COMPUTATIONAL NUMBER THEORY
Mihir Bellare UCSD

Secret key exchange
Problem: Obtain a joint secret key via interaction over a public channel:

  Alice: $x \xleftarrow{\$} \ldots$; $X \gets \ldots$
  Alice $\to$ Bob: $X$
  Bob: $y \xleftarrow{\$} \ldots$; $Y \gets \ldots$
  Bob $\to$ Alice: $Y$
  Alice: $K_A \gets F_A(x, Y)$;  Bob: $K_B \gets F_B(y, X)$

Desired properties of the protocol:
• $K_A = K_B$, meaning Alice and Bob agree on a key
• Adversary given $X, Y$ can't compute $K_A$

Secret Key Exchange
Can you build a secret key exchange protocol?
Symmetric cryptography has existed for thousands of years. But no secret key exchange protocol was found in that time. Many people thought it was impossible.
In 1976, Diffie and Hellman proposed one. This was the birth of public-key (asymmetric) cryptography.

DH Key Exchange Video
http://www.youtube.com/watch?v=3QnD2c4Xovk

DH Secret Key Exchange
The following are assumed to be public: a large prime $p$ and a number $g$ called a generator mod $p$. Let $\mathbb{Z}_{p-1} = \{0, 1, \ldots, p-2\}$.

  Alice: $x \xleftarrow{\$} \mathbb{Z}_{p-1}$; $X \gets g^x \bmod p$
  Alice $\to$ Bob: $X$
  Bob: $y \xleftarrow{\$} \mathbb{Z}_{p-1}$; $Y \gets g^y \bmod p$
  Bob $\to$ Alice: $Y$
  Alice: $K_A \gets Y^x \bmod p$;  Bob: $K_B \gets X^y \bmod p$

• $Y^x = (g^y)^x = g^{xy} = (g^x)^y = X^y$ modulo $p$, so $K_A = K_B$
• Adversary is faced with computing $g^{xy} \bmod p$ given $g^x \bmod p$ and $g^y \bmod p$, which nobody knows how to do efficiently for large $p$.

DH Secret Key Exchange: Questions
• How do we pick a large prime $p$, and how large is large enough?
• What does it mean for $g$ to be a generator modulo $p$?
• How do we find a generator modulo $p$?
• How can Alice quickly compute $x \mapsto g^x \bmod p$?
• How can Bob quickly compute $y \mapsto g^y \bmod p$?
• Why is it hard to compute $(g^x \bmod p,\ g^y \bmod p) \mapsto g^{xy} \bmod p$?
• ...
To answer all that and more, we will forget about DH secret key exchange for a while and take a trip into computational number theory ...
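The exchange above, as an added Python example that is not part of the slides, together with the brute-force attack an adversary can run on it when $p$ is small. The prime $p = 1019$, the generator $g = 2$ and the random exponents are toy values assumed here for the demonstration; with a $p$ this size the "hard" step $(g^x, g^y) \mapsto g^{xy}$ takes a fraction of a second.

```python
# Added example, not from the slides: the DH exchange over a toy prime, plus
# the adversary's brute-force attack on it. The values of p and g are assumptions.
import secrets


def dh_keygen(p: int, g: int) -> tuple[int, int]:
    """Pick x at random from Z_{p-1} = {0, ..., p-2} and return (x, X = g^x mod p)."""
    x = secrets.randbelow(p - 1)
    return x, pow(g, x, p)          # pow with a modulus reduces at every step


def dh_shared(secret: int, other_public: int, p: int) -> int:
    """Alice computes K_A = Y^x mod p; Bob computes K_B = X^y mod p."""
    return pow(other_public, secret, p)


def dh_exchange(p: int, g: int) -> tuple[int, int, int, int]:
    """Run the protocol once and return the transcript and both keys: (X, Y, K_A, K_B)."""
    x, X = dh_keygen(p, g)          # Alice's side
    y, Y = dh_keygen(p, g)          # Bob's side
    return X, Y, dh_shared(x, Y, p), dh_shared(y, X, p)


def discrete_log(g: int, X: int, p: int) -> int:
    """Adversary: find x with g^x = X mod p by trying x = 0, 1, 2, ... in turn.
    Costs up to p-1 multiplications, which is only feasible because p is tiny."""
    acc = 1                         # g^0
    for x in range(p - 1):
        if acc == X:
            return x
        acc = acc * g % p           # g^(x+1)
    raise ValueError("X is not a power of g")


def attack(p: int, g: int, X: int, Y: int) -> int:
    """Recover the agreed key from the public transcript (X, Y) alone."""
    x = discrete_log(g, X, p)       # Alice's secret exponent
    return pow(Y, x, p)             # Y^x = K_A


if __name__ == "__main__":
    p, g = 1019, 2                  # toy prime; 2 generates Z_1019^* (assumption for the demo)
    X, Y, K_A, K_B = dh_exchange(p, g)
    assert K_A == K_B
    print(f"X={X} Y={Y} K_A=K_B={K_A}; adversary recovers {attack(p, g, X, Y)}")
```

The `attack` loop costs about $p$ multiplications, so the security of the exchange rests entirely on $p$ being too large for this loop, and for the much better discrete-log algorithms that exist, to finish; that is why the question of how large $p$ must be matters, and deployed DH uses standardized primes of 2048 bits and more. Note also that nothing in the exchange authenticates $X$ and $Y$: an adversary who can replace messages on the channel, rather than only read them, is outside the model the slides describe.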
Notation
$\mathbb{Z} = \{\ldots, -2, -1, 0, 1, 2, \ldots\}$
$\mathbb{N} = \{0, 1, 2, \ldots\}$
$\mathbb{Z}^+ = \{1, 2, 3, \ldots\}$
For $a, N \in \mathbb{Z}$ let $\gcd(a, N)$ be the largest $d \in \mathbb{Z}^+$ such that $d$ divides both $a$ and $N$.
Example: $\gcd(30, 70) = 10$.

Integers mod N
For $N \in \mathbb{Z}^+$, let
• $\mathbb{Z}_N = \{0, 1, \ldots, N-1\}$
• $\mathbb{Z}_N^* = \{a \in \mathbb{Z}_N : \gcd(a, N) = 1\}$
• $\varphi(N) = |\mathbb{Z}_N^*|$
Example: $N = 12$
• $\mathbb{Z}_{12} = \{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11\}$
• $\mathbb{Z}_{12}^* = \{1, 5, 7, 11\}$
• $\varphi(12) = 4$
Division and mod
INT-DIV$(a, N)$ returns $(q, r)$ such that
• $a = qN + r$
• $0 \le r < N$
Refer to $q$ as the quotient and $r$ as the remainder. Then $a \bmod N = r \in \mathbb{Z}_N$ is the remainder when $a$ is divided by $N$.
Example: INT-DIV$(17, 3) = (5, 2)$ and $17 \bmod 3 = 2$.
Def: $a \equiv b \pmod N$ if $a \bmod N = b \bmod N$.
Example: $17 \equiv 14 \pmod 3$

Groups
Let $G$ be a non-empty set, and let $\cdot$ be a binary operation on $G$. This means that for every two points $a, b \in G$, a value $a \cdot b$ is defined.
Example: $G = \mathbb{Z}_{12}^*$ and "$\cdot$" is multiplication modulo 12, meaning $a \cdot b = ab \bmod 12$.
Def: We say that $G$ is a group if it has four properties called closure, associativity, identity and inverse that we present next.
Fact: If $N \in \mathbb{Z}^+$ then $G = \mathbb{Z}_N^*$ with $a \cdot b = ab \bmod N$ is a group.

Groups: Closure
Closure: For every $a, b \in G$ we have that $a \cdot b$ is also in $G$.
Example: $G = \mathbb{Z}_{12}$ with $a \cdot b = ab$ does not have closure because $7 \cdot 5 = 35 \notin \mathbb{Z}_{12}$.
Fact: If $N \in \mathbb{Z}^+$ then $G = \mathbb{Z}_N^*$ with $a \cdot b = ab \bmod N$ satisfies closure, meaning $\gcd(a, N) = \gcd(b, N) = 1$ implies $\gcd(ab \bmod N, N) = 1$.
Example: Let $G = \mathbb{Z}_{12}^* = \{1, 5, 7, 11\}$. Then $5 \cdot 7 \bmod 12 = 35 \bmod 12 = 11 \in \mathbb{Z}_{12}^*$.
Exercise: Prove the above Fact.

Groups: Associativity
Associativity: For every $a, b, c \in G$ we have $(a \cdot b) \cdot c = a \cdot (b \cdot c)$.
Fact: If $N \in \mathbb{Z}^+$ then $G = \mathbb{Z}_N^*$ with $a \cdot b = ab \bmod N$ satisfies associativity, meaning $((ab \bmod N)\, c) \bmod N = (a\, (bc \bmod N)) \bmod N$.
Example:
$(5 \cdot 7 \bmod 12) \cdot 11 \bmod 12 = (35 \bmod 12) \cdot 11 \bmod 12 = 11 \cdot 11 \bmod 12 = 1$
$5 \cdot (7 \cdot 11 \bmod 12) \bmod 12 = 5 \cdot (77 \bmod 12) \bmod 12 = 5 \cdot 5 \bmod 12 = 1$
Exercise: Give an example of a set $G$ and a natural operation $a, b \mapsto a \cdot b$ on $G$ that satisfies closure but not associativity.
Groups: Identity element
Identity element: There exists an element $\mathbf{1} \in G$ such that $a \cdot \mathbf{1} = \mathbf{1} \cdot a = a$ for all $a \in G$.
Fact: If $N \in \mathbb{Z}^+$ and $G = \mathbb{Z}_N^*$ with $a \cdot b = ab \bmod N$ then 1 is the identity element because $a \cdot 1 \bmod N = 1 \cdot a \bmod N = a$ for all $a$.

Groups: Inverses
Inverses: For every $a \in G$ there exists a unique $b \in G$ such that $a \cdot b = b \cdot a = \mathbf{1}$. This $b$ is called the inverse of $a$ and is denoted $a^{-1}$ if $G$ is understood.
Fact: If $N \in \mathbb{Z}^+$ and $G = \mathbb{Z}_N^*$ with $a \cdot b = ab \bmod N$ then $\forall a \in \mathbb{Z}_N^*\ \exists b \in \mathbb{Z}_N^*$ such that $a \cdot b \bmod N = 1$. We denote this unique inverse $b$ by $a^{-1} \bmod N$.
Example: $5^{-1} \bmod 12$ is the $b \in \mathbb{Z}_{12}^*$ satisfying $5b \bmod 12 = 1$, so $b = 5$.

Exercises
Let $N \in \mathbb{Z}^+$ and let $G = \mathbb{Z}_N$. Prove that $G$ is a group under the operation $a \cdot b = (a + b) \bmod N$.
Let $n \in \mathbb{Z}^+$ and let $G = \{0,1\}^n$. Prove that $G$ is a group under the operation $a \cdot b = a \oplus b$.
Let $n \in \mathbb{Z}^+$ and let $G = \{0,1\}^n$. Prove that $G$ is not a group under the operation $a \cdot b = a \wedge b$. (This is bit-wise AND, for example $0110 \wedge 1101 = 0100$.)
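An added Python example, not from the slides, for the definitions on the last few slides (integers mod $N$, the four group axioms, inverses): it lists $\mathbb{Z}_N^*$, counts $\varphi(N)$, computes $a^{-1} \bmod N$ and checks the four axioms by exhaustive search, so the exercises above can be tried out on small $N$ and $n$. The slides only define the inverse; the extended Euclidean algorithm used to compute it here is the standard method and is not something the slides present.

```python
# Added example, not from the slides: Z_N^*, phi(N), modular inverses via the
# extended Euclidean algorithm, and a brute-force check of the group axioms.
from math import gcd


def z_star(N: int) -> list[int]:
    """Z_N^* = { a in Z_N : gcd(a, N) = 1 }."""
    return [a for a in range(N) if gcd(a, N) == 1]


def phi(N: int) -> int:
    """phi(N) = |Z_N^*|."""
    return len(z_star(N))


def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclid: return (d, u, v) with d = gcd(a, b) = u*a + v*b."""
    if b == 0:
        return a, 1, 0
    d, u, v = egcd(b, a % b)
    return d, v, u - (a // b) * v


def inverse_mod(a: int, N: int) -> int:
    """a^{-1} mod N: the b in Z_N^* with a*b mod N = 1. Raises if gcd(a, N) != 1,
    i.e. if a is not in Z_N^* and so has no inverse."""
    d, u, _ = egcd(a % N, N)        # u*a + v*N = 1, so u*a = 1 (mod N)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {N}: gcd = {d}")
    return u % N


def is_group(elements: list[int], op) -> bool:
    """Check closure, associativity, a unique identity and inverses for a finite (G, op)."""
    G = set(elements)
    if any(op(a, b) not in G for a in G for b in G):
        return False                                            # closure fails
    if any(op(op(a, b), c) != op(a, op(b, c)) for a in G for b in G for c in G):
        return False                                            # associativity fails
    identities = [e for e in G if all(op(e, a) == a == op(a, e) for a in G)]
    if len(identities) != 1:
        return False                                            # no identity element
    e = identities[0]
    return all(any(op(a, b) == e == op(b, a) for b in G) for a in G)   # every a has an inverse


if __name__ == "__main__":
    print("Z_12^* =", z_star(12), "phi(12) =", phi(12))
    print("5^-1 mod 12 =", inverse_mod(5, 12))
    print("Z_12^* under * mod 12 is a group:", is_group(z_star(12), lambda a, b: a * b % 12))
    print("Z_12 under * (no mod) is a group:", is_group(list(range(12)), lambda a, b: a * b))
```

`is_group` is cubic in $|G|$ and is only meant for the toy sizes in the exercises; the exercises' three operations can be passed as `lambda a, b: (a + b) % N`, `lambda a, b: a ^ b` and `lambda a, b: a & b` over `range(N)` or `range(2**n)` (an $n$-bit string represented as an integer). The bit-wise AND case fails because its identity would be the all-ones string, and no other element has an inverse.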
Computational Shortcuts
What is $5 \cdot 8 \cdot 10 \cdot 16 \bmod 21$?
Slow way: First compute $5 \cdot 8 \cdot 10 \cdot 16 = 40 \cdot 10 \cdot 16 = 400 \cdot 16 = 6400$ and then compute $6400 \bmod 21 = 16$.
Fast way:
• $5 \cdot 8 \bmod 21 = 40 \bmod 21 = 19$
• $19 \cdot 10 \bmod 21 = 190 \bmod 21 = 1$
• $1 \cdot 16 \bmod 21 = 16$

Exponentiation
Let $G$ be a group and $a \in G$. We let $a^0 = \mathbf{1}$ be the identity element and for $n \ge 1$, we let $a^n = \underbrace{a \cdot a \cdots a}_{n}$.
Also we let $a^{-n} = \underbrace{a^{-1} \cdot a^{-1} \cdots a^{-1}}_{n}$.
This ensures that for all $i, j \in \mathbb{Z}$,
• $a^{i+j} = a^i \cdot a^j$
• $a^{ij} = (a^i)^j = (a^j)^i$
• $a^{-i} = (a^i)^{-1} = (a^{-1})^i$
Meaning we can manipulate exponents "as usual".
Examples
Let $N = 14$ and $G = \mathbb{Z}_N^*$. Then modulo $N$ we have
$5^3 = 5 \cdot 5 \cdot 5 \equiv 25 \cdot 5 \equiv 11 \cdot 5 \equiv 55 \equiv 13$
and, since $5 \cdot 3 = 15 \equiv 1$ gives $5^{-1} \equiv 3$,
$5^{-3} = 5^{-1} \cdot 5^{-1} \cdot 5^{-1} \equiv 3 \cdot 3 \cdot 3 \equiv 27 \equiv 13$

Group Orders
The order of a group $G$ is its size $|G|$, meaning the number of elements in it.
Example: The order of $\mathbb{Z}_{21}^*$ is 12 because $\mathbb{Z}_{21}^* = \{1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20\}$.
Fact: Let $G$ be a group of order $m$ and $a \in G$. Then $a^m = \mathbf{1}$.
Examples: Modulo 21 we have
• $5^{12} \equiv (5^3)^4 \equiv 20^4 \equiv (-1)^4 \equiv 1$
• $8^{12} \equiv (8^2)^6 \equiv 1^6 \equiv 1$
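An added Python example, not from the slides, covering the computational-shortcut, exponentiation and group-order slides together: the "fast way" of reducing after every multiplication, square-and-multiply exponentiation in $\mathbb{Z}_N^*$, negative exponents handled through $a^{-1} = a^{\varphi(N)-1}$ (which follows from the fact $a^{|G|} = \mathbf{1}$ with $|G| = \varphi(N)$), and a check of that fact over every element of $\mathbb{Z}_N^*$. The moduli and exponents are the slides' own toy values.

```python
# Added example, not from the slides: modular products and powers computed the
# "fast way", negative exponents via a^{phi(N)-1}, and a check that a^|G| = 1.
from math import gcd


def order(N: int) -> int:
    """|Z_N^*| = phi(N), counted directly (fine for toy N)."""
    return sum(1 for a in range(N) if gcd(a, N) == 1)


def prod_mod(factors: list[int], N: int) -> int:
    """The 'fast way': reduce mod N after every multiplication, so intermediate
    values stay below N^2 no matter how many factors there are."""
    acc = 1
    for f in factors:
        acc = acc * f % N
    return acc


def pow_mod(a: int, n: int, N: int) -> int:
    """a^n mod N for a in Z_N^* and any integer n.
    Square-and-multiply uses about 2*log2(n) multiplications instead of n.
    For n < 0 we use a^{-n} = (a^{-1})^n with a^{-1} = a^{phi(N)-1}, valid because
    a^{phi(N)} = 1 in the group Z_N^* of order phi(N)."""
    if gcd(a, N) != 1:
        raise ValueError(f"{a} is not in Z_{N}^*")
    if n < 0:
        a, n = pow_mod(a, order(N) - 1, N), -n
    result, base = 1, a % N
    while n:
        if n & 1:                   # current bit of n is set: multiply it in
            result = result * base % N
        base = base * base % N      # square for the next bit
        n >>= 1
    return result


def check_order_fact(N: int) -> bool:
    """Fact from the slides: a^m = 1 for every a in a group of order m. Check it for Z_N^*."""
    m = order(N)
    return all(pow_mod(a, m, N) == 1 for a in range(N) if gcd(a, N) == 1)


if __name__ == "__main__":
    print("5*8*10*16 mod 21 =", prod_mod([5, 8, 10, 16], 21))
    print("5^3 mod 14 =", pow_mod(5, 3, 14), " 5^-3 mod 14 =", pow_mod(5, -3, 14))
    print("5^12 mod 21 =", pow_mod(5, 12, 21), " 8^12 mod 21 =", pow_mod(8, 12, 21))
    print("a^|G| = 1 holds for all of Z_21^*:", check_order_fact(21))
```

That $5^3$ and $5^{-3}$ both come out to 13 modulo 14 is no coincidence: $|\mathbb{Z}_{14}^*| = 6$, so $5^6 \equiv 1$ and hence $5^{-3} \equiv 5^{3}$. Python's built-in `pow(a, n, N)` does the same square-and-multiply and, since Python 3.8, also accepts negative `n`; the hand-written version is here only to show the steps.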