International Conference on Computer Systems and Technologies - CompSysTech’2003

Teaching Cryptologic Mathematics

P. Caballero-Gil, C. Bruno-Castañeda, C. Hernández-Goya

Abstract: This work addresses the topic of Mathematics Education in Computing Curricula through the stimulating subject of Cryptology. It deals with the simple and complex mathematical concepts involved in several aspects of cryptology, including basic information relating to several algorithmic ciphers and applications. Different mathematical objects such as functions, matrices, modular arithmetic, counting, elementary number theory, equations, descriptive statistics, graphs, probability and boolean logic constitute the theoretical and practical basis of cryptology, so they should be taught before students take advanced cryptologic courses. For this reason, a core course on Cryptologic Mathematics is proposed here in order to incorporate such mathematical concepts in a captivating and practical way through basic cryptographic and cryptanalytic activities.

Key words: Cryptology, Mathematics, Education

INTRODUCTION

Since its foundation just half a century ago, computing has become a truly living field that characterizes the technology of our times. The rapid evolution of the discipline has had a profound effect on computer science education, affecting both content and pedagogy. Among the most recent technical advances, information security should be singled out as being more and more important in our information society. Therefore, new curricular courses are required in order to meet the increasing need for skills and competences in Cryptology and Security subjects. This is the main reason for the 2001 communication of the European Commission entitled “Network Security: a European Policy Approach”, which addressed the need for educational systems to place more emphasis on courses focused on security.
Until recent years there were few curricula in Cryptology and Security subjects across Europe. Recently several new specialized elective programs dealing with these subjects have been set up; however, in general, higher education in computer science does not address such issues as it should, given their practical importance. One of the reasons may be the lack of qualified teachers with enough knowledge of both the mathematical aspects and their applications. One of the starting-point ideas of this work is that certain mathematical abilities are necessary in this increasingly computerized world. In fact, mathematics is usually recognized as one of the three primary foundations of computer science because mathematical techniques and formal reasoning are viewed as essential to most areas of computer science. For example, functional programming and problem solving draw directly upon the mathematical concept of a function; algorithmic analysis depends heavily on the mathematical topics of counting and probability; the discussion of concurrency is closely related to graph theory; and both program verification and computability build upon logic. Thus, it is critical for computer science programs to include, early and often, enough adequate mathematics so that students understand the theoretical foundations of the discipline.

The main objective of this work is the enrichment of Computing Curricula through the adaptation of the mathematics that students receive to the mathematics they really need. The proposed way to integrate this idea into the curriculum is based on the design of new courses combining Mathematics with current topics that depend on it and require more space in programs. Cryptology may be seen as a common branch of Mathematics and Computing, so it may be used as an excellent vehicle for presenting many fundamental mathematical concepts while explaining practical cryptologic applications.
According to our proposal, it is essential to emphasize the use of mathematical techniques throughout the program. So, as an example, several underlying mathematical concepts are pointed out here in a quick trip through Cryptology. In this way students get the basics of cryptology and at the same time learn the mathematical tools necessary to tackle other curricular courses.

When preparing Cryptologic Mathematics lessons two major questions should be answered: what to teach and how to teach it. In order to answer the first question, one of the factors the teacher has to take into account is the preliminary mathematical knowledge of the students. On the other hand, since infinity does not exist in computers, because the range of numbers that can be computationally handled is finite, the most suitable mathematics to teach in computing curricula is discrete mathematics, and so it is in Cryptologic Mathematics. After establishing the contents of the course, another serious problem arises: how to present the selected topics. A fine solution may be to orient the course from the introduction of cryptologic concepts to the mathematics behind them. On the other hand, it might be convenient to adopt this course within an interdisciplinary approach because cryptology requires a variety of highly specialised skills, including other scientific aspects such as historical, legal, commercial and management ones, so these facets might be dealt with in other parallel courses. The proposed course sketched in this work should be longer than 60 hours because it should provide students not only with the necessary discrete mathematics but also with a description of the essential ciphers and their use in secure communication protocols, and a basic knowledge of several new applications expected to be relevant in the near future.
In order to implement the course, the most convenient approach is algorithmic because, by introducing the methods using pseudocode instead of an executable language, students are required to reason about the algorithms without having to deal with the peculiarities that programming languages inevitably introduce.

FUNCTIONS, MATRICES AND BOOLEAN ALGEBRA THROUGH SECRET-KEY

A cipher is a wonderful illustration of a function because in its intuitive definition it is easy to see that for each plain letter (element of the domain) there can be only one ciphered letter (element of the range). Furthermore, for the deciphering process it is necessary that the cipher function be injective in order to be invertible. Cryptology has a long and rich history with many interesting basic cipher schemes that make it possible to go deeper into different mathematical topics. The idea of using arithmetic operations to construct such a cipher function goes back at least to the Romans. So, from the introduction of an easy cipher like the Caesar substitution, not only do several basic analytical definitions of function, domain and range, and properties such as being injective, surjective, invertible or linear come up naturally, but a basic knowledge of modular arithmetic and finite fields is also fundamental. A substitution is a simple cipher whose key is based on shifts of the alphabet. Those substitutions that use only one shift of an alphabet of n letters (like the Caesar cipher and any system based on a permutation of single-letter message units) are called monoalphabetic and are vulnerable to frequency analysis through letter counting, whereas polyalphabetic substitutions (like the Vigenère cipher) are safer because they use more than one shift. The Vigenère cipher shifts each block of k letters by a key word of length k; in other words, it is a translation of Z_n^k by a fixed vector.
The cryptanalysis of polyalphabetic substitutions is also possible through discovering the key's period, coding the alphabet with decimal numbers, and solving simple linear equations. So, at this point it is natural to jump to the asymptotic version of the polyalphabetic cipher, the so-called one-time pad, where the key is a totally random and potentially infinite sequence. It is interesting to remark that although the one-time pad is the only theoretically perfect cipher, it is not practical due to its key's length. Perhaps the proof of such perfect secrecy is the most sophisticated mathematical result in cryptography before the 1970s.

Consequently, the topic of substitution may be used to teach and consolidate statistical notions such as percentages, histograms, testing and randomness. Also, the number of keys available in a monoalphabetic substitution cipher (resulting from all the possible shifts of the alphabet) is a nice way to bring in factorials. On the other hand, it is also possible to introduce matrix manipulation through substitution ciphers. For instance, basic arithmetic matrix operations such as addition, subtraction and inversion may be used to define the Hill cipher and its natural generalization to polygram substitutions. Finally, substitutions are part of composed ciphers extensively used in commercial cryptography, such as the block ciphers DES and Rijndael, which may be used to define the composition of functions.

Regarding modern secret-key cryptography, a stream cipher is a cryptographic system in which a plain message binary sequence and a key binary sequence are added bitwise modulo 2. The deciphering process is exactly the same operation applied to the ciphered message and the key binary sequences.
So, binary sequences generated by non-linear functions applied to the stages of one or more linear feedback shift registers have important applications as keys in such additive stream ciphers. Since most non-linear generators are based on simple boolean operations, this kind of cipher is convenient for practicing boolean algebra. To close the theme of secret-key cryptography, it is advisable to remark that its major disadvantage is key management, because the number of shared secret keys increases with the number of users. So, this subject may be introduced to practice counting and to mention the issue of communication complexity.
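The additive stream cipher of the two paragraphs above, as an added example that is not part of the paper: three linear feedback shift registers, a non-linear combining function built from AND, NOT and XOR, and a single bitwise-XOR routine that serves for both ciphering and deciphering. The register lengths, feedback taps, seeds and combining function are illustrative choices made here, not values from the text.

```python
# Added example (not from the paper): an additive stream cipher whose key
# sequence is a non-linear boolean function of three LFSR output sequences.

def lfsr(seed, taps):
    """Fibonacci LFSR over GF(2). seed = bits s_0..s_{n-1} (not all zero);
    taps = stage indices whose XOR forms the new bit, i.e. the recurrence
    s_{t+n} = XOR of s_{t+i} for i in taps. Yields the oldest stage each step."""
    state = list(seed)
    while True:
        yield state[0]
        new_bit = 0
        for i in taps:
            new_bit ^= state[i]
        state = state[1:] + [new_bit]

def combine(x1, x2, x3):
    """Non-linear combiner from simple boolean operations (Geffe-style):
    f = (x1 AND x2) XOR ((NOT x1) AND x3)."""
    return (x1 & x2) ^ ((x1 ^ 1) & x3)

def keystream(seeds, tap_sets):
    """Key sequence: the combiner applied stage by stage to the three registers."""
    regs = [lfsr(s, t) for s, t in zip(seeds, tap_sets)]
    while True:
        yield combine(next(regs[0]), next(regs[1]), next(regs[2]))

def xor_bits(bits, key_bits):
    """Bitwise addition modulo 2; identical for ciphering and deciphering."""
    return [b ^ next(key_bits) for b in bits]

def first_bits(seed, taps, count):
    """First `count` output bits of one register (useful for period checks)."""
    gen = lfsr(seed, taps)
    return [next(gen) for _ in range(count)]

def first_keystream_bits(count):
    gen = keystream(SEEDS, TAPS)
    return [next(gen) for _ in range(count)]

# Constructed key: registers of coprime lengths 4, 5 and 7 with feedback
# s_{t+4}=s_{t+3}+s_t, s_{t+5}=s_{t+2}+s_t, s_{t+7}=s_{t+1}+s_t (mod 2), i.e.
# the primitive polynomials x^4+x^3+1, x^5+x^2+1, x^7+x+1, so each register
# runs through its maximal period 2^n - 1 (15, 31 and 127).
SEEDS = ([1, 0, 0, 1], [1, 1, 0, 1, 0], [1, 0, 1, 1, 0, 0, 1])
TAPS = ([0, 3], [0, 2], [0, 1])

def encrypt(message_bits):
    return xor_bits(message_bits, keystream(SEEDS, TAPS))

def decrypt(cipher_bits):
    # Same key sequence, same operation: (m XOR k) XOR k = m.
    return xor_bits(cipher_bits, keystream(SEEDS, TAPS))

if __name__ == "__main__":
    msg = [0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1]
    c = encrypt(msg)
    print("message   :", msg)
    print("ciphertext:", c)
    print("recovered :", decrypt(c))
```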
PRIMES, VECTORS AND CURVES THROUGH PUBLIC-KEY

Only rather elementary algebra and number theory were used in cryptography until the late 1970s, when a new type of cryptography, called public-key, was proposed. At the heart of this concept is the idea of using a one-way function for ciphering. So, the concept of public-key ciphers may be introduced in a mathematics lesson by means of a real-life analogy with one-way streets, where it is easy to go from a point P to another point Q, whereas it is practically impossible to go from Q to P. According to this analogy, the public-key cipher may be viewed as the direction from P to Q because, although you are able to go in this direction, this does not enable you to go in the opposite direction, i.e. to decipher. To make this possible, in any public-key infrastructure each user Alice should have a public cipher key c_A and the corresponding private decipher key d_A, interrelated through a one-way function. So, the invention of public-key cryptography led to a dramatic expansion of the role of algebra and number theory in cryptography because this type of mathematics seems to provide the best source of one-way functions.

After explaining that no good algorithm exists for solving a concrete difficult problem like factorisation, one can show that there is, however, a simple algorithm for "going backwards", i.e., starting with a solution and constructing a difficult instance of the problem around it. Such a one-way function constitutes the foundation of the best-known public-key cipher, the so-called RSA. This cipher can be easily introduced after having taught the basics of modular arithmetic in the substitution lessons. RSA may be described as follows. Each user Alice has a public key c_A = (n_A, e_A) consisting of a composite number n_A = p_A q_A (where p_A and q_A are primes) and an encryption exponent e_A. The security of the system is based on the secret factorisation of n_A. The corresponding decipher key d_A should satisfy the modular equation e_A d_A = 1 (mod (p_A - 1)(q_A - 1)), which is easily computed with the Euclidean algorithm. To cipher a message M, a user Bob should raise it to the power e_A, reduce modulo n_A, and send the result to Alice, who should decipher it by raising it to the power d_A and reducing modulo n_A. So, the RSA cipher is an excellent opportunity for students to practice several basic number-theoretic algorithms, including greatest common divisor, multiplicative inverse modulo n_A, raising to powers modulo n_A and factorability, and to discover the usefulness and properties of prime numbers. Also the subject of standard computational complexity classes may be introduced.

As a side excursion, it is possible to explain digital signatures based on the RSA cipher. Digital signatures also allow the introduction of a specific kind of one-way function called a hash. A hash function is a map h from a long input x to a much shorter output y such that it is not feasible to find two different inputs x and x' such that h(x) = h(x'). Having introduced hash functions, the RSA digital signature may be described as follows.
After sending Bob the message x, Alice signs it in the following way: first she hashes it using the public hash function h; then she raises y = h(x) to the power d_A, reduces modulo n_A and sends the result y' to Bob. After receiving the message x, Bob computes y = h(x), raises y' to the power e_A and reduces modulo n_A. If the result agrees with y, then he knows that Alice must in fact have sent him the message x.

A simple public-key cipher based on the knapsack problem may be used with students to practice vector multiplications. Intuitively, the knapsack problem consists in completely filling a knapsack of a given volume with some items from a set with different volumes. Such a problem is another fine example of a one-way function because it is very easy to choose several concrete items to define a knapsack, and then to state a difficult instance of the problem. In spite of its general difficulty, there exists a very easy knapsack problem instance, the so-called superincreasing knapsack, consisting of a vector of items such that each volume exceeds the sum of the preceding volumes. Such a knapsack may be easily solved by the principle of "the biggest item first". In the knapsack cipher Alice should choose as her private key d_A = (v_A, W'_A), where v_A is an integer and W'_A is a superincreasing knapsack vector. Another integer u_A with no common factors with v_A should then be chosen by Alice, who states her public key W_A by means of the difficult knapsack vector resulting from the reduction modulo u_A of the multiplication v_A W'_A. In order to cipher a message, Bob should first encode it into bits, and divide the result into binary vectors M whose lengths coincide with the length of W_A. Once this is done, the cipher of every vector M is the vector multiplication W_A M, and its deciphering is only possible for Alice, who can obtain v_A^{-1} modulo u_A and consequently solve the superincreasing knapsack resulting from the multiplication v_A^{-1} W_A M.
Anyway, although knapsack ciphers are a didactic opportunity to practice vector multiplications, note that they have already been broken, so they have no usefulness in real-life cryptography.

More reliable public-key ciphers are those based on elliptic curves over finite fields. The simplest elliptic curve E: y^2 = x^3 - x, whose graph is easily represented, can be used to introduce the basic notions of elliptic ciphers. So, after having taught the representation of curves, a brief definition of the addition of two points is necessary to introduce an elliptic cipher, whose description is as follows. Alice's public key is the point d_A S, where S is a public point of the curve E and d_A is a secret random integer, and each message is encoded into a point M of E. In order to cipher M, Bob should choose a random integer k_B and send Alice the points (k_B S, M + k_B (d_A S)). So, to decipher, Alice should multiply the first coordinate by her private key d_A and subtract the result from the second coordinate. Note that in this case the teaching procedure is the inverse of the other proposals because the educator should begin with the mathematical subject of curve representation in order to introduce, through the previous simple example, one of the most promising ciphers.

PROBABILITIES, GRAPHS, AND EQUATIONS THROUGH PROTOCOLS

As mentioned before, a major problem in secret-key cryptography is key management. In order to solve it, two users may exchange public information to agree upon a random binary sequence so that it can be used as a shared secret key. As a way to carry this out, simple coin flipping and bit commitment protocols based on the idea of the "evens or odds" game may be introduced, which furthermore gives the opportunity to go deeper into topics like randomness. Coin flipping protocols are used by two users to generate a common random binary sequence where “A wins” may be interpreted as "0", and “B wins” as "1".
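Returning to the elliptic cipher of the previous section, here is an added example (not the paper's own code) of the curve E: y^2 = x^3 - x taken over the finite field F_23, with chord-and-tangent point addition, scalar multiplication, and the cipher (k_B S, M + k_B (d_A S)) deciphered as M = C2 - d_A C1. The prime 23, the base point, the keys and the message point are constructed choices, far too small for real use.

```python
# Added example (not from the paper): E: y^2 = x^3 - x over F_23 and the
# elliptic cipher described in the text.

P = 23          # field prime (a constructed choice)
A, B = -1, 0    # curve y^2 = x^3 + A x + B, i.e. y^2 = x^3 - x
INF = None      # point at infinity, the neutral element of the group

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)

def add(p1, p2):
    """Chord-and-tangent addition of two points of E over F_P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF          # p2 == -p1 (covers doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def mul(k, pt):
    """Scalar multiple k*pt by double-and-add."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def ec_keygen(s, d_a):
    return mul(d_a, s)                       # Alice's public key d_A S

def ec_encrypt(s, pub, m, k_b):
    return mul(k_b, s), add(m, mul(k_b, pub))   # Bob: (k_B S, M + k_B (d_A S))

def ec_decrypt(d_a, cipher):
    c1, c2 = cipher
    return add(c2, neg(mul(d_a, c1)))        # Alice: M = C2 - d_A C1

if __name__ == "__main__":
    S = (10, 1)        # public base point; it has order 12 in this group of 24 points
    d_A = 5            # Alice's secret integer
    pub = ec_keygen(S, d_A)
    M = (15, 5)        # message encoded as a point of E
    cipher = ec_encrypt(S, pub, M, 7)
    print("public key:", pub, "cipher:", cipher, "deciphered:", ec_decrypt(d_A, cipher))
```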
On the other hand, a bit commitment protocol is a procedure that allows a user Alice to put a secret inside an envelope in such a way that she cannot modify the secret after closing it, and nobody can read the secret until she opens it. It is possible to define a coin flipping scheme based on one-way functions through little examples that allow students to experiment with modular arithmetic and the parity of numbers. In a general proposal it is supposed that the users Alice and Bob have previously agreed on a one-way function f from X to Y, where X is a finite set of integers that contains the same quantity of odd and even numbers. So, the algorithm is defined as follows. First Alice chooses a random element x in X, and sends y = f(x) to Bob. Then Bob bets publicly that x is even or odd, and Alice tells him whether his bet is correct or not, proving it to him by revealing x. Finally Bob checks that f(x) = y. Note that if f is not adequately chosen, then it is possible that Alice cheats and knows two values x and x' of different parity such that f(x) = f(x'). In a concrete version of this protocol f might be a quadratic residue, so Bob would have to decide whether its square root is even or odd.

Another proposal of coin flipping based on the use of any commutative public-key cipher may be described as follows. Bob commits to a bet on the coin flipping and communicates the commitment to Alice, who generates two messages corresponding to "heads" and "tails", ciphers both messages with her public key, and sends both results to Bob. Then he chooses one of the two received messages at random, ciphers it with his public key and returns the result to Alice. In the two final steps Alice deciphers the received message with her secret key and returns the result to Bob, and he deciphers the obtained message with his secret key, recovering the result of his bet, which he sends to Alice.
Various other cryptographic applications such as oblivious transfer and some multiparty protocols can be used to practice properties such as randomness, uniqueness and indistinguishability. In an oblivious transfer Alice wants to transfer a secret to Bob in such a way that it is transferred with probability 1/2, and in the end Bob knows whether he got the secret, but Alice does not. An example of this esoteric protocol where the information to transfer is the factorization of a product of two primes may be used to practice the Euclidean algorithm. In such a protocol first Alice chooses at random two primes p_A and q_A, and sends Bob the product n_A = p_A q_A. After that, Bob chooses a random number x with no common factors with n_A, reduces x^2 modulo n_A, and sends the result to Alice, who can compute its four different square roots, which are {x, n_A - x, y, n_A - y}, thanks to her knowledge of p_A and q_A and the Chinese Remainder Theorem. So, Alice chooses one of them at random and sends it to Bob. If he receives y or n_A - y, then he can compute p_A and q_A thanks to the greatest common divisor of x + y and n_A, which is p_A or q_A. If, on the contrary, he receives x or n_A - x, then he cannot calculate them. In the end Alice does not know whether Bob received her primes or not, which usually turns out to be very intriguing for students.

The last two-party protocol mentioned in this work is especially important for handling the mathematical concept of proof. There have recently been several interesting developments in mathematical practice in the area of proof and verification that have provoked an active reconsideration of those basic issues.
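The oblivious transfer of the factorization of n_A = p_A q_A described above, as an added example that is not the paper's own code: Alice obtains the four square roots {x, n_A - x, y, n_A - y} by taking a root modulo each prime and gluing them with the Chinese Remainder Theorem, and Bob's gcd(x + root, n_A) yields a prime exactly when the root is not ±x. The example assumes p_A and q_A are congruent to 3 modulo 4 (so a root modulo a prime is one exponentiation); the primes and Bob's x are constructed toy values.

```python
# Added example (not from the paper): Rabin-style oblivious transfer of a factorization.
import math
import random

def crt(r_p, p, r_q, q):
    """The z in [0, p q) with z = r_p (mod p) and z = r_q (mod q), gcd(p, q) = 1."""
    return (r_p * q * pow(q, -1, p) + r_q * p * pow(p, -1, q)) % (p * q)

def sqrt_mod_prime(a, p):
    """Square root of a modulo a prime p = 3 (mod 4); None if a is a non-residue."""
    assert p % 4 == 3
    r = pow(a, (p + 1) // 4, p)
    return r if (r * r) % p == a % p else None

def square_roots_mod_n(a, p, q):
    """Alice's step: all four roots of a modulo n = p q via CRT on the sign choices."""
    rp, rq = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
    roots = {crt(s * rp, p, t * rq, q) for s in (1, -1) for t in (1, -1)}
    return sorted(roots)

def alice_reply(a, p, q, seed=None):
    """Alice sends one of the four roots chosen at random; she cannot tell which
    of them Bob already knows."""
    return random.Random(seed).choice(square_roots_mod_n(a, p, q))

def bob_learns_factor(x, root, n):
    """Bob's step: gcd(x + root, n) is a proper factor iff root is neither x nor n - x."""
    g = math.gcd(x + root, n)
    return g if 1 < g < n else None

def run_transfer(p, q, x, seed=None):
    """Whole exchange: returns the prime Bob learned, or None (probability 1/2 each)."""
    n = p * q
    assert math.gcd(x, n) == 1
    a = (x * x) % n                      # Bob sends x^2 mod n_A
    root = alice_reply(a, p, q, seed)    # Alice answers with a random root
    return bob_learns_factor(x, root, n)

# Constructed toy parameters: primes congruent to 3 mod 4 (tiny for illustration).
P_A, Q_A = 1019, 1031

if __name__ == "__main__":
    n = P_A * Q_A
    x = 12345
    print("roots of x^2 mod n:", square_roots_mod_n((x * x) % n, P_A, Q_A))
    for seed in range(6):
        print("run", seed, "-> Bob learned", run_transfer(P_A, Q_A, x, seed))
```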
So, a new type of proof that has little in common with its traditional form, the so-called zero-knowledge proof, is an interactive cryptographic protocol involving two parties, a prover A and a verifier B, which enables A to provide B with convincing evidence that a traditional proof of a theorem exists without disclosing any information about the proof itself. As a result of such an interaction, B is convinced that the theorem in question is true, but he has zero knowledge of the proof and thus cannot convince others. This kind of protocol has practical applications in strong identification and access control, when A tries to convince B of her identity by means of an on-line communication. In order to do so, she usually has identification information which everybody knows (and so does B), and corresponding secret information associated with her public identification, which only she can compute. So, to demonstrate her identity, A proves to B that she knows the secret information associated with her public identification through a zero-knowledge proof. In general, the public information is an instance of a difficult problem and the secret identification is a solution to such an instance. So, there are several mathematical problems, such as factoring or several graph problems, that may be used to introduce the concept. On the other hand, a common problem of all these schemes is the high communication complexity due to the number of iterations required in the algorithms in order to reduce the probability of fraud at each iteration. This aspect of zero-knowledge proofs also gives a wonderful opportunity to introduce several concepts of discrete probability such as independent events or the expected value.

A very practical protocol that allows the teaching of linear equations and determinants is secret sharing.
It consists in splitting a secret into w pieces that are distributed among users so that when some of them meet, the secret may be reconstructed. An interesting version of secret sharing, the so-called threshold schemes, may be used to practice the resolution of systems of linear equations. In this case the secret may be recovered from any t of the w pieces, and cannot be determined from any subset of t-1 or fewer pieces. Two of the most curious practical applications of threshold schemes are the nuclear launch code, which is a threshold scheme where any two of the president, the minister of foreign affairs or the minister of defence can combine their pieces to recover the secret code, and visual cryptography, which consists in reconstructing an image by overlapping a number of parts of it. Polynomials have two properties that are very useful for defining threshold schemes. The first one is that it is always possible to find the coefficients of f(x) if t points (x_i, y_i) with y_i = f(x_i) are given. On the other hand, it is not feasible to figure out anything about f(x) if only t-1 points on the polynomial are given. Both properties may be easily introduced to students through straight lines and planes. A threshold scheme based on polynomial interpolation to reconstruct a curve of degree t-1 from t points may be described as follows. The w pieces y_i are derived from a random polynomial of degree t-1, f(x) = a_{t-1} x^{t-1} + ... + a_1 x + a_0, whose constant coefficient is the secret, by evaluating f(x) on w different values x_1, ..., x_w: y_i = f(x_i), i = 1, ..., w. In this way f(x), and from it the secret, can be easily reconstructed from any t pieces by solving the linear equation system thanks to the Vandermonde determinant. It deserves to be remarked that the protocols described in this section are usually employed as ingredients of more practical and complex applications such as electronic elections, contract signing in networks and digital cash.
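The (t, w) threshold scheme described above, as an added example that is not the paper's own code: the pieces are values of a random degree t-1 polynomial over a prime field, any t of them are solved as a Vandermonde linear system by Gaussian elimination modulo the prime, and a second function makes the second property concrete by showing that t-1 pieces are consistent with every possible secret. The field GF(257), the (2, 3) "two of three ministers" setting and the secrets are constructed choices.

```python
# Added example (not from the paper): polynomial threshold secret sharing over GF(257).
import random

PRIME = 257

def eval_poly(coeffs, x, p=PRIME):
    """coeffs = [a_0, a_1, ..., a_{t-1}]; Horner evaluation of f(x) modulo p."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc

def make_shares(secret, t, w, seed=None, p=PRIME):
    """w pieces (x_i, f(x_i)), i = 1..w, of a random degree t-1 polynomial with f(0) = secret."""
    rng = random.Random(seed)
    coeffs = [secret % p] + [rng.randrange(p) for _ in range(t - 1)]
    return [(i, eval_poly(coeffs, i, p)) for i in range(1, w + 1)]

def solve_mod_p(matrix, rhs, p=PRIME):
    """Gauss-Jordan elimination over GF(p) for a square nonsingular system."""
    n = len(rhs)
    rows = [list(matrix[i]) + [rhs[i]] for i in range(n)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if rows[r][col] % p != 0)
        rows[col], rows[pivot] = rows[pivot], rows[col]
        inv = pow(rows[col][col], -1, p)
        rows[col] = [(v * inv) % p for v in rows[col]]
        for r in range(n):
            if r != col and rows[r][col]:
                factor = rows[r][col]
                rows[r] = [(a - factor * b) % p for a, b in zip(rows[r], rows[col])]
    return [row[n] for row in rows]

def recover_polynomial(shares, p=PRIME):
    """Solve V a = y, where V is the Vandermonde matrix of the pieces' x-values;
    t pieces determine all t coefficients a_0 .. a_{t-1}."""
    t = len(shares)
    vander = [[pow(x, j, p) for j in range(t)] for x, _ in shares]
    return solve_mod_p(vander, [y for _, y in shares], p)

def recover_secret(shares, p=PRIME):
    return recover_polynomial(shares, p)[0]      # the constant coefficient a_0

def consistent_secrets(shares, p=PRIME):
    """Given only t-1 pieces, count the secrets s in GF(p) for which a degree t-1
    polynomial passes through the pieces and through (0, s): it is every s."""
    count = 0
    for s in range(p):
        coeffs = recover_polynomial([(0, s)] + list(shares), p)
        if all(eval_poly(coeffs, x, p) == y for x, y in shares):
            count += 1
    return count

if __name__ == "__main__":
    # "Any two of three ministers": t = 2, w = 3.
    pieces = make_shares(42, 2, 3, seed=7)
    print("pieces:", pieces)
    print("two pieces recover:", recover_secret(pieces[:2]))
    print("secrets consistent with one piece:", consistent_secrets(pieces[:1]), "of", PRIME)
```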
CONCLUSIONS

Since it is important for computer science students to study discrete mathematics early in their academic program, and usually the restrictions of most programs make it difficult to add new topics without taking others away, here we propose to integrate the most necessary material on discrete mathematics directly into an introductory cryptology course. So, students can more easily appreciate how mathematical tools apply in practical contexts, while they have an incentive to learn the underlying theoretical concepts of computing. Consequently, the primary aim of this work has been to propose several possible mathematical subjects with which to compose a basic discrete mathematics course as a core prerequisite for students of Advanced Cryptology courses. A trip through some of the most relevant concepts of Cryptology has been made while pointing out various mathematical subjects related to them. In this way such relations are proposed to be used as invaluable sources of tools for teaching Discrete Mathematics and Cryptology jointly in Computer Science curricula. Finally, the proposal described in this work might be well combined with the use of the idea of information as a unifying theme to investigate a range of issues in computer science, including database systems, artificial intelligence, and data communication.
ABOUT THE AUTHORS

Prof. Pino Caballero-Gil, Ph.D.; Carlos Bruno-Castañeda, MSc; Candelaria Hernández-Goya, MSc. Department of Statistics, Operations Research and Computing, Faculties of Mathematics and Informatics, University of La Laguna, Tenerife, SPAIN. Phone: +34 922 318176