Sharif University of Technology
Department of Computer Engineering
Data and Network Security Lab

Algebra & Cryptography
Author & Instructor: Mohammad Sadeq Dousti
Sharif University, Introduction to Modern Cryptography, Spring 2015 (slide 1 / 42)

Copyright Notice
- This set of slides is licensed under Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0.
- Basically, this license allows others to use the slides verbatim, and even modify and incorporate them into their own work, as long as:
  1. They credit the original author(s);
  2. Their work is used non-commercially;
  3. They license their work under CC BY-NC-SA 4.0.
- For further information, please consult:
  o https://creativecommons.org/licenses/by-nc-sa/4.0
  o https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode

Outline
- What is algebra?
- Group-like structures
  o Groups
- Ring-like structures
  o Rings
  o Fields
    - Finite fields

What is Algebra?

What is algebra?
- Algebra is the study of mathematical symbols and the rules for manipulating these symbols.
- Example: X² − 3X + 2 = 0
- The symbols can stand for any mathematical object:
  o Numbers, vectors, matrices, polynomials, …
- For instance, the following matrices satisfy the above identity:
  [1 0; 0 1], [1 0; 0 2], [2 0; 0 1], [2 0; 0 2]
- Example of a manipulation rule: you can add any constant to both sides of any identity.

From solving equations to abstract algebra
- Methods for solving linear (ax + b = 0) and quadratic (ax² + bx + c = 0) equations were known for centuries.
- General cubic and quartic equations were solved in the 16th century CE.
  o The solutions were expressed in terms of basic arithmetic operations (+, −, ×, ÷), as well as radicals.
- No such method was known for general equations of degree 5 or higher.
  o Working independently, Abel and Galois proved that giving such a method is impossible.
  o Along the way, they laid the foundation of abstract algebra.

Founders of abstract algebra
- Niels Henrik Abel (1802 – 1829)
  o Norwegian mathematician
  o Lived in poverty
  o Contracted tuberculosis
  o Died at the age of 26 in Paris
- Évariste Galois (1811 – 1832)
  o French mathematician
  o Lived a wealthy life
  o Got involved in army & politics
  o Died in a duel at the age of 20 in Paris

Group-like Structures

Algebraic structures
- A set S endowed with one or more finitary operations is called an algebraic structure.
- Let S be a set, and ∘ : S × S → S be a binary operation. The pair (S, ∘) is called a group-like structure.
- Depending on the properties that ∘ satisfies on S, the structure is called by various names (semicategory, category, groupoid, magma, quasigroup, loop, semigroup, monoid, group, Abelian group, …).
- If ∘ behaves like multiplication, it is denoted by ×, and the structure is called multiplicative.
- If ∘ behaves like addition, it is denoted by +, and the structure is called additive.

Closure (Totality)
- (S, ∘) satisfies the closure (totality) property if for all x, y ∈ S, we have x ∘ y ∈ S. Equivalently:
  o S is closed under ∘.
  o ∘ is closed over S.
- Examples:
  o (ℕ, +)
  o (ℤ, −)
  o (ℚ ∖ {0}, ÷)
- Non-examples:
  o (ℕ, −)
  o (ℤ ∖ {0}, ÷)
  o (ℚ, ÷)

Associativity
- (S, ∘) satisfies the associative property if for all x, y, z ∈ S, we have (x ∘ y) ∘ z = x ∘ (y ∘ z).
- Associativity implies that parenthesization is unnecessary.
- Examples:
  o (2 + 3) + 4 = 2 + (3 + 4)
  o GCD(GCD(x, y), z) = GCD(x, GCD(y, z))
  o (A ∪ B) ∪ C = A ∪ (B ∪ C)
- Non-examples:
  o (2 − 3) − 4 ≠ 2 − (3 − 4)
  o (100 ÷ 20) ÷ 5 ≠ 100 ÷ (20 ÷ 5)
  o (5²)³ ≠ 5^(2³)

Identity
- (S, ∘) has an identity element e ∈ S if for all x ∈ S, we have e ∘ x = x ∘ e = x.
- The identity element is often denoted by:
  o 1 in multiplicative structures.
  o 0 in additive structures.
- Examples:
  o 25 + 0 = 0 + 25 = 25
  o A ∪ ∅ = ∅ ∪ A = A
- Non-examples:
  o (ℤ, −)
  o (ℚ ∖ {0}, ÷)

Uniqueness of identity element
- THEOREM: If (S, ∘) has an identity element, it is unique.
- PROOF: Assume that e1 and e2 are identity elements of (S, ∘). Then:
  o e1 ∘ e2 = e2 (since e1 is an identity element)
  o e1 ∘ e2 = e1 (since e2 is an identity element)
  o Therefore, e1 = e2.
- Notice that we proved the theorem regardless of whether we are working with numbers, matrices, functions, vectors, etc. This is why this area of mathematics is abstract.

Invertibility (Divisibility)
- (S, ∘) with identity element e satisfies the invertibility (divisibility) property if for every element x ∈ S there exists an element y ∈ S such that x ∘ y = y ∘ x = e.
- The inverse of x is often denoted by:
  o x⁻¹ or 1/x in multiplicative structures.
  o −x in additive structures.
- Examples:
  o 25 + (−25) = (−25) + 25 = 0
  o x ⊕ x = 0 (XOR)
- Non-examples:
  o The matrix M = [4 6; 2 3] has no multiplicative inverse.

Commutativity
- (S, ∘) is commutative (Abelian) if for all elements x, y ∈ S, we have x ∘ y = y ∘ x.
- Examples:
  o 2 + 9 = 9 + 2
  o f(x) + g(x) = g(x) + f(x)
- Non-examples:
  o Let A = [x; y] (a column) and B = [z w] (a row). Then A × B = [xz xw; yz yw], whereas B × A = xz + wy.

Group-like structures at a glance
[Summary table of the group-like structures and which of the properties above each one satisfies; the slide's callout reads: "No identity. How is divisibility possible?!"]
Groups

Groups
- Group: An algebraic structure G = (S, ∘) satisfying four properties:
  1. Closure (totality)
  2. Associativity
  3. Identity
  4. Divisibility (invertibility)
- Abelian group: A group satisfying commutativity.
- Group membership: x ∈ G if and only if x ∈ S.
- Group order: The number of elements in the group.
  o Denoted |G| = |S|.
- Finite group: A group with finite order.

Notational conventions
- Let x ∈ G and m ∈ ℤ.
- Additive group G:
  o −x is the inverse of x, and 0 is the identity element.
  o If m = 0, then mx = 0.
  o If m > 0, then mx = x + ⋯ + x (m times).
  o If m < 0, then mx = (−x) + ⋯ + (−x) (|m| times).
  o mG = {mx | x ∈ G}
- Multiplicative group G:
  o x⁻¹ is the inverse of x, and 1 is the identity element.
  o If m = 0, then x^m = 1.
  o If m > 0, then x^m = x × ⋯ × x (m times).
  o If m < 0, then x^m = x⁻¹ × ⋯ × x⁻¹ (|m| times).
  o G^m = {x^m | x ∈ G}

Order and exponent
- The order of an element x of a group is the smallest positive integer m such that:
  o mx = e (additive groups)
  o x^m = e (multiplicative groups)
- If no such m exists, x is said to have infinite order.
- Periodic group: A group in which every element has finite order.
- Exponent of a periodic group: The LCM of the orders of all group elements, if it exists.
- THEOREM: Any finite group has an exponent. It is a divisor of |G|. (See Lagrange's theorem a few slides ahead.)

Examples of finite groups
- Additive group of integers modulo n, denoted ℤn:
  o Elements: {0, 1, …, n − 1}.
  o Group operator: Addition modulo n.
  o |ℤn| = n
- Multiplicative group of integers modulo n, denoted ℤn*:
  o Elements: {i | 1 ≤ i < n and GCD(i, n) = 1}.
    - GCD(i, n) = 1 ensures invertibility.
  o Group operator: Multiplication modulo n.
  o |ℤn*| = φ(n)
- Both groups are Abelian.

Cayley tables
- A Cayley table describes the structure of a finite group by arranging all the possible products of all the group's elements in a square table.
- Example: ℤ2 and ℤ3*

  + (mod 2) | 0  1
  ----------+------
      0     | 0  1
      1     | 1  0

  × (mod 3) | 1  2
  ----------+------
      1     | 1  2
      2     | 2  1

- Notice that ℤ3* is a "relabeling" of ℤ2, and vice versa.
  o 0 is relabeled as 1, and 1 is relabeled as 2.
  o This is called "isomorphism" (more on this later).

Subgroups and cosets
- H = (T, ∘) is called a subgroup of G = (S, ∘), denoted H ≤ G, if:
  1. H is a group.
  2. T ⊆ S.
- Let H ≤ G and a ∈ G.
  o a ∘ H = {a ∘ h : h ∈ H} is the left coset of H containing a.
  o H ∘ a = {h ∘ a : h ∈ H} is the right coset of H containing a.
- The number of left cosets of H is called the index of H in G and is denoted by [G : H].
- Lagrange's theorem: For any finite group G, the order of every subgroup H of G divides the order of G. Furthermore:
  [G : H] = |G| / |H|

Examples
- Let ∘ denote addition modulo 18.
  o G = ℤ18.
  o H = 3G = {0, 3, 6, 9, 12, 15}.
  o H is a group under ∘.
  o [G : H] = |G| / |H| = 18 / 6 = 3.
  o 7 ∘ H = H ∘ 7 = {7, 10, 13, 16, 1, 4} is a coset of H.
  o K = 2H = {0, 6, 12}.
  o K is a group under ∘.
  o [G : K] = |G| / |K| = 18 / 3 = 6.
  o 7 ∘ K = K ∘ 7 = {7, 13, 1} is a coset of K.

Generators and cyclic groups
- Let G = (S, ∘) be a group, and T ⊆ S.
- The group generated by T, denoted ⟨T⟩, is the subgroup of G whose members can be expressed as the combination (under ∘) of finitely many elements of T and their inverses.
- If T = {x}, we may write ⟨x⟩ instead of ⟨T⟩.
  o ⟨x⟩ is called a cyclic group.
- If G = ⟨T⟩, then we say T generates G, and the elements of T are called generators or group generators.
Examples
- Let G = ℤ18.
  o The group is cyclic: G = ⟨1⟩.
  o ⟨{6, 9}⟩ = {6a + 9b | a, b ∈ ℤ} = {0, 3, 6, 9, 12, 15}.
- Let G = ℤ11*.
  o The group is cyclic: G = ⟨2⟩.
- Let G = ℤ12*.
  o The group is NOT cyclic.
  o ⟨2⟩ = {1, 2, 4, 8}, ⟨3⟩ = {1, 3, 9}, ⟨5⟩ = {1, 5}, …
- THEOREM: ℤn* is cyclic if and only if n is 2, 4, p^k, or 2p^k for an odd prime p.

Fermat–Euler theorem from Lagrange's theorem
- Fermat–Euler theorem: If n is a positive integer and a ∈ ℤn*, then a^φ(n) ≡ 1 (mod n).
- Let ⟨a⟩ be the subgroup of ℤn* generated by a, with order k. Then ⟨a⟩ = {a, a², …, a^k = 1}.
- Lagrange's theorem states that |⟨a⟩| = k divides |ℤn*| = φ(n). Let M be an integer such that φ(n) = kM. Consequently:
  a^φ(n) = a^(kM) = (a^k)^M = 1^M = 1.

Groups of prime order
- Let G = (S, ∘) be a group of prime order p.
- THEOREM: Every non-identity element of G is a generator of G.
- PROOF: Easy using Lagrange's theorem.
  o The order of any cyclic subgroup of G is either 1 or p (since it must divide p).
  o The only cyclic subgroup of order 1 is ⟨e⟩.
  o For a non-identity group element g, we have |⟨g⟩| = p.
  o Therefore, ⟨g⟩ = G.

Groups of prime order (Cont'd)
- Groups of prime order are important in cryptography.
- Recall from the midterm exam that we constructed an efficient algorithm D which distinguished DDH triplets in ℤp* (of order p − 1):
  (g^a, g^b, g^(ab)) and (g^a, g^b, g^c)
- The idea was to use the Legendre symbol.
  o The Legendre symbol of the generator g is −1.
  o The Legendre symbol of g^x is −1 if x is odd, and +1 otherwise.
- Assignment: In a subgroup ⟨h⟩ ⊆ ℤp* of odd prime order q, the Legendre symbol of any element is +1.
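The parity leak just described, and the prime-order subgroup that removes it (the construction the next slide gives for ℤ23*, q = 11), as an added worked example that is not part of the slides: it computes element orders in ℤn*, finds the elements of prime order q | p − 1 and the subgroup they generate, and evaluates Legendre symbols with Euler's criterion. The function names, and the choices p = 23, q = 11 and generator 5, are mine.

```python
from math import gcd

def mult_group(n):
    """Elements of Z_n^*: the integers 1 <= i < n with GCD(i, n) = 1."""
    return [i for i in range(1, n) if gcd(i, n) == 1]

def element_order(x, n):
    """Smallest m > 0 with x^m = 1 (mod n); x must be a unit mod n."""
    m, y = 1, x % n
    while y != 1:
        y, m = (y * x) % n, m + 1
    return m

def is_cyclic(n):
    """Z_n^* is cyclic iff some element has order phi(n) = |Z_n^*|."""
    units = mult_group(n)
    return any(element_order(x, n) == len(units) for x in units)

def generated_subgroup(x, n):
    """<x> = {x, x^2, ..., x^k = 1} as a sorted list."""
    elems, y = set(), 1
    while True:
        y = (y * x) % n
        elems.add(y)
        if y == 1:
            return sorted(elems)

def elements_of_order(q, p):
    """Units mod p of order exactly q; Cauchy's theorem guarantees one when q | p-1."""
    return [x for x in mult_group(p) if element_order(x, p) == q]

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion a^((p-1)/2)."""
    s = pow(a, (p - 1) // 2, p)
    return -1 if s == p - 1 else s      # s is 0, 1 or p-1

def ddh_parity_leak(g, p):
    """In Z_p^* with generator g, (g^x/p) = (g/p)^x = (-1)^x, so the Legendre
    symbol of a public value g^x reveals the parity of the secret exponent x."""
    if element_order(g, p) != p - 1:
        raise ValueError("g is not a generator of Z_p^*")
    return all(legendre(pow(g, x, p), p) == (-1 if x % 2 else 1)
               for x in range(p - 1))

def prime_order_subgroup_is_residue_only(q, p):
    """In the subgroup <h> of odd prime order q every element is a square
    (h = (h^((q+1)/2))^2), so (y/p) = +1 for all y and the parity leak is gone."""
    h = elements_of_order(q, p)[0]
    return all(legendre(y, p) == 1 for y in generated_subgroup(h, p))
```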
Constructing a subgroup of prime order from ℤp*
- Cauchy's theorem: Let G be a finite group and q be a prime number. If q divides |G|, then G contains an element of order q.
- Let q be a prime divisor of p − 1.
  o By Cauchy's theorem, ℤp* contains an element g of order q.
  o ⟨g⟩ is a subgroup of ℤp* of prime order.
- Example: Let G = ℤ23*, and q = 11. There are 10 elements of order q: 2, 3, 4, 6, 8, 9, 12, 13, 16, 18. They all generate the following subgroup of G: {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}.

Permutations and symmetric groups
- Cauchy's two-line notation for a permutation:
  π = ( 1 2 3 4 5 )
      ( 5 3 4 1 2 )
- The above notation is interpreted as:
  o π permutes 1 to 5, 2 to 3, …
  o Equivalently, π(1) = 5, π(2) = 3, …
- Let Sn be the set of all permutations on {1, …, n}, endowed with function composition as the operator.
- THEOREM: Sn is a group, called the symmetric group. Furthermore, |Sn| = n!.
- Example: S2 = { (1 2 / 1 2), (1 2 / 2 1) }.

(External) Direct product of groups
- Let G = (S, ∘) and H = (T, ⋆) be two groups.
- The (external) direct product of G and H is a group, denoted by G × H, and is defined as follows:
  o The elements of G × H are the elements of S × T (Cartesian product).
  o The operation on G × H is defined component-wise: (g1, h1) × (g2, h2) = (g1 ∘ g2, h1 ⋆ h2)
- Example: ℤ2 × ℤ3
  o Elements: {(0,0), (0,1), (0,2), (1,0), (1,1), (1,2)}
  o Sample operation: (0,2) + (1,2) = (0 + 1 mod 2, 2 + 2 mod 3) = (1,1)

Group homomorphism
- Let G = (S, ∘) and H = (T, ⋆) be two groups.
- A group homomorphism is a function h : G → H such that for all u, v ∈ G:
  h(u ∘ v) = h(u) ⋆ h(v).
- Intuition: A group homomorphism preserves the algebraic structure: the group H in some sense has a similar algebraic structure as G, and the homomorphism h preserves that.
- Example: h(x) = x mod 2 is a homomorphism from ℤ11 to ℤ2.
- Types of homomorphism: Endomorphism, Automorphism, Isomorphism.

Group isomorphism
- A bijective (one-to-one and onto) group homomorphism is called a group isomorphism.
- If G is isomorphic to H, we write G ≅ H.
- Isomorphism is a relabeling of group elements.
- Example: f(x) = g^x mod p is an isomorphism from ℤ(p−1) to ℤp*.
  o Let u, v ∈ ℤ(p−1).
  o g^((u + v) mod (p − 1)) mod p = ((g^u mod p) × (g^v mod p)) mod p
- Assignment: If m and n are coprime, CRT implies: ℤm* × ℤn* ≅ ℤmn*.

Ring-like Structures

Ring-like structures
- A set S endowed with two operations:
  o an "addition-like" operator +
  o a "multiplication-like" operator ×
  is called a ring-like structure.
- Depending on the properties that + and × satisfy on S, various structures are defined: Rng, Semiring, Nearring, Near-semiring, Ring, Commutative ring, Domain, Integral domain, Field, etc.
- We only study rings and fields.

Rings
- An algebraic structure R = (S, +, ×) is called a ring if:
  1. (S, +) is an Abelian group;
  2. (S, ×) is a monoid (closure, associativity, identity element);
  3. × distributes over +. For all a, b, c in S:
     a × (b + c) = a × b + a × c (left distributivity)
     (b + c) × a = b × a + c × a (right distributivity)
- Examples:
  o (ℤ, +, ×)
  o (ℤn, + (mod n), × (mod n))
  o 2-by-2 matrices over ℝ with + and ×. (Noncommutative ring)
- Non-examples:
  o (2ℤ, +, ×): No multiplicative identity (ring with no "i": rng).
  o (ℤ, +, )

Characteristic
- The characteristic of a ring R, denoted char(R), is the smallest positive integer n such that:
  n·1 = 0
  where 1 is the ring's multiplicative identity element, and 0 is the ring's additive identity element.
- If such a number n does not exist, char(R) = 0.
- Examples:
  o char(ℤ) = 0
  o char(ℤn) = n

Ring homomorphism
- Let R = (S, +, ×) and R′ = (T, ⊕, ⊗) be two rings.
- A ring homomorphism is a function h : R → R′ such that for all u, v ∈ R:
  h(u + v) = h(u) ⊕ h(v)
  h(u × v) = h(u) ⊗ h(v)
  h(1R) = 1R′
  where 1R and 1R′ are the multiplicative identities of R and R′, respectively.
- Example: h(x) = x mod n is a homomorphism from (ℤ, +, ×) to (ℤn, + (mod n), × (mod n)).
- Isomorphism: A bijective homomorphism.

Fields
- A field is a special kind of ring.
  o Concepts such as ring homomorphism, isomorphism, and characteristic carry over to the case of fields.
- An algebraic structure F = (S, +, ×) is called a field if:
  1. (S, +) is an Abelian group.
  2. (S − {0}, ×) is an Abelian group. (0 is the additive identity.)
  3. × distributes over +.
- Examples:
  o (ℚ, +, ×)
  o (ℝ, +, ×)
  o (ℤp*, + (mod p), × (mod p)) (p is a prime number)

Finite fields
- Finite field: A field whose order (number of elements) is finite. Also called Galois Fields (GF).
- THEOREM 1: The order of a finite field is equal to p^k for some k (p is a prime). A finite field of order p^k is denoted GF(p^k).
- THEOREM 2: All finite fields of the same order are isomorphic.
- COROLLARY: GF(p) ≅ ℤp*.
- Assignment: Write down the Cayley tables for GF(4).
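Arithmetic in the GF(2^k) case of Theorem 1, as an added example that is not part of the slides: elements are bit-strings standing for polynomials over GF(2), addition is XOR, multiplication is a carry-less product reduced modulo an irreducible polynomial of degree k, and the field axioms are checked on the Cayley tables the assignment asks for (the check fails when the polynomial is reducible, which shows why irreducibility matters). The function names and the encoding (bit i = coefficient of x^i; x² + x + 1 for GF(4), x³ + x + 1 for GF(8)) are mine.

```python
def gf2k_add(a, b):
    """Addition in GF(2^k) is coefficient-wise XOR; every element is its own negative."""
    return a ^ b

def gf2k_mul(a, b, k, poly):
    """Multiply in GF(2^k) = GF(2)[x] / (poly): carry-less product of the two
    polynomials, then reduce modulo the degree-k polynomial poly (bit k set)."""
    r = 0
    for i in range(k):
        if (b >> i) & 1:
            r ^= a << i
    for d in range(2 * k - 2, k - 1, -1):   # clear degrees 2k-2 .. k, top down
        if (r >> d) & 1:
            r ^= poly << (d - k)
    return r

def cayley_tables(k, poly):
    """Addition and multiplication tables of GF(2)[x] / (poly) on 0 .. 2^k - 1."""
    n = 1 << k
    add = [[gf2k_add(a, b) for b in range(n)] for a in range(n)]
    mul = [[gf2k_mul(a, b, k, poly) for b in range(n)] for a in range(n)]
    return add, mul

def is_field(k, poly):
    """Check the field axioms on the tables: identities, inverses, commutativity,
    associativity and distributivity (closure holds by construction, since every
    product is reduced below 2^k). A factor of a reducible poly has no inverse."""
    n = 1 << k
    add, mul = cayley_tables(k, poly)
    for a in range(n):
        if add[a][0] != a or mul[a][1] != a:           # identities 0 and 1
            return False
        if a != 0 and 1 not in mul[a]:                 # every nonzero a is invertible
            return False
        for b in range(n):
            if add[a][b] != add[b][a] or mul[a][b] != mul[b][a]:
                return False
            for c in range(n):
                if add[add[a][b]][c] != add[a][add[b][c]]:
                    return False
                if mul[mul[a][b]][c] != mul[a][mul[b][c]]:
                    return False
                if mul[a][add[b][c]] != add[mul[a][b]][mul[a][c]]:
                    return False
    return True

def characteristic(k, poly):
    """Smallest n with n * 1 = 0 (repeated addition of 1); for GF(2^k) it is 2."""
    n, s = 1, 1
    while s != 0:
        n, s = n + 1, gf2k_add(s, 1)
    return n
```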