CSE 291-I: Applied Cryptography Nadia Heninger UCSD Spring 2020 Lecture 8 Legal Notice The Zoom session for this class will be recorded and made available asynchronously on Canvas to registered students. Announcements 1. HW 3 is due today! Volunteer to grade! 2. HW 4 is due before class in 1 week, April 29. I fixed an error so check the web page again: API_KEY should be 256 bits. Last time: Authenticated encryption This time: Number theory review Fundamental theorem of arithemtic Theorem e e Every n Z n = 0 has unique factorization n = p 1 p 2 ...per 2 6 ± 1 2 r with pi distinct primes and ei positive integers. Division and remainder Theorem a, b Z, b > 0, unique q, r Z s.t. a = bq + r, 0 r < b. 2 9 2 r a mod bamod b = a b a ⌘ − b b c Because we’re in CS, we also write r = a mod b. b a a mod b = 0 | () a = b mod N: (a mod N)=(b mod N) a = b mod N N (a b) () | − - l isan ok N l (b-a) too l ) multiplier Proof. Let I = sa + rb r, s Z Let d be the smallest positive elt. of I . { | 2 } d divides every element of I : • 1. Choose c = sc a + rc b. 2. c = qd + r: r = c qd = s a r b q(ax +by )=(s qx)a+(r qy)b I − c − c − c − c − 2 Thus r = 0byminimalityofd, thus d c. | d is largest: Assume d > d s.t. d a, • 9 0 0 | d b = d xa + yb 0 | ) 0 | = d d but d > d contradiction. ) 0 | 0 GCDs and Extended Euclidean Algorithm gcd(a, b):greatest common divisor d s.t. d a and d b | | Theorem (Extended Euclidean Algorithm) a, b Z (and positive) x, y Z s.t. ax + by = gcd(a, b) 2 9 2 d is largest: Assume d > d s.t. d a, • 9 0 0 | d b = d xa + yb 0 | ) 0 | = d d but d > d contradiction. ) 0 | 0 GCDs and Extended Euclidean Algorithm gcd(a, b):greatest common divisor d s.t. d a and d b | | Theorem (Extended Euclidean Algorithm) a, b Z (and positive) x, y Z s.t. ax + by = gcd(a, b) 2 9 2 Proof. Let I = sa + rb r, s Z Let d be the smallest positive elt. of I . { | 2 } d divides every element of I : • 1. Choose c = sc a + rc b. 2. c = qd + r: r = c qd = s a 1 r b q(ax +by )=(s qx)a+(r qy)b I − c − c − c − c − 2 Thus r = 0byminimalityofd, thus d c. | GCDs and Extended Euclidean Algorithm gcd(a, b):greatest common divisor d s.t. d a and d b | | Theorem (Extended Euclidean Algorithm) a, b Z (and positive) x, y Z s.t. ax + by = gcd(a, b) 2 9 2 - Proof. Let I = sa + rb r, s Z Let d be the smallest positive elt. of I . { | 2 } d divides every element of I : • 1. Choose c = sc a + rc b. 2. c = qd + r: r = c qd = s a r b q(ax +by )=(s qx)a+(r qy)b I − c − c − c − c − 2 Thus r = 0byminimalityofd, thus d c. | d is largest: Assume d > d s.t. d a, • 9 0 0 | d b = d xa + yb 0 | ) 0 | = d d but d > d contradiction. ) 0 | 0 Facts about ideals: 0 I :0 a = 0 I • 2 · 2 a I = a I : a ( 1)= a I • 2 ) 2 · − − 2 a, b I = a b I • 2 ) − 2 Math version: Ideals We defined I = sa + rb r, s Z . { | 2 } a b I is an ideal of Z. ↳not thesane , I Z • ✓ Closed under addition: xa, b I = xa + b I • x 2 ) x 2 Closed under multiplication in Z: ax I , z Z = xaz I • 2 2 ) 2 Math version: Ideals We defined I = sa + rb r, s Z . { | 2 } I is an ideal of Z. I Z • ✓ Closed under addition: a, b I = a + b I • 2 ) 2 Closed under multiplication in Z: a I , z Z = az I • 2 2 ) 2 Facts about ideals: 0 I :0 a = 0 I • 2 · 2 a I = a I : a ( 1)= a I • 2 ) 2 · − − 2 a, b I = a b I • 2 ) − 2 is an ideal • Z 1 I = I = Z • 2 ) aZ = az z Z =“idealgeneratedbya” • { | 2 } “principal ideal”: ideal of form a • Z Theorem All ideals of Z are principal. In short: aZ + bZ = dZ, d = gcd(a, b) Principal ideals More facts about ideals: 0 is an ideal • { } 1 I = I = Z • 2 ) aZ = az z Z =“idealgeneratedbya” • { | 2 } “principal ideal”: ideal of form a • Z Theorem All ideals of Z are principal. In short: aZ + bZ = dZ, d = gcd(a, b) Principal ideals More facts about ideals: 0 is an ideal • { } x ' of2 U closedunder TV by 2 ✓ is an ideal . subset • Z properties : sketch 2 closed under t closedunder xby E aZ = az z Z =“idealgeneratedbya” • { | 2 } “principal ideal”: ideal of form a • Z Theorem All ideals of Z are principal. In short: aZ + bZ = dZ, d = gcd(a, b) Principal ideals properties : sketch 2 closed under t More facts about ideals: closedunder x by 2 0 is an ideal • { } is an ideal • Z 1 I = I = Z • 2 ) “principal ideal”: ideal of form a • Z Theorem All ideals of Z are principal. In short: aZ + bZ = dZ, d = gcd(a, b) Principal ideals properties : sketch 2 closed under t More facts about ideals: closedunder x by 2 0 is an ideal • { } is an ideal • Z 1 I = I = Z • 2 ) aZ = az z Z =“idealgeneratedbya” • { | 2 } Principal ideals More facts about ideals: 0 is an ideal • { } is an ideal • Z 1 I = I = Z • 2 ) aZ = az z Z =“idealgeneratedbya” • { | 2 } “principal ideal”: ideal of form a • Z Theorem All ideals of Z are principal. In short: aZ + bZ = dZ, d = gcd(a, b) Euclidean Algorithm Input: a, b Z 2 Output: d = gcd(a, b) If b = 0: return a else: return gcd(b, a mod b) Extended Euclidean Algorithm Input: a, b Z 2 Output: d, x, y with d = gcd(a, b), ax + by = d If b a: | return b, 0, 1 else: compute a = qb + r d, x, y = egcd(b, r) (xb + yr = d) return (d, y, x yq) − Theorem The Extended Euclidean Algorithm runs in time O(lg(a)lg(b)). Theorem If c ab, gcd(a, c)=1 = c b | ) | Proof. = ) ab 1 mod N ⌘ ab = 1 + cN ab cN = 1 = gcd(a, N)=1 − ) = ax + Ny = 1 = x = a 1 mod N ( ) − Modular inverses Inverse of b mod N: bb 1 1 mod N − ⌘ Not defined if b not invertible. • 0hasnoinverse. • Theorem a invertible modN gcd(a, N)=1 () = ax + Ny = 1 = x = a 1 mod N ( ) − Modular inverses Inverse of b mod N: bb 1 1 mod N − ⌘ Not defined if b not invertible. • 0hasnoinverse. • Theorem a invertible modN gcd(a, N)=1 () Proof. = ) ab 1 mod N ⌘ ab = 1 + cN ab cN = 1 = gcd(a, N)=1 − ) Modular inverses 1 Inverse of b mod N: bb− 1 mod N Purposes ⌘ module Not defined if b not invertible. Compute • 0hasnoinverse. inverses using • extended GCD algorithm. Theorem a invertible modN gcd(a, N)=1 () Proof. = ) ab 1 mod N ⌘ ab = 1 + cN ab cN = 1 = gcd(a, N)=1 − ) = ax + Ny = 1 = x = a 1 mod N ( ) − Abelian group: commutative: g, hg h = h g • 8 ◦ ◦ Cyclic group: G =(a , ) (G is generated by one element) • h i ◦ Groups Group: (S, ) with S asetand an operation ◦ ◦ G is a group if: closed under operation • ◦ identity: e G s.t. e g = g = g e g G • 2 ◦ ◦ 8 2 inverses: g G h G s.t. g h = e = h g • 8 2 9 2 ◦ ◦ associative: (g g ) g = g (g g ) • 1 ◦ 2 ◦ 3 1 ◦ 2 ◦ 3 Cyclic group: G =(a , ) (G is generated by one element) • h i ◦ Groups Group: (S, ) with S asetand an operation ◦ ◦ G is a group if: closed under operation • ◦ identity: e G s.t. e g = g = g e g G • 2 ◦ ◦ 8 2 inverses: g G h G s.t. g h = e = h g • 8 2 9 2 ◦ ◦ associative: (g g ) g = g (g g ) • 1 ◦ 2 ◦ 3 1 ◦ 2 ◦ 3 Abelian group: commutative: g, hg h = h g • 8 2 ◦ ◦ Groups Group: (S, ) with S asetand an operation ◦ ◦ G is a group if: closed under operation • ◦ identity: e G s.t. e g = g = g e g G • 2 ◦ ◦ 8 2 inverses: g G h G s.t. g h = e = h g • 8 2 9 2 ◦ ◦ associative: (g g ) g = g (g g ) • 1 ◦ 2 ◦ 3 1 ◦ 2 ◦ 3 Abelian group: commutative: g, hg h = h g • 8 ◦ ◦ Cyclic group: G =(a , ) (G is generated by one element) • h i ◦ Z not a group with • ⇥ ( mod N, +) is a group • Z cyclic, generated by 1 (Z mod N, ) is not a group • ⇥ ( 1, 2,...,p 1 mod p, ) is a group if p prime • { − } ⇥ “multiplicative group mod p” Zp⇤ Examples of groups abelian group with + • Z identity = 0, inverse = g,cyclic,generatedby1 − ( mod N, +) is a group • Z cyclic, generated by 1 (Z mod N, ) is not a group • ⇥ ( 1, 2,...,p 1 mod p, ) is a group if p prime • { − } ⇥ “multiplicative group mod p” Zp⇤ Examples of groups abelian group with + • Z identity = 0, inverse = g,cyclic,generatedby1 − 2 hasno inane ME) Z not a group with ( no inverses : e.