Lecture Slides

CSE 291-I: Applied Cryptography

Nadia Heninger UCSD

Spring 2020 Lecture 8 Legal Notice

The Zoom session for this class will be recorded and made available asynchronously on Canvas to registered students. Announcements

1. HW 3 is due today! Volunteer to grade!

2. HW 4 is due before class in 1 week, April 29. I ﬁxed an error so check the web page again: API_KEY should be 256 bits. Last time: Authenticated encryption

This time: Number theory review Fundamental theorem of arithemtic

Theorem e e Every n Z n = 0 has unique factorization n = p 1 p 2 ...per 2 6 ± 1 2 r with pi distinct primes and ei positive integers. Division and remainder

Theorem a, b Z, b > 0, unique q, r Z s.t. a = bq + r, 0 r < b. 2 9 2  r a mod bamod b = a b a ⌘ b b c Because we’re in CS, we also write r = a mod b.

b a a mod b = 0 | () a = b mod N: (a mod N)=(b mod N)

a = b mod N N (a b) () | - l isan ok N l (b-a) too l ) multiplier Proof. Let I = sa + rb r, s Z Let d be the smallest positive elt. of I . { | 2 } d divides every element of I : • 1. Choose c = sc a + rc b. 2. c = qd + r: r = c qd = s a r b q(ax +by )=(s qx)a+(r qy)b I c c c c 2 Thus r = 0byminimalityofd, thus d c. | d is largest: Assume d > d s.t. d a, • 9 0 0 | d b = d xa + yb 0 | ) 0 | = d d but d > d contradiction. ) 0 | 0

GCDs and Extended Euclidean Algorithm gcd(a, b):greatest common divisor d s.t. d a and d b | |

Theorem (Extended Euclidean Algorithm) a, b Z (and positive) x, y Z s.t. ax + by = gcd(a, b) 2 9 2 d is largest: Assume d > d s.t. d a, • 9 0 0 | d b = d xa + yb 0 | ) 0 | = d d but d > d contradiction. ) 0 | 0

GCDs and Extended Euclidean Algorithm gcd(a, b):greatest common divisor d s.t. d a and d b | |

Theorem (Extended Euclidean Algorithm) a, b Z (and positive) x, y Z s.t. ax + by = gcd(a, b) 2 9 2 Proof. Let I = sa + rb r, s Z Let d be the smallest positive elt. of I . { | 2 } d divides every element of I : • 1. Choose c = sc a + rc b. 2. c = qd + r: r = c qd = s a 1 r b q(ax +by )=(s qx)a+(r qy)b I c c c c 2 Thus r = 0byminimalityofd, thus d c. | GCDs and Extended Euclidean Algorithm gcd(a, b):greatest common divisor d s.t. d a and d b | |

Theorem (Extended Euclidean Algorithm) a, b Z (and positive) x, y Z s.t. ax + by = gcd(a, b) 2 9 2 - Proof. Let I = sa + rb r, s Z Let d be the smallest positive elt. of I . { | 2 } d divides every element of I : • 1. Choose c = sc a + rc b. 2. c = qd + r: r = c qd = s a r b q(ax +by )=(s qx)a+(r qy)b I c c c c 2 Thus r = 0byminimalityofd, thus d c. | d is largest: Assume d > d s.t. d a, • 9 0 0 | d b = d xa + yb 0 | ) 0 | = d d but d > d contradiction. ) 0 | 0 Facts about ideals: 0 I :0 a = 0 I • 2 · 2 a I = a I : a ( 1)= a I • 2 ) 2 · 2 a, b I = a b I • 2 ) 2

Math version: Ideals

We deﬁned I = sa + rb r, s Z . { | 2 } a b I is an ideal of Z. ↳not thesane , I Z • ✓ Closed under addition: xa, b I = xa + b I • x 2 ) x 2 Closed under multiplication in Z: ax I , z Z = xaz I • 2 2 ) 2 Math version: Ideals

We deﬁned I = sa + rb r, s Z . { | 2 } I is an ideal of Z. I Z • ✓ Closed under addition: a, b I = a + b I • 2 ) 2 Closed under multiplication in Z: a I , z Z = az I • 2 2 ) 2

Facts about ideals: 0 I :0 a = 0 I • 2 · 2 a I = a I : a ( 1)= a I • 2 ) 2 · 2 a, b I = a b I • 2 ) 2 is an ideal • Z 1 I = I = Z • 2 ) aZ = az z Z =“idealgeneratedbya” • { | 2 } “principal ideal”: ideal of form a • Z Theorem All ideals of Z are principal.

In short: aZ + bZ = dZ, d = gcd(a, b)

Principal ideals

More facts about ideals: 0 is an ideal • { } 1 I = I = Z • 2 ) aZ = az z Z =“idealgeneratedbya” • { | 2 } “principal ideal”: ideal of form a • Z Theorem All ideals of Z are principal.

In short: aZ + bZ = dZ, d = gcd(a, b)

Principal ideals

More facts about ideals: 0 is an ideal • { } x ' of2 U closedunder TV by 2 ✓ is an ideal . subset • Z

properties : sketch 2 closed under t

closedunder xby E aZ = az z Z =“idealgeneratedbya” • { | 2 } “principal ideal”: ideal of form a • Z Theorem All ideals of Z are principal.

In short: aZ + bZ = dZ, d = gcd(a, b)

Principal ideals properties : sketch 2 closed under t

More facts about ideals: closedunder x by 2 0 is an ideal • { } is an ideal • Z 1 I = I = Z • 2 ) “principal ideal”: ideal of form a • Z Theorem All ideals of Z are principal.

In short: aZ + bZ = dZ, d = gcd(a, b)

Principal ideals properties : sketch 2 closed under t

More facts about ideals: closedunder x by 2 0 is an ideal • { } is an ideal • Z 1 I = I = Z • 2 ) aZ = az z Z =“idealgeneratedbya” • { | 2 } Principal ideals

More facts about ideals: 0 is an ideal • { } is an ideal • Z 1 I = I = Z • 2 ) aZ = az z Z =“idealgeneratedbya” • { | 2 } “principal ideal”: ideal of form a • Z Theorem All ideals of Z are principal.

In short: aZ + bZ = dZ, d = gcd(a, b) Euclidean Algorithm

Input: a, b Z 2 Output: d = gcd(a, b)

If b = 0: return a else: return gcd(b, a mod b) Extended Euclidean Algorithm

Input: a, b Z 2 Output: d, x, y with d = gcd(a, b), ax + by = d

If b a: | return b, 0, 1 else: compute a = qb + r d, x, y = egcd(b, r) (xb + yr = d) return (d, y, x yq)

Theorem The Extended Euclidean Algorithm runs in time O(lg(a)lg(b)). Theorem If c ab, gcd(a, c)=1 = c b | ) | Proof. = ) ab 1 mod N ⌘ ab = 1 + cN ab cN = 1 = gcd(a, N)=1 )

= ax + Ny = 1 = x = a 1 mod N ( )

Modular inverses Inverse of b mod N: bb 1 1 mod N ⌘ Not deﬁned if b not invertible. • 0hasnoinverse. • Theorem a invertible modN gcd(a, N)=1 () = ax + Ny = 1 = x = a 1 mod N ( )

Modular inverses Inverse of b mod N: bb 1 1 mod N ⌘ Not deﬁned if b not invertible. • 0hasnoinverse. • Theorem a invertible modN gcd(a, N)=1 () Proof. = ) ab 1 mod N ⌘ ab = 1 + cN ab cN = 1 = gcd(a, N)=1 ) Modular inverses 1 Inverse of b mod N: bb 1 mod N Purposes ⌘ module Not deﬁned if b not invertible. Compute • 0hasnoinverse. inverses using • extended GCD algorithm. Theorem a invertible modN gcd(a, N)=1 () Proof. = ) ab 1 mod N ⌘ ab = 1 + cN ab cN = 1 = gcd(a, N)=1 )

= ax + Ny = 1 = x = a 1 mod N ( ) Abelian group: commutative: g, hg h = h g • 8 Cyclic group: G =(a , ) (G is generated by one element) • h i

Groups

Group: (S, ) with S asetand an operation G is a group if: closed under operation • identity: e G s.t. e g = g = g e g G • 2 8 2 inverses: g G h G s.t. g h = e = h g • 8 2 9 2 associative: (g g ) g = g (g g ) • 1 2 3 1 2 3 Abelian group: commutative: g, hg h = h g • 8 Cyclic group: G =(a , ) (G is generated by one element) • h i Z not a group with • ⇥ ( mod N, +) is a group • Z cyclic, generated by 1

(Z mod N, ) is not a group • ⇥ ( 1, 2,...,p 1 mod p, ) is a group if p prime • { } ⇥ “multiplicative group mod p” Zp⇤

Examples of groups

abelian group with + • Z identity = 0, inverse = g,cyclic,generatedby1 ( mod N, +) is a group • Z cyclic, generated by 1

(Z mod N, ) is not a group • ⇥ ( 1, 2,...,p 1 mod p, ) is a group if p prime • { } ⇥ “multiplicative group mod p” Zp⇤

Examples of groups

abelian group with + • Z identity = 0, inverse = g,cyclic,generatedby1

2 hasno inane ME) Z not a group with ( no inverses : e. s . • ⇥ (Z mod N, ) is not a group • ⇥ ( 1, 2,...,p 1 mod p, ) is a group if p prime • { } ⇥ “multiplicative group mod p” Zp⇤

Examples of groups

abelian group with + • Z identity = 0, inverse = g,cyclic,generatedby1 Z not a group with • ⇥ ( mod N, +) is a group • Z cyclic, generated by 1 ( 1, 2,...,p 1 mod p, ) is a group if p prime • { } ⇥ “multiplicative group mod p” Zp⇤

Examples of groups

abelian group with + • Z identity = 0, inverse = g,cyclic,generatedby1 Z not a group with • ⇥ ( mod N, +) is a group • Z cyclic, generated by 1

(Z mod N, ) is not a group O hasno inverse • Il ⇥ Ca N) El . ) - N rel if la ) not (god , . N , Gil .. D prine , , ⇒a has no inure Examples of groups

abelian group with + • Z identity = 0, inverse = g,cyclic,generatedby1 Z not a group with • ⇥ ( mod N, +) is a group • Z cyclic, generated by 1

(Z mod N, ) is not a group • ⇥ ( 1, 2,...,p 1 mod p, ) is a group if p prime • { } ⇥ “multiplicative group mod p” Zp⇤

- closed ✓

: - identity I ✓ ⇒ inure V - inverse : ) =/ frae gcdla, p Epa Multiplicative group mod p

Z⇤ =( 1, 2,...,p 1 mod p, ) is a group if p is prime p { } ⇥ a G = a = a, a2, a3,...,ap 1 Is cyclic: s.t. / . 9 h i { } Not every a G generates G: g might be a subgroup of G. 2 h i Group orders in Zp⇤

eﬃcent p.p.t alg. to ﬁnd generator if factorization of p 1is 9 known Corollary (Fermat’s little theorem) p prime, ap 1 1 mod p ⌘

Fermat’s little theorem

Theorem G an abelian group with G = m = g m = 1 g G | | ) 8 2 Proof. g g g =(gg ) (gg ) (gg )=g m (g g ...g ) 1 2 ··· m 1 2 ··· m 1 2 m 1 1 1 Multiply each side by g g ...g . 1 2 m Fermat’s little theorem

Theorem G an abelian group with G = m = g m = 1 g G | | ) 8 2 Proof. g g g =(gg ) (gg ) (gg )=g m (g g ...g ) 1 2 ··· m 1 2 ··· m 1 2 m 1 1 1 Multiply each side by g g ...g . 1 2 m - - . . = " - . , gog , gi gog gj

Corollary (Fermat’s little theorem) p prime, ap 1 1 mod p ⌘ - I 12pm =p Computations with modular arithmetic

Eﬃcient: Addition • Subtraction • Multiplication • Inversion (using GCD algorithm) • Modular exponentiation • Eﬃcient modular exponentiation

Ineﬃcient exponentiation: g a = g g ...gatimes: not poly-time in lg a -· a times Eﬃcient exponentiation: Square and multiply (left-to-right) Input: base b,exponenta,modulusm

Output: ba mod m Vulnerability "

Algorithm: I f-attack- can measure decryption result = 1 time :

for i from `...0(a has ` bits) - If a is a secret result = result2 mod m cryptographic

- branches + if a[i]=1: (bit i of a is 1) program running time bits result = result b mod m depend on the at a · return result Discrete log

" " Inverse operator for modular exponentiation

No general-purpose eﬃcient algorithms.

Discrete log Given y, g ﬁnd x s.t. g x y mod p ⌘

current discrete log record mud p : 295 bits bib Current factory record: 830

field sieve Bestalgoithm : Number subetponertrl time