   (using x^8 ≡ x^4 + x^3 + x + 1 mod p(x))
• In general, for a byte b7 b6 b5 b4 b3 b2 b1 b0, multiplication by x (i.e. by 02) is
    x·f(x) ↔ (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
    x·f(x) ↔ (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)     if b7 = 1
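The polynomial arithmetic of the last several slides, from Z2[x] through Z2[x]/(x^3 + x + 1) to the AES field GF(2^8), is small enough to implement in full. The following is an added example written for this transcript, not code from the lecture or from any AES implementation. Polynomials over Z2 are encoded as Python ints (bit i is the coefficient of x^i), inverses are found with the extended Euclidean algorithm on polynomials that the slide mentions, and the AES "multiply by 02" shortcut is implemented exactly as the rule above states. The field polynomials x^3 + x + 1 and x^8 + x^4 + x^3 + x + 1 and the sample bytes 53 and 87 are the slides' own; everything else is constructed.

```python
def poly_deg(a):
    """Degree of an int-encoded Z_2[x] polynomial (bit i <-> coefficient of x^i); deg(0) = -1."""
    return a.bit_length() - 1


def poly_str(a):
    """Render the byte <-> polynomial mapping of the slides, e.g. 0b10010111 -> 'x^7 + x^4 + x^2 + x + 1'."""
    if a == 0:
        return "0"
    terms = [("1" if i == 0 else "x" if i == 1 else f"x^{i}")
             for i in range(poly_deg(a), -1, -1) if (a >> i) & 1]
    return " + ".join(terms)


def poly_add(a, b):
    """Addition in Z_2[x] is coefficient-wise XOR; subtraction is the same operation."""
    return a ^ b


def poly_mul(a, b):
    """Schoolbook multiplication in Z_2[x] with no reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a, b):
    """Long division in Z_2[x]: returns (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, poly_deg(b)
    while a and poly_deg(a) >= db:
        shift = poly_deg(a) - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def gf_mul(a, b, p):
    """Multiplication in GF(2^n) = Z_2[x]/p(x): multiply, then reduce modulo p."""
    return poly_divmod(poly_mul(a, b), p)[1]


def gf_inv(a, p):
    """Inverse in Z_2[x]/p(x) by the extended Euclidean algorithm on polynomials.
    Loop invariant: t_i * a ≡ r_i (mod p); when r_i becomes 1, t_i is the inverse.
    If p is not irreducible the remainder can reach 0 first, and poly_divmod raises."""
    a = poly_divmod(a, p)[1]
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1, t0, t1 = p, a, 0, 1
    while r1 != 1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ poly_mul(q, t1)
    return poly_divmod(t1, p)[1]


AES_P = 0b1_0001_1011  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial (0x11B)


def aes_xtime(byte):
    """The slide's rule for multiplying a byte by 02 in GF(2^8): shift left, and XOR 00011011 if b7 was 1."""
    shifted = byte << 1
    return shifted ^ 0x11B if shifted & 0x100 else shifted


if __name__ == "__main__":
    P3 = 0b1011  # x^3 + x + 1
    print("10010111 <->", poly_str(0b10010111))
    print("(x^2+1) * x mod x^3+x+1 =", gf_mul(0b101, 0b010, P3))
    print("inverse of 53 in AES field = %02x" % gf_inv(0x53, AES_P))
    print("02 * 87 = %02x (xtime) = %02x (general)" % (aes_xtime(0x87), gf_mul(0x02, 0x87, AES_P)))
```

Both routes to 02 · 87 agree, which is the point of the slide's shortcut: reducing x^8 by p(x) is the same as XORing in the low byte 00011011 of p(x) whenever the shift carries out of bit 7. The inverse of 53 comes out as CA, matching the previous slide.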

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ M}

[Figure: Sender --m--> Encryption --c--> Decryption --m--> Receiver; the key k reaches both ends over a Secure Channel; Cryptanalysis observes c. Labels: Key Space (K), Message Space (P), Ciphertext Space (C)]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
  – R. G. Gallager

Claude Shannon, 1916-2001

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c]
    = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
    = ( Pr(m) · Σ_{k | m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)) )

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for any probability distribution of P,
    ∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Proof of (⇐)

• Pr[x = x | y = y] = Σ_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[x = x]  /  Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)]
• Numerator: Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|   (exactly one key maps x to y, and each key has probability 1/|K|)
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)]
    = (1/|K|) · Σ_{k ∈ K, y ∈ C(k)} Pr[x = d_k(y)] = (1/|K|) · Σ_{x ∈ P} Pr[x = x] = 1/|K|
• Hence Pr[x = x | y = y] = (1/|K|) · Pr[x = x] / (1/|K|) = Pr[x = x]

Proof of (⇒), part 1

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• For fixed x ∈ P and y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – There is a unique key k such that e_k(x) = y

Proof of (⇒), part 2

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with e_{k_i}(x_i) = y
• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = k_i] · Pr[x_i] / Pr[y]
• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
  – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n. Any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a nonzero probability distribution of P (Pr[P = m] > 0 for every m)
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
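The probability formulas of the "Probability Distribution of C" slide, Shannon's definition, and the two theorems above can all be exercised on a cipher small enough to enumerate. The following is an added example written for this transcript, not code from the lecture. It uses a constructed shift cipher on Z_n (e_k(m) = m + k mod n) with exact rational arithmetic, computes Pr[C = c] and Pr[P = m | C = c] by summing over (key, message) pairs exactly as the slide's sums do, and then checks perfect secrecy under a uniform key distribution, under a biased key distribution, and under a key space smaller than the message space (the "bad news" case). The plaintext distribution and key biases are constructed sample values.

```python
from fractions import Fraction


def shift_cipher(n):
    """Constructed toy cipher: P = K = C = Z_n, e_k(m) = m + k mod n (so d_k(c) = c - k mod n)."""
    P = K = C = list(range(n))
    return P, K, C, (lambda k, m: (m + k) % n)


def ciphertext_distribution(P, K, enc, pr_p, pr_k):
    """Pr[C = c] and Pr[P = m | C = c], following the slide:
    Pr[C=c] = sum over (k, m) with e_k(m) = c of Pr[K=k] * Pr[P=m]
    Pr[P=m|C=c] = Pr[C=c|P=m] * Pr[P=m] / Pr[C=c], with Pr[C=c|P=m] = sum of Pr[K=k] over k with d_k(c) = m.
    Only ciphertexts with Pr[C=c] > 0 appear in the result."""
    pr_c, joint = {}, {}
    for m in P:
        for k in K:
            w = pr_k[k] * pr_p[m]
            if w == 0:
                continue
            c = enc(k, m)
            pr_c[c] = pr_c.get(c, Fraction(0)) + w
            joint[(m, c)] = joint.get((m, c), Fraction(0)) + w
    posterior = {(m, c): w / pr_c[c] for (m, c), w in joint.items()}
    return pr_c, posterior


def has_perfect_secrecy(P, K, enc, pr_p, pr_k):
    """Shannon's definition: Pr[P=m | C=c] == Pr[P=m] for every c with Pr[C=c] > 0 and every m."""
    pr_c, post = ciphertext_distribution(P, K, enc, pr_p, pr_k)
    return all(post.get((m, c), Fraction(0)) == pr_p[m] for c in pr_c for m in P)


def unique_key_condition(P, C, K, enc):
    """The combinatorial half of the theorem: for every x in P and y in C exactly one k has e_k(x) = y."""
    return all(sum(1 for k in K if enc(k, x) == y) == 1 for x in P for y in C)


def uniform(S):
    """Uniform distribution over a finite set, as exact fractions."""
    return {s: Fraction(1, len(S)) for s in S}


if __name__ == "__main__":
    P, K, C, enc = shift_cipher(4)
    # constructed, deliberately non-uniform plaintext distribution
    skewed = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
    # constructed biased key distribution: key 0 is twice as likely as the others
    biased = {0: Fraction(2, 5), 1: Fraction(1, 5), 2: Fraction(1, 5), 3: Fraction(1, 5)}
    print("uniform keys, |K| = |P|:", has_perfect_secrecy(P, K, enc, skewed, uniform(K)))
    print("unique-key condition holds:", unique_key_condition(P, C, K, enc))
    print("biased keys:", has_perfect_secrecy(P, K, enc, skewed, biased))
    print("only keys {0, 1}:", has_perfect_secrecy(P, [0, 1], enc, skewed, uniform([0, 1])))
    pr_c, post = ciphertext_distribution(P, K, enc, skewed, biased)
    print("Pr[P=0 | C=0] with biased keys =", post[(0, 0)], "vs Pr[P=0] =", skewed[0])
```

With uniform keys the posterior equals the prior for every (m, c), whatever the plaintext distribution. Biasing key 0 raises Pr[P = 0 | C = 0] to 2/3 against a prior of 1/2, and shrinking the key space to two keys makes some plaintexts impossible given a ciphertext, which is exactly the |K| ≥ n argument of the theorem.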

Introduction of the Complexity

• Perfect secrecy ⇒ key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is δ: S × B → S × B × {l, r}
  – Where S is the set of states, B the set of characters, l is shift left and r is shift right

[Figure: a tape "… 0 1 1 0 0 0 1 1 …" read by a State Machine]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output]

Complexity of Algorithm

• Definition: The time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: A × B
  – NP – can be solved in polynomial time using an NDTM, δ: S × B → 2^(S × B × {l, r})
  – BPP – can be "solved" in polynomial time using a PTM, δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)

NP Problem

• NP ⊇ P: A problem is solved by the NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P Problem ⊆ NP Problem
  – NP Problem is "more difficult", from intuition
• NPC: The most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are their sets of 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is more complex than Q1
  – Denoted Q1 ≤_poly Q2

NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC
  – Show SAT ≤_poly Q

P = NP?

• P = NP, or ∃p ∈ NP, p ∉ P
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP, p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Find x satisfying g^x ≡ h (mod p)
• DHP: Find g^{ab} (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)
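The problems listed above are all easy to state and easy to solve by exhaustive search on small instances; what makes them cryptographically useful is that the search cost grows with the size of the modulus. The following is an added example written for this transcript, not code from the lecture: brute-force solvers for FACTORING, DLP, DHP (via the DLP), QRP, SQROOT and Subset-Sum on constructed small instances (p = 23 with generator 5, n = 15, the list A = {3, 34, 4, 12, 5, 2}). For QRP it also shows Euler's criterion, which decides the question in polynomial time for a prime modulus, so that the contrast between a search and a genuine algorithm is visible.

```python
def dlp_bruteforce(g, h, p):
    """DLP: the smallest x with g^x ≡ h (mod p), by exhaustive search over exponents (about p steps)."""
    for x in range(p - 1):
        if pow(g, x, p) == h % p:
            return x
    return None


def dhp_via_dlp(g, ga, gb, p):
    """DHP: recover g^(ab) mod p from g^a and g^b by first solving the DLP for a."""
    a = dlp_bruteforce(g, ga, p)
    return None if a is None else pow(gb, a, p)


def is_quadratic_residue(a, n):
    """QRP by exhaustive search: is there an x with x^2 ≡ a (mod n)?"""
    return any((x * x) % n == a % n for x in range(n))


def euler_criterion(a, p):
    """QRP for an odd prime p and gcd(a, p) = 1 in polynomial time: a is a QR iff a^((p-1)/2) ≡ 1 (mod p)."""
    return pow(a, (p - 1) // 2, p) == 1


def sqrt_mod(a, n):
    """SQROOT by exhaustive search: all x in Z_n with x^2 ≡ a (mod n). A composite n can have more than two roots."""
    return [x for x in range(n) if (x * x) % n == a % n]


def subset_sum(A, s):
    """Subset-Sum by dynamic programming over reachable sums; returns a witness subset or None."""
    reach = {0: []}
    for a in A:
        for t, subset in list(reach.items()):  # snapshot, so each a is used at most once
            if t + a <= s and t + a not in reach:
                reach[t + a] = subset + [a]
    return reach.get(s)


def trial_factor(n):
    """FACTORING by trial division: returns {p: e} with n = product of p^e."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


if __name__ == "__main__":
    p, g = 23, 5  # constructed instance: 5 is a generator of Z_23^*
    print("DLP: log_5(8) mod 23 =", dlp_bruteforce(g, 8, p))
    print("DHP: shared secret from 5^a=8, 5^b=19:", dhp_via_dlp(g, 8, 19, p))
    print("QRP: 4 mod 7 ->", is_quadratic_residue(4, 7), euler_criterion(4, 7),
          "; 3 mod 7 ->", is_quadratic_residue(3, 7), euler_criterion(3, 7))
    print("SQROOT: roots of 4 mod 15 =", sqrt_mod(4, 15))
    print("Subset-Sum: 9 from [3,34,4,12,5,2] ->", subset_sum([3, 34, 4, 12, 5, 2], 9))
    print("FACTORING: 360 =", trial_factor(360))
```

The DHP solver illustrates the relationship the slide hints at between the two Diffie-Hellman problems: anyone who can solve the DLP can solve the DHP. The four square roots of 4 modulo 15 (a composite modulus) are the reason SQROOT modulo n is tied to FACTORING, whereas modulo a prime there are at most two.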

Semantic Security

• Ideas of Semantic Security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of Semantic Security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish a ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

    Challenger                          Adversary
    picks random k and                  picks M0, M1 of equal length
    picks random b ∈ {0, 1}             ←— M0, M1
    —→ encryption of M_b                outputs a guess b'

  Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

    Challenger                          Adversary
    1. Picks random k
    2. Picks random M                   3. Picks i
    —→ encryption of M                  outputs a guess a

  Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
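The proof sketched on the slide is a reduction, and the reduction can be run. The following is an added example written for this transcript, not code from the lecture: it plays both games (IND-CPA and bit security, as defined on the two preceding slides) against two constructed toy ciphers, a one-time-pad style XOR with a fresh random key, and a deliberately broken variant whose key always has bit 0 clear so that bit 0 of the plaintext shows through in the ciphertext. A bit-security adversary that reads that bit is turned into an IND-CPA adversary exactly as the proof prescribes: it asks the bit adversary for its index i, submits M0 and M1 that differ only in bit i, and forwards the bit adversary's guess as b'. Block size, the leak position and the random seeds are constructed parameters.

```python
import random

BLOCK = 16  # message and key length in bytes (constructed toy parameter)


def rand_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))


def get_bit(m, i):
    return (m[i // 8] >> (i % 8)) & 1


def set_bit(m, i, v):
    b = bytearray(m)
    b[i // 8] = (b[i // 8] & ~(1 << (i % 8))) | (v << (i % 8))
    return bytes(b)


class OneTimePad:
    """Toy cipher: XOR the message with a fresh uniformly random key of the same length (constructed)."""
    def keygen(self, rng):
        return rand_bytes(rng, BLOCK)

    def enc(self, k, m):
        return bytes(a ^ b for a, b in zip(k, m))


class LeakyPad(OneTimePad):
    """Constructed to be insecure: bit 0 of the key is always 0, so ciphertext bit 0 equals plaintext bit 0."""
    def keygen(self, rng):
        return set_bit(rand_bytes(rng, BLOCK), 0, 0)


class BitAttacker:
    """Bit-security adversary: asks for bit i = 0 and reads it straight off the ciphertext."""
    def choose_i(self):
        return 0

    def guess(self, c, i):
        return get_bit(c, i)


def bit_game(cipher, attacker, rng, trials):
    """The bit-security game of the slide: random k and M, adversary picks i, sees E_k(M), guesses bit i."""
    wins = 0
    for _ in range(trials):
        k, m = cipher.keygen(rng), rand_bytes(rng, BLOCK)
        i = attacker.choose_i()
        wins += attacker.guess(cipher.enc(k, m), i) == get_bit(m, i)
    return wins / trials


class IndCpaFromBit:
    """The reduction from the proof: an IND-CPA adversary built from a bit-security adversary."""
    def __init__(self, bit_attacker):
        self.ba = bit_attacker

    def choose(self, rng):
        i = self.ba.choose_i()
        m0 = rand_bytes(rng, BLOCK)
        # M0 and M1 are equal length and differ only in bit i, so bit i of M_b is exactly b
        return set_bit(m0, i, 0), set_bit(m0, i, 1), i

    def guess(self, c, i):
        return self.ba.guess(c, i)  # the bit adversary's answer is the guess b'


def ind_cpa_game(cipher, adversary, rng, trials):
    """The IND-CPA game of the slide: random k and b, adversary submits M0, M1, sees E_k(M_b), guesses b."""
    wins = 0
    for _ in range(trials):
        k, b = cipher.keygen(rng), rng.getrandbits(1)
        m0, m1, state = adversary.choose(rng)
        wins += adversary.guess(cipher.enc(k, m1 if b else m0), state) == b
    return wins / trials


def experiment(trials=500, seed=2024):
    """Both games against both toy ciphers with a fixed seed; returns the four win rates."""
    rng = random.Random(seed)
    bit = BitAttacker()
    return {
        "bit_leaky": bit_game(LeakyPad(), bit, rng, trials),
        "indcpa_leaky": ind_cpa_game(LeakyPad(), IndCpaFromBit(bit), rng, trials),
        "bit_otp": bit_game(OneTimePad(), bit, rng, trials),
        "indcpa_otp": ind_cpa_game(OneTimePad(), IndCpaFromBit(bit), rng, trials),
    }


if __name__ == "__main__":
    for name, rate in experiment().items():
        print(f"{name}: win rate {rate:.3f}")
```

Against the leaky cipher both adversaries win every time, and against the XOR pad both sit at about one half, as the theorem predicts. The detail that makes the reduction legitimate is in `choose`: because M0 is uniformly random and b is uniformly random, the challenge plaintext M_b is itself a uniformly random message, so the bit adversary sees exactly the distribution its own game promised it, and its advantage carries over unchanged.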

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL
  http://cst.hit.edu.cn/cryptography
• Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 25

Modular Arithmetic Examplebull (Z8=0 1 2 hellip 7 )

NOT all elements in Z8

Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

bull Additive Inverse Always Existsndash (a+(-a)) = 0 mod n -a = n-andash if (a+b) (a+c) mod n then b c mod n

bull ((-a)+a+b) ((-a)+a+c) mod n

bull Multiplicative Inverse NOT Always Existsndash Example 6 in Z8

ndash When

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n

bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists

bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=

0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

• NP problem: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", by intuition

• NPC: The most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and I1⁺ and I2⁺ are their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1⁺ iff f(x) ∈ I2⁺

• Note
  – Q2 is more complex than Q1
  – Denoted as Q1 ≤poly Q2

Zhijun Li S1034040Autumn08HIT 89

NP Completeness (NPC)

• Definition: The NPC problems are the Qc such that for any Q ∈ NP we have Q ≤poly Qc

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC: show SAT ≤poly Q

Zhijun Li S1034040Autumn08HIT 90

P = NP

• P = NP, or ∃p ∈ NP, p ∉ P

• If P = NP
  – Modern cryptography is NOT secure

• If ∃p ∈ NP, p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms

• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)

• DLP: Find the exponent x such that the given base raised to x is congruent to the given value (mod p)

• DHP: Find the base raised to ab (mod p) from the base raised to a (mod p) and the base raised to b (mod p)

• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: Decide whether a is a quadratic residue modulo n

• SQROOT: Find x satisfying x² ≡ a (mod n)

Zhijun Li S1034040Autumn08HIT 93

Semantic Security

• Ideas of Semantic Security
  – Between Shannon security and security based on complexity
  – Leak partial information
  – Approximate perfect secrecy

• Definition of Semantic Security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish a ciphertext from random bits

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

  Challenger                                    Adversary
  picks random k and random b ∈ {0, 1}
                                                picks M0, M1 of equal length
  [sends the ciphertext of M_b]
                                                [outputs a guess b']

  Attacker wins the game if b = b'

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

  Challenger                          Adversary
  1. Picks random k
  2. Picks random M
                                      3. Picks i
  [sends the ciphertext of M]
                                      [outputs a guess a]

  Attacker wins the game if a = the i'th bit of M

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date


Zhijun Li S1034040Autumn08HIT 26

Modular Arithmetic Remark

• Additive inverse: always exists
  – (a + (−a)) ≡ 0 mod n, −a ≡ n − a
  – if (a + b) ≡ (a + c) mod n then b ≡ c mod n
    • ((−a) + a + b) ≡ ((−a) + a + c) mod n

• Multiplicative inverse: does NOT always exist
  – Example: 6 in Z8
  – When?

Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

• Definition: a⁻¹ mod n is the multiplicative inverse of a ∈ {1, 2, …, n−1}: the x with a·x ≡ 1 mod n

• Theorem: a⁻¹ mod n exists if and only if gcd(a, n) = 1

• Lemma: If gcd(a, n) = 1 then a·i ≢ a·j mod n for all 0 ≤ i < j < n (i ≠ j)
  – Proof: assume a·i ≡ a·j mod n ⇒ n | a·(i − j) ⇒ n | (i − j) ⇒ i − j = 0, a contradiction

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

• Proof
  – (⇐) gcd(a, n) = 1 ⇒ {a·1, …, a·(n−1)} mod n is a permutation of {1, …, n−1}
  – So there exists exactly one i with a·i ≡ 1 mod n
  – Therefore i is a⁻¹ mod n
  – (⇒) Suppose a⁻¹ exists, call it x
  – a·x ≡ 1 (mod n) ⇒ a·x + y·n = 1 for some integer y
  – ⇒ gcd(a, n) = 1 (since gcd(a, n) | a·x + y·n ⇒ gcd(a, n) | 1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

• Euler's "phi" function φ(n)
  – is the number of invertible elements of Zn
  – is the number of elements in the reduced set of residues modulo n

φ(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

• Theorem: let n1, n2, …, nk be integers s.t. gcd(ni, nj) = 1 (i ≠ j). The system

  x ≡ a1 mod n1
  x ≡ a2 mod n2
  ……
  x ≡ ak mod nk

  has a unique solution x modulo n = n1·n2·…·nk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

• Consider the one-to-one map Zn → Zn1 × Zn2 × … × Znk given by
  x ↦ (x mod n1, x mod n2, …, x mod nk)
  – CRT is finding the inverse map (a1, a2, …, ak) ↦ x, namely

  $x = \sum_{i=1}^{k} a_i m_i y_i \bmod n$

  – mi = n / ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
  – yi = mi⁻¹ mod ni, 1 ≤ i ≤ k
  – mi ≡ 0 mod nj for j ≠ i ⇒ ai·mi·yi ≡ 0 mod nj for j ≠ i
  – yj ≡ mj⁻¹ mod nj ⇒ mj·yj ≡ 1 mod nj ⇒ aj·mj·yj ≡ aj mod nj

  Hence x mod nj = aj for every j

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)

• Proof
  – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – So φ(mn) = φ(m)·φ(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

φ(n) calculation for $n = \prod_{i=1}^{k} p_i^{e_i}$

• φ(p) = p − 1, φ(p^e) = p^e − p^{e−1}
  – The numbers k·p, k = 1, …, p^{e−1} − 1, have gcd(k·p, p^e) ≥ p
  – So φ(p^e) = (p^e − 1) − (p^{e−1} − 1)

• $\varphi\left(\prod_{i=1}^{k} p_i^{e_i}\right) = \prod_{i=1}^{k}\left(p_i^{e_i} - p_i^{e_i - 1}\right)$

• $\varphi(n) = n\left(1 - \frac{1}{p_1}\right)\left(1 - \frac{1}{p_2}\right)\cdots\left(1 - \frac{1}{p_k}\right)$

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

• Theorem: If gcd(a, n) = 1 then a^{φ(n)} ≡ 1 mod n

• Proof
  1. Let R = {r1, r2, …, r_{φ(n)}} be a reduced set of residues modulo n
  2. {a·r1, a·r2, …, a·r_{φ(n)}} is a permutation of R (since gcd(a·ri, n) = 1)
  3. $\prod_{i=1}^{\varphi(n)} r_i \equiv \prod_{i=1}^{\varphi(n)} a\,r_i \equiv a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} r_i \pmod{n}$
  4. $\gcd\left(\prod_{i=1}^{\varphi(n)} r_i,\ n\right) = 1$, so the product can be cancelled. Hence a^{φ(n)} ≡ 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

• From Euler's Theorem:
  Let n = p where p is a prime.
  Because gcd(a, p) = 1 for all 0 < a < p, we get
  a^{p−1} ≡ 1 mod p
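The φ(n) formula and the permutation argument of Euler's Theorem, checked in code. This is an added example, not from the lecture slides: φ is computed two ways (by counting the reduced residues, as in its definition, and by the product formula applied to a factorization supplied as a dict), and `euler_theorem_holds` reproduces step 2 of the proof by verifying that a·R is a permutation of R before checking a^{φ(n)} ≡ 1. The sample modulus 3120 = 2⁴·3·5·13 is chosen here; Fermat's case is p = 7.

```python
# Added example (not from the slides): Euler's phi from its definition,
# the product formula from the "Finding Euler's phi Function" slide,
# and a check of Euler's/Fermat's theorem that follows the proof.
from math import gcd

def reduced_residues(n):
    """R = {r : 1 <= r < n, gcd(r, n) = 1}; |R| = phi(n) by definition."""
    return [r for r in range(1, n) if gcd(r, n) == 1]

def phi_from_factorization(factors):
    """phi(prod p^e) = prod (p^e - p^(e-1)) for factors = {p: e, ...}."""
    result = 1
    for p, e in factors.items():
        result *= p**e - p**(e - 1)
    return result

def euler_theorem_holds(a, n):
    """For gcd(a, n) = 1: a*R is a permutation of R (step 2 of the proof),
    so prod(R) ≡ a^phi(n) * prod(R) (mod n) and a^phi(n) ≡ 1 (mod n)."""
    if gcd(a, n) != 1:
        return False                      # theorem does not apply
    R = reduced_residues(n)
    permuted = sorted((a * r) % n for r in R)
    if permuted != R:                     # cannot happen when gcd(a, n) = 1
        return False
    return pow(a, len(R), n) == 1

def fermat_holds(a, p):
    """Fermat's Little Theorem: a^(p-1) ≡ 1 (mod p) for prime p and 0 < a < p."""
    return pow(a, p - 1, p) == 1

if __name__ == "__main__":
    print(len(reduced_residues(3120)))                              # 768
    print(phi_from_factorization({2: 4, 3: 1, 5: 1, 13: 1}))        # 768
    print(euler_theorem_holds(17, 3120), fermat_holds(3, 7))        # True True
```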

Zhijun Li S1034040Autumn08HIT 36

Finding a⁻¹ mod n

• Search through 1, …, n−1 until an a⁻¹ is found such that a·a⁻¹ ≡ 1 (mod n)
  – T(n) = O(n)

• Compute a⁻¹ = a^{φ(n)−1} mod n
  – Finding φ(n) requires factoring n
  – T(n) = O(n^a)

• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2·(r0 − q1·r1) = s3·r0 + t3·r1
  ……
• r_{n−1} = s_{n−1}·r0 + t_{n−1}·r1

• r_{n−1} = gcd(r0, r1)
• s_{n−1}·r0 + t_{n−1}·r1 = 1 ⇒ t_{n−1}·r1 ≡ 1 mod r0 ⇒ t_{n−1} ≡ r1⁻¹ mod r0

• Find t_{n−1}

Zhijun Li S1034040Autumn08HIT 38

si and ti

• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
  ……
• ri = r_{i−2} − q_{i−1}·r_{i−1} = s_{i−2}·r0 + t_{i−2}·r1 − q_{i−1}·s_{i−1}·r0 − q_{i−1}·t_{i−1}·r1 = si·r0 + ti·r1

  si = s_{i−2} − q_{i−1}·s_{i−1}
  ti = t_{i−2} − q_{i−1}·t_{i−1}

• Only ti is needed
• ri = si·r0 + ti·r1 ≡ ti·r1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a

Step 2: r0 = q1·r1 + r2, r2 = r0 − q1·r1 ≡ −q1·r1 mod n; let x2 = −q1, then r2 ≡ x2·r1 mod n
        r1 = q2·r2 + r3, r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 mod n; let x3 = 1 − x2·q2, then r3 ≡ x3·r1 mod n
        ……
        r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1}, r_{n−1} = r_{n−3} − q_{n−2}·r_{n−2} mod n; let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r1 mod n. Now r_{n−1} = 1

Step 3: Result is x_{n−1} = a⁻¹ mod n
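The three methods of the "Finding a⁻¹ mod n" slide, implemented side by side, with the Extended Euclidean Algorithm written in the si / ti recurrence form derived on the preceding slides. This is an added example and not code from the lecture; the sample pair a = 17, n = 3120 is chosen here. The factoring-based method uses plain trial division, which is what makes it exponential in the bit length of n.

```python
# Added example (not from the slides): a^-1 mod n three ways.

def ext_gcd(r0, r1):
    """Return (g, s, t) with s*r0 + t*r1 = g = gcd(r0, r1).

    Mirrors the slide's recurrences
        s_i = s_{i-2} - q_{i-1} * s_{i-1},   t_i = t_{i-2} - q_{i-1} * t_{i-1}
    started from (s0, t0) = (1, 0) and (s1, t1) = (0, 1).
    """
    s_prev, t_prev = 1, 0   # r0 = 1*r0 + 0*r1
    s_cur, t_cur = 0, 1     # r1 = 0*r0 + 1*r1
    while r1 != 0:
        q, r = divmod(r0, r1)            # r_{i-2} = q_{i-1} * r_{i-1} + r_i
        r0, r1 = r1, r
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    return r0, s_prev, t_prev            # r0 is now gcd of the inputs

def has_inverse(a, n):
    """a^-1 mod n exists iff gcd(a, n) = 1."""
    return ext_gcd(n, a)[0] == 1

def inverse_eea(a, n):
    """Extended Euclid: with r0 = n, r1 = a only t_{n-1} is needed, t*a ≡ 1 (mod n)."""
    g, _, t = ext_gcd(n, a)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {g}")
    return t % n

def inverse_search(a, n):
    """Brute-force search through 1..n-1, O(n); None if no inverse exists."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    return None

def phi_by_factoring(n):
    """phi(n) = n * prod(1 - 1/p) via trial-division factoring of n."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            result -= result // p          # multiply by (1 - 1/p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:                              # remaining prime factor
        result -= result // m
    return result

def inverse_euler(a, n):
    """a^-1 = a^(phi(n) - 1) mod n, valid when gcd(a, n) = 1 (Euler's theorem)."""
    return pow(a, phi_by_factoring(n) - 1, n)

if __name__ == "__main__":
    a, n = 17, 3120   # constructed sample values
    print(inverse_search(a, n), inverse_euler(a, n), inverse_eea(a, n))   # 2753 2753 2753
```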

Zhijun Li S1034040Autumn08HIT 40

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 41

Algebraic Structures

• Why structures?
  – Cryptographic transforms are normally defined in some algebraic structure

• Definition: An algebraic structure is the collection of a set (S) with one (or more) operations (∘) performed on the elements of S
  – Different algebraic structures are <S, ∘> satisfying some specific conditions

Zhijun Li S1034040Autumn08HIT 42

Group

• Definition: A group G = <S, ∘> is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c)
  – G3: ∃e ∈ S, ∀a ∈ S, a∘e = e∘a = a
  – G4: ∀a ∈ S, ∃a⁻¹ ∈ S, a∘a⁻¹ = a⁻¹∘a = e
  – [G5, Abelian group]: ∀a, b, a∘b = b∘a

Zhijun Li S1034040Autumn08HIT 43

Group Example

• <Z, +>: e = 0, a⁻¹ = −a

• <Zn, +> (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a⁻¹ = n − a

• <Z2, ⊕> (bitwise XOR, i.e. addition modulo 2) is also a group

• <Zp*, ·> (Zp* = {1, …, p−1}, '·' is multiplication modulo p)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

• Definition: The order of a finite group is the number of elements in the group

• Definition: A group G1 = <S1, ∘> is a subgroup of the group G = <S, ∘> if S1 ⊆ S

• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of coset: Let G be a group and H a subgroup of G. For a ∈ G the set aH = {a∘h | h ∈ H} is called a coset of H

(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅

(3) Each element of G is in some coset (since e ∈ H, a ∈ aH), so the cosets form a partition of G

(4) The order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

• Definition: The order of a group element a is defined as the least positive integer n such that
  aⁿ = a∘a∘…∘a = e

• The order of a is denoted as ord(a)

• Corollary: Suppose G is a finite group whose order is n and a ∈ G, then ord(a) | n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

• Proof
  – For a group G and a ∈ G, the set {a, a², …, a^{ord(a)}} with the operator of G forms a subgroup of G
    a^{ord(a)} = e, (aⁱ)⁻¹ = a^{ord(a)−i}
  – This subgroup is denoted as <a>
  – Its order is ord(a), so by Lagrange's Theorem ord(a) | n

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group

• Example
  – Consider <Z7*, ·>
  – 2 generates: 2¹ = 2, 2² = 4, 2³ = 8 ≡ 1 mod 7, 2⁴ = 16 ≡ 2 mod 7, …
    • <{1, 2, 4}> is a subgroup
  – 3 generates: 3¹ = 3, 3² ≡ 2, 3³ ≡ 6, 3⁴ ≡ 4, 3⁵ ≡ 5, 3⁶ ≡ 1, …
    • 3 is a generator
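Element orders, generated subgroups and generators in <Zp*, ·>, covering the order-of-element, ord(a) | n and generator slides above. This is an added example, not code from the lecture; Z7* is the slide's own example and Z11* and Z13* are added here for the Lagrange check.

```python
# Added example (not from the slides): <a>, ord(a) and generators of Z_p^*,
# with the corollary of Lagrange's Theorem (ord(a) divides p - 1) checked.

def generated_subgroup(a, p):
    """<a> = {a, a^2, ..., a^ord(a)} in Z_p^*; the last element listed is e = 1."""
    elems, x = [], a % p
    while x not in elems:
        elems.append(x)
        x = (x * a) % p
    return elems

def order(a, p):
    """ord(a): least positive n with a^n ≡ 1 (mod p), i.e. |<a>|."""
    return len(generated_subgroup(a, p))

def is_generator(a, p):
    """a generates Z_p^* iff ord(a) = |Z_p^*| = p - 1."""
    return order(a, p) == p - 1

def generators(p):
    return [a for a in range(1, p) if is_generator(a, p)]

def lagrange_holds(p):
    """ord(a) | |G| for every a in the finite group G = Z_p^* (|G| = p - 1)."""
    return all((p - 1) % order(a, p) == 0 for a in range(1, p))

if __name__ == "__main__":
    print(generated_subgroup(2, 7))   # [2, 4, 1]: <2> = {1, 2, 4}, a proper subgroup
    print(generated_subgroup(3, 7))   # [3, 2, 6, 4, 5, 1]: 3 is a generator
    print(generators(7))              # [3, 5]
```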

Zhijun Li S1034040Autumn08HIT 49

Ring

• Definition: A ring R = <S, +, ·> (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S, a + b ∈ S, a·b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S, (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S, a·(b + c) = a·b + a·c

• Example
  – The set of even integers with + and · is a ring
  – p, q two primes, n = pq: Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

• Definition: A field F is <S, +, ·> with
  – F1: <S, +, ·> is a commutative ring (a·b = b·a)
  – F2: there exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: any nonzero element a ∈ S has its unique inverse a⁻¹: a·a⁻¹ = a⁻¹·a = 1

• Example
  – Zn = <{0, 1, …, n−1}, +, ·> is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Relationship

[Figure: Field (+, −, ×, ÷) ⊃ Ring (+, −, ×) ⊃ Group (+, −); all three structures are used in cryptography]

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F_{2^n}

Zhijun Li S1034040Autumn08HIT 53

Zn

• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n

• Example
  – Z26 for English
  – Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n

• Additive inverse: yes
  – For every x in Zn there is a y such that x + y ≡ 0

• Multiplicative inverse: not for all x
  – A y such that x·y ≡ 1 does not exist for every x in Zn
  – The elements of Zn that have an inverse: {x | gcd(x, n) = 1}

Zhijun Li S1034040Autumn08HIT 55

Zn

• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n

• Zn* may not be a group over +
  – Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*

• So Zn* may not be a field

Zhijun Li S1034040Autumn08HIT 56

Zp

• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p

• Example: Z2

  +  | 0  1       ·  | 0  1       w | −w | w⁻¹
  ---+------      ---+------      --+----+-----
  0  | 0  1       0  | 0  0       0 |  0 | none
  1  | 1  0       1  | 0  1       1 |  1 |  1

  '+' on Z2 is XOR, '·' on Z2 is AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = an·xⁿ + a_{n−1}·x^{n−1} + … + a1·x + a0, where each ai ∈ R and n ≥ 0

• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

• Example: Let f(x) = x³ + x + 1 and g(x) = x² + x be elements of Z2[x]
  – f(x) + g(x) = x³ + x² + 1
  – f(x) − g(x) = f(x) + g(x) = x³ + x² + 1
  – f(x)·g(x) = x⁵ + x⁴ + x³ + x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R

• The set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))

• Example
  – In Z5[x]: 3x³ + 4x + 4 ≡ x + 4 mod x² + 1
    • 3x³ + 4x + 4 − (x + 4) = 3x³ + 3x = 3x(x² + 1)

• Definition: If a(x)·b(x) ≡ 1 mod p(x) then b(x) = a⁻¹(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted as b(x) | a(x)

• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Zhijun Li S1034040Autumn08HIT 62

Example: Z2[x]/(x³ + x + 1)

• S = {0, 1, x, x+1, x², x²+1, x²+x, x²+x+1}
• p(x) = x³ + x + 1

• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S

• Example
  – x⁴ + 1 = x·x³ + 1 mod p(x) = x(x + 1) + 1 = x² + x + 1

• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Zhijun Li S1034040Autumn08HIT 63

Z2[x]/(x³ + x + 1) Properties

• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x² + 1) + (x² + 1) = 0

• S is a group over multiplication mod p(x)
  – 1 is e, and the inverse of a ∈ S exists
  – Example: (x² + 1)·x = x³ + x ≡ (x + 1) + x mod x³ + x + 1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find inverses

• Z2[x]/(x³ + x + 1) is a field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is a field ZN (N is prime)
  – + is addition in F, · is multiplication modulo p(x)
  – p(x) is irreducible

• The Galois field over ZN[x]/p(x) is denoted as GF(Nⁿ) where n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted

• Is it possible to find a field for Z256?
  – Yes: a Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block

  10010111 ↔ 1·x⁷ + 0·x⁶ + 0·x⁵ + 1·x⁴ + 0·x³ + 1·x² + 1·x¹ + 1·x⁰

• It is Z2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2ⁿ)

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

• AES uses GF(2⁸) = Z2[x]/p(x) where p(x) = x⁸ + x⁴ + x³ + x + 1

• Example
  – 01010011 ↔ x⁶ + x⁴ + x + 1
  – (01010011)⁻¹ ↔ (x⁶ + x⁴ + x + 1)⁻¹ mod p(x) = x⁷ + x⁶ + x³ + x ↔ 11001010

Zhijun Li S1034040Autumn08HIT 68

Galois Field Example: AES

• Example: 02·87 = ?
  • 87 = 10000111 ↔ f(x) = x⁷ + x² + x + 1
  • 02 = 00000010 ↔ x
  • 02·87 ↔ x·f(x) = x·(x⁷ + x² + x + 1) mod p(x) = x⁸ + x·(x² + x + 1) mod p(x) = (x⁴ + x³ + x + 1) + (x³ + x² + x) = x⁴ + x² + 1 ↔ 00010101

• Multiplying a byte b7b6b5b4b3b2b1b0 by 02 (i.e. by x):
  – if b7 = 0: x·f(x) ↔ (b6 b5 b4 b3 b2 b1 b0 0)
  – if b7 = 1: x·f(x) ↔ (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)
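Arithmetic in Z2[x] and in Z2[x]/p(x) for the polynomial-ring, residue and Galois-field slides above, with every worked example from those slides checked: (x³+x+1)(x²+x) in Z2[x], x⁴+1 mod x³+x+1, the inverse of x²+1 in Z2[x]/(x³+x+1), the AES byte inverse 01010011 ↔ 11001010, and 02·87. This is an added example and not code from the lecture or from AES itself; polynomials are encoded as Python ints (bit i is the coefficient of xⁱ), and the inverse is computed as a^(2ⁿ−2), which is Euler's theorem in the field of 2ⁿ elements, rather than by the Extended Euclidean Algorithm the slide mentions.

```python
# Added example (not from the slides): Z_2[x] and Z_2[x]/p(x) arithmetic
# on int-encoded polynomials, checking the slides' worked examples.

def poly_mul(a, b):
    """Carry-less multiplication in Z_2[x]: coefficients are added mod 2 (XOR)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result

def poly_mod(a, p):
    """Remainder of a modulo p in Z_2[x]: subtract (XOR) shifted copies of p."""
    deg_p = p.bit_length() - 1
    while a and a.bit_length() - 1 >= deg_p:
        a ^= p << (a.bit_length() - 1 - deg_p)
    return a

def gf_mul(a, b, p):
    """Multiplication in Z_2[x]/p(x), i.e. in GF(2^deg p) when p is irreducible."""
    return poly_mod(poly_mul(a, b), p)

def gf_inv(a, p):
    """a^-1 in GF(2^n): the multiplicative group has 2^n - 1 elements, so a^(2^n - 2) = a^-1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    n = p.bit_length() - 1
    result, e = 1, (1 << n) - 2
    while e:                              # square-and-multiply
        if e & 1:
            result = gf_mul(result, a, p)
        a = gf_mul(a, a, p)
        e >>= 1
    return result

AES_POLY = 0b1_0001_1011                  # p(x) = x^8 + x^4 + x^3 + x + 1

def xtime(byte):
    """The slide's rule for 02·b: shift left, XOR 00011011 if b7 was 1."""
    shifted = (byte << 1) & 0xFF
    return shifted ^ 0x1B if byte & 0x80 else shifted

if __name__ == "__main__":
    print(bin(poly_mul(0b1011, 0b110)))                  # 0b111010 = x^5+x^4+x^3+x
    print(bin(poly_mod(0b10001, 0b1011)))                # 0b111 = x^2+x+1
    print(bin(gf_inv(0b101, 0b1011)))                    # 0b10: (x^2+1)^-1 = x
    print(hex(gf_inv(0x53, AES_POLY)), hex(xtime(0x87))) # 0xca 0x15
```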

Zhijun Li S1034040Autumn08HIT 69

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai | i = 1, 2, …, N}, p(ai) ≥ 0, $\sum_{i=1}^{N} p(a_i) = 1$

• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi | i = 1, 2, …, S}, p(bi) ≥ 0, $\sum_{i=1}^{S} p(b_i) = 1$

• C = {c | c = ek(m), k ∈ K, m ∈ M}

[Figure: Sender → Encryption → c → Decryption → Receiver; the key k from the Key Space (K) reaches both ends over a Secure Channel; Cryptanalysis observes c and tries to recover m; Message Space (P), Ciphertext Space (C)]

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
  – R. G. Gallager

Claude Shannon, 1916–2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\ c \in C(k)} \Pr[K = k]\,\Pr[m = d_k(c)]$
  – C(k) = {ek(m) | m ∈ P}

• $\Pr[C = c \mid P = m] = \sum_{k \in K,\ m = d_k(c)} \Pr[K = k]$

• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m]\,\Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m)\sum_{k:\ m = d_k(c)} \Pr(k)}{\sum_{k \in K,\ c \in C(k)} \Pr(k)\,\Pr(d_k(c))}$

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?

• Definition: An encryption scheme is Shannon secure if the probability distribution of P satisfies
  ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of ⇐

• $\Pr[x = x \mid y = y] = \dfrac{\sum_{k \in K,\ x = d_k(y)} \Pr[K = k]\,\Pr[x = x]}{\sum_{k \in K,\ y \in C(k)} \Pr[K = k]\,\Pr[x = d_k(y)]}$

• Numerator: $\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] = \dfrac{1}{|K|}$, since exactly one key k has ek(x) = y and every key has probability 1/|K|

• Denominator: $\sum_{k \in K,\ y \in C(k)} \Pr[K = k]\,\Pr[x = d_k(y)] = \dfrac{1}{|K|}\sum_{k \in K,\ y \in C(k)} \Pr[x = d_k(y)] = \dfrac{1}{|K|}\sum_{x \in P} \Pr[x = x] = \dfrac{1}{|K|}$

• Hence Pr[x = x | y = y] = Pr[x = x]

Zhijun Li S1034040Autumn08HIT 76

Proof of ⇒ (unique key)

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]

• Fix x ∈ P, y ∈ C: we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies ek(x) = y

• |{ek(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with ek1(x) = ek2(x)
  – There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of ⇒ (equiprobable keys)

• Let n = |K| and P = {xi | 1 ≤ i ≤ n}

• Given a fixed y, let k1, k2, …, kn be the keys with e_{ki}(xi) = y

• Pr[xi | y] = Pr[y | xi]·Pr[xi] / Pr[y] = Pr[K = ki]·Pr[xi] / Pr[y]

• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|

Zhijun Li S1034040Autumn08HIT 78

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a nonzero probability distribution on P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
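The probability formulas of the "Probability Distribution of C" slide and Shannon's perfect-secrecy condition, evaluated exactly on a small cryptosystem. This is an added example, not from the lecture slides: the cryptosystem is the shift cipher on Z5 (so |P| = |C| = |K| = 5 as in the Perfect Secrecy Theorem), and the three distributions (a skewed message source, uniform keys, biased keys) are constructed here. With uniform keys the posterior Pr[P = m | C = c] equals the prior for every m and c; with biased keys the same cipher leaks, which is the "every key equiprobable" direction of the theorem.

```python
# Added example (not from the slides): Pr[C = c], Pr[P = m | C = c] and
# the perfect-secrecy test for a shift cipher on Z_N, computed with exact
# fractions.
from fractions import Fraction

N = 5   # Z_5: |P| = |C| = |K| = 5 (constructed toy instance)

def shift_enc(k, m, n=N):
    return (m + k) % n

def shift_dec(k, c, n=N):
    return (c - k) % n

def ciphertext_distribution(pr_msg, pr_key, n=N):
    """Pr[C = c] = sum over pairs (k, m) with e_k(m) = c of Pr[K = k]·Pr[P = m]."""
    pr_c = {c: Fraction(0) for c in range(n)}
    for k, pk in pr_key.items():
        for m, pm in pr_msg.items():
            pr_c[shift_enc(k, m, n)] += pk * pm
    return pr_c

def posterior(pr_msg, pr_key, m, c, n=N):
    """Pr[P = m | C = c] = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c], where
    Pr[C = c | P = m] sums Pr[K = k] over the keys k with d_k(c) = m."""
    pr_c_given_m = sum((pk for k, pk in pr_key.items() if shift_dec(k, c, n) == m), Fraction(0))
    pr_c = ciphertext_distribution(pr_msg, pr_key, n)[c]
    return pr_c_given_m * pr_msg[m] / pr_c

def has_perfect_secrecy(pr_msg, pr_key, n=N):
    """Shannon's condition: Pr[P = m | C = c] = Pr[P = m] for every m and every c with Pr[C = c] > 0."""
    pr_c = ciphertext_distribution(pr_msg, pr_key, n)
    return all(posterior(pr_msg, pr_key, m, c, n) == pr_msg[m]
               for c in range(n) if pr_c[c] > 0
               for m in pr_msg)

# Constructed distributions: a skewed message source, uniform keys, biased keys.
SKEWED_MSGS = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
UNIFORM_KEYS = {k: Fraction(1, N) for k in range(N)}
BIASED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
               3: Fraction(1, 8), 4: Fraction(1, 8)}

if __name__ == "__main__":
    print(has_perfect_secrecy(SKEWED_MSGS, UNIFORM_KEYS))   # True
    print(has_perfect_secrecy(SKEWED_MSGS, BIASED_KEYS))    # False
    print(posterior(SKEWED_MSGS, BIASED_KEYS, 0, 0))        # 4/5, versus the prior 1/2
```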

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)

• So, in modern cryptography
  – NOT perfect secrecy
  – but secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Zhijun Li S1034040Autumn08HIT 81



Zhijun Li S1034040Autumn08HIT 27

Multiplicative Inverse in Modular

bull Definition a-1 mod n is the multiplicative inverse of a12hellipn-1 when ax1 mod n

bull Theorem If and only if gcd(an)=1 then the a-1 mod n exists

bull Lemma If gcd(an)=1 then ai aj mod n for all 0iltjltn (i j)ndash Proof assume ai aj mod n n|a(i-j) N|i-j i-j=

0

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

• r0 = 1·r0 + 0·r1 = s0 r0 + t0 r1
• r1 = 0·r0 + 1·r1 = s1 r0 + t1 r1
• r2 = r0 - q1 r1 = s2 r0 + t2 r1
• r3 = r1 - q2 r2 = r1 - q2 (r0 - q1 r1) = s3 r0 + t3 r1
……
• r_{n-1} = s_{n-1} r0 + t_{n-1} r1
• r_{n-1} = gcd(r0, r1)
• If s_{n-1} r0 + t_{n-1} r1 = 1 then t_{n-1} r1 ≡ 1 mod r0, i.e. t_{n-1} ≡ r1^-1 mod r0
• Find t_{n-1}

s_i and t_i

• r0 = s0 r0 + t0 r1, s0 = 1, t0 = 0
• r1 = s1 r0 + t1 r1, s1 = 0, t1 = 1
……
• r_i = r_{i-2} - q_{i-1} r_{i-1} = s_{i-2} r0 + t_{i-2} r1 - q_{i-1} s_{i-1} r0 - q_{i-1} t_{i-1} r1 = s_i r0 + t_i r1
  s_i = s_{i-2} - q_{i-1} s_{i-1}
  t_i = t_{i-2} - q_{i-1} t_{i-1}
• Only t_i is needed
• r_i = s_i r0 + t_i r1 ≡ t_i r1 mod r0

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a
Step 2:
  r0 = q1 r1 + r2, r2 = r0 - q1 r1 ≡ -q1 r1 mod n; let x2 = -q1, then r2 ≡ x2 r1 mod n
  r1 = q2 r2 + r3, r3 = r1 - q2 r2 ≡ (1 - x2 q2) r1 mod n; let x3 = 1 - x2 q2, then r3 ≡ x3 r1 mod n
  ……
  r_{n-3} = q_{n-2} r_{n-2} + r_{n-1}, r_{n-1} = r_{n-3} - q_{n-2} r_{n-2} mod n; let x_{n-1} = x_{n-3} - x_{n-2} q_{n-2}, then r_{n-1} ≡ x_{n-1} r1 mod n. Now r_{n-1} = 1
Step 3: Result is x_{n-1} = a^-1 mod n
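The t_i recurrence of the last three slides (r0 = n, r1 = a, t0 = 0, t1 = 1, t_i = t_{i-2} - q_{i-1} t_{i-1}) as an added example; this is my code, not the lecture's. The invariant t_i·a ≡ r_i (mod n) is what makes the final t the inverse, and the code refuses to return a value when the last nonzero remainder is not 1, the case the Multiplicative Inverse Theorem excludes.

```python
from math import gcd


def inverse_mod(a, n):
    """a^-1 mod n by the extended Euclidean algorithm, tracking only t_i:
    r_0 = n, r_1 = a, t_0 = 0, t_1 = 1,
    r_i = r_{i-2} - q_{i-1}·r_{i-1}, t_i = t_{i-2} - q_{i-1}·t_{i-1},
    with the invariant t_i·a ≡ r_i (mod n)."""
    if n <= 1:
        raise ValueError("modulus must be greater than 1")
    r_prev, r_cur = n, a % n
    t_prev, t_cur = 0, 1
    while r_cur != 0:
        q = r_prev // r_cur
        r_prev, r_cur = r_cur, r_prev - q * r_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    # The loop ends with r_prev = gcd(n, a) and t_prev·a ≡ r_prev (mod n).
    if r_prev != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd is {r_prev}")
    return t_prev % n


def inverse_table(n):
    """Inverses of every invertible element of Z_n, one EEA run per element
    (the slide's 'search' method would instead scan 1..n-1 for each)."""
    return {a: inverse_mod(a, n) for a in range(1, n) if gcd(a, n) == 1}


if __name__ == "__main__":
    print(inverse_mod(3, 7), inverse_mod(10, 17))   # 5 and 12
    print(inverse_table(20))
```

`inverse_table(n)` has exactly φ(n) entries, which ties the algorithm back to the definition of Z_n* a few slides later.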

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Algebraic Structures

• Why structures?
– Cryptographic transforms normally live in some algebraic structure
• Definition: An algebraic structure is the collection of a set S with one (or more) operations ∘ performed on the elements of S
– Different algebraic structures are <S, ∘> satisfying some specific conditions

Group

• Definition: A group G = <S, ∘> is an algebraic structure that satisfies the following conditions
– G1: ∀a, b ∈ S: a∘b ∈ S (closure rule)
– G2: ∀a, b, c ∈ S: (a∘b)∘c = a∘(b∘c)
– G3: ∃e ∈ S, ∀a ∈ S: a∘e = e∘a = a
– G4: ∀a ∈ S, ∃a^-1 ∈ S: a∘a^-1 = a^-1∘a = e
– [G5, Abelian group]: ∀a, b: a∘b = b∘a

Group Example

• <Z, +>: e = 0, a^-1 = -a
• <Zn, +> (Zn = {0, 1, …, n-1}, '+' is addition modulo n): e = 0, a^-1 = n - a
• <Z2, ⊕> (⊕ is XOR, i.e. addition modulo 2) is also a group
• <Zp*, ·> (Zp* = {1, …, p-1}, '·' is multiplication modulo p)

Group Properties

• Definition: The order of a finite group is the number of elements in the group
• Definition: A group G1 = <S1, ∘> is a subgroup of the group G = <S, ∘> if S1 ⊆ S
• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange Theorem Proof

(1) Definition of coset: Let G be a group and H a subgroup of G. For a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH because e ∈ H), so the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of Group Element

• Definition: The order of a group element a is the least positive integer n such that
  a^n = a∘a∘…∘a = e
• The order of a is denoted ord(a)
• Corollary: Suppose G is a finite group of order n and a ∈ G; then ord(a) | n

ord(a) | n Proof

• Proof
– For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G
  a^ord(a) = e, (a^i)^-1 = a^(ord(a) - i)
– This subgroup is denoted <a>
– Its order is ord(a), so by Lagrange's Theorem ord(a) | n

The Generator of Group

• Definition: If all elements of a group can be generated by a single element g, g is called the generator of the group
• Example
– Consider <Z7*, ·>
– 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
  • <2> = {1, 2, 4} is a subgroup
– 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
  • 3 is a generator

Ring

• Definition: A ring R = <S, +, ·> (+ is addition, · is multiplication) such that
– R1: ∀a, b ∈ S: a + b ∈ S, a·b ∈ S (closure rule)
– R2: <S, +> is an additive Abelian group
– R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
– R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c
• Example
– The set of even integers with + and · is a ring
– p, q two primes, n = pq: Zn = {0, 1, …, n-1} with addition and multiplication mod n is a ring

Field

• Definition: A field F is <S, +, ·> with
– F1: <S, +, ·> is a commutative ring (a·b = b·a)
– F2: There exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
– F3: Any nonzero element a ∈ S has a unique inverse a^-1: a·a^-1 = a^-1·a = 1
• Example
– Zn = <{0, 1, …, n-1}, +, ·> is a field if n is a prime

Relationship (figure): Group (+, -) ⊂ Ring (+, -, ×) ⊂ Field (+, -, ×, ÷); all three are used in cryptography

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F_{2^n}

Zn

• Zn is the "ring" of integers modulo n
– Zn = {0, 1, 2, …, n-1}
– Normal addition modulo n
– Normal multiplication modulo n
• Example
– Z26 for English
– Z256 for ASCII

Zn Properties

• Additive and multiplicative identities in Zn
– Additive identity is 0 mod n
– Multiplicative identity is 1 mod n
• Additive inverse: yes
– For every x in Zn there is a y with x + y ≡ 0 mod n
• Multiplicative inverse: not for all x
– A y with x·y ≡ 1 mod n exists only for some x in Zn
– The elements of Zn that have an inverse are {x | gcd(x, n) = 1}

Zn*

• Zn* is a "group" of integers modulo n
– Zn* = {x | gcd(x, n) = 1}
– |Zn*| = φ(n)
– Normal multiplication modulo n
• Zn* may not be a group over +
– Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field

Zp

• Zp is the "field" of integers modulo p
– Zp = {0, 1, 2, …, p-1}
– Normal addition modulo p
– Normal multiplication modulo p
• Example: Z2

  +  | 0  1        ·  | 0  1        w | -w | w^-1
  ---+------       ---+------       --+----+-----
  0  | 0  1        0  | 0  0        0 |  0 |  -
  1  | 1  0        1  | 0  1        1 |  1 |  1

  '+' is XOR, '·' is AND

Polynomial Ring

• Definition: If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n-1} x^{n-1} + … + a_1 x + a_0 where each a_i ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
– f(x) + g(x) = x^3 + x^2 + 1
– f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1
– f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
– p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) - b(x))
• Example
– In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
  • 3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^-1(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
– x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1) Properties

• S is a group over addition in R
– 0 is e and the inverse of a ∈ S is a itself
– Example: (x^2 + 1) + (x^2 + 1) = 0
• S (without 0) is a group over multiplication mod p(x)
– 1 is e and the inverse of a ∈ S exists
– Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
– Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3 + x + 1) is a field

Galois Field

• Definition: Galois field = (S, +, ·)
– S = F[x]/p(x)
– F is the field Z_N (N is prime)
– + is addition in F, · is multiplication modulo p(x)
– p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted GF(N^n) when n = deg p(x)

Why Galois Field

• For an 8-bit block
– Z256 = {0, 1, …, 255} is not a field
– Z251 = {0, 1, …, 250} is a field
  • The largest prime < 256 is 251
  • 251, …, 255 are wasted
• Is it possible to find a field for Z256?
– Yes: the Galois Field

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
– 01010011 ↔ x^6 + x^4 + x + 1
– (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: 02·87 = ?
  • 87 = 10000111, f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010, f(x) = x
  • 02·87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, for a byte b = b7 b6 b5 b4 b3 b2 b1 b0, multiplying by x (that is, by 02) gives
  x·f(x) ↔ 02·b = (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
                = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)     if b7 = 1
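The polynomial-ring and Galois-field slides from "Polynomial Ring Example" through this one, as one added example (my code, not the lecture's or the AES specification's). Polynomials over Z2 are stored as bit masks (bit i is the coefficient of x^i), so addition is XOR, `poly_mul` is shift-and-add, `poly_divmod` is long division, and `gf_inv` is the extended Euclidean algorithm run over Z2[x] with the same t_i bookkeeping as the integer version. `xtime` is the "if b7 = 1" rule from this slide. The helper names are mine; the constant 0x11B is the AES polynomial x^8 + x^4 + x^3 + x + 1 named on the previous slide.

```python
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reducing polynomial


def poly_add(a, b):
    """Addition (and subtraction) in Z2[x]: coefficient-wise XOR."""
    return a ^ b


def poly_mul(a, b):
    """Multiplication in Z2[x] with no reduction (shift-and-add)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_divmod(a, b):
    """Long division in Z2[x]: returns (q, r) with a = q·b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    deg_b = b.bit_length() - 1
    while a and a.bit_length() - 1 >= deg_b:
        shift = a.bit_length() - 1 - deg_b
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def poly_mod(a, p):
    return poly_divmod(a, p)[1]


def gf_mul(a, b, p=AES_POLY):
    """Multiplication in GF(2^n) = Z2[x]/p(x)."""
    return poly_mod(poly_mul(a, b), p)


def xtime(b, p=AES_POLY):
    """Multiply a byte by x (= 02): shift left, then XOR with p(x) exactly when
    the old b7 was 1, which is the slide's (b6..b0 0) ⊕ 00011011 case."""
    b <<= 1
    if b & 0x100:
        b ^= p
    return b


def gf_inv(a, p=AES_POLY):
    """a^-1 in Z2[x]/p(x) by the extended Euclidean algorithm over Z2[x],
    tracking t_i with the invariant t_i·a ≡ r_i (mod p)."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r_prev, r_cur = p, a
    t_prev, t_cur = 0, 1
    while r_cur != 1:
        if r_cur == 0:  # gcd != 1: p is reducible or a shares a factor with it
            raise ValueError("element has no inverse modulo this polynomial")
        q, rem = poly_divmod(r_prev, r_cur)
        r_prev, r_cur = r_cur, rem
        t_prev, t_cur = t_cur, poly_add(t_prev, poly_mul(q, t_cur))
    return poly_mod(t_cur, p)


if __name__ == "__main__":
    print(hex(gf_mul(0x02, 0x87)), hex(gf_inv(0x53)), hex(xtime(0x87)))
```

With p(x) = x^3 + x + 1 (0b1011) the same functions reproduce the small-field slides: x^4 + 1 mod p(x) = x^2 + x + 1 and (x^2 + 1)^-1 = x. With the AES polynomial they give 02·87 = 15 and (53)^-1 = CA, the value stated on the previous slide. Because `gf_inv` checks every remainder, feeding it a reducible p(x) raises instead of silently returning a wrong "inverse", which is the failure mode to guard against when a field is configured by hand.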

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | m_i ∈ M}
– M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1
• K = B^R = {b = (b1, b2, …, bR) | b_i ∈ B}
– B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ M}

(Figure) Sender → m → Encryption → c → Decryption → m → Receiver; the key k from the Key Space (K) reaches both ends over a Secure Channel, and Cryptanalysis observes c. Message Space (P), Ciphertext Space (C).

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
  R. G. Gallager

Claude Shannon, 1916-2001

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k]·Pr[P = d_k(c)]
– C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
  = (Pr(m)·Σ_{k | m = d_k(c)} Pr(k)) / Σ_{k ∈ K, c ∈ C(k)} Pr(k)·Pr(d_k(c))

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
– How to define "information"?
• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P,
  ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Proof of ⇐ (the two conditions imply perfect secrecy)

• Pr[X = x | Y = y] = Σ_{k ∈ K, x = d_k(y)} Pr[K = k]·Pr[X = x] / Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[X = d_k(y)]
• Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|
• Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[X = d_k(y)] = (1/|K|)·Σ_{k ∈ K, y ∈ C(k)} Pr[X = d_k(y)] = (1/|K|)·Σ_{x ∈ P} Pr[X = x] = 1/|K|
• Hence Pr[X = x | Y = y] = Pr[X = x]

Proof of ⇒ (perfect secrecy implies a unique key for each pair x, y)

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C. We have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
– There are no k1 ≠ k2 with e_k1(x) = e_k2(x)
– There is a unique key k such that e_k(x) = y

Proof of ⇒ (perfect secrecy implies equiprobable keys)

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with e_{k_i}(x_i) = y
• Pr[x_i | y] = Pr[y | x_i]·Pr[x_i] / Pr[y] = Pr[K = k_i]·Pr[x_i] / Pr[y]
• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
– Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
– Consider a nonzero probability distribution on P
– Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
– As one key decrypts c into only one message, at least n keys are needed
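The Shannon-security definition, the perfect secrecy theorem and the "bad news" bound, checked numerically on a constructed toy system as an added example (my code, not the lecture's). The cipher is a shift cipher on Z_5; the message distribution is deliberately skewed, since perfect secrecy has to hold for every distribution on P. `has_perfect_secrecy` evaluates Pr[P = m | C = c] = Pr[P = m] for all m and c with exact fractions, and the three configurations correspond to the two theorem conditions: uniform keys with |K| = |P| (secret), biased keys (not), and |K| = 3 < |P| = 5 (not, as the bound predicts).

```python
from fractions import Fraction
from itertools import product


def joint_distribution(plaintexts, keys, encrypt, pr_m, pr_k):
    """Pr[P = m, C = c] for c = encrypt(k, m), with P and K independent."""
    joint = {}
    for m, k in product(plaintexts, keys):
        c = encrypt(k, m)
        joint[(m, c)] = joint.get((m, c), Fraction(0)) + pr_m[m] * pr_k[k]
    return joint


def posterior(joint, m, c):
    """Pr[P = m | C = c] = Pr[P = m, C = c] / Pr[C = c]; None if Pr[C = c] = 0."""
    pr_c = sum(p for (_, c2), p in joint.items() if c2 == c)
    if pr_c == 0:
        return None
    return joint.get((m, c), Fraction(0)) / pr_c


def has_perfect_secrecy(plaintexts, keys, encrypt, pr_m, pr_k):
    """Shannon's condition: Pr[P = m | C = c] = Pr[P = m] for every m and every c."""
    joint = joint_distribution(plaintexts, keys, encrypt, pr_m, pr_k)
    ciphertexts = {c for (_, c) in joint}
    return all(posterior(joint, m, c) == pr_m[m]
               for m in plaintexts for c in ciphertexts)


# Constructed toy system: shift cipher on Z_5, c = m + k mod 5.
N = 5
PLAINTEXTS = list(range(N))


def shift(k, m):
    return (m + k) % N


# Skewed message distribution (constructed); it sums to 1.
PR_M = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8),
        3: Fraction(1, 16), 4: Fraction(1, 16)}
UNIFORM_KEYS = {k: Fraction(1, N) for k in range(N)}          # |K| = |P|, equiprobable
BIASED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
               3: Fraction(1, 8), 4: Fraction(1, 8)}           # |K| = |P| but not uniform
SMALL_KEYS = {k: Fraction(1, 3) for k in range(3)}            # |K| = 3 < |P| = 5


def demo():
    """Which of the three key distributions give perfect secrecy for the shift cipher."""
    return {
        "uniform": has_perfect_secrecy(PLAINTEXTS, list(UNIFORM_KEYS), shift, PR_M, UNIFORM_KEYS),
        "biased": has_perfect_secrecy(PLAINTEXTS, list(BIASED_KEYS), shift, PR_M, BIASED_KEYS),
        "small": has_perfect_secrecy(PLAINTEXTS, list(SMALL_KEYS), shift, PR_M, SMALL_KEYS),
    }


if __name__ == "__main__":
    print(demo())
```

In the "small" case, seeing c = 0 raises the posterior of m = 0 from 1/2 to 4/5: the ciphertext leaks, which is exactly what the |K| ≥ |P| argument says must happen once keys run out.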

Introduction of the Complexity

• Perfect secrecy: key length ≥ message length
– Can NOT use one key to encrypt many messages
– Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
– NOT perfect secrecy
– IS secure under limited resources (complexity)
– Meaning that key (or plaintext) recovery is difficult
– Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
– Name: GCD problem
– Instance: Two natural numbers a, b ∈ N
– Question: What is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is given by a transition function S × B → S × B × {l, r}
– where S is the set of states, B is the set of tape characters, l is shift left and r is shift right

(Figure) Tape: … 0 1 1 0 0 0 1 1 …, read and written by a State Machine

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms

(Figure) A PROBLEM has many INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
– Logarithmic functions: f(n) = log(n)
– Polynomial functions: f(n) = n^a, a ∈ N
– Exponential functions: f(n) is not O(n^a) for any a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
– The complexity of a problem is much more difficult to establish
– It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable: provably intractable
– There is no algorithm that solves it
– Such as the Turing Halting Problem
• Decidable
– P: can be solved in polynomial time using a DTM
  • Example: A B
– NP: can be solved in polynomial time using an NDTM, whose transition function maps S × B to a set of successors, 2^(S × B × {l, r})
– BPP: can be "solved" in polynomial time using a PTM, whose transition function also takes a random bit, S × B × {0, 1} → S × B × {l, r} (randomized algorithms)

NP Problem

• NP (⊇ P): A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
– P problems ⊆ NP problems
– NP problems are "more difficult" by intuition
• NPC: The most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy problems

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
– Q2 is more complex than Q1
– Denoted Q1 ≤_poly Q2

NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc
• Example
– Name: Satisfiability problem (SAT)
– Instance: A set U of variables and a collection C of clauses over U
– Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC?
– Show SAT ≤_poly Q

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP
– Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
– A one-way function can be built based on p
– Indistinguishable pseudorandom functions exist
– They are the foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for randomized algorithms
• Remarks on BPP
– The problem can be solved with some error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful under BPP
– Will be analyzed in depth later

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 p2^e2 … pk^ek)
• DLP: For a base g, find x satisfying g^x ≡ y (mod p)
• DHP: For a base g, find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of Semantic Security
– Between Shannon security and security based on complexity
– Leaks partial information
– Approximates perfect secrecy
• Definition of Semantic Security
– Indistinguishability of ciphertexts
– Difficult to distinguish ciphertexts of different plaintexts
– Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

(Figure: the IND-CPA game)
  Challenger: picks random k and random b ∈ {0, 1}
  Adversary: picks M0, M1 of equal length and sends them to the challenger
  Challenger: returns the encryption of M_b under k
  Adversary: outputs a guess b'
  Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

(Figure: the bit-security game)
  Challenger: 1. picks random k; 2. picks random M
  Adversary: 3. picks i
  Attacker wins the game if a = i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
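The IND-CPA game of the previous slides as a runnable harness, added here as my own example (not the lecture's code). `ind_cpa_game` plays the challenger: it draws k and b, answers encryption queries, issues one challenge on equal-length M0, M1 and scores b = b'. The two constructed schemes are a keystream cipher built from HMAC-SHA256 (an assumed stand-in for a PRF) used once with a fixed nonce and once with a fresh random nonce per message; the adversary simply asks for E(k, M0) before the challenge and compares. It wins every time against the deterministic scheme and only about half the time against the randomized one, which is the whole content of the definition: a CPA-secure cipher must not let equal plaintexts produce equal ciphertexts.

```python
import hashlib
import hmac
import os
import secrets


def keystream(key, nonce, length):
    """Constructed keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_deterministic(key, m):
    """Keystream depends only on the key: equal plaintexts give equal ciphertexts."""
    ks = keystream(key, b"fixed-nonce", len(m))
    return bytes(x ^ y for x, y in zip(m, ks))


def encrypt_randomized(key, m):
    """Fresh random nonce per message, transmitted in front of the ciphertext."""
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(m))
    return nonce + bytes(x ^ y for x, y in zip(m, ks))


def ind_cpa_game(encrypt, adversary, trials=400):
    """Play the IND-CPA game `trials` times; return the adversary's win rate."""
    wins = 0
    for _ in range(trials):
        key = os.urandom(32)
        b = secrets.randbelow(2)
        challenged = []

        def oracle(m):                      # chosen-plaintext queries
            return encrypt(key, m)

        def challenge(m0, m1):              # one challenge on equal-length messages
            if len(m0) != len(m1) or challenged:
                raise ValueError("exactly one challenge on equal-length messages")
            challenged.append(True)
            return encrypt(key, m1 if b else m0)

        if adversary(oracle, challenge) == b:
            wins += 1
    return wins / trials


def repeat_query_adversary(oracle, challenge):
    """Queries E(k, M0), then checks whether the challenge ciphertext equals it."""
    m0, m1 = b"attack at dawn", b"attack at dusk"   # constructed, equal length
    c0 = oracle(m0)
    c = challenge(m0, m1)
    return 0 if c == c0 else 1


if __name__ == "__main__":
    print(ind_cpa_game(encrypt_deterministic, repeat_query_adversary, 100))
    print(ind_cpa_game(encrypt_randomized, repeat_query_adversary, 400))
```

The randomized win rate fluctuates around 0.5 from run to run; (t, ε) security is the statement that no efficient adversary pushes it noticeably above that, and this harness is a quick way to catch the gross failures (nonce reuse, fixed IVs) before any formal argument.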

Summary

• Number Theory
– Primes, gcd, Euler's Theorem, CRT
– Modular arithmetic
• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)
• Shannon Security
– Perfect secrecy
– Probability
• Complexity of Computing
– P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 28

Multiplicative Inverse Theorem

bull Proof

ndash gcd(an)=1 a1hellipn-1 mod n is the permutation of 1hellipn-1

ndash So there exists only an i that ai 1 mod nndash Therefore i is a-1 mod n

ndash Suppose a-1 exists call it xndash ax 1 (mod n) and ax + yn = 1 for some integer yndash gcd(a n)=1 (gcd(an)|ax+yn gcd(an)|1)

Zhijun Li S1034040Autumn08HIT 29

Eulerrsquos phi Function

bull Eulerrsquos ldquophirdquo function (n)ndash Is the number of invertible elements of Zn

ndash Is the number of elements in the reduced set of residues for modulo n

(n) calculation

Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

bull Theorem let n1 n2 hellip nk be integers st gcd(ninj)=1(ij)

x a1 mod n1

x a2 mod n2

helliphellip

x ak mod nk

There exists a unique solution of x modulo n=n1

n2hellipnk

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Galois Field Example: AES

• Example: 02·87 = ?
  • 87 = 10000111 ↔ f(x) = x^7+x^2+x+1
  • 02 = 00000010 ↔ x
  • 02·87 ↔ x·f(x) = x(x^7+x^2+x+1) mod p(x) = x^8 + x(x^2+x+1) mod p(x)

• In general, for a byte b7b6b5b4b3b2b1b0:
  x·f(x) (i.e. ·02) = (b6b5b4b3b2b1b0 0)               if b7 = 0
  x·f(x) (i.e. ·02) = (b6b5b4b3b2b1b0 0) ⊕ (00011011)  if b7 = 1
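
The field arithmetic of the last slides (reduction modulo p(x), multiplication, inversion by the Extended Euclidean Algorithm, and the AES "·02" rule) as an added, runnable example; this is not code from the lecture and the function names (poly_divmod, gf_inv, xtime, …) are this example's own. It is written for any binary field Z2[x]/(p(x)), so the same functions reproduce the x^4+1 mod (x^3+x+1) example, check that Z2[x]/(x^3+x+1) is a field, and compute 0x53^-1 = 0xCA and 02·87 in the AES field.

```python
# Added example (not from the lecture slides): arithmetic in Z2[x] and in the
# Galois fields Z2[x]/(p(x)) built from it, including the AES field GF(2^8).
# A GF(2) polynomial is stored as an int whose bit i is the coefficient of x^i,
# so 0b10010111 stands for x^7 + x^4 + x^2 + x + 1 (the 8-bit block mapping).

AES_POLY = 0x11B  # p(x) = x^8 + x^4 + x^3 + x + 1, the modulus used by AES


def poly_str(a: int) -> str:
    """Render a GF(2) polynomial as text, highest degree first."""
    if a == 0:
        return "0"
    terms = []
    for i in range(a.bit_length() - 1, -1, -1):
        if (a >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return "+".join(terms)


def poly_mul(a: int, b: int) -> int:
    """Multiply two GF(2) polynomials without reduction (carry-less multiply)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a: int, b: int) -> tuple:
    """Long division of GF(2) polynomials: returns (quotient, remainder)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db   # align the leading terms
        q ^= 1 << shift
        a ^= b << shift                   # subtract (= XOR) b(x)·x^shift
    return q, a


def poly_mod(a: int, p: int) -> int:
    """a(x) mod p(x) over GF(2)."""
    return poly_divmod(a, p)[1]


def gf_mul(a: int, b: int, p: int) -> int:
    """Multiplication in the field Z2[x]/(p(x))."""
    return poly_mod(poly_mul(a, b), p)


def gf_inv(a: int, p: int) -> int:
    """Inverse in Z2[x]/(p(x)) by the extended Euclidean algorithm on polynomials:
    the invariant r_i = t_i·a mod p(x) means t_i is the inverse once r_i = 1."""
    a = poly_mod(a, p)
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1, t0, t1 = p, a, 0, 1
    while r1 != 1:
        if r1 == 0:  # gcd(a, p) != 1: cannot happen when p(x) is irreducible
            raise ValueError("not invertible: p(x) is reducible")
        q, rem = poly_divmod(r0, r1)
        r0, r1 = r1, rem
        t0, t1 = t1, t0 ^ poly_mul(q, t1)
    return poly_mod(t1, p)


def is_field(p: int) -> bool:
    """True when every nonzero residue mod p(x) has an inverse (p(x) irreducible)."""
    n = 1 << (p.bit_length() - 1)         # 2^deg p(x) residues
    try:
        return all(gf_mul(a, gf_inv(a, p), p) == 1 for a in range(1, n))
    except ValueError:
        return False


def xtime(b: int) -> int:
    """Multiply a byte by 02 (the polynomial x) in the AES field: shift left and,
    if the old b7 was 1, XOR with 00011011 (p(x) without its x^8 term)."""
    b <<= 1
    if b & 0x100:
        b ^= AES_POLY
    return b & 0xFF
```

Reducible moduli are detected rather than looped on: with p(x) = x^3+1, the residue x+1 shares a factor with p(x), the Euclidean remainder reaches 0 and `is_field` reports False, which is exactly why the field construction requires p(x) to be irreducible.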

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1

• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1

• C = {c | c = e_k(m), k ∈ K, m ∈ M}

[Figure: Sender → Encryption (m → c) → Decryption → Receiver; the key k is delivered over a Secure Channel; Cryptanalysis observes c and tries to recover m; labelled Key Space (K), Message Space (P), Ciphertext Space (C)]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager

Claude Shannon, 1916-2001

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}

• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k : m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)) )

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?

• Definition: an encryption scheme is Shannon secure if, for every probability distribution of P and all c ∈ C, m ∈ P: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Proof of ⇐

• Pr[x = x | y = y] = Σ_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[x = x]  /  Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)]

• Numerator: Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K| (a unique key maps x to y, and every key has probability 1/|K|)

• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)] = (1/|K|) Σ_{k ∈ K, y ∈ C(k)} Pr[x = d_k(y)] = (1/|K|) Σ_{x ∈ P} Pr[x = x] = 1/|K|

• Hence Pr[x = x | y = y] = (1/|K|) · Pr[x = x] / (1/|K|) = Pr[x = x]

Proof of ⇒ (1)

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]

• Fix x ∈ P, y ∈ C: we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y

• |{e_k(x) | k ∈ K}| = |C| = |K|
  – so there are no k1 ≠ k2 with e_k1(x) = e_k2(x)
  – hence there is a unique key k such that e_k(x) = y

Proof of ⇒ (2)

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}

• Given a fixed y, let k_1, k_2, …, k_n be the keys with e_{k_i}(x_i) = y

• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = k_i] · Pr[x_i] / Pr[y]

• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
  – so every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a nonzero probability distribution of P (every m has Pr[P = m] > 0)
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
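
The posterior formula from the "Probability Distribution of C" slide and the perfect-secrecy condition, evaluated exactly on small constructed ciphers, as an added example that is not part of the lecture. The shift cipher over Z_n, the plaintext and key distributions, and the function names are constructed for this demonstration; the three cases exercise both directions of the theorem (uniform keys with |K| = |P| = |C| versus biased keys) and the "bad news" bound |K| ≥ |P|.

```python
# Added example (not from the lecture slides): exact evaluation of the posterior
# Pr[P = m | C = c] from the formulas of the "Probability Distribution of C"
# slide, used to test the perfect-secrecy condition Pr[P = m | C = c] = Pr[P = m]
# on small constructed ciphers. Fractions keep the probabilities exact.
from fractions import Fraction
from itertools import product


def posterior(enc, P, K, pr_p, pr_k):
    """Return (pr_c, post): pr_c[c] = Pr[C = c] and post[(m, c)] = Pr[P = m | C = c]
    for the cipher c = enc(k, m), plaintext law pr_p and key law pr_k."""
    pr_c, joint = {}, {}
    for m, k in product(P, K):
        c, w = enc(k, m), pr_p[m] * pr_k[k]        # Pr[P = m] · Pr[K = k]
        pr_c[c] = pr_c.get(c, 0) + w               # sum over (m, k) giving c
        joint[(m, c)] = joint.get((m, c), 0) + w   # sum over keys with d_k(c) = m
    post = {(m, c): joint.get((m, c), Fraction(0)) / pr_c[c]
            for m in P for c in pr_c}
    return pr_c, post


def is_perfectly_secret(enc, P, K, pr_p, pr_k) -> bool:
    """Shannon secrecy: seeing the ciphertext changes no plaintext probability."""
    pr_c, post = posterior(enc, P, K, pr_p, pr_k)
    return all(post[(m, c)] == pr_p[m] for m in P for c in pr_c)


def shift_cipher(n):
    """Constructed cipher: e_k(m) = m + k mod n (a one-time pad over Z_n)."""
    return lambda k, m: (m + k) % n


# Constructed distributions: a skewed plaintext law over Z_3 and two key laws.
P3 = [0, 1, 2]
SKEWED_P = {0: Fraction(1, 2), 1: Fraction(1, 3), 2: Fraction(1, 6)}
UNIFORM_K = {k: Fraction(1, 3) for k in P3}
BIASED_K = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}


def demo() -> dict:
    """Three cases: |K| = |P| = |C| with uniform keys (secret), the same cipher
    with biased keys (not secret), and |K| < |P| (not secret, by the theorem)."""
    return {
        "uniform_keys": is_perfectly_secret(shift_cipher(3), P3, P3, SKEWED_P, UNIFORM_K),
        "biased_keys": is_perfectly_secret(shift_cipher(3), P3, P3, SKEWED_P, BIASED_K),
        "too_few_keys": is_perfectly_secret(
            shift_cipher(4), [0, 1, 2, 3], [0, 1],
            {m: Fraction(1, 4) for m in range(4)}, {0: Fraction(1, 2), 1: Fraction(1, 2)}),
    }
```

With biased keys the posterior Pr[P = 0 | C = 0] rises from 1/2 to 2/3, so the ciphertext does carry information about the plaintext even though every (x, y) pair still has a unique key; the key distribution condition of the theorem is not optional.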

Introduction of the Complexity

• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: a Turing Machine is δ: S × B → S × B × {l, r}
  – where S is the set of states, B the set of tape characters, l is shift left, r is shift right

[Figure: tape … 0 1 1 0 0 0 1 1 … read by a State Machine]

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: an algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output]

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to establish
  – It relies on mathematical analysis

• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem

• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: A, B
  – NP: can be solved in polynomial time using an NDTM, δ: S × B → 2^(S × B × {l, r})
  – BPP: can be "solved" in polynomial time using a PTM, δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)

NP Problem

• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P problem ⊆ NP problem
  – An NP problem is "more difficult", from intuition

• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – A P problem is considered an easy problem

Polynomial Reduction

• Definition: assume Q1, Q2 ∈ NP, and I1+ and I2+ are their sets of 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
  – Q2 is more complex than Q1
  – Denoted as Q1 ≤poly Q2

NP Completeness (NPC)

• Definition: an NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC
  – SAT ≤poly Q

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?

• If P = NP
  – Modern cryptography is NOT secure

• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

BPP

• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms

• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: factorize n (= p1^e1 · p2^e2 ⋯ pk^ek)

• DLP: find x satisfying g^x ≡ y (mod p)

• DHP: find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)

• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy

• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish a ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

• The game
  – Challenger: picks random k and picks random b ∈ {0, 1}
  – Adversary: picks M0, M1 of equal length and sends them to the challenger
  – Challenger: answers with the encryption of M_b under k
  – Adversary: outputs a guess b'
  – Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
  – Challenger: 1. picks random k; 2. picks random M; sends the encryption of M under k
  – Adversary: 3. picks i and outputs a guess a
  – Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
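
The reduction in this proof, run as a simulation, as an added example that is not part of the lecture: a bit-predicting attacker A is wrapped into an IND-CPA attacker B that submits M0 and M1 differing only in bit i, so A's guess of bit i of M_b is a guess of b. The two toy ciphers (a one-time pad and a pad that leaves bit 0 of the message unmasked), the attacker, the 8-bit message length and all function names are constructed for this example.

```python
# Added example (not from the lecture slides): the reduction of the proof, run as
# a simulation. A bit-predicting attacker A is turned into an IND-CPA attacker B
# that picks M0, M1 differing only in bit i, so A's guess of bit i of M_b is a
# guess of b. The toy ciphers, the attacker and the game runners are constructed
# for this example; the message length BITS is an assumption.
import random

BITS = 8


def otp_encrypt(key: int, m: int) -> int:
    """Constructed cipher: one-time pad on BITS-bit messages (no bit leaks)."""
    return m ^ key


def leaky_encrypt(key: int, m: int) -> int:
    """Constructed cipher: a pad that never masks bit 0 of the message."""
    return m ^ (key & ~1)


def read_bit_attacker(c: int, i: int) -> int:
    """Constructed attacker A: guesses that bit i of M equals bit i of C."""
    return (c >> i) & 1


def ind_cpa_attacker_from(a_bit, i: int):
    """The reduction B: returns (choose_messages, guess) for the IND-CPA game."""
    def choose_messages(rng):
        m0 = rng.getrandbits(BITS) & ~(1 << i)   # bit i of M0 is 0
        m1 = m0 | (1 << i)                       # bit i of M1 is 1, rest equal
        return m0, m1

    def guess(c: int) -> int:
        return a_bit(c, i)                       # bit i of M_b is exactly b

    return choose_messages, guess


def bit_game_win_rate(encrypt, a_bit, i: int, trials: int, seed: int = 1) -> float:
    """Bit-security game: challenger picks k and M, attacker guesses bit i of M."""
    rng, wins = random.Random(seed), 0
    for _ in range(trials):
        k, m = rng.getrandbits(BITS), rng.getrandbits(BITS)
        wins += a_bit(encrypt(k, m), i) == (m >> i) & 1
    return wins / trials


def ind_cpa_win_rate(encrypt, attacker, trials: int, seed: int = 1) -> float:
    """IND-CPA game: challenger picks k, b; attacker picks M0, M1, sees E_k(M_b), guesses b'."""
    choose_messages, guess = attacker
    rng, wins = random.Random(seed), 0
    for _ in range(trials):
        k, b = rng.getrandbits(BITS), rng.getrandbits(1)
        m0, m1 = choose_messages(rng)
        c = encrypt(k, (m0, m1)[b])
        wins += guess(c) == b
    return wins / trials
```

Against the leaky pad the bit attacker wins its game every time, and B, which does no more work than A plus choosing two messages, wins the IND-CPA game every time; against the proper one-time pad both win rates sit near 0.5. That is the contrapositive the slide states: a bit-security break yields an IND-CPA break of the same cost.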

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date:


Euler's phi Function

• Euler's "phi" function φ(n)
  – is the number of invertible elements of Zn
  – is the number of elements in the reduced set of residues modulo n

• φ(n) calculation

Chinese Remainder Theorem

• Theorem: let n1, n2, …, nk be integers such that gcd(ni, nj) = 1 (i ≠ j). Then the system
  x ≡ a1 mod n1
  x ≡ a2 mod n2
  ……
  x ≡ ak mod nk
  has a unique solution x modulo n = n1·n2⋯nk

Proof of CRT

• Consider the one-to-one map χ: Zn → Zn1 × Zn2 × … × Znk
  χ(x) = (x mod n1, x mod n2, …, x mod nk)
  – CRT is finding χ^-1(a1, a2, …, ak)

• χ^-1(a1, a2, …, ak) = Σ_{i=1}^{k} ai·mi·yi mod n
  – mi = n/ni, gcd(mi, ni) = 1, 1 ≤ i ≤ k
  – yi = mi^-1 mod ni, 1 ≤ i ≤ k
  – mi ≡ 0 mod nj for j ≠ i ⇒ ai·mi·yi ≡ 0 mod nj for j ≠ i
  – yj ≡ mj^-1 mod nj ⇒ mj·yj ≡ 1 mod nj ⇒ aj·mj·yj ≡ aj mod nj
  – Hence χ^-1(a1, a2, …, ak) mod nj = aj

Finding Euler's phi Function

• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)

• Proof
  – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively
  – So φ(mn) = φ(m)·φ(n)

Finding Euler's phi Function

• φ(n) calculation for n = Π_{i=1}^{k} pi^ei

• φ(p) = p – 1; φ(p^e) = p^e – p^(e-1)
  – The numbers in 1, …, p^e – 1 that are not coprime to p^e are the multiples k·p, k = 1, …, p^(e-1) – 1 (gcd(k·p, p^e) ≥ p)
  – So φ(p^e) = (p^e – 1) – (p^(e-1) – 1)

• φ(Π_{i=1}^{k} pi^ei) = Π_{i=1}^{k} (pi^ei – pi^(ei-1))

• φ(n) = n·(1 – 1/p1)·(1 – 1/p2)⋯(1 – 1/pk)

Euler's Theorem

• Theorem: if gcd(a, n) = 1 then a^φ(n) ≡ 1 mod n

• Proof
  1. Let R = {r1, r2, …, r_φ(n)} be a reduced set of residues modulo n
  2. a·r1, a·r2, …, a·r_φ(n) is a permutation of R (since gcd(a·ri, n) = 1)
  3. Π_{i=1}^{φ(n)} ri ≡ Π_{i=1}^{φ(n)} a·ri ≡ a^φ(n) · Π_{i=1}^{φ(n)} ri mod n
  4. gcd(Π_{i=1}^{φ(n)} ri, n) = 1, hence a^φ(n) ≡ 1 mod n

Fermat's Little Theorem

• From Euler's Theorem
  Let n = p with p a prime.
  Because gcd(a, p) = 1 for all 0 < a < p, then
  a^(p-1) ≡ 1 mod p

Finding a^-1 mod n

• Search through 1, …, n-1 until an a^-1 is found such that a·a^-1 ≡ 1 (mod n)
  – T(n) = O(n)

• Compute a^-1 = a^(φ(n)-1) mod n
  – Finding φ(n) requires factoring n
  – T(n) = O(n^a)

• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n)

From Euclidean Algorithm

• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 – q1·r1 = s2·r0 + t2·r1
• r3 = r1 – q2·r2 = r1 – q2·(r0 – q1·r1) = s3·r0 + t3·r1
  ……
• r_{n-1} = s_{n-1}·r0 + t_{n-1}·r1

• r_{n-1} = gcd(r0, r1)
• If s_{n-1}·r0 + t_{n-1}·r1 = 1, then t_{n-1}·r1 ≡ 1 mod r0, so t_{n-1} ≡ r1^-1 mod r0

• Find t_{n-1}

s_i and t_i

• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
  ……
• r_i = r_{i-2} – q_{i-1}·r_{i-1} = s_{i-2}·r0 + t_{i-2}·r1 – q_{i-1}·s_{i-1}·r0 – q_{i-1}·t_{i-1}·r1 = s_i·r0 + t_i·r1
  s_i = s_{i-2} – q_{i-1}·s_{i-1}
  t_i = t_{i-2} – q_{i-1}·t_{i-1}

• Only t_i is needed
• r_i = s_i·r0 + t_i·r1 ≡ t_i·r1 mod r0

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a

Step 2:
  r0 = q1·r1 + r2, r2 = r0 – q1·r1 ≡ –q1·r1 mod n; let x2 = –q1, then r2 ≡ x2·r1 mod n
  r1 = q2·r2 + r3, r3 = r1 – q2·r2 ≡ (1 – x2·q2)·r1 mod n; let x3 = 1 – x2·q2, then r3 ≡ x3·r1 mod n
  ……
  r_{n-3} = q_{n-2}·r_{n-2} + r_{n-1}, r_{n-1} = r_{n-3} – q_{n-2}·r_{n-2} mod n; let x_{n-1} = x_{n-3} – x_{n-2}·q_{n-2}, then r_{n-1} ≡ x_{n-1}·r1 mod n. Now r_{n-1} = 1

Step 3: the result is x_{n-1} = a^-1 mod n
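
The s_i, t_i recurrence of the last three slides, the modular inverse it yields, the φ(n) product formula, Euler's theorem and the CRT reconstruction x = Σ a_i·m_i·y_i mod n, together in one added, runnable example; this is not code from the lecture, and the function names (egcd, inverse, crt, phi_from_factors, …) are this example's own. The CRT solver reuses the inverse routine for the y_i, which is why the two procedures are shown in one block.

```python
# Added example (not from the lecture slides): the s_i, t_i recurrence of the
# extended Euclidean algorithm, the modular inverse it yields, Euler's phi from a
# prime factorization, a check of Euler's theorem and CRT reconstruction with the
# x = Σ a_i·m_i·y_i mod n formula. Function names are this example's own.


def egcd(a: int, b: int) -> tuple:
    """Return (g, s, t) with g = gcd(a, b) = s·a + t·b, using
    s_i = s_{i-2} - q_{i-1}·s_{i-1} and t_i = t_{i-2} - q_{i-1}·t_{i-1}."""
    r0, r1, s0, s1, t0, t1 = a, b, 1, 0, 0, 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0


def inverse(a: int, n: int) -> int:
    """a^-1 mod n: with r0 = n, r1 = a the final t satisfies t·a ≡ gcd (mod n)."""
    g, _, t = egcd(n, a)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n} (gcd = {g})")
    return t % n


def crt(residues, moduli) -> int:
    """Solve x ≡ a_i (mod n_i) for pairwise coprime n_i: x = Σ a_i·m_i·y_i mod n,
    with m_i = n / n_i and y_i = m_i^-1 mod n_i."""
    n = 1
    for ni in moduli:
        n *= ni
    x = 0
    for ai, ni in zip(residues, moduli):
        mi = n // ni
        yi = inverse(mi % ni, ni)
        x += ai * mi * yi
    return x % n


def phi_from_factors(factors: dict) -> int:
    """φ(Π p_i^e_i) = Π (p_i^e_i - p_i^(e_i - 1)); factors maps p_i -> e_i."""
    result = 1
    for p, e in factors.items():
        result *= p ** e - p ** (e - 1)
    return result


def phi_brute(n: int) -> int:
    """φ(n) counted directly as the number of x in Z_n with gcd(x, n) = 1."""
    return sum(1 for x in range(1, n + 1) if egcd(x, n)[0] == 1)


def euler_theorem_holds(a: int, n: int, phi: int) -> bool:
    """Check a^φ(n) ≡ 1 (mod n) for gcd(a, n) = 1 (Fermat when n is prime)."""
    return egcd(a, n)[0] == 1 and pow(a, phi, n) == 1
```

`inverse` refuses non-coprime inputs instead of returning a meaningless t, which matches the slide on Zn properties: only x with gcd(x, n) = 1 have an inverse. `phi_brute` is there only to cross-check the product formula on small n; it costs O(n) Euclidean runs and is not how φ(n) is found in practice.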

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Algebraic Structures

• Why structures?
  – Cryptographic transforms normally live in some structures

• Definition: an algebraic structure is the collection of a set (S) with one (or more) operations (⋆) performed on the elements of S
  – Different algebraic structures are <S, ⋆> satisfying some specific conditions

Group

• Definition: a group G = <S, ⋆> is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S: a ⋆ b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S: (a ⋆ b) ⋆ c = a ⋆ (b ⋆ c)
  – G3: ∃e ∈ S, ∀a ∈ S: a ⋆ e = e ⋆ a = a
  – G4: ∀a ∈ S, ∃a^-1 ∈ S: a ⋆ a^-1 = a^-1 ⋆ a = e
  – [G5, Abelian group]: ∀a, b: a ⋆ b = b ⋆ a

Group Example

• <Z, +>: e = 0, a^-1 = –a

• <Zn, +> (Zn = {0, 1, …, n-1}, '+' is addition modulo n): e = 0, a^-1 = n – a

• <Z2*, ·> is also a group

• <Zp*, ·> (Zp* = {1, …, p-1}, '·' is multiplication modulo p)

Group Properties

• Definition: the order of a finite group is the number of elements in the group

• Definition: a group G1 = <S1, ⋆> is a subgroup of the group G = <S, ⋆> if S1 ⊆ S

• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G

Lagrange Theorem Proof

(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH since e ∈ H), so the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of Group Element

• Definition: the order of a group element a is defined as the least positive integer n such that
  a^n = a ⋆ a ⋆ … ⋆ a = e

• The order of a is denoted ord(a)

• Corollary: suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n

ord(a) | n: Proof

• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G
    a^ord(a) = e, (a^i)^-1 = a^(ord(a)-i)
  – This subgroup is denoted <a>
  – By Lagrange's Theorem, |<a>| = ord(a) divides |G| = n

The Generator of Group

• Definition: if all elements of a group can be generated by a single element g, then g is called a generator of the group

• Example: consider <Z7*, ·>
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • {1, 2, 4} is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator

Ring

• Definition: a ring R = <S, +, ·> (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a·b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c

• Example
  – The set of even integers with + and · is a ring
  – p, q two primes, n = pq: Zn = {0, 1, …, n-1} with addition and multiplication mod n is a ring

Field

• Definition: a field F is <S, +, ·> with
  – F1: <S, +, ·> is a commutative ring (a·b = b·a)
  – F2: there exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: any nonzero element a ∈ S has its unique inverse a^-1: a·a^-1 = a^-1·a = 1

• Example
  – Zn = <{0, 1, …, n-1}, +, ·> is a field if n is a prime

Relationship

[Figure: Field (+, −, ×, ÷) ⊃ Ring (+, −, ×) ⊃ Group (+, −); all three are used in cryptography]

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial Rings
• Galois Field F_2^n

Zn

• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n-1}
  – Normal addition modulo n
  – Normal multiplication modulo n

• Example
  – Z26 for English
  – Z256 for ASCII

Zn Properties

• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n

• Additive inverse: yes
  – For every x in Zn there is a number y such that x + y = 0

• Multiplicative inverse: not for all x
  – A number y such that x·y = 1 does not exist for every x in Zn
  – The elements of Zn that have an inverse: {x | gcd(x, n) = 1}

Zn*

• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n

• Zn* may not be a group under +
  – Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*

• So Zn* may not be a field

Zp

• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p-1}
  – Normal addition modulo p
  – Normal multiplication modulo p

• Example: Z2

  +  | 0 1        ·  | 0 1        w | -w | w^-1
  ---+-----       ---+-----       --+----+-----
  0  | 0 1        0  | 0 0        0 |  0 |  -
  1  | 1 0        1  | 0 1        1 |  1 |  1
    (XOR)           (AND)

Polynomial Ring

• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n·x^n + a_{n-1}·x^(n-1) + … + a_1·x + a_0, where each a_i ∈ R and n ≥ 0

• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: let f(x) = x^3+x+1 and g(x) = x^2+x be elements of Z2[x]
  – f(x) + g(x) = x^3+x^2+1
  – f(x) – g(x) = f(x) + g(x) = x^3+x^2+1
  – f(x)·g(x) = x^5+x^4+x^3+x

Set of Residues Modulo p(x)

• Definition: the set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R

• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) – b(x))

• Example
  – In Z5[x]: 3x^3+4x+4 ≡ x+4 mod x^2+1
    • 3x^3+4x+4 – (x+4) = 3x^3+3x = 3x(x^2+1)

• Definition: if a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^-1(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted b(x) | a(x)

• Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) such that b(x) | a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP


Zhijun Li S1034040Autumn08HIT 30

Chinese Remainder Theorem

• Theorem: let n1, n2, …, nk be pairwise coprime integers, i.e. gcd(ni, nj) = 1 for i ≠ j. The system

  x ≡ a1 (mod n1)
  x ≡ a2 (mod n2)
  ……
  x ≡ ak (mod nk)

  has a unique solution x modulo n = n1·n2·…·nk.

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

• Consider the one-to-one map Zn → Zn1 × Zn2 × … × Znk,
  x ↦ (x mod n1, x mod n2, …, x mod nk)
  – CRT is to find the inverse map (a1, a2, …, ak) ↦ x:

  $x = \sum_{i=1}^{k} a_i\, m_i\, y_i \bmod n$

  – mi = n/ni, gcd(mi, ni) = 1 for 1 ≤ i ≤ k
  – yi = mi^{-1} mod ni for 1 ≤ i ≤ k
  – mi ≡ 0 (mod nj) for j ≠ i, so ai·mi·yi ≡ 0 (mod nj) for j ≠ i
  – yj ≡ mj^{-1} (mod nj), so mj·yj ≡ 1 (mod nj) and aj·mj·yj ≡ aj (mod nj)
  – Hence x mod nj = aj for every j

Zhijun Li S1034040Autumn08HIT 32

Finding Euler's phi Function

• Theorem: if gcd(m, n) = 1 then φ(mn) = φ(m)·φ(n)

• Proof:
  – A number x mod mn is represented uniquely by the pair (a, b) = (x mod m, x mod n) (CRT)
  – x is relatively prime to mn iff a and b are relatively prime to m and n respectively
  – There are φ(m) choices for a and φ(n) choices for b, so φ(mn) = φ(m)·φ(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Euler's phi Function

• φ(n) for $n = \prod_{i=1}^{k} p_i^{e_i}$:
  – φ(p) = p - 1 and φ(p^e) = p^e - p^{e-1}
    · Among 1, …, p^e - 1 the numbers sharing a factor with p^e are the multiples kp, k = 1, …, p^{e-1} - 1
    · So φ(p^e) = (p^e - 1) - (p^{e-1} - 1) = p^e - p^{e-1}
  – By multiplicativity, $\varphi\left(\prod_{i=1}^{k} p_i^{e_i}\right) = \prod_{i=1}^{k}\left(p_i^{e_i} - p_i^{e_i - 1}\right)$
  – φ(n) = n·(1 - 1/p1)(1 - 1/p2)…(1 - 1/pk)

Zhijun Li S1034040Autumn08HIT 34

Euler's Theorem

• Theorem: if gcd(a, n) = 1 then a^{φ(n)} ≡ 1 (mod n)

• Proof:
  1. Let R = {r1, r2, …, r_{φ(n)}} be the set of residues modulo n that are coprime to n
  2. {a·r1, a·r2, …, a·r_{φ(n)}} is a permutation of R (each gcd(a·ri, n) = 1, and a·ri ≡ a·rj would force ri ≡ rj)
  3. $\prod_{i=1}^{\varphi(n)} r_i \equiv \prod_{i=1}^{\varphi(n)} a\,r_i \equiv a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} r_i \pmod n$
  4. $\gcd\left(\prod_{i=1}^{\varphi(n)} r_i,\; n\right) = 1$, so the product can be cancelled; hence a^{φ(n)} ≡ 1 (mod n)

Zhijun Li S1034040Autumn08HIT 35

Fermat's Little Theorem

• A special case of Euler's Theorem:
  let n = p with p prime; then φ(p) = p - 1 and gcd(a, p) = 1 for all 0 < a < p, so

  a^{p-1} ≡ 1 (mod p)
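A worked check of the two φ formulas and of Euler's and Fermat's theorems, added here as an example (it is not code from the slides). It factors n by trial division, computes φ(n) = n·∏(1 - 1/p) from the factorisation, compares that with the definition (counting k ≤ n coprime to n) and then verifies a^φ(n) ≡ 1 (mod n) for every a coprime to n. The function names are my own; the trial-division factoriser is only meant for small n.

```python
# Added example (not from the slides): Euler's phi from the prime
# factorisation, checked against the definition, plus Euler's and
# Fermat's theorems verified by direct computation on small moduli.
from math import gcd


def factorize(n):
    """Trial-division factorisation: returns {p: e} with n = prod p**e (small n only)."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi_from_factors(n):
    """phi(n) = prod (p^e - p^(e-1)) = n * prod (1 - 1/p), using the factorisation."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)   # exact: result is still divisible by p here
    return result


def phi_by_counting(n):
    """phi(n) straight from the definition: count 1 <= k <= n with gcd(k, n) = 1."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def euler_holds(n):
    """Euler's theorem: a^phi(n) = 1 (mod n) for every a in 1..n-1 coprime to n."""
    e = phi_from_factors(n)
    return all(pow(a, e, n) == 1 for a in range(1, n) if gcd(a, n) == 1)


def fermat_holds(p):
    """Fermat's little theorem for a prime p: a^(p-1) = 1 (mod p) for 0 < a < p."""
    return all(pow(a, p - 1, p) == 1 for a in range(1, p))
```

`phi_from_factors(84)` gives 24, the same as counting; `phi_from_factors(4)` is 2 while `phi(2)*phi(2)` is 1, which is why multiplicativity needs gcd(m, n) = 1. The only expensive step is `factorize`; for RSA-sized n that is exactly the step nobody knows how to do efficiently, which is the point of the later slides on finding a⁻¹ mod n.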

Zhijun Li S1034040Autumn08HIT 36

Finding a^{-1} mod n

• Search through 1, …, n-1 until an a^{-1} is found such that a·a^{-1} ≡ 1 (mod n)
  – T(n) = O(n)

• Compute a^{-1} = a^{φ(n)-1} mod n (Euler's Theorem)
  – Finding φ(n) requires factoring n
  – T(n) = O(n^a), polynomial in the value n, i.e. exponential in its bit length

• Use the Extended Euclidean Algorithm
  – T(n) = O(log^a n), polynomial in the bit length of n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 - q1·r1 = s2·r0 + t2·r1
• r3 = r1 - q2·r2 = r1 - q2·(r0 - q1·r1) = s3·r0 + t3·r1
  ……
• r_{n-1} = s_{n-1}·r0 + t_{n-1}·r1
• r_{n-1} = gcd(r0, r1); when it equals 1, s_{n-1}·r0 + t_{n-1}·r1 = 1, so t_{n-1}·r1 ≡ 1 (mod r0), i.e. t_{n-1} ≡ r1^{-1} (mod r0)
• So it suffices to find t_{n-1}

Zhijun Li S1034040Autumn08HIT 38

s_i and t_i

• r0 = s0·r0 + t0·r1, with s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, with s1 = 0, t1 = 1
  ……
• r_i = r_{i-2} - q_{i-1}·r_{i-1}
      = s_{i-2}·r0 + t_{i-2}·r1 - q_{i-1}·s_{i-1}·r0 - q_{i-1}·t_{i-1}·r1
      = s_i·r0 + t_i·r1
  where s_i = s_{i-2} - q_{i-1}·s_{i-1} and t_i = t_{i-2} - q_{i-1}·t_{i-1}

• Only t_i is needed: r_i = s_i·r0 + t_i·r1 ≡ t_i·r1 (mod r0)

Zhijun Li S1034040Autumn08HIT 39

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a (with gcd(a, n) = 1)

Step 2: r0 = q1·r1 + r2, so r2 = r0 - q1·r1 ≡ -q1·r1 (mod n); let x2 = -q1, then r2 ≡ x2·r1 (mod n)
        r1 = q2·r2 + r3, so r3 = r1 - q2·r2 ≡ (1 - x2·q2)·r1 (mod n); let x3 = 1 - x2·q2, then r3 ≡ x3·r1 (mod n)
        ……
        r_{n-3} = q_{n-2}·r_{n-2} + r_{n-1}, so r_{n-1} = r_{n-3} - q_{n-2}·r_{n-2}; let x_{n-1} = x_{n-3} - x_{n-2}·q_{n-2}, then r_{n-1} ≡ x_{n-1}·r1 (mod n). Now r_{n-1} = gcd(n, a) = 1

Step 3: Result is x_{n-1} ≡ a^{-1} (mod n): the coefficient of r1 = a in the last step, reduced mod n, is the inverse
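The algorithm of the three preceding slides, the three inversion methods compared under "Finding a⁻¹ mod n", and the CRT reconstruction formula from the proof of the CRT, combined in one added example (this is not the slides' own code). `egcd` carries the (s_i, t_i) pairs exactly as in the recurrence, `inv_eea` reads a⁻¹ off the final t, and `crt` sums a_i·m_i·y_i with y_i = m_i⁻¹ mod n_i obtained from the same routine. Names are mine; φ(n) inside `inv_euler` is computed by counting, which is fine only for the tiny moduli used here.

```python
# Added example (not from the slides): extended Euclid with the s_i, t_i
# recurrences, a^-1 mod n three ways, and CRT reconstruction.
from math import gcd


def egcd(r0, r1):
    """Return (g, s, t) with s*r0 + t*r1 = g = gcd(r0, r1).

    r_i = r_{i-2} - q_{i-1} r_{i-1}; the same recurrence is applied to the
    coefficient pairs (s_i, t_i), starting from (1, 0) and (0, 1).
    """
    s_prev, t_prev = 1, 0   # r0 = 1*r0 + 0*r1
    s_cur, t_cur = 0, 1     # r1 = 0*r0 + 1*r1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    return r0, s_prev, t_prev


def inv_eea(a, n):
    """a^-1 mod n via EEA: with r0 = n, r1 = a we get t*a = 1 (mod n)."""
    g, _, t = egcd(n, a)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {g}")
    return t % n


def inv_search(a, n):
    """Brute force over 1..n-1, O(n): only feasible for tiny n."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    raise ValueError(f"{a} has no inverse mod {n}")


def inv_euler(a, n):
    """a^-1 = a^(phi(n)-1) mod n; needs phi(n), i.e. the factorisation of n."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} has no inverse mod {n}")
    phi = sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)  # small n only
    return pow(a, phi - 1, n)


def crt(residues, moduli):
    """Solve x = a_i (mod n_i) for pairwise coprime n_i; returns x mod prod n_i.

    x = sum a_i * m_i * y_i (mod n), with m_i = n / n_i and y_i = m_i^-1 mod n_i.
    """
    n = 1
    for ni in moduli:
        n *= ni
    x = 0
    for ai, ni in zip(residues, moduli):
        mi = n // ni
        yi = inv_eea(mi % ni, ni)
        x += ai * mi * yi
    return x % n
```

`inv_eea(7, 26)`, `inv_search(7, 26)` and `inv_euler(7, 26)` all return 15, and `crt([2, 3, 2], [3, 5, 7])` returns 23. Only `inv_eea` scales to cryptographic sizes; note also that this `egcd` branches on the data, so a constant-time variant is required when the inputs are secrets (RSA-CRT private operations).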

Zhijun Li S1034040Autumn08HIT 40

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 41

Algebraic Structures

• Why structures?
  – Cryptographic transforms normally live inside some algebraic structure

• Definition: an algebraic structure is a set S together with one or more operations (∘) performed on the elements of S
  – Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions

Zhijun Li S1034040Autumn08HIT 42

Group

• Definition: a group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions:
  – G1: for all a, b ∈ S, a∘b ∈ S (closure rule)
  – G2: for all a, b, c ∈ S, (a∘b)∘c = a∘(b∘c) (associativity)
  – G3: there exists e ∈ S such that for all a ∈ S, a∘e = e∘a = a (identity)
  – G4: for every a ∈ S there exists a^{-1} ∈ S with a∘a^{-1} = a^{-1}∘a = e (inverse)
  – [G5, Abelian group]: for all a, b ∈ S, a∘b = b∘a

Zhijun Li S1034040Autumn08HIT 43

Group Example

• ⟨Z, +⟩: e = 0, a^{-1} = -a

• ⟨Zn, +⟩ (Zn = {0, 1, …, n-1}, '+' is addition modulo n): e = 0, a^{-1} = n - a

• ⟨Z2*, ·⟩ is also a group

• ⟨Zp*, ·⟩ (Zp* = {1, …, p-1}, '·' is multiplication modulo p): e = 1, a^{-1} is the modular inverse of a

Zhijun Li S1034040Autumn08HIT 44

Group Properties

• Definition: the order of a finite group is the number of elements in the group

• Definition: a group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S and S1 is itself a group under the same operation ∘

• Lagrange's Theorem: the order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {a∘h | h ∈ H} is called a (left) coset of H

(2) For a, b ∈ G, either aH = bH or aH ∩ bH = ∅

(3) Each element of G is in some coset (a ∈ aH since e ∈ H), so the cosets partition G

(4) The order of aH equals the order of H (h ↦ a∘h is a bijection)

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

• Definition: the order of a group element a is the least positive integer n such that

  a^n = a∘a∘…∘a (n times) = e

• The order of a is denoted ord(a)

• Corollary: suppose G is a finite group of order n and a ∈ G; then ord(a) | n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

• Proof:
  – For a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operation of G forms a subgroup of G:
    a^{ord(a)} = e and (a^i)^{-1} = a^{ord(a)-i}
  – This subgroup is denoted ⟨a⟩; its order is ord(a), which divides n by Lagrange's Theorem

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

• Definition: if every element of a group can be written as a power of a single element g, the group is cyclic and g is called a generator of the group

• Example: consider ⟨Z7*, ·⟩
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), …
    · ⟨2⟩ = {1, 2, 4} is only a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1 (mod 7), …
    · 3 is a generator of Z7*
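The Z7* example and the corollary ord(a) | |G| from the slides above, worked out in code; this is an added example, not material from the slides. It computes the order of every element of Zp* by repeated multiplication, lists the subgroup ⟨a⟩ each element generates, finds all generators (there are φ(p - 1) of them) and checks that every order divides p - 1. Function names are mine.

```python
# Added example (not from the slides): element orders, generated subgroups
# and generators of the multiplicative group Z_p^* for a prime p.


def element_order(a, p):
    """Least n >= 1 with a^n = 1 (mod p), for a in Z_p^* (p prime)."""
    x, n = a % p, 1
    while x != 1:
        x = (x * a) % p
        n += 1
    return n


def generated_subgroup(a, p):
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list of residues."""
    elems, x = set(), 1
    for _ in range(element_order(a, p)):
        x = (x * a) % p
        elems.add(x)
    return sorted(elems)


def generators(p):
    """All g in Z_p^* with ord(g) = p - 1, i.e. with <g> = Z_p^*."""
    return [g for g in range(1, p) if element_order(g, p) == p - 1]


def lagrange_holds(p):
    """Corollary of Lagrange: ord(a) divides |Z_p^*| = p - 1 for every a."""
    return all((p - 1) % element_order(a, p) == 0 for a in range(1, p))
```

`generated_subgroup(2, 7)` returns [1, 2, 4] and `generators(7)` returns [3, 5]. The order computation here walks through all powers and is O(p); for the primes used in Diffie-Hellman the check that g generates the intended subgroup is done instead by testing g^((p-1)/q) ≠ 1 for the prime factors q of p - 1, which needs the factorisation of p - 1 and is why such primes are generated with a known structure.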

Zhijun Li S1034040Autumn08HIT 49

Ring

• Definition: a ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) such that
  – R1: for all a, b ∈ S, a + b ∈ S and a·b ∈ S (closure rule)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: for all a, b, c ∈ S, (a·b)·c = a·(b·c)
  – R4: for all a, b, c ∈ S, a·(b + c) = a·b + a·c and (b + c)·a = b·a + c·a

• Example
  – The set of even integers with + and · is a ring
  – p, q two primes, n = pq: Zn = {0, 1, …, n-1} with addition and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

• Definition: a field F is ⟨S, +, ·⟩ with
  – F1: ⟨S, +, ·⟩ is a commutative ring (a·b = b·a)
  – F2: there exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: any nonzero element a ∈ S has a unique inverse a^{-1}: a·a^{-1} = a^{-1}·a = 1

• Example
  – Zn = ⟨{0, 1, …, n-1}, +, ·⟩ is a field if and only if n is prime

Zhijun Li S1034040Autumn08HIT 51

Relationship

  Group: (+, -)
  Ring:  (+, -, ×)
  Field: (+, -, ×, ÷)

  Every field is a ring and every ring is an additive group; all three are used in cryptography.

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

• Zn

• Zn*

• Zp

• Polynomial Rings

• Galois Field F_{2^n}

Zhijun Li S1034040Autumn08HIT 53

Zn

• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n-1}
  – Normal addition modulo n
  – Normal multiplication modulo n

• Example
  – Z26 for English letters
  – Z256 for ASCII bytes

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n

• Additive inverse: yes, for every x
  – A number y such that x + y ≡ 0 (mod n), namely y = n - x

• Multiplicative inverse: not for every x
  – A number y such that x·y ≡ 1 (mod n)
  – The elements of Zn that have an inverse are exactly {x | gcd(x, n) = 1}

Zhijun Li S1034040Autumn08HIT 55

Zn*

• Zn* is the multiplicative "group" of integers modulo n that are coprime to n
  – Zn* = {x ∈ Zn | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n

• Zn* need not be a group under +
  – Example: n = 20; 3, 5 ∈ Z20* but 3 + 5 = 8 ∉ Z20*

• So Zn* is in general not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

• Zp is the "field" of integers modulo a prime p
  – Zp = {0, 1, 2, …, p-1}
  – Normal addition modulo p
  – Normal multiplication modulo p

• Example: Z2

    +  | 0  1        ·  | 0  1        w | -w | w^{-1}
    ---+------       ---+------       --+----+-------
    0  | 0  1        0  | 0  0        0 |  0 |   -
    1  | 1  0        1  | 0  1        1 |  1 |   1

  Addition in Z2 is XOR, multiplication is AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

• Definition: if R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n-1} x^{n-1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0

• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

• Example: let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1 (in Z2, -1 = 1)
  – f(x)·g(x) = x^5 + x^4 + x^3 + x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

• Definition: the set of residues modulo p(x) of R[x] is the set of remainders of elements of R[x] on division by p(x)
  – for the field construction that follows, p(x) is taken to be an irreducible polynomial over R

• The set of residues modulo p(x) of R[x] is denoted R[x]/(p(x))

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) - b(x))

• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 (mod x^2 + 1)
    · 3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x·(x^2 + 1)

• Definition: if a(x)·b(x) ≡ 1 (mod p(x)) then b(x) = a^{-1}(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)

• Definition: a polynomial a(x) is irreducible over R if there is no polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) such that b(x) | a(x)

Zhijun Li S1034040Autumn08HIT 62

Example: Z2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1

• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S

• Example
  – x^4 + 1 = x·x^3 + 1 ≡ x·(x + 1) + 1 = x^2 + x + 1 (mod p(x)), since x^3 ≡ x + 1

• Note: R[x]/(p(x)), when p(x) is irreducible, consists of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Zhijun Li S1034040Autumn08HIT 63

Z2[x]/(x^3 + x + 1) Properties

• S is a group under addition in Z2[x]
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0

• The nonzero elements of S form a group under multiplication mod p(x)
  – 1 is e, and every nonzero a ∈ S has an inverse
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x = 1 (mod x^3 + x + 1)
  – Note: the Extended Euclidean Algorithm over polynomials can be used to find the inverse

• Z2[x]/(x^3 + x + 1) is a field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

• Definition: a Galois field is (S, +, ·) with
  – S = F[x]/(p(x))
  – F the field Z_N (N prime)
  – + addition in F[x], · multiplication modulo p(x)
  – p(x) irreducible

• The Galois field Z_N[x]/(p(x)) is denoted GF(N^n), where n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field (256 is not prime)
  – Z251 = {0, 1, …, 250} is a field
    · The largest prime < 256 is 251
    · The byte values 251, …, 255 are wasted

• Is it possible to find a field with exactly 256 elements?
  – Yes: a Galois field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block

  10010111  ↔  1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z2[x]/(p(x)) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

AES uses GF(2^8) = Z2[x]/(p(x)) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^{-1} ↔ (x^6 + x^4 + x + 1)^{-1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Zhijun Li S1034040Autumn08HIT 68

Galois Field Example: AES

• Example: 02 · 87 = ?
  · 87 = 10000111, f(x) = x^7 + x^2 + x + 1
  · 02 = 00000010, i.e. x
  · 02 · 87 = x·f(x) = x·(x^7 + x^2 + x + 1) mod p(x)
            = x^8 + x·(x^2 + x + 1) mod p(x)
            = (x^4 + x^3 + x + 1) + (x^3 + x^2 + x) = x^4 + x^2 + 1 ↔ 00010101

• In general, for f(x) ↔ (b7 b6 b5 b4 b3 b2 b1 b0):

  x·f(x) = 02 · f(x) = (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
                     = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1

  since x^8 ≡ x^4 + x^3 + x + 1 ↔ 00011011 (mod p(x))
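Arithmetic in Z2[x]/(p(x)) with polynomials stored as bit strings, added here as an example that is not part of the slides. It implements the "multiply by x" rule above for the AES field, a general multiply-and-reduce that also covers the Z2[x]/(x^3 + x + 1) example of the earlier slide, and inversion as a^(2^n - 2), then checks the slides' own values: (x^2 + 1)·x = 1 in GF(2^3), 02·87 = 15 and 53⁻¹ = CA in GF(2^8). `gf_sanity` checks that every nonzero element has an inverse, which fails for a reducible modulus. Function names, and the constants other than the slides' own, are my choices.

```python
# Added example (not from the slides): GF(2^n) = Z2[x]/(p(x)) arithmetic on
# bit-string polynomials, including the AES field and its xtime rule.

AES_POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1, with the x^8 term kept


def xtime(b):
    """Multiply a byte by x = {02} in GF(2^8): shift left, XOR 0x1b if bit 7 was set."""
    b <<= 1
    if b & 0x100:          # b7 was 1: the x^8 term is replaced by x^4+x^3+x+1
        b ^= AES_POLY
    return b & 0xFF


def gf_mul(a, b, poly=AES_POLY, degree=8):
    """a * b mod poly in GF(2^degree); poly includes the leading x^degree term."""
    result = 0
    while b:
        if b & 1:
            result ^= a        # add a * x^i whenever bit i of b is set
        b >>= 1
        a <<= 1                # a := a * x, then reduce if it overflowed
        if a & (1 << degree):
            a ^= poly
    return result


def gf_inv(a, poly=AES_POLY, degree=8):
    """Inverse via the group order: a^(2^degree - 2) = a^-1 for nonzero a."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    result, exp = 1, (1 << degree) - 2
    while exp:                 # square-and-multiply
        if exp & 1:
            result = gf_mul(result, a, poly, degree)
        a = gf_mul(a, a, poly, degree)
        exp >>= 1
    return result


def gf_sanity(poly, degree):
    """True iff every nonzero element has an inverse, i.e. Z2[x]/(poly) is a field."""
    return all(gf_mul(a, gf_inv(a, poly, degree), poly, degree) == 1
               for a in range(1, 1 << degree))
```

`gf_mul(0x02, 0x87)` and `xtime(0x87)` both give 0x15, `gf_inv(0x53)` gives 0xCA, and `gf_sanity(0b1111, 3)` is False because x^3 + x^2 + x + 1 = (x + 1)^3 is reducible. The branches in `xtime` and `gf_mul` depend on the data; a real AES implementation must avoid that (or the lookup tables it replaces) leaking through timing or cache behaviour.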

Zhijun Li S1034040Autumn08HIT 69

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

• Message space P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, $\sum_{i=1}^{N} p(a_i) = 1$

• Key space K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, $\sum_{i=1}^{S} p(b_i) = 1$

• Ciphertext space C = {c | c = ek(m), k ∈ K, m ∈ P}

[Figure: Sender → Encryption (m → c) → Decryption (c → m) → Receiver; the key k from the Key Space (K) reaches both ends over a Secure Channel; Cryptanalysis observes c. The spaces are labelled Message Space (P), Key Space (K) and Ciphertext Space (C).]

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."

R. G. Gallager, on Claude Shannon (1916–2001)

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\; c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]$
  – $C(k) = \{ e_k(m) \mid m \in P \}$, the set of ciphertexts reachable under key k

• $\Pr[C = c \mid P = m] = \sum_{k \in K,\; m = d_k(c)} \Pr[K = k]$

• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \cdot \Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr[m] \sum_{k \in K,\; m = d_k(c)} \Pr[k]}{\sum_{k \in K,\; c \in C(k)} \Pr[k] \cdot \Pr[d_k(c)]}$

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define "information"?

• Definition: an encryption scheme is Shannon secure if the probability distribution of P is unchanged by observing C:
  for all c and m, Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of "⇐" (equal key probabilities and unique keys imply perfect secrecy)

$\Pr[P = x \mid C = y] = \dfrac{\sum_{k \in K,\; x = d_k(y)} \Pr[K = k] \cdot \Pr[P = x]}{\sum_{k \in K,\; y \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(y)]}$

• Numerator: exactly one key k satisfies x = d_k(y), so $\sum_{k \in K,\; x = d_k(y)} \Pr[K = k] = 1/|K|$

• Denominator: $\sum_{k \in K,\; y \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(y)] = \dfrac{1}{|K|} \sum_{k \in K,\; y \in C(k)} \Pr[P = d_k(y)] = \dfrac{1}{|K|} \sum_{x \in P} \Pr[P = x] = \dfrac{1}{|K|}$
  (as k ranges over the keys with y ∈ C(k), d_k(y) takes every plaintext x exactly once)

• Hence Pr[P = x | C = y] = Pr[P = x]

Zhijun Li S1034040Autumn08HIT 76

Proof of "⇒" (perfect secrecy implies a unique key for each pair (x, y))

• Consider y with Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]

• Fix x ∈ P, y ∈ C: we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k with ek(x) = y

• Every y ∈ C is reached this way, so |{ek(x) | k ∈ K}| = |C| = |K|
  – Hence there are no k1 ≠ k2 with ek1(x) = ek2(x)
  – There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of "⇒" (perfect secrecy implies every key is equally likely)

• Let n = |K| and P = {xi | 1 ≤ i ≤ n}

• Given a fixed y, let k1, k2, …, kn be the keys with e_{ki}(xi) = y (unique by the previous slide)

• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i] \cdot \Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i] \cdot \Pr[x_i]}{\Pr[y]}$

• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y] for every i
  – Every key is used with equal probability, namely 1/|K|

Zhijun Li S1034040Autumn08HIT 78

"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof:
  – Consider a probability distribution on P that is nonzero for every plaintext
  – Given any ciphertext c with Pr[C = c] > 0, for every m
    Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
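A numerical check of the perfect-secrecy definition and of the theorem above, added as an example (not code from the slides). For a cipher over a tiny message space it computes Pr[P = m | C = c] from the key and message distributions by the formulas of the "Probability Distribution of C" slide and compares every entry with Pr[P = m]. A shift cipher over Z_n with a uniform, message-length key passes; the same cipher with a shorter key cycled over the message (so |K| < |P|) fails, as the theorem predicts. The message distribution is constructed and deliberately non-uniform; function names are mine.

```python
# Added example (not from the slides): test perfect secrecy exhaustively by
# computing the posterior Pr[P = m | C = c] with exact rational arithmetic.
from fractions import Fraction
from itertools import product


def shift_encrypt(key, msg, n):
    """Component-wise c_i = (m_i + k_i) mod n; key and message of equal length."""
    return tuple((m + k) % n for m, k in zip(msg, key))


def posterior_table(encrypt, messages, keys, msg_dist):
    """{(m, c): Pr[P = m | C = c]} for all m and all reachable c, with keys
    uniform (Pr[K = k] = 1/|K|): Pr[C = c] = sum over (m, k) with e_k(m) = c."""
    pr_key = Fraction(1, len(keys))
    joint, pr_c = {}, {}
    for m, k in product(messages, keys):
        c = encrypt(k, m)
        p = msg_dist[m] * pr_key            # Pr[P = m, K = k]
        joint[(m, c)] = joint.get((m, c), 0) + p
        pr_c[c] = pr_c.get(c, 0) + p
    return {(m, c): joint.get((m, c), 0) / pc
            for m in messages for c, pc in pr_c.items() if pc > 0}


def is_perfectly_secret(encrypt, messages, keys, msg_dist):
    """Perfect secrecy: Pr[P = m | C = c] = Pr[P = m] for every m and every c."""
    post = posterior_table(encrypt, messages, keys, msg_dist)
    return all(p == msg_dist[m] for (m, c), p in post.items())


def shift_cipher_case(n, msg_len, key_len):
    """Messages of msg_len symbols over Z_n; the key has key_len symbols and is
    cycled over the message (a one-time pad when key_len == msg_len).
    Uses a constructed, non-uniform message distribution Pr[m_i] ~ i + 1."""
    messages = list(product(range(n), repeat=msg_len))
    keys = list(product(range(n), repeat=key_len))
    total = len(messages) * (len(messages) + 1) // 2
    msg_dist = {m: Fraction(i + 1, total) for i, m in enumerate(messages)}

    def encrypt(k, m):
        full_key = tuple(k[i % key_len] for i in range(msg_len))
        return shift_encrypt(full_key, m, n)

    return is_perfectly_secret(encrypt, messages, keys, msg_dist)
```

`shift_cipher_case(3, 2, 2)` returns True (9 keys for 9 messages, one key per (m, c) pair) and `shift_cipher_case(3, 2, 1)` returns False: with 3 keys and 9 messages a ciphertext rules out six plaintexts, so the posterior cannot equal the prior. This is exactly the key-reuse failure of a "two-time pad", decided here with exact fractions rather than by sampling.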

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

• Perfect secrecy ⇒ key length ≥ message length
  – Cannot use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – but security under limited resources (complexity)
  – meaning that key (or plaintext) recovery is difficult for a resource-bounded adversary
  – Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Zhijun Li S1034040Autumn08HIT 81

Turing Machine

• Definition: a Turing Machine is given by a transition function S × B → S × B × {l, r}
  – where S is the set of states, B the tape alphabet (characters), l is shift left and r is shift right

[Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a head controlled by the State Machine]

Zhijun Li S1034040Autumn08HIT 82

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Zhijun Li S1034040Autumn08HIT 83

Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output]

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (of the TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log n
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) grows at least like a^n for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to establish than that of an algorithm
  – It relies on mathematical analysis (lower bounds), not on measuring one algorithm

• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem

• Decidable
  – P – can be solved in polynomial time using a DTM (deterministic Turing Machine)
    · Example: A·B
  – NP – can be solved in polynomial time using an NDTM (non-deterministic Turing Machine), whose transition relation S × B → 2^{S × B × {l, r}} allows several next moves
  – BPP – can be "solved" in polynomial time using a PTM (probabilistic Turing Machine), S × B × {0, 1} → S × B × {l, r}, i.e. by randomized algorithms

Zhijun Li S1034040Autumn08HIT 87

NP Problem

• NP ⊇ P: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult" by intuition

• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: assume Q1, Q2 ∈ NP with instance sets I1, I2, and let I1+ ⊆ I1 and I2+ ⊆ I2 be their 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  – f is computable in polynomial time by a DTM
  – for all x ∈ I1: x ∈ I1+ iff f(x) ∈ I2+

• Note
  – Q2 is at least as hard as Q1
  – Denoted Q1 ≤poly Q2

Zhijun Li S1034040Autumn08HIT 89

NP Completeness (NPC)

• Definition: an NP-complete problem is a Qc ∈ NP such that for any Q ∈ NP we have Q ≤poly Qc

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?

• How to prove a problem Q ∈ NPC?
  – Show Q ∈ NP and SAT ≤poly Q

Zhijun Li S1034040Autumn08HIT 90

P=NP

• Either P = NP, or there exists p ∈ NP with p ∉ P

• If P = NP
  – Modern cryptography is NOT secure

• If there exists p ∈ NP with p ∉ P
  – A one-way function may be built based on p (P ≠ NP is necessary for one-way functions to exist; whether it is also sufficient is an open question)
  – Indistinguishable pseudorandom functions exist (given a one-way function)
  – These are the foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms

• Remarks on BPP
  – The problem can be solved with a bounded error probability
  – The error probability can be reduced by repetition (majority vote)
  – Security of cryptography is meaningful against BPP adversaries
  – Will be analyzed in depth later

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: factorize n (= p1^{e1} p2^{e2} … pk^{ek})

• DLP (discrete logarithm problem): given a power of a generator modulo the prime p, find its exponent x

• DHP (Diffie-Hellman problem): from the a-th and b-th powers of a generator modulo p, compute its (a·b)-th power

• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP (quadratic residuosity problem): decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying x^2 ≡ a (mod n)

Zhijun Li S1034040Autumn08HIT 93

Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Concerned with leaking any partial information about the plaintext
  – Approximates perfect secrecy

• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 1/2 + ε

  Challenger                                        Adversary
  picks random k and random b ∈ {0, 1}
                                            <--     picks M0, M1 of equal length
  sends the encryption of Mb under k        -->
                                                    outputs a guess b'

  Attacker wins the game if b = b'

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 1/2 + ε

  Challenger                                        Adversary
  1. picks random k
  2. picks random M, sends its encryption     -->
                                                    3. picks i and outputs a guess a

  Attacker wins the game if a = the i'th bit of M

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: given a (t, ε) attacker B against bit security, build a (t, ε) attacker A against IND-CPA security: A picks M0 and M1 of equal length that differ only in bit i, receives the challenge ciphertext, runs B on it to get a guess a for bit i, and outputs b' = 0 if a equals bit i of M0 and b' = 1 otherwise. A wins exactly when B guesses correctly, so A has the same advantage ε and essentially the same running time t.
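The two games of the preceding slides and the reduction of this proof as runnable code, added here as an example (not code from the slides). The cipher is a constructed toy: it one-time-pads every bit of a byte except bit 0, which it sends in the clear, so a bit attacker on bit 0 wins with certainty; `ind_cpa_from_bit_attacker` turns that attacker into an IND-CPA adversary exactly as the proof does. A proper one-time pad is included for contrast, and the running-time parameter t is not modelled. Names and constants are my choices.

```python
# Added example (not from the slides): IND-CPA game, bit-security game and
# the reduction "IND-CPA secure implies bit secure", on an 8-bit toy cipher.
import random

N_BITS = 8
BIT_INDEX = 0   # the plaintext bit the toy cipher leaks and the bit attacker targets


def leaky_encrypt(key, msg):
    """Constructed toy cipher: one-time pad on bits 1..7, bit 0 sent in the clear."""
    return ((msg ^ key) & ~1) | (msg & 1)


def otp_encrypt(key, msg):
    """A real one-time pad on all N_BITS bits (key is fresh per game)."""
    return msg ^ key


def bit_attacker(ciphertext):
    """Bit-security adversary: guess plaintext bit BIT_INDEX by reading the leak."""
    return (ciphertext >> BIT_INDEX) & 1


def bit_security_game(encrypt, attacker, rng):
    """Challenger picks random k and M; attacker answers a; wins if a = M_i."""
    key, msg = rng.getrandbits(N_BITS), rng.getrandbits(N_BITS)
    return attacker(encrypt(key, msg)) == (msg >> BIT_INDEX) & 1


def ind_cpa_game(encrypt, adversary, rng):
    """Challenger picks k and b; adversary gets E_k(M_b) for its M0, M1; wins if b' = b."""
    key, b = rng.getrandbits(N_BITS), rng.randrange(2)
    return adversary(lambda m0, m1: encrypt(key, (m0, m1)[b])) == b


def ind_cpa_from_bit_attacker(attacker, i=BIT_INDEX):
    """The reduction: M0 and M1 have equal length and differ only in bit i, so the
    bit attacker's answer on the challenge ciphertext reveals which was encrypted."""
    def adversary(challenge):
        m0 = 0b10101010                      # any fixed message (constructed)
        m1 = m0 ^ (1 << i)
        a = attacker(challenge(m0, m1))
        return 0 if a == (m0 >> i) & 1 else 1
    return adversary


def win_rate(game, encrypt, adversary, trials=2000, seed=1):
    """Empirical success probability of an adversary over independent games."""
    rng = random.Random(seed)
    return sum(game(encrypt, adversary, rng) for _ in range(trials)) / trials
```

Against `leaky_encrypt` both `win_rate(bit_security_game, ...)` and the derived IND-CPA adversary score 1.0; against `otp_encrypt` both stay near 1/2. The reduction runs in the contrapositive direction of the theorem: any cipher that leaks even one predictable bit is automatically not IND-CPA secure.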

Zhijun Li S1034040Autumn08HIT 97

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

• HTTP URL

  http://cst.hit.edu.cn/cryptography

• Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 31

Proof of CRT

bull Consider a one-to-one map Zn Zn1

Zn2 hellipZnk

(x) = (x mod n1 x mod n2 hellip x mod nk)ndash CRT is find -1 = (a1 a2 hellip ak)

(a1 a2 hellip ak) = i=1kaimiyi mod n

ndash mi = nni gcd(mini)=11ik ndash yi = mi

-1 mod ni1ikndash mi 0 mod nj for ji aimiyi 0 mod nj for ji ndash yj mj

-1 mod nj mjyj1 mod nj ajmjyjaj mod nj

(a1 a2 hellip ak) mod nj = aj

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn*

• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20; 3, 5 ∈ Zn*, but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field
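The following is an added example, not code from the lecture: it builds Zn* as {x | gcd(x, n) = 1}, checks with the slide's own numbers that Z20* is closed under multiplication but not under addition, and computes element orders in Z7* to recover the earlier generator example (2 only generates {1, 2, 4}, 3 generates the whole group) together with the Lagrange/ord(a) | n relation.

```python
"""Added example (not from the slides): the multiplicative group Zn*,
Euler's phi(n), closure checks, element orders and generators."""
from math import gcd


def units(n):
    """Zn* = {x in Zn | gcd(x, n) = 1}; its size is Euler's phi(n)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def phi(n):
    """Euler's phi(n), counted directly from the definition of Zn*."""
    return len(units(n))


def closed_under(elements, op, n):
    """True iff op(a, b) mod n stays inside `elements` for every pair."""
    s = set(elements)
    return all(op(a, b) % n in s for a in elements for b in elements)


def order(a, n):
    """Multiplicative order of a in Zn*: least k >= 1 with a^k = 1 (mod n)."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} has no multiplicative inverse mod {n}")
    k, power = 1, a % n
    while power != 1:
        power = (power * a) % n
        k += 1
    return k


def generated_subgroup(a, n):
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list."""
    return sorted({pow(a, i, n) for i in range(1, order(a, n) + 1)})


def generators(n):
    """Elements whose order equals |Zn*|, i.e. the generators of Zn* (if any)."""
    size = phi(n)
    return [a for a in units(n) if order(a, n) == size]


if __name__ == "__main__":
    print("Z20* =", units(20), "phi(20) =", phi(20))
    print("closed under *:", closed_under(units(20), lambda a, b: a * b, 20))
    print("closed under +:", closed_under(units(20), lambda a, b: a + b, 20))
    print("<2> in Z7* =", generated_subgroup(2, 7))
    print("generators of Z7* =", generators(7))
    # Lagrange: the order of every element divides |Z7*| = phi(7) = 6
    print({a: order(a, 7) for a in units(7)})
```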

Zp

• Zp is the "field" of integers modulo a prime p
  – Zp = {0, 1, 2, …, p-1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2

  +  | 0  1        ×  | 0  1        w | -w | w^-1
  ---+------       ---+------       --+----+-----
  0  | 0  1        0  | 0  0        0 |  0 |  -
  1  | 1  0        1  | 0  1        1 |  1 |  1

  (+ is XOR, × is AND)

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n-1} x^{n-1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) - b(x))
• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod (x^2 + 1)
    • 3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x)·b(x) ≡ 1 mod p(x), then b(x) = a^-1(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO nonconstant polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1) Properties

• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S without 0 is a group over multiplication mod p(x)
  – 1 is e, and the inverse of every nonzero a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod (x^3 + x + 1) = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3 + x + 1) is a field

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is a field Z_N (N is prime)
  – + is addition in F, · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field Z_N[x]/p(x) is denoted GF(N^n), where n = deg p(x)

Why Galois Field

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251 … 255 are wasted
• Is it possible to find a field for Z256?
  – Yes: a Galois field

Galois Field for Z256

• Build a mapping from an n-bit block to polynomials
• Example: 8-bit block
    10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x), where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example
  • 02 · 87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ f(x) = x
  • 02 · 87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x)
    = x^8 + x(x^2 + x + 1) mod p(x)
    = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)
    = 00001110 ⊕ 00011011 = 00010101
• In general, multiplying a byte (b7 b6 b5 b4 b3 b2 b1 b0) by 02 is x·f(x):
  – (b6 b5 b4 b3 b2 b1 b0 0) if b7 = 0
  – (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011) if b7 = 1 (the x^8 term is reduced by p(x))
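The following is an added example, not code from the lecture or from any AES implementation: it implements arithmetic in GF(2^n) = Z2[x]/p(x) with a polynomial stored as an integer whose bit i is the coefficient of x^i, and reproduces the slides' cases, Z2[x]/(x^3 + x + 1) and AES' GF(2^8) with p(x) = x^8 + x^4 + x^3 + x + 1 (0x11B). The inverse is computed by exponentiation (a^(2^n - 2)) rather than the Extended Euclidean Algorithm the slide mentions; both give the same result.

```python
"""Added example (not the lecture's own code): GF(2^n) = Z2[x]/p(x) arithmetic
on integers (bit i <-> coefficient of x^i, e.g. 10010111 <-> x^7+x^4+x^2+x+1)."""


def gf_add(a, b):
    """Addition in Z2[x] is coefficient-wise XOR; every element is its own negative."""
    return a ^ b


def gf_reduce(a, p):
    """a(x) mod p(x): cancel the leading term with a shifted copy of p(x) until deg a < deg p."""
    deg_p = p.bit_length() - 1
    while a.bit_length() - 1 >= deg_p:
        shift = a.bit_length() - 1 - deg_p
        a ^= p << shift
    return a


def gf_mul(a, b, p):
    """a(x) * b(x) mod p(x) by shift-and-add, then one final reduction."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
    return gf_reduce(result, p)


def xtime(a, p=0x11B):
    """AES' multiplication of a byte by 02 (= x): shift left, then XOR p(x) if b7 was 1."""
    a <<= 1
    if a & 0x100:                   # an x^8 term appeared: x^8 = x^4 + x^3 + x + 1
        a ^= p
    return a & 0xFF


def gf_inv(a, p):
    """a^-1 = a^(2^n - 2): every nonzero a in GF(2^n) satisfies a^(2^n - 1) = 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^n)")
    n = p.bit_length() - 1
    exp = (1 << n) - 2
    result, base = 1, a
    while exp:                      # square-and-multiply
        if exp & 1:
            result = gf_mul(result, base, p)
        base = gf_mul(base, base, p)
        exp >>= 1
    return result


def is_irreducible(p):
    """Trial division by every polynomial of degree 1 .. deg(p)/2 (fine for small n)."""
    deg_p = p.bit_length() - 1
    for d in range(1, deg_p // 2 + 1):
        for q in range(1 << d, 1 << (d + 1)):    # all polynomials of exact degree d
            if gf_reduce(p, q) == 0:
                return False
    return True


if __name__ == "__main__":
    P3, AES = 0b1011, 0x11B           # x^3 + x + 1 and AES' x^8 + x^4 + x^3 + x + 1
    print(bin(gf_reduce(0b10001, P3)))  # x^4 + 1 mod p(x) = x^2 + x + 1
    print(gf_mul(0b101, 0b10, P3))      # (x^2 + 1) * x = 1, so x is the inverse of x^2 + 1
    print(hex(gf_inv(0x53, AES)))       # the slide's AES example: 0xca
    print(hex(gf_mul(0x02, 0x87, AES)), hex(xtime(0x87)))  # 02 * 87 both ways
    print(is_irreducible(P3), is_irreducible(AES), is_irreducible(0b1001))
```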

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = {c | c = ek(m), k ∈ K, m ∈ M}

[Figure: Sender → Encryption → c → Decryption → Receiver; m is drawn from the Message Space (P), k from the Key Space (K) and delivered over a Secure Channel, c lies in the Ciphertext Space (C); Cryptanalysis observes c and tries to recover m]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."

R. G. Gallager

Claude Shannon, 1916-2001

Probability Distribution of C

• Pr[C = c] = Σ_{k∈K: c∈C(k)} Pr[K = k]·Pr[P = dk(c)]
  – C(k) = {ek(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k∈K: m=dk(c)} Pr[K = k]
• Pr[P = m | C = c]
  = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
  = ( Pr(m)·Σ_{k: m=dk(c)} Pr(k) ) / ( Σ_{k∈K: c∈C(k)} Pr(k)·Pr(dk(c)) )

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for every probability distribution of P, ∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|,
  – and for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y

Proof of ⇐

• Pr[x | y] = ( Σ_{k∈K: x=dk(y)} Pr[K = k]·Pr[x] ) / ( Σ_{k∈K: y∈C(k)} Pr[K = k]·Pr[dk(y)] )
• Numerator: Σ_{k∈K: x=dk(y)} Pr[K = k] = 1/|K| (exactly one key maps x to y, and every key has probability 1/|K|)
• Denominator: Σ_{k∈K: y∈C(k)} Pr[K = k]·Pr[dk(y)] = (1/|K|)·Σ_{k∈K: y∈C(k)} Pr[dk(y)] = (1/|K|)·Σ_{x∈P} Pr[x] = 1/|K|
• Hence Pr[x | y] = Pr[x]

Proof of ⇒ (unique key)

• Pr[y] > 0 and Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C: we have Pr[y | x] = Pr[y] > 0, thus at least one k exists that satisfies ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with ek1(x) = ek2(x)
  – So there is a unique key k such that ek(x) = y

Proof of ⇒ (equal key probability)

• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, take the keys k1, k2, …, kn where eki(xi) = y
• Pr[xi | y] = Pr[y | xi]·Pr[xi] / Pr[y] = Pr[K = ki]·Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y] for every i
  – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a probability distribution of P that is nonzero everywhere
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
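The following is an added example, not code from the lecture: it evaluates the slides' formulas for Pr[C = c] and Pr[P = m | C = c] on a small cipher table and tests the perfect-secrecy definition and the unique-key condition of the theorem. The cipher, key and plaintext distributions are constructed here (a shift cipher on Z_4); the cases show perfect secrecy with uniform keys, its loss with a biased key distribution, and the "bad news" bound when fewer keys than messages are available.

```python
"""Added example (not from the slides): checking Shannon/perfect secrecy of a
small cipher by computing the probability distributions directly.
A cipher is a table e[k][m] = c; exact arithmetic uses Fraction."""
from fractions import Fraction
from itertools import product


def shift_cipher(n):
    """e_k(m) = (m + k) mod n for k, m in Z_n, so |K| = |P| = |C| = n."""
    return {k: {m: (m + k) % n for m in range(n)} for k in range(n)}


def uniform(items):
    return {i: Fraction(1, len(items)) for i in items}


def pr_c(e, pr_k, pr_p, c):
    """Pr[C = c] = sum over k with c in C(k) of Pr[K = k] * Pr[P = d_k(c)]."""
    total = Fraction(0)
    for k, table in e.items():
        for m, ct in table.items():        # c in C(k) iff some m maps to c under k
            if ct == c:
                total += pr_k[k] * pr_p[m]
    return total


def pr_p_given_c(e, pr_k, pr_p, m, c):
    """Bayes: Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c]."""
    pr_c_given_m = sum((pr_k[k] for k in e if e[k][m] == c), Fraction(0))
    return pr_c_given_m * pr_p[m] / pr_c(e, pr_k, pr_p, c)


def has_perfect_secrecy(e, pr_k, pr_p):
    """Pr[P = m | C = c] == Pr[P = m] for every m and every c with Pr[C = c] > 0."""
    ciphertexts = {ct for table in e.values() for ct in table.values()}
    for m, c in product(pr_p, ciphertexts):
        if pr_c(e, pr_k, pr_p, c) == 0:
            continue
        if pr_p_given_c(e, pr_k, pr_p, m, c) != pr_p[m]:
            return False
    return True


def unique_key_property(e, messages, ciphertexts):
    """Theorem condition: for every (x, y) exactly one key k has e_k(x) = y."""
    return all(sum(1 for k in e if e[k][x] == y) == 1
               for x in messages for y in ciphertexts)


# constructed distributions: a skewed plaintext distribution and a biased key choice
SKEWED_P = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
BIASED_K = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}


def demo():
    """(uniform keys, biased keys, only 3 keys for 4 messages) -> (True, False, False)."""
    e = shift_cipher(4)
    fewer_keys = {k: e[k] for k in range(3)}   # |K| = 3 < |P| = 4: the "bad news" case
    return (
        has_perfect_secrecy(e, uniform(range(4)), SKEWED_P),
        has_perfect_secrecy(e, BIASED_K, SKEWED_P),
        has_perfect_secrecy(fewer_keys, uniform(range(3)), SKEWED_P),
    )


if __name__ == "__main__":
    print(demo())
    print(pr_p_given_c(shift_cipher(4), BIASED_K, SKEWED_P, 0, 0))  # 3/4, not Pr[P=0] = 1/2
```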

Introduction of Complexity

• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – Secure under limited resources (complexity)
  – Meaning that recovering the key (or plaintext) is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is a transition function S × B → S × B × {l, r}
  – where S is the set of states, B the tape characters, l is shift left, r is shift right

[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; an instance is the Input of an ALGORITHM, whose Output is the answer]

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: A B
  – NP: can be solved in polynomial time using an NDTM, S × B → 2^(S × B × {l, r})
  – BPP: can be "solved" in polynomial time using a PTM, S × B × {0, 1} → S × B × {l, r} (randomized algorithms)

NP Problem

• NP ⊇ P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problem ⊆ NP problem
  – An NP problem is "more difficult", by intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is at least as complex as Q1
  – Denoted Q1 ≤poly Q2

NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC?
  – Show SAT ≤poly Q

P = NP?

• Either P = NP, or ∃p ∈ NP with p ∉ P
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 ··· pk^ek)
• DLP: Find x satisfying g^x ≡ y (mod p)
• DHP: Find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish a ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε

  Challenger                              Adversary
  picks random k and                      picks M0, M1 of equal length
  picks random b ∈ {0, 1}      ← M0, M1
  sends C = E(k, Mb)           → C        outputs a guess b'

  The attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε

  Challenger                              Adversary
  1. Picks random k
  2. Picks random M            → C        3. Picks i and outputs a guess a

  The attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
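The following is an added example, not code from the lecture: it plays the IND-CPA eavesdropper game and the bit-security game of the previous slides exactly (every key and coin is enumerated, so the win probability is computed rather than sampled) and implements the reduction sketched in the proof above, turning a bit-security attacker into an IND-CPA attacker by choosing M0 and M1 that differ only in the predicted bit. The two one-byte ciphers are constructed here: a one-time-pad style XOR with a full 8-bit key, and a "leaky" variant whose key never touches bit 7 of the message.

```python
"""Added example (not the lecture's own code): IND-CPA game, bit-security game,
and the bit-security-to-IND-CPA reduction, evaluated exactly on toy ciphers."""
from fractions import Fraction
from itertools import product

KEYS = range(256)                        # 8-bit key space shared by both toy ciphers


def otp_encrypt(k, m):
    """One-time-pad style: the whole byte is masked by the key."""
    return k ^ m


def leaky_encrypt(k, m):
    """Constructed flaw: bit 7 of the key is ignored, so bit 7 of m is sent in clear."""
    return (k & 0x7F) ^ m


def ind_cpa_win_probability(encrypt, adversary):
    """Enumerate (k, b): the challenger encrypts M_b, the adversary guesses b' from C."""
    wins = 0
    for k, b in product(KEYS, (0, 1)):
        m0, m1 = adversary.choose_messages()
        c = encrypt(k, (m0, m1)[b])
        wins += adversary.guess(c) == b
    return Fraction(wins, 2 * len(KEYS))


def bit_win_probability(encrypt, bit_attacker):
    """Enumerate (k, M): the adversary picks i and guesses the i-th bit of M from C."""
    wins = 0
    for k, m in product(KEYS, range(256)):
        i = bit_attacker.choose_bit()
        wins += bit_attacker.guess_bit(encrypt(k, m), i) == (m >> i) & 1
    return Fraction(wins, len(KEYS) * 256)


class Bit7Attacker:
    """Bit-security attacker that reads bit 7 straight from the ciphertext."""
    def choose_bit(self):
        return 7

    def guess_bit(self, c, i):
        return (c >> i) & 1


class ReductionAdversary:
    """IND-CPA adversary built from any bit attacker (the proof idea of the slide):
    choose M0, M1 that differ only in bit i, then read b off the predicted bit."""
    def __init__(self, bit_attacker):
        self.inner = bit_attacker
        self.i = bit_attacker.choose_bit()

    def choose_messages(self):
        return 0, 1 << self.i            # M0 has bit i = 0, M1 has bit i = 1

    def guess(self, c):
        return self.inner.guess_bit(c, self.i)


def advantage(p):
    """The epsilon in 'wins with probability 0.5 + epsilon'."""
    return p - Fraction(1, 2)


if __name__ == "__main__":
    for name, enc in (("otp", otp_encrypt), ("leaky", leaky_encrypt)):
        p_bit = bit_win_probability(enc, Bit7Attacker())
        p_ind = ind_cpa_win_probability(enc, ReductionAdversary(Bit7Attacker()))
        print(name, "bit game:", p_bit, "IND-CPA via reduction:", p_ind)
```

For the full-key XOR both games are won with probability exactly 1/2 (advantage 0); for the leaky cipher the bit attacker wins with probability 1, and the reduction carries that advantage over unchanged to the IND-CPA game.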

Summary

• Number Theory
  – Prime, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:

Zhijun Li S1034040Autumn08HIT 32

Finding Eulerrsquos phi Function

bull Theorem if gcd(mn)=1 then (mn)=(m)(n)

bull Proof ndash A number x mod mn is represented uniquely by the p

air (a b) (x mod m x mod n) (CRT)

ndash A number is relatively prime to both m and n iff a and b are relatively prime to m and n respectively

ndash So (mn)=(m)(n)

Zhijun Li S1034040Autumn08HIT 33

Finding Eulerrsquos phi Function

(n) calculation for n = i=1k pi

ei

(p) = p-1 (pe) = pe ndash pe-1

ndash The numbers with gcd(kp pe) = p when k=1hellippe-1-1 ndash So (pe) = pe -1ndash pe-1 -1

( i=1kpi

ei ) = i=1k(pi

ei ndash piei -1)

(n) = n(1-1p1)(1-1p2)hellip(1-1pk)

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
 – f is computable in polynomial time by a DTM
 – for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
 – Q2 is more complex (at least as hard) than Q1
 – Denoted as Q1 ≤poly Q2

NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc

• Example
 – Name: Satisfiability problem (SAT)
 – Instance: A set U of variables and a collection C of clauses over U
 – Question: Is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC: show SAT ≤poly Q

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?

• If P = NP
 – Modern cryptography is NOT secure

• If ∃p ∈ NP with p ∉ P
 – A one-way function can be built based on p
 – Indistinguishable pseudorandom functions exist
 – These are the foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
 – Especially in cryptanalysis
 – BPP is the model for randomized algorithms

• Remarks on BPP
 – The problem can be solved with some error probability
 – The error probability can be reduced by repetition
 – Security of cryptography is meaningful under BPP
 – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 … pk^ek)

• DLP: Find the exponent x satisfying g^x ≡ y (mod p)

• DHP: Find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)

• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: Decide whether a is a quadratic residue modulo n

• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of Semantic Security
 – Between Shannon security and security based on complexity
 – Leaks partial information
 – Approximates perfect secrecy

• Definition of Semantic Security
 – Indistinguishability of ciphertexts
 – Difficult to distinguish the ciphertexts of different plaintexts
 – Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
 – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

Game between Challenger and Adversary:
 – Challenger picks a random key k and a random bit b ∈ {0, 1}
 – Adversary picks M0, M1 of equal length (and may ask for encryptions of chosen plaintexts)
 – Challenger returns the encryption of Mb; Adversary outputs a guess b'
 – Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

Game between Challenger and Adversary:
 1. Challenger picks a random key k
 2. Challenger picks a random message M (and returns its encryption)
 3. Adversary picks a position i and outputs a guess a
 – Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof idea: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
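The IND-CPA game above, as an added example (this is not code from the lecture or from any library): a small simulator plays the game between a challenger and an adversary that has chosen-plaintext oracle access. Two constructed toy ciphers are plugged in, a deterministic one (the same plaintext always gives the same ciphertext) and a randomized one that uses a fresh nonce per message with HMAC-SHA256 standing in for a PRF. All class and function names are this example's own.

```python
# Added example (not from the lecture slides): a simulator for the IND-CPA
# game. Two toy ciphers are plugged in: one deterministic and one randomized
# with a fresh nonce per message. All names here are this example's own.
import hashlib
import hmac
import secrets
from os import urandom

BLOCK = 8  # constructed message length in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DeterministicCipher:
    """E(k, m) = m XOR F(k) with a fixed pad derived from k: deterministic."""
    def __init__(self):
        self.k = urandom(16)

    def encrypt(self, m: bytes) -> bytes:
        pad = hashlib.sha256(self.k).digest()[:len(m)]
        return xor(m, pad)


class RandomizedCipher:
    """E(k, m) = (r, m XOR PRF_k(r)) with a fresh random r per encryption;
    HMAC-SHA256 stands in for the PRF."""
    def __init__(self):
        self.k = urandom(16)

    def encrypt(self, m: bytes) -> bytes:
        r = urandom(16)
        pad = hmac.new(self.k, r, hashlib.sha256).digest()[:len(m)]
        return r + xor(m, pad)


class RepeatQueryAdversary:
    """Asks the chosen-plaintext oracle for E(M0), then compares it with the
    challenge ciphertext: this wins whenever encryption is deterministic."""
    def choose(self, oracle):
        self.m0, self.m1 = bytes(BLOCK), b"\xff" * BLOCK   # equal length
        self.c0 = oracle(self.m0)
        return self.m0, self.m1

    def guess(self, oracle, challenge: bytes) -> int:
        return 0 if challenge == self.c0 else 1


def ind_cpa_game(cipher_cls, adversary_cls, trials: int) -> float:
    """Play the game `trials` times and return the adversary's win rate.
    A rate close to 0.5 means this adversary gains no advantage."""
    wins = 0
    for _ in range(trials):
        cipher = cipher_cls()                 # challenger picks random k
        b = secrets.randbelow(2)              # challenger picks random b
        adv = adversary_cls()
        m0, m1 = adv.choose(cipher.encrypt)   # adversary may query the oracle
        challenge = cipher.encrypt((m0, m1)[b])
        if adv.guess(cipher.encrypt, challenge) == b:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("deterministic:", ind_cpa_game(DeterministicCipher, RepeatQueryAdversary, 200))
    print("randomized:   ", ind_cpa_game(RandomizedCipher, RepeatQueryAdversary, 200))
```

Against the deterministic cipher the adversary wins every round (advantage ε = 0.5), which is why a scheme that encrypts equal plaintexts to equal ciphertexts can never be IND-CPA secure; against the randomized cipher the win rate hovers around 0.5.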

Summary

• Number Theory
 – Primes, gcd, Euler's Theorem, CRT
 – Modular arithmetic

• Algebraic Structures
 – Group, Field
 – Zn, Zp, GF(2^n)

• Shannon Security
 – Perfect secrecy
 – Probability

• Complexity of Computing
 – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date:


Finding Euler's phi Function

φ(n) calculation for n = ∏_{i=1}^{k} p_i^{e_i}:

• φ(p) = p − 1; φ(p^e) = p^e − p^{e−1}
 – The numbers k·p with k = 1, …, p^{e−1} − 1 have gcd(k·p, p^e) = p
 – So φ(p^e) = (p^e − 1) − (p^{e−1} − 1)

• φ(∏_{i=1}^{k} p_i^{e_i}) = ∏_{i=1}^{k} (p_i^{e_i} − p_i^{e_i − 1})

• φ(n) = n(1 − 1/p1)(1 − 1/p2)…(1 − 1/pk)

Euler's Theorem

• Theorem: If gcd(a, n) = 1 then a^{φ(n)} ≡ 1 (mod n)

• Proof:
 1. Let R = {r1, r2, …, r_{φ(n)}} be the set of reduced residues modulo n
 2. {a·r1, a·r2, …, a·r_{φ(n)}} is a permutation of R (since gcd(a·r_i, n) = 1)
 3. ∏_{i=1}^{φ(n)} r_i ≡ ∏_{i=1}^{φ(n)} a·r_i ≡ a^{φ(n)} · ∏_{i=1}^{φ(n)} r_i (mod n)
 4. gcd(∏_{i=1}^{φ(n)} r_i, n) = 1, hence a^{φ(n)} ≡ 1 (mod n)

Fermat's Little Theorem

• From Euler's Theorem: let n = p where p is a prime. Because for all 0 < a < p, gcd(a, p) = 1, we get
 a^{p−1} ≡ 1 (mod p)
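As an added example (not part of the lecture slides), the following Python code computes φ(n) both by the product formula from the "Finding Euler's phi Function" slide and directly from the definition, then checks Euler's theorem and Fermat's little theorem on constructed values. `factorize` is a trial-division helper written for this example; it is adequate for the small n used here.

```python
# Added example (not from the lecture slides): Euler's phi from the prime
# factorisation, phi by counting, and checks of Euler's and Fermat's theorems.
from math import gcd


def factorize(n: int) -> dict:
    """Trial-division factorisation n = prod p_i^e_i (example helper, small n only)."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi_from_factors(n: int) -> int:
    """phi(n) = prod (p^e - p^(e-1)), the product formula from the slide."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def phi_by_counting(n: int) -> int:
    """Definition of phi: the number of 1 <= k <= n with gcd(k, n) = 1."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def euler_holds(a: int, n: int) -> bool:
    """a^phi(n) == 1 (mod n); only meaningful when gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("Euler's theorem needs gcd(a, n) = 1")
    return pow(a, phi_from_factors(n), n) == 1


def fermat_holds(a: int, p: int) -> bool:
    """Fermat: a^(p-1) == 1 (mod p) for prime p and 0 < a < p."""
    if factorize(p) != {p: 1}:
        raise ValueError("p must be prime")
    if not 0 < a < p:
        raise ValueError("need 0 < a < p")
    return pow(a, p - 1, p) == 1


if __name__ == "__main__":
    n = 84  # constructed example: 84 = 2^2 * 3 * 7, so phi(84) = 2 * 2 * 6 = 24
    print(factorize(n), phi_from_factors(n), phi_by_counting(n))
    print(euler_holds(5, n), fermat_holds(3, 101))
```

The `ValueError` branch in `euler_holds` is the edge case the theorem's hypothesis excludes: for a sharing a factor with n, a^{φ(n)} mod n is never 1, which is exactly why the Euler-based inverse method on the next slides only works for units.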

Finding a^{-1} mod n

• Search through 1, …, n−1 until an a^{-1} is found such that a·a^{-1} ≡ 1 (mod n)
 – T(n) = O(n)

• Compute a^{-1} = a^{φ(n)−1} mod n
 – Finding φ(n) requires factoring n
 – T(n) = O(n^a)

• Use the Extended Euclidean Algorithm
 – T(n) = O(log^a n)

From the Euclidean Algorithm

• r0 = 1·r0 + 0·r1 = s0·r0 + t0·r1
• r1 = 0·r0 + 1·r1 = s1·r0 + t1·r1
• r2 = r0 − q1·r1 = s2·r0 + t2·r1
• r3 = r1 − q2·r2 = r1 − q2(r0 − q1·r1) = s3·r0 + t3·r1
 ……
• r_{n−1} = s_{n−1}·r0 + t_{n−1}·r1
• r_{n−1} = gcd(r0, r1)
• If s_{n−1}·r0 + t_{n−1}·r1 = 1, then t_{n−1}·r1 ≡ 1 (mod r0), i.e. t_{n−1} ≡ r1^{-1} (mod r0)
• So: find t_{n−1}

s_i and t_i

• r0 = s0·r0 + t0·r1, s0 = 1, t0 = 0
• r1 = s1·r0 + t1·r1, s1 = 0, t1 = 1
 ……
• r_i = r_{i−2} − q_{i−1}·r_{i−1} = s_{i−2}·r0 + t_{i−2}·r1 − q_{i−1}·s_{i−1}·r0 − q_{i−1}·t_{i−1}·r1 = s_i·r0 + t_i·r1
 s_i = s_{i−2} − q_{i−1}·s_{i−1}
 t_i = t_{i−2} − q_{i−1}·t_{i−1}

• Only t_i is needed: r_i = s_i·r0 + t_i·r1 ≡ t_i·r1 (mod r0)

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a

Step 2: r0 = q1·r1 + r2, r2 = r0 − q1·r1 ≡ −q1·r1 (mod n); let x2 = −q1, then r2 ≡ x2·r1 (mod n)
 r1 = q2·r2 + r3, r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 (mod n); let x3 = 1 − x2·q2, then r3 ≡ x3·r1 (mod n)
 ……
 r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1}, r_{n−1} = r_{n−3} − q_{n−2}·r_{n−2} (mod n); let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r1 (mod n). Now r_{n−1} = 1.

Step 3: Result is x_{n−1} = a^{-1} mod n
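The three ways of finding a^{-1} mod n listed on the "Finding a^{-1} mod n" slide, and the extended Euclidean recurrence for s_i and t_i just derived, as an added example (this code is not from the lecture). `egcd` keeps the (s_{i−1}, s_i) and (t_{i−1}, t_i) pairs exactly as in the recurrence s_i = s_{i−2} − q_{i−1}s_{i−1}, t_i = t_{i−2} − q_{i−1}t_{i−1}; `inverse_by_euler` takes φ(n) as a parameter because computing it requires factoring n, which is the point the slide makes.

```python
# Added example (not from the lecture slides): a^-1 mod n three ways.
from math import gcd


def inverse_by_search(a: int, n: int):
    """Brute force over 1..n-1; T(n) = O(n). Returns None if no inverse."""
    for y in range(1, n):
        if (a * y) % n == 1:
            return y
    return None


def egcd(r0: int, r1: int):
    """Return (g, s, t) with s*r0 + t*r1 = g = gcd(r0, r1), following
    s_i = s_{i-2} - q_{i-1} s_{i-1} and t_i = t_{i-2} - q_{i-1} t_{i-1}."""
    s_prev, s = 1, 0      # s_0 = 1, s_1 = 0
    t_prev, t = 0, 1      # t_0 = 0, t_1 = 1
    while r1 != 0:
        q, r2 = divmod(r0, r1)          # r_{i-2} = q_{i-1} r_{i-1} + r_i
        r0, r1 = r1, r2
        s_prev, s = s, s_prev - q * s
        t_prev, t = t, t_prev - q * t
    return r0, s_prev, t_prev           # r_{n-1} = gcd, with its s, t


def inverse_by_eea(a: int, n: int) -> int:
    """a^-1 mod n via the extended Euclidean algorithm; T(n) = O(log^a n).
    Raises ValueError when gcd(a, n) != 1, i.e. when no inverse exists."""
    g, _, t = egcd(n, a)                # step 1: r0 = n, r1 = a
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {g}")
    return t % n                        # t * a == 1 (mod n)


def inverse_by_euler(a: int, n: int, phi_n: int) -> int:
    """a^-1 = a^(phi(n)-1) mod n; the caller must already know phi(n)."""
    if gcd(a, n) != 1:
        raise ValueError("no inverse")
    return pow(a, phi_n - 1, n)


if __name__ == "__main__":
    # Constructed values: 3 mod 7 (phi(7) = 6) and the RSA-textbook pair 17 mod 3120.
    print(inverse_by_search(3, 7), inverse_by_eea(3, 7), inverse_by_euler(3, 7, 6))
    print(egcd(240, 46), inverse_by_eea(17, 3120))
```

The non-unit case matters in practice: callers that silently accept a `None` or a wrong value from an inverse routine produce broken keys, so `inverse_by_eea` refuses rather than returning garbage.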

Outline

• Number Theory
 – Prime Numbers
 – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
 – Information Theory
 – Complexity of Computing
 – Semantic Security

Algebraic Structures

• Why structures?
 – Cryptographic transforms are normally defined in some algebraic structure

• Definition: An algebraic structure is a set S together with one or more operations (∘) performed on the elements of S
 – Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions

Group

• Definition: A group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions:
 – G1: ∀a, b ∈ S: a∘b ∈ S (closure rule)
 – G2: ∀a, b, c ∈ S: (a∘b)∘c = a∘(b∘c) (associativity)
 – G3: ∃e ∈ S, ∀a ∈ S: a∘e = e∘a = a (identity)
 – G4: ∀a ∈ S, ∃a^{-1} ∈ S: a∘a^{-1} = a^{-1}∘a = e (inverse)
 – [G5, Abelian group]: ∀a, b: a∘b = b∘a

Group Example

• ⟨Z, +⟩: e = 0, a^{-1} = −a

• ⟨Zn, +⟩ (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a^{-1} = n − a

• ⟨Z2, +⟩ is also a group

• ⟨Zp*, ·⟩ (Zp* = {1, …, p−1}, '·' is multiplication modulo p)

Group Properties

• Definition: The order of a finite group is the number of elements in the group

• Definition: A group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S

• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange's Theorem: Proof

(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G, the set aH = {ah | h ∈ H} is called a coset of H

(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅

(3) Each element of G is in some coset (a ∈ aH since e ∈ H), so the cosets partition G

(4) The order of aH = the order of H

So the order of H divides the order of G

The Order of a Group Element

• Definition: The order of a group element a is defined as the least positive integer n such that
 a^n = a∘a∘…∘a = e

• The order of a is denoted ord(a)

• Corollary: Suppose G is a finite group of order n and a ∈ G; then ord(a) | n

ord(a) | n: Proof

• Proof
 – For a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operation of G forms a subgroup of G: a^{ord(a)} = e and (a^i)^{-1} = a^{ord(a)−i}
 – This subgroup is denoted ⟨a⟩; it has ord(a) elements, so by Lagrange's Theorem ord(a) | n

The Generator of a Group

• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group

• Example
 – Consider ⟨Z7*, ·⟩
 – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), …
  • ⟨2⟩ = {1, 2, 4} is a subgroup
 – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
  • 3 is a generator

Ring

• Definition: A ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) such that
 – R1: ∀a, b ∈ S: a + b ∈ S, a·b ∈ S (closure rule)
 – R2: ⟨S, +⟩ is an additive Abelian group
 – R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
 – R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c

• Example
 – The set of even integers with + and · is a ring
 – Let p, q be two primes and n = pq; Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Field

• Definition: A field F is ⟨S, +, ·⟩ with
 – F1: ⟨S, +, ·⟩ is a commutative ring (a·b = b·a)
 – F2: There exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
 – F3: Any nonzero element a ∈ S has a unique inverse a^{-1}: a·a^{-1} = a^{-1}·a = 1

• Example
 – Zn = ⟨{0, 1, …, n−1}, +, ·⟩ is a field if n is a prime

Relationship

[Diagram: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷); all three are used in cryptography]

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F_{2^n}

Zn

• Zn is the "ring" of integers modulo n
 – Zn = {0, 1, 2, …, n−1}
 – Normal addition modulo n
 – Normal multiplication modulo n

• Example
 – Z26 for English letters
 – Z256 for ASCII bytes

Zn Properties

• Additive and multiplicative identities in Zn
 – The additive identity is 0 mod n
 – The multiplicative identity is 1 mod n

• Additive inverse: yes, for every x in Zn
 – A number y such that x + y = 0 (mod n)

• Multiplicative inverse: not for all x
 – A number y such that x·y = 1 (mod n)
 – The elements of Zn that have an inverse are {x | gcd(x, n) = 1}

Zn*

• Zn* is a "group" of integers modulo n
 – Zn* = {x | gcd(x, n) = 1}
 – |Zn*| = φ(n)
 – Normal multiplication modulo n

• Zn* may not be a group over +
 – Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*

• So Zn* may not be a field
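The unit group Zn* from this slide, together with the element orders, Lagrange's corollary ord(a) | |G| and the generators of Z7* from the group slides above, as one added example (not code from the lecture): it builds Zn* from the gcd condition, checks closure under · and the failure of closure under + for n = 20, and reproduces the ⟨2⟩ = {1, 2, 4} subgroup and the generator 3 in Z7*. Function names are this example's own.

```python
# Added example (not from the lecture slides): Z_n^*, element orders,
# Lagrange's corollary and generators, all computed by brute force.
from math import gcd


def units(n: int) -> list:
    """Z_n^* = {x in Z_n | gcd(x, n) = 1}; its size is phi(n)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def closed_under(n: int, elems, op) -> bool:
    """Closure rule G1: op(a, b) mod n stays inside the subset for all a, b."""
    s = set(elems)
    return all(op(a, b) % n in s for a in elems for b in elems)


def order(a: int, n: int) -> int:
    """ord(a): least k >= 1 with a^k == 1 (mod n); requires a in Z_n^*."""
    if gcd(a, n) != 1:
        raise ValueError("a is not a unit modulo n")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def generated_subgroup(a: int, n: int) -> list:
    """<a> = {a, a^2, ..., a^ord(a)} as a sorted list."""
    return sorted(pow(a, i, n) for i in range(1, order(a, n) + 1))


def generators(n: int) -> list:
    """Elements of Z_n^* whose order equals |Z_n^*|: they generate the group."""
    g = units(n)
    return [a for a in g if order(a, n) == len(g)]


def lagrange_holds(n: int) -> bool:
    """ord(a) divides |Z_n^*| for every unit a (corollary of Lagrange)."""
    g = units(n)
    return all(len(g) % order(a, n) == 0 for a in g)


if __name__ == "__main__":
    print(units(20), len(units(20)))                       # phi(20) = 8
    print(closed_under(20, units(20), lambda a, b: a * b))  # True
    print(closed_under(20, units(20), lambda a, b: a + b))  # False: 3 + 5 = 8
    print(order(2, 7), generated_subgroup(2, 7))            # 3 {1, 2, 4}
    print(order(3, 7), generators(7))                       # 6 [3, 5]
```

For n = 20 the group Z20* has 8 elements, so every element order divides 8; for the prime 7 the generators are exactly the elements of order 6, which is what makes them usable as bases for discrete-logarithm constructions over Z7*.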

Zp

• Zp is the "field" of integers modulo a prime p
 – Zp = {0, 1, 2, …, p−1}
 – Normal addition modulo p
 – Normal multiplication modulo p

• Example: Z2

 + | 0 1        · | 0 1        w | −w | w^{-1}
 0 | 0 1        0 | 0 0        0 | 0  | –
 1 | 1 0        1 | 0 1        1 | 1  | 1

 (+ is XOR, · is AND)

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n−1} x^{n−1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0

• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x with coefficients from R

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
 – f(x) + g(x) = x^3 + x^2 + 1
 – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
 – f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
 – p(x) is an irreducible polynomial over R

• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) − b(x))

• Example
 – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 (mod x^2 + 1)
  • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)

• Definition: If a(x)·b(x) ≡ 1 (mod p(x)) then b(x) = a^{-1}(x) mod p(x)

Irreducible Polynomials

• Definition: If a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)

• Definition: A polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1

• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S

• Example
 – x^4 + 1 = x·x^3 + 1 ≡ x(x + 1) + 1 = x^2 + x + 1 (mod p(x))

• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1): Properties

• S is a group over addition in R
 – 0 is e, and the inverse of a ∈ S is a itself
 – Example: (x^2 + 1) + (x^2 + 1) = 0

• S (without 0) is a group over multiplication mod p(x)
 – 1 is e, and the inverse of a ∈ S exists
 – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x = 1 (mod x^3 + x + 1)
 – Note: the Extended Euclidean Algorithm can be used to find the inverse

• Z2[x]/(x^3 + x + 1) is a field

Galois Field

• Definition: A Galois field is (S, +, ·) where
 – S = F[x]/p(x)
 – F is a field ZN (N is prime)
 – + is addition in F, · is multiplication modulo p(x)
 – p(x) is irreducible

• The Galois field over ZN[x]/p(x) is denoted GF(N^n), where n = deg p(x)

Why Galois Fields?

• For an 8-bit block
 – Z256 = {0, 1, …, 255} is not a field
 – Z251 = {0, 1, …, 250} is a field
  • The largest prime < 256 is 251
  • 251, …, 255 are wasted

• Is it possible to find a field for Z256?
 – Yes – a Galois field

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
 10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
 – 01010011 ↔ x^6 + x^4 + x + 1
 – (01010011)^{-1} ↔ (x^6 + x^4 + x + 1)^{-1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: 02·87 = ?
 • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
 • 02 = 00000010 ↔ x
 • 02·87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)

• In general, for b = (b7 b6 b5 b4 b3 b2 b1 b0):
 x·f(x), i.e. 02·b = (b6 b5 b4 b3 b2 b1 b0 0) if b7 = 0
 x·f(x), i.e. 02·b = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011) if b7 = 1
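Arithmetic in Z2[x]/(p(x)) with polynomials stored as integers (bit i is the coefficient of x^i), as an added example that serves the Z2[x] product example, the Z2[x]/(x^3 + x + 1) slides and the two AES GF(2^8) examples above. This is not code from the lecture or from the AES specification; `poly_mul`, `poly_mod`, `gf_mul`, `gf_inv` and `xtime` are this example's own names. The inverse is computed by Lagrange's theorem applied to the multiplicative group (a^{2^n − 1} = 1, so a^{-1} = a^{2^n − 2}) rather than by the extended Euclidean algorithm the slide mentions, so the block also generalizes from the two slide values to every nonzero element of GF(2^8).

```python
# Added example (not from the lecture slides or the AES spec): GF(2^n)
# arithmetic on integer-encoded polynomials over Z2.

def poly_mul(a: int, b: int) -> int:
    """Carry-less multiplication in Z2[x] (no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_mod(a: int, p: int) -> int:
    """Remainder of a modulo p(x) in Z2[x]: cancel the top bit while deg a >= deg p."""
    dp = p.bit_length() - 1
    while a and a.bit_length() - 1 >= dp:
        a ^= p << (a.bit_length() - 1 - dp)
    return a


def gf_mul(a: int, b: int, p: int) -> int:
    """Multiplication in GF(2^n) = Z2[x]/(p(x)), p irreducible of degree n."""
    return poly_mod(poly_mul(a, b), p)


def gf_inv(a: int, p: int) -> int:
    """a^-1 = a^(2^n - 2): the multiplicative group has order 2^n - 1 (Lagrange)."""
    if a == 0:
        raise ValueError("0 has no multiplicative inverse")
    n = p.bit_length() - 1
    e = (1 << n) - 2
    result, base = 1, a
    while e:                          # square-and-multiply
        if e & 1:
            result = gf_mul(result, base, p)
        base = gf_mul(base, base, p)
        e >>= 1
    return result


AES_P = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1
GF8_P = 0b1011          # x^3 + x + 1, the field of the earlier slide


def xtime(b: int) -> int:
    """02 * b in AES: shift left, then XOR 0x1B when b7 was set (the slide's rule)."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b


if __name__ == "__main__":
    print(bin(poly_mul(0b1011, 0b110)))        # (x^3+x+1)(x^2+x) = x^5+x^4+x^3+x
    print(poly_mod(0b10001, GF8_P))            # x^4+1 mod p = x^2+x+1 = 0b111
    print(gf_mul(0b101, 0b10, GF8_P))          # (x^2+1)*x = 1 in GF(2^3)
    print(hex(gf_inv(0x53, AES_P)))            # 0xca, as on the AES slide
    print(hex(xtime(0x87)), hex(gf_mul(0x02, 0x87, AES_P)))  # 0x15 both ways
```

The last line checks the slide's shift-and-conditional-XOR rule against the general multiply; the two agree for every byte because 0x11B is exactly p(x) and the shifted value has degree at most 8, so at most one reduction step is 
ever needed.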

Outline

• Number Theory
 – Prime Numbers
 – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
 – Information Theory
 – Complexity of Computing
 – Semantic Security

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
 – M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1

• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
 – B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1

• C = {c | c = e_k(m), k ∈ K, m ∈ M}

[Diagram: Sender → Encryption (m from the Message Space P, k from the Key Space K) → c (Ciphertext Space C) → Decryption → Receiver; the key k reaches the receiver over a Secure Channel; Cryptanalysis observes c and tries to recover m]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
 – R. G. Gallager

Claude Shannon, 1916–2001

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k]·Pr[P = d_k(c)]
 – C(k) = {e_k(m) | m ∈ P}

• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]

• Pr[P = m | C = c]
 = Pr[C = c | P = m]·Pr[P = m] / Pr[C = c]
 = (Pr(m)·Σ_{k | m = d_k(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k)·Pr(d_k(c)))

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
 – How to define "information"?

• Definition: An encryption scheme is Shannon secure if the probability distribution of P satisfies, for all c and m,
 Pr[P = m] = Pr[P = m | C = c]
 • Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
 – every key is used with equal probability 1/|K|
 – and for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Proof of ⇐ (sufficiency)

• Pr[x = x | y = y] = (Σ_{k ∈ K, x = d_k(y)} Pr[K = k]·Pr[x = x]) / (Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = d_k(y)])

• Numerator: Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K| (a unique key maps x to y)

• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[x = d_k(y)] = (1/|K|)·Σ_{k ∈ K, y ∈ C(k)} Pr[x = d_k(y)] = (1/|K|)·Σ_{x ∈ P} Pr[x = x] = 1/|K|

• Hence Pr[x = x | y = y] = Pr[x = x]

Proof of ⇒ (necessity), part 1

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]

• Fix x ∈ P and y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y

• |{e_k(x) | k ∈ K}| = |C| = |K|
 – There are no k1 ≠ k2 with e_k1(x) = e_k2(x)
 – There is a unique key k such that e_k(x) = y

Proof of ⇒ (necessity), part 2

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}

• Given a fixed y, let k1, k2, …, kn be the keys with e_{ki}(x_i) = y

• Pr[x_i | y] = Pr[y | x_i]·Pr[x_i] / Pr[y] = Pr[K = k_i]·Pr[x_i] / Pr[y]

• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
 – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
 – Consider a nonzero probability distribution on P
 – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
 – As one key can decrypt c into only one message, at least n keys are needed
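The formulas for Pr[C = c] and Pr[P = m | C = c] from the "Probability Distribution of C" slide, evaluated exactly (with `Fraction`) over explicit distributions, as an added example that is not code from the lecture. It uses a constructed shift cipher on Z3 and a constructed biased plaintext distribution, then tests the perfect-secrecy condition Pr[P = m | C = c] = Pr[P = m] three ways: uniform keys (perfect secrecy holds), biased keys (it fails, as the ⇒ direction of the theorem predicts) and only two keys for three messages (it fails, illustrating the |K| ≥ |P| bound of the "bad news" theorem). Function names are this example's own.

```python
# Added example (not from the lecture slides): checking Shannon's perfect
# secrecy condition numerically on a toy shift cipher over Z_n.
from fractions import Fraction
from itertools import product


def shift_cipher(n: int):
    """e_k(m) = m + k mod n and d_k(c) = c - k mod n on P = C = K = Z_n."""
    return (lambda k, m: (m + k) % n), (lambda k, c: (c - k) % n)


def ciphertext_dist(enc, P, K) -> dict:
    """Pr[C=c] = sum over (k, m) with e_k(m) = c of Pr[K=k] * Pr[P=m]."""
    dist = {}
    for (m, pm), (k, pk) in product(P.items(), K.items()):
        c = enc(k, m)
        dist[c] = dist.get(c, Fraction(0)) + pk * pm
    return dist


def posterior(enc, P, K, m, c) -> Fraction:
    """Pr[P=m|C=c] = Pr[C=c|P=m] * Pr[P=m] / Pr[C=c], with
    Pr[C=c|P=m] = sum of Pr[K=k] over keys k with e_k(m) = c."""
    pc_given_m = sum((pk for k, pk in K.items() if enc(k, m) == c), Fraction(0))
    pc = ciphertext_dist(enc, P, K)[c]
    return pc_given_m * P[m] / pc


def has_perfect_secrecy(enc, P, K) -> bool:
    """Shannon secure iff Pr[P=m|C=c] == Pr[P=m] for all m and every c with Pr[C=c] > 0."""
    cs = ciphertext_dist(enc, P, K)
    return all(posterior(enc, P, K, m, c) == P[m] for m in P for c in cs)


# Constructed distributions on Z_3: a biased plaintext, and three key choices.
P3 = {0: Fraction(1, 2), 1: Fraction(1, 3), 2: Fraction(1, 6)}
K_uniform = {k: Fraction(1, 3) for k in range(3)}             # every key 1/|K|
K_biased = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
K_small = {0: Fraction(1, 2), 1: Fraction(1, 2)}              # |K| = 2 < |P| = 3

if __name__ == "__main__":
    enc, dec = shift_cipher(3)
    print(ciphertext_dist(enc, P3, K_uniform))                # all 1/3
    print(has_perfect_secrecy(enc, P3, K_uniform))            # True
    print(has_perfect_secrecy(enc, P3, K_biased))             # False
    print(has_perfect_secrecy(enc, P3, K_small))              # False
    print(posterior(enc, P3, K_biased, 0, 0))                 # 2/3, not 1/2
```

With biased keys, seeing c = 0 raises the probability of m = 0 from 1/2 to 2/3: the ciphertext leaks information, which is the quantity a practitioner would want to measure for any "one-time pad" whose key material is not uniformly random.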

Introduction to Complexity

• Perfect secrecy: key length ≥ message length
 – Can NOT use one key to encrypt many messages
 – E.g. using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
 – NOT perfect secrecy
 – IS secure under limited resources (complexity)
 – Meaning that key (or plaintext) recovery is difficult
 – Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
 – Name: GCD problem
 – Instance: Two natural numbers a, b ∈ N
 – Question: What is the greatest common divisor of a and b?
 – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is δ: S×B → S×B×{l, r}
 – where S is the set of states, B the characters, l is shift left, r is shift right

[Diagram: a tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answer for every instance of the problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 34

Eulerrsquos Theorem

bull Theorem If gcd(an)=1 then a(n) 1 mod n

bull Proof 1 Let R= r1 r2 hellip r(n)be a residue set of residues

modulo n

2 ar1 ar2 hellip ar(n) is a permutation of R (gcd(arin)=1)

3 i=1(n) ri = i=1

(n) ari a(n) i=1(n) ri mod n

4 gcd( i=1(n) rin)=1 Hence a(n) 1 mod n

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

• Additive and multiplicative identities in Zn
– Additive identity is 0 mod n
– Multiplicative identity is 1 mod n
• Additive inverse: Yes
– For every x in Zn there is a number y such that x + y = 0
• Multiplicative inverse: Not for all x
– A number y such that x · y = 1
– The elements of Zn that have an inverse: {x | gcd(x, n) = 1}

Zn*

• Zn* is a "group" of integers modulo n
– Zn* = {x | gcd(x, n) = 1}
– |Zn*| = φ(n)
– Normal multiplication modulo n
• Zn* may not be a group over +
– Example: n = 20: 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field

Zp

• Zp is the "field" of integers modulo p
– Zp = {0, 1, 2, …, p−1}
– Normal addition modulo p
– Normal multiplication modulo p
• Example: Z2

  +   0 1        ·   0 1        w  −w  w^-1
  0   0 1        0   0 0        0   0
  1   1 0        1   0 1        1   1   1
     (XOR)          (AND)

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_(n−1) x^(n−1) + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
– f(x) + g(x) = x^3 + x^2 + 1
– f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
– f(x) · g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
– p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted as R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
– Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
  • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x) · b(x) ≡ 1 mod p(x), then b(x) = a^-1(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x) · b(x), then a(x) is divisible by b(x), denoted as b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S
• Example
– x^4 + 1 = x · x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1): Properties

• S is a group over addition in R
– 0 is e, and the inverse of a ∈ S is a itself
– Example: (x^2 + 1) + (x^2 + 1) = 0
• S is a group over multiplication mod p(x)
– 1 is e, and the inverse of a ∈ S exists
– Example: (x^2 + 1) · x = x^3 + x ≡ (x + 1) + x mod x^3 + x + 1 = 1
– Note: the Extended Euclidean Algorithm can be used to find the inverse
• Z2[x]/(x^3 + x + 1) is a Field

Galois Field

• Definition: Galois field = (S, +, ·)
– S = F[x]/p(x)
– F is a field Z_N (N is prime)
– + is addition in F, · is multiplication modulo p(x)
– p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted as GF(N^n) when n = deg p(x)

Why Galois Field

• For an 8-bit block
– Z256 = {0, 1, …, 255} is not a field
– Z251 = {0, 1, …, 250} is a field
  • The largest prime < 256 is 251
  • 251 … 255 are wasted
• Is it possible to find a field for Z256?
– Yes: the Galois Field

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
– 01010011 ↔ x^6 + x^4 + x + 1
– (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: 02 · 87 = ?
  • 87 = 10000111, f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010, f(x) = x
  • 02 · 87 = x · f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
• In general, x · f(x) = 02 · (b7 b6 b5 b4 b3 b2 b1 b0) is
  – (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
  – (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1
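The polynomial arithmetic of the Galois field slides (residues mod p(x), the inverse found by the Extended Euclidean Algorithm, and the AES "02" rule above), as an added example in Python that is not from the original slides. Polynomials over Z2 are bit-packed integers, the moduli 0b1011 (x^3+x+1) and 0x11B (the AES polynomial) come from the slides, and the function names are my own.

```python
def gf2_deg(a: int) -> int:
    """Degree of the Z2[x] polynomial whose coefficient bits are a (deg 0 := -1)."""
    return a.bit_length() - 1


def gf2_divmod(a: int, b: int) -> tuple[int, int]:
    """Long division in Z2[x]: returns (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a and gf2_deg(a) >= gf2_deg(b):
        shift = gf2_deg(a) - gf2_deg(b)
        q ^= 1 << shift
        a ^= b << shift  # subtraction is XOR in Z2[x]
    return q, a


def gf2n_mul(a: int, b: int, poly: int) -> int:
    """a(x)*b(x) mod p(x) in GF(2^n); poly holds p(x) including its leading bit."""
    n = gf2_deg(poly)
    if a >> n:  # reduce an operand that is not yet a residue
        a = gf2_divmod(a, poly)[1]
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:  # the slide's rule: when bit n appears, XOR with p(x)
            a ^= poly
    return result


def gf2n_inv(a: int, poly: int) -> int:
    """Inverse of a(x) mod p(x) by the Extended Euclidean Algorithm on Z2[x]:
    r0 = p, r1 = a, and t_i tracks r_i = t_i * a (mod p) until r_i = 1."""
    r0, r1 = poly, a
    t0, t1 = 0, 1
    while r1 > 1:
        q, r = gf2_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ gf2n_mul(q, t1, poly)
    if r1 != 1:  # r1 == 0 means gcd(a, p) != 1: a = 0 or p(x) is reducible
        raise ValueError("polynomial has no inverse modulo p(x)")
    return t1


def xtime(b: int) -> int:
    """AES multiplication by 02 exactly as the slide states it:
    shift the byte left and XOR 00011011 when b7 was set."""
    b <<= 1
    return (b ^ 0b00011011) & 0xFF if b & 0x100 else b


def poly_str(a: int) -> str:
    """Render a bit-packed polynomial in the slides' notation, e.g. x^6+x^4+x+1."""
    terms = [{0: "1", 1: "x"}.get(i, f"x^{i}")
             for i in range(gf2_deg(a), -1, -1) if a >> i & 1]
    return "+".join(terms) if terms else "0"


AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1 (from the AES slide)
GF8_POLY = 0b1011  # x^3 + x + 1, the 8-element field of the earlier slides

if __name__ == "__main__":
    print(poly_str(gf2n_inv(0x53, AES_POLY)))  # x^7+x^6+x^3+x, i.e. 11001010
    print(hex(xtime(0x87)), hex(gf2n_mul(0x02, 0x87, AES_POLY)))
```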

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Mathematical Model for Ciphers

• $P = M^L = \{m = (m_1, m_2, \ldots, m_L) \mid m_i \in M\}$
– $M = \{a_i,\ i = 1, 2, \ldots, N\}$, $p(a_i) \ge 0$, $\sum_{i=1}^{N} p(a_i) = 1$
• $K = B^R = \{b = (b_1, b_2, \ldots, b_R) \mid b_i \in B\}$
– $B = \{b_i,\ i = 1, 2, \ldots, S\}$, $p(b_i) \ge 0$, $\sum_{i=1}^{S} p(b_i) = 1$
• $C = \{c \mid c = e_k(m),\ k \in K,\ m \in M\}$

[Figure: Sender, Encryption (m → c), Decryption, Receiver; the key k reaches the receiver over a Secure Channel; Cryptanalysis observes c; Key Space (K), Message Space (P), Ciphertext Space (C)]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."

R. G. Gallager

Claude Shannon, 1916-2001

Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\; c \in C(k)} \Pr[K = k]\,\Pr[m = d_k(c)]$
– $C(k) = \{e_k(m) \mid m \in P\}$
• $\Pr[C = c \mid P = m] = \sum_{k \in K,\; m = d_k(c)} \Pr[K = k]$
• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m]\,\Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m)\sum_{k \mid m = d_k(c)} \Pr(k)}{\sum_{k \in K,\; c \in C(k)} \Pr(k)\,\Pr(d_k(c))}$

Shannon Security

• Basic Idea: Ciphertext should provide no "information" about Plaintext
– How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for any probability distribution of P, ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Proof of ⇐

• $\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \dfrac{\sum_{k \in K,\; x = d_k(y)} \Pr[K = k]\,\Pr[\mathbf{x} = x]}{\sum_{k \in K,\; y \in C(k)} \Pr[K = k]\,\Pr[\mathbf{x} = d_k(y)]}$
• Numerator: $\sum_{k \in K,\; x = d_k(y)} \Pr[K = k] = 1/|K|$ (exactly one such key, used with probability $1/|K|$)
• Denominator: $\sum_{k \in K,\; y \in C(k)} \Pr[K = k]\,\Pr[\mathbf{x} = d_k(y)] = \dfrac{1}{|K|}\sum_{k \in K,\; y \in C(k)} \Pr[\mathbf{x} = d_k(y)] = \dfrac{1}{|K|}\sum_{x \in P} \Pr[\mathbf{x} = x] = \dfrac{1}{|K|}$
• Hence $\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \Pr[\mathbf{x} = x]$

Proof of ⇒ (unique key)

• Pr[y] > 0; Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P, y ∈ C: we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y
• |{e_k(x) | k ∈ K}| = |C| = |K|
– So there are no two keys k1 ≠ k2 with e_k1(x) = e_k2(x)
– There is a unique key k such that e_k(x) = y

Proof of ⇒ (equal key probability)

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Given a fixed y, assume k_1, k_2, …, k_n where e_{k_i}(x_i) = y
• Pr[x_i | y] = Pr[y | x_i] Pr[x_i] / Pr[y] = Pr[K = k_i] Pr[x_i] / Pr[y]
• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
– Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
– Consider a nonzero probability distribution of P
– Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
– As one key can decrypt c into only one message, at least n keys are needed
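The formulas for Pr[C = c] and Pr[P = m | C = c] and Shannon's perfect-secrecy test, evaluated on a small cipher, as an added example in Python that is not from the original slides. The cipher e_k(m) = m + k mod 3, the skewed plaintext distribution and the two key distributions are constructed for this example; exact fractions keep the comparison Pr[P = m] = Pr[P = m | C = c] free of rounding.

```python
from fractions import Fraction
from itertools import product
from typing import Callable, Dict

Dist = Dict[int, Fraction]          # outcome -> probability
Cipher = Callable[[int, int], int]  # (k, m) -> e_k(m)


def shift_encrypt(k: int, m: int, n: int = 3) -> int:
    """Toy cipher e_k(m) = m + k mod n over Z_n (constructed for this example)."""
    return (m + k) % n


def ciphertext_distribution(enc: Cipher, keys: Dist, msgs: Dist) -> Dist:
    """Pr[C=c] = sum over (k, m) with e_k(m) = c of Pr[K=k] * Pr[P=m]."""
    dist: Dist = {}
    for (k, pk), (m, pm) in product(keys.items(), msgs.items()):
        c = enc(k, m)
        dist[c] = dist.get(c, Fraction(0)) + pk * pm
    return dist


def posterior(enc: Cipher, keys: Dist, msgs: Dist, m: int, c: int) -> Fraction:
    """Pr[P=m | C=c] = Pr[C=c | P=m] Pr[P=m] / Pr[C=c], where
    Pr[C=c | P=m] is the total probability of the keys mapping m to c."""
    pr_c_given_m = sum((pk for k, pk in keys.items() if enc(k, m) == c), Fraction(0))
    pr_c = ciphertext_distribution(enc, keys, msgs)[c]
    return pr_c_given_m * msgs[m] / pr_c


def has_perfect_secrecy(enc: Cipher, keys: Dist, msgs: Dist) -> bool:
    """Shannon's definition: Pr[P=m] = Pr[P=m | C=c] for every m and every
    ciphertext c that occurs with nonzero probability."""
    cdist = ciphertext_distribution(enc, keys, msgs)
    return all(posterior(enc, keys, msgs, m, c) == msgs[m]
               for m in msgs for c, pc in cdist.items() if pc > 0)


# Constructed sample data: a skewed plaintext distribution over Z_3 and two key
# distributions, one satisfying the theorem's 1/|K| condition and one not.
MSGS: Dist = {0: Fraction(1, 2), 1: Fraction(1, 3), 2: Fraction(1, 6)}
UNIFORM_KEYS: Dist = {k: Fraction(1, 3) for k in range(3)}
BIASED_KEYS: Dist = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}


def shift3(k: int, m: int) -> int:
    """The Z_3 instance of the toy cipher used below."""
    return shift_encrypt(k, m, 3)


def demo() -> tuple:
    """(perfect secrecy with uniform keys, perfect secrecy with biased keys)."""
    return (has_perfect_secrecy(shift3, UNIFORM_KEYS, MSGS),
            has_perfect_secrecy(shift3, BIASED_KEYS, MSGS))


if __name__ == "__main__":
    print(demo())  # the uniform key distribution passes, the biased one fails
    print(posterior(shift3, BIASED_KEYS, MSGS, 0, 0))  # 2/3 instead of Pr[P=0] = 1/2
```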

Introduction of the Complexity

• Perfect Secrecy: key length ≥ message length
– Can NOT use one key to encrypt many messages
– Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
– NOT perfect secrecy
– IS secure under limited resources (complexity)
– Means that the key (or plaintext) recovery is difficult
– Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified
• Example
– Name: GCD problem
– Instance: Two natural numbers a, b ∈ N
– Question: What is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is S × B → S × B × {l, r}
– Where S is the set of states, B is the set of characters, l is shift left, r is shift right

[Figure: a tape … 0 1 1 0 0 0 1 1 … read by a State Machine]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

[Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
– Logarithmic functions: f(n) = log(n)
– Polynomial functions: f(n) = n^a, a ∈ N
– Exponential functions: f(n) grows at least as fast as a^n for some a ∈ N, and there exists b ∈ N such that f(n) = O(b^n)

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
– The complexity of a problem is much more difficult to determine
– It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable: provably intractable
– There is no algorithm that solves it
– Such as the Turing Halting Problem
• Decidable
– P: can be solved in polynomial time using a DTM
  • Example: AB
– NP: can be solved in polynomial time using a NDTM, S × B → 2^S
– BPP: can be "solved" in polynomial time using a PTM, S × B × {0, 1} → S (Randomized algorithms)

NP Problem

• NP ⊇ P: A problem is solved by the NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
– P Problem ⊆ NP Problem
– NP Problems are "more difficult" by intuition
• NPC: The most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy problems

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
– Q2 is more complex than Q1
– Denoted as Q1 ≤_poly Q2

NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc
• Example
– Name: Satisfiability problem (SAT)
– Instance: A set U of variables and a collection C of clauses over U
– Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q ∈ NPC
– SAT ≤_poly Q

P = NP?

• P = NP, or ∃p ∈ NP, p ∉ P
• If P = NP
– Modern cryptography is NOT secure
• If ∃p ∈ NP, p ∉ P
– A one-way function can be built based on p
– Indistinguishable pseudorandom functions exist
– They are foundations of modern cryptography

BPP

• There are random algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for random algorithms
• Remarks on BPP
– The problem can be solved with some error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful under BPP
– Will be analyzed in depth later

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: Find x satisfying x (mod p)
• DHP: Find ab (mod p) from a (mod p) and b (mod p)
• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: Decide whether a is a quadratic residue modulo n
• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of Semantic Security
– Between Shannon security and security based on Complexity
– Leaks partial information
– Approximates perfect secrecy
• Definition of Semantic Security
– Indistinguishability of Ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε

[Game: Challenger picks random k and picks random b ∈ {0, 1}; Adversary picks M0, M1 of equal length; the attacker wins the game if b = b']

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε

[Game: Challenger: 1. picks random k; 2. picks random M. Adversary: 3. picks i. The attacker wins the game if a = the i'th bit of M]

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security

Summary

• Number Theory
– Prime, gcd, Euler's Theorem, CRT
– Modular arithmetic
• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)
• Shannon Security
– Perfect secrecy
– Probability
• Complexity of Computing
– P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:

Zhijun Li S1034040Autumn08HIT 35

Fermatrsquos Little Theorem

bull For Eulerrsquos Theorem

Let n is p and p is a prime

Because for all 0ltaltp gcd(ap)=1 then

ap-1 1 mod p

Zhijun Li S1034040Autumn08HIT 36

bull Search through 1hellipn-1 until an a-1 is found such that aa-1 1 (mod n)ndash T(n)=O(n)

bull Compute a-1 = a(n)-1 mod nndash Find (n) factoring nndash T(n)=O(na)

bull Use the Extended Euclidean Algorithmndash T(n)=O(logan)

Finding a-1 mod n

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Slide 89: NP-Completeness (NPC)

• Definition: A problem $Q_c$ is NP-complete if $Q_c \in NP$ and for every $Q \in NP$ we have $Q \le_{poly} Q_c$.

• Example:
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of Boolean variables and a collection C of clauses over U
  – Question: is there a truth assignment that satisfies every clause in C?
  – SAT is NP-complete (Cook's theorem).

• How to prove that a problem Q is NPC: show $Q \in NP$ and $SAT \le_{poly} Q$ (or reduce from any other known NPC problem).

Slide 90: P = NP?

• Either $P = NP$, or there is some $p \in NP$ with $p \notin P$.

• If $P = NP$:
  – complexity-based cryptography is NOT secure: one-way functions cannot exist, since inverting them would be in P. (Perfect-secrecy schemes such as the one-time pad do not rest on a hardness assumption and are unaffected.)

• If $P \ne NP$, i.e. there is $p \in NP \setminus P$:
  – this is necessary for one-way functions to exist, but it is not known to be sufficient: worst-case hardness of p does not by itself give the average-case hardness a one-way function needs. Modern cryptography therefore assumes directly that one-way functions exist (an assumption that itself implies $P \ne NP$).
  – Given a one-way function, pseudorandom generators and indistinguishable pseudorandom functions exist.
  – These are the foundations of modern cryptography.

Slide 91: BPP

• Cryptography uses randomized algorithms, especially in cryptanalysis; BPP is the model for randomized (bounded-error, polynomial-time) algorithms.

• Remarks on BPP:
  – The problem is solved with some error probability, bounded away from 1/2.
  – The error probability can be reduced by repeating the algorithm and taking a majority vote.
  – Security of cryptography is meaningful against BPP (probabilistic polynomial-time) adversaries.
  – This will be analysed in depth later in the course.

Slide 92: Problems in Cryptography

• FACTORING: factorize n, i.e. find $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$.

• DLP (discrete logarithm): given g, y and p, find x satisfying $g^x \equiv y \pmod p$.

• DHP (Diffie–Hellman): find $g^{ab} \pmod p$ from $g^a \pmod p$ and $g^b \pmod p$.

• Subset-Sum: given a set of positive integers $A = \{a_1, a_2, \dots, a_n\}$ and a positive integer s, determine whether there is a subset of A whose sum is s.

• QRP (quadratic residuosity): decide whether a is a quadratic residue modulo n.

• SQROOT: find x satisfying $x^2 \equiv a \pmod n$.
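As an added example (not from the slides), the Subset-Sum problem above makes the NP definition of slide 87 concrete: checking a proposed subset (the certificate an NDTM "guesses") is a deterministic polynomial-time step, while finding one by exhaustive search costs up to $2^n$ checks. The input set and targets are constructed for illustration; the code is Python 3 using only the standard library.

```python
"""Subset-Sum: polynomial-time verifier versus exponential exhaustive search."""
from itertools import combinations


def verify_subset_sum(a, s, certificate):
    """NP verifier: accept iff `certificate` is a list of distinct valid indices
    into `a` whose elements sum to s. Runs in O(n) time: this is the
    deterministic part of the NDTM's computation."""
    if len(set(certificate)) != len(certificate):
        return False                      # repeated index: not a subset
    if any(not 0 <= i < len(a) for i in certificate):
        return False                      # index out of range
    return sum(a[i] for i in certificate) == s


def solve_subset_sum(a, s):
    """Exhaustive search over all 2^n index subsets, smallest subsets first.
    Returns the first certificate found (a sorted index list) or None.
    Each candidate is checked with the same polynomial-time verifier."""
    for size in range(len(a) + 1):
        for idx in combinations(range(len(a)), size):
            if verify_subset_sum(a, s, list(idx)):
                return list(idx)
    return None


if __name__ == "__main__":
    # Constructed instance: A = {3, 34, 4, 12, 5, 2}, target 9 (4 + 5).
    A = [3, 34, 4, 12, 5, 2]
    print(solve_subset_sum(A, 9))    # [2, 4]
    print(solve_subset_sum(A, 30))   # None: no subset sums to 30
```

For n elements the search loop examines up to $2^n$ subsets, while each `verify_subset_sum` call is linear in n; that gap between verifying and finding is exactly what separates NP from P in the definitions above.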

Slide 93: Semantic Security

• Ideas of semantic security:
  – Sits between Shannon (perfect) security and security based purely on complexity.
  – The ciphertext may leak only a negligible amount of partial information.
  – Approximates perfect secrecy against computationally bounded adversaries.

• Definition of semantic security, via indistinguishability of ciphertexts:
  – It is difficult to distinguish the ciphertexts of two different plaintexts.
  – It is difficult to distinguish a ciphertext from random bits.

Slide 94: IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack). A cipher is $(t, \varepsilon)$ IND-CPA secure if no t-time adversary wins the following game with probability $\ge 0.5 + \varepsilon$.

• The game (Challenger vs. Adversary):
  – Challenger picks a random key k and a random bit $b \in \{0, 1\}$.
  – Adversary may ask for encryptions of plaintexts of its choice under k (the chosen-plaintext queries).
  – Adversary picks two messages $M_0, M_1$ of equal length and sends them to the challenger.
  – Challenger returns $c = E_k(M_b)$.
  – Adversary outputs a guess $b'$. The attacker wins the game if $b = b'$.

Slide 95: Bit Security

• A cipher is $(t, \varepsilon)$ bit secure if no t-time adversary wins the following game with probability $\ge 0.5 + \varepsilon$.

• The game (Challenger vs. Adversary):
  1. Challenger picks a random key k.
  2. Challenger picks a random message M and sends $c = E_k(M)$ to the adversary.
  3. Adversary picks a bit position i and outputs a guess a.
  – The attacker wins the game if a equals the i-th bit of M.

Slide 96: Semantic Security

• Theorem: any cipher that is $(t, \varepsilon)$ IND-CPA secure against eavesdroppers is also $(t, \varepsilon)$ bit secure.

• Proof idea: given a $(t, \varepsilon)$ attacker against bit security, build a $(t, \varepsilon)$ attacker against IND-CPA security. The new attacker chooses $M_0$ at random and $M_1 = M_0$ with bit i flipped, so that $M_b$ is a uniformly random message exactly as in the bit game; it hands the challenge ciphertext c to the bit attacker and outputs the b whose $M_b$ has the predicted i-th bit. It wins the IND-CPA game exactly when the bit attacker wins the bit game.
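The games of slides 94 and 95 and the reduction of slide 96, as an added, runnable example that is not part of the original lecture. The "leaky" cipher is constructed here purely to give the bit attacker something to exploit (it pads every bit except bit 0); the one-time pad is the contrast case. Python 3 with the standard library only; bit position 0, the 16-bit message length and the trial counts are choices made for the example.

```python
"""IND-CPA and bit-security games, and the reduction from bit security to IND-CPA."""
import secrets

MSG_BITS = 16


def otp_encrypt(key: int, msg: int) -> int:
    """One-time pad on MSG_BITS-bit messages; the game draws a fresh key each time."""
    return key ^ msg


def leaky_encrypt(key: int, msg: int) -> int:
    """Constructed weak cipher: like the pad, but plaintext bit 0 is sent in clear."""
    return ((key ^ msg) & ~1) | (msg & 1)


class LsbAttacker:
    """Bit-security adversary: always asks for bit i = 0 and reads it off c."""
    i = 0

    def predict(self, c: int) -> int:
        return c & 1


def bit_game(encrypt, attacker, trials: int) -> float:
    """Slide 95: challenger picks k and M; attacker wins if it outputs bit i of M."""
    wins = 0
    for _ in range(trials):
        key, msg = secrets.randbits(MSG_BITS), secrets.randbits(MSG_BITS)
        guess = attacker.predict(encrypt(key, msg))
        wins += guess == ((msg >> attacker.i) & 1)
    return wins / trials


class ReductionAdversary:
    """Slide 96: an IND-CPA adversary built from any bit attacker.

    choose() returns M0, M1 differing only in bit i, so M_b is uniform exactly as
    in the bit game; guess(c) outputs the b whose M_b carries the predicted bit.
    """

    def __init__(self, bit_attacker):
        self.bit_attacker = bit_attacker
        self.m = None

    def choose(self):
        m0 = secrets.randbits(MSG_BITS)
        self.m = (m0, m0 ^ (1 << self.bit_attacker.i))
        return self.m

    def guess(self, c: int) -> int:
        i = self.bit_attacker.i
        predicted = self.bit_attacker.predict(c)
        return 0 if ((self.m[0] >> i) & 1) == predicted else 1


def ind_cpa_game(encrypt, adversary, trials: int) -> float:
    """Slide 94, eavesdropper version: challenger picks k and b, returns E_k(M_b)."""
    wins = 0
    for _ in range(trials):
        key, b = secrets.randbits(MSG_BITS), secrets.randbits(1)
        m0, m1 = adversary.choose()
        wins += adversary.guess(encrypt(key, (m0, m1)[b])) == b
    return wins / trials


if __name__ == "__main__":
    att = LsbAttacker()
    print("bit game, leaky:", bit_game(leaky_encrypt, att, 200))            # 1.0
    print("IND-CPA, leaky:", ind_cpa_game(leaky_encrypt, ReductionAdversary(att), 200))  # 1.0
    print("bit game, OTP:", bit_game(otp_encrypt, att, 400))                # about 0.5
    print("IND-CPA, OTP:", ind_cpa_game(otp_encrypt, ReductionAdversary(att), 400))      # about 0.5
```

Against the leaky cipher the bit attacker's advantage carries over to the IND-CPA game without loss, which is the content of the theorem; against the pad both games stay at a coin flip.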

Slide 97: Summary

• Number theory – primes, gcd, Euler's theorem, CRT – modular arithmetic

• Algebraic structures – group, field – $Z_n$, $Z_p$, $GF(2^n)$

• Shannon security – perfect secrecy – probability

• Complexity of computing – P, NP, NPC, BPP

Slide 98: Homework

• HTTP URL: httpcsthiteducncryptography

• Due Date:


Slide 36: Finding $a^{-1} \bmod n$

• Search through 1, …, n−1 until an $a^{-1}$ is found with $a \cdot a^{-1} \equiv 1 \pmod n$ – $T(n) = O(n)$, which is exponential in the bit length of n.

• Compute $a^{-1} = a^{\phi(n) - 1} \bmod n$ (Euler's theorem) – finding $\phi(n)$ requires factoring n – $T(n) = O(n^a)$, again exponential in the bit length of n.

• Use the extended Euclidean algorithm – $T(n) = O(\log^a n)$, polynomial in the bit length of n.

Slide 37: From the Euclidean Algorithm

Write every remainder as an integer combination of $r_0$ and $r_1$:

• $r_0 = 1 \cdot r_0 + 0 \cdot r_1 = s_0 r_0 + t_0 r_1$

• $r_1 = 0 \cdot r_0 + 1 \cdot r_1 = s_1 r_0 + t_1 r_1$

• $r_2 = r_0 - q_1 r_1 = s_2 r_0 + t_2 r_1$

• $r_3 = r_1 - q_2 r_2 = r_1 - q_2 (r_0 - q_1 r_1) = s_3 r_0 + t_3 r_1$

• ……

• $r_{n-1} = s_{n-1} r_0 + t_{n-1} r_1$

• $r_{n-1} = \gcd(r_0, r_1)$. If the gcd is 1, then $s_{n-1} r_0 + t_{n-1} r_1 = 1$, so $t_{n-1} r_1 \equiv 1 \pmod{r_0}$, i.e. $t_{n-1} \equiv r_1^{-1} \pmod{r_0}$.

• So we only need to find $t_{n-1}$.

Slide 38: $s_i$ and $t_i$

• $r_0 = s_0 r_0 + t_0 r_1$, with $s_0 = 1$, $t_0 = 0$
• $r_1 = s_1 r_0 + t_1 r_1$, with $s_1 = 0$, $t_1 = 1$
• ……
• $r_i = r_{i-2} - q_{i-1} r_{i-1} = (s_{i-2} r_0 + t_{i-2} r_1) - q_{i-1} (s_{i-1} r_0 + t_{i-1} r_1) = s_i r_0 + t_i r_1$, so
  – $s_i = s_{i-2} - q_{i-1} s_{i-1}$
  – $t_i = t_{i-2} - q_{i-1} t_{i-1}$

• Only $t_i$ is needed: $r_i = s_i r_0 + t_i r_1 \equiv t_i r_1 \pmod{r_0}$.

Slide 39: Extended Euclidean Algorithm

Step 1: $r_0 = n$ and $r_1 = a$ (with $\gcd(a, n) = 1$).

Step 2: divide repeatedly, tracking only the coefficient of $r_1$ modulo n:
  – $r_0 = q_1 r_1 + r_2$, so $r_2 = r_0 - q_1 r_1 \equiv -q_1 r_1 \pmod n$; let $x_2 = -q_1$, then $r_2 \equiv x_2 r_1 \pmod n$.
  – $r_1 = q_2 r_2 + r_3$, so $r_3 = r_1 - q_2 r_2 \equiv (1 - x_2 q_2) r_1 \pmod n$; let $x_3 = 1 - x_2 q_2$, then $r_3 \equiv x_3 r_1 \pmod n$.
  – ……
  – $r_{n-3} = q_{n-2} r_{n-2} + r_{n-1}$, so $r_{n-1} = r_{n-3} - q_{n-2} r_{n-2}$; let $x_{n-1} = x_{n-3} - x_{n-2} q_{n-2}$, then $r_{n-1} \equiv x_{n-1} r_1 \pmod n$. Now $r_{n-1} = 1$.

Step 3: the result is $x_{n-1} \equiv a^{-1} \pmod n$ (reduce $x_{n-1}$ modulo n to get the representative in $Z_n$; the coefficient that multiplies $r_1$ in the last nonzero remainder is the inverse, not the one from the step before).
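The three slides above as working code: an added example, not part of the original lecture. `ext_gcd` tracks both $s_i$ and $t_i$ exactly as on slide 38, and `mod_inverse` follows slide 39, keeping only the $x_i$ coefficient of $r_1$ and refusing to return an "inverse" when $\gcd(a, n) \ne 1$. Python 3, standard library only; the test values (3 mod 7, 240 and 46, the RSA textbook pair 17 mod 3120) are chosen for the example.

```python
"""Extended Euclidean algorithm and modular inverse, following the slides' recurrences."""


def ext_gcd(r0: int, r1: int):
    """Return (g, s, t) with s*r0 + t*r1 == g == gcd(r0, r1).

    Maintains r_i = s_i*r0 + t_i*r1 using
      s_i = s_{i-2} - q_{i-1}*s_{i-1},   t_i = t_{i-2} - q_{i-1}*t_{i-1}.
    """
    s_prev, t_prev = 1, 0          # r0 = 1*r0 + 0*r1
    s_cur, t_cur = 0, 1            # r1 = 0*r0 + 1*r1
    while r1 != 0:
        q, r = divmod(r0, r1)      # r0 = q*r1 + r
        r0, r1 = r1, r
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    return r0, s_prev, t_prev      # r0 is now the last nonzero remainder


def mod_inverse(a: int, n: int) -> int:
    """a^{-1} mod n via the slides' x_i recurrence (coefficient of r1 only).

    Raises ValueError when gcd(a, n) != 1, because no inverse exists then;
    silently returning a value here is a classic source of broken crypto code.
    """
    if n <= 1:
        raise ValueError("modulus must be > 1")
    r_prev, r_cur = n, a % n       # r0 = n, r1 = a
    x_prev, x_cur = 0, 1           # r0 = 0*a (mod n), r1 = 1*a (mod n)
    while r_cur != 0:
        q = r_prev // r_cur
        r_prev, r_cur = r_cur, r_prev - q * r_cur
        x_prev, x_cur = x_cur, x_prev - q * x_cur
    if r_prev != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {r_prev}")
    return x_prev % n              # x_{n-1}, reduced into Z_n


if __name__ == "__main__":
    print(mod_inverse(3, 7))          # 5, since 3*5 = 15 = 1 (mod 7)
    print(ext_gcd(240, 46))           # (2, -9, 47): -9*240 + 47*46 = 2
    print(mod_inverse(17, 3120))      # 2753, the textbook RSA private exponent
```

Both loops run in $O(\log n)$ division steps, the polynomial-time bound claimed on slide 36; `pow(a, -1, n)` in Python 3.8+ computes the same value and is a convenient cross-check.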

Slide 40: Outline

• Number Theory – Prime Numbers – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography – Information Theory – Complexity of Computing – Semantic Security

Slide 41: Algebraic Structures

• Why structures? Cryptographic transforms normally operate inside some algebraic structure.

• Definition: an algebraic structure is a set S together with one or more operations (∘) performed on the elements of S. The different algebraic structures are pairs $\langle S, \circ \rangle$ satisfying specific conditions.

Slide 42: Group

• Definition: a group $G = \langle S, \circ \rangle$ is an algebraic structure that satisfies the following conditions:
  – G1: $\forall a, b \in S: a \circ b \in S$ (closure rule)
  – G2: $\forall a, b, c \in S: (a \circ b) \circ c = a \circ (b \circ c)$ (associativity)
  – G3: $\exists e \in S\ \forall a \in S: a \circ e = e \circ a = a$ (identity)
  – G4: $\forall a \in S\ \exists a^{-1} \in S: a \circ a^{-1} = a^{-1} \circ a = e$ (inverse)
  – [G5, Abelian group]: $\forall a, b: a \circ b = b \circ a$ (commutativity)

Slide 43: Group Examples

• $\langle \mathbb{Z}, + \rangle$: $e = 0$, $a^{-1} = -a$

• $\langle Z_n, + \rangle$ ($Z_n = \{0, 1, \dots, n-1\}$, '+' is addition modulo n): $e = 0$, $a^{-1} = n - a$

• $\langle Z_2, \oplus \rangle$ (XOR, i.e. addition modulo 2) is also a group

• $\langle Z_p^*, \cdot \rangle$ ($Z_p^* = \{1, \dots, p-1\}$, '·' is multiplication modulo the prime p)

Slide 44: Group Properties

• Definition: the order of a finite group is the number of elements in the group.

• Definition: a group $G_1 = \langle S_1, \circ \rangle$ is a subgroup of the group $G = \langle S, \circ \rangle$ if $S_1 \subseteq S$ and $S_1$ is itself a group under the same operation ∘.

• Lagrange's theorem: the order of a subgroup H of a finite group G divides the order of G.

Slide 45: Lagrange's Theorem, Proof

(1) Definition of coset: let G be a group and H a subgroup of G. For $a \in G$, the set $aH = \{a h \mid h \in H\}$ is called a (left) coset of H.

(2) For $a, b \in G$: either $aH = bH$ or $aH \cap bH = \emptyset$.

(3) Each element of G lies in some coset ($a \in aH$, since $e \in H$). So the cosets partition G.

(4) $|aH| = |H|$, because $h \mapsto ah$ is a bijection from H onto aH.

Hence $|G| = (\text{number of cosets}) \cdot |H|$, so the order of H divides the order of G.

Slide 46: The Order of a Group Element

• Definition: the order of a group element a is the least positive integer n such that $a^n = a \circ a \circ \cdots \circ a = e$ (n factors).

• The order of a is denoted ord(a).

• Corollary: suppose G is a finite group of order n and $a \in G$; then $\mathrm{ord}(a) \mid n$.

Slide 47: Proof that ord(a) | n

• Proof: for a group G and $a \in G$, the set $\{a, a^2, \dots, a^{\mathrm{ord}(a)}\}$ with the operation of G forms a subgroup of G:
  – closure and identity: $a^{\mathrm{ord}(a)} = e$, so exponents can be reduced modulo ord(a);
  – inverses: $(a^i)^{-1} = a^{\mathrm{ord}(a) - i}$.
  – This subgroup is denoted ⟨a⟩ and has exactly ord(a) elements, so by Lagrange's theorem $\mathrm{ord}(a) \mid n$.

Slide 48: The Generator of a Group

• Definition: if every element of a group can be generated by a single element g (i.e. is a power of g), then g is called a generator of the group, and the group is cyclic.

• Example: consider $\langle Z_7^*, \cdot \rangle$.
  – 2 generates $2^1 = 2$, $2^2 = 4$, $2^3 = 8 \equiv 1 \pmod 7$, $2^4 = 16 \equiv 2 \pmod 7$, … so ⟨2⟩ = {1, 2, 4} is only a subgroup (ord(2) = 3).
  – 3 generates $3^1 = 3$, $3^2 \equiv 2$, $3^3 \equiv 6$, $3^4 \equiv 4$, $3^5 \equiv 5$, $3^6 \equiv 1 \pmod 7$, so 3 is a generator (ord(3) = 6).
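Slides 44 to 48 computed by hand for $Z_7^*$; as an added example (not from the lecture) the same computations for the multiplicative group $Z_n^*$ of any modulus, with a check of the Lagrange corollary $\mathrm{ord}(a) \mid |Z_n^*|$ over every element. $Z_8^*$ is included because it is the edge case the slide does not show: a group in which no element is a generator. Python 3, standard library only.

```python
"""Element orders, generated subgroups and generators in Z_n^* (multiplication mod n)."""
from math import gcd


def units(n: int) -> list:
    """Z_n^*: the residues coprime to n; they form a group under multiplication mod n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def element_order(a: int, n: int) -> int:
    """ord(a): least k >= 1 with a^k = 1 (mod n). Only defined for units."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not a unit mod {n}, so it has no order")
    k, power = 1, a % n
    while power != 1:
        power = power * a % n
        k += 1
    return k


def generated_subgroup(a: int, n: int) -> list:
    """<a> = {a, a^2, ..., a^ord(a)}, returned sorted; its size is ord(a)."""
    elems, power = set(), 1
    while True:
        power = power * a % n
        if power in elems:
            return sorted(elems)
        elems.add(power)


def generators(n: int) -> list:
    """Units whose order equals |Z_n^*|; empty when the group is not cyclic."""
    group_order = len(units(n))
    return [a for a in units(n) if element_order(a, n) == group_order]


def lagrange_holds(n: int) -> bool:
    """Corollary of Lagrange (slide 46): ord(a) divides |Z_n^*| for every unit a."""
    group_order = len(units(n))
    return all(group_order % element_order(a, n) == 0 for a in units(n))


if __name__ == "__main__":
    print(generated_subgroup(2, 7), element_order(2, 7))   # [1, 2, 4] 3
    print(generated_subgroup(3, 7), element_order(3, 7))   # [1, 2, 3, 4, 5, 6] 6
    print(generators(7))                                   # [3, 5]
    print(generators(8))                                   # []  (Z_8^* is not cyclic)
    print(lagrange_holds(7), lagrange_holds(8), lagrange_holds(20))
```

For a prime p the number of generators of $Z_p^*$ is $\phi(p - 1)$ (here $\phi(6) = 2$, giving 3 and 5); a composite modulus such as 8 has a group of units in which every element has order 2, so the Lagrange corollary still holds but no generator exists.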

Slide 49: Ring

• Definition: a ring $R = \langle S, +, \cdot \rangle$ (+ is addition, · is multiplication) such that
  – R1: $\forall a, b \in S: a + b \in S$ and $a \cdot b \in S$ (closure rule)
  – R2: $\langle S, + \rangle$ is an additive Abelian group
  – R3: $\forall a, b, c \in S: (a \cdot b) \cdot c = a \cdot (b \cdot c)$
  – R4: $\forall a, b, c \in S: a \cdot (b + c) = a \cdot b + a \cdot c$ (and likewise $(b + c) \cdot a = b \cdot a + c \cdot a$)

• Examples:
  – The set of even integers with + and · is a ring (one without a multiplicative identity).
  – For primes p, q and n = pq, $Z_n = \{0, 1, \dots, n-1\}$ with addition and multiplication mod n is a ring.

Slide 50: Field

• Definition: a field F is $\langle S, +, \cdot \rangle$ with
  – F1: $\langle S, +, \cdot \rangle$ is a commutative ring ($a \cdot b = b \cdot a$)
  – F2: there is a multiplicative identity $1 \ne 0$ with $a \cdot 1 = 1 \cdot a = a$
  – F3: every nonzero element $a \in S$ has a unique inverse $a^{-1}$ with $a \cdot a^{-1} = a^{-1} \cdot a = 1$

• Example: $Z_n = \langle \{0, 1, \dots, n-1\}, +, \cdot \rangle$ is a field if and only if n is prime.

Slide 51: Relationship

(Nested diagram on the slide: Group ⊂ Ring ⊂ Field, by the operations each supports.)

• Group: + and − (one operation and its inverse)
• Ring: +, − and ×
• Field: +, −, × and ÷
• All three are used in cryptography.

Slide 52: Several Important Structures

• $Z_n$
• $Z_n^*$
• $Z_p$
• Polynomial rings
• Galois fields $GF(2^n)$ (also written $F_{2^n}$)

Slide 53: $Z_n$

• $Z_n$ is the "ring" of integers modulo n
  – $Z_n = \{0, 1, 2, \dots, n-1\}$
  – ordinary addition modulo n
  – ordinary multiplication modulo n

• Examples:
  – $Z_{26}$ for the English alphabet
  – $Z_{256}$ for bytes (ASCII)

Slide 54: $Z_n$ Properties

• Additive and multiplicative identities in $Z_n$:
  – the additive identity is 0 mod n
  – the multiplicative identity is 1 mod n

• Additive inverse: yes, for every x – a number y such that $x + y \equiv 0 \pmod n$ (namely $y = n - x$).

• Multiplicative inverse: not for all x – for a given x, a number y such that $x \cdot y \equiv 1 \pmod n$.
  – The elements of $Z_n$ that have an inverse are exactly $\{x \mid \gcd(x, n) = 1\}$.

Slide 55: $Z_n^*$

• $Z_n^*$ is the "group" of units of the integers modulo n
  – $Z_n^* = \{x \in Z_n \mid \gcd(x, n) = 1\}$
  – $|Z_n^*| = \phi(n)$
  – ordinary multiplication modulo n

• $Z_n^*$ is in general not a group under +
  – Example: n = 20; $3, 5 \in Z_{20}^*$ but $3 + 5 = 8 \notin Z_{20}^*$

• So $Z_n$ is in general not a field: for composite n the non-units have no multiplicative inverse.

Slide 56: $Z_p$

• $Z_p$ is the "field" of integers modulo a prime p
  – $Z_p = \{0, 1, 2, \dots, p-1\}$
  – ordinary addition modulo p
  – ordinary multiplication modulo p

• Example: $Z_2$

    +  | 0  1        ·  | 0  1        w | −w | w⁻¹
    ---+------       ---+------       --+----+-----
    0  | 0  1        0  | 0  0        0 |  0 | –
    1  | 1  0        1  | 0  1        1 |  1 | 1

  Addition in $Z_2$ is XOR; multiplication is AND.

Slide 57: Polynomial Ring

• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$, where each $a_i \in R$ and $n \ge 0$.

• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x with coefficients from R.

Slide 58: Polynomial Ring Example

• Example: let $f(x) = x^3 + x + 1$ and $g(x) = x^2 + x$ be elements of $Z_2[x]$.
  – $f(x) + g(x) = x^3 + x^2 + 1$
  – $f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1$ (in $Z_2$, subtraction is the same as addition)
  – $f(x) \cdot g(x) = x^5 + x^4 + x^3 + x$ (the two $x^2$ terms cancel modulo 2)

Slide 59: Set of Residues Modulo p(x)

• Definition: the set of residues modulo p(x) of R[x] is the set of remainders of the polynomials of R[x] on division by p(x).
  – p(x) is an irreducible polynomial over R (this is what makes the residues a field).

• The set of residues modulo p(x) of R[x] is denoted $R[x]/p(x)$.

Slide 60: Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written $a(x) \equiv b(x) \pmod{p(x)}$, iff $p(x) \mid (a(x) - b(x))$.

• Example, in $Z_5[x]$: $3x^3 + 4x + 4 \equiv x + 4 \pmod{x^2 + 1}$, because $3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x (x^2 + 1)$.

• Definition: if $a(x) \cdot b(x) \equiv 1 \pmod{p(x)}$, then $b(x) = a^{-1}(x) \bmod p(x)$.

Slide 61: Irreducible Polynomials

• Definition: if $a(x) = q(x) \cdot b(x)$, then a(x) is divisible by b(x), denoted $b(x) \mid a(x)$.

• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial $b(x) \in R[x]$ with $0 < \deg b(x) < \deg a(x)$ such that $b(x) \mid a(x)$.

Slide 62: Example $Z_2[x]/(x^3 + x + 1)$

• $S = \{0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1\}$; $p(x) = x^3 + x + 1$

• For any $f(x) \in Z_2[x]$: $f(x) \bmod p(x) \in S$

• Example: $x^4 + 1 = x \cdot x^3 + 1 \equiv x (x + 1) + 1 = x^2 + x + 1 \pmod{p(x)}$, using $x^3 \equiv x + 1$.

• Note: $R[x]/p(x)$, for irreducible p(x), consists of all polynomials $f(x) \in R[x]$ with $\deg f(x) < \deg p(x)$.

Slide 63: $Z_2[x]/(x^3 + x + 1)$ Properties

• S is a group under addition in R
  – 0 is the identity, and the inverse of $a \in S$ is a itself
  – Example: $(x^2 + 1) + (x^2 + 1) = 0$

• $S \setminus \{0\}$ is a group under multiplication mod p(x)
  – 1 is the identity, and every nonzero $a \in S$ has an inverse
  – Example: $(x^2 + 1) \cdot x = x^3 + x \equiv (x + 1) + x = 1 \pmod{x^3 + x + 1}$, so $x^{-1} = x^2 + 1$
  – Note: in general the extended Euclidean algorithm over $Z_2[x]$ finds the inverse

• $Z_2[x]/(x^3 + x + 1)$ is a field, with $2^3 = 8$ elements

Slide 64: Galois Field

• Definition: a Galois field is $(S, +, \cdot)$ where
  – $S = F[x]/p(x)$
  – F is a field $Z_N$ (N prime)
  – + is polynomial addition with coefficients in F, and · is polynomial multiplication modulo p(x)
  – p(x) is irreducible over F

• The Galois field $Z_N[x]/p(x)$ is denoted $GF(N^n)$, where $n = \deg p(x)$; it has $N^n$ elements.

Slide 65: Why Galois Fields?

• For an 8-bit block:
  – $Z_{256} = \{0, 1, \dots, 255\}$ is not a field (256 is composite)
  – $Z_{251} = \{0, 1, \dots, 250\}$ is a field: 251 is the largest prime below 256, but the byte values 251, …, 255 are wasted

• Is it possible to find a field with exactly 256 elements?
  – Yes: the Galois field $GF(2^8)$

Slide 66: A Galois Field with 256 Elements

• Build a mapping from n-b<br>it blocks to polynomials. Example for an 8-bit block:
  10010111 ↦ $1 \cdot x^7 + 0 \cdot x^6 + 0 \cdot x^5 + 1 \cdot x^4 + 0 \cdot x^3 + 1 \cdot x^2 + 1 \cdot x^1 + 1 \cdot x^0 = x^7 + x^4 + x^2 + x + 1$

• The field is $Z_2[x]/p(x)$ with $\deg p(x) = 8$ and p(x) irreducible.

• Note: many cryptographic designs use binary Galois fields $GF(2^n)$.

Slide 67: Galois Field Example, AES

• Byte arithmetic in AES uses $GF(2^8) = Z_2[x]/p(x)$ where $p(x) = x^8 + x^4 + x^3 + x + 1$.

• Example:
  – 01010011 ↦ $x^6 + x^4 + x + 1$
  – $(01010011)^{-1}$ ↦ $(x^6 + x^4 + x + 1)^{-1} \bmod p(x) = x^7 + x^6 + x^3 + x$ ↦ 11001010 (in hex: $\{53\}^{-1} = \{CA\}$)

Slide 68: Galois Field Example, AES (continued)

• Example: compute $\{02\} \cdot \{87\}$ (hex bytes)
  – $\{87\}$ = 10000111, $f(x) = x^7 + x^2 + x + 1$
  – $\{02\}$ = 00000010, i.e. the polynomial x
  – $\{02\} \cdot \{87\}$ ↦ $x \cdot f(x) = x (x^7 + x^2 + x + 1) \bmod p(x) = x^8 + x (x^2 + x + 1) \bmod p(x)$
  – since $x^8 \equiv x^4 + x^3 + x + 1 \pmod{p(x)}$, the result is $x^4 + x^2 + 1$ = 00010101 = $\{15\}$

• General rule for multiplying a byte $b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$ by x (the AES "xtime" operation):
  – if $b_7 = 0$: $x \cdot f(x)$ ↦ $(b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)$, a plain left shift
  – if $b_7 = 1$: $x \cdot f(x)$ ↦ $(b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus (00011011)$, the shift followed by XOR with the low byte of p(x), $\{1B\}$
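Slides 58 to 68 as one piece of working code: an added example, not part of the lecture or of any AES implementation. Polynomials over $Z_2$ are stored as Python ints (bit i is the coefficient of $x^i$), so $Z_2[x]$ multiplication is a carry-less multiply, reduction modulo p(x) is long division on bits, and inverses come from the extended Euclidean algorithm over $Z_2[x]$. The same functions serve the 8-element field $Z_2[x]/(x^3 + x + 1)$ of slide 62 and the AES field; `is_field` also exposes what goes wrong when p(x) is reducible. Python 3, standard library only.

```python
"""Arithmetic in GF(2^n) = Z_2[x]/p(x) with polynomials encoded as ints (bit i <-> x^i)."""

AES_POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial
SMALL_POLY = 0b1011       # x^3 + x + 1, the slide-62 field with 8 elements


def poly_degree(a: int) -> int:
    """Degree of a; the zero polynomial gets -1."""
    return a.bit_length() - 1


def poly_mul(a: int, b: int) -> int:
    """Product in Z_2[x] without reduction: a carry-less multiply (XOR of shifted copies)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_divmod(a: int, m: int):
    """Long division in Z_2[x]: (q, r) with a = q*m + r and deg r < deg m."""
    if m == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, dm = 0, poly_degree(m)
    while a and poly_degree(a) >= dm:
        shift = poly_degree(a) - dm
        q ^= 1 << shift           # next quotient term x^shift
        a ^= m << shift           # subtract (= add, mod 2) m * x^shift
    return q, a


def gf_mul(a: int, b: int, mod: int) -> int:
    """a * b in Z_2[x]/mod."""
    return poly_divmod(poly_mul(a, b), mod)[1]


def gf_inverse(a: int, mod: int) -> int:
    """a^{-1} mod `mod` by the extended Euclidean algorithm over Z_2[x]
    (the t_i recurrence of slide 38, with XOR as subtraction)."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r_prev, r_cur = mod, poly_divmod(a, mod)[1]
    t_prev, t_cur = 0, 1
    while r_cur:
        q, r = poly_divmod(r_prev, r_cur)
        r_prev, r_cur = r_cur, r
        t_prev, t_cur = t_cur, t_prev ^ poly_mul(q, t_cur)
    if r_prev != 1:
        raise ValueError(f"gcd is {bin(r_prev)}, not 1: modulus is reducible or a shares a factor")
    return t_prev


def is_field(mod: int) -> bool:
    """True iff every nonzero residue is invertible, i.e. iff `mod` is irreducible."""
    n = poly_degree(mod)
    try:
        return all(gf_mul(a, gf_inverse(a, mod), mod) == 1 for a in range(1, 1 << n))
    except ValueError:
        return False


def xtime(b: int) -> int:
    """Slide 68: multiply an AES byte by x = {02}; shift, then XOR {1b} if bit 7 was set."""
    b <<= 1
    return (b ^ AES_POLY) & 0xFF if b & 0x100 else b


if __name__ == "__main__":
    print(bin(poly_mul(0b1011, 0b110)))                 # 0b111010 = x^5+x^4+x^3+x (slide 58)
    print(poly_divmod(0b10001, SMALL_POLY))             # (0b10, 0b111): x^4+1 = x^2+x+1 (slide 62)
    print(bin(gf_inverse(0b10, SMALL_POLY)))            # 0b101: x^-1 = x^2+1 (slide 63)
    print(hex(gf_inverse(0x53, AES_POLY)))              # 0xca (slide 67)
    print(hex(gf_mul(0x02, 0x87, AES_POLY)), hex(xtime(0x87)))   # 0x15 0x15 (slide 68)
    print(is_field(AES_POLY), is_field(SMALL_POLY), is_field(0b1001))  # True True False
```

`is_field(0b1001)` is False because $x^3 + 1 = (x + 1)(x^2 + x + 1)$ over $Z_2$, so $x + 1$ has no inverse; this is the practical meaning of the irreducibility requirement on slides 59 and 64.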

Slide 69: Outline

• Number Theory – Prime Numbers – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography – Information Theory – Complexity of Computing – Semantic Security

Slide 70: Mathematical Model for Ciphers

• Message space: $P = M^L = \{ m = (m_1, m_2, \dots, m_L) \mid m_i \in M \}$
  – plaintext alphabet $M = \{a_i \mid i = 1, 2, \dots, N\}$ with $p(a_i) \ge 0$ and $\sum_{i=1}^{N} p(a_i) = 1$

• Key space: $K = B^R = \{ b = (b_1, b_2, \dots, b_R) \mid b_i \in B \}$
  – key alphabet $B = \{b_i \mid i = 1, 2, \dots, S\}$ with $p(b_i) \ge 0$ and $\sum_{i=1}^{S} p(b_i) = 1$

• Ciphertext space: $C = \{ c \mid c = e_k(m),\ k \in K,\ m \in P \}$

(Diagram on the slide: Sender → Encryption → c → Decryption → Receiver; the key k from the key space K reaches both ends over a secure channel; cryptanalysis observes c and tries to recover m.)

Slide 71: Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager

Claude Shannon, 1916–2001

Slide 72: Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]$
  – where $C(k) = \{ e_k(m) \mid m \in P \}$ is the set of ciphertexts reachable under key k

• $\Pr[C = c \mid P = m] = \sum_{k \in K,\ m = d_k(c)} \Pr[K = k]$

• By Bayes' rule:
  $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \cdot \Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m) \sum_{k \mid m = d_k(c)} \Pr(k)}{\sum_{k \in K,\ c \in C(k)} \Pr(k) \Pr(d_k(c))}$

Slide 73: Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext.
  – How do we define "information"? Through the probability distribution of P.

• Definition: an encryption scheme is Shannon secure if the probability distribution of P is unchanged by seeing the ciphertext:
  $\forall c \in C,\ \forall m \in P: \Pr[P = m] = \Pr[P = m \mid C = c]$

• Such a scheme is also said to have perfect secrecy.

Slide 74: Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where $|K| = |P| = |C|$.

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability $1/|K|$, and
  – for every $x \in P$ and every $y \in C$ there is a unique key k such that $e_k(x) = y$.

Slide 75: Proof of ⇐

Assume every key has probability $1/|K|$ and, for each pair (x, y), exactly one key maps x to y. By Bayes' rule,

$\Pr[x \mid y] = \dfrac{\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] \cdot \Pr[x]}{\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \cdot \Pr[d_k(y)]}$

• Numerator: exactly one key satisfies $x = d_k(y)$, so $\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] = 1/|K|$ and the numerator equals $\Pr[x] / |K|$.

• Denominator: $\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \cdot \Pr[d_k(y)] = \dfrac{1}{|K|} \sum_{k \in K,\ y \in C(k)} \Pr[d_k(y)] = \dfrac{1}{|K|} \sum_{x \in P} \Pr[x] = \dfrac{1}{|K|}$, because as k ranges over the keys with $y \in C(k)$, $d_k(y)$ takes each value $x \in P$ exactly once.

• Hence $\Pr[x \mid y] = \Pr[x]$, i.e. perfect secrecy.

Slide 76: Proof of ⇒ (uniqueness of the key)

• Assume perfect secrecy. Every $y \in C$ is the encryption of some plaintext, so $\Pr[y] > 0$ for all $y \in C$.

• $\Pr[x \mid y] = \Pr[x]$ implies $\Pr[y \mid x] = \Pr[y]$ (Bayes' rule).

• Fix $x \in P$. For every $y \in C$ we have $\Pr[y \mid x] = \Pr[y] > 0$, so at least one key k satisfies $e_k(x) = y$.

• Therefore $|\{ e_k(x) \mid k \in K \}| = |C| = |K|$:
  – there are no two keys $k_1 \ne k_2$ with $e_{k_1}(x) = e_{k_2}(x)$;
  – so for each y there is a unique key k such that $e_k(x) = y$.

Slide 77: Proof of ⇒ (equal key probabilities)

• Let $n = |K|$ and $P = \{ x_i \mid 1 \le i \le n \}$.

• Fix a ciphertext y. By the previous slide there are keys $k_1, k_2, \dots, k_n$, one for each plaintext, with $e_{k_i}(x_i) = y$; they are all distinct, since one key decrypts y to a single plaintext.

• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i] \cdot \Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i] \cdot \Pr[x_i]}{\Pr[y]}$

• Perfect secrecy gives $\Pr[x_i \mid y] = \Pr[x_i]$, hence $\Pr[K = k_i] = \Pr[y]$ for every i.
  – All n keys therefore have the same probability, so every key is used with probability $1/|K|$.

Slide 78: "Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n. Any cipher with perfect secrecy has $|K| \ge n$.

• Proof:
  – Consider a probability distribution on P in which every message has nonzero probability.
  – Given any ciphertext c, for every m we have $\Pr[P = m \mid C = c] = \Pr[P = m] > 0$, so there must be a key that decrypts c to m.
  – One key decrypts c to only one message, so at least n keys are needed.
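The definitions of slides 72 and 73 and the theorem of slides 74 and 78, evaluated exactly by enumeration: an added example, not part of the lecture. The cryptosystem is given as a Python function over small integer message and key spaces, probabilities are `Fraction`s so the equality test in Shannon's definition is exact, and three constructed cases show a perfectly secret scheme (one-time pad, uniform keys), the same scheme with a biased key, and a scheme whose key space is smaller than the message space. Python 3, standard library only.

```python
"""Exact check of Shannon's perfect secrecy by enumerating a small cryptosystem."""
from fractions import Fraction
from itertools import product


def ciphertext_dist(p_dist, k_dist, enc):
    """Slide 72: Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] Pr[P = m]."""
    dist = {}
    for (m, pm), (k, pk) in product(p_dist.items(), k_dist.items()):
        c = enc(k, m)
        dist[c] = dist.get(c, Fraction(0)) + pk * pm
    return dist


def posterior(p_dist, k_dist, enc, m, c):
    """Slide 72: Pr[P = m | C = c] = Pr[C = c | P = m] Pr[P = m] / Pr[C = c]."""
    pc_given_m = sum((pk for k, pk in k_dist.items() if enc(k, m) == c), Fraction(0))
    pc = ciphertext_dist(p_dist, k_dist, enc)[c]
    return pc_given_m * p_dist[m] / pc


def is_perfectly_secret(p_dist, k_dist, enc) -> bool:
    """Slide 73: Pr[P = m | C = c] == Pr[P = m] for every m and every ciphertext c that occurs."""
    cdist = ciphertext_dist(p_dist, k_dist, enc)
    return all(posterior(p_dist, k_dist, enc, m, c) == p_dist[m]
               for m in p_dist for c in cdist)


def uniform(values):
    """Uniform distribution over `values`, as exact fractions."""
    values = list(values)
    return {v: Fraction(1, len(values)) for v in values}


def xor_enc(k, m):
    """One-time pad on 2-bit messages: e_k(m) = k XOR m."""
    return k ^ m


# Constructed distributions for the three cases below.
MESSAGES = range(4)                                             # 2-bit plaintexts
SKEWED_MSGS = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
BIASED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}


def pad_uniform_keys() -> bool:
    return is_perfectly_secret(uniform(MESSAGES), uniform(range(4)), xor_enc)


def pad_skewed_messages() -> bool:
    """Perfect secrecy must hold for every plaintext distribution, not just the uniform one."""
    return is_perfectly_secret(SKEWED_MSGS, uniform(range(4)), xor_enc)


def pad_biased_keys() -> bool:
    """Same cipher, non-uniform key: slide 74 says this cannot be perfectly secret."""
    return is_perfectly_secret(uniform(MESSAGES), BIASED_KEYS, xor_enc)


def pad_too_few_keys() -> bool:
    """|K| = 2 < |P| = 4: slide 78 says this cannot be perfectly secret."""
    return is_perfectly_secret(uniform(MESSAGES), uniform(range(2)), xor_enc)


if __name__ == "__main__":
    print(pad_uniform_keys(), pad_skewed_messages())   # True True
    print(pad_biased_keys(), pad_too_few_keys())       # False False
    # Where the biased key fails: seeing c = 0 makes m = 0 twice as likely as before.
    print(posterior(uniform(MESSAGES), BIASED_KEYS, xor_enc, 0, 0))   # 1/2, prior was 1/4
```

With two keys and four messages, `posterior(..., m=2, c=0)` is 0: the ciphertext 0 rules out two plaintexts outright, which is exactly the leak the counting argument of slide 78 predicts.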

Slide 79: Introduction to Complexity

• Perfect secrecy requires key length ≥ total message length:
  – one key can NOT be used to encrypt many messages;
  – for example, a 56-bit key cannot perfectly hide a document longer than 56 bits.

• So in modern cryptography:
  – the goal is NOT perfect secrecy;
  – a scheme IS secure under limited resources (complexity);
  – meaning that key (or plaintext) recovery is computationally difficult;
  – complexity is the foundation of modern cryptography.

Slide 80: Problems

• Definition: a problem is a general question with associated parameters whose values are not specified.

• Example:
  – Name: GCD problem
  – Instance: two natural numbers $a, b \in \mathbb{N}$
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Slide 81: Turing Machine

• Definition: a (deterministic) Turing machine is given by a transition function $\delta: S \times B \to S \times B \times \{l, r\}$
  – where S is the set of states, B the tape alphabet (characters), l means shift left and r means shift right.

(Diagram on the slide: an infinite tape "… 0 1 1 0 0 0 1 1 …" read and written by a finite state machine through a head that moves left or right.)

Slide 82: Algorithms

• Definition: an algorithm is a step-by-step procedure (modelled on a Turing machine) which, for an instance, produces the correct answer.

• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem.

Slide 83: Problems and Algorithms

(Diagram on the slide: a PROBLEM has many INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output.)

Slide 84: Complexity of Algorithm

• Definition: the time complexity of an algorithm is the number of steps (on a Turing machine) needed to produce the solution for a given instance of size n.

• Time complexity function (TCF) classes:
  – Logarithmic functions: $f(n) = O(\log n)$
  – Polynomial functions: $f(n) = O(n^a)$, $a \in \mathbb{N}$
  – Exponential functions: $f(n) = \Omega(a^n)$ for some $a \in \mathbb{N}$, $a > 1$, and $f(n) = O(b^n)$ for some $b \in \mathbb{N}$ (bounded below and above by exponentials)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 37

From Euclidean Algorithm

bull r0 =1r0+ 0r1 = s0r0+t0r1

bull r1 =0r0+ 1r1 = s1r0+t1r1

bull r2 = r0-q1r1 = s2r0+t2r1

bull r3 = r1-q2r2 = r1-q2(r0-q1r1) = s3r0+t3r1

helliphellipbull rn-1 = sn-1r0+tn-1r1

bull rn-1=gcd(r0 r1)bull sn-1r0+tn-1r1 =1 tn-1r1 1 mod r0 tn-1 r1

-1 mod r0

bull Find tn-1

Zhijun Li S1034040Autumn08HIT 38

si and ti

bull r0 = s0r0+t0r1 s0=1 t0=0bull r1 = s1r0+t1r1 s1=0 t1=1 helliphellipbull ri = ri-2-qi-1ri-1 = si-2r0+ti-2r1-qi-1si-1r0-qi-1ti-1r1 = sir0+tir1

si=si-2-qi-1si-1

ti=ti-2-qi-1ti-1

bull Only ti is needed bull ri = sir0+tir1 = tir1 mod r0

Zhijun Li S1034040Autumn08HIT 39

Step 1 r0 =n and r1 =a

Step 2 r0 =q1r1+ r2 r2 =r0 - q1r1 =-q1r1 mod n let x2= -q1 then r2 =x2r1 mod n

r1 =q2r2+ r3 r3 =r1 ndash q2r2 =(1-x2q2 ) r1 mod n

let x3= 1-x2q2 then r3 =x3r1 mod n helliphellip

rn-3 = qn-2rn-2+ rn-1 rn-1 =rn-3 ndash qn-2rn-2 mod n let xn-1= xn-3-xn-2qn-2 then rn-1 =xn-1r1 mod n Now rn-1=1

Step 3 Result is xn-2 =a-1 mod n

Extended Euclidean Algorithm

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted b(x) | a(x)

• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Example: [Z_2(x)]_{x^3+x+1}

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1

• For any f(x) ∈ Z_2[x]: f(x) mod p(x) ∈ S

• Example
  – x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1

• Note: R[x]_{p(x)}, when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

[Z_2(x)]_{x^3+x+1} Properties

• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0

• S is a group over multiplication mod p(x)
  – 1 is e, and the inverse of a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod (x^3 + x + 1) = 1
  – Note: the Extended Euclidean Algorithm can be used to find it

• [Z_2(x)]_{x^3+x+1} is a field

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]_{p(x)}
  – F is a field Z_N (N is prime)
  – + is addition in F; · is multiplication modulo p(x)
  – p(x) is irreducible

• The Galois field over Z_N[x]_{p(x)} is denoted GF(N^n), where n = deg p(x)

Why Galois Field

• For an 8-bit block
  – Z_256 = {0, 1, …, 255} is not a field
  – Z_251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251 … 255 are wasted

• Is it possible to find a field for Z_256?
  – Yes – the Galois Field

Galois Field for Z_256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block

    10010111  ↔  1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z_2[x]_{p(x)} where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z_2[x]_{p(x)}, where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^{−1} ↔ (x^6 + x^4 + x + 1)^{−1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: 02 · 87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ f(x) = x
  • 02 · 87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x)
                    = x^8 + x(x^2 + x + 1) mod p(x)

• In general, for a byte b = (b7 b6 b5 b4 b3 b2 b1 b0):
  x·f(x), i.e. 02 · b = (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
                       (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1
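As an added example (my own code, not from the slides), the following Python implements the Z_2[x] arithmetic of the polynomial-ring, residue and [Z_2(x)]_{x^3+x+1} slides together with the GF(2^8) arithmetic of the AES slides: polynomials stored as bit strings, reduction modulo p(x), an irreducibility check, multiplication in GF(2^n), the inverse via the extended Euclidean algorithm that the properties slide mentions, and the shift-and-XOR rule for 02 · b. The function names and the small GF(2^3) test values are my own choices; the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B) and the 01010011 / 11001010 inverse pair are the slides' values.

```python
# Added example (not from the lecture slides): arithmetic in the binary Galois
# field GF(2^n) = Z_2[x]_{p(x)}. A polynomial over Z_2 is stored as an int
# whose bit i is the coefficient of x^i, exactly the n-bit block <-> polynomial
# mapping of the "Galois Field for Z256" slide. All names here are my own.


def poly_deg(a: int) -> int:
    """Degree of a(x); the zero polynomial gets degree -1."""
    return a.bit_length() - 1


def poly_str(a: int) -> str:
    """Render a bit string as a polynomial, e.g. 0b10010111 -> 'x^7 + x^4 + x^2 + x + 1'."""
    if a == 0:
        return "0"
    terms = []
    for i in range(poly_deg(a), -1, -1):
        if (a >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


def poly_add(a: int, b: int) -> int:
    """Addition in Z_2[x] is coefficient-wise XOR (and equals subtraction)."""
    return a ^ b


def poly_mul(a: int, b: int) -> int:
    """Product in Z_2[x] without reduction (carry-less multiplication)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_divmod(a: int, b: int) -> tuple:
    """Long division in Z_2[x]: returns (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r, db = 0, a, poly_deg(b)
    while r and poly_deg(r) >= db:
        shift = poly_deg(r) - db
        q ^= 1 << shift
        r ^= b << shift
    return q, r


def poly_mod(a: int, p: int) -> int:
    """a(x) mod p(x): the residue in R[x]_{p(x)} that a(x) maps to."""
    return poly_divmod(a, p)[1]


def is_irreducible(p: int) -> bool:
    """p(x) is irreducible iff no polynomial of degree 1..deg(p)/2 divides it."""
    for b in range(2, 1 << (poly_deg(p) // 2 + 1)):
        if poly_divmod(p, b)[1] == 0:
            return False
    return True


def gf_mul(a: int, b: int, p: int) -> int:
    """Multiplication in GF(2^n) = Z_2[x]_{p(x)}."""
    return poly_mod(poly_mul(a, b), p)


def gf_inv(a: int, p: int) -> int:
    """a(x)^-1 mod p(x) by the extended Euclidean algorithm over Z_2[x].
    Invariant: r_i = s_i*p + t_i*a, so when the remainder reaches 1 the
    inverse is the matching t_i."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1, t0, t1 = p, a, 0, 1
    while r1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, poly_add(t0, poly_mul(q, t1))
    if r0 != 1:
        raise ValueError("a(x) and p(x) are not coprime, so p(x) is not irreducible")
    return poly_mod(t0, p)


AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the p(x) of the AES slides


def aes_xtime(b: int) -> int:
    """02 * b in GF(2^8): shift left, then XOR 00011011 (x^8 mod p) if b7 was set."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


if __name__ == "__main__":
    print(poly_str(0b10010111))                                     # block -> polynomial
    print(hex(gf_inv(0x53, AES_POLY)))                              # inverse of 01010011
    print(hex(gf_mul(0x02, 0x87, AES_POLY)), hex(aes_xtime(0x87)))  # 02 * 87 both ways
```

Because `gf_mul` and `gf_inv` take p(x) as a parameter, the same code computes in the 8-element field [Z_2(x)]_{x^3+x+1} of the earlier slides and in the 256-element AES field; `is_irreducible` is the check that p(x) actually yields a field and not just a ring of residues.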

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• P = M^L = { m = (m_1, m_2, …, m_L) | m_i ∈ M }
  – M = { a_i : i = 1, 2, …, N }, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1

• K = B^R = { b = (b_1, b_2, …, b_R) | b_i ∈ B }
  – B = { b_i : i = 1, 2, …, S }, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1

• C = { c | c = e_k(m), k ∈ K, m ∈ M }

[Figure: Sender → Encryption → (c) → Decryption → Receiver; the key k from the Key Space (K) reaches both ends over a Secure Channel; Cryptanalysis observes c and targets m; Message Space (P), Ciphertext Space (C)]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."

– R. G. Gallager

Claude Shannon, 1916–2001

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K : c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
  – C(k) = { e_k(m) | m ∈ P }

• Pr[C = c | P = m] = Σ_{k ∈ K : m = d_k(c)} Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k : m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K : c ∈ C(k)} Pr(k) · Pr(d_k(c)) )

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?

• Definition: An encryption scheme is Shannon secure if, for any probability distribution of P,
  ∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Proof of ⇐

• Writing X and Y for the plaintext and ciphertext random variables:

  Pr[X = x | Y = y] = ( Σ_{k ∈ K : x = d_k(y)} Pr[K = k] · Pr[X = x] ) / ( Σ_{k ∈ K : y ∈ C(k)} Pr[K = k] · Pr[X = d_k(y)] )

• Numerator: Σ_{k ∈ K : x = d_k(y)} Pr[K = k] = 1/|K|   (exactly one key maps x to y)

• Denominator: Σ_{k ∈ K : y ∈ C(k)} Pr[K = k] · Pr[X = d_k(y)]
  = (1/|K|) · Σ_{k ∈ K : y ∈ C(k)} Pr[X = d_k(y)] = (1/|K|) · Σ_{x ∈ P} Pr[X = x] = 1/|K|

• Hence Pr[X = x | Y = y] = Pr[X = x]

Proof of ⇒

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]

• Fix x ∈ P and y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y

• |{ e_k(x) | k ∈ K }| = |C| = |K|
  – There are no k_1 ≠ k_2 with e_{k_1}(x) = e_{k_2}(x)
  – There is a unique key k such that e_k(x) = y

Proof of ⇒ (continued)

• Let n = |K| and P = { x_i | 1 ≤ i ≤ n }

• Given a fixed y, let k_1, k_2, …, k_n be the keys with e_{k_i}(x_i) = y

• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = k_i] · Pr[x_i] / Pr[y]

• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
  – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a nonzero probability distribution on P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
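The posterior computation of the "Probability Distribution of C" slide and the perfect-secrecy condition of the theorem above, as an added example (my own code, not from the slides): it enumerates every (m, k) pair with exact fractions, so Pr[C = c] and Pr[P = m | C = c] come out exactly, and it compares a one-time pad on 2-bit messages against a scheme that stretches one random key bit over both positions, where |K| = 2 < |P| = 4 and the "bad news" theorem says perfect secrecy is impossible. The skewed message distribution and both toy schemes are constructed for the example; all function names are my own.

```python
# Added example (not from the slides): exact Pr[C = c] and Pr[P = m | C = c]
# for a finite cipher, and a check of the perfect-secrecy condition
# Pr[P = m | C = c] = Pr[P = m] for every m and c. Names are my own.
from fractions import Fraction
from itertools import product


def posterior_table(messages, keys, enc, pr_m, pr_k):
    """Return (Pr[C=c] for each c, Pr[P=m | C=c] for each (m, c)).
    Both come from summing Pr[K=k]·Pr[P=m] over the (m, k) with e_k(m) = c,
    which is the slide's Σ over {k ∈ K : c ∈ C(k)} written out pair by pair."""
    pr_c = {}
    joint = {}          # (m, c) -> Pr[P = m and C = c]
    for m, k in product(messages, keys):
        c = enc(k, m)
        w = pr_m[m] * pr_k[k]
        pr_c[c] = pr_c.get(c, Fraction(0)) + w
        joint[(m, c)] = joint.get((m, c), Fraction(0)) + w
    # Bayes: Pr[P=m | C=c] = Pr[C=c | P=m]·Pr[P=m] / Pr[C=c] = joint / Pr[C=c]
    posterior = {(m, c): joint.get((m, c), Fraction(0)) / pr_c[c]
                 for m in messages for c in pr_c}
    return pr_c, posterior


def is_perfectly_secret(messages, keys, enc, pr_m, pr_k):
    """Shannon's definition: the posterior equals the prior for every m and c."""
    pr_c, posterior = posterior_table(messages, keys, enc, pr_m, pr_k)
    return all(posterior[(m, c)] == pr_m[m] for m in messages for c in pr_c)


def unique_key_per_pair(messages, keys, enc):
    """Second condition of the theorem: for every (x, y) exactly one k with e_k(x) = y."""
    ciphertexts = {enc(k, m) for m, k in product(messages, keys)}
    return all(sum(1 for k in keys if enc(k, x) == y) == 1
               for x in messages for y in ciphertexts)


def uniform(space):
    return {v: Fraction(1, len(space)) for v in space}


# Constructed sample: 2-bit plaintexts with a deliberately skewed distribution,
# since perfect secrecy must hold for any distribution of P.
MESSAGES = [0b00, 0b01, 0b10, 0b11]
PR_M = {0b00: Fraction(1, 2), 0b01: Fraction(1, 4),
        0b10: Fraction(1, 8), 0b11: Fraction(1, 8)}


def xor(k, m):
    return k ^ m


def one_time_pad_is_perfect():
    """Key = 2 fresh uniform bits (|K| = |P| = |C| = 4)."""
    keys = [0b00, 0b01, 0b10, 0b11]
    return is_perfectly_secret(MESSAGES, keys, xor, PR_M, uniform(keys))


def reused_key_bit_is_not_perfect():
    """Key = 1 uniform bit used in both positions, i.e. k ∈ {00, 11}."""
    keys = [0b00, 0b11]
    return is_perfectly_secret(MESSAGES, keys, xor, PR_M, uniform(keys))


def posterior_after_reuse(c):
    """What an observer of ciphertext c learns under the reused-bit scheme."""
    keys = [0b00, 0b11]
    _, post = posterior_table(MESSAGES, keys, xor, PR_M, uniform(keys))
    return {m: post[(m, c)] for m in MESSAGES}


if __name__ == "__main__":
    print("one-time pad perfectly secret:", one_time_pad_is_perfect())
    print("reused key bit perfectly secret:", reused_key_bit_is_not_perfect())
    print("Pr[P = m | C = 00] with the reused bit:", posterior_after_reuse(0b00))
```

Under the reused-bit scheme, seeing c = 00 rules out the plaintexts 01 and 10 entirely (no key maps them to 00) and raises Pr[P = 00 | C = 00] from 1/2 to 4/5: the ciphertext carries information about the plaintext, which is exactly what the definition forbids.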

Introduction of Complexity

• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is δ: S × B → S × B × {l, r}
  – where S is the set of states, B the set of characters, l is shift left and r is shift right

[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output]

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to establish
  – It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem

• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: AB
  – NP – can be solved in polynomial time using an NDTM (transition function S × B → 2^S…)
  – BPP – can be "solved" in polynomial time using a PTM (S × B × {0, 1} → S…; randomized algorithms)

NP Problem

• NP ⊇ P: a problem is solved by the NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", intuitively

• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
  – Q2 is more complex than Q1
  – Denoted Q1 ≤_poly Q2

NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC
  – SAT ≤_poly Q

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P

• If P = NP
  – Modern cryptography is NOT secure

• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

BPP

• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms

• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: factorize n (= p_1^{e_1} p_2^{e_2} … p_k^{e_k})

• DLP: find x satisfying α^x ≡ β (mod p)

• DHP: find α^{ab} (mod p) from α^a (mod p) and α^b (mod p)

• Subset-Sum: given a set of positive integers A = {a_1, a_2, …, a_n} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy

• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε

[Game diagram]
  Challenger: picks random k and picks random b ∈ {0, 1}
  Adversary:  picks M0, M1 of equal length
  Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε

[Game diagram]
  Challenger: 1. picks random k; 2. picks random M
  Adversary:  3. picks i
  Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
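The two games of the preceding slides and the reduction sketched in the proof above, as an added example (my own code, not from the slides): the single-challenge IND-CPA game and the bit-security game are simulated with a challenger and an adversary, and a bit-guessing adversary is wrapped into a b-guessing adversary by choosing M1 as the bitwise complement of M0, so that whichever bit i the bit adversary picks, its answer separates M0 from M1. The two toy schemes (a fresh one-time pad, and a deliberately flawed variant whose key never masks bit 0), both adversaries and all names are constructed for this illustration.

```python
# Added example (not from the slides): simulation of the single-challenge
# IND-CPA game, the bit-security game, and the reduction from a bit adversary
# to an IND-CPA adversary. Toy schemes, adversaries and names are my own.
import random

BITS = 8                       # plaintext length; M0 and M1 must have equal length
MASK = (1 << BITS) - 1


def otp_keygen(rng):
    """Challenger's 'pick random k': a fresh uniform 8-bit pad."""
    return rng.getrandbits(BITS)


def leaky_keygen(rng):
    """Deliberately flawed variant for the demo: key bit 0 is always 0,
    so bit 0 of the plaintext is visible in the ciphertext."""
    return rng.getrandbits(BITS) & ~1


def encrypt(k, m):
    return m ^ k


def ind_cpa_game(keygen, adversary, rng):
    """One run of the IND-CPA game; True if the adversary's b' equals b."""
    k = keygen(rng)                            # challenger picks random k ...
    b = rng.getrandbits(1)                     # ... and random b in {0, 1}
    m0, m1 = adversary.choose_messages(rng)    # adversary picks M0, M1
    c = encrypt(k, m1 if b else m0)            # challenger answers with E_k(M_b)
    return adversary.guess(c, rng) == b


def bit_game(keygen, bit_adversary, rng):
    """One run of the bit-security game; True if a equals bit i of M."""
    k = keygen(rng)                            # 1. picks random k
    m = rng.getrandbits(BITS)                  # 2. picks random M
    i, a = bit_adversary(encrypt(k, m), rng)   # 3. adversary picks i and guesses a
    return a == (m >> i) & 1


def leaky_bit_adversary(c, rng):
    """Wins the bit game against the leaky scheme: bit 0 of c is bit 0 of M."""
    return 0, c & 1


def blind_bit_adversary(c, rng):
    """Has nothing to work with against the one-time pad: guesses."""
    return 0, rng.getrandbits(1)


class ReductionAdversary:
    """IND-CPA adversary built from a bit adversary, as in the proof sketch."""

    def __init__(self, bit_adversary):
        self.bit_adversary = bit_adversary

    def choose_messages(self, rng):
        self.m0 = rng.getrandbits(BITS)
        return self.m0, self.m0 ^ MASK        # M1 = complement: every bit differs

    def guess(self, c, rng):
        i, a = self.bit_adversary(c, rng)      # a is its guess for bit i of M_b
        return 0 if a == (self.m0 >> i) & 1 else 1


def win_rate(game, trials=2000, seed=7):
    rng = random.Random(seed)                  # seeded so the demo is repeatable
    return sum(game(rng) for _ in range(trials)) / trials


def leaky_scheme_rates():
    """(bit-game win rate, IND-CPA win rate via the reduction) for the leaky scheme."""
    adv = ReductionAdversary(leaky_bit_adversary)
    return (win_rate(lambda rng: bit_game(leaky_keygen, leaky_bit_adversary, rng)),
            win_rate(lambda rng: ind_cpa_game(leaky_keygen, adv, rng)))


def otp_scheme_rates():
    """The same two rates for the one-time pad: both stay near 0.5."""
    adv = ReductionAdversary(blind_bit_adversary)
    return (win_rate(lambda rng: bit_game(otp_keygen, blind_bit_adversary, rng)),
            win_rate(lambda rng: ind_cpa_game(otp_keygen, adv, rng)))


if __name__ == "__main__":
    print("leaky scheme (bit game, IND-CPA via reduction):", leaky_scheme_rates())
    print("one-time pad (bit game, IND-CPA via reduction):", otp_scheme_rates())
```

The reduction wins the IND-CPA game exactly when the bit adversary wins the bit game, which is the content of the theorem: any advantage ε against bit security becomes the same advantage ε against IND-CPA, so an IND-CPA-secure cipher must already be bit secure. The games here have no encryption oracle, matching the eavesdropper setting named on the slide.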

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Z_n, Z_p, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date:


s_i and t_i

• r_0 = s_0 r_0 + t_0 r_1,  s_0 = 1, t_0 = 0
• r_1 = s_1 r_0 + t_1 r_1,  s_1 = 0, t_1 = 1
  ……
• r_i = r_{i−2} − q_{i−1} r_{i−1}
      = s_{i−2} r_0 + t_{i−2} r_1 − q_{i−1} s_{i−1} r_0 − q_{i−1} t_{i−1} r_1
      = s_i r_0 + t_i r_1
    s_i = s_{i−2} − q_{i−1} s_{i−1}
    t_i = t_{i−2} − q_{i−1} t_{i−1}

• Only t_i is needed
• r_i = s_i r_0 + t_i r_1 ≡ t_i r_1 (mod r_0)

Extended Euclidean Algorithm

Step 1: r_0 = n and r_1 = a

Step 2: r_0 = q_1 r_1 + r_2, r_2 = r_0 − q_1 r_1 ≡ −q_1 r_1 (mod n); let x_2 = −q_1, then r_2 ≡ x_2 r_1 (mod n)
        r_1 = q_2 r_2 + r_3, r_3 = r_1 − q_2 r_2 ≡ (1 − x_2 q_2) r_1 (mod n); let x_3 = 1 − x_2 q_2, then r_3 ≡ x_3 r_1 (mod n)
        ……
        r_{n−3} = q_{n−2} r_{n−2} + r_{n−1}, r_{n−1} = r_{n−3} − q_{n−2} r_{n−2} (mod n); let x_{n−1} = x_{n−3} − x_{n−2} q_{n−2}, then r_{n−1} ≡ x_{n−1} r_1 (mod n). Now r_{n−1} = 1

Step 3: Result: x_{n−1} = a^{−1} mod n
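The algorithm of the two slides above in running form, as an added example (my own code, not from the slides): only the t_i sequence (the x_i of the step-by-step slide) is tracked alongside r_i, and every row is returned so the recurrence t_i = t_{i−2} − q_{i−1} t_{i−1} and the invariant r_i ≡ t_i·a (mod n) can be checked row by row. The instance 17 modulo 3120 is a constructed sample; the function names are my own.

```python
# Added example (not from the slides): extended Euclidean algorithm tracking
# only (r_i, t_i), with r_0 = n, r_1 = a, so that r_i ≡ t_i·a (mod n) on
# every row and the row with r_i = 1 yields a^-1 mod n. Names are my own.


def egcd_rows(n: int, a: int) -> list:
    """Rows (i, r_i, t_i) from r_0 = n, t_0 = 0 and r_1 = a, t_1 = 1 until r_i = 0.
    The last nonzero r_i is gcd(n, a)."""
    rows = [(0, n, 0), (1, a, 1)]
    while rows[-1][1] != 0:
        (_, r_prev, t_prev), (i, r_cur, t_cur) = rows[-2], rows[-1]
        q = r_prev // r_cur                  # q_i from r_{i-1} = q_i r_i + r_{i+1}
        rows.append((i + 1, r_prev - q * r_cur, t_prev - q * t_cur))
    return rows


def rows_consistent(n: int, a: int) -> bool:
    """Check the slide's claim r_i = s_i r_0 + t_i r_1 ≡ t_i r_1 (mod r_0) on every row."""
    return all((t * a - r) % n == 0 for _, r, t in egcd_rows(n, a))


def gcd(n: int, a: int) -> int:
    return egcd_rows(n, a)[-2][1]


def mod_inverse(a: int, n: int) -> int:
    """Step 3 of the slide: the t (x) beside the row where r = 1 is a^-1 mod n."""
    rows = egcd_rows(n, a % n)
    _, g, t = rows[-2]
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {g}")
    return t % n


if __name__ == "__main__":
    for i, r, t in egcd_rows(3120, 17):        # constructed sample instance
        print(f"i={i:2d}  r_i={r:5d}  t_i={t:5d}")
    print("17^-1 mod 3120 =", mod_inverse(17, 3120))
    print("gcd(24, 16) =", gcd(24, 16))        # the GCD instance used later
```

Because s_i is never needed for the inverse, the table stays two columns wide; `rows_consistent` is the check that dropping s_i loses nothing, since s_i r_0 vanishes modulo n on every row.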

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Algebraic Structures

• Why structures?
  – Cryptographic transforms are normally performed in some structure

• Definition: An algebraic structure is the collection of a set (S) with one (or more) operations (∘) which are performed on the elements of S
  – Different algebraic structures are <S, ∘> satisfying some specific conditions

Group

• Definition: A group G = <S, ∘> is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S: a∘b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S: (a∘b)∘c = a∘(b∘c)
  – G3: (∃e ∈ S) ∀a ∈ S: a∘e = e∘a = a
  – G4: (∀a ∈ S) ∃a^{−1} ∈ S: a∘a^{−1} = a^{−1}∘a = e
  – [G5, Abelian group]: ∀a, b ∈ S: a∘b = b∘a

Group Example

• <Z, +>: e = 0, a^{−1} = −a

• <Z_n, +> (Z_n = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a^{−1} = n − a

• <Z_2, ⊕> is also a group

• <Z_p^*, ·> (Z_p^* = {1, …, p−1}, '·' is multiplication modulo p)

Group Properties

• Definition: The order of a finite group is the number of elements in the group

• Definition: A group G1 = <S1, ∘> is a subgroup of the group G = <S, ∘> if S1 ⊆ S

• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange Theorem Proof

(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H

(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅

(3) Each element of G is in some coset (e ∈ H, so a ∈ aH), hence the cosets form a partition of G

(4) The order of aH = the order of H

So the order of H divides the order of G

The Order of a Group Element

• Definition: The order of a group element a is defined as the least positive integer n such that
  a^n = a ∘ a ∘ … ∘ a = e

• The order of a is denoted ord(a)

• Corollary: Suppose G is a finite group whose order is n and a ∈ G; then ord(a) | n

ord(a) | n Proof

• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operator of G forms a subgroup of G
      a^{ord(a)} = e,  (a^i)^{−1} = a^{ord(a) − i}
  – This subgroup is denoted <a>

The Generator of a Group

• Definition: If all elements of a group can be generated by a single element g, then g is called the generator of the group

• Example
  – Consider <Z_7^*, ·>
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), …
    • {1, 2, 4} is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is the generator
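Element orders, the cyclic subgroup <a>, Lagrange's theorem and generators, computed for <Z_p^*, ·> as an added example (my own code, not from the slides) and checked on the <Z_7^*, ·> example above; it goes slightly beyond the slide by listing every generator rather than exhibiting one. The function names are my own, and p is assumed prime so that every a in 1..p−1 lies in Z_p^*.

```python
# Added example (not from the slides): orders, cyclic subgroups, Lagrange's
# theorem and generators in the multiplicative group Z_p^*, p prime. Names are my own.


def order(a: int, p: int) -> int:
    """ord(a): the least n >= 1 with a^n ≡ 1 (mod p), for a in Z_p^* (p prime)."""
    a %= p
    if a == 0:
        raise ValueError("0 is not an element of Z_p^*")
    n, x = 1, a
    while x != 1:
        x = x * a % p
        n += 1
    return n


def cyclic_subgroup(a: int, p: int) -> list:
    """<a> = {a, a^2, ..., a^ord(a)}, the subgroup of the 'ord(a) | n Proof' slide."""
    elems, x = [], 1
    for _ in range(order(a, p)):
        x = x * a % p
        elems.append(x)
    return sorted(elems)


def lagrange_holds(p: int) -> bool:
    """|<a>| = ord(a) divides |Z_p^*| = p - 1 for every a, as Lagrange requires."""
    return all((p - 1) % order(a, p) == 0 for a in range(1, p))


def generators(p: int) -> list:
    """Elements whose order is the whole group order p - 1."""
    return [g for g in range(1, p) if order(g, p) == p - 1]


def inverse_by_order(a: int, p: int) -> int:
    """(a^i)^-1 = a^(ord(a) - i) with i = 1, so a^-1 = a^(ord(a) - 1)."""
    return pow(a, order(a, p) - 1, p)


if __name__ == "__main__":
    print("ord(2) in Z_7^* =", order(2, 7), " <2> =", cyclic_subgroup(2, 7))
    print("ord(3) in Z_7^* =", order(3, 7), " generators of Z_7^* =", generators(7))
    print("Lagrange holds for Z_13^*:", lagrange_holds(13))
```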

Ring

• Definition: A ring R = <S, +, ·> (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a·b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c

• Example
  – The set of even integers with + and · is a ring
  – For two primes p, q and n = pq, Z_n = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Field

• Definition: A field F is <S, +, ·> with
  – F1: <S, +, ·> is a commutative ring (a·b = b·a)
  – F2: there exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: any nonzero element a ∈ S has its unique inverse a^{−1}: a·a^{−1} = a^{−1}·a = 1

• Example
  – Z_n = <{0, 1, …, n−1}, +, ·> is a field if n is a prime

Relationship

[Figure: nested structures – Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷); all three are used in cryptography]

Several Important Structures

• Z_n
• Z_n^*
• Z_p
• Polynomial Rings
• Galois Field F_{2^n}

Z_n

• Z_n is the "ring" of integers modulo n
  – Z_n = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n

• Example
  – Z_26 for English
  – Z_256 for ASCII


Zhijun Li S1034040Autumn08HIT 39

Extended Euclidean Algorithm

Step 1: r0 = n and r1 = a

Step 2: r0 = q1·r1 + r2, so r2 = r0 − q1·r1 ≡ −q1·r1 (mod n); let x2 = −q1, then r2 ≡ x2·r1 (mod n)

  r1 = q2·r2 + r3, so r3 = r1 − q2·r2 ≡ (1 − x2·q2)·r1 (mod n); let x3 = 1 − x2·q2, then r3 ≡ x3·r1 (mod n)

  ……

  r_{n−3} = q_{n−2}·r_{n−2} + r_{n−1}, so r_{n−1} ≡ r_{n−3} − q_{n−2}·r_{n−2} (mod n); let x_{n−1} = x_{n−3} − x_{n−2}·q_{n−2}, then r_{n−1} ≡ x_{n−1}·r1 (mod n). Now r_{n−1} = 1

Step 3: Result is x_{n−1} = a^{−1} mod n
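As an added example (not code from the lecture), the recurrence above implemented directly: each remainder r_i is carried together with its coefficient x_i so that r_i ≡ x_i·a (mod n) holds at every step, and the coefficient of the final remainder 1 is the inverse. Function names are my own.

```python
# Added example, not from the lecture slides: the Extended Euclidean
# Algorithm written as the slide does, with r0 = n, r1 = a and a
# coefficient x_i kept beside each remainder so that r_i ≡ x_i * a (mod n).

def euclid_trace(a: int, n: int) -> list[tuple[int, int]]:
    """Return [(r_i, x_i), ...] for i >= 1 with r_i ≡ x_i * a (mod n).

    The last entry holds the final nonzero remainder gcd(a, n); when it
    is 1, its coefficient (reduced mod n) is a^-1 mod n.
    """
    if n <= 1:
        raise ValueError("modulus n must be greater than 1")
    if a % n == 0:
        raise ValueError(f"gcd({a}, {n}) = {n}, no inverse exists")
    r_prev, r_cur = n, a % n          # r0 = n, r1 = a
    x_prev, x_cur = 0, 1              # n ≡ 0*a, a ≡ 1*a (mod n)
    trace = [(r_cur, x_cur)]
    while r_cur != 0:
        q = r_prev // r_cur           # q_i in r_{i-1} = q_i r_i + r_{i+1}
        # r_{i+1} = r_{i-1} - q_i r_i, and the same recurrence for x:
        # x_{i+1} = x_{i-1} - x_i q_i  (the slide's x3 = 1 - x2 q2, ...)
        r_prev, r_cur = r_cur, r_prev - q * r_cur
        x_prev, x_cur = x_cur, x_prev - q * x_cur
        if r_cur != 0:
            trace.append((r_cur, x_cur))
    return trace


def mod_inverse(a: int, n: int) -> int:
    """a^-1 mod n from the trace; raises ValueError if gcd(a, n) != 1."""
    r_last, x_last = euclid_trace(a, n)[-1]
    if r_last != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd(a, n) = {r_last}")
    return x_last % n


if __name__ == "__main__":
    for r, x in euclid_trace(3, 7):
        print(f"r = {r}, x = {x}, check: {x * 3 % 7} == {r % 7}")
    print("3^-1 mod 7 =", mod_inverse(3, 7))
```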

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Algebraic Structures

• Why structures?
  – Cryptographic transforms normally live in some structure

• Definition: An algebraic structure is the collection of a set S with one (or more) operations ∘ performed on the elements of S
  – Different algebraic structures are ⟨S, ∘⟩ satisfying some specific conditions

Group

• Definition: A group G = ⟨S, ∘⟩ is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S, a∘b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S, (a∘b)∘c = a∘(b∘c) (associativity)
  – G3: ∃e ∈ S such that ∀a ∈ S, a∘e = e∘a = a (identity)
  – G4: ∀a ∈ S, ∃a^{−1} ∈ S with a∘a^{−1} = a^{−1}∘a = e (inverse)
  – [G5, Abelian group]: ∀a, b ∈ S, a∘b = b∘a

Group Example

• ⟨Z, +⟩: e = 0, a^{−1} = −a

• ⟨Zn, +⟩ (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a^{−1} = n − a

• ⟨Z2, +⟩ is also a group

• ⟨Zp*, ·⟩ (Zp* = {1, …, p−1}, '·' is multiplication modulo p)

Group Properties

• Definition: The order of a finite group is the number of elements in the group

• Definition: A group G1 = ⟨S1, ∘⟩ is a subgroup of the group G = ⟨S, ∘⟩ if S1 ⊆ S

• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G

Lagrange's Theorem: Proof

(1) Definition of coset: Let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H

(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅

(3) Each element of G is in some coset (a ∈ aH, since e ∈ H), so the cosets form a partition of G

(4) The order of aH = the order of H

So the order of H divides the order of G

The Order of a Group Element

• Definition: The order of a group element a is the least positive integer n such that

  a^n = a ∘ a ∘ … ∘ a = e

• The order of a is denoted ord(a)

• Corollary: Suppose G is a finite group of order n and a ∈ G; then ord(a) | n

ord(a) | n: Proof

• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^{ord(a)}} with the operator of G forms a subgroup of G:

  a^{ord(a)} = e, (a^i)^{−1} = a^{ord(a) − i}

  – This subgroup is denoted ⟨a⟩
  – Its order is ord(a), so by Lagrange's Theorem ord(a) divides n

The Generator of a Group

• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group

• Example
  – Consider ⟨Z7*, ·⟩
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), …
    • ⟨{1, 2, 4}⟩ is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator
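As an added example (not from the lecture), the Z7* computation above done in general: the subgroup ⟨a⟩ generated by an element, its order, the generators of ⟨Zp*, ·⟩, and a check of the corollary ord(a) | n over the whole group. p is assumed prime; the function names are my own.

```python
# Added example, not from the lecture slides: element order, the cyclic
# subgroup <a> and the generators of <Z_p*, ·> for a prime p.

def generated_subgroup(a: int, p: int) -> list[int]:
    """Powers a^1, a^2, ... mod p up to a^ord(a) = 1, i.e. the subgroup <a>."""
    if p < 2 or a % p == 0:
        raise ValueError("need a prime p and an element a of Z_p*")
    powers, x = [], 1
    while True:
        x = (x * a) % p
        powers.append(x)
        if x == 1:                      # a^ord(a) = e: the cycle closes
            return powers


def order(a: int, p: int) -> int:
    """ord(a): the least positive n with a^n = 1 in Z_p*."""
    return len(generated_subgroup(a, p))


def generators(p: int) -> list[int]:
    """Elements of order |Z_p*| = p - 1; each generates the whole group."""
    return [g for g in range(1, p) if order(g, p) == p - 1]


def lagrange_holds(p: int) -> bool:
    """The corollary ord(a) | n, checked for every a in Z_p* (n = p - 1)."""
    return all((p - 1) % order(a, p) == 0 for a in range(1, p))


if __name__ == "__main__":
    print("<2> in Z_7*:", generated_subgroup(2, 7))   # [2, 4, 1]
    print("<3> in Z_7*:", generated_subgroup(3, 7))   # [3, 2, 6, 4, 5, 1]
    print("generators of Z_7*:", generators(7))       # [3, 5]
```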

Ring

• Definition: A ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S, a + b ∈ S and a·b ∈ S (closure rule)
  – R2: ⟨S, +⟩ is an additive Abelian group
  – R3: ∀a, b, c ∈ S, (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S, a·(b + c) = a·b + a·c

• Example
  – The set of even integers with + and · is a ring
  – p, q are two primes and n = pq: Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Field

• Definition: A field F is ⟨S, +, ·⟩ with
  – F1: ⟨S, +, ·⟩ is a commutative ring (a·b = b·a)
  – F2: There exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: Any nonzero element a ∈ S has a unique inverse a^{−1}: a·a^{−1} = a^{−1}·a = 1

• Example
  – Zn = ⟨{0, 1, …, n−1}, +, ·⟩ is a field if n is a prime

Relationship

[Figure: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷); used in cryptography]

Several Important Structures

• Zn

• Zn*

• Zp

• Polynomial Rings

• Galois Field F_{2^n}

Zn

• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n

• Example
  – Z26 for English
  – Z256 for ASCII

Zn Properties

• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n

• Additive inverse: yes
  – For every x in Zn there is a number y such that x + y = 0

• Multiplicative inverse: not for all x
  – A number y such that x·y = 1
  – The elements in Zn that have an inverse are {x | gcd(x, n) = 1}

Zn*

• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n

• Zn* may not be a group over +
  – Example: n = 20, 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*

• So Zn* may not be a field

Zp

• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p

• Example: Z2

  +  | 0  1        ·  | 0  1        w | −w | w^{−1}
  ---+------       ---+------       --+----+-------
  0  | 0  1        0  | 0  0        0 |  0 |   –
  1  | 1  0        1  | 0  1        1 |  1 |   1

  (+ is XOR, · is AND)

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n−1} x^{n−1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0

• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R

• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))

• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)

• Definition: If a(x)·b(x) ≡ 1 mod p(x), then b(x) = a^{−1}(x) mod p(x)

Irreducible Polynomials

• Definition: If a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted b(x) | a(x)

• Definition: A polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) such that b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1

• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S

• Example
  – x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1

• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Properties of Z2[x]/(x^3 + x + 1)

• S is a group over addition in R
  – 0 is e and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0

• S (excluding 0) is a group over multiplication mod p(x)
  – 1 is e and the inverse of every nonzero a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod (x^3 + x + 1) = 1
  – Note: the Extended Euclidean Algorithm can be used to find inverses

• Z2[x]/(x^3 + x + 1) is a field

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is the field Z_N (N is prime)
  – + is addition in F, · is multiplication modulo p(x)
  – p(x) is irreducible

• The Galois field over Z_N[x]/p(x) is denoted GF(N^n), where n = deg p(x)

Why Galois Fields

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted

• Is it possible to find a field for Z256?
  – Yes: a Galois Field

Galois Field for Z256

• Build a mapping from an n-bit block to polynomials

• Example: 8-bit block

  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^{−1} ↔ (x^6 + x^4 + x + 1)^{−1} mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: compute 02 · 87
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ f(x) = x
  • 02 · 87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)

• In general, x·f(x), i.e. 02 · (b7 b6 b5 b4 b3 b2 b1 b0), is
  – (b6 b5 b4 b3 b2 b1 b0 0) if b7 = 0
  – (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011) if b7 = 1
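As an added example (not the lecture's own code), arithmetic in Z2[x]/p(x) with an n-bit block standing for a polynomial (bit i is the coefficient of x^i). The defaults are the AES field above; the same functions also cover the small field Z2[x]/(x^3 + x + 1) from the earlier slides. AES_POLY, gf_mul, xtime, gf_inverse and poly_str are my own names.

```python
# Added example, not from the lecture slides: GF(2^n) as Z2[x]/p(x) on
# integer bit-blocks. Default field: AES, p(x) = x^8 + x^4 + x^3 + x + 1.

AES_POLY = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1, leading term included


def poly_str(bits: int) -> str:
    """Render a block as the polynomial the slide maps it to."""
    terms = [("1" if i == 0 else "x" if i == 1 else f"x^{i}")
             for i in range(bits.bit_length() - 1, -1, -1) if bits >> i & 1]
    return " + ".join(terms) if terms else "0"


def gf_mul(a: int, b: int, poly: int = AES_POLY, n: int = 8) -> int:
    """a(x)*b(x) mod p(x): shift-and-add, reducing whenever x^n appears."""
    result = 0
    for _ in range(n):
        if b & 1:
            result ^= a               # add a(x)*x^i for each set bit of b
        b >>= 1
        a <<= 1                       # multiply a(x) by x
        if a >> n & 1:                # degree reached n: subtract p(x)
            a ^= poly
    return result


def xtime(b: int) -> int:
    """The AES 02·b rule from the slide: shift left, XOR 00011011 if b7 = 1."""
    shifted = (b << 1) & 0xFF
    return shifted ^ 0x1B if b & 0x80 else shifted


def gf_inverse(a: int, poly: int = AES_POLY, n: int = 8) -> int:
    """a^-1 = a^(2^n - 2), because every nonzero a satisfies a^(2^n - 1) = 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    result, base, e = 1, a, (1 << n) - 2
    while e:                          # square-and-multiply
        if e & 1:
            result = gf_mul(result, base, poly, n)
        base = gf_mul(base, base, poly, n)
        e >>= 1
    return result


if __name__ == "__main__":
    print("10010111 ->", poly_str(0b10010111))
    print("02 * 87  ->", format(gf_mul(0x02, 0x87), "08b"))
    print("inverse of 01010011 ->", format(gf_inverse(0x53), "08b"))
    # the small field Z2[x]/(x^3 + x + 1): (x^2 + 1) * x = 1
    print("(x^2+1)*x in GF(2^3) =", gf_mul(0b101, 0b010, 0b1011, 3))
```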

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1

• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1

• C = {c | c = e_k(m), k ∈ K, m ∈ M}

[Figure: Sender → Encryption (m) → c → Decryption → Receiver; the key k is delivered over a Secure Channel; Cryptanalysis observes c; Key Space (K), Message Space (P), Ciphertext Space (C)]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
  – R. G. Gallager

Claude Shannon, 1916–2001

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[m = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}

• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = (Pr(m) · Σ_{k | m = d_k(c)} Pr(k)) / (Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)))

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define "information"?

• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P,

  ∀c, ∀m: Pr[P = m] = Pr[P = m | C = c]

  • Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Proof of "if"

• Pr[x = x | y = y] = (Σ_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[x = x]) / (Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)])

• Numerator: Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K| (a unique key maps x to y, and each key has probability 1/|K|)

• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)] = (1/|K|) · Σ_{k ∈ K, y ∈ C(k)} Pr[x = d_k(y)] = (1/|K|) · Σ_{x ∈ P} Pr[x = x] = 1/|K|

• Hence Pr[x = x | y = y] = Pr[x = x], which is perfect secrecy

Proof of "only if" (1)

• Pr[y] > 0; Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]

• Fix x ∈ P and y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y

• |{e_k(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – There is a unique key k such that e_k(x) = y

Proof of "only if" (2)

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}

• Given a fixed y, take k1, k2, …, kn where e_{ki}(xi) = y

• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]

• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a nonzero probability distribution of P
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key can decrypt c into only one message, at least n keys are needed
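As an added example (not code from the lecture), the formulas for Pr[C = c] and Pr[P = m | C = c] from the "Probability Distribution of C" slide computed exactly for a shift cipher on Zn, then used to test the perfect-secrecy definition. It shows the theorem's conditions and the "bad news" bound in action: uniform keys over all of Zn give perfect secrecy for any plaintext distribution, while a skewed key distribution or fewer keys than messages does not. All names and sample distributions are my own constructions.

```python
# Added example, not from the lecture slides: exact Bayesian posterior
# Pr[P = m | C = c] for a shift cipher on Z_n and a perfect-secrecy check.
from fractions import Fraction
from itertools import product


def shift_encrypt(k: int, m: int, n: int) -> int:
    """e_k(m) = m + k mod n (a Caesar/one-time-pad style shift)."""
    return (m + k) % n


def ciphertext_dist(key_dist, msg_dist, enc):
    """Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] * Pr[P = m].

    The slide sums over c in C(k) with m = d_k(c); the pairs with
    e_k(m) = c are the same set, so no decryption function is needed.
    """
    pc = {}
    for (k, pk), (m, pm) in product(key_dist.items(), msg_dist.items()):
        c = enc(k, m)
        pc[c] = pc.get(c, Fraction(0)) + pk * pm
    return pc


def posterior(key_dist, msg_dist, enc, m: int, c: int) -> Fraction:
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c]."""
    p_c = ciphertext_dist(key_dist, msg_dist, enc)[c]
    # Pr[C = c | P = m] = sum of Pr[K = k] over keys with e_k(m) = c
    p_c_given_m = sum((pk for k, pk in key_dist.items() if enc(k, m) == c),
                      Fraction(0))
    return p_c_given_m * msg_dist[m] / p_c


def is_perfectly_secret(key_dist, msg_dist, enc) -> bool:
    """Shannon's definition: Pr[P = m | C = c] = Pr[P = m] for all m and
    every c with Pr[C = c] > 0."""
    pc = ciphertext_dist(key_dist, msg_dist, enc)
    return all(posterior(key_dist, msg_dist, enc, m, c) == pm
               for c in pc for m, pm in msg_dist.items())


def uniform(keys) -> dict:
    keys = list(keys)
    return {k: Fraction(1, len(keys)) for k in keys}


# Constructed sample: a skewed 3-message distribution. Perfect secrecy must
# hold for every plaintext distribution, not only the uniform one.
MSG3 = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}


if __name__ == "__main__":
    enc26 = lambda k, m: shift_encrypt(k, m, 26)
    print("26 uniform keys:", is_perfectly_secret(uniform(range(26)), MSG3, enc26))
    enc3 = lambda k, m: shift_encrypt(k, m, 3)
    print("|K| = 2 < |P| = 3:", is_perfectly_secret(uniform(range(2)), MSG3, enc3))
```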

Introduction to Complexity

• Perfect secrecy: key length ≥ message length
  – Cannot use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is a transition function δ: S × B → S × B × {l, r}
  – where S is the set of states, B is the set of characters (tape symbols), l is shift left and r is shift right

[Figure: a state machine reading a tape … 0 1 1 0 0 0 1 1 …]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms

[Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]

Complexity of an Algorithm

• Definition: The time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N such that f(n) = O(b^n)

Complexity of a Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problems

• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem

• Decidable
  – P – can be solved in polynomial time using a DTM (δ: S × B → S × B × {l, r}; example: A → B, a single successor configuration)
  – NP – can be solved in polynomial time using an NDTM (δ: S × B → 2^(S × B × {l, r}), a set of successor configurations)
  – BPP – can be "solved" in polynomial time using a PTM (δ: S × B × {0, 1} → S × B × {l, r}, with a random bit as extra input: randomized algorithms)

NP Problems

• NP problem: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult" by intuition

• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP and I1+ and I2+ are their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
  – Q2 is more complex than Q1
  – Denoted Q1 ≤_poly Q2

NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?

• How to prove a problem Q ∈ NPC
  – SAT ≤_poly Q

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P

• If P = NP
  – Modern cryptography is NOT secure

• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are foundations of modern cryptography

BPP

• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms

• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 40

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 41

bull Why Structuresndash Cryptographic transforms are normally in

some structures

bull Definition It is the collection of a set (S) with one (more) operations () which performed on the elements of the Sndash Different algebraic structures is ltS gt satisfying

some specific conditions

Algebraic Structures

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Proof of the "only if" direction (equal key probabilities)

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}
• Fix y and let k_1, k_2, …, k_n be the keys with e_{k_i}(x_i) = y
• Pr[x_i|y] = Pr[y|x_i] Pr[x_i] / Pr[y] = Pr[K = k_i] Pr[x_i] / Pr[y]
• Pr[x_i|y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
  – every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a probability distribution on P in which every message has nonzero probability
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, so there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
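As an added worked example (not code from the lecture), the following Python builds a constructed shift cipher on Z_n and evaluates, with exact fractions, the quantities of the preceding slides: Pr[C = c], Pr[P = m | C = c], Shannon's perfect-secrecy condition, the unique-key condition of the Perfect Secrecy Theorem, and what happens when |K| < |P|. All function names and the three key distributions are this example's own assumptions.

```python
from fractions import Fraction

# Constructed example: a shift cipher on Z_n with P = C = Z_n and K a subset of Z_n,
# e_k(m) = m + k mod n, d_k(c) = c - k mod n. Names and distributions are this
# example's own and are not taken from the lecture.

def encrypt(n, k, m):
    return (m + k) % n

def decrypt(n, k, c):
    return (c - k) % n

def ciphertext_distribution(n, keys, key_probs, msg_probs):
    """Pr[C = c] = sum over k with c in C(k) of Pr[K = k] * Pr[P = d_k(c)]."""
    dist = {c: Fraction(0) for c in range(n)}
    for k in keys:
        for m in range(n):                      # c = e_k(m) ranges over C(k)
            dist[encrypt(n, k, m)] += key_probs[k] * msg_probs[m]
    return dist

def posterior(n, keys, key_probs, msg_probs, m, c):
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c] (Bayes),
    or None when Pr[C = c] = 0."""
    pc_given_m = sum((key_probs[k] for k in keys if decrypt(n, k, c) == m), Fraction(0))
    pc = ciphertext_distribution(n, keys, key_probs, msg_probs)[c]
    return pc_given_m * msg_probs[m] / pc if pc else None

def has_perfect_secrecy(n, keys, key_probs, msg_probs):
    """Shannon's definition: Pr[P = m | C = c] == Pr[P = m] for all m and every c that can occur."""
    for c in range(n):
        for m in range(n):
            post = posterior(n, keys, key_probs, msg_probs, m, c)
            if post is not None and post != msg_probs[m]:
                return False
    return True

def unique_key_per_pair(n, keys):
    """Second condition of the Perfect Secrecy Theorem: for every x in P and y in C
    exactly one key k satisfies e_k(x) = y."""
    return all(sum(1 for k in keys if encrypt(n, k, x) == y) == 1
               for x in range(n) for y in range(n))

def uniform(items):
    return {i: Fraction(1, len(items)) for i in items}

def scenarios(n=3):
    """Three key distributions for the same n; only the first satisfies both theorem conditions."""
    msgs = {0: Fraction(1, 2), 1: Fraction(1, 3), 2: Fraction(1, 6)}   # non-uniform plaintexts
    all_keys = list(range(n))
    biased = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}  # keys not equiprobable
    few_keys = [0, 1]                                                   # |K| < |P|: the bound above
    return {
        "uniform keys": (has_perfect_secrecy(n, all_keys, uniform(all_keys), msgs),
                         unique_key_per_pair(n, all_keys)),
        "biased keys": (has_perfect_secrecy(n, all_keys, biased, msgs),
                        unique_key_per_pair(n, all_keys)),
        "two keys": (has_perfect_secrecy(n, few_keys, uniform(few_keys), msgs),
                     unique_key_per_pair(n, few_keys)),
    }

if __name__ == "__main__":
    for name, (secret, unique) in scenarios().items():
        print(f"{name:13s} perfect secrecy: {secret}  unique key per (x, y): {unique}")
```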

Introduction of the Complexity

• Perfect secrecy: key length ≥ message length
  – Cannot use one key to encrypt many messages
  – e.g. cannot use a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: a Turing machine is a transition function S × B → S × B × {l, r}
  – where S is the set of states, B the set of tape characters, l is shift left and r is shift right

[Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a state machine]

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; an instance is the input of an ALGORITHM, whose output is the answer]

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) grows at least like a^n for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: complexity theory is the mathematical discipline that classifies problems by the difficulty of solving them

Classes of Problem

• Undecidable: provably intractable
  – there is no algorithm that solves it
  – e.g. the Turing halting problem
• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: A × B
  – NP: can be solved in polynomial time using an NDTM (transition S × B → 2^S, a set of possible successors)
  – BPP: can be "solved" in polynomial time using a PTM (transition S × B × {0, 1} → S, one random bit per step; randomized algorithms)

NP Problem

• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult" by intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: assume Q1, Q2 ∈ NP, and let I1+ and I2+ be the sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is at least as complex as Q1
  – Denoted Q1 ≤_poly Q2

NP Completeness (NPC)

• Definition: an NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC
  – show SAT ≤_poly Q

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP
  – modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
  – a one-way function can be built based on p
  – indistinguishable pseudorandom functions exist
  – these are the foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
  – especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – the problem can be solved with some error probability
  – the error probability can be reduced by repetition
  – the security of cryptography is meaningful under BPP
  – will be analyzed in depth later

Problems in Cryptography

• FACTORING: factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP (discrete logarithm problem): given a base and a target, find the exponent x with base^x ≡ target (mod p)
• DHP (Diffie-Hellman problem): find base^(ab) (mod p) from base^a (mod p) and base^b (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of semantic security
  – between Shannon security and security based on complexity
  – leaks partial information
  – approximates perfect secrecy
• Definition of semantic security
  – indistinguishability of ciphertexts
  – difficult to distinguish the ciphertexts of different plaintexts
  – difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
• Game (Challenger vs. Adversary)
  – Challenger picks a random key k and a random bit b ∈ {0, 1}
  – Adversary picks M0, M1 of equal length; the challenger returns c = e_k(M_b); the adversary outputs a guess b'
  – Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
• Game (Challenger vs. Adversary)
  1. Challenger picks a random key k
  2. Challenger picks a random message M and sends c = e_k(M)
  3. Adversary picks a bit position i and outputs a guess a
  – Attacker wins the game if a = the i-th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
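As an added illustration (not the lecture's code), the following Python plays the IND-CPA (eavesdropper) game and the bit-security game of the previous slides against two constructed one-byte ciphers, and implements the reduction of the proof above: a bit-security attacker is wrapped into an IND-CPA attacker that keeps the same advantage. The one-time pad, the deliberately leaky cipher and all function names are this example's own assumptions.

```python
import random

# Constructed illustration of the IND-CPA (eavesdropper) and bit-security games and of the
# reduction "bit attacker -> IND-CPA attacker". Messages and keys are single bytes (0..255).
# Both ciphers and all names are this example's own, not the lecture's.

def otp_encrypt(key, msg):
    """One-time pad on one byte; the games below draw a fresh random key every round."""
    return msg ^ key

def leaky_encrypt(key, msg):
    """Constructed flawed cipher: XOR with the key, but bit 0 of the message is copied in clear."""
    return ((msg ^ key) & 0xFE) | (msg & 0x01)

def bit_of(value, i):
    return (value >> i) & 1

def bit_game(encrypt, bit_adversary, rng):
    """Bit-security game: challenger picks random k and M; the adversary sees c = e_k(M),
    names a bit position i and guesses the i-th bit of M."""
    key, msg = rng.randrange(256), rng.randrange(256)
    i, guess = bit_adversary(encrypt(key, msg))
    return guess == bit_of(msg, i)

def ind_cpa_game(encrypt, ind_adversary, rng):
    """IND-CPA game against an eavesdropper: challenger picks random k and b; the adversary
    commits to M0, M1 of equal length, receives c = e_k(M_b) and outputs b'. Wins if b' = b."""
    key, b = rng.randrange(256), rng.randrange(2)
    m0, m1, finish = ind_adversary(rng)
    return finish(encrypt(key, (m0, m1)[b])) == b

def low_bit_adversary(c):
    """Bit attacker against leaky_encrypt: asks for bit 0 and reads it straight from c."""
    return 0, c & 1

def reduce_bit_to_indcpa(bit_adversary):
    """The reduction: from any bit-security attacker build an IND-CPA attacker with the same
    advantage. M0 is random and M1 = M0 XOR 0xFF, so the two differ in every bit; whatever
    position i the bit attacker asks about, a guess equal to bit i of M1 means b = 1.
    M_b is still a uniformly random byte, so the bit attacker sees the distribution it expects."""
    def adversary(rng):
        m0 = rng.randrange(256)
        m1 = m0 ^ 0xFF
        def finish(c):
            i, guess = bit_adversary(c)
            return 1 if guess == bit_of(m1, i) else 0
        return m0, m1, finish
    return adversary

def win_rate(game, encrypt, adversary, trials=2000, seed=7):
    """Fraction of rounds the adversary wins (seeded, so the result is reproducible)."""
    rng = random.Random(seed)
    return sum(game(encrypt, adversary, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    for name, cipher in (("leaky", leaky_encrypt), ("one-time pad", otp_encrypt)):
        print(name, "bit game:", win_rate(bit_game, cipher, low_bit_adversary),
              "IND-CPA via reduction:",
              win_rate(ind_cpa_game, cipher, reduce_bit_to_indcpa(low_bit_adversary)))
```

Against the leaky cipher both win rates are exactly 1.0; against the one-time pad both stay near 0.5, which is what the reduction predicts: the IND-CPA attacker built from a bit attacker inherits that attacker's advantage, no more and no less.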

Summary

• Number theory
  – primes, gcd, Euler's theorem, CRT
  – modular arithmetic
• Algebraic structures
  – group, field
  – Zn, Zp, GF(2^n)
• Shannon security
  – perfect secrecy
  – probability
• Complexity of computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due date:

Algebraic Structures

• Why structures?
  – cryptographic transforms normally live in some structure
• Definition: an algebraic structure is the collection of a set (S) with one (or more) operations (·) performed on the elements of S
  – different algebraic structures are <S, ·> satisfying some specific conditions

Group

• Definition: a group G = <S, ·> is an algebraic structure that satisfies the following conditions
  – G1: ∀a, b ∈ S: a·b ∈ S (closure rule)
  – G2: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
  – G3: ∃e ∈ S such that ∀a ∈ S: a·e = e·a = a
  – G4: ∀a ∈ S ∃a^-1 ∈ S: a·a^-1 = a^-1·a = e
  – [G5, Abelian group]: ∀a, b: a·b = b·a

Group Example

• <Z, +>: e = 0, a^-1 = −a
• <Zn, +> (Zn = {0, 1, …, n−1}, '+' is addition modulo n): e = 0, a^-1 = n − a
• <Z2, ⊕> (exclusive or) is also a group
• <Zp*, ·> (Zp* = {1, …, p−1}, '·' is multiplication modulo p)

Group Properties

• Definition: the order of a finite group is the number of elements in the group
• Definition: a group G1 = <S1, ·> is a subgroup of the group G = <S, ·> if S1 ⊆ S
• Lagrange's theorem: the order of a subgroup H of a finite group G divides the order of G

Lagrange Theorem Proof

(1) Definition of coset: let G be a group and H a subgroup of G; for a ∈ G the set aH = {ah | h ∈ H} is called a coset of H
(2) ∀a, b ∈ G: aH = bH or aH ∩ bH = ∅
(3) Each element of G is in some coset (a ∈ aH since e ∈ H), so the cosets form a partition of G
(4) The order of aH = the order of H
So the order of H divides the order of G

The Order of Group Element

• Definition: the order of a group element a is the least positive integer n such that a^n = a·a·…·a = e
• The order of a is denoted ord(a)
• Corollary: suppose G is a finite group of order n and a ∈ G; then ord(a) | n

ord(a) | n Proof

• Proof
  – For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G: a^ord(a) = e and (a^i)^-1 = a^(ord(a) − i)
  – This subgroup is denoted <a>; it has ord(a) elements, so by Lagrange's theorem ord(a) divides n

The Generator of Group

• Definition: if all elements of a group can be generated by a single element g, then g is called a generator of the group
• Example
  – Consider <Z7*, ·>
  – 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 mod 7, 2^4 = 16 ≡ 2 mod 7, …
    • <2> = {1, 2, 4} is a subgroup
  – 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
    • 3 is a generator

Ring

• Definition: a ring R = <S, +, ·> (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a·b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c
• Example
  – The set of even integers with + and · is a ring
  – For two primes p, q and n = pq, Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Field

• Definition: a field F is <S, +, ·> with
  – F1: <S, +, ·> is a commutative ring (a·b = b·a)
  – F2: there exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: any nonzero element a ∈ S has a unique inverse a^-1: a·a^-1 = a^-1·a = 1
• Example
  – Zn = <{0, 1, …, n−1}, +, ·> is a field if n is a prime

Relationship

[Figure: Group supports +, −; Ring supports +, −, ×; Field supports +, −, ×, ÷. All three are used in cryptography.]

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field F_(2^n)

Zn

• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – normal addition modulo n
  – normal multiplication modulo n
• Example
  – Z26 for English letters
  – Z256 for ASCII bytes

Zn Properties

• Additive and multiplicative identities in Zn
  – additive identity is 0 mod n
  – multiplicative identity is 1 mod n
• Additive inverse: yes
  – for each x in Zn there is a number y such that x + y = 0
• Multiplicative inverse: not for all x
  – a number y such that x·y = 1
  – the elements in Zn having an inverse are {x | gcd(x, n) = 1}

Zn*

• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – normal multiplication modulo n
• Zn* may not be a group over +
  – Example: n = 20: 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*
• So Zn* may not be a field
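As an added example (not the lecture's code), the following Python computes Zn* and φ(n), multiplicative inverses by the extended Euclidean algorithm, ord(a), the subgroup <a> and the generators of Zn*, and checks the corollary ord(a) | |G| from "The Order of Group Element" and the Z20* example just above. Function names are this example's own.

```python
from math import gcd

# Added example for the group slides above: Z_n^*, phi(n), inverses, element orders,
# the cyclic subgroup <a>, generators, and the corollary ord(a) | |G|.
# Function names are this example's own, not the lecture's.

def zn_star(n):
    """Z_n^* = {x in Z_n | gcd(x, n) = 1}: the elements of Z_n with a multiplicative inverse."""
    return [x for x in range(1, n) if gcd(x, n) == 1]

def phi(n):
    """Euler's totient: |Z_n^*|."""
    return len(zn_star(n))

def mul_inverse(x, n):
    """Extended Euclidean algorithm: y with x*y = 1 (mod n), or None when gcd(x, n) != 1."""
    old_r, r = x % n, n
    old_s, s = 1, 0          # invariant: old_s * x = old_r (mod n)
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    return old_s % n if old_r == 1 else None

def order(a, n):
    """ord(a): the least positive e with a^e = 1 (mod n); a must be in Z_n^*."""
    if gcd(a, n) != 1:
        raise ValueError("a is not a unit modulo n, so no power of a is 1")
    e, acc = 1, a % n
    while acc != 1:
        acc = acc * a % n
        e += 1
    return e

def cyclic_subgroup(a, n):
    """<a> = {a, a^2, ..., a^ord(a)}, the subgroup generated by a."""
    elems, acc = [], 1
    for _ in range(order(a, n)):
        acc = acc * a % n
        elems.append(acc)
    return sorted(elems)

def generators(n):
    """Elements a of Z_n^* with ord(a) = |Z_n^*|, i.e. <a> is the whole group."""
    group = zn_star(n)
    return [a for a in group if order(a, n) == len(group)]

def lagrange_holds(n):
    """Corollary ord(a) | |G| (a consequence of Lagrange's theorem), checked for every a in Z_n^*."""
    group = zn_star(n)
    return all(len(group) % order(a, n) == 0 for a in group)

def closed_under_addition(n):
    """Is Z_n^* closed under + mod n? It need not be: 3, 5 in Z_20^* but 3 + 5 = 8 is not."""
    units = set(zn_star(n))
    return all((a + b) % n in units for a in units for b in units)

if __name__ == "__main__":
    print("Z_7^* =", zn_star(7), " <2> =", cyclic_subgroup(2, 7), " generators:", generators(7))
    print("Z_20^* =", zn_star(20), " phi(20) =", phi(20), " 3^-1 =", mul_inverse(3, 20),
          " closed under +:", closed_under_addition(20))
```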

Zp

• Zp is the "field" of integers modulo a prime p
  – Zp = {0, 1, 2, …, p−1}
  – normal addition modulo p
  – normal multiplication modulo p
• Example: Z2

  +  | 0 1        ·  | 0 1        w | −w | w^-1
  0  | 0 1        0  | 0 0        0 |  0 |  -
  1  | 1 0        1  | 0 1        1 |  1 |  1

  (+ is XOR, · is AND)

Polynomial Ring

• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_(n−1) x^(n−1) + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)

• Definition: the set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))
• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod (x^2 + 1)
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: if a(x)·b(x) ≡ 1 mod p(x) then b(x) = a^-1(x) mod p(x)

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) and b(x) | a(x)

Example: Z2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z2[x]/(x^3 + x + 1): Properties

• S is a group over addition in R
  – 0 is e and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S (its nonzero elements) is a group over multiplication mod p(x)
  – 1 is e and the inverse of a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x mod (x^3 + x + 1) = 1
  – Note: the extended Euclidean algorithm can be used to find inverses
• Z2[x]/(x^3 + x + 1) is a field

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is a field Z_N (N is prime)
  – + is addition in F; · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted GF(N^n) when n = deg p(x)

Why Galois Field

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • the largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for Z256?
  – Yes: a Galois field

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: 02·87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ x
  • 02·87 = x·f(x) = x·(x^7 + x^2 + x + 1) mod p(x) = x^8 + x·(x^2 + x + 1) mod p(x)
• In general, multiplying a byte (b7 b6 b5 b4 b3 b2 b1 b0) by 02 is x·f(x):
  – (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
  – (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)      if b7 = 1
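As an added example (not the lecture's code), the following Python implements polynomial arithmetic over Z_p with coefficient lists and applies it to the examples of the preceding slides: the Z5[x] congruence, the residues modulo x^3 + x + 1 over Z2 and their inverses, and the AES field GF(2^8) (the inverse of 01010011 and the product 02·87, which the slide leaves unfinished; it evaluates to 00010101). Function names and the coefficient-list representation are this example's own.

```python
from itertools import product

# Added example for the polynomial-ring and Galois-field slides above; not the lecture's code.
# A polynomial is a list of coefficients in Z_p, lowest degree first:
# x^3 + x + 1 over Z_2 is [1, 1, 0, 1].

def trim(a):
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_add(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(u + v) % p for u, v in zip(a, b)])

def poly_sub(a, b, p):
    return poly_add(a, [(-v) % p for v in b], p)

def poly_mul(a, b, p):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            out[i + j] = (out[i + j] + u * v) % p
    return trim(out)

def poly_mod(a, m, p):
    """Remainder of a modulo m in Z_p[x] by long division (p prime, so the leading
    coefficient of m is invertible); each step cancels the current leading term of a."""
    a, m = trim(a), trim(m)
    inv_lead = pow(m[-1], -1, p)
    while len(a) >= len(m):
        coef = a[-1] * inv_lead % p
        shift = len(a) - len(m)
        a = poly_sub(a, [0] * shift + [c * coef % p for c in m], p)
    return a

def poly_powmod(a, e, m, p):
    """a^e mod m by square-and-multiply."""
    result, base = [1], poly_mod(a, m, p)
    while e:
        if e & 1:
            result = poly_mod(poly_mul(result, base, p), m, p)
        base = poly_mod(poly_mul(base, base, p), m, p)
        e >>= 1
    return result

def poly_inverse(a, m, p):
    """a^-1 in the field Z_p[x]/m(x) (m irreducible, n = deg m): a^(p^n - 2), since a^(p^n - 1) = 1."""
    n = len(trim(m)) - 1
    return poly_powmod(a, p ** n - 2, m, p)

def residues(m, p):
    """The set S of residues modulo m: all polynomials of degree < deg m over Z_p."""
    n = len(trim(m)) - 1
    return [trim(coeffs) for coeffs in product(range(p), repeat=n)]

AES_POLY = [1, 1, 0, 1, 1, 0, 0, 0, 1]        # p(x) = x^8 + x^4 + x^3 + x + 1

def byte_to_poly(b):
    return trim([(b >> i) & 1 for i in range(8)])

def poly_to_byte(a):
    return sum(c << i for i, c in enumerate(a))

def gf256_mul(x, y):
    return poly_to_byte(poly_mod(poly_mul(byte_to_poly(x), byte_to_poly(y), 2), AES_POLY, 2))

def gf256_inv(x):
    return poly_to_byte(poly_inverse(byte_to_poly(x), AES_POLY, 2))

def xtime(x):
    """02 * x as a byte operation: shift left, XOR 00011011 when the top bit fell out."""
    return ((x << 1) ^ 0x1B) & 0xFF if x & 0x80 else x << 1

if __name__ == "__main__":
    print("3x^3+4x+4 mod x^2+1 over Z_5:", poly_mod([4, 4, 0, 3], [1, 0, 1], 5))     # [4, 1] = x + 4
    print("x^-1 mod x^3+x+1 over Z_2:", poly_inverse([0, 1], [1, 1, 0, 1], 2))       # [1, 0, 1] = x^2 + 1
    print("inverse of 0x53 in GF(2^8): 0x%02X" % gf256_inv(0x53))                    # 0xCA
    print("02 * 87 = 0x%02X (xtime gives 0x%02X)" % (gf256_mul(0x02, 0x87), xtime(0x87)))
```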

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, ∑_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, ∑_{i=1}^{S} p(bi) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ M}

[Figure: the sender encrypts m under key k into ciphertext c; the receiver decrypts c with the same k, which is delivered over a secure channel; cryptanalysis observes c. Key space (K), message space (P), ciphertext space (C).]

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 42

Group

bull Definition A group G= ltS gt is an algebraic structure that satisfies the following conditions

ndash G1 abS abS (closure rule) ndash G2 abcS (ab)c = a(bc) ndash G3 (eS)aS ae = ea = a ndash G4 (aS)a-1S aa-1 = a-1a = e ndash [G5 Abelian group] ab ab = ba

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n−1} x^{n−1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0

• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x with coefficients from R

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z_2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1 (in Z_2, −1 = 1)
  – f(x)·g(x) = x^5 + x^4 + x^3 + x (the two x^2 terms cancel)

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x), the remainders on division by p(x)
  – p(x) is an irreducible polynomial over R

• The set of residues modulo p(x) of R[x] is denoted R[x]/(p(x))

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) − b(x))

• Example
  – in Z_5[x]: 3x^3 + 4x + 4 ≡ x + 4 (mod x^2 + 1)
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)

• Definition: If a(x)·b(x) ≡ 1 (mod p(x)), then b(x) = a⁻¹(x) mod p(x)

Irreducible Polynomials

• Definition: If a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted b(x) | a(x)

• Definition: A polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) such that b(x) | a(x)

Example: Z_2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1

• For any f(x) ∈ Z_2[x], f(x) mod p(x) ∈ S

• Example
  – x^4 + 1 = x·x^3 + 1 ≡ x(x + 1) + 1 = x^2 + x + 1 (mod p(x)), using x^3 ≡ x + 1

• Note: R[x]/(p(x)), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z_2[x]/(x^3 + x + 1) Properties

• S is a group under addition (coefficient-wise in Z_2)
  – 0 is the identity e, and the inverse of a ∈ S is a itself
  – example: (x^2 + 1) + (x^2 + 1) = 0

• S \ {0} is a group under multiplication mod p(x)
  – 1 is the identity e, and every nonzero a ∈ S has an inverse
  – example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x = 1 (mod x^3 + x + 1), so x⁻¹ = x^2 + 1
  – note: the extended Euclidean algorithm on polynomials finds the inverse

• Z_2[x]/(x^3 + x + 1) is a field

Galois Field

• Definition: A Galois field is (S, +, ·) where
  – S = F[x]/(p(x))
  – F is a field Z_N (N prime)
  – + is addition in F[x] (coefficient-wise in F), · is multiplication modulo p(x)
  – p(x) is irreducible over F

• The Galois field Z_N[x]/(p(x)) is denoted GF(N^n), where n = deg p(x)

Why Galois Fields?

• For an 8-bit block
  – Z_256 = {0, 1, …, 255} is not a field (256 is not prime)
  – Z_251 = {0, 1, …, 250} is a field
    • the largest prime < 256 is 251
    • the byte values 251, …, 255 are wasted

• Is it possible to find a field with exactly 256 elements?
  – Yes: a Galois field

Galois Field for 256 Elements

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  – 10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• The field is Z_2[x]/(p(x)) where deg p(x) = 8, i.e. GF(2^8)

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• AES uses GF(2^8) = Z_2[x]/(p(x)) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)⁻¹ ↔ (x^6 + x^4 + x + 1)⁻¹ mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: 02·87 in GF(2^8)
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ x
  • 02·87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x)
           = x^8 + x(x^2 + x + 1) mod p(x)
           = (x^4 + x^3 + x + 1) + (x^3 + x^2 + x)        using x^8 ≡ x^4 + x^3 + x + 1 (mod p(x))
           = x^4 + x^2 + 1 ↔ 00010101 = 15

• In general, for f = (b7 b6 b5 b4 b3 b2 b1 b0):
  – x·f(x) = 02·f = (b6 b5 b4 b3 b2 b1 b0 0)                       if b7 = 0
  – x·f(x) = 02·f = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)          if b7 = 1
  – i.e. shift left by one bit, and XOR with 1B (the low byte of p(x)) when the bit shifted out was 1
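The slides from the Z_2[x]/(x^3 + x + 1) example through the two AES slides describe the same arithmetic at two sizes: reduction modulo an irreducible polynomial, the shift-and-XOR rule for multiplication by x, and inversion by the extended Euclidean algorithm. The following is an added example (not code from the course or from the AES specification) that implements that arithmetic for any GF(2^n) given its reduction polynomial, and reproduces the numbers on the slides: x^4 + 1 mod x^3 + x + 1, the inverse of x in GF(2^3), 0x53⁻¹ = 0xCA and 02·87 in the AES field. Polynomials over Z_2 are encoded as Python ints, an encoding chosen here for convenience.

```python
from __future__ import annotations

# Polynomials over Z_2 are encoded as ints: bit i is the coefficient of x^i, so
# 0b10010111 <-> x^7 + x^4 + x^2 + x + 1, and polynomial addition is XOR.

AES_POLY = 0x11B    # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial
TOY_POLY = 0b1011   # x^3 + x + 1, the GF(2^3) example from the slides


def deg(a: int) -> int:
    """Degree of polynomial a (the zero polynomial gets -1)."""
    return a.bit_length() - 1


def poly_divmod(a: int, p: int) -> tuple[int, int]:
    """Quotient and remainder of a / p in Z_2[x]: long division where subtraction is XOR."""
    q = 0
    while a and deg(a) >= deg(p):
        shift = deg(a) - deg(p)
        q ^= 1 << shift
        a ^= p << shift
    return q, a


def poly_mod(a: int, p: int) -> int:
    """Remainder of a on division by p, i.e. a mod p(x)."""
    return poly_divmod(a, p)[1]


def gf_mul(a: int, b: int, p: int) -> int:
    """a(x) * b(x) mod p(x) by shift-and-add, reducing whenever the degree reaches deg p."""
    n = deg(p)
    a = poly_mod(a, p)
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:          # degree n reached: subtract (XOR) p(x)
            a ^= p
    return r


def xtime(a: int) -> int:
    """Multiplication by x (= 02) in the AES field: the shift/XOR rule from the slide."""
    a <<= 1
    return a ^ AES_POLY if a & 0x100 else a


def gf_inv(a: int, p: int) -> int:
    """a(x)^-1 mod p(x) by the extended Euclidean algorithm over Z_2[x]."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1 = p, poly_mod(a, p)
    s0, s1 = 0, 1                    # invariant: r_i = s_i * a (mod p)
    while r1 != 1:
        if r1 == 0:
            raise ValueError("gcd(a, p) != 1: p(x) is not irreducible")
        q, rem = poly_divmod(r0, r1)
        r0, r1 = r1, rem
        s0, s1 = s1, s0 ^ gf_mul(q, s1, p)
    return s1


def is_irreducible(p: int) -> bool:
    """Brute-force check for small p: no divisor of degree 1 .. deg(p) - 1."""
    return all(poly_mod(p, d) != 0 for d in range(2, 1 << deg(p)))


if __name__ == "__main__":
    print("x^4 + 1 mod x^3 + x + 1     =", bin(poly_mod(0b10001, TOY_POLY)))
    print("(x^2 + 1) * x mod x^3 + x + 1 =", gf_mul(0b101, 0b010, TOY_POLY))
    print("0x53^-1 in the AES field     =", hex(gf_inv(0x53, AES_POLY)))
    print("02 * 87 in the AES field     =", hex(xtime(0x87)), "=", hex(gf_mul(0x02, 0x87, AES_POLY)))
    print("AES p(x) irreducible:", is_irreducible(AES_POLY))
```

`is_irreducible` is exponential in deg p and only meant to confirm the two small polynomials used here; production code takes the reduction polynomial from the standard rather than testing it.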

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• Message space: P = M^L = { m = (m_1, m_2, …, m_L) | m_i ∈ M }
  – M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1

• Key space: K = B^R = { b = (b_1, b_2, …, b_R) | b_i ∈ B }
  – B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1

• Ciphertext space: C = { c | c = e_k(m), k ∈ K, m ∈ P }

• Diagram: Sender (m) -> Encryption -> c -> Decryption -> Receiver (m); the key k reaches both ends over a secure channel; cryptanalysis observes c and tries to recover m

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
  – R. G. Gallager

Claude Shannon, 1916-2001

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K : c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
  – C(k) = { e_k(m) | m ∈ P }, the ciphertexts possible under key k

• Pr[C = c | P = m] = Σ_{k ∈ K : m = d_k(c)} Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · Σ_{k : m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K : c ∈ C(k)} Pr(k) · Pr(d_k(c)) )

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – how to define "information"?

• Definition: An encryption scheme is Shannon secure if, for every probability distribution on P,
  ∀c ∈ C, ∀m ∈ P: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and every y ∈ C there is a unique key k such that e_k(x) = y

Proof of "⇐" (the two conditions imply perfect secrecy)

• Pr[x | y] = ( Σ_{k ∈ K : x = d_k(y)} Pr[K = k] · Pr[x] ) / ( Σ_{k ∈ K : y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)] )

• Numerator: Σ_{k ∈ K : x = d_k(y)} Pr[K = k] = 1/|K|, since exactly one key maps x to y and every key has probability 1/|K|

• Denominator: Σ_{k ∈ K : y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)] = (1/|K|) · Σ_{k ∈ K : y ∈ C(k)} Pr[x = d_k(y)] = (1/|K|) · Σ_{x ∈ P} Pr[x] = 1/|K|
  – as k runs over the keys, d_k(y) runs over every plaintext exactly once

• Hence Pr[x | y] = (Pr[x] / |K|) / (1/|K|) = Pr[x]

Proof of "⇒" (1): a unique key for every (x, y)

• Assume Pr[y] > 0 for every y ∈ C
• Perfect secrecy, Pr[x | y] = Pr[x], is equivalent to Pr[y | x] = Pr[y] (Bayes)

• Fix x ∈ P and y ∈ C; we have Pr[y | x] = Pr[y] > 0, so at least one key k satisfies e_k(x) = y

• |{ e_k(x) | k ∈ K }| = |C| = |K|
  – so there are no two keys k1 ≠ k2 with e_k1(x) = e_k2(x)
  – hence there is a unique key k such that e_k(x) = y

Proof of "⇒" (2): every key is equally likely

• Let n = |K| and P = { x_i | 1 ≤ i ≤ n }

• Fix y; by (1) there are keys k_1, k_2, …, k_n with e_{k_i}(x_i) = y, one for each plaintext, and they are all distinct

• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = k_i] · Pr[x_i] / Pr[y]

• Perfect secrecy gives Pr[x_i | y] = Pr[x_i], hence Pr[K = k_i] = Pr[y] for every i
  – k_1, …, k_n are all the keys, so every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – consider a probability distribution on P in which every plaintext has nonzero probability
  – given any ciphertext C = c, for every m
    Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – as one key decrypts c into only one message, at least n keys are needed
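The posterior formulas on the "Probability Distribution of C" slide, the definition of Shannon security and the "bad news" theorem can all be checked by brute force on a small cipher. The following is an added example, not course code: it sums over keys exactly as the formulas do (with exact rational arithmetic), and applies the result to a shift cipher over Z_26 in three settings: uniform key on one letter (perfectly secret), a non-uniform key distribution (fails, as the theorem's first condition predicts), and one key reused for two letters (fails, since |K| = 26 < |P| = 676). The plaintext distribution and helper names are constructed for the demonstration.

```python
from __future__ import annotations
from fractions import Fraction
from itertools import product
from typing import Callable, Dict, Hashable, Iterable, Tuple

# Exact arithmetic with Fraction, so "Pr[P=m|C=c] == Pr[P=m]" is tested exactly.


def posterior(enc: Callable, keys: Iterable, key_dist: Dict, msg_dist: Dict) -> Dict[Tuple, Fraction]:
    """Pr[P = m | C = c] for every (c, m) with Pr[C = c] > 0, summing over the keys
    exactly as the formulas on the 'Probability Distribution of C' slide do."""
    joint: Dict[Tuple, Fraction] = {}    # (c, m) -> sum over k with e_k(m) = c of Pr[K=k]*Pr[P=m]
    p_c: Dict[Hashable, Fraction] = {}   # c -> Pr[C = c]
    for k, m in product(keys, msg_dist):
        c = enc(k, m)
        w = key_dist[k] * msg_dist[m]
        joint[(c, m)] = joint.get((c, m), Fraction(0)) + w
        p_c[c] = p_c.get(c, Fraction(0)) + w
    return {(c, m): w / p_c[c] for (c, m), w in joint.items()}


def max_leak(enc: Callable, keys: Iterable, key_dist: Dict, msg_dist: Dict) -> Fraction:
    """Largest |Pr[P=m|C=c] - Pr[P=m]| over all c and m: zero iff the scheme is Shannon secure."""
    post = posterior(enc, keys, key_dist, msg_dist)
    cs = {c for c, _ in post}
    return max(abs(post.get((c, m), Fraction(0)) - msg_dist[m]) for c in cs for m in msg_dist)


def is_perfectly_secret(enc: Callable, keys: Iterable, key_dist: Dict, msg_dist: Dict) -> bool:
    return max_leak(enc, keys, key_dist, msg_dist) == 0


def uniform(xs: Iterable) -> Dict:
    xs = list(xs)
    return {x: Fraction(1, len(xs)) for x in xs}


def skewed(xs: Iterable, heavy) -> Dict:
    """Constructed distribution: 'heavy' gets probability 1/2, the rest share the other half."""
    xs = list(xs)
    rest = Fraction(1, 2 * (len(xs) - 1))
    return {x: (Fraction(1, 2) if x == heavy else rest) for x in xs}


def shift_letter(k: int, m: int) -> int:
    """Shift cipher on one letter of Z_26: |K| = |P| = |C| = 26."""
    return (m + k) % 26


def shift_pair(k: int, m: Tuple[int, int]) -> Tuple[int, int]:
    """The same key reused on two letters: |K| = 26 < |P| = 676, so the 'bad news' theorem applies."""
    return ((m[0] + k) % 26, (m[1] + k) % 26)


# Constructed plaintext distribution: letter 4 ('e') is far more likely than the others.
ENGLISH_LIKE = skewed(range(26), 4)

if __name__ == "__main__":
    K = range(26)
    print("shift, uniform key, one letter :", is_perfectly_secret(shift_letter, K, uniform(K), ENGLISH_LIKE))
    print("shift, skewed key, one letter  :", is_perfectly_secret(shift_letter, K, skewed(K, 0), ENGLISH_LIKE))
    pairs = uniform(product(range(26), repeat=2))
    print("shift, uniform key, two letters:", is_perfectly_secret(shift_pair, K, uniform(K), pairs),
          " max leak =", max_leak(shift_pair, K, uniform(K), pairs))
```

`max_leak` is the quantity an eavesdropper gains: for the two-letter case it is 25/676, because a ciphertext pair pins the plaintext down to the 26 pairs with the same letter difference.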

Introduction to Complexity

• Perfect secrecy: key length ≥ message length
  – can NOT use one key to encrypt many messages
  – e.g. a 56-bit key cannot give perfect secrecy for a document longer than 56 bits

• So in modern cryptography
  – NOT perfect secrecy
  – but secure against adversaries with limited resources (complexity)
  – meaning that key (or plaintext) recovery is computationally difficult
  – complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing machine is given by a transition function δ: S × B → S × B × {l, r}
  – S is the set of states, B the tape alphabet, l is shift left, r is shift right

• Diagram: an infinite tape (… 0 1 1 0 0 0 1 1 …) read and written by a head that is driven by the state machine

Algorithms

• Definition: An algorithm is a step-by-step procedure (formally, a Turing machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms

• Diagram: a PROBLEM has many INSTANCES; an instance is the input to an ALGORITHM, whose output is the answer for that instance

Complexity of Algorithm

• Definition: The time complexity of an algorithm is how many steps (of the Turing machine) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – logarithmic functions: f(n) = log(n)
  – polynomial functions: f(n) = n^a, a ∈ N
  – exponential functions: f(n) = Ω(a^n) for some a ∈ N, a > 1, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – the complexity of a problem is much more difficult to determine (it is a bound over every possible algorithm)
  – it relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problems

• Undecidable: provably intractable
  – there is no algorithm that solves it
  – e.g. the Turing halting problem

• Decidable
  – P: can be solved in polynomial time using a deterministic Turing machine (DTM)
    • example: multiplication A·B
  – NP: can be solved in polynomial time using a nondeterministic Turing machine (NDTM)
    • transition relation δ: S × B → 2^{S × B × {l, r}} (a set of possible moves)
  – BPP: can be "solved" in polynomial time using a probabilistic Turing machine (PTM)
    • the transition function reads an extra random bit, δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)

NP Problems

• NP ⊇ P: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult" from intuition

• NPC: the most difficult problems in NP
  – how to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: Assume Q_1, Q_2 ∈ NP with instance sets I_1, I_2, and let I_1^+ ⊆ I_1 and I_2^+ ⊆ I_2 be their 'yes' instances.
  Q_1 is polynomially reducible to Q_2 if there is a function f: I_1 → I_2 such that
  – f is computable in polynomial time by a DTM
  – for all x ∈ I_1: x ∈ I_1^+ iff f(x) ∈ I_2^+

• Note
  – Q_2 is at least as complex as Q_1
  – denoted Q_1 ≤_poly Q_2

NP Completeness (NPC)

• Definition: An NP-complete problem is a problem Q_c ∈ NP such that for every Q ∈ NP we have Q ≤_poly Q_c

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC?
  – show Q ∈ NP and SAT ≤_poly Q

P = NP?

• Either P = NP, or there exists a problem p ∈ NP with p ∉ P

• If P = NP
  – modern (complexity-based) cryptography is NOT secure

• If there exists p ∈ NP with p ∉ P (the conjectured case)
  – a one-way function could be built from p (strictly, this needs p to be hard on average, not only in the worst case; P ≠ NP alone is not known to suffice)
  – indistinguishable pseudorandom functions would exist
  – these are the foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
  – especially in cryptanalysis
  – BPP is the model for randomized algorithms

• Remarks on BPP
  – the problem can be solved with bounded error probability
  – the error probability can be reduced by repetition
  – the security of cryptography is meaningful against BPP (probabilistic polynomial-time) adversaries
  – will be analyzed in depth later

Problems in Cryptography

• FACTORING: factorize n (= p_1^{e_1} p_2^{e_2} … p_k^{e_k})

• DLP (discrete logarithm): find x satisfying α^x ≡ β (mod p)

• DHP (Diffie-Hellman): find α^{ab} (mod p) from α^a (mod p) and α^b (mod p)

• Subset-Sum: given a set of positive integers A = {a_1, a_2, …, a_n} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP (quadratic residuosity): decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying x^2 ≡ a (mod n)
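To make the list above concrete, the following is an added example (not course code) that solves each problem at toy size with the obvious generic algorithm, so that the cost that makes them usable as cryptographic assumptions is visible: trial division and baby-step giant-step are exponential in the bit length, the Subset-Sum dynamic program is pseudo-polynomial, and the quadratic-residue problems are easy modulo a prime but tied to factoring modulo n = pq. The last function shows that link: two square roots of the same value modulo 77 give a factor. Function names and the specific numbers are my own choices.

```python
from __future__ import annotations
from math import gcd, isqrt


def trial_factor(n: int) -> list[int]:
    """FACTORING by trial division: fine for toy n, exponential in the bit length of n."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def dlp_bsgs(alpha: int, beta: int, p: int) -> int | None:
    """DLP: x with alpha^x = beta (mod p) by baby-step giant-step, O(sqrt p) time and memory."""
    m = isqrt(p) + 1
    baby = {pow(alpha, j, p): j for j in range(m)}   # alpha^j -> j
    giant = pow(alpha, -m, p)                          # alpha^(-m), needs Python >= 3.8
    gamma = beta % p
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant % p
    return None


def dhp_with_dlp(alpha: int, ga: int, gb: int, p: int) -> int:
    """DHP solved through DLP: recover a from alpha^a, then compute (alpha^b)^a."""
    a = dlp_bsgs(alpha, ga, p)
    return pow(gb, a, p)


def subset_sum(a: list[int], s: int) -> bool:
    """Subset-Sum by dynamic programming over reachable sums: O(n*s), pseudo-polynomial."""
    reach = {0}
    for x in a:
        reach |= {r + x for r in reach if r + x <= s}
    return s in reach


def is_qr(a: int, p: int) -> bool:
    """QRP for an odd prime p by Euler's criterion: a^((p-1)/2) = 1 (mod p)."""
    return pow(a % p, (p - 1) // 2, p) == 1


def sqrt_mod_prime(a: int, p: int) -> int | None:
    """SQROOT for a prime p = 3 (mod 4): x = a^((p+1)/4) is a root when a is a residue."""
    if p % 4 != 3 or not is_qr(a, p):
        return None
    x = pow(a, (p + 1) // 4, p)
    return x if x * x % p == a % p else None


def factor_from_roots(n: int, x: int, y: int) -> int | None:
    """Why SQROOT mod n = pq is as hard as FACTORING: two roots with x != +-y (mod n) give
    n | (x - y)(x + y) without n dividing either factor, so gcd(x - y, n) is a proper divisor."""
    if (x * x - y * y) % n != 0 or (x - y) % n == 0 or (x + y) % n == 0:
        return None
    g = gcd(x - y, n)
    return g if 1 < g < n else None


if __name__ == "__main__":
    print("84 =", trial_factor(84))
    print("log_3(4) mod 7 =", dlp_bsgs(3, 4, 7))
    print("2 is a QR mod 7:", is_qr(2, 7), " sqrt(2) mod 7 =", sqrt_mod_prime(2, 7))
    print("18^2 = 4^2 (mod 77): gcd(18 - 4, 77) =", factor_from_roots(77, 18, 4))
```

Every routine here becomes infeasible at cryptographic sizes (2048-bit n, 256-bit group orders); the point of the list on the slide is precisely that no known algorithm does much better than these in the general case.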

Semantic Security

• Ideas of semantic security
  – between Shannon security and security based on complexity
  – the ciphertext may leak partial information, but nothing a bounded adversary can use
  – approximates perfect secrecy for bounded adversaries

• Definition of semantic security (via indistinguishability of ciphertexts)
  – difficult to distinguish the ciphertexts of different plaintexts
  – difficult to distinguish a ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – a cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

• The game
  – Challenger: picks a random key k and a random bit b ∈ {0, 1}
  – Adversary: may ask the challenger for encryptions E_k(M) of messages M of its choice (the chosen-plaintext queries)
  – Adversary: picks M_0, M_1 of equal length and sends them to the challenger
  – Challenger: returns the challenge ciphertext C = E_k(M_b)
  – Adversary: outputs a guess b'
  – the attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

• The game
  – Challenger: 1. picks a random key k; 2. picks a random message M; sends C = E_k(M)
  – Adversary: 3. picks a position i and outputs a guess a for the i'th bit of M
  – the attacker wins the game if a = i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
  – choose two random messages M_0, M_1 and obtain the challenge C = E_k(M_b)
  – run the bit attacker on C to get a position i and a guess a
  – if the i'th bits of M_0 and M_1 differ, output the b' whose message has bit a at position i; otherwise guess at random
  – the bit attacker is right with probability 1/2 + ε, so this adversary wins with probability 1/2 + ε/2, contradicting IND-CPA security
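The three games above (IND-CPA, bit security, and the reduction between them) are small enough to run. The following is an added example, not course code: a challenger that answers chosen-plaintext queries and issues one challenge, a generic adversary that breaks any deterministic cipher by replaying M_0 through the oracle, a bit-security attacker against the deterministic cipher, and the reduction from the slide that turns it into an IND-CPA adversary winning about three quarters of the games. The "ciphers" are toy constructions assumed for the demonstration: a keystream derived as SHA-256(key || nonce), used once with a fixed nonce (deterministic) and once with a fresh random nonce per message.

```python
from __future__ import annotations
import hashlib
import os
import random
from typing import Callable, Tuple

MSG_LEN = 16   # all game messages are MSG_LEN bytes (IND-CPA requires equal lengths)


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return rng.getrandbits(8 * n).to_bytes(n, "big")


def keystream(key: bytes, nonce: bytes) -> bytes:
    """Toy PRF-style keystream SHA-256(key || nonce), truncated: an assumption for the demo,
    not a standard construction."""
    return hashlib.sha256(key + nonce).digest()[:MSG_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc_deterministic(key: bytes, m: bytes) -> bytes:
    """Keystream reused for every message (a 'two-time pad'): deterministic, hence not IND-CPA."""
    return xor(keystream(key, b""), m)


def enc_randomized(key: bytes, m: bytes) -> bytes:
    """Fresh random nonce per encryption, sent in the clear in front of the ciphertext."""
    nonce = os.urandom(16)
    return nonce + xor(keystream(key, nonce), m)


class Challenger:
    """IND-CPA challenger: holds k and b, answers chosen-plaintext queries, issues one challenge."""

    def __init__(self, enc: Callable, rng: random.Random):
        self.enc = enc
        self.key = rand_bytes(rng, 16)
        self.b = rng.randrange(2)

    def encrypt(self, m: bytes) -> bytes:          # the chosen-plaintext oracle
        return self.enc(self.key, m)

    def challenge(self, m0: bytes, m1: bytes) -> bytes:
        assert len(m0) == len(m1) == MSG_LEN
        return self.enc(self.key, (m0, m1)[self.b])


def adversary_replay(ch: Challenger, rng: random.Random) -> int:
    """Generic IND-CPA adversary against any deterministic cipher: ask the oracle for E_k(M0)
    and compare it with the challenge ciphertext."""
    m0, m1 = bytes(MSG_LEN), bytes([0xFF]) * MSG_LEN
    c = ch.challenge(m0, m1)
    return 0 if ch.encrypt(m0) == c else 1


def bit_attacker(ch: Challenger, c: bytes) -> Tuple[int, int]:
    """Bit-security attacker on enc_deterministic: E_k(0..0) is the keystream itself, so
    c XOR E_k(0..0) = M.  Returns (bit position i, guess a) for the lowest bit of M."""
    m = xor(ch.encrypt(bytes(MSG_LEN)), c)
    return 0, m[0] & 1


def bit_at(m: bytes, i: int) -> int:
    return (m[i // 8] >> (i % 8)) & 1


def indcpa_from_bit_attacker(attack: Callable) -> Callable:
    """The reduction from the slide: from a bit-security attacker build an IND-CPA adversary.
    M0, M1 are random; when their i'th bits differ, the predicted bit identifies b."""
    def adversary(ch: Challenger, rng: random.Random) -> int:
        m0, m1 = rand_bytes(rng, MSG_LEN), rand_bytes(rng, MSG_LEN)
        c = ch.challenge(m0, m1)
        i, a = attack(ch, c)
        if bit_at(m0, i) != bit_at(m1, i):
            return 0 if a == bit_at(m0, i) else 1
        return rng.randrange(2)       # the bits agree: the prediction says nothing about b
    return adversary


def win_rate(enc: Callable, adversary: Callable, trials: int, seed: int = 1) -> float:
    """Fraction of games the adversary wins; 0.5 + epsilon is its advantage."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        ch = Challenger(enc, rng)
        wins += adversary(ch, rng) == ch.b
    return wins / trials


if __name__ == "__main__":
    print("replay vs deterministic   :", win_rate(enc_deterministic, adversary_replay, 200))
    print("replay vs randomized      :", win_rate(enc_randomized, adversary_replay, 400))
    reduced = indcpa_from_bit_attacker(bit_attacker)
    print("reduction vs deterministic:", win_rate(enc_deterministic, reduced, 400))
```

The replay adversary wins every game against the deterministic cipher and only about half against the randomized one; it is the standard argument for why IND-CPA forces encryption to be randomized. The reduction wins about 3/4 of the games because the random M_0, M_1 differ in the attacked bit only half the time, which is the ε/2 loss noted above.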

Summary

• Number Theory
  – primes, gcd, Euler's theorem, CRT
  – modular arithmetic

• Algebraic Structures
  – group, ring, field
  – Z_n, Z_p, GF(2^n)

• Shannon Security
  – perfect secrecy
  – probability

• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL
  http://cst.hit.edu.cn/cryptography

• Due date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 43

Group Example

bull ltZ +gt e=0 a-1 = - a

bull ltZn +gt (ZN=01hellipn-1 lsquo+rsquo is addition modulo n) e=0 a-1 = n ndash a

bull ltZ2 gt is also a group

bull ltZp gt (Zp

=1hellipp-1 lsquorsquo is multiplicative)

Zhijun Li S1034040Autumn08HIT 44

Group Properties

bull Definition The order of a finite group is the number of the elements in the group

bull Definition A group G1=ltS1 gt is a subgroup of the group G=ltS gt if S1 S

bull Lagrange Theorem The order of a subgroup H of a finite group G divides the order of G

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date


Zhijun Li S1034040 Autumn08 HIT 44

Group Properties

• Definition: The order of a finite group is the number of elements in the group.

• Definition: A group G1 = <S1, ·> is a subgroup of the group G = <S, ·> if S1 ⊆ S.

• Lagrange's Theorem: The order of a subgroup H of a finite group G divides the order of G.

Zhijun Li S1034040 Autumn08 HIT 45

Lagrange's Theorem: Proof

(1) Definition of coset: Let G be a group and H a subgroup of G. For a ∈ G, the set aH = {ah | h ∈ H} is called a coset of H.

(2) For a, b ∈ G, either aH = bH or aH ∩ bH = ∅.

(3) Each element of G is in some coset (a ∈ aH because e ∈ H). So the cosets form a partition of G.

(4) The order of aH equals the order of H.

So the order of H divides the order of G.

Zhijun Li S1034040 Autumn08 HIT 46

The Order of a Group Element

• Definition: The order of a group element a is the least positive integer n such that

a^n = a · a · … · a = e

• The order of a is denoted ord(a).

• Corollary: Suppose G is a finite group of order n and a ∈ G; then ord(a) | n.

Zhijun Li S1034040 Autumn08 HIT 47

ord(a) | n: Proof

• Proof
– For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} with the operator of G forms a subgroup of G:

a^ord(a) = e, (a^i)^-1 = a^(ord(a) - i)

– This subgroup is denoted <a>; it has ord(a) elements, so by Lagrange's theorem ord(a) divides |G| = n.

Zhijun Li S1034040 Autumn08 HIT 48

The Generator of a Group

• Definition: If all elements of a group can be generated by a single element g, then g is called a generator of the group.

• Example
– Consider <Z7*, ·>
– 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), …
• {1, 2, 4} is a subgroup
– 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1, …
• 3 is a generator

Zhijun Li S1034040 Autumn08 HIT 49

Ring

• Definition: A ring R = <S, +, ·> (+ is addition, · is multiplication) is such that
– R1: ∀a, b ∈ S: a + b ∈ S, a · b ∈ S (closure rule)
– R2: <S, +> is an additive Abelian group
– R3: ∀a, b, c ∈ S: (a · b) · c = a · (b · c)
– R4: ∀a, b, c ∈ S: a · (b + c) = a · b + a · c

• Example
– The set of even integers with + and · is a ring
– For two primes p, q and n = pq, Zn = {0, 1, …, n-1} with addition and multiplication mod n is a ring

Zhijun Li S1034040 Autumn08 HIT 50

Field

• Definition: A field F is <S, +, ·> with
– F1: <S, +, ·> is a commutative ring (ab = ba)
– F2: there exists an identity element 1 with respect to multiplication: a · 1 = 1 · a = a
– F3: any nonzero element a ∈ S has a unique inverse a^-1: a · a^-1 = a^-1 · a = 1

• Example
– Zn = <{0, 1, …, n-1}, +, ·> is a field if n is a prime

Zhijun Li S1034040 Autumn08 HIT 51

Relationship (diagram): Group (+, −), Ring (+, −, ×), Field (+, −, ×), each building on the previous one; these are the structures used in cryptography.

Zhijun Li S1034040 Autumn08 HIT 52

Several Important Structures

• Zn
• Zn*
• Zp
• Polynomial rings
• Galois field GF(2^n)

Zhijun Li S1034040 Autumn08 HIT 53

Zn

• Zn is the "ring" of integers modulo n
– Zn = {0, 1, 2, …, n-1}
– Normal addition modulo n
– Normal multiplication modulo n

• Example
– Z26 for English
– Z256 for ASCII

Zhijun Li S1034040 Autumn08 HIT 54

Zn Properties

• Additive and multiplicative identities in Zn
– Additive identity is 0 mod n
– Multiplicative identity is 1 mod n

• Additive inverse: yes
– For every x in Zn there is a y such that x + y = 0 (mod n)

• Multiplicative inverse: not for all x
– A number y such that xy = 1 (mod n)
– The elements of Zn that have an inverse: {x | gcd(x, n) = 1}

Zhijun Li S1034040 Autumn08 HIT 55

Zn*

• Zn* is a "group" of integers modulo n
– Zn* = {x | gcd(x, n) = 1}
– |Zn*| = φ(n)
– Normal multiplication modulo n

• Zn* may not be a group over +
– Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*

• So Zn* may not be a field

Zhijun Li S1034040 Autumn08 HIT 56
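As an added illustration (not the lecture's own code), the following Python computes Zn*, φ(n), element orders, the cyclic subgroup <a> and the generators by brute force, and checks the slides' claims: in <Z7*, ·> the element 2 generates only {1, 2, 4} while 3 generates everything, Z20* is not closed under +, and ord(a) divides |Zn*| as Lagrange's theorem requires. Function names are my own.

```python
"""Multiplicative group Z_n^*: elements, Euler's phi, element orders, generators.

Added illustration (not the lecture's own code); it checks the slides' claims
about <Z_7^*, .> and Z_20^* by brute force.
"""
from math import gcd


def units(n):
    """Z_n^* = {x in Z_n | gcd(x, n) = 1}."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def phi(n):
    """Euler's totient: |Z_n^*|."""
    return len(units(n))


def order(a, n):
    """ord(a) in Z_n^*: least positive k with a^k = 1 (mod n). Needs gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("a is not a unit modulo n")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def generated_subgroup(a, n):
    """<a> = {a, a^2, ..., a^ord(a)}: the cyclic subgroup generated by a."""
    if gcd(a, n) != 1:
        raise ValueError("a is not a unit modulo n")
    elems, x = [], a % n
    while True:
        elems.append(x)
        x = (x * a) % n
        if x == a % n:                     # cycled back: every power has been seen
            return sorted(elems)


def generators(n):
    """Elements g with <g> = Z_n^*, i.e. ord(g) = phi(n)."""
    return [g for g in units(n) if order(g, n) == phi(n)]


def closed_under_addition(n):
    """Is Z_n^* closed under + mod n? (slide: n = 20, 3 + 5 = 8 is not a unit)"""
    u = set(units(n))
    return all((a + b) % n in u for a in u for b in u)


def lagrange_holds(n):
    """ord(a) | |Z_n^*| for every unit a: |<a>| = ord(a) and <a> is a subgroup."""
    return all(phi(n) % order(a, n) == 0 for a in units(n))


if __name__ == "__main__":
    print("Z_7^*        :", units(7))
    print("<2> in Z_7^* :", generated_subgroup(2, 7))   # {1, 2, 4}: a proper subgroup
    print("<3> in Z_7^* :", generated_subgroup(3, 7))   # all of Z_7^*, so 3 generates
    print("generators   :", generators(7))
    print("Z_20^* closed under +?", closed_under_addition(20))
    print("ord(a) | phi(20) for all a?", lagrange_holds(20))
```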

Zp

• Zp is the "field" of integers modulo a prime p
– Zp = {0, 1, 2, …, p-1}
– Normal addition modulo p
– Normal multiplication modulo p

• Example: Z2

Addition (XOR):
  + | 0 1
  --+----
  0 | 0 1
  1 | 1 0

Multiplication (AND):
  · | 0 1
  --+----
  0 | 0 0
  1 | 0 1

Inverses:
  w | -w | w^-1
  --+----+------
  0 |  0 | (none)
  1 |  1 |  1

Zhijun Li S1034040 Autumn08 HIT 57

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n-1} x^{n-1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0.

• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R.

Zhijun Li S1034040 Autumn08 HIT 58

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
– f(x) + g(x) = x^3 + x^2 + 1
– f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
– f(x) · g(x) = x^5 + x^4 + x^3 + x

Zhijun Li S1034040 Autumn08 HIT 59

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
– p(x) is an irreducible polynomial over R

• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Zhijun Li S1034040 Autumn08 HIT 60

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) − b(x))

• Example
– In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 (mod x^2 + 1)
• 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)

• Definition: If a(x) b(x) ≡ 1 (mod p(x)) then b(x) = a^-1(x) mod p(x)

Zhijun Li S1034040 Autumn08 HIT 61

Irreducible Polynomials

• Definition: If a(x) = q(x) b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)

• Definition: A polynomial a(x) is irreducible over a ring R if there is NO non-constant polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Zhijun Li S1034040 Autumn08 HIT 62

Example: Z2[x]/(x^3 + x + 1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1

• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S

• Example
– x^4 + 1 = x · x^3 + 1 mod p(x) = x(x + 1) + 1 = x^2 + x + 1

• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Zhijun Li S1034040 Autumn08 HIT 63

Z2[x]/(x^3 + x + 1): Properties

• S is a group over addition in R
– 0 is e, and the inverse of a ∈ S is a itself
– Example: (x^2 + 1) + (x^2 + 1) = 0

• S (without 0) is a group over multiplication mod p(x)
– 1 is e, and the inverse of a ∈ S exists
– Example: (x^2 + 1) · x = x^3 + x ≡ (x + 1) + x (mod x^3 + x + 1) = 1
– Note: the Extended Euclidean Algorithm can be used to find the inverse

• Z2[x]/(x^3 + x + 1) is a field

Zhijun Li S1034040 Autumn08 HIT 64
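The polynomial-ring operations of slides 58 to 64, as an added Python example (not from the lecture): coefficient-list arithmetic over Zp, long division for residues mod p(x), the congruence test, and the Extended Euclidean inverse the last slide mentions. It reproduces the Z2[x] sum and product, the Z5[x] congruence, x^4 + 1 mod (x^3 + x + 1), and the inverse of x^2 + 1 in Z2[x]/(x^3 + x + 1); all names are my own.

```python
"""Polynomial arithmetic over Z_p and residues modulo p(x).

Added illustration (not the lecture's code). A polynomial a_0 + a_1 x + ... + a_n x^n
is the list [a_0, a_1, ..., a_n] with coefficients reduced modulo the prime p.
"""


def trim(a):
    """Drop leading zero coefficients; the zero polynomial is []."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a


def deg(a):
    return len(trim(a)) - 1                    # deg of the zero polynomial is -1


def add(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x + y) % p for x, y in zip(a, b)])


def sub(a, b, p):
    return add(a, [(-y) % p for y in b], p)


def mul(a, b, p):
    out = [0] * (len(a) + len(b))
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)


def divmod_poly(a, b, p):
    """Long division in Z_p[x]: returns (q, r) with a = q*b + r and deg r < deg b."""
    a, b = trim(a), trim(b)
    if not b:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(b[-1], -1, p)               # p prime, so the lead coefficient is a unit
    q = [0] * max(len(a) - len(b) + 1, 1)
    r = a[:]
    while len(r) >= len(b):
        coef = (r[-1] * inv_lead) % p
        shift = len(r) - len(b)
        q[shift] = coef
        r = trim(sub(r, [0] * shift + [(coef * y) % p for y in b], p))
    return trim(q), r


def mod(a, m, p):
    return divmod_poly(a, m, p)[1]


def congruent(a, b, m, p):
    """a(x) = b(x) (mod m(x))  iff  m(x) | (a(x) - b(x))."""
    return mod(sub(a, b, p), m, p) == []


def inverse(a, m, p):
    """a(x)^-1 mod m(x) by the extended Euclidean algorithm; None if gcd(a, m) != 1."""
    r0, r1 = trim(m), mod(a, m, p)
    s0, s1 = [], [1]                           # invariant: r_i = s_i * a (mod m)
    while r1:
        q, r = divmod_poly(r0, r1, p)
        r0, r1 = r1, r
        s0, s1 = s1, sub(s0, mul(q, s1, p), p)
    if deg(r0) != 0:
        return None                            # gcd is not a constant: no inverse
    c = pow(r0[0], -1, p)                      # scale the constant gcd to 1
    return mod([(c * x) % p for x in s0], m, p)


if __name__ == "__main__":
    f, g = [1, 1, 0, 1], [0, 1, 1]             # x^3+x+1 and x^2+x in Z_2[x]
    print("f+g =", add(f, g, 2), " f*g =", mul(f, g, 2))
    print("Z_5: 3x^3+4x+4 = x+4 (mod x^2+1)?", congruent([4, 4, 0, 3], [4, 1], [1, 0, 1], 5))
    p3 = [1, 1, 0, 1]                          # x^3+x+1, irreducible over Z_2
    print("x^4+1 mod p3 =", mod([1, 0, 0, 0, 1], p3, 2))
    print("(x^2+1)^-1 mod p3 =", inverse([1, 0, 1], p3, 2))
```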

Galois Field

• Definition: Galois field = (S, +, ·)
– S = F[x]/p(x)
– F is the field Z_N (N is prime)
– + is addition in F, · is multiplication modulo p(x)
– p(x) is irreducible

• The Galois field over Z_N[x]/p(x) is denoted GF(N^n) when n = deg p(x)

Zhijun Li S1034040 Autumn08 HIT 65

Why Galois Fields

• For an 8-bit block
– Z256 = {0, 1, …, 255} is not a field
– Z251 = {0, 1, …, 250} is a field
• The largest prime < 256 is 251
• 251 … 255 are wasted

• Is it possible to find a field for Z256 (all 256 byte values)?
– Yes: a Galois field

Zhijun Li S1034040 Autumn08 HIT 66

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block

10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Zhijun Li S1034040 Autumn08 HIT 67

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
– 01010011 ↔ x^6 + x^4 + x + 1
– (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Zhijun Li S1034040 Autumn08 HIT 68

Galois Field Example: AES

• Example: 02 · 87 = ?
• 87 = 10000111, f(x) = x^7 + x^2 + x + 1
• 02 = 00000010, f(x) = x
• 02 · 87 = x · f(x) = x(x^7 + x^2 + x + 1) mod p(x)
  = x^8 + x(x^2 + x + 1) mod p(x)

Multiplication by 02 on the byte b7 b6 b5 b4 b3 b2 b1 b0 (x · f(x)):
– if b7 = 0: (b6 b5 b4 b3 b2 b1 b0 0)
– if b7 = 1: (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)

Zhijun Li S1034040 Autumn08 HIT 69
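The byte-level version of the two AES slides, as an added Python example (not the lecture's code): xtime implements the multiply-by-02 rule above (shift, then XOR 00011011 when b7 = 1), gf_mul builds general products from it, and gf_inv uses a^254 (Lagrange's theorem applied to the 255-element multiplicative group) to recover the slide's 53 → CA inverse. Names are my own.

```python
"""Byte arithmetic in AES's GF(2^8) = Z_2[x]/(x^8 + x^4 + x^3 + x + 1).

Added illustration (not the lecture's code). A byte b7...b0 stands for the
polynomial b7 x^7 + ... + b0, exactly as on the slides.
"""

AES_POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1 (bit 8 is the x^8 term)
REDUCE = 0x1B             # x^8 = x^4 + x^3 + x + 1 once the x^8 term is dropped: 00011011


def xtime(b):
    """Multiply by 02 (i.e. by x): shift left, XOR 0x1B if an x^8 term appeared (b7 = 1)."""
    b <<= 1
    if b & 0x100:
        b ^= AES_POLY     # same effect as (b & 0xFF) ^ REDUCE
    return b & 0xFF


def gf_mul(a, b):
    """General product a * b reduced mod p(x), by shift-and-add: each set bit of b
    selects a * x^i, and the multiples a * x^i are built by repeated xtime."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^8)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    """a^-1 in GF(2^8). The multiplicative group has 255 elements, so ord(a) | 255
    and a^255 = 1 for a != 0, hence a^-1 = a^254. 0 has no inverse (returned as 0)."""
    return gf_pow(a, 254) if a else 0


def poly_str(b):
    """Render a byte as a polynomial over Z_2, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    terms = [("x^%d" % i if i > 1 else ("x" if i == 1 else "1"))
             for i in range(7, -1, -1) if (b >> i) & 1]
    return " + ".join(terms) if terms else "0"


if __name__ == "__main__":
    # slide example: 02 * 87 = x*(x^7+x^2+x+1) = x^8 + x^3 + x^2 + x, then reduce x^8
    prod = gf_mul(0x02, 0x87)
    print("02 * 87 = %02X  (%s)" % (prod, poly_str(prod)))
    # slide example: (01010011)^-1 = 11001010
    inv = gf_inv(0x53)
    print("53^-1 = %02X = %s" % (inv, poly_str(inv)))
    print("check 53 * %02X = %02X" % (inv, gf_mul(0x53, inv)))
```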

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Zhijun Li S1034040 Autumn08 HIT 70

Mathematical Model for Ciphers

• Message space: $P = M^L = \{ m = (m_1, m_2, \dots, m_L) \mid m_i \in M \}$
– $M = \{a_i \mid i = 1, 2, \dots, N\}$, $p(a_i) \ge 0$, $\sum_{i=1}^{N} p(a_i) = 1$

• Key space: $K = B^R = \{ b = (b_1, b_2, \dots, b_R) \mid b_i \in B \}$
– $B = \{b_i \mid i = 1, 2, \dots, S\}$, $p(b_i) \ge 0$, $\sum_{i=1}^{S} p(b_i) = 1$

• Ciphertext space: $C = \{ c \mid c = e_k(m),\ k \in K,\ m \in P \}$

(Diagram: Sender → Encryption → c → Decryption → Receiver; the key k reaches both ends over a Secure Channel; Cryptanalysis observes c and tries to recover m; Key Space (K), Message Space (P), Ciphertext Space (C).)

Zhijun Li S1034040 Autumn08 HIT 71

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager

Claude Shannon, 1916–2001

Zhijun Li S1034040 Autumn08 HIT 72

Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]$
– $C(k) = \{ e_k(m) \mid m \in P \}$

• $\Pr[C = c \mid P = m] = \sum_{k \in K,\ m = d_k(c)} \Pr[K = k]$

• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \cdot \Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m) \sum_{k \mid m = d_k(c)} \Pr(k)}{\sum_{k \in K,\ c \in C(k)} \Pr(k) \Pr(d_k(c))}$

Zhijun Li S1034040 Autumn08 HIT 73

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
– How to define "information"?

• Definition: An encryption scheme is Shannon secure if, for every probability distribution of P,
$\forall c,\ \forall m:\ \Pr[P = m] = \Pr[P = m \mid C = c]$
• Such a scheme is also said to have perfect secrecy

Zhijun Li S1034040 Autumn08 HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Zhijun Li S1034040 Autumn08 HIT 75

Proof of (⇐)

$$\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \frac{\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] \Pr[\mathbf{x} = x]}{\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \Pr[\mathbf{x} = d_k(y)]}$$

$$\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] = \frac{1}{|K|}$$

$$\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \Pr[\mathbf{x} = d_k(y)] = \frac{1}{|K|} \sum_{k \in K,\ y \in C(k)} \Pr[\mathbf{x} = d_k(y)] = \frac{1}{|K|} \sum_{x \in P} \Pr[\mathbf{x} = x] = \frac{1}{|K|}$$

Hence $\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \Pr[\mathbf{x} = x]$.

Zhijun Li S1034040 Autumn08 HIT 76

Proof of (⇒)

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]

• Fix x ∈ P, y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y

• |{e_k(x) | k ∈ K}| = |C| = |K|
– There are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
– There is a unique key k such that e_k(x) = y

Zhijun Li S1034040 Autumn08 HIT 77

Proof of (⇒), continued

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}

• Given a fixed y, let k_1, k_2, …, k_n be the keys with e_{k_i}(x_i) = y

• Pr[x_i | y] = Pr[y | x_i] Pr[x_i] / Pr[y] = Pr[K = k_i] Pr[x_i] / Pr[y]

• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
– Every key is used with equal probability 1/|K|

Zhijun Li S1034040 Autumn08 HIT 78

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
– Consider a probability distribution of P in which every message has nonzero probability
– Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
– As one key decrypts c into only one message, at least n keys are needed

Zhijun Li S1034040 Autumn08 HIT 79
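To make the perfect-secrecy conditions concrete, this added Python example (not the lecture's code) evaluates the formulas of the "Probability Distribution of C" slide exactly with fractions for a constructed one-symbol shift cipher over Z3 and a skewed plaintext distribution. It confirms perfect secrecy with uniform keys over all of Z3, and shows that both the "bad news" case (|K| < n) and a non-uniform key distribution fail; names are my own.

```python
"""Checking Shannon / perfect secrecy by computing the slides' probabilities exactly.

Added illustration (not the lecture's code). A cryptosystem is given by the key
distribution Pr[K=k], the plaintext distribution Pr[P=m], and e_k(m); Pr[C=c],
Pr[C=c|P=m] and Pr[P=m|C=c] are derived with the formulas of the
'Probability Distribution of C' slide, using exact fractions.
"""
from fractions import Fraction
from itertools import product


def ciphertext_dist(pr_k, pr_p, enc):
    """Pr[C=c] = sum over (k, m) with e_k(m) = c of Pr[K=k] * Pr[P=m]."""
    dist = {}
    for k, m in product(pr_k, pr_p):
        c = enc(k, m)
        dist[c] = dist.get(c, Fraction(0)) + pr_k[k] * pr_p[m]
    return dist


def pr_c_given_p(pr_k, enc, c, m):
    """Pr[C=c | P=m] = sum of Pr[K=k] over the keys with e_k(m) = c."""
    return sum((pr_k[k] for k in pr_k if enc(k, m) == c), Fraction(0))


def pr_p_given_c(pr_k, pr_p, enc, m, c):
    """Bayes: Pr[P=m | C=c] = Pr[C=c | P=m] * Pr[P=m] / Pr[C=c]."""
    pc = ciphertext_dist(pr_k, pr_p, enc)[c]
    return pr_c_given_p(pr_k, enc, c, m) * pr_p[m] / pc


def perfect_secrecy(pr_k, pr_p, enc):
    """Shannon secure iff Pr[P=m] = Pr[P=m | C=c] for every m and every c with Pr[C=c] > 0."""
    cdist = ciphertext_dist(pr_k, pr_p, enc)
    return all(pr_p_given_c(pr_k, pr_p, enc, m, c) == pr_p[m]
               for m in pr_p for c in cdist if cdist[c] > 0)


def uniform(items):
    return {x: Fraction(1, len(items)) for x in items}


def shift3(k, m):
    """Constructed toy cipher: one symbol of a shift cipher over Z_3, e_k(m) = m + k mod 3."""
    return (m + k) % 3


# Constructed, deliberately skewed plaintext distribution so that leaks are visible.
PLAIN = {0: Fraction(1, 2), 1: Fraction(1, 3), 2: Fraction(1, 6)}

ONE_TIME_PAD = uniform([0, 1, 2])             # |K| = |P| = |C| and uniform keys: perfect
SMALL_KEYS = uniform([0, 1])                  # |K| < |P|: the 'bad news' theorem applies
SKEWED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}  # non-uniform keys


if __name__ == "__main__":
    for name, pk in [("uniform keys", ONE_TIME_PAD), ("2 keys", SMALL_KEYS),
                     ("skewed keys", SKEWED_KEYS)]:
        print(name, "-> perfect secrecy:", perfect_secrecy(pk, PLAIN, shift3))
    # With only keys {0, 1}, ciphertext 0 can only come from plaintext 0 or 2:
    print("Pr[P=1 | C=0] with 2 keys =", pr_p_given_c(SMALL_KEYS, PLAIN, shift3, 1, 0))
    # With skewed keys, seeing C=0 raises the posterior of P=0 from 1/2 to 2/3:
    print("Pr[P=0 | C=0] with skewed keys =", pr_p_given_c(SKEWED_KEYS, PLAIN, shift3, 0, 0))
```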

Introduction to Complexity

• Perfect secrecy: key length ≥ message length
– Can NOT use one key to encrypt many messages
– Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
– NOT perfect secrecy
– IS secure under limited resources (complexity)
– Means that key (or plaintext) recovery is difficult
– Complexity is the foundation of modern cryptography

Zhijun Li S1034040 Autumn08 HIT 80

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
– Name: GCD problem
– Instance: two natural numbers a, b ∈ N
– Question: what is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Zhijun Li S1034040 Autumn08 HIT 81

Turing Machine

• Definition: A Turing Machine is a transition function S × B → S × B × {l, r}
– where S is the set of states, B the set of characters, l is shift left, r is shift right

(Diagram: a tape … 0 1 1 0 0 0 1 1 … read and written by a state machine.)

Zhijun Li S1034040 Autumn08 HIT 82

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Zhijun Li S1034040 Autumn08 HIT 83

Problems and Algorithms

(Diagram: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output.)

Zhijun Li S1034040 Autumn08 HIT 84

Complexity of an Algorithm

• Definition: The time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
– Logarithmic functions: f(n) = log(n)
– Polynomial functions: f(n) = n^a, a ∈ N
– Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Zhijun Li S1034040 Autumn08 HIT 85

Complexity of a Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
– The complexity of a problem is much more difficult to determine
– It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Zhijun Li S1034040 Autumn08 HIT 86

Classes of Problems

• Undecidable – provably intractable
– There is no algorithm that solves it
– Such as the Turing halting problem

• Decidable
– P – can be solved in polynomial time using a DTM
• Example: AB
– NP – can be solved in polynomial time using an NDTM (transition relation S × B → 2^{S × B × {l, r}})
– BPP – can be "solved" in polynomial time using a PTM (S × B × {0, 1} → S × B × {l, r}; randomized algorithms)

Zhijun Li S1034040 Autumn08 HIT 87

NP Problems

• NP ⊇ P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
– P problems ⊆ NP problems
– NP problems are "more difficult", intuitively

• NPC: the most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy problems

Zhijun Li S1034040 Autumn08 HIT 88

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
– Q2 is (at least) as complex as Q1
– Denoted Q1 ≤_poly Q2

Zhijun Li S1034040 Autumn08 HIT 89

NP-Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc

• Example
– Name: Satisfiability problem (SAT)
– Instance: a set U of variables and a collection C of clauses over U
– Question: is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC
– SAT ≤_poly Q

Zhijun Li S1034040 Autumn08 HIT 90

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P

• If P = NP
– Modern cryptography is NOT secure

• If ∃p ∈ NP with p ∉ P
– A one-way function can be built based on p
– Indistinguishable pseudorandom functions exist
– They are the foundations of modern cryptography

Zhijun Li S1034040 Autumn08 HIT 91

BPP

• There are randomized algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for randomized algorithms

• Remarks on BPP
– The problem can be solved with some error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful under BPP
– Will be analyzed in depth later

Zhijun Li S1034040 Autumn08 HIT 92

Problems in Cryptography

• FACTORING: factorize n (= p1^e1 · p2^e2 · … · pk^ek)

• DLP: find x satisfying the discrete-logarithm congruence (mod p)

• DHP: find ab (mod p) from a (mod p) and b (mod p)

• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying x^2 ≡ a (mod n)

Zhijun Li S1034040 Autumn08 HIT 93

Semantic Security

• Ideas of Semantic Security
– Between Shannon security and security based on complexity
– Leaks partial information
– Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 45

Lagrange Theorem Proof

(1) Definition of Coset Let G be a group and H is the subgroup of G for aG set aH=ah | hH is called a coset of H

(2) abG aH = bH or aHbH=(3) Each element of G is in some coset(eH) So a

ll coset is a partition of G

(4) the order of aH = the order of H

So the order of H divides the order of G

Zhijun Li S1034040Autumn08HIT 46

The Order of Group Element

bull Definition The order of group element a is defined as the least positive integer n that

an = a a hellip a =e

bull The order of a is denoted as ord(a)

bull Corollary Suppose G is a finite group whose order is n and aG then ord(a)|n

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note:
– Q2 is at least as hard as Q1
– Denoted Q1 ≤poly Q2

Zhijun Li S1034040Autumn08HIT 89

NP Completeness (NPC)

• Definition: An NP-complete problem is a problem Qc ∈ NP such that for every Q ∈ NP, Q ≤poly Qc.

• Example:
– Name: Satisfiability problem (SAT)
– Instance: A set U of variables and a collection C of clauses over U
– Question: Is there a satisfying truth assignment for C?

• How to prove that a problem Q is NPC: show Q ∈ NP and SAT ≤poly Q (Cook's theorem makes SAT the first NPC problem; any problem already known to be NPC can be used in place of SAT).

Zhijun Li S1034040Autumn08HIT 90

P = NP?

• Either P = NP, or there is a p ∈ NP with p ∉ P.

• If P = NP:
– Modern cryptography is NOT secure: no one-way function can exist, because inverting one is an NP search problem and would then be easy.

• If P ≠ NP (there is p ∈ NP, p ∉ P):
– The hope is to build a one-way function from such a p. Caveat: P ≠ NP is necessary for one-way functions but is not known to be sufficient; it gives only worst-case hardness, whereas a one-way function must be hard to invert on average.
– Indistinguishable pseudorandom functions exist (they can be built from any one-way function).
– These are the foundations of modern cryptography.

Zhijun Li S1034040Autumn08HIT 91

BPP

• Randomized algorithms are common in cryptography, especially in cryptanalysis; BPP is the model for randomized algorithms.

• Remarks on BPP:
– The problem is solved with some error probability, bounded away from 1/2.
– The error probability can be reduced by repeating the algorithm and taking a majority vote.
– Security statements in cryptography are made against BPP (probabilistic polynomial-time) adversaries.
– Analysed in depth later.
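As an added example (not from the slides), a Miller–Rabin primality test in Python, a classic BPP-style algorithm over the integers the course works with: a "composite" answer is always correct, a "prime" answer may be wrong with probability at most 1/4 per round for any composite input, and independent repetition drives the error down as (1/4)^rounds. The Carmichael number 561 = 3·11·17 is used as the sample input because it fools the Fermat test for every coprime base yet has only 8 strong liars among the 558 bases in [2, 559]. Function names are this example's own.

```python
import random


def is_witness(a, n):
    """Miller-Rabin: True if base a proves the odd number n composite; False if n passes for a."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True


def is_probable_prime(n, rounds=20, rng=random):
    """BPP-style primality test: 'composite' is always right; 'prime' may be wrong
    with probability at most (1/4)^rounds (Rabin's bound), whatever the input n."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):          # trial division for tiny factors
        if n % p == 0:
            return n == p
    return not any(is_witness(rng.randrange(2, n - 1), n) for _ in range(rounds))


def count_strong_liars(n):
    """Exhaustively count bases a in [2, n-2] for which the composite n passes one round."""
    return sum(1 for a in range(2, n - 1) if not is_witness(a, n))


def false_accept_rate(n, rounds, trials, rng):
    """Empirical error: fraction of `trials` runs in which composite n survives `rounds` random bases."""
    accepted = 0
    for _ in range(trials):
        if not any(is_witness(rng.randrange(2, n - 1), n) for _ in range(rounds)):
            accepted += 1
    return accepted / trials


def error_bound(rounds):
    """Worst-case probability that `rounds` independent rounds all lie about a composite."""
    return 0.25 ** rounds


if __name__ == "__main__":
    rng = random.Random(7)
    print("strong liars of 561 in [2, 559]:", count_strong_liars(561))
    for k in (1, 2, 3):
        print(f"rounds={k}: empirical false-accept rate for 561 =",
              false_accept_rate(561, k, 4000, rng), " worst-case bound =", error_bound(k))
    print("2^61 - 1 probable prime:", is_probable_prime(2 ** 61 - 1, rng=rng))
```

The empirical rate for 561 falls far below the (1/4)^k worst-case bound because the bound is for the worst composite; the point of repetition is that the bound itself, not just the typical case, shrinks exponentially.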

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: factorize n = p_1^{e_1} p_2^{e_2} ⋯ p_k^{e_k}

• DLP (discrete logarithm problem): find the exponent x in the given congruence (mod p)

• DHP (Diffie–Hellman problem): find the value with exponent ab (mod p) from the values with exponents a (mod p) and b (mod p)

• Subset-Sum: given a set of positive integers A = {a_1, a_2, …, a_n} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP (quadratic residuosity problem): decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying x^2 ≡ a (mod n)
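The listed problems are not independent. As an added example (not from the slides), the Python code below shows the classic relationship between SQROOT and FACTORING: with the factorization p, q of n = pq known, SQROOT modulo n is easy (roots modulo each prime, here with p, q ≡ 3 mod 4, combined by the CRT), while any algorithm that returns square roots modulo n can be turned into a factoring algorithm with a few random queries. The primes 10007 and 10039 in the test are sample values chosen for the example; function names are this example's own.

```python
import random
from math import gcd


def sqrt_mod_prime(a, p):
    """Square root of a quadratic residue a modulo a prime p with p = 3 (mod 4):
    r = a^((p+1)/4) (mod p). For such p this solves SQROOT modulo a prime directly."""
    assert p % 4 == 3
    r = pow(a, (p + 1) // 4, p)
    if r * r % p != a % p:
        raise ValueError("a is not a quadratic residue mod p")
    return r


def crt2(r1, p, r2, q):
    """Chinese remainder theorem for two coprime moduli: x = r1 (mod p), x = r2 (mod q)."""
    n = p * q
    return (r1 * q * pow(q, -1, p) + r2 * p * pow(p, -1, q)) % n


def make_sqrt_oracle(p, q, rng):
    """SQROOT mod n = pq, solvable only because p and q (the trapdoor) are known.
    Returns one of the four square roots, with the sign choice made at random."""
    n = p * q

    def oracle(a):
        rp, rq = sqrt_mod_prime(a % p, p), sqrt_mod_prime(a % q, q)
        if rng.random() < 0.5:
            rp = p - rp
        if rng.random() < 0.5:
            rq = q - rq
        return crt2(rp, p, rq, q)

    return oracle


def factor_with_sqrt_oracle(n, oracle, rng, max_tries=128):
    """FACTORING reduced to SQROOT: pick random x, ask for a root y of x^2 mod n.
    With probability 1/2 the oracle returns y != +-x, and then gcd(x - y, n) is a
    nontrivial factor: n | (x - y)(x + y) while n divides neither factor."""
    for _ in range(max_tries):
        x = rng.randrange(2, n)
        g = gcd(x, n)
        if g != 1:                      # lucky draw: x already shares a factor with n
            return min(g, n // g), max(g, n // g)
        y = oracle(x * x % n)
        if y not in (x, n - x):
            g = gcd(x - y, n)
            return min(g, n // g), max(g, n // g)
    return None                         # only after max_tries unlucky draws (prob. 2^-max_tries)


if __name__ == "__main__":
    p, q = 10007, 10039                 # sample primes, both = 3 (mod 4)
    rng = random.Random(2024)
    oracle = make_sqrt_oracle(p, q, rng)
    print("factored n =", p * q, "into", factor_with_sqrt_oracle(p * q, oracle, rng))
```

This is why Rabin-style schemes are provably as hard as factoring, and also why a decryption oracle for them must never return arbitrary square roots of attacker-chosen values.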

Zhijun Li S1034040Autumn08HIT 93

Semantic Security

• Ideas of semantic security:
– Sits between Shannon security and security based on complexity
– The ciphertext may leak some partial information, but only a negligible, computationally unusable amount
– Approximates perfect secrecy against resource-bounded adversaries

• Definition of semantic security via indistinguishability of ciphertexts:
– It is hard to distinguish the ciphertexts of two different plaintexts
– It is hard to distinguish a ciphertext from random bits

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε

Challenger: picks a random key k and a random bit b ∈ {0,1}
Adversary: picks M0, M1 of equal length and sends them to the challenger
Challenger: returns the challenge ciphertext C = E_k(M_b)
Adversary: outputs a guess b'

Attacker wins the game if b = b'
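An added example (not from the slides) that runs the IND-CPA game above in Python against two toy ciphers built from the same SHA-256 keystream: one that reuses a fixed keystream (deterministic) and one that prefixes a fresh random nonce. The chosen-plaintext adversary queries the encryption oracle on M0 before the challenge and compares; it wins every time against the deterministic cipher (ε = 0.5) and only half of the time against the randomized one. The keystream construction and the message strings are constructed for the example and are not a production cipher; all names are this example's own.

```python
import hashlib
import random


def keystream(key, nonce, length):
    """Toy keystream: SHA-256(key || nonce || counter) blocks. For the game only, not for production."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enc_deterministic(key, m, rng):
    """Stream cipher with a fixed keystream: the same (key, m) always gives the same c."""
    return xor_bytes(m, keystream(key, b"", len(m)))


def enc_randomized(key, m, rng):
    """Same keystream, but under a fresh 16-byte nonce per message (sent in the clear)."""
    nonce = rng.randbytes(16)
    return nonce + xor_bytes(m, keystream(key, nonce, len(m)))


class RepeatQueryAdversary:
    """Chosen-plaintext strategy: ask the oracle for E_k(M0) first, then compare with the challenge."""
    M0, M1 = b"attack at dawn!!", b"attack at dusk!!"   # constructed messages of equal length

    def choose(self, oracle):
        self.c0 = oracle(self.M0)
        return self.M0, self.M1

    def guess(self, challenge):
        return 0 if challenge == self.c0 else 1


def ind_cpa_game(encrypt, adversary_factory, rng, trials=200):
    """Runs the slide's game `trials` times and returns the adversary's win rate."""
    wins = 0
    for _ in range(trials):
        key = rng.randbytes(16)             # challenger picks a random k ...
        b = rng.getrandbits(1)              # ... and a random bit b

        def oracle(m):                      # chosen-plaintext access to E_k
            return encrypt(key, m, rng)

        adv = adversary_factory()
        m0, m1 = adv.choose(oracle)         # adversary picks M0, M1 of equal length
        c = oracle(m1 if b else m0)         # challenger returns E_k(M_b)
        if adv.guess(c) == b:               # adversary wins if b' = b
            wins += 1
    return wins / trials


def advantage(win_rate):
    """The epsilon in 'wins with probability 0.5 + epsilon'."""
    return win_rate - 0.5


if __name__ == "__main__":
    for name, enc in (("deterministic", enc_deterministic), ("randomized", enc_randomized)):
        rate = ind_cpa_game(enc, RepeatQueryAdversary, random.Random(42))
        print(f"{name}: win rate {rate:.2f}, advantage {advantage(rate):+.2f}")
```

Any deterministic encryption loses this game outright, which is why IND-CPA security forces encryption to be randomized (a nonce or IV) even when the underlying keystream is perfectly pseudorandom.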

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε

Challenger: 1. picks a random key k; 2. picks a random message M and sends C = E_k(M)
Adversary: 3. picks a bit position i and outputs a guess a

Attacker wins the game if a = the i-th bit of M

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure.

• Proof: Given a (t, ε) attacker A against bit security, build a (t, ε) attacker against IND-CPA security. Pick a random message M0 and let M1 be its bitwise complement, so that the two differ in every position; submit (M0, M1) and receive C = E_k(M_b). Run A on C; A picks a position i and outputs a guess a. Output b' = 0 if a equals the i-th bit of M0, else b' = 1. Since M_b is uniformly random in either case, A sees exactly its own game, and whenever A is right about the i-th bit, b' = b. So the IND-CPA attacker wins with the same probability 0.5 + ε in essentially the same time t.

Zhijun Li S1034040Autumn08HIT 97

Summary

• Number Theory
– Primes, gcd, Euler's theorem, CRT
– Modular arithmetic

• Algebraic Structures
– Group, Field
– Z_n, Z_p, GF(2^n)

• Shannon Security
– Perfect secrecy
– Probability

• Complexity of Computing
– P, NP, NPC, BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date


Zhijun Li S1034040Autumn08HIT 46

The Order of a Group Element

• Definition: The order of a group element a is the least positive integer n such that a^n = a · a · … · a (n factors) = e.

• The order of a is denoted ord(a).

• Corollary: If G is a finite group of order n and a ∈ G, then ord(a) | n.

Zhijun Li S1034040Autumn08HIT 47

ord(a) | n: Proof

• Proof:
– For a group G and a ∈ G, the set {a, a^2, …, a^ord(a)} together with the operation of G forms a subgroup of G: it is closed (exponents add modulo ord(a)), a^ord(a) = e is the identity, and (a^i)^(-1) = a^(ord(a) − i).
– This subgroup is denoted ⟨a⟩ and has exactly ord(a) elements; by Lagrange's theorem the order of a subgroup divides the order of the group, so ord(a) | n.

Zhijun Li S1034040Autumn08HIT 48

The Generator of a Group

• Definition: If every element of a group can be written as a power of a single element g, then g is called a generator of the group (and the group is called cyclic).

• Example: consider ⟨Z7*, ·⟩
– 2 generates 2^1 = 2, 2^2 = 4, 2^3 = 8 ≡ 1 (mod 7), 2^4 = 16 ≡ 2 (mod 7), … so ⟨2⟩ = {1, 2, 4} is only a subgroup
– 3 generates 3^1 = 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1 (mod 7): all six elements, so 3 is a generator

Zhijun Li S1034040Autumn08HIT 49

Ring

• Definition: A ring R = ⟨S, +, ·⟩ (+ is addition, · is multiplication) such that
– R1: ∀a, b ∈ S: a + b ∈ S and a·b ∈ S (closure)
– R2: ⟨S, +⟩ is an additive Abelian group
– R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
– R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c and (b + c)·a = b·a + c·a

• Examples:
– The set of even integers with + and · is a ring (it has no multiplicative identity)
– For two primes p, q and n = pq, Z_n = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

• Definition: A field F is ⟨S, +, ·⟩ with
– F1: ⟨S, +, ·⟩ is a commutative ring (a·b = b·a)
– F2: there exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
– F3: every nonzero element a ∈ S has a unique inverse a^(-1): a·a^(-1) = a^(-1)·a = 1

• Example:
– Z_n = ⟨{0, 1, …, n−1}, +, ·⟩ is a field if and only if n is prime

Zhijun Li S1034040Autumn08HIT 51

Relationship

(Diagram: Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷); these are the structures used in cryptography.)

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

• Z_n
• Z_n* (the units of Z_n)
• Z_p
• Polynomial rings
• Galois fields F_(2^n)

Zhijun Li S1034040Autumn08HIT 53

Z_n

• Z_n is the "ring" of integers modulo n
– Z_n = {0, 1, 2, …, n−1}
– Ordinary addition, reduced modulo n
– Ordinary multiplication, reduced modulo n

• Examples:
– Z_26 for the English alphabet
– Z_256 for ASCII bytes

Zhijun Li S1034040Autumn08HIT 54

Z_n Properties

• Additive and multiplicative identities in Z_n
– The additive identity is 0 mod n
– The multiplicative identity is 1 mod n

• Additive inverse: always exists
– For every x in Z_n there is a y (namely n − x) such that x + y ≡ 0 (mod n)

• Multiplicative inverse: not for every x
– For a given x, a y such that x·y ≡ 1 (mod n)
– Exactly the elements x with gcd(x, n) = 1 have an inverse in Z_n

Zhijun Li S1034040Autumn08HIT 55

Z_n*

• Z_n* is the "group" of integers modulo n that are coprime to n
– Z_n* = {x ∈ Z_n | gcd(x, n) = 1}
– |Z_n*| = φ(n)
– Operation: ordinary multiplication modulo n

• Z_n* is in general not a group under +
– Example: n = 20: 3, 5 ∈ Z_20* but 3 + 5 = 8 ∉ Z_20*

• So Z_n* does not form a field
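The following Python program is an added worked example (it is not part of the lecture slides) covering the Z_n* slide above together with the order-of-an-element and generator slides: it lists the units of Z_n, checks |Z_n*| = φ(n), computes inverses with the extended Euclidean algorithm (so the gcd(x, n) = 1 condition is visible), and for a prime p computes element orders, the subgroup ⟨a⟩ and the generators of Z_p*, reproducing the ⟨Z_7*, ·⟩ example. All function names are this example's own choices.

```python
from math import gcd, isqrt


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def inv_mod(x, n):
    """Multiplicative inverse of x in Z_n, or None when gcd(x, n) != 1."""
    g, s, _ = egcd(x % n, n)
    return s % n if g == 1 else None


def units(n):
    """Z_n^* = {x in Z_n | gcd(x, n) = 1}."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def phi(n):
    """Euler's totient, computed here by counting units (fine for small n)."""
    return len(units(n))


def divisors(n):
    """All positive divisors of n, in increasing order."""
    small = [d for d in range(1, isqrt(n) + 1) if n % d == 0]
    return sorted(set(small + [n // d for d in small]))


def element_order(a, n):
    """ord(a) in Z_n^*: least e > 0 with a^e = 1 (mod n).
    Lagrange guarantees ord(a) | |Z_n^*| = phi(n), so only divisors of phi(n) are tried."""
    if gcd(a, n) != 1:
        raise ValueError("a is not a unit mod n")
    for d in divisors(phi(n)):
        if pow(a, d, n) == 1:
            return d
    raise AssertionError("unreachable: a^phi(n) = 1 by Euler's theorem")


def subgroup_generated(a, n):
    """<a> = {a, a^2, ..., a^ord(a)} in the order the slide lists it (ends with 1 = e)."""
    elems, x = [], 1
    while True:
        x = x * a % n
        elems.append(x)
        if x == 1:
            return elems


def generators(p):
    """Generators of the cyclic group Z_p^* (p prime): the elements of order p - 1."""
    return [g for g in range(1, p) if element_order(g, p) == p - 1]


if __name__ == "__main__":
    print("Z_20^* =", units(20), " phi(20) =", phi(20))      # 3 and 5 are units, 3 + 5 = 8 is not
    print("3^-1 mod 20 =", inv_mod(3, 20), " 4^-1 mod 20 =", inv_mod(4, 20))
    print("<2> in Z_7^* =", subgroup_generated(2, 7))
    print("<3> in Z_7^* =", subgroup_generated(3, 7))
    print("generators of Z_7^* =", generators(7))
```

For a prime p the number of generators is φ(p − 1); choosing a generator is the first step of every discrete-logarithm based scheme, and `element_order` is the check that a proposed base really generates the whole group rather than a small subgroup.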

Zhijun Li S1034040Autumn08HIT 56

Z_p

• Z_p is the "field" of integers modulo a prime p
– Z_p = {0, 1, 2, …, p−1}
– Ordinary addition modulo p
– Ordinary multiplication modulo p

• Example: Z_2

  +  | 0 1        ·  | 0 1        w | −w | w^(-1)
  ---+-----       ---+-----       --+----+-------
  0  | 0 1        0  | 0 0        0 |  0 |   none
  1  | 1 0        1  | 0 1        1 |  1 |   1

  Addition in Z_2 is XOR, multiplication is AND.

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_(n−1) x^(n−1) + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0.

• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x with coefficients from R.

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z_2[x]
– f(x) + g(x) = x^3 + x^2 + 1
– f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1 (in Z_2, −1 = 1)
– f(x) · g(x) = x^5 + x^4 + x^3 + x (the two x^2 terms cancel)

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set of remainders of elements of R[x] on division by p(x)
– p(x) is taken to be an irreducible polynomial over R (needed later for the residues to form a field)

• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))

• Example:
– In Z_5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod (x^2 + 1)
• 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)

• Definition: If a(x)·b(x) ≡ 1 mod p(x), then b(x) = a^(-1)(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

• Definition: If a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted b(x) | a(x)

• Definition: A polynomial a(x) is irreducible over R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) and b(x) | a(x)

Zhijun Li S1034040Autumn08HIT 62

Example: Z_2[x]/(x^3 + x + 1)

• S = {0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1}
• p(x) = x^3 + x + 1

• For any f(x) ∈ Z_2[x], f(x) mod p(x) ∈ S

• Example:
– x^4 + 1 = x·x^3 + 1 ≡ x(x + 1) + 1 = x^2 + x + 1 mod p(x), because x^3 ≡ x + 1 mod p(x)

• Note: R[x]/p(x), with p(x) irreducible, consists of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Zhijun Li S1034040Autumn08HIT 63

Z_2[x]/(x^3 + x + 1): Properties

• S is a group under addition in R
– 0 is the identity e, and the inverse of a ∈ S is a itself
– Example: (x^2 + 1) + (x^2 + 1) = 0

• S \ {0} is a group under multiplication mod p(x)
– 1 is the identity e, and every nonzero a ∈ S has an inverse
– Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x = 1 mod (x^3 + x + 1)
– Note: the extended Euclidean algorithm can be used to find the inverse

• Z_2[x]/(x^3 + x + 1) is a field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

• Definition: A Galois field is (S, +, ·) where
– S = F[x]/p(x)
– F is the field Z_N (N prime)
– + is addition in F[x], · is multiplication modulo p(x)
– p(x) is irreducible

• The Galois field Z_N[x]/p(x) is denoted GF(N^n), where n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Fields

• For an 8-bit block
– Z_256 = {0, 1, …, 255} is not a field
– Z_251 = {0, 1, …, 250} is a field
• The largest prime < 256 is 251
• The values 251, …, 255 would be wasted

• Is it possible to find a field with exactly 256 elements?
– Yes: a Galois field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z_256 (8-bit blocks)

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• The field is Z_2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example: AES

• AES uses GF(2^8) = Z_2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example:
– 01010011 ↔ x^6 + x^4 + x + 1
– (01010011)^(-1) ↔ (x^6 + x^4 + x + 1)^(-1) mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Zhijun Li S1034040Autumn08HIT 68

Galois Field Example: AES (multiplication by x)

• Example: 02 · 87 = ?
• 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
• 02 = 00000010 ↔ x
• 02 · 87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
  = (x^4 + x^3 + x + 1) + (x^3 + x^2 + x), using x^8 ≡ x^4 + x^3 + x + 1 mod p(x)
  = x^4 + x^2 + 1 ↔ 00010101 = 15

• In general, for a byte b = b7 b6 b5 b4 b3 b2 b1 b0, multiplication by 02 (i.e. x·f(x)) is a left shift followed by a conditional XOR with the reduction constant:
  x·f(x) = (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
  x·f(x) = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)     if b7 = 1
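An added worked example (not from the slides) of the GF(2^n) arithmetic described on the preceding slides: polynomials over Z_2 are encoded as integers (bit i is the coefficient of x^i); the code implements reduction mod p(x), multiplication, the AES xtime rule (multiplication by 02), and the inverse via the extended Euclidean algorithm over Z_2[x] that the properties slide mentions. It reproduces the x^4 + 1 mod (x^3 + x + 1), (x^2 + 1)·x, (01010011)^(-1) = 11001010 and 02·87 computations; the check 57·83 = c1 is the example from FIPS-197. Names such as `gf_mul`, `gf_inv` and `xtime` are this example's own.

```python
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial
GF8_POLY = 0b1011  # x^3 + x + 1, the slide's GF(2^3) example


def poly_degree(a):
    """Degree of a polynomial over Z_2 encoded as an int (bit i = coefficient of x^i); -1 for 0."""
    return a.bit_length() - 1


def poly_str(a):
    """Human-readable form of an int-encoded polynomial, e.g. 0x53 -> 'x^6 + x^4 + x + 1'."""
    if a == 0:
        return "0"
    terms = []
    for i in range(poly_degree(a), -1, -1):
        if a >> i & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


def poly_mod(a, p):
    """a(x) mod p(x) over Z_2: subtract (XOR) shifted copies of p(x) until deg a < deg p."""
    dp = poly_degree(p)
    while poly_degree(a) >= dp:
        a ^= p << (poly_degree(a) - dp)
    return a


def gf_mul(a, b, p):
    """Multiplication in GF(2^n) = Z_2[x]/p(x): schoolbook shift-and-add, then reduce."""
    prod = 0
    while b:
        if b & 1:
            prod ^= a
        a <<= 1
        b >>= 1
    return poly_mod(prod, p)


def xtime(b):
    """AES multiplication of a byte by 02 = x: shift left, XOR 0x1B if the old bit b7 was set."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gf_inv(a, p):
    """Inverse in GF(2^n) via the extended Euclidean algorithm on polynomials over Z_2.
    Invariant: r0 = s0*a and r1 = s1*a (mod p); stops when the remainder r1 is 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1, s0, s1 = p, a, 0, 1
    while r1 != 1:
        shift = poly_degree(r0) - poly_degree(r1)
        if shift < 0:                       # keep deg r0 >= deg r1
            r0, r1, s0, s1 = r1, r0, s1, s0
            continue
        r0 ^= r1 << shift                   # one step of polynomial long division
        s0 ^= s1 << shift
    return poly_mod(s1, p)


if __name__ == "__main__":
    print("x^4 + 1 mod (x^3 + x + 1) =", poly_str(poly_mod(0b10001, GF8_POLY)))
    print("(x^2 + 1) * x in GF(2^3) =", poly_str(gf_mul(0b101, 0b010, GF8_POLY)))
    print("inverse of 0x53 in AES field = 0x%02X (%s)" % (gf_inv(0x53, AES_POLY), poly_str(gf_inv(0x53, AES_POLY))))
    print("02 * 87 = 0x%02X, xtime(0x87) = 0x%02X" % (gf_mul(0x02, 0x87, AES_POLY), xtime(0x87)))
```

The table-free `xtime` is exactly the branch on b7 written out above; real AES implementations either precompute the full multiplication tables or use constant-time masking instead of the data-dependent branch, since the branch leaks b7 through timing on some platforms.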

Zhijun Li S1034040Autumn08HIT 69

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

• Message space P = M^L = {m = (m_1, m_2, …, m_L) | m_i ∈ M}
– M = {a_i | i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1

• Key space K = B^R = {b = (b_1, b_2, …, b_R) | b_i ∈ B}
– B = {b_i | i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1

• Ciphertext space C = {c | c = e_k(m), k ∈ K, m ∈ P}

(Diagram: Sender → Encryption (m → c) → Decryption (c → m) → Receiver; the key k from the key space K reaches both ends over a secure channel; the cryptanalyst observes c.)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon (1916–2001)

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K : c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
– C(k) = {e_k(m) | m ∈ P}

• Pr[C = c | P = m] = Σ_{k ∈ K : m = d_k(c)} Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr[P = m] · Σ_{k : m = d_k(c)} Pr[K = k] ) / ( Σ_{k ∈ K : c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)] )

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
– How is "information" defined?

• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P, ∀c, m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|.

• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|, and
– for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y.

Zhijun Li S1034040Autumn08HIT 75

Proof of ⇐ (sufficiency)

• Pr[x = x | y = y] = ( Σ_{k ∈ K : x = d_k(y)} Pr[K = k] · Pr[x = x] ) / ( Σ_{k ∈ K : y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)] )

• Numerator: by uniqueness of the key, exactly one k satisfies x = d_k(y), so Σ_{k ∈ K : x = d_k(y)} Pr[K = k] = 1/|K| and the numerator is (1/|K|) · Pr[x = x]

• Denominator: Σ_{k ∈ K : y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)] = (1/|K|) · Σ_{k ∈ K : y ∈ C(k)} Pr[x = d_k(y)] = (1/|K|) · Σ_{x ∈ P} Pr[x = x] = 1/|K|, since as k runs over the keys with y ∈ C(k), d_k(y) runs over each plaintext exactly once

• Hence Pr[x = x | y = y] = Pr[x = x]

Zhijun Li S1034040Autumn08HIT 76

Proof of ⇒ (necessity, part 1)

• Assume Pr[y] > 0 for every y ∈ C (a ciphertext that never occurs can be dropped from C)
• Perfect secrecy: Pr[x | y] = Pr[x], equivalently Pr[y | x] = Pr[y]

• Fix x ∈ P and y ∈ C. We have Pr[y | x] = Pr[y] > 0, thus there exists at least one k with e_k(x) = y

• Since every y ∈ C is reached from x, {e_k(x) | k ∈ K} = C, and |C| = |K|
– So there are no two keys k1 ≠ k2 with e_k1(x) = e_k2(x)
– Hence there is a unique key k such that e_k(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of ⇒ (necessity, part 2)

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}

• Fix a ciphertext y; by part 1 there are keys k_1, k_2, …, k_n, one per plaintext, with e_{k_i}(x_i) = y

• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = k_i] · Pr[x_i] / Pr[y]

• Perfect secrecy gives Pr[x_i | y] = Pr[x_i], hence Pr[K = k_i] = Pr[y] for every i
– So every key is used with the same probability, namely 1/|K|

Zhijun Li S1034040Autumn08HIT 78

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n. Any cipher with perfect secrecy has |K| ≥ n.

• Proof:
– Consider a probability distribution on P that gives every plaintext nonzero probability
– Fix any ciphertext C = c with Pr[C = c] > 0. For every m, Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
– As one key decrypts c into only one message, at least n distinct keys are needed
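The following Python code is an added example (not from the slides) that evaluates the formulas of the "Probability Distribution of C" slide with exact fractions and tests Shannon's definition for a one-letter shift cipher on Z_26: with a uniformly random key it has perfect secrecy for any plaintext distribution; with only 13 keys (|K| < |P|, the "bad news" theorem) or with a biased key distribution (the perfect secrecy theorem) it does not. The plaintext and key distributions are constructed for the example, and all names are this example's own.

```python
from fractions import Fraction
from itertools import product


def ciphertext_distribution(p_dist, k_dist, enc):
    """Pr[C = c] = sum over (m, k) with enc(k, m) = c of Pr[P = m] * Pr[K = k]."""
    dist = {}
    for (m, pm), (k, pk) in product(p_dist.items(), k_dist.items()):
        c = enc(k, m)
        dist[c] = dist.get(c, Fraction(0)) + pm * pk
    return dist


def posterior(p_dist, k_dist, enc, m, c):
    """Pr[P = m | C = c] by Bayes: Pr[C = c | P = m] * Pr[P = m] / Pr[C = c],
    where Pr[C = c | P = m] is the total probability of the keys mapping m to c."""
    pc_given_m = sum((pk for k, pk in k_dist.items() if enc(k, m) == c), Fraction(0))
    pc = ciphertext_distribution(p_dist, k_dist, enc)[c]
    return pc_given_m * p_dist[m] / pc


def has_perfect_secrecy(p_dist, k_dist, enc):
    """Shannon's definition: Pr[P = m | C = c] = Pr[P = m] for every m and every possible c."""
    cdist = ciphertext_distribution(p_dist, k_dist, enc)
    return all(posterior(p_dist, k_dist, enc, m, c) == p_dist[m]
               for m in p_dist for c in cdist)


def uniform(items):
    items = list(items)
    return {x: Fraction(1, len(items)) for x in items}


def shift(k, m):
    """Shift cipher on a single letter of Z_26."""
    return (m + k) % 26


# Constructed sample distributions (not data from the lecture)
P_SKEWED = {0: Fraction(1, 2), 4: Fraction(1, 4), 19: Fraction(1, 4)}   # 'a', 'e', 't'
K_FULL = uniform(range(26))            # every shift equally likely: a one-letter one-time pad
K_HALF = uniform(range(13))            # only 13 keys, fewer than the 26 possible ciphertexts
K_BIASED = {k: (Fraction(1, 2) if k == 0 else Fraction(1, 50)) for k in range(26)}  # sums to 1


if __name__ == "__main__":
    for name, kd in (("uniform keys", K_FULL), ("13 keys", K_HALF), ("biased keys", K_BIASED)):
        print(f"{name}: perfect secrecy =", has_perfect_secrecy(P_SKEWED, kd, shift))
    print("Pr[P = 'a' | C = 7] with biased keys =", posterior(P_SKEWED, K_BIASED, shift, 0, 0))
```

With the biased key distribution the posterior of the most common letter given ciphertext 0 jumps from 1/2 to 25/26: this is exactly the leakage that key reuse or a poor key generator introduces, and the computation is the same one a cryptanalyst performs.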

Zhijun Li S1034040Autumn08HIT 79

Introduction of Complexity

• Perfect secrecy requires key length ≥ message length
– One key can NOT be reused to encrypt many messages
– For example, a 56-bit key cannot perfectly protect a document longer than 56 bits

• So in modern cryptography
– Schemes are NOT perfectly secret
– They are secure against adversaries with limited resources (complexity)
– Meaning that key (or plaintext) recovery is computationally difficult
– Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified.

• Example:
– Name: GCD problem
– Instance: Two natural numbers a, b ∈ N
– Question: What is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Zhijun Li S1034040Autumn08HIT 81

Turing Machine

• Definition: A Turing machine is given by a transition function δ: S × B → S × B × {l, r}
– where S is the set of states, B the set of tape symbols, l means shift left and r means shift right

(Diagram: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a head that is controlled by a finite state machine.)

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 47

ord(a)|n Proof

bull Proofndash For group G and aG the set a a2 hellip aord

(a) and the operator of G forms a subgroup of G

aord(a)=e (ai)-1=a(ord(a)-i)

ndash This subgroup is denoted as ltagt

Zhijun Li S1034040Autumn08HIT 48

The Generator of Group

bull Definition A group whose all elements can be generated by a single element g g is called the generator of the group

bull Examplendash Considering the ltZ7

gtndash 2 generates 21=2 22=4 23=8equiv1 mod 724=16equiv2 mod

7hellipbull lt124gt subgroup

ndash 3 generates 31=3 32equiv2 33equiv634equiv435equiv536equiv1hellipbull 3 is the generator

Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Introduction of the Complexity

• Perfect Secrecy: key-length ≥ msg-length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Means that the key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is given by a transition S × B → S × B × {l, r}
  – where S is the set of states, B is the set of characters, l is shift left, r is shift right

[Figure: a tape "… 0 1 1 0 0 0 1 1 …" read and written by a State Machine]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output]

Complexity of Algorithm

• Definition: The time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: $f(n) = n^a$, a ∈ N
  – Exponential functions: $f(n) = \Omega(a^n)$, a ∈ N, and there exists b ∈ N with $f(n) = O(b^n)$

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem

• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: A × B
  – NP – can be solved in polynomial time using an NDTM (transition S × B → $2^S$)
  – BPP – can be "solved" in polynomial time using a PTM (transition S × B × {0, 1} → S; randomized algorithms)

NP Problem

• NP problem: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult" by intuition

• NPC: The most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: Assume $Q_1, Q_2 \in NP$, and $I_1^+$ and $I_2^+$ are their 'yes' instances. $Q_1$ is polynomially reducible to $Q_2$ if there is a function $f: I_1 \to I_2$ s.t.
  – f is computable in polynomial time by a DTM
  – for all x: $x \in I_1^+$ iff $f(x) \in I_2^+$

• Note
  – $Q_2$ is at least as complex as $Q_1$
  – Denoted as $Q_1 \le_{poly} Q_2$

NP Completeness (NPC)

• Definition: An NPC problem is a $Q_c$ such that for any Q ∈ NP we have $Q \le_{poly} Q_c$

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC
  – $SAT \le_{poly} Q$

P = NP?

• Either P = NP, or there exists p ∈ NP with p ∉ P

• If P = NP
  – Modern cryptography is NOT secure

• If there exists p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms

• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: Factorize n (= $p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$)

• DLP: Find the exponent x such that a given base raised to x is congruent to a given value (mod p)

• DHP: From the base raised to a (mod p) and the base raised to b (mod p), find the base raised to ab (mod p)

• Subset-Sum: Given a set of positive integers A = {$a_1, a_2, \dots, a_n$} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: Decide whether a is a quadratic residue modulo n

• SQROOT: Find x satisfying $x^2 \equiv a \pmod n$

Semantic Security

• Ideas of Semantic Security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy

• Definition of Semantic Security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε

[Figure: the IND-CPA game]
  Challenger: picks random k and picks random b ∈ {0, 1}
  Adversary: picks M0, M1 of equal length; receives the encryption of Mb under k; outputs b'
  Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε

[Figure: the bit-security game]
  Challenger: 1. picks random k; 2. picks random M
  Adversary: 3. picks i; receives the encryption of M under k; outputs a bit a
  Attacker wins the game if a = i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
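The reduction in the proof above, as an added example that is not from the lecture: both games are played exactly (every key and every challenge bit enumerated) against a constructed 8-bit one-time pad and against a constructed flawed variant that leaks bit 0; the bit-security attacker is then turned into an IND-CPA attacker exactly as the proof sketch says, and its advantage ε is the same in both games.

```python
from fractions import Fraction

BITS = 8
ALL_KEYS = range(1 << BITS)

def bit(x, i):
    return (x >> i) & 1

def otp_encrypt(k, m):
    """One-time pad on a single 8-bit block: c = m XOR k."""
    return m ^ k

def leaky_encrypt(k, m):
    """Constructed flawed cipher: bit 0 of the key is never used, so bit 0 of m is sent in clear."""
    return m ^ (k & ~1)

class BitAdversary:
    """Bit-security attacker: asks for bit 0 and reads it straight off the ciphertext."""
    def pick_index(self):
        return 0

    def guess_bit(self, c, i):
        return bit(c, i)

def bit_game_win_probability(encrypt, adv):
    """Pr[attacker outputs the i-th bit of M], over uniform k and uniform M (exact)."""
    wins = 0
    for k in ALL_KEYS:
        for m in range(1 << BITS):
            i = adv.pick_index()
            wins += adv.guess_bit(encrypt(k, m), i) == bit(m, i)
    return Fraction(wins, len(ALL_KEYS) * (1 << BITS))

def reduction(bit_adv):
    """Build an IND-CPA attacker from a bit-security attacker (the slide's proof idea).
    M0 and M1 have equal length and differ only in bit i; the guess b' is 0 exactly
    when the predicted bit equals bit i of M0, so a correct bit guess gives a correct b'."""
    i = bit_adv.pick_index()
    m0, m1 = 0, 1 << i

    def guess_b(c):
        return 0 if bit_adv.guess_bit(c, i) == bit(m0, i) else 1

    return m0, m1, guess_b

def ind_cpa_win_probability(encrypt, bit_adv):
    """Pr[b' = b] for the reduced attacker, over uniform k and uniform b (exact)."""
    m0, m1, guess_b = reduction(bit_adv)
    wins = 0
    for k in ALL_KEYS:
        for b in (0, 1):
            c = encrypt(k, m1 if b else m0)
            wins += guess_b(c) == b
    return Fraction(wins, 2 * len(ALL_KEYS))

def advantage_epsilon(win_probability):
    """The slides write the win probability as 0.5 + epsilon; return that epsilon."""
    return win_probability - Fraction(1, 2)

if __name__ == "__main__":
    adv = BitAdversary()
    for name, enc in (("one-time pad", otp_encrypt), ("leaky cipher", leaky_encrypt)):
        p_bit = bit_game_win_probability(enc, adv)
        p_ind = ind_cpa_win_probability(enc, adv)
        print(f"{name}: bit-game eps = {advantage_epsilon(p_bit)}, IND-CPA eps = {advantage_epsilon(p_ind)}")
```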

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF($2^n$)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date:


The Generator of Group

• Definition: A group all of whose elements can be generated by a single element g; g is called the generator of the group

• Example
  – Consider the group <Z7*, ·> (multiplication modulo 7)
  – 2 generates: $2^1 = 2$, $2^2 = 4$, $2^3 = 8 \equiv 1 \pmod 7$, $2^4 = 16 \equiv 2 \pmod 7$, …
    • <{1, 2, 4}> is a subgroup
  – 3 generates: $3^1 = 3$, $3^2 \equiv 2$, $3^3 \equiv 6$, $3^4 \equiv 4$, $3^5 \equiv 5$, $3^6 \equiv 1$, …
    • 3 is the generator

Ring

• Definition: A ring R = <S, +, ·> (+ is addition, · is multiplication) such that
  – R1: ∀a, b ∈ S: a + b ∈ S, a·b ∈ S (closure rule)
  – R2: <S, +> is an additive Abelian group
  – R3: ∀a, b, c ∈ S: (a·b)·c = a·(b·c)
  – R4: ∀a, b, c ∈ S: a·(b + c) = a·b + a·c

• Example
  – The set of even integers with + and · is a ring
  – p, q are two primes, n = pq; Zn = {0, 1, …, n−1} with addition and multiplication mod n is a ring

Field

• Definition: A field F is <S, +, ·> with
  – F1: <S, +, ·> is a commutative ring (a·b = b·a)
  – F2: There exists an identity element 1 with respect to multiplication: a·1 = 1·a = a
  – F3: Any nonzero element a ∈ S has a unique inverse $a^{-1}$: $a \cdot a^{-1} = a^{-1} \cdot a = 1$

• Example
  – Zn = <{0, 1, …, n−1}, +, ·> is a field if n is a prime

Relationship

[Figure: the structures used in cryptography, nested – Group (+, −) ⊂ Ring (+, −, ×) ⊂ Field (+, −, ×, ÷)]

Several Important Structures

• Zn

• Zn*

• Zp

• Polynomial Rings

• Galois Field $F_{2^n}$

Zn

• Zn is the "ring" of integers modulo n
  – Zn = {0, 1, 2, …, n−1}
  – Normal addition modulo n
  – Normal multiplication modulo n

• Example
  – Z26 for English
  – Z256 for ASCII

Zn Properties

• Additive and multiplicative identities in Zn
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n

• Additive inverse: Yes
  – For every x in Zn there is a number y such that x + y = 0 (mod n)

• Multiplicative inverse: Not for all x
  – A number y such that x·y = 1 (mod n) does not exist for every x in Zn
  – The elements of Zn that have an inverse are {x | gcd(x, n) = 1}

Zn*

• Zn* is a "group" of integers modulo n
  – Zn* = {x | gcd(x, n) = 1}
  – |Zn*| = φ(n)
  – Normal multiplication modulo n

• Zn* may not be a group over +
  – Example: n = 20; 3, 5 ∈ Zn* but 3 + 5 = 8 ∉ Zn*

• So Zn* may not be a field

Zp

• Zp is the "field" of integers modulo a prime p
  – Zp = {0, 1, 2, …, p−1}
  – Normal addition modulo p
  – Normal multiplication modulo p

• Example: Z2

    +  | 0  1          ·  | 0  1          w | -w | w^-1
    ---+------         ---+------         --+----+------
    0  | 0  1          0  | 0  0          0 |  0 |  -
    1  | 1  0          1  | 0  1          1 |  1 |  1

  Addition is XOR, multiplication is AND

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$ where each $a_i \in R$ and n ≥ 0

• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: Let $f(x) = x^3 + x + 1$ and $g(x) = x^2 + x$ be elements in $Z_2[x]$
  – $f(x) + g(x) = x^3 + x^2 + 1$
  – $f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1$
  – $f(x)\,g(x) = x^5 + x^4 + x^3 + x$

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R

• The set of residues modulo p(x) of R[x] is denoted as $R[x]_{p(x)}$

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), or $a(x) \equiv b(x) \pmod{p(x)}$, iff $p(x) \mid (a(x) - b(x))$

• Example
  – In $Z_5[x]$: $3x^3 + 4x + 4 \equiv x + 4 \pmod{x^2 + 1}$
    • $3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)$

• Definition: If $a(x)\,b(x) \equiv 1 \pmod{p(x)}$ then $b(x) = a^{-1}(x) \bmod p(x)$

Irreducible Polynomials

• Definition: If a(x) = q(x) b(x), then a(x) is divisible by b(x), denoted as b(x) | a(x)

• Definition: A polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) such that b(x) | a(x)

Example: $Z_2[x]_{x^3+x+1}$

• S = {0, 1, x, x+1, $x^2$, $x^2$+1, $x^2$+x, $x^2$+x+1}
• p(x) = $x^3 + x + 1$

• For any f(x) ∈ $Z_2[x]$: f(x) mod p(x) ∈ S

• Example
  – $x^4 + 1 = x \cdot x^3 + 1 \equiv x(x + 1) + 1 = x^2 + x + 1 \pmod{p(x)}$

• Note: $R[x]_{p(x)}$, when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

$Z_2[x]_{x^3+x+1}$ Properties

• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: $(x^2 + 1) + (x^2 + 1) = 0$

• The nonzero elements of S form a group over multiplication mod p(x)
  – 1 is e, and the inverse of each such a ∈ S exists
  – Example: $(x^2 + 1) \cdot x = x^3 + x \equiv (x + 1) + x = 1 \pmod{x^3 + x + 1}$
  – Note: Can use the Extended Euclidean Algorithm to find the inverse

• $Z_2[x]_{x^3+x+1}$ is a Field

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = $F[x]_{p(x)}$
  – F is a field $Z_N$ (N is prime)
  – + is addition in F; · is multiplication modulo p(x)
  – p(x) is irreducible

• The Galois field over $Z_N[x]_{p(x)}$ is denoted as GF($N^n$) when n = deg p(x)

Why Galois Field

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted

• Is it possible to find a field for Z256?
  – Yes – Galois Field

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
  10010111 ↔ $1 \cdot x^7 + 0 \cdot x^6 + 0 \cdot x^5 + 1 \cdot x^4 + 0 \cdot x^3 + 1 \cdot x^2 + 1 \cdot x^1 + 1 \cdot x^0$

• It is $Z_2[x]_{p(x)}$ where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF($2^n$)

Galois Field Example: AES

…s in AES uses GF($2^8$) = $Z_2[x]_{p(x)}$ where $p(x) = x^8 + x^4 + x^3 + x + 1$

• Example
  – 01010011 ↔ $x^6 + x^4 + x + 1$
  – $(01010011)^{-1}$ ↔ $(x^6 + x^4 + x + 1)^{-1} \bmod p(x) = x^7 + x^6 + x^3 + x$ ↔ 11001010

Galois Field Example: AES

• Example: compute 02 · 87
  • 87 = 10000111 ↔ $f(x) = x^7 + x^2 + x + 1$
  • 02 = 00000010 ↔ $f(x) = x$
  • 02 · 87 ↔ $x f(x) = x(x^7 + x^2 + x + 1) \bmod p(x) = x^8 + x(x^2 + x + 1) \bmod p(x)$

• Multiplication by x (by 02) on a byte $b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$:
  – $x f(x)$ ↔ $(b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)$                  if $b_7 = 0$
  – $x f(x)$ ↔ $(b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus (00011011)$  if $b_7 = 1$

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• $P = M^L = \{\, m = (m_1, m_2, \dots, m_L) \mid m_i \in M \,\}$
  – $M = \{a_i \mid i = 1, 2, \dots, N\}$, $p(a_i) \ge 0$, $\sum_{i=1}^{N} p(a_i) = 1$

• $K = B^R = \{\, b = (b_1, b_2, \dots, b_R) \mid b_i \in B \,\}$
  – $B = \{b_i \mid i = 1, 2, \dots, S\}$, $p(b_i) \ge 0$, $\sum_{i=1}^{S} p(b_i) = 1$

• $C = \{\, c \mid c = e_k(m),\ k \in K,\ m \in M \,\}$

[Figure: Sender → Encryption (m → c) → Decryption → Receiver; the key k from the Key Space (K) is delivered over a Secure Channel; Cryptanalysis observes c and tries to recover m; Message Space (P), Ciphertext Space (C)]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager

[Photo: Claude Shannon, 1916–2001]

Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\ c \in C(k)} \Pr[K = k]\,\Pr[m = d_k(c)]$
  – $C(k) = \{\, e_k(m) \mid m \in P \,\}$

• $\Pr[C = c \mid P = m] = \sum_{k \in K,\ m = d_k(c)} \Pr[K = k]$

• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m]\,\Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m)\,\sum_{k \mid m = d_k(c)} \Pr(k)}{\sum_{k \in K,\ c \in C(k)} \Pr(k)\,\Pr(d_k(c))}$


Zhijun Li S1034040Autumn08HIT 49

Ringbull Definition A ring R=ltS+gt (+ is addition is

multiplication) such thatndash R1 abS a+bS abS (closure rule) ndash R2 ltS+gt is an additive Abelian groupndash R3 abcS (ab)c = a(bc) ndash R4 abcS a(b+c) = ab + ac

bull Examplendash The set of even integers with + and are ringndash pq are two primes n=pq Zn=01hellipn-1 with additio

n and multiplication mod n is a ring

Zhijun Li S1034040Autumn08HIT 50

Field

bull Definition Field F is ltS+gt withndash F1 ltS+gt is a commutative ring (ab=ba)ndash F2 Exist identity element 1 with respected to multiplic

ation a1 = 1 a = andash F3 Any nonzero element aS a has its unique invers

e a-1 a = a-1 a = 1

bull Example ndash Zn=lt01hellipn-1+gt is a field if n is a prime

Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and every y ∈ C there is a unique key k such that e_k(x) = y


Proof of ⇐ (the two conditions imply perfect secrecy)

• Pr[P = x | C = y] = Σ_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[P = x] / Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[P = d_k(y)]

• Numerator: Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|, since exactly one key maps x to y and every key has probability 1/|K|

• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[P = d_k(y)] = 1/|K| · Σ_{k ∈ K, y ∈ C(k)} Pr[P = d_k(y)] = 1/|K| · Σ_{x ∈ P} Pr[P = x] = 1/|K|

• Hence Pr[P = x | C = y] = Pr[P = x], which is perfect secrecy


Proof of ⇒ (perfect secrecy implies the two conditions)

• Pr[y] > 0

• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]

• Fix x ∈ P and y ∈ C. We have Pr[y | x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y

• |{ e_k(x) | k ∈ K }| = |C| = |K|
  – There are no k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – There is a unique key k such that e_k(x) = y


Proof of ⇒ (continued)

• Let n = |K| and P = { x_i | 1 ≤ i ≤ n }

• Given a fixed y, let k_1, k_2, …, k_n be the keys with e_{k_i}(x_i) = y

• Pr[x_i | y] = Pr[y | x_i] · Pr[x_i] / Pr[y] = Pr[K = k_i] · Pr[x_i] / Pr[y]

• Pr[x_i | y] = Pr[x_i] ⇒ Pr[K = k_i] = Pr[y]
  – Every key is used with equal probability 1/|K|


"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n. Any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a probability distribution on P that is nonzero everywhere
  – Given any C = c, for every m, Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist one key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
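The formulas under "Probability Distribution of C", the perfect-secrecy definition and the theorem just stated can be evaluated exactly for a small cryptosystem. The following Python is an added example, not code from the lecture; the shift cipher over Z_n, the sample distributions and all function names are constructed for the illustration.

```python
# Added example (not from the lecture): evaluate the formulas under
# "Probability Distribution of C" for a small cryptosystem (P, C, K, E, D)
# and test Shannon's condition Pr[P = m | C = c] = Pr[P = m] for every m
# and c, exactly, with fractions instead of floats.
from fractions import Fraction
from itertools import product


def shift_cipher(n):
    """e_k(m) = m + k mod n and d_k(c) = c - k mod n over P = C = K = Z_n
    (a constructed toy cipher for this example)."""
    return (lambda k, m: (m + k) % n), (lambda k, c: (c - k) % n)


def uniform(space):
    """The uniform distribution on a finite set, as exact fractions."""
    return {v: Fraction(1, len(space)) for v in space}


# Constructed sample distributions on Z_5: a skewed plaintext prior, and a
# non-uniform key distribution that violates the theorem's first condition.
PLAINTEXT_PRIOR = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8),
                   3: Fraction(1, 16), 4: Fraction(1, 16)}
SKEWED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
               3: Fraction(1, 8), 4: Fraction(1, 8)}


def ciphertext_dist(P, K, enc, pr_p, pr_k):
    """Pr[C = c] = sum over k in K with c in C(k) of Pr[K = k] * Pr[P = d_k(c)].
    Summing over all pairs (k, m) with e_k(m) = c is the same sum written from
    the plaintext side, so no decryption function is needed here."""
    pr_c = {}
    for k, m in product(K, P):
        c = enc(k, m)
        pr_c[c] = pr_c.get(c, Fraction(0)) + pr_k[k] * pr_p[m]
    return pr_c


def posterior(P, K, enc, pr_p, pr_k):
    """Pr[P = m | C = c] = Pr[C = c | P = m] Pr[P = m] / Pr[C = c] (Bayes), with
    Pr[C = c | P = m] = sum over k with e_k(m) = c of Pr[K = k]."""
    pr_c = ciphertext_dist(P, K, enc, pr_p, pr_k)
    post = {}
    for m in P:
        for c in pr_c:
            pr_c_given_m = sum((pr_k[k] for k in K if enc(k, m) == c), Fraction(0))
            post[(m, c)] = pr_c_given_m * pr_p[m] / pr_c[c]
    return post


def is_perfectly_secret(P, K, enc, pr_p, pr_k):
    """Shannon secure iff the posterior equals the prior for all m and all c."""
    post = posterior(P, K, enc, pr_p, pr_k)
    return all(post[(m, c)] == pr_p[m] for (m, c) in post)


def satisfies_theorem_conditions(P, C, K, enc, pr_k):
    """The Perfect Secrecy Theorem's two conditions for |K| = |P| = |C|: keys
    are uniform, and for each (x, y) exactly one key k has e_k(x) = y."""
    keys_uniform = all(pr_k[k] == Fraction(1, len(K)) for k in K)
    unique_key = all(sum(1 for k in K if enc(k, x) == y) == 1
                     for x in P for y in C)
    return keys_uniform and unique_key


if __name__ == "__main__":
    Z5 = list(range(5))
    enc, _dec = shift_cipher(5)
    print("uniform keys:", is_perfectly_secret(Z5, Z5, enc, PLAINTEXT_PRIOR, uniform(Z5)))
    print("skewed keys :", is_perfectly_secret(Z5, Z5, enc, PLAINTEXT_PRIOR, SKEWED_KEYS))
    # "Bad news": with only 3 keys for 5 plaintexts, perfect secrecy is impossible
    print("|K| < |P|   :", is_perfectly_secret(Z5, [0, 1, 2], enc, uniform(Z5), uniform([0, 1, 2])))
```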


Introduction to Complexity

• Perfect secrecy requires key length ≥ message length
  – One key can NOT be used to encrypt many messages
  – For example, a 56-bit key can not be used to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography


Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?


Turing Machine

• Definition: A Turing Machine is given by a transition function S × B → S × B × {l, r}
  – where S is the set of states, B is the set of tape characters, l is shift left, r is shift right

[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]


Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem


Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output]


Complexity of Algorithm

• Definition: The time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)


Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to establish
  – It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them


Classes of Problem

• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem

• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: AB
  – NP: can be solved in polynomial time using an NDTM (transition S × B → 2^S)
  – BPP: can be "solved" in polynomial time using a PTM (transition S × B × {0, 1} → S), i.e. randomized algorithms


NP Problem

• NP ⊇ P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", intuitively

• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered the easy problems


Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
  – Q2 is more complex than Q1
  – Denoted as Q1 ≤_poly Q2


NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤_poly Qc

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC
  – Show SAT ≤_poly Q


P = NP?

• Either P = NP, or there is some p ∈ NP with p ∉ P

• If P = NP
  – Modern cryptography is NOT secure

• If there is some p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography


BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms

• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later


Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)

• DLP: Find the exponent x in a congruence modulo p (the discrete logarithm)

• DHP: Given the powers with exponents a and b (mod p), find the power with exponent ab (mod p)

• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: Decide whether a is a quadratic residue modulo n

• SQROOT: Find x satisfying x^2 ≡ a (mod n)


Semantic Security

• Ideas of Semantic Security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy

• Definition of Semantic Security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits


IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε

• The game
  – Challenger: picks a random key k and a random bit b ∈ {0, 1}
  – Adversary: picks M0, M1 of equal length and sends them to the challenger
  – Challenger: returns c = e_k(M_b)
  – Adversary: outputs a guess b'
  – The attacker wins the game if b = b'


Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε

• The game
  – Challenger: 1. picks a random key k; 2. picks a random message M
  – Adversary: 3. picks a bit position i
  – The adversary receives the encryption of M under k and outputs a guess a
  – The attacker wins the game if a = the i'th bit of M


Semantic Security

• Theorem: Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
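The reduction sketched in this proof, written out for toy 8-bit ciphers so that both games can be evaluated exhaustively rather than by sampling. This is an added example, not the lecture's code; the one-time pad, the deliberately "leaky" cipher and all names are constructed for the illustration.

```python
# Added example (not from the lecture): the Semantic Security reduction from
# a bit-security attacker to an IND-CPA (eavesdropper) attacker, on toy 8-bit
# ciphers. Win probabilities are exact: every key, message and challenge bit
# is enumerated.
from fractions import Fraction
from itertools import product

BITS = 8
MESSAGES = range(1 << BITS)


def otp_encrypt(k, m):
    """One-time pad on 8-bit blocks: c = m XOR k with k uniform in 0..255."""
    return m ^ k


def leaky_encrypt(k, m):
    """A deliberately broken cipher (constructed for this example): the key's
    lowest bit is forced to 0, so bit 0 of the ciphertext equals bit 0 of m."""
    return m ^ (k & 0xFE)


def bit_attacker_lsb():
    """A bit-security adversary: chooses i = 0 and answers with bit 0 of c."""
    return 0, (lambda c: c & 1)


def bit_game_win_prob(encrypt, keys, attacker):
    """Bit Secure game: challenger picks k and M at random, adversary picks i,
    sees c = e_k(M) and outputs a; it wins if a equals the i-th bit of M."""
    i, guess = attacker()
    wins = sum(guess(encrypt(k, m)) == ((m >> i) & 1)
               for k, m in product(keys, MESSAGES))
    return Fraction(wins, len(keys) * len(MESSAGES))


def ind_cpa_from_bit_attacker(attacker):
    """The proof's construction: from a bit-security attacker build an IND-CPA
    attacker. It picks M0 at random and M1 = M0 with bit i flipped, so the
    challenge ciphertext hides a uniformly random message, exactly the input
    the bit attacker expects; the bit attacker's answer then reveals b."""
    i, guess = attacker()

    def choose(m0):
        return m0, m0 ^ (1 << i)

    def decide(m0, c):
        return 0 if guess(c) == ((m0 >> i) & 1) else 1

    return choose, decide


def ind_cpa_win_prob(encrypt, keys, ind_attacker):
    """IND-CPA game: challenger picks k and b, adversary supplies M0, M1 of
    equal length, receives c = e_k(M_b) and outputs b'; it wins if b' = b.
    The adversary's random choice of M0 is enumerated along with k and b."""
    choose, decide = ind_attacker
    wins = 0
    for k, b, m0 in product(keys, (0, 1), MESSAGES):
        pair = choose(m0)
        wins += decide(m0, encrypt(k, pair[b])) == b
    return Fraction(wins, len(keys) * 2 * len(MESSAGES))


if __name__ == "__main__":
    keys = range(1 << BITS)
    for name, enc in (("otp", otp_encrypt), ("leaky", leaky_encrypt)):
        p_bit = bit_game_win_prob(enc, keys, bit_attacker_lsb)
        p_ind = ind_cpa_win_prob(enc, keys, ind_cpa_from_bit_attacker(bit_attacker_lsb))
        print(f"{name:5s} bit-game win {p_bit}   IND-CPA win {p_ind}")
```

Against the leaky cipher the bit attacker wins with probability 1 and so does the IND-CPA attacker built from it; against the one-time pad both sit at exactly 1/2, which is what the theorem's contrapositive predicts.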


Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Z_n, Z_p, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP


Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date:




Zhijun Li S1034040Autumn08HIT 51

Field +-x

Relationship

Ring +-x

+-Group

Used In Cryptography

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y

Proof of ⇐

• Pr[P = x | C = y]
  = Σ_{k ∈ K, x = dk(y)} Pr[K = k]·Pr[P = x] / Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[P = dk(y)]
• Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K|   (exactly one key maps x to y, and every key has probability 1/|K|)
• Σ_{k ∈ K, y ∈ C(k)} Pr[K = k]·Pr[P = dk(y)]
  = 1/|K| · Σ_{k ∈ K, y ∈ C(k)} Pr[P = dk(y)]
  = 1/|K| · Σ_{x ∈ P} Pr[P = x]
  = 1/|K|
• Hence Pr[P = x | C = y] = Pr[P = x]

Proof of ⇒

• Pr[y] > 0
• Pr[x | y] = Pr[x] ⇔ Pr[y | x] = Pr[y]
• Fix x ∈ P. For every y ∈ C we have Pr[y | x] = Pr[y] > 0, thus there exists at least one key k that satisfies ek(x) = y
• |{ek(x) | k ∈ K}| = |C| = |K|
  – There are no two keys k1 ≠ k2 with ek1(x) = ek2(x)
  – There is a unique key k such that ek(x) = y

Proof of ⇒ (cont.)

• Let n = |K| and P = {xi | 1 ≤ i ≤ n}
• Given a fixed y, let k1, k2, …, kn be the keys with eki(xi) = y
• Pr[xi | y] = Pr[y | xi]·Pr[xi] / Pr[y] = Pr[K = ki]·Pr[xi] / Pr[y]
• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a nonzero probability distribution on P
  – Given any C = c, for every m, Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
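The definitions of the last few slides (the distribution of C, the Bayes form of Pr[P = m | C = c], perfect secrecy, the |K| = |P| = |C| characterization and the |K| ≥ n bound) can all be checked mechanically on a cipher small enough to enumerate. The following Python is an added example, not from the slides: it computes the posterior exactly with rational arithmetic and tests it on three constructed ciphers, a 2-bit one-time pad with uniform keys (perfect even for a biased plaintext distribution), the same pad with a biased key distribution (not perfect), and a shift cipher on Z4 that only uses two keys (not perfect, as the theorem above predicts). Function names and sample distributions are ours.

```python
# Added example (not from the slides): Shannon's definitions evaluated on small,
# fully enumerable ciphers. Fraction gives exact arithmetic, so equality is exact.
from fractions import Fraction
from itertools import product


def ciphertext_distribution(keys: dict, plaintexts: dict, enc) -> dict:
    """Pr[C = c] = sum over k in K and m with e_k(m) = c of Pr[K = k] * Pr[P = m]."""
    dist = {}
    for (k, pk), (m, pm) in product(keys.items(), plaintexts.items()):
        c = enc(k, m)
        dist[c] = dist.get(c, Fraction(0)) + pk * pm
    return dist


def posterior(keys: dict, plaintexts: dict, enc, m, c) -> Fraction:
    """Pr[P = m | C = c] by Bayes: Pr[C = c | P = m] * Pr[P = m] / Pr[C = c],
    where Pr[C = c | P = m] is the total probability of the keys k with e_k(m) = c."""
    pc_given_m = sum((pk for k, pk in keys.items() if enc(k, m) == c), Fraction(0))
    pc = ciphertext_distribution(keys, plaintexts, enc)[c]
    return pc_given_m * plaintexts[m] / pc


def is_perfectly_secret(keys: dict, plaintexts: dict, enc) -> bool:
    """Perfect secrecy: Pr[P = m | C = c] == Pr[P = m] for every m and every c
    that occurs with positive probability."""
    cdist = ciphertext_distribution(keys, plaintexts, enc)
    return all(posterior(keys, plaintexts, enc, m, c) == plaintexts[m]
               for c in cdist for m in plaintexts)


def satisfies_theorem_conditions(keys: dict, plaintexts: dict, enc) -> bool:
    """The |K| = |P| = |C| characterization: every key has probability 1/|K| and
    for each pair (x, y) exactly one key k satisfies e_k(x) = y."""
    n = len(keys)
    if any(pk != Fraction(1, n) for pk in keys.values()):
        return False
    ciphertexts = {enc(k, m) for k in keys for m in plaintexts}
    if len(plaintexts) != n or len(ciphertexts) != n:
        return False
    return all(sum(1 for k in keys if enc(k, x) == y) == 1
               for x in plaintexts for y in ciphertexts)


def uniform(elems) -> dict:
    """Uniform distribution over the given elements."""
    elems = list(elems)
    return {e: Fraction(1, len(elems)) for e in elems}


def otp_enc(k: int, m: int) -> int:
    """Two-bit one-time pad: c = k XOR m."""
    return k ^ m


def shift_enc(k: int, m: int) -> int:
    """Shift cipher on Z4: c = k + m mod 4."""
    return (k + m) % 4


# Constructed sample distributions (not from the slides).
OTP_KEYS = uniform(range(4))
BIASED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}
BIASED_MSGS = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
SMALL_KEYS = uniform(range(2))   # |K| = 2 < |P| = 4: the "bad news" theorem applies

if __name__ == "__main__":
    print("OTP, uniform keys, biased messages:", is_perfectly_secret(OTP_KEYS, BIASED_MSGS, otp_enc))
    print("OTP, biased keys, uniform messages:", is_perfectly_secret(BIASED_KEYS, uniform(range(4)), otp_enc))
    print("shift cipher restricted to 2 keys: ", is_perfectly_secret(SMALL_KEYS, BIASED_MSGS, shift_enc))
```

For the two-key shift cipher, seeing c = 0 raises the posterior of m = 0 from 1/2 to 4/5 and drops m = 1 to 0, which is exactly the leakage that perfect secrecy forbids; for the uniform-key pad every posterior equals the prior, whatever the plaintext distribution.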

Introduction of Complexity

• Perfect secrecy ⇒ key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: a Turing Machine is given by a transition function δ: S × B → S × B × {l, r}
  – where S is the set of states, B the set of characters, l is shift left and r is shift right

[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, whose Output is the answer]

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: A × B
  – NP – can be solved in polynomial time using an NDTM (δ: S × B → 2^{S × B × {l, r}})
  – BPP – can be "solved" in polynomial time using a PTM (δ: S × B × {0, 1} → S × B × {l, r}) (randomized algorithms)

NP Problem

• NP ⊇ P: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problem ⊆ NP problem
  – An NP problem is "more difficult", intuitively
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+
• Note
  – Q2 is at least as complex as Q1
  – Denoted as Q1 ≤poly Q2

NP Completeness (NPC)

• Definition: an NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC
  – SAT ≤poly Q

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem is solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: find x satisfying α^x ≡ β (mod p)
• DHP: find α^(ab) (mod p) from α^a (mod p) and α^b (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

[Figure: game between Challenger and Adversary. The Challenger picks a random key k and a random bit b ∈ {0, 1}; the Adversary picks M0, M1 of equal length and receives the encryption of Mb; the Adversary outputs a guess b']

  – The attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

[Figure: the Challenger (1) picks a random key k, (2) picks a random message M and sends its encryption; the Adversary (3) picks a bit position i and outputs a guess a]

  – The attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
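The IND-CPA game of the slides can be played in code, which makes concrete why reusing one key deterministically (the "one key, many messages" situation the complexity slides warned about) fails the definition while a randomized scheme does not. The following Python is an added example, not code from the slides: the challenger, two constructed symmetric schemes (HMAC-SHA256 standing in for the PRF, with a fixed nonce versus a fresh random r per message), and a single adversary that uses its chosen-plaintext oracle to re-encrypt M0 and compare. Scheme and function names, the adversary and the two messages are ours.

```python
# Added example (not from the slides): the IND-CPA game played against two
# constructed symmetric schemes. HMAC-SHA256 stands in for the PRF; scheme
# names, the adversary and the two messages are ours.
import hashlib
import hmac
import random

M0 = b"transfer $100 to A"   # constructed, equal-length chosen plaintexts
M1 = b"transfer $900 to B"


def _prf(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 used as a PRF (enough for messages up to 32 bytes)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DeterministicStream:
    """c = m XOR PRF(k, fixed nonce): equal plaintexts always give equal ciphertexts."""

    def __init__(self, rng: random.Random):
        self.k = bytes(rng.getrandbits(8) for _ in range(16))   # challenger's random key

    def encrypt(self, m: bytes) -> bytes:
        return _xor(m, _prf(self.k, b"fixed-nonce", len(m)))


class RandomizedStream:
    """c = r || (m XOR PRF(k, r)) with a fresh random r for every encryption."""

    def __init__(self, rng: random.Random):
        self.rng = rng
        self.k = bytes(rng.getrandbits(8) for _ in range(16))

    def encrypt(self, m: bytes) -> bytes:
        r = bytes(self.rng.getrandbits(8) for _ in range(16))
        return r + _xor(m, _prf(self.k, r, len(m)))


def repeat_query_adversary(oracle, challenge: bytes) -> int:
    """The chosen-plaintext capability in use: ask the oracle for E_k(M0) again and
    guess b' = 0 exactly when it matches the challenge ciphertext."""
    return 0 if oracle(M0) == challenge else 1


def ind_cpa_game(scheme_cls, adversary, rng: random.Random, trials: int = 400) -> float:
    """Each round: the challenger picks random k and random b in {0, 1}; the adversary's
    (M0, M1) are encrypted as E_k(Mb); the adversary, with oracle access, outputs b'.
    Returns the fraction of rounds with b' = b."""
    assert len(M0) == len(M1)
    wins = 0
    for _ in range(trials):
        scheme = scheme_cls(rng)
        b = rng.getrandbits(1)
        challenge = scheme.encrypt(M1 if b else M0)
        wins += adversary(scheme.encrypt, challenge) == b
    return wins / trials


def win_rates(seed: int, trials: int = 400) -> dict:
    """Run the same adversary against both schemes with a seeded RNG (reproducible)."""
    rng = random.Random(seed)
    return {
        "deterministic": ind_cpa_game(DeterministicStream, repeat_query_adversary, rng, trials),
        "randomized": ind_cpa_game(RandomizedStream, repeat_query_adversary, rng, trials),
    }


if __name__ == "__main__":
    for name, rate in win_rates(2008).items():
        print(f"{name:14s} adversary win rate = {rate:.3f}")
```

Against the deterministic scheme the adversary wins every round, so the scheme is not (t, ε) IND-CPA secure for any ε; against the randomized scheme the oracle's answer never matches the challenge, the adversary is reduced to a constant guess, and its win rate stays near 0.5. This is the definition's point: security is measured by the advantage over guessing, not by whether the key is recovered.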

Summary

• Number Theory
  – Prime, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 52

Several Important Structures

bull Zn

bull Zn

bull Zp

bull Polynomial Rings

bull Galois Field F2n

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 53

Zn

bull Zn is the ldquoringrdquo of integers modulo n

ndash Zn=0 1 2 hellipn-1

ndash Normal addition modulo nndash Normal multiplication modulo n

bull Example

ndash Z26 for English

ndash Z256 for ASCII

Zhijun Li S1034040Autumn08HIT 54

Zn Properties

bull Additive and multiplicative identities in Zn

ndash Additive identity is 0 mod nndash Multiplicative identity is 1 mod n

bull Additive inverse Yesndash A number y such that x + y = x for all x in Zn

bull Multiplicative inverse Not for all xndash A number y such that xy = 1 for all x in Zn

ndash The elements in Zn have inverse x|gcd(xn)=1

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Proof of ⇒ (equal key probabilities)

• Let $n = |K|$ and $P = \{x_i \mid 1 \le i \le n\}$
• Given a fixed $y$, let $k_1, k_2, \ldots, k_n$ be the keys with $e_{k_i}(x_i) = y$
• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i]\,\Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K=k_i]\,\Pr[x_i]}{\Pr[y]}$
• $\Pr[x_i \mid y] = \Pr[x_i] \Rightarrow \Pr[K=k_i] = \Pr[y]$ for every $i$
  – Every key is used with equal probability $1/|K|$

"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n
• Proof
  – Consider a probability distribution on P that is nonzero everywhere
  – Given any C=c, for every m, Pr[P=m|C=c] = Pr[P=m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
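As an added example (not code from the lecture slides), the Python below evaluates the slide 72 formulas by brute force for a shift cipher on Z_n and checks the perfect-secrecy condition Pr[P=m | C=c] = Pr[P=m]; the two failing cases exercise the theorem's conditions (non-uniform keys, and a key space smaller than the plaintext space). The cipher, n = 5 and the probability distributions are constructed for the illustration.

```python
from fractions import Fraction
from itertools import product

# Toy cipher (constructed for this example): shift cipher on Z_n, e_k(m) = m + k mod n.
def shift_encrypt(k, m, n):
    return (m + k) % n

def ciphertext_distribution(n, pr_p, pr_k, enc):
    """Pr[C=c] = sum over k with c in C(k) of Pr[K=k] * Pr[P=d_k(c)].
    Summing over all (k, m) pairs with e_k(m) = c is the same sum."""
    pr_c = {c: Fraction(0) for c in range(n)}
    for k, m in product(range(n), repeat=2):
        pr_c[enc(k, m, n)] += pr_k[k] * pr_p[m]
    return pr_c

def pr_c_given_m(n, pr_k, enc, m, c):
    """Pr[C=c | P=m] = sum of Pr[K=k] over the keys with e_k(m) = c."""
    return sum((pr_k[k] for k in range(n) if enc(k, m, n) == c), Fraction(0))

def posterior(n, pr_p, pr_k, enc):
    """Pr[P=m | C=c] = Pr[C=c | P=m] Pr[P=m] / Pr[C=c], for every (m, c) with Pr[C=c] > 0."""
    pr_c = ciphertext_distribution(n, pr_p, pr_k, enc)
    return {(m, c): pr_c_given_m(n, pr_k, enc, m, c) * pr_p[m] / pr_c[c]
            for m in range(n) for c in range(n) if pr_c[c] > 0}

def is_perfectly_secret(n, pr_p, pr_k, enc):
    """Shannon's condition: Pr[P=m | C=c] == Pr[P=m] for every plaintext and ciphertext."""
    return all(post == pr_p[m] for (m, c), post in posterior(n, pr_p, pr_k, enc).items())

def effective_key_count(pr_k):
    """Number of keys that are actually used (the |K| of the 'bad news' theorem)."""
    return sum(1 for p in pr_k if p > 0)

N = 5
# A skewed plaintext distribution (constructed): perfect secrecy must hold for any of them.
PR_P = [Fraction(1, 2), Fraction(1, 4), Fraction(1, 8), Fraction(1, 16), Fraction(1, 16)]
UNIFORM_KEYS = [Fraction(1, N)] * N                              # condition 1 of the theorem holds
SKEWED_KEYS = [Fraction(1, 2)] + [Fraction(1, 8)] * 4            # key 0 favoured: condition 1 fails
TWO_KEYS = [Fraction(1, 2), Fraction(1, 2)] + [Fraction(0)] * 3  # |K| = 2 < |P| = 5: 'bad news'

if __name__ == "__main__":
    cases = [("uniform keys", UNIFORM_KEYS), ("skewed keys", SKEWED_KEYS), ("two keys", TWO_KEYS)]
    for name, pr_k in cases:
        print(f"{name:13s} |K|={effective_key_count(pr_k)} "
              f"perfect secrecy: {is_perfectly_secret(N, PR_P, pr_k, shift_encrypt)}")
    # With uniform keys Pr[C=c] is 1/5 for every c, whatever the plaintext distribution.
    print(ciphertext_distribution(N, PR_P, UNIFORM_KEYS, shift_encrypt))
```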

Introduction of the Complexity

• Perfect secrecy: key length ≥ message length
  – Cannot use one key to encrypt many messages
  – For example, using a 56-bit key to encrypt a document (> 56 bits)
• So in modern cryptography:
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified
• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: a Turing Machine is given by a transition function S × B → S × B × {l, r}
  – where S is the set of states, B the characters (tape alphabet), l is shift left, r is shift right

(Diagram: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a head controlled by a State Machine)

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: an algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

(Diagram: a PROBLEM has many INSTANCES; an instance is the Input to an ALGORITHM, whose Output is the answer.)

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to establish
  – It relies on mathematical analysis
• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problem

• Undecidable (provably intractable)
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P: can be solved in polynomial time using a DTM (example: A → B)
  – NP: can be solved in polynomial time using an NDTM (transition S × B → 2^S, a set of possible successors)
  – BPP: can be "solved" in polynomial time using a PTM (transition S × B × {0, 1} → S, with a random bit as extra input) (randomized algorithms)

NP Problem

• NP ⊇ P. A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", intuitively
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: assume Q1, Q2 ∈ NP, and let I1^+ and I2^+ be their 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1^+ iff f(x) ∈ I2^+
• Note
  – Q2 is no less complex than Q1
  – Denoted Q1 ≤_poly Q2

NP Completeness (NPC)

• Definition: an NPC problem is a Q_c such that for any Q ∈ NP we have Q ≤_poly Q_c
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC
  – Show SAT ≤_poly Q

P = NP?

• P = NP, or ∃p ∈ NP with p ∉ P?
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Problems in Cryptography

• FACTORING: factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: find x satisfying …^x ≡ … (mod p)
• DHP: find …^(ab) (mod p) from …^a (mod p) and …^b (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)

Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy
• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε
• Game (diagram)
  – Challenger: picks a random key k and a random bit b ∈ {0, 1}
  – Adversary: picks M0, M1 of equal length and sends them to the challenger
  – Challenger: returns the encryption of M_b under k
  – Adversary: outputs a guess b'
  – The attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε
• Game (diagram)
  – Challenger: 1. picks a random key k; 2. picks a random message M and sends the adversary its encryption
  – Adversary: 3. picks an index i and outputs a guess a
  – The attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
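Added example (not from the slides): a runnable version of the two games and of the reduction just stated, which turns a bit-security attacker into an IND adversary by choosing M0, M1 that differ only in the attacked bit. The two toy ciphers, the bit-0 attacker and the 8-bit block size are constructed for illustration; the eavesdropper variant of the IND game (one challenge, no encryption oracle) is the one the theorem above refers to.

```python
import random

BLOCK_BITS = 8   # toy message/key length; both challenge messages have this length

# Toy ciphers (constructed for this example); enc(key, msg) -> ciphertext byte.
def otp_encrypt(key, msg):
    """One-time pad with a fresh key per game: perfectly secret against an eavesdropper."""
    return msg ^ key

def leaky_encrypt(key, msg):
    """Pads bits 1..7 but sends bit 0 of the message in the clear: bit-insecure by design."""
    return ((msg ^ key) & ~1) | (msg & 1)

class BitZeroAttacker:
    """Bit-security attacker (the bit game above) that targets bit 0 and reads it off the ciphertext."""
    index = 0
    def guess(self, c):
        return c & 1

def bit_game(enc, attacker, rng):
    """One round of the bit-security game: challenger picks k and M, attacker guesses bit i of M."""
    key = rng.getrandbits(BLOCK_BITS)
    msg = rng.getrandbits(BLOCK_BITS)
    a = attacker.guess(enc(key, msg))
    return a == (msg >> attacker.index) & 1

def ind_game(enc, adversary, rng):
    """One round of the eavesdropper IND game: the adversary chooses M0, M1, sees the
    encryption of M_b for a random b, and wins if its guess b' equals b."""
    key = rng.getrandbits(BLOCK_BITS)
    b = rng.getrandbits(1)
    m0, m1 = adversary.choose_messages(rng)
    c = enc(key, m1 if b else m0)
    return adversary.guess(m0, m1, c) == b

class ReductionAdversary:
    """The reduction: an IND adversary built from a bit-security attacker B.
    It picks M0, M1 that differ only in B's target bit i (M0 has 0 there, M1 has 1),
    so B's guess for bit i of the encrypted message is exactly a guess for b."""
    def __init__(self, bit_attacker):
        self.b_att = bit_attacker
    def choose_messages(self, rng):
        i = self.b_att.index
        base = rng.getrandbits(BLOCK_BITS)
        return base & ~(1 << i), base | (1 << i)
    def guess(self, m0, m1, c):
        return self.b_att.guess(c)

def win_rate(game, enc, adversary, trials=2000, seed=1):
    """Fraction of rounds won; the advantage epsilon of the definitions is win_rate - 0.5."""
    rng = random.Random(seed)   # seeded so the experiment is reproducible
    return sum(game(enc, adversary, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    b_att = BitZeroAttacker()
    for name, enc in [("leaky", leaky_encrypt), ("otp", otp_encrypt)]:
        print(f"{name}: bit game {win_rate(bit_game, enc, b_att):.3f}, "
              f"IND game via reduction {win_rate(ind_game, enc, ReductionAdversary(b_att)):.3f}")
```

The leaky cipher loses both games with probability 1, and the one-time pad holds both at about 0.5, which is the contrapositive of the theorem in action.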

Summary

• Number Theory
  – Prime, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Z_n, Z_p, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:


Zn Properties

• Additive and multiplicative identities in Z_n
  – Additive identity is 0 mod n
  – Multiplicative identity is 1 mod n
• Additive inverse: yes, for every x
  – For each x in Z_n there is a y such that x + y = 0 mod n
• Multiplicative inverse: not for all x
  – A y such that x·y = 1 mod n
  – The elements of Z_n that have an inverse: {x | gcd(x, n) = 1}

Zn*

• Z_n^* is a "group" of integers modulo n
  – Z_n^* = {x | gcd(x, n) = 1}
  – |Z_n^*| = φ(n)
  – Normal multiplication modulo n
• Z_n^* may not be a group over +
  – Example: n = 20; 3, 5 ∈ Z_20^* but 3 + 5 = 8 ∉ Z_20^*
• So Z_n^* may not be a field

Zp

• Z_p is the "field" of integers modulo p
  – Z_p = {0, 1, 2, …, p-1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z_2

  +  | 0 1        ·  | 0 1        w | -w | w^-1
  ---+-----       ---+-----       --+----+-----
  0  | 0 1        0  | 0 0        0 |  0 | none
  1  | 1 0        1  | 0 1        1 |  1 |  1

  Addition in Z_2 is XOR; multiplication is AND.

Polynomial Ring

• Definition: if R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n-1} x^{n-1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0
• Note: if R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Polynomial Ring Example

• Example: let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z_2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) − g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x)·g(x) = x^5 + x^4 + x^3 + x

Set of Residues Modulo p(x)

• Definition: the set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) (mod p(x)), iff p(x) | (a(x) − b(x))
• Example
  – In Z_5[x]: 3x^3 + 4x + 4 ≡ x + 4 (mod x^2 + 1)
    • 3x^3 + 4x + 4 − (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: if a(x)·b(x) ≡ 1 (mod p(x)) then b(x) = a^{-1}(x) mod p(x)
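Added example (not from the slides): coefficient-list arithmetic in Z_p[x] that reproduces the Z_2[x] sums and products above, checks the Z_5[x] congruence by the divisibility definition, and finds inverses modulo p(x) with the extended Euclidean algorithm, which is how an inverse in a residue ring such as Z_2[x]/(x^3+x+1) can be computed. Polynomials are lists [a0, a1, …, an] (lowest degree first); all function names are this example's own.

```python
def trim(a):
    """Drop leading zero coefficients (highest degree is last) so the degree is well defined."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_add(a, b, p):
    n = max(len(a), len(b))
    a = list(a) + [0] * (n - len(a))
    b = list(b) + [0] * (n - len(b))
    return trim([(x + y) % p for x, y in zip(a, b)])

def poly_sub(a, b, p):
    return poly_add(a, [(-y) % p for y in b], p)

def poly_mul(a, b, p):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)

def poly_divmod(a, b, p):
    """Long division in Z_p[x]; p must be prime so the leading coefficient of b is invertible."""
    a, b = trim(a), trim(b)
    if not b:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(b[-1], p - 2, p)        # Fermat: b[-1]^(p-2) is the inverse mod prime p
    q = [0] * max(len(a) - len(b) + 1, 1)
    while a and len(a) >= len(b):
        coef = (a[-1] * inv_lead) % p
        shift = len(a) - len(b)
        q[shift] = coef
        a = poly_sub(a, [0] * shift + [(coef * y) % p for y in b], p)   # cancel the leading term
    return trim(q), a

def poly_mod(a, m, p):
    return poly_divmod(a, m, p)[1]

def congruent(a, b, m, p):
    """a(x) ≡ b(x) (mod m(x)) iff m(x) | (a(x) - b(x)), the slide's definition."""
    return poly_mod(poly_sub(a, b, p), m, p) == []

def poly_inverse(a, m, p):
    """Extended Euclid in Z_p[x]: b with a*b ≡ 1 (mod m), or None when gcd(a, m) is not a constant."""
    r0, r1 = trim(m), poly_mod(a, m, p)
    t0, t1 = [], [1]
    while r1:
        q, r2 = poly_divmod(r0, r1, p)
        r0, r1 = r1, r2
        t0, t1 = t1, poly_sub(t0, poly_mul(q, t1, p), p)
    if len(r0) != 1:               # gcd has positive degree (or is zero): no inverse
        return None
    scale = pow(r0[0], p - 2, p)   # normalise the gcd to exactly 1
    return poly_mod([(c * scale) % p for c in t0], m, p)

def poly_str(a, var="x"):
    """Render [a0, a1, ...] as a readable polynomial, highest degree first."""
    terms = []
    for i in range(len(a) - 1, -1, -1):
        if a[i]:
            coef = "" if (a[i] == 1 and i > 0) else str(a[i])
            terms.append(coef + ("" if i == 0 else var if i == 1 else f"{var}^{i}"))
    return " + ".join(terms) if terms else "0"

if __name__ == "__main__":
    f, g = [1, 1, 0, 1], [0, 1, 1]               # x^3+x+1 and x^2+x in Z_2[x]
    print("f+g =", poly_str(poly_add(f, g, 2)), " f*g =", poly_str(poly_mul(f, g, 2)))
    a, b, m = [4, 4, 0, 3], [4, 1], [1, 0, 1]    # Z_5[x]: 3x^3+4x+4, x+4, x^2+1
    print("3x^3+4x+4 ≡ x+4 (mod x^2+1) in Z_5[x]:", congruent(a, b, m, 5))
    p3 = [1, 1, 0, 1]                            # x^3+x+1; the inverse of x^2+1 mod p3 is x
    print("(x^2+1)^-1 mod (x^3+x+1) =", poly_str(poly_inverse([1, 0, 1], p3, 2)))
```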

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x) then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over R if there is NO non-constant polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) such that b(x) | a(x)

Example: Z_2[x]/(x^3+x+1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z_2[x], f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 ≡ x(x + 1) + 1 = x^2 + x + 1 (mod p(x))
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Z_2[x]/(x^3+x+1): Properties

• S is a group over addition in R
  – 0 is e and the inverse of a ∈ S is a itself
  – Example: (x^2 + 1) + (x^2 + 1) = 0
• S \ {0} is a group over multiplication mod p(x)
  – 1 is e and the inverse of every nonzero a ∈ S exists
  – Example: (x^2 + 1)·x = x^3 + x ≡ (x + 1) + x = 1 (mod x^3 + x + 1)
  – Note: the Extended Euclidean Algorithm can be used to find inverses
• Z_2[x]/(x^3+x+1) is a field

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is the field Z_N (N is prime)
  – + is addition in F; · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted GF(N^n), where n = deg p(x)

Why Galois Field?

• For an 8-bit block
  – Z_256 = {0, 1, …, 255} is not a field
  – Z_251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted
• Is it possible to find a field for Z_256?
  – Yes: a Galois field

Galois Field for Z256

• Build a mapping from an n-bit block to polynomials
• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z_2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Galois Field Example: AES

• Arithmetic in AES uses GF(2^8) = Z_2[x]/p(x), where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Galois Field Example: AES

• Example: 02 · 87 = ?
  – 87 = 10000111, f(x) = x^7 + x^2 + x + 1
  – 02 = 00000010, f(x) = x
  – 02 · 87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
  – Since x^8 ≡ x^4 + x^3 + x + 1 ↔ 00011011 (mod p(x)), the result is (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)
• In general, for a byte b7 b6 … b0 ↔ f(x), multiplication by 02 is:
  – x·f(x) = (b6 b5 b4 b3 b2 b1 b0 0) if b7 = 0
  – x·f(x) = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011) if b7 = 1
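Added example, not code from the slides or from AES itself: the byte-level GF(2^8) arithmetic described above (xtime with the 0x1B reduction, shift-and-add multiplication, inversion), checked against the slides' values 02·87, (53)^-1 = CA and the GF(2^3) case (x^2+1)·x = 1, plus a brute-force irreducibility test for the reduction polynomial. Function names are this example's own; the `poly` argument generalises the slide's 8-bit case to any GF(2^n) given as a bit-vector modulus.

```python
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial from the slide

def byte_to_poly(b):
    """Byte-to-polynomial mapping of the slides, e.g. 0b10010111 -> 'x^7 + x^4 + x^2 + x + 1'."""
    names = {1: "x", 0: "1"}
    terms = [names.get(i, f"x^{i}") for i in range(7, -1, -1) if (b >> i) & 1]
    return " + ".join(terms) if terms else "0"

def gf2_poly_mod(a, m):
    """Remainder of a(x) mod m(x) in Z_2[x], both in bit-vector form (bit i = coefficient of x^i)."""
    dm = m.bit_length() - 1
    while a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)   # cancel the leading term
    return a

def xtime(b):
    """Multiply a byte by x (= 02): shift left; if b7 was set, replace x^8 by x^4+x^3+x+1 (0x1B)."""
    b <<= 1
    if b & 0x100:
        b ^= AES_POLY
    return b

def gf_mul(a, b, poly=AES_POLY):
    """Multiply in Z_2[x]/(poly): shift-and-add, reducing whenever the degree reaches deg poly."""
    n = poly.bit_length() - 1
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= poly
    return result

def gf_inverse(a, poly=AES_POLY):
    """a^-1 = a^(2^n - 2): the nonzero elements form a multiplicative group of order 2^n - 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    n = poly.bit_length() - 1
    e, result, base = (1 << n) - 2, 1, a
    while e:                       # square-and-multiply
        if e & 1:
            result = gf_mul(result, base, poly)
        base = gf_mul(base, base, poly)
        e >>= 1
    return result

def is_irreducible_gf2(poly):
    """Brute-force irreducibility over Z_2: no divisor of degree 1 .. deg(poly)/2."""
    n = poly.bit_length() - 1
    return all(gf2_poly_mod(poly, d) != 0
               for deg in range(1, n // 2 + 1) for d in range(1 << deg, 1 << (deg + 1)))

if __name__ == "__main__":
    print(byte_to_poly(0b10010111))
    print(f"02*87 = {xtime(0x87):02X}")                                  # slide: 02 * 87
    print(f"(53)^-1 = {gf_inverse(0x53):02X}")                           # slide: expect CA
    print("GF(2^3), x^3+x+1: (x^2+1)*x =", gf_mul(0b101, 0b010, 0b1011))  # slide: expect 1
    print("x^8+x^4+x^3+x+1 irreducible:", is_irreducible_gf2(AES_POLY))
```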

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Mathematical Model for Ciphers

• $P = M^L = \{ m = (m_1, m_2, \ldots, m_L) \mid m_i \in M \}$
  – $M = \{a_i,\ i = 1, 2, \ldots, N\}$, $p(a_i) \ge 0$, $\sum_{i=1}^{N} p(a_i) = 1$
• $K = B^R = \{ b = (b_1, b_2, \ldots, b_R) \mid b_i \in B \}$
  – $B = \{b_i,\ i = 1, 2, \ldots, S\}$, $p(b_i) \ge 0$, $\sum_{i=1}^{S} p(b_i) = 1$
• $C = \{ c \mid c = e_k(m),\ k \in K,\ m \in P \}$

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 55

Zn

bull Zn is a ldquogrouprdquo of integers modulo n

ndash Zn=x| gcd(xn)=1

ndash |Zn|=(n)

ndash Normal multiplication modulo n

bull Zn may not a group over +

ndash Example n=20 35 Zn but 3+5=8 Zn

bull So Zn may not a field

Zhijun Li S1034040Autumn08HIT 56

Zp

bull Zp is the ldquofieldrdquo of integers modulo n

ndash Zp=012hellipp-1

ndash Normal addition modulo pndash Normal multiplication modulo p

bull ExampleZ2+ 0 1

01

0 11 0

0 1

01

0 00 1

w -w w-1

01

01 1

XOR AND

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer
• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Zhijun Li S1034040Autumn08HIT 83

Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; an ALGORITHM takes an instance as Input and produces the Output]

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n
• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis
• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

• Undecidable (provably intractable)
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem
• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: A B
  – NP: can be solved in polynomial time using an NDTM, δ: S×B → 2^(S×B×{l, r})
  – BPP: can be "solved" in polynomial time using a PTM, δ: S×B×{0,1} → S×B×{l, r} (randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution
• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult", by intuition
• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and I1⁺ and I2⁺ are their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1⁺ iff f(x) ∈ I2⁺
• Note
  – Q2 is at least as complex as Q1
  – Denoted Q1 ≤_poly Q2

Zhijun Li S1034040Autumn08HIT 89

NP Completeness (NPC)

• Definition: A problem Qc is NPC if for any Q ∈ NP we have Q ≤_poly Qc
• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?
• How to prove a problem Q is NPC
  – Show SAT ≤_poly Q

Zhijun Li S1034040Autumn08HIT 90

P = NP?

• Either P = NP, or ∃p ∈ NP with p ∉ P
• If P = NP
  – Modern cryptography is NOT secure
• If ∃p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms
• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: factorize n (= p1^e1 · p2^e2 · … · pk^ek)
• DLP: find x satisfying g^x ≡ y (mod p)
• DHP: find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)
• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s
• QRP: decide whether a is a quadratic residue modulo n
• SQROOT: find x satisfying x^2 ≡ a (mod n)

Zhijun Li S1034040Autumn08HIT 93

Semantic Security

• Ideas of Semantic Security
  – Between Shannon security and security based on complexity
  – May leak partial information
  – Approximates perfect secrecy
• Definition of Semantic Security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game (Challenger vs Adversary)
  – Challenger picks a random key k and a random bit b ∈ {0,1}
  – Adversary picks M0, M1 of equal length and sends them to the challenger
  – Challenger returns C = e_k(M_b); the adversary outputs a guess b'
  – Attacker wins the game if b = b'

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε
• The game (Challenger vs Adversary)
  – 1. Challenger picks random k
  – 2. Challenger picks random M and sends C = e_k(M) to the adversary
  – 3. Adversary picks i and outputs a
  – Attacker wins the game if a = i'th bit of M

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure
• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
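The reduction in the proof above, as an added example that is not from the slides: a bit-security attacker is wrapped into an IND-CPA attacker by choosing M1 as the bitwise complement of M0, and both games are simulated against two constructed toy 8-bit ciphers (a one-time pad and a deliberately leaky variant). The message size, the toy ciphers and the low-bit attacker are assumptions made for the demonstration.

```python
"""The reduction behind slide 97: IND-CPA secure => bit secure.

Added example, not from the slides. Messages are BITS-bit integers and a
cipher is a function enc(key, msg) -> ct. Two constructed toy ciphers are
used: a one-time pad and a deliberately leaky variant.
"""
import random

BITS = 8
MASK = (1 << BITS) - 1


def bit(value, i):
    """Bit i of value (i = 0 is the least significant bit)."""
    return (value >> i) & 1


# --- constructed toy ciphers (assumptions for the demonstration) -------------
def otp_enc(key, msg):
    """One-time pad: every message bit is masked by a uniform key bit."""
    return key ^ msg


def leaky_enc(key, msg):
    """Deliberately broken: bit 0 of the pad is forced to 0, so bit 0 of the
    message is copied into the ciphertext unchanged."""
    return (key & ~1) ^ msg


# --- adversaries ---------------------------------------------------------------
def low_bit_attacker(ct):
    """Bit-security adversary (slide 96): picks i = 0 and claims the value
    it reads in the ciphertext. Returns (i, a)."""
    return 0, bit(ct, 0)


def indcpa_from_bit_attacker(bit_attacker):
    """Slide 97's construction. The IND-CPA adversary chooses M0 uniformly
    and M1 = complement of M0, so (1) M0 and M1 differ in every bit position,
    whichever i the bit attacker picks, and (2) M_b is uniform for either b,
    which is exactly the distribution the bit attacker expects."""
    def choose_messages(rng):
        m0 = rng.getrandbits(BITS)
        return m0, m0 ^ MASK

    def guess(ct, m0, m1):
        i, a = bit_attacker(ct)
        # m1 differs from m0 in bit i, so a == bit i of m0 means b was 0
        return 0 if a == bit(m0, i) else 1

    return choose_messages, guess


# --- the two games -------------------------------------------------------------
def bit_game(enc, bit_attacker, rng):
    """One run of the slide-96 game; True if the attacker wins."""
    key = rng.getrandbits(BITS)
    msg = rng.getrandbits(BITS)
    i, a = bit_attacker(enc(key, msg))
    return a == bit(msg, i)


def indcpa_game(enc, adversary, rng):
    """One run of the slide-95 game; True if the attacker wins (b' == b)."""
    choose_messages, guess = adversary
    key = rng.getrandbits(BITS)
    b = rng.getrandbits(1)
    m0, m1 = choose_messages(rng)
    ct = enc(key, m1 if b else m0)
    return guess(ct, m0, m1) == b


def win_rate(game, enc, adversary, trials=2000, seed=1):
    """Empirical winning probability; seeded so the estimate is reproducible."""
    rng = random.Random(seed)
    wins = sum(game(enc, adversary, rng) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    ind = indcpa_from_bit_attacker(low_bit_attacker)
    for name, enc in [("one-time pad", otp_enc), ("leaky", leaky_enc)]:
        print(name, "bit game:", win_rate(bit_game, enc, low_bit_attacker),
              "IND-CPA game:", win_rate(indcpa_game, enc, ind))
```

The leaky cipher loses both games with certainty, while against the one-time pad the same attacker stays at about 1/2 in both games, which is the (t, ε)-preserving behaviour the proof claims.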

Zhijun Li S1034040Autumn08HIT 97

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic
• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)
• Shannon Security
  – Perfect secrecy
  – Probability
• Complexity of Computing
  – P, NP, NPC, BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography
• Due Date:


Zhijun Li S1034040Autumn08HIT 56

Zp

• Zp is the "field" of integers modulo p
  – Zp = {0, 1, 2, …, p-1}
  – Normal addition modulo p
  – Normal multiplication modulo p
• Example: Z2 (addition is XOR, multiplication is AND)

  +  | 0 1        ×  | 0 1        w | -w | w^-1
  ---+-----       ---+-----       --+----+-----
  0  | 0 1        0  | 0 0        0 |  0 |  -
  1  | 1 0        1  | 0 1        1 |  1 |  1

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

• Definition: If R is a commutative ring, then a polynomial in x over the ring R is an expression of the form f(x) = a_n x^n + a_{n-1} x^{n-1} + … + a_1 x + a_0, where each a_i ∈ R and n ≥ 0
• Note: If R is a commutative ring, the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

• Example: Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of Z2[x]
  – f(x) + g(x) = x^3 + x^2 + 1
  – f(x) - g(x) = f(x) + g(x) = x^3 + x^2 + 1
  – f(x) · g(x) = x^5 + x^4 + x^3 + x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set R[x] mod p(x)
  – p(x) is an irreducible polynomial over R
• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

• Definition: a(x), b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) - b(x))
• Example
  – In Z5[x]: 3x^3 + 4x + 4 ≡ x + 4 mod x^2 + 1
    • 3x^3 + 4x + 4 - (x + 4) = 3x^3 + 3x = 3x(x^2 + 1)
• Definition: If a(x) · b(x) ≡ 1 mod p(x), then b(x) = a^{-1}(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

• Definition: if a(x) = q(x) · b(x), then a(x) is divisible by b(x), denoted b(x) | a(x)
• Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Zhijun Li S1034040Autumn08HIT 62

Example: [Z2(x)]/(x^3+x+1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3 + x + 1
• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S
• Example
  – x^4 + 1 = x·x^3 + 1 mod p(x) = x(x+1) + 1 = x^2 + x + 1   (using x^3 ≡ x + 1 mod p(x))
• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]/(x^3+x+1) Properties

• S is a group under addition in R
  – 0 is the identity e, and the inverse of a ∈ S is a itself
  – Example: (x^2+1) + (x^2+1) = 0
• S is a group under multiplication mod p(x) (excluding 0)
  – 1 is the identity e, and the inverse of a ∈ S exists
  – Example: (x^2+1)·x = x^3 + x ≡ (x+1) + x mod x^3+x+1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse
• [Z2(x)]/(x^3+x+1) is a field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is a field Z_N (N is prime)
  – + is addition in F; · is multiplication modulo p(x)
  – p(x) is irreducible
• The Galois field over Z_N[x]/p(x) is denoted GF(N^n) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251 … 255 are wasted
• Is it possible to find a field for Z256?
  – Yes: a Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

• Build a mapping from an n-bit block to polynomials
• Example: 8-bit block
    10010111  ↔  1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0
• It is Z2[x]/p(x) where deg p(x) = 8
• Note: many cryptographic designs use binary Galois fields GF(2^n)

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example: AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1
• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Zhijun Li S1034040Autumn08HIT 68

Galois Field Example: AES

• Example: 02 · 87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ x
  • 02 · 87 ↔ x·f(x) = x·(x^7 + x^2 + x + 1) mod p(x)
             = x^8 + x·(x^2 + x + 1) mod p(x)
             = (x^4 + x^3 + x + 1) + (x^3 + x^2 + x)   (since x^8 ≡ x^4 + x^3 + x + 1 mod p(x))
             = x^4 + x^2 + 1 ↔ 00010101 = 15
• In general, for a byte b7 b6 b5 b4 b3 b2 b1 b0, multiplication by 02 is
    x·f(x) ↔ (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
    x·f(x) ↔ (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1
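Added example (not code from the slides) that carries out the Z2[x] arithmetic of the polynomial-ring, residue and AES slides above with polynomials stored as bitmasks: polynomial product, reduction modulo p(x), inversion by the extended Euclidean algorithm, and the AES "multiply by 02" bit rule. AES_POLY and TOY_POLY are the two moduli from the slides; the function names are my own.

```python
"""Arithmetic in Z2[x] and in GF(2^n) = Z2[x]/p(x) with bitmask polynomials.

Added example, not from the slides. A polynomial over Z2 is stored as an
int whose bit i is the coefficient of x^i, the same mapping the slides use
for an 8-bit block (0b10010111 is x^7 + x^4 + x^2 + x + 1).
"""

AES_POLY = 0x11B    # x^8 + x^4 + x^3 + x + 1, the AES modulus from the slides
TOY_POLY = 0b1011   # x^3 + x + 1, the slides' [Z2(x)]/(x^3+x+1) example


def degree(a):
    """Degree of the polynomial encoded by a (-1 for the zero polynomial)."""
    return a.bit_length() - 1


def poly_mul(a, b):
    """Product in Z2[x] without reduction (carry-less multiplication)."""
    result = 0
    while b:
        if b & 1:
            result ^= a      # coefficient addition in Z2 is XOR
        a <<= 1
        b >>= 1
    return result


def poly_divmod(a, p):
    """Quotient and remainder of a by p in Z2[x] (long division with XOR)."""
    q = 0
    dp = degree(p)
    while degree(a) >= dp:
        shift = degree(a) - dp
        q |= 1 << shift
        a ^= p << shift
    return q, a


def poly_mod(a, p):
    """Residue of a modulo p(x): the set-of-residues operation of the slides."""
    return poly_divmod(a, p)[1]


def gf_mul(a, b, p):
    """Multiplication in Z2[x]/p(x): multiply, then reduce."""
    return poly_mod(poly_mul(a, b), p)


def gf_inv(a, p):
    """Inverse of a modulo p by the extended Euclidean algorithm.
    Invariant: old_s * a == old_r and s * a == r (mod p)."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    old_r, r = a, p
    old_s, s = 1, 0
    while r:
        q, rem = poly_divmod(old_r, r)
        old_r, r = r, rem
        old_s, s = s, old_s ^ poly_mul(q, s)
    if old_r != 1:
        raise ValueError("gcd(a, p) != 1: p(x) is not irreducible")
    return poly_mod(old_s, p)


def all_nonzero_invertible(p):
    """True iff every nonzero residue mod p has an inverse, i.e. the residues
    form a field; this holds exactly when p(x) is irreducible."""
    try:
        return all(gf_mul(a, gf_inv(a, p), p) == 1
                   for a in range(1, 1 << degree(p)))
    except ValueError:
        return False


def xtime(b):
    """AES multiplication by 02 using the slide's bit rule: shift left and,
    if b7 was 1, XOR with 00011011 (the low byte of p(x))."""
    shifted = (b << 1) & 0xFF
    return shifted ^ 0x1B if b & 0x80 else shifted


if __name__ == "__main__":
    print(hex(gf_inv(0x53, AES_POLY)))                            # 0xca
    print(hex(xtime(0x87)), hex(gf_mul(0x02, 0x87, AES_POLY)))    # 0x15 0x15
    print(all_nonzero_invertible(TOY_POLY), all_nonzero_invertible(0b1001))
```

The last line contrasts the irreducible x^3 + x + 1 with the reducible x^3 + 1 = (x + 1)(x^2 + x + 1), whose residues are not a field.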

Zhijun Li S1034040Autumn08HIT 69

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic
• Algebraic Structures in Computing
• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai, i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1
• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi, i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1
• C = {c | c = e_k(m), k ∈ K, m ∈ M}

[Figure: Sender → Encryption (m → c) → Decryption → Receiver; the key k reaches both ends over a Secure Channel; Cryptanalysis observes c; the three spaces are labelled Key Space (K), Message Space (P), Ciphertext Space (C)]

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon (1916-2001)

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
R. G. Gallager

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}
• Pr[C = c | P = m] = Σ_{k ∈ K, m = d_k(c)} Pr[K = k]
• Pr[P = m | C = c]
    = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
    = ( Pr(m) · Σ_{k | m = d_k(c)} Pr(k) ) / ( Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)) )

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?
• Definition: An encryption scheme is Shannon secure if, for every probability distribution of P, ∀c ∀m: Pr[P = m] = Pr[P = m | C = c]
• Such a scheme is also said to have perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|
• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|, and
  – for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of the "if" direction

• Pr[X = x | Y = y] = ( Σ_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[X = x] ) / ( Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[X = d_k(y)] )
• Numerator: Σ_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|, since exactly one key maps x to y and every key has probability 1/|K|
• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[X = d_k(y)] = (1/|K|) · Σ_{k ∈ K, y ∈ C(k)} Pr[X = d_k(y)] = (1/|K|) · Σ_{x ∈ P} Pr[X = x] = 1/|K|, because as k runs over the keys with y ∈ C(k), d_k(y) runs over each x ∈ P exactly once
• Hence Pr[X = x | Y = y] = Pr[X = x]

Zhijun Li S1034040Autumn08HIT 76

Proof of the "only if" direction: unique key

• Pr[y] > 0, and Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]
• Fix x ∈ P and y ∈ C; we have Pr[y | x] = Pr[y] > 0, thus at least one key k with e_k(x) = y exists
• |{e_k(x) | k ∈ K}| = |C| = |K|
  – so there are no two keys k1 ≠ k2 with e_k1(x) = e_k2(x)
  – so there is a unique key k such that e_k(x) = y
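Added example (not from the slides) that checks the definitions of the Shannon-security slides by brute force on a constructed one-letter shift cipher: the Pr[C = c] and Pr[P = m | C = c] formulas, Shannon's condition for every c and m, the two conditions of the perfect-secrecy theorem, and the failure when keys are biased or when |K| < |P| (the "bad news" theorem). The cipher and the probability tables are assumptions made for the demonstration.

```python
"""Brute-force check of Shannon (perfect) secrecy on small ciphers.

Added example, not from the slides. It evaluates the formulas
Pr[C=c] and Pr[P=m|C=c] over the whole key and message space, and tests
Shannon's definition Pr[P=m|C=c] = Pr[P=m] for every c that can occur.
Exact Fractions are used so equality tests are exact.
"""
from fractions import Fraction
from itertools import product


def uniform(elements):
    """Probability table with Pr = 1/n for each element."""
    elements = list(elements)
    return {e: Fraction(1, len(elements)) for e in elements}


def ciphertext_dist(enc, keys, msgs):
    """Pr[C=c] = sum over (k, m) with e_k(m) = c of Pr[K=k] * Pr[P=m]."""
    dist = {}
    for k, m in product(keys, msgs):
        c = enc(k, m)
        dist[c] = dist.get(c, 0) + keys[k] * msgs[m]
    return dist


def posterior(enc, keys, msgs, m, c):
    """Pr[P=m|C=c] = Pr[C=c|P=m] * Pr[P=m] / Pr[C=c] (Bayes), where
    Pr[C=c|P=m] is the total probability of the keys mapping m to c."""
    pr_c_given_m = sum(pk for k, pk in keys.items() if enc(k, m) == c)
    return pr_c_given_m * msgs[m] / ciphertext_dist(enc, keys, msgs)[c]


def is_perfectly_secret(enc, keys, msgs):
    """Shannon's definition: posterior equals prior for every m and every
    ciphertext c with Pr[C=c] > 0."""
    return all(posterior(enc, keys, msgs, m, c) == msgs[m]
               for c in ciphertext_dist(enc, keys, msgs) for m in msgs)


def theorem_conditions_hold(enc, keys, msgs, ciphertexts):
    """The two conditions of the perfect-secrecy theorem (|K| = |P| = |C|):
    every key has probability 1/|K|, and for every (x, y) exactly one key
    k satisfies e_k(x) = y."""
    if any(p != Fraction(1, len(keys)) for p in keys.values()):
        return False
    return all(sum(1 for k in keys if enc(k, x) == y) == 1
               for x, y in product(msgs, ciphertexts))


# Constructed toy cipher: a single letter of Z_26 (A=0 ... Z=25) shifted by k.
N = 26


def shift_enc(k, m):
    return (m + k) % N


# A deliberately skewed plaintext prior (secrecy must hold for *any* prior):
# the letter E (4) has probability 1/2, every other letter 1/50.
skewed_msgs = {m: Fraction(1, 50) for m in range(N)}
skewed_msgs[4] = Fraction(1, 2)

uniform_keys = uniform(range(N))            # the one-time-pad situation
biased_keys = {k: Fraction(1, 50) for k in range(N)}
biased_keys[0] = Fraction(1, 2)             # key 0 (no shift) is favoured
few_keys = uniform(range(13))               # |K| = 13 < |P| = 26: "bad news"

if __name__ == "__main__":
    for name, keys in [("uniform keys", uniform_keys),
                       ("biased keys", biased_keys),
                       ("13 keys", few_keys)]:
        print(name, "perfect secrecy:",
              is_perfectly_secret(shift_enc, keys, skewed_msgs))
```

With uniform keys the posterior equals the skewed prior for every letter pair; favouring key 0 raises Pr[P = E | C = E] from 1/2 to 25/26, and with only 13 keys some (m, c) pairs get posterior 0.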

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 57

Polynomial Ring

bull Definition If R is a commutative ring then a polynomial in x over the ring R is an expression of the form f(x)=anxn+an-1xn-1+ hellip + a1x+a0 where each aiR and n0

bull Note If R is a commutative ring the polynomial ring R[x] is the ring formed by the set of all polynomials in x having coefficients from R

Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

bull Example Let f(x)=x3+x+1 and g(x)=x2+x be elements in Z2[x]

ndash f(x)+g(x) = x3+x2+1ndash f(x)-g(x) = f(x)+g(x) = x3+x2+1ndash f(x)g(x) = x5+x4+x3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

• There are randomized algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms

• Remarks on BPP
  – The problem is solved with a bounded error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP (the adversary is a randomized polynomial-time machine)
  – Will be analyzed in depth later
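As an added example (not from the slides) of a BPP-style algorithm and of error reduction by repetition: the Miller-Rabin primality test, where a random base exposes a composite with probability at least 3/4, so k independent rounds bound the error by 4^-k. The check values 221 = 13·17 and the Carmichael number 561 are chosen here.

```python
import random

def miller_rabin_witness(a: int, n: int) -> bool:
    """Return True if base a proves the odd integer n > 3 composite.
    False means n passed for this base: n is prime, or a is a 'strong liar'."""
    d, s = n - 1, 0
    while d % 2 == 0:            # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True                  # a square root of 1 other than +-1 exists: composite

def is_probable_prime(n: int, rounds: int = 20, seed=None) -> bool:
    """Randomized primality test in the BPP style: `rounds` independent random bases.
    'composite' is never wrong; 'prime' is wrong with probability at most 4**-rounds,
    so repeating the test drives the error down (the slide's 'reduce by repetition').
    `seed` fixes the random bases so that a run is reproducible."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if miller_rabin_witness(a, n):
            return False
    return True

def error_bound(rounds: int) -> float:
    """Upper bound on the probability that a composite survives `rounds` rounds."""
    return 4.0 ** -rounds

def passing_base_fraction(n: int) -> float:
    """Fraction of bases in [2, n-2] that do NOT expose n. For a prime this is 1.0;
    for an odd composite n > 9 the Miller-Rabin theorem bounds it by 1/4, which is
    why one round can be wrong but many rounds almost never are."""
    bases = range(2, n - 1)
    passing = sum(1 for a in bases if not miller_rabin_witness(a, n))
    return passing / len(bases)

if __name__ == "__main__":
    # Constructed check values: 221 = 13 * 17, 561 = 3 * 11 * 17 (a Carmichael number,
    # which fools the simpler Fermat test for every coprime base), and a Mersenne prime.
    for n in (221, 561, 2**61 - 1):
        print(n, is_probable_prime(n, rounds=10, seed=1))
    print("bases passing for 221:", passing_base_fraction(221))
    print("error bound after 10 rounds:", error_bound(10))
```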

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)

• DLP: Find x satisfying [base]^x ≡ [value] (mod p)

• DHP: Find [base]^(ab) (mod p) from [base]^a (mod p) and [base]^b (mod p)

• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: Decide whether a is a quadratic residue modulo n

• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Zhijun Li S1034040Autumn08HIT 93

Semantic Security

• Ideas of semantic security
  – Lies between Shannon security and security based on complexity
  – Concerned with the leakage of partial information, not only full plaintext recovery
  – Approximates perfect secrecy

• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish a ciphertext from random bits

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

• The game (Challenger vs. Adversary)
  – Challenger: picks random k and random b ∈ {0,1}
  – Adversary: picks M0, M1 of equal length (it may also ask for encryptions of plaintexts of its choice)
  – Challenger: returns C = E(k, Mb); Adversary: outputs a guess b'
  – Attacker wins the game if b = b'

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

• The game (Challenger vs. Adversary)
  1. Challenger picks random k
  2. Challenger picks random M
  3. Adversary picks i (and receives C = E(k, M))
  – Attacker wins the game if its guess a = the i-th bit of M

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security: pick M0 and M1 that differ only in bit i, hand the challenge ciphertext to the bit attacker, and output its guess for bit i as b'
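The IND-CPA game of the slide above and the reduction of this proof, as an added example (not the lecture's code): a toy deterministic cipher (plaintext XOR a reused key, constructed here) loses the game to an adversary that simply re-queries M0, a randomized cipher (HMAC-SHA256 assumed as a PRF, fresh nonce per message) does not, and a bit attacker is turned mechanically into an IND-CPA attacker by choosing M0 and M1 that differ only in bit i.

```python
import hashlib
import hmac
import random

BLOCK = 16   # plaintext length in bytes for this toy game

def _rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def det_encrypt(k: bytes, m: bytes, rng: random.Random) -> bytes:
    """Toy deterministic cipher (constructed for this example, not a real design):
    c = m XOR k with the same key for every message, so equal plaintexts give
    equal ciphertexts. rng is unused; it only keeps the signatures uniform."""
    return _xor(m, k)

def rand_encrypt(k: bytes, m: bytes, rng: random.Random) -> bytes:
    """Randomized cipher: fresh nonce r per message, keystream HMAC-SHA256(k, r)
    (HMAC assumed to behave as a PRF). c = r || (m XOR keystream)."""
    r = _rand_bytes(rng, BLOCK)
    keystream = hmac.new(k, r, hashlib.sha256).digest()[:len(m)]
    return r + _xor(m, keystream)

def ind_cpa_game(encrypt, choose, guess, rng: random.Random) -> bool:
    """One run of the IND-CPA game: the challenger picks k and b; the adversary picks
    (M0, M1) of equal length, receives C = E_k(M_b) and outputs b'. Both adversary
    steps get an encryption oracle for the challenge key (the chosen-plaintext
    capability). Returns True when the adversary wins (b' == b)."""
    k = _rand_bytes(rng, BLOCK)
    b = rng.getrandbits(1)
    oracle = lambda m: encrypt(k, m, rng)
    m0, m1 = choose(oracle)
    if len(m0) != len(m1):
        raise ValueError("M0 and M1 must have equal length")
    c = oracle(m1 if b else m0)
    return guess(oracle, c) == b

# Adversary 1: re-encrypt M0 through the oracle and compare with the challenge.
def replay_choose(oracle):
    return b"\x00" * BLOCK, b"\xff" * BLOCK

def replay_guess(oracle, c) -> int:
    return 0 if oracle(b"\x00" * BLOCK) == c else 1

def win_rate(encrypt, choose, guess, trials: int = 400, seed: int = 7) -> float:
    """Fraction of games won over `trials` runs with a fixed seed (reproducible)."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_game(encrypt, choose, guess, rng) for _ in range(trials))
    return wins / trials

# The reduction behind the theorem: any bit attacker yields an IND-CPA attacker.
def indcpa_from_bit_attacker(bit_attacker, i: int):
    """bit_attacker(oracle, c, i) -> guessed bit i of the plaintext behind c.
    M0 and M1 differ only in bit i (0 in M0, 1 in M1), so the guessed bit is b'."""
    m0 = b"\x00" * BLOCK
    m1 = bytes((0x80 >> (i % 8)) if j == i // 8 else 0 for j in range(BLOCK))
    def choose(oracle):
        return m0, m1
    def guess(oracle, c):
        return bit_attacker(oracle, c, i)
    return choose, guess

def keystream_bit_attacker(oracle, c: bytes, i: int) -> int:
    """Bit attacker against det_encrypt: encrypting all-zero bytes returns k itself,
    so the attacker decrypts c and reads off bit i."""
    k = oracle(b"\x00" * BLOCK)
    m = _xor(c, k)
    return (m[i // 8] >> (7 - i % 8)) & 1

if __name__ == "__main__":
    print("replay vs deterministic   :", win_rate(det_encrypt, replay_choose, replay_guess))
    print("replay vs randomized      :", win_rate(rand_encrypt, replay_choose, replay_guess))
    choose, guess = indcpa_from_bit_attacker(keystream_bit_attacker, 13)
    print("reduction vs deterministic:", win_rate(det_encrypt, choose, guess))
```

The first and third rates are exactly 1.0; the second stays near 0.5, since with a fresh nonce the oracle's answer never matches the challenge and the adversary is reduced to a fixed guess.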

Zhijun Li S1034040Autumn08HIT 97

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date


Zhijun Li S1034040Autumn08HIT 58

Polynomial Ring Example

• Example: Let f(x) = x^3+x+1 and g(x) = x^2+x be elements of Z2[x]
  – f(x)+g(x) = x^3+x^2+1
  – f(x)−g(x) = f(x)+g(x) = x^3+x^2+1
  – f(x)·g(x) = x^5+x^4+x^3+x

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

• Definition: The set of residues modulo p(x) of R[x] is the set of all f(x) mod p(x) for f(x) ∈ R[x]
  – p(x) is an irreducible polynomial over R

• The set of residues modulo p(x) of R[x] is denoted R[x]/p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

• Definition: a(x) and b(x) are congruent modulo p(x), written a(x) ≡ b(x) mod p(x), iff p(x) | (a(x) − b(x))

• Example
  – In Z5[x]: 3x^3+4x+4 ≡ x+4 mod x^2+1
    • 3x^3+4x+4 − (x+4) = 3x^3+3x = 3x(x^2+1)

• Definition: If a(x)·b(x) ≡ 1 mod p(x), then b(x) = a^(-1)(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

• Definition: If a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted b(x) | a(x)

• Definition: A polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with 0 < deg b(x) < deg a(x) and b(x) | a(x)

Zhijun Li S1034040Autumn08HIT 62

Example: Z2[x]/(x^3+x+1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3+x+1

• For any f(x) ∈ Z2[x]: f(x) mod p(x) ∈ S

• Example
  – x^4+1 = x·x^3+1 mod p(x) = x(x+1)+1 = x^2+x+1

• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Zhijun Li S1034040Autumn08HIT 63

Z2[x]/(x^3+x+1) Properties

• S is a group under addition in R
  – 0 is the identity e, and the inverse of a ∈ S is a itself
  – Example: (x^2+1) + (x^2+1) = 0

• S without 0 is a group under multiplication mod p(x)
  – 1 is the identity e, and every non-zero a ∈ S has an inverse
  – Example: (x^2+1)·x = x^3+x ≡ (x+1)+x mod x^3+x+1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse

• Z2[x]/(x^3+x+1) is a field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is the field Z_N (N prime)
  – + is addition in F[x]; · is multiplication modulo p(x)
  – p(x) is irreducible

• The Galois field Z_N[x]/p(x) is denoted GF(N^n), where n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field?

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted

• Is it possible to find a field for Z256?
  – Yes – a Galois field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

• Build a mapping from n-bit blocks to polynomials
• Example: 8-bit block
    10010111 ↔ 1·x^7+0·x^6+0·x^5+1·x^4+0·x^3+1·x^2+1·x^1+1·x^0

• It is Z2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example: AES

• Operations in AES use GF(2^8) = Z2[x]/p(x) where p(x) = x^8+x^4+x^3+x+1

• Example
  – 01010011 ↔ x^6+x^4+x+1
  – (01010011)^(-1) ↔ (x^6+x^4+x+1)^(-1) mod p(x) = x^7+x^6+x^3+x ↔ 11001010

Zhijun Li S1034040Autumn08HIT 68

Galois Field Example: AES

• Example: compute 02·87
  • 87 = 10000111 ↔ f(x) = x^7+x^2+x+1
  • 02 = 00000010 ↔ x
  • 02·87 ↔ x·f(x) = x(x^7+x^2+x+1) mod p(x) = x^8 + x(x^2+x+1) mod p(x)

• In general, for a byte b7 b6 b5 b4 b3 b2 b1 b0:
    x·f(x) (= 02·f) = (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
    x·f(x) (= 02·f) = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1
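As an added example (not code from the lecture), the arithmetic of the last few slides in code: polynomials over Z2 as bit masks, reduction modulo p(x), the AES "02·f" rule, and inverses by the extended Euclidean algorithm, checked against the slides' own values (x^4+1 mod x^3+x+1, (x^2+1)·x = 1, and (01010011)^-1 = 11001010).

```python
# Polynomials over Z2 are stored as Python ints: bit i is the coefficient of x^i,
# so the slide's 10010111 is x^7+x^4+x^2+x+1.

AES_POLY = 0x11B    # x^8 + x^4 + x^3 + x + 1, the AES modulus from the slide
P3_POLY = 0b1011    # x^3 + x + 1, the modulus of the 8-element field on the slide

def poly_degree(a: int) -> int:
    """Degree of the polynomial a(x); -1 for the zero polynomial."""
    return a.bit_length() - 1

def poly_mul(a: int, b: int) -> int:
    """Plain product in Z2[x] (carry-less multiplication), no reduction."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result

def poly_divmod(a: int, b: int):
    """Long division in Z2[x]: returns (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while poly_degree(a) >= poly_degree(b):
        shift = poly_degree(a) - poly_degree(b)
        q ^= 1 << shift          # next term of the quotient
        a ^= b << shift          # subtract (XOR) the shifted divisor
    return q, a

def gf_reduce(a: int, poly: int) -> int:
    """a(x) mod p(x): maps any polynomial into the residue set S (deg < deg p)."""
    return poly_divmod(a, poly)[1]

def gf_add(a: int, b: int) -> int:
    """Addition in GF(2^n) is coefficient-wise XOR; every element is its own inverse."""
    return a ^ b

def gf_mul(a: int, b: int, poly: int) -> int:
    """a(x)*b(x) mod p(x) by shift-and-add. Multiplying by x is a left shift; when
    the shifted value reaches degree n the modulus is subtracted, which for AES is
    the slide's rule: (b6..b0 0) if b7 = 0, (b6..b0 0) XOR 00011011 if b7 = 1."""
    n = poly_degree(poly)
    a, b = gf_reduce(a, poly), gf_reduce(b, poly)
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= poly
    return result

def xtime(a: int) -> int:
    """The AES byte operation 02 * a, written out as the two cases on the slide."""
    a <<= 1
    if a & 0x100:               # b7 was 1: replace the x^8 term by x^4+x^3+x+1
        a ^= AES_POLY
    return a & 0xFF

def gf_inv(a: int, poly: int) -> int:
    """Multiplicative inverse via the extended Euclidean algorithm on polynomials
    (the method the slide names). Invariant: old_r = old_s*a and r = s*a (mod p)."""
    old_r, r = poly, gf_reduce(a, poly)
    old_s, s = 0, 1
    while r != 1:
        if r == 0:
            raise ValueError("no inverse: a is 0 or p(x) is not irreducible")
        q, rem = poly_divmod(old_r, r)
        old_r, r = r, rem
        old_s, s = s, gf_add(old_s, gf_mul(q, s, poly))
    return s

if __name__ == "__main__":
    print(hex(gf_inv(0x53, AES_POLY)))            # the slide's (01010011)^-1
    print(hex(gf_mul(0x53, 0xCA, AES_POLY)))      # product of an element and its inverse
    print(hex(gf_mul(0x02, 0x87, AES_POLY)), hex(xtime(0x87)))
    print(bin(gf_mul(0b101, 0b010, P3_POLY)))     # (x^2+1)*x in Z2[x]/(x^3+x+1)
```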

Zhijun Li S1034040Autumn08HIT 69

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {ai | i = 1, 2, …, N}, p(ai) ≥ 0, Σ_{i=1}^{N} p(ai) = 1

• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {bi | i = 1, 2, …, S}, p(bi) ≥ 0, Σ_{i=1}^{S} p(bi) = 1

• C = {c | c = ek(m), k ∈ K, m ∈ M}

[Figure: Sender → m → Encryption → c → Decryption → m → Receiver; the key k is delivered over a Secure Channel; Cryptanalysis observes c. Spaces: Key Space (K), Message Space (P), Ciphertext Space (C)]

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager

Claude Shannon, 1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

• Pr[C = c] = Σ_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[P = dk(c)]
  – C(k) = {ek(m) | m ∈ P}

• Pr[C = c | P = m] = Σ_{k ∈ K, m = dk(c)} Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = (Pr(m) · Σ_{k | m = dk(c)} Pr(k)) / Σ_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  – How to define "information"?

• Definition: An encryption scheme is Shannon secure if, for the given probability distribution on P, for all c and all m: Pr[P = m] = Pr[P = m | C = c]
  • Such a scheme is also said to have perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of the "if" direction

• Pr[X = x | Y = y] = Σ_{k ∈ K, x = dk(y)} Pr[K = k] · Pr[X = x] / Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[X = dk(y)]

• Numerator: exactly one key maps x to y and every key has probability 1/|K|, so Σ_{k ∈ K, x = dk(y)} Pr[K = k] = 1/|K|

• Denominator: Σ_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[X = dk(y)] = 1/|K| · Σ_{k ∈ K, y ∈ C(k)} Pr[X = dk(y)] = 1/|K| · Σ_{x ∈ P} Pr[X = x] = 1/|K|

• Hence Pr[X = x | Y = y] = Pr[X = x]

Zhijun Li S1034040Autumn08HIT 76

Proof of the "only if" direction (1)

• Pr[y] > 0 for every y ∈ C
• Pr[x | y] = Pr[x] ⇒ Pr[y | x] = Pr[y]

• Fix x ∈ P and y ∈ C: we have Pr[y | x] = Pr[y] > 0, thus there exists at least one k with ek(x) = y

• |{ek(x) | k ∈ K}| = |C| = |K|
  – There are no k1 ≠ k2 with ek1(x) = ek2(x)
  – So there is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of the "only if" direction (2)

• Let n = |K| and P = {xi | 1 ≤ i ≤ n}

• Given a fixed y, let k1, k2, …, kn be the keys with e_{ki}(xi) = y

• Pr[xi | y] = Pr[y | xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]

• Pr[xi | y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|

Zhijun Li S1034040Autumn08HIT 78

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a probability distribution on P in which every message has non-zero probability
  – Given any C = c, for every m: Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
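An added example (not from the slides) that evaluates the formulas for Pr[C = c] and Pr[P = m | C = c] exactly with fractions for a shift cipher and searches for a message/ciphertext pair that breaks Shannon's condition. The three constructed scenarios illustrate the theorem (uniform keys with |K| = |P| = |C|), its first condition failing (biased keys), and the |K| ≥ n bound (two letters under one key).

```python
from fractions import Fraction

def make_shift_cipher(alphabet_size: int):
    """Shift cipher on tuples of symbols in Z_N: every position shifted by the same key."""
    def encrypt(k, m):
        return tuple((x + k) % alphabet_size for x in m)
    return encrypt

def uniform(items):
    """Uniform distribution over items, as exact fractions."""
    items = list(items)
    return {item: Fraction(1, len(items)) for item in items}

def ciphertext_distribution(encrypt, p_key, p_msg):
    """Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] * Pr[P = m]."""
    pr_c = {}
    for k, pk in p_key.items():
        for m, pm in p_msg.items():
            c = encrypt(k, m)
            pr_c[c] = pr_c.get(c, Fraction(0)) + pk * pm
    return pr_c

def posterior(encrypt, p_key, p_msg, m, c, pr_c=None):
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c], where
    Pr[C = c | P = m] is the total probability of the keys mapping m to c."""
    if pr_c is None:
        pr_c = ciphertext_distribution(encrypt, p_key, p_msg)
    pr_c_given_m = sum((pk for k, pk in p_key.items() if encrypt(k, m) == c), Fraction(0))
    return pr_c_given_m * p_msg[m] / pr_c[c]

def find_leak(encrypt, p_key, p_msg):
    """Search for a violation of Shannon's condition Pr[P = m | C = c] = Pr[P = m].
    Returns None if the scheme is perfectly secret for this distribution, else
    (m, c, posterior, prior) for the first pair where the ciphertext shifts the belief."""
    pr_c = ciphertext_distribution(encrypt, p_key, p_msg)
    for c in pr_c:                       # only ciphertexts with Pr[C = c] > 0 occur
        for m, prior in p_msg.items():
            post = posterior(encrypt, p_key, p_msg, m, c, pr_c)
            if post != prior:
                return m, c, post, prior
    return None

def is_perfectly_secret(encrypt, p_key, p_msg) -> bool:
    return find_leak(encrypt, p_key, p_msg) is None

# Constructed scenarios (single letters are 1-tuples so one encrypt() serves all)
def single_letter_uniform_key():
    """|K| = |P| = |C| = 26 with uniform keys: both conditions of the theorem hold,
    even though the plaintext distribution is heavily skewed towards letter 0."""
    enc = make_shift_cipher(26)
    p_msg = {(0,): Fraction(1, 2)}
    p_msg.update({(i,): Fraction(1, 50) for i in range(1, 26)})   # 1/2 + 25/50 = 1
    return enc, uniform(range(26)), p_msg

def single_letter_biased_key():
    """Same cipher, but key 0 is chosen half of the time: condition 1 fails."""
    enc, _, p_msg = single_letter_uniform_key()
    p_key = {0: Fraction(1, 2)}
    p_key.update({k: Fraction(1, 50) for k in range(1, 26)})
    return enc, p_key, p_msg

def two_letters_one_key(alphabet_size: int = 7):
    """One key for a 2-symbol message: |K| = N < |P| = N^2, so by the 'bad news'
    theorem perfect secrecy is impossible (c1 - c2 reveals m1 - m2)."""
    enc = make_shift_cipher(alphabet_size)
    msgs = [(a, b) for a in range(alphabet_size) for b in range(alphabet_size)]
    return enc, uniform(range(alphabet_size)), uniform(msgs)

if __name__ == "__main__":
    for name, scenario in [("uniform key", single_letter_uniform_key()),
                           ("biased key", single_letter_biased_key()),
                           ("two letters, one key", two_letters_one_key())]:
        print(name, "->", find_leak(*scenario))
```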

Zhijun Li S1034040Autumn08HIT 79

Introduction to Complexity

• Perfect secrecy: key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – E.g. using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – but security under limited resources (complexity)
  – meaning that key (or plaintext) recovery is computationally difficult
  – Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Zhijun Li S1034040Autumn08HIT 81

Turing Machine

• Definition: A Turing Machine is given by a transition function S×B → S×B×{l, r}
  – where S is the set of states, B the set of characters, l is shift left, r is shift right

[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]

Zhijun Li S1034040Autumn08HIT 82

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answer for all instances of the problem

Zhijun Li S1034040Autumn08HIT 83

Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; an instance is the Input of an ALGORITHM, whose Output is the answer]

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

• Definition: The time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 59

Set of Residues Modulo p(x)

bull Definition A set of residues modulo p(x) of R[x] is the set of R[x] mod p(x)ndash p(x) is a irreducible polynomial over R

bull A set of residues modulo p(x) of R[x] is denoted as R[x]p(x)

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

bull Definition if a(x)=q(x)b(x) then a(x) is divisible by b(x) and denoted as b(x)|a(x)

bull Definition a polynomial a(x) is irreducible over a R if there is NO polynomials b(x)R[x] with deg b(x) lt deg a(x) b(x)a(x)

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 60

Congruent Polynomials

bull Definition a(x)b(x) are congruent modulo p(x) or a(x) b(x) mod p(x) iff p(x)|(a(x)-b(x))

bull Example

ndash Z5[x] 3x3+4x+4 x+4 mod x2+1bull 3x3+4x+4 ndash (x+4) = 3x3+3x = 3x(x2+1)

bull Definition If a(x)b(x) 1 mod p(x) then b(x)=a-1(x) mod p(x)

Zhijun Li S1034040Autumn08HIT 61

Irreducible Polynomials

• Definition: if a(x) = q(x)·b(x), then a(x) is divisible by b(x), denoted as b(x) | a(x)

• Definition: a polynomial a(x) is irreducible over a ring R if there is NO polynomial b(x) ∈ R[x] with deg b(x) < deg a(x) and b(x) | a(x)

Zhijun Li S1034040Autumn08HIT 62

Example: Z2[x]/(x^3+x+1)

• S = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• p(x) = x^3+x+1

• For any f(x) ∈ Z2[x], f(x) mod p(x) ∈ S

• Example
  – x^4+1 = x·x^3+1 mod p(x) = x(x+1)+1 = x^2+x+1

• Note: R[x]/p(x), when p(x) is irreducible, is the set of all polynomials f(x) ∈ R[x] with deg f(x) < deg p(x)

Zhijun Li S1034040Autumn08HIT 63

Z2[x]/(x^3+x+1) Properties

• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2+1) + (x^2+1) = 0

• S is a group over multiplication mod p(x)
  – 1 is e, and the inverse of a ∈ S exists
  – Example: (x^2+1)·x = x^3+x ≡ x+1+x mod x^3+x+1 = 1
  – Note: the Extended Euclidean Algorithm can be used to find the inverse

• Z2[x]/(x^3+x+1) is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is a field ZN (N is prime)
  – + is addition in F, · is multiplication modulo p(x)
  – p(x) is irreducible

• The Galois field over ZN[x]/p(x) is denoted as GF(N^n) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251 … 255 are wasted

• Is it possible to find a field for Z256?
  – Yes: the Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

• Build a mapping from an n-bit block to polynomials
• Example: 8-bit block

    10010111  ↔  1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

• AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
  – 01010011 ↔ x^6+x^4+x+1
  – (01010011)^-1 ↔ (x^6+x^4+x+1)^-1 mod p(x) = x^7+x^6+x^3+x ↔ 11001010

Zhijun Li S1034040Autumn08HIT 68

Galois Field Example: AES

• Example: 02·87 = ?
  • 87 = 10000111 ↔ f(x) = x^7+x^2+x+1
  • 02 = 00000010 ↔ f(x) = x
  • 02·87 ↔ x·f(x) = x(x^7+x^2+x+1) mod p(x) = x^8 + x(x^2+x+1) mod p(x)

• In general, for f(x) ↔ (b7 b6 b5 b4 b3 b2 b1 b0):
  x·f(x) (i.e. 02·f) = (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
  x·f(x) (i.e. 02·f) = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1
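To make the polynomial arithmetic of slides 60–68 concrete, here is an added Python example; it is not code from the lecture or from any AES implementation. A polynomial over Z2 is encoded as an int whose bit i is the coefficient of x^i, and the module implements reduction modulo p(x), multiplication, the extended-Euclidean inverse that slide 63 mentions, an irreducibility test by trial division following slide 61's definition, and the 02·f shift-and-XOR rule of slide 68. The constants GF8_POLY and AES_POLY and all function names are this example's own.

```python
"""Binary Galois field arithmetic GF(2^n) = Z2[x]/(p(x)), added as an illustration
of slides 60-68.  A polynomial over Z2 is stored as an int whose bit i is the
coefficient of x^i, so 0b1011 encodes x^3 + x + 1.  Adding coefficients mod 2
is XOR, which is why every "subtraction" below is a ^ operation.
"""

GF8_POLY = 0b1011          # x^3 + x + 1, the modulus of the slide's Z2[x]/(x^3+x+1)
AES_POLY = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def poly_deg(a: int) -> int:
    """Degree of the polynomial encoded by a; the zero polynomial gets -1."""
    return a.bit_length() - 1


def poly_divmod(a: int, b: int) -> tuple:
    """Long division in Z2[x]: return (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, poly_deg(b)
    while poly_deg(a) >= db:
        shift = poly_deg(a) - db
        q ^= 1 << shift          # next quotient term x^shift
        a ^= b << shift          # subtract x^shift * b(x)
    return q, a


def poly_mod(a: int, p: int) -> int:
    """Canonical representative of a modulo p (slide 60: a ≡ r mod p iff p | a - r)."""
    return poly_divmod(a, p)[1]


def clmul(a: int, b: int) -> int:
    """Carry-less multiplication: the product in Z2[x] with no reduction."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def gf_mul(a: int, b: int, p: int) -> int:
    """Multiplication in GF(2^n): multiply in Z2[x], then reduce modulo p(x)."""
    return poly_mod(clmul(a, b), p)


def gf_inv(a: int, p: int) -> int:
    """Multiplicative inverse by the extended Euclidean algorithm over Z2[x].
    Invariant for both tracked rows: r_i ≡ t_i * a (mod p)."""
    a = poly_mod(a, p)
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1, t0, t1 = p, a, 0, 1
    while r1 != 1:
        if r1 == 0:
            raise ValueError("a and p share a factor: p(x) is not irreducible")
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ clmul(q, t1)   # t0 - q*t1, XOR as subtraction
    return poly_mod(t1, p)


def is_irreducible(p: int) -> bool:
    """Slide 61: p has no divisor b with 1 <= deg b <= deg p / 2 (trial division)."""
    d = poly_deg(p)
    return all(poly_divmod(p, b)[1] != 0 for b in range(2, 1 << (d // 2 + 1)))


def is_field(p: int) -> bool:
    """Slide 63's check: every nonzero residue has an inverse that multiplies back to 1."""
    n = poly_deg(p)
    try:
        return all(gf_mul(a, gf_inv(a, p), p) == 1 for a in range(1, 1 << n))
    except ValueError:
        return False


def xtime(b: int) -> int:
    """Slide 68's rule for 02 * b in the AES field: shift left, XOR 00011011 if b7 was set."""
    shifted = (b << 1) & 0xFF
    return shifted ^ 0b00011011 if b & 0x80 else shifted
```

Running it reproduces the slides' examples: x^4+1 reduces to x^2+x+1 modulo x^3+x+1, x is the inverse of x^2+1 there, 11001010 is the inverse of 01010011 in the AES field, and xtime agrees with full multiplication by 02 on every byte. The inverse is only defined because p(x) is irreducible; with a reducible modulus such as x^3+1 the Euclidean loop hits a zero remainder and is_field reports False, which is the practical reason the field polynomial of a cipher is never a free design choice.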

Zhijun Li S1034040Autumn08HIT 69

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

• P = M^L = { m = (m1, m2, …, mL) | mi ∈ M }
  – M = { ai | i = 1, 2, …, N }, p(ai) ≥ 0, ∑_{i=1}^{N} p(ai) = 1

• K = B^R = { b = (b1, b2, …, bR) | bi ∈ B }
  – B = { bi | i = 1, 2, …, S }, p(bi) ≥ 0, ∑_{i=1}^{S} p(bi) = 1

• C = { c | c = e_k(m), k ∈ K, m ∈ M }

[Figure: Sender → Encryption → c → Decryption → Receiver; the key k reaches both ends over a Secure Channel, and a Cryptanalysis box observes c. Labels: Message Space (P), Key Space (K), Ciphertext Space (C)]

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."

(R. G. Gallager)

Claude Shannon, 1916–2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

• Pr[C = c] = ∑_{k ∈ K, c ∈ C(k)} Pr[K = k] · Pr[m = d_k(c)]
  – C(k) = { e_k(m) | m ∈ P }

• Pr[C = c | P = m] = ∑_{k ∈ K, m = d_k(c)} Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m] · Pr[P = m] / Pr[C = c]
  = ( Pr(m) · ∑_{k | m = d_k(c)} Pr(k) ) / ( ∑_{k ∈ K, c ∈ C(k)} Pr(k) · Pr(d_k(c)) )

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

• Basic Idea: the ciphertext should provide no "information" about the plaintext
  – How to define the "information"?

• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P, for all c and all m: Pr[P = m] = Pr[P = m | C = c]

• Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of ⇐

• Pr[x = x | y = y] = ( ∑_{k ∈ K, x = d_k(y)} Pr[K = k] · Pr[x = x] ) / ( ∑_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)] )

• ∑_{k ∈ K, x = d_k(y)} Pr[K = k] = 1/|K|   (exactly one key maps x to y, and every key has probability 1/|K|)

• ∑_{k ∈ K, y ∈ C(k)} Pr[K = k] · Pr[x = d_k(y)] = (1/|K|) ∑_{k ∈ K, y ∈ C(k)} Pr[x = d_k(y)] = (1/|K|) ∑_{x ∈ P} Pr[x = x] = 1/|K|

• Hence Pr[x = x | y = y] = (1/|K|) · Pr[x = x] / (1/|K|) = Pr[x = x], which is perfect secrecy

Zhijun Li S1034040Autumn08HIT 76

Proof of ⇒

• Pr[y] > 0
• Pr[x|y] = Pr[x] ⇔ Pr[y|x] = Pr[y]

• Fix x ∈ P, y ∈ C; we have Pr[y|x] = Pr[y] > 0, thus there exists at least one k that satisfies e_k(x) = y

• |{ e_k(x) | k ∈ K }| = |C| = |K|
  – There are no two keys k1 ≠ k2 with e_k1(x) = e_k2(x)
  – There is a unique key k such that e_k(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of ⇒

• Let n = |K| and P = { xi | 1 ≤ i ≤ n }

• Given a fixed y, assume k1, k2, …, kn where e_ki(xi) = y

• Pr[xi|y] = Pr[y|xi] · Pr[xi] / Pr[y] = Pr[K = ki] · Pr[xi] / Pr[y]

• Pr[xi|y] = Pr[xi] ⇒ Pr[K = ki] = Pr[y]
  – Every key is used with equal probability 1/|K|

Zhijun Li S1034040Autumn08HIT 78

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a nonzero probability distribution on P
  – Given any C = c, for every m, Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
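The probabilities of slides 72–78 can be computed exactly for a small cipher. The following is an added Python example, not the lecture's code: it takes a shift cipher on Z4 with a constructed, deliberately skewed plaintext distribution, evaluates Pr[C = c] and Pr[P = m | C = c] by the sums on slide 72, tests Shannon's condition from slide 73, and separately tests the two conditions of the theorem on slide 74. The distributions MSG_DIST, UNIFORM_KEYS, SKEWED_KEYS and SMALL_KEYS are constructed for the example.

```python
"""Exact ciphertext distribution and Shannon's perfect-secrecy condition for a
toy shift cipher on Z_4.  Added illustration of slides 72-78, not lecture code.
Probabilities are Fractions, so every equality test below is exact.
"""
from fractions import Fraction
from itertools import product

N = 4  # plaintext, key and ciphertext spaces are all Z_4 in this toy cipher


def shift_encrypt(k: int, m: int) -> int:
    """e_k(m) = m + k mod N, so d_k(c) = c - k mod N."""
    return (m + k) % N


# Constructed distributions.  The plaintext distribution is deliberately skewed:
# perfect secrecy must hold for every plaintext distribution, so a non-uniform
# one is the interesting test case.
MSG_DIST = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
UNIFORM_KEYS = {k: Fraction(1, N) for k in range(N)}     # theorem's condition 1 holds
SKEWED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}
SMALL_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 2)}     # |K| = 2 < |P| = 4


def ciphertext_distribution(enc, msg_dist, key_dist) -> dict:
    """Slide 72: Pr[C = c] = sum over (k, m) with e_k(m) = c of Pr[K = k] * Pr[P = m]."""
    pc = {}
    for (m, pm), (k, pk) in product(msg_dist.items(), key_dist.items()):
        c = enc(k, m)
        pc[c] = pc.get(c, Fraction(0)) + pm * pk
    return pc


def posterior(enc, msg_dist, key_dist, m: int, c: int) -> Fraction:
    """Slide 72: Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c]."""
    p_c = ciphertext_distribution(enc, msg_dist, key_dist)[c]
    p_c_given_m = sum((pk for k, pk in key_dist.items() if enc(k, m) == c), Fraction(0))
    return p_c_given_m * msg_dist[m] / p_c


def has_perfect_secrecy(enc, msg_dist, key_dist) -> bool:
    """Slide 73: Pr[P = m | C = c] == Pr[P = m] for every m and every c with Pr[C = c] > 0."""
    pc = ciphertext_distribution(enc, msg_dist, key_dist)
    return all(posterior(enc, msg_dist, key_dist, m, c) == pm
               for c in pc for m, pm in msg_dist.items())


def satisfies_theorem_conditions(enc, msgs, key_dist) -> bool:
    """Slide 74: every key has probability 1/|K|, and for each pair (x, y)
    exactly one key satisfies e_k(x) = y."""
    keys = list(key_dist)
    if any(pk != Fraction(1, len(keys)) for pk in key_dist.values()):
        return False
    ciphertexts = {enc(k, x) for k in keys for x in msgs}
    return all(sum(1 for k in keys if enc(k, x) == y) == 1
               for x in msgs for y in ciphertexts)
```

With uniform keys and |K| = |P| = |C| = 4 both checks pass. With the skewed key distribution Pr[P = 0 | C = 0] rises to 3/4 against a prior of 1/2, so the ciphertext leaks. With only two keys the "bad news" theorem shows up directly: for a given ciphertext some plaintexts have posterior probability 0, which is exactly the Pr[P = m | C = c] = 0 case that the proof on slide 78 rules out.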

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

• Perfect Secrecy: key-length ≥ msg-length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Means that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Zhijun Li S1034040Autumn08HIT 81

Turing Machine

• Definition: A Turing Machine is a transition function S × B → S × B × {l, r}
  – where S is the set of states, B is the set of tape characters, l is shift left, r is shift right

[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]

Zhijun Li S1034040Autumn08HIT 82

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Zhijun Li S1034040Autumn08HIT 83

Problems and Algorithms

[Figure: a PROBLEM has many INSTANCES; an ALGORITHM takes an instance as Input and produces the Output]

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem

• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: A B
  – NP – can be solved in polynomial time using a NDTM: S × B → 2^(S × B × {l, r})
  – BPP – can be "solved" in polynomial time using a PTM: S × B × {0, 1} → S × B × {l, r} (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

• NP (⊇ P): A problem is solved by the NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P Problem ⊆ NP Problem
  – NP Problem is "more difficult" from intuition

• NPC: The most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are the 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
  – Q2 is more complex than Q1
  – Denoted as Q1 ≤poly Q2

Zhijun Li S1034040Autumn08HIT 89

NP Completeness (NPC)

• Definition: The NPC problem is the Qc such that for any Q ∈ NP we have Q ≤poly Qc

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC
  – SAT ≤poly Q

Zhijun Li S1034040Autumn08HIT 90

P=NP

• P = NP, or there exists p ∈ NP with p ∉ P

• If P = NP
  – Modern cryptography is NOT secure

• If there exists p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms

• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 ··· pk^ek)

• DLP: Find x satisfying x (mod p)

• DHP: Find ab (mod p) from a (mod p) and b (mod p)

• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: Decide whether a is a quadratic residue modulo n

• SQROOT: Find x satisfying x^2 ≡ a (mod n)
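As an added example (not the lecture's code) of the distinction drawn on slides 86–89, here are two of the problems just listed, in Python: a polynomial-time verifier and an exponential-time search for Subset-Sum, and QRP decided by Euler's criterion when the modulus is prime versus brute force otherwise. The instance A = [3, 34, 4, 12, 5, 2] and the moduli used in the checks are constructed for the example.

```python
"""Subset-Sum and QRP from slide 92, added to make the P / NP distinction of
slides 86-89 concrete.  Not lecture code.  Subset-Sum has a linear-time
verifier (so it is in NP) but the only solver here is exhaustive search; QRP
modulo a prime is decided in polynomial time by Euler's criterion, while for a
composite modulus this example can only try every x.
"""
from itertools import combinations
from math import gcd


def subset_sum_verify(A, s, certificate) -> bool:
    """NP verifier: check in O(n) that the proposed index set selects distinct
    elements of A that sum to s.  Every 'YES' instance has such a certificate."""
    if len(set(certificate)) != len(certificate):
        return False
    if any(not 0 <= i < len(A) for i in certificate):
        return False
    return sum(A[i] for i in certificate) == s


def subset_sum_search(A, s):
    """Decide Subset-Sum by trying all 2^n subsets (exponential time).
    Returns a certificate for a 'YES' instance, or None for a 'NO' instance."""
    for r in range(len(A) + 1):
        for idx in combinations(range(len(A)), r):
            if sum(A[i] for i in idx) == s:
                return list(idx)
    return None


def is_qr_bruteforce(a: int, n: int) -> bool:
    """QRP by trying every x in Z_n: exponential in the bit length of n."""
    a %= n
    return any(x * x % n == a for x in range(n))


def is_qr_prime(a: int, p: int) -> bool:
    """Euler's criterion for prime p and gcd(a, p) = 1: a is a quadratic
    residue iff a^((p-1)/2) ≡ 1 (mod p).  One modular exponentiation, so
    polynomial in the bit length of p."""
    if gcd(a, p) != 1:
        raise ValueError("Euler's criterion needs gcd(a, p) = 1")
    return pow(a, (p - 1) // 2, p) == 1
```

The verifier is what places Subset-Sum in NP: a YES answer comes with a certificate that anyone can check in linear time, while no polynomial-time search is known. For QRP the modulus matters: modulo a prime a single modular exponentiation settles the question, which is why cryptographic constructions built on QRP or SQROOT use a composite n whose factorization is kept secret.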

Zhijun Li S1034040Autumn08HIT 93

Semantic Security

• Ideas of Semantic Security
  – Between Shannon security and security based on complexity
  – Leaks partial information
  – Approximates perfect secrecy

• Definition of Semantic Security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

Game (Challenger vs. Adversary):
  – Challenger picks random k and picks random b ∈ {0, 1}
  – Adversary picks M0, M1 of equal length and receives the encryption of Mb
  – Adversary outputs a guess b'; the attacker wins the game if b = b'

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

Game (Challenger vs. Adversary):
  1. Challenger picks random k
  2. Challenger picks random M
  3. Adversary picks i, receives the encryption of M, and outputs a
  – Attacker wins the game if a = the i'th bit of M

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
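The games on slides 94–96 can be played out exhaustively on a toy cipher so that the win probabilities are exact. The following is an added Python example, not the lecture's code: two constructed 4-bit ciphers (a one-time pad and a deliberately leaky variant that transmits plaintext bit 0 in the clear), the bit-security game of slide 95, the IND-CPA game of slide 94, and the reduction of slide 96, in which an IND-CPA adversary B is built from a bit-security adversary A by choosing M0 and M1 that differ only in bit i (M0 is fixed at 0 to keep the enumeration simple). The names otp, leaky, bit_adversary and reduction_adversary are the example's own.

```python
"""Exact win probabilities in the IND-CPA game (slide 94) and the bit-security
game (slide 95) for two constructed 4-bit toy ciphers, plus the reduction of
slide 96 that wraps a bit-security adversary into an IND-CPA adversary.
Added example, not lecture code.  Probabilities are averaged over every key
and every challenger coin, so they are exact fractions.
"""
from fractions import Fraction
from itertools import product

NBITS = 4
KEYS = range(1 << NBITS)
MSGS = range(1 << NBITS)


def bit(x: int, i: int) -> int:
    return (x >> i) & 1


def otp(k: int, m: int) -> int:
    """One-time pad on 4-bit blocks; each key is used for exactly one challenge."""
    return k ^ m


def leaky(k: int, m: int) -> int:
    """Constructed weak cipher: an OTP whose key has bit 0 forced to 0,
    so bit 0 of the plaintext appears unchanged in the ciphertext."""
    return (k & ~1) ^ m


def bit_adversary(c: int, i: int) -> int:
    """Bit-security adversary A: guess bit i of M by reading bit i of the ciphertext."""
    return bit(c, i)


def bit_game_win_prob(enc, adversary, i: int) -> Fraction:
    """Slide 95: challenger picks random k and random M and sends e_k(M);
    A picks i and outputs a; A wins iff a is the i-th bit of M."""
    wins = sum(adversary(enc(k, m), i) == bit(m, i) for k in KEYS for m in MSGS)
    return Fraction(wins, len(KEYS) * len(MSGS))


def reduction_adversary(bit_adv, i: int):
    """Slide 96: turn a bit-security adversary into an IND-CPA adversary B.
    B chooses M0, M1 that differ only in bit i (here M0 = 0, M1 = 2^i),
    receives c = e_k(M_b), runs bit_adv on c to learn bit i of M_b, and
    that bit identifies b."""
    m0, m1 = 0, 1 << i

    def choose():
        return m0, m1

    def guess(c):
        a = bit_adv(c, i)
        return 0 if a == bit(m0, i) else 1

    return choose, guess


def indcpa_game_win_prob(enc, choose, guess) -> Fraction:
    """Slide 94: challenger picks random k and random b and returns c = e_k(M_b)
    for the adversary's M0, M1; the adversary outputs b' and wins iff b' = b."""
    m0, m1 = choose()
    wins = sum(guess(enc(k, m1 if b else m0)) == b for k, b in product(KEYS, (0, 1)))
    return Fraction(wins, 2 * len(KEYS))


def advantage(win_prob: Fraction) -> Fraction:
    """The epsilon in '(t, epsilon) secure': how far the win probability exceeds 1/2."""
    return win_prob - Fraction(1, 2)
```

For the leaky cipher A wins the bit game with probability 1 and the wrapped B wins the IND-CPA game with probability 1, so ε carries over unchanged, which is the content of the claim on slide 96; for the one-time pad both stay at exactly 1/2. Read from the defender's side, an IND-CPA proof rules out every such partial-information leak at once, which is why it, rather than "the key cannot be recovered", is the property to demand of an encryption mode.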

Zhijun Li S1034040Autumn08HIT 62

Example [Z2(x)]x3+x+1

bull S=01xx+1x2x2+1x2+xx2+x+1 bull p(x)=x3+x+1

bull For any f(x)Z2[x] f(x) mod p(x)S

bull Examplendash x4+1=xx3+1 mod p(x)=x(x+1)+1=x2+x+1

bull Note R[x]p(x) when p(x) is irreducible is the all polynomials in f(x)R[x] with deg f(x) lt deg p(x)

Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]x3+x+1 Properties

bull S is group over addition in Rndash 0 is e and the inverse of aS is a itselfndash Example (x2+1) + (x2+1) = 0

bull S is group over multiplication mod p(x)ndash 1 is e and the inverse of aS is existndash Example (x2+1)x = x3+x x+1+x mod x3+x+1 = 1 ndash Note Can use Extended Euclidean Algorithm to find

bull [Z2(x)]x3+x+1 is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

• Perfect Secrecy: key-length ≥ msg-length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography:
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example:
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Zhijun Li S1034040Autumn08HIT 81

Turing Machine

• Definition: A Turing Machine is δ: S × B → S × B × {l, r}
  – where S is the set of States, B the Characters (tape alphabet), l is shift left, r is shift right

(Figure: tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine)

Zhijun Li S1034040Autumn08HIT 82

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Zhijun Li S1034040Autumn08HIT 83

Problems and Algorithms

(Figure: a PROBLEM has INSTANCES; an ALGORITHM takes an instance as Input and produces the Output)

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (based on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF):
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
  – The complexity of a problem is much more difficult to establish
  – It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem

• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: A×B
  – NP – can be solved in polynomial time using an NDTM: δ: S × B → 2^(S × B × {l, r})
  – BPP – can be "solved" in polynomial time using a PTM: δ: S × B × {0, 1} → S × B × {l, r} (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

• NP ⊇ P: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark:
  – P Problem ⊆ NP Problem
  – NP Problem is "more difficult" from intuition

• NPC: The most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note:
  – Q2 is more complex than Q1
  – Denoted as Q1 ≤poly Q2

Zhijun Li S1034040Autumn08HIT 89

NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc

• Example:
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?

• How to prove a problem Q ∈ NPC:
  – SAT ≤poly Q

Zhijun Li S1034040Autumn08HIT 90

P=NP?

• P = NP, or ∃ p ∈ NP with p ∉ P?

• If P = NP
  – Modern cryptography is NOT secure

• If ∃ p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms

• Remarks on BPP:
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later
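Worked example of the remark that the error probability of a BPP algorithm can be reduced by repetition. This is an added illustration, not material from the slides: majority_error computes exactly, with rational arithmetic, the probability that a majority vote over an odd number of independent runs of a hypothetical decision algorithm is wrong, when each run is wrong with probability eps, and runs_needed searches for the number of runs that reaches a target error. The constants ONE_THIRD and ONE_HALF are sample values of ours.

```python
from fractions import Fraction
from math import comb

ONE_THIRD = Fraction(1, 3)   # sample per-run error of a hypothetical BPP algorithm
ONE_HALF = Fraction(1, 2)    # the boundary at which repetition stops helping

def majority_error(eps, runs):
    """Exact probability that a majority vote over `runs` independent runs of a
    randomized decision algorithm is wrong, when each run is wrong with
    probability `eps`.  `runs` must be odd so that a majority always exists."""
    if runs % 2 == 0:
        raise ValueError("use an odd number of runs to avoid ties")
    eps = Fraction(eps)
    # The vote errs iff more than half of the runs err:
    # P[X > runs/2] for X ~ Binomial(runs, eps).
    return sum(comb(runs, w) * eps ** w * (1 - eps) ** (runs - w)
               for w in range(runs // 2 + 1, runs + 1))

def runs_needed(eps, target):
    """Smallest odd number of runs whose majority error is at most `target`.
    Only terminates for eps < 1/2, which is exactly the BPP requirement."""
    eps, target = Fraction(eps), Fraction(target)
    if eps >= ONE_HALF:
        raise ValueError("per-run error must be bounded away from 1/2")
    runs = 1
    while majority_error(eps, runs) > target:
        runs += 2
    return runs

if __name__ == "__main__":
    for r in (1, 3, 5, 21, 101):
        print(f"{r:4d} runs -> error {float(majority_error(ONE_THIRD, r)):.6f}")
    print("runs for error <= 1/1000:", runs_needed(ONE_THIRD, Fraction(1, 1000)))
```

The eps = 1/2 case shows why the BPP definition needs the error to be bounded away from 1/2: with error exactly 1/2 the vote stays at 1/2 however many runs are taken, while for eps = 1/3 about a hundred runs already push the error below 1/100.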

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 p2^e2 … pk^ek)

• DLP: Find x satisfying x (mod p)

• DHP: Find ab (mod p) from a (mod p) and b (mod p)

• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: Decide whether a is a quadratic residue modulo n

• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Zhijun Li S1034040Autumn08HIT 93

Semantic Security

• Ideas of Semantic Security
  – Between Shannon security and security based on Complexity
  – Leaks partial information
  – Approximate perfect secrecy

• Definition of Semantic Security
  – Indistinguishability of Ciphertexts
  – Difficult to distinguish ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε

(Game, drawn as a figure on the slide)
Challenger: picks random k and picks random b ∈ {0, 1}
Adversary: picks M0, M1 of equal length
Attacker wins game if b = b'

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε

(Game, drawn as a figure on the slide)
Challenger: 1. Picks random k; 2. Picks random M
Adversary: 3. Picks i
Attacker wins game if a = i'th bit of M

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
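To make the IND-CPA game of the preceding slides concrete, here is an added simulation (not part of the course material) that plays the challenger/adversary game against two constructed toy ciphers: ReusedPad, which XORs every message with the same key bytes, and NonceStream, which prepends a fresh random nonce and derives its keystream with HMAC-SHA256 as the pseudorandom function. ReplayAdversary uses its chosen-plaintext oracle once. All class and function names are ours; the PRNG is seeded only so that the experiment is repeatable.

```python
import hashlib
import hmac
import random

# Constructed toy ciphers for playing the IND-CPA game of the slides.  Neither
# is the course's nor any standard's code; NonceStream is only a model.

class ReusedPad:
    """Deterministic: XOR the message with the same key bytes every time."""
    KEY_LEN = 16

    def keygen(self, rng):
        return bytes(rng.randrange(256) for _ in range(self.KEY_LEN))

    def encrypt(self, key, msg, rng):
        return bytes(m ^ k for m, k in zip(msg, key))


class NonceStream:
    """Randomized: fresh 16-byte nonce per call, keystream = HMAC-SHA256(key, nonce)
    used as the pseudorandom function, ciphertext = nonce || (msg XOR keystream)."""
    KEY_LEN = 32

    def keygen(self, rng):
        return bytes(rng.randrange(256) for _ in range(self.KEY_LEN))

    def encrypt(self, key, msg, rng):
        nonce = bytes(rng.randrange(256) for _ in range(16))
        stream = hmac.new(key, nonce, hashlib.sha256).digest()
        return nonce + bytes(m ^ s for m, s in zip(msg, stream))


class ReplayAdversary:
    """Re-encrypts M0 through the chosen-plaintext oracle and answers b' = 0
    if that equals the challenge, b' = 1 otherwise."""
    M0, M1 = b"attack at dawn!!", b"attack at dusk!!"   # equal length

    def choose(self):
        return self.M0, self.M1

    def guess(self, oracle, challenge):
        return 0 if oracle(self.M0) == challenge else 1


def ind_cpa_game(cipher, adversary, rng):
    """One round of the slide's game: the challenger picks k and b in {0,1};
    the adversary picks (M0, M1) of equal length, receives E_k(M_b) while
    keeping oracle access, and wins iff its guess b' equals b."""
    key = cipher.keygen(rng)
    b = rng.randrange(2)
    oracle = lambda m: cipher.encrypt(key, m, rng)
    m0, m1 = adversary.choose()
    if len(m0) != len(m1):
        raise ValueError("challenge messages must have equal length")
    challenge = cipher.encrypt(key, (m0, m1)[b], rng)
    return adversary.guess(oracle, challenge) == b


def win_rate(cipher, adversary, trials, seed=0):
    """Fraction of rounds the adversary wins.  Seeded PRNG for repeatability
    only; real key generation must use os.urandom."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_game(cipher, adversary, rng) for _ in range(trials))
    return wins / trials


def repeats_ciphertext(cipher, seed=0):
    """True if encrypting one message twice under one key gives the same bytes."""
    rng = random.Random(seed)
    key = cipher.keygen(rng)
    msg = b"same message 16B"
    return cipher.encrypt(key, msg, rng) == cipher.encrypt(key, msg, rng)


if __name__ == "__main__":
    print("ReusedPad   win rate:", win_rate(ReusedPad(), ReplayAdversary(), 500))
    print("NonceStream win rate:", win_rate(NonceStream(), ReplayAdversary(), 2000))
```

Against ReusedPad the adversary wins every round, so that cipher is not IND-CPA secure for any ε < 0.5; against NonceStream this particular adversary is reduced to guessing, which is evidence rather than proof of security, since the definition quantifies over all t-time adversaries.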

Zhijun Li S1034040Autumn08HIT 97

Summary

• Number Theory
  – Prime, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date:


Zhijun Li S1034040Autumn08HIT 63

[Z2(x)]/(x^3+x+1) Properties

• S is a group over addition in R
  – 0 is e, and the inverse of a ∈ S is a itself
  – Example: (x^2+1) + (x^2+1) = 0

• S is a group over multiplication mod p(x)
  – 1 is e, and the inverse of a ∈ S (a ≠ 0) exists
  – Example: (x^2+1)·x = x^3+x ≡ (x+1)+x mod (x^3+x+1) = 1
  – Note: Can use the Extended Euclidean Algorithm to find it

• [Z2(x)]/(x^3+x+1) is a Field

Zhijun Li S1034040Autumn08HIT 64

Galois Field

• Definition: Galois field = (S, +, ·)
  – S = F[x]/p(x)
  – F is the field Z_N (N is prime)
  – + is addition in F, · is multiplication modulo p(x)
  – p(x) is irreducible

• The Galois field over Z_N[x]/p(x) is denoted GF(N^n) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

• For an 8-bit Block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251 … 255 are wasted

• Is it possible to find a field for Z256?
  – Yes – Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

• Build a mapping from n-bit block to polynomials

• Example: 8-bit block
  10010111 ↔ 1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example: AES

• s in AES uses GF(2^8) = Z2[x]/p(x) where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Zhijun Li S1034040Autumn08HIT 68

Galois Field Example: AES

• Example: 02·87 = ?
  • 87 = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • 02 = 00000010 ↔ f(x) = x
  • 02·87 ↔ x·f(x) = x(x^7 + x^2 + x + 1) mod p(x) = x^8 + x(x^2 + x + 1) mod p(x)
    (and x^8 ≡ x^4 + x^3 + x + 1 = 00011011 mod p(x))

• In general, for a byte (b7 b6 b5 b4 b3 b2 b1 b0):
  x·f(x) (i.e. 02·f) = (b6 b5 b4 b3 b2 b1 b0 0)                if b7 = 0
                     = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)   if b7 = 1
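Added example (neither the slides' nor AES's own code) that carries out the arithmetic of the Galois field slides in code: polynomials over Z2 are stored as bit masks, gf_mul reduces a carry-less product modulo p(x), gf_inv is the Extended Euclidean Algorithm over Z2[x] that the [Z2(x)]/(x^3+x+1) slide points at, and xtime is the multiply-by-02 rule of the AES slide. The same routines serve both Z2[x]/(x^3+x+1) and AES's GF(2^8), so the inverse 11001010 of 01010011 and the product 02·87 can be checked directly. The function names and the two modulus constants are ours.

```python
def poly_deg(p):
    """Degree of a polynomial over Z2 stored as a bit mask (bit i <-> x^i)."""
    return p.bit_length() - 1

def poly_mul(a, b):
    """Carry-less product in Z2[x], not reduced."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a, b):
    """Long division in Z2[x]: returns (quotient, remainder) of a by b."""
    q = 0
    while a and poly_deg(a) >= poly_deg(b):
        shift = poly_deg(a) - poly_deg(b)
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def gf_mul(a, b, p):
    """Product in the field Z2[x]/p(x): multiply, then reduce modulo p(x)."""
    return poly_divmod(poly_mul(a, b), p)[1]

def gf_inv(a, p):
    """Inverse of a in Z2[x]/p(x) by the Extended Euclidean Algorithm (the
    method the slides point at).  p(x) must be irreducible and a != 0."""
    a = poly_divmod(a, p)[1]
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1 = p, a          # remainder sequence of Euclid's algorithm
    s0, s1 = 0, 1          # invariant: s_i * a == r_i (mod p)
    while r1 != 1:
        if r1 == 0:        # gcd(a, p) != 1, so p(x) was not irreducible
            raise ValueError("no inverse: p(x) is reducible")
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ poly_mul(q, s1)
    return poly_divmod(s1, p)[1]

def xtime(b):
    """AES multiply-by-02 rule on one byte: shift left, and XOR 00011011
    (p(x) without its x^8 term) when the dropped bit b7 was 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def poly_str(p):
    """Render a bit mask as a polynomial, e.g. 0b10010111 -> x^7+x^4+x^2+x+1."""
    terms = [("x^%d" % i if i > 1 else "x" if i == 1 else "1")
             for i in range(poly_deg(p), -1, -1) if p >> i & 1]
    return "+".join(terms) if terms else "0"

AES_POLY = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1, the AES modulus
GF8_POLY = 0b1011          # x^3 + x + 1, the modulus of the GF(2^3) slide

if __name__ == "__main__":
    print(poly_str(0b101), "*", poly_str(0b010), "=", gf_mul(0b101, 0b010, GF8_POLY))
    print("inverse of 01010011 in the AES field:", format(gf_inv(0x53, AES_POLY), "08b"))
    print("02 * 87 =", format(gf_mul(0x02, 0x87, AES_POLY), "02x"),
          " xtime(87) =", format(xtime(0x87), "02x"))
```

gf_inv is written for the general modulus so that its result can be cross-checked against gf_mul over the whole field: for every non-zero byte a, gf_mul(a, gf_inv(a, AES_POLY), AES_POLY) is 1, which is the field property the slides assert.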

Zhijun Li S1034040Autumn08HIT 69

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

• P = M^L = {m = (m1, m2, …, mL) | mi ∈ M}
  – M = {a_i, i = 1, 2, …, N}, p(a_i) ≥ 0, Σ_{i=1}^{N} p(a_i) = 1

• K = B^R = {b = (b1, b2, …, bR) | bi ∈ B}
  – B = {b_i, i = 1, 2, …, S}, p(b_i) ≥ 0, Σ_{i=1}^{S} p(b_i) = 1

• C = {c | c = e_k(m), k ∈ K, m ∈ M}

(Figure: Sender → Encryption (m → c) → Decryption → Receiver (m); the key k from the Key Space (K) reaches both ends over a Secure Channel; Cryptanalysis observes c; Message Space (P), Ciphertext Space (C))

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager

Claude Shannon, 1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

• Pr[C = c] = Σ_{k∈K, c∈C(k)} Pr[K = k] Pr[P = d_k(c)]
  – C(k) = {e_k(m) | m ∈ P}

• Pr[C = c | P = m] = Σ_{k∈K, m=d_k(c)} Pr[K = k]

• Pr[P = m | C = c]
  = Pr[C = c | P = m] Pr[P = m] / Pr[C = c]
  = (Pr(m) Σ_{k | m=d_k(c)} Pr(k)) / Σ_{k∈K, c∈C(k)} Pr(k) Pr(d_k(c))
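An added worked example (not part of the slides) that evaluates the formulas on this slide for a constructed shift cipher on letters 0..25 with exact rational arithmetic, and then tests Shannon's condition Pr[P=m|C=c] = Pr[P=m] from the Shannon Security slide: uniform keys on single letters pass (and satisfy the unique-key condition of the Perfect Secrecy Theorem), a biased key distribution fails, and one key reused over two letters fails, which is the key-reuse point of the Introduction of the Complexity slide. The function names and the distributions are ours.

```python
from fractions import Fraction

# Constructed cryptosystem: a shift cipher on letters 0..25 (messages are
# tuples of letters).  Names and distributions are ours, not the slides'.

def shift_encrypt(k, m):
    """e_k(m): add key k to every letter of m modulo 26."""
    return tuple((x + k) % 26 for x in m)

def pr_c_given_m(c, m, keys, enc):
    """Pr[C=c | P=m] = sum over keys k with e_k(m) = c of Pr[K=k]."""
    return sum((pk for k, pk in keys.items() if enc(k, m) == c), Fraction(0))

def pr_c(c, keys, msgs, enc):
    """Pr[C=c] = sum over m of Pr[P=m] Pr[C=c | P=m]; this equals the slide's
    sum over k with c in C(k) of Pr[K=k] Pr[P=d_k(c)], since d_k(c) is the
    unique m with e_k(m) = c."""
    return sum((pm * pr_c_given_m(c, m, keys, enc) for m, pm in msgs.items()),
               Fraction(0))

def pr_m_given_c(m, c, keys, msgs, enc):
    """Bayes, as on the slide: Pr[P=m|C=c] = Pr[C=c|P=m] Pr[P=m] / Pr[C=c]."""
    return pr_c_given_m(c, m, keys, enc) * msgs[m] / pr_c(c, keys, msgs, enc)

def is_perfectly_secret(keys, msgs, enc):
    """Shannon's condition: Pr[P=m|C=c] == Pr[P=m] for every m and every
    ciphertext c that can occur (Pr[C=c] > 0)."""
    ciphertexts = {enc(k, m) for k in keys for m in msgs}
    return all(pr_m_given_c(m, c, keys, msgs, enc) == pm
               for c in ciphertexts for m, pm in msgs.items())

def unique_key_per_pair(keys, plaintexts, enc):
    """Second condition of the Perfect Secrecy Theorem: for every x in P and
    y in C there is exactly one key k with e_k(x) = y."""
    ciphertexts = {enc(k, x) for k in keys for x in plaintexts}
    return all(sum(1 for k in keys if enc(k, x) == y) == 1
               for x in plaintexts for y in ciphertexts)

UNIFORM_KEYS = {k: Fraction(1, 26) for k in range(26)}
# Skewed key choice: key 0 half of the time, each of the other 25 keys 1/50.
BIASED_KEYS = {k: Fraction(1, 2) if k == 0 else Fraction(1, 50) for k in range(26)}
# Single-letter messages with a non-uniform distribution (letters a, b, t).
ONE_LETTER = {(0,): Fraction(1, 2), (1,): Fraction(1, 3), (19,): Fraction(1, 6)}
# Two-letter messages, both letters shifted by the same reused key.
TWO_LETTERS = {(0, 0): Fraction(1, 2), (0, 1): Fraction(1, 2)}
ALPHABET = [(x,) for x in range(26)]

if __name__ == "__main__":
    print("uniform keys, one letter :", is_perfectly_secret(UNIFORM_KEYS, ONE_LETTER, shift_encrypt))
    print("biased keys, one letter  :", is_perfectly_secret(BIASED_KEYS, ONE_LETTER, shift_encrypt))
    print("uniform keys, two letters:", is_perfectly_secret(UNIFORM_KEYS, TWO_LETTERS, shift_encrypt))
    print("unique key per (x, y)    :", unique_key_per_pair(UNIFORM_KEYS, ALPHABET, shift_encrypt))
```

With the biased keys, seeing c = (0,) raises the posterior of m = (0,) from 1/2 to 25/26, and with the reused key, seeing c = (0, 0) identifies m = (0, 0) with certainty: both are the leakage that perfect secrecy forbids and that the |K| ≥ n bound and the key-reuse warning describe.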

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 64

Galois Field

bull Definition Galois field = (S + ) ndash S = F[x]p(x) ndash F is field ZN (N is prime)ndash + is addition in F is multiplication modulo p(x)ndash p(x) is irreducible

bull The Galois field over ZN[x]p(x) is denoted as GF(Nn) when n = deg p(x)

Zhijun Li S1034040Autumn08HIT 65

Why Galois Field

bull For a 8-bit Block

ndash Z256 =01hellip255 is not a field

ndash Z251 =01hellip250 is a fieldbull The largest prime lt 256 is 251bull 251hellip255 are wasted

bull Is that possible to find a field for Z256

ndash Yes ndash Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date


Why Galois Field

• For an 8-bit block
  – Z256 = {0, 1, …, 255} is not a field
  – Z251 = {0, 1, …, 250} is a field
    • The largest prime < 256 is 251
    • 251, …, 255 are wasted

• Is it possible to find a field for Z256?
  – Yes – Galois Field

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

• Build a mapping from n-bit block to polynomials
• Example: 8-bit block

  10010111  ↔  1·x^7 + 0·x^6 + 0·x^5 + 1·x^4 + 0·x^3 + 1·x^2 + 1·x^1 + 1·x^0

• It is Z2[x]/p(x) where deg p(x) = 8

• Note: many cryptographic designs use binary Galois fields GF(2^n)

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example: AES

• …s in AES uses GF(2^8) = Z2[x]/p(x), where p(x) = x^8 + x^4 + x^3 + x + 1

• Example
  – 01010011 ↔ x^6 + x^4 + x + 1
  – (01010011)^-1 ↔ (x^6 + x^4 + x + 1)^-1 mod p(x) = x^7 + x^6 + x^3 + x ↔ 11001010

Zhijun Li S1034040Autumn08HIT 68

Galois Field Example: AES

• Example: {02}·{87} = ?
  • {87} = 10000111 ↔ f(x) = x^7 + x^2 + x + 1
  • {02} = 00000010 ↔ f(x) = x
  • {02}·{87} ↔ x·f(x) = x·(x^7 + x^2 + x + 1) mod p(x)
                       = x^8 + x·(x^2 + x + 1) mod p(x)

• In general x·f(x), i.e. {02}·f, is computed as:
    (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
    (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)    if b7 = 1

Zhijun Li S1034040Autumn08HIT 69
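As an added example (not code from the lecture slides), the Python below implements the byte-to-polynomial mapping, the two-case {02}·f rule, general multiplication and inversion in GF(2^8) = Z2[x]/p(x) with the AES polynomial, and reproduces the slide values (01010011)^-1 = 11001010 and {02}·{87}; the inverse is computed as a^254 rather than by the slide's (unstated) method. Function names are my own.

```python
# Added example (not from the lecture slides): GF(2^8) = Z2[x]/p(x) with the AES
# polynomial p(x) = x^8 + x^4 + x^3 + x + 1. Bit j of a byte is the coefficient
# of x^j, exactly as in the slide's 8-bit block mapping. Function names are my own.

P_X = 0x11B  # x^8 + x^4 + x^3 + x + 1  ->  1 0001 1011 in binary


def byte_to_poly(f: int) -> str:
    """Render a byte as the polynomial the slide maps it to, e.g. 0x97 -> x^7 + x^4 + x^2 + x + 1."""
    terms = [{0: "1", 1: "x"}.get(j, f"x^{j}") for j in range(7, -1, -1) if (f >> j) & 1]
    return " + ".join(terms) if terms else "0"


def xtime(f: int) -> int:
    """{02}.f(x): shift left; if b7 was set an x^8 term appears, so XOR with 00011011
    (x^8 = x^4 + x^3 + x + 1 mod p(x)). This is the slide's two-case rule."""
    f <<= 1
    if f & 0x100:
        f ^= P_X
    return f & 0xFF


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements: shift-and-add, each shift being one xtime."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in GF(2^8)."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse: the nonzero elements form a group of order 255,
    so a^255 = 1 and a^-1 = a^254. Zero has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    return gf_pow(a, 254)


if __name__ == "__main__":
    # Slide values: (01010011)^-1 = 11001010, and {02}.{87} = x.(x^7+x^2+x+1) mod p(x)
    inv = gf_inv(0b01010011)
    print(byte_to_poly(0b01010011), "^-1 =", byte_to_poly(inv), "=", format(inv, "08b"))
    print("{02}.{87} =", format(gf_mul(0x02, 0x87), "08b"), "=", byte_to_poly(gf_mul(0x02, 0x87)))
```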

Outline

• Number Theory
  – Prime Numbers
  – Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
  – Information Theory
  – Complexity of Computing
  – Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

• $P = M^L = \{\, m = (m_1, m_2, \ldots, m_L) \mid m_i \in M \,\}$
  – $M = \{ a_i,\ i = 1, 2, \ldots, N \}$, $p(a_i) \ge 0$, $\sum_{i=1}^{N} p(a_i) = 1$

• $K = B^R = \{\, b = (b_1, b_2, \ldots, b_R) \mid b_i \in B \,\}$
  – $B = \{ b_i,\ i = 1, 2, \ldots, S \}$, $p(b_i) \ge 0$, $\sum_{i=1}^{S} p(b_i) = 1$

• $C = \{\, c \mid c = e_k(m),\ k \in K,\ m \in M \,\}$

[Figure: Sender → Encryption → c → Decryption → Receiver, with m as input and output; key k delivered over a Secure Channel; Cryptanalysis observes c and tries to recover m; Key Space (K), Message Space (P), Ciphertext Space (C)]

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
R. G. Gallager

Claude Shannon, 1916–2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\ c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]$
  – $C(k) = \{ e_k(m) \mid m \in P \}$

• $\Pr[C = c \mid P = m] = \sum_{k \in K,\ m = d_k(c)} \Pr[K = k]$

• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \cdot \Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m) \sum_{k \mid m = d_k(c)} \Pr(k)}{\sum_{k \in K,\ c \in C(k)} \Pr(k) \Pr(d_k(c))}$

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

• Basic Idea: Ciphertext should provide no "information" about Plaintext
  – How to define the "information"?

• Definition: An encryption scheme is Shannon secure if, for the probability distribution of P,
  $\forall c\ \forall m:\ \Pr[P = m] = \Pr[P = m \mid C = c]$
• Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and $\forall x \in P$ and $\forall y \in C$ there is a unique key k such that $e_k(x) = y$

Zhijun Li S1034040Autumn08HIT 75

Proof of the "if" direction

• $\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \dfrac{\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] \Pr[\mathbf{x} = x]}{\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \Pr[\mathbf{x} = d_k(y)]}$

• Numerator: $\sum_{k \in K,\ x = d_k(y)} \Pr[K = k] = \dfrac{1}{|K|}$ (exactly one key maps x to y, and every key has probability 1/|K|)

• Denominator: $\sum_{k \in K,\ y \in C(k)} \Pr[K = k] \Pr[\mathbf{x} = d_k(y)] = \dfrac{1}{|K|} \sum_{k \in K,\ y \in C(k)} \Pr[\mathbf{x} = d_k(y)] = \dfrac{1}{|K|} \sum_{x \in P} \Pr[\mathbf{x} = x] = \dfrac{1}{|K|}$

• Hence $\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \Pr[\mathbf{x} = x]$

Zhijun Li S1034040Autumn08HIT 76

Proof of the "only if" direction

• $\Pr[y] > 0$
• $\Pr[x \mid y] = \Pr[x]$, hence $\Pr[y \mid x] = \Pr[y]$

• For fixed $x \in P$, $y \in C$ we have $\Pr[y \mid x] = \Pr[y] > 0$, thus there exists at least one k that satisfies $e_k(x) = y$

• $|\{ e_k(x) \mid k \in K \}| = |C| = |K|$
  – There are no $k_1 \ne k_2$ with $e_{k_1}(x) = e_{k_2}(x)$
  – So there is a unique key k such that $e_k(x) = y$

Zhijun Li S1034040Autumn08HIT 77

Proof of the "only if" direction (continued)

• Let $n = |K|$ and $P = \{ x_i \mid 1 \le i \le n \}$

• Given a fixed y, let $k_1, k_2, \ldots, k_n$ be the keys with $e_{k_i}(x_i) = y$

• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i] \Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i] \Pr[x_i]}{\Pr[y]}$

• $\Pr[x_i \mid y] = \Pr[x_i]$ gives $\Pr[K = k_i] = \Pr[y]$ for every i
  – Every key is used with equal probability 1/|K|

Zhijun Li S1034040Autumn08HIT 78

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a nonzero probability distribution on P
  – Given any C = c, for every m, Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79
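As an added example (not code from the lecture slides), the Python below evaluates the formulas for Pr[C=c], Pr[C=c|P=m] and Pr[P=m|C=c] exactly with fractions and tests the perfect-secrecy condition on a constructed shift cipher over Z5: a uniform key gives perfect secrecy for any plaintext distribution, a skewed key distribution breaks it, and reusing one key for a two-letter message (|K| = 5 < |P| = 25) breaks it as the "bad news" theorem predicts. The cipher, the distributions and all function names are my own assumptions.

```python
# Added example (not from the lecture slides): evaluating Shannon's perfect-secrecy
# condition Pr[P=m | C=c] = Pr[P=m] exactly, using the formulas from the slides,
# on a constructed shift cipher over Z_5. Cipher, distributions and names are my own.
from fractions import Fraction
from itertools import product
from typing import Callable, Dict, Hashable

Dist = Dict[Hashable, Fraction]                    # probability distribution over a finite set
Enc = Callable[[Hashable, Hashable], Hashable]     # e_k(m)


def pr_c(enc: Enc, p_dist: Dist, k_dist: Dist, c) -> Fraction:
    """Pr[C=c] = sum over (k, m) with e_k(m) = c of Pr[K=k] * Pr[P=m]."""
    return sum((k_dist[k] * p_dist[m] for k in k_dist for m in p_dist if enc(k, m) == c),
               Fraction(0))


def pr_c_given_m(enc: Enc, k_dist: Dist, m, c) -> Fraction:
    """Pr[C=c | P=m] = sum over k with e_k(m) = c of Pr[K=k]."""
    return sum((k_dist[k] for k in k_dist if enc(k, m) == c), Fraction(0))


def pr_m_given_c(enc: Enc, p_dist: Dist, k_dist: Dist, m, c) -> Fraction:
    """Bayes: Pr[P=m | C=c] = Pr[C=c | P=m] Pr[P=m] / Pr[C=c]."""
    return pr_c_given_m(enc, k_dist, m, c) * p_dist[m] / pr_c(enc, p_dist, k_dist, c)


def is_perfectly_secret(enc: Enc, p_dist: Dist, k_dist: Dist) -> bool:
    """Shannon security: for every reachable c and every m, Pr[P=m | C=c] == Pr[P=m]."""
    cspace = {enc(k, m) for k in k_dist for m in p_dist}
    return all(pr_m_given_c(enc, p_dist, k_dist, m, c) == p_dist[m]
               for c in cspace if pr_c(enc, p_dist, k_dist, c) > 0
               for m in p_dist)


def enough_keys(p_dist: Dist, k_dist: Dist) -> bool:
    """Necessary condition from the 'bad news' theorem: |K| >= number of messages with Pr > 0."""
    return len(k_dist) >= sum(1 for m in p_dist if p_dist[m] > 0)


N = 5  # constructed toy alphabet Z_5


def shift(k, m):
    """Single-letter shift cipher: e_k(m) = m + k mod N."""
    return (m + k) % N


def shift_pair(k, m):
    """The same key reused on a two-letter message, so |K| = 5 but |P| = 25."""
    return ((m[0] + k) % N, (m[1] + k) % N)


def uniform(items) -> Dist:
    items = list(items)
    return {x: Fraction(1, len(items)) for x in items}


UNIFORM_KEY = uniform(range(N))
SKEWED_KEY = {0: Fraction(1, 2), **{k: Fraction(1, 8) for k in range(1, N)}}  # 1/2 + 4/8 = 1
LETTERS = {0: Fraction(2, 5), 1: Fraction(1, 5), 2: Fraction(1, 5),
           3: Fraction(1, 10), 4: Fraction(1, 10)}                          # non-uniform plaintexts
PAIRS = uniform(product(range(N), repeat=2))

if __name__ == "__main__":
    print("uniform key, one letter: ", is_perfectly_secret(shift, LETTERS, UNIFORM_KEY))
    print("skewed key, one letter:  ", is_perfectly_secret(shift, LETTERS, SKEWED_KEY),
          "e.g. Pr[P=0|C=0] =", pr_m_given_c(shift, LETTERS, SKEWED_KEY, 0, 0))
    print("uniform key, two letters:", is_perfectly_secret(shift_pair, PAIRS, UNIFORM_KEY),
          "(enough keys?", enough_keys(PAIRS, UNIFORM_KEY), ")")
```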

Introduction of the Complexity

• Perfect Secrecy: key-length ≥ msg-length
  – Can NOT use one key to encrypt many messages
  – Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
  – NOT perfect secrecy
  – IS secure under limited resources (complexity)
  – Means that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: Two natural numbers a, b ∈ N
  – Question: What is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Zhijun Li S1034040Autumn08HIT 81

Turing Machine

• Definition: A Turing Machine is given by a transition function S × B → S × B × {l, r}
  – where S is the set of states, B is the set of characters, l is shift left and r is shift right

[Figure: tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]

Zhijun Li S1034040Autumn08HIT 82

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Zhijun Li S1034040Autumn08HIT 83

Problems and Algorithms

[Figure: PROBLEM → INSTANCES → Input → ALGORITHM → Output]

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n), a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

• Undecidable – provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem

• Decidable
  – P – can be solved in polynomial time using a DTM
    • Example: A B
  – NP – can be solved in polynomial time using an NDTM: S × B → 2^S
  – BPP – can be "solved" in polynomial time using a PTM: S × B × {0, 1} → S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

• NP ⊇ P: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P problems ⊆ NP problems
  – NP problems are, intuitively, "more difficult"

• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and I1+ and I2+ are their sets of 'yes' instances.
  Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
  – Q2 is more complex than Q1
  – Denoted as Q1 ≤poly Q2

Zhijun Li S1034040Autumn08HIT 89

NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: A set U of variables and a collection C of clauses over U
  – Question: Is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC
  – SAT ≤poly Q

Zhijun Li S1034040Autumn08HIT 90

P = NP?

• Either P = NP, or there exists p ∈ NP with p ∉ P

• If P = NP
  – Modern cryptography is NOT secure

• If there exists p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – They are the foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

• There are random algorithms in cryptography
  – Especially in cryptanalysis
  – BPP is the model for random algorithms

• Remarks on BPP
  – The problem can be solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful under BPP
  – Will be analyzed in depth later

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)

• DLP: Given a generator g and y, find x satisfying g^x ≡ y (mod p)

• DHP: Find g^(ab) (mod p) from g^a (mod p) and g^b (mod p)

• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: Decide whether a is a quadratic residue modulo n

• SQROOT: Find x satisfying x^2 ≡ a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 66

Galois Field for Z256

bull Build a mapping from n-bit block to polynomialsbull Example 8-bit block

bull It is Z2[x]p(x) where deg p(x) = 8

bull Note many cryptographic designs use binary Galois fields GF(2n)

10010111

1x7+0x6+0x5+1x4+0x3+1x2+1x1+1x0

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 67

Galois Field Example AES

s in AES uses GF(28) = Z2[x]p(x) where p(x) = x8 + x4 + x3 + x + 1

bull Examplendash 01010011 x6+x4+x+1ndash (01010011)-1 (x6+x4+x+1)-1 mod p(x) = x7+x6

+x3+x 11001010

Zhijun Li S1034040Autumn08HIT 68

bull Examplebull 0287= bull 87 = 10000111 f(x) = x7+x2+x+1bull 02 = 00000010 f(x) = xbull 0287 xf(x) = x(x7+x2+x+1) mod p(x)

= x8 + x(x2+x+1) mod p(x)

(b6b5b4b3b2b1b00)(00011011)

xf(x) 02= (b6b5b4b3b2b1b00)

(b6b5b4b3b2b1b00) (00011011)

if b7=0

if b7=1

Galois Field Example AES

Zhijun Li S1034040Autumn08HIT 69

Outline

bull Number Theoryndash Prime Numbersndash Modular Arithmetic

bull Algebraic Structures in Computing

bull Security Foundations of Cryptographyndash Information Theory ndash Complexity of Computingndash Semantic Security

Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

BPP

• There are randomized algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for randomized algorithms

• Remarks on BPP
– The problem can be solved with a bounded error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful under BPP
– Will be analyzed in depth later

Problems in Cryptography

• FACTORING: Factorize $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$

• DLP: Find x satisfying $\alpha^{x} \equiv \beta \pmod p$

• DHP: Find $\alpha^{ab} \bmod p$ from $\alpha^{a} \bmod p$ and $\alpha^{b} \bmod p$

• Subset-Sum: Given a set of positive integers $A = \{a_1, a_2, \ldots, a_n\}$ and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: Decide whether a is a quadratic residue modulo n

• SQROOT: Find x satisfying $x^2 \equiv a \pmod n$

Semantic Security

• Ideas of Semantic Security
– Between Shannon security and security based on complexity
– May leak partial information
– Approximates perfect secrecy

• Definition of Semantic Security
– Indistinguishability of ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is $(t, \epsilon)$ IND-CPA secure if no t-time adversary wins the following game with probability $\ge 0.5 + \epsilon$

Game between Challenger and Adversary:
– Challenger picks a random key k and a random bit $b \in \{0,1\}$
– Adversary picks $M_0$, $M_1$ of equal length and sends them to the Challenger
– Challenger returns the challenge ciphertext $C = e_k(M_b)$
– Adversary outputs a guess $b'$
– Attacker wins the game if $b = b'$

Bit Secure

• A cipher is $(t, \epsilon)$ bit secure if no t-time adversary wins the following game with probability $\ge 0.5 + \epsilon$

Game between Challenger and Adversary:
1. Challenger picks a random key k
2. Challenger picks a random message M
3. Adversary picks a bit position i
4. Challenger returns $C = e_k(M)$; Adversary outputs a guess a
– Attacker wins the game if a = the i'th bit of M

Semantic Security

• Any cipher that is $(t, \epsilon)$ IND-CPA secure against eavesdroppers is also $(t, \epsilon)$ bit secure

• Proof: Given a $(t, \epsilon)$ attacker against bit security, build a $(t, \epsilon)$ attacker against IND-CPA security
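Both games above and the reduction in this proof, as an added example that is not code from the lecture: the two pad ciphers, the low-bit adversary and the 4-byte message length are constructed for the example, and the IND-CPA game is played with a single challenge (the eavesdropper setting the theorem names). A bit-security adversary that always wins against the leaky pad is turned, by the reduction, into an IND-CPA adversary that always wins; against a proper one-time pad both win only about half the time.

```python
# Added example (not from the lecture slides): the bit-security game, the
# IND-CPA game, and the reduction from a bit adversary to an IND-CPA adversary.
import random

MSG_LEN = 4   # message length in bytes (constructed parameter)


def get_bit(msg: bytes, i: int) -> int:
    return (msg[i // 8] >> (i % 8)) & 1


def flip_bit(msg: bytes, i: int) -> bytes:
    m = bytearray(msg)
    m[i // 8] ^= 1 << (i % 8)
    return bytes(m)


# --- two toy ciphers (constructed for this example) -------------------------
def one_time_pad_encrypt(msg: bytes, rng: random.Random) -> bytes:
    """Fresh random pad for the single encryption in the game: leaks nothing."""
    key = rng.randbytes(len(msg))
    return bytes(a ^ b for a, b in zip(msg, key))


def leaky_pad_encrypt(msg: bytes, rng: random.Random) -> bytes:
    """Same pad, but the low bit of the first key byte is always 0, so bit 0
    of the plaintext shows through in bit 0 of the ciphertext."""
    key = bytearray(rng.randbytes(len(msg)))
    key[0] &= 0xFE
    return bytes(a ^ b for a, b in zip(msg, key))


# --- bit-security game (slide "Bit Secure") --------------------------------
class LowBitAdversary:
    """Asks for bit i = 0 and answers with bit 0 of the ciphertext."""
    def choose_index(self) -> int:
        return 0

    def guess_bit(self, ciphertext: bytes) -> int:
        return get_bit(ciphertext, 0)


def play_bit_game(encrypt, adversary, rng: random.Random) -> bool:
    msg = rng.randbytes(MSG_LEN)           # challenger: random M (k is drawn inside encrypt)
    i = adversary.choose_index()           # adversary picks i
    c = encrypt(msg, rng)                  # challenger returns C = e_k(M)
    return adversary.guess_bit(c) == get_bit(msg, i)   # wins if a == i'th bit of M


# --- IND-CPA game (slide "IND-CPA") ---------------------------------------
class ReductionAdversary:
    """IND-CPA adversary built from a bit-security adversary, as in the proof:
    M0 is random and M1 = M0 with bit i flipped, so the i'th bit of M_b
    reveals b; the bit adversary's answer a then decides the guess b'."""
    def __init__(self, bit_adversary, rng: random.Random):
        self.bit_adv, self.rng = bit_adversary, rng

    def choose_messages(self):
        self.i = self.bit_adv.choose_index()
        self.m0 = self.rng.randbytes(MSG_LEN)
        return self.m0, flip_bit(self.m0, self.i)   # equal length, differ only in bit i

    def guess(self, ciphertext: bytes) -> int:
        a = self.bit_adv.guess_bit(ciphertext)
        return 0 if a == get_bit(self.m0, self.i) else 1


def play_ind_cpa(encrypt, adversary, rng: random.Random) -> bool:
    b = rng.randrange(2)                   # challenger picks random b in {0,1}
    m0, m1 = adversary.choose_messages()   # adversary picks M0, M1
    c = encrypt(m1 if b else m0, rng)      # challenge ciphertext C = e_k(M_b)
    return adversary.guess(c) == b         # wins if b == b'


def win_rate(play, encrypt, make_adversary, trials=2000, seed=7) -> float:
    """Fraction of games won; seeded so the run is reproducible."""
    rng = random.Random(seed)
    wins = sum(play(encrypt, make_adversary(rng), rng) for _ in range(trials))
    return wins / trials


def make_bit_adversary(rng):
    return LowBitAdversary()


def make_reduction_adversary(rng):
    return ReductionAdversary(LowBitAdversary(), rng)


if __name__ == "__main__":
    print("bit game, leaky pad:", win_rate(play_bit_game, leaky_pad_encrypt, make_bit_adversary))       # 1.0
    print("IND-CPA, leaky pad:", win_rate(play_ind_cpa, leaky_pad_encrypt, make_reduction_adversary))  # 1.0
    print("bit game, OTP:", win_rate(play_bit_game, one_time_pad_encrypt, make_bit_adversary))          # ~0.5
    print("IND-CPA, OTP:", win_rate(play_ind_cpa, one_time_pad_encrypt, make_reduction_adversary))     # ~0.5
```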

Summary

• Number Theory
– Primes, gcd, Euler's Theorem, CRT
– Modular arithmetic

• Algebraic Structures
– Group, Field
– $Z_n$, $Z_p$, $GF(2^n)$

• Shannon Security
– Perfect secrecy
– Probability

• Complexity of Computing
– P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date


Galois Field Example: AES

• Example: 02 · 87 in $GF(2^8)$ with the AES modulus $p(x) = x^8 + x^4 + x^3 + x + 1$
– 87 = 10000111, i.e. $f(x) = x^7 + x^2 + x + 1$
– 02 = 00000010, i.e. $f(x) = x$
– 02 · 87 corresponds to $x \cdot f(x) = x(x^7 + x^2 + x + 1) \bmod p(x) = x^8 + x(x^2 + x + 1) \bmod p(x)$

• In general, multiplying a byte $(b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0)$ by 02 (the xtime operation):
– $02 \cdot (b_7 \ldots b_0) = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0)$ if $b_7 = 0$
– $02 \cdot (b_7 \ldots b_0) = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus (00011011)$ if $b_7 = 1$
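The xtime rule on this slide as an added example, not code from the lecture: it implements 02 · b in $GF(2^8)$ exactly as the slide states it, generalises it to multiplication of arbitrary bytes and to inversion (the operation behind the AES S-box), and checks the slide's 02 · 87 case. The 0x1B constant is the slide's 00011011; the 57 · 83 = C1 and 53⁻¹ = CA check values are assumed from the AES standard (FIPS-197).

```python
# Added example (not from the lecture slides): AES GF(2^8) arithmetic.
# Bytes are polynomials over GF(2) modulo p(x) = x^8 + x^4 + x^3 + x + 1.
# Reducing x^8 mod p(x) gives x^4 + x^3 + x + 1 = 0x1B, the slide's 00011011.

REDUCE = 0x1B    # x^8 mod p(x), binary 00011011


def xtime(b: int) -> int:
    """Multiply the byte b by 02 (i.e. by x) in GF(2^8), as on the slide:
    shift left by one; if the old high bit b7 was set, the shifted-out
    x^8 term is replaced by x^8 mod p(x), i.e. XOR with 0x1B."""
    if not 0 <= b <= 0xFF:
        raise ValueError("byte expected")
    shifted = (b << 1) & 0xFF            # (b6 b5 b4 b3 b2 b1 b0 0)
    return shifted ^ REDUCE if b & 0x80 else shifted


def gf_mul(a: int, b: int) -> int:
    """General multiplication in GF(2^8) by repeated xtime: add (XOR)
    a * x^i for every bit i set in b. Generalises the slide's 02 * 87."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        a = xtime(a)
        b >>= 1
    return product


def poly_str(b: int) -> str:
    """Render a byte as the polynomial the slide writes, e.g. 0x87 -> 'x^7 + x^2 + x + 1'."""
    terms = []
    for i in range(7, -1, -1):
        if (b >> i) & 1:
            terms.append({0: "1", 1: "x"}.get(i, f"x^{i}"))
    return " + ".join(terms) if terms else "0"


def gf_inverse(a: int) -> int:
    """Multiplicative inverse in GF(2^8), found by trying the 255 non-zero
    elements (the field is small enough); this is the S-box's first step."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    for candidate in range(1, 256):
        if gf_mul(a, candidate) == 1:
            return candidate
    raise AssertionError("unreachable: every non-zero element has an inverse")


if __name__ == "__main__":
    # The slide's example: 0x87 = 10000111 has b7 = 1, so
    # (00001110) XOR (00011011) = 00010101 = 0x15.
    print(f"87 = {poly_str(0x87)}")
    print(f"02 * 87 = {gf_mul(0x02, 0x87):#04x}")   # 0x15
    print(f"57 * 83 = {gf_mul(0x57, 0x83):#04x}")   # 0xc1 (FIPS-197 check value)
    print(f"inverse of 53 = {gf_inverse(0x53):#04x}")  # 0xca (FIPS-197 check value)
```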

Outline

• Number Theory
– Prime Numbers
– Modular Arithmetic

• Algebraic Structures in Computing

• Security Foundations of Cryptography
– Information Theory
– Complexity of Computing
– Semantic Security

Mathematical Model for Ciphers

• Message space $P = M^{L} = \{ m = (m_1, m_2, \ldots, m_L) \mid m_i \in M \}$
– $M = \{ a_i,\ i = 1, 2, \ldots, N \}$ with $p(a_i) \ge 0$ and $\sum_{i=1}^{N} p(a_i) = 1$

• Key space $K = B^{R} = \{ b = (b_1, b_2, \ldots, b_R) \mid b_i \in B \}$
– $B = \{ b_i,\ i = 1, 2, \ldots, S \}$ with $p(b_i) \ge 0$ and $\sum_{i=1}^{S} p(b_i) = 1$

• Ciphertext space $C = \{ c \mid c = e_k(m),\ k \in K,\ m \in P \}$

[Diagram: Sender → Encryption (with key k from the Key Space K) → ciphertext c → Decryption → Receiver (message m); the key is delivered over a Secure Channel; Cryptanalysis observes c. The three spaces are the Key Space (K), the Message Space (P) and the Ciphertext Space (C).]

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."
– R. G. Gallager

Claude Shannon, 1916-2001

Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\; c \in C(k)} \Pr[K = k] \cdot \Pr[P = d_k(c)]$
– $C(k) = \{ e_k(m) \mid m \in P \}$

• $\Pr[C = c \mid P = m] = \sum_{k \in K,\; m = d_k(c)} \Pr[K = k]$

• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m] \cdot \Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m) \cdot \sum_{k \in K,\; m = d_k(c)} \Pr(k)}{\sum_{k \in K,\; c \in C(k)} \Pr(k) \cdot \Pr(d_k(c))}$

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
– How to define the "information"?

• Definition: An encryption scheme is Shannon secure if the probability distribution of P is unchanged by observing the ciphertext: $\forall c\ \forall m:\ \Pr[P = m] = \Pr[P = m \mid C = c]$
• Such a scheme is also said to have perfect secrecy

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
– every key is used with equal probability 1/|K|
– and for every $x \in P$ and every $y \in C$ there is a unique key k such that $e_k(x) = y$

Proof of "⇐" (the two conditions imply perfect secrecy)

• $\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \dfrac{\sum_{k \in K,\; x = d_k(y)} \Pr[K = k] \cdot \Pr[\mathbf{x} = x]}{\sum_{k \in K,\; y \in C(k)} \Pr[K = k] \cdot \Pr[\mathbf{x} = d_k(y)]}$

• Numerator: by the unique-key condition and equiprobable keys, $\sum_{k \in K,\; x = d_k(y)} \Pr[K = k] = \dfrac{1}{|K|}$

• Denominator: $\sum_{k \in K,\; y \in C(k)} \Pr[K = k] \cdot \Pr[\mathbf{x} = d_k(y)] = \dfrac{1}{|K|} \sum_{k \in K,\; y \in C(k)} \Pr[\mathbf{x} = d_k(y)] = \dfrac{1}{|K|} \sum_{x \in P} \Pr[\mathbf{x} = x] = \dfrac{1}{|K|}$

• Hence $\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \Pr[\mathbf{x} = x]$

Proof of "⇒", part 1 (perfect secrecy implies a unique key for every (x, y))

• Assume $\Pr[y] > 0$ for every $y \in C$
• $\Pr[x \mid y] = \Pr[x] \Rightarrow \Pr[y \mid x] = \Pr[y]$

• Fix $x \in P$ and $y \in C$; we have $\Pr[y \mid x] = \Pr[y] > 0$, thus there exists at least one key k that satisfies $e_k(x) = y$

• $|\{ e_k(x) \mid k \in K \}| = |C| = |K|$
– There are no $k_1 \ne k_2$ with $e_{k_1}(x) = e_{k_2}(x)$
– Hence there is a unique key k such that $e_k(x) = y$

Proof of "⇒", part 2 (perfect secrecy implies equiprobable keys)

• Let $n = |K|$ and $P = \{ x_i \mid 1 \le i \le n \}$

• Given a fixed y, let $k_1, k_2, \ldots, k_n$ be the keys with $e_{k_i}(x_i) = y$

• $\Pr[x_i \mid y] = \dfrac{\Pr[y \mid x_i] \cdot \Pr[x_i]}{\Pr[y]} = \dfrac{\Pr[K = k_i] \cdot \Pr[x_i]}{\Pr[y]}$

• $\Pr[x_i \mid y] = \Pr[x_i] \Rightarrow \Pr[K = k_i] = \Pr[y]$ for every i
– Every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: Let the plaintext space P have size n; then any cipher with perfect secrecy has $|K| \ge n$

• Proof
– Consider a probability distribution on P that is nonzero for every plaintext
– Given any ciphertext C = c, for every m: $\Pr[P = m \mid C = c] = \Pr[P = m] > 0$, thus there must exist a key that decrypts c into m
– As one key decrypts c into only one message, at least n keys are needed
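The formulas on the "Probability Distribution of C" slide, Shannon's definition, the two conditions of the Perfect Secrecy Theorem and the bound just proved, computed exhaustively for a toy shift cipher as an added example that is not code from the lecture. The cipher $e_k(m) = (m + k) \bmod 26$ on a single letter, the skewed plaintext distribution, the biased key distribution and the 13-key space are all constructed inputs; exact rational arithmetic makes the equality test in the definition meaningful.

```python
# Added example (not from the lecture slides): checking perfect secrecy for a
# small cryptosystem (P, C, K, E, D) with the lecture's formulas.
from fractions import Fraction
from itertools import product


def ciphertext_distribution(P, K, enc, pr_p, pr_k):
    """Pr[C = c] = sum over k in K and c in C(k) of Pr[K = k] * Pr[P = d_k(c)].
    Enumerating all (m, k) pairs gives the same sum without needing d_k."""
    dist = {}
    for m, k in product(P, K):
        c = enc(k, m)
        dist[c] = dist.get(c, Fraction(0)) + pr_k[k] * pr_p[m]
    return dist


def posterior(P, K, enc, pr_p, pr_k, m, c, pr_c_dist=None):
    """Pr[P = m | C = c] = Pr[C = c | P = m] * Pr[P = m] / Pr[C = c], where
    Pr[C = c | P = m] is the sum of Pr[K = k] over the keys with e_k(m) = c."""
    if pr_c_dist is None:
        pr_c_dist = ciphertext_distribution(P, K, enc, pr_p, pr_k)
    pr_c_given_m = sum((pr_k[k] for k in K if enc(k, m) == c), Fraction(0))
    return pr_c_given_m * pr_p[m] / pr_c_dist[c]


def has_perfect_secrecy(P, K, enc, pr_p, pr_k):
    """Shannon's definition: Pr[P = m | C = c] == Pr[P = m] for every m and
    every c that can occur (Pr[C = c] > 0)."""
    reachable = ciphertext_distribution(P, K, enc, pr_p, pr_k)
    return all(posterior(P, K, enc, pr_p, pr_k, m, c, reachable) == pr_p[m]
               for c in reachable for m in P)


def theorem_conditions(P, K, enc, pr_k):
    """The theorem's premise |K| = |P| = |C| and its two conditions:
    equiprobable keys, and a unique key for every (x, y) pair."""
    C = {enc(k, m) for k in K for m in P}
    same_size = len(K) == len(P) == len(C)
    equiprobable = all(pr_k[k] == Fraction(1, len(K)) for k in K)
    unique_key = all(sum(1 for k in K if enc(k, x) == y) == 1
                     for x in P for y in C)
    return same_size, equiprobable, unique_key


def uniform(space):
    return {s: Fraction(1, len(space)) for s in space}


# Toy cryptosystem (constructed): shift cipher on one letter of Z_26.
N = 26
P = list(range(N))


def shift(k, m):
    return (m + k) % N


# Constructed plaintext distribution: letter 4 ('E') is very likely.
pr_p = {m: Fraction(1, 52) for m in P}
pr_p[4] += Fraction(1, 2)


def one_time_pad_case():
    """|K| = |P|, uniform keys: both theorem conditions hold."""
    return has_perfect_secrecy(P, P, shift, pr_p, uniform(P))


def biased_key_case():
    """Key 0 chosen half the time: condition 1 (equiprobable keys) fails."""
    pr_k = {k: Fraction(1, 52) for k in P}
    pr_k[0] += Fraction(1, 2)
    return has_perfect_secrecy(P, P, shift, pr_p, pr_k)


def small_key_space_case():
    """|K| = 13 < |P| = 26: ruled out by the 'bad news' theorem."""
    K = list(range(13))
    return has_perfect_secrecy(P, K, shift, pr_p, uniform(K))


if __name__ == "__main__":
    print("uniform key, |K| = |P|:", one_time_pad_case())    # True
    print("biased key:", biased_key_case())                  # False
    print("|K| < |P|:", small_key_space_case())              # False
    print("theorem conditions:", theorem_conditions(P, P, shift, uniform(P)))  # (True, True, True)
```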

Introduction of the Complexity

• Perfect secrecy requires key-length ≥ msg-length
– Can NOT use one key to encrypt many messages
– Such as using a 56-bit key to encrypt a document (> 56 bits)

• So in modern cryptography
– NOT perfect secrecy
– but secure under limited resources (complexity)
– Meaning that key (or plaintext) recovery is difficult
– Complexity is the foundation of modern cryptography

Problems

• Definition: A problem is a general question with associated parameters whose values are not specified

• Example
– Name: GCD problem
– Instance: Two natural numbers $a, b \in \mathbb{N}$
– Question: What is the greatest common divisor of a and b?
– An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: A Turing Machine is a transition function $\delta: S \times B \to S \times B \times \{l, r\}$
– where S is the set of states, B is the set of tape characters, l is shift left and r is shift right

[Diagram: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a State Machine]

Algorithms

• Definition: An algorithm is a step-by-step procedure (based on the Turing Machine) which, for an instance, produces the correct answer

• Description: An algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

[Diagram: a PROBLEM has many INSTANCES; an instance is the Input to an ALGORITHM, whose Output is the answer]

Complexity of Algorithm

• Definition: The time complexity of an algorithm is how many steps (based on the TM) are necessary to produce the solution for a given instance of size n

• Time complexity function (TCF)
– Logarithmic functions: $f(n) = \log(n)$
– Polynomial functions: $f(n) = n^{a}$, $a \in \mathbb{N}$
– Exponential functions: $f(n) = \Omega(a^{n})$, $a \in \mathbb{N}$, and there exists $b \in \mathbb{N}$ with $f(n) = O(b^{n})$





Zhijun Li S1034040Autumn08HIT 70

Mathematical Model for Ciphers

bull P=ML = m=(m1m2hellipmL)|miM ndash M=ai i=12hellipN p(ai)0 i=1

Np(ai)=1

bull K= BR = b=(b1b2hellipbR)|biB ndash B=bi i=12hellipS p(bi)0 i=1

Sp(bi)=1

bull C=c|c=ek(m) kK mM

mcSender Encryption Decryption Receiver

Secure Channel

Cryptanalysism

k

Key Space(K)

Message Space(P)

Ciphertext Space(C)

Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

Shannon was the person who saw that the binary digit was the fundamental element in all of communication That was really his discovery and from it the whole communications revolution has sprung

R G GallagerClaude Shannon

1916-2001

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

bull Pr[C = c] = kKcC(k) Pr[K = k]Pr[m = dk(c)]

ndash C(k) = ek(m)|mP

bull Pr[C = c|P = m] = kKm=dk(c) Pr[K = k]

bull Pr[P = m|C = c]

= Pr[C = c|P = m]Pr[P = m]Pr[C = c]

= (Pr(m)k|m=dk(c)Pr(k))kKcC(k) Pr(k)Pr(dk(c))

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

• Definition: assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  - f is computable in polynomial time by a DTM
  - for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note:
  - Q2 is at least as complex as Q1
  - Denoted as Q1 ≤_poly Q2

Zhijun Li S1034040Autumn08HIT 89

NP Completeness (NPC)

• Definition: an NPC problem is a problem Qc such that for any Q ∈ NP we have Q ≤_poly Qc

• Example:
  - Name: Satisfiability problem (SAT)
  - Instance: a set U of variables and a collection C of clauses over U
  - Question: is there a satisfying truth assignment for C?

• How to prove that a problem Q is NPC: show SAT ≤_poly Q (together with Q ∈ NP)

Zhijun Li S1034040Autumn08HIT 90

P = NP?

• Either P = NP, or there exists p ∈ NP with p ∉ P

• If P = NP:
  - Modern cryptography is NOT secure

• If there exists p ∈ NP with p ∉ P:
  - A one-way function can be built based on p
  - Indistinguishable pseudorandom functions exist
  - These are the foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

• There are randomized algorithms in cryptography
  - Especially in cryptanalysis
  - BPP is the model for randomized algorithms

• Remarks on BPP:
  - The problem can be solved with some error probability
  - The error probability can be reduced by repetition
  - Security of cryptography is meaningful under BPP
  - Will be analyzed in depth later

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: factorize $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$

• DLP: find the exponent x such that raising the given base to the power x gives the given value (mod p)

• DHP: find the value with exponent ab (mod p) from the values with exponents a (mod p) and b (mod p)

• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying $x^2 \equiv a \pmod{n}$

Zhijun Li S1034040Autumn08HIT 93

Semantic Security

• Ideas of semantic security:
  - Between Shannon security and security based on complexity
  - Leakage of partial information
  - Approximates perfect secrecy

• Definition of semantic security:
  - Indistinguishability of ciphertexts
  - Difficult to distinguish the ciphertexts of different plaintexts
  - Difficult to distinguish ciphertext from random bits

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  - A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε

  Challenger / Adversary game:
  1. Challenger picks a random key k and a random bit b ∈ {0, 1}
  2. Adversary picks M0, M1 of equal length
  3. Challenger returns the encryption of M_b under k
  4. Adversary outputs a guess b'

  Attacker wins the game if b = b'

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε

  Challenger / Adversary game:
  1. Challenger picks a random key k
  2. Challenger picks a random message M and returns its encryption under k
  3. Adversary picks an index i and outputs a guess a

  Attacker wins the game if a = the i'th bit of M

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
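The reduction stated on this slide, as an added example that is not part of the lecture: a Python simulation of both games with a constructed "leaky pad" (a one-time pad whose key always has bit 0 cleared, so one plaintext bit shows through), a bit-security attacker that reads that bit, and the wrapper that turns any bit attacker into an IND-CPA adversary with the same success probability. The cipher, the attacker and all class names are constructed for illustration.

```python
import random

BLOCK_BITS = 16  # every message and key is this long, so M0 and M1 have equal length


def bit(x, i):
    """Return bit i of the integer x."""
    return (x >> i) & 1


class OneTimePad:
    """Constructed baseline: XOR with a fresh uniformly random key, so a single
    ciphertext carries no information about the plaintext."""
    name = "one-time pad"

    @staticmethod
    def keygen(rng):
        return rng.getrandbits(BLOCK_BITS)

    @staticmethod
    def encrypt(k, m):
        return k ^ m


class LeakyPad(OneTimePad):
    """Constructed flawed variant: bit 0 of the key is forced to 0, so bit 0 of
    the plaintext appears unchanged in the ciphertext."""
    name = "leaky pad"

    @staticmethod
    def keygen(rng):
        return rng.getrandbits(BLOCK_BITS) & ~1


def bit_game(cipher, attacker, rng):
    """Slide 95: challenger picks k and M; attacker picks i and guesses bit i of M."""
    k = cipher.keygen(rng)
    m = rng.getrandbits(BLOCK_BITS)
    c = cipher.encrypt(k, m)
    i = attacker.choose_index()
    return attacker.guess_bit(c, i) == bit(m, i)


def ind_cpa_game(cipher, adversary, rng):
    """Slide 94: challenger picks k and b; adversary picks M0, M1 of equal length,
    receives E_k(M_b) and wins if its guess equals b."""
    k = cipher.keygen(rng)
    b = rng.getrandbits(1)
    m0, m1 = adversary.choose_messages(rng)
    c = cipher.encrypt(k, m1 if b else m0)
    return adversary.guess(c) == b


class LowBitAttacker:
    """Bit-security attacker: always asks for bit 0 and reads it off the ciphertext."""

    def choose_index(self):
        return 0

    def guess_bit(self, c, i):
        return bit(c, i)


class BitToIndCpa:
    """Slide 96 reduction: wrap a bit attacker B as an IND-CPA adversary.
    M0 and M1 are random but differ in exactly the bit B asks for, so B's guess
    about bit i of M_b identifies b, and B's success probability carries over."""

    def __init__(self, bit_attacker):
        self.B = bit_attacker

    def choose_messages(self, rng):
        self.i = self.B.choose_index()
        self.m0 = rng.getrandbits(BLOCK_BITS)
        flipped = (1 - bit(self.m0, self.i)) << self.i
        m1 = (rng.getrandbits(BLOCK_BITS) & ~(1 << self.i)) | flipped
        return self.m0, m1

    def guess(self, c):
        a = self.B.guess_bit(c, self.i)
        return 0 if a == bit(self.m0, self.i) else 1


def win_rate(game, cipher, player, trials=4000, seed=1):
    """Fraction of games won over many independent runs (seeded for reproducibility)."""
    rng = random.Random(seed)
    return sum(game(cipher, player, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for cipher in (LeakyPad, OneTimePad):
        print(cipher.name,
              "bit game:", win_rate(bit_game, cipher, LowBitAttacker()),
              "IND-CPA via reduction:",
              win_rate(ind_cpa_game, cipher, BitToIndCpa(LowBitAttacker())))
```

Against the leaky pad both win rates are exactly 1; against the real one-time pad both stay near 0.5, which is the contrapositive the slide uses.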

Zhijun Li S1034040Autumn08HIT 97

Summary

• Number Theory
  - Primes, gcd, Euler's Theorem, CRT
  - Modular arithmetic

• Algebraic Structures
  - Group, Field
  - Zn, Zp, GF(2^n)

• Shannon Security
  - Perfect secrecy
  - Probability

• Complexity of Computing
  - P, NP, NPC, BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date:


Zhijun Li S1034040Autumn08HIT 71

Claude Shannon

"Shannon was the person who saw that the binary digit was the fundamental element in all of communication. That was really his discovery, and from it the whole communications revolution has sprung."

R. G. Gallager, on Claude Shannon (1916-2001)

Zhijun Li S1034040Autumn08HIT 72

Probability Distribution of C

• $\Pr[C = c] = \sum_{k \in K,\; c \in C(k)} \Pr[K = k] \cdot \Pr[m = d_k(c)]$
  - where $C(k) = \{\, e_k(m) \mid m \in P \,\}$

• $\Pr[C = c \mid P = m] = \sum_{k \in K,\; m = d_k(c)} \Pr[K = k]$

• $\Pr[P = m \mid C = c] = \dfrac{\Pr[C = c \mid P = m]\,\Pr[P = m]}{\Pr[C = c]} = \dfrac{\Pr(m) \sum_{k \mid m = d_k(c)} \Pr(k)}{\sum_{k \in K,\; c \in C(k)} \Pr(k)\,\Pr(d_k(c))}$

Zhijun Li S1034040Autumn08HIT 73

Shannon Security

• Basic idea: the ciphertext should provide no "information" about the plaintext
  - How to define the "information"?

• Definition: an encryption scheme is Shannon secure if, for the probability distribution of P, $\forall c\; \forall m:\ \Pr[P = m] = \Pr[P = m \mid C = c]$

• Such a scheme is also said to have perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  - every key is used with equal probability 1/|K|, and
  - for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of the "if" direction

• $\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \dfrac{\sum_{k \in K,\; x = d_k(y)} \Pr[K = k]\,\Pr[\mathbf{x} = x]}{\sum_{k \in K,\; y \in C(k)} \Pr[K = k]\,\Pr[\mathbf{x} = d_k(y)]}$

• Numerator: $\sum_{k \in K,\; x = d_k(y)} \Pr[K = k] = \dfrac{1}{|K|}$ (exactly one key maps x to y, and every key has probability 1/|K|)

• Denominator: $\sum_{k \in K,\; y \in C(k)} \Pr[K = k]\,\Pr[\mathbf{x} = d_k(y)] = \dfrac{1}{|K|} \sum_{k \in K,\; y \in C(k)} \Pr[\mathbf{x} = d_k(y)] = \dfrac{1}{|K|} \sum_{x \in P} \Pr[\mathbf{x} = x] = \dfrac{1}{|K|}$

• Hence $\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \Pr[\mathbf{x} = x]$

Zhijun Li S1034040Autumn08HIT 76

Proof of the "only if" direction (unique key)

• Assume Pr[y] > 0 for every y ∈ C
• Pr[x|y] = Pr[x] implies Pr[y|x] = Pr[y]

• Fix x ∈ P and y ∈ C; we have Pr[y|x] = Pr[y] > 0, thus there exists at least one k satisfying e_k(x) = y

• |{ e_k(x) | k ∈ K }| = |C| = |K|
  - so there are no k1 ≠ k2 with e_k1(x) = e_k2(x)
  - and there is a unique key k such that e_k(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of the "only if" direction (equal key probability)

• Let n = |K| and P = { x_i | 1 ≤ i ≤ n }

• Given a fixed y, let k_1, k_2, …, k_n be the keys with e_{k_i}(x_i) = y

• Pr[x_i|y] = Pr[y|x_i] Pr[x_i] / Pr[y] = Pr[K = k_i] Pr[x_i] / Pr[y]

• Pr[x_i|y] = Pr[x_i] implies Pr[K = k_i] = Pr[y]
  - so every key is used with equal probability 1/|K|
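The distributions of slides 72 to 77 and the theorem's two conditions, checked exactly with Python fractions, as an added example that is not part of the lecture: a shift cipher on Z_n with a uniform key has perfect secrecy even for a skewed plaintext distribution, while a biased key distribution, or a constructed variant that breaks the unique-key condition, does not. The Cryptosystem class, the shift_cipher helper and the weights are constructed for illustration.

```python
from fractions import Fraction


def normalize(weights):
    """Turn integer weights {x: w} into an exact probability distribution {x: Fraction}."""
    total = sum(weights.values())
    return {x: Fraction(w, total) for x, w in weights.items()}


class Cryptosystem:
    """A cryptosystem (P, C, K, E, D) together with exact distributions on P and K.
    Constructed helper for this example, not the lecture's own code."""

    def __init__(self, P, C, K, enc, dec, pr_p, pr_k):
        self.P, self.C, self.K = list(P), list(C), list(K)
        self.enc, self.dec = enc, dec
        self.pr_p, self.pr_k = normalize(pr_p), normalize(pr_k)

    def image(self, k):
        """C(k) = { e_k(m) | m in P }: the ciphertexts key k can produce."""
        return {self.enc(k, m) for m in self.P}

    def pr_c(self, c):
        """Pr[C = c] = sum over k with c in C(k) of Pr[K = k] * Pr[P = d_k(c)]."""
        return sum((self.pr_k[k] * self.pr_p.get(self.dec(k, c), Fraction(0))
                    for k in self.K if c in self.image(k)), Fraction(0))

    def pr_c_given_p(self, c, m):
        """Pr[C = c | P = m] = sum over k with e_k(m) = c of Pr[K = k]
        (the slide states the condition as m = d_k(c), which is the same set of keys)."""
        return sum((self.pr_k[k] for k in self.K if self.enc(k, m) == c), Fraction(0))

    def pr_p_given_c(self, m, c):
        """Bayes: Pr[P = m | C = c] = Pr[C = c | P = m] Pr[P = m] / Pr[C = c]."""
        return self.pr_c_given_p(c, m) * self.pr_p[m] / self.pr_c(c)

    def has_perfect_secrecy(self):
        """Shannon's definition: Pr[P = m] = Pr[P = m | C = c] for every m and every c
        that can actually occur (Pr[C = c] > 0; otherwise the posterior is undefined)."""
        return all(self.pr_p_given_c(m, c) == self.pr_p[m]
                   for c in self.C if self.pr_c(c) > 0
                   for m in self.P)

    def meets_theorem_conditions(self):
        """Perfect Secrecy Theorem: |K| = |P| = |C|, every key has probability 1/|K|,
        and for each x in P and y in C exactly one key satisfies e_k(x) = y."""
        same_size = len(self.K) == len(self.P) == len(self.C)
        uniform = all(p == Fraction(1, len(self.K)) for p in self.pr_k.values())
        unique = all(sum(1 for k in self.K if self.enc(k, x) == y) == 1
                     for x in self.P for y in self.C)
        return same_size and uniform and unique


def shift_cipher(n, key_weights, plaintext_weights, step=1):
    """Shift cipher on Z_n: e_k(m) = m + step*k mod n, d_k(c) = c - step*k mod n.
    step=1 is the classic cipher (one key per (x, y) pair); step=2 with even n is a
    constructed broken variant in which keys k and k + n/2 encrypt identically."""
    Zn = range(n)
    return Cryptosystem(Zn, Zn, Zn,
                        lambda k, m: (m + step * k) % n,
                        lambda k, c: (c - step * k) % n,
                        plaintext_weights, key_weights)


if __name__ == "__main__":
    uniform = {k: 1 for k in range(5)}
    skewed = {0: 4, 1: 1, 2: 1, 3: 1, 4: 1}  # constructed: Pr[P=0] = 1/2, others 1/8
    cases = (("uniform key, skewed plaintext", shift_cipher(5, uniform, skewed)),
             ("biased key", shift_cipher(5, skewed, skewed)),
             ("step-2 variant on Z_4",
              shift_cipher(4, {k: 1 for k in range(4)}, {k: 1 for k in range(4)}, step=2)))
    for label, system in cases:
        print(label, "| perfect secrecy:", system.has_perfect_secrecy(),
              "| theorem conditions:", system.meets_theorem_conditions())
        print("   Pr[P=0 | C=0] =", system.pr_p_given_c(0, 0), "vs Pr[P=0] =", system.pr_p[0])
```

With the biased key the posterior Pr[P=0 | C=0] rises from 1/2 to 4/5, which is exactly the "information about the plaintext" that perfect secrecy forbids.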

Zhijun Li S1034040Autumn08HIT 78

"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; then any cipher with perfect secrecy has |K| ≥ n

• Proof:
  - Consider a probability distribution on P that is nonzero everywhere
  - Given any C = c, for every m we have Pr[P=m|C=c] = Pr[P=m] > 0, thus there must exist a key that decrypts c into m
  - As one key decrypts c into only one message, at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction to Complexity

• Perfect secrecy requires the key length to be at least the message length
  - One key can NOT be used to encrypt many messages
  - For example, a 56-bit key cannot encrypt a document longer than 56 bits with perfect secrecy

• So, in modern cryptography:
  - NOT perfect secrecy
  - but secure under limited resources (complexity)
  - meaning that key (or plaintext) recovery is difficult
  - Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified

• Example:
  - Name: GCD problem
  - Instance: two natural numbers a, b ∈ N
  - Question: what is the greatest common divisor of a and b?
  - An instance of the GCD problem: what is gcd(24, 16)?

Zhijun Li S1034040Autumn08HIT 81

Turing Machine

• Definition: a Turing Machine is given by a transition function S × B → S × B × {l, r}
  - where S is the set of states, B is the set of tape characters, l is "shift left" and r is "shift right"

(Figure: an infinite tape … 0 1 1 0 0 0 1 1 … read and written by a state machine.)

Zhijun Li S1034040Autumn08HIT 82

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: an algorithm is said to solve a problem if it produces the correct answers for all instances of the problem



Zhijun Li S1034040Autumn08HIT 73

Shannon Security

bull Basic Idea Ciphertext should provide no ldquoinformationrdquo about Plaintextndash How to define the ldquoinformationrdquo

bull Definition An encryption scheme is Shannon secure if probability distribution of P

cm Pr[P=m] = Pr[P=m|C=c]bull Also say such a scheme has perfect secrecy

Zhijun Li S1034040Autumn08HIT 74

Perfect Secrecy Theorem

bull Suppose (P C K E D) is a cryptosystem where |K| = |P| = |C|

bull Then the cryptosystem provides perfect secrecy if and only if ndash every key is used with equal probability 1|K|ndash and x P and y C there is a unique key k such t

hat ek(x) = y

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε

Game between Challenger and Adversary:
  1. Challenger picks a random key k and a random bit b ∈ {0,1}
  2. Adversary picks M0, M1 of equal length
  3. Challenger returns the encryption of M_b under k; the adversary outputs a guess b'

Attacker wins the game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε

Game between Challenger and Adversary:
  1. Challenger picks a random key k
  2. Challenger picks a random message M and returns its encryption under k
  3. Adversary picks an index i and outputs a guess a

Attacker wins the game if a = the i-th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
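The two games above and the reduction behind the proof, as an added example written by the editor (not the course's code): B submits a random M0 and its bitwise complement M1, runs the bit attacker A on the challenge ciphertext, and answers b' = 0 exactly when A's guessed bit matches M0, so B wins the IND-CPA game exactly as often as A wins the bit game. The message length, the two toy ciphers and the attacker are constructed for this illustration.

```python
"""IND-CPA game, bit-security game, and the reduction between them."""
import random
from typing import Callable, Tuple

N_BITS = 16                               # message length (constructed)
MASK = (1 << N_BITS) - 1


def leaky_encrypt(key: int, msg: int) -> int:
    """Constructed weak cipher: XOR with the key, but bit 0 is left in clear."""
    return ((msg ^ key) & ~1) | (msg & 1)


def otp_encrypt(key: int, msg: int) -> int:
    """One-time pad: every game draws a fresh key, so every bit is masked."""
    return msg ^ key


# A bit-security adversary maps a ciphertext to (index i, guessed bit a).
BitAdversary = Callable[[int], Tuple[int, int]]


def read_bit0(ct: int) -> Tuple[int, int]:
    """Attacker A against the leaky cipher: bit 0 of C equals bit 0 of M."""
    return 0, ct & 1


def bit_security_game(encrypt, adv: BitAdversary, rng: random.Random) -> bool:
    """The bit-security game from the slide; True if the adversary wins."""
    k = rng.getrandbits(N_BITS)           # 1. challenger picks random k
    m = rng.getrandbits(N_BITS)           # 2. challenger picks random M
    i, a = adv(encrypt(k, m))             # 3. adversary picks i and guesses a
    return a == (m >> i) & 1              # wins if a is the i-th bit of M


def ind_cpa_game(encrypt, adv, rng: random.Random) -> bool:
    """Single-challenge (eavesdropper) IND-CPA game; True if the adversary wins."""
    k = rng.getrandbits(N_BITS)           # challenger picks random k ...
    b = rng.getrandbits(1)                # ... and random b in {0, 1}
    m0, m1 = adv("choose", None, rng)     # adversary picks M0, M1 (equal length)
    ct = encrypt(k, m1 if b else m0)      # challenger encrypts M_b
    return adv("guess", ct, rng) == b     # adversary outputs b'; wins if b' = b


def reduction(adv: BitAdversary):
    """Build the IND-CPA adversary B from a bit-security adversary A."""
    state = {}

    def B(phase: str, ct, rng: random.Random):
        if phase == "choose":
            state["m0"] = rng.getrandbits(N_BITS)
            return state["m0"], state["m0"] ^ MASK   # M1 = complement of M0
        i, a = adv(ct)                               # run A on the challenge
        # A's guess matches M0[i] -> b' = 0; otherwise it matches M1[i] -> b' = 1
        return 0 if a == (state["m0"] >> i) & 1 else 1

    return B


def win_rate(game, encrypt, adv, trials: int = 2000, seed: int = 7) -> float:
    """Empirical win probability over `trials` independent games."""
    rng = random.Random(seed)
    return sum(game(encrypt, adv, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for name, enc in (("leaky", leaky_encrypt), ("one-time pad", otp_encrypt)):
        print(name, "bit game:", win_rate(bit_security_game, enc, read_bit0),
              "IND-CPA via reduction:", win_rate(ind_cpa_game, enc, reduction(read_bit0)))
```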

Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date


Perfect Secrecy Theorem

• Suppose (P, C, K, E, D) is a cryptosystem where |K| = |P| = |C|

• Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability 1/|K|
  – and for every x ∈ P and y ∈ C there is a unique key k such that e_k(x) = y

Proof of (⇐): the two conditions imply perfect secrecy

• By Bayes' rule, with C(k) = {e_k(x) : x ∈ P},
$$\Pr[\mathbf{x}=x \mid \mathbf{y}=y] = \frac{\sum_{k\in K:\ x=d_k(y)} \Pr[K=k]\,\Pr[\mathbf{x}=x]}{\sum_{k\in K:\ y\in C(k)} \Pr[K=k]\,\Pr[\mathbf{x}=d_k(y)]}$$

• Since exactly one key maps x to y and Pr[K = k] = 1/|K|, the key sum in the numerator is
$$\sum_{k\in K:\ x=d_k(y)} \Pr[K=k] = \frac{1}{|K|}$$

• and the denominator is
$$\sum_{k\in K:\ y\in C(k)} \Pr[K=k]\,\Pr[\mathbf{x}=d_k(y)] = \frac{1}{|K|}\sum_{k\in K:\ y\in C(k)} \Pr[\mathbf{x}=d_k(y)] = \frac{1}{|K|}\sum_{x\in P}\Pr[\mathbf{x}=x] = \frac{1}{|K|}$$

• Hence Pr[x = x | y = y] = Pr[x = x] for all x and y, which is perfect secrecy

Proof of (⇒): a unique key for every (x, y)

• Assume Pr[y] > 0 for every y ∈ C. Perfect secrecy gives Pr[x|y] = Pr[x], hence Pr[y|x] = Pr[y]

• Fix x ∈ P and y ∈ C. We have Pr[y|x] = Pr[y] > 0, thus there exists at least one key k that satisfies e_k(x) = y

• |{e_k(x) : k ∈ K}| = |C| = |K|
  – so there are no two keys k1 ≠ k2 with e_{k1}(x) = e_{k2}(x)
  – and there is a unique key k such that e_k(x) = y

Proof of (⇒): every key is equally likely

• Let n = |K| and P = {x_i | 1 ≤ i ≤ n}

• Given a fixed y, let k_1, k_2, …, k_n be the keys with e_{k_i}(x_i) = y

• Pr[x_i | y] = Pr[y | x_i] Pr[x_i] / Pr[y] = Pr[K = k_i] Pr[x_i] / Pr[y]

• Since Pr[x_i | y] = Pr[x_i], it follows that Pr[K = k_i] = Pr[y] for every i
  – So every key is used with equal probability 1/|K|

"Bad News" for Perfect Secrecy

• Theorem: let the plaintext space P have size n; any cipher with perfect secrecy has |K| ≥ n

• Proof
  – Consider a probability distribution on P in which every message has nonzero probability
  – Given any ciphertext C = c, for every m we have Pr[P = m | C = c] = Pr[P = m] > 0, thus there must exist a key that decrypts c into m
  – As one key decrypts c into only one message, at least n keys are needed
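An added example (the editor's code, not the course's) that checks the Perfect Secrecy Theorem and the |K| ≥ n bound exhaustively on small constructed cryptosystems: a shift cipher on Z_5 with uniform keys passes, the same cipher with a skewed key distribution fails the equal-probability condition, and a version with only 3 keys for 5 plaintexts fails, as the "bad news" theorem predicts. Probabilities are exact fractions, so the equalities are checked without rounding.

```python
"""Exhaustive check of Shannon's perfect secrecy on small cryptosystems.
A cryptosystem is a table enc[k][x] = y; perfect secrecy means
Pr[x | y] = Pr[x] for every x and every y with Pr[y] > 0."""
from fractions import Fraction
from itertools import product


def joint_distribution(enc, p_x, p_k):
    """Pr[x, y] when the plaintext x and the key k are drawn independently."""
    pr = {}
    for k, x in product(p_k, p_x):
        y = enc[k][x]
        pr[(x, y)] = pr.get((x, y), 0) + p_k[k] * p_x[x]
    return pr


def has_perfect_secrecy(enc, p_x, p_k) -> bool:
    """Pr[x, y] == Pr[x] * Pr[y] for all x and all y with Pr[y] > 0."""
    pr_xy = joint_distribution(enc, p_x, p_k)
    pr_y = {}
    for (x, y), p in pr_xy.items():
        pr_y[y] = pr_y.get(y, 0) + p
    return all(pr_xy.get((x, y), 0) == p_x[x] * pr_y[y]
               for x in p_x for y in pr_y)


def theorem_conditions(enc, p_k) -> bool:
    """The theorem's two conditions when |K| = |P| = |C|: keys are uniform,
    and for every (x, y) exactly one key maps x to y."""
    keys = list(enc)
    plaintexts = list(enc[keys[0]])
    ciphertexts = {enc[k][x] for k in keys for x in plaintexts}
    if not (len(keys) == len(plaintexts) == len(ciphertexts)):
        return False
    uniform = all(p_k[k] == Fraction(1, len(keys)) for k in keys)
    unique = all(sum(1 for k in keys if enc[k][x] == y) == 1
                 for x in plaintexts for y in ciphertexts)
    return uniform and unique


def shift_cipher(n: int, num_keys: int = None):
    """e_k(x) = x + k mod n on Z_n; with num_keys = n, |K| = |P| = |C| = n."""
    num_keys = n if num_keys is None else num_keys
    return {k: {x: (x + k) % n for x in range(n)} for k in range(num_keys)}


def uniform(items):
    return {i: Fraction(1, len(items)) for i in items}


# Constructed sample systems and distributions
SHIFT5 = shift_cipher(5)
FEW_KEYS = shift_cipher(5, num_keys=3)      # 3 keys for 5 plaintexts
SKEWED_X = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8),
            3: Fraction(1, 16), 4: Fraction(1, 16)}
SKEWED_K = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
            3: Fraction(1, 8), 4: Fraction(1, 8)}


def demo():
    """Perfect secrecy verdicts for the three constructed systems."""
    return {
        "shift_uniform_keys": has_perfect_secrecy(SHIFT5, SKEWED_X, uniform(range(5))),
        "shift_skewed_keys": has_perfect_secrecy(SHIFT5, SKEWED_X, SKEWED_K),
        "few_keys": has_perfect_secrecy(FEW_KEYS, SKEWED_X, uniform(range(3))),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: perfect secrecy = {verdict}")
```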

Introduction to Complexity

• Perfect secrecy requires key length ≥ message length
  – Can NOT use one key to encrypt many messages
  – For example, a 56-bit key cannot give perfect secrecy for a document longer than 56 bits

• So in modern cryptography
  – NOT perfect secrecy
  – but security under limited resources (complexity)
  – meaning that key (or plaintext) recovery is difficult
  – Complexity is the foundation of modern cryptography

Problems

• Definition: a problem is a general question with associated parameters whose values are not specified

• Example
  – Name: GCD problem
  – Instance: two natural numbers a, b ∈ N
  – Question: what is the greatest common divisor of a and b?
  – An instance of the GCD problem: what is gcd(24, 16)?

Turing Machine

• Definition: a Turing Machine is given by a transition function S × B → S × B × {l, r}
  – where S is the set of states, B is the set of tape characters, l is shift left and r is shift right

[Figure: a tape … 0 1 1 0 0 0 1 1 … read and written by the State Machine]

Algorithms

• Definition: an algorithm is a step-by-step procedure (based on a Turing Machine) which, for an instance, produces the correct answer

• Description: an algorithm is said to solve a problem if it produces the correct answers for all instances of the problem

Problems and Algorithms

[Figure: a PROBLEM has INSTANCES; an instance is the Input to an ALGORITHM, which produces the Output]

Complexity of Algorithm

• Definition: the time complexity of an algorithm is how many steps (on a TM) are necessary to produce the solution for a given instance of size n

• Time complexity functions (TCF)
  – Logarithmic functions: f(n) = log(n)
  – Polynomial functions: f(n) = n^a, a ∈ N
  – Exponential functions: f(n) = Ω(a^n) for some a ∈ N, and there exists b ∈ N with f(n) = O(b^n)

Complexity of Problem

• Definition: the complexity of a problem is the complexity of the best algorithm for the problem, i.e. the least complexity over all algorithms
  – The complexity of a problem is much more difficult to determine
  – It relies on mathematical analysis

• Definition: complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them

Classes of Problems

• Undecidable: provably intractable
  – There is no algorithm that solves it
  – Such as the Turing Halting Problem

• Decidable
  – P: can be solved in polynomial time using a DTM
    • Example: an arithmetic operation on A and B
  – NP: can be solved in polynomial time using an NDTM (transition relation S × B → 2^(S × B × {l, r}), i.e. a set of possible moves)
  – BPP: can be "solved" in polynomial time using a PTM (transition S × B × {0,1} → S × B × {l, r}, with a random bit as extra input; randomized algorithms)

NP Problem

• NP problem: a problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark
  – P problems ⊆ NP problems
  – NP problems are "more difficult" by intuition

• NPC: the most difficult problems in NP
  – How to define the difficulty?
  – P problems are considered easy problems

Polynomial Reduction

• Definition: assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their sets of 'yes' instances. Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 such that
  – f is computable in polynomial time by a DTM
  – for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note
  – Q2 is more complex than Q1
  – Denoted as Q1 ≤poly Q2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 75

Proof of

kKx=dk(y) Pr[K = k]Pr[x = x]

bull Pr[x = x|y = y]=

kKyC(k) Pr[K = k]Pr[x = dk(y)]

kKx=dk(y) Pr[K = k]=1|K|

kKyC(k) Pr[K = k]Pr[x = dk(y)]

=1|K|kKyC(k) Pr[x = dk(y)]=1|K|xPPr[x=x]=1|K|

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 76

Proof of

bull Pr[y] gt 0bull Pr[x|y]=Pr[x] Pr[y|x]=Pr[y]

bull Fixed xP yC we have Pr[y|x]=Pr[y]gt0 thus at least exists k that satisfies ek(x)=y

bull |ek(x)|kK|=|C|=|K|

ndash There is not ek1 ek2 and ek1(x) = ek2(x)

ndash There is a unique key k such that ek(x) = y

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 77

Proof of

bull Let n=|K| and P=xi|1in

bull Given a fixed y assume k1k2hellipkn where eki (xi)

=y

bull Pr[xi|y]=Pr[y|xi]Pr[xi]|Pr[y]=Pr[K=ki]Pr[xi]|Pr[y]

bull Pr[xi|y]=Pr[xi] Pr[K=ki]=Pr[y] ndash Every key is used with equal probability 1|K|

Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

• Definition: The complexity of a problem is the complexity of the best algorithm for the problem, OR the least complexity over all algorithms
– The complexity of a problem is much more difficult to determine
– It relies on mathematical analysis

• Definition: Complexity theory is the mathematical discipline that classifies problems based on the difficulty of solving them
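The problem / instance / algorithm vocabulary of the last few slides, and the step-counting notion of time complexity, as an added example that is not part of the lecture slides: two algorithms for the GCD problem, each returning its answer together with the number of steps it took, so the slide's instance gcd(24, 16) can be compared. The function names, the step-counting convention (one division, or one candidate divisor tested, counts as a step) and the Fibonacci worst-case instances are the example's own choices.

```python
def gcd_euclid(a, b):
    """Euclid's algorithm for the GCD problem.

    Returns (gcd, steps), where steps counts division steps, the unit of
    'time' in the definition above. The count is O(log min(a, b)), i.e.
    linear in the bit length of the input."""
    steps = 0
    while b:
        a, b = b, a % b
        steps += 1
    return a, steps


def gcd_exhaustive(a, b):
    """A correct but slower algorithm for the same problem: test every
    candidate divisor from min(a, b) downwards.

    Returns (gcd, steps). The step count grows linearly in min(a, b),
    which is exponential in the bit length of the input."""
    steps = 0
    for d in range(min(a, b), 0, -1):
        steps += 1
        if a % d == 0 and b % d == 0:
            return d, steps
    raise ValueError("inputs must be positive")


def fibonacci_pair(k):
    """Consecutive Fibonacci numbers (F_{k+1}, F_k): the worst-case
    instances for Euclid's algorithm, because every quotient is 1."""
    a, b = 1, 0
    for _ in range(k):
        a, b = a + b, a
    return a, b


if __name__ == "__main__":
    # The slide's instance gcd(24, 16): both algorithms answer 8, in 2 vs 9 steps.
    print(gcd_euclid(24, 16), gcd_exhaustive(24, 16))
    # Worst-case growth for Euclid: the step count stays logarithmic in the numbers.
    for k in (5, 10, 20, 40):
        hi, lo = fibonacci_pair(k)
        print(k, hi, lo, gcd_euclid(hi, lo)[1])
```

Euclid's step count stays logarithmic in the size of the numbers (linear in their bit length) while the exhaustive search grows with the value itself, that is exponentially in the bit length. The complexity of the GCD problem is therefore at most that of Euclid's algorithm, which is the "best algorithm" sense of the definition above.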


Classes of Problem

• Undecidable – provably intractable
– There is no algorithm that solves it
– Such as the Turing Halting Problem

• Decidable
– P – can be solved in polynomial time using a DTM
• Example: AB
– NP – can be solved in polynomial time using an NDTM, whose transition function is δ: S × B → 2^(S × B × {l, r})
– BPP – can be "solved" in polynomial time using a PTM, whose transition function also reads a random bit: δ: S × B × {0, 1} → S × B × {l, r} (randomized algorithms)


NP Problem

• NP problem: A problem is solved by an NDTM if the NDTM produces "YES" whenever there is a solution

• Remark:
– P ⊆ NP
– NP problems are "more difficult", by intuition

• NPC: The most difficult problems in NP
– How to define the difficulty?
– P problems are considered easy problems


Polynomial Reduction

• Definition: Assume Q1, Q2 ∈ NP, and let I1+ and I2+ be their 'yes' instances.
Q1 is polynomially reducible to Q2 if there is a function f: I1 → I2 s.t.
– f is computable in polynomial time by a DTM
– for all x: x ∈ I1+ iff f(x) ∈ I2+

• Note:
– Q2 is at least as complex as Q1
– Denoted as Q1 ≤poly Q2


NP Completeness (NPC)

• Definition: An NPC problem is a Qc such that for any Q ∈ NP we have Q ≤poly Qc

• Example:
– Name: Satisfiability problem (SAT)
– Instance: A set U of variables and a collection C of clauses over U
– Question: Is there a satisfying truth assignment for C?

• How to prove a problem Q is NPC:
– Show SAT ≤poly Q
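The NP and reduction definitions of the last three slides, as an added example that is not part of the lecture slides. A SAT instance is checked by a polynomial-time verifier (the "YES whenever there is a solution" of the NDTM, with the guessed assignment as certificate), found by an exponential brute-force search, and mapped by a polynomial-time function f to an equisatisfiable 3-SAT instance, so the 'yes'-instance condition x ∈ I1+ iff f(x) ∈ I2+ can be checked on both a satisfiable and an unsatisfiable input. The clause encoding (positive integer = variable, negative = its negation), the sample instances and all function names are the example's own constructions.

```python
import itertools

# Constructed sample instances (positive int = variable, negative int = its negation).
CNF_SAT = [(1, 2), (-1, 3), (-2, -3), (-1, -2, 3, 4)]    # satisfiable, e.g. x2=True, x1=x3=x4=False
CNF_UNSAT = [(1, 2, 3, 4), (-1,), (-2,), (-3,), (-4,)]   # unit clauses force every variable False


def verify_assignment(cnf, assignment):
    """Polynomial-time certificate check: does `assignment` (dict var -> bool)
    make at least one literal true in every clause?"""
    return all(any(assignment[abs(lit)] == (lit > 0) for lit in clause)
               for clause in cnf)


def sat_bruteforce(cnf):
    """Exponential search standing in for the NDTM's guess: try all 2^n
    assignments and return the first satisfying one, or None."""
    variables = sorted({abs(lit) for clause in cnf for lit in clause})
    for bits in itertools.product((False, True), repeat=len(variables)):
        assignment = dict(zip(variables, bits))
        if verify_assignment(cnf, assignment):
            return assignment
    return None


def reduce_sat_to_3sat(cnf):
    """Polynomial-time reduction f: SAT -> 3-SAT. A long clause
    (l1 v l2 v ... v lk) becomes (l1 v l2 v y1) ^ (-y1 v l3 v y2) ^ ... ^ (-y_{k-3} v l_{k-1} v lk)
    with fresh variables y_j; the output is satisfiable iff the input is.
    Output size is linear in input size, so f runs in polynomial time."""
    next_var = max((abs(lit) for clause in cnf for lit in clause), default=0) + 1
    out = []
    for clause in cnf:
        clause = list(clause)
        if len(clause) <= 3:
            out.append(tuple(clause))
            continue
        y = next_var
        out.append((clause[0], clause[1], y))
        for lit in clause[2:-2]:
            out.append((-y, lit, y + 1))
            y += 1
        out.append((-y, clause[-2], clause[-1]))
        next_var = y + 1
    return out


if __name__ == "__main__":
    for name, cnf in (("CNF_SAT", CNF_SAT), ("CNF_UNSAT", CNF_UNSAT)):
        answer = sat_bruteforce(cnf)
        reduced = reduce_sat_to_3sat(cnf)
        # The reduction preserves the yes/no answer, as the definition requires.
        print(name, "satisfiable:", answer is not None,
              "| f(x) satisfiable:", sat_bruteforce(reduced) is not None)
```

The verifier is what makes SAT a member of NP (a certificate is checked in polynomial time); the brute-force search is the only kind of algorithm known for it, which is the intuition behind "more difficult". The reduction direction matters: mapping SAT into 3-SAT shows 3-SAT is at least as hard, exactly the SAT ≤poly Q step used to prove a problem NPC.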


P = NP?

• Either P = NP, or there exists p ∈ NP with p ∉ P

• If P = NP:
– Modern cryptography is NOT secure

• If there exists p ∈ NP with p ∉ P:
– A one-way function can be built based on p
– Indistinguishable pseudorandom functions exist
– They are the foundations of modern cryptography


BPP

• There are randomized algorithms in cryptography
– Especially in cryptanalysis
– BPP is the model for randomized algorithms

• Remarks on BPP:
– The problem can be solved with some error probability
– The error probability can be reduced by repetition
– Security of cryptography is meaningful under BPP
– Will be analyzed in depth later
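The "error probability reduced by repetition" remark, as an added example that is not part of the lecture slides: a Miller-Rabin primality test, the standard randomized algorithm whose one-round error on a composite is at most 1/4, so k independent rounds bring it below 4^-k. The Carmichael number 561 is included because the simpler Fermat test is fooled by it for every base coprime to 561, while a Miller-Rabin round with base 2 is not. Function names and the fixed seed (used only to make the run reproducible) are the example's own choices.

```python
import random


def fermat_passes(n, a):
    """Fermat test with base a. A composite n can pass (a is then a 'Fermat liar')."""
    return pow(a, n - 1, n) == 1


def is_strong_liar(n, a):
    """One Miller-Rabin round for odd n > 2. Returns True if base a does NOT
    witness that n is composite, i.e. n 'looks prime' to this base."""
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 = d * 2^r with d odd
        d //= 2
        r += 1
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(r - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def is_probable_prime(n, rounds=20, seed=0):
    """BPP-style primality test: `rounds` independent random bases.
    A prime is never rejected; a composite survives each round with
    probability at most 1/4, so the error is at most 4**-rounds."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    if n == 3:
        return True
    rng = random.Random(seed)  # seeded only so the example is reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if not is_strong_liar(n, a):
            return False       # a witness settles it: n is certainly composite
    return True


def count_strong_liars(n):
    """Exact one-round error for a small odd composite: how many bases in
    1..n-1 are strong liars. The 1/4 bound guarantees at most (n-1)/4 of them."""
    return sum(is_strong_liar(n, a) for a in range(1, n))


if __name__ == "__main__":
    n = 561  # = 3 * 11 * 17, a Carmichael number
    print("Fermat base 2 passes:", fermat_passes(n, 2))
    print("Miller-Rabin base 2 liar:", is_strong_liar(n, 2))
    print("strong liars out of", n - 1, ":", count_strong_liars(n))
    for rounds in (1, 5, 20):
        print(rounds, "rounds -> error bound", 4.0 ** -rounds,
              "| verdict:", is_probable_prime(n, rounds))
```

One round already gives a one-sided answer: a witness proves compositeness, a liar proves nothing. Repetition only ever lowers the error on composites, which is why a BPP algorithm's error can be pushed below any threshold at a polynomial cost, the point of the slide.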


Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 ⋯ pk^ek)

• DLP: Find x satisfying α^x ≡ β (mod p)

• DHP: Find α^(ab) (mod p) from α^a (mod p) and α^b (mod p)

• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: Decide whether a is a quadratic residue modulo n

• SQROOT: Find x satisfying x^2 ≡ a (mod n)
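The number-theoretic problems of this slide on toy sizes, as an added example that is not part of the lecture slides. Only generic exponential-time methods are shown for FACTORING and DLP (trial division and stepping through the powers), while QRP and SQROOT are solved in polynomial time for a prime modulus p ≡ 3 (mod 4), and SQROOT modulo n = p·q is solved by gluing the prime-modulus roots with the CRT; that last function makes the caveat explicit: knowing the factors is what turns the hard instance into an easy one. Function names and the sample values are the example's own choices; the instance factor(84) is the factorization example from earlier in the chapter.

```python
def factor(n):
    """FACTORING by trial division; returns the exponents {p: e} of
    n = p1^e1 * ... * pk^ek. About sqrt(n) divisions: exponential in the bit length."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def dlog_bruteforce(alpha, beta, p):
    """DLP: find x with alpha^x ≡ beta (mod p) by stepping through the powers.
    Up to p - 1 multiplications: exponential in the bit length of p."""
    acc = 1
    for x in range(p - 1):
        if acc == beta % p:
            return x
        acc = acc * alpha % p
    return None


def is_quadratic_residue(a, p):
    """QRP for an odd prime modulus is easy: Euler's criterion a^((p-1)/2) ≡ 1 (mod p)."""
    return pow(a, (p - 1) // 2, p) == 1


def sqrt_mod_prime(a, p):
    """SQROOT for a prime p ≡ 3 (mod 4) and a residue a: x = a^((p+1)/4) mod p,
    a single modular exponentiation."""
    if p % 4 != 3 or not is_quadratic_residue(a % p, p):
        raise ValueError("need p ≡ 3 (mod 4) and a quadratic residue a")
    return pow(a, (p + 1) // 4, p)


def sqrt_mod_pq(a, p, q):
    """SQROOT modulo n = p*q is easy once the factors are known: take a root
    modulo each prime and combine them with the CRT. Without the factorization
    of n, computing square roots modulo n is as hard as FACTORING n."""
    xp, xq = sqrt_mod_prime(a % p, p), sqrt_mod_prime(a % q, q)
    t = (xq - xp) * pow(p, -1, q) % q   # pow(p, -1, q) is the inverse of p mod q (Python 3.8+)
    return (xp + p * t) % (p * q)


if __name__ == "__main__":
    print("factor(84) =", factor(84))                       # {2: 2, 3: 1, 7: 1}
    print("log_3(4) mod 7 =", dlog_bruteforce(3, 4, 7))     # 4, since 3^4 = 81 ≡ 4 (mod 7)
    print("2 is a QR mod 7:", is_quadratic_residue(2, 7), "| 3 is:", is_quadratic_residue(3, 7))
    print("sqrt(2) mod 7 =", sqrt_mod_prime(2, 7))           # 4, since 4^2 = 16 ≡ 2 (mod 7)
    x = sqrt_mod_pq(4, 7, 11)
    print("sqrt(4) mod 77 =", x, "check:", x * x % 77)      # 9, and 81 ≡ 4 (mod 77)
```

The easy and hard directions sit side by side here: a modular exponentiation answers QRP or SQROOT modulo a prime in polynomial time, whereas recovering x in the DLP or the factors of n is left to exhaustive search. Modern cryptography (the next slides) rests on that gap holding up for large parameters.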


Semantic Security

• Ideas of Semantic Security:
– Between Shannon security and security based on complexity
– Leaks partial information
– Approximates perfect secrecy

• Definition of Semantic Security:
– Indistinguishability of ciphertexts
– Difficult to distinguish the ciphertexts of different plaintexts
– Difficult to distinguish ciphertext from random bits


IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
– A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

Challenger: picks random k and picks random b ∈ {0, 1}
Adversary: picks M0, M1 of equal length
(the challenger returns c = E(k, Mb); the adversary outputs a guess b')
Attacker wins the game if b = b'


Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

Challenger: 1. picks random k; 2. picks random M
Adversary: 3. picks i
(the challenger returns c = E(k, M); the adversary outputs a guess a)
Attacker wins the game if a = the i-th bit of M


Semantic Security

• Theorem: Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
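The two games of the previous slides and the reduction in this proof, as an added example that is not part of the lecture slides. Both games are played by a simulated challenger on 16-bit messages; the reduction wraps any bit-security attacker into an IND-CPA adversary by choosing M0 and M1 that differ only in bit i, so that bit i of the encrypted message is exactly b and the inner attacker's guess for that bit is the outer adversary's guess b'. The one-time pad plays the secure cipher; the "leaky" cipher, which never masks bit 0, is a constructed weak cipher that exists only to show a bit attacker succeeding and the reduction carrying that success over. All class and function names are the example's own.

```python
import random

BITS = 16  # message and key length of the toy ciphers (constructed for the example)


def otp_encrypt(k, m):
    """One-time pad on BITS-bit blocks: perfectly secret when k is fresh and uniform."""
    return k ^ m


def leaky_encrypt(k, m):
    """Constructed weak cipher: masks every bit except bit 0, which it copies into c."""
    return m ^ (k & ~1)


class BitAttacker:
    """Attacker for the bit-security game: asks for bit 0 and reads it off the ciphertext."""
    def choose_index(self):
        return 0

    def guess_bit(self, c, i):
        return (c >> i) & 1


class ReducedIndCpaAttacker:
    """The reduction of the proof above: any bit attacker becomes an IND-CPA attacker.
    M0 and M1 differ only in bit i, so bit i of the challenge plaintext equals b."""
    def __init__(self, bit_attacker):
        self.inner = bit_attacker
        self.i = None

    def choose_messages(self):
        self.i = self.inner.choose_index()
        return 0, 1 << self.i          # equal length; M0 has bit i = 0, M1 has bit i = 1

    def guess(self, c):
        return self.inner.guess_bit(c, self.i)   # b' := the inner attacker's bit guess


def bit_game(encrypt, attacker, rng):
    """One run of the bit-security game. True if the attacker wins."""
    k, m = rng.getrandbits(BITS), rng.getrandbits(BITS)
    i = attacker.choose_index()
    a = attacker.guess_bit(encrypt(k, m), i)
    return a == ((m >> i) & 1)


def ind_cpa_game(encrypt, adversary, rng):
    """One run of the eavesdropper IND-CPA game. True if b' == b."""
    k, b = rng.getrandbits(BITS), rng.getrandbits(1)
    m0, m1 = adversary.choose_messages()
    c = encrypt(k, m1 if b else m0)
    return adversary.guess(c) == b


def win_rate(game, encrypt, adversary, trials=2000, seed=0):
    """Empirical winning probability over `trials` independent games (seeded for reproducibility)."""
    rng = random.Random(seed)
    return sum(game(encrypt, adversary, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for name, enc in (("one-time pad", otp_encrypt), ("leaky cipher", leaky_encrypt)):
        print(name, "| bit game:", win_rate(bit_game, enc, BitAttacker()),
              "| IND-CPA via reduction:",
              win_rate(ind_cpa_game, enc, ReducedIndCpaAttacker(BitAttacker())))
```

The reduction spends the same time as the inner attacker plus one message choice, and wins exactly when the inner attacker does, which gives the (t, ε) to (t, ε) transfer of the theorem. Against the one-time pad both win rates sit at 0.5, as the theorem requires of a secure cipher; against the leaky cipher the bit attacker wins every game and so does the IND-CPA adversary built from it.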


Summary

• Number Theory
– Primes, gcd, Euler's Theorem, CRT
– Modular arithmetic

• Algebraic Structures
– Group, Field
– Zn, Zp, GF(2^n)

• Shannon Security
– Perfect secrecy
– Probability

• Complexity of Computing
– P, NP, NPC, BPP


Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date


Zhijun Li S1034040Autumn08HIT 78

ldquoBad Newsrdquo for Perfect Secrecy

bull Theorem Let the plaintext space P has size n any cipher with perfect secrecy has |K|n

bull Proof ndash Consider a nonezero probability distribution of Pndash Given any C=c for every m

Pr[P=m|C=c] = Pr[P=m] gt 0 thus there must exist one key that decrypts c into m

ndash As one key can decrypt c into one message at least n keys are needed

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 79

Introduction of the Complexity

bull Perfect Secrecy key-length msg-lengthndash Can NOT use one key to encrypt many messagendash Such as use 56-bit key to encrypt a document(gt56-bi

t)

bull So in modern cryptographyndash NOT perfect secrecy ndash IS secure under limited resource (complexity)ndash Mean that the key(or plaintext) recovery is difficultndash Complexity is the foundation of modern cryptography

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 80

Problems

bull Definition A problem is a general question with associated parameters whose values are not specified

bull Examplendash Name GCD problemndash Instance Two natural numbers ab Nndash Question What is the greatest common divisor of a a

nd bndash An instance of GCD problem what is gcd(2416)

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 81

bull Definition A Turing Machine is SB S SB Blrndash When S is State B is Characters l is shift left r is shi

ft right

Turing Machine

hellip 0 1 1 0 0 0 1 1 hellip

State Machine

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

NP Completeness (NPC)

• Definition: an NPC problem is a problem Qc such that for every Q ∈ NP we have Q ≤poly Qc.

• Example
  – Name: Satisfiability problem (SAT)
  – Instance: a set U of variables and a collection C of clauses over U
  – Question: is there a satisfying truth assignment for C?

• How to prove that a problem Q is NPC
  – Show SAT ≤poly Q

Zhijun Li S1034040Autumn08HIT 90

P = NP?

• Either P = NP, or there is some problem p ∈ NP with p ∉ P

• If P = NP
  – Modern cryptography is NOT secure

• If there is a p ∈ NP with p ∉ P
  – A one-way function can be built based on p
  – Indistinguishable pseudorandom functions exist
  – These are the foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

• Randomized algorithms are used in cryptography
  – Especially in cryptanalysis
  – BPP is the model for randomized algorithms

• Remarks on BPP
  – The problem is solved with some error probability
  – The error probability can be reduced by repetition
  – Security of cryptography is meaningful in the BPP model
  – Will be analyzed in depth later
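As an added illustration of the BPP remarks above (this code is not from the lecture slides), the following Python implements the Miller-Rabin primality test, the standard randomized test used in cryptography: a prime always passes a round, a composite passes a single round with probability at most 1/4, and repeating rounds with fresh random bases drives the error probability down geometrically. The function names and the round count of 20 are this example's own choices.

```python
# Added example (not from the lecture slides): a randomized primality test
# in the BPP spirit. Each round draws a fresh random base; a prime always
# passes, a composite survives one round with probability at most 1/4, so
# repetition reduces the error to at most 4**-rounds.
import secrets


def miller_rabin_round(n: int, a: int) -> bool:
    """One Miller-Rabin round: True if odd n > 3 passes with base a."""
    # Write n - 1 as 2^r * d with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(r - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False  # a is a witness that n is composite


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """True if n is prime, with error probability at most error_bound(rounds)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random base in [2, n - 2]
        if not miller_rabin_round(n, a):
            return False  # certainly composite
    return True  # probably prime


def error_bound(rounds: int) -> float:
    """Upper bound on the probability that a composite survives all rounds."""
    return 4.0 ** (-rounds)


if __name__ == "__main__":
    for n in (97, 561, 2**61 - 1):
        print(n, is_probable_prime(n), "error <=", error_bound(20))
```

The test for the Carmichael number 561 is the instructive case: it fools the plain Fermat test for every base coprime to it, but a single Miller-Rabin round with base 2 already exposes it as composite.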

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: factorize n = p1^e1 · p2^e2 · … · pk^ek

• DLP (discrete logarithm problem): find the exponent x such that a given base raised to x equals a given element (mod p)

• DHP (Diffie-Hellman problem): given the base raised to a (mod p) and to b (mod p), find the base raised to ab (mod p)

• Subset-Sum: given a set of positive integers A = {a1, a2, …, an} and a positive integer s, decide whether there is a subset of A whose sum is s

• QRP: decide whether a is a quadratic residue modulo n

• SQROOT: find x satisfying x^2 ≡ a (mod n)
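The polynomial reduction defined a few slides earlier and the problem list above meet in one classic case: FACTORING ≤poly SQROOT, i.e. anyone who can compute square roots modulo n = p·q can factor n (Rabin's argument). The Python below is an added example, not code from the slides. The SQROOT oracle is a constructed stand-in that "cheats" by knowing p and q (chosen ≡ 3 mod 4 so that roots are easy to compute), which is exactly what a reduction proof assumes; the reduction itself treats it as a black box. The function names and the sample primes 1019 and 1031 are this example's own choices.

```python
# Added example (not from the slides): the reduction FACTORING <=_poly SQROOT.
# Given any oracle that returns a square root modulo n = p*q, the function
# factor_with_sqroot_oracle recovers p and q with a few random queries.
import math
import secrets
from typing import Callable, Optional, Tuple


def crt_combine(rp: int, rq: int, p: int, q: int) -> int:
    """Combine residues rp (mod p) and rq (mod q) into one residue mod p*q."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def make_sqroot_oracle(p: int, q: int) -> Callable[[int], Optional[int]]:
    """Constructed SQROOT oracle for n = p*q (p, q primes with p, q = 3 mod 4).

    A real adversary would not have p and q; the oracle only stands in for
    the hypothetical "SQROOT solver" that the reduction is given.
    """
    assert p % 4 == 3 and q % 4 == 3
    n = p * q

    def oracle(a: int) -> Optional[int]:
        # For a prime p = 3 mod 4, a^((p+1)/4) is a root of a mod p if one exists.
        rp = pow(a, (p + 1) // 4, p)
        rq = pow(a, (q + 1) // 4, q)
        if (rp * rp - a) % p or (rq * rq - a) % q:
            return None  # a is not a quadratic residue mod n
        # a has four roots mod n; return one uniformly at random, since the
        # oracle knows nothing about which root the caller started from.
        if secrets.randbelow(2):
            rp = p - rp
        if secrets.randbelow(2):
            rq = q - rq
        return crt_combine(rp, rq, p, q)

    return oracle


def factor_with_sqroot_oracle(n: int, sqroot: Callable[[int], Optional[int]],
                              max_tries: int = 64) -> Optional[Tuple[int, int]]:
    """Factor n = p*q using only a square-root oracle (Rabin's reduction).

    Pick random x and ask for a root y of x^2 mod n. With probability 1/2 the
    oracle returns y != +-x; then (x - y)(x + y) = 0 mod n with neither factor
    zero mod n, so gcd(x - y, n) is a non-trivial factor of n.
    """
    for _ in range(max_tries):
        x = 2 + secrets.randbelow(n - 3)
        g = math.gcd(x, n)
        if g != 1:
            return (min(g, n // g), max(g, n // g))  # x already shares a factor
        y = sqroot(x * x % n)
        if y is None or y in (x, n - x):
            continue  # useless root; try again (probability 1/2 per try)
        g = math.gcd(x - y, n)
        if 1 < g < n:
            return (min(g, n // g), max(g, n // g))
    return None  # failure probability at most 2**-max_tries


if __name__ == "__main__":
    p, q = 1019, 1031  # constructed sample primes, both 3 mod 4
    print(factor_with_sqroot_oracle(p * q, make_sqroot_oracle(p, q)))
```

The reduction runs in polynomial time and makes an expected two oracle calls, so SQROOT modulo a composite is at least as hard as FACTORING; the converse (factoring lets you take roots) is what the oracle itself demonstrates.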

Zhijun Li S1034040Autumn08HIT 93

Semantic Security

• Ideas of semantic security
  – Lies between Shannon security and security based on complexity
  – Some partial information may leak
  – Approximates perfect secrecy

• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Hard to distinguish the ciphertexts of different plaintexts
  – Hard to distinguish ciphertext from random bits

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability 0.5 + ε

  Game (Challenger vs. Adversary):
  1. Challenger picks a random key k and a random bit b ∈ {0, 1}
  2. Adversary picks M0, M1 of equal length
  3. Challenger sends the adversary the encryption of Mb under k
  4. Adversary outputs a guess b'
  The attacker wins the game if b = b'.

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability 0.5 + ε

  Game (Challenger vs. Adversary):
  1. Challenger picks a random key k
  2. Challenger picks a random message M and sends its encryption under k
  3. Adversary picks a bit position i and outputs a guess a
  The attacker wins the game if a = the i'th bit of M.

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure.

• Proof: given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security.
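The two games above and the reduction in this proof, written out as runnable Python. This is an added example, not code from the slides: the cipher is a constructed toy stream cipher whose keystream is SHA-256(key || nonce || counter), with a "fixed nonce" variant that reuses its keystream for every message (a constructed weakness, assumed for the demonstration). The bit attacker exploits that reuse; `ind_cpa_from_bit_attacker` is the proof's construction, which turns any bit-guessing attacker into an IND-CPA adversary by choosing M0 and M1 that differ only in bit i. All function names are this example's own.

```python
# Added example (not from the slides): IND-CPA and bit-security game harnesses
# plus the reduction "bit attacker -> IND-CPA adversary" from the proof.
import hashlib
import secrets
from typing import Callable

Oracle = Callable[[bytes], bytes]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_random_nonce(key: bytes, msg: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh nonce per message
    return nonce + xor(msg, keystream(key, nonce, len(msg)))


def encrypt_fixed_nonce(key: bytes, msg: bytes) -> bytes:
    nonce = bytes(16)  # constructed weakness: the keystream is reused
    return nonce + xor(msg, keystream(key, nonce, len(msg)))


def get_bit(data: bytes, i: int) -> int:
    return (data[i // 8] >> (7 - i % 8)) & 1


# Bit-security game: guess bit i of a random message from its ciphertext.
def keystream_reuse_bit_attacker(oracle: Oracle, c: bytes, i: int) -> int:
    # Encrypting all-zero bytes returns the keystream itself when it is
    # reused; XORing it into c then recovers the message. Against the
    # random-nonce cipher this yields an unrelated stream and a coin-flip guess.
    body = c[16:]
    ks = oracle(bytes(len(body)))[16:]
    return get_bit(xor(body, ks), i)


def bit_game(enc, attacker, i: int, length: int = 8, trials: int = 200) -> float:
    """Fraction of games the attacker wins (0.5 means no advantage)."""
    wins = 0
    for _ in range(trials):
        key = secrets.token_bytes(16)                 # 1. challenger picks k
        m = secrets.token_bytes(length)               # 2. challenger picks M
        oracle = lambda x, key=key: enc(key, x)       # chosen-plaintext access
        c = enc(key, m)
        wins += attacker(oracle, c, i) == get_bit(m, i)  # 3. guess bit i
    return wins / trials


# IND-CPA game.
def ind_cpa_game(enc, adversary, trials: int = 200) -> float:
    wins = 0
    for _ in range(trials):
        key = secrets.token_bytes(16)                 # 1. picks k ...
        b = secrets.randbelow(2)                      #    ... and b
        oracle = lambda x, key=key: enc(key, x)
        m0, m1, finish = adversary(oracle)            # 2. adversary picks M0, M1
        assert len(m0) == len(m1)
        c = enc(key, (m0, m1)[b])                     # 3. challenger encrypts M_b
        wins += finish(c) == b                        # 4. adversary outputs b'
    return wins / trials


def ind_cpa_from_bit_attacker(bit_attacker, i: int, length: int = 8):
    """The reduction: M0 and M1 differ only in bit i (bit i of M_b equals b),
    so a correct guess of that bit is a correct guess of b."""
    def adversary(oracle: Oracle):
        m0 = bytes(length)
        m1 = bytearray(length)
        m1[i // 8] |= 1 << (7 - i % 8)
        return m0, bytes(m1), lambda c: bit_attacker(oracle, c, i)
    return adversary


if __name__ == "__main__":
    adv = ind_cpa_from_bit_attacker(keystream_reuse_bit_attacker, i=5)
    for enc in (encrypt_fixed_nonce, encrypt_random_nonce):
        print(enc.__name__, bit_game(enc, keystream_reuse_bit_attacker, 5),
              ind_cpa_game(enc, adv))
```

Against the fixed-nonce cipher both win rates are exactly 1.0, which is the theorem read contrapositively: a cipher that is not bit secure cannot be IND-CPA secure. Against the random-nonce cipher the same attacker, and the IND-CPA adversary built from it, land near 0.5.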

Zhijun Li S1034040Autumn08HIT 97

Summary

• Number theory
  – Primes, gcd, Euler's theorem, CRT
  – Modular arithmetic

• Algebraic structures
  – Groups, fields
  – Zn, Zp, GF(2^n)

• Shannon security
  – Perfect secrecy
  – Probability

• Complexity of computing
  – P, NP, NPC, BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 82

Algorithms

bull Definition An algorithm is a step-by-step procedure (based on Turing Machine) which for an instance produces the correct answer

bull Description An algorithm is said to solve a problem if it produces the correct answers for all instances of a problem

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 83

PROBLEM

INSTANCES

ALGORITHM

Input

Output

Problems and Algorithms

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 84

Complexity of Algorithm

bull Definition time complexity of an algorithm is how many steps (based on TM) are necessary to produce the solution for a given instance of the size n

bull Time complexity function (TCF)ndash Logarithmic functions f(n)=log(n)ndash Polynomial functions

f(n)=na aNndash Exponential functions

f(n)=(an) aN and exist bN f(n)=O(bn)

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 85

Complexity of Problem

bull Definition The complexity of a problem is complexity of the best algorithm for a problem OR the least complexity of all algorithmsndash The complexity of problem is much more difficultndash It relay on the mathematical analysis

bull Definition Complexity theory is mathematical discipline that classifies problems based on the difficulty to solve them

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

bull FACTORING Factorize n (= p1e1 p2

e2hellippkek)

bull DLP Find x satisfying x (mod p)

bull DHP Find ab (mod p) from a (mod p) and b (mod p)

bull Subset-Sum Given a set of positive integers A=a1a2hellipan and a positive integer s determine there is a subset of A whose sum is s

bull QRP Decide a is a quadratic residue modulo n

bull SQROOT Find x satisfying x2 a (mod n)

Zhijun Li S1034040Autumn08HIT 93

bull Ideas of Semantic Securityndash Between Shannon secure and security based on Com

plexityndash Leak partial informationndash Approximate perfect secrecy

bull Definition of Semantic Securityndash Indistinguishability of Ciphertextsndash Difficult to distinguish ciphertext for different plaintextsndash Difficult to distinguish ciphertext from random bits

Semantic Security

Zhijun Li S1034040Autumn08HIT 94

IND-CPA

bull Definition IND-CPA(indistinguishability under a chosen-plaintext attack)ndash A cipher is (t) IND-CPA secure if no t-time adversary

wins the following game with probability of 05 +

Challenger Adversary

picks random k andpicks random b 01isin

picks M0 M1 of equal length

Attacker wins game if b=brsquo

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 86

Classes of Problem

bull Undecidable ndash provably intractable ndash There is no algorithm solves itndash Such as Turing Halting Problem

bull Decidable ndash P ndash can be solved in polynomial time using DTM

bull Example ABndash NP ndash can be solved in polynomial time using NDTM

SB 2S

ndash BPP ndash can be ldquosolvedrdquo in polynomial time using PTM SB01 S (Randomized algorithms)

Zhijun Li S1034040Autumn08HIT 87

NP Problem

bull NPP A problem is solved by the NDTM if NTDM produces ldquoYESrdquo whenever there is a solution

bull Remarkndash P Problem NP Problemndash NP Problem is ldquomore difficultrdquo from intuition

bull NPC The most difficult problem in NP ndash How to define the difficultyndash P problem is considered as easy problem

Zhijun Li S1034040Autumn08HIT 88

Polynomial Reduction

bull Definition Assume Q1Q2NP and I1+ and I2

+ are all lsquoyesrsquo instances

Q1 is polynomially reducible to Q2 if there is a function f I1I2 stndash f is computable in polynomial time by a DTM

ndash for all x I1+ iff f(x)I2

+

bull Note ndash Q2 is more complexity than Q1

ndash Denoted as Q1polyQ2

Zhijun Li S1034040Autumn08HIT 89

bull Definition The NPC problem is the Qc for any QNP we have Q polyQc

bull Examplendash Name Satisfiability problem(SAT)ndash Instance A set U of variables and a collection C of cla

uses over Undash Question Is there a satisfying truth assignment for C

bull How to prove a problem Q NPCndash SAT polyQ

NP Completeness (NPC)

Zhijun Li S1034040Autumn08HIT 90

P=NP

bull P=NP or pNPpP

bull If P=NPndash Modern cryptography is NOT secure

bull If pNPpPndash A one-way function can be build based on pndash Indistinguishable pseudorandom functions existndash They are foundations of modern cryptography

Zhijun Li S1034040Autumn08HIT 91

BPP

bull There are random algorithms in cryptographyndash Especially in cryptanalysisndash BPP is the model for random algorithms

bull Remark of BPPndash The problem can be solved with error probabilityndash The error probability can be reduced by repeatndash Security of cryptography is meaningful under BPPndash Will be deeply analyzed in future

Zhijun Li S1034040Autumn08HIT 92

Problems in Cryptography

• FACTORING: Factorize n (= p1^e1 · p2^e2 · … · pk^ek)

• DLP: Find x satisfying α^x ≡ β (mod p)

• DHP: Find α^(ab) (mod p) from α^a (mod p) and α^b (mod p)

• Subset-Sum: Given a set of positive integers A = {a1, a2, …, an} and a positive integer s, determine whether there is a subset of A whose sum is s

• QRP: Decide whether a is a quadratic residue modulo n

• SQROOT: Find x satisfying x^2 ≡ a (mod n)
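As an added example that is not part of the slides, this Python works small instances of QRP, SQROOT and FACTORING from the list above and goes one step beyond it: it shows why SQROOT modulo a composite n is at least as hard as FACTORING n. The toy primes p = 7, q = 11 are constructed for the example.

```python
# Added example (not from the slides): small instances of QRP, SQROOT and FACTORING
# from slide 92, and the classic link between them: two "different" square roots of
# the same a modulo n = p*q reveal a factor of n.
from math import gcd


def is_qr_prime(a: int, p: int) -> bool:
    """QRP for an odd prime modulus is easy: Euler's criterion a^((p-1)/2) ≡ 1 (mod p)."""
    return pow(a % p, (p - 1) // 2, p) == 1


def sqrt_mod_prime(a: int, p: int):
    """SQROOT for a prime p ≡ 3 (mod 4): x = a^((p+1)/4) mod p, or None if a is not a residue."""
    assert p % 4 == 3, "this shortcut needs p ≡ 3 (mod 4)"
    x = pow(a % p, (p + 1) // 4, p)
    return x if (x * x) % p == a % p else None


def crt(rp: int, p: int, rq: int, q: int) -> int:
    """Chinese Remainder Theorem for two coprime moduli: x ≡ rp (mod p), x ≡ rq (mod q)."""
    n = p * q
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n


def sqrt_mod_pq(a: int, p: int, q: int) -> list:
    """SQROOT modulo n = p*q when the factorization is known: combine the ±roots mod p
    and mod q with the CRT, giving up to four roots."""
    rp, rq = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
    if rp is None or rq is None:
        return []
    return sorted({crt(s * rp % p, p, t * rq % q, q) for s in (1, -1) for t in (1, -1)})


def factor_from_roots(n: int, x: int, y: int):
    """If x^2 ≡ y^2 (mod n) but x ≢ ±y (mod n), then gcd(x - y, n) is a proper factor of n:
    an algorithm for SQROOT mod n would therefore give one for FACTORING."""
    assert (x * x - y * y) % n == 0
    d = gcd(x - y, n)
    return d if 1 < d < n else None


if __name__ == "__main__":
    p, q = 7, 11          # constructed toy primes, both ≡ 3 (mod 4)
    n = p * q
    roots = sqrt_mod_pq(4, p, q)
    print("square roots of 4 mod", n, "->", roots)               # [2, 9, 68, 75]
    print("factor from roots 2 and 9 ->", factor_from_roots(n, 2, 9))  # 7
```

With the factorization known, all four roots of 4 mod 77 are found; without it, any pair of roots that are not negatives of each other hands over a factor, which is why SQROOT and FACTORING stand or fall together.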


Semantic Security

• Ideas of semantic security
  – Between Shannon security and security based on complexity
  – Some partial information may leak
  – Approximates perfect secrecy

• Definition of semantic security
  – Indistinguishability of ciphertexts
  – Difficult to distinguish the ciphertexts of different plaintexts
  – Difficult to distinguish ciphertext from random bits

IND-CPA

• Definition: IND-CPA (indistinguishability under a chosen-plaintext attack)
  – A cipher is (t, ε) IND-CPA secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

Challenger: picks random k and picks random b ∈ {0,1}
Adversary: picks M0, M1 of equal length
Challenger: returns the encryption of M_b under k
Adversary: outputs a guess b'

Attacker wins game if b = b'

Bit Secure

• A cipher is (t, ε) bit secure if no t-time adversary wins the following game with probability ≥ 0.5 + ε

Challenger: 1. picks random k; 2. picks random M
Adversary: 3. picks i, receives the encryption of M under k, and outputs a bit a

Attacker wins game if a = i'th bit of M

Semantic Security

• Any cipher that is (t, ε) IND-CPA secure against eavesdroppers is also (t, ε) bit secure

• Proof: Given a (t, ε) attacker against bit security, build a (t, ε) attacker against IND-CPA security
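As an added example (not from the slides), the following Python simulates the IND-CPA game of slide 94 and the reduction of slide 96. It assumes two constructed toy ciphers built from HMAC-SHA256 as a PRF (one reusing a fixed nonce, one drawing a fresh random nonce per message) and a hypothetical bit attacker `pad_reuse_bit_attacker` that only succeeds against the nonce-reusing cipher.

```python
# Added example (not from the slides): a toy IND-CPA game and the
# bit-security reduction from slide 96, run against two constructed ciphers.
import hashlib
import hmac
import secrets


def prf(key: bytes, nonce: bytes, n: int) -> bytes:
    """Keystream F(k, nonce) of n bytes; HMAC-SHA256 in counter mode stands in for a PRF."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DeterministicCipher:
    """Stream cipher with a fixed nonce: the same plaintext always gives the same ciphertext."""
    def encrypt(self, k: bytes, m: bytes) -> bytes:
        return xor(m, prf(k, bytes(16), len(m)))


class RandomizedCipher:
    """Fresh 16-byte nonce per encryption; ciphertext = nonce || (m XOR F(k, nonce))."""
    def encrypt(self, k: bytes, m: bytes) -> bytes:
        r = secrets.token_bytes(16)
        return r + xor(m, prf(k, r, len(m)))


def ind_cpa_game(cipher, adversary, trials: int = 200) -> float:
    """Slide 94 game: challenger picks k and b; adversary picks M0, M1 of equal length,
    gets C = E(k, M_b) plus a chosen-plaintext oracle, and outputs b'. Returns the win rate."""
    wins = 0
    for _ in range(trials):
        k = secrets.token_bytes(32)
        b = secrets.randbelow(2)
        oracle = lambda m: cipher.encrypt(k, m)   # chosen-plaintext queries
        m0, m1 = adversary.choose(oracle)
        assert len(m0) == len(m1)
        c = cipher.encrypt(k, m1 if b else m0)
        if adversary.guess(oracle, c) == b:
            wins += 1
    return wins / trials


class RepeatQueryAdversary:
    """Asks the oracle for E(k, M0) and checks whether the challenge ciphertext equals it."""
    def choose(self, oracle):
        self.m0, self.m1 = b"attack at dawn!!", b"attack at dusk!!"   # constructed, equal length
        return self.m0, self.m1

    def guess(self, oracle, c: bytes) -> int:
        return 0 if oracle(self.m0) == c else 1


def pad_reuse_bit_attacker(oracle, c: bytes, i: int) -> int:
    """Hypothetical bit-security attacker for the fixed-nonce cipher: E(k, 0...0) is the
    keystream itself, so XORing it into C recovers M and therefore bit i of M."""
    m = xor(c, oracle(bytes(len(c))))
    return (m[i // 8] >> (i % 8)) & 1


def bit_attacker_to_ind_cpa(bit_attacker, i: int, n: int):
    """Reduction on slide 96: from an attacker B on bit i, build an IND-CPA adversary A.
    A picks M0, M1 that differ only in bit i, so bit i of M_b equals b, and outputs B's answer."""
    class A:
        def choose(self, oracle):
            base = bytearray(secrets.token_bytes(n))
            m0, m1 = bytearray(base), bytearray(base)
            m0[i // 8] &= ~(1 << (i % 8)) & 0xFF   # bit i of M0 is 0
            m1[i // 8] |= 1 << (i % 8)             # bit i of M1 is 1
            return bytes(m0), bytes(m1)

        def guess(self, oracle, c: bytes) -> int:
            return bit_attacker(oracle, c, i)
    return A()


if __name__ == "__main__":
    for name, cipher in (("fixed nonce", DeterministicCipher()), ("random nonce", RandomizedCipher())):
        print(name, "repeat-query win rate:", ind_cpa_game(cipher, RepeatQueryAdversary()))
        a = bit_attacker_to_ind_cpa(pad_reuse_bit_attacker, 5, 8)
        print(name, "reduced bit-attacker win rate:", ind_cpa_game(cipher, a))
```

Against the fixed-nonce cipher both adversaries win every game; against the random-nonce cipher they are reduced to guessing, so a bit attacker with advantage ε becomes an IND-CPA attacker with the same advantage, exactly as the proof sketch states.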


Summary

• Number Theory
  – Primes, gcd, Euler's Theorem, CRT
  – Modular arithmetic

• Algebraic Structures
  – Group, Field
  – Zn, Zp, GF(2^n)

• Shannon Security
  – Perfect secrecy
  – Probability

• Complexity of Computing
  – P, NP, NPC, BPP

Homework

• HTTP URL: http://cst.hit.edu.cn/cryptography

• Due Date:

  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 95

Bit Secure

bull A cipher is (t ) bit secure if no t-time adversary wins the following game with probability 05 + Challenger Adversary1 Picks random k2 Picks random M

Attacker wins game if a=irsquoth bit of M

3 Picks i

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 96

Semantic Security

bull Any cipher that is (t) IND-CPA secure against eavesdroppers is also (t) bit secure

bull Proof Given a (t) attacker against bit security build a (t) attacker against IND-CPA security

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 97

Summary

bull Number Theoryndash Prime gcd Eulerrsquo Theorem CRTndash Modula arithmetic

bull Algebraic Structuresndash Group Fieldndash ZnZpGF(2n)

bull Shannon Securityndash Perfect secrecyndash Probability

bull Complexity of Computingndash P NP NPC BPP

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98

Zhijun Li S1034040Autumn08HIT 98

Homework

bull HTTP URL

httpcsthiteducncryptography

bull Due Date

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
  • Slide 70
  • Slide 71
  • Slide 72
  • Slide 73
  • Slide 74
  • Slide 75
  • Slide 76
  • Slide 77
  • Slide 78
  • Slide 79
  • Slide 80
  • Slide 81
  • Slide 82
  • Slide 83
  • Slide 84
  • Slide 85
  • Slide 86
  • Slide 87
  • Slide 88
  • Slide 89
  • Slide 90
  • Slide 91
  • Slide 92
  • Slide 93
  • Slide 94
  • Slide 95
  • Slide 96
  • Slide 97
  • Slide 98