B. Some Preliminary Mathematical Notation

A message to be encrypted or sent will be generally denoted as M. Remember that, to the computer, the string of 1s and 0s that make up M can be treated as a binary number, whether M is “I love you” or “You owe me $500” or “Bank number 437695B.” Encryption may involve raising this number to a power.

The notation E(x) will denote an encryption algorithm or function, while D(x) will denote a decryption algorithm or function. An encrypted message would thus be designated as E(M), while a decryption of this encrypted message would be shown as D(E(M)). Of course this latter term is just the original message, so D(E(M)) = M.

If a message is encrypted or decrypted using the symmetric key k, then the notation E_k(x) or D_k(x) will be used. If a public-key system is involved, then the public key will be denoted pk, while the private (secret) key will be denoted sk. In a symmetric encryption system, D_k(E_k(M)) = M, because the same key is used to decrypt the message that was used to encrypt it. In a public-key system, one key must be used to encrypt and the other to decrypt. Hence D_sk(E_pk(M)) = M and also D_pk(E_sk(M)) = M. In the first case, the message is encrypted with Alice's public key, then decrypted by Alice using her secret key. In the second case, common in digital signatures, Alice encrypts the message with her secret key, and then it is decrypted by someone else using Alice's public key.

The sign “^” will be used to mean “raised to the power of”; for example, 2^3 = 8, since 2 raised to the power of 3 equals 8. (Note that in the computer language Fortran, b^y would be written b**y.) A single *, by contrast, denotes multiplication: “three times b equals 12” would be written “3*b = 12”, or perhaps simply as “3b = 12”. The notation log_b (y) will denote the logarithm of y with respect to base b. For example, log_2 (8) = 3, since the logarithm of 8 (to the base 2) is 3. Finally, mod p will denote “arithmetic done modulo p”.
By this we will mean "divide by p, and keep the remainder r, 0 <= r < p." Modulo 3, for example, will divide any positive whole number by 3, and take the remainder (which will be either 0, 1, or 2). For example, 7 mod 3 = 1, since 3 goes into 7 twice, with 1 left over. The number we divide by (3, in this example) is called the "modulus". Similarly, 62 mod 25 = 12. That is, when 25 is the modulus, 62 = 25*2 + 12 = 12. But if 3 were the modulus, 62 = 3*20 + 2 = 2.

In general, we will write a = b mod n, meaning that a mod n = b mod n. For example, 67 = 11 mod 7, because 67 mod 7 = 4 and also 11 mod 7 = 4. Hence a = b mod n means that for some integers k1 and k2,

a = k1*n + r (0 <= r < n)
b = k2*n + r .

Hence also a - b = (k1-k2)*n, so that n divides into a-b a whole number of times (namely, k1-k2 times). Restated, “n divides a-b”, which may also be written “n|(a-b)”. Thus, in the previous example, 67 = 11 mod 7 means that for integers k1 = 9 and k2 = 1,

67 = 9*7 + 4 (0 <= 4 < 7)
11 = 1*7 + 4 .

Hence also 67-11 = (k1-k2)*7 = (9-1)*7 = 8*7, so that 7 divides into 67-11 a whole number of times (8 times). We could also write 7|(67-11) or 7|56.

If we do calculations this way, using whole numbers, dividing by the modulus, and throwing away everything except the remainder, we are doing modular arithmetic. Most computers are not constructed to do modular arithmetic very well, because they aren't set up to keep track of whole numbers beyond a certain length: they would much rather stick in a decimal point somewhere, and keep track of only a few numbers (floating point arithmetic). Consider, for example, 3.7B3579D4F6821 x 16^73. This is a very large number, but the computer essentially just keeps track of 16 hexadecimal numbers (64 bits): namely 3,7,B,3,5,7,9,D,4,F,6,8,2,1 and the digits in the power: 7 & 3. But public key cryptography may use "keys" whose length is 2048 bits or more.
Therefore most computer implementations of public key cryptography involve computer software which works around the hardware limitations, or else use specially constructed cryptographic chips.

Remember also that by convention exponentiations take place before multiplications. Hence 3*5^2 = 3*25 = 75. But (3*5)^2 = 15^2 = 225. Note also that (3*5)^2 = 3^2*5^2 = 9*25 = 225. That is, in general, (x*y)^z = x^z*y^z.

C. Modular Arithmetic and the Groups Z(p)* and G(q)

In most of the calculations involving public key cryptography and digital cash, we will be dealing with the set of integers from 0 to p-1, where p is some large prime. This follows from the fact that we will be doing multiplication mod p. We will also be using a set of integer powers from 1 to q, where q is some large prime number that divides p-1. That is, multiplication and exponentiation (taking powers) will take place within the groups Z(p)* and G(q), which we will define and explain in this section.

The two groups Z(p)* and G(q) are very important for public key cryptography and digital cash. They play roles in Diffie-Hellman key exchange, in the Schnorr signature scheme, in the Digital Signature Algorithm, and in the digital cash system of Stefan Brands. That is, the arithmetic is done in Z(p)* or in a group G(q) of powers of prime order q, where q divides p-1. So it is important to understand what these groups are.

The set Z(p)* = {1, 2, 3, 4, ..., p-2, p-1}. If we multiply any two numbers in this set together, and reduce the product mod p, the result is a number in the set. So the set is closed under multiplication. In addition, if we take any number k from the set, there exists another number k^-1, such that k*k^-1 = 1 mod p. That is, any number in the set has a multiplicative inverse. These two characteristics mean that Z(p)* is a group under multiplication mod p. Sometimes the term "multiplicative group" is used.
Since Z(p)* is a group under multiplication, it is also a group under exponentiation (taking powers), since the n-th power of a number is simply the multiplication of a number by itself n times. (Note that 0 is omitted from Z(p)* because it doesn't have a multiplicative inverse. If we add 0 to the set Z(p)*, we get the set Z(p), which consists of all remainders mod p, including 0.)

For example, Z(11)* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}. If we multiply 5 and 8 from the set, we have 5*8 = 40 = 7 mod 11, and 7 is an element in the set. Also we have 5*9 = 45 = 1 mod 11, so that 9 is the multiplicative inverse of 5. Similarly, 5 is the multiplicative inverse of 9. If k = 5, then k^-1 = 9. Similarly, 2 and 6 are multiplicative inverses, as are 3 and 4. What is the multiplicative inverse of 10? (Answer: 10 is its own multiplicative inverse, since 10*10 = 100 = 1 mod 11.) Also, if we exponentiate a number from the set, say 6 to the third power, we have 6^3 = 6*6*6 = 216 = 7 mod 11, so we are again left with an element in the set. The set is closed under multiplication and exponentiation mod 11, and each element has an inverse, so Z(11)* is a group.

Each element has a multiplicative inverse in Z(p)* because p is a prime number. Since p is prime, the only common divisor of p and each of the numbers in the set Z(p)* = {1, 2, 3, ..., p-1} is 1. Restated, the greatest common divisor (gcd) of p and any number in the set is 1. That is, gcd(1,p) = 1, gcd(2,p) = 1, gcd(3,p) = 1, ..., gcd(p-1,p) = 1.

The same is not true if we do modular multiplication with a composite number (i.e. a number which is the product of at least two numbers, each greater than 1). For example, the number 15 = 3*5, so it is composite. Suppose we do multiplication mod 15, using numbers from the set {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14}. What is the inverse of the number 6 from this set?
Answer: there is no inverse for 6, as we can see by multiplying 6 by all numbers less than 15:

6*0 = 6*5 = 6*10 = 0 mod 15
6*1 = 6*6 = 6*11 = 6 mod 15
6*2 = 6*7 = 6*12 = 12 mod 15
6*3 = 6*8 = 6*13 = 3 mod 15
6*4 = 6*9 = 6*14 = 9 mod 15.

There is no number which multiplied by 6 equals 1 mod 15. In addition, we obtain 0 as the result of some multiplications, so the set is not closed. (6 and 5 are in the set, but 6*5 mod 15 = 0, which is not in the set.) Hence, this set (the set of whole numbers from 1 to 14) is not a multiplicative group mod 15.

Returning to the set Z(p)*, we can define some other operations, in addition to multiplication and exponentiation. We can define division by k as multiplication by the inverse of k, namely k^-1. Thus 8/k = 8*k^-1, by definition. If k = 9 in Z(11)*, then 8/9 = 8*9^-1 = 8*5 = 40 = 7 mod 11. Similarly, 3/10 = 3*10^-1 = 3*10 = 30 = 8 mod 11.

Let g be a member of Z(p)*. Then g is said to be a generator mod p if the set of powers of g, namely the set {g^1 mod p, g^2 mod p, ..., g^(p-1) mod p}, contains, in some order, all the members of Z(p)*:

{g, g^2, g^3, ..., g^(p-2), g^(p-1)} mod p = {1, 2, 3, ..., p-2, p-1}, in some order.

That is, the set Z(p)* = {1, 2, ..., p-1} represents a rearrangement of {g, g^2, g^3, ..., g^(p-1)}, when all calculations are done mod p. (For convenience we write mod p outside the brackets when it applies to each element in the set, or omit it altogether, if it is understood.) For example, 3 is a generator of Z(7)*, since

3^1 = 3 mod 7
3^2 = 2 mod 7
3^3 = 6 mod 7
3^4 = 4 mod 7
3^5 = 5 mod 7
3^6 = 1 mod 7.

Or, restated, {3, 3^2, 3^3, 3^4, 3^5, 3^6} = {1, 2, 3, 4, 5, 6} when calculations are done mod 7. The two sets have the same elements, although not necessarily in the same order. A rearrangement of the order of the elements of a set is called a permutation. The powers of the generator 3 give a permutation of Z(7)*.

A generator-tuple mod p is a set of k generators, which are all different.
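To check the group properties just described by machine, here is an added Python example (not part of the original text): it computes inverses mod n with the extended Euclidean algorithm, lists the elements of {1, ..., n-1} that have no inverse, lists the products that fall to 0, and performs the division-by-inverse operation, using the moduli 11, 15 and 7 from the text. The function names are my own.

```python
# Added example (not from the original text): checks the group properties the
# section describes for multiplication mod n, and shows why a prime modulus
# matters. Sample moduli 11, 15 and 7 are the ones the text uses.
from math import gcd


def ext_gcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def inverse(k, n):
    """Multiplicative inverse k^-1 mod n, or None when gcd(k, n) != 1."""
    g, s, _ = ext_gcd(k % n, n)
    return s % n if g == 1 else None


def divide(a, k, n):
    """a/k mod n, defined in the text as a * k^-1 mod n."""
    inv = inverse(k, n)
    if inv is None:
        raise ValueError(f"{k} has no inverse mod {n}")
    return (a * inv) % n


def non_invertible(n):
    """Elements of {1, ..., n-1} with no inverse mod n (empty iff n is prime)."""
    return [k for k in range(1, n) if gcd(k, n) != 1]


def zero_divisors(n):
    """Pairs (a, b), a <= b, in {1, ..., n-1} with a*b = 0 mod n.
    Any such pair shows the set is not closed under multiplication mod n."""
    return [(a, b) for a in range(1, n) for b in range(a, n) if (a * b) % n == 0]


def is_multiplicative_group(n):
    """{1, ..., n-1} is a group under multiplication mod n exactly when every
    element has an inverse and no product falls to 0; both hold iff n is prime."""
    return not non_invertible(n) and not zero_divisors(n)


if __name__ == "__main__":
    print(inverse(5, 11), inverse(10, 11))       # 9 and 10, as in the text
    print(divide(8, 9, 11), divide(3, 10, 11))   # 7 and 8, as in the text
    print(inverse(6, 15), zero_divisors(15))     # None; (3, 5), (3, 10), (5, 6), ...
    print(is_multiplicative_group(11), is_multiplicative_group(15))  # True False
```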
That is, {g1, ..., gk} is a generator-tuple if each gi is a generator mod p, and also gi is not equal to gj, if i is not equal to j. For example, {3, 5} is a generator-tuple of Z(7)*, because both 3 and 5 are generators of Z(7)*. Each element in Z(7)* can be represented both as a power of 3 and a power of 5:

1 = 3^6 mod 7 = 5^6 mod 7
2 = 3^2 mod 7 = 5^4 mod 7
3 = 3^1 mod 7 = 5^5 mod 7
4 = 3^4 mod 7 = 5^2 mod 7
5 = 3^5 mod 7 = 5^1 mod 7
6 = 3^3 mod 7 = 5^3 mod 7.

The number 2 is not a generator mod 7, because the powers of 2 only yield 1, 2, or 4, mod 7: {2, 2^2, 2^3} = {1, 2, 4}. Note, however, that the powers of 2 mod 7 yield a subset of Z(7)*. The set {1, 2, 4} is a subset of {1, 2, 3, 4, 5, 6} = Z(7)*. The number 2 is thus said to "generate the subgroup G(3)" mod 7. The designation "G(3)" means there are 3 elements in the group. Alternatively stated, 3 is the lowest power of 2 that yields 1 mod 7. G(3) is a group, because it is closed under multiplication mod 7:

1*1 = 1 mod 7   2*1 = 2 mod 7   4*1 = 4 mod 7
1*2 = 2 mod 7   2*2 = 4 mod 7   4*2 = 1 mod 7
1*4 = 4 mod 7   2*4 = 1 mod 7   4*4 = 2 mod 7

and because each element in G(3) also has an inverse. Note that the number 4 is also a generator of G(3) = {1, 2, 4} mod 7, since {4, 4^2, 4^3} = {4, 2, 1} mod 7 = {1, 2, 4}.

A group generated by an element g is said to have order q mod p provided q is the lowest power such that g^q = 1 mod p. The two generators of Z(7)* that we saw previously, namely 3 and 5, are said to have order 6 mod 7, because 6 is the smallest power of 3 or 5 that gives 1 mod 7. That is, 1 = 3^6 = 5^6 mod 7, and no smaller power has this property. By contrast, the generators of G(3), namely 2 and 4, have order 3, because 2^3 = 4^3 = 1 mod 7, and no lower power of 2 or 4 equals 1.

In general, for q prime, 1 < q < p, we define G(q) as the group (or subgroup) of prime order q, mod p, if for some generator g, 1 < g < p, we have that {g, g^2, g^3, ..., g^q} is a subset of Z(p)*.
That is, the powers of g yield each of the elements in the subgroup. Note, by definition, q is the lowest power of g that gives 1; hence, g^q = 1 mod p. Thus powers larger than q simply start over and run through the same set of numbers. If g^q = 1 mod p, then g^(q+1) = g mod p, g^(q+2) = g^2 mod p, and so on. For example, 2^3 = 1 mod 7. So higher powers of 2 yield the same numbers over and over:

2^4 = 2^1 = 2 mod 7
2^5 = 2^2 = 4 mod 7
2^6 = 2^3 = 1 mod 7
etc.

Note that if g is an element of the group Z(p)*, then g is a generator of Z(p)* if g is an element of order p-1. That is, if g^(p-1) = 1, and no lower power equals 1. For then, it would necessarily follow that the powers of g mod p, namely g^1, g^2, ..., g^(p-1), run through all the numbers 1, 2, ..., p-1.

Fermat's theorem says that for any prime p, and number k not divisible by p, we have

k^(p-1) = 1 mod p.

Of course, the integers 1, 2, 3, ..., p-1 are not divisible by p, so any of these integers raised to the power p-1 equals 1 mod p, by Fermat’s theorem. Hence for k an element of Z(p)*, we have k^(p-1) = 1 mod p. For example, for Z(11)*, we have p-1 = 10, and a check shows that, mod 11, 1^10 = 2^10 = 3^10 = 4^10 = 5^10 = 6^10 = 7^10 = 8^10 = 9^10 = 10^10 = 1.

Note that we are not saying that any number k < p has order p-1 mod p. The order of k may be smaller than this. For example, 2 has the order 3 mod 7, as 2^3 = 1 mod 7. But it is also true that 2^(7-1) = 2^6 = 1 mod 7, as required by Fermat's theorem. And obviously 2^6 = (2^3)^2 = (1)^2 = 1 mod 7.

It is easy to see that, as a consequence of Fermat's theorem, the order q of any element of a multiplicative group mod p must divide p-1. This is known as Lagrange's theorem. For example, in the case p = 7, we have p-1 = 7-1 = 6, so the order of any element must divide into 6 a whole number of times. We saw previously that 3 and 5 have order 6 in Z(7)*, and 6|(7-1). Similarly, we saw that 2 and 4 have order 3 mod 7, and 3|(7-1).
The reason it works this way is that if an element g is of order q mod p, then g^q = 1 mod p. But it's also true by Fermat's theorem that g^(p-1) = 1 mod p. So if q didn't divide p-1 a whole number of times, then for some number k, p-1 = k*q + r, where 0 < r < q. Thus we would have that 1 = g^(p-1) = g^(k*q+r) = (g^q)^k*g^r = 1*g^r, which implies g^r = 1. This in turn implies that g has order r less than q, a contradiction.

Euler's totient function t(n) for a positive integer n is the number of positive integers less than n that are relatively prime to n. That is, the number of positive integers k, 0 < k < n, with gcd(k,n) = 1. If n = p is prime, then all positive numbers less than p are relatively prime to p, so t(p) = p-1. For example, for n = p = 7, the numbers 1, 2, 3, 4, 5, and 6 are all relatively prime to 7, so t(7) = 6. For n = 4, the numbers 1, 3 are relatively prime to 4, so t(4) = 2. For n = 15, the numbers 1, 2, 4, 7, 8, 11, 13, 14 are relatively prime to 15, so t(15) = 8. (The other numbers, namely 3, 5, 6, 9, 10, 12, have divisors in common with 15.)

Euler's theorem states that for any number n and any number k relatively prime to n, we have

k^t(n) = 1 mod n.

Note that Euler's theorem applies to composite numbers n, as well as prime numbers. For example let n = 15. The number 2 is relatively prime to 15, so by Euler's theorem we have 2^t(15) = 2^8 = 1 mod 15.

We will use Euler's theorem later when we look at the RSA crypto-system. RSA uses large numbers n which are composite (namely the product of two primes), and hence Fermat's theorem does not apply: it is not true, in general, that k^(n-1) = 1 mod n, for n composite, even if k is relatively prime to n. For example, 2^(15-1) = 2^14 = 4 mod 15. That is, the order of k does not necessarily divide n-1, for n composite. The number 2 is relatively prime to 15, but it has order 4, as 2^4 = 1 mod 15. And 4 does not divide 15-1 = 14. However, the order 4 does divide t(15) = 8.
Another result from number theory (the proof of which will not be explored here) is that, for p prime, the number of generators mod p is t(p-1). For example, the number of generators mod 7 is t(7-1) = t(6). Now t(6) is by definition the number of positive integers less than 6 that are relatively prime to 6. There are two such numbers; namely, 1 and 5. So there are a total of two generators mod 7. Both of these generators (namely, 3 and 5) were shown previously. (The significance of the numbers 1 and 5 here is that if we have a generator g, then both g^1 and g^5 will be generators. Thus 3 and 3^5 = 5 mod 7 are generators. Alternatively, since 5 is a generator, both 5 and 5^5 = 3 mod 7 are generators.)

Consider now the group G(q) of prime order q mod p (i.e., both p and q are prime). Since the order of any element mod p must divide p-1, it follows that q must divide p-1. How many generators of the subgroup G(q) are there? The answer is that for each m that divides p-1, there are t(m) generators of order m, where t is Euler's totient function. In the case m = q is prime, there are thus t(q) = q-1 generators. That is, there are q-1 generators of the subgroup G(q) of prime order q mod p. This fact assures us that for large q we have plenty of generators to choose from.

For example, since 3 divides 7-1 = 6, there are t(3) = 2 generators of order 3 mod 7. That is, there are two generators of the subgroup G(3) = {1, 2, 4}. (Note that both 2 and 4 are generators of G(3).) Similarly, since 2 divides 7-1 = 6, there is t(2) = 1 generator of order 2 mod 7. (Check that 6 is a generator of order 2 mod 7, yielding the subgroup G(2) = {1, 6}.) Notice that since 2, 3, and 6 all divide p-1 = 7-1, the possible subgroups mod 7 are these:

Subgroups of Z(7)*            Generators gi mod 7
G(2) = {1, 6}                 6
G(3) = {1, 2, 4}              2, 4
G(6) = {1, 2, 3, 4, 5, 6}     3, 5

We see that G(6) = Z(7)* has only two generators (and not 6-1 = 5), because 6 is not a prime factor of p-1. Rather, t(6) = 2.
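An added Python example (not from the original text) that puts the preceding discussion of orders, generators, the subgroups G(q) and the totient counts into code: it computes the order of each element, rebuilds the subgroup table above for p = 7 (and for any other prime), checks that exactly t(m) elements have order m for each m dividing p-1, and contrasts Euler's theorem with Fermat's for the composite modulus 15. The function names are my own.

```python
# Added example (not from the original text): computes orders, generators and
# the subgroup table of Z(p)* as the section describes, and checks the claim
# that exactly t(m) elements have order m for each m dividing p-1.
# Sample primes 7 and 23 and the composite 15 are the ones the text uses.
from math import gcd


def order(g, p):
    """Smallest q >= 1 with g^q = 1 mod p (by Lagrange, q divides p-1)."""
    if gcd(g, p) != 1:
        raise ValueError(f"{g} is not in Z({p})*")
    q, acc = 1, g % p
    while acc != 1:
        acc = (acc * g) % p
        q += 1
    return q


def totient(n):
    """Euler's t(n): how many k with 0 < k < n are relatively prime to n."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)


def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]


def subgroup(g, p):
    """The subgroup generated by g: {g, g^2, ..., g^q} mod p, sorted."""
    return sorted({pow(g, i, p) for i in range(1, order(g, p) + 1)})


def generators(p):
    """Generators of Z(p)*: the elements of order p-1; there are t(p-1) of them."""
    return [g for g in range(1, p) if order(g, p) == p - 1]


def subgroup_table(p):
    """One row (m, elements of G(m), generators of G(m)) per m dividing p-1.
    Like the text's tables, the trivial subgroup G(1) = {1} is left out."""
    rows = []
    for m in divisors(p - 1):
        if m == 1:
            continue
        gens = [g for g in range(1, p) if order(g, p) == m]
        assert len(gens) == totient(m), "exactly t(m) elements have order m"
        rows.append((m, subgroup(gens[0], p), gens))
    return rows


def euler_check(k, n):
    """k^t(n) mod n; Euler's theorem says this is 1 whenever gcd(k, n) = 1,
    for composite n as well as prime n."""
    return pow(k, totient(n), n)


if __name__ == "__main__":
    for m, elems, gens in subgroup_table(7):
        print(f"G({m}) = {elems}   generators: {gens}")
    print(generators(23))                          # the 10 generators of Z(23)*
    print(euler_check(2, 15), pow(2, 15 - 1, 15))  # 1, but 2^14 = 4 mod 15
```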
For p = 23, and q = 11, there are t(11) = 10 generators of G(11) = {2, 4, 8, 16, 9, 18, 13, 3, 6, 12, 1}. The number 2 is one such generator mod 23. Any member of G(11), except the integer 1, is a generator of the group. Note in this last example that 2 and 22 also divide p-1 = 23-1. There are thus t(2) = 1 generator of G(2), and t(22) = 10 generators of G(22) = Z(23)*. Thus, of the 22 elements in Z(23)*, 10 are of order 22, 10 of order 11, and 1 is of order 2. (Check that G(2) = {1, 22}.)

Subgroups of Z(23)*                               Generators gi mod 23
G(2) = {1, 22}                                    22
G(11) = {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}     2, 3, 4, 6, 8, 9, 12, 13, 16, 18
G(22) = Z(23)* = {1, 2, 3, ..., 22}               5, 7, 10, 11, 14, 15, 17, 19, 20, 21

We can define discrete logarithms in either Z(p)* or G(q) by the following mechanism. Let g be a generator of one of these two groups, and let y be the x-th power of g, modulo p:

y = g^x mod p.

Then x is the (discrete) logarithm of y to the base g, modulo p:

x = log_g (y) mod p.

For example, 2^5 = 9 mod 23, so 5 = log_2 (9) mod 23. The integer 5 is the log of 9 (to the base 2) mod 23. Similarly, 3^6 = 1 mod 7, so 6 = log_3 (1) mod 7. The integer 6 is the log of 1 (to the base 3) mod 7.

Note for a generator g of G(q) mod p, that since g^q = 1, we always have q = log(1) mod p, for any base (generator) g. Hence, for a group of order q, q plays the role of zero, as g^q = g^0 = 1 mod p, and hence q = log(1) = 0 mod q. So for any power x of g in G(q), g^x mod p may be reduced mod q: g^x mod p = g^(x mod q) mod p. For example, we saw 2 had order q = 3 mod 7, since 2^3 mod 7 = 1. Hence for a power larger than 3, say 8: 2^8 mod 7 = 2^(8 mod 3) mod 7 = 2^2 mod 7 = 4. Once we get to the q-th power of g, g^q = 1, so for x = k*q+r, we have g^(k*q+r) = g^(k*q)*g^r = (g^q)^k*g^r = 1^k*g^r = g^r. So we can reduce x by dividing by q, and keeping only the remainder r.
For future reference, note the following fact about powers of g. If we have two numbers X = g^x mod p and Y = g^y mod p, then X*Y = g^x*g^y = g^(x+y) mod p. By contrast to this, we have X^y = (g^x)^y = g^(x*y) mod p, while Y^x = (g^y)^x = g^(x*y) mod p. Knowledge of the first result, g^(x+y) mod p, doesn't tell us anything about the latter result, g^(x*y) mod p. Only if we first took logs to the base g, and calculated x = log_g X mod p or y = log_g Y mod p, could we calculate g^(x*y).

For a simple example using small numbers, suppose g = 2 and p = 25307. Suppose also you observe X = 6113 and Y = 7984. Thus you know that X*Y = 6113*7984 = 2^(x+y) mod 25307. That is, 14296 = 2^(x+y) mod 25307. But what is g^(x*y) = 2^(x*y) mod 25307? To answer this question, you need to know x = log_2 (6113) mod 25307 or y = log_2 (7984) mod 25307. The difference between g^(x+y) and g^(x*y) brings us to Diffie-Hellman key agreement.
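An added Python example (not from the original text) covering the discrete-logarithm material above: a brute-force logarithm in the small groups the text uses, the reduction of an exponent mod the order q, and the g^(x+y) versus g^(x*y) contrast with the text's g = 2, p = 25307, X = 6113, Y = 7984. The exhaustive search is only feasible because p is tiny; the function names are my own.

```python
# Added example (not from the original text): brute-force discrete logs in the
# small groups the section uses, exponent reduction mod the group order q, and
# the g^(x+y) versus g^(x*y) contrast with the text's numbers g = 2, p = 25307.


def dlog(g, y, p):
    """Discrete log: smallest x >= 1 with g^x = y mod p, or None if y is not a
    power of g. A linear scan of all p-1 powers; fine only because p is tiny."""
    acc = g % p
    for x in range(1, p):
        if acc == y % p:
            return x
        acc = (acc * g) % p
    return None


def order(g, p):
    """Smallest q with g^q = 1 mod p; in the text's words, q = log_g(1)."""
    return dlog(g, 1, p)


def reduce_exponent(g, x, p):
    """g^x mod p equals g^(x mod q) mod p, where q is the order of g:
    q plays the role of zero in the exponent."""
    q = order(g, p)
    return pow(g, x % q, p)


def product_of_powers(X, Y, p):
    """X*Y = g^(x+y) mod p can be formed from the public values alone."""
    return (X * Y) % p


def power_product(g, X, Y, p):
    """g^(x*y) mod p. Needs x = log_g X or y = log_g Y; with a 2048-bit p the
    log is infeasible, which is what Diffie-Hellman key agreement relies on."""
    x = dlog(g, X, p)
    y = dlog(g, Y, p)
    if x is None or y is None:
        raise ValueError("X or Y is not a power of g mod p")
    # Either party reaches the same value with the exponent only it knows.
    assert pow(X, y, p) == pow(Y, x, p) == pow(g, x * y, p)
    return pow(X, y, p)


if __name__ == "__main__":
    print(dlog(2, 9, 23), dlog(3, 1, 7))            # 5 and 6, as in the text
    print(reduce_exponent(2, 8, 7), pow(2, 8, 7))   # 2^8 = 2^(8 mod 3) = 4 mod 7
    p, X, Y = 25307, 6113, 7984
    print(product_of_powers(X, Y, p))                # 14296, as in the text
    print(power_product(2, X, Y, p))                 # only reachable via a log
```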