International Conference on Computer Systems and Technologies - CompSysTech’2003
Teaching Cryptologic Mathematics
P. Caballero-Gil, C. Bruno-Castañeda, C. Hernández-Goya
Abstract: This work addresses the topic of Mathematics Education in Computing Curricula through the
stimulating subject of Cryptology. It deals with the simple and complex mathematical concepts involved in
several aspects of cryptology, including basic information on several algorithmic ciphers and
applications. Different mathematical objects such as functions, matrices, modular arithmetic, counting,
elementary number theory, equations, descriptive statistics, graphs, probability and boolean logic constitute
the theoretical and practical basis of cryptology, so they should be taught before students take advanced
cryptology courses. Hence, a core course on Cryptologic Mathematics is proposed here in order to introduce
such mathematical concepts in a captivating and practical way through basic cryptographic and cryptanalytic
activities.
Key words: Cryptology, Mathematics, Education
INTRODUCTION
In the half century since its foundation, computing has become a thriving field
that characterizes the technology of our times. The rapid evolution the discipline has
experienced has had a profound effect on computer science education, affecting both
content and pedagogy. Among the most recent technical advances, information security
stands out as increasingly important in our information society, so new curricular courses
are required to meet the growing need for skills and competences in Cryptology and
Security. This is the main motivation behind the 2001 communication of the European
Commission entitled “Network Security: a European Policy Approach”, which addressed the
need for educational systems to give more emphasis to courses focused on security.
Until recent years there were few curricula in Cryptology and Security across
Europe. Recently several new specialized elective programs dealing with these subjects
have been set up; in general, however, higher education in computer science does not
address these issues as thoroughly as their practical importance warrants. One of the
reasons may be the lack of qualified teachers with enough knowledge of both the
mathematical aspects and their applications.
One of the starting points of this work is that certain mathematical abilities are
necessary in this increasingly computerized world. In fact, mathematics is usually
recognized as one of the three primary foundations of computer science, because
mathematical techniques and formal reasoning are viewed as essential to most areas of
computer science. For example, functional programming and problem solving draw directly
upon the mathematical concept of a function; algorithmic analysis depends heavily on the
mathematical topics of counting and probability; the discussion of concurrency is closely
related to graph theory; and both program verification and computability build upon logic.
Thus, it is critical for computer science programs to include, early and often, enough
adequate mathematics so that students understand the theoretical foundations of the
discipline.
The main objective of this work is the enrichment of Computing Curricula by
adapting the mathematics that students receive to the mathematics they really need.
The proposed way to integrate this idea into the curriculum is to design new courses
that combine Mathematics with current topics that depend on it and require more space
in programs. Cryptology may be seen as a branch shared by Mathematics and Computing,
so it may be used as an excellent vehicle for presenting many fundamental mathematical
concepts while explaining practical cryptologic applications. According to our proposal,
it is essential to emphasize the use of mathematical techniques throughout the program.
So, as an example, here several underlying mathematical
concepts are highlighted in a quick tour through Cryptology. In this way students
acquire the basics of cryptology and at the same time learn the mathematical tools
needed to tackle other courses in the curriculum.
When preparing Cryptologic Mathematics lessons two major questions should be
answered: what to teach and how to teach it. To answer the first, one of the factors the
teacher has to take into account is the students' prior mathematical knowledge. On the
other hand, since infinity does not exist in computers (the range of numbers that can be
handled computationally is finite), the most suitable mathematics to teach in computing
curricula is discrete mathematics, and so it is in Cryptologic Mathematics. After
establishing the contents of the course, another serious problem arises: how to present
the selected topics. A fine solution may be to orient the course from the introduction of
cryptologic concepts towards the mathematics behind them.
It might also be convenient to adopt this course within an interdisciplinary approach,
because cryptology requires a variety of highly specialised skills, including other scientific
aspects such as historical, legal, commercial and management ones, so these facets might
be dealt with in parallel courses.
The course sketched in this work should be longer than 60 hours, because it should
provide students not only with the necessary discrete mathematics but also with a
description of the essential ciphers and their use in secure communication protocols, and
a basic knowledge of several new applications expected to be relevant in the near future.
In order to implement the course, the most convenient approach is algorithmic: by
introducing the methods in pseudocode instead of an executable language, students are
required to reason about the algorithms without having to deal with the peculiarities that
programming languages inevitably introduce.
FUNCTIONS, MATRICES AND BOOLEAN ALGEBRA THROUGH SECRET-KEY
A cipher is a wonderful illustration of a function, because from its intuitive definition it
is easy to see that for each plain letter (element of the domain) there can be only one
ciphered letter (element of the range). Furthermore, for the decipher process the cipher
function must be injective in order to be invertible.
Cryptology has a long and rich history with many interesting basic cipher schemes
that make it possible to go deeper into different mathematical topics. The idea of using
arithmetic operations to construct such a cipher function goes back at least to the Romans.
So, from the introduction of an easy cipher like the Caesar substitution, not only do several
basic analytical definitions (function, domain and range, and properties such as being
injective, surjective, invertible or linear) come up naturally, but a basic knowledge of
modular arithmetic and finite fields also turns out to be fundamental.
A substitution is a simple cipher whose key is based on shifts of the alphabet.
Substitutions that use only one shift of an alphabet of n letters (like the Caesar cipher and
any system based on a permutation of single-letter message units) are called
monoalphabetic and are vulnerable to frequency analysis through letter counting, whereas
polyalphabetic substitutions (like the Vigenère cipher) are safer because they use more
than one shift. The Vigenère cipher shifts each block of k letters by a key word of length k;
in other words, it is a translation of Z_n^k by a fixed vector. The cryptanalysis of
polyalphabetic substitutions is also possible, by discovering the key's period, coding the
alphabet with decimal numbers, and solving simple linear equations. So, at this point it is
natural to jump to the asymptotic version of the polyalphabetic cipher, the so-called
one-time pad, where the key is a totally random and potentially infinite sequence. It is
interesting to remark that although the one-time pad is the only theoretically perfect
cipher, it is not practical because of its key length. Perhaps the proof of such perfect
secrecy is the most sophisticated mathematical result in cryptography before the 1970s.
Consequently, the topic of substitution may be used to teach and consolidate
statistical notions such as percentages, histograms, testing and randomness. Also, the
number of keys available in a monoalphabetic substitution cipher (resulting from all the
possible shifts of the alphabet) is a nice way to bring in factorials.
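The following Python code is an added example, not part of the paper: it treats the Caesar and Vigenère ciphers as translations of Z_26^k, builds the letter histogram used for frequency analysis, and recovers a Caesar shift with a simple frequency heuristic (the shift whose plaintext contains the most letters from ETAOIN, the six most common English letters). It also counts the key space both ways: 26 plain shifts, or 26! for an arbitrary permutation of the alphabet. The sample texts are constructed for the example.

```python
# Added example (not from the paper): substitution ciphers as functions on
# Z_26^k, a letter histogram, and a frequency heuristic that recovers a
# Caesar shift. All sample texts used with this code are constructed.
from collections import Counter
from math import factorial
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
N = len(ALPHABET)


def clean(text):
    """Keep only letters, upper-cased, so the message lives in Z_26^k."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def vigenere(text, key, decipher=False):
    """Translate each block of len(key) letters by the key vector.
    A one-letter key is the Caesar cipher; a random key as long as the
    message is the one-time pad."""
    sign = -1 if decipher else 1
    key_vec = [ALPHABET.index(k) for k in clean(key)]
    out = []
    for i, ch in enumerate(clean(text)):
        shift = sign * key_vec[i % len(key_vec)]
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % N])
    return "".join(out)


def caesar(text, shift, decipher=False):
    """Monoalphabetic shift: a Vigenère cipher with a key of length 1."""
    return vigenere(text, ALPHABET[shift % N], decipher)


def one_time_pad_key(length):
    """A fresh uniformly random key; it must never be reused."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def histogram(text):
    """Letter counts: the raw material for percentages and histograms."""
    return Counter(clean(text))


def break_caesar(ciphertext):
    """Try every shift and keep the one whose candidate plaintext contains
    the most letters from ETAOIN, the six most frequent English letters."""
    common = set("ETAOIN")
    best_shift, best_score = 0, -1
    for shift in range(N):
        candidate = caesar(ciphertext, shift, decipher=True)
        score = sum(1 for ch in candidate if ch in common)
        if score > best_score:
            best_shift, best_score = shift, score
    return best_shift


def key_space(general_permutation=False):
    """26 keys for plain shifts; 26! when any permutation is allowed."""
    return factorial(N) if general_permutation else N
```

With the 34-letter sentence "THE TEACHER SEES THE TREE AT THE EAST GATE" the correct shift scores 23 ETAOIN hits while no wrong shift scores more than 19, so the heuristic recovers the key; on longer, more varied text the same idea is usually phrased as a chi-squared comparison against the English letter frequencies.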
On the other hand, it is also possible to introduce matrix manipulation through
substitution ciphers. For instance, basic matrix operations such as addition, subtraction
and inversion may be used to define the Hill cipher and its natural generalization to
polygram substitutions. Finally, substitutions are components of the composed ciphers
extensively used in commercial cryptography, such as the block ciphers DES and Rijndael,
which may be used to define the composition of functions.
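As an added example (not code from the paper), here is the Hill cipher on pairs of letters: ciphering is a matrix-vector product modulo 26 and deciphering needs the inverse matrix, which exists only when the determinant is coprime with 26. The key matrix [[3, 3], [2, 5]] is a constructed teaching value.

```python
# Added example (not from the paper): the Hill cipher as matrix arithmetic
# modulo 26, including the matrix inversion needed to decipher.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
N = 26


def mat_mul_vec(K, v):
    """Product of a square matrix and a column vector, reduced modulo 26."""
    return [sum(K[i][j] * v[j] for j in range(len(v))) % N for i in range(len(K))]


def inverse_2x2(K):
    """Inverse of a 2x2 matrix modulo 26 via the adjugate. pow(det, -1, 26)
    raises ValueError when gcd(det, 26) != 1, i.e. the key is not invertible."""
    a, b = K[0]
    c, d = K[1]
    det = (a * d - b * c) % N
    det_inv = pow(det, -1, N)
    return [[(d * det_inv) % N, (-b * det_inv) % N],
            [(-c * det_inv) % N, (a * det_inv) % N]]


def hill(text, K, decipher=False):
    """Cipher (or decipher) letter pairs with key matrix K; odd-length
    messages are padded with X."""
    M = inverse_2x2(K) if decipher else K
    letters = [ch for ch in text.upper() if ch in ALPHABET]
    if len(letters) % 2:
        letters.append("X")
    out = []
    for i in range(0, len(letters), 2):
        v = [ALPHABET.index(letters[i]), ALPHABET.index(letters[i + 1])]
        out.extend(ALPHABET[x] for x in mat_mul_vec(M, v))
    return "".join(out)
```

Because each ciphertext pair depends on two plaintext letters, single-letter frequency counting no longer applies directly, which is why the text presents the Hill cipher as the step from monoalphabetic to polygram substitution.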
Regarding modern secret-key cryptography, a stream cipher is a cryptographic
system in which a plain message binary sequence and a key binary sequence are added
bitwise modulo 2. The deciphering process is exactly the same operation on the ciphered
message and the key binary sequence. So, binary sequences generated by non-linear
functions applied to the stages of one or more linear feedback shift registers have
important applications as keys in such additive stream ciphers. Since most non-linear
generators are based on simple boolean operations, this kind of cipher is convenient for
practising boolean algebra.
To close the theme of secret-key cryptography, it is worth noting that its major
disadvantage is key management, because the number of shared secret keys grows with
the number of users. So, this subject may be introduced to practise counting and to
mention the issue of communication complexity.
PRIMES, VECTORS AND CURVES THROUGH PUBLIC-KEY
Only rather elementary algebra and number theory were used in cryptography until
the late 1970s, when a new type of cryptography, called public-key, was proposed. At the
heart of this concept is the idea of using a one-way function to cipher. So, the concept of
public-key ciphers may be introduced in a mathematics lesson by means of a real-life
analogy with one-way streets, where it is easy to go from a point P to another point Q,
whereas it is practically impossible to go from Q to P. Under this analogy, the public-key
cipher may be viewed as the direction from P to Q: although you are able to go in this
direction, this does not enable you to go in the opposite direction, i.e. to decipher. To
make this possible, in any public-key infrastructure each user Alice should have a public
cipher key c_A and the corresponding private decipher key d_A, interrelated through a
one-way function. So, the invention of public-key cryptography led to a dramatic expansion
of the role of algebra and number theory in cryptography, because this type of mathematics
seems to provide the best source of one-way functions.
After explaining that no good algorithm exists for solving a concrete difficult problem
like factorisation, one can show that there is, however, a simple algorithm for "going
backwards", i.e., starting with a solution and constructing a difficult instance of the problem
around it. Such a one-way function constitutes the foundation of the best-known public-key
cipher, the so-called RSA. This cipher can be easily introduced after having taught the
basics of modular arithmetic in the substitution lessons. RSA may be described as follows.
Each user Alice has a public key c_A = (n_A, e_A) consisting of a composite number
n_A = p_A q_A (where p_A and q_A are primes) and an encryption exponent e_A. The security
of the system is based on the secret factorisation of n_A. The corresponding decipher key
d_A should satisfy the modular equation e_A d_A = 1 (mod (p_A - 1)(q_A - 1)), which is
easily computed with the Euclidean algorithm. To cipher a message M, a user Bob should
raise it to the power e_A, reduce modulo n_A, and send the result to Alice, who should
decipher it by raising it to the power d_A and reducing modulo n_A. So, the RSA cipher is
an excellent opportunity for students to practise several basic number-theoretic algorithms,
including greatest common divisor, multiplicative inverse modulo n_A, raising to powers
modulo n_A and factorisation,
and to discover the usefulness and properties of prime numbers. The subject of
standard computational complexity classes may also be introduced.
As a side excursion, it is possible to explain digital signatures based on the RSA cipher.
Digital signatures also allow the introduction of a specific kind of one-way function called a
hash. A hash function is a map h from a long input x to a much shorter output y such that it
is not feasible to find two different inputs x and x' with h(x) = h(x'). Having introduced
hash functions, the RSA digital signature may be described as follows. After sending Bob
the message x, Alice signs it in the following way: first she hashes it using the public hash
function h; then she raises y = h(x) to the power d_A, reduces modulo n_A and sends the
result y' to Bob. After receiving the message x, Bob computes y = h(x), raises y' to the
power e_A and reduces modulo n_A. If the result agrees with y, then he knows that Alice
must in fact have sent him the message x.
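The RSA cipher and the hash-then-sign signature of the two paragraphs above, as one added Python example that is not from the paper. The extended Euclidean algorithm supplies the inverse d_A of e_A modulo (p_A - 1)(q_A - 1). The primes 61 and 53 are tiny constructed teaching values, and the "public hash function h" is assumed here to be SHA-256 reduced modulo n_A so that h(x) lies in Z_n (a real signature scheme pads the hash instead of reducing it).

```python
# Added example (not from the paper): RSA key set-up via the extended
# Euclidean algorithm, cipher/decipher, and hash-then-sign signatures.
# Primes are constructed teaching values; h is SHA-256 reduced mod n
# (an assumption made for this example, not the paper's definition).
import hashlib


def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    if b == 0:
        return a, 1, 0
    g, s, t = extended_gcd(b, a % b)
    return g, t, s - (a // b) * t


def mod_inverse(a, m):
    """Multiplicative inverse of a modulo m, or ValueError if none exists."""
    g, s, _ = extended_gcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return s % m


def rsa_keys(p, q, e):
    """Public key (n, e) and private exponent d with e*d = 1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = mod_inverse(e, phi)
    return (n, e), d


def cipher(m, public):
    """Bob: M^e_A mod n_A."""
    n, e = public
    return pow(m, e, n)


def decipher(c, private_d, n):
    """Alice: C^d_A mod n_A."""
    return pow(c, private_d, n)


def h(x, n):
    """Public hash: SHA-256 of the message bytes, reduced into Z_n."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % n


def sign(x, private_d, n):
    """Alice: y' = h(x)^d_A mod n_A."""
    return pow(h(x, n), private_d, n)


def verify(x, y_prime, public):
    """Bob: accept iff y'^e_A mod n_A equals h(x)."""
    n, e = public
    return pow(y_prime, e, n) == h(x, n)
```

Changing the signature by one unit makes verification fail, since raising to e_A is a bijection on Z_n when e_A is invertible modulo (p_A - 1)(q_A - 1).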
A simple public-key cipher based on the knapsack problem may be used with
students to practise vector multiplication. Intuitively, the knapsack problem consists of
completely filling a knapsack of a given volume with some items from a set of items with
different volumes. Such a problem is another fine example of a one-way function, because
it is very easy to choose several concrete items to define a knapsack and then to state a
difficult instance of the problem. In spite of its general difficulty, there is a very easy kind
of knapsack instance, the so-called superincreasing knapsack, consisting of a vector of
items such that each volume exceeds the sum of the preceding volumes. Such a
knapsack may be easily solved by the principle of "the biggest item first". In the knapsack
cipher Alice should choose as her private key d_A = (v_A, W'_A), where v_A is an integer
and W'_A is a superincreasing knapsack vector. Another integer u_A with no common
factors with v_A should then be chosen by Alice, who states her public key W_A as the
difficult knapsack vector resulting from the reduction modulo u_A of the multiplication
v_A W'_A. In order to cipher a message, Bob should first encode it into bits and divide the
result into binary vectors M whose length coincides with the length of W_A. Once this is
done, the cipher of every vector M is the vector multiplication W_A M, and deciphering is
only possible for Alice, who can obtain v_A^{-1} modulo u_A and consequently solve the
superincreasing knapsack resulting from the multiplication v_A^{-1} W_A M. However,
although knapsack ciphers are a didactic opportunity to practise vector multiplication,
note that they have already been broken, so they are of no use in real-life cryptography.
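The knapsack cipher just described, written out as an added Python example (not the paper's code) so the vector arithmetic can be followed step by step: the private superincreasing vector W'_A, the modulus u_A and multiplier v_A, the public vector W_A = v_A W'_A mod u_A, the dot product W_A M that ciphers a bit vector, and the "biggest item first" solver that Alice applies after multiplying by v_A^{-1}. All numbers are constructed teaching values; as the text says, the scheme is broken and is shown only for its mathematics.

```python
# Added example (not from the paper): the superincreasing-knapsack cipher
# sketched above. Private key (v_A, W'_A) with modulus u_A; public vector
# W_A = v_A * W'_A mod u_A. Values are constructed teaching numbers.
from math import gcd


def is_superincreasing(w):
    """Each item must exceed the sum of all preceding items."""
    total = 0
    for item in w:
        if item <= total:
            return False
        total += item
    return True


def public_key(v, u, w_private):
    """W_A = v_A * W'_A mod u_A. Deciphering needs gcd(v, u) = 1 and
    sum(W'_A) < u_A, so that the reduction modulo u_A loses nothing."""
    if gcd(v, u) != 1 or not is_superincreasing(w_private) or sum(w_private) >= u:
        raise ValueError("invalid private key")
    return [(v * item) % u for item in w_private]


def solve_superincreasing(target, w):
    """'Biggest item first': greedy solution of the easy knapsack instance."""
    bits = [0] * len(w)
    for i in range(len(w) - 1, -1, -1):
        if w[i] <= target:
            bits[i] = 1
            target -= w[i]
    if target != 0:
        raise ValueError("no solution")
    return bits


def cipher(bits, w_public):
    """Bob: the vector product W_A . M of the public vector and the bits."""
    return sum(b * item for b, item in zip(bits, w_public))


def decipher(c, v, u, w_private):
    """Alice: v_A^{-1} * c mod u_A turns the hard instance into the easy one."""
    easy_target = (pow(v, -1, u) * c) % u
    return solve_superincreasing(easy_target, w_private)
```

Bob's dot product is a hard knapsack instance for anyone who only sees W_A; the condition sum(W'_A) < u_A is what guarantees that Alice's reduction modulo u_A returns exactly the easy instance and not a different number with the same residue.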
More reliable public-key ciphers are those based on elliptic curves over finite fields.
The simplest elliptic curve, E: y^2 = x^3 - x, whose graph is easily drawn, can be used to
introduce the basic notions of elliptic ciphers. So, after having taught the representation of
curves, a brief definition of the addition of two points is all that is needed to introduce an
elliptic cipher, described as follows. Alice's public key is the point d_A S, where S is a
public point of the curve E and d_A is a secret random integer, and each message is
encoded into a point M of E. In order to cipher M, Bob should choose a random integer
k_B and send Alice the pair of points (k_B S, M + k_B (d_A S)). So, to decipher, Alice should
multiply the first point of the pair by her private key d_A and subtract the result from the
second point. Note that in this case the teaching procedure is the reverse of the other
proposals, because the educator should begin with the mathematical subject of curve
representation and then introduce, through the simple example above, one of the most
promising ciphers.
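The elliptic cipher above, as an added Python example that is not from the paper: the curve E: y^2 = x^3 - x is taken over the prime field F_23 (an assumption; the text does not fix a field), point addition is the chord-and-tangent rule, scalar multiplication is double-and-add, and the cipher sends (k_B S, M + k_B(d_A S)). The prime 23, the base point S = (14, 4) and the message point M = (15, 5) are constructed values, far too small for real use.

```python
# Added example (not from the paper): E: y^2 = x^3 - x over F_23, its point
# addition, and the cipher (k_B*S, M + k_B*(d_A*S)) / M = C2 - d_A*C1.
# The prime, base point and message point are constructed teaching values.
P = 23            # field size (constructed; far too small for real use)
A_COEF = -1       # E: y^2 = x^3 + A*x + B with A = -1, B = 0
INF = None        # the point at infinity, the neutral element of E(F_p)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x)) % P == 0


def neg(pt):
    """-(x, y) = (x, -y)."""
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def add(p1, p2):
    """Chord-and-tangent addition of two points of E(F_p)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                          # p1 = -p2 (covers y = 0 too)
    if p1 == p2:
        slope = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P) % P   # tangent
    else:
        slope = (y2 - y1) * pow(x2 - x1, -1, P) % P               # chord
    x3 = (slope * slope - x1 - x2) % P
    y3 = (slope * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    result = INF
    addend = pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


S = (14, 4)       # public base point: 14^3 - 14 = 2730 = 16 = 4^2 (mod 23)


def public_key(d):
    """Alice publishes d_A*S and keeps d_A."""
    return mul(d, S)


def cipher(M, k, d_S):
    """Bob: (k_B*S, M + k_B*(d_A*S))."""
    return mul(k, S), add(M, mul(k, d_S))


def decipher(pair, d):
    """Alice: second point minus d_A times the first point."""
    c1, c2 = pair
    return add(c2, neg(mul(d, c1)))
```

On this curve the base point S has order 12 (12 S is the point at infinity), so the scalars students pick are effectively reduced modulo 12; the same code runs unchanged over a large prime, where the discrete logarithm d_A from d_A S is the one-way step.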
PROBABILITIES, GRAPHS, AND EQUATIONS THROUGH PROTOCOLS
As mentioned before, a major problem in secret-key cryptography is key
management. To solve it, two users may exchange public information in order to agree
upon a random binary sequence that can then be used as a shared secret key. As a way to
carry this out, simple coin flipping and bit commitment protocols based on the idea of the
"evens-or-odds" game may be introduced, which furthermore give the opportunity to go
deeper into topics such as randomness. Coin flipping protocols are used by two users to generate a
common random binary sequence, where “A wins” may be interpreted as "0" and “B wins”
as "1". On the other hand, a bit commitment protocol is a procedure that allows a user
Alice to put a secret inside an envelope in such a way that she cannot modify the secret
after closing it, and nobody can read the secret until she opens it.
It is possible to define a coin flipping scheme based on one-way functions through
small examples that allow students to experiment with modular arithmetic and the parity
of numbers. In the general proposal it is assumed that the users Alice and Bob have
previously agreed on a one-way function f from X to Y, where X is a finite set of integers
that contains the same number of odd and even numbers. The algorithm is then defined
as follows. First Alice chooses a random element x in X and sends y = f(x) to Bob. Then
Bob bets publicly that x is even or odd, and Alice tells him whether his bet is correct or
not, proving it to him by revealing x. Finally Bob checks that f(x) = y. Note that if f is not
adequately chosen, Alice may cheat by knowing two values x and x' of different parity
such that f(x) = f(x'). In a concrete version of this protocol f might produce a quadratic
residue, so Bob would have to decide whether its square root is even or odd.
Another coin flipping proposal, based on the use of any commutative public-key
cipher, may be described as follows. Bob commits to a bet on the coin flip and
communicates the commitment to Alice, who generates two messages corresponding to
"head" and "tail", ciphers both messages with her public key, and sends both results to
Bob. Then he chooses one of the two received messages at random, ciphers it with his
public key and returns the result to Alice. In the two final steps Alice deciphers the
received message with her secret key and returns the result to Bob, and he deciphers the
obtained message with his secret key, recovering the result of his bet, which he sends to
Alice.
Various other cryptographic applications, such as oblivious transfer and some
multiparty protocols, can be used to practise with properties such as randomness,
uniqueness and indistinguishability. In an oblivious transfer Alice wants to transfer a secret
to Bob in such a way that it is transferred with probability 1/2, and in the end Bob knows
whether he got the secret but Alice does not. An example of this esoteric protocol, where
the information to transfer is the factorisation of a product of two primes, may be used to
practise the Euclidean algorithm. In such a protocol, first Alice chooses two primes p_A
and q_A at random and sends Bob the product n_A = p_A q_A. After that, Bob chooses a
random number x with no common factors with n_A, reduces x^2 modulo n_A, and sends
the result to Alice, who can compute its four different square roots {x, n_A - x, y, n_A - y}
thanks to her knowledge of p_A and q_A and the Chinese Remainder Theorem. So, Alice
chooses one of them at random and sends it to Bob. If he receives y or n_A - y, then he
can compute p_A and q_A thanks to the greatest common divisor of x + y and n_A, which is
p_A or q_A. If, on the contrary, he receives x or n_A - x, then he cannot calculate them. In
the end Alice does not know whether Bob received her primes or not, which students
usually find very intriguing.
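The oblivious transfer above as an added Python example (not the paper's code): Alice computes the four square roots of Bob's x^2 modulo n_A with the Chinese Remainder Theorem, picks one at random, and Bob's gcd test tells him, but not Alice, whether he got a factor. Square roots modulo each prime use the shortcut r = a^((p+1)/4) mod p, which is valid only for primes p = 3 (mod 4); the primes 7 and 11 and Bob's x = 2 are constructed values chosen to satisfy that.

```python
# Added example (not from the paper): oblivious transfer of the factorisation
# of n_A = p_A*q_A. Square roots mod each prime use the p = 3 (mod 4)
# shortcut and are combined with the CRT. Primes and x are constructed.
import random
from math import gcd


def sqrt_mod_prime(a, p):
    """A square root of the quadratic residue a modulo a prime p = 3 (mod 4)."""
    assert p % 4 == 3, "shortcut only valid for p = 3 (mod 4)"
    r = pow(a, (p + 1) // 4, p)
    assert r * r % p == a % p, "a is not a quadratic residue mod p"
    return r


def crt(r_p, p, r_q, q):
    """The unique x modulo pq with x = r_p (mod p) and x = r_q (mod q)."""
    n = p * q
    return (r_p * q * pow(q, -1, p) + r_q * p * pow(p, -1, q)) % n


def four_square_roots(z, p, q):
    """Alice: all square roots of z modulo n = pq, i.e. {x, n-x, y, n-y}."""
    rp = sqrt_mod_prime(z, p)
    rq = sqrt_mod_prime(z, q)
    return sorted({crt(sp, p, sq, q) for sp in (rp, p - rp) for sq in (rq, q - rq)})


def bob_learns_factor(x, root, n):
    """Bob: gcd(x + root, n) is p or q exactly when root is y or n - y;
    for root = x or n - x the gcd is 1 or n and reveals nothing."""
    g = gcd(x + root, n)
    return g if 1 < g < n else None


def oblivious_transfer(p, q, x, rng=random):
    """Run the whole exchange; returns the factor Bob obtained, or None.
    Alice only ever sees z and her own random choice, so she cannot tell."""
    n = p * q
    assert gcd(x, n) == 1
    z = x * x % n                                   # Bob -> Alice
    root = rng.choice(four_square_roots(z, p, q))   # Alice -> Bob, at random
    return bob_learns_factor(x, root, n)
```

With n_A = 77 and x = 2 the four roots are 2, 75 (= n_A - 2), 9 and 68 (= n_A - 9): Bob factors n_A exactly when he receives 9 or 68, i.e. with probability 1/2, which is the Euclidean-algorithm exercise the text has in mind.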
The last two-party protocol mentioned in this work is especially useful for handling
the mathematical concept of proof. There have recently been several interesting
developments in mathematical practice in the area of proof and verification that have
provoked an active reconsideration of those basic issues. A new type of proof that has
little in common with its traditional form, the so-called zero-knowledge proof, is an
interactive cryptographic protocol involving two parties, a prover A and a verifier B, which
enables A to provide B with convincing evidence that a traditional proof of a theorem exists
without disclosing any information about the proof itself. As a result of such an interaction,
B is convinced that the theorem in question is true, but he has zero knowledge of the proof
and thus cannot convince others.
This kind of protocol has practical applications in strong identification and access
control, when A tries to convince B of her identity by means of an on-line communication. In
order to do so, she usually has identification information that everybody knows (and so
B does), and corresponding secret information associated with her public identification,
which only she can compute. So, to demonstrate her identity, A proves to B that she
knows the secret information associated with her public identification through a
zero-knowledge proof. In general, the public information is an instance of a difficult problem
and the secret identification is a solution to that instance. So, there are several
mathematical problems, such as factoring or several graph problems, that may be
used to introduce the concept. On the other hand, a common problem of all these
schemes is their high communication complexity, due to the number of iterations required
by the algorithms in order to reduce the probability of fraud at each iteration. This aspect of
zero-knowledge proofs also gives a wonderful opportunity to introduce several concepts of
discrete probability such as independent events or the expected value.
A very practical protocol that allows the teaching of linear equations and determinants is
secret sharing. It consists of splitting a secret into w pieces that are distributed among
users, so that when some of them meet, the secret may be reconstructed. An interesting
version of secret sharing, the so-called threshold scheme, may be used to practise the
solution of systems of linear equations. In this case the secret may be recovered from
any t of the w pieces, and cannot be determined from any subset of t-1 or fewer pieces.
Two of the most curious practical applications of threshold schemes are the nuclear
launch code, which is a threshold scheme where any two of the president, the minister of
foreign affairs or the minister of defence can combine their pieces to recover the secret
code, and visual cryptography, which consists of reconstructing an image by overlapping
a number of parts of it.
Polynomials have two properties that are very useful for defining threshold schemes.
The first is that it is always possible to find the coefficients of f(x) if t points (x_i, y_i) with
y_i = f(x_i) are given. On the other hand, it is not feasible to figure out anything about f(x)
if only t-1 points on the polynomial are given. Both properties may be easily introduced to
students through straight lines and planes. A threshold scheme based on polynomial
interpolation, reconstructing a curve of degree t-1 from t points, may be described as
follows. The w pieces y_i are derived from a random polynomial of degree t-1,
f(x) = a_{t-1} x^{t-1} + ... + a_1 x + a_0, whose constant coefficient is the secret, by
evaluating f(x) on w different values x_1, ..., x_w: y_i = f(x_i), i = 1, ..., w. In this way f(x),
and from it the secret, can be easily reconstructed from any t pieces by solving the system
of linear equations, thanks to the Vandermonde determinant.
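The threshold scheme above as an added Python example that is not from the paper: the pieces are values of a random polynomial of degree t-1 over the field F_p, and any t of them are combined by solving the Vandermonde system [x_i^k] a = y modulo p with Gaussian elimination, whose first unknown a_0 is the secret. The last function makes the second polynomial property concrete: given only t-1 pieces, every one of the p candidate secrets is consistent with some polynomial. The prime p = 251 and the sample secret are constructed values.

```python
# Added example (not from the paper): a (t, w) threshold scheme over F_p.
# Shares are y_i = f(x_i) for a random f of degree t-1 with f(0) = secret;
# recovery solves the Vandermonde system modulo p. p = 251 is constructed.
import random

P = 251     # field size (constructed); the secret and all shares are < p


def make_shares(secret, t, w, rng=random):
    """Return [(x_i, y_i)] for x_i = 1..w with y_i = f(x_i)."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P)
            for x in range(1, w + 1)]


def solve_mod_p(A, b):
    """Gauss-Jordan elimination over F_p for a square system A a = b."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if M[r][col] % P != 0)
        M[col], M[pivot] = M[pivot], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [v * inv % P for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                factor = M[r][col]
                M[r] = [(vr - factor * vc) % P for vr, vc in zip(M[r], M[col])]
    return [row[n] for row in M]


def recover(shares):
    """Any t shares determine the t coefficients: the Vandermonde matrix
    [x_i^k] is invertible because the x_i are distinct. Return a_0."""
    t = len(shares)
    A = [[pow(x, k, P) for k in range(t)] for x, _ in shares]
    y = [yv for _, yv in shares]
    return solve_mod_p(A, y)[0]


def secrets_consistent_with(shares):
    """Count the secrets in F_p that agree with the given shares. With t-1
    shares and a degree t-1 polynomial every candidate (0, s') fits, so the
    count is p: the shares reveal nothing about the secret."""
    count = 0
    for guess in range(P):
        pts = [(0, guess)] + list(shares)
        A = [[pow(x, k, P) for k in range(len(pts))] for x, _ in pts]
        coeffs = solve_mod_p(A, [yv for _, yv in pts])
        fits = all(sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P == yv
                   for x, yv in pts)
        count += fits
    return count
```

Working over a prime field rather than the integers matters for the second property: over the rationals the coefficients of a "random" polynomial would leak information through their size, whereas modulo p every residue is equally likely.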
It is worth noting that the protocols described in this section are usually employed as
ingredients of more practical and complex applications, such as electronic elections,
contract signing in networks and digital cash.
CONCLUSIONS
Since it is important for computer science students to study discrete mathematics
early in their academic program, and the restrictions of most programs usually make it
difficult to add new topics without taking others away, here we propose to integrate most of
the necessary material on discrete mathematics directly into an introductory cryptology
course. In this way students can more easily appreciate how mathematical tools apply in
practical contexts, while they have an incentive to learn the underlying theoretical
concepts of computing.
Consequently, the primary aim of this work has been to propose several possible
mathematical subjects with which to compose a basic discrete mathematics course, as a
core prerequisite for students of Advanced Cryptology courses. A tour through some of the
most relevant concepts of Cryptology has been made while pointing out the various
mathematical subjects related to them. In this way such relations are proposed to be used
as invaluable sources of tools for teaching Discrete Mathematics and Cryptology jointly in
Computer Science curricula.
Finally, the proposal described in this work might be well combined with the use of
the idea of information as a unifying theme to investigate a range of issues in computer
science, including database systems, artificial intelligence, and data communication.
ABOUT THE AUTHORS
Prof. Pino Caballero-Gil, Ph.D.
Carlos Bruno-Castañeda, MSc
Candelaria Hernández-Goya, MSc
Department of Statistics, Operations Research and Computing
Faculties of Mathematics and Informatics, University of La Laguna.
Tenerife. SPAIN
Phone: +34 922 318176
E-mail: [email protected]