Math Review For Asymmetric Crypto

Divisibility

a|b

means a divides b:

a|b \rightarrow b = ac

for some c.

2|4
10|100
2|b, \text{b even}

Examples:

Prime Numbers

A number p is prime if the only 

numbers that divide it are 1 and p itself.

First few:

2,3,5,7,11,13,17,19,23,29,31...

The most important thing about prime numbers is that they are building blocks of the integers.

Fundamental Theorem of Arithmetic

All numbers can be written uniquely as a product of prime numbers.

Examples:

1000 = 2^3 \cdot 5^3
1001 = 7\cdot 11 \cdot 13
18446744073709558080 = 2^6\cdot 3^2 \cdot 5 \cdot 167^2 \cdot 409 \cdot 761 \cdot 859^2

This is not true when composite numbers are involved:

30 = 3\cdot 10 = 5\cdot 6

Greatest Common Divisor (GCD)

The GCD of two numbers is the largest number that divides both of them.

If the GCD is 1, the two numbers are said to be coprime or relatively prime.

Examples:

\gcd(14,21) = 7
\gcd(12,60) = 12
\gcd(5,7) = 1

Calculating the GCD

can be done very efficiently,

even without knowing the factorizations

of the numbers themselves!

Solving 

Given two integers a and b, the Euclidean algorithm will produce the GCD as well as two integers u and v that solve the above.

def egcd(a,b):
  """Extended GCD algorithm"""
  if b == 0:
    return (a, 1, 0)
  else:
    g, x, y = egcd(b, a%b)

  u = y
  v = x - (a/b)*y
  assert a*u + b*v == g

  GCD = namedtuple('GCD', 'gcd u v')
  return GCD(gcd = g, u = y, v = x - (a/b)*y)

print egcd(18,24)

$ python gcd.py
GCD(gcd=6, u=-1, v=1)
au + bv = \text{gcd}(a,b)
18\cdot(-1) + 24\cdot1 = 6, u = -1, v=1

Congruences: Modular arithmetic

a \equiv b \mod m

means a - b is divisible by m.

Or: a and b differ only by a multiple of m.

Examples:

13 = 1 \mod 12
9 + 8 \equiv 5 \mod 12
7 \equiv 0 \mod 7
-4 \equiv 13 \mod 17

Addition and Multiplication mod p

\mathbb{Z}_p

The set of numbers mod p is often written

\mathbb{Z}_6
\mathbb{Z}_6

Addition in

Multiplication in

Division in

\mathbb{Z}_p

Let's say you want to solve for x:

ax = b \mod p

This has a unique answer if and only if 

\gcd(a,p) = 1

Example:

5x = 7 \mod 11
\gcd(5,11) = 1

Brute-force guessing gives: 

5\cdot 8 \equiv 40 \equiv 7 \mod 11
x = 8 \mod 11
7/5 \equiv 8 \mod 11

Using the Euclidean Algorithm to find Inverses in

\mathbb{Z}_p
ax = 1 \mod p \rightarrow ax + kp = 1 = \gcd(a,p)
1583x \equiv 1\text{ mod 7918}
\text{gcd}(1583, 7918) = 1

Thus 1583 and 7918 are coprime, and we can use Euclid's algorithm.

def invmod(a, m):
  assert gcd(a,m) == 1
  g = egcd(a,m)
  result = g.u
  # find the smallest positive solution
  while result < 0: 
    result += m
  return result

$ python invmod.py
5277

>>> (5277 * 1583) % 7918
1
x \equiv 5277\text{ mod 7918}

Modular inverse example

Chinese Remainder Theorem

Suppose x = 25 mod 42.

This means x = 25 + 42*k for some integer k.

This means x = 25 + 6*(7k) = 25 + 6m for some m. So x = 1 mod 6. Also,

x = 25 + 7*(6k) = 25 + 7n for some n. So x = 4 mod 7.

x = 25 \mod 42 \rightarrow
x = 4 \mod 7
x = 1 \mod 6

The CRT says this process can be reversed if m and n are coprime.

x = a_1 \mod m
x = a_2 \mod n
\rightarrow x = c \mod m\cdot n

Big numbers: 

Modular exponentiation

In crypto, calculating these numbers raised to large powers happens all the time.  Here's an example of the algorithm.

Let's calculate:

3^{218}\text{ mod 1000}
3^{218} = 3^{2 + 2^3 + 2^4 + 2^6 + 2^7} = 3^2\cdot3^{2^3}\cdot3^{2^4}\cdot3^{2^6}\cdot3^{2^7}

Notice how each subsequent term involves squaring the previous one (sometimes multiple times)

Write the exponent in binary.
Then reading the bits from right to left, you can build a table of intermediate products, taking mods at each step.

218 = (11011010)_2
3^{218} = 3^2\cdot3^{2^3}\cdot3^{2^4}\cdot3^{2^6}\cdot3^{2^7}
3^{218} \equiv 9\cdot561\cdot721\cdot281\cdot961\text{ mod 1000} \equiv 489\text{ mod 1000}
def expmod(g, A, m):
  bits = bin(A)[2:][::-1]
  a = []
  for i, bit in enumerate(bits):
    a.append(g%m)
    g = (g%m) * (g%m)

  res = 1
  for i, bit in enumerate(bits):
    res *= a[i]**(int(bit)) % m
    res %= m

  return res

print expmod(3, 218, 1000)

$ python expmod.py
489

"Fast Powering"

In Python, the "pow" function

does this for you, likely faster!

Fermat's Theorem

a^{p-1} \equiv 1\text{ mod p}, p\nmid a

Here, p is a prime number, and doesn't divide a.

Example: let a = 2, and

x = 31987937737479355332620068643713101490952335301
2^{x-1} = 1281265953551359064133601216247151836053160074\text{ mod x}

Thus we know the number is composite!  

(But no idea what its factors are)

Primitive Roots

Let 

x = 3 \mod 7
3^1 \equiv 3
3^2 \equiv 2
3^3 \equiv 6
3^4 \equiv 4
3^5 \equiv 5
3^6 = 1
\mathbb{Z}_7 = \{0,1,2,3,4,5,6\}

Thus 3 generates all the nonzero members of this set.

We call 3 a primitive root.

\mathbb{F}^*_7 = \{1,2,3,4,5,6\}

Public-Key Cryptosystem

In 1976, Diffie and Hellman came up with defined a PKC and trapdoor information.

Domain

Range

f
f^{-1}

Easy!

Very difficult!

Easy, with some trapdoor information!

f^{-1}
f

is a one-way function, easy to compute in one direction, very hard to invert without special information.

Are there truly one-way functions?

No one has concluded for sure that they exist. What we do have are several problems that people believe are very hard. Decades of trying to break them have failed--so far.

Two very common cryptosystems in use today depend on hard problems:

RSA: integer factorization problem

ECDH (Elliptic Curve Diffie-Hellman): discrete log problem (DLP)

Today we focus only on the DLP.

The Discrete Log Problem

Let p be a prime number. Then

\mathbb{F}^*_p = \{1,2,3,...p-1\}
\mathbb{F}^*_p

Every element of

has an inverse, mod p.

You can prove that there is a primitive root g in this set. This means that g generates the set:

\mathbb{F}^*_p = \{1,g,g^2,...,g^{p-2}\}

Let g be a primitive root for 

\mathbb{F}_p

Let h be an element of 

\mathbb{F}_p

Find x such that:

g^x = h \mod p
627^i \mod 941

Discrete Logs Look Random

Diffie-Hellman Exchange

Step 0: Pick a (large) p and a primitive root g.

Step 1: Alice picks a secret integer a mod p and computes:

A = g^a \mod p

Step 2: Bob picks a secret integer b mod p and computes:

B = g^b \mod p

Step 3: Alice sends A to Bob. Bob sends B to Alice.

Step 4: Alice and Bob can compute a shared secret:

A^b = B^a = g^{ab} \mod p

Eve's Hacking Challenge, mod p

She knows:

g,p,g^a,g^b

She wants: 

g^{ab}

This is the Diffie-Hellman Problem (DHP).

It is certainly no harder than the DLP. 

If she solves the DLP (which is really difficult to solve) and gets a and b, she can solve the DHP.

If she solves the DHP, can she solve the DLP?

No one knows!

p \approx 2^{1000}

This problem is unfeasible to crack brute-force if

Key Exchange Example

Alice and Bob agree to use p = 941 and primitive root g = 627. This information is public. Even Eve knows it.

Alice chooses a secret key, 347. Bob chooses a secret 781.

Alice computes:

A = 627^{347} \mod 941 = 390

Bob computes:

B = 627^{781} \mod 941 = 691

Alice sends A to Bob. Bob sends B to Alice. Eve can see all this.

Alice and Bob can compute a shared secret key:

K = 627^{347 \cdot 781} \mod 941 = 470

Breaking Lame Crypto: Pohlig-Hellman Theorem

The prime number you choose has to be very large, but that's not all.

Let's say p-1 factors into a product of "small" prime numbers.

Then for each small prime number r, I have a set of numbers:

\mathbb{F}^*_r = \{1,g_i,g_i^2,...,g_i^{r-2}\}
g_i

generates 

\mathbb{F}^*_r

Eve gives this small generator to Bob, who computes a number 

h_i
g_i^{x_i} = h_i \mod r

Now solve for each small factor.

Then stitch together x from all the x_i using the CRT!

Made with Slides.com