Cryptography Summer School July 10, 2018 Lecture 1: Introduction of Cryptography Instructor:王姿月 Scribe: ¬宜" 1 One way trapdoor function Consider f is a function with domain D and image R, let x 2 D, we can consider f(x) as an encryption. If computing the inverse function f −1 without any additional information is hard and f −1 has some trapdoor information which make the inverse easy to compute, then f is an one way trapdoor function. 2 Discrete logarithm problem Let G be a group, g 2 G and 〈g 〉:= fgnjn 2 Zg. The DLP is that, given h 2 〈g 〉, find an integer m such that h = gm. Examples that DLP are easy • (Z; +),n 2〈h 〉. Find m such that n = m ∗ h • (R×; · ),g 2 R×, h 2 〈g 〉. Find m such that h = gm Examples that DLP are hard Z Z × F× ∗ • (( =p ) ; · ) or (( q ) ; · ) • Elliptic Curves 3 Diffie-Hellman key exchange Let G be a group, g 2 G of order n. Alice and Bob choose a and b respectively, where 0 < a; b < n. Bob computes B = gb and send B to Alice. Similarly, Alice computes A = ga and send A to Bob. Then, they share the same secret C, where C = Ab = Ba. Now, there is another person Eve, who knows A and B by eavesdropping. For Eve, to solve C according to A and B is a DLP on G Z× Theorem 1 ( p ; · ) is a cyclic group Theorem 2 (Fermat Little Theorem) Let a 2 Z; p - a. Then ap−1 ≡ 1 (mod p) 1-1 4 Elgamal PKC Let p be a large prime, g 2 Zp with large prime order. First, Alice chooses a private key a (1 ≤ a ≤ p−1), computes A ≡ ga mod p and sends A to Bob. Bob chooses a plain text k k m and a random ephemeral k, and he uses A to compute c1 = g mod p and c2 = m ∗ A a −1 mod p. Then he sends (c1; c2) to Alice. Finally, Alice can compute (c1) ∗ c2 mod p to derive the plain text m. a ka k a −1 k −1 k (c1 = g = A mod p and (c1) ∗ c2 = (A ) ∗ mA = m mod p) 5 RSA Alice chooses secret primes p, q and encryption exponent e such that gcd(e; (p − 1)(q − 1)) = 1 then Alice publish (N; e), where N = p ∗ q. Bob chooses a plain text m 2 Zn, uses (N; e) to computes C = ml mod N and sends C to Alice. Alice can derive m by computing d such that e ∗ d = 1 mod (p − 1)(q − 1), and cd would be m mod N. (Verify: Since gcd(e; (p − 1)(q − 1)) = 1 =) 9 r; d 2 Z such that d ∗ e + r(p − 1)(q − 1) = 1 =) d ∗ e ≡ 1 mod (p − 1)(q − 1) =) cd = med = m1−r(p−1)(q−1) = m mod N) 6 Elliptic Curve Definition 1 Let K be a field. An elliptic curve E=K is a nonsingular curve given by an equation of the form 2 3 2 y + a1xy + a3y = x + a2x + a4x + a6, ai 2 K When charK 6= 2; 3, E=K can be describe as solution of y2 = x3 + Ax + B , 3 2 with 4 := 4A + 27B 6= 0. We will add a point fOEg(at infinity) and write 2 3 E(K) = f(x; y) 2 K × Kjy = x + Ax + Bg [ fOEg: 1-2.