Download cs413encryptmath

1
CS 413, Computer and Data Security
Math for Encryption
I.
Thinking Concretely about Division and Remainders. The Euclidean
Algorithm for Finding the Greatest Common Divisor.
The material in this section has some independent utility, but its main purpose in the
presentation right now is to give some concrete practice in thinking about integer division
and remainders, which will be useful preparation for understanding sections II and III.
Definition: Prime number: Any integer greater than 1 that has only 1 and itself as factors
is prime. Historically, the number 1 has occasionally been treated as a prime number. It
is certainly true that it only has 1 and itself as factors. It is generally not included in the
definition of primes, not because it fails in some way, but because it has so many other
unique characteristics, that classifying simply as prime does not do it justice.
Definition: Composite number: A number which is not 1 and not prime is composite. In
other words, an integer greater than 1 which has factors other than 1 and itself is
composite.
Definition: Greatest common divisor: This is the largest integer which is a factor of two
other integers. The notation is usually given as follows: Given a and b, positive integers,
gcd(a, b) = x is the largest integral factor of a and b. Note that x <= a and x <= b.
Definition: Relatively prime: Given 2 positive integers, a and b, if the gcd(a, b) = 1, then
a and b are relatively prime. Both a and b may be composite. If you did a prime
factorization of a and b you would find that they have no prime factors in common.
One approach to finding the greatest common divisor of 2 positive integers: Find the
prime factorization of each. The product of the prime factors they have in common forms
the greatest common factor or greatest common divisor.
For example:
72 = 2 * 2 * 3 * 3
30 = 2 * 3 * 5
The common prime factors of the two numbers are 2 and 3. 2 * 3 = 6 is their greatest
common divisor.
The Euclidean algorithm: This is an iterative algorithm, suitable for implementation in a
computer program, that will find the greatest common divisor of two integers without
having to find their prime factorization.
2
Let integers a and b be given.
Let x = gcd(a, b)
Without loss of generality, assume that a > b. Then it is possible to write the following:
a=m•b+r
Since x = gcd(a, b), then there must be some values a1 and b1 such that:
a = a1x, and b = b1x
Now substitute these expressions for a and b in the expression relating a and b:
a1x = mb1x + r
Now solve the expression for r:
r = mb1x – a1x
r = x(mb1 – a1)
Conclusion: the gcd(a, b) is also a factor of r.
The next thing you want to show is that gcd(b, r) = gcd(a, b) = x. There are two possible
cases to eliminate:
Suppose that gcd(b, r) = y < x = gcd(a, b).
By definition, gcd(a, b) is a factor of b. The preceding sequence of steps showed that
gcd(a, b) is a factor of r. Thus, the gcd(b, r) is at least gcd(a, b).
Now consider the alternative case, gcd(b, r) = y > x = gcd(a, b).
Starting with:
a = mb + r
Since y = gcd(b, r), then there must be some values b2 and r2 such that:
b = b2y and r = r2y
Now substitute these expressions for b and r in the expression relating a, b and r:
a = mb2y + r2y
3
And factoring gives:
a = y(mb2 + r2)
In other words, y is a factor of a. y is also a factor of b. This means that y is a common
factor of a and b. However, it was assumed that y > x. This contradicts the fact that
gcd(a, b) = x. This is a given that gcd(a, b) = x and y is a factor of b, gcd(a, b) = x, and
the supposition was made that y > x.
Therefore y can be neither less than or greater than x. In other words,
gcd(a, b) = gcd(b, r)
It is this result which leads to the iterative algorithm for finding the greatest common
divisor of two integers. Given a and b, it is possible using integer division and modulus
to find b and r. The process can then be repeated on b and r. Observe:
a = mb + r0
b = m1r0 + r1
r0 = m2r1 + r2
…
gcd(a, b) = gcd(b, r0)
gcd(b, r0) = gcd(r0, r1)
gcd(r0, r1) = gcd(r1, r2)
Consider the following points:
1. At every step, rj < ri.
2. All ri >= 0.
3. All ri are integers.
The conclusion you can reach from this is that in a finite number of steps the algorithm
will converge to the point where r equals 0. In other words, the sequence of steps will
result in the following:
gcd(a, b) = … = gcd(ru, 0)
And:
gcd(ru, 0) = ru
This is true because 0 is evenly divisible by anything. Anything will go into 0 zero times.
In other words, for any a:
gcd(a, 0) = a
Thus, you know that the algorithm has converged when the remainder is 0, and the
greatest common divisor was the non-zero remainder that preceded the remainder of 0.
4
Here is an illustration of the algorithm using the values 72 and 30.
72 = 2 * 30 + 12
a = 72, m =2, b = 30, r0 = 12
30 = 2 * 12 + 6
b = 30, m1 = 2, r0 = 12, r1 = 6
12 = 2 * 6 + 0
r0 = 12, m2 = 2, r1 = 6, r2 = 0
The final remainder is 0 and the remainder before that was 6. According to the
algorithm, gcd(72, 30) = gcd(30, 12) = gcd(12, 6) = gcd(6, 0) = 6, which agrees with the
result obtained using prime factorizations above.
II.
Algebraic Background
Algebras in general are defined in terms of one or more operators and a set of values
which the operators can be applied to. For the purposes of the exposition below, let a
single operator be represented by • and the set of interest be S. Within an algebraic
system, certain properties can be defined. Here are the definitions of some of those
properties:
Closure: Given a, b ε S, a • b ε S.
Identity: Given some arbitrary a ε S, there is an i ε S such that a • i = i • a = a.
For the familiar operations + and * the identities are 0 and 1, respectively.
Inverse: For some a ε S, its inverse is a-1 ε S such that a • a-1 = i.
We are accustomed to the inverses in the real numbers where this holds: a • a-1 = a-1 • a =
i . If the commutative property does not hold, then this is not necessarily the case. For
the familiar operations + and *, inverses are also readily apparent. The additive inverse
of 1 is -1, for example, and the multiplicative inverse of 7 is 1/7. Note that depending on
the set of values and the operation in question, some values may not have inverses. 0
doesn’t have a multiplicative inverse in the set of real numbers. If you restrict yourself to
the set of integers, no values except 1 and -1 have multiplicative inverses. If you restrict
yourself to the set of positive integers, there are no additive inverses.
The Associative Property: For a, b, c ε S, (a • b) • c = a • (b • c).
The Commutative Property: For a, b ε S, a • b = b • a.
The Distributive Property: Given two operations on the set, + and *, * distributes over
+ if the following holds: For a, b, c ε S, a * (b + c) = (a * b) + (a * c).
5
An Algebraic Group: This is a set S with one operation, say •, and the following 4
properties:
1.
2.
3.
4.
Closure under •.
Identity under •.
An inverse for all elements of the set under •.
Associativity under •.
Notice that commutativity is NOT one of the properties of a group. There are groups
which are commutative and it is generally easier to think of an example of a commutative
group than a plain group. For instance, consider the positive and negative integers under
addition. This satisfies all four of the requirements for a group and in addition the
commutative property holds. In honor of the great Norwegian mathematician Niels
Henrik Abel, who proved the general insolubility of the quintic equation, commutative
groups are usually called Abelian groups.
What follows is not a full exposition of the questions of commutativity and inverses—
simply an illustration of the fact that you have encountered mathematical constructs
where not all of the familiar rules of algebra in the integers or reals apply.
Let A be an m x n matrix. Let B be an n x p matrix. Let the • represent standard matrix
multiplication. Then A • B is a well defined operation because A has the same number of
columns as B has rows. On the other hand, A • B ≠ B • A because B • A is not even a
valid product, assuming that p ≠ m. Thus, in general, matrix multiplication is NOT
commutative. It is commutative only in the special case of square matrices.
The zero matrix of any size has no inverse, but a non-zero matrix might also have no
inverse. A given non-zero matrix might also have an inverse on one side but not the
other. Examples will be given.
First of all, consider any zero matrix such as the following:
 0 0


 0 0
There is no 2 x 2 matrix that it can be multiplied by to arrive at the identity:
 1 0


0
1


Now consider a matrix where the rows and columns are linear combinations of each
other:
 1 2


 2 4
6
An inverse would be of this form:
a b


c d
For the inverse to work, these equations, among others, would have to be satisfied:
a + 2c = 1
2a + 4c = 0
This system is inconsistent, so no inverse of the matrix can exist.
Keep in mind that a right hand inverse matrix of A, say A1-1, has to be n x m, and the
product A • A1-1 would give Im, the square identity matrix with dimensions m x m. A left
hand inverse matrix of A, A2-1, has to be n x m, and the product A2-1 • A would give In,
the square identity matrix with dimensions n x n.
Now consider this matrix:
1 1


 1 2
 2 1


You can verify that it has this unique left hand inverse:
1 
1  2

3
3
1 1
2 
3
3

You can also verify that this is not the right hand inverse, and in fact show that the
equations for a right hand inverse are inconsistent, meaning that one doesn’t exist.
To repeat, this tangent is not intrinsically important. It was pursued merely to remind
you that you have encountered algebraic systems where the behavior is not the same as
with standard arithmetic in the real numbers. In particular, commutativity and inverses
may be an issue.
An Algebraic Ring: This is a set S with two operations, addition (+) and multiplication
(*) and the following properties:
1. Under addition, S is an Abelian group.
2. S is closed under multiplication.
7
3. Multiplication is associative.
4. Multiplication distributes over addition.
For our purposes the ring is an intermediate structure. We are more interested in the
structure that follows, which has a definition which relies on knowing both what a group
and a ring are.
An Algebraic Field: This is a set S with two operations, addition (+) and multiplication
(*) and the following properties:
1. S is a ring.
2. With the exception of the 0 element (the additive identity), which does not have a
multiplicative inverse, S satisfies the requirements for an Abelian group under
multiplication.
You may have heard the expression “the field of real numbers”. This means that the real
numbers form an algebraic field. The properties given above correspond to the everyday
characteristics of arithmetic with real numbers that we are used to.
The concept of an algebraic field is important because a lot of advanced cryptography is
based on it. In the next section modular arithmetic will be discussed and the claim will
be asserted that modular arithmetic leads to an algebraic field. RSA encryption is based
on the problem of finding multiplicative inverses and algebraic such as this is needed in
order to know whether inverses exist and what the algorithms might be for finding them.
III.
Modular Arithmetic and Modular Fields
Modular arithmetic means finding the remainder when one integer is divided by another.
The following statements are equivalent in describing the operation of modulus for
integers a, b, c, and n:
a mod n = b
a%n=b
a=c*n+b
You have already encountered modular arithmetic applied to cryptography in a very
simple way. If the letters from a to z are represented by the integers from 0 to 25,
Caesar’s cipher can be expressed using modular arithmetic:
c = (p + 3) mod 26
It is also possible to devise ciphers of this form:
8
c = (p * 3) mod 26
I assert without proof that the cipher above works OK. However, consider the following
cipher:
c = (p * 2) mod 26
The integer 0 stands for a and the integer 13 stands for n. Under this scheme they both
encode to 0, or a. This is a collision. These kinds of collisions happen all the way
through the scheme. 1 stands for b and 14 stands for o. Both would encode to 2, or c,
another collision. This observation provides an entry point to asking algebraic questions
about modular arithmetic. I observe that 3 and 26 are relatively prime and that 2 and 26
are not. Could this be the basis for the success of one of the schemes and the failure of
the other? This question won’t be answered right now. Instead, continuing with the
exploration of modulus, consider again:
a mod n = b
By definition b is the remainder upon integer division by n. This means that 0 <= b < n.
Given some finite n, the number of different values that b can take on is finite.
If a can be taken from among the integers without restriction, then there is an infinite set
of values a for which the modulus n is b. Another way of saying this is that the operation
modulus n divides the set of integers into n – 1 equivalence classes, each of which is
infinite.
The idea of equivalence of integers under modulus is defined. “x and y are equivalent
modulus n” can be expressed using this notation:
x ≡n y
This means:
(x mod n) = (y mod n)
In other words, x and y are in the same one of the n – 1 equivalence classes defined by
modulus n.
The following is also true:
x ≡n y ↔
(x – y) = kn for some integer k
That is, the difference between any two elements of a modular equivalence class is an
integer multiple of n. In case this isn’t clear, consider the following:
9
x = cn + b and y = dn + b for some c and d
Then:
x – y = (c – d)n
In other words, k = c – d, and the difference between x and y is indeed a multiple of n.
What does any of this have to do with the presentation of the algebraic structures in the
previous section?
1.
2.
3.
4.
Given some prime integer n.
Given the set S = {0, 1, 2, …, n – 1}.
Given an operation denoted “+” defined as normal integer addition modulus n.
And given an operation denoted “*” defined as normal integer multiplication
modulus n.
5. This set of components forms an algebraic field known as a modular field.
This fact will not be demonstrated in general at this point. Even without proof, the
implications need to be noted because they are relevant to cryptographic uses of modulus.
What follows is a particular example of a modular field which is designed to illustrate the
idea.
Suppose you choose n = 5, as your prime number. The set S = {0, 1, 2, 3, 4}. If addition
is defined as addition mod 5, you can write a simple addition table for the set:
+
0
1
2
3
4
0
0
1
2
3
4
1
1
2
3
4
0
2
2
3
4
0
1
3
3
4
0
1
2
4
4
0
1
2
3
You can verify all of the entries in the table, but just a few should illustrate the general
idea:
(3 + 4) mod 5 = (7) mod 5 = 2
It is true that in doing the arithmetic in this way, we make use of the value 7. 7 is not an
element of the set, but this is not a problem because 7 is not the final answer. Speaking
algebraically, the key property illustrated by this is closure, a property needed for the
structure.
You might also ask, if this is the table for the addition operation, is it clear that every
element in S has an additive inverse? Take this for example:
10
(2 + 3) mod 5 = (5) mod 5 = 0
This looks a little strange because the additive inverses are not negative. There are no
negative elements in the field in the sense that the integers or the reals have negatives.
However, by definition 2 and 3 are additive inverses of each other. You can quickly
confirm that every element has an additive inverse by observing that each row and each
column in the addition table contains one (and only one) zero element.
A more complete review of the algebraic properties of modular fields will come shortly,
but first, it’s useful to take a look at a multiplication table. For n = 5 you get:
*
0
1
2
3
4
0
0
0
0
0
0
1
0
1
2
3
4
2
0
2
4
1
3
3
0
3
1
4
2
4
0
4
3
2
1
Again, taking a few example illustrates the idea:
(3 * 4) mod 5 = (12) mod 5 = 2
(2 * 3) mod 5 = (6) mod 5 = 1
Observe that the value 1 is the multiplicative identity, and the second example illustrates
the fact that 2 and 3 are multiplicative inverses of each other. It is a coincidence the same
values are both additive and multiplicative inverses in this example. You can also
observe that 0 does not have a multiplicative inverse and that 1 appears in every other
row and column, indicating that all other elements of the field have multiplicative
inverses.
In passing it’s possible to notice two things about the multiplication table: It’s symmetric
and every row and every column contains exactly one occurrence of each of the values of
S. You could also state this by observing that each row and each column is a permutation
of S. This is a momentary detour, but hopefully it will also give some insight into what is
going on. Consider the multiplication table mod 4. Keep in mind that the claim was
made that if n is prime, you get a field. The implication was that if n is composite you
don’t.
*
0
1
2
3
0
0
0
0
0
1
0
1
2
3
2
0
2
0
2
3
0
3
2
1
11
Notice that the row and column for element 2 do not contain a 1. In other words, 2 does
not have a multiplicative inverse in this structure. Many other little discoveries might be
lurking here, but that alone is enough to confirm that the structure is not an algebraic
field.
Although the statement was made that if n is prime what you get is a modular field, and
although the little example illustrated the idea, it might be helpful to run through the
properties this gives you:
1. Associativity:
(a + (b + c)) mod n = ((a + b) + c) mod n
(a * (b * c)) mod n = ((a * b) * c) mod n
2. Commutativity:
(a + b) mod n = (b + a) mod n
(a * b) mod n = (b * a) mod n
3. Distributivity:
(a * (b + c)) mod n = ((a * b) + (a * c)) mod n
4. Identities:
(a + 0) mod n = (0 + a) mod n = a
(a * 1) mod n = (1 * a) mod n = a
5. Inverses:
This is purely notation: An additive inverse, -a, such that (a + (-a)) mod n = 0 exists
for all a. We know in fact that the arithmetic value of the inverse “-a” is not negative
a in the reals, a value that does not exist in S, but is n – a.
This is also notation: A multiplicative inverse, a-1, such that (a * (a-1)) mod n = 1
exists for all a except 0. We know in fact that the arithmetic value of the inverse “a-1”
is not 1/a in the reals, a value that does not exist in S. It is not clear at this point how
to find the inverse. Its algebraic properties will be of interest.
Modular arithmetic also has an additional property. This is not a field property, simply a
computational property that might be useful when doing modular arithmetic. The
property is called reducibility, and what it basically means is that taking the modulus of
some expression “distributes” over its parts. In other words, you can apply modulus to
subparts of expressions in order to simplify them and then find the modulus of the
combined the results rather than having to evaluate the whole expression and then find
the modulus.
In order to show that this is true for the addition operation, consider the following:
a mod n = ra
↔
a = cn + ra
b mod n = rb
↔
b = dn + rb
12
Consider what happens when you evaluate the whole expression first:
(a + b) mod n
= ((cn + ra) + (dn + rb)) mod n
= (n(c + d) + (ra + rb)) mod n
= (ra + rb) mod n
However, this expression matches what you would get if you applied modulus to the
parts of the expression first:
= ((a mod n) + (b mod n)) mod n
By the way, if (ra + rb) < n, then the final result would simply be (ra + rb).
A general statement of reducibility under addition is the following:
(a + b) mod n = ((a mod n) + (b mod n)) mod n
Reducibility also applies under multiplication. You can show that it works by evaluating
the expression and simplifying the result.
(ab) mod n
= ((cn + ra)(dn + rb)) mod n
= (cndn + cnrb + radn + rarb) mod n
= (n(cdn + crb + rad) + rarb) mod n
= (rarb) mod n
However, this expression matches what you would get if you applied modulus to the
parts of the expression first:
= ((a mod n)(b mod n)) mod n
A general statement of reducibility under multiplication is the following:
(ab) mod n = ((a mod n)(b mod n)) mod n