Download cs413encryptmathoverheads

1
CS 413, Computer and Data Security
Math for Encryption Overheads
I. Thinking Concretely about Division and Remainders. The Euclidean
Algorithm for Finding the Greatest Common Divisor.
Some Definitions:
The material in this section has some independent utility, but its main
purpose in the presentation right now is to give some concrete practice in
thinking about integer division and remainders, which will be useful
preparation for understanding sections II and III.
Definition: Prime number: Any integer greater than 1 that has only 1 and
itself as factors is prime. Historically, the number 1 has occasionally been
treated as a prime number. It is certainly true that it only has 1 and itself as
factors. It is generally not included in the definition of primes, not because
it fails in some way, but because it has so many other unique characteristics,
that classifying simply as prime does not do it justice.
Definition: Composite number: A number which is not 1 and not prime is
composite. In other words, an integer greater than 1 which has factors other
than 1 and itself is composite.
Definition: Greatest common divisor: This is the largest integer which is a
factor of two other integers. The notation is usually given as follows: Given
a and b, positive integers, gcd(a, b) = x is the largest integral factor of a and
b. Note that x <= a and x <= b.
Definition: Relatively prime: Given 2 positive integers, a and b, if the
gcd(a, b) = 1, then a and b are relatively prime. Both a and b may be
composite. If you did a prime factorization of a and b you would find that
they have no prime factors in common.
2
Finding the gcd:
One approach to finding the greatest common divisor of 2 positive integers:
Find the prime factorization of each. The product of the prime factors they
have in common forms the greatest common factor or greatest common
divisor.
For example:
72 = 2 * 2 * 3 * 3
30 = 2 * 3 * 5
The common prime factors of the two numbers are 2 and 3. 2 * 3 = 6 is their
greatest common divisor.
The Euclidean algorithm: This is an iterative algorithm, suitable for
implementation in a computer program, that will find the greatest common
divisor of two integers without having to find their prime factorization. Here
is an illustration of the algorithm using the values 72 and 30, followed by a
brief description of how it works:
72 = 2 * 30 + 12
a = 72, m0 =2, b = 30, r0 = 12
30 = 2 * 12 + 6
b = 30, m1 = 2, r0 = 12, r1 = 6
12 = 2 * 6 + 0
r0 = 12, m2 = 2, r1 = 6, r2 = 0
The last non-zero remainder, r1 = 6, is the gcd(72, 30).
Description: Given 2 numbers, find the remainder when you divide the
larger by the smaller. The claim is that the gcd of the smaller and the
resulting remainder is the same as the gcd of the original pair. You repeat
the process of dividing and finding the remainder until the remainder is 0.
The last remainder before that is the gcd for the whole sequence of pairs of
numbers.
3
Demonstrating that Euclid’s Algorithm Works
Givens:
Let integers a and b be given.
Let x = gcd(a, b)
Without loss of generality, assume that a > b. Then it is possible to write the
following:
a = mb + r
To show:
Show that x = gcd(a, b) = gcd(b, r)
Step 1:
Since x = gcd(a, b), then there must be some values a1 and b1 such that:
a = a1x and b = b1x
Now substitute these expressions for a and b in the expression relating a and
b:
a1x = mb1x + r
Now solve the expression for r:
r = a1x – mb1x
r = x(a1 – mb1)
Conclusion: x, the gcd(a, b), is also a factor of r.
4
Step 2:
Given that x = gcd(a, b), x is a factor of b. From step 1, x is also a factor of
r. You want to show that gcd(b, r) = gcd(a, b) = x. You can do this by
ruling out two possible cases:
Case 1: gcd(b, r) = y < x = gcd(a, b)
Case 2: gcd(b, r) = y > x = gcd(a, b)
Case 1:
This is the simpler case.
If x = gcd(a, b), then x is a factor of b.
As shown in step 1, x is a factor of r.
If x is a factor of both b and r, the gcd(b, r) can be no less than x.
Case 2:
This case is slightly more complex.
Suppose that gcd(b, r) = y.
Express a in this way: a = mb + r
If y = gcd(b, r), by definition, y is a factor of b.
If y = gcd(b, r), then there also exist values b2 and r2 such that:
b = b2y and r = r2y
Now substitute these expressions for b and r in the expression relating a, b
and r:
a = mb2y + r2y
5
Factoring a = mb2y + r2y gives this expression:
a = y(mb2 + r2)
This shows that y is a factor of a.
Conclusion of Case 2:
y is a factor of both b and a.
x = gcd(a, b), so y <= x.
y = gcd(b, r), so gcd(b, r) <= x.
Overall Conclusion:
y = gcd(b, r) is not less than x = gcd(a, b).
y = gcd(b, r) is not greater than x = gcd(a, b).
Therefore, y = gcd(b, r) = x = gcd(a, b).
General Statement of Algorithm:
The result says:
Given: a, b, x = gcd(a, b), a = mb + r, gcd(a, b) = gcd(b, r)
a and b are the knowns. x is the unknown. Given a and b, using integer
division and modulus, it is easy to find b and r. Then the same result can be
applied to b and r. The steps would go as follows:
a = mb + r0
gcd(a, b) = gcd(b, r0)
b = m1r0 + r1
gcd(b, r0) = gcd(r0, r1)
r0 = m2r1 + r2
gcd(r0, r1) = gcd(r1, r2)
…
The algorithm terminates when you reach rn = 0.
6
Consider the following points:
1. All ri are integers.
2. All ri >= 0.
3. At every step, rj < ri. (Note that this critical point is not proven.)
The conclusion you can reach from this is that in a finite number of steps the
algorithm will converge to the point where r equals 0. In other words, after
n + 1 steps you reach the following result:
gcd(a, b) = … = gcd(rn, 0)
And:
gcd(rn, 0) = rn
This is true because 0 is evenly divisible by anything. Anything will go into
0 zero times. In other words, for any a, gcd(a, 0) = a.
Thus, you know that the algorithm has converged when the remainder is 0,
and the greatest common divisor was rn, the non-zero remainder that
preceded the remainder of 0.
The example using the values 72 and 30 is repeated here in order to
summarize:
72 = 2 * 30 + 12
a = 72, m =2, b = 30, r0 = 12
30 = 2 * 12 + 6
b = 30, m1 = 2, r0 = 12, r1 = 6
12 = 2 * 6 + 0
r0 = 12, m2 = 2, r1 = 6, r2 = 0
The final remainder is 0 and the remainder before that was 6. According to
the algorithm, gcd(72, 30) = gcd(30, 12) = gcd(12, 6) = gcd(6, 0) = 6, which
agrees with the result obtained using prime factorizations at the beginning of
this section.
7
II. Algebraic Background
Algebras in general are defined in terms of one or more operators and a set
of values which the operators can be applied to. For the purposes of the
exposition below, let a single operator be represented by • and the set of
interest be S. Within an algebraic system, certain properties can be defined.
Here are the definitions of some of those properties:
Closure: Given a, b ε S, a • b ε S.
Identity: Given some arbitrary a ε S, there is an i ε S such that a • i = i • a =
a.
For the familiar operations + and * in the reals, the identities are 0 and 1,
respectively.
Inverse: For some a ε S, its inverse is a-1 ε S such that a • a-1 = i.
For the familiar operations + and *, inverses are readily apparent. The
additive inverse of 1 is -1, for example, and the multiplicative inverse of 7 is
1/7. Note that, depending on the set of values and the operation in question,
some values may not have inverses. 0 doesn’t have a multiplicative inverse
in the set of real numbers. If you restrict yourself to the set of integers, no
values except 1 and -1 have multiplicative inverses. If you restrict yourself
to the set of positive integers, there are no additive inverses.
The Associative Property: For a, b, c ε S, (a • b) • c = a • (b • c).
The Commutative Property: For a, b ε S, a • b = b • a.
The Distributive Property: Given two operations on the set, + and *, *
distributes over + if the following holds: For a, b, c ε S, a * (b + c) = (a * b)
+ (a * c).
8
An Algebraic Group:
This is a set S with one operation, say •, and the following 4 properties:
1.
2.
3.
4.
Closure under •.
Identity under •.
An inverse for all elements of the set under •.
Associativity under •.
Notice that commutativity is NOT one of the properties of a group. There
are groups which are commutative and it is generally easier to think of an
example of a commutative group than a non-commutative group. For
instance, consider the positive and negative integers under addition. This
satisfies all four of the requirements for a group and in addition the
commutative property holds. In honor of the great Norwegian
mathematician Niels Henrik Abel, who proved the general insolubility of the
quintic equation, commutative groups are usually called Abelian groups.
Algebraic Structures Lacking Some Properties:
Some of the algebraic definitions may seem somewhat odd on the surface.
Using addition and subtraction in the reals as a reference point, it may not be
clear how an element of an algebraic structure may not have an inverse, or
how an operation may not be commutative. This section looks at some
questions about inverses and commutativity. You have encountered
mathematical constructs where not all of the familiar rules of algebra in the
integers or reals apply. This section starts with some verbal discussion, and
then follows with some concrete examples.
Non-Commutativity:
Let A be an m x n matrix. Let B be an n x p matrix. Let the • represent
standard matrix multiplication. Then A • B is a well defined operation
because A has the same number of columns as B has rows. On the other
hand, A • B ≠ B • A because B • A is not even a valid product, assuming that
p ≠ m. Thus, in general, matrix multiplication is NOT commutative. It is
commutative only in the special case of square matrices.
9
Inequality of Left and Right Inverses:
Notice that this observation about commutativity also affects the nature of
inverses. We are accustomed to the inverses in the real numbers where this
holds: a • a-1 = a-1 • a = i. In a system where the commutative property
doesn’t hold, even though inverses might exist, the left inverse and the right
inverse of an element might not be the same.
Non-Existence of Inverses:
The zero matrix of any size has no multiplicative inverse. The number 0 in
the reals also has no multiplicative inverse. However, a non-zero matrix
might also have no inverse. A given non-zero matrix might also have an
inverse on one side but not the other.
Examples:
First of all, consider any zero matrix such as the following:
 0 0

 0 0
O = 
There is no 2 x 2 matrix that it can be multiplied by to arrive at the identity:
 1 0

 0 1
I = 
Now consider a matrix where the rows and columns are linear combinations
of each other:
 1 2

 2 4
A = 
An inverse would be of this form:
a b

c
d


A-1 = 
10
For A-1 to work as a right inverse, these equations, among others, would
have to be satisfied:
a + 2c = 1
2a + 4c = 0
This system is inconsistent, so there is no right inverse of this matrix. It can
be shown by similar means that no left inverse exists either.
Keep in mind that a right hand inverse matrix of A m x n, say Ar-1, has to be
n x m, and the product A • Ar-1 would give Im, the square identity matrix
with dimensions m x m. A left hand inverse matrix of A, Al-1, has to be n x
m, and the product Al-1 • A would give In, the square identity matrix with
dimensions n x n.
Now consider this matrix:
1 1


A =  1 2
 2 1


You can verify that it has this unique left hand inverse:
Al
-1
1 
1  2

3
3
=

1

2
1
3
3

You can also verify that this is not the right hand inverse, and in fact show
that the equations for a right hand inverse are inconsistent, meaning that one
doesn’t exist.
These examples were presented to remind you that you have encountered
algebraic systems where the behavior is not the same as with standard
arithmetic in the real numbers. In particular, commutativity and inverses
may be an issue.
11
An Algebraic Ring:
This is a set S with two operations, addition (+) and multiplication (*) and
the following properties:
1.
2.
3.
4.
Under addition, S is an Abelian (commutative) group.
S is closed under multiplication.
Multiplication is associative.
Multiplication distributes over addition.
For our purposes the ring is an intermediate structure. We are more
interested in the structure that follows, which has a definition which relies on
knowing both what a group and a ring are.
An Algebraic Field:
This is a set S with two operations, addition (+) and multiplication (*) and
the following properties:
1. S is a ring.
2. With the exception of the 0 element (the additive identity), which
does not have a multiplicative inverse, S satisfies the requirements for
an Abelian group under multiplication.
You may have heard the expression “the field of real numbers”. This means
that the real numbers form an algebraic field. The properties given above
correspond to the everyday characteristics of arithmetic with real numbers
that we are used to.
The concept of an algebraic field is important because a lot of advanced
cryptography is based on it. In the next section, modular arithmetic will be
discussed, and the claim will be made that modular arithmetic leads to an
algebraic field. RSA encryption is based on the problem of finding
multiplicative inverses, and algebra such as this is needed in order to know
whether inverses exist and what the algorithms might be for finding them.
12
III. Modular Arithmetic and Modular Fields
Definition of Modulus:
Modular arithmetic means finding the remainder when one integer is divided
by another. The following statements are equivalent in describing the
operation of modulus for integers a, b, c, and n:
a mod n = b
a%n=b
a=c*n+b
Simple Examples that Work:
You have already encountered modular arithmetic applied to cryptography
in a very simple way. If the letters from a to z are represented by the
integers from 0 to 25, Caesar’s cipher can be expressed using modular
arithmetic:
c = (p + 3) mod 26
It is also possible to devise ciphers of this form:
c = (p * 3) mod 26
It is possible to show that this cipher works. This can be done by running
through all of the values for p from 0 to 25 and noting that each maps to a
different value of c.
13
A Simple Example that Doesn’t Work:
Consider this cipher:
c = (p * 2) mod 26
Observe:
The numeric representation for the plaintext letter a is 0.
The numeric representation for the plaintext letter n is 13.
The ciphertext of a = (0 * 2) mod 26 = 0.
The ciphertext of n = (13 * 2) mod 26 = 0.
This is a collision.
This pattern repeats for every pair of letters in the lower and upper halves of
the alphabet. The example provides an entry point for asking algebraic
questions about modular encryption schemes. Observe the following facts
about the choice of the factors in the earlier multiplicative scheme that
worked and this one that doesn’t:
26 itself is not prime.
3 and 26 are relatively prime.
2 is a factor of 26. 2 and 26 are not relatively prime.
No further explanation will be given here. However, the property of relative
primeness turns out to be the basis for the difference in the schemes.
Relative primeness also turns out to be a significant property in other more
advanced encryption schemes.
14
Equivalence Classes:
Modulus divides the integers into subsets, or classes. In order to begin the
discussion, here is the expression for modulus again:
a mod n = b
Given some finite n, b can take on the values 0 through n – 1.
If a can be taken from among the integers without restriction, then for each b
there is an infinite set of values a for which the modulus n is b. Each of
these sets of values of a which map to the same b is an equivalence class.
The n equivalence classes, Ci, indexed from 0 through n – 1, that can be
defined in this way:
Ci = {a | a mod n = i}
Any two numbers that have the same remainder upon division by n are in
the same equivalence class. Their relationship can be shown in this way:
(x mod n) = (y mod n)
If these conditions are met, the two numbers, x and y, are simply said to be
equivalent mod n, and the following notation is used to express this:
x ≡n y
15
It can be stated informally that successive elements of an equivalence class
are separated by n units. More generally, the statement can be made that
any two elements are separated by a multiple of n units. This can be
expressed as follows:
x ≡n y ↔
(x – y) = kn for some integer k
That is, the difference between any two elements of a modular equivalence
class is an integer multiple of n.
In case this isn’t clear, consider the following. If x and y are in the same
equivalence class with remainder b:
x = cn + b for some c
y = dn + b for some d
Then subtracting the second equation from the first gives:
x – y = (c – d)n
x – y = kn
In other words, k = c – d, and the difference between x and y is indeed a
multiple of n.
16
Modular Fields:
What does any of this have to do with the presentation of the algebraic
structures in the previous section?
1. Given some integer n which is prime,
2. Given the set S = {0, 1, 2, …, n – 1},
3. Given an operation denoted “+”, defined as normal integer addition
modulus n,
4. And given an operation denoted “*”, defined as normal integer
multiplication modulus n,
5. This set of elements and these two operations form an
algebraic field known as a modular field.
Some of the previous material dwelled on the idea that there are algebraic
structures that don’t have all of the properties of addition and multiplication
in the reals.
This was intended as preparation for the converse idea, given here: There
are unfamiliar algebraic systems which do have all of the properties of
arithmetic in the reals.
Note that the first requirement for this to hold is that n be prime. The fact
that this modular structure is a field will not be proven here. What follows
below is a discussion of its characteristics in more pragmatic terms.
17
Modular Addition:
Suppose you choose n = 5, as your prime number. The set S = {0, 1, 2, 3,
4}. If addition is defined as addition mod 5, you can write a simple addition
table for the set:
+
0
1
2
3
4
0
0
1
2
3
4
1
1
2
3
4
0
2
2
3
4
0
1
3
3
4
0
1
2
4
4
0
1
2
3
You can verify all of the entries in the table, but just one should illustrate the
general idea:
(3 + 4) mod 5 = (7) mod 5 = 2
It is true that in doing the arithmetic in this way, we make use of the value 7.
7 is not an element of the set, but this is not a problem because 7 is not the
final answer. Speaking algebraically, the key property illustrated by this is
closure, a property needed for the structure.
You might also ask, if this is the table for the addition operation, is it clear
that every element in S has an additive inverse? Take this for example:
(2 + 3) mod 5 = (5) mod 5 = 0
This looks a little strange because the additive inverses are not negatives of
each other. There are no negative elements in the field in the sense that the
integers or the reals have negatives. However, since the sum of 2 and 3 is
the additive identity, 0, they are additive inverses by definition.
You can confirm that 0 is the additive identity by looking at the row for 0 in
the table. 0 plus anything gives the same thing back. You can also confirm
that every element of the set has a (unique) additive inverse by observing
that each row and each column in the addition table contains one (and only
one) zero element.
18
Modular Multiplication:
This is the multiplication table for the modular field with n = 5:
*
0
1
2
3
4
0
0
0
0
0
0
1
0
1
2
3
4
2
0
2
4
1
3
3
0
3
1
4
2
4
0
4
3
2
1
This example shows the derivation of an entry in the table:
(3 * 4) mod 5 = (12) mod 5 = 2
Looking at the row for 1 in the table, it is clear that 1 is the multiplicative
identity in the field. Every element times 1 gives the same element back.
You can also observe that 0 does not have a multiplicative inverse and that 1
appears in every other row and column, indicating that all other elements of
the field do have multiplicative inverses.
As a matter of fact, the table is symmetric, and every row and every column
contains exactly one occurrence of each of the values of S. Each row and
each column is a permutation of S.
This example shows multiplicative inverses:
(2 * 3) mod 5 = (6) mod 5 = 1
The product of 2 and 3 is 1, the multiplicative identity, so 2 and 3 are
multiplicative inverses by definition.
2 and 3 are both the additive and the multiplicative inverses of each other.
This seems unusual because nothing like this can happen in the integers or
the reals. However, it is an interesting coincidence, not a property. From
the point of view of algebraic properties, the modular field works just like
the integers and the reals.
19
The Difference Between n Prime and n Not Prime:
The previous section showed a multiplication table with n = 5, prime. One
of the conditions for having a modular field is that n be prime. By way of
contrast, consider the modular multiplication table for n = 4, composite:
*
0
1
2
3
0
0
0
0
0
1
0
1
2
3
2
0
2
0
2
3
0
3
2
1
Notice that the row and column for element 2 do not contain a 1. In other
words, 2 does not have a multiplicative inverse in this structure. This fact
alone shows that you’re not dealing with a field.
Other interesting characteristics can be found in a structure like this. The
row and column for element 2 also don’t contain 3, but they contain two
occurrences of 0 and 2.
n = 4 is composite. The elements 1 and 3 are relatively prime to 4. Their
rows in the table also look like rows in the table for n prime. They are
permutations of the elements of the set S.
2 is a factor of 4. It is not relatively prime to 4. Its row in the table is not
like a row in a table for n prime because it contains repetitions. You may
recall the example of a cipher given earlier that didn’t work:
c = (2 * p) mod 26
It didn’t work because there were collisions. If you formed the row for 2 in
the modular multiplication table for n = 26, you would get this:
0, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 0, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24
Without trying to prove anything at this point, the observation can be made
that the collisions in the cipher occur where there are repetitions in the
multiplication table. Such a cipher works if the factor is relatively prime to
n, because there are no repetitions. It does not work if the factor is not
relatively prime to n, because there are repetitions.
20
Modular Field Properties:
Here is a listing of the properties of a field as they hold for a modular field
base n, where n is prime:
1. Associativity:
(a + (b + c)) mod n = ((a + b) + c) mod n
(a * (b * c)) mod n = ((a * b) * c) mod n
2. Commutativity:
(a + b) mod n = (b + a) mod n
(a * b) mod n = (b * a) mod n
3. Distributivity:
(a * (b + c)) mod n = ((a * b) + (a * c)) mod n
4. Identities:
(a + 0) mod n = (0 + a) mod n = a
(a * 1) mod n = (1 * a) mod n = a
It is not hard to show that these properties hold for a modular field. The
arithmetic operations for the modular field were defined to be like integer
operations, with modulus applied to the result. Each of these properties is
expressed as an equality. Because the integers are a field, each equality
holds in the integers before the application of modulus. Therefore, the
results after applying modulus are also the same.
21
5. Inverses:
There exists an additive inverse, -a, such that the sum of a and -a mod
n is 0 for all a. Without quantifiers, the notation for this is:
(a + (-a)) mod n = 0
“-a” is used to signify the additive inverse. It should not be confused
with the meaning of a negative number in the reals.
There exists a multiplicative inverse, a-1, such that the product of a
and a-1 mod n is 1 for all a except 0. Without quantifiers, the notation
for this is:
(a * (a-1)) mod n = 1
“a-1” is used to signify the multiplicative inverse. It should not be
confused with meaning of a-1 = 1/a in the reals.
Showing that additive inverses exist is not hard. For any a, -a = n – a.
Showing that multiplicative inverses exist is not so straightforward. It
is necessary to show that for any a there exists some b in S and some
integer constant k such that:
a * b = kn + 1
No proof of the existence of multiplicative inverses for n prime will
be given here. Their existence, their properties, and an algorithm for
finding them are all of great interest for cryptography and will be
pursued in greater depth later.
22
Reducibility Under Addition:
Modular arithmetic also has a computational property, reducibility, which is
not a field property. This is a statement of reducibility under addition:
(a + b) mod n = ((a mod n) + (b mod n)) mod n
Loosely speaking, this means that taking the modulus of some expression
“distributes” over its parts. You can apply modulus to subparts of
expressions first, combine these results, and then find the modulus. This can
be simpler than computing unreduced results and then finding the modulus.
In order to show that this property holds, consider the following:
a mod n = ra ↔
a = cn + ra
b mod n = rb ↔
b = dn + rb
Evaluating a + b without reducing requires finding the sum of a and b first:
(a + b) mod n
= ((cn + ra) + (dn + rb)) mod n
= (n(c + d) + (ra + rb)) mod n
= (ra + rb) mod n
Evaluating a + b with reducing requires finding the sum of smaller
quantities:
(a + b) mod n
= ((a mod n) + (b mod n)) mod n
= (ra + rb) mod n
Note that if (ra + rb) < n, then the final result would simply be (ra + rb). If
(ra + rb) > n, then the last mod operation has an effect.
23
Reducibility Under Multiplication:
Modular arithmetic also has reducibility under multiplication:
(a * b) mod n = ((a mod n) * (b mod n)) mod n
In order to show that this property holds, consider the following:
a mod n = ra ↔ a = cn + ra
b mod n = rb ↔ b = dn + rb
Evaluating a * b without reducing requires finding the product of a and b
first:
(a * b) mod n
= ((cn + ra) * (dn + rb)) mod n
= (cn * dn + cn * rb + ra * dn + ra * rb) mod n
= (n(c * dn + c * rb + ra * d) + ra * rb) mod n
= (ra * rb) mod n
Evaluating a * b with reducing requires finding the product of smaller
quantities:
(a * b) mod n
= ((a mod n) * (b mod n)) mod n
= (ra * rb) mod n
Note that if (ra * rb) < n, then the final result would simply be (ra * rb). If
(ra * rb) > n, then the last mod operation has an effect.