Cryptographic Mathematics (MA6011)

Dr. Bernd Kreussler*

Autumn 2015

* These notes are based on lecture notes written by Gordon Lessells and on a book of Silverman.

1 Motivation

Confidential message transmission was known at least 2500 years ago. In Ancient Greece, in particular in Sparta, the following method was used to send secret messages during military campaigns. A leather (or parchment) strip was wound around a wooden cylinder (called a scytale). The message was then written across this strip. The unwound strip did not seem to contain any text that makes sense. The recipient had a scytale of exactly the same size and could read the message after winding the strip around it.

More famous is Caesar's cipher. The Roman statesman, who lived 100–40 BCE, used the following method to encrypt some of his letters to Cicero:

plaintext   a b c d e f g h i j k l m n o p q r s t u v w x y z
ciphertext  D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

For example, the word help becomes KHOS. This type of encoding is known as an additive cipher, because each letter is replaced by the one which is three places ahead. To describe this more mathematically, we number the letters of the English alphabet from 0 to 25. Then this encryption is obtained by adding 3. Here we understand that any number above 25 is to be replaced by its remainder on division by 26. In modern terms we would speak of addition modulo 26.

To decrypt the ciphertext one simply has to subtract 3 modulo 26. The secret key of this encryption scheme is the number 3. Everybody who knows how to encrypt can easily decrypt as well. This is the first known example of a private key cryptosystem. With current knowledge and technology it is very easy to break such a system.

Over the centuries such systems were further developed. The encryption schemes became quite clever and increasingly complicated. Their security depends on the safety of the key exchange.
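The additive cipher of Section 1 in code, as an added example that is not part of the lecture notes: letters are numbered 0 to 25, encryption adds the key modulo 26, decryption subtracts it, and the last function lists all 26 candidate plaintexts, which is the concrete reason the notes can say such a system is very easy to break. The function names encrypt, decrypt and brute_force are chosen here and are not from the notes.

```python
# Added example (not from the lecture notes): the additive (Caesar) cipher of
# Section 1, with letters numbered a=0 ... z=25 and addition modulo 26.

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def encrypt(plaintext, key):
    """Shift every letter of plaintext forward by key places modulo 26.
    Output is upper case, following the notes' table; non-letters pass through."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext, key):
    """Decryption is encryption with -key, i.e. subtracting the key modulo 26."""
    return encrypt(ciphertext, -key).lower()


def brute_force(ciphertext):
    """The key space has only 26 elements, so every candidate plaintext can be
    listed; the reader picks the one that makes sense."""
    return [(k, decrypt(ciphertext, k)) for k in range(26)]


if __name__ == "__main__":
    print(encrypt("help", 3))           # KHOS, as in the notes
    print(decrypt("KHOS", 3))           # help
    for k, guess in brute_force("KHOS"):
        print(k, guess)
```

The key 3 is only one of 26 possibilities, so the exhaustive listing in brute_force is the whole attack; this is the sense in which the secret of the scheme is the key rather than the method.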
In the diplomatic and military sectors keys were traditionally exchanged via a direct meeting or with the aid of a trusted courier.

In 1976 cryptography was revolutionised when Diffie and Hellman introduced public key cryptography. The main idea is to use 'one-way' or 'trapdoor' functions for encryption. These are functions that are easy to calculate, but without extra information (the private key) it is computationally infeasible to invert such a function (i.e. to reconstruct the plaintext from the ciphertext) within a reasonable time. When such a cryptosystem is used, the public key is known to everybody. It can be used to encrypt messages. However, only the holder of the private key is able to decrypt such a ciphertext. Nowadays, internet data security is based on such cryptographic techniques. Public key cryptography is not only useful for confidential message transfer, but also for key exchange, authentication and coin flipping.

Most of this course will consist of the description of the core ideas of such cryptosystems, including the mathematical background needed to understand them. All the systems considered will be based on techniques from number theory. Before we can explain them in detail, we will study a few fundamental concepts from number theory.

Number theory studies the properties of numbers. Before we start, we ask: What is a number? In some civilizations, they have words for one, two and many. Numbers are used to describe quantity. Symbols were often used to represent numbers, such as notches on a piece of wood or knots on a rope. The Babylonians developed a counting system which is described as base 60 and remains with us in the way we measure time. Roman numerals are still quite familiar and are used in dating some television programmes. However, the number system which we now use is called the Hindu-Arabic system and is described as base 10 or decimal.
In this system the significance of a digit depends on its position in the decimal representation. Computers use a binary system with two symbols 0 and 1, or hexadecimal, which uses the symbols 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F. Many other ways of representing numbers have been developed, but the decimal system allows ease of calculation.

In early days certain numbers were thought to have a significance, e.g.

square numbers      1, 4, 9, 16, 25, 36, ...
triangular numbers  1, 3, 6, 10, 15, 21, 28, 36, ...
perfect numbers     6, 28, 496, ...
prime numbers       2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, ...

We will see in this course that prime numbers have a significance and usefulness far beyond what was dreamt of in the past. There are lots of mysteries about prime numbers which may never be solved.

2 Pythagorean Triples

The Babylonians discovered what we now call Pythagorean triples, i.e. numbers $a, b, c$ satisfying the relation $a^2 + b^2 = c^2$. The most common example is $(3, 4, 5)$, but $(5, 12, 13)$, $(7, 24, 25)$, $(8, 15, 17)$ are other less familiar solutions. There are an infinite number of solutions, which can be listed.

Introducing the rational numbers $x = a/c$ and $y = b/c$, the equation $a^2 + b^2 = c^2$ translates into the equation of a circle $x^2 + y^2 = 1$. Therefore, finding all Pythagorean triples is equivalent to finding all points on this circle which have rational coordinates, i.e. both coordinates are rational numbers. (The rational numbers, denoted $\mathbb{Q}$, are numbers of the form $m/n$ where $m$ and $n$ are integers and $n \neq 0$.)

There are four obvious points on the circle $x^2 + y^2 = 1$: $(0, 1)$, $(0, -1)$, $(1, 0)$, $(-1, 0)$. We can use geometrical ideas to find the others. Let $P = (-1, 0)$ and let $m$ be a rational number (a number of the form $p/q$ where $p$ and $q$ are integers and $q \neq 0$). Consider the line through $P$ with slope $m$. The equation of this line is $y - 0 = m(x + 1)$. This line will intersect the circle at a second point $Q$.
To find the coordinates of $Q$, we substitute $y = m(x + 1)$ in the equation $x^2 + y^2 = 1$:
$$x^2 + m^2(x + 1)^2 = 1$$
$$x^2 + m^2 x^2 + 2m^2 x + m^2 - 1 = 0$$
$$(1 + m^2)x^2 + 2m^2 x + (m^2 - 1) = 0$$
This is a quadratic equation in $x$ which we can solve using the standard formula. However, we know that $x = -1$ is one solution. We can thus factorise as
$$(x + 1)\big((1 + m^2)x + m^2 - 1\big) = 0.$$
Thus the $x$-coordinate of the point $Q$ is
$$x = \frac{1 - m^2}{1 + m^2}.$$
Using this we obtain the $y$-coordinate of $Q$:
$$y = m(x + 1) = m\left(\frac{1 - m^2}{1 + m^2} + 1\right) = \frac{2m}{1 + m^2}.$$
Thus
$$Q = \left(\frac{1 - m^2}{1 + m^2},\ \frac{2m}{1 + m^2}\right).$$
Since $m$ is rational, the coordinates of $Q$ are also rational.

If we start with a point $Q$ on the circle with rational coordinates, then the slope of the line $PQ$ will be rational. Hence, we have determined all the points on the circle $x^2 + y^2 = 1$ with rational coordinates. From this we can find all Pythagorean triples by putting $m = v/u$ with $u, v$ integers. This leads us to the equation
$$(u^2 - v^2)^2 + (2uv)^2 = (u^2 + v^2)^2,$$
from which we see that
$$a = u^2 - v^2, \qquad b = 2uv, \qquad c = u^2 + v^2$$
is a Pythagorean triple. By substituting for $u$ and $v$ we can find Pythagorean triples, as shown in the table below.

 u  v    a    b    c
 2  1    3    4    5
 3  2    5   12   13
 4  1   15    8   17
 4  3    7   24   25
 5  2   21   20   29
 5  4    9   40   41
 6  1   35   12   37
 6  5   11   60   61
 7  2   45   28   53
 7  4   33   56   65
 7  6   13   84   85
 8  1   63   16   65
 8  3   55   48   73
 8  5   39   80   89

The triples $(a, b, c)$ shown in the table have in common that $a, b, c$ don't have a common factor. Of course, if $(a, b, c)$ is a Pythagorean triple and $k$ a positive integer, then $(ka, kb, kc)$ is another Pythagorean triple.

What if we consider higher powers? Fermat's Last Theorem is the statement that $a^n + b^n = c^n$ has no solutions in positive integers if $n \geq 3$. Fermat made the conjecture in the 17th century, but it was only finally proved in 1994 by Andrew Wiles and Richard Taylor. Several books and a musical have been written about the proof of Fermat's Last Theorem. In his proof, Wiles used the theory of elliptic curves.
We will find later that elliptic curves are important in cryptography.

3 Divisibility

Let $m$ and $n$ be integers with $m \neq 0$. We say $m$ divides $n$ if $n$ is a multiple of $m$, i.e. there exists an integer $k$ such that $n = km$. If $m$ divides $n$ we write $m \mid n$. Thus
$$2 \mid 60, \quad 3 \mid 60, \quad 5 \mid 60 \quad \text{and} \quad 10 \mid 60.$$
A number that divides $n$ is called a divisor of $n$. As all positive divisors of $n$ are less than or equal to $|n|$, an integer has a finite number of divisors. Also 1 is a divisor of every integer $n$. Thus if we take two integers $m$ and $n$, the set of integers which are divisors of both $m$ and $n$ is a nonempty finite set and has a largest element, which is called the greatest common divisor of $m$ and $n$, abbreviated to $\gcd(m, n)$. If $\gcd(m, n) = 1$ we say $m$ and $n$ are coprime.

The question then arises: Given $m$ and $n$, how do we calculate $\gcd(m, n)$? One way of doing this is to list all the divisors of $m$ and $n$ and take the largest number which is in both lists. This is not an efficient way of calculating the greatest common divisor. Instead we use the Euclidean algorithm. It involves doing a sequence of divisions with remainder until the remainder is zero.

Let $m = 126$ and $n = 1812$. Divide 126 into 1812.
$$1812 = 14 \times 126 + 48$$
$$126 = 2 \times 48 + 30$$
$$48 = 1 \times 30 + 18$$
$$30 = 1 \times 18 + 12$$
$$18 = 1 \times 12 + 6$$
$$12 = 2 \times 6$$
The Euclidean algorithm tells you that when you find a remainder of 0 then the greatest common divisor is the remainder in the previous step. Hence $\gcd(1812, 126) = 6$.

Let $m = 87654321$ and $n = 12345678$.
$$87654321 = 7 \times 12345678 + 1234575$$
$$12345678 = 9 \times 1234575 + 1234503$$
$$1234575 = 1 \times 1234503 + 72$$
$$1234503 = 17145 \times 72 + 63$$
$$72 = 1 \times 63 + 9$$
$$63 = 7 \times 9$$
Thus $\gcd(87654321, 12345678) = 9$. Note $87654321 = 9 \times 9739369$ and $12345678 = 9 \times 1371742$.

In practice, to write $m = q \times n + r$ we take the integer part of $m/n$ as $q$ and then calculate $r = m - n \times q$.

Why does the Euclidean algorithm work? Assume $a > b$ and let the sequence of steps be as follows:
$$a = q_1 \times b + r_1$$
$$b = q_2 \times r_1 + r_2$$
$$r_1 = q_3 \times r_2 + r_3$$
$$\vdots$$
$$r_{n-3} = q_{n-1} \times r_{n-2} + r_{n-1}$$
$$r_{n-2} = q_n \times r_{n-1} + r_n$$
$$r_{n-1} = q_{n+1} \times r_n + 0$$
We have $b > r_1 > r_2 > r_3 > \cdots \geq 0$. Thus for some $n$, $r_{n+1} = 0$. Now $r_n \mid r_{n-1}$ and, working upwards, we find $r_n \mid r_{n-2}$ and then $r_n \mid r_{n-3}$. Eventually, we find that $r_n \mid r_1$ and $r_n \mid b$. Finally, from the first equation we find that $r_n \mid a$ and $r_n \mid b$, i.e. $r_n$ is a common divisor of $a$ and $b$. But working down now we see that any common divisor of $a$ and $b$ is a divisor of successively $r_1, r_2, r_3, \ldots, r_n$. Thus $r_n$ is the greatest common divisor of $a$ and $b$.

We can show that the number of steps in the Euclidean algorithm is at most seven times the number of digits in $b$. Thus Euclidean algorithm calculations are easily done on a computer with numbers having thousands of digits.

There is an improved version of the Euclidean algorithm called the binary GCD algorithm. It is based on the fact that if $m$ and $n$ are both even then $\gcd(m, n) = 2\gcd(m/2, n/2)$, while if $m$ is even and $n$ odd, $\gcd(m, n) = \gcd(m/2, n)$. In binary, division by 2 is a simple shift operation. Using this idea the previous examples become
$$\gcd(1812, 126) = 2\gcd(906, 63) = 2\gcd(453, 63) = 2\gcd(7 \times 63 + 12, 63) = 2\gcd(63, 12) = 2\gcd(63, 6) = 2\gcd(63, 3) = 2 \times 3 = 6$$
and
$$\begin{aligned}
\gcd(87654321, 12345678) &= \gcd(87654321, 6172839) = \gcd(14 \times 6172839 + 1234575, 6172839) \\
&= \gcd(6172839, 1234575) = \gcd(4 \times 1234575 + 1234539, 1234575) = \gcd(1234575, 1234539) \\
&= \gcd(1234539 + 36, 1234539) = \gcd(1234539, 36) = \gcd(1234539, 18) = \gcd(1234539, 9) \\
&= \gcd(9 \times 137171, 9) = 9.
\end{aligned}$$

Divisibility has nice properties with respect to our usual arithmetic operations.

1. If $m \mid a$ and $m \mid b$ then $m \mid a + b$ and $m \mid a - b$.
2. If $m \mid a$ then $m \mid ka$ where $k$ is an integer. Combining with 1), we have: if $m \mid a$ and $m \mid b$ then $m \mid ka \pm lb$ for any integers $k$ and $l$.
3. If $a \mid b$ and $b \mid c$ then $a \mid c$.
4. If $a \mid b$ and $c \mid d$ then $ac \mid bd$.
5. If $m \neq 0$ then $a \mid b \iff ma \mid mb$.
6. If $d \mid a$ and $a \neq 0$ then $|d| \leq |a|$.
7. $a \mid b$ and $b \mid a$ if and only if $a = \pm b$.

4 Solving Linear Equations in Integers

Let $a$ and $b$ be integers. One can ask the question: What integers can be written in the form $ax + by$ with $x$ and $y$ integers? Take $a = 24$ and $b = 66$. We can draw up a table of values of $24x + 66y$ for small values of $x$ and $y$ (rows are values of $x$, columns values of $y$):

 x\y     -4    -3    -2    -1     0     1     2     3     4
 -4    -360  -294  -228  -162   -96   -30    36   102   168
 -3    -336  -270  -204  -138   -72    -6    60   126   192
 -2    -312  -246  -180  -114   -48    18    84   150   216
 -1    -288  -222  -156   -90   -24    42   108   174   240
  0    -264  -198  -132   -66     0    66   132   198   264
  1    -240  -174  -108   -42    24    90   156   222   288
  2    -216  -150   -84   -18    48   114   180   246   312
  3    -192  -126   -60     6    72   138   204   270   336
  4    -168  -102   -36    30    96   162   228   294   360

Notice every entry in the table is a multiple of 6, which is $\gcd(24, 66)$, and 6 also appears in the table as $6 = 3 \times 24 - 1 \times 66$. Thus the smallest positive value in our table is $\gcd(a, b)$. This is true in general. Such an expression can be obtained from the Euclidean algorithm calculations to find the GCD.
$$66 = 2 \times 24 + 18 \qquad\qquad 66 - 2 \times 24 = 18$$
$$24 = 1 \times 18 + 6 \qquad\qquad 24 - 1 \times 18 = 6$$
$$18 = 3 \times 6 \qquad\qquad 18 - 3 \times 6 = 0$$
On the right we have rewritten the equations to have the remainders alone on the right hand side. Substituting in the second equation for 18 the left hand side of the first equation, we get
$$6 = 24 - 1 \times 18 = 24 - 1 \times (66 - 2 \times 24) = 3 \times 24 - 1 \times 66.$$
One can also work forwards. From the first equation $18 = a - 2b$, where $a = 66$ and $b = 24$. The second equation becomes $b - (a - 2b) = 6$, from which we again obtain $6 = 3b - a = 3 \times 24 - 1 \times 66$.

Let us rewrite our calculation for $m = 87654321$ and $n = 12345678$ as follows:
$$m - 7n = r_1$$
$$n - 9r_1 = r_2$$
$$r_1 - r_2 = r_3$$
$$r_2 - 17145\, r_3 = r_4$$
$$r_3 - r_4 = 9 = \gcd(m, n),$$
where the values $r_1 = 1234575$, $r_2 = 1234503$, $r_3 = 72$ and $r_4 = 63$ are irrelevant for the calculations that follow.
Working forwards we obtain
$$m - 7n = r_1$$
$$n - 9(m - 7n) = r_2 \quad\Rightarrow\quad 64n - 9m = r_2$$
$$(m - 7n) - (64n - 9m) = r_3 \quad\Rightarrow\quad 10m - 71n = r_3$$
$$(64n - 9m) - 17145(10m - 71n) = r_4 \quad\Rightarrow\quad 1217359n - 171459m = r_4$$
$$(10m - 71n) - (1217359n - 171459m) = 9 \quad\Rightarrow\quad 171469m - 1217430n = 9$$
Working backwards:
$$9 = 72 - 1 \times 63$$
$$9 = 72 - (1234503 - 17145 \times 72)$$
$$9 = 17146 \times 72 - 1234503$$
$$9 = 17146(1234575 - 1 \times 1234503) - 1234503$$
$$9 = 17146 \times 1234575 - 17147 \times 1234503$$
$$9 = 17146 \times 1234575 - 17147(12345678 - 9 \times 1234575)$$
$$9 = 171469 \times 1234575 - 17147 \times 12345678$$
$$9 = 171469(87654321 - 7 \times 12345678) - 17147 \times 12345678$$
$$9 = 171469 \times 87654321 - 1217430 \times 12345678$$
Thus we have seen that the linear equation $ax + by = \gcd(a, b)$ has a solution in integers $x$ and $y$. In particular, if $\gcd(a, b) = 1$ there are integers $x_1$ and $y_1$ satisfying $ax_1 + by_1 = 1$. We can create other solutions as follows:
$$ax_1 + by_1 = 1 \;\Rightarrow\; ax_1 + kab + by_1 - kab = a(x_1 + kb) + b(y_1 - ka) = 1.$$
Thus $(x_1 + kb,\ y_1 - ka)$ is another solution. In fact all possible solutions can be obtained by this process. Suppose $(x_2, y_2)$ is another solution, i.e. $ax_2 + by_2 = 1$. Then
$$x_2 - x_1 = x_2(ax_1 + by_1) - x_1(ax_2 + by_2) = b(x_2 y_1 - x_1 y_2)$$
and
$$y_2 - y_1 = y_2(ax_1 + by_1) - y_1(ax_2 + by_2) = a(x_1 y_2 - x_2 y_1) = -a(x_2 y_1 - x_1 y_2).$$
Thus $x_2 = x_1 + kb$ and $y_2 = y_1 - ka$ as claimed, where $k = x_2 y_1 - x_1 y_2$.

We can now deal with the case $ax + by = d = \gcd(a, b)$. As $d$ is a divisor of both $a$ and $b$, we can divide both sides of our equation by $d$ to give
$$\frac{a}{d}\, x + \frac{b}{d}\, y = 1$$
and apply what we have just proved. As a result we obtain the following.

Theorem 4.1. Let $a$ and $b$ be non-zero integers with $\gcd(a, b) = d$. The equation $ax + by = d$ has a solution $(x_1, y_1)$ in integers which can be found by means of the extended Euclidean algorithm. Every solution of this equation can be obtained by substituting integers $k$ into the formula
$$\left(x_1 + k\,\frac{b}{d},\; y_1 - k\,\frac{a}{d}\right).$$
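The algorithms of Sections 3 and 4 in one place, as an added example that is not part of the lecture notes: euclid_steps records each division with remainder exactly as the two worked examples in Section 3 list them, binary_gcd is the shift-based variant (with the both-odd case handled by subtraction, which is what the step $\gcd(7 \times 63 + 12, 63) = \gcd(63, 12)$ amounts to), extended_gcd carries the "working forwards" bookkeeping of Section 4 so that it returns $x$ and $y$ with $ax + by = \gcd(a, b)$, and all_solutions applies the formula of Theorem 4.1. On the notes' numbers it returns exactly $9 = 171469 \times 87654321 - 1217430 \times 12345678$ and $6 = 3 \times 24 - 1 \times 66$. All function names are chosen here and are not from the notes.

```python
# Added example (not from the lecture notes): the Euclidean algorithm of
# Section 3 with every division step recorded, the binary GCD variant, and the
# extended Euclidean algorithm of Section 4 that writes gcd(a, b) = a*x + b*y,
# together with the family of all solutions from Theorem 4.1.


def euclid_steps(m, n):
    """Return (gcd, steps); steps lists (dividend, q, divisor, r) for each line
    dividend = q * divisor + r, stopping at the first remainder 0."""
    a, b = abs(m), abs(n)
    if a < b:
        a, b = b, a
    steps = []
    while b != 0:
        q, r = divmod(a, b)          # q = integer part of a/b, r = a - b*q
        steps.append((a, q, b, r))
        a, b = b, r
    return a, steps


def binary_gcd(m, n):
    """gcd using only shifts and subtractions: both even -> 2*gcd(m/2, n/2);
    one even -> halve it; both odd -> replace the larger by the (even) difference."""
    m, n = abs(m), abs(n)
    if m == 0:
        return n
    if n == 0:
        return m
    shift = 0
    while m % 2 == 0 and n % 2 == 0:
        m //= 2
        n //= 2
        shift += 1                   # each common factor 2 is restored at the end
    while n != 0:
        while m % 2 == 0:
            m //= 2
        while n % 2 == 0:
            n //= 2
        if m > n:
            m, n = n, m
        n -= m                       # both odd here, so n - m is even
    return m << shift


def extended_gcd(a, b):
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y, working forwards through
    the remainders as the notes do with r1, r2, ....
    Invariant: old_r = a*old_s + b*old_t and r = a*s + b*t at every step."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    if old_r < 0:                    # keep d positive when inputs are negative
        old_r, old_s, old_t = -old_r, -old_s, -old_t
    return old_r, old_s, old_t


def all_solutions(a, b, ks):
    """Theorem 4.1: (x1 + k*b/d, y1 - k*a/d) solves a*x + b*y = d for every integer k."""
    d, x1, y1 = extended_gcd(a, b)
    sols = []
    for k in ks:
        x, y = x1 + k * (b // d), y1 - k * (a // d)
        assert a * x + b * y == d
        sols.append((x, y))
    return sols


if __name__ == "__main__":
    d, steps = euclid_steps(87654321, 12345678)
    for dividend, q, divisor, r in steps:
        print(f"{dividend} = {q} x {divisor} + {r}")
    print("gcd =", d, " binary gcd =", binary_gcd(87654321, 12345678))
    print("extended:", extended_gcd(87654321, 12345678))   # (9, 171469, -1217430)
    print(all_solutions(24, 66, range(-1, 2)))              # [(-8, 3), (3, -1), (14, -5)]
```

The coefficients produced by extended_gcd for the pair (87654321, 12345678) are the same as the notes obtain by hand because the loop performs precisely the substitutions listed under "Working forwards": after the second division the pair of coefficients is (-9, 64), after the third (10, -71), and so on.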