Download presentation
Presentation is loading. Please wait.
ECE578: Cryptography 6: Primes, Galois Fields, ECC, and the Discrete Logarithm Problem Professor Richard A. Stanley, P.E. Spring 2010 © , Richard A. Stanley
Map to the Endpoint Class # Date Topic 6 5/10
Primes, Galois fields, ECC, discrete logarithm problem 7 5/17 Advanced Encryption System 8 5/24 Authentication, Signatures, PKI 5/31 No class—Memorial Day 9 6/7 Student presentations; take-home final 10 6/14 Final exam due by Spring 2010 © , Richard A. Stanley
Review: Asymmetric Key Protocol
Spring 2010 © , Richard A. Stanley
RSA Setup Spring 2010 © , Richard A. Stanley
En/Decryption Spring 2010 © , Richard A. Stanley
Asymmetric Key Summary
Public key, or asymmetric cryptosystems add a new dimension to cryptography The difficulty of attacking these systems is believed to be equivalent to factoring, but this has not been formally proven Asymmetric cryptography is slower than symmetric cryptography, thus hybrid systems are commonly used Spring 2010 © , Richard A. Stanley
The Problem With Assumptions
As you have seen from the homework, it was assumed that hash functions required approximately 269 operations to create a collision, and systems were based on that Now, we discover that as few as 28 operations may be required, a reduction in complexity of 261 2 x 1018 What does this mean for asymmetric cryptography? Spring 2010 © , Richard A. Stanley
Prime Numbers Essential to some forms of asymmetric key cryptography, as they underlie the key generation Finding primes is difficult Database approach Generate primes Test for primality Spring 2010 © , Richard A. Stanley
The Search for Prime Numbers
Before computers, a 44-digit prime was found in 1951 = (2148+1)/17 That same year, a computer found a 79-digit prime Spring 2010 © , Richard A. Stanley
Database of Primes? Infinitely many primes, as proven by Euclid long ago 5000 largest known primes take up a text file of about 460 KB Storable, searchable Not fast Spring 2010 © , Richard A. Stanley
Construct a Prime? A formula which will generate all of the primes?
Determine the nth prime, for any value of n? A few tantalizing pattern fragments: 31, 331, 3331, 33331, , , and are all prime but the next number in this sequence: is not prime; it can be factored as 17 times n2 + n =41 produces prime numbers for n = 0, 1, 2, ..., 40; but fails at n = 41. There is no polynomial that produces only prime numbers as values. Spring 2010 © , Richard A. Stanley
One Process Start with the number 2, the first prime
Keep a list of new primes as they are discovered Examine each positive integer in turn Test each integer to see if it is divisible by any of the primes in the list with zero residue If yes, then the new number is not prime If no, then it is prime, and we add it to the list of primes Do-able, but slow (because most integers are not prime) Spring 2010 © , Richard A. Stanley
Fermat’s Little Theorem
If p is a prime and if a is any integer, then ap = a (mod p). In particular, if p does not divide a, then ap-1 = 1 (mod p) Test for compositeness: Given n > 1, choose a > 1 and calculate an-1 modulo n If the result is not 1 modulo n, then n is composite If the result is 1 modulo n, then n might be prime Spring 2010 © , Richard A. Stanley
Mersenne Numbers A Mersenne number is a number that is one less than a power of two, e.g. Mn = 2n − 1 A Mersenne prime is a Mersenne number that is a prime number As of August 2008, only 45 Mersenne primes are known; the largest known prime number (243,112,609−1) is a Mersenne prime of 12,978,189 digits In modern times the largest known prime has nearly always been a Mersenne prime If Mn is a Mersenne prime, the exponent n itself must be prime Spring 2010 © , Richard A. Stanley
What Good Are They? Mersenne primes are used in some PRNGs
Finding new Mersenne primes could lead to better pseudorandom number generation The search for new Mersenne primes is time-consuming and has become somewhat of a fad Spring 2010 © , Richard A. Stanley
To Factor n in RSA Cryptography…
Why not just keep a database of all known products of all known primes and search for n? Spring 2010 © , Richard A. Stanley
Other Approaches? Many of them
e.g. Yaschenko’s book on cryptography Search continues for practical and fast way to construct primes Corollary is search for primality tests that are also fast and efficient Spring 2010 © , Richard A. Stanley
Galois Fields A Galois Field is a field of finite order
Notation: GF(n) = Galois Field of order n Named in honor of Évariste Galois French mathematician ( ) Laid foundations for this branch of abstract algebra Spring 2010 © , Richard A. Stanley
Galois Field Arithmetic - 1
Theorem: The integers 0, 1 …p-1 where p is a prime, form the field GF(p) under modulo p addition and multiplication. Definition: Let β be an element in GF(q). The order of β is the smallest positive integer m such that βm = 1 Spring 2010 © , Richard A. Stanley
Galois Field Arithmetic - 2
Definition: An element with order (q-1) in GF(q) is called a primitive element in GF(q) Every field GF(q) contains at least one primitive element α. All nonzero elements in GF(q) can be represented as (q-1) consecutive powers of a primitive element α Spring 2010 © , Richard A. Stanley
Galois Field Arithmetic - 3
Theorem: The order q of a Galois Field GF(q) must be a power of a prime Spring 2010 © , Richard A. Stanley
Theorem For any prime number n, and any natural number p, there exists a unique field GF[np] called Galois field of order np. Let’s take a look at some GFs Galois fields with p=1 Spring 2010 © , Richard A. Stanley
Polynomials over Galois Fields
Definition: GF(q)[x] = α0+α1x+α2x2+…+xn the collection of all polynomials of arbitrary degree with coefficients {αi} in the finite field GF(q). Definition: A polynomial p(x) is irreducible in GF(q) if p(x) cannot be factored into a product of lower-degree polynomials in GF(q)[x]. Definition: An irreducible polynomial p(x) GF(q)[x] of degree m is said to be primitive if the smallest positive integer n for which p(x) divides xn-1 is n = qm - 1 Spring 2010 © , Richard A. Stanley
Roots Theorem: The roots {αj} of an mth-degree primitive polynomial p(x) GF(q)[x] have order qm - 1. Theorem implies that the roots {αj} are primitive elements in GF(qm). Spring 2010 © , Richard A. Stanley
Construction of Galois Field GF (2m)
Construction of GF(8) Spring 2010 © , Richard A. Stanley
Logarithms: A Review If 102=100, then log10 100 = 2
Logarithms can use any base: 10, 2, etc. For example: 23 = 8, therefore log2 = 3 Logarithms calculated to different bases are related by a constant factor Spring 2010 © , Richard A. Stanley
So What? Logarithms can simplify complex and resource-intensive calculations Multiplication becomes addition, etc. Example: 100 x 100 = 10,000 multiplication log log = log10 (100x100) add log10-1 (100x100) = 10,000 lookup Spring 2010 © , Richard A. Stanley
Discrete Logarithms (DL)
DL is the underlying one-way function for: Diffie-Hellman key exchange DSA (digital signature algorithm) El Gamal encryption/digital signature scheme Elliptic curve cryptosystems. DL is based on finite groups Spring 2010 © , Richard A. Stanley
Groups A group is a set G of elements together with a binary operation “o” such that: If a, b G then a o b = c G (closure) If (a o b) o c = a o (b o c) (associativity) There exists an identity element e G: e o a = a o e = a (identity) There exists an inverse element ã, for all a G: a o ã = e (inverse) Spring 2010 © , Richard A. Stanley
Examples Spring 2010 © , Richard A. Stanley
Definition “Z*n” denotes the set of numbers i, 0 < i < n, which are relatively prime to n Example: Spring 2010 © , Richard A. Stanley
Theorem Z*n forms a group under modulo n multiplication
The identity element is e = 1 The inverse of a Z*n can be found through the extended Euclidean algorithm Spring 2010 © , Richard A. Stanley
Finite Groups A group (G, o) is finite if it has a finite number of g elements. We denote the cardinality of G by |G| Spring 2010 © , Richard A. Stanley
Order The order of an element a (G; o) is the smallest positive integer o such that a o a … o a = a0 = 1 Spring 2010 © , Richard A. Stanley
Cyclic Groups A group G is called cyclic if there exists an element g G such that G = { gn} where n is an integer Example: if G = { g0, g1, g2, g3, g4, g5 } is a group, then g6 = g0, and G is cyclic For every positive integer n there is exactly one cyclic group whose order is n Spring 2010 © , Richard A. Stanley
P vs. NP The Class P consists of all those decision problems that can be solved on a deterministic sequential machine in an amount of time that is polynomial in the size of the input The class NP consists of all those decision problems whose positive solutions can be verified in polynomial time given the right information, or equivalently, whose solution can be found in polynomial time on a non-deterministic machine Spring 2010 © , Richard A. Stanley
NP-Problems A problem is assigned to the NP (nondeterministic polynomial time) class if it is solvable in polynomial time by a nondeterministic Turing machine A problem is NP-hard if an algorithm for solving it can be translated into one for solving any NP-problem A problem is NP-complete if it is both NP and NP-hard (e.g. traveling salesman problem) Spring 2010 © , Richard A. Stanley
Traveling Salesman Problem
Given a collection of cities and the cost of travel between each pair of them, the traveling salesman problem, or TSP for short, is to find the cheapest way of visiting all of the cities and returning to your starting point. In the standard version we study, the travel costs are symmetric in the sense that traveling from city X to city Y costs just as much as traveling from Y to X. The simplicity of the statement of the problem is deceptive -- the TSP is one of the most intensely studied problems in computational mathematics and yet no effective solution method is known for the general case. Indeed, the resolution of the TSP would settle the P versus NP problem and fetch a $1,000,000 prize from the Clay Mathematics Institute. Spring 2010 © , Richard A. Stanley
Example Spring 2010 © , Richard A. Stanley
Generators Spring 2010 © , Richard A. Stanley
Example Spring 2010 © , Richard A. Stanley
Properties of Cyclic Groups
Spring 2010 © , Richard A. Stanley
General DL Problem Spring 2010 © , Richard A. Stanley
Example 1 Spring 2010 © , Richard A. Stanley
Example 2 Spring 2010 © , Richard A. Stanley
Attacks on Discrete Logarithms
Brute Force Spring 2010 © , Richard A. Stanley
Attacks on Discrete Logarithms
Shank's algorithm (Baby-step giant-step) and Pollard's- method Spring 2010 © , Richard A. Stanley
Attacks on Discrete Logarithms
Pohlig-Hellman Algorithm Spring 2010 © , Richard A. Stanley
Attacks on Discrete Logarithms
Index-Calculus Method Spring 2010 © , Richard A. Stanley
Elliptic Curve Cryptosystem
Relatively new cryptosystem, suggested independently: 1987 by Koblitz at the University of Washington, 1986 by Miller at IBM Believed to be more secure than RSA/DL in Z*p , but uses arithmetic with much shorter numbers ( bits vs bits). It can be used instead of D-H and other DL-based algorithms Spring 2010 © , Richard A. Stanley
ECC Drawbacks Not as well studied as RSA and DL-base public-key schemes Conceptually more difficult. Finding secure curves in the set-up phase is computationally expensive Spring 2010 © , Richard A. Stanley
Elliptic Curves Spring 2010 © , Richard A. Stanley
Elliptic Curves - 2 Spring 2010 © , Richard A. Stanley
Elliptic Curve Definition
Spring 2010 © , Richard A. Stanley
Elliptic Curves Spring 2010 © , Richard A. Stanley
Objective Goal: Finding a (cyclic) group (G, o) so that we can use the DL problem as a one-way function. We have a set (points on the curve). We “only” need a group operation on the points. Spring 2010 © , Richard A. Stanley
Finding the Set Spring 2010 © , Richard A. Stanley
Point Addition (group operation)
Spring 2010 © , Richard A. Stanley
Theorem Theorem: The points on an elliptic curve, together with O , have cyclic subgroups Remark: Under certain conditions all points on an elliptic curve form a cyclic group as the following example shows Spring 2010 © , Richard A. Stanley
Example (con’t.) In general, finding the group order of #E is computationally very complex Spring 2010 © , Richard A. Stanley
So What? Are there practical uses for elliptic curves in cryptography?
What are the implications of computational complexity? What might they be? What could be the benefits of using ECs rather than traditional methods of structuring groups? Spring 2010 © , Richard A. Stanley
Homework Read Stinson, Chapters 5 & 6
Come to our next class prepared to describe and discuss the El Gamal cryptosystem. What are its benefits? What are its drawbacks? Why is it not more widely used? Spring 2010 © , Richard A. Stanley
Similar presentations
© 2025 Inc.
All rights reserved.