Cryptography Lecture 20 Guest lecturer: Neal Gupta - PowerPoint Presentation
Uploaded On 2023-11-04
Presentation Transcript

1. Cryptography
Lecture 20
Guest lecturer: Neal Gupta

2. Our goal
- Cover basic number theory quickly!
- Cover the minimum needed for all the applications we will study
- Some facts stated without proof
- Can take entire classes devoted to this material
- Abstracting some of the ideas makes things easier to understand

3. Computational number theory
- We will be interested in the computational difficulty of various problems
- Different from most of mathematics!
- Measure running times of algorithms in terms of the input lengths involved
- ‖x‖ = O(log x); x ≈ 2^‖x‖

4. Computational number theory
- Our goal: classify various problems as either “easy” or “hard”
- I.e., polynomial-time algorithms known or not
- We will not focus on optimizations, although these are very important in practice
- For “easy” problems: speed up cryptographic implementations
- For “hard” problems: need to understand concrete hardness for concrete security

5. Representing integers (e.g., in C)
- Cryptography involves very large numbers!
- Standard (unsigned) integers in C are small, fixed length (e.g., 16 or 32 bits)
- For crypto, need to work with integers that are much longer (e.g., 2000 bits)
- Solution: use an array
- E.g., “bignum” = array of unsigned chars (bytes)
- Useful to also maintain a variable indicating the length of the array

6. Example: addition
- Now need to define all arithmetic operations on bignums
- E.g., how to add two bytes?
- Note that C will discard the overflow, i.e., it does addition modulo 2^8

7. Example: addition
- Note a ≥ 2^7 iff msb(a) = 1
- AddWithCarry(char a, char b, char carry)   // carry is 0 or 1
    If a < 2^7 and b < 2^7: res = a+b+carry, carry = 0
    If a < 2^7 and b ≥ 2^7: res = a+(b-2^7)+carry
        If res ≥ 2^7: res = res-2^7, carry = 1
        Else: res = res+2^7, carry = 0
    If a ≥ 2^7 and b ≥ 2^7: res = (a-2^7)+(b-2^7)+carry, carry = 1
  (The remaining case, a ≥ 2^7 and b < 2^7, is symmetric to the second case.)

8. Example: addition
- Add(bignum a, l1, bignum b, l2)
- Use grade-school addition, using AddWithCarry element-by-element…
- Running time O(max{l1, l2}) = O(max{‖a‖, ‖b‖})
- If ‖a‖ = ‖b‖ = n then O(n)
- Is it possible to do better?
- No – must read input (O(n)) and write output (O(n))
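A working version of the byte-array representation and the AddWithCarry/Add routines of slides 5 to 8, added here as an example (it is not the lecture's own code). It assumes a little-endian byte order and a fixed capacity MAXLEN, and replaces the slide's msb case analysis with a wider intermediate type, which yields the same result byte and carry.

```c
#include <stddef.h>
#include <stdint.h>

/* Bignum as the slides describe: an array of bytes plus a length. Assumed
   little-endian here: d[0] is the least significant byte. */
#define MAXLEN 16                /* assumed fixed capacity for this example */
typedef struct {
    uint8_t d[MAXLEN];
    size_t len;                  /* bytes in use, always >= 1 */
} bignum;

/* Per-byte step: add a, b and an incoming carry (0 or 1) in a wider type,
   so the overflow that C would discard becomes the outgoing carry. */
static uint8_t add_with_carry(uint8_t a, uint8_t b, unsigned *carry) {
    unsigned sum = (unsigned)a + b + *carry;   /* at most 255 + 255 + 1 */
    *carry = sum >> 8;                         /* 1 iff sum >= 2^8 */
    return (uint8_t)(sum & 0xFF);              /* sum mod 2^8 */
}

/* Grade-school addition, element by element: O(max{l1, l2}) steps.
   Returns 0 on success, -1 if the sum needs more than MAXLEN bytes. */
int bignum_add(const bignum *a, const bignum *b, bignum *out) {
    size_t n = a->len > b->len ? a->len : b->len;
    unsigned carry = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t x = i < a->len ? a->d[i] : 0;  /* shorter operand zero-padded */
        uint8_t y = i < b->len ? b->d[i] : 0;
        out->d[i] = add_with_carry(x, y, &carry);
    }
    out->len = n;
    if (carry) {                               /* final carry: one more byte */
        if (n == MAXLEN) return -1;
        out->d[n] = 1;
        out->len = n + 1;
    }
    return 0;
}

/* Conversions used to exercise the code: 64-bit value <-> bignum. */
bignum bignum_from_u64(uint64_t v) {
    bignum r = { {0}, 0 };
    do { r.d[r.len++] = (uint8_t)(v & 0xFF); v >>= 8; } while (v != 0);
    return r;
}
uint64_t bignum_to_u64(const bignum *b) {
    uint64_t v = 0;
    for (size_t i = b->len; i-- > 0;) v = (v << 8) | b->d[i];
    return v;
}
```

Adding 0xFFFFFFFF and 1 exercises a carry through every byte and the final length extension (4 bytes in, 5 bytes out).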

9. Example: multiplication
- What is the length of the result?
- ‖ab‖ = O(log ab) = O(log a + log b) = O(‖a‖ + ‖b‖)
- Use grade-school multiplication…
- Running time O(‖a‖·‖b‖)
- If ‖a‖ = ‖b‖ = n then O(n^2)
- Can we do better?
- Surprisingly…yes! But we will not cover here…

10. Basic arithmetic operations
- Addition / subtraction / multiplication can all be done efficiently
- Using grade-school algorithms
- Division-with-remainder can also be done efficiently
- Much less obvious!

11. Modular arithmetic
- Notation: [a mod N] is the remainder of a when divided by N
- Note 0 ≤ [a mod N] ≤ N-1
- a = b mod N ⇔ [a mod N] = [b mod N]

12. Modular arithmetic
- Note that [a+b mod N] = [[a mod N] + [b mod N] mod N]
- [a-b mod N] = [[a mod N] - [b mod N] mod N]
- and [ab mod N] = [[a mod N]·[b mod N] mod N]
- I.e., can always work with reduced intermediate values
- This can be used to speed up computations

13. Modular arithmetic
- Not true for division!
- I.e., [9/3 mod 6] = [3 mod 6] = 3
- but [[9 mod 6]/[3 mod 6] mod 6] = 3/3 = 1
- We will return to division later…

14. Modular arithmetic
- Modular reduction can be done efficiently
- Use division-with-remainder
- Modular addition / subtraction / multiplication can all be done efficiently
- We will return to division later

15. Exponentiation
- Compute a^b?
- ‖a^b‖ = O(b · ‖a‖)
- Just writing down the answer takes exponential time!
- Instead, look at modular exponentiation
- I.e., compute [a^b mod N]
- Size of the answer < ‖N‖
- How to do it?
- Computing a^b and then reducing modulo N will not work…

16. Efficient exponentiation
- Consider the following algorithm:
    exp(a, b, N) {   // assume b ≥ 0
        ans = 1;
        for (i = 1; i ≤ b; i++)
            ans = [ans * a mod N];
        return ans;
    }
- This is an exponential-time algorithm!

17. Efficient exponentiation
- Assume b = 2^k for simplicity
- The preceding algorithm roughly corresponds to computing a·a·a·…·a
- Better: compute (((a^2)^2)^2…)^2
- 2^k multiplications vs. k squarings
- Note k = O(‖b‖)

18. Efficient exponentiation
- Consider the following algorithm:
    exp(a, b, N) {   // assume b ≥ 0
        x = a, t = 1;
        while (b > 0) {
            if (b odd) t = [t * x mod N], b = b-1;
            x = [x^2 mod N], b = b/2;
        }
        return t;
    }
- Why does this work?
- Invariant: answer is [t · x^b mod N]
- Running time is polynomial in ‖a‖, ‖b‖, ‖N‖
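Both routines from slides 16 and 18 written out in C, added here as an example and not the lecture's code. It assumes N < 2^32 so that a product of two reduced values fits in uint64_t (a real library would use bignum multiplication here), and counts modular multiplications so the gap between b steps and O(‖b‖) steps can be seen directly.

```c
#include <stdint.h>

/* [x*y mod N] for operands that are already reduced; the product of two
   values below 2^32 fits in 64 bits, which is why N < 2^32 is assumed. */
static uint32_t mulmod(uint32_t x, uint32_t y, uint32_t N) {
    return (uint32_t)(((uint64_t)x * y) % N);
}

/* Slide 16: b multiplications, i.e. exponential in the length of b.
   *mults receives the number of modular multiplications performed. */
uint32_t exp_naive(uint32_t a, uint64_t b, uint32_t N, uint64_t *mults) {
    uint32_t ans = 1 % N;                      /* 1 % N also handles N == 1 */
    *mults = 0;
    for (uint64_t i = 1; i <= b; i++) {
        ans = mulmod(ans, a % N, N);           /* intermediates stay reduced */
        (*mults)++;
    }
    return ans;
}

/* Slide 18: square-and-multiply. Loop invariant: answer == [t * x^b mod N].
   Each iteration halves b, so there are O(||b||) iterations with at most
   two modular multiplications each. */
uint32_t exp_fast(uint32_t a, uint64_t b, uint32_t N, uint64_t *mults) {
    uint32_t x = a % N, t = 1 % N;
    *mults = 0;
    while (b > 0) {
        if (b & 1) {                           /* b odd: fold one x into t */
            t = mulmod(t, x, N); b -= 1; (*mults)++;
        }
        x = mulmod(x, x, N); b /= 2; (*mults)++;   /* x = x^2, halve b */
    }
    return t;
}
```

For b = 1024 = 2^10 the naive loop performs 1024 multiplications while the fast loop performs 12 (10 squarings on the way down, then one multiply and one final squaring).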

19. Primes and divisibility
- Assume you have encountered this before…
- Notation a | b
- If a | b then a is a divisor of b
- p > 1 is prime if its only divisors are 1 and p
- p is composite otherwise
- d = gcd(a, b) if both: d | a and d | b, and d is the largest integer with that property

20. Computing gcd?
- Can compute gcd(a, b) by factoring a and b and looking for common prime factors…
- This is not (known to be) efficient!
- Can use the Euclidean algorithm to compute gcd(a, b)
- One of the earliest nontrivial algorithms!
- See book for details

21. Proposition
- Given a, b > 0, there exist integers X, Y such that Xa + Yb = gcd(a, b)
- See book for proof
- Can use the extended Euclidean algorithm to compute X, Y

22. Modular inverses
- b is invertible modulo N if there exists an integer a such that ab = 1 mod N
- Let [b^{-1} mod N] denote the unique such a that lies in the range {0, …, N-1}
- Division by b modulo N only defined when b is invertible modulo N
- In that case, [a/b mod N] defined as [a · b^{-1} mod N]

23. Cancellation
- “Expected” cancellation rule applies for invertible elements
- I.e., if ab = cb mod N and b is invertible modulo N, then a = c mod N
- Proof: multiply both sides by b^{-1}
- Note: this is not true if b is not invertible
- E.g., 3·2 = 15·2 mod 8 but 3 ≠ 15 mod 8

24. Invertibility
- How to determine whether b is invertible modulo N?
- Thm: b invertible modulo N iff gcd(b, N) = 1
- To find the inverse, use extended Euclidean algorithm to find X, Y with Xb + YN = 1
- Then [X mod N] is b^{-1} mod N
- Conclusion: can efficiently test invertibility and compute inverses!
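Euclid, extended Euclid, and the inverse and division routines of slides 20 to 24, added here as an example rather than the lecture's or the book's code. It assumes positive inputs small enough (N < 2^31) that no intermediate product overflows int64_t, and returns -1 where no inverse exists, which is exactly the [9/3 mod 6] case of slide 13 and the non-cancellable 2 mod 8 of slide 23.

```c
#include <stdint.h>

/* gcd(a, b) by the Euclidean algorithm: gcd(a, b) = gcd(b, a mod b). */
int64_t gcd(int64_t a, int64_t b) {
    while (b != 0) { int64_t r = a % b; a = b; b = r; }
    return a;
}

/* Extended Euclid: returns d = gcd(a, b) and sets X, Y with X*a + Y*b = d.
   Invariant kept through the loop: x0*a_in + y0*b_in == a and
   x1*a_in + y1*b_in == b, for the original inputs a_in, b_in. */
int64_t ext_gcd(int64_t a, int64_t b, int64_t *X, int64_t *Y) {
    int64_t x0 = 1, y0 = 0, x1 = 0, y1 = 1;
    while (b != 0) {
        int64_t q = a / b, r = a % b;              /* a = q*b + r */
        int64_t x2 = x0 - q * x1, y2 = y0 - q * y1; /* coefficients of r */
        a = b; b = r;
        x0 = x1; y0 = y1; x1 = x2; y1 = y2;
    }
    *X = x0; *Y = y0;
    return a;
}

/* Slide 24: [b^{-1} mod N] if gcd(b, N) = 1, otherwise -1 (not invertible).
   From X*b + Y*N = 1 it follows that X*b = 1 mod N, so [X mod N] is the inverse. */
int64_t mod_inverse(int64_t b, int64_t N) {
    int64_t X, Y;
    if (ext_gcd(b % N, N, &X, &Y) != 1) return -1;
    return ((X % N) + N) % N;      /* X may be negative: reduce into {0..N-1} */
}

/* Slide 22: [a / b mod N] = [a * b^{-1} mod N]; -1 when division is undefined. */
int64_t mod_div(int64_t a, int64_t b, int64_t N) {
    int64_t inv = mod_inverse(b, N);
    if (inv < 0) return -1;
    return ((a % N) * inv) % N;
}
```

With N = 7 the inverse of 3 is 5 (3·5 = 15 = 1 mod 7), so [9/3 mod 7] = [2·5 mod 7] = 3; with N = 6, gcd(3, 6) = 3 and the division is undefined.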