Presentation is loading. Please wait.

Presentation is loading. Please wait.

Assignment 4 is due! Assignment 5 is out and is due in two weeks!

Published byShawn Wells Modified over 7 years ago

Similar presentations

Presentation on theme: "Assignment 4 is due! Assignment 5 is out and is due in two weeks!"— Presentation transcript:

0 B504/I538: Introduction to Cryptography
Spring • Lecture 19 (2017—03—21)

1 Assignment 4 is due! Assignment 5 is out and is due in two weeks!
(2017—04—04) (Please get started early!!)

2 Recall: Groups Defn: Let G be a non-empty set and let ‘•’ be a binary operation acting on ordered pairs of elements from G. The pair (G,•) is called a group if Closure: ∀a,b∈G, Associativity: ∀a,b,c∈G, Identity: ∃e∈G, Inverses: ∀a∈G, The group (G,•) is abelian (or commutative) if Commutative: ∀a,b∈G, a•b∈G ??? ??? (a•b)•c=a•(b•c) ∀a∈G, a•e=e•a=a ??? ??? ∃a-1∈G such that a•a-1=a-1•a=e a•b=b•a ??? Note: We often refer to just the set G as the group if the operation is clear

3 Recall: Exponentiation in a group
For n∈{1,2,3,…} we define an=a•a•a•••a For n=0, we define an=e For n∈{-1,-2,-3, …} we define an=(a-1)-n Additive notation: If (G,+) is a group under addition, then we write n•a≔a+a+⋯+a n times Thm (law of exponents): Let (G,•) be a group and let m,n∈ℤ. For each a∈G, am•an=am+n and (am)n=amn. n times

4 eth roots e≠identity! (from here on, we’ll denote the identity by 1) Defn: Let (G,•) be a group and let a∈G. An eth root of a in G is an element b∈G such that ??? a≡be in G. Common notations include: b ≔ e a = a1⁄e = ae-1 161/2≡ in (ℤ,•) ½·3≡ in (ℤ7,+) 81/2≡ in (℥17 ,⊡), where ⊡ is multiplication modulo 17 4 16 ≡ in (ℝ,•) 4 ?? ?? 5 ?? 5 (since 5•5=25≡8 mod 17) ?? 2 Defn: An eth root of a modulo n is an eth root of a in (℥n,⊡), where ⊡ denotes multiplication modulo n.

5 eth roots Q: Do eth roots modulo n always exist? A: No! (So when do they exist?) Q: If an eth root of a modulo n exists, is it unique? A: In general, no! (But when is it unique?) Q: If an eth root of a modulo n exists, is it easy to compute? A: Yes, provided we know the factorization of n! (21/2 mod 11 does not exist, since 12≡1, 22≡4, 32≡9, 42≡5, 52≡3, 62≡3, 72≡5, 82≡9, 92≡4, 102≡1!) (31/2≡5 or 6 mod 11, since 52=25≡3 mod 11 and 62=36≡ 3 mod 11)

6 eth roots modulo p Suppose p>2 is prime and let a∈ℤp
Q: When does a unique solution for a1⁄e mod p exist? A: If gcd(e,p-1)=1, then a1/e≡ad mod p where d≔e-1 mod p-1 If gcd(e,p-1)≠1, then a1/e may or may not exist; if it does exist, then it is not unique! Fact: If p>2 is prime, then the squaring function, which maps each a∈G to a2 is a 2—to—1 function in ℥p.

7 Quadratic residues Defn: An element a∈ℤn is a quadratic residue modulo n if and only if it has a square root modulo n. At most half of elements in ℤn can be quadratic residues modulo n! The set of quadratic residues modulo n is denoted QRn. Fact: (QRn,⊡) is a group, where ⊡ is multiplication modulo n! More generally, a is an eth residue modulo n if it has an eth root modulo n.

8 Legendre symbols Defn: If p>2 is prime, then ( a p )≔a(p-1)⁄2 is called the Legendre Symbol of a modulo p. Q: What makes ( a p ) worthy of special consideration? A: Fermat’s Little Theorem implies that ( a p )2≡1 whenever a∈℥p! (Note: ( a p )∈{-1,0,1}) Thm (Euler’s Criterion): a∈℥p is a quadratic residue modulo p if and only if ( a p )=1; that is, if and only if ( a p )≡1.

9 Jacobi Symbols The Legendre Symbol generalizes to composite moduli, but the properties are slightly trickier: If ( a n )=1, then a is definitely not a quadratic residue modulo n If a is a quadratic residue modulo n, then ( a n ) is definitely equal to 1 However, if ( a n )=1, then a may or may not be a quadratic residue modulo n! We will discuss Jacobi Symbols later on when we see the Goldwasser—Micali cryptosystem

10 Computing square roots modulo n
Thm: If p is a prime such that p≡3 mod 4 and a is a quadratic residue modulo p, then a1/2≡a(p+1)⁄4 mod p. Proof: (a(p+1)⁄4)2 ≡a(p+1)⁄2 (law of exponents) ≡a1+(p-1)⁄2 (rearranging) ≡a•a(p-1)⁄2 ≡a (Euler’s Criterion) ☐ Q: Why do we insist on p≡3 mod 4? A: If p≡1 mod 4, then (p+1)⁄4 is not an integer! (If p≡1 mod 4, more complicated algorithm compute a1/2 in O(lg3 p) steps)

11 eth roots modulo n Suppose n is composite and let a∈℥n
Q: When does a solution for a1⁄e mod n exist? When is it unique? A: If gcd(e,φ(n))=1, then a1/e≡ad mod n where d≔e-1 mod φ(n) If gcd(e,φ(n))≠1, then a1/e may or may not exist; if it does exist, then it is not unique! Note: Suppose n=pq for distinct primes p and q. Then knowledge of φ(n) is sufficient to determine n It appears hard to determine existence of a1/e when factorization of n is not known…

12 Computing p and q from φ(pq)
Goal: Given n=pq and φ(n), determine p and q. φ(n)=(p-1)(q-1)=pq-p-q+1=(n+1)-p-q (defn of φ(n)) ⇒ (n+1)-φ(n)=p+q so that q=(n+1)-φ(n)-p (rearranging) ⇒ n=p(n+1-φ(n)-p)=-p2+(n+1φ(p)) (substitute into n=pq) ⇒ p2-(n+1-φ(n))p+n= (rearranging) This is a quadratic equation in indeterminant p with a=1 b=-(n+1-φ(n)) c=n ⇒ the quadratic formula yields p and q as the two roots!

13 The eth root problem Defn: The eth root problem (aka the RSA problem) is: Given (n,e,a) such that n=pq for distinct s-bit primes p and q, a∈℥n, and gcd(e,φ(n))=1, compute a1/e mod n. One possible solution: compute d≔e-1 mod φ(n) and output ad mod n Fact: Computing d is equivalent to factoring n! Q: Is solving eth root as hard as factoring? A: Well…err, maybe? I dunno! (It may be possible to compute a1/e directly!)

14 Practice: Computing square roots modulo p
Compute the square roots of 3 mod 139, if they exist. Compute the square roots of 5 mod 139, if they exist. Legendre Symbol: 3(139-1)/2≡138≡-1 mod 139 Roots do not exist! Legendre Symbol: 5(139-1)/2 = 1 mod 139 Roots exist! Mod 4 congruence: 139 = 3 mod 4 Simple formula for computing roots! “Positive” root: 5(139+1)/4 = 127 mod 139 “Negative” root: = 12 mod 139

15 Practice: Computing eth roots modulo n
Compute 511/11 mod (Note: =113·97) Compute φ(10 961): (113-1)(97-1)=10 752 Relative primeness: gcd(11, 112·96) = 1 unique root exists! Inverse mod : 11-1≡1955 mod Compute root: = mod

16 Logarithms Defn: The logarithm of a to the base b is the number x such that We denote that x is the logarithm of a to the base b by logba=x ??? a=bx log4 16= log5 125= log2 128= log2 16= 2, since 42=16 ??? ??? 3, since 53=125 7, since 27=128 ??? 4, since 24=16 ???

17 Recall: Order of a group element
Defn: The number of elements in a group (G,•) is called its order. We write |G| to denote the order of (G,•). Defn: Let (G,•) be a group and let a∈G. The smallest positive integer i such that ai=e is called the order of a in (G,•). We write |a| to denote the order of a∈G. If |a|=|G|, then we call a a generator of (G,•).

18 Euler’s Theorem for finite groups
Thm: Let (G,•) be a group and let a∈G. a i=a j in G if and only if i≡j mod |a|. Lagrange’s Theorem: Let (G,•) be a group with order |G|=N. Then |a| divides N for all a∈G. Corollary: If i≡j mod |G|, then ai=a j in G. Trick: To compute ai mod n, first reduce the exponent (i.e., i) modulo |a|, or |G| if |a| is not known.

19 Cyclic groups Defn: If (G,•) has one or more generators, then we call it a cyclic group. Thm: If |G| is prime, then (G,•) is cyclic. This follows directly from the generalization of Euler’s Theorem on the last slide! Note: If (G,•) is cyclic and |G| is given, then given any generator g∈G, it is easy to select h∊G is easy. (How?) - Choose r∊{0,1,…,|G|-1} and output h=gr

20 Discrete logarithms ??? h=gx in G.
Defn: Let G be a group with |G|=n and let g,h∈G. A discrete logarithm (DL) of h to the base g in G is a number x∈ℤn such that ??? h=gx in G. Q: Does the DL of h to the base g always exist? A: No! (So when does it exist?) Q: If the DL of h to the base g exists, is it unique? A: Sort of… If x1 and x2 are DLs of h to the base g, then x1≡x2 mod |g| Thm: If (G,•) is a cyclic group of order n with g a generator, then ∀h∈G, x=loggh exists and is unique in ℤn - We therefore speak of the DL of h to the base g

21 The DL problem Defn: Let (G,•) be a cyclic group of order n and let g be a generator of G. Then the DL problem in (G,•) is: Given (G,n,g,h) where g,h∈G with |g|=n, compute x=loggh

22 That’s all for today, folks!

Download ppt "Assignment 4 is due! Assignment 5 is out and is due in two weeks!"

Similar presentations

1 Lect. 12: Number Theory. Contents Prime and Relative Prime Numbers Modular Arithmetic Fermat’s and Euler’s Theorem Extended Euclid’s Algorithm.

1 Lect. 12: Number Theory. Contents Prime and Relative Prime Numbers Modular Arithmetic Fermat’s and Euler’s Theorem Extended Euclid’s Algorithm.
Chapter 4 Finite Fields. Introduction of increasing importance in cryptography –AES, Elliptic Curve, IDEA, Public Key concern operations on “numbers”

Chapter 4 Finite Fields. Introduction of increasing importance in cryptography –AES, Elliptic Curve, IDEA, Public Key concern operations on “numbers”
Section 11 Direct Products and Finitely Generated Abelian Groups One purpose of this section is to show a way to use known groups as building blocks to.

Section 11 Direct Products and Finitely Generated Abelian Groups One purpose of this section is to show a way to use known groups as building blocks to.
Chapter 8 – Introduction to Number Theory. Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other.

Chapter 8 – Introduction to Number Theory. Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other.
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 18 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 18 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.

CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.
1 Chapter 7– Introduction to Number Theory Instructor: 孫宏民 Room: EECS 6402, Tel:03- 5742968, Fax : 886-3-572-3694.

1 Chapter 7– Introduction to Number Theory Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
and Factoring Integers

and Factoring Integers
Chapter 4 – Finite Fields Introduction  will now introduce finite fields  of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public.

Chapter 4 – Finite Fields Introduction  will now introduce finite fields  of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public.
Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.
Dan Boneh Intro. Number Theory Modular e’th roots Online Cryptography Course Dan Boneh.

Dan Boneh Intro. Number Theory Modular e’th roots Online Cryptography Course Dan Boneh.

Cryptography Lecture 6 Stefan Dziembowski

Cryptography Lecture 6 Stefan Dziembowski
1 Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown Chapter 4 – Finite Fields.

1 Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown Chapter 4 – Finite Fields.
Information Security and Management 4. Finite Fields 8

Information Security and Management 4. Finite Fields 8
By: Hector L Contreras SSGT / USMC

By: Hector L Contreras SSGT / USMC
Prelude to Public-Key Cryptography Rocky K. C. Chang, February 2014 1.

Prelude to Public-Key Cryptography Rocky K. C. Chang, February
Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005.

Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005.

Similar presentations

Ads by Google