Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tuesday’s lecture: Today’s lecture: One-way permutations (OWPs)

Published byLeonard McBride Modified over 8 years ago

Similar presentations

Presentation on theme: "Tuesday’s lecture: Today’s lecture: One-way permutations (OWPs)"— Presentation transcript:

0 I538/B609: Introduction to Cryptography
Fall · Lecture 16

1

2 Tuesday’s lecture: Today’s lecture: One-way permutations (OWPs)
PRGs from OWPs Today’s lecture: Basic number theory “secret key” So far: cryptography Going forward: “public key” cryptography

3 Assignment 4 is due Tuesday, October 27!
There will be a quiz on Tuesday, October 27!

4 Divisibility The set of integers is ℤ={…,-3,-2,-1, 0, 1, 2, 3,…}
Let a and b be any two integers Defn: b is called a divisor of a if We write b | a (read “b divides a”) to indicate that b is a divisor of a and b ∤ a to indicate that b is not a divisor of a ∃c∈ℤ such that a=bc ??? If b | a, then a is called a multiple of b Defn: a is called a prime if a>1 and ??? b | a implies that b∈{±1,±a}

5 Divisibility Does 6 divide 12? Does 6 divide 6? Does 0 divide 6?
YES! (Because 6·2=12) every integer divides itself YES! (Because 6·1=6) only 0 divides 0 No! (Because 0·c=0 for all c∈ℤ) every integer divides 0 YES! (Because 6·0=0) No! (Because 4·1<6 and 4·2>6) 1 divides every integer Yes! (Because 1·6=6)

6 Division Algorithm Thm: Let a, b∈ℤ with b>0. Then there exist unique integers q, r∈ℤ such that a=b·q+r and 0≤r<b. The integer q is called the quotient and r the remainder upon division of a by b. If b | a, then r= If b>a, then q= and r= a=17 and b=5 ⇒ a=-23 and b=6 ⇒ a=20 and b=5 ⇒ ?? ?? ?? a ???? q=3 and r=2, since 17 =5·3+2 ???? q=-4 and r=1, since -23=6·(-4) +1 ???? q=4 and r=0, since 20=5·4+0

7 Greatest common divisors (GCDs)
Defn: The greatest common divisor of two non-zero integers a and b is The greatest common divisor of a and b is denoted gcd(a, b). the largest positive divisor of a that is also a divisor of b. ??? gcd(4, 15)= gcd(4, 10)= gcd(22 · 32 · 5, 2 · 33 · 72)= 1 ?? 2 ?? 2 · 32 ?? Defn: a and b are relatively prime if gcd(a, b)=1 ??? a.k.a co-prime

8 Least common multiples (LCMs)
Defn: The least common multiple of two non-zero integers a and b is The least common multiple of a and b is denoted by lcm(a, b). the smallest positive multiple of a that is also a multiple of b. ??? lcm(4, 15)= lcm(4, 10)= lcm(4, 8)= lcm(22 · 32 · 5, 2 · 33 · 72)= 60 (4=22 and 15=3·5) ?? 20 (4=22 and 10=2·5) ?? (4=22 and 8=23) ?? 22 · 33 · 5 · 72 ??

9 Properties of GCDs and LCMs
Let a, b∈ℤ with a>0 and b>0, let d=gcd(a, b) and let m=lcm(a, b). Then a·b=d·m If c | a and c | b, then c | d If a | s and b | s, then m | s Bezout’s identity: There exist integers (unique) s and t such that d=as+bt. a·b=gcd(a, b)·lcm(a,b) every common divisor divides the gcd every common multiple is a multiple of the lcm “gcd is a linear combination”

10 Extended Euclidean Algorithm
Fact 1: If b | a, then gcd(a, b)=b Fact 2: If a=b·q+r, then gcd(a, b)=gcd(b, r) (Assume that a>b; if not, swap a and b) Idea: Apply Facts 1 and 2 repeatedly, using the Division Algorithm to write a=b·q+r at each step a = q 0 b +r0 b = q 1 r0+r1 r0 = q 2 r1+r2 r1 = q 3 r2+r3 rk-3= q k-1rk-2+rk-1 0 = q k rk-1+rk Pseudocode: function gcd(a,b) { while (a ≠ b) if (a >b) a := a − b; else b := b − a; } return a ; r0 = a-q0b r1 = b-q 3 r0 rk-3= rk-5 – q k-3rk-4 rk-2= rk-4 -q k-2rk-3 gcd(a, b)= rk-3-qk-1rk-2 repeated substitution yields s,t such that as+bt=gcd(a,b) gcd(a, b)

11 Euclid’s Lemma Euclid’s Lemma: Let a and b be integers. If p is a prime such that p | a·b, then p | a or p | b (or both). Proof: Assume W.L.O.G. that p is prime and p | a·b but p ∤ a. We prove that p | b. First note that p ∤ a with p prime implies that gcd(a, p)=1; thus, by Bezout’s Theorem, there exist integer s and t such that as+pt=1. Multiplying both sides of this expression by b yields bas+bpt=(ab)s+p(bt)=b. Now, p | (ab)s by assumption and clearly p | p(bt); hence, p | (bas+bpt). But bas+bpt=b and it therefore follows that p | b, as desired ☐

12 Fundamental Theorem of Arithmetic
Fundamental Theorem of Arithmetic: Let n>1 be an arbitrary integer. Then n is a product of (powers of) primes, and this product is unique (up to the order of the prime powers) In other words, every n>1 can be “factored” into primes in one—and only one—way.

13 Clock arithmetic Q:If it is 10:00 am now, what time will it be in 6 hours? A:4:00 pm Q:If it is 2:00 pm now, what time was it 3 hours ago? A:11:00 am Q:It is currently October. What month will it be 25 months from now? A: November Q:On Mercury, each day is 1407 hours long. If it is 1200:00 now, what time will it be in 500 hours? A:293:00 (=1700: :00)

14 Modular arithmetic a=q·n+r, as in the Division Algorithm. ???
Defn: Let a, r, n∈ℤ with n>1 and 0≤r<n. Then a is congruent to r modulo n if We write a≡r mod n to indicate that a is congruent to r modulo n. a=q·n+r, as in the Division Algorithm. ??? 3 ≡ mod 2 6 ≡ mod 2 11≡ mod 3 62 ≡ mod 85 ?? 1 Thm: Let a, b, and n be integers with n≥1, then a≡b mod n if and only if n | a-b. ?? ?? 2 62 ??

15 Notational conventions
p and q typically denote prime numbers n is always a positive integer, which may or may not (though usually not) be prime ℤn≔{0, 1, 2, …, n-1} with arithmetic modulo n ℥n ≔{ a∈ℤn | gcd(a, n)=1 } with arithmetic modulo n

16 Modular inversion Defn: Let a∈ℤn. The (multiplicative) inverse of a modulo n is an element b∈ℤn such that The inverse of a modulo n is denoted by a-1. a·b≡1 mod n ?? 2-1 ≡ mod 3 3-1 ≡ mod 5 2-1 ≡ mod 6 Let n be any odd integer. Then 2-1 ≡ mod n ?? 2 (since 2·2=4=3·1+1≡1 mod 3) 2 (since 3·2=6=5·1+1≡1 mod 5) ?? ⊥ (i.e., the inverse does not exist!) ?? (n+1)/2 ??

17 Modular inverses Q: Which elements of ℤ have inverses modulo n?
Thus, a∈ℤn has an inverse modulo n if and only if a∈℥n Q: Given a∈℥n, how do you compute a-1 mod n? A: By definition, a·a-1≡1 mod n ⇒ a·a-1=1+t·n for some t Hence, a·a-1+(-t)·n=gcd(a, n) ⇒ a-1≡s from Bezout’s Theorem Thus, we can use the Extended Euclidean Algorithm Thm: An integer a∈ℤ has an inverse modulo n if and only if gcd(a, n)=1. Corollary: If p is a prime, then a has an inverse modulo p if and only if a is not a multiple of p; i.e., ℥p={1, 2, …, p-1}.

18 Solving linear equations modulo n
Thm: For any integer n>1, there exists an integer x such that ax≡b mod n if and only if gcd(a, n) | b. Q: Does 6x≡18 mod 36 have a solution? A: YES! Because gcd(6, 18)=6 and 6 | In fact, it has 6 solutions in ℤn:3, 9, 15, 21, 27, 33 Q: Does 2x≡5 mod 10 have a solution? A: NO! Because gcd(2, 10)=2 and 2 ∤ 5

19 Fermat’s Little Theorem
Fermat’s Little Theorem: Let p be a prime. Then for every a∈℥p, we have ap-1≡1 mod p. Corollary: For all a∈ℤp, ap≡a mod p. 34≡ mod 5 84112≡ mod 113 79561≡ mod 113 Trick: To compute ax mod p, reduce the base (i.e., a) modulo p and the exponent (i.e., x) modulo p-1 ?? 1 ?? 1 79 (since 561=5·(113-1)+1) ??

20 Proof of Fermat’s Little Theorem
To prove Fermat’s Little Theorem, we first prove the following lemma. Lemma: If n is an integer and a∈℥n, then a·k1≡a·k2 mod n if and only if k1≡k2 mod n. Proof: Suppose k1a≡k2a. Since a∈℥n, there exists an inverse a-1∈℥n such that a·a-1≡1 mod n. Therefore, (k1a) a-1≡ (k2a) a-1 mod n. But (k1a) a-1=k1 (a·a-1)≡k1 mod p and (k2 a) a-1= k2 (a·a-1)≡k2 mod p; hence, it follows that k1≡k2 mod p, as desired ☐

21 Proof of Fermat’s Little Theorem
Fermat’s Little Theorem: Let p be a prime. Then for every a∈℥p, we have ap-1≡1 mod p. Proof: Consider the product a·(2a)·(3a)⋯((p-1)a) mod p. By the lemma on the previous slide, it follows that the above product is congruent to (p-1)!=1·2·3⋯(p-1) mod p. (Indeed, it is clearly a product of p-1 numbers from ℥p; if these numbers aren’t distinct, then we obtain an immediate contradiction.) In other words, we have that a·(2a)·(3a)⋯((p-1)a)≡1·2·3⋯(p-1) mod p. Rearranging the left-hand side, we get ap-1(p-1)!≡(p-1)! mod p. Thus, a second application of the lemma shows that ap-1≡1 mod p. ☐

22 Generating random (probable) primes
Goal: Generate a random n-bit prime Step 1: Choose n∈R [2n+1, 2n+1-1] Step 2: Check if 2n-1 ≡ 1 mod n If so, output n; otherwise, go to Step 1 If n is prime, then Pr[2n-1≡ 1]=1 If n is not prime, then Pr[2n-1≡1] is “small” - Unless you get unlucky and n is a Carmichael number…

23 Chinese Remainder Theorem
Chinese Remainder Theorem: Let n1, n2, …, nk be positive integers with gcd(ni, nj)=1 whenever i≠j, and let N=n1·n2⋯nk. Then the system of congruence relations x≡ c1 mod n1 x≡ ck mod nk has a unique solution in ℤN. zi≡1 mod ni zi≡0 mod nj when i≠j For each i=1,…,k, set yi ≡ (N/ni)-1 mod ni and zi≡(N/ni)·yi mod N The unique solution is x≡∑zi·ci mod N

24 Euler’s phi function Defn: Let n be a positive integer. Then Euler’s phi function is φ(n)≔|℥n|. In particular, Euler’s phi function of n indicates the number of positive integer less than and relatively prime to n. If p is prime, then φ(p)= If p is prime, then φ(p2)= If p is prime, then φ(pk)= If p and q are distinct prime, then φ(p·q)= If n=p1e1p2e2⋯pkek, then φ(n)= p-1 ?? p(p-1) ?? pk-1(p-1) ?? (p-1)(q-1) ?? p1e1-1(p1-1) p2e2-1(p2-1) ⋯pkek-1(pk-1) ?? Thm (Fermat restatement): If p is prime, then ∀a∈℥p, aφ(p)≡ 1 mod p.

25 Euler’s Theorem Generalization of Fermat’s Little Theorem Euler’s Theorem: For any integer n>1 and a∈℥n, aφ(n)≡1 mod n. 34≡ mod 10 8440≡ mod 100 79441≡ mod 100 The last two digits of are Trick: To compute ax mod n, reduce the base (i.e., a) modulo n and the exponent (i.e., x) modulo φ(n) 1 ?? ?? 1 (since φ(100)=5·(5-1)·2·(2-1)=40) 79 (since 441=11·φ(100)+1) ?? 01 (since 10381≡3 mod 100) ??

26 That’s all for today, folks!

Download ppt "Tuesday’s lecture: Today’s lecture: One-way permutations (OWPs)"

Similar presentations

1 Lect. 12: Number Theory. Contents Prime and Relative Prime Numbers Modular Arithmetic Fermat’s and Euler’s Theorem Extended Euclid’s Algorithm.

1 Lect. 12: Number Theory. Contents Prime and Relative Prime Numbers Modular Arithmetic Fermat’s and Euler’s Theorem Extended Euclid’s Algorithm.
Having Proofs for Incorrectness

Having Proofs for Incorrectness
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
1 Section 2.4 The Integers and Division. 2 Number Theory Branch of mathematics that includes (among other things): –divisibility –greatest common divisor.

1 Section 2.4 The Integers and Division. 2 Number Theory Branch of mathematics that includes (among other things): –divisibility –greatest common divisor.
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
Number Theory and Cryptography

Number Theory and Cryptography
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Basic properties of the integers

Basic properties of the integers
CSC2110 Discrete Mathematics Tutorial 5 GCD and Modular Arithmetic

CSC2110 Discrete Mathematics Tutorial 5 GCD and Modular Arithmetic
Elementary Number Theory and Methods of Proof. Basic Definitions An integer n is an even number if there exists an integer k such that n = 2k. An integer.

Elementary Number Theory and Methods of Proof. Basic Definitions An integer n is an even number if there exists an integer k such that n = 2k. An integer.
Chapter II. THE INTEGERS

Chapter II. THE INTEGERS
6/20/2015 5:05 AMNumerical Algorithms1 x0123456789 x1x1 1739.

6/20/2015 5:05 AMNumerical Algorithms1 x x1x
Complexity1 Pratt’s Theorem Proved. Complexity2 Introduction So far, we’ve reduced proving PRIMES  NP to proving a number theory claim. This is our next.

Complexity1 Pratt’s Theorem Proved. Complexity2 Introduction So far, we’ve reduced proving PRIMES  NP to proving a number theory claim. This is our next.
Chapter 4 – Finite Fields Introduction  will now introduce finite fields  of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public.

Chapter 4 – Finite Fields Introduction  will now introduce finite fields  of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public.
Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.
Fall 2002CMSC 203 - Discrete Structures1 Let us get into… Number Theory.

Fall 2002CMSC Discrete Structures1 Let us get into… Number Theory.
CS555Spring 2012/Topic 61 Cryptography CS 555 Topic 6: Number Theory Basics.

CS555Spring 2012/Topic 61 Cryptography CS 555 Topic 6: Number Theory Basics.
Divisibility October 8, 2014 1 Divisibility If a and b are integers and a  0, then the statement that a divides b means that there is an integer c such.

Divisibility October 8, Divisibility If a and b are integers and a  0, then the statement that a divides b means that there is an integer c such.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Chapter 2 The Fundamentals: Algorithms, the Integers, and Matrices

Chapter 2 The Fundamentals: Algorithms, the Integers, and Matrices

Similar presentations

Ads by Google