Products of Small Primes in Cryptology, Coding and Theoretical Computer Science David Naccache ENS.


Gödel Numbering In 1930, Kurt Gödel proved that: “In any consistent formalization of mathematics that is sufficiently strong to define the concept of natural numbers, one can construct a statement that can be neither proved nor disproved within that system”. This is Gödel’s famous incompleteness theorem.

Gödel’s Theorem Very much simplified, the proof of this theorem is the following. Encode (assign a positive integer to) each propositional calculus symbol. Logical symbols, with their encoding (integers below 12) and meaning:
¬ = 1 (not)
∀ = 2 (for all)
→ = 3 (if, then)
⋀ = 4 (and)
⋁ = 5 (or)
( = 6
) = 7
…

For Integers > 10 Predicate symbols are encoded by multiples of 3: P = 12, Q = 15, R = 18. Variables are encoded by integers ≡ 1 (mod 3): x = 13, y = 16, z = 19. Propositional symbols are encoded by integers ≡ 2 (mod 3): E = 14, F = 17, G = 20.

Gödel’s Numbering Arithmetical statements are assigned unique Gödel numbers. This is based on a simple code which essentially reads $\mathrm{prime}_1^{\mathrm{character}[1]} \cdot \mathrm{prime}_2^{\mathrm{character}[2]} \cdot \ldots$ For example the statement $\forall x, P(x)$ becomes $2^{2} \cdot 3^{16} \cdot 5^{12} \cdot 7^{6} \cdot 11^{16} \cdot 13^{7} = 142\ldots2500$ because character[∀] = 2, character[x] = 16, character[P] = 12, character[(] = 6, character[x] = 16, character[)] = 7. We say that 142…2500 is the Gödel Number (GN) of $\forall x, P(x)$.
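The encoding just described, as an added Python example (written for this transcript, not code from the presentation): it applies the slides' symbol codes, multiplies out prime_i^{code[i]}, and recovers the symbols again by peeling the exponent of each successive prime off the number, which is exactly why the encoding is unique. The symbol table is the one on the slides, with x = 13 as the table states (the slide's worked example uses 16 for x, so its 142…2500 is not what this code produces); commas and spaces carry no code and are skipped, as in that example.

```python
# Gödel numbering of propositional-calculus statements: added example, not the
# presentation's code. Symbol table as on the slides; commas/spaces are skipped.
from itertools import count

SYMBOL_CODE = {
    "¬": 1, "∀": 2, "→": 3, "⋀": 4, "⋁": 5, "(": 6, ")": 7,  # logical symbols
    "P": 12, "Q": 15, "R": 18,                               # predicates: multiples of 3
    "x": 13, "y": 16, "z": 19,                               # variables: 1 mod 3
    "E": 14, "F": 17, "G": 20,                               # propositional symbols: 2 mod 3
}
CODE_SYMBOL = {code: sym for sym, code in SYMBOL_CODE.items()}


def primes():
    """Yield 2, 3, 5, ... by trial division (plenty for short statements)."""
    found = []
    for n in count(2):
        if all(n % p for p in found if p * p <= n):
            found.append(n)
            yield n


def tokenize(statement):
    """Symbols that carry a code; punctuation and whitespace are dropped."""
    return [ch for ch in statement if ch not in ", "]


def godel_number(statement):
    """prime_1^code[1] * prime_2^code[2] * ... over the statement's symbols."""
    gn = 1
    for p, sym in zip(primes(), tokenize(statement)):
        gn *= p ** SYMBOL_CODE[sym]
    return gn


def decode(gn):
    """Recover the symbols by reading off the exponent of each prime in turn.
    Unique factorisation is what makes this well defined."""
    symbols = []
    for p in primes():
        if gn == 1:
            break
        exponent = 0
        while gn % p == 0:
            gn //= p
            exponent += 1
        if exponent == 0:  # a skipped prime means this is not a Gödel number
            raise ValueError("not a Gödel number: prime %d is missing" % p)
        symbols.append(CODE_SYMBOL[exponent])
    return "".join(symbols)


if __name__ == "__main__":
    gn = godel_number("∀x,P(x)")
    print(gn, "->", decode(gn))
```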

This Lecture Is About Applications of Gödel’s way of encoding information: $\mathrm{prime}_1^{\mathrm{character}[1]} \cdot \mathrm{prime}_2^{\mathrm{character}[2]} \cdot \ldots$

Back to Gödel’s Theorem Sequences of statements are also assigned Gödel numbers. E.g. if a = GN(∀x, P(x)), b = GN(∀x, ¬P(x)), c = GN(∀x, ¬Q(x) ⋀ P(x)), then the sequence of statements ∀x, P(x); ∀x, ¬P(x); ∀x, ¬Q(x) ⋀ P(x) gets the GN $2^{a} \cdot 3^{b} \cdot 5^{c}$, which we will call d. The proof of the incompleteness theorem depends on the fact that, in formal arithmetic, some statement sequences logically entail (prove) other statements.

Gödel’s Theorem For example it might be shown that a, b, and c together (i.e. d) prove e. Because this is a demonstrable relationship between numbers it is entitled to its own symbol, for example R. R(v, x) would then mean "x proves v". In the case where v and x are the Gödel numbers e and d we would say R(e, d). Put more simply: R(e, d) means “the sequence of statements whose GN is d is the proof of the statement whose GN is e.”

Gödel’s Punchline The punchline is that we can write the statement ∀x, ¬R(v, x), which means: no proposition of type v can be proved. The Gödel number for this statement would be $2^{2} \cdot 3^{16} \cdot 5^{1} \cdot 7^{18} \cdot 11^{6} \cdot \ldots \cdot 19^{7}$, but we will just call it r. Now if we consider the statement ∀x, ¬R(r, x) we will realise that it says: no proposition that says 'no proposition of type v can be proved' can be proved. This collapses into the statement “this proposition cannot be proved”, which is inconsistent, because if it is provable then it is not provable, and vice versa.

More Than Forty Years Pass… Diffie and Hellman invent public-key cryptography. [Slide figure: message → encryption algorithm (public key) → ciphertext → decryption algorithm (secret key) → message]

Diffie-Hellman Key Exchange Diffie and Hellman also proposed a new revolutionary manner to create a unique pair of physical objects.

Diffie-Hellman Key Exchange In reality, Diffie and Hellman provided a mathematical analogy to the protocol that we have just illustrated. Their solution is based on the assumption that the following problem (known as the Discrete Logarithm Problem) is hard: given g, a, p, find x such that $g^{x} = a \bmod p$. The exchange, one party on the left and the other on the right:
pick random x | pick random y
compute $a = g^{x} \bmod p$ | compute $b = g^{y} \bmod p$
send a | send b
compute $k = b^{x} \bmod p$ | compute $k = a^{y} \bmod p$

Discrete Log “Gödel” Encryption Generate a public large prime integer p, select a large secret s and publish the public keys $v_1, \ldots, v_k$ where $v_i^{s} = p_i \bmod p$ and $p_i$ stands for the i-th prime ($p_1 = 2$, $p_2 = 3$, $p_3 = 5$, …). To encrypt a message m (whose bits we denote m[1], …, m[k]) the sender computes the ciphertext $c = v_1^{m[1]} \cdot \ldots \cdot v_k^{m[k]} \bmod p$. c is decrypted by computing $d = c^{s} \bmod p = p_1^{m[1]} \cdot \ldots \cdot p_k^{m[k]}$ and factoring the result over the integers to determine m.

Discrete Log “Gödel” Encryption For this to work we need $p_1 \cdot \ldots \cdot p_k < p$. The security of this cryptosystem is based on the hardness of the discrete logarithm problem: generate a public large prime p, select a large secret s and publish the public keys $v_1, \ldots, v_k$ where $v_i^{s} = p_i \bmod p$ ($p_i$ the i-th prime: $p_1 = 2$, $p_2 = 3$, $p_3 = 5$, …). Discrete Logarithm Problem: given g, a, p, find x such that $g^{x} = a \bmod p$.

A Toy Example
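A worked toy instance of the scheme on the previous two slides, added here as Python code that is not the presentation's own toy example. Key generation picks the first k primes, takes p as the first prime above their product (so the decryption product fits below p), draws the secret s coprime to p−1 and publishes v_i = p_i^{1/s} mod p; the prime search, the seeded random draw of s and the function names are my choices.

```python
# Discrete-log "Gödel" encryption, toy-sized: added example, not the presentation's
# own toy example. Key generation, encryption and decryption follow the slides; the
# way p and s are drawn is my choice. Parameters this small are not secure.
import math
import random


def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % q for q in range(2, math.isqrt(n) + 1))


def first_primes(k):
    out, n = [], 2
    while len(out) < k:
        if is_prime(n):
            out.append(n)
        n += 1
    return out


def keygen(k, seed=None):
    """Public key (p, v_1..v_k) and private key (p, s, p_1..p_k) for k-bit messages."""
    rng = random.Random(seed)
    ps = first_primes(k)
    p = math.prod(ps) + 1                # need p_1 * ... * p_k < p so decryption can factor
    while not is_prime(p):
        p += 1
    while True:                          # secret exponent s must be invertible modulo p-1
        s = rng.randrange(2, p - 1)
        if math.gcd(s, p - 1) == 1:
            break
    s_inv = pow(s, -1, p - 1)
    v = [pow(q, s_inv, p) for q in ps]   # v_i^s = p_i mod p by Fermat's little theorem
    return (p, v), (p, s, ps)


def encrypt(public_key, bits):
    """c = v_1^{m[1]} * ... * v_k^{m[k]} mod p.
    Note the scheme as stated is deterministic: equal messages give equal ciphertexts."""
    p, v = public_key
    c = 1
    for vi, b in zip(v, bits):
        if b:
            c = c * vi % p
    return c


def decrypt(private_key, c):
    """d = c^s mod p = p_1^{m[1]} * ... * p_k^{m[k]} over the integers; read the bits
    off its factorisation over the scheme's primes."""
    p, s, ps = private_key
    d = pow(c, s, p)
    bits = []
    for q in ps:
        if d % q == 0:
            bits.append(1)
            d //= q
        else:
            bits.append(0)
    if d != 1:
        raise ValueError("invalid ciphertext: residue is not a product of the scheme's primes")
    return bits


if __name__ == "__main__":
    pub, priv = keygen(8, seed=1)
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    print(decrypt(priv, encrypt(pub, msg)) == msg)
```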

As We Are In an ECC Conference We must say something about ECs. Can the previous encryption scheme run on an EC? The answer is yes, but only in theory… We might use, instead of small primes, small rational points on an EC, and publish $s \cdot p_i$ as public keys. As we get the ciphertext and multiply it over the curve by the inverse of s, how do we see which rational points are in there?! Use height and projective coordinates!

As We Are In an ECC Conference Get the ciphertext, multiply by the inverse of s and attempt to subtract each rational point from the result. Height decreases → good guess. Height increases → bad guess.

Problem We do not know ECs with enough independent small rational points on them. The world record is 28, meaning that we could “encode” 28 message bits in a …-bit ciphertext (plaintext too small to be secure). This can be improved slightly by using signed rational points (bandwidth improves to $28 \log_2 3$). We can also shoot for low-density message encoding, which allows stuffing more bits into the ciphertext using only 28 points, but at the price of a ciphertext size explosion. Any more elegant ideas to make this fly?

“Gödel” Error-Correction Gödel’s encoding can also be used for error correction, in a very inefficient yet rather curious way… Before we proceed, a few reminders about error correcting codes.

Ideal Communication: the message eHllo is sent and eHllo arrives.

Real Communication: eHllo is sent, but the channel corrupts it and eHll! arrives (?!!).

Error Correcting Codes: eHllo → encoding algorithm → z4%J9ds; the channel turns it into zt%Jxds; zt%Jxds → decoding algorithm → eHllo.

Error Correcting Codes A bit of terminology. The number of errors correctable by a code is called the code’s correction capacity (denoted t). The ratio between the length of the encoded message and the original message (in our example 1.4=7/5) is called the code’s expansion rate (denoted r).

“Gödel” Error Correction Generate a large prime p; here again $p_i$ stands for the i-th prime ($p_1 = 2$, $p_2 = 3$, $p_3 = 5$, …). To encode a message m (whose bits we denote m[1], …, m[k]) the sender computes $c = p_1^{m[1]} \cdot \ldots \cdot p_k^{m[k]} \bmod p$. While the couple {c, m} is sent over the noisy channel, we start by assuming that errors occurred only in m. Upon reception of {c, m’} the receiver can compute $c' = p_1^{m'[1]} \cdot \ldots \cdot p_k^{m'[k]} \bmod p$ and divide out all the common (unflipped) bits of m and m’: let $d = c / c' \bmod p$.

“Gödel” Error Correction We now use the extended Euclidean algorithm to write d as a modular ratio of two integers A, B of size about $\sqrt{p}$: let $s = A/B \bmod p$. Now, if there haven’t been too many errors, A and B factor over the integers into products of small primes. The primes present in A encode the bits set to 1 in m and reset to 0 in m’. The primes present in B encode the bits equal to 0 in m that flipped into 1 in m’.

Parameter Sizes To correct t errors in a k-bit message the size of p should be $2\,p_k^{2t} < p < 4\,p_k^{2t}$. We simply bound the worst case where all errors affect the end of the message. Now using the fact that $p_k \approx k \log k$ we get that $\log_2 p \approx 2t \log(k \log k) / \log 2$, which gives a simple relation allowing to instantiate the code given a desired t and k.
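The encoding, division and extended-Euclid steps of the three preceding slides, carried through in Python as an added example (not code from the paper or the slides). Parameters are chosen by the bound just stated, 2 p_k^{2t} < p < 4 p_k^{2t}; the rational reconstruction is the standard extended-Euclid variant that stops when the remainder drops to p_k^t, which is why that bound on p is what makes A/B unique. Function names, the constructed bit-flip sample and the rejection when more than t primes turn up are my choices.

```python
# "Gödel" error correction: added example, not the presentation's or the paper's code.
# Parameters follow the slide's bound 2 p_k^{2t} < p < 4 p_k^{2t}.
import math


def is_prime(n):
    if n < 2:
        return False
    return all(n % q for q in range(2, math.isqrt(n) + 1))


def first_primes(k):
    out, n = [], 2
    while len(out) < k:
        if is_prime(n):
            out.append(n)
        n += 1
    return out


def parameters(k, t):
    """Primes p_1..p_k and the first prime p above 2 p_k^{2t} (so 2 p_k^{2t} < p < 4 p_k^{2t})."""
    ps = first_primes(k)
    p = 2 * ps[-1] ** (2 * t) + 1
    while not is_prime(p):
        p += 1
    return ps, p


def godel_code(ps, p, bits):
    """c = prod p_i^{m[i]} mod p: the redundancy sent alongside the message."""
    c = 1
    for q, b in zip(ps, bits):
        if b:
            c = c * q % p
    return c


def rational_reconstruct(d, p, bound):
    """(A, B) with A = d*B mod p and 0 < A <= bound: run the extended Euclidean
    algorithm on (p, d) until the remainder drops to the bound."""
    r0, r1, t0, t1 = p, d, 0, 1          # invariant: r_i = s_i*p + t_i*d
    while r1 > bound:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if t1 < 0:                           # normalise so that B is positive
        r1, t1 = -r1, -t1
    g = math.gcd(r1, t1)
    return r1 // g, t1 // g


def factor_over(ps, n):
    """Indices i with p_i | n, or None if n is not a product of distinct primes from ps."""
    if n <= 0:
        return None
    idx = set()
    for i, q in enumerate(ps):
        if n % q == 0:
            idx.add(i)
            n //= q
            if n % q == 0:               # an exponent above 1 cannot come from a 0/1 bit
                return None
    return idx if n == 1 else None


def correct(ps, p, t, c, received):
    """Recover m from c = c(m) and a copy m' of m with at most t flipped bits."""
    c_prime = godel_code(ps, p, received)
    d = c * pow(c_prime, -1, p) % p      # d = c/c' = A/B: the unflipped primes cancel
    bound = ps[-1] ** t                  # A and B are products of at most t primes <= p_k
    A, B = rational_reconstruct(d, p, bound)
    ones, zeros = factor_over(ps, A), factor_over(ps, B)
    if ones is None or zeros is None or B > bound or len(ones) + len(zeros) > t:
        raise ValueError("more than t errors in m (or c itself corrupted): cannot correct")
    fixed = list(received)
    for i in ones:                       # prime in A: bit was 1 in m and arrived as 0
        fixed[i] = 1
    for i in zeros:                      # prime in B: bit was 0 in m and arrived as 1
        fixed[i] = 0
    return fixed


if __name__ == "__main__":
    ps, p = parameters(16, 2)
    m = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
    c = godel_code(ps, p, m)
    damaged = list(m)
    damaged[3], damaged[4] = 0, 1        # constructed: two flipped bits
    print(correct(ps, p, 2, c, damaged) == m)
```

Note that c itself is assumed intact here, exactly as the slides assume up to this point; the nesting and majority-vote construction on the next slides is what protects c.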

Remember… While the couple {c,m} is sent over the noisy channel, we start by assuming that errors occurred only in m. What if c gets corrupted, or if both c and m get corrupted?

Protecting c The solution consists in repeating the procedure recursively by sending not only c (which we will now denote c(m), given that it is a function of m) but m, c(m), c(c(m)), …, c(c(c(…c(m)…))). As after each application of c a smaller prime p will be used, the size of the successive nested c-s decreases. Assuming that no errors occurred in the last c(c(c(…c(m)…))), the decoding procedure runs backwards until the errors in m are corrected. It remains to correct u = c(c(c(…c(m)…))) against errors. But since u is small it suffices to replicate it 2t+1 times and use a majority vote to spot the errors in u.

Variants
- In the paper (available online) we propose a more efficient variant (better expansion rate) but where, with negligibly small probability, the receiver might not be able to correct errors.
- Instead of nesting c-s one can transmit {m, RM(c)} where RM stands for a classic Reed-Muller code (for instance). The receiver then corrects the errors in RM(c), recovers c and proceeds as we previously described. For some {t, k} values sending {m, RM(c)} happens to be more economic than sending RM(m).

{m, RM(c)} versus RM(m) For some {t, k} values sending {m, RM(c)} happens to be more economic than sending RM(m). E.g. to protect a 5812-bit message against 31 errors, Reed-Muller will transmit 8192 bits. Sending {m, RM(c)} costs only 7860 bits.

{m, RM(c)} versus RM(m) In general the sending of {m,RM(c)} will be more economic for long messages over not too noisy channels. RM(m) will perform better than {m,RM(c)} as noise increases or message size decreases. The comparison to Reed-Muller is just illustrative (other error- correcting codes can be benchmarked here as well).

Comparing Permuted Objects Products of small primes were also exploited in the literature to determine, in a very constrained space, if a list of integers L 1 contains exactly the same elements as list L 2. The comparison algorithm is probabilistic and very simple.
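The slide does not spell out the comparison algorithm; the following, added here as a Python example and not the construction from the literature the slide refers to, is one natural instantiation: map each element to a small prime, keep only the running product modulo a random prime q (constant space, one pass per list) and compare the two residues. Equal multisets always agree; unequal ones agree only when q divides the difference of the two integer products, which is where the probability comes in. The element-to-prime map, the Miller-Rabin prime search and the 64-bit modulus are my assumptions.

```python
# Permuted-list (multiset) equality via products of small primes: added example,
# one natural instantiation rather than the published algorithm the slide cites.
import random


def first_primes(k):
    out, n = [], 2
    while len(out) < k:
        if all(n % q for q in out if q * q <= n):
            out.append(n)
        n += 1
    return out


def is_probable_prime(n, rng=None, rounds=16):
    """Miller-Rabin with random bases; error probability at most 4^-rounds."""
    rng = rng or random.Random()
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13):
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random prime of exactly `bits` bits."""
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n, rng):
            return n


def fingerprint(elements, primes, q):
    """Streaming product of the elements' primes modulo q: the only state kept is
    one residue, however long the list is (order of elements does not matter)."""
    f = 1
    for x in elements:
        f = f * primes[x] % q
    return f


def same_multiset(l1, l2, universe, bits=64, seed=None):
    """True iff l1 and l2 contain the same elements with the same multiplicities
    (elements are integers in range(universe)); a false positive needs q to divide
    the difference of the two integer products, probability about (product bit
    length) / 2^bits. Never a false negative."""
    rng = random.Random(seed)
    primes = first_primes(universe)
    q = random_prime(bits, rng)
    return fingerprint(l1, primes, q) == fingerprint(l2, primes, q)


if __name__ == "__main__":
    print(same_multiset([3, 1, 2, 2, 9], [2, 9, 3, 2, 1], universe=10, seed=7))
```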

As a Conclusion We have seen in this lecture that the simple message encoding format devised by Gödel, $p_1^{m[1]} \cdot p_2^{m[2]} \cdot \ldots$, can give birth to: an ingredient in the proof of the incompleteness theorem; public key cryptosystems; error correcting schemes.

As a Conclusion The “small prime factors” theme (a.k.a. smoothness) is also useful for attacking schemes (index calculus algorithms). We didn’t overview this in this lecture: $p_1^{m[1]} \cdot p_2^{m[2]} \cdot \ldots$ also appears in the Desmedt-Odlyzko attack on RSA, factoring algorithms, discrete log algorithms, and point counting on elliptic curves (Schoof’s algorithm).