B. Some Preliminary Mathematical Notation
A message to be encrypted or sent will be generally denoted as M. Remember
that, to the computer, the string of 1s and 0s that make up M can be treated as a
binary number, whether M is “I love you” or “You owe me $500” or “Bank number
437695B.” Encryption may involve raising this number to a power. The notation
E(x) will denote an encryption algorithm or function, while D(x) will denote a
decryption algorithm or function. An encrypted message would thus be
designated as E(M), while a decryption of this encrypted message would be
shown as D(E(M)). Of course this latter term is just the original message, so
D(E(M)) = M. If a message is encrypted or decrypted using the symmetric key k,
then the notation Ek(x) or Dk(x) will be used. If a public-key system is involved,
then the public key will be denoted pk, while the private (secret) key will be
denoted sk.
In a symmetric encryption system, Dk(Ek(M)) = M, because the same key is used
to decrypt the message that was used to encrypt it. In a public-key system, one
key must be used to encrypt and the other to decrypt. Hence Dsk(Epk(M)) = M and
also Dpk(Esk(M)) = M. In the first case, the message is encrypted with Alice's
public key, then decrypted by Alice using her secret key. In the second case,
the basis of digital signatures, Alice applies her secret key to the message,
and anyone can undo that operation using Alice's public key. (This picture of a
signature as "encryption with the secret key" is a textbook simplification: it
fits trapdoor permutations such as RSA, but practical signature schemes are not
encryption run backwards, and the Schnorr and DSA schemes mentioned below do
not work this way at all.)
The sign “^” will be used to mean “raised to the power of”; for example, 2^3 = 8,
since 2 raised to the power of 3 equals 8. (Note that in the computer language
Fortran, b^y would be written b**y.) A single *, by contrast, denotes multiplication:
“three times b equals 12” would be written “3*b = 12”, or perhaps simply as “3b =
12”. The notation log_b (y) will denote the logarithm of y with respect to base b.
For example, log_2 (8) = 3, since the logarithm of 8 (to the base 2) is 3.
Finally, mod p will denote "arithmetic done modulo p". By this we will mean
"divide by p, and keep the remainder r, 0 <= r < p."
Reducing modulo 3, for example, divides a whole number by 3 and keeps the
remainder (which will be 0, 1, or 2). For example, 7 mod 3 = 1, since 3
goes into 7 twice, with 1 left over. The number we divide by (3, in this example) is
called the "modulus". Similarly, 62 mod 25 = 12. That is, when 25 is the modulus,
62 = 25*2 + 12, so the remainder is 12. But if 3 were the modulus, 62 = 3*20 + 2,
so the remainder is 2.
In general, we will write a = b mod n, meaning that a mod n = b mod n. (Number
theory texts call this relation congruence and write it a ≡ b (mod n); the "="
form is used throughout these notes.)
For example, 67 = 11 mod 7, because 67 mod 7 = 4 and also 11 mod 7 = 4.
Hence
a= b mod n
means for some integers k1 and k2,
a = k1*n + r (0<= r < n)
b = k2*n + r .
Hence also
a - b = (k1-k2)*n,
so that n divides into a-b a whole number of times (namely, k1-k2 times).
Restated, “n divides a-b”, which may also be written
“n|(a-b)” .
Thus, in the previous example,
67 = 11 mod 7
means for integers k1 = 9 and k2 = 1,
67 = 9*7 + 4 (0<= 4 < 7)
11 = 1*7 + 4 .
Hence also
67-11 = (k1-k2)*7 = (9-1)*7 = 8*7,
so that 7 divides into 67- 11 a whole number of times (8 times). We could also
write 7|(67-11) or 7|56.
If we do calculations this way, using whole numbers, dividing by the modulus,
and throwing away everything except the remainder, we are doing modular
arithmetic. Most computers are not constructed to do modular arithmetic on
large numbers very well, because their arithmetic units only handle whole
numbers up to a fixed width (typically 32 or 64 bits). For anything larger they
would much rather stick in a decimal point somewhere, and keep track of only a
few significant digits plus an exponent (floating point arithmetic). Consider,
for example, 3.7B3579D4F6821 x 16^73. This is a very large number, but the
computer essentially just keeps track of 16 hexadecimal digits (64 bits): the 14
digits of the mantissa, namely 3,7,B,3,5,7,9,D,4,F,6,8,2,1, and the 2 digits of
the exponent, 7 and 3. Everything below the 14th digit is lost, which is useless
for modular arithmetic, where every digit of the remainder matters. But public
key cryptography uses "keys" whose length is 2048 bits or more, and needs them
exact. Therefore most computer implementations of public key cryptography use
software that works around the hardware limitation by holding a big number as an
array of machine words (multiple-precision or "bignum" arithmetic), or else use
specially constructed cryptographic chips.
Remember also that by convention exponentiations take place before
multiplications. Hence 3*5^2 = 3*25 = 75. But (3*5)^2 = 15^2 = 225. Note also
that (3*5)^2 = 3^2*5^2 = 9*25 = 225. That is, in general, (x*y)^z = x^z*y^z.
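The following is an added example, not part of the original notes, showing how software gets around the fixed word size just described: b^e mod n is computed by repeated squaring, reducing after every multiplication, so the full power b^e is never formed and no intermediate value grows beyond twice the size of n. The function names and the fixed-seed random inputs are this example's own choices.

```python
# Added example (not from the original notes): modular exponentiation by
# square-and-multiply.  This is the core operation of RSA, Diffie-Hellman,
# DSA and Schnorr, and it is what makes 2048-bit exponents practical.
import random


def mod_exp(base: int, exponent: int, modulus: int) -> int:
    """Return base^exponent mod modulus without ever forming base^exponent."""
    if modulus <= 0:
        raise ValueError("modulus must be positive")
    if exponent < 0:
        raise ValueError("negative exponents need a modular inverse first")
    result = 1 % modulus          # 1 % 1 == 0 handles the degenerate modulus 1
    base %= modulus               # reduce the base before starting
    while exponent:
        if exponent & 1:          # low bit of the exponent set: multiply it in
            result = (result * base) % modulus
        base = (base * base) % modulus   # square for the next bit
        exponent >>= 1            # move to the next bit of the exponent
    return result                 # every intermediate stayed below modulus**2


def check_against_builtin(bits: int = 2048, trials: int = 5) -> bool:
    """Compare mod_exp with Python's built-in pow() on random 2048-bit inputs.

    The seed is fixed so the check is reproducible; this RNG is not suitable
    for generating real keys.
    """
    rng = random.Random(1)
    for _ in range(trials):
        n = rng.getrandbits(bits) | 1 | (1 << (bits - 1))   # odd, full-size modulus
        b = rng.getrandbits(bits) % n
        e = rng.getrandbits(bits)
        if mod_exp(b, e, n) != pow(b, e, n):
            return False
    return True


if __name__ == "__main__":
    print(mod_exp(3, 5, 7))             # 3^5 = 243 = 5 mod 7
    print(mod_exp(6, 3, 11))            # 6^3 = 216 = 7 mod 11
    print(check_against_builtin())      # True
```

Note that the loop above branches on each bit of the exponent, so its timing and memory-access pattern leak the exponent; cryptographic libraries use constant-time variants (Montgomery ladder, fixed windows) for private-key operations. The example is for understanding the arithmetic, not for protecting keys.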
C. Modular Arithmetic and the Groups Z(p)* and G(q).
In most of the calculations involving public key cryptography and digital cash, we
will be dealing with the set of integers from 0 to p-1, where p is some large prime.
This follows from the fact that we will be doing multiplication mod p. We will also
be using a set of integer powers from 1 to q, where q is some large prime
number that divides p-1. That is, multiplication and exponentiation (taking
powers) will take place within the groups Z(p)* and G(q), which we will define and
explain in this section.
The two groups Z(p)* and G(q) are very important for public key cryptography
and digital cash. They play roles in Diffie-Hellman key exchange, in the Schnorr
signature scheme, in the Digital Signature Algorithm, and in the digital cash
system of Stefan Brands. That is, the arithmetic is done in Z(p)* or in a group
G(q) of powers of prime order q, where q divides p-1. So it is important to
understand what these groups are.
The set Z(p)* = {1, 2, 3, 4, ..., p-2, p-1}. If we multiply any two numbers in this set
together, and reduce the product mod p, the result is a number in the set. So the
set is closed under multiplication. The number 1 is in the set and leaves every
element unchanged under multiplication, so it is the identity. In addition, if we
take any number k from the set, there exists another number k^-1 in the set, such
that k*k^-1 = 1 mod p. That is, any number in the set has a multiplicative
inverse. These characteristics (closure, an identity, inverses, and the ordinary
associativity of multiplication) mean that Z(p)* is a group under multiplication
mod p. Sometimes the term "multiplicative group" is used. Since Z(p)* is closed
under multiplication, it is also closed under exponentiation (taking powers),
since the n-th power of a number is simply the number multiplied by itself n
times. (Note that 0 is omitted from Z(p)* because it doesn't have a multiplicative
inverse. If we add 0 to the set Z(p)*, we get the set Z(p), which consists of all
remainders mod p, including 0.)
For example, Z(11)* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}. If we multiply 5 and 8 from the
set, we have 5*8 = 40 = 7 mod 11, and 7 is an element in the set. Also we have
5*9 = 45 = 1 mod 11, so that 9 is the multiplicative inverse of 5. Similarly, 5 is the
multiplicative inverse of 9. If k=5, then k^-1 = 9. Similarly, 2 and 6 are
multiplicative inverses, as are 3 and 4. What is the multiplicative inverse of 10?
(Answer: 10 is its own multiplicative inverse, since 10*10 = 100 = 1 mod 11.)
Also, if we exponentiate a number from the set, say 6 to the third power, we have
6^3 = 6*6*6 = 216 = 7 mod 11, and we are again left with an element in the set.
The set is closed under multiplication and exponentiation mod 11, and each
element has an inverse, so Z(11)* is a group.
Each element has a multiplicative inverse in Z(p)* because p is a prime number.
And since p is prime, the only common divisor of p and each of the numbers in
the set Z(p)* = {1, 2, 3, ..., p-1} is 1. Restated, the greatest common divisor (gcd)
of p and any number in the set is 1. That is, gcd(1,p) =1, gcd(2,p) = 1, gcd(3,p) =
1, . . . , gcd(p-1,p) = 1.
The same is not true if we do modular multiplication with a composite number
(i.e. a number which is the product of at least two numbers, each greater than 1).
For example, the number 15 = 3*5, so it is composite. Suppose we do
multiplication mod 15, using numbers from the set {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11,
12, 13, 14}. What is the inverse of the number 6 from this set? Answer: there is
no inverse for 6, as we can see by multiplying 6 by all numbers less than 15:
6*0 = 6*5 = 6*10 = 0 mod 15
6*1 = 6*6 = 6*11 = 6 mod 15
6*2 = 6*7 = 6*12 = 12 mod 15
6*3 = 6*8 = 6*13 = 3 mod 15
6*4 = 6*9 = 6*14 = 9 mod 15.
There is no number which multiplied by 6 equals 1 mod 15. In addition, we obtain
0 as the result of some multiplications, so the set is not closed. (6 and 5 are in
the set, but 6*5 mod 15 = 0, which is not in the set.) Hence, this set (the set of
whole numbers from 1 to 14) is not a multiplicative group mod 15.
Returning to the set Z(p)*, we can define some other operations, in addition to
multiplication and exponentiation. We can define division by k as multiplication by
the inverse of k, namely k^-1. Thus 8/k = 8*k^-1, by definition. If k = 9 in Z(11)*,
then 8/9 = 8*9^-1 = 8*5 = 40 = 7 mod 11. Similarly, 3/10 = 3*10^-1 = 3*10 = 30 =
8 mod 11.
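As an added example (not from the original notes), here is how a program actually finds the inverse k^-1 that the definition of division relies on: the extended Euclidean algorithm, which also decides, via gcd(k, n), whether an inverse exists at all. The same code reproduces the inverse pairs of Z(11)*, the division examples above, and the failure of 6 mod 15. Function names are this example's own.

```python
# Added example (not from the original notes): modular inverses and division
# via the extended Euclidean algorithm, for prime and composite moduli.

def extended_gcd(a: int, b: int):
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b = g."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r        # remainders shrink towards gcd
        old_s, s = s, old_s - q * s        # track coefficients of a ...
        old_t, t = t, old_t - q * t        # ... and of b alongside them
    return old_r, old_s, old_t


def mod_inverse(k: int, n: int):
    """Return k^-1 mod n, or None when gcd(k, n) != 1 (no inverse exists)."""
    g, s, _ = extended_gcd(k % n, n)
    if g != 1:
        return None                        # k shares a factor with n
    return s % n                           # s*k = 1 (mod n); normalise to 0..n-1


def mod_divide(a: int, k: int, p: int) -> int:
    """a / k mod p, defined as a * k^-1 mod p.  Raises if k is not invertible."""
    inv = mod_inverse(k, p)
    if inv is None:
        raise ZeroDivisionError(f"{k} has no inverse mod {p}")
    return (a * inv) % p


def units(n: int):
    """Residues 1..n-1 that have inverses mod n (the multiplicative group mod n)."""
    return [k for k in range(1, n) if mod_inverse(k, n) is not None]


def inverse_table(n: int):
    """Map every invertible residue mod n to its inverse."""
    return {k: mod_inverse(k, n) for k in units(n)}


if __name__ == "__main__":
    print(inverse_table(11))      # {1: 1, 2: 6, 3: 4, 4: 3, 5: 9, ..., 10: 10}
    print(mod_divide(8, 9, 11))   # 8/9 = 8*5 = 7 mod 11
    print(mod_inverse(6, 15))     # None: 6 and 15 share the factor 3
    print(units(15))              # [1, 2, 4, 7, 8, 11, 13, 14]
```

The `units(15)` result is the set the text's argument leads to: the residues coprime to 15 do form a group under multiplication mod 15, but it has 8 elements, not 14, which is why RSA's security arguments use Euler's totient of n rather than n-1.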
Let g be a member of Z(p)*. Then g is said to be a generator mod p if the set of
powers of g, namely the set {g^1 mod p, g^2 mod p, . . ., g^(p-1) mod p},
contains, in some order, all the members of Z(p)*:
{g, g^2, g^3, ... , g^(p-2), g^(p-1)} mod p
= {1, 2, 3, ... , p-2, p-1}, in some order.
That is, the set Z(p)* = {1, 2, ... , p-1} represents a rearrangement of {g, g^2, g^3,
... , g^(p-1)}, when all calculations are done mod p. (For convenience we write
mod p outside the brackets when it applies to each element in the set, or omit it
altogether, if it is understood.)
For example, 3 is a generator of Z(7)*, since
3^1 = 3 mod 7
3^2 = 2 mod 7
3^3 = 6 mod 7
3^4 = 4 mod 7
3^5 = 5 mod 7
3^6 = 1 mod 7.
Or, restated,
{3, 3^2, 3^3, 3^4, 3^5, 3^6} = {1, 2, 3, 4, 5, 6}
when calculations are done mod 7. The two sets have the same elements,
although not necessarily in the same order. A rearrangement of the order of the
elements of a set is called a permutation. The powers of the generator 3 give a
permutation of Z(7)*.
A generator-tuple mod p is a set of k generators, which are all different. That is,
{g1, ... , gk} is a generator-tuple if each gi is a generator mod p, and also gi is not
equal to gj, if i is not equal to j.
For example, {3, 5} is a generator-tuple of Z(7)*, because both 3 and 5 are
generators of Z(7)*. Each element in Z(7)* can be represented both as a power
of 3 and a power of 5:
1 = 3^6 mod 7 = 5^6 mod 7
2 = 3^2 mod 7 = 5^4 mod 7
3 = 3^1 mod 7 = 5^5 mod 7
4 = 3^4 mod 7 = 5^2 mod 7
5 = 3^5 mod 7 = 5^1 mod 7
6 = 3^3 mod 7 = 5^3 mod 7.
The number 2 is not a generator mod 7, because the powers of 2 only yield 1, 2,
or 4, mod 7:
{2, 2^2, 2^3} = {1, 2, 4}.
Note, however, that the powers of 2 mod 7 yield a subset of Z(7)*. The set {1, 2,
4} is a subset of {1, 2, 3, 4, 5, 6} = Z(7)*. The number 2 is thus said to "generate
the subgroup G(3)" mod 7. The designation "G(3)" means there are 3 elements in
the group. Alternatively stated, 3 is the lowest power of 2 that yields 1 mod 7.
G(3) is a group, because it is closed under multiplication mod 7:
1*1 = 1 mod 7
2*1 = 2 mod 7
4*1 = 4 mod 7
1*2 = 2 mod 7
2*2 = 4 mod 7
4*2 = 1 mod 7
1*4 = 4 mod 7
2*4 = 1 mod 7
4*4 = 2 mod 7
and because each element in G(3) also has an inverse.
Note that the number 4 is also a generator of G(3) = {1, 2, 4} mod 7, since
{4, 4^2, 4^3} = {4, 2, 1} mod 7 = {1, 2, 4}.
An element g of Z(p)* is said to have order q mod p provided q is the lowest
positive power such that g^q = 1 mod p. The group generated by g, namely {g, g^2,
..., g^q}, then has exactly q elements, so its order (number of elements) is also q.
The two generators of Z(7)* that we saw previously, namely 3 and 5, are said to
have order 6 mod 7, because 6 is the smallest power of 3 or 5 that gives 1 mod
7. That is, 1=3^6=5^6 mod 7, and no smaller power has this property. By
contrast, the generators of G(3), namely 2 and 4, have order 3, because 2^3 =
4^3 = 1 mod 7, and no lower power of 2 or 4 equals 1.
In general, for q prime, 1 < q < p, we define G(q), the subgroup of prime order q
mod p, as the set of powers {g, g^2, g^3, ..., g^q} of some element g of Z(p)*,
1 < g < p, whose order is q. This is a subset of Z(p)* with q distinct elements,
and the powers of g yield each of them. (Z(p)* has at most one subgroup with q
elements, so it makes sense to speak of "the" subgroup G(q): any other element
of order q generates the same set.) Note, by definition, q is the lowest power of g
that gives 1; hence, g^q = 1 mod p. Thus powers larger than q simply start over and
run through the same set of numbers. If g^q = 1 mod p, then g^(q+1) = g mod p,
g^(q+2) = g^2 mod p, and so on.
For example, 2^3 = 1 mod 7. So higher powers of 2 yield the same numbers over
and over:
2^4 = 2^1 = 2 mod 7
2^5 = 2^2 = 4 mod 7
2^6 = 2^3 = 1 mod 7
etc.
Note that if g is an element of the group Z(p)*, then g is a generator of Z(p)* if g is
an element of order p-1. That is, if g^(p-1) = 1, and no lower power equals 1. For
then, it would necessarily follow that the powers of g mod p--namely g^1, g^2, ...,
g^(p-1)--run through all the numbers 1, 2, ..., p-1.
Fermat's theorem says that for any prime p, and number k not divisible by p, we have
k^(p-1) = 1 mod p
Of course, the integers 1, 2, 3, . . ., p-1 are not divisible by p, so any of these
integers raised to the power p-1 equals 1 mod p, by Fermat’s theorem.
Hence for k an element of Z(p)*, we have k^(p-1) = 1 mod p.
For example, for Z(11)*, we have p-1 = 10, and a check shows that, mod 11,
1^10 = 2^10 = 3^10 = 4^10 = 5^10 = 6^10 = 7^10 = 8^10 = 9^10 = 10^10 = 1.
Note that we are not saying that any number k<p has order p-1 mod p. The order
of k may be smaller than this. For example, 2 has the order 3 mod 7, as 2^3 =1
mod 7. But it is also true that 2^(7-1) = 2^6 = 1 mod 7, as required by Fermat's
theorem. And obviously 2^6 = (2^3)^2 = (1)^2 = 1 mod 7.
It is easy to see that, as a consequence of Fermat's theorem, the order q of any element of
a multiplicative group mod p must divide p-1. This is known as Lagrange's theorem.
For example, in the case p = 7, we have p-1 = 7-1 = 6, so the order of any
element must divide into 6 a whole number of times. We saw previously that 3
and 5 have order 6 in Z(7)*, and 6|(7-1). Similarly, we saw that 2 and 4 have
order 3 mod 7, and 3|(7-1).
The reason it works this way is because if an element g is of order q mod p, then
g^q = 1 mod p. But it's also true by Fermat's theorem that g^(p-1) = 1 mod p. So if
q didn't divide p-1 a whole number of times, then for some number k, p-1 = k*q +
r, where 0 < r < q. Thus we would have that 1 = g^(p-1) = g^(k*q+r) = (g^q)^k*g^r =
1*g^r, which implies g^r = 1. Which in turn implies g has order at most r, less
than q, a contradiction.
Euler's totient function t(n) for a positive integer n is the number of positive
integers less than n that are relatively prime to n. That is, the number of
positive integers k, 0 < k < n, with gcd(k,n) = 1.
If n = p is prime, then all positive numbers less than p are relatively prime to p, so
t(p) = p-1.
For example, for n = p = 7, the numbers 1, 2, 3, 4, 5, and 6 are all relatively prime
to 7, so t(7) = 6. For n = 4, the numbers 1, 3 are relatively prime to 4, so t(4) = 2.
For n = 15, the numbers 1, 2, 4, 7, 8, 11, 13, 14 are relatively prime to 15, so
t(15) = 8. (The other numbers, namely 3, 5, 6, 9, 10, 12, have divisors in common
with 15.)
Euler's theorem states that for any number n and any number k relatively prime to n, we
have
k^t(n) = 1 mod n
Note that Euler's theorem applies to composite numbers n, as well as prime
numbers. For example let n = 15. The number 2 is relatively prime to 15, so by
Euler's theorem we have
2^t(15) = 2^8 = 1 mod 15.
We will use Euler's theorem later when we look at the RSA crypto-system. RSA
uses large numbers n which are composite (namely the product of two primes),
and hence Fermat's theorem does not apply: it is not true, in general, that k^(n-1)
= 1 mod n, for n composite, even if k is relatively prime to n. For example,
2^(15-1) = 2^14 = 4 mod 15. That is, the order of k does not necessarily divide n-1,
for n composite. The number 2 is relatively prime to 15, but it has order 4, as 2^4 = 1
mod 15. And 4 does not divide 15-1 = 14. However, the order 4 does divide t(15)
= 8.
Another result from number theory (the proof of which will not be explored here) is that,
for p prime, the number of generators mod p is t(p-1).
For example, the number of generators mod 7 is t(7-1) = t(6). Now t(6) is by
definition the number of positive integers less than 6 that are relatively prime to 6.
There are two such numbers; namely, 1 and 5. So there are a total of two
generators mod 7. Both of these generators (namely, 3 and 5) were shown
previously. (The significance of the numbers 1 and 5 here is that if we have a
generator g, then both g^1 and g^5 will be generators. Thus 3 and 3^5 = 5 mod 7
are generators. Alternatively, since 5 is a generator, both 5 and 5^5 = 3 mod 7
are generators.)
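The following added example (not from the original notes) turns the last few pages into checks a reader can run: it computes the order of an element by brute force, tests for generators, and verifies Lagrange's theorem, Fermat's theorem, Euler's theorem and the generator count t(p-1) on the small moduli used above, including the composite modulus 15 where Fermat's form fails. Brute force is fine at this size and hopeless at cryptographic size; the function names are this example's own.

```python
# Added example (not from the original notes): element orders, generators,
# the totient, and the theorems of Lagrange, Fermat and Euler on small moduli.
from math import gcd


def element_order(g: int, n: int) -> int:
    """Smallest k >= 1 with g^k = 1 mod n.  Requires gcd(g, n) == 1."""
    if gcd(g, n) != 1:
        raise ValueError(f"{g} is not a unit mod {n}, so it has no order")
    k, x = 1, g % n
    while x != 1:                 # keep multiplying by g until we return to 1
        x = (x * g) % n
        k += 1
    return k


def totient(n: int) -> int:
    """Euler's t(n): how many k in 1..n-1 are relatively prime to n."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)


def is_generator(g: int, p: int) -> bool:
    """g generates Z(p)* exactly when its order is p - 1 (p prime)."""
    return element_order(g, p) == p - 1


def generators(p: int):
    """All generators of Z(p)*; the text says there are t(p-1) of them."""
    return [g for g in range(1, p) if is_generator(g, p)]


def lagrange_holds(p: int) -> bool:
    """The order of every element of Z(p)* divides p - 1."""
    return all((p - 1) % element_order(g, p) == 0 for g in range(1, p))


def fermat_holds(p: int) -> bool:
    """k^(p-1) = 1 mod p for every k in Z(p)*."""
    return all(pow(k, p - 1, p) == 1 for k in range(1, p))


def euler_holds(n: int) -> bool:
    """k^t(n) = 1 mod n for every k coprime to n; n may be composite."""
    t = totient(n)
    return all(pow(k, t, n) == 1 for k in range(1, n) if gcd(k, n) == 1)


def fermat_style_failures(n: int):
    """Units k mod n with k^(n-1) != 1 mod n.  Empty for prime n, usually not otherwise."""
    return [k for k in range(1, n) if gcd(k, n) == 1 and pow(k, n - 1, n) != 1]


if __name__ == "__main__":
    print(element_order(2, 7), element_order(3, 7))     # 3 6
    print(generators(7), totient(6))                    # [3, 5] 2
    print(generators(23), totient(22))                  # ten generators, 10
    print(euler_holds(15), fermat_style_failures(15))   # True [2, 7, 8, 13]
```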
Consider now the group G(q) of prime order q mod p (i.e., both p and q are
prime). Since the order of any element mod p must divide p-1, it follows that q
must divide p-1. How many generators of the subgroup G(q) are there? The
answer is that for each m that divides p-1, there are t(m) generators of order m,
where t is Euler's totient function. In the case m=q is prime, there are thus t(q) =
q-1 generators. That is, there are q-1 generators of the subgroup G(q) of prime
order q mod p. This fact assures us that for large q we have plenty of generators
to choose from.
For example, since 3 divides 7-1 = 6, there are t(3) = 2 generators of order 3 mod
7. That is, there are two generators of the subgroup G(3) = {1, 2, 4}. (Note that
both 2 and 4 are generators of G(3).) Similarly, since 2 divides 7-1 = 6, there is
t(2) = 1 generator of order 2 mod 7. (Check that 6 is a generator of order 2 mod
7, yielding the subgroup G(2) = {1, 6}.)
Notice that since 2, 3, and 6 all divide p-1 = 7-1, the possible subgroups mod 7
(apart from the trivial subgroup {1}) are these:
Subgroups of Z(7)*           Generators gi mod 7
G(2) = {1, 6}                6
G(3) = {1, 2, 4}             2, 4
G(6) = {1, 2, 3, 4, 5, 6}    3, 5
We see that G(6) = Z(7)* has only two generators (and not 6-1 = 5), because 6 is
not prime, so the count q-1 for a subgroup of prime order q does not apply.
Rather, the count is t(6) = 2.
For p = 23, and q = 11, there are t(11) = 10 generators of G(11) = {2, 4, 8, 16, 9,
18, 13, 3, 6, 12, 1}. The number 2 is one such generator mod 23. Any member of
G(11), except the integer 1, is a generator of the group.
Note in this last example that 2 and 22 also divide p-1 = 23-1. There is thus t(2)
= 1 generator of G(2), and there are t(22) = 10 generators of G(22) = Z(23)*. Thus,
of the 22 elements in Z(23)*, 10 are of order 22, 10 of order 11, 1 is of order 2,
and 1 (the number 1 itself) is of order 1. (Check that G(2) = {1, 22}.)
Subgroups of Z(23)*                                                Generators gi mod 23
G(2) = {1, 22}                                                     22
G(11) = {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}                      2, 3, 4, 6, 8, 9, 12, 13, 16, 18
G(22) = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,    5, 7, 10, 11, 14, 15, 17, 19, 20, 21
         17, 18, 19, 20, 21, 22}
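As an added example (not from the original notes), the code below constructs G(q) the way DSA and Schnorr parameter generation actually does it: take any a in Z(p)* and set h = a^((p-1)/q) mod p. By Lagrange's theorem h^q = 1, so h is either 1 or an element of order exactly q, and since q is prime every element of G(q) other than 1 generates it. The same code tabulates the subgroups of Z(p)* for every divisor m of p-1, reproducing the tables for p = 7 and p = 23 above. Function names are this example's own.

```python
# Added example (not from the original notes): building the prime-order
# subgroup G(q) of Z(p)* by exponentiation, and tabulating all subgroups.

def divisors(n: int):
    return [d for d in range(1, n + 1) if n % d == 0]


def subgroup_generated_by(g: int, p: int):
    """The set {g, g^2, ..., 1} of powers of g mod p."""
    elems, x = set(), g % p
    while x not in elems:             # stop when the powers start to repeat
        elems.add(x)
        x = (x * g) % p
    return elems


def order_q_element(a: int, p: int, q: int):
    """h = a^((p-1)/q) mod p.  Returns h if it has order q, None if h == 1."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    h = pow(a, (p - 1) // q, p)       # h^q = a^(p-1) = 1 by Fermat's theorem
    return None if h == 1 else h      # for prime q, h != 1 forces order q


def prime_order_subgroup(p: int, q: int):
    """(sorted elements of G(q), sorted generators of G(q)); q must be prime."""
    for a in range(2, p):
        h = order_q_element(a, p, q)
        if h is not None:
            G = subgroup_generated_by(h, p)
            # verify the text's claim: every element except 1 regenerates G
            gens = sorted(x for x in G if x != 1 and subgroup_generated_by(x, p) == G)
            return sorted(G), gens
    raise ValueError("no element of order q found")


def subgroup_table(p: int):
    """For each m | p-1: (sorted elements of G(m), sorted generators of G(m))."""
    table = {}
    for m in divisors(p - 1):
        # an element generates a subgroup of m elements iff its order is m
        gens = [x for x in range(1, p) if len(subgroup_generated_by(x, p)) == m]
        if gens:
            table[m] = (sorted(subgroup_generated_by(gens[0], p)), gens)
    return table


if __name__ == "__main__":
    print(order_q_element(5, 23, 11))         # 5^2 = 2 mod 23: the text's generator of G(11)
    print(prime_order_subgroup(23, 11))       # ([1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18], all but 1)
    for m, (elems, gens) in subgroup_table(23).items():
        print(f"G({m}) = {elems}  generators: {gens}")
```

Real parameter generation works the same way with a 2048-bit p and a 256-bit prime q dividing p-1: pick a, compute h = a^((p-1)/q) mod p, and retry if h == 1. The only difference is that the subgroup is never enumerated; its size q is known from the construction.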
We can define discrete logarithms in either Z(p)* or G(q) by the following mechanism.
Let g be a generator of one of these two groups, and let y be the x-th power of g, modulo
p:
y = g^x mod p
Then x is the (discrete) logarithm of y to the base g, modulo p:
x = log_g (y) mod p
(Strictly, x is only determined up to a multiple of the order of g, that is,
modulo p-1 in Z(p)* or modulo q in G(q); the "mod p" in the log notation just
records which modulus the powers were reduced by.)
For example, 2^5 = 9 mod 23, so 5 = log_2 (9) mod 23. The integer 5 is the log of 9 (to the
base 2) mod 23. Similarly, 3^6 = 1 mod 7, so 6 = log_3 (1) mod 7. The integer 6 is the
log of 1 (to the base 3) mod 7.
Note for a generator g of G(q) mod p, that since g^q =1, we always have q =
log(1) mod p, for any base (generator) g. Hence, for a group of order q, q plays
the role of zero, as g^q = g^0 = 1 mod p, and hence q = log(1) = 0 mod q.
So for any power x of g in G(q), g^x mod p may be reduced mod q:
g^x mod p = g^(x mod q) mod p.
For example, we saw 2 had order q = 3 mod 7, since 2^3 mod 7 = 1. Hence for a power
larger than 3, say 8: 2^8 mod 7 = 2^(8 mod 3) mod 7 = 2^2 mod 7 = 4. Once we get to
the q-th power of g, g^q = 1, so for x = k*q+r, we have g^(k*q+r) = g^(k*q)*g^r =
(g^q)^k*g^r = 1^k*g^r = g^r. So we can reduce x by dividing by q, and keeping only
the remainder r.
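The following added example (not from the original notes) computes discrete logarithms in a group of known order q with the baby-step giant-step method, which needs about 2*sqrt(q) multiplications instead of the q of trial exponentiation, and it uses the reduction rule just derived, g^(-m) = g^((-m) mod q), to take the giant steps. It returns x in the range 0..q-1, so log_g(1) comes out as 0 rather than q, matching the remark above that q plays the role of zero. The function names are this example's own.

```python
# Added example (not from the original notes): baby-step giant-step discrete
# logarithm in a cyclic group of order q, plus the exponent-reduction rule.
from math import isqrt


def discrete_log(g: int, y: int, p: int, q: int):
    """Solve g^x = y mod p for x in [0, q), where g has order q mod p.

    Returns None if y is not a power of g (e.g. y lies outside G(q)).
    """
    m = isqrt(q) + 1                  # m*m > q, so any x < q is x = i*m + j, 0 <= i, j < m
    baby = {}                         # baby steps: g^j -> j
    gj = 1
    for j in range(m):
        baby.setdefault(gj, j)        # keep the smallest j if a power repeats
        gj = (gj * g) % p
    step = pow(g, (-m) % q, p)        # g^(-m): the negative exponent is reduced mod q
    cur = y % p
    for i in range(m + 1):            # giant steps: y * g^(-i*m) until it hits a baby step
        if cur in baby:
            return (i * m + baby[cur]) % q
        cur = (cur * step) % p
    return None


def reduce_exponent(g: int, x: int, p: int, q: int) -> int:
    """g^x mod p computed as g^(x mod q) mod p, valid when g has order q."""
    return pow(g, x % q, p)


def log_table(g: int, p: int, q: int):
    """Discrete log of every element of the group generated by g, each checked
    by re-exponentiation."""
    table, y = {}, 1
    for _ in range(q):
        x = discrete_log(g, y, p, q)
        assert pow(g, x, p) == y      # the log must invert exponentiation
        table[y] = x
        y = (y * g) % p
    return table


if __name__ == "__main__":
    print(discrete_log(2, 9, 23, 11))      # 5, since 2^5 = 9 mod 23
    print(discrete_log(3, 1, 7, 6))        # 0: the text's "6 = log_3(1)" reduced mod 6
    print(reduce_exponent(2, 8, 7, 3))     # 4 = 2^(8 mod 3) = 2^2 mod 7
    print(log_table(2, 23, 11))            # logs of all eleven elements of G(11)
```

Baby-step giant-step (and the better Pollard rho) is the reason q itself must be large: the work is sqrt(q), so a 160-bit q gives roughly 2^80 steps. Choosing a 2048-bit p with a small-order subgroup would not help, because the logarithm is taken in the subgroup, not in all of Z(p)*.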
For future reference, note the following fact about powers of g. If we have two
numbers X = g^x mod p and Y = g^y mod p, then
X*Y = g^x*g^y = g^(x+y) mod p.
By contrast to this, we have
X^y = (g^x)^y = g^(x*y) mod p,
while
Y^x = (g^y)^x = g^(x*y) mod p.
Knowledge of the first result, g^(x+y) mod p, doesn't tell us anything about the
latter result, g^(x*y) mod p. Only if we first took logs to the base g, and calculated
x = log X mod p or y = log Y mod p, could we calculate g^(x*y).
For a simple example using small numbers, suppose g = 2 and p = 25307.
Suppose also you observe X = 6113 and Y = 7984. Thus you know that
X*Y = 6113*7984 = 2^(x+y) mod 25307.
That is,
14296 = 2^(x+y) mod 25307.
But what is g^(x*y) = 2^(x*y) mod 25307?
To answer this question, you need to know x = log2 6113 mod
25307 or y = log2 7984 mod 25307. The difference between g^(x+y)
and g^(x*y) brings us to Diffie-Hellman key agreement.
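The exchange the passage leads into, as an added example (not from the original notes): Diffie-Hellman with the text's g = 2 and p = 25307, using secret exponents x and y that are constructed here for illustration. It shows both sides arriving at the same g^(x*y), shows that the eavesdropper's product X*Y is g^(x+y) and not the key, and, because p is tiny, lets the eavesdropper recover x by trial exponentiation and then compute the key exactly as Alice does. The class and function names are this example's own.

```python
# Added example (not from the original notes): Diffie-Hellman key agreement
# over the text's toy parameters, with an eavesdropper who can solve the
# discrete log only because p is small.
from dataclasses import dataclass, field

G, P = 2, 25307      # generator and prime from the text's example (toy size)


@dataclass
class Party:
    name: str
    secret: int                        # x (Alice) or y (Bob): never transmitted
    public: int = field(init=False)    # X = g^x mod p: sent over the open channel

    def __post_init__(self):
        self.public = pow(G, self.secret, P)

    def shared_key(self, other_public: int) -> int:
        """Alice computes Y^x, Bob computes X^y; both equal g^(x*y) mod p."""
        return pow(other_public, self.secret, P)


def run_exchange(x: int, y: int):
    """Run the protocol for constructed secrets x (Alice) and y (Bob).

    Returns (what Eve sees, Alice's key, Bob's key)."""
    alice, bob = Party("Alice", x), Party("Bob", y)
    transcript = {"X": alice.public, "Y": bob.public}
    return transcript, alice.shared_key(bob.public), bob.shared_key(alice.public)


def eavesdropper_product(X: int, Y: int) -> int:
    """Eve can form X*Y = g^(x+y) mod p from the transcript; it is not the key."""
    return (X * Y) % P


def eve_brute_force_log(X: int):
    """Recover some x with g^x = X by trial exponentiation (only feasible for tiny p)."""
    cur = 1
    for x in range(P - 1):
        if cur == X:
            return x
        cur = (cur * G) % P
    return None


def eve_recovers_key(transcript):
    """With x recovered, Eve computes Y^x just as Alice would."""
    x = eve_brute_force_log(transcript["X"])
    return None if x is None else pow(transcript["Y"], x, P)


if __name__ == "__main__":
    seen, k_alice, k_bob = run_exchange(1234, 5678)      # constructed secrets
    print(seen, k_alice == k_bob)                         # both sides agree
    print(eavesdropper_product(seen["X"], seen["Y"]))    # g^(x+y): useless to Eve
    print(eavesdropper_product(6113, 7984))              # 14296, the text's figure
    print(eve_recovers_key(seen) == k_alice)             # True: p is far too small
```

The brute-force step takes at most p-1 multiplications here; with a 2048-bit p and a 256-bit-order subgroup the same attack is out of reach, which is the entire security argument. Note also that a real implementation must check that a received public value lies in the intended group (and is not 0, 1 or p-1) before raising it to the secret exponent; this toy omits that.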