1. CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie

2. CNS2009handout 8 :: introduction to number theory2 introduction to number theory Motivation: –To understand the security of Diffie-Hellman –To understand asymmetric crypto (e.g. RSA) –Slides 1..9 are background Notation: Z the set of all integers Z + the set of all non-negative integers a|ba divides b i.e. there exists c є Z such that b=ac -3|18, since 18 = (-3)(-6) 173|0, since 0 = (173)(0) p, qwill be reserved for prime numbers The prime decomposition of n є Z + is n = Π p i ei where e i є Z + –in other words, n = p 1 e1 p 2 e2 p 3 e3 … p k ek (note e i can be zero)

3. CNS2009handout 8 :: introduction to number theory3 groups A Group (G, *) consists of a set G with a binary operation * on G satisfying: –The group operation is associative i.e. a*(b*c) = (a*b)*c –There is an element 1 є G called the identity element a * 1 = 1 * a = a for all a є G –For each element a є G, there exists and element a -1 є G, called the inverse of a, such that a * a -1 = a -1 * a = 1 A Group is commutative, if furthermore: –a * b = b * a for all a, b є G Example: the set of integers Z with addition forms a group –The identity element is 0 and the inverse of a is -a

4. CNS2009handout 8 :: introduction to number theory4 rings A ring (R, +, x) consists of a set R with two binary operations arbitrarily denoted + (addition) and x (multiplication) on R where: –(R, +) is a commutative group –The operation x is associative i.e. a x (b x c) = (a x b) x c –There is a multiplicative identity denoted 1, with 1 ≠ 0 such that 1 x a = a x 1 = a for all a є R –The operation x is distributive over +, that is: a x (b + c) = (a x b) + (a x c) and (b + c) x a = (b x a) + (c x a) The ring is a commutative ring if: –a x b = b x a for all a, b є R Example: the set of integers Z with addition and multiplication forms a commutative ring

5. CNS2009handout 8 :: introduction to number theory5 fields A field is a commutative ring in which all non-zero elements have inverses. Fact: Z p is only a field if p is a prime number. For example, Z n = where n is a composite (product of two primes) is not a field (it is a ring). e.g. Z 6 = 2 x 3 = 0 (mod 6) 2 -1 does not exist so Z 6 is not a field –no element e such that 2 x e = 1 (mod 6)

6. CNS2009handout 8 :: introduction to number theory6 gcd, lcm The greatest common divisor, gcd(a,b) of a, b є Z is the largest possible integer, d, such that d|a and d|b. –e.g. gcd(12, 18) = 6 The least common multiple, lcm(a,b) of a, b є Z is the smallest integer, m, such that a|m and b|m. –e.g. lcm(12, 18) = 36 In terms of prime factors, if a = Π p i di and b = Π p i ei then gcd(a,b) = p 1 min(d1,e1) p 2 min(d2,e2)... p k min(dk,ek) = Π p i min(di,ei) lcm(a,b) = p 1 max(d1,e1) p 2 max(d2,e2)... p k max(dk,ek) = Π p i max(di,ei)

7. CNS2009handout 8 :: introduction to number theory7 euclidean algorithm Suppose we wish to find gcd(a, b) with a ≥ b Algorithm: while b ≠ 0 do: set r ← a mod b, a ← b, b ← r return a Example: gcd(4864, 3458): 4864= 1. 3458 + 1406 3458= 2. 1406 + 646 1406= 2. 646 + 114 646= 5. 114 + 76 114= 1. 76 + 38 76= 2. 38 + 0 Hence gcd(4864, 3458) = 38

8. CNS2009handout 8 :: introduction to number theory8 extended euclidean algorithm EEA: extended to find u,v such that gcd(a, b) = ua + vb Algorithm: INPUT: two non-negative integers a, b with a ≥ b OUTPUT: d = gcd(a, b) and integers x, y such that ax + by = d (1) If b = 0 then set d ← a, x ← 1, y ← 0 and return (d, x, y) (2) Set x 2 ← 1, x 1 ← 0, y 2 ← 0, y 1 ← 1 (3) While b > 0 do : q ← floor(a/b), r ← a - qb, x ← x 2 - qx 1, y ← y 2 - qy 1 a ← b, b ← r, x 2 ← x 1, x 1 ← x, y 2 ← y 1, y 1 ← y (4) Set d ← a, x ← x 2, y ← y 2 and return (d, x, y)

9. CNS2009handout 8 :: introduction to number theory9 finite fields, Zn and Zp Again, Z p = where p is prime is a called a field –In a field we can add, multiply, take inversions, and the commutative and distributive laws hold. If a and b are integers, then a is said to be congruent to b mod p, if p divides (a-b) i.e. p|a-b a ≡ b (mod p) We can say b is a residue of a (mod p) The inverse of a є Z is b є Z such that ab ≡ 1 (mod p) We can find a -1 by noting that gcd(a, p) = 1, since p is prime.

10. CNS2009handout 8 :: introduction to number theory10 inverses So by the Extended Euclidean Algorithm (EEA) we can find u, v such that ua + vp = 1 therefore ua = -vp + 1 i.e.ua ≡ 1 (mod p) sou (mod p) = a -1 є Z p Again Z n = where n is a composite (product of two or more primes) is a ring. If a є Z n is such that gcd(a, n) = 1, then we say a is relatively prime to n. Then, by the EEA, there exists u є Z (the inverse) where : ua ≡ 1 (mod n)

11. CNS2009handout 8 :: introduction to number theory11 Z*, Φ (n) Define Z n * = {a є Z n | gcd (a, n) = 1} –i.e. all the integers of Z n relatively prime to n (n is composite) –otherwise known as the reduced set of residues (mod n) –in other words, all the elements which have inverses Since 0 is not є Z n *, Z n * forms a multiplicative group –a,b є Z n * implies ab є Z n * –a є Z n * implies a -1 є Z n * We define Euler’s (“Oiler”) Totient Function Φ (n) as the number of elements in this set Z n * –If p is prime, then Φ (p) = p - 1 –If gcd(m, n) = 1, then Φ (mn) = Φ (m). Φ (n)

12. CNS2009handout 8 :: introduction to number theory12 finding inverses with euler’s theorem Euler’s theorem states that for any a є Z n –(a is relatively prime to n) a Φ (n) ≡ 1 (mod n) This is Euler’s generalisation of Fermat’s little theorem –If p is prime and a is a positive integer not divisible by p then a p-1 ≡ 1 (mod p) Now finding an inverse a -1 mod n is easy: x = a Φ (n)-1 mod n Example: what is the inverse of 5 (mod 7)? –Since 7 is prime, Φ (n) = 7-1 = 6 –x = 5 6-1 mod 7 = 5 5 mod 7 = 3

13. CNS2009handout 8 :: introduction to number theory13 order, generators An element, a є Z n * has order d if d is the smallest positive integer such that: a d ≡ 1 (mod n) It may be that all of the elements in Z n * can be obtained as powers of a single element, g, called the generator or primitive element of Z n * : Z n * = = If it has a generator, we say Z n * is a cyclic group. It may be shown that Z n * is a cyclic group if and only if n = 2, 4, p a, 2p a for odd primes p

14. CNS2009handout 8 :: introduction to number theory14 exponentiation in Zn Can be done efficiently with repeat-and-square Algorithm: INPUT: a є Z n and integer 0 ≤ k < n (where k is t-bits in binary = Σ i=0 k i 2 i ) OUTPUT: a k mod n (1) b ← 1. If k = 0 then return (b) (2) A ← a (3) If k 0 = 1 then b ← a (4) for i = 1.. t do A ← A 2 mod n if k i = 1 then b ← A. b mod n (5) return b t

15. CNS2009handout 8 :: introduction to number theory15 computing in Zp Let p be a large prime (~300 digits or 1024 bits). The following are easy to do in Z p : –Generate a random element. –Addition and multiplication. –Computing g r mod p, even if r is large. –Inverting an element. –Solving linear systems. –Solving polynomial equations of degree d in polynomial time d. Problems believed to be hard: –Let g be a generator of Z p. Given x є Z p find r such that x = g r mod p. –This is known as the discrete log problem.

16. CNS2009handout 8 :: introduction to number theory16 computing in Zn Let’s now consider Zn where n is instead a large composite (~1024 bits) which is a product of two primes (~512 bits). The following are easy to do in Z n : –Generating a random element. –Addition and multiplication. –Computing g r mod n, even if r is large. –Inverting an element. –Solving linear systems. Problems believed to be hard if the factorisation of n is unknown: –Finding prime factors of n. –Computing the square root (as hard as factoring n). –Solving polynomial equations of degree d.

17. CNS2009handout 8 :: introduction to number theory17 hard problems in Z n Discrete Log Problem –Let g be a generator of Z n *. –Given x є Z n * find r such that x = g r mod n. –This is known as the discrete log problem. Diffie-Hellman Problem –Let g be a generator of Z n *. –Given x, y є Z n * where x = g a and y = g b, find g ab. –This is known as the Diffie-Hellman problem.

18. CNS2009handout 8 :: introduction to number theory18 discrete log problem revisited Given: Consider the finite field Z p * = Let g є Z p be the generator, i.e. Z p * = g p-1 ≡ 1 mod p The discrete log problem asks how to find r given g r Example : Z 11 * = –Consider : g = 2, g 2 = 4, g 3 = 8, g 4 = 5, g 5 = 10 = -1 g 6 = 9, g 7 = 7, g 8 = 3, g 9 = 6, g 10 = 1 (thus 2 is a generator) –Now consider g = 3, 3 2 = 9, 3 3 = 5, 3 4 = 4, 3 5 = 1 thus 3 is not a generator of Z 11 * - order 5 not order 10

19. CNS2009handout 8 :: introduction to number theory19 diffie-hellman key exchange AliceBob p, g, g a (mod p) g b (mod p) Computes g ab (mod p) Eve ??? Only knows p, g, g a, g b

20. CNS2009handout 8 :: introduction to number theory20 diffie-hellman key exchange Protocol: Consider the finite field Z p * = Let g є Z p be the generator, i.e. Z p * = g p-1 ≡ 1 mod p g and p are public information (1)Alice: Alice chooses a random large integer a є Z p (2)Alice → Bob: Alice sends Bob g a (mod p) (3)Bob: Bob chooses a random large integer b є Z p (4)Bob → Alice: Bob sends Alice g b (mod p) (5)Alice and Bob: compute g ab : Alice computes (g b ) a = g ab (mod p) : Bob computes (g a ) b = g ab (mod p) => Alice and Bob now share secret g ab

21. CNS2009handout 8 :: introduction to number theory21 strength of diffie-hellman The strength of Diffie-Hellman is based upon two issues: –given p, g, g a, it is difficult to calculate a (the discrete logarithm problem) –given p, g, g a, g b it is difficult to calculate g ab (the Diffie-Hellman problem) –we know that DL → DH but it is not known if DH → DL Essentially, the strength of the system is based on the difficulty of factoring numbers the same size as p.

22. CNS2009handout 8 :: introduction to number theory22 attacks on discrete log Question: –Given: G=, g n = 1, y = g a where 1≤ a ≤n-1 –Find: a = log g (y) Most obvious algorithm: exhaustive search Algorithm: –Compute g, g 2, g 3, … until we find g a = y (i.e. a) Problem: –computation is O(n) –i.e. slow

23. CNS2009handout 8 :: introduction to number theory23 attacks on discrete log Question: –Find a = log g (y) Baby-step giant-step (square root) algorithm A time-memory tradeoff of the exhaustive search method. Algorithm: Let m = floor(√n) Create a table containing j, g j (j = 0.. m-1) Sort the table by g j Compute g -m Set γ = y for i = 0.. m-1 1. if γ is in the table then break; 2. Else set γ = γ g -m and loop output a = j + im

24. CNS2009handout 8 :: introduction to number theory24 example of baby-step giant-step Let p = 113, g = 3 is a generator of Z 113 * of order n= 112 Question: Find log 3 57 : Set m ← floor(√112) = 11 j0 1 8 2 5 9 3 7 6 10 4 3 j mod 1131 3 7 9 17 21 27 40 51 63 81 Now g -1 = 3 -1 mod 113 = 38 as (38. 3) = 1 mod 113 So g -m = 38 11 mod 113 = 58 Next γ = y g -mi for i = 0, 1, 2 … i 0 1 2 3 4 5 6 7 8 9 γ = 57.58 i mod 113 57 29 100 37 112 55 26 39 2 3 Since y g -9m = 3 is in the table (g 1 ), we output a = j +im = 1 + 9.11 = 100 i.e. 57 = 3 100 or log 3 57 = 100 Baby Step Giant Step

25. CNS2009handout 8 :: introduction to number theory25 attacks on discrete log Baby-step giant-step is a time-memory tradeoff of the exhaustive search method (which is obviously O(n)). –Requires O( √ n) storage for group elements –Requires O( √ n) multiplications to construct –Requires O( √ n log n) to do sort of table –Loop takes O( √ n) multiplications and O( √ n) table lookups Under the assumption that group multiplication takes longer than log n comparisons –the running time complexity of baby-step giant-step is O( √ n) –the storage complexity is O( √ n) Pollard-rho is another, more efficient attack on DL.

26. CNS2009handout 8 :: introduction to number theory26 references Handbook of Applied Cryptography –read §1, §2-2.4.4, §2.5 - 2.5.3 Stallings –§7