Professional Documents
Culture Documents
Integer Arithmetic
In integer arithmetic, we use a set and a few operations. You are familiar with this set and the
corresponding operations, but they are reviewed here to create a background for modular
arithmetic.
Set of Integers
The set of integers, denoted by Z, contains all integral numbers (with no fraction) from negative
infinity to positive infinity (Figure).
In cryptography, we are interested in three binary operations applied to the set of integers. A binary
operation takes two inputs and creates one output.
The following shows the results of the three binary operations on two integers. Because each input
can be either positive or negative, we can have four cases for each operation.
Integer Division
In integer arithmetic, if we divide a by n, we can get q And r . The relationship between these four
integers can be shown as
a=q×n+r
Assume that a = 255 and n = 11. We can find q = 23 and R = 2 using the division algorithm.
finding the quotient and the remainder
Division algorithm for integers
When we use a computer or a calculator, r and q are negative when a is negative. How can we apply
the restriction that r needs to be positive? The solution is simple, we decrement the value of q by 1
and we add the value of n to r to make it positive.
a=q×n
The greatest common divisor of two positive integers is the largest integer that can divide both
integers.
Euclidean Algorithm
Given two integers a and b, we often need to find other two integers, s and t, such that
The extended Euclidean algorithm can calculate the gcd (a, b) and at the same time calculate the
value of s and t.
Given a = 161 and b = 28, find gcd (a, b) and the values of s and t.
MODULAR ARITHMETIC
The division relationship (a = q × n + r) discussed in the previous section has two inputs (a and n) and
two outputs (q and r). In modular arithmetic, we are interested in only one of the outputs, the
remainder r.
Modulo Operator
The modulo operator is shown as mod. The second input (n) is called the modulus. The output r is
called the residue.
a. 27 mod 5 b. 36 mod 12
a. Dividing 27 by 5 results in r = 2
b. Dividing 36 by 12 results in r = 0.
Set of Residues
The modulo operation creates a set, which in modular arithmetic is referred to as the set of least
residues modulo n, or Zn.
Congruence
To show that two integers are congruent, we use the congruence operator ( ≡ ). For example, we
write:
A residue class [a] or [a]n is the set of integers congruent modulo n.
We use modular arithmetic in our daily life; for example, we use a clock to measure time. Our clock
system uses modulo 12 arithmetic. However, instead of a 0 we use the number 12.
Operation in Zn
The three binary operations that we discussed for the set Z can also be defined for the set Zn. The
result may need to be mapped to Zn using the mod operator.
Properties
The following shows the application of the above properties:
117 mod 13 ?
In arithmetic, we often need to find the remainder of powers of 10 when divided by an integer.
We have been told in arithmetic that the remainder of an integer divided by 3 is the same as the
remainder of the sum of its decimal digits. We write an integer as the sum of its digits multiplied by
the powers of 10.
Inverses
When we are working in modular arithmetic, we often need to find the inverse of a number relative
to an operation. We are normally looking for an additive inverse (relative to an addition operation)
or a multiplicative inverse (relative to a multiplication operation).
Additive Inverse
In modular arithmetic, each integer has an additive inverse. The sum of an integer and its additive
inverse is congruent to 0 modulo n.
Find all additive inverse pairs in Z10.
The six pairs of additive inverses are (0, 0), (1, 9), (2, 8), (3, 7), (4, 6), and (5, 5).
Multiplicative Inverse
In Zn, two numbers a and b are the multiplicative inverse of each other if
When it does, the product of the integer and its multiplicative inverse is congruent to 1 modulo n.
There is no multiplicative inverse because gcd (10, 8) = 2 ≠ 1. In other words, we cannot find any
number between 0 and 9 such that when multiplied by 8, the result is congruent to 1.
The extended Euclidean algorithm finds the multiplicative inverses of b in Zn when n and b are given
and
gcd (n, b) = 1.
We need to use Zn when additive inverses are needed; we need to use Zn* when multiplicative
inverses are needed.
MATRICES
In cryptography we need to handle matrices. Although this topic belongs to a special branch of
algebra called linear algebra, the following brief review of matrices is necessary preparation for the
study of cryptography.
A matrix of size l * m
Examples of matrices
Figure shows the product of a row matrix (1 × 3) by a column matrix (3 × 1). The result is a matrix of
size 1 × 1.
Scalar multiplication
The determinant of a square matrix A of size m × m denoted as det (A) is a scalar calculated
recursively as shown below:
Figure shows how we can calculate the determinant of a 2 × 2 matrix based on the determinant of
a 1 × 1 matrix.
Cryptography uses residue matrices: matrices where all elements are in Zn. A residue matrix has a
multiplicative inverse if gcd (det(A), n) = 1.
LINEAR CONGRUENCE
Cryptography often involves solving an equation or a set of equations of one or more variables with
coefficient in Zn. This section shows how to solve equations when the power of each variable is 1
(linear equation).
Equations of the form ax ≡ b (mod n ) might have no solution or a limited number of solutions.
Solve the equation 10 x ≡ 2(mod 15).
First we find the gcd (10 and 15) = 5. Since 5 does not divide 2, we have no solution.
ALGEBRAIC STRUCTURES
Cryptography requires sets of integers and specific operations that are defined for those sets. The
combination of the set and the operations that are applied to the elements of the set is called an
algebraic structure. In this chapter, we will define three common algebraic structures: groups, rings,
and fields.
A group (G) is a set of elements with a binary operation (•) that satisfies four properties (or axioms).
A commutative group satisfies an extra property, commutativity:
Although a group involves a single operation, the properties imposed on the operation allow the
use of a pair of operations as long as they are inverses of each other.
The set of residue integers with the addition operator,
G = < Zn , +>,
is a commutative group. We can perform addition and subtraction on the elements of this set
without moving out of the set.
The set Zn* with the multiplication operator, G = <Zn*, ×>, is also an abelian group.
Let us define a set G = < {a, b, c, d}, •> and the operation as shown in Table.
Is the group H = <Z10, +> a subgroup of the group G = <Z12, +>?
The answer is no. Although H is a subset of G, the operations defined for these two groups are
different. The operation in H is addition modulo 10; the operation in G is addition modulo 12.
Cyclic Subgroups
If a subgroup of a group can be generated using the power of an element, the subgroup is called the
cyclic subgroup.
Four cyclic subgroups can be made from the group G = <Z 6, +>. They are H1 = <{0}, +>, H2 = <{0, 2, 4},
+>, H3 = <{0, 3}, +>, and H4 = G.
Cyclic Groups
A cyclic group is a group that is its own cyclic subgroup.
Three cyclic subgroups can be made from the group G = <Z 10∗, ×>. G has only four elements: 1, 3, 7,
and 9. The cyclic subgroups are H1 = <{1}, ×>, H2 = <{1, 9}, ×>, and H3 = G.
a. The group G = <Z6, +> is a cyclic group with two generators,
g = 1 and g = 5.
Field
A field, denoted by F = <{…}, •, > is a commutative ring in which the second operation satisfies all
five properties defined for the first operation except that the identity of the first operation has no
inverse.
Finite Fields
Galois showed that for a field to be finite, the number of elements should be pn, where p is a
prime and n is a positive integer.
When n = 1, we have GF(p) field. This field can be the set Zp, {0, 1, …, p − 1}, with two arithmetic
operations.
A very common field in this category is GF(2) with the set {0, 1} and two operations, addition and
multiplication, as shown in Figure .
GF(2n) FIELDS
In cryptography, we often need to use four operations (addition, subtraction, multiplication, and
division). In other words, we need to use fields. We can work in GF(2n) and uses a set of 2n
elements. The elements in this set are n-bit words.
Let us define a GF(22) field in which the set has four 2-bit words: {00, 01, 10, 11}. We can redefine
addition and multiplication for this field in such a way that all properties of these operations are
satisfied, as shown in Figure.
where xi is called the ith term and ai is called coefficient of the ith term.
Figure show how we can represent the 8-bit word (10011001) using a polynomials.
To find the 8-bit word related to the polynomial x5 + x2 + x, we first supply the omitted terms.
Since n = 8, it means the polynomial is of degree 7. The expanded polynomial is
Polynomials representing n-bit words use two fields: GF(2) and GF(2 n).
For the sets of polynomials in GF(2n), a group of polynomials of degree n is defined as the
modulus. Such polynomials are referred to as irreducible polynomials.
Addition and subtraction operations on polynomials are the same operation.
Let us do (x5 + x2 + x) Å (x3 + x2 + 1) in GF(28). We use the symbol Å to show that we mean polynomial
addition. The following shows the procedure:
There is also another short cut. Because the addition in GF(2) means the exclusive-or (XOR)
operation. So we can exclusive-or the two words, bits by bits, to get the result. In the previous
example, x5 + x2 + x is 00100110 and x3 + x2 + 1 is 00001101. The result is 00101011 or in polynomial
notation x5 + x3 + x + 1.
Find the result of (x5 + x2 + x) ⊗ (x7 + x4 + x3 + x2 + x) in GF(28) with irreducible polynomial (x8 + x4 +
x3 + x + 1). Note that we use the symbol ⊗ to show the multiplication of two polynomials.
The GF(23) field has 8 elements. We use the irreducible polynomial (x3 + x2 + 1) and show the addition
and multiplication tables for this field. We show both 3-bit words and the polynomials. Note that
there are two irreducible polynomials for degree 3. The other one, (x3 + x + 1), yields a totally
different table for multiplication.
Using a Generator
Sometimes it is easier to define the elements of the GF(2n) field using a generator.
Generate the elements of the field GF(24) using the irreducible polynomial ƒ(x) = x4 + x + 1.
The elements 0, g0, g1, g2, and g3 can be easily generated, because they are the 4-bit representations
of 0, 1, x2, and x3. Elements g4 through g14, which represent x4 though x14 need to be divided by the
irreducible polynomial. To avoid the polynomial division, the relation ƒ(g) = g4 + g + 1 = 0 can be
used.
Primes
Asymmetric-key cryptography uses primes extensively. The topic of primes is a large part of any
book on number theory.
Definition
Given a number n, how can we determine if n is a prime? The answer is that we need to see if the
number is divisible by all primes less than
Is 97 a prime?
The floor of square root of 97 = 9. The primes less than 9 are 2, 3, 5, and 7. We need to see if 97 is
divisible by any of these numbers. It is not, so 97 is a prime.
Euler’s Phi-Function
Euler’s phi-function, f (n), which is sometimes called the Euler’s totient function plays a very
important role in cryptography.
The difficulty of finding ∅ (n) depends on the difficulty of finding the factorization of n.
Solution
Solution
We can use the third rule: ∅ (10) = ∅ (2) × ∅ (5) = 1 × 4 = 4, because 2 and 5 are primes.
First Version
ap − 1 ≡ 1 mod p
Second Version
ap ≡ a mod p
Solution
We have 610 mod 11 = 1. This is the first version of Fermat’s little theorem where p = 11.
Solution
Here the exponent (12) and the modulus (11) are not the same. With substitution this can be solved
using Fermat’s little theorem.
Multiplicative Inverses
The answers to multiplicative inverses modulo a prime can be found without using the extended
Euclidean algorithm:
Euler’s Theorem
First Version
𝒂∅(n) ≡ 1 (mod n)
Second Version
a k ×∅(n) + 1 ≡ a (mod n)
Solution
Solution
Multiplicative Inverses
The answers to multiplicative inverses modulo a composite can be found without using the
extended Euclidean algorithm if we know the factorization of the composite:
PRIMALITY TESTING
Finding an algorithm to correctly and efficiently test a very large integer and output a prime or a
composite has always been a challenge in number theory, and consequently in cryptography.
However, recent developments look very promising.
Deterministic Algorithms
Divisibility Algorithm
Solution
The bit-operation complexity of this algorithm is 2nb/2. This means that the algorithm needs 2100 bit
operations. On a computer capable of doing 2 30 bit operations per second, the algorithm needs 270
seconds to do the testing (forever).
Probabilistic Algorithms
Fermat Test
Use base 2
The number passes the Fermat test, but it is not a prime, because 561 = 33 × 17.
Square Root Test
Solution
The only square roots are 1 and −1. We can see that
Miller-Rabin Test
Solution
Factorization has been the subject of continuous research in the past; such research is likely to
continue in the future. Factorization plays a very important role in the security of several public-
key cryptosystems.
Solution
We run a program based on the algorithm and get the following result.
Fermat Method
Pollard p – 1 Method
Use the Pollard p − 1 method to find a factor of 57247159 with the bound B = 8.
Solution
We run a program based on the algorithm and find that p = 421. As a matter of fact 57247159 =
421 × 135979. Note that 421 is a prime and p − 1 has no factor greater than 8
421 − 1 = 22 × 3 × 5 × 7
Pollard rho Method
We have written a program to calculate the factors of 434617. The result is 709 (434617 = 709 ×
613).
We have written a program to calculate the factors of 434617. The result is 709 (434617 = 709 ×
613).
CHINESE REMAINDER THEOREM
The Chinese remainder theorem (CRT) is used to solve a set of congruent equations with one
variable but different moduli, which are relatively prime, as shown below:
The solution to this set of equations is given in the next section; for the moment, note that the
answer to this set of equations is x = 23. This value satisfies all equations: 23 ≡ 2 (mod 3), 23 ≡ 3
(mod 5), and 23 ≡ 2 (mod 7).
Solution
We follow the four steps.
1. M = 3 × 5 × 7 = 105
Solution
This is a CRT problem. We can form three equations and solve them to find the value of x.
QUADRATIC CONGRUENCE
In cryptography, we also need to discuss quadratic congruence¾that is, equations of the form
a2x2 + a1x + a0 ≡ 0 (mod n). We limit our discussion to quadratic equations in which a2 = 1 and a1 =
0, that is equations of the form
x2 ≡ a (mod n).
The equation x2 ≡ 3 (mod 11) has two solutions, x ≡ 5 (mod 11) and x ≡ −5 (mod 11). But note that
−5 ≡ 6 (mod 11), so the solutions are actually 5 and 6. Also note that these two solutions are
incongruent.
The equation x2 ≡ 2 (mod 11) has no solution. No integer x can be found such that its square is 2
mod 11.
In the equation x2 ≡ a (mod p), a is called a quadratic residue (QR) if the equation has two
solutions; a is called quadratic nonresidue (QNR) if the equation has no solutions.
There are 10 elements in Z11*. Exactly five of them are quadratic residues and five of them are
nonresidues. In other words, Z11* is divided into two separate sets, QR and QNR, as shown in
Figure.
Euler’s Criterion
Special Case: p = 4k + 3
The answers are x ≡ +1 (mod 7), x ≡ − 1 (mod 7), x ≡ + 5 (mod 11), and x ≡ − 5 (mod 11). Now we
can make four sets of equations out of these:
Figure shows the process for calculating y = ax using the Algorithm (for simplicity, the modulus is
not shown). In this case, x = 22 = (10110)2 in binary. The exponent has five bits.
Logarithm
Exhaustive Search
Order of the Group.
What is the order of group G = <Z21∗, ×>? |G| = ∅ (21) = ∅ (3) × ∅ (7) = 2 × 6 =12. There are 12
elements in this group: 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, and 20. All are relatively prime with 21.
Order of an Element
Find the order of all elements in G = <Z10∗, ×>.
Solution
This group has only f(10) = 4 elements: 1, 3, 7, 9. We can find the order of each element by trial
and error.
a. 11 ≡ 1 mod (10) → ord(1) = 1.
b. 34 ≡ 1 mod (10) → ord(3) = 4.
c. 74 ≡ 1 mod (10) → ord(7) = 4.
d. 92 ≡ 1 mod (10) → ord(9) = 2.
Euler’s Theorem
Primitive Roots In the group G = <Z n∗, ×>, when the order of an element is the same as ∅ (n), that
element is called the primitive root of the group.
Table shows that there are no primitive roots in G = <Z 8∗, ×> because no element has the order
equal to f(8) = 4. The order of elements are all smaller than 4.
Table shows the result of ai ≡ x (mod 7) for the group G = <Z7∗, ×>. In this group, ∅ (7) = 6.
The group G = <Zn*, ×> has primitive roots only if n is 2, 4, pt, or 2pt.
For which value of n, does the group G = <Zn∗, ×> have primitive roots: 17, 20, 38, and 50?
Solution
If the group G = <Zn*, ×> has any primitive root, the number of primitive roots is ∅ (∅ (n)).
Cyclic Group If g is a primitive root in the group, we can generate the set Z n* as Zn∗ = {g1, g2, g3,
…, gf(n)}
The group G = <Z10*, ×> has two primitive roots because (10) = 4 and (∅ (10)) = 2. It can be found
that the primitive roots are 3 and 7. The following shows how we can create the whole set Z 10*
using each primitive root.
3. It is cyclic. The elements can be created using gx where x is an integer from 1 to f(n) = p − 1.
4. The primitive roots can be thought as the base of logarithm
The discrete logarithm problem has the same complexity as the factorization problem.
digital signatures – how to verify a message comes intact from the claimed sender
public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
a related private-key, known only to the recipient, used to decrypt messages, and
sign (create) signatures
is asymmetric because
Public-Key Applications
some algorithms are suitable for all uses, others are specific to one
Symmetric and asymmetric-key cryptography will exist in parallel and continue to serve the
community. We actually believe that they are complements of each other; the advantages of one
can compensate for the disadvantages of the other.
Asymmetric key cryptography uses two separate keys: one private and one public.
Plaintext/Ciphertext
Unlike in symmetric-key cryptography, plaintext and ciphertext are treated as integers in
asymmetric-key cryptography.
Encryption/Decryption
C = f (Kpublic , P) P = g(Kprivate , C)
The main idea behind asymmetric-key cryptography is the concept of the trapdoor one-way
function.
1. f is easy to compute.
2. f −1 is difficult to compute.
When n is large, the function y = xk mod n is a trapdoor one-way function. Given x, k, and n, it is
easy to calculate y. Given y, k, and n, it is very difficult to calculate x. This is the discrete logarithm
problem. However, if we know the trapdoor, k′ such that k × k ′ = 1 mod f(n), we can use x = yk′
mod n to find x.
RSA CRYPTOSYSTEM
The most common public-key algorithm is the RSA cryptosystem, named for its inventors (Rivest,
Shamir, and Adleman).
Bob receives the ciphertext 26 and uses the private key 37 to decipher the ciphertext:
Now assume that another person, John, wants to send a message to Bob. John can use the same
public key announced by Bob (probably on his website), 13; John’s plaintext is 63. John calculates
the following:
Bob receives the ciphertext 28 and uses his private key 37 to decipher the ciphertext:
Jennifer creates a pair of keys for herself. She chooses p = 397 and q = 401. She calculates
n = 159197. She then calculates f(n) = 158400. She then chooses e = 343 and d = 12007. Show how
Ted can send a message to Jennifer if he knows e and n.
Suppose Ted wants to send the message “NO” to Jennifer. He changes each character to a number
(from 00 to 25), with each character coded as two digits. He then concatenates the two coded
characters and gets a four-digit number. The plaintext is 1314. Figure 10.7 shows the process.
Bob chooses e = 35535 (the ideal is 65537) and tests it to make sure it is relatively prime with f(n).
He then finds the inverse of e modulo f(n) and calls it d.
Alice wants to send the message “THIS IS A TEST”, which can be changed to a numeric value using
the 00−26 encoding scheme (26 is the space character).
ELGAMAL CRYPTOSYSTEM
Besides RSA and Rabin, another public-key cryptosystem is ElGamal. ElGamal is based on the
discrete logarithm problem
Instead of using P = [C2 × (C1d) −1] mod p for decryption, we can avoid the calculation of
multiplicative inverse and use
P = [C2 × C1 p−1−d] mod p (see Fermat’s little theorem in Chapter 9). In Example 10.10, we can
calculate P = [6 × 5 11−1−3] mod 11
= 7 mod 11.
For the ElGamal cryptosystem, p must be at least 300 digits and r must be new for each
encipherment.
Bob uses a random integer of 512 bits. The integer p is a 155-digit number (the ideal is 300 digits).
Bob then chooses e1, d, and calculates e2, as shown below:
Alice has the plaintext P = 3200 to send to Bob. She chooses r = 545131, calculates C1 and C2, and
sends them to Bob.
Although RSA and ElGamal are secure asymmetric-key cryptosystems, their security comes with a
price, their large keys. Researchers have looked for alternatives that give the same level of security
with smaller key sizes. One of these promising alternatives is the elliptic curve cryptosystem (ECC).
Elliptic curves over real numbers use a special class of elliptic curves of the form
Figure shows two elliptic curves with equations y2 = x3 − 4x and y2 = x3 − 1. Both are nonsingular.
However, the first has three real roots (x = −2, x = 0, and x = 2), but the second has only one real
root (x = 1) and two imaginary ones.]
3. The intercepting point is at infinity; a point O as the point at infinity or zero point, which is the
additive identity of the group.
Finding an Inverse
The inverse of a point (x, y) is (x, −y), where −y is the additive inverse of y. For example, if p = 13,
the inverse of (4, 2) is (4, 11).
Algorithm 10.12 shows the pseudocode for finding the points on the curve Ep(a, b).
Finding Inverses
We can write an algorithm to find the points on the curve using generators for polynomials
discussed in Chapter 7..
Finding Inverses
We can write an algorithm to find the points on the curve using generators for polynomials. This
algorithm is left as an exercise. Following is a verytrivial example.
We choose GF(23) with elements {0, 1, g, g2, g3, g4, g5, g6} using the irreducible polynomial of f(x) =
x3 + x + 1, which means that g3 + g + 1 = 0 or g3 = g + 1. Other powers of g can be calculated
accordingly. The following shows the values of the g’s.
Using the elliptic curve y2 + xy = x3 + g3x2 + 1, with a = g3 and
b = 1, we can find the points on this curve, as shown in Figure 10.15..
Decryption
The security of ECC depends on the difficulty of solving the elliptic curve logarithm problem.
7. Bob receives C1, C2. He uses 4xC1(35,1) to get (23, 25), inverts the points (23, 25) to get the
points (23, 42).
8. Bob adds (23, 42) with C2=(21, 44) to get the original one P=(24, 26).