Discrete-Log Based Public Key Cryptosystems
Jim Royer
September 25, 2018
Introduction to Cryptography

Note: Log = logarithm, not ...

References
• "Public-Key Cryptosystems Based on the Discrete Logarithm Problem," Chapter 8 of Understanding Cryptography by Paar & Pelzl
• "Primitive Roots," Chapter 7 of Andrews.

Note: our terminology ≡ Andrews' terminology:
  primitive element ≡ primitive root
  discrete log ≡ index

Symmetric and Asymmetric Cryptosystems

Symmetric: Each pair of users, A and B, share a private encryption/decryption key, k_{A,B}.
  Q: How do you distribute keys quickly and securely?
  Q: How do you manage the large number of keys?

Asymmetric: Each user, A, has a public encryption key, e_A, and a private decryption key, d_A.
  Q: How do you perform this magic? A: RSA & see below.
  Q: How do you know it is secure? No simple answer.
Uses of Public Key Systems (RSA, ElGamal, etc.)
• Encryption: You can encrypt a message. But don't do this unless the message is short!
• Key distribution: Can distribute keys for a (fast) stream or block cipher.
• Nonrepudiation: Can provide unforgeable signatures for messages.
• Identification: Can build challenge/response protocols for establishing identity for banking.
• Etc.: Many other nifty things can be built with these things.

Families of PKCs
• Integer-Factorization Schemes: e.g., RSA.
• Discrete-Logarithm Schemes: e.g., Diffie-Hellman and ElGamal.
• Elliptic Curve (EC) Schemes: e.g., EC-RSA, EC-Diffie-Hellman, and EC-ElGamal.
• Lattice-based Schemes (Post-Quantum): e.g., NTRU, Learning-with-errors, ...
• And others ... based on hashing, coding-theory, etc.

To talk about the discrete-log schemes, we need YET MORE MATH!

Fields

Example: (Z_p, +_p, ×_p) acts like a miniature version of Q.

Definition
A field F is a set with operations +_F and ×_F satisfying the usual:
• associative laws: (a +_F b) +_F c = a +_F (b +_F c). (a ×_F b) ×_F c = a ×_F (b ×_F c).
• commutative laws: a +_F b = b +_F a. a ×_F b = b ×_F a.
• distributive law: (a +_F b) ×_F c = a ×_F c +_F b ×_F c.
• There is an additive identity (0_F) and additive inverses (−a).
• There is a multiplicative identity (1_F) and mult. inverses (a^{−1}).

Examples: R, C, Z_p (or F_p). We usually drop the F subscript on +_F, ×_F, 0_F, ....

Example Finite Field, F_2 = ({0, 1}, +_2, ∗_2)

  +_2 | 0  1          ∗_2 | 1
  ----+------         ----+---
   0  | 0  1           1  | 1
   1  | 1  0
Example Finite Field, F_7 = ({0, ..., 6}, +_7, ∗_7)

  +_7 | 0  1  2  3  4  5  6        ∗_7 | 1  2  3  4  5  6
  ----+---------------------       ----+------------------
   0  | 0  1  2  3  4  5  6         1  | 1  2  3  4  5  6
   1  | 1  2  3  4  5  6  0         2  | 2  4  6  1  3  5
   2  | 2  3  4  5  6  0  1         3  | 3  6  2  5  1  4
   3  | 3  4  5  6  0  1  2         4  | 4  1  5  2  6  3
   4  | 4  5  6  0  1  2  3         5  | 5  3  1  6  4  2
   5  | 5  6  0  1  2  3  4         6  | 6  5  4  3  2  1
   6  | 6  0  1  2  3  4  5

Example Finite Field, F_4 = ({0, 1, x, 1 + x}, +, ∗)

    +   |  0    1    x   1+x         ∗   |  1    x   1+x
  ------+----------------------    ------+---------------
    0   |  0    1    x   1+x         1   |  1    x   1+x
    1   |  1    0   1+x   x          x   |  x   1+x   1
    x   |  x   1+x   0    1         1+x  | 1+x   1    x
   1+x  | 1+x   x    1    0

More on Fields
• A vector space over a field F is defined just like a vector space over R.
• The number of elements in the smallest basis for a vector space is the dimension of the vector space.
• F′ ⊇ F is called an extension field. F′ is automatically a vector space over F.
  Example: C is a 2-dimensional vector space over R.
  Example: R is an ∞-dimensional vector space over Q.
• F′ is a finite extension of F iff F′ is a finite dimensional vector space over F.
• The degree of F′ is the dimension of the vector space over F.

F_4 Again (tables as above)
• F_4 is an extension of F_2 of degree 2.
• 1 and x form a basis of F_4 as a vector space over F_2:
  {0, 1, x, 1 + x} = { a · 1 + b · x : a, b ∈ F_2 }.
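The F_4 tables above can be generated rather than copied. The following added example (not part of the slides) implements F_4 as F_2[x]/(x^2 + x + 1): an element a·1 + b·x is encoded as the integer 2b + a, so addition is XOR and multiplication is carry-less polynomial multiplication followed by reduction by the modulus. The encoding, the function names and the `NAMES` labels are assumptions of this example; the modulus x^2 + x + 1 is the only irreducible quadratic over F_2, so the tables it produces are the ones on the slide. The block also computes the characteristic and the multiplicative orders, which answers the later questions about F_4.

```python
# Added example, not from the slides: arithmetic in F_4 = F_2[x]/(x^2 + x + 1).
# Encoding (assumed here): the integer 2*b1 + b0 stands for b1*x + b0,
# so 0 -> 0, 1 -> 1, 2 -> x, 3 -> 1 + x.
MODULUS = 0b111          # x^2 + x + 1, irreducible over F_2
DEGREE = 2
FIELD_SIZE = 2 ** DEGREE
NAMES = {0: "0", 1: "1", 2: "x", 3: "1+x"}


def f4_add(a, b):
    # Coefficient-wise addition in F_2 is XOR; note a + a = 0 (characteristic 2).
    return a ^ b


def f4_mul(a, b):
    # Carry-less multiply: add a shifted copy of a for every set bit of b.
    result = 0
    for i in range(DEGREE):
        if (b >> i) & 1:
            result ^= a << i
    # Reduce mod x^2 + x + 1: clear any term of degree >= 2 by XORing
    # a shifted copy of the modulus (subtraction == XOR in characteristic 2).
    for bit in range(2 * DEGREE - 2, DEGREE - 1, -1):
        if (result >> bit) & 1:
            result ^= MODULUS << (bit - DEGREE)
    return result


def f4_pow(a, n):
    r = 1
    for _ in range(n):
        r = f4_mul(r, a)
    return r


def order(a):
    """Multiplicative order of a nonzero element: the least n > 0 with a^n = 1."""
    assert a != 0
    r, n = a, 1
    while r != 1:
        r = f4_mul(r, a)
        n += 1
    return n


def characteristic():
    """Least m > 0 such that 1 + 1 + ... + 1 (m times) = 0."""
    s, m = 1, 1
    while s != 0:
        s = f4_add(s, 1)
        m += 1
    return m


def primitive_elements():
    """Nonzero elements of order |F_4| - 1 = 3, i.e. the generators of F_4^*."""
    return [a for a in range(1, FIELD_SIZE) if order(a) == FIELD_SIZE - 1]


def table(op, elems):
    """Render an operation table in the layout used on the slides."""
    elems = list(elems)
    rows = ["      " + " ".join(f"{NAMES[e]:>4}" for e in elems)]
    for a in elems:
        rows.append(f"{NAMES[a]:>4} |" + " ".join(f"{NAMES[op(a, b)]:>4}" for b in elems))
    return "\n".join(rows)


if __name__ == "__main__":
    print("+ table of F_4:\n" + table(f4_add, range(FIELD_SIZE)))
    print("* table of F_4:\n" + table(f4_mul, range(1, FIELD_SIZE)))
    print("characteristic:", characteristic())
    print("primitive elements:", [NAMES[a] for a in primitive_elements()])
```

Running it prints both tables, reports characteristic 2, and lists x and 1+x as the primitive elements, since each has order 3 = |F_4^*|. Changing `MODULUS` and `DEGREE` to another irreducible polynomial over F_2 gives the same machinery for any F_{2^d}, which is how the binary extension fields used in practice are implemented.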
Fields and Characteristics

Definition
• F has characteristic 0 iff for all n, (∑_{i=1}^{n} 1) ≠ 0.
• F has characteristic m iff m = min({ n ∈ Z+ : (∑_{i=1}^{n} 1) = 0 }) < +∞.

Q: What is the characteristic of: F_2? F_4? F_7?

Facts
• If F has char. n > 0, then n is prime. (proof on board)
• For each q, there is at most one field with q elements.
• If F is finite, then |F| = p^d for some prime p & d ≥ 1.

Claim: If F has characteristic n > 0, then n is prime.
Proof: n · 1 = 0 in F. Suppose by way of contradiction that n = j · k where 1 < j, k < n. Then:

  n · 1 = (1 + 1 + ··· + 1) + (1 + 1 + ··· + 1) + ··· + (1 + 1 + ··· + 1)
           └─── j ones ───┘   └─── j ones ───┘         └─── j ones ───┘
           └──────────────────────── k groups ────────────────────────┘

CASE 1: j · 1 = 0. But since 0 < j < n, this contradicts our choice of n.
CASE 2: j · 1 ≠ 0. Then k · 1 = 0. (Why?) But since 0 < k < n, this also contradicts our choice of n.

Fields and Primes

Definition
(a) F* =def the nonzero elements of F.
(b) The order of a ∈ F* is min{ n ∈ Z+ : a^n = 1 }.
(c) F_q =def the finite field with q elements. (Recall: For each q there is at most one finite field with q-many elms.) For each prime q, F_q = (Z_q, +_q, ×_q).

Proposition
Suppose a ∈ F_q*. Then (the order of a) | (q − 1). (proof on board)

Definition
A primitive element (or generator) α of F_q is an α ∈ F_q* with order q − 1. (Thus, F_q* = { α^1, α^2, ..., α^{q−1} }.)

Puzzle: What are the primitive elements of F_2? F_4? F_7?

Proof of Proposition.
Let F_q* = { a_1, ..., a_{q−1} }.
Claim 1. a_i ↦ a ×_{F_q} a_i is 1-1. (Why?)
Claim 2. In F_q: a^{q−1} = 1.
Proof. Consider
  a_1 ×_{F_q} a_2 ×_{F_q} ··· ×_{F_q} a_{q−1}
    = (a ×_{F_q} a_1) ×_{F_q} (a ×_{F_q} a_2) ×_{F_q} ··· ×_{F_q} (a ×_{F_q} a_{q−1})   (Why?)
    = a^{q−1} ×_{F_q} (a_1 ×_{F_q} a_2 ×_{F_q} ··· ×_{F_q} a_{q−1}).
Therefore, in F_q, a^{q−1} = 1.
Now let n_a = the order of a. Clearly n_a ≤ q − 1. Write q − 1 = k · n_a + r where 0 ≤ r < n_a. Then, in F_q:
  1 = a^{q−1} = a^{k·n_a + r} = (a^{n_a})^k ×_{F_q} a^r = a^r.
Since r < n_a and n_a = min{ n > 0 : a^n = 1 }, it follows that r = 0. Hence, n_a | (q − 1).

More on Primitive Elements

Theorem
(a) Every F_q* has a primitive element.
(b) g is a primitive element of F_q* iff for each i with gcd(i, q − 1) = 1, g^i is a primitive element.
Proof. See the proof of Proposition II.1.2 on page 34 of A Course in Number Theory and Cryptography, 2/e by Neal Koblitz, Springer 1994.
Thus, each F_q* has exactly ϕ(q − 1)-many primitive elements.

Puzzle: What are the primitive elements of F_2? F_4? F_7?
Answer:
• In F_k, 1^j = 1 for all j, so 1 is never a prim. elm. unless k = 2.
• In F_4, both x and x + 1 are prim. elms.
• In F_7, 2^3 = 1 and 6^2 = 1 so they don't work. However, 3, 4, and 5 do work (as you can check).

Aside: When Does the Ring Z_n* Have Primitive Elements?
By Andrews §7.2, Z_n* has a primitive element when:
• n = 2 or
• n = 4 or
• n = p^k where p is an odd prime and k > 0 or
• n = 2p^k where p is an odd prime and k > 0.
Otherwise, Z_n* fails to have a primitive element. In particular, Z_{p·q}* fails to have a primitive element when p and q are distinct odd primes (the RSA case).

The Discrete Log

Definition
Suppose F_q has primitive element α and y ∈ F_q*. The discrete log of y to the base α (notation: dlog_α(y)) is the solution for x of: y = α^x.
Example: 3 = dlog_5(6) in F_7.

Fact
(α, x) ↦ α^x is easy, but these seem hard:
• Given α and y, find x ∋ y = α^x. (basis of many cryptosystems)
• Given x and y, find α ∋ y = α^x. (basis of RSA, although Z_{p·q} is not a field)

Puzzle
What is dlog_5(a) in F_7 for a = 1, ..., 5?
Hint: Make a table of (5^k mod 7), for k = 1, ..., 6.
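The orders, primitive elements and discrete logs discussed from "Fields and Primes" through "The Discrete Log" can all be checked by exhaustive computation when q is tiny. The following added example (not part of the slides) works in Z_n^* with Python integers: it computes the order of every unit, the primitive elements (and compares their count with ϕ(q − 1) as the theorem predicts), the (5^k mod 7) table the hint asks for, a brute-force dlog, and the Andrews §7.2 criterion for whether Z_n^* has a primitive element at all. All function names are assumptions of this example. Note that 4^3 = 64 ≡ 1 (mod 7), so the code reports 4 as having order 3; the primitive elements it finds in F_7 are 3 and 5, matching ϕ(6) = 2.

```python
# Added example, not from the slides: orders, primitive elements and discrete logs in
# Z_n^* (so in F_p for prime p), plus the Andrews §7.2 cyclicity criterion.
from math import gcd


def order_mod(a, n):
    """Least k > 0 with a^k ≡ 1 (mod n); requires gcd(a, n) == 1."""
    if gcd(a, n) != 1:
        raise ValueError("a must be a unit mod n")
    k, r = 1, a % n
    while r != 1:
        r = (r * a) % n
        k += 1
    return k


def units(n):
    """The elements of Z_n^*: residues coprime to n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def phi(n):
    """Euler's totient, computed by counting units."""
    return len(units(n))


def primitive_elements(n):
    """Units whose order is phi(n), i.e. generators of Z_n^* (empty if it is not cyclic)."""
    m = phi(n)
    return [a for a in units(n) if order_mod(a, n) == m]


def power_table(alpha, p):
    """The table (alpha^k mod p) for k = 1, ..., p-1 that the slides' hint asks for."""
    return {k: pow(alpha, k, p) for k in range(1, p)}


def dlog(alpha, y, p):
    """Brute-force dlog_alpha(y) in F_p: fine for toy p, hopeless at cryptographic sizes."""
    for k, v in power_table(alpha, p).items():
        if v == y % p:
            return k
    raise ValueError("y is not a power of alpha")


def has_primitive_element(n):
    """Andrews §7.2: Z_n^* is cyclic iff n is 2, 4, p^k or 2*p^k with p an odd prime, k > 0."""
    if n in (2, 4):
        return True
    m = n // 2 if n % 2 == 0 else n      # strip one factor of 2, if present
    if m < 3 or m % 2 == 0:              # n = 1, 8, 16, ... or n = 2 * even
        return False
    p = next(d for d in range(3, m + 1, 2) if m % d == 0)   # smallest odd divisor, hence prime
    while m % p == 0:
        m //= p
    return m == 1                        # m was a pure power of p


if __name__ == "__main__":
    print("orders in F_7^*:", {a: order_mod(a, 7) for a in range(1, 7)})
    print("primitive elements of F_7:", primitive_elements(7), "  phi(6) =", phi(6))
    print("5^k mod 7:", power_table(5, 7))
    print("dlog_5(6) in F_7 =", dlog(5, 6, 7))
    for n in (7, 9, 15, 18, 25):
        print(f"Z_{n}^*: cyclic={has_primitive_element(n)}, generators={primitive_elements(n)}")
```

Every order printed for F_7^* divides 6, as the proposition requires, and Z_15^* (the smallest RSA-style modulus with distinct odd primes) returns no generators, illustrating the aside. The brute-force `dlog` is the point of the "Fact": computing α^x is one `pow` call, while recovering x from y here costs a full scan of the table, and no known classical algorithm does fundamentally better than sub-exponential time for well-chosen large primes.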