Summer School July 10, 2018 Lecture 1: Introduction to Cryptography Instructor: 王姿月 Scribe: 馬宜訢

1 One-way trapdoor function

Let f be a function with domain D and image R, and let $x \in D$; we can consider f(x) as an . If computing the inverse function $f^{-1}$ without any additional information is hard, but $f^{-1}$ becomes easy to compute given some trapdoor information, then f is a one-way trapdoor function.

2 Discrete logarithm problem

Let G be a group, $g \in G$, and $\langle g \rangle := \{g^n \mid n \in \mathbb{Z}\}$. The discrete logarithm problem (DLP) is: given $h \in \langle g \rangle$, find an integer m such that $h = g^m$.

Examples where the DLP is easy:

• $(\mathbb{Z}, +)$, $n \in \langle h \rangle$. Find m such that $n = m \cdot h$.

• $(\mathbb{R}^{\times}, \cdot)$, $g \in \mathbb{R}^{\times}$, $h \in \langle g \rangle$. Find m such that $h = g^m$.

Examples where the DLP is hard:

• $((\mathbb{Z}/p\mathbb{Z})^{\times}, \cdot)$ or $(\mathbb{F}^{\times}, \cdot)$

• Elliptic curves

3 Diffie-Hellman key exchange

Let G be a group and $g \in G$ of order n. Alice and Bob choose a and b respectively, where $0 < a, b < n$. Bob computes $B = g^b$ and sends B to Alice; similarly, Alice computes $A = g^a$ and sends A to Bob. Then they share the same secret C, where $C = A^b = B^a$. Now suppose a third person, Eve, learns A and B by eavesdropping. For Eve, recovering C from A and B is a DLP on G.

Theorem 1. $(\mathbb{Z}_p^{\times}, \cdot)$ is a cyclic group.

Theorem 2 (Fermat's Little Theorem). Let $a \in \mathbb{Z}$ with $p \nmid a$. Then $a^{p-1} \equiv 1 \pmod p$.

4 ElGamal PKC

Let p be a large prime and $g \in \mathbb{Z}_p$ an element of large prime order. First, Alice chooses a private key a ($1 \le a \le p-1$), computes $A \equiv g^a \pmod p$ and sends A to Bob. Bob chooses a plaintext m and a random ephemeral key k, and uses A to compute $c_1 = g^k \bmod p$ and $c_2 = m \cdot A^k \bmod p$. Then he sends $(c_1, c_2)$ to Alice. Finally, Alice computes $(c_1^a)^{-1} \cdot c_2 \bmod p$ to recover the plaintext m. (Verify: $c_1^a = g^{ka} = A^k \bmod p$, and $(c_1^a)^{-1} \cdot c_2 = (A^k)^{-1} \cdot m A^k = m \bmod p$.)
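A worked example of sections 3 and 4, added here and not part of the scribe notes: Diffie-Hellman agreement and ElGamal encryption over $(\mathbb{Z}/p\mathbb{Z})^{\times}$ in Python, with constructed toy parameters p = 467, q = 233, g = 4 (so g has prime order q) and exponents drawn below q rather than up to p−1 (an assumption of this example). The brute-force discrete log at the end shows that the group size, not the algebra, is what carries the security.

```python
import secrets

# Constructed toy parameters (not from the notes): p = 2q + 1 with q prime,
# and g = 4 has prime order q in (Z/pZ)^x (2 has order p-1 here, so its
# square has order q). Real systems use p of thousands of bits.
P, Q, G = 467, 233, 4

def dh_keypair(p=P, q=Q, g=G):
    """Private exponent a with 0 < a < q and public value A = g^a mod p."""
    a = secrets.randbelow(q - 1) + 1
    return a, pow(g, a, p)

def dh_shared(priv, other_pub, p=P):
    """C = B^a = A^b mod p: both parties reach the same group element."""
    return pow(other_pub, priv, p)

def elgamal_encrypt(m, A, p=P, q=Q, g=G):
    """Bob: fresh ephemeral k, c1 = g^k mod p, c2 = m * A^k mod p."""
    if not 1 <= m < p:
        raise ValueError("plaintext must be a nonzero residue mod p")
    k = secrets.randbelow(q - 1) + 1  # never reuse k across messages
    return pow(g, k, p), (m * pow(A, k, p)) % p

def elgamal_decrypt(a, c1, c2, p=P):
    """Alice: (c1^a)^{-1} * c2 = (A^k)^{-1} * m * A^k = m mod p."""
    return (pow(pow(c1, a, p), -1, p) * c2) % p

def dlog_bruteforce(h, g=G, p=P, q=Q):
    """Solve h = g^m by exhaustive search; feasible only because q is tiny."""
    for m in range(q):
        if pow(g, m, p) == h:
            return m
    return None

def demo():
    a, A = dh_keypair()          # Alice
    b, B = dh_keypair()          # Bob
    assert dh_shared(a, B) == dh_shared(b, A)
    c1, c2 = elgamal_encrypt(123, A)
    assert elgamal_decrypt(a, c1, c2) == 123
    # Eve recovers Alice's private exponent from A alone because the group
    # is small; with a properly sized p this search is infeasible.
    assert dlog_bruteforce(A) == a
    return True

if __name__ == "__main__":
    print("all checks passed" if demo() else "failed")
```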

5 RSA

Alice chooses secret primes p, q and an encryption exponent e such that $\gcd(e, (p-1)(q-1)) = 1$; then Alice publishes (N, e), where $N = p \cdot q$. Bob chooses a plaintext $m \in \mathbb{Z}_N$, uses (N, e) to compute $C = m^e \bmod N$ and sends C to Alice. Alice can derive m by computing d such that $e \cdot d \equiv 1 \pmod{(p-1)(q-1)}$; then $C^d \equiv m \pmod N$. (Verify: since $\gcd(e, (p-1)(q-1)) = 1$, there exist $r, d \in \mathbb{Z}$ such that $d \cdot e + r(p-1)(q-1) = 1$, so $d \cdot e \equiv 1 \pmod{(p-1)(q-1)}$ and $C^d = m^{ed} = m^{1 - r(p-1)(q-1)} = m \pmod N$.)

6 Elliptic Curve

Definition 1. Let K be a field. An elliptic curve E/K is a nonsingular curve given by an equation of the form $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$, $a_i \in K$.

When $\operatorname{char} K \neq 2, 3$, E/K can be described as the solution set of $y^2 = x^3 + Ax + B$, with $\Delta := 4A^3 + 27B^2 \neq 0$. We add a point $O_E$ (at infinity) and write

$E(K) = \{(x, y) \in K \times K \mid y^2 = x^3 + Ax + B\} \cup \{O_E\}$.
