Sharif University of Technology
Department of Computer Engineering
Data and Network Security Lab
Algebra & Cryptography
Author & Instructor:
Mohammad Sadeq Dousti
Sharif University
Introduction to Modern Cryptography
Spring 2015
1 / 42
Copyright Notice
• These slides are licensed under Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0. Basically, this license allows others to use the slides verbatim, and even modify and incorporate them into their own work, as long as:
  1. They credit the original author(s);
  2. Their work is used non-commercially;
  3. They license their work under CC BY-NC-SA 4.0.
• For further information, please consult:
  o https://creativecommons.org/licenses/by-nc-sa/4.0
  o https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
Outline
• What is algebra?
• Group-like structures
  o Groups
• Ring-like structures
  o Rings
  o Fields
    - Finite Fields
What is Algebra?
What is algebra?
• Algebra is the study of mathematical symbols and the rules for manipulating these symbols.
• Example: X² − 3X + 2 = 0
• The symbols can stand for any mathematical object:
  o Numbers, Vectors, Matrices, Polynomials, …
  o For instance, the following 2-by-2 matrices satisfy the above identity:
    [1 0; 0 1], [1 0; 0 2], [2 0; 0 1], [2 0; 0 2]
• Example for manipulation rules: You can add any constant to both sides of any identity.
From solving equations to abstract algebra
• Methods for solving linear (ax + b = 0) and quadratic (ax² + bx + c = 0) equations were known for centuries.
• General cubic and quartic equations were solved in the 16th century CE.
  o The solutions were expressed in terms of basic arithmetic operations (+, −, ×, ÷), as well as radicals.
• No such method was known for general equations of degree 5 or higher.
  o Working independently, Abel and Galois proved that giving such a method is impossible.
  o Along the way, they laid the foundation of abstract algebra.
Founders of abstract algebra
• Niels Henrik Abel (1802 – 1829)
  o Norwegian mathematician
  o Lived in poverty
  o Contracted tuberculosis
  o Died at the age of 26 in Froland, Norway
• Évariste Galois (1811 – 1832)
  o French mathematician
  o Lived a wealthy life
  o Got involved in army & politics
  o Died in a duel at the age of 20 in Paris
Group-like Structures
Algebraic structures
• A set S endowed with one or more finitary operations is called an algebraic structure.
• Let S be a set, and ∗ : S × S → S be a binary operation.
• The pair (S, ∗) is called a group-like structure.
• Depending on the properties that ∗ satisfies on S, the structure is called by various names (semicategory, category, groupoid, magma, quasigroup, loop, semigroup, monoid, group, Abelian group, …).
• If ∗ behaves like multiplication, it is denoted by ×, and the structure is called multiplicative.
• If ∗ behaves like addition, it is denoted by +, and the structure is called additive.
Closure (Totality)
• (S, ∗) satisfies the closure (totality) property if for all x, y ∈ S, we have x ∗ y ∈ S. Equivalently:
  o S is closed under ∗.
  o ∗ is closed over S.
• Examples:
  o (ℕ, +)
  o (ℤ, ×)
  o (ℚ ∖ {0}, ×)
• Non-examples:
  o (ℕ, −)
  o (ℤ ∖ {0}, ÷)
  o (ℚ, ÷)
Associativity
• (S, ∗) satisfies the associative property if for all x, y, z ∈ S, we have (x ∗ y) ∗ z = x ∗ (y ∗ z).
• Associativity implies that parenthesization is unnecessary.
• Examples:
  o (2 + 3) + 4 = 2 + (3 + 4)
  o GCD(GCD(x, y), z) = GCD(x, GCD(y, z))
  o (A ∪ B) ∪ C = A ∪ (B ∪ C)
• Non-examples:
  o (2 − 3) − 4 ≠ 2 − (3 − 4)
  o (100 ÷ 20) ÷ 5 ≠ 100 ÷ (20 ÷ 5)
  o (5²)³ ≠ 5^(2³)
Identity
• (S, ∗) has an identity element e ∈ S if for all x ∈ S, we have e ∗ x = x ∗ e = x. The identity element is often denoted by:
  o 1 in multiplicative structures.
  o 0 in additive structures.
• Examples:
  o 25 + 0 = 0 + 25 = 25
  o A ∪ ∅ = ∅ ∪ A = A
• Non-examples:
  o (ℤ, −)
  o (ℚ ∖ {0}, ÷)
Uniqueness of identity element
• THEOREM: If (S, ∗) has an identity element, it is unique.
• PROOF: Assume that e1 and e2 are identity elements of (S, ∗). Then:
  o e1 ∗ e2 = e2 (since e1 is an identity element)
  o e1 ∗ e2 = e1 (since e2 is an identity element)
  o Therefore, e1 = e2.
• Notice that we proved the theorem regardless of whether we are working with numbers, matrices, functions, vectors, etc.
• This is why this area of mathematics is abstract.
Invertibility (Divisibility)
• (S, ∗) with identity element e satisfies the invertibility (divisibility) property if for every element x ∈ S there exists an element y ∈ S, such that x ∗ y = y ∗ x = e. The inverse of x is often denoted by:
  o x⁻¹ or 1/x in multiplicative structures.
  o −x in additive structures.
• Examples:
  o 25 + (−25) = (−25) + 25 = 0
  o x ⊕ x = 0 (XOR)
• Non-examples:
  o The matrix M = [4 6; 2 3] has no multiplicative inverse (its determinant 4·3 − 6·2 is 0).
Commutativity
• (S, ∗) is commutative (Abelian) if for all elements x, y ∈ S, we have x ∗ y = y ∗ x.
• Examples:
  o 2 + 9 = 9 + 2
  o f(x) + g(x) = g(x) + f(x)
• Non-examples:
  o Matrix multiplication. Let A = [x 0; y 0] and B = [z w; 0 0]. Then
    A × B = [xz xw; yz yw], but B × A = [xz + wy 0; 0 0].
Group-like structures at a glance
[Figure: table of group-like structures by the properties they satisfy. Annotation: "No identity. How is divisibility possible?!"]
Groups
Groups
• Group: An algebraic structure G = (S, ∗) satisfying four properties:
  1. Closure (totality)
  2. Associativity
  3. Identity
  4. Divisibility (invertibility)
• Abelian group: A group satisfying commutativity.
• Group membership: x ∈ G if and only if x ∈ S.
• Group order: The number of elements in the group.
  o Denoted |G| = |S|.
• Finite group: A group with finite order.
Notational conventions
• Let x ∈ G and m ∈ ℤ.
• Additive group G:
  o −x is the inverse of x, and 0 is the identity element.
  o If m = 0, then mx = 0.
  o If m > 0, then mx = x + ⋯ + x (m times).
  o If m < 0, then mx = (−x) + ⋯ + (−x) (|m| times).
  o mG = {mx | x ∈ G}
• Multiplicative group G:
  o x⁻¹ is the inverse of x, and 1 is the identity element.
  o If m = 0, then x^m = 1.
  o If m > 0, then x^m = x × ⋯ × x (m times).
  o If m < 0, then x^m = x⁻¹ × ⋯ × x⁻¹ (|m| times).
  o G^m = {x^m | x ∈ G}
Order and exponent
• The order of an element x of a group is the smallest positive integer m such that:
  o mx = e (additive groups)
  o x^m = e (multiplicative groups)
• If no such m exists, x is said to have infinite order.
• Periodic group: A group in which every element has finite order.
• Exponent of a periodic group: The LCM of the orders of all group elements, if it exists.
• THEOREM: Any finite group has an exponent. It is a divisor of |G|. (See Lagrange's theorem a few slides ahead.)
Examples of finite groups
• Additive group of integers modulo n, denoted ℤn:
  o Elements: {0, 1, …, n − 1}.
  o Group operator: Addition modulo n.
  o |ℤn| = n
• Multiplicative group of integers modulo n, denoted ℤn*:
  o Elements: {i | 1 ≤ i < n and GCD(i, n) = 1}.
    - GCD(i, n) = 1 ensures invertibility.
  o Group operator: Multiplication modulo n.
  o |ℤn*| = φ(n)
• Both groups are Abelian.
Cayley tables
• Describes the structure of a finite group by arranging all the possible products of all the group's elements in a square table.
• Example: ℤ2 and ℤ3*

    + (mod 2) | 0 | 1          × (mod 3) | 1 | 2
    ----------+---+---         ----------+---+---
        0     | 0 | 1              1     | 1 | 2
        1     | 1 | 0              2     | 2 | 1

• Notice that ℤ3* is a "relabeling" of ℤ2, and vice versa.
  o 0 is relabeled as 1, and 1 is relabeled as 2.
  o This is called "isomorphism" (more on this later).
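As an added example (not part of the original slides), the following Python code builds ℤn and ℤn* as (element list, operation) pairs, checks the four group axioms by brute force, and prints Cayley tables. It also shows why the GCD condition on ℤn* matters: the set {1, …, n − 1} under multiplication mod n is not even closed when n is composite. Function names such as `is_group` and `cayley_table` are this example's own.

```python
from itertools import product
from math import gcd


def z_add(n):
    """The additive group Z_n: elements 0..n-1 under addition mod n."""
    return list(range(n)), (lambda a, b: (a + b) % n)


def z_mul(n):
    """The multiplicative group Z_n^*: units mod n under multiplication mod n.
    Restricting to gcd(i, n) == 1 is exactly what makes every element invertible."""
    return [i for i in range(1, n) if gcd(i, n) == 1], (lambda a, b: (a * b) % n)


def identity_of(elems, op):
    """Return the two-sided identity of (elems, op), or None if there is none."""
    for e in elems:
        if all(op(e, x) == x == op(x, e) for x in elems):
            return e
    return None


def is_group(elems, op):
    """Check closure, associativity, identity and inverses by enumeration.
    O(n^3) because of associativity, so only for small structures."""
    S = set(elems)
    if any(op(a, b) not in S for a, b in product(elems, repeat=2)):
        return False  # closure fails
    if any(op(op(a, b), c) != op(a, op(b, c)) for a, b, c in product(elems, repeat=3)):
        return False  # associativity fails
    e = identity_of(elems, op)
    if e is None:
        return False  # no identity element
    return all(any(op(a, b) == e == op(b, a) for b in elems) for a in elems)


def is_abelian(elems, op):
    return all(op(a, b) == op(b, a) for a, b in product(elems, repeat=2))


def cayley_table(elems, op):
    """Rows and columns follow the order of `elems`; entry [i][j] = elems[i] op elems[j]."""
    return [[op(a, b) for b in elems] for a in elems]


def print_cayley(name, elems, op):
    w = max(len(str(x)) for x in elems)
    print(f"{name:>{w + 2}} | " + " ".join(f"{x:>{w}}" for x in elems))
    print("-" * (w + 3) + "+" + "-" * ((w + 1) * len(elems)))
    for a, row in zip(elems, cayley_table(elems, op)):
        print(f"{a:>{w + 2}} | " + " ".join(f"{x:>{w}}" for x in row))


if __name__ == "__main__":
    print_cayley("+ mod 2", *z_add(2))
    print_cayley("x mod 3", *z_mul(3))
    # Without the gcd filter, {1,...,5} under multiplication mod 6 is not closed: 2*3 = 0.
    print(is_group(list(range(1, 6)), lambda a, b: a * b % 6))
    print(is_group(*z_mul(12)), is_abelian(*z_mul(12)))
```

Running the script prints the two Cayley tables from the slide (the second is the first with 0 relabeled as 1 and 1 as 2), then `False` for the non-closed structure and `True True` for ℤ12*.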
Subgroups and cosets
• H = (T, ∗) is called a subgroup of G = (S, ∗), denoted H ≤ G, if:
  1. H is a group.
  2. T ⊆ S.
• Let H ≤ G and a ∈ G.
  o a ∗ H = {a ∗ h : h ∈ H} is the left coset of H containing a.
  o H ∗ a = {h ∗ a : h ∈ H} is the right coset of H containing a.
• The number of left cosets of H is called the index of H in G and is denoted by [G : H].
• Lagrange's theorem: For any finite group G, the order of every subgroup H of G divides the order of G. Furthermore:
    [G : H] = |G| / |H|
Examples
• Let ⊕ denote addition modulo 18.
  o G = ℤ18.
  o H = 3G = {0, 3, 6, 9, 12, 15}.
  o H is a group under ⊕.
  o [G : H] = |G| / |H| = 18 / 6 = 3.
  o 7 ⊕ H = H ⊕ 7 = {7, 10, 13, 16, 1, 4} is a coset of H.
  o K = 2H = {0, 6, 12}.
  o K is a group under ⊕.
  o [G : K] = |G| / |K| = 18 / 3 = 6.
  o 7 ⊕ K = K ⊕ 7 = {7, 13, 1} is a coset of K.
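The ℤ18 example above, worked in code as an added illustration (not from the slides): a generic routine closes a generating set into a subgroup, another enumerates the distinct left cosets, and `lagrange_holds` checks that the cosets have equal size, are disjoint and cover the group, which is the content of Lagrange's theorem. The function names are this example's own.

```python
def generated_subgroup(elems, op, gens):
    """<gens>: the smallest subgroup containing `gens`. In a finite group it is enough
    to close under products with the generators, because every inverse is a positive
    power (g^-1 = g^(ord(g)-1)), so a breadth-first closure starting from the identity
    reaches exactly the words in the generators."""
    e = next(x for x in elems if all(op(x, y) == y for y in elems))  # identity
    H, frontier = {e}, [e]
    while frontier:
        new = []
        for h in frontier:
            for g in gens:
                y = op(h, g)
                if y not in H:
                    H.add(y)
                    new.append(y)
        frontier = new
    return frozenset(H)


def left_coset(elems_op, a, H):
    """a * H for one element a."""
    _, op = elems_op
    return frozenset(op(a, h) for h in H)


def left_cosets(elems, op, H):
    """The distinct left cosets of H; duplicates collapse because cosets are sets."""
    return {left_coset((elems, op), a, H) for a in elems}


def index(elems, op, H):
    """[G : H], the number of left cosets."""
    return len(left_cosets(elems, op, H))


def lagrange_holds(elems, op, H):
    """|H| divides |G|, [G:H] = |G|/|H|, and the cosets partition G."""
    cs = left_cosets(elems, op, H)
    return (len(elems) % len(H) == 0
            and len(cs) == len(elems) // len(H)
            and all(len(c) == len(H) for c in cs)
            and sum(len(c) for c in cs) == len(elems))  # disjoint and covering


# The slide's example: G = Z_18 under addition mod 18.
Z18 = list(range(18))
add18 = lambda a, b: (a + b) % 18

if __name__ == "__main__":
    H = generated_subgroup(Z18, add18, [3])
    K = generated_subgroup(Z18, add18, [6])
    print(sorted(H), index(Z18, add18, H), sorted(left_coset((Z18, add18), 7, H)))
    print(sorted(K), index(Z18, add18, K), sorted(left_coset((Z18, add18), 7, K)))
    print(lagrange_holds(Z18, add18, H), lagrange_holds(Z18, add18, K))
```

The same functions work for any finite group given as an element list and an operation, for example ℤp* under multiplication mod p, since nothing in them assumes commutativity except that only left cosets are computed.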
Generators and cyclic groups
• Let G = (S, ∗) be a group, and T ⊆ S.
• The subgroup generated by T, denoted <T>, is the subgroup of G whose members can be expressed as the combination (under ∗) of finitely many elements of T and their inverses.
• If T = {x}, we may write <x> instead of <T>.
  o <x> is called a cyclic group.
• If G = <T>, then we say T generates G; and the elements in T are called generators or group generators.
Examples
• Let G = ℤ18.
  o The group is cyclic: G = <1>.
  o <{6, 9}> = {(6a + 9b) mod 18 | a, b ∈ ℤ} = {0, 3, 6, 9, 12, 15}.
• Let G = ℤ11*.
  o The group is cyclic: G = <2>.
• Let G = ℤ12* = {1, 5, 7, 11}.
  o The group is NOT cyclic: <5> = {1, 5}, <7> = {1, 7}, <11> = {1, 11}, so no single element generates G.
• THEOREM: ℤn* is cyclic if and only if n is 1, 2, 4, p^k, or 2p^k for an odd prime p and k ≥ 1.
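Added example (not part of the slides): the cyclic subgroups and the cyclicity theorem for ℤn*, checked by computation. `cyclic_subgroup` lists the powers of an element, `is_cyclic_units` looks for an element of order φ(n), and `theorem_predicts_cyclic` encodes the characterization from the slide so the two can be compared for every n in a range. Names are this example's own.

```python
from math import gcd


def units(n):
    """Elements of Z_n^*."""
    return [i for i in range(1, n) if gcd(i, n) == 1]


def cyclic_subgroup(a, n):
    """<a> in Z_n^*: the powers a, a^2, ..., up to and including 1 (a must be a unit)."""
    H, x = [], 1
    while True:
        x = x * a % n
        H.append(x)
        if x == 1:
            return sorted(H)


def element_order(a, n):
    return len(cyclic_subgroup(a, n))


def generators_of_units(n):
    """All g with <g> = Z_n^*, i.e. of order phi(n). Empty exactly when Z_n^* is not cyclic."""
    U = units(n)
    return [g for g in U if element_order(g, n) == len(U)]


def is_cyclic_units(n):
    return bool(generators_of_units(n))


def factor(n):
    """Trial-division factorization as {prime: exponent}; fine for the small n used here."""
    fs, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            fs[p] = fs.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        fs[n] = fs.get(n, 0) + 1
    return fs


def theorem_predicts_cyclic(n):
    """Z_n^* is cyclic iff n in {1, 2, 4}, or n = p^k, or n = 2 p^k for an odd prime p."""
    if n in (1, 2, 4):
        return True
    fs = factor(n)
    odd_primes = [p for p in fs if p != 2]
    return len(odd_primes) == 1 and fs.get(2, 0) <= 1


if __name__ == "__main__":
    print(cyclic_subgroup(2, 11))                       # all of Z_11^*
    print([cyclic_subgroup(g, 12) for g in units(12)])  # every <g> is tiny: not cyclic
    print(all(is_cyclic_units(n) == theorem_predicts_cyclic(n) for n in range(2, 200)))
```

The brute-force search is quadratic in φ(n) and meant for checking the theorem on small moduli; for cryptographic sizes one finds generators by factoring p − 1 and testing g^((p−1)/q) ≠ 1 for each prime factor q instead.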
Fermat–Euler theorem from Lagrange's theorem
• Fermat–Euler theorem: If n is a positive integer and a ∈ ℤn*, then a^φ(n) ≡ 1 (mod n).
• PROOF: Let <a> be the subgroup of ℤn* generated by a, and let k be its order. Then:
    <a> = {a, a², …, a^k = 1}.
  o Lagrange's theorem states that |<a>| = k divides |ℤn*| = φ(n).
  o Let M be an integer such that φ(n) = kM. Consequently:
    a^φ(n) = a^(kM) = (a^k)^M = 1^M = 1.
Groups of prime order
• Let G = (S, ∗) be a group of prime order p.
• THEOREM: Every non-identity element of G is a generator of G.
• PROOF: Easy using Lagrange's theorem.
  o The order of any cyclic subgroup of G is either 1 or p (since it must divide p).
  o The only cyclic subgroup of order 1 is <e>.
  o For a non-identity group element g, we have |<g>| = p.
  o Therefore, <g> = G.
Groups of prime order (Cont'd)
• Groups of prime order are important in cryptography.
• Recall from the midterm exam that we constructed an efficient algorithm D which distinguished DDH triplets in ℤp* (of order p − 1):
    (g^a, g^b, g^(ab)) and (g^a, g^b, g^c)
• The idea was to use the Legendre symbol.
  o The Legendre symbol of the generator g is −1.
  o The Legendre symbol of g^x is −1 if x is odd, and +1 otherwise.
• Assignment: In a subgroup <h> ⊆ ℤp* of odd prime order q, the Legendre symbol of any element is +1.
Constructing a subgroup of prime order from ℤp*
• Cauchy's theorem: Let G be a finite group and q be a prime number. If q divides |G|, then G contains an element of order q.
• Let q be a prime divisor of p − 1.
  o By Cauchy's theorem, ℤp* contains an element g of order q.
  o <g> is a subgroup of ℤp* of prime order.
• Example: Let G = ℤ23*, and q = 11. There are 10 elements of order q:
    2, 3, 4, 6, 8, 9, 12, 13, 16, 18.
  They all generate the following subgroup of G:
    {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}.
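The previous two slides, as one added example (not from the slides): the Legendre-symbol test on DDH triples, and why moving to a prime-order subgroup defeats it. The code computes the symbol by Euler's criterion, finds the elements of order q in ℤ23* and the subgroup they generate, then runs the midterm's distinguisher exhaustively over all triples (g^a, g^b, g^c). In ℤ23* itself (g = 5, a generator, chosen for this example) the test rejects half of all random triples and accepts every real DDH triple; in the order-11 subgroup <2> every element is a quadratic residue, so the test accepts everything and has zero advantage. Function names are this example's own.

```python
def legendre(x, p):
    """Legendre symbol (x/p) for an odd prime p and p not dividing x, via Euler's
    criterion: x^((p-1)/2) mod p is 1 for a quadratic residue and p-1 otherwise."""
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def elements_of_order(p, q):
    """Elements of Z_p^* of prime order q (q must divide p-1): x != 1 with x^q = 1."""
    return [x for x in range(2, p) if pow(x, q, p) == 1]


def subgroup_generated(h, p):
    """<h> inside Z_p^*, as a sorted list."""
    H, x = [1], h % p
    while x != 1:
        H.append(x)
        x = x * h % p
    return sorted(H)


def legendre_ddh_distinguisher(A, B, C, p):
    """Midterm test on (A, B, C) = (g^a, g^b, C) with g a generator of Z_p^*.
    Since (g^x / p) = (-1)^x, a genuine DDH triple has (C / p) = (-1)^(ab), which is
    -1 exactly when a and b are both odd. Returns True if the triple passes."""
    expected = -1 if legendre(A, p) == -1 and legendre(B, p) == -1 else 1
    return legendre(C, p) == expected


def distinguisher_advantage(g, p, order):
    """Fraction of triples (g^a, g^b, g^c), a, b, c in [0, order), that the test rejects,
    enumerated exhaustively (small groups only). 0.0 means the test learns nothing."""
    total = rejected = 0
    for a in range(order):
        for b in range(order):
            for c in range(order):
                total += 1
                if not legendre_ddh_distinguisher(pow(g, a, p), pow(g, b, p), pow(g, c, p), p):
                    rejected += 1
    return rejected / total


if __name__ == "__main__":
    p, q = 23, 11
    gens = elements_of_order(p, q)
    print(gens, subgroup_generated(gens[0], p))
    print("advantage in Z_23^* (g = 5):", distinguisher_advantage(5, p, p - 1))
    print("advantage in <2> of order 11:", distinguisher_advantage(2, p, q))
```

This is the concrete reason protocols such as Diffie–Hellman and ElGamal are run in a prime-order subgroup (or use a safe prime p = 2q + 1 and work in the order-q subgroup of quadratic residues) rather than in all of ℤp*: the low-order bits of the exponent would otherwise leak through the Legendre symbol.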
Permutations and symmetric groups
• Cauchy's two-line notation for a permutation:
    π = ( 1 2 3 4 5 )
        ( 5 3 4 1 2 )
• The above notation is interpreted as:
  o π permutes 1 to 5, 2 to 3, …
  o Equivalently, π(1) = 5, π(2) = 3, …
• Let Sn be the set of all permutations on {1, …, n}, endowed with function composition as operator.
• THEOREM: Sn is a group, called the symmetric group. Furthermore, |Sn| = n!.
• Example: S2 = { (1 2; 1 2), (1 2; 2 1) }.
(External) Direct product of groups
• Let G = (S, ∗) and H = (T, ⋄) be two groups. The (external) direct product of G and H is a group, denoted by G × H, and is defined as follows:
  o The elements of G × H are the elements of S × T (Cartesian product).
  o The operation on G × H is defined component-wise:
    (g1, h1) × (g2, h2) = (g1 ∗ g2, h1 ⋄ h2)
• Example: ℤ2 × ℤ3
  o Elements: {(0,0), (0,1), (0,2), (1,0), (1,1), (1,2)}
  o Sample operation: (0,2) + (1,2) = (0 + 1 mod 2, 2 + 2 mod 3) = (1,1)
Group homomorphism
• Let G = (S, ∗) and H = (T, ⋄) be two groups. A group homomorphism is a function h : G → H, such that for all u, v ∈ G:
    h(u ∗ v) = h(u) ⋄ h(v).
• Intuition: A group homomorphism preserves the algebraic structure: The group H in some sense has a similar algebraic structure as G, and the homomorphism h preserves that.
• Example: h(x) = x mod 2 is a homomorphism from ℤ10 to ℤ2. (This relies on 2 dividing 10; from ℤ11 the same map fails, since 10 + 1 = 0 in ℤ11 while h(10) + h(1) = 1.)
• Types of homomorphism: Endomorphism, Automorphism, Isomorphism.
Group isomorphism
• A bijective (one-to-one and onto) group homomorphism is called a group isomorphism.
• If G is isomorphic to H, we write G ≅ H.
• Isomorphism is a relabeling of group elements.
• Example: For a generator g of ℤp*, f(x) = g^x mod p is an isomorphism from ℤ(p−1) to ℤp*:
  o Let u, v ∈ ℤ(p−1).
  o g^((u + v) mod (p − 1)) mod p = ((g^u mod p) × (g^v mod p)) mod p.
• Assignment: If m and n are coprime, CRT implies:
    ℤm* × ℤn* ≅ ℤmn*.
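Added example (not part of the slides) covering the homomorphism and isomorphism slides: a brute-force checker for the homomorphism equation and for bijectivity, applied to the three maps just discussed, reduction mod 2, discrete exponentiation x ↦ g^x mod p, and the CRT map x ↦ (x mod m, x mod n). The parameters p = 23, g = 5 (a generator of ℤ23*), g = 2 (not a generator), m = 3, n = 5 are this example's choices, as are the function names.

```python
from itertools import product
from math import gcd


def is_homomorphism(dom, op1, cod, op2, h):
    """h maps dom into cod and h(u op1 v) == h(u) op2 h(v) for all u, v."""
    C = set(cod)
    return (all(h(u) in C for u in dom)
            and all(h(op1(u, v)) == op2(h(u), h(v)) for u, v in product(dom, repeat=2)))


def is_isomorphism(dom, op1, cod, op2, h):
    """A homomorphism that is injective (no two elements share an image) and onto cod."""
    images = [h(u) for u in dom]
    return (is_homomorphism(dom, op1, cod, op2, h)
            and len(set(images)) == len(dom)
            and set(images) == set(cod))


def z_add(n):
    return list(range(n)), (lambda a, b: (a + b) % n)


def z_mul(n):
    return [i for i in range(1, n) if gcd(i, n) == 1], (lambda a, b: (a * b) % n)


def product_group(G, H):
    """External direct product with the component-wise operation."""
    (S, op1), (T, op2) = G, H
    return [(s, t) for s in S for t in T], (lambda x, y: (op1(x[0], y[0]), op2(x[1], y[1])))


def reduction_mod_2_is_hom(n):
    """x -> x mod 2 from Z_n to Z_2; a homomorphism exactly when 2 divides n."""
    return is_homomorphism(*z_add(n), *z_add(2), lambda x: x % 2)


def discrete_exp_is_iso(g, p):
    """x -> g^x mod p from Z_(p-1) to Z_p^*; an isomorphism exactly when g generates Z_p^*."""
    return is_isomorphism(*z_add(p - 1), *z_mul(p), lambda x: pow(g, x, p))


def crt_is_iso(m, n):
    """x -> (x mod m, x mod n) from Z_mn^* to Z_m^* x Z_n^*; an isomorphism when gcd(m, n) = 1."""
    return is_isomorphism(*z_mul(m * n), *product_group(z_mul(m), z_mul(n)),
                          lambda x: (x % m, x % n))


if __name__ == "__main__":
    print(reduction_mod_2_is_hom(10), reduction_mod_2_is_hom(11))  # True False
    print(discrete_exp_is_iso(5, 23), discrete_exp_is_iso(2, 23))  # True False
    print(crt_is_iso(3, 5), crt_is_iso(4, 6))                      # True False
```

For g = 2 the exponentiation map is still a homomorphism, but its image is only the order-11 subgroup, so it is not onto; for m = 4, n = 6 the CRT map is a homomorphism but |ℤ24*| = 8 while |ℤ4* × ℤ6*| = 4, so it cannot be a bijection.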
Ring-like Structures
Ring-like structures
• A set S endowed with two operations:
  o An "addition-like" operator +
  o A "multiplication-like" operator ×
  is called a ring-like structure.
• Depending on the properties that + and × satisfy on S, various structures are defined: Rng, Semiring, Near-ring, Near-semiring, Ring, Commutative ring, Domain, Integral domain, Field, etc.
• We only study rings and fields.
Rings
• An algebraic structure R = (S, +, ×) is called a ring if:
  1. (S, +) is an Abelian group;
  2. (S, ×) is a monoid (closure, associativity, identity element);
  3. × distributes over +. For all a, b, c in S:
     a × (b + c) = a × b + a × c (left distributivity)
     (b + c) × a = b × a + c × a (right distributivity)
• Examples:
  o (ℤ, +, ×)
  o (ℤn, + (mod n), × (mod n))
  o 2-by-2 matrices over ℝ with + and ×. (Non-commutative ring)
• Non-examples:
  o (2ℤ, +, ×): No multiplicative identity (Ring with no "i": Rng).
  o (ℤ, +, ÷): ℤ is not closed under ÷, so (ℤ, ÷) is not a monoid.
Characteristic
• The characteristic of a ring R, denoted char(R), is the smallest positive integer n such that
    n · 1 = 1 + ⋯ + 1 (n times) = 0,
  where 1 is the ring's multiplicative identity element, and 0 is the ring's additive identity element.
• If such a number n does not exist, char(R) = 0.
• Examples:
  o char(ℤ) = 0
  o char(ℤn) = n
Ring homomorphism
• Let R = (S, +, ×) and R′ = (T, ⊕, ⊗) be two rings. A ring homomorphism is a function h : R → R′, such that for all u, v ∈ R:
    h(u + v) = h(u) ⊕ h(v)
    h(u × v) = h(u) ⊗ h(v)
    h(1_R) = 1_R′
  where 1_R and 1_R′ are the multiplicative identities of R and R′, respectively.
• Example: h(x) = x mod n is a homomorphism from (ℤ, +, ×) to (ℤn, + (mod n), × (mod n)).
• Isomorphism: A bijective homomorphism.
Fields
• A field is a special kind of ring.
  o Concepts such as ring homomorphism, isomorphism, and characteristic carry over to the case of fields.
• An algebraic structure F = (S, +, ×) is called a field if:
  1. (S, +) is an Abelian group.
  2. (S − {0}, ×) is an Abelian group. (0 is the additive identity)
  3. × distributes over +.
• Examples:
  o (ℚ, +, ×)
  o (ℝ, +, ×)
  o (ℤp, + (mod p), × (mod p)) (p is a prime number)
Finite fields
• Finite field: A field whose order (number of elements) is finite. Also called Galois Fields (GF).
• THEOREM 1: The order of a finite field is equal to p^k for some k ≥ 1 (p is a prime).
• A finite field of order p^k is denoted GF(p^k).
• THEOREM 2: All finite fields of the same order are isomorphic.
• COROLLARY: GF(p) ≅ ℤp.
• Assignment: Write down the Cayley tables for GF(4).
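The GF(4) assignment, worked as an added example (not part of the slides) that also covers the general GF(2^k) case. Elements are bit strings read as polynomials over GF(2); addition is XOR and multiplication is polynomial multiplication reduced by an irreducible polynomial of degree k. For GF(4) the modulus is x² + x + 1 (the only irreducible quadratic over GF(2)); the same code with k = 8 and the AES polynomial x⁸ + x⁴ + x³ + x + 1 (0x11b) gives the field used by the AES S-box. `is_field` checks the one axiom that depends on the choice of modulus, invertibility of every nonzero element, and shows that a reducible modulus such as x² + 1 = (x + 1)² yields a ring with zero divisors instead. Function names are this example's own.

```python
def gf_mul(a, b, k, mod):
    """Multiply a and b as polynomials over GF(2) (bit i is the coefficient of x^i),
    reducing by `mod`, a degree-k polynomial whose x^k bit is set. Shift-and-add:
    a is kept below 2^k by XORing in the modulus whenever bit k becomes set."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> k:
            a ^= mod
    return r


def gf_pow(a, e, k, mod):
    """Square-and-multiply exponentiation in GF(2^k)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, k, mod)
        a = gf_mul(a, a, k, mod)
        e >>= 1
    return r


def gf_inv(a, k, mod):
    """a^(2^k - 2) = a^-1 for a != 0: the multiplicative group has order 2^k - 1,
    so a^(2^k - 1) = 1 (Fermat-Euler in that group)."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    return gf_pow(a, (1 << k) - 2, k, mod)


def cayley_tables(k, mod):
    """Addition (XOR) and multiplication tables of GF(2)[x]/(mod), rows/columns 0..2^k-1."""
    n = 1 << k
    add = [[a ^ b for b in range(n)] for a in range(n)]
    mul = [[gf_mul(a, b, k, mod) for b in range(n)] for a in range(n)]
    return add, mul


def is_field(k, mod):
    """(S, XOR) is always an Abelian group and polynomial multiplication always
    distributes over XOR, so the ring axioms hold for any modulus. What makes it a
    field is that every nonzero element has an inverse, which holds exactly when
    `mod` is irreducible. Checked by brute force."""
    n = 1 << k
    return all(any(gf_mul(a, b, k, mod) == 1 for b in range(1, n)) for a in range(1, n))


def print_table(name, table):
    print(name)
    for row in table:
        print(" ".join(f"{x:2d}" for x in row))


if __name__ == "__main__":
    add, mul = cayley_tables(2, 0b111)      # GF(4) = GF(2)[x] / (x^2 + x + 1)
    print_table("GF(4) +", add)
    print_table("GF(4) x", mul)
    print(is_field(2, 0b111), is_field(2, 0b101))            # True False
    print(hex(gf_inv(0x53, 8, 0x11b)), is_field(8, 0x11b))   # 0xca True
```

In the printed GF(4) tables the elements 0, 1, 2, 3 stand for 0, 1, x, x + 1; the multiplication table shows 2 × 2 = 3 (x² = x + 1) and 2 × 3 = 1, so x and x + 1 are each other's inverses. The inverse 0x53 ↦ 0xCA is the worked example from the AES specification (FIPS-197, section 4.2).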