斯坦福 密码学 I 学习笔记6：Lecture 5 Basic Key Exchange

本系列为斯坦福 Dan Boneh教授的"密码学 I"的学习笔记
课程网址: http://www.coursera.org/lecture/crypto/course-overview-lboqg

---

内容在CSDN、知乎和微信公众号同步更新

• CSDN博客
• 知乎
• 微信公众号

• Markdown源文件暂未开源，如有需要可联系邮箱
• 笔记难免存在问题，欢迎联系邮箱指正

---

课程完整目录如下

• 课程大纲
• 0 Introduction
• 1 Stream Ciphers
• 2 Block Ciphers
• 3 Message Integrity
• 4 Authenticated Encryption
• 5 Basic Key Exchange
• 6 Public-Encryption

本文为其中Chapter 5 Basic Key Exchange 的内容，包括：

---

5 Basic Key Exchange

之前的章节：

• know how two users can protext data using a shared secret key

接下来

• How did these two users generate a shared secret key?
• ———— 密钥交换！
• 还会引入public key cryptographys

5.1 Basic Key Exchange 1: problem statement

• 本章内容：
  • 首先look at a few toy key exchange protocols
    • Trusted 3rd party
    • 对称密码
  • 引入Public key cryptography
  • 之后再根据public key建立 key exchange protocols

5.1.1 Truested 3rd parties

Key management

• Problem: n users.
  • Storing mutual secret keys

• Total: O(n) keys per user
  • 如何改进：引入Trusted 3rd party

A better solution

• Online Trusted 3rd Party (TTP)
  • 每个user都share a key with TTP:
  • Key exchange 通过 TTP完成

Generating keys: a toy protocol

• Alice wants a shared key with Bob
  • Eavesdropping security only
  • 能够抵抗active attack的protocol会在后续说明
  • (E,D): a CPA-secure cipher

• 1st step: Alice send a require to TTP
• 2nd step: TTP choose random $K_{AB}$
• 3rd step: TTP 返回给Alice两个信息：
  • $E(k_A,"A,B"||K_{AB})$
  • ticket = $E(k_B,"A,B"||K_{AB})$
• 4th: A 解密得到$K_{AB}$, 并forward ticket to B
• 5th: B get $K_{AB}$, end

Generating keys: a toy protocol

• Alice wants a shared key with Bob

• Eavesdropper sees:

  • $E(k_A,"A,B"||K_{AB})$ and
  • $E(k_B,"A,B"||K_{AB})$

• (E,D) is CPA-secure:

  • 意味着Eavesdropper看到的都和真的随机数一样
    • the definition of CPA security
  • Eavesdropper无法获得关于$k_{AB}$的信息
  • $\Rightarrow$ eavesdropper learns nothing about $K_{AB}$

• Note:

  • TTP needed for every key exchange
  • TTP knows all session keys
    • 必须是可信的
  • (basis of Kerberos system)

Toy protocol: insecure against active attacks

• Example:
  • insecure against replay attacks
    • 重放攻击
  • Alice向Bob买书 (Bob: online merchant)
    • 发了一个book order
  • Attacker replays session to Bob
    • Bob就会think Alice is ordering another copy of book
    • 显然不安全

Key question:

• Can we generate shared keys without an online trusted 3rd parthy

  • (除了主动攻击的另一个问题)

• Answer: yes

  • 基于对称加密
    • Merkle (1974)
      • Next segment
  • 基于public key encryption:
    • Diffie-Hellman (1976)
    • RSA (1977)
  • More recently:
    • ID-based enc. (BF 2001)
    • Functional enc. (BSW 2011)

5.1.2 Merkle Puzzles

This segment:

• First key exchange protocol
• without a trusted third party

Key exchange without an online TTP??

• Goal: Alice and Bob want shared key
  • unknown to evaesdropper
  • For now, no active attack

• Can this be done using generic symmetric crypto?
  • Yes, but very inefficient! $\downarrow$

Merkle Puzzles (1974)

---

• Main tool: Puzzles
  • Puzzles: 解决起来很困难，但也可以解决的problems
    • Problems that can be solved with some effort
  • Example: E(k,m) a symmetric cipher with k ∈ { 0 , 1 } 128 k\in \{0,1 \}^{128} k∈{0,1}128
    • Puzzle§ = E(P,“message”) where $P=0^{96}||b_1{b}_2...b_{3}2$
    • Goal: find P!
      • 尝试$2^{32}$种可能即可，困难但可以解决 – puzzles

---

Merkle puzzles:

• Alice: prepare $2^{32}$ puzzles
  • For $i=1,2,...,2^{32}$ choose random P i ∈ { 0 , 1 } 32 P_i \in \{0,1 \}^{32} Pi​∈{0,1}32 and x i , k i ∈ { 0 , 1 } 128 x_i, k_i \in \{0,1 \}^{128} xi​,ki​∈{0,1}128
    • set $puzzl{e}_i$ $\leftarrow$ $E(0^{96}||P_i$, “Puzzle #x_i” || k_i)$
    • “Puzzle #x_i” || $k_i$: 明文， 以单词 "puzzle"开头， "$x_i$"作为标记， 加上 $k_i$
    • 这样，就可以得到$2^{32}$个不同的puzzles (因为密钥有$2^{32}$个)
  • send puzzl_1, puzzle_2, …, puzzle_$2^{32}$ to Bob
• Bob: choose a random $puzzl{e}_j$ and solve it
  • obtain $(x_j,k_j)$
    • $k_j$就是共享密钥
  • send $x_j$ to Alice
  • Alice得到$x_j$后即可找到对应的$k_j$
• 复杂度：
  • Alice:
    • 准备$2^{32}$个puzzle, 每个puzzle只需要加密1次，所以**时间复杂度O(2^{32}) = O(N)**
    • 得到Bob返回的的$x_j$查找$k_j$复杂度也是O(1)
  • Bob:
    • 选择$puzzl{e}_j$： O(1)
    • 解决该Puzzle：遍历，时间复杂度O(2^{32}) = O(N)

• Eavesdropper’s work的时间复杂度
  • 看到了 N 个Puzzles
  • 以及返回的 $x_j$
  • 如何破解：
    • 对N个Puzzles进行解密，每个解密复杂度O(N),直到解出正确的$x_j$
    • 故总时间复杂度$O(N^2)$
    • e.g., O(2^{64})

---

• The participants (Alice and Bob):
  • Linear time
• The attacker:
  • quadratic time!
• 时间复杂度上的差距：“quardratic gap”

Impossibility Result

• Can we achieve a better gap using a general symmetric cipher?

  • Ans: unkown

• But: roughly speaking

  • quarratic gap is best possible if we treat cipher as a black box oracle

• 那如何才能打破"quardratic gap"呢?

  • 从而变得更加安全、高效
  • Public Key Encryption!
    • 使用一些functions that have very special properties
    • 必须要rely on some algebra
    • see in the next segment

5.2 Basic key exchange 2: two solutions

5.2.1 The Diffie-Hellman Protocol

This segment:

• Diffie-Hellman Protocol
• the first practical key exchange mechanism

• Key exchange without an online TTP
  • Goal: Alice and Bob want shared secret
  • unkown to eavesdropper
• For now: security against eavesdropping onlye
  • no tempering

Can this be done with an exponential gap?

The Diffie-Hellman Protocol

若要达到exponential gap， 只有symmetric primitives是不行的 (block ciphers)
需要使用更加complex的structure
例如， algebra knowledge algebra 代数

• informally
  • Next week, we will describe the protocol more abstractly and with rigorous security analysis

• The Diffie-Hellman protocol:

  • 产生p,g () 每次一旦产生，不再更改
    • Fix a large prime p (e.g., 600 digits)
    • Fix an integer g in {1,2, ,…, p}
  • Alice: choose random a in {1,2, …, p-1}
  • Bob: choose random b in {1,2, …, p-1}
  • Alice compute $A=g^{a}modp$ and send A to Bob
  • Bob: compute $B=g^{b}modep$
  • Generate Shared Key:
    • $k_{AB}=g^{ab}modp=B^{a}modp=A^{b}modp$

• 历史意义

  • 1976年被提出
    • Hellman: a professor at Standford
    • Diffie was his graduate student
  • 开启了new age in cryptography
    • 密码学不仅仅是designing block ciphers
    • 还有designing protocols that have properties
  • 实现了指数gap (exponential gap)

Security

• 比起理解key exchange的步骤，更重要的是证明安全性！
  • This segment只是简要说明
  • Much more on this later
• Eavesdropper sees:
  • p
  • g
  • $A=g^a(modp)$
  • $B=g^b(modp)$
• Can he compute $g^{ab}(modp)$ ??
• More generally:
  • define $D{H}_g(g^a,g^b)=g^{ab}(modp)$
  • How hard is the DH function mod p?
    • （p is very large, 600 bits）

How hard is the DH function mod p?

• Suppose prime p is n bits long
• Best known algorithm
  • (GNFS)
    • General number field sieve (普通数域筛选法)
    • 已知效率最高的分解整数的算法
    • 是一个more general algorithm that computes the discrete log function
      • 下周讲解
    • 这里认为它是passive破解Diffie-Hellman function的最effecitive方法
  • run time $exp(O(\sqrt[3]{n}))$
    • 这里的$exp(O(\sqrt[3]{n}))$并不精确，只是估计值

• modulus size:
  • 即n的值
  • The large prime P 的范围
  • 对应的破解时间复杂度约为$exp(O(\sqrt[3]{n}))$
• cipher key size:
  • 生成的密钥长度
  • 安全的话需要256 bits
• 问题：显然，256bits的key size对应的modulus size太大
  • quite slow
  • How to do better?
    • Yes! translate the DH protocol from an arithmetic model arithmetic model 算术模型 to another setting: Elliptic Curve (第三列)
    • 也就是：
      • 传统的DH protocol基于的algerbaic object是算术模型
      • 将其转换到椭圆曲线模型即可大幅降低复杂度

• As a result:
  • slow transition away from (mod p) to elliptic curves
  • 利用elliptic curves： 可实现size的缓慢过度！！ —— 降低对素数大小的要求！
  • 但无论使用什么model, DH protocol的核心思想都是统一的！
    • see next week

Insecure against man-in-the middle

• As described, the protocol is insecure against active attacks

• 中间人攻击 man-in-the middle， MiTM
  • MiTM先intercept A，再自己生成错误的a’和A’发送给B
  • 之后，MiTM intercept B, 再生成错误的b’和B’发送给A
  • MiTM可分别计算出正确的密钥和错误的密钥
  • 然后即可瞒过A和B进行通信，同时窃取信息

Another look at DH

• DH的一个好处：不需要顺序通信和交互！
  • can be viewd as a non-interactive protocol!

• Everybody把自己的$g^a$, $g^b$, … 上传到自己的public profile中
• 之后就可以直接建立shared key:
  • 比如，if Alice and Charlie wanna communicate:
    • 它们do not need communication at all!
    • Charlie read Alice’s public profile
      • and comupte the shared key $K_{AC}$
    • Alice read Charlie’s public profile
      • and comupte the shared key $K_{AC}$
    • 即可建立$K_{AC}$
• 即所谓的 “non-interactive property of the Diffie-Hellman protocol!”

An open problem: Can we do this for more than two party?

• Setting:
  • All people (N people) post their values to their Facebook profiles
  • Our goal:
    • Just by reading Facebook profiles
    • all of them can set up a secret key!
• 研究现状：
  • if N = 2:
    • DH protocol
  • if N = 3:
    • a known protocol named “Joux”
  • if N >= 4:
    • Still Open!

Next segment:

• another key exchange mechanism

5.2.2 Public-Key Encryption

This segment:

• a new key exchange protocol based on the concept of public key encryption

Establishing a shared secret

• Goal: Alice and Bob want shared secret

  • unknown to eavesdropper

• For now: security against eavesdropping only

  • no tampering

• 已经学过：

  • based on block ciphers
  • DH protocol
    • is used over the web very frequently

• This segment:

  • a different approach
  • based on public encryption

Public key encryption

• 用于encryption:
  • Alice
    • using public key (PK) of Bob to encrypt
  • Bob
    • using secret key (SK) of Bob to decrypt

• More precisely definition $\downarrow$

Public key encryption

• Def: a public-key encryption system is a triple of algs (G,E,D)
  • G(): randomized alg. outputs a key pair (pk, sk)
  • E(pk, m): randomized alg. that taks $m\in M$
    • outputs $c\in C$
  • D(sk,c): det. alg. that takes $c\in C$ and outputs $m\in M$ or $\perp$
• Consistency:
  • $\forall (pk,sk)$ output by G:
    • $\forall m\in M$: D(sk, E(pk, m)) = m

Semantci Security

• For b = 0,1 define experiments EXP(0) and EXP(1) as:
  • 1st: the challenger run the key generation alg.
    • generate a public key and a secret key pair
  • 2nd: the challenger send pk to the adv.
    • and keep the sk to himself
  • 3rd: the adv output two equal length messages: $m_0$ and $m_1$
  • 4th: the challenger 任选$m_0$ / $m_1$之一进行加密，并返回$c\leftarrow E(pk,m_b)$
  • 5th: the adv. 猜测b的值，若猜对则攻击成功
• Semantic security definition:
  • 目标：攻击者无法区分到底是实验0还是实验1，即输出0和输出1的概率是相等：
  • Def: E= (G,E,D) is sem. secure (a.k.a IND-CPA)
    • INDistinguishability under Chosen Plaintext Attack
  • if for all efficient A:
    • $Ad{v}_{SS}[A,E]=|Pr[EXP(0)=1]-Pr[EXP(1)=1]|<negligible$
• 注意：
  1. 对于public encryption, 没有必要突出“选择明文攻击”
     • The adv. 根据pk可自行Encryption， 因为没有区分"选择明文"攻击
  2. 该定义仅适用于概率性加密方案，即仅根据E和pk无法得到唯一的encryption + 敌手必须是多项式时间
     • 否则敌手就可以计算出encryption再进行比较
     • (来自杨波老师现代密码学第四版):

Establishing a shared secret

• 过程

  • 1： Alice 使用G()生成(pk,sk)
  • 2: Alice send pk to Bob
  • 3: Bob choose x ∈ { 0 , 1 } 128 x \in \{0,1 \}^{128} x∈{0,1}128 作为shared key
  • 4: Bob 将E(pk,x) send to A
  • 5: Alice 使用sk decrypt and get x

• 与DH完全不同！

  • This segment’s method 中A和B必须交互：
    • B选择一个数，加密给A
    • 然后A才能得到secret key
  • 而DH则不需要interaction
    • participants can directly get the secret key from pubic profiles

Security

• eavesdropping
• Adversary sees pk, E(pk,x)
  • and wants $x\in M$
• Semantic security
  • $\Rightarrow$ the adv. cannot distinguish {pk, E(pk,x), x} from {pk, E(pk,x), rand $\in$ M}
• $\Rightarrow$ can derive session key from x
  • 攻击者无法进行判断，所以可以被用来当做secrit session
  • (仅被动攻击)
• Note: protocol is vulnerable vulnerable 易受伤害的 to man-in-the-middle

Insecure against man in the middle

• As described, the protocol is insecure against active attacks
• 攻击方法：
  • 和DH protocol中间人攻击类似

Public key encryption: Constructions

• Constructions generally rely on hard problems from number theory and algebra
• Next module:
  • brief detour detour 绕行，改道，这里指偏一下题 to catch up on the relevant background
• 之后再继续讨论public key for encryption and key exchange

Further readings

• Merkle Puzzles are Optimal 2009
  • quadratic gap is optimal for block ciphers
• On formal models of key exchange (sections 7-9) 1999
  • summarize some of the key exchange mechanisms that we talked about！

Next segment:

• number theory and algebra背景

5.3 Number Theory 1: modular arithmetic

arithmetic 算术

5.3.1 Notation

Last module:

• we saw that number theory can be useful for key exchange

This module

• 体系化地了解some basic facts of number theory

Background

• We will use a bit of number theory to construct:
  • Key exchange protocols
  • Digital signatures
  • Public-key encryption
• This module:
  • Crash course on relevant concepts
• More info：
  • read parts of Shoup’s book

Notation

• From here on:
  • N: denotes a positive integer
  • p: denotes a prime
  • $\mathcal{Z}$: set ${\mathcal{Z}}_N=0,1,2,...,N$
• Can do addition and multiplication modulo N

Modular arithmetic

• Examples:
  • Let N = 12
    • 9 + 8 = 15 in ${\mathcal{Z}}_{12}$
    • $5\times 7=11$ in ${\mathcal{Z}}_{12}$
    • $5-7=10$ in ${\mathcal{Z}}_{12}$
• Arthmetic in ${\mathcal{Z}}_N$ 满足实数域上的很多运算法则，如
  • 分配律：
    • a(b+c) in ${\mathcal{Z}}_{12}$ = $ab+ac$ in ${\mathcal{Z}}_{12}$

Greatset common divisor

• Def:
  • For ints. x,y:
    • gcd(x,y) is the greatest common divisor of x,y:
  • example:
    • gcd(12,18) = 6
• Fact:
  • for all ints. x,y there exists ints. a,b such that
  • $a\times x+b\times y=gcd(x,y)$
  • $a,b$ can be found efficiently using the extended Euclid alg.
    • 可用于求逆 – later
• Relatively prime (互素)
  • If gcd(x,y) = 1, we say that x and y are relatively prime

Modular inversion

• Over the rationals, inverse of 2 is $1/2$

  • What about ${\mathcal{Z}}_N$

• Def:

  • The inverse of x in ${\mathcal{Z}}_N$ is an element y in ${\mathcal{Z}}_N$ s.t.,
    • $x\times y = 1 $ in ${\mathcal{Z}}_N$
  • y is demoted $x^{-1}$

• Example:

  • Let N be an odd integer
  • The inverse of 2 in ${\mathcal{Z}}_N$ is :
    • $(N+1)/2$

Modular inversion

• which elemets have an inverse in ${\mathcal{Z}}_N$
• Lemma: x in ${\mathcal{Z}}_N$ has an inverse
  • if and only if
  • gcd(x,N) = 1
  • 当且仅当gcd(x,N) = 1时，x有mod N的逆！
• Proof:
  • $gcd(x,N)=1$ $\Rightarrow$ $\exists a,b: ax + bN = 1 mod N $
    • $\Rightarrow$ $ax=1$ $\Rightarrow$ a就是x的inverse！
    • 因为 a,b可以通过扩展的欧几里得算法得到，所以x的inverse也可以通过扩展的欧几里得算法得到
  • 下面证明当$gcd(x,N)>1$时，x一定没有inverse
    • $gcd(x,N)>1$ $\Rightarrow$ $\forall a:gcd(a\cdot x,N)>1$
    • $\Rightarrow$ $\forall a,a\times x\ne 1$ in ${\mathcal{Z}}_N$
    • $\Rightarrow$ x没有inverse
    • 以gcd(x,N)>2为例：
      • $\forall a:a\cdot x$ is even
      • $\Rightarrow$ $a\times x\ne b\times N+1$
• 该证明可以认为是一个"computer science" prrof:
  • 不仅给出了证明
  • 还给出了如何求inverse
    • 利用扩展欧几里得算法求a即可

More notation

• Def: ${\mathcal{Z}}_N^{\ast }$ = (set of invertible elements in ${\mathcal{Z}}_N$)
  • = {$x\in {\mathcal{Z}}_N:gcd(x,N)=1$}
• Examples:
  • 1 for prime p
    • ${\mathcal{Z}}_p^{\ast }$ = ${\mathcal{Z}}_{p}0$ = $1,2,...,p-1$
    • |${\mathcal{Z}}_p^{\ast }$| = p-1
  • 2 ${\mathcal{Z}}_{12}^{\ast }=1,5,7,11$
• For x in ${\mathcal{Z}}_N^{\ast }$, can find $x^{-1}$ using extended Euclid algorithm

Solving modular linear equations

• 至此，我们已经可以求解mod N 上的线性方程：
• Solve: $x\cdot x+b=0$ in ${\mathcal{Z}}_N$
  • Solution: $x=-b\cdot a^{-1}$ in ${\mathcal{Z}}_N$
• Find $a^{-1}$ in ${\mathcal{Z}}_N$ using extended Euclid.
  • Run time: $O(lo{g}^2(N))$

Next segment:

• 继续看如何求解modular quadratic euqations!

5.3.2 Fermat and Euler

This segment:

• 从古希腊(extended Euclid Alg.)前进到17-18 century
• talk about Fermat and Euler contributions

Review

• N denotes an n-bit positive integer

  • p denotes a prime

• ${\mathcal{Z}}_N$ = {0,1, …, N-1}

• (${\mathcal{Z}}_N^{\ast }$) = (set of invertible elements in ${\mathcal{Z}}_N$)

  • = {$x\in {\mathcal{Z}}_N$: gcd(x,N) = 1}

• Can find inverses efficiently using Extend Euclid alg.

  • time = $O(lo{g}^2(N))$ = $O(n^2)$
  • n为N的位数

Fermat’s theorem (1640)

• Thm: Let p be a prime
  • $\forall x\in ({\mathcal{Z}}_p^{\ast })$:
    • $x^{p-1}=1$ in $Z_p$
• Example:
  • p = 5
    • $3^4=81=1$ in ${\mathcal{Z}}_5$
• Proof:
  • Fermat自己没有证明
  • 而是在100年后由Euler给出了证明 (Euler定理的特例)
• A simple application:
  • 求inverse
  • $x\in {\mathcal{Z}}_p^{\ast }$ $\Rightarrow$ $x\cdot x^{p-2}=1$
    • $\Rightarrow$ $x^{-1}=x^{p-2}$ in ${\mathcal{Z}}_p$
  • another way to compute inverses, but less efficient than Euclid
    • Do modular exponentiations: $O(lo{g}^{3}P)=O(n^3)>O(n^2)$
    • 而且less general:
      • 只能用于N为素数的case

Aplication: generating random primes

• Suppose we wan to generate a large random prime
  • say, prime p of length 1024 bits (i.e. $p\approxeq 2^{1024}$)
• Process:
  • Step 1: choose a random integer $p\in [2^{1024},2^{1025}-1]$
  • Step 2: test if $2^{p-1}=1$ in ${\mathcal{Z}}_p$
    • If so, output p
      • 大概率是素数
      • p越大是素数的概率就越大
    • Else: goto step 1
      • 一定不是素数
      • 平均需要迭代200次左右
• Simple algorithm (not the best)
  • Pr[p not prime] $<2^{-60}$
  • 是一个概率性算法，其可以应用的原因是是 “大概率能够成功”
    • 即下图中FP的比例很小
  • 但也有更好的方法
    • 只是一个有趣且简单的思路

The structure of $({\mathcal{Z}}_p{)}^{\ast }$

• Thm (Euler):

  • $({\mathcal{Z}}_p{)}^{\ast }$ is a cylic group, that is:
    • $\exists g \in (\mathcal{Z}_{p})^{*} $ such that {$1,g^1,g^2,...,g^{p-2}$} = $({\mathcal{Z}}_p{)}^{\ast }$
    • g is called a generator of $({\mathcal{Z}}_p{)}^{\ast }$
  • Example:
    • p = 7:
      • 存在g = 3
      • {$1,3,3^1,3^2,...,3^5$} = {1,3,2,6,4,5} = $({\mathcal{Z}}_7^{\ast })$

• Note:

  • 但并不是所有的$g\in ({\mathcal{Z}}_p{)}^{\ast }$ 都成立
    • e.g., {$1,2,2^2,2^3,2^4,2^5$, …} = {1,2,4}

Order 阶数

• For $g\in ({\mathcal{Z}}_p^{\ast })$, the set {$1,g^2,g^3,...$} is called
  • the group generated by g, denoted $<g>$
• Def: The order of $g\in ({\mathcal{Z}}_p^{\ast })$ is the size of $<g>$:
  • $or{d}_p(g)=|<g>|$ = (smallest a>0 s.t. $g^a=1$ in ${\mathcal{Z}}_p$)
• examples:
  • $or{d}_7(3)=6$: $3^6=729=1mod7$
  • $or{d}_7(2)=3$: $2^3=8=1mod7$
  • $or{d}_7(1)=1$
• Thm (Langrange):
  • $\forall g\in ({\mathcal{Z}}_p^{\ast }):$
    • $or{d}_p(g)$ divides (p-1):
  • 根据该定理可证明Fermat’s theorem

Euler’s generalization of Fermat

• Def: For an integer N define $\varphi (N)=|({\mathcal{Z}}_N^{\ast })|$

  • Eluer’s $\varphi$ functions

• Examples:

  • $\varphi (12)=|1,5,7,11|=4$
  • $\varphi (p)=p-1$
  • For N = $p\cdot q$ (p and q are primes)
    • $\varphi (N)=N-p-q+1=(p-1)(q-1)$
      • 剔除p个能整除q的，再提出q个能整除p的，再加上一个能整除pq的(0)

• Thms (Euler):

  • $\forall x\in ({\mathcal{Z}}_N^{\ast })$:
    • $x^{\phi(N)} = 1 $ in ${\mathcal{Z}}_N$

• Example:

  • $5^{\varphi (12)}=5^4=625=1$ in ${\mathcal{Z}}_{12}$

• Generalization of Fermat.

  • Basis of the RSA cryptosystem
    • 见next module

• Euler theorem的证明：

  • 不难
  • 也是special case of Lagrange’s general theorem

Next segment:

• continue with modular quadratic equations

5.3.3 Modular e’th Roots

Previous segment:

• talked about how to solve modular linear equations

This segment:

• How to solve modular quadratic equations

Modular e’th roots

• we know how to solve modular linear equations:
  • $a\cdot x+b=0$ in ${\mathcal{Z}}_N$
  • Solution: $x=-b\cdot a^{-1}$ in ${\mathcal{Z}}_N$
• What about higher degree polynomials?
  • Example:
    • Let p be a prime and $c\in {\mathcal{Z}}_p$
    • can we solve:
      • $x^2-c=0$ in ${\mathcal{Z}}_P$
        • 需要计算$\sqrt{x}$
      • $x^3-c=0$ in ${\mathcal{Z}}_P$
        • 需要计算$\sqrt[3]{x}$
      • $x^{37}-c=0$ in ${\mathcal{Z}}_P$
        • 与上类似

---

Let p be a prime and $c\in {\mathcal{Z}}_P$

• Def: $x\in {\mathcal{Z}}_p$ s.t.,

  • $x^e=c$ in ${\mathcal{Z}}_P$ is called an e’th root of c

• Example:

  • in ${\mathcal{Z}}_{11}$

    • $7^{1/3}=6$
      • $6^3=216=7$ in ${\mathcal{Z}}_{11}$
    • $3^{1/2}=5$
    • $1^{1/3}=1$

  • $2^{1/2}$ does not exist in ${\mathcal{Z}}_{11}$

  • 所以什么时候存在什么时候不存在？？

The easy case: gcd(e, p-1) = 1

• When does $c^{1/e}$ in ${\mathcal{Z}}_P$ exist?

• Can we compute it efficiently?

• The easy case: suppose gcd(e,p-1) = 1

  • Then for all c in $({\mathcal{Z}}_P^{\ast })$:
    • $c^{1/e}$ exists in ${\mathcal{Z}}_P$ is easy to find!
  • Proof: Let $d=e^{-1}$ in ${\mathcal{Z}}_{p-1}$ (因为gcd(e,p-1) = 1，所以存在d), then $c${1/e} = c^d$ in ${\mathcal{Z}}_P$
    • 具体原因：
      • $d\cdot e=1$ in ${\mathcal{Z}}_{P-1}$
      • $\Rightarrow$ $\exists k \in Z: $, $d\cdot e=k(p-1)+1$
      • $\Rightarrow$ $(c^d{)}^e=c^{de}=c^{k(p-1)+1}$
      • $\Rightarrow$ $[c^{p-1}{]}^k\cdot c$ = c in ${\mathcal{Z}}_P$
    • 因此 $c${1/e} = c^d$ in ${\mathcal{Z}}_P$

The case e=2: square roots

• e =2 往往意味着 gcd(e, p-1) $\ne 1$
  • 因此是另一种情况，但也可以解决

• If p is an odd prime then gcd(2,p-1) $\ne 1$

• Fact: in ${\mathcal{Z}}_P^{\ast }$, $x\to x^2$ is a 2-to-1 function!
  • Example: in ${\mathcal{Z}}_{11}^{\ast }$

• Def: x in ${\mathcal{Z}}_P$ is a quadratic residue (Q.R.) if it has a square root in ${\mathcal{Z}}_P$
  • 假设p是素数，a是整数。 如果存在一个整数x使得x^2≡a(mod p) （即$x^2-a$可以被p整除）， 那么就称a在p的剩余类中是平方剩余的。
  • p odd prime $\Rightarrow$ the # Q.R. in ${\mathcal{Z}}_p$ is (p-1)/2 + 1
    • +1: 0 总是平方剩余(QR)的
• In this case:对于${\mathcal{Z}}_p$ ， 一半元素有平方根，一半元素没有！
  • 与the easy case (gcd(e,p-1) = 1) is very different!

Euler’s theorem

• Thms:
  • x in (${\mathcal{Z}}_p^{\ast }$) is a Q.R.
  • 等价于
  • $x^{(p-1)/2}=1$ in ${\mathcal{Z}}_p$
  • (p is an odd prime)
• Example:

• Note:
  • $x\ne 0$ $\Rightarrow$ $x^{(p-1)/2}=(x^{p-1}{)}^{1/2}=1^{1/2}$ $\in$ {1,-1} in ${\mathcal{Z}}_P$
  • 即等式左侧只能为1或-1
• Def:
  • $x^{(p-1)/2}$ is called the Legendre Symbol of x over p (1798)

至此为止，对于The case e=2: square roots

• 已经知道了如何判断是否存在
• 但怎么计算呢？

Computing square roots mod p

• Suppose p = 3 (mod 4)
  • 情况1
• Lemma:
  • if $c\in {\mathcal{Z}}_P$ is Q.R.
  • then: $\sqrt{c}=c^{(p+1)/4}$ in ${\mathcal{Z}}_P$
    • p + 1 = 0 mod 4 $\Rightarrow$ (p+1)/4 is整数
• Proof
  • $[c^{(p+1/4)}{]}^2=c^{(p+1)/2}=c^{(p-1/2)}\cdot c=1\cdot c=c$ in ${\mathcal{Z}}_P$
• When p = 1 mod (4), can also be done efficiently ,but a bit harder.
  • 暂无deterministic alg., 只有random alg.
    • 但也不错
  • run time = $O(lo{g}^{3}p)$

至此，已经可以计算平方根！
下面求解二次方程

Solving quadratic equations mod p

• Solve:
  • $a\cdot x^2+b\cdot x+c=0$ in ${\mathcal{Z}}_P$
  • Solution:

• Find: $(2a{)}^{-1}$ in ${\mathcal{Z}}_P$ using extended Euclid

• Find square root of $b^2-4ac$ in ${\mathcal{Z}}_P$ (if exists) using a square root algorithm

• 假如不是prime p 呢？

Computing e’th roots mod N?

• Let N be a composite number and $e>1$
• When does $c^{1/e}$ in ${\mathcal{Z}}_N$ exist?
  • Can we compute it efficiently?
• Answering these questions requires the factorization of N
  • (as far as we know)
  • 对于非素数的求根问题，需要对N进行分解！
  • 大数分解
• 素数的e’th root问题比较简单，但对于合数而言非常非常困难！！

Next segment:

• turn to modular algorithms
• 加法、乘法、指数算法、modulo primes and composites

5.4 Number Theory: easy and hard problems

5.4.1 Arithmetic algorithms

• 接下来：考虑对大数的模运算！

Representing bignums

• Representing an n-bit integer (e.g., n = 2048) on a 64-bit machine

• Note:
  • some processors have 128-bit registers (or more)
    • support multiplication on thenm
  • 64-bit machine 使用32 bits block的原因：
    • 32 bits能够直接相乘，相乘结果小于64 bits

Arithmetic

不同模运算的复杂度

Given: two n-bit integers

• Additions and subtraction: linear time O(n)
• Multiplication: naively $O(n^2)$
  • Karatsuba(1960): O(n^{1.585})
    • 递归分析
  • best (asymptotic) algorithm: about $O(n\cdot logn)$
    • 但该算法复杂度有一个很大的常数
    • 因此除非n很大，否则并不比Karatsuba快多少
    • 通常Karatsuba更常用一些
  • 方便起见，本节简单认为是$O(n^2)$
• Division with remainder: $O(n^2)$

Exponentiation

• Finite cyclic group G
  • For example $G={\mathcal{Z}}_P^{\ast }$
• Goal： Given g in G and x
  • compute $g^x$
• 直接计算复杂度太高，通常按下面思路计算

• Example: Suppose x = 53 = $(110101{)}_2$ = 32+16 + 4 + 1
  • Then: $g^{53}=g^{32+16+4+1}$ = $g^{32}\cdot g^{16}\cdot g^4\cdot g^1$
  • 重复平方法！ repeated squaring algorithm!

The repeated squaring alg.

• Input: g in G and x>0
• Output: $g^x$

• 算法

write x = (x_n, x_{n-1}, ..., x_2, x_1, 0)_2 # 二进制表示
y = g
z = 1
for i in range(n+1):
  if (x[i] == 1):
    z = z * y
  y = y * y

return z

Running times

• 总结上述几种运算的running time

Given n-bit int. N:

• Addition and Subtraction in ${\mathcal{Z}}_N$:
  • linear time $T_{+}=O(n)$
• Modular multiplication in ${\mathcal{Z}}_N$:
  • naively $T_{\times }=O(n^2)$
• Modular exponentiation in ${\mathcal{Z}}_N(g^x)$:
  • $O((logx)\cdot T_{\times })\le O((logx)\cdot n^2)\le O(n^3)$
  • (X < N)

Next segment:
hard problems modulo primes and composites

5.4.2 Intractable Problems

Intractable 顽固的，困难的

This segment:

• Look at some hard problems that come up in the context of modular arithmetic
• 这些hard problem 是公钥密码学的基础！
  • 公钥密码学 – 下周

Easy problem

• 先来看一些modular arithmetic中的easy problem!

• Inverse:

  • Given composite N and x in ${\mathcal{Z}}_N$
    • find $x^{-1}$ in ${\mathcal{Z}}_N$
  • 使用拓展欧几里得算法

• polynomial f(x) = 0 in ${\mathcal{Z}}_p[x]$

  • Given prime p and polynomial f(x) in ${\mathcal{Z}}_p[x]$
  • find x in ${\mathcal{Z}}_P$ s.t. f(x) = 0 in ${\mathcal{Z}}_P$ (if one exists)
  • Running time is linear in def(f)

• But many problems are difficult!

  • these difficult problems form the basis of many public-key cryptosystems

Intractable problems with primes

• Fix a prime p>2 and g in ${\mathcal{Z}}_p^{\ast }$ of order q

  • Consider the function:
    • $x\rightarrowtail g^x$ in ${\mathcal{Z}}_P$
  • As shown in the last segment:
    • 这种给定g, 已知x求幂$g^x$的运算相当简单

• 然而！consider the inverse function:

  • $Dlo{g}_g(g^x)=x$ where x in {0,1, …, q-2}
  • 即**给定g, 已知$g^x$求它的离散对数x**
    • hard problem!
    • 对数：求本来就是对数运算；
    • 离散：限制在${\mathcal{Z}}_P$上，是离散的!

• Example:

  • in ${\mathcal{Z}}_{11}$
  • $Dlo{g}_2(1)=0$ (2^0 = 1 mod 11)
  • $Dlo{g}_2(2)=1$ (2^1 = 2 mod 11)
  • $Dlo{g}_2(3)=8$ (2^8 = 256 = 3 mod 11)
  • $Dlo{g}_2(4)=2$ (2^2 = 4 mod 11)
  • $Dlo{g}_2(5)=4$ (2^4 = 5 mod 11)
    … …

DLOG: more generally

• Let G be a finite cyclic group and
  • g: a generator of G
  • G = {1, g, $g^2$, …, g^{q-1}}
    • q is called the order of G
• DLOG是hard problem 的定义：
  • Definition: We say that DLOG is hard in G if for all efficien alg. A:
    • $P{r}_{g\leftarrow G,x\leftarrow {\mathcal{Z}}_q}[A(G,q,g,g^x)=x]$ < negligible
  • 算法的输入：group G, the order of the group, 底数g 和 $g^x$
  • 算法的目标: x
  • 注：
    • 并不是所有group上都是难的！
    • 例如上一题中group = ${\mathcal{Z}}_{11}^{\ast }$就不难！
• Example candidates:
  • (1) (${\mathcal{Z}}_P^{\ast }$) for large p
  • (2) Elliptic curve groups mod p
    • 椭圆曲线中的problem set is much harder than problem in ${\mathcal{Z}}_p^{\ast }$
    • (假设size相等)
    • 意味着Elliptic curve groups mod p可以使用更少的参数！

Computing Dlog in ${\mathcal{Z}}_P^{\ast }$

• n-bit prime p
• Best known algorithm (GNFS):
  • run time $exp(O(\sqrt[3]{n}))$
• 对称密码 和 基于DLOG的密码的run time 难度对应后的结果：

• 对于椭圆曲线group, 最佳算法的时间复杂度：
  • $exp(O(n/2))$
  • 真正的指数复杂度！
  • 椭圆曲线group所需要的size始终是对称密码size的两倍：也是因为这个2！

An application: Collision resistance

• 对离散对数hardness的直接应用

• Choose a group G where Dlog is hard (e.g., ${\mathcal{Z}}_P^{\ast }$ for large p)

• Let $q=|G|$ be a prime

  • Choose generators g,h of G:
  • For x,y $\in 1,2,...,q$, define $H(x,y)=g^x\cdot g^y$ in G

• Lemma: finding collision for H(.,.) is as hard as computing $Dlo{g}_g(h)$

• Proof:

  • Suppose we are given a collision H(x_0, y_0) = H(x_1, y_1)
  • then:
    • $g^{x_0}{h}^{y_0}=g^{x_1}{h}^{y_1}$
    • $\Rightarrow$ $g^{x_0-x_1}=h^{y_1-y_0}$
    • $\Rightarrow$ $h=g^{x_0-x_1/y_1-y_0}$
  • 意味着：假如能够找到碰撞，那么就可以根据该碰撞计算出离散对数 $Dlo{g}_g(h)$，
    • $\Rightarrow$ 假如能找到碰撞，就能找到离散对数
    • 矛盾！所以无法找到碰撞
  • Why we need q be a prime?
    • because we need to make sure that $y_1-y_0$ is always invertible
    • 对素数求mod时，除0外的所有数都是invertible的！
      • $gcd(y_1-y_0,q)=1$!
    • 假如$y_1-y_0=0$, 那么这个碰撞相同，不叫碰撞

• 实用性：

  • This method is not really used
    • it is relatively slow!
    • 每个hash都需要compute two exponentiations
  • Much much slower than SHA-256

Intractable problems with composites

• Consider the set of integers:
  • (e.g., for n = 1024)
  • ${\mathcal{Z}}_{(2)}(n)$ := {N = $p\cdot q$ where p and q are n-bit primes}
• Problem 1: Factor a random N in ${\mathcal{Z}}_{(2)}(n)$
  • e.g., for n = 1024
• Problem 2: Given a polynomial f(x) where degree(f) > 1
  • and a random N in ${\mathcal{Z}}_{(2)}n$
  • find x in ${\mathcal{Z}}_N$, s.t. f(x) = 0 in ${\mathcal{Z}}_N$
  • 如上一节所属，sqrt root/ cubic root is hard for composites polynomial

---

目前，总共三个hard problem:

• 离散对数
• 大数分解
• 合数上多项式方程求根

---

The factoring problem

“The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic”

• Gauss (1805)

  • 提出了两个问题：
    • factoring 大数分解
      • still hard!
    • primality testing 素性测试
      • has been completely solved

• Best known alg. (NFS)

  • run time $exp(O(\sqrt[3]{n}))$ for n-bit integer

• Current world recort:

  • RSA-768 (232 bits)
  • Work: two years on hundreds of machines
  • Factoring a 1024-bit integer
    • abou 1000 times harder
    • likely possible this decade
      • 根据Moore定律等

Futuer reading

• A computational Introduction to Number theory and Algebra, 2008

Next chapter:

• build cryptosystems using 本章的数学知识！