CS6701 CRYPTOGRAPHY AND
NETWORK SECURITY
UNIT – I
Dr.A.Kathirvel, Professor, Dept of CSE
M.N.M Jain Engineering College, Chennai
UNIT - I
Services, Mechanisms and attacks-the OSI security
architecture-Network security model-
classical Encryption techniques (Symmetric cipher
model, substitution techniques, transposition
techniques, steganography).FINITE FIELDS AND
NUMBER THEORY: Groups, Rings, Fields-Modular
arithmetic- Euclid’s algorithm-Finite fields-
Polynomial Arithmetic –Prime numbers-Fermat’s and
Euler’s theorem- Testing for primality -The Chinese
remainder theorem- Discrete logarithms.
BACKGROUND
• Information Security requirements have
changed in recent times
• traditionally provided by physical and
administrative mechanisms
• computer use requires automated tools to
protect files and other stored information
• use of networks and communications links
requires measures to protect data during
transmission
DEFINITIONS
• Computer Security - generic name for
the collection of tools designed to
protect data and to thwart hackers
• Network Security - measures to
protect data during their transmission
• Internet Security - measures to protect
data during their transmission over a
collection of interconnected networks
AIM OF COURSE
• our focus is on Internet Security
• which consists of measures to deter,
prevent, detect, and correct security
violations that involve the transmission &
storage of information
SECURITY TRENDS (figure only)
OSI SECURITY ARCHITECTURE
• ITU-T X.800 “Security Architecture for OSI”
• defines a systematic way of defining and
providing security requirements
• for us it provides a useful, if abstract, overview
of concepts we will study
ASPECTS OF SECURITY
• consider 3 aspects of information
security:
–security attack
–security mechanism
–security service
SECURITY ATTACK
• any action that compromises the security of
information owned by an organization
• information security is about how to prevent
attacks, or failing that, to detect attacks on
information-based systems
• the terms threat and attack are often used to mean the same thing
• there is a wide range of attacks
• can focus on two generic types of attacks
– passive
– active
PASSIVE ATTACKS
• eavesdropping on, or monitoring of, transmissions; the goal is to obtain the information being transmitted
• two types: release of message contents, and traffic analysis
• hard to detect, so the emphasis is on prevention (encryption)
ACTIVE ATTACKS
• involve some modification of the data stream or the creation of a false stream
• four categories: masquerade, replay, modification of messages, denial of service
• hard to prevent absolutely, so the emphasis is on detection and recovery
SECURITY SERVICE
• enhance security of data processing systems
and information transfers of an organization
• intended to counter security attacks
• using one or more security mechanisms
• often replicates functions normally associated
with physical documents
–which, for example, have signatures, dates;
need protection from disclosure, tampering,
or destruction; be notarized or witnessed; be
recorded or licensed
SECURITY SERVICES
• X.800:
“a service provided by a protocol layer of
communicating open systems, which
ensures adequate security of the systems or
of data transfers”
• RFC 2828:
“a processing or communication service
provided by a system to give a specific kind
of protection to system resources”
SECURITY SERVICES (X.800)
• Authentication - assurance that the
communicating entity is the one claimed
• Access Control - prevention of the unauthorized
use of a resource
• Data Confidentiality –protection of data from
unauthorized disclosure
• Data Integrity - assurance that data received is as
sent by an authorized entity
• Non-Repudiation - protection against denial by
one of the parties in a communication
SECURITY MECHANISM
• feature designed to detect, prevent, or
recover from a security attack
• no single mechanism that will support all
services required
• however one particular element underlies
many of the security mechanisms in use:
–cryptographic techniques
• hence our focus on this topic
SECURITY MECHANISMS (X.800)
• specific security mechanisms:
–encipherment, digital signatures, access
controls, data integrity, authentication
exchange, traffic padding, routing control,
notarization
• pervasive security mechanisms:
–trusted functionality, security labels, event
detection, security audit trails, security
recovery
MODEL FOR NETWORK SECURITY
• using this model requires us to:
1. design a suitable algorithm for the security
transformation
2. generate the secret information (keys) used by
the algorithm
3. develop methods to distribute and share the
secret information
4. specify a protocol enabling the principals to use
the transformation and secret information for a
security service
MODEL FOR NETWORK ACCESS SECURITY
• using this model requires us to:
1. select appropriate gatekeeper functions to
identify users
2. implement security controls to ensure only
authorised users access designated information
or resources
• trusted computer systems may be useful to help
implement this model
SUMMARY
• have considered:
–definitions for:
•computer, network, internet security
• X.800 standard
• security attacks, services, mechanisms
• models for network (access) security
Classical Encryption Techniques
CRYPTOGRAPHY
• Cryptography is the study of secret (crypto-)
writing (-graphy)
• Concerned with developing algorithms which may be
used to:
– Conceal the content of some message from all except the sender and recipient (privacy or secrecy), and/or
– Verify the correctness of a message to the recipient
(authentication or integrity)
• Basis of many technological solutions to computer and
communications security problems
BASIC TERMINOLOGY
• Cryptography - The art or science encompassing the principles and methods of transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form
• Plaintext - The original intelligible message
• Ciphertext - The transformed message
• Cipher - An algorithm for transforming an intelligible
message into one that is unintelligible by transposition
and/or substitution methods
• Key - Some critical information used by the cipher,
known only to the sender & receiver
BASIC TERMINOLOGY - 2
• Encipher (encode) - Process of converting plaintext to ciphertext using a cipher and a key
• Decipher (decode) - The process of converting ciphertext back into plaintext using a cipher and a key
• Cryptanalysis (codebreaking) - The study of principles and methods of transforming an unintelligible message back into an intelligible message without knowledge of the key
• Cryptology - The field encompassing both cryptography and cryptanalysis
BASIC TERMINOLOGY - 3
• Encryption
– The mathematical function mapping plaintext to ciphertext using the specified key:
Y = E_K(X) or E(K, X)
• Decryption
– The mathematical function mapping ciphertext to plaintext using the specified key:
X = D_K(Y) or D(K, Y) = E_K^{-1}(Y)
BASIC TERMINOLOGY - 4
• Cryptographic system (Cryptosystem)
A cryptosystem is a five-tuple (P, C, K, E, D), where the following conditions are satisfied:
1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. K, the keyspace, is a finite set of possible keys
4. For each K ∈ K, there is an encryption rule E_K ∈ E and a corresponding decryption rule D_K ∈ D. Each E_K : P → C and D_K : C → P are functions such that D_K(E_K(X)) = X for every plaintext X ∈ P.
SIMPLIFIED CONVENTIONAL ENCRYPTION MODEL
• Requirements
1. A strong encryption algorithm
2. Sender and receiver share the secret key, exchanged in a secure fashion
• Conventional encryption is also called
– Secret-Key (vs. Public-Key)
– Single-Key (vs. Two-Key)
– Symmetric (vs. Asymmetric)
Kerckhoffs's Principle
“Encryption algorithms being used should be assumed to be publicly known and the security of the algorithm should reside only in the key chosen”
CONVENTIONAL CRYPTOSYSTEM MODEL (figure only)
CRYPTANALYSIS
• Process of attempting to discover X (the plaintext) or K (the key) or both
• Various types of cryptanalytic attacks, classified by what the attacker has to work with:
– ciphertext only
– known plaintext (and the closely related probable-word attack)
– chosen plaintext (e.g., differential cryptanalysis)
– chosen ciphertext, chosen text
EXHAUSTIVE KEY SEARCH
• Brute-force attack
• Always theoretically possible to simply try every key
• Most basic attack; the effort is proportional to the size of the key space, i.e. exponential in the key length (2^k keys for a k-bit key, half of them tried on average)
• Assumes the attacker either knows or can recognize the plaintext when it is found
– Table: Average Time Required for Exhaustive Key Search (figure only)
UNCONDITIONAL AND COMPUTATIONAL SECURITY
• Unconditionally secure (perfectly secure)
– No matter how much computer power is
available, the cipher cannot be broken since
the ciphertext provides insufficient
information to uniquely determine the
corresponding plaintext
• Computationally secure
– The cost of breaking the security exceeds the
value of the secured service or information.
– The time required to break the security
exceeds the useful lifetime of the information
CLASSICAL ENCRYPTION TECHNIQUES
• Substitution Techniques
–Caesar Cipher
–Monoalphabetic Ciphers
–Playfair Cipher
–Hill Cipher
–Polyalphabetic Ciphers
–One-Time Pad
CLASSICAL ENCRYPTION TECHNIQUES (cont.)
• Transposition (Permutation) Techniques
–Rail Fence Technique
–Block (Columnar) Transposition Technique
• Product Techniques
–Substitution and transposition ciphers are concatenated
CAESAR CIPHER
• 2000 years ago, by Julius Caesar
• A simple substitution cipher, known as Caesar
cipher
• Replace each letter with the letter standing 3
places further down the alphabet
–Plain: meet me after the toga party
–Cipher: PHHW PH DIWHU WKH WRJD
SDUWB
• No key, just one fixed mapping (translation by 3):
Plain:  abcdefghijklmnopqrstuvwxyz
Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC
• c_i = E(3, p_i) = (p_i + 3) mod 26;
p_i = D(3, c_i) = (c_i - 3) mod 26
GENERALIZED CAESAR CIPHER
• Can use any shift from 1 to 25, i.e.,
replace each letter by a letter a fixed
distance away
ci=E(k,pi)=(pi+k) mod 26;
pi=D(k,ci)=(ci-k) mod 26
• Shift cipher
• Key = k
• Key letter: the letter a plaintext A
maps to
–e.g. a key letter of F means A maps to
F, B to G, …, Y to D, Z to E
• Hence have 26 (25 useful) ciphers
–Key space = 26
BRUTE-FORCE CRYPTANALYSIS OF CAESAR CIPHER
• Ciphertext only attack
• Characteristics for success:
1. The encryption and decryption algorithms are known
2. There are only 25 keys to try
3. The language of the plaintext is known and easily recognizable
AFFINE CIPHER
• c_i = E(k, p_i) = (k1·p_i + k2) mod 26, with gcd(k1, 26) = 1;
p_i = D(k, c_i) = k1^{-1}·(c_i - k2) mod 26
• Key k = (k1, k2)
• Number of keys = φ(26) × 26 = 12 × 26 = 312
φ(m) := the number of integers in Z_m that are relatively prime to m
k1 ∈ {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25}
• Caesar/Shift ciphers are special cases of affine ciphers (k1 = 1)
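The shift and affine ciphers above, with the brute-force (ciphertext-only) attack of the previous slide, as an added example that is not part of the original slides. The English letter-frequency table used to rank candidate decryptions is a constructed approximation of the standard published figures; everything else follows the formulas on the slides (the 26 shifts are the affine keys with k1 = 1).

```python
# Added example (not from the original slides): shift (generalized Caesar) and
# affine ciphers over the 26-letter alphabet, plus a ciphertext-only brute force
# over all 312 affine keys, of which the 26 shifts are the special case k1 = 1.
from math import gcd
from string import ascii_lowercase

ALPHABET = ascii_lowercase
M = 26

# English letter frequencies in percent (constructed approximation of the
# standard table); used only as a fitness score for candidate plaintexts.
ENGLISH_FREQ = {
    'a': 8.2, 'b': 1.5, 'c': 2.8, 'd': 4.3, 'e': 12.7, 'f': 2.2, 'g': 2.0,
    'h': 6.1, 'i': 7.0, 'j': 0.2, 'k': 0.8, 'l': 4.0, 'm': 2.4, 'n': 6.7,
    'o': 7.5, 'p': 1.9, 'q': 0.1, 'r': 6.0, 's': 6.3, 't': 9.1, 'u': 2.8,
    'v': 1.0, 'w': 2.4, 'x': 0.2, 'y': 2.0, 'z': 0.1,
}

def affine_encrypt(plaintext, k1, k2):
    """c_i = (k1*p_i + k2) mod 26; non-letters pass through unchanged."""
    if gcd(k1, M) != 1:
        raise ValueError("k1 must be invertible mod 26")
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(k1 * ALPHABET.index(ch) + k2) % M].upper())
        else:
            out.append(ch)
    return "".join(out)

def affine_decrypt(ciphertext, k1, k2):
    """p_i = k1^{-1} (c_i - k2) mod 26, with k1^{-1} from pow(k1, -1, 26)."""
    k1_inv = pow(k1, -1, M)          # raises ValueError if gcd(k1, 26) != 1
    out = []
    for ch in ciphertext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(k1_inv * (ALPHABET.index(ch) - k2)) % M])
        else:
            out.append(ch)
    return "".join(out)

def shift_encrypt(plaintext, k):
    """Caesar / shift cipher: the affine cipher with k1 = 1 (Caesar himself used k = 3)."""
    return affine_encrypt(plaintext, 1, k)

def english_score(text):
    """Sum of English frequencies of the letters: higher looks more like English."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text.lower())

def affine_key_space():
    """All (k1, k2) with gcd(k1, 26) = 1: phi(26) * 26 = 12 * 26 = 312 keys."""
    return [(k1, k2) for k1 in range(1, M) if gcd(k1, M) == 1 for k2 in range(M)]

def brute_force_affine(ciphertext):
    """Ciphertext-only attack: try every key, rank candidates by English-ness.
    Returns (k1, k2, plaintext) of the best-scoring candidate."""
    best = None
    for k1, k2 in affine_key_space():
        candidate = affine_decrypt(ciphertext, k1, k2)
        score = english_score(candidate)
        if best is None or score > best[0]:
            best = (score, k1, k2, candidate)
    return best[1], best[2], best[3]

if __name__ == "__main__":
    ct = shift_encrypt("meet me after the toga party", 3)
    print(ct)                      # PHHW PH DIWHU WKH WRJD SDUWB
    print(brute_force_affine(ct))  # (1, 3, 'meet me after the toga party')
```

Because the affine maps form a group, decrypting a ciphertext under all 312 keys always produces the same set of candidate texts, so the scoring picks out the true plaintext whether a shift or a general affine key was used; the only thing that grows with the key space is the number of candidates to score.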
MONOALPHABETIC SUBSTITUTION CIPHERS
• Further generalization of the Caesar cipher: instead of the fixed shift
Plain:  abcdefghijklmnopqrstuvwxyz
Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC
allow any permutation of the 26 characters as the cipher alphabet
• Key size = 26 letters (the cipher alphabet itself)
• Key space = 26! ≈ 4 × 10^26
• Unique mapping of plaintext alphabet to ciphertext alphabet → monoalphabetic
• For a long time thought secure, but easily breakable by a frequency analysis attack
RELATIVE FREQUENCY OF LETTERS IN ENGLISH TEXT
FREQUENCY STATISTICS OF LANGUAGE
• In addition to the frequency info of single letters, the
frequency info of two-letter (digram) or three-letter
(trigram) combinations can be used for the
cryptanalysis
• Most frequent digrams
– TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI, OF
• Most frequent trigrams
– THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH
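The frequency-analysis attack sketched on the last three slides, as an added example that is not part of the original slides: a monoalphabetic cipher with a random 26-letter key, and the single-letter and digram counts an attacker tabulates from the ciphertext. The sample paragraph is constructed for the example; the key is used only to check that the most frequent ciphertext letter really is the image of e and the most frequent digram the image of TH or HE.

```python
# Added example (not from the original slides): a monoalphabetic substitution
# cipher with a random 26-letter key, and the frequency analysis that breaks it.
import random
from collections import Counter
from string import ascii_lowercase

# Constructed sample plaintext; long enough for single-letter statistics to show.
SAMPLE = ("the security of a monoalphabetic cipher rests on the size of its key "
          "space but the key space is not the whole story because the ciphertext "
          "keeps the letter frequencies of the plaintext so the most common "
          "ciphertext letter is almost always the image of e and the most common "
          "pair is usually the image of th")

def random_key(seed=None):
    """A key is any permutation of the 26 letters: 26! ~ 4e26 possibilities."""
    letters = list(ascii_lowercase)
    random.Random(seed).shuffle(letters)
    return "".join(letters)

def mono_encrypt(plaintext, key):
    """Plain letter at position i of the alphabet -> key[i]; spaces pass through."""
    return plaintext.lower().translate(str.maketrans(ascii_lowercase, key.upper()))

def mono_decrypt(ciphertext, key):
    return ciphertext.upper().translate(str.maketrans(key.upper(), ascii_lowercase))

def letters_only(text):
    return "".join(ch for ch in text.lower() if ch in ascii_lowercase)

def letter_frequencies(text):
    """Counter of single letters: the attacker's first table."""
    return Counter(letters_only(text))

def digram_frequencies(text):
    """Counter of adjacent letter pairs, ignoring word boundaries."""
    s = letters_only(text)
    return Counter(s[i:i + 2] for i in range(len(s) - 1))

def guess_e_and_th(ciphertext, key):
    """What the attacker sees: the most common ciphertext letter and digram.
    Returned as their true plaintext images (the key is used only to check)."""
    top_letter = letter_frequencies(ciphertext).most_common(1)[0][0]
    top_digram = digram_frequencies(ciphertext).most_common(1)[0][0]
    return mono_decrypt(top_letter, key), mono_decrypt(top_digram, key)
```

The key space is enormous, but the attacker never searches it: the ciphertext letter that occurs most often is almost certainly E, the commonest digram is TH or HE, and each such guess fixes part of the key and makes the next guess easier.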
HOMOPHONES
• Monoalphabetic substitution ciphers are easy to
break through letter frequency analysis
• Multiple substitutes (homophones) for a single letter
can be used to hide the single-letter frequency
information
• But even with homophones, multiple-letter patterns
(e.g. digram frequencies) still survive in the ciphertext
• Two approaches for this problem
– Encrypt multiple letters of plaintext
• Playfair cipher
• Hill cipher
– Use multiple cipher alphabets
• Polyalphabetic cipher
PLAYFAIR CIPHER
• Best-known multiple-letter substitution cipher
• Digram cipher (digram to digram, i.e., E(p_i p_{i+1}) = c_i c_{i+1}) through a keyword-based 5x5 transformation table
• Great advance over simple monoalphabetic cipher (26 letters → 26x26 = 676 digrams)
Keyword = monarchy
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
Plaintext:  HS EA AR MU
Ciphertext: BP IM RM CM
• Still leaves much of the structure of the plaintext language → relatively easy to break
• Can be generalized to a polygram cipher
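The Playfair cipher with the slides' keyword "monarchy", as an added example that is not part of the original slides. The table construction, the three digram rules (same row, same column, rectangle) and the usual preprocessing (J merged with I, an X inserted between doubled letters and appended to an odd-length message) are the classic ones; the example reproduces the HS EA AR MU → BP IM RM CM mapping from the slide.

```python
# Added example (not from the original slides): Playfair digram cipher with the
# slides' keyword "monarchy" (I and J share a cell).
from string import ascii_uppercase

def playfair_table(keyword):
    """5x5 table: keyword letters (deduplicated) first, then the rest of A..Z, J merged with I."""
    seen = []
    for ch in (keyword.upper() + ascii_uppercase).replace("J", "I"):
        if ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]

def _positions(table):
    return {ch: (r, c) for r, row in enumerate(table) for c, ch in enumerate(row)}

def prepare(plaintext):
    """Letters only, J->I, split into digrams; 'X' separates doubled letters and pads odd length."""
    s = [ch for ch in plaintext.upper().replace("J", "I") if ch in ascii_uppercase]
    digrams, i = [], 0
    while i < len(s):
        a = s[i]
        b = s[i + 1] if i + 1 < len(s) else "X"
        if a == b:
            digrams.append(a + "X")
            i += 1
        else:
            digrams.append(a + b)
            i += 2
    return digrams

def _map_digram(table, pos, a, b, shift):
    (ra, ca), (rb, cb) = pos[a], pos[b]
    if ra == rb:                       # same row: letter to the right (left when shift = -1), wrapping
        return table[ra][(ca + shift) % 5] + table[rb][(cb + shift) % 5]
    if ca == cb:                       # same column: letter below (above when shift = -1), wrapping
        return table[(ra + shift) % 5][ca] + table[(rb + shift) % 5][cb]
    return table[ra][cb] + table[rb][ca]   # rectangle: each letter takes the other's column

def playfair_encrypt(plaintext, keyword):
    table = playfair_table(keyword)
    pos = _positions(table)
    return "".join(_map_digram(table, pos, d[0], d[1], 1) for d in prepare(plaintext))

def playfair_decrypt(ciphertext, keyword):
    """Inverse: shift -1 for row/column pairs; the rectangle rule is its own inverse."""
    table = playfair_table(keyword)
    pos = _positions(table)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(_map_digram(table, pos, d[0], d[1], -1) for d in pairs)
```

Decryption returns the prepared text, so padding X's and the I/J merge are not undone; that is inherent to the cipher, not to this implementation.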
RELATIVE FREQUENCY OF OCCURRENCE OF LETTERS
HILL CIPHER
• Multi-letter cipher
• Takes m successive plaintext letters and substitutes for them m ciphertext letters
• 3x3 Hill cipher:
c1 = (k11 p1 + k12 p2 + k13 p3) mod 26
c2 = (k21 p1 + k22 p2 + k23 p3) mod 26
c3 = (k31 p1 + k32 p2 + k33 p3) mod 26
• K =
[ k11 k12 k13 ]
[ k21 k22 k23 ]
[ k31 k32 k33 ]
• C = E_K(P) = KP mod 26; P = D_K(C) = K^{-1}C = K^{-1}KP = P (K must be invertible mod 26, i.e. gcd(det K, 26) = 1)
• m x m Hill cipher hides (m-1)-letter frequency info
• Strong against a ciphertext-only attack, but easily broken with a known-plaintext attack
– with m plaintext-ciphertext pairs, each of length m, written as the columns of P and C: K = CP^{-1}
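A 3x3 Hill cipher with the known-plaintext attack K = CP^{-1}, as an added example that is not part of the original slides. The key matrix is a constructed one (its determinant, 23, is coprime to 26); the matrix inverse mod 26 is computed from the adjugate, and the attack searches the available plaintext blocks for m of them whose matrix is invertible mod 26, which is the condition the slide's formula silently requires.

```python
# Added example (not from the original slides): a 3x3 Hill cipher, C = K P on
# column vectors, decryption with K^{-1} mod 26, and the known-plaintext attack
# K = C P^{-1}.  KEY is a constructed key, not one from the slides.
from itertools import combinations
from math import gcd

M = 26
KEY = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]    # constructed; det = 23, invertible mod 26

def det_mod(A, m):
    """Determinant by Laplace expansion along the first row, reduced mod m."""
    n = len(A)
    if n == 1:
        return A[0][0] % m
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in A[1:]]
        total += (-1) ** j * A[0][j] * det_mod(minor, m)
    return total % m

def mat_inv_mod(A, m):
    """A^{-1} = det(A)^{-1} * adj(A) mod m; ValueError when gcd(det A, m) != 1."""
    n = len(A)
    d = det_mod(A, m)
    if gcd(d, m) != 1:
        raise ValueError("matrix is not invertible mod %d" % m)
    d_inv = pow(d, -1, m)
    inv = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(A) if k != i]
            cofactor = (-1) ** (i + j) * det_mod(minor, m)
            inv[j][i] = (d_inv * cofactor) % m      # transposed cofactor matrix = adjugate
    return inv

def mat_mul_mod(A, B, m):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % m
             for j in range(len(B[0]))] for i in range(len(A))]

def to_blocks(text, n):
    """Letters -> integers 0..25 in blocks of n, padding the last block with 'x'."""
    nums = [ord(c) - 97 for c in text.lower() if c.isalpha()]
    nums += [ord('x') - 97] * (-len(nums) % n)
    return [nums[i:i + n] for i in range(0, len(nums), n)]

def hill_apply(key, blocks):
    """Apply the key matrix to each block treated as a column vector."""
    return [[v[0] for v in mat_mul_mod(key, [[x] for x in b], M)] for b in blocks]

def hill_encrypt(plaintext, key):
    return "".join(chr(65 + x) for b in hill_apply(key, to_blocks(plaintext, len(key))) for x in b)

def hill_decrypt(ciphertext, key):
    blocks = hill_apply(mat_inv_mod(key, M), to_blocks(ciphertext, len(key)))
    return "".join(chr(97 + x) for b in blocks for x in b)

def recover_key(plain_blocks, cipher_blocks, n):
    """Known-plaintext attack: find n plaintext blocks whose matrix P (blocks as
    columns) is invertible mod 26 and return K = C P^{-1}."""
    for idx in combinations(range(len(plain_blocks)), n):
        P = [[plain_blocks[j][i] for j in idx] for i in range(n)]
        C = [[cipher_blocks[j][i] for j in idx] for i in range(n)]
        try:
            return mat_mul_mod(C, mat_inv_mod(P, M), M)
        except ValueError:
            continue
    raise ValueError("no invertible set of plaintext blocks")
```

Note that the first three blocks of a message often give a singular P (every triple of blocks in "paymoremoney" has an even determinant), so a real attack needs a few more known blocks than the bare minimum m.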
POLYALPHABETIC CIPHER
• Typically a set of monoalphabetic
substitution rules is used
• Key determines which rule to use
VIGENÈRE CIPHER
• Best-known polyalphabetic cipher
• Each key letter determines one of 26 Caesar (shift) ciphers
• c_i = E(p_i) = (p_i + k_{i mod m}) mod 26, where m is the key length
• Example:
Key:        deceptivedeceptivedeceptive
Plaintext:  wearediscoveredsaveyourself
Ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
• Keyword is repeated to make a key as long as the
plaintext
• (Kasiski Test) Given a sufficient amount of ciphertext, common sequences are repeated, exposing the period (keyword length) → target of the cryptanalysis
VIGENÈRE CIPHER - 2 (Vigenère tableau; figure only)
VIGENÈRE CIPHER - 3
• If the keyword length is N, then the Vigenère cipher, in effect, consists of N monoalphabetic substitution ciphers → consider each of the ciphers separately
• Improvement over the Playfair cipher, but language structure and frequency information still remain
• Vigenère autokey system: after the key is exhausted, use the plaintext itself as the running key (to eliminate the periodic nature)
Key:        deceptivewearediscoveredsav
Plaintext:  wearediscoveredsaveyourself
Ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
• Key and plaintext share the same frequency distribution of letters → a statistical technique can be used for the cryptanalysis (e.g., e enciphered with e would occur with a frequency of (0.1275)^2 ≈ 0.0163, t enciphered with t with a frequency of (0.0925)^2 ≈ 0.0086, etc.)
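The Vigenère cipher, its autokey variant and the Kasiski test from the last four slides, as an added example that is not part of the original slides. It reproduces the two "deceptive" examples above and shows the Kasiski test recovering the period 9 from the single repeated trigram VTW in the first ciphertext.

```python
# Added example (not from the original slides): Vigenère encryption/decryption,
# the autokey variant, and a Kasiski test that recovers the period from repeated
# ciphertext n-grams, using the slides' "deceptive" example.
from collections import defaultdict
from functools import reduce
from math import gcd

def _nums(text):
    return [ord(c) - 97 for c in text.lower() if c.isalpha()]

def vigenere_encrypt(plaintext, key):
    """c_i = (p_i + k_{i mod m}) mod 26: the key is repeated to the message length."""
    p, k = _nums(plaintext), _nums(key)
    return "".join(chr(65 + (p[i] + k[i % len(k)]) % 26) for i in range(len(p)))

def vigenere_decrypt(ciphertext, key):
    c, k = _nums(ciphertext), _nums(key)
    return "".join(chr(97 + (c[i] - k[i % len(k)]) % 26) for i in range(len(c)))

def autokey_encrypt(plaintext, key):
    """Running key = keyword followed by the plaintext itself (no period)."""
    p = _nums(plaintext)
    k = _nums(key) + p
    return "".join(chr(65 + (p[i] + k[i]) % 26) for i in range(len(p)))

def autokey_decrypt(ciphertext, key):
    c, k = _nums(ciphertext), _nums(key)
    out = []
    for i in range(len(c)):
        p = (c[i] - k[i]) % 26
        out.append(p)
        k.append(p)          # each recovered plaintext letter extends the key
    return "".join(chr(97 + x) for x in out)

def kasiski(ciphertext, n=3):
    """Distances between repeated n-grams; the period divides (most of) them.
    Returns (gcd of all distances, {ngram: [distances]})."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        positions[ciphertext[i:i + n]].append(i)
    distances = {g: [q - p for p, q in zip(ps, ps[1:])]
                 for g, ps in positions.items() if len(ps) > 1}
    all_d = [d for ds in distances.values() for d in ds]
    return (reduce(gcd, all_d) if all_d else 0), distances
```

Once the period N is known, the attacker splits the ciphertext into N interleaved streams and breaks each one as a shift cipher with the single-letter frequency table; taking the gcd of all distances is the simple version of the test, and with long texts one instead looks for the divisor shared by most distances, since chance repeats occur.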
ONE-TIME PAD
• Perfect substitution cipher
• Improved Vernam cipher
• Use a random key (pad) which is as long as the
message, with no repetitions.
–Key distribution is a problem
–Or, random key stream generation is a problem
• With such key, plaintext and ciphertext are
statistically independent
• Unconditionally secure (Unbreakable)
TRANSPOSITION (PERMUTATION) TECHNIQUES
• Hide the message by rearranging the letter
order without altering the actual letters
used
• Rail Fence Cipher
–Write the message on alternate rows, and read off the cipher row by row
–Example:
m e m a t r h t g p r y
 e t e f e t e o a a t
Ciphertext: MEMATRHTGPRYETEFETEOAAT
• Generalization: multiple transpositions → more secure
• Block (Columnar) Transposition Ciphers
–Message is written in a rectangle, row by row, but read off column by column; the order in which the columns are read off is the key
–Example:
Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
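The rail fence and columnar transposition ciphers above, with their decryption routines and the "multiple transpositions" generalization, as an added example that is not part of the original slides. The rail fence takes a depth parameter (the slide's two-row version is depth 2), and the columnar key is given as the sequence of column ranks exactly as on the slide.

```python
# Added example (not from the original slides): rail fence (depth 2 as on the
# slide, generalised to any depth) and keyed columnar transposition, both with
# decryption, plus a double transposition built from two columnar passes.

def _letters(text):
    return "".join(c for c in text.lower() if c.isalpha())

def _rail_pattern(n, rails):
    """Rail index visited by each of the n letters when written in zig-zag order."""
    pat, r, step = [], 0, 1
    for _ in range(n):
        pat.append(r)
        if rails > 1:
            if r == 0:
                step = 1
            elif r == rails - 1:
                step = -1
            r += step
    return pat

def rail_fence_encrypt(plaintext, rails=2):
    s = _letters(plaintext)
    pat = _rail_pattern(len(s), rails)
    return "".join(s[i] for r in range(rails) for i in range(len(s)) if pat[i] == r).upper()

def rail_fence_decrypt(ciphertext, rails=2):
    """Rebuild the pattern, then hand the ciphertext out rail by rail into the slots."""
    s = ciphertext.lower()
    pat = _rail_pattern(len(s), rails)
    out, pos = [None] * len(s), 0
    for r in range(rails):
        for i in range(len(s)):
            if pat[i] == r:
                out[i] = s[pos]
                pos += 1
    return "".join(out)

def columnar_encrypt(plaintext, key):
    """Write row by row into len(key) columns (pad with x), read columns in key order."""
    s = _letters(plaintext)
    n = len(key)
    s += "x" * (-len(s) % n)
    rows = [s[i:i + n] for i in range(0, len(s), n)]
    order = sorted(range(n), key=lambda j: key[j])     # columns by ascending key rank
    return "".join(row[j] for j in order for row in rows).upper()

def columnar_decrypt(ciphertext, key):
    s = ciphertext.lower()
    n = len(key)
    depth = len(s) // n
    order = sorted(range(n), key=lambda j: key[j])
    cols = [None] * n
    for k, j in enumerate(order):          # k-th chunk of ciphertext is column j
        cols[j] = s[k * depth:(k + 1) * depth]
    return "".join(cols[j][i] for i in range(depth) for j in range(n))

def double_transposition(plaintext, key):
    """Two columnar passes with the same key: the slide's 'multiple transpositions'."""
    return columnar_encrypt(columnar_encrypt(plaintext, key), key)
```

A transposition keeps the plaintext's letter frequencies intact, which is how an analyst recognises one: the ciphertext has English single-letter statistics but no English digrams. The double transposition only makes the anagramming harder, not impossible.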
ROTOR MACHINES
• Mechanical cipher machines, extensively used in WWII;
Germany (Enigma), Japan (Purple), Sweden (Hagelin)
• Each rotor corresponds to a substitution cipher
• A one-rotor machine produces a polyalphabetic cipher with period 26
• Output of each rotor is input to the next rotor
• After each symbol, the “fast” rotor is rotated
• After a full rotation, the adjacent rotor is rotated (like an odometer)
– An n-rotor machine produces a polyalphabetic cipher with period 26^n
THREE-ROTOR MACHINES
STEGANOGRAPHY
• “The art of covered writing”
• “Security by obscurity”
• Hide messages in other messages
• Conceal the existence of the message
• Conceal what you are communicating (sending encrypted messages would mark you as a spy)
– Character marking: selected letters are overwritten in pencil
– Invisible ink
– Pin punctures
– First letter of each word
– Letter position on page
– Drawings
– Codes
– Typewriter correction ribbon
– Microdots
– Digital steganography
– Spread spectrum
STEGANOGRAPHY - EXAMPLE
• News Eight Weather: Tonight increasing snow. Unexpected precipitation smothers Eastern towns. Be extremely cautious and use snowtires especially heading east. The highways are knowingly slippery. Highway evacuation is suspected. Police report emergency situations in downtown ending near Tuesday
• First letter of each word yields: Newt is upset
because he thinks he is President
• This example was created by Neil F. Johnson,
and was published in Steganography,Technical
Report TR_95_11_nfj, 1995.
URL: http://www.jjtc.com/pub/tr_95_11_nfj/
• From a WWII German spy (Kahn):
“Apparently neutral's protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by-products, ejecting suets and vegetable oils.”
• Second letter of each word yields: Pershing sails from NY June 1.
STEGANOGRAPHY - EXERCISE
What is the message
embedded in the
left figure? (Prob. 2.1)
Introduction to Number Theory
Group
• a set of elements or “numbers”
• with some operation whose result is also
in the set (closure)
• obeys:
–associative law: (a.b).c = a.(b.c)
–has identity e: e.a = a.e = a
–has inverses a-1: a.a-1 = e
• if commutative a.b = b.a
–then forms an abelian group
Cyclic Group
• define exponentiation as repeated application of the operator
–example: a^3 = a.a.a
• and let the identity be: e = a^0
• a group is cyclic if every element is a power of some fixed element
–ie b = a^k for some a and every b in the group
• a is said to be a generator of the group
Ring
• a set of “numbers”
• with two operations (addition and multiplication)
which form:
• an abelian group with addition operation
• and multiplication:
– has closure
– is associative
– distributive over addition: a(b+c) = ab + ac
• if multiplication operation is commutative, it
forms a commutative ring
• if multiplication operation has an identity and no
zero divisors, it forms an integral domain
Field
• a set of numbers
• with two operations which form:
–abelian group for addition
–abelian group for multiplication (ignoring
0)
–ring
• have hierarchy with more axioms/laws
–group -> ring -> field
Modular Arithmetic
• define the modulo operator “a mod n” to be the remainder when a is divided by n
• use the term congruence for: a ≡ b (mod n)
– when divided by n, a & b have the same remainder
– eg. 100 ≡ 34 (mod 11)
• b is called a residue of a mod n
– since with integers we can always write: a = qn + b
– usually choose the smallest non-negative remainder as the residue
• ie. 0 <= b <= n-1
– the process is known as modulo reduction
eg. -12 ≡ -5 ≡ 2 ≡ 9 (mod 7), so -12 mod 7 = 2
Divisors
• say a non-zero number b divides a if for
some m have a=mb (a,b,m all integers)
• that is b divides into a with no remainder
• denote this b|a
• and say that b is a divisor of a
• eg. all of 1,2,3,4,6,8,12,24 divide 24
Modular Arithmetic Operations
• is 'clock arithmetic'
• uses a finite number of values, and loops
back from either end
• modular arithmetic is when do addition &
multiplication and modulo reduce answer
• can do reduction at any point, ie
– (a + b) mod n = [(a mod n) + (b mod n)] mod n
– (a × b) mod n = [(a mod n) × (b mod n)] mod n
Modular Arithmetic
• can do modular arithmetic with the set of integers Z_n = {0, 1, … , n-1}
• which forms a commutative ring under addition and multiplication mod n
• with a multiplicative identity (1)
• note some peculiarities
– if (a+b) ≡ (a+c) (mod n) then b ≡ c (mod n)
– but if (a.b) ≡ (a.c) (mod n) then b ≡ c (mod n) only if a is relatively prime to n
Modulo 8 Addition Example
+ | 0 1 2 3 4 5 6 7
--+----------------
0 | 0 1 2 3 4 5 6 7
1 | 1 2 3 4 5 6 7 0
2 | 2 3 4 5 6 7 0 1
3 | 3 4 5 6 7 0 1 2
4 | 4 5 6 7 0 1 2 3
5 | 5 6 7 0 1 2 3 4
6 | 6 7 0 1 2 3 4 5
7 | 7 0 1 2 3 4 5 6
Greatest Common Divisor (GCD)
• a common problem in number theory
• GCD (a,b) of a and b is the largest number
that divides evenly into both a and b
–eg GCD(60,24) = 12
• often want no common factors (except 1)
and hence numbers are relatively prime
–eg GCD(8,15) = 1
–hence 8 & 15 are relatively prime
Euclidean Algorithm
• an efficient way to find the GCD(a,b)
• uses theorem that:
–GCD(a,b) = GCD(b, a mod b)
• Euclidean Algorithm to compute GCD(a,b) is:
EUCLID(a,b)
1. A = a; B = b
2. if B = 0 return A = gcd(a, b)
3. R = A mod B
4. A = B
5. B = R
6. goto 2
Example GCD(1970,1066)
1970 = 1 x 1066 + 904 gcd(1066, 904)
1066 = 1 x 904 + 162 gcd(904, 162)
904 = 5 x 162 + 94 gcd(162, 94)
162 = 1 x 94 + 68 gcd(94, 68)
94 = 1 x 68 + 26 gcd(68, 26)
68 = 2 x 26 + 16 gcd(26, 16)
26 = 1 x 16 + 10 gcd(16, 10)
16 = 1 x 10 + 6 gcd(10, 6)
10 = 1 x 6 + 4 gcd(6, 4)
6 = 1 x 4 + 2 gcd(4, 2)
4 = 2 x 2 + 0 gcd(2, 0)
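Euclid's algorithm with the quotient/remainder trace of the gcd(1970, 1066) example above, and its extended form, as an added example that is not part of the original slides. The extended version returns the coefficients u, v with u·a + v·b = gcd(a, b); when the gcd is 1 that gives the modular inverse of a, which is what the affine cipher, the Hill cipher and the Chinese remainder theorem all need.

```python
# Added example (not from the original slides): Euclid's algorithm with the
# slide's trace, the extended Euclidean algorithm, and modular inverses from it.

def euclid_trace(a, b):
    """Return (gcd, steps) where each step is (a, q, b, r) meaning a = q*b + r."""
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return a, steps

def ext_euclid(a, b):
    """Return (g, u, v) with u*a + v*b = g = gcd(a, b), by carrying the
    Bezout coefficients along with the remainders."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v

def mod_inverse(a, m):
    """a^{-1} mod m, or None when gcd(a, m) != 1 (no inverse exists)."""
    g, u, _ = ext_euclid(a % m, m)
    return u % m if g == 1 else None
```

The number of division steps is at most about 1.44 times the bit length of the smaller argument (the worst case is consecutive Fibonacci numbers), so the algorithm is linear in the operand size and fast even for RSA-sized integers.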
Modular exponentiation
• In RSA, encryption as well as decryption require modular exponentiation, i.e. determining x^c mod n. This can be done with c-1 modular multiplications, but that is hopelessly inefficient when c is large.
• The “square-and-multiply” algorithm reduces the number of modular multiplications needed to at most 2ℓ, where ℓ is the number of bits in the binary representation of c.
• Since ℓ <= k, the bit length of n, it is possible to find x^c mod n in O(k^3) bit operations. Thus RSA encryption and decryption can be performed in polynomial time.
Exponential Notation
• Recall that exponential notation represents an expression of the form a^k, where a represents the base of the expression and k represents the exponent. If the exponent k is a positive integer, then a^k = a · a · … · a (a multiplied k times)
• Example: 7^85 mod 41 by repeated squaring
7^1 mod 41 = 7
7^2 mod 41 = 49 mod 41 = 8
7^4 mod 41 = (7^2)^2 mod 41 = 8^2 mod 41 = 64 mod 41 = 23
7^8 mod 41 = (7^4)^2 mod 41 = 23^2 mod 41 = 529 mod 41 = 37
7^16 mod 41 = (7^8)^2 mod 41 = 37^2 mod 41 = 1369 mod 41 = 16
7^32 mod 41 = (7^16)^2 mod 41 = 16^2 mod 41 = 256 mod 41 = 10
7^64 mod 41 = (7^32)^2 mod 41 = 10^2 mod 41 = 100 mod 41 = 18
Since 85 = 64 + 16 + 4 + 1,
7^85 mod 41 = (7^64 · 7^16 · 7^4 · 7^1) mod 41
= (18 · 16 · 23 · 7) mod 41   (substituting from above)
= (((18 · 16) mod 41) · ((23 · 7) mod 41)) mod 41   (note that 18 · 16 = 288 and 23 · 7 = 161)
= (1 · 38) mod 41   (note that 288 mod 41 = 1 and 161 mod 41 = 38)
= 38
Hence, 7^85 mod 41 = 38
Exponentiation
• can use the Square and Multiply Algorithm
• a fast, efficient algorithm for exponentiation
• concept is based on repeatedly squaring the base
• and multiplying in the ones that are needed to compute the result
• look at the binary representation of the exponent
• only takes O(log2 n) multiplications for exponent n
–eg. 7^5 = 7^4 · 7^1 = 3 · 7 = 10 mod 11
–eg. 3^129 = 3^128 · 3^1 = 5 · 3 = 4 mod 11
Modular Exponentiation
• An efficient way to compute a^b mod n
• Repeated squaring
• Computes a^c mod n as c is increased from 0 to b
• Each exponent computed in the sequence is either twice the previous exponent or one more than the previous exponent
• Each iteration of the loop uses one of the identities
a^{2c} mod n = (a^c)^2 mod n,
a^{2c+1} mod n = a · (a^c)^2 mod n
depending on whether b_i = 0 or 1
• Just after bit b_i is read and processed, the value of c is the same as the prefix b_k b_{k-1} … b_i of the binary representation of b
• Variable c is not needed (included just for explanation)
Modular-Exponentiation(a, b, n)
1. c ← 0
2. d ← 1
3. let b_k b_{k-1} … b_0 be the binary representation of b
4. for i ← k downto 0
5.   do c ← 2c
6.      d ← (d · d) mod n
7.      if b_i = 1
8.        then c ← c + 1
9.             d ← (d · a) mod n
10. return d
Modular Exponentiation - Example
• Result of the Modular-Exponentiation algorithm for a^b mod n, where a = 7, b = 560 = 1000110000 (binary), n = 561. The values of b_i, c and d after each execution of the for loop are shown in a table (figure only); the final result is d = 1.
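The Modular-Exponentiation procedure above, as an added example that is not part of the original slides. It keeps the slide's explanatory variable c (the exponent prefix) in an optional trace, reproduces the 7^85 mod 41 = 38 computation and the a = 7, b = 560, n = 561 example, and includes the right-to-left variant and the naive loop for comparison.

```python
# Added example (not from the original slides): the slide's Modular-Exponentiation
# (left-to-right square-and-multiply) with an optional trace of (b_i, c, d),
# a right-to-left variant, and the naive b-1 multiplication loop for contrast.

def modexp(a, b, n, trace=None):
    """Compute a^b mod n scanning the bits of b from the most significant end.
    Invariant after processing bit i: d = a^c mod n, c = prefix b_k..b_i of b."""
    c, d = 0, 1
    for bit in bin(b)[2:]:                 # b_k ... b_0, most significant first
        c, d = 2 * c, (d * d) % n          # squaring doubles the exponent prefix
        if bit == "1":
            c, d = c + 1, (d * a) % n      # the multiply brings in the 1 bit
        if trace is not None:
            trace.append((int(bit), c, d))
    return d

def modexp_rtl(a, b, n):
    """Right-to-left variant: accumulate a^(2^i) mod n for each set bit of b."""
    result, base = 1, a % n
    while b:
        if b & 1:
            result = (result * base) % n
        base = (base * base) % n
        b >>= 1
    return result

def naive_modexp(a, b, n):
    """b-1 multiplications: fine for b = 85, hopeless for a 2048-bit RSA exponent."""
    d = 1
    for _ in range(b):
        d = (d * a) % n
    return d
```

Both fast variants use at most 2ℓ multiplications for an ℓ-bit exponent. The left-to-right form is the one on the slide; note that its branch on each bit leaks the exponent through timing and power side channels, which is why production RSA and ECC code uses constant-time ladders instead of this textbook loop.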
Finite fields
Fields
• Definition 3.1.1: A field is a nonempty set F of elements with two operations “+” and “‧” satisfying the following axioms for all a, b, c ∈ F.
– (i) F is closed under + and ‧; i.e., a+b and a‧b are in F.
– (ii) Commutative laws: a+b = b+a, a‧b = b‧a
– (iii) Associative laws: (a+b)+c = a+(b+c), (a‧b)‧c = a‧(b‧c)
– (iv) Distributive law: a‧(b+c) = a‧b + a‧c
– (v), (vi) Identities: there are elements 0, 1 ∈ F with a+0 = a and a‧1 = a for all a ∈ F; also 0‧a = 0.
– (vii) Additive inverse: for all a ∈ F, there exists an additive inverse (-a) such that a+(-a) = 0
– (viii) Multiplicative inverse: for all a ∈ F, a ≠ 0, there exists a multiplicative inverse a^{-1} such that a‧a^{-1} = 1
Fields
• Lemma 3.1.3: Let F be a field and a, b ∈ F.
– (i) (-1)‧a = -a
– (ii) ab = 0 implies a = 0 or b = 0.
• Proof:
– (i) (-1)‧a + a = (-1)‧a + 1‧a = ((-1)+1)‧a = 0‧a = 0. Thus, (-1)‧a = -a
– (ii) If a ≠ 0, then b = 1‧b = (a^{-1}a)b = a^{-1}(ab) = a^{-1}‧0 = 0.
Fields
• Definition:
– A field containing only finitely many elements is called a finite field.
– A set F satisfying axioms (i)-(vii) in Definition 3.1.1 is called a (commutative) ring.
• Example 3.1.4:
– Integer ring: The set of all integers Z = {0, ±1, ±2, …} forms a ring under the normal addition and multiplication.
– The set of all polynomials over a field F, F[x] = {a0 + a1x + … + anx^n | ai ∈ F, n ≥ 0}, forms a ring under the normal addition and multiplication of polynomials.
Fields
• Definition 3.1.5: Let a, b and m > 1 be integers. We say that a is congruent to b modulo m, written as a ≡ b (mod m), if m | (a - b); i.e., m divides a - b.
• Remark 3.1.7: a = mq + b with 0 ≤ b < m, where b is uniquely determined by a and m. The integer b is called the (principal) remainder of a divided by m, denoted by (a (mod m))
Fields
• Ring Z_m (or Z/(m)) is the set {0, 1, …, m-1} under addition and multiplication defined as follows
– + : a + b in Z_m = (a + b) mod m
– ‧ : a ‧ b in Z_m = ab mod m
• Example 3.1.8:
– Z_2 is a ring and also a field.
– Z_4 is a ring but not a field since 2^{-1} does not exist (2 ‧ 2 = 0 in Z_4).
Fields
• Theorem 3.1.9: Z_m is a field if and only if m is a prime.
Proof:
– (⇒) Suppose that m is a composite number and let m = ab for two integers 1 < a, b < m. Thus a ≠ 0, b ≠ 0 in Z_m, yet 0 = m = ab in Z_m. This contradicts Lemma 3.1.3. Hence Z_m is not a field.
– (⇐) If m is a prime, then for every a ∈ Z_m with 0 < a < m, a is relatively prime to m, so there exist two integers u, v such that ua + vm = 1. Then ua ≡ 1 (mod m), i.e. u = a^{-1}. This implies that axiom (viii) in Definition 3.1.1 is also satisfied and hence Z_m is a field.
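Theorem 3.1.9 and Example 3.1.8 checked by exhaustion, as an added example that is not part of the original slides: it tabulates the inverses in Z_m, lists the zero divisors that Lemma 3.1.3 forbids in a field, and computes the characteristic of Definition 3.1.10 as the additive order of 1.

```python
# Added example (not from the original slides): inverse table, zero divisors,
# field test and characteristic for the ring Z_m, by brute force.

def inverse_table(m):
    """Map each nonzero a in Z_m to its multiplicative inverse, or None if none exists."""
    table = {}
    for a in range(1, m):
        table[a] = next((b for b in range(1, m) if (a * b) % m == 1), None)
    return table

def zero_divisors(m):
    """Pairs (a, b) of nonzero residues with a*b ≡ 0 (mod m); present iff m is composite."""
    return [(a, b) for a in range(1, m) for b in range(a, m) if (a * b) % m == 0]

def is_field_Zm(m):
    """Z_m is a field iff every nonzero residue has an inverse (Theorem 3.1.9: iff m is prime)."""
    return m > 1 and all(inv is not None for inv in inverse_table(m).values())

def characteristic_Zm(m):
    """Least p > 0 with p*1 ≡ 0 (mod m), i.e. the additive order of 1; equals m."""
    p = 1
    while (p * 1) % m != 0:
        p += 1
    return p
```

For a prime p the characteristic of the field Z_p is p, as Example 3.1.11 states; the function also returns m for composite m, but there Z_m is only a ring and Theorem 3.1.12 does not apply.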
Fields
• Definition 3.1.10:
Let F be a field. The characteristic of F is the least positive
integer p such that p*1=0, where 1 is the multiplicative identity
of F.
If no such p exists, we define the characteristic to be 0.
• Example 3.1.11
– The characteristic of each of Q, R, C is 0.
– The characteristic of the field Z_p is p for any prime p.
Fields
• Theorem 3.1.12: The characteristic of a field is either 0 or a prime number.
• Proof: 1 is not the characteristic, as 1‧1 = 1 ≠ 0. Suppose that the characteristic p of a field F is composite. Let p = m‧n for 1 < m, n < p. Then
0 = p‧1 = (mn)‧1 = (Σ_{i=1}^{m} 1)‧(Σ_{i=1}^{n} 1) = (m‧1)‧(n‧1),
so by Lemma 3.1.3, m‧1 = 0 or n‧1 = 0. Either contradicts the definition of the characteristic as the least positive integer p with p‧1 = 0.
Fields
• In abstract algebra a subfield is a subset of a field
which, together with the additive and multiplicative
operators restricted to it, is a field in its own right.
• If K is a subfield of L, then L is said to be a field
extension of K.
• Example:
– Q is a subfield of both R and C.
– R is a subfield of C.
– Let F be a field of characteristic p; then Zp can be
naturally viewed as a subfield of F.
Fields
• Theorem 3.1.14: A finite field F of characteristic p contains p^n elements for some integer n ≥ 1.
• Proof:
– Choose an element α1 ∈ F* (the nonzero elements of F). We claim that 0‧α1, 1‧α1, …, (p-1)‧α1 are pairwise distinct. If i‧α1 = j‧α1 for some 0 ≤ i ≤ j ≤ p-1, then (j-i)‧α1 = 0, so (j-i)‧1 = 0 (multiply by α1^{-1}). Hence i = j (∵ the characteristic of F is p and 0 ≤ j-i < p).
If F = {0‧α1, 1‧α1, …, (p-1)‧α1}, we are done.
– Otherwise, we choose an element α2 in F \ {0‧α1, 1‧α1, …, (p-1)‧α1}. We claim that the elements a1α1 + a2α2 are pairwise distinct. If a1α1 + a2α2 = b1α1 + b2α2 for some 0 ≤ a1, a2, b1, b2 ≤ p-1, then a2 = b2. Otherwise, α2 = (b2-a2)^{-1}(a1-b1)α1 would contradict our choice of α2. Since a2 = b2, then a1 = b1.
– In the same manner, we can show that a1α1 + … + anαn are pairwise distinct for all ai ∈ Z_p, and the process terminates because F is finite. This implies |F| = p^n.
Polynomial rings
• Definition 3.2.1:
– F[x] = { Σ_{i=0}^{n} a_i x^i : a_i ∈ F, n ≥ 0 } is called the polynomial ring over a field F.
– deg(f(x)): for a polynomial f(x) = Σ_{i=0}^{n} a_i x^i with a_n ≠ 0, n is called the degree of f(x).
– deg(0) = -∞
– A nonzero polynomial f(x) = Σ_{i=0}^{n} a_i x^i is said to be monic if a_n = 1.
– For deg(f(x)) > 0, f(x) is said to be reducible if there exist g(x), h(x) such that deg(g(x)) < deg(f(x)), deg(h(x)) < deg(f(x)) and f(x) = g(x)h(x). Otherwise f(x) is said to be irreducible.
Polynomial rings
• Example 3.2.2
– f(x) = x^4 + 2x^6 ∈ Z_3[x] is of degree 6. It is reducible as f(x) = x^4(1 + 2x^2).
– g(x) = 1 + x + x^2 ∈ Z_2[x] is of degree 2. It is irreducible since g(0) = g(1) = 1 ≠ 0 (a polynomial of degree 2 or 3 is reducible iff it has a root).
– 1 + x + x^3 and 1 + x^2 + x^3 are irreducible over Z_2.
• Definition 3.2.3: Let f(x) ∈ F[x], deg(f(x)) ≥ 1. For any polynomial g(x) ∈ F[x], there exists a unique pair (s(x), r(x)) with deg(r(x)) < deg(f(x)) or r(x) = 0 such that g(x) = s(x)f(x) + r(x).
– r(x) is called the (principal) remainder of g(x) divided by f(x), denoted by (g(x) (mod f(x)))
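Polynomial arithmetic over Z_2 and the finite field it builds, as an added example that is not part of the original slides: polynomials are stored as bit masks (bit i is the coefficient of x^i), the remainder of Definition 3.2.3 is computed by long division with XOR, irreducibility is decided by trial division, and the quotient ring Z_2[x]/(1 + x + x^3) is checked to be a field of 2^3 elements (the polynomial analogue of Theorems 3.1.9 and 3.1.14). The AES check at the end uses the fact, stated in FIPS 197, that AES multiplies bytes in Z_2[x]/(x^8 + x^4 + x^3 + x + 1).

```python
# Added example (not from the original slides): polynomials over Z_2 as bit
# masks, division with remainder, an irreducibility test, and the field
# GF(2^n) = Z_2[x]/(m(x)) for an irreducible m(x).

def deg(f):
    """Degree of a Z_2[x] polynomial; -1 stands in for deg(0) = -infinity."""
    return f.bit_length() - 1

def poly_divmod(g, f):
    """g = s*f + r with deg r < deg f; coefficient arithmetic mod 2 is XOR."""
    if f == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    s, r = 0, g
    while r and deg(r) >= deg(f):
        shift = deg(r) - deg(f)
        s ^= 1 << shift
        r ^= f << shift
    return s, r

def poly_mul(a, b):
    """Carry-less multiplication in Z_2[x]."""
    out = 0
    while b:
        if b & 1:
            out ^= a
        a <<= 1
        b >>= 1
    return out

def is_irreducible(f):
    """f has no factor of degree 1..deg(f)//2 (trial division over Z_2[x])."""
    if deg(f) < 1:
        return False
    for d in range(2, 1 << (deg(f) // 2 + 1)):   # all polynomials of degree 1..deg(f)//2
        if poly_divmod(f, d)[1] == 0:
            return False
    return True

def gf_mul(a, b, modulus):
    """Multiplication in Z_2[x]/(modulus): multiply, then take the remainder."""
    return poly_divmod(poly_mul(a, b), modulus)[1]

def gf_inverse(a, modulus):
    """Inverse by exhaustive search (only 2^n candidates); None for a = 0."""
    for b in range(1, 1 << deg(modulus)):
        if gf_mul(a, b, modulus) == 1:
            return b
    return None

def is_field(modulus):
    """Z_2[x]/(m) is a field iff every nonzero residue is invertible, i.e. m is irreducible."""
    return all(gf_inverse(a, modulus) is not None for a in range(1, 1 << deg(modulus)))
```

With a reducible modulus such as x^3 + 1 = (x + 1)(x^2 + x + 1) the residue x + 1 is a zero divisor and has no inverse, exactly as 2 has none in Z_4; with an irreducible modulus every nonzero residue is invertible, which is what makes GF(2^8) usable for the AES MixColumns and S-box inversions.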
Finite Fields
• will now introduce finite fields
• of increasing importance in cryptography
–AES, Elliptic Curve, IDEA, Public Key
• concern operations on “numbers”
–where what constitutes a “number” and the
type of operations varies considerably
• start with concepts of groups, rings, fields
from abstract algebra
PRIME NUMBERS
• An integer p > 1 is a prime number if its only divisors are 1 and p
• There are infinitely many primes
• Distribution of Primes
– The Prime Number Theorem
• Let π(N) denote the number of primes not exceeding N. Then π(N) is approximately N / ln N
– Twin Primes
• Pairs of primes that differ by two (conjectured to be infinitely many)
• e.g., (5, 7), (11, 13), (101, 103), (4967, 4969), …
– Gaps: for any positive integer n, there are at least n consecutive composite positive integers, e.g.
(n+1)! + 2, (n+1)! + 3, … , (n+1)! + (n+1)
PRIMES UNDER 2000 (table; figure only)
PRIME FACTORIZATION
• Unique Factorization
– The Fundamental Theorem of Arithmetic
• Every positive integer a > 1 can be factored uniquely as
a = p1^{a1} · p2^{a2} · … · pt^{at}, where p1 < p2 < … < pt are primes and each ai > 0
– If P is the set of all prime numbers, then any positive integer a can be written uniquely in the following form
a = ∏_{p ∈ P} p^{a_p}, with each a_p ≥ 0 and only finitely many a_p nonzero
• The value of any positive integer can be specified by listing all nonzero exponents (a_p)
• 12 (= 2^2 × 3) is represented by {a_2 = 2, a_3 = 1}
• (Multiplication) k = ab ⇒ k_p = a_p + b_p for all p ∈ P
• (Divisibility) a | b ⇔ a_p ≤ b_p for all p ∈ P
FERMAT’S LITTLE THEOREM
• Theorem: If p is prime and a is a positive integer not divisible by p, then a^{p-1} ≡ 1 (mod p)
• Proof
Start by listing the first p-1 positive multiples of a:
a, 2a, 3a, …, (p-1)a
Suppose that ja and ka are the same modulo p; then p | (j-k)a, and since p ∤ a we have j ≡ k (mod p). So the p-1 multiples of a above are distinct and nonzero; that is, they must be congruent to 1, 2, 3, …, p-1 in some order. Multiply all these congruences together and we find
a · 2a · 3a · … · (p-1)a ≡ 1 · 2 · 3 · … · (p-1) (mod p)
or better, a^{p-1}(p-1)! ≡ (p-1)! (mod p). Divide both sides by (p-1)! (which is invertible mod p, since p divides none of its factors) to complete the proof.
• Corollary: If p is prime and a is a positive integer, then a^p ≡ a (mod p)
• Corollary: If p is prime and a is a positive integer not divisible by p, then a^{p-2} is an inverse of a modulo p
EULER’S PHI-FUNCTION
• Definition: Euler's phi-function φ(n) is defined to be the number of positive integers less than n (including 1) that are relatively prime to n
• Properties
(1) φ(1) = 1 (by convention)
(2) p is prime ⇒ φ(p) = p-1
(3) Let p be a prime and a a positive integer. Then φ(p^a) = p^a - p^{a-1} = p^a(1 - 1/p)
(4) Let m and n be relatively prime positive integers. Then φ(mn) = φ(m)φ(n)
(5) Let n = p1^{a1} p2^{a2} … pt^{at} be the prime-power factorization of the positive integer n. Then φ(n) = n(1 - 1/p1)(1 - 1/p2)…(1 - 1/pt)
EULER’S THEOREM
• Generalization of Fermat's little theorem
• Theorem: For every a and n that are relatively prime, a^{φ(n)} ≡ 1 (mod n)
• Proof
– The proof is completely analogous to that of Fermat's theorem except that instead of the set of residues {1, 2, ..., n-1} we now consider the set of residues {x1, x2, ..., x_{φ(n)}} which are relatively prime to n. In exactly the same manner as before, multiplication by a modulo n results in a permutation of the set {x1, x2, ..., x_{φ(n)}}. Therefore, the two products are congruent:
x1 x2 ... x_{φ(n)} ≡ (ax1)(ax2) ... (ax_{φ(n)}) (mod n)
dividing by the left-hand side (invertible, since each x_i is relatively prime to n) proves the theorem.
• Corollary
(1) a^{φ(n)+1} ≡ a (mod n) whenever gcd(a, n) = 1; it holds for every a only when n is squarefree (a product of distinct primes, as in RSA). For n = 4, a = 2: 2^{φ(4)+1} = 8 ≡ 0 ≢ 2 (mod 4).
(2) If gcd(a, n) = 1, then a^{φ(n)-1} is an inverse of a modulo n
Primality Testing
• often need to find large prime numbers
• traditionally sieve using trial division
• i.e. divide by all numbers (primes) in turn less than the square root of the number
• only works for small numbers
• alternatively can use statistical primality tests based on properties of primes
• for which all prime numbers satisfy the property
• but some composite numbers, called pseudo-primes, also satisfy the property
• can use a slower deterministic primality test
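As an added illustration of the three approaches listed above (not code from the slides), the Python below implements trial division, the Fermat property check and the Miller-Rabin test; the Carmichael number 561 = 3·11·17 and the strong pseudo-prime 2047 are assumed as sample inputs to show where each test fails.

```python
from math import gcd
import random

def trial_division(n: int) -> bool:
    """Deterministic test: divide by every integer up to sqrt(n).
    Correct for all n, but far too slow for cryptographic sizes."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def fermat_passing_bases(n: int) -> list:
    """Bases a in [2, n-2] coprime to n with a^(n-1) ≡ 1 (mod n).
    For a prime n that is every base; for a composite n these are the
    bases to which n is a Fermat pseudo-prime. A Carmichael number such
    as 561 passes for every coprime base, so the Fermat property alone
    can never expose it."""
    return [a for a in range(2, n - 1)
            if gcd(a, n) == 1 and pow(a, n - 1, n) == 1]

def miller_rabin(n: int, bases=None, rounds: int = 16) -> bool:
    """Statistical test. Write n-1 = 2^s·d with d odd; for each base a check
    that a^d, a^(2d), ..., a^(2^(s-1)·d) reaches 1 only through -1, because
    modulo a prime the only square roots of 1 are ±1. A composite passes a
    random base with probability at most 1/4, so `rounds` random bases give
    an error bound of 4^-rounds; pass `bases` explicitly for a reproducible
    run (the checks below do that)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    s, d = 0, n - 1
    while d % 2 == 0:
        s, d = s + 1, d // 2
    if bases is None:
        bases = [random.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False   # never reached -1: a is a witness, n is composite
    return True            # probably prime (or a strong pseudo-prime to all bases)
```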
CHINESE REMAINDER THEOREM
• Chinese Remainder Theorem (CRT)
Suppose m1, …, mk are pairwise relatively prime positive integers, and suppose a1, …, ak are integers. Then the system of k congruences x ≡ ai (mod mi) (1 ≤ i ≤ k) has a unique solution modulo M = m1 ⋯ mk, which is given by
x ≡ a1c1 + a2c2 + … + akck (mod M)
where ci = Mi (Mi^-1 mod mi) and Mi = M / mi, for 1 ≤ i ≤ k.
Proof
• Let M = m1 m2 … mk, where the mi’s are pairwise relatively prime, i.e., gcd(mi, mj) = 1, 1 ≤ i ≠ j ≤ k
• A ↔ (a1, a2, …, ak), where A ∈ ZM, ai ∈ Zmi, and ai = A mod mi for 1 ≤ i ≤ k
• One-to-one correspondence (bijection) between ZM and the Cartesian product Zm1 × Zm2 × … × Zmk
– For every integer A such that 0 ≤ A < M, there is a unique k-tuple (a1, a2, …, ak) with 0 ≤ ai < mi
– For every such k-tuple (a1, a2, …, ak), there is a unique A in ZM
• Computing A from (a1, a2, …, ak) is done as follows:
• Let Mi = M/mi for 1 ≤ i ≤ k, i.e., Mi = m1 m2 … mi-1 mi+1 … mk
• Note that Mi ≡ 0 (mod mj) for all j ≠ i and gcd(Mi, mi) = 1
• Let ci = Mi × (Mi^-1 mod mi) for 1 ≤ i ≤ k
• Then A ≡ (a1c1 + a2c2 + … + akck) mod M
⇒ ai = A mod mi, since cj ≡ Mj ≡ 0 (mod mi) if j ≠ i and ci ≡ 1 (mod mi)
• Operations performed on the elements of ZM can be equivalently performed on the corresponding k-tuples by performing the operation independently in each coordinate position
– ex) A ↔ (a1, a2, ..., ak), B ↔ (b1, b2, …, bk)
(A + B) mod M ↔ ((a1 + b1) mod m1, …, (ak + bk) mod mk)
(A – B) mod M ↔ ((a1 – b1) mod m1, …, (ak – bk) mod mk)
(A × B) mod M ↔ ((a1 × b1) mod m1, …, (ak × bk) mod mk)
• CRT provides a way to manipulate (potentially large) numbers mod M in terms of tuples of smaller numbers
• Example
– Let m1 = 37, m2 = 49, M = m1 m2 = 1813, A = 973, B = 678
– M1 = 49, M2 = 37
– Using the extended Euclid’s algorithm
• M1^-1 mod m1 = 34, and M2^-1 mod m2 = 4
– Taking residues modulo 37 and 49
• 973 ↔ (11, 42), 678 ↔ (12, 41)
– Add the tuples element-wise
• ((11 + 12) mod 37, (42 + 41) mod 49) = (23, 34)
– To verify, we compute
• (23, 34) ↔ (a1c1 + a2c2) mod M = (a1 M1 M1^-1 + a2 M2 M2^-1) mod M = [(23)(49)(34) + (34)(37)(4)] mod 1813 = 1651
• which is equal to (678 + 973) mod 1813 = 1651
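The reconstruction and tuple arithmetic above, as an added Python example (not code from the slides), extended to subtraction and multiplication; it uses the slide's values m1 = 37, m2 = 49, A = 973, B = 678 and rejects moduli that are not pairwise coprime, where the CRT does not apply.

```python
from itertools import combinations
from math import gcd, prod

def check_pairwise_coprime(moduli):
    """The CRT bijection only exists when gcd(mi, mj) = 1 for all i != j."""
    for m1, m2 in combinations(moduli, 2):
        if gcd(m1, m2) != 1:
            raise ValueError(f"moduli {m1} and {m2} are not coprime; CRT does not apply")

def crt_coefficients(moduli):
    """For each mi: (Mi, Mi^-1 mod mi, ci) with Mi = M/mi and ci = Mi·(Mi^-1 mod mi).
    pow(Mi, -1, mi) computes the inverse by the extended Euclidean algorithm."""
    check_pairwise_coprime(moduli)
    M = prod(moduli)
    coeffs = []
    for m_i in moduli:
        M_i = M // m_i
        inv = pow(M_i, -1, m_i)
        coeffs.append((M_i, inv, M_i * inv))
    return coeffs

def crt_reconstruct(residues, moduli):
    """A ≡ a1c1 + a2c2 + ... + akck (mod M): the unique A in ZM with A mod mi = ai."""
    M = prod(moduli)
    return sum(a_i * c_i for a_i, (_, _, c_i) in zip(residues, crt_coefficients(moduli))) % M

def to_tuple(A, moduli):
    """ZM -> Zm1 × ... × Zmk: the k-tuple of residues of A."""
    return tuple(A % m for m in moduli)

def tuple_op(op, ta, tb, moduli):
    """Apply op coordinate-wise, reducing coordinate i modulo mi."""
    return tuple(op(x, y) % m for x, y, m in zip(ta, tb, moduli))

def crt_arith(A, B, moduli):
    """(A+B, A-B, A×B) mod M computed entirely on the residue tuples and then
    reconstructed; returns the three integers in ZM."""
    ta, tb = to_tuple(A, moduli), to_tuple(B, moduli)
    ops = (lambda x, y: x + y, lambda x, y: x - y, lambda x, y: x * y)
    return tuple(crt_reconstruct(tuple_op(op, ta, tb, moduli), moduli) for op in ops)
```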
Discrete Logarithm(s) (DLs)
• Fix a prime p. Let a, b be nonzero integers (mod p). The problem of finding x such that a^x ≡ b (mod p) is called the discrete logarithm problem. Suppose that n is the smallest positive integer such that a^n ≡ 1 (mod p), i.e., n = ord_p(a). By assuming 0 ≤ x < n, we denote x = La(b), and call it the discrete log of b w.r.t. a (mod p)
• Ex: p = 11, a = 2, b = 9, then x = L2(9) = 6
Discrete Logarithms
• In the RSA algorithm, the difficulty of factoring a large integer yields good cryptosystems
• In the ElGamal method, the difficulty of solving the discrete logarithm problem yields good cryptosystems
• Given p, a, b, solve a^x ≡ b (mod p)
• a is suggested to be a primitive root mod p
One-Way Function
• A function f(x) is called a one-way function if f(x) is easy to compute, but, given y, it is computationally infeasible to find x with y = f(x).
• La(b) is a one-way function if p is large
Primitive Roots mod 13
• a is a primitive root mod p if {a^k | 1 ≤ k ≤ p-1} = {1, 2, …, p-1}
♪ 2, 6, 7, 11 are primitive roots mod 13
• 3^3 ≡ 1 (mod 13), 4^6 ≡ 1 (mod 13),
• 5^4 ≡ 1 (mod 13), 8^4 ≡ 1 (mod 13),
• 9^3 ≡ 1 (mod 13), 10^6 ≡ 1 (mod 13),
• 12^2 ≡ 1 (mod 13)
Solve a^x ≡ b (mod p)
• An exhaustive search for all 0 ≤ x < p
• Check only for even x or odd x according to b^((p-1)/2) ≡ (a^x)^((p-1)/2) ≡ (a^((p-1)/2))^x ≡ (-1)^x ≡ 1 or -1 (mod p), where a is a primitive root
(Ex) p = 11, a = 2, b = 9; since b^((p-1)/2) ≡ 9^5 ≡ 1, check for even numbers {0, 2, 4, 6, 8, 10} only to find x = 6 such that 2^6 ≡ 9 (mod 11)
Solve a^x ≡ b (mod p) by Pohlig-Hellman
Let p-1 = ∏ q^r over all primes q | (p-1); write b0 = b and, for each q,
x = x0 + x1 q + x2 q^2 + … + x(r-1) q^(r-1) for 0 ≤ xi ≤ q-1
1. Find 0 ≤ k ≤ q-1 such that (a^((p-1)/q))^k ≡ b0^((p-1)/q), then x0 ≡ k; next let b1 ≡ b0 a^(-x0)
2. Find 0 ≤ k ≤ q-1 such that (a^((p-1)/q))^k ≡ b1^((p-1)/q^2), then x1 ≡ k; next let b2 ≡ b1 a^(-x1 q)
3. Repeat steps 1, 2 until x(r-1) is found for a q
4. Repeat steps 1~3 for all q’s, then apply the Chinese Remainder Theorem to get the final solution
7^x ≡ 12 (mod 41); p = 41, a = 7, b = 12,
• p-1 = 41-1 = 40 = 2^3 · 5
• b0 = 12
• For q = 2: b0 = 12, b1 = 31, b2 = 31, and x = x0 + 2x1 + 4x2 ≡ 1 + 2·0 + 4·1 ≡ 5 (mod 8)
• For q = 5: b0 = 12, b1 = 18, and x = x0 ≡ 3 (mod 5)
Solving x ≡ 5 (mod 8) and x ≡ 3 (mod 5), we have x ≡ 13 (mod 40)
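An added Python implementation of the Pohlig-Hellman steps above (not the slides' own code), run on the slide's instance 7^x ≡ 12 (mod 41) and on the parity trick from the previous slide for p = 11; the final combine reuses the Σ ai·Mi·(Mi^-1 mod mi) formula from the CRT slides.

```python
def prime_power_factors(n):
    """n = ∏ q^r as a list [(q, r), ...], by trial division. Fine for a toy p;
    for a real p the method only pays off when p-1 is smooth anyway."""
    factors, q = [], 2
    while q * q <= n:
        r = 0
        while n % q == 0:
            n, r = n // q, r + 1
        if r:
            factors.append((q, r))
        q += 1
    if n > 1:
        factors.append((n, 1))
    return factors

def parity_of_log(a, b, p):
    """Slide shortcut for a primitive root a: b^((p-1)/2) ≡ (-1)^x (mod p),
    so this returns 0 when x is even and 1 when x is odd, before x is known."""
    return 0 if pow(b, (p - 1) // 2, p) == 1 else 1

def dlog_mod_prime_power(a, b, p, q, r):
    """Digits x0, ..., x(r-1) of x mod q^r (steps 1-3 of the slide). b_j is b
    with the digits already found divided out, so that
    (a^((p-1)/q))^k ≡ b_j^((p-1)/q^(j+1)) (mod p) is solved by k = x_j."""
    base = pow(a, (p - 1) // q, p)              # element of order exactly q
    digits, b_j, x = [], b % p, 0
    for j in range(r):
        target = pow(b_j, (p - 1) // q ** (j + 1), p)
        for k in range(q):                      # exhaustive search over q digit values
            if pow(base, k, p) == target:
                break
        else:
            raise ValueError("b is not a power of a modulo p")
        digits.append(k)
        x += k * q ** j
        b_j = b_j * pow(a, -(k * q ** j), p) % p    # strip the digit just found
    return x, digits

def pohlig_hellman(a, b, p):
    """Solve a^x ≡ b (mod p) for a primitive root a: one discrete log per prime
    power q^r of p-1, then the CRT combine x ≡ Σ xi·Mi·(Mi^-1 mod mi) (mod p-1)."""
    parts = [(dlog_mod_prime_power(a, b, p, q, r)[0], q ** r)
             for q, r in prime_power_factors(p - 1)]
    M = p - 1
    x = sum(xi * (M // mi) * pow(M // mi, -1, mi) for xi, mi in parts) % M
    if pow(a, x, p) != b % p:
        raise ValueError("no solution: a is probably not a primitive root mod p")
    return x
```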
Solve a^x ≡ b (mod p) by Index Calculus
Let B be a bound and let p1, p2, …, pm be the primes less than B that cover all of the prime factors of p-1. Then appropriately choose k(j)’s such that a^k(j) ≡ p1^r1 p2^r2 … pm^rm (mod p), i.e.,
r1·La(p1) + r2·La(p2) + … + rm·La(pm) ≡ k(j) (mod p-1)
for several j’s; solve the linear system to get La(p1), La(p2), …, La(pm). Then select R and apply b·a^R ≡ p1^b1 p2^b2 … pm^bm (mod p); the solution is
La(b) ≡ -R + Σ bi·La(pi) (mod p-1)
Solve 2^x ≡ 37 (mod 131)
p = 131, a = 2, b = 37; let B = 10, then p1 = 2, p2 = 3, p3 = 5, p4 = 7. Since
2^8 ≡ 5^3, 2^12 ≡ 5·7, 2^14 ≡ 3^2, 2^34 ≡ 3·5^2 (mod p),
we have
3 L2(5) ≡ 8 (mod 130)
L2(5) + L2(7) ≡ 12 (mod 130)
2 L2(3) ≡ 14 (mod 130)
L2(3) + 2 L2(5) ≡ 34 (mod 130)
L2([3, 5, 7]) = [72, 46, 96]
Choose R = 43, then
37 · 2^43 ≡ 3·5·7 (mod 131), so we have
L2(37) ≡ -43 + L2(3) + L2(5) + L2(7) ≡ 41 (mod 130)
♪ L2(11) ≡ 56 (mod 130) [R = 4]
♪ L2(23) ≡ 23 (mod 130) [R = 5]
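The second stage of the index-calculus method above, as an added Python example (not from the slides): with the base logs L2([3, 5, 7]) = [72, 46, 96] from the slide taken as input, it factors the slide's relations over the base, checks them against the logs, and recovers L2(37), L2(11) and L2(23), searching for the smallest usable R itself.

```python
# Constructed sample data, copied from the slide's worked instance
P, A = 131, 2
BASE = [2, 3, 5, 7]           # the primes below B = 10
BASE_LOGS = [1, 72, 46, 96]   # L2(2) = 1 trivially; L2(3), L2(5), L2(7) from the slide

def factor_over_base(n, base):
    """Exponent vector of n over the factor base, or None if n is not B-smooth."""
    exps = []
    for q in base:
        e = 0
        while n % q == 0:
            n, e = n // q, e + 1
        exps.append(e)
    return exps if n == 1 else None

def relations(a, p, base, ks):
    """Stage 1 data: a^k mod p factored over the base for each k (None = unusable)."""
    return {k: factor_over_base(pow(a, k, p), base) for k in ks}

def check_relations(rels, base_logs, p):
    """A relation a^k ≡ ∏ pi^ri must give Σ ri·La(pi) ≡ k (mod p-1); returns the ks that fail."""
    return [k for k, exps in rels.items()
            if exps is not None
            and sum(e * L for e, L in zip(exps, base_logs)) % (p - 1) != k]

def find_smooth_shift(a, b, p, base):
    """Smallest R ≥ 0 such that b·a^R (mod p) is B-smooth, with its exponent vector."""
    for R in range(p - 1):
        exps = factor_over_base(b * pow(a, R, p) % p, base)
        if exps is not None:
            return R, exps
    raise ValueError("no smooth shift exists for this factor base")

def dlog_from_base_logs(a, b, p, base, base_logs, R=None):
    """Stage 2: La(b) ≡ -R + Σ bi·La(pi) (mod p-1); R is searched for if not given."""
    if R is None:
        R, exps = find_smooth_shift(a, b, p, base)
    else:
        exps = factor_over_base(b * pow(a, R, p) % p, base)
        if exps is None:
            raise ValueError(f"b*a^{R} mod p is not smooth over the base")
    x = (-R + sum(e * L for e, L in zip(exps, base_logs))) % (p - 1)
    if pow(a, x, p) != b % p:
        raise ValueError("base logs are inconsistent with a and p")
    return x
```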
A Lemma on p ≡ 3 (mod 4)
Let p ≡ 3 (mod 4), r ≥ 2. Suppose a and g are nonzero integers such that g ≡ a^(y·2^r) (mod p). Then
g^((p+1)/4) ≡ a^(y·2^(r-1)) (mod p)
[Proof]
g^((p+1)/4) ≡ a^((p+1)·y·2^(r-2)) ≡ a^(y·2^(r-1)) · [a^(p-1)]^(y·2^(r-2)) ≡ a^(y·2^(r-1)) (mod p)
A La(b) (mod 4) Machine
• Let a be a primitive root (mod p), where p ≡ 3 (mod 4) is large; then computing La(b) (mod 4) is as difficult as finding the solution of a^x ≡ b (mod p) [P.172]
The ElGamal Public Key Cryptosystem
Alice wants to send a message m to Bob. Bob chooses a large prime p and a primitive root a. Assume m is an integer 0 ≤ m < p, and Bob selects a secret integer x to compute b ≡ a^x (mod p). The information (p, a, b) is made public and is Bob’s public key. Alice does the following procedure.
Encryption and Decryption
1. Downloads (p, a, b)
2. Chooses a secret random k and computes r ≡ a^k (mod p)
3. Computes t ≡ b^k m (mod p)
4. Sends the pair (t, r) to Bob
Bob decrypts by computing t r^(-x) (≡ m (mod p))
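The ElGamal exchange above as an added Python example (not from the slides), together with the primitive-root test from the mod 13 slide. The toy parameters p = 41, a = 7, x = 13 (so b = 12, the very instance 7^x ≡ 12 solved by Pohlig-Hellman above) are chosen here only to keep every value checkable by hand; the slides require a large p.

```python
import secrets

def is_primitive_root(a, p, prime_factors_of_p_minus_1):
    """a generates all of {1, ..., p-1} iff a^((p-1)/q) ≢ 1 (mod p) for every
    prime q dividing p-1 (equivalent to the slide's {a^k | 1 ≤ k ≤ p-1} = {1, ..., p-1})."""
    return all(pow(a, (p - 1) // q, p) != 1 for q in prime_factors_of_p_minus_1)

def keygen(p, a, x=None):
    """Bob: secret x, public key (p, a, b) with b ≡ a^x (mod p). Returns ((p, a, b), x)."""
    if x is None:
        x = secrets.randbelow(p - 2) + 1         # 1 ≤ x ≤ p-2, from a CSPRNG
    return (p, a, pow(a, x, p)), x

def encrypt(pub, m, k=None):
    """Alice: r ≡ a^k, t ≡ b^k·m (mod p); returns (t, r).
    k must be secret and freshly chosen for every message."""
    p, a, b = pub
    if not 0 <= m < p:
        raise ValueError("message must satisfy 0 <= m < p")
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    return pow(b, k, p) * m % p, pow(a, k, p)

def decrypt(pub, x, t, r):
    """Bob: m ≡ t·r^(-x) (mod p), because r^x ≡ a^(kx) ≡ b^k is exactly the mask on m."""
    p = pub[0]
    return t * pow(r, -x, p) % p

def roundtrip(p, a, m):
    """Whole exchange with random x and k; returns the m that Bob recovers."""
    pub, x = keygen(p, a)
    t, r = encrypt(pub, m)
    return decrypt(pub, x, t, r)
```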
Questions ?
More Related Content

What's hot

Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanisms
priya_trehan
 
Steganography
Steganography Steganography
Steganography
Uttam Jain
 

What's hot (20)

Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanisms
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and Cryptography
 
Topic1 substitution transposition-techniques
Topic1 substitution transposition-techniquesTopic1 substitution transposition-techniques
Topic1 substitution transposition-techniques
 
CS8792 - Cryptography and Network Security
CS8792 - Cryptography and Network SecurityCS8792 - Cryptography and Network Security
CS8792 - Cryptography and Network Security
 
OSI Security Architecture
OSI Security ArchitectureOSI Security Architecture
OSI Security Architecture
 
CRYPTOGRAPHY & NETWORK SECURITY
CRYPTOGRAPHY & NETWORK SECURITYCRYPTOGRAPHY & NETWORK SECURITY
CRYPTOGRAPHY & NETWORK SECURITY
 
Email security
Email securityEmail security
Email security
 
Cryptography and Network Lecture Notes
Cryptography and Network Lecture NotesCryptography and Network Lecture Notes
Cryptography and Network Lecture Notes
 
Key Management and Distribution
Key Management and DistributionKey Management and Distribution
Key Management and Distribution
 
symmetric key encryption algorithms
 symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithms
 
Message authentication
Message authenticationMessage authentication
Message authentication
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
 
Chapter- I introduction
Chapter- I introductionChapter- I introduction
Chapter- I introduction
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distribution
 
Steganography
Steganography Steganography
Steganography
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)
 
Classical encryption techniques
Classical encryption techniquesClassical encryption techniques
Classical encryption techniques
 
Pretty good privacy
Pretty good privacyPretty good privacy
Pretty good privacy
 

Viewers also liked

Viewers also liked (7)

CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
CS6004 CYBER FORENSICS
CS6004 CYBER FORENSICS CS6004 CYBER FORENSICS
CS6004 CYBER FORENSICS
 
CS6004 CYBER FORENSICS
CS6004 CYBER FORENSICS CS6004 CYBER FORENSICS
CS6004 CYBER FORENSICS
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
 

Similar to CS6701 CRYPTOGRAPHY AND NETWORK SECURITY

information technology cryptography Msc chapter 1-4.pdf
information technology  cryptography Msc chapter 1-4.pdfinformation technology  cryptography Msc chapter 1-4.pdf
information technology cryptography Msc chapter 1-4.pdf
wondimagegndesta
 
dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...
dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...
dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...
NISHASOMSCS113
 

Similar to CS6701 CRYPTOGRAPHY AND NETWORK SECURITY (20)

NETWORK SECURITY
NETWORK SECURITY NETWORK SECURITY
NETWORK SECURITY
 
cns unit 1.pptx
cns unit 1.pptxcns unit 1.pptx
cns unit 1.pptx
 
chapter 1-4.pdf
chapter 1-4.pdfchapter 1-4.pdf
chapter 1-4.pdf
 
information technology cryptography Msc chapter 1-4.pdf
information technology  cryptography Msc chapter 1-4.pdfinformation technology  cryptography Msc chapter 1-4.pdf
information technology cryptography Msc chapter 1-4.pdf
 
Chapter 1.ppt
Chapter 1.pptChapter 1.ppt
Chapter 1.ppt
 
computer architecture.ppt
computer architecture.pptcomputer architecture.ppt
computer architecture.ppt
 
Chapter 1.ppt
Chapter 1.pptChapter 1.ppt
Chapter 1.ppt
 
Crytography
CrytographyCrytography
Crytography
 
Cryptography and Network Security-ch1-4.pptx
Cryptography and Network Security-ch1-4.pptxCryptography and Network Security-ch1-4.pptx
Cryptography and Network Security-ch1-4.pptx
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
Encryption techniques
Encryption techniquesEncryption techniques
Encryption techniques
 
Security fundamentals
Security fundamentalsSecurity fundamentals
Security fundamentals
 
Security Fundamentals
Security FundamentalsSecurity Fundamentals
Security Fundamentals
 
dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...
dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...
dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...
 
ch01.ppt
ch01.pptch01.ppt
ch01.ppt
 
Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security
 
Network Security 1st Lecture
Network Security 1st LectureNetwork Security 1st Lecture
Network Security 1st Lecture
 
Ch01
Ch01Ch01
Ch01
 
NS-Lec-01&02.ppt
NS-Lec-01&02.pptNS-Lec-01&02.ppt
NS-Lec-01&02.ppt
 
Network security in computer network for BS
Network security in computer network for BSNetwork security in computer network for BS
Network security in computer network for BS
 

More from Kathirvel Ayyaswamy

More from Kathirvel Ayyaswamy (20)

22CS201 COA
22CS201 COA22CS201 COA
22CS201 COA
 
22cs201 COMPUTER ORGANIZATION AND ARCHITECTURE
22cs201 COMPUTER ORGANIZATION AND ARCHITECTURE22cs201 COMPUTER ORGANIZATION AND ARCHITECTURE
22cs201 COMPUTER ORGANIZATION AND ARCHITECTURE
 
22CS201 COA
22CS201 COA22CS201 COA
22CS201 COA
 
18CS3040_Distributed Systems
18CS3040_Distributed Systems18CS3040_Distributed Systems
18CS3040_Distributed Systems
 
20CS2021-Distributed Computing module 2
20CS2021-Distributed Computing module 220CS2021-Distributed Computing module 2
20CS2021-Distributed Computing module 2
 
18CS3040 Distributed System
18CS3040 Distributed System	18CS3040 Distributed System
18CS3040 Distributed System
 
20CS2021 Distributed Computing
20CS2021 Distributed Computing 20CS2021 Distributed Computing
20CS2021 Distributed Computing
 
20CS2021 DISTRIBUTED COMPUTING
20CS2021 DISTRIBUTED COMPUTING20CS2021 DISTRIBUTED COMPUTING
20CS2021 DISTRIBUTED COMPUTING
 
18CS3040 DISTRIBUTED SYSTEMS
18CS3040 DISTRIBUTED SYSTEMS18CS3040 DISTRIBUTED SYSTEMS
18CS3040 DISTRIBUTED SYSTEMS
 
Recent Trends in IoT and Sustainability
Recent Trends in IoT and SustainabilityRecent Trends in IoT and Sustainability
Recent Trends in IoT and Sustainability
 
20CS2008 Computer Networks
20CS2008 Computer Networks 20CS2008 Computer Networks
20CS2008 Computer Networks
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security 18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
20CS2008 Computer Networks
20CS2008 Computer Networks20CS2008 Computer Networks
20CS2008 Computer Networks
 
20CS2008 Computer Networks
20CS2008 Computer Networks 20CS2008 Computer Networks
20CS2008 Computer Networks
 
20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology
 
20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology
 

Recently uploaded

Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills KuwaitKuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
jaanualu31
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Kandungan 087776558899
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
Epec Engineered Technologies
 
Hospital management system project report.pdf
Hospital management system project report.pdfHospital management system project report.pdf
Hospital management system project report.pdf
Kamal Acharya
 

Recently uploaded (20)

HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARHAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
 
Electromagnetic relays used for power system .pptx
Electromagnetic relays used for power system .pptxElectromagnetic relays used for power system .pptx
Electromagnetic relays used for power system .pptx
 
AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech students
 
Augmented Reality (AR) with Augin Software.pptx
Augmented Reality (AR) with Augin Software.pptxAugmented Reality (AR) with Augin Software.pptx
Augmented Reality (AR) with Augin Software.pptx
 
Signal Processing and Linear System Analysis
Signal Processing and Linear System AnalysisSignal Processing and Linear System Analysis
Signal Processing and Linear System Analysis
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
Basic Electronics for diploma students as per technical education Kerala Syll...
Basic Electronics for diploma students as per technical education Kerala Syll...Basic Electronics for diploma students as per technical education Kerala Syll...
Basic Electronics for diploma students as per technical education Kerala Syll...
 
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
 
Computer Networks Basics of Network Devices
Computer Networks  Basics of Network DevicesComputer Networks  Basics of Network Devices
Computer Networks Basics of Network Devices
 
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills KuwaitKuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
 
Worksharing and 3D Modeling with Revit.pptx
Worksharing and 3D Modeling with Revit.pptxWorksharing and 3D Modeling with Revit.pptx
Worksharing and 3D Modeling with Revit.pptx
 
fitting shop and tools used in fitting shop .ppt
fitting shop and tools used in fitting shop .pptfitting shop and tools used in fitting shop .ppt
fitting shop and tools used in fitting shop .ppt
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
 
Introduction to Artificial Intelligence ( AI)
Introduction to Artificial Intelligence ( AI)Introduction to Artificial Intelligence ( AI)
Introduction to Artificial Intelligence ( AI)
 
Path loss model, OKUMURA Model, Hata Model
Path loss model, OKUMURA Model, Hata ModelPath loss model, OKUMURA Model, Hata Model
Path loss model, OKUMURA Model, Hata Model
 
Hospital management system project report.pdf
Hospital management system project report.pdfHospital management system project report.pdf
Hospital management system project report.pdf
 
PE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiesPE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and properties
 
Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE  and Energy Efficient BUILDINGS ptxCOST-EFFETIVE  and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
 

CS6701 CRYPTOGRAPHY AND NETWORK SECURITY

  • 1. CS6701 CRYPTOGRAPHY AND NETWORK SECURITY UNIT – I Dr.A.Kathirvel, Professor, Dept of CSE M.N.M Jain Engineering College, Chennai
  • 2. UNIT - I Services, Mechanisms and attacks-the OSI security architecture-Network security model- classical Encryption techniques (Symmetric cipher model, substitution techniques, transposition techniques, steganography).FINITE FIELDS AND NUMBER THEORY: Groups, Rings, Fields-Modular arithmetic- Euclid’s algorithm-Finite fields- Polynomial Arithmetic –Prime numbers-Fermat’s and Euler’s theorem- Testing for primality -The Chinese remainder theorem- Discrete logarithms. 2
  • 3. BACKGROUND • Information Security requirements have changed in recent times • traditionally provided by physical and administrative mechanisms • computer use requires automated tools to protect files and other stored information • use of networks and communications links requires measures to protect data during transmission 3
  • 4. DEFINITIONS • Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers • Network Security - measures to protect data during their transmission • Internet Security - measures to protect data during their transmission over a collection of interconnected networks 4
  • 5. AIM OF COURSE • our focus is on Internet Security • which consists of measures to deter, prevent, detect, and correct security violations that involve the transmission & storage of information 5
  • 7. OSI SECURITY ARCHITECTURE • ITU-T X.800 “Security Architecture for OSI” • defines a systematic way of defining and providing security requirements • for us it provides a useful, if abstract, overview of concepts we will study 7
  • 8. ASPECTS OF SECURITY • consider 3 aspects of information security: –security attack –security mechanism –security service 8
  • 9. SECURITY ATTACK • any action that compromises the security of information owned by an organization • information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems • often threat & attack used to mean same thing • have a wide range of attacks • can focus of generic types of attacks – passive – active 9
  • 12. SECURITY SERVICE • enhance security of data processing systems and information transfers of an organization • intended to counter security attacks • using one or more security mechanisms • often replicates functions normally associated with physical documents –which, for example, have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed 12
  • 13. SECURITY SERVICES • X.800: “a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers” • RFC 2828: “a processing or communication service provided by a system to give a specific kind of protection to system resources” 13
  • 14. SECURITY SERVICES (X.800) • Authentication - assurance that the communicating entity is the one claimed • Access Control - prevention of the unauthorized use of a resource • Data Confidentiality –protection of data from unauthorized disclosure • Data Integrity - assurance that data received is as sent by an authorized entity • Non-Repudiation - protection against denial by one of the parties in a communication 14
  • 15. SECURITY MECHANISM • feature designed to detect, prevent, or recover from a security attack • no single mechanism that will support all services required • however one particular element underlies many of the security mechanisms in use: –cryptographic techniques • hence our focus on this topic 15
  • 16. SECURITY MECHANISMS (X.800) • specific security mechanisms: –encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization • pervasive security mechanisms: –trusted functionality, security labels, event detection, security audit trails, security recovery 16
  • 17. MODEL FOR NETWORK SECURITY 17
  • 18. MODEL FOR NETWORK SECURITY • using this model requires us to: 1. design a suitable algorithm for the security transformation 2. generate the secret information (keys) used by the algorithm 3. develop methods to distribute and share the secret information 4. specify a protocol enabling the principals to use the transformation and secret information for a security service 18
  • 19. MODEL FOR NETWORK ACCESS SECURITY 19
  • 20. MODEL FOR NETWORK ACCESS SECURITY • using this model requires us to: 1. select appropriate gatekeeper functions to identify users 2. implement security controls to ensure only authorised users access designated information or resources • trusted computer systems may be useful to help implement this model 20
  • 21. SUMMARY • have considered: –definitions for: •computer, network, internet security • X.800 standard • security attacks, services, mechanisms • models for network (access) security 21
  • 23. CRYPTOGRAPHY • Cryptography is the study of secret (crypto-) writing (-graphy) • Concerned with developing algorithms which may be used to: – Conceal the context of some message from all except the sender and recipient (privacy or secrecy), and/or – Verify the correctness of a message to the recipient (authentication or integrity) • Basis of many technological solutions to computer and communications security problems 23
  • 24. BASIC TERMINOLOGY • Cryptography - The art or science encompassing the principles and methods of transforming message an intelligible into one that is unintelligible, and then retransforming that message back to its original form • Plaintext - The original intelligible message • Ciphertext - The transformed message • Cipher - An algorithm for transforming an intelligible message into one that is unintelligible by transposition and/or substitution methods • Key - Some critical information used by the cipher, known only to the sender & receiver 24
  • 25. • Encipher (encode) - Process of converting plaintext to ciphertext using a cipher and a key • Decipher (decode) - The process of converting ciphertext back into plaintext using a cipher and a key • Cryptanalysis (codebreaking) - The study of principles and methods of transforming an unintelligible message back into an intelligible message without knowledge of the key. • Cryptology - The field encompassing both cryptography and cryptanalysis BASIC TERMINOLOGY - 2 25
  • 26. • Encryption – The mathematical function mapping plaintext to ciphertext using the specified key: Y = EK(X) or E(K, X) • Decryption – The mathematical function mapping ciphertext to plaintext using the specified key: X = DK(Y) or D(K, X) = EK -1(Y) BASIC TERMINOLOGY - 3 26
  • 27. • Cryptographic system (Cryptosystem) A cryptosystem is a five-tuple (P, C, K, E, D), where following conditions are satisfied : 1. P is a finite set of possible plaintexts 2. C is a finite set of possible ciphertexts 3. K, the keyspace, is a finite set of possible keys 4. For each K K, there is an encryption algorithm EK E and a corresponding decryption algorithm DK D. Each EK : P C and DK : C P are functions such that DK(EK(X)) = X for every plaintext X P. BASIC TERMINOLOGY - 4 27
  • 28. SIMPLIFIED CONVENTIONAL ENCRYPTION MODEL • Requirements 1. Strong encryption algorithm 2. Share of the secret key in a secure fashion • Conventional – Secret-Key ( Public-Key) – Single-Key ( Two-Key) – Symmetric ( Asymmetric) Kerchhoff’s Principle “Encryption algorithms being used should be assumed to be publicly known and the security of the algorithm should reside only in the key chosen”
  • 30. CRYPTANALYSIS • Process of attempting to discover X or K or both. • Various types of cryptanalytic attacks Probable-word attack Differential cryptanalysis 30
  • 31. EXHAUSTIVE KEY SEARCH • Brute-force attack • Always theoretically possible to simply try every key • Most basic attack, directly proportional to key size • Assume either know or can recognize when plaintext is found – Average Time Required for Exhaustive Key Search 31
  • 32. UNCONDITIONAL AND COMPUTATIONAL SECURITY • Unconditionally secure (Perfect secure) – No matter how much computer power is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext • Computationally secure – The cost of breaking the security exceeds the value of the secured service or information. – The time required to break the security exceeds the useful lifetime of the information 32
  • 33. CLASSICAL ENCRYPTION TECHNIQUES • Substitution Techniques –Caesar Cipher –Monoalphabetic Ciphers –Playfair Cipher –Hill Cipher –Polyalphabetic Ciphers –One-Time Pad 33
  • 34. • Transposition (Permutation) Techniques –Rail Fence Technique –Block (Columnar) Transposition Technique • Product Techniques –Substitution and transposition ciphers are concatenated CLASSICAL ENCRYPTION TECHNIQUES 34
  • 35. CAESAR CIPHER • 2000 years ago, by Julius Caesar • A simple substitution cipher, known as Caesar cipher • Replace each letter with the letter standing 3 places further down the alphabet –Plain: meet me after the toga party –Cipher: PHHW PH DIWHU WKH WRJD SDUWB 35
  • 36. • No key, just one mapping (translation) 0123456... Plain: abcdefghijklmnopqrstuvwxyz Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC 3456789... • ci=E(3,pi)=(pi+3) mod 26; pi=D(3,ci)=(ci-3) mod 26 36
  • 37. GENERALIZED CAESAR CIPHER • Can use any shift from 1 to 25, i.e., replace each letter by a letter a fixed distance away ci=E(k,pi)=(pi+k) mod 26; pi=D(k,ci)=(ci-k) mod 26 • Shift cipher • Key = k 37
  • 38. • Key letter: the letter a plaintext A maps to –e.g. a key letter of F means A maps to F, B to G, …, Y to D, Z to E • Hence have 26 (25 useful) ciphers –Key space = 26 38
  • 39. BRUTE-FORCE CRYPTANALYSIS OF CAESAR CIPHER • Ciphertext only attack • Charateristics for success 1. The encryption and decryption algorithms are known 2. There are only 25 keys to try 3. The language of the plaintext is known and easily recongnizable
  • 40. AFFINE CIPHER • ci=E(k,pi)=(k1pi+k2) mod 26; gcd(k1,26)=1 pi=D(k,ci)=(k1 -1(ci-k2)) mod 26 • Key k = (k1,k2) • Number of keys = (26) x 26 = 12 x 26 = 312 (m):= the number of integers in Zm that are relatively prime to m k1 {1,3,5,7,9,11,15,17,19,21,23,25} • Caesar/Shift ciphers are special cases of affine ciphers 40
• 41. MONOALPHABETIC SUBSTITUTION CIPHERS • A further generalization of the Caesar cipher: the fixed shift Plain: abcdefghijklmnopqrstuvwxyz Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC is replaced by an arbitrary permutation of the 26 characters as the cipher alphabet • Key size = 26 letters (the permutation) • Key space = 26! ≈ 4 × 10^26 41
• 42. • Unique mapping of the plaintext alphabet to the ciphertext alphabet → monoalphabetic • For a long time thought secure, but easily breakable by a frequency analysis attack 42
  • 43. RELATIVE FREQUENCY OF LETTERS IN ENGLISH TEXT 43
  • 44. FREQUENCY STATISTICS OF LANGUAGE • In addition to the frequency info of single letters, the frequency info of two-letter (digram) or three-letter (trigram) combinations can be used for the cryptanalysis • Most frequent digrams – TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI, OF • Most frequent trigrams – THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH 44
  • 45. HOMOPHONES • Monoalphabetic substitution ciphers are easy to break through letter frequency analysis • Multiple substitutes (homophones) for a single letter can be used to hide the single-letter frequency information • But even with homophones, multiple-letter patterns (e.g. digram frequencies) still survive in the ciphertext • Two approaches for this problem – Encrypt multiple letters of plaintext • Playfair cipher • Hill cipher – Use multiple cipher alphabets • Polyalphabetic cipher 45
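The frequency-analysis weakness of the preceding slides, as an added example that is not part of the original deck: a monoalphabetic cipher only relabels letters, so single-letter, digram and trigram frequencies of the plaintext language survive into the ciphertext unchanged. The key permutation, the sample paragraph and the English letter order used for the first guess are all constructed for this illustration.

```python
from collections import Counter
from string import ascii_lowercase

# Constructed key: one fixed permutation of the alphabet (one of 26! possibilities).
KEY = "qwertyuiopasdfghjklzxcvbnm"
ENC = dict(zip(ascii_lowercase, KEY.upper()))
DEC = {c: p for p, c in ENC.items()}

# Constructed sample plaintext, deliberately rich in the letter 'e'.
SAMPLE = ("the enemy sent three messengers before the eleventh hour; every message "
          "repeated the same request: defend the eastern gate, keep the reserves near "
          "the river, and never reveal the cipher key")

# English single-letter order, most frequent first (as on the frequency chart slide).
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"

def mono_encrypt(text):
    return "".join(ENC.get(c, c) for c in text.lower())

def mono_decrypt(text):
    return "".join(DEC.get(c, c) for c in text)

def ngram_freq(text, n=1):
    """Relative frequency of every n-letter group, most frequent first (non-letters dropped)."""
    letters = "".join(c for c in text.upper() if c.isalpha())
    counts = Counter(letters[i:i + n] for i in range(len(letters) - n + 1))
    total = sum(counts.values())
    return {g: c / total for g, c in counts.most_common()}

def first_guess(ciphertext, english_order=ENGLISH_ORDER):
    """Pair ciphertext letters with English letters by frequency rank: the analyst's
    starting point, refined afterwards with digram/trigram tables and trial decryption."""
    ranked = list(ngram_freq(ciphertext, 1))
    return {c: english_order[i] for i, c in enumerate(ranked)}

def profile_preserved(plaintext, ciphertext):
    """The multiset of letter frequencies is identical before and after a substitution:
    the 26! key space buys nothing against statistics."""
    return sorted(ngram_freq(plaintext).values()) == sorted(ngram_freq(ciphertext).values())

if __name__ == "__main__":
    ct = mono_encrypt(SAMPLE)
    print(ct)
    print(list(ngram_freq(ct, 1).items())[:5])
    print(list(ngram_freq(ct, 2).items())[:5])
    print(first_guess(ct))
```

On the constructed sample the most frequent ciphertext letter is T, which is exactly where the key sends e; the first guess therefore recovers e correctly even though the remaining guesses need refinement with the digram and trigram tables.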
• 46. PLAYFAIR CIPHER • Best-known multiple-letter substitution cipher • Digram cipher (digram to digram, i.e., E(pi pi+1) = ci ci+1, through a keyword-based 5x5 transformation table) • Great advance over the simple monoalphabetic cipher (26 letters → 26x26 = 676 digrams) • Keyword = monarchy; table (I and J share one cell):
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
• Plaintext digrams: HS EA AR MU → Ciphertext digrams: BP IM RM CM 46
• 47. • Still leaves much of the structure of the plaintext language → relatively easy to break • Can be generalized to a polygram cipher 47
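The Playfair rules from the table slide, as an added example that is not part of the original deck: build the 5x5 table from the keyword (I and J merged), split the text into digrams (inserting a filler between doubled letters), and apply the same-row, same-column and rectangle rules. Function names and the filler convention are assumptions made for this illustration.

```python
def playfair_table(keyword):
    """Keyword letters first (without repeats), then the rest of the alphabet; J folds into I."""
    seen = []
    for ch in (keyword + "abcdefghiklmnopqrstuvwxyz").lower():
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]

def _locate(table, ch):
    ch = "i" if ch == "j" else ch
    for r, row in enumerate(table):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(f"not a table letter: {ch}")

def playfair_digrams(plaintext, filler="x"):
    """Pair up the letters; a doubled letter gets the filler between its halves,
    and an odd trailing letter is padded (a lone filler letter is padded with 'z')."""
    letters = [("i" if c == "j" else c) for c in plaintext.lower() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None or a == b:
            pairs.append(a + (filler if a != filler else "z"))
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs

def _substitute(table, a, b, shift):
    """shift=+1 encrypts, shift=-1 decrypts (rectangle rule is its own inverse)."""
    ra, ca = _locate(table, a)
    rb, cb = _locate(table, b)
    if ra == rb:                                    # same row: move along the row
        return table[ra][(ca + shift) % 5] + table[rb][(cb + shift) % 5]
    if ca == cb:                                    # same column: move down/up the column
        return table[(ra + shift) % 5][ca] + table[(rb + shift) % 5][cb]
    return table[ra][cb] + table[rb][ca]            # rectangle: swap the columns

def playfair_encrypt(plaintext, keyword="monarchy"):
    table = playfair_table(keyword)
    return "".join(_substitute(table, a, b, +1) for a, b in playfair_digrams(plaintext)).upper()

def playfair_decrypt(ciphertext, keyword="monarchy"):
    table = playfair_table(keyword)
    c = ciphertext.lower()
    return "".join(_substitute(table, a, b, -1) for a, b in zip(c[0::2], c[1::2]))

if __name__ == "__main__":
    print(playfair_encrypt("hs ea ar mu"))      # slide's digrams: BP IM RM CM
```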
  • 48. RELATIVE FREQUENCY OF OCCURRENCE OF LETTERS 48
• 49. HILL CIPHER • Multi-letter cipher • Takes m successive plaintext letters and substitutes m ciphertext letters for them • 3x3 Hill cipher: K = [k11 k12 k13; k21 k22 k23; k31 k32 k33] and c1 = (k11p1 + k12p2 + k13p3) mod 26, c2 = (k21p1 + k22p2 + k23p3) mod 26, c3 = (k31p1 + k32p2 + k33p3) mod 26 • C = EK(P) = KP; P = DK(C) = K^-1 C = K^-1 K P = P (so K must be invertible mod 26) • An m x m Hill cipher hides (m−1)-letter frequency information • Strong against the ciphertext-only attack, but easily broken with a known-plaintext attack – with m plaintext-ciphertext pairs, each of length m: K = C P^-1 49
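A 3x3 Hill cipher over Z26, as an added example that is not part of the original deck. It carries out C = KP, computes K^-1 mod 26 via the adjugate (which is where the requirement gcd(det K, 26) = 1 comes from), and shows the known-plaintext recovery K = C P^-1 that the slide mentions. The key matrix and the sample texts are constructed for this illustration.

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
MOD = 26

def det3(k):
    return (k[0][0] * (k[1][1] * k[2][2] - k[1][2] * k[2][1])
            - k[0][1] * (k[1][0] * k[2][2] - k[1][2] * k[2][0])
            + k[0][2] * (k[1][0] * k[2][1] - k[1][1] * k[2][0]))

def matmul3(a, b):
    return [[sum(a[i][t] * b[t][j] for t in range(3)) % MOD for j in range(3)] for i in range(3)]

def inverse_mod26(k):
    """K^-1 = det(K)^-1 * adj(K) mod 26; pow() raises ValueError unless gcd(det K, 26) = 1."""
    d_inv = pow(det3(k) % MOD, -1, MOD)
    adj = [[0] * 3 for _ in range(3)]
    for i in range(3):
        for j in range(3):
            minor = [[k[r][c] for c in range(3) if c != j] for r in range(3) if r != i]
            cofactor = (-1) ** (i + j) * (minor[0][0] * minor[1][1] - minor[0][1] * minor[1][0])
            adj[j][i] = cofactor                      # adjugate = transposed cofactor matrix
    return [[(d_inv * adj[i][j]) % MOD for j in range(3)] for i in range(3)]

def hill_apply(k, text):
    """Process letters three at a time as column vectors p and output K p mod 26."""
    nums = [ALPHABET.index(c) for c in text.lower() if c.isalpha()]
    while len(nums) % 3:
        nums.append(ALPHABET.index("x"))              # pad the final block
    out = []
    for i in range(0, len(nums), 3):
        p = nums[i:i + 3]
        out += [sum(k[r][t] * p[t] for t in range(3)) % MOD for r in range(3)]
    return "".join(ALPHABET[n] for n in out)

def hill_encrypt(k, plaintext):
    return hill_apply(k, plaintext).upper()

def hill_decrypt(k, ciphertext):
    return hill_apply(inverse_mod26(k), ciphertext)

def recover_key(plaintext, ciphertext):
    """Known-plaintext recovery from three plaintext/ciphertext triples: K = C P^-1 mod 26.
    Requires the plaintext matrix P (triples as columns) to be invertible mod 26."""
    p = [ALPHABET.index(c) for c in plaintext.lower() if c.isalpha()][:9]
    c = [ALPHABET.index(ch) for ch in ciphertext.lower() if ch.isalpha()][:9]
    P = [[p[j * 3 + i] for j in range(3)] for i in range(3)]
    C = [[c[j * 3 + i] for j in range(3)] for i in range(3)]
    return matmul3(C, inverse_mod26(P))

# Constructed 3x3 key; det = -939 ≡ 23 (mod 26), which is coprime to 26.
KEY = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]

if __name__ == "__main__":
    ct = hill_encrypt(KEY, "bcacbbabc")
    print(ct, hill_decrypt(KEY, ct), recover_key("bcacbbabc", ct) == KEY)
```

Three known plaintext/ciphertext triples suffice to recover the whole key, which is why a linear cipher like Hill is only strong under the ciphertext-only model.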
  • 50. POLYALPHABETIC CIPHER • Typically a set of monoalphabetic substitution rules is used • Key determines which rule to use 50
• 51. VIGENÈRE CIPHER • Best-known polyalphabetic cipher • Each key letter determines one of 26 Caesar (shift) ciphers • ci = E(pi) = (pi + k(i mod m)) mod 26, where m is the key length • Example: Key: deceptivedeceptivedeceptive Plaintext: wearediscoveredsaveyourself Ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ 51
• 52. • The keyword is repeated to make a key as long as the plaintext • (Kasiski test) Given a sufficient amount of ciphertext, common sequences are repeated, exposing the period (keyword length) → target of the cryptanalysis 52
• 54. VIGENÈRE CIPHER - 3 • If the keyword length is N, then the Vigenère cipher, in effect, consists of N monoalphabetic substitution ciphers → consider each of the ciphers separately • Improvement over the Playfair cipher, but language structure and frequency information still remain • Vigenère autokey system: after the key is exhausted, use the plaintext as the running key (to eliminate the periodic nature) Key: deceptivewearediscoveredsav Plaintext: wearediscoveredsaveyourself Ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA 54
• 55. • Key and plaintext share the same frequency distribution of letters → a statistical technique can be used for the cryptanalysis (e.g., e enciphered with e would occur with a frequency of (0.1275)^2 ≈ 0.0163, t enciphered with t would occur with a frequency of (0.0925)^2 ≈ 0.0086, etc.) 55
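The Vigenère and autokey systems of the last four slides, as an added example that is not part of the original deck, reproducing the slides' two ciphertexts and adding the repeated-sequence measurement behind the Kasiski test: in the slide's own example the trigram VTW appears twice, 9 positions apart, which is the keyword length. Function names are assumptions made for this illustration.

```python
A = "abcdefghijklmnopqrstuvwxyz"

def _letters(s):
    return [c for c in s.lower() if c.isalpha()]

def vigenere_encrypt(plaintext, keyword):
    """c_i = (p_i + k_(i mod m)) mod 26: the keyword (length m) is repeated over the text."""
    k = [A.index(c) for c in _letters(keyword)]
    return "".join(A[(A.index(c) + k[i % len(k)]) % 26]
                   for i, c in enumerate(_letters(plaintext))).upper()

def vigenere_decrypt(ciphertext, keyword):
    k = [A.index(c) for c in _letters(keyword)]
    return "".join(A[(A.index(c) - k[i % len(k)]) % 26]
                   for i, c in enumerate(_letters(ciphertext)))

def autokey_encrypt(plaintext, keyword):
    """Running key = keyword followed by the plaintext itself, so the key has no period."""
    p = _letters(plaintext)
    stream = _letters(keyword) + p
    return "".join(A[(A.index(c) + A.index(stream[i])) % 26] for i, c in enumerate(p)).upper()

def autokey_decrypt(ciphertext, keyword):
    stream, out = _letters(keyword), []
    for i, c in enumerate(_letters(ciphertext)):
        p = A[(A.index(c) - A.index(stream[i])) % 26]
        out.append(p)
        stream.append(p)                  # each recovered letter extends the key stream
    return "".join(out)

def kasiski_spacings(ciphertext, n=3):
    """Distances between repeated n-grams. With a periodic key, repeated plaintext that
    lands at the same key offset repeats in the ciphertext, so these spacings are
    multiples of the period; their gcd suggests the keyword length."""
    text = "".join(_letters(ciphertext)).upper()
    positions = {}
    for i in range(len(text) - n + 1):
        positions.setdefault(text[i:i + n], []).append(i)
    return {g: [b - a for a, b in zip(p, p[1:])] for g, p in positions.items() if len(p) > 1}

if __name__ == "__main__":
    ct = vigenere_encrypt("wearediscoveredsaveyourself", "deceptive")
    print(ct, kasiski_spacings(ct))
    print(autokey_encrypt("wearediscoveredsaveyourself", "deceptive"))
```

The autokey variant removes the period, but as the next slide notes the key stream is now English text, so the letter-frequency statistics of plaintext and key still leak through.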
  • 56. ONE-TIME PAD • Perfect substitution cipher • Improved Vernam cipher • Use a random key (pad) which is as long as the message, with no repetitions. –Key distribution is a problem –Or, random key stream generation is a problem • With such key, plaintext and ciphertext are statistically independent • Unconditionally secure (Unbreakable) 56
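An added example (not from the slides) of the one-time pad over bytes, using XOR as the Vernam combining operation. It also demonstrates the two properties the slide states: with a fresh random pad every plaintext of the same length is an equally valid decryption of a given ciphertext (statistical independence), and if a pad is ever reused the key cancels out, which is why "no repetitions" is part of the definition. Function names and sample messages are constructed for this illustration.

```python
import secrets

def otp_keygen(length):
    """A fresh, uniformly random pad of exactly the message length (from the OS CSPRNG)."""
    return secrets.token_bytes(length)

def otp_apply(data, pad):
    """Vernam/OTP: XOR each byte with the pad byte. The same call encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def consistent_pad(ciphertext, candidate_plaintext):
    """Perfect secrecy in one line: for ANY candidate plaintext of the right length there
    is a pad that maps it to the observed ciphertext, so the ciphertext alone says nothing."""
    if len(candidate_plaintext) != len(ciphertext):
        raise ValueError("candidate must have the ciphertext's length")
    return xor_bytes(ciphertext, candidate_plaintext)

def pad_reuse_leak(c1, c2):
    """If one pad is used twice: c1 XOR c2 = (p1 XOR k) XOR (p2 XOR k) = p1 XOR p2.
    The key cancels and the two plaintexts are exposed relative to each other."""
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    msg = b"attack at dawn"
    pad = otp_keygen(len(msg))
    ct = otp_apply(msg, pad)
    print(ct.hex(), otp_apply(ct, pad))
    print(consistent_pad(ct, b"retreat at noon").hex())   # a pad that "decrypts" to another message
```

Operationally the hard part is the one the slide flags: generating, distributing and then destroying as much truly random key material as there is traffic. Any scheme that stretches a short key into a long pad is a stream cipher, not an OTP, and no longer carries the unconditional-security guarantee.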
• 57. TRANSPOSITION (PERMUTATION) TECHNIQUES • Hide the message by rearranging the letter order without altering the actual letters used • Rail Fence Cipher – Write the message on alternate rows, and read off the cipher row by row – Example (2 rails):
m e m a t r h t g p r y
 e t e f e t e o a a t
Ciphertext: MEMATRHTGPRYETEFETEOAAT 57
• 58. • Generalization: multiple transpositions → more secure • Block (Columnar) Transposition Ciphers – The message is written in a rectangle, row by row, but read off column by column; the order in which the columns are read off is the key – Example:
Key:       4 3 1 2 5 6 7
Plaintext: a t t a c k p
           o s t p o n e
           d u n t i l t
           w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ 58
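Both transposition schemes from the last two slides, as an added example that is not part of the original deck. The rail fence is written for any number of rails (the slide shows the two-rail case), and the columnar cipher takes the slide's numeric key order and also handles a ragged final row, which is the usual source of bugs in decryption. Function names are assumptions made for this illustration.

```python
def _rail_pattern(n, rails):
    """Rail index visited by each of n letters, zig-zagging down and back up."""
    pattern, r, step = [], 0, 1
    for _ in range(n):
        pattern.append(r)
        if rails > 1:
            if r == 0:
                step = 1
            elif r == rails - 1:
                step = -1
            r += step
    return pattern

def rail_fence_encrypt(text, rails=2):
    letters = [c for c in text.lower() if c.isalpha()]
    rows = [[] for _ in range(rails)]
    for c, r in zip(letters, _rail_pattern(len(letters), rails)):
        rows[r].append(c)
    return "".join("".join(row) for row in rows).upper()

def rail_fence_decrypt(ciphertext, rails=2):
    pattern = _rail_pattern(len(ciphertext), rails)
    counts = [pattern.count(k) for k in range(rails)]   # letters per rail
    rails_txt, i = [], 0
    for cnt in counts:                                   # slice the ciphertext into rails
        rails_txt.append(list(ciphertext[i:i + cnt]))
        i += cnt
    return "".join(rails_txt[r].pop(0) for r in pattern).lower()

def columnar_encrypt(text, key):
    """key is a list of column ranks, e.g. [4,3,1,2,5,6,7]: read the rank-1 column first."""
    letters = [c for c in text.lower() if c.isalpha()]
    cols = len(key)
    order = sorted(range(cols), key=lambda j: key[j])
    return "".join("".join(letters[j::cols]) for j in order).upper()

def columnar_decrypt(ciphertext, key):
    cols, n = len(key), len(ciphertext)
    order = sorted(range(cols), key=lambda j: key[j])
    full, extra = divmod(n, cols)            # columns 0..extra-1 are one letter longer
    columns, i = {}, 0
    for j in order:
        length = full + (1 if j < extra else 0)
        columns[j] = list(ciphertext[i:i + length])
        i += length
    rows = full + (1 if extra else 0)
    out = [columns[j][r] for r in range(rows) for j in range(cols) if r < len(columns[j])]
    return "".join(out).lower()

if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))
    print(columnar_encrypt("attackpostponeduntiltwoamxyz", [4, 3, 1, 2, 5, 6, 7]))
```

Because transposition never changes which letters occur, the single-letter frequency profile of a transposition ciphertext matches the language exactly; that is precisely how a cryptanalyst recognizes one, and why the product ciphers mentioned earlier combine it with substitution.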
  • 59. ROTOR MACHINES • Mechanical cipher machines, extensively used in WWII; Germany (Enigma), Japan (Purple), Sweden (Hagelin) • Each rotor corresponds to a substitution cipher • A one-rotor machine produces a polyalphabetic cipher with period 26
• 60. • Output of each rotor is input to the next rotor • After each symbol, the “fast” rotor is rotated • After a full rotation, the adjacent rotor is rotated (like an odometer) – An n-rotor machine produces a polyalphabetic cipher with period 26^n 60
• 62. STEGANOGRAPHY • “The art of covered writing” • “Security by obscurity” • Hide messages in other messages • Conceal the existence of the message • Conceal what you are communicating (sending encrypted messages would make you a spy) 62
• 63. – Character marking (overwrite with a pencil) – Invisible ink – Pin punctures – First letter of each word – Letter position on page – Drawings – Codes – Typewriter correction ribbon – Microdots – Digital steganography – Spread spectrum 63
• 64. STEGANOGRAPHY - EXAMPLE • News Eight Weather: Tonight increasing snow. Unexpected precipitation Smothers Eastern towns. Be extremely cautious and use snowtires especially heading east. The highways are knowingly slippery. Highway evacuation is suspected. Police report emergency situations in downtown ending near Tuesday 64
• 65. • The first letter of each word yields: Newt is upset because he thinks he is President • This example was created by Neil F. Johnson and was published in Steganography, Technical Report TR_95_11_nfj, 1995. URL: http://www.jjtc.com/pub/tr_95_11_nfj/ 65
• 66. • From a WWII German spy (Kahn): • Apparently neutral’s protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by products, ejecting suets and vegetable Oils. • The second letter of each word yields: Pershing sails from NY June 1. 66
  • 67. STEGANOGRAPHY - EXERCISE What is the message embedded in the left figure? (Prob. 2.1) 67
• 69. Group • a set of elements or “numbers” • with some operation whose result is also in the set (closure) • obeys: – associative law: (a.b).c = a.(b.c) – has identity e: e.a = a.e = a – has inverses a^-1: a.a^-1 = e • if commutative a.b = b.a – then forms an abelian group 69
• 70. Cyclic Group • define exponentiation as repeated application of the operator – example: a^3 = a.a.a • and let the identity be e = a^0 • a group is cyclic if every element is a power of some fixed element – ie b = a^k for some a and every b in the group • a is said to be a generator of the group 70
  • 71. Ring • a set of “numbers” • with two operations (addition and multiplication) which form: • an abelian group with addition operation • and multiplication: – has closure – is associative – distributive over addition: a(b+c) = ab + ac • if multiplication operation is commutative, it forms a commutative ring • if multiplication operation has an identity and no zero divisors, it forms an integral domain 71
  • 72. Field • a set of numbers • with two operations which form: –abelian group for addition –abelian group for multiplication (ignoring 0) –ring • have hierarchy with more axioms/laws –group -> ring -> field 72
• 73. Modular Arithmetic • define the modulo operator “a mod n” to be the remainder when a is divided by n • use the term congruence for a ≡ b (mod n) – when divided by n, a & b have the same remainder – eg. 100 ≡ 34 (mod 11) • b is called a residue of a mod n – since with integers we can always write a = qn + b – usually choose the smallest positive remainder as the residue, ie. 0 <= b <= n−1 – the process is known as modulo reduction, eg. −12 mod 7 ≡ −5 mod 7 ≡ 2 mod 7 ≡ 9 mod 7 73
  • 74. Divisors • say a non-zero number b divides a if for some m have a=mb (a,b,m all integers) • that is b divides into a with no remainder • denote this b|a • and say that b is a divisor of a • eg. all of 1,2,3,4,6,8,12,24 divide 24 74
  • 75. Modular Arithmetic Operations • is 'clock arithmetic' • uses a finite number of values, and loops back from either end • modular arithmetic is when do addition & multiplication and modulo reduce answer • can do reduction at any point, ie – a+b mod n = [a mod n + b mod n] mod n 75
  • 76. Modular Arithmetic • can do modular arithmetic with any group of integers: Zn = {0, 1, … , n-1} • form a commutative ring for addition • with a multiplicative identity • note some peculiarities – if (a+b)=(a+c) mod n then b=c mod n – but if (a.b)=(a.c) mod n then b=c mod n only if a is relatively prime to n 76
• 77. Modulo 8 Addition Example
+ | 0 1 2 3 4 5 6 7
0 | 0 1 2 3 4 5 6 7
1 | 1 2 3 4 5 6 7 0
2 | 2 3 4 5 6 7 0 1
3 | 3 4 5 6 7 0 1 2
4 | 4 5 6 7 0 1 2 3
5 | 5 6 7 0 1 2 3 4
6 | 6 7 0 1 2 3 4 5
7 | 7 0 1 2 3 4 5 6
77
  • 78. Greatest Common Divisor (GCD) • a common problem in number theory • GCD (a,b) of a and b is the largest number that divides evenly into both a and b –eg GCD(60,24) = 12 • often want no common factors (except 1) and hence numbers are relatively prime –eg GCD(8,15) = 1 –hence 8 & 15 are relatively prime 78
  • 79. Euclidean Algorithm • an efficient way to find the GCD(a,b) • uses theorem that: –GCD(a,b) = GCD(b, a mod b) • Euclidean Algorithm to compute GCD(a,b) is: EUCLID(a,b) 1. A = a; B = b 2. if B = 0 return A = gcd(a, b) 3. R = A mod B 4. A = B 5. B = R 6. goto 2 79
  • 80. Example GCD(1970,1066) 1970 = 1 x 1066 + 904 gcd(1066, 904) 1066 = 1 x 904 + 162 gcd(904, 162) 904 = 5 x 162 + 94 gcd(162, 94) 162 = 1 x 94 + 68 gcd(94, 68) 94 = 1 x 68 + 26 gcd(68, 26) 68 = 2 x 26 + 16 gcd(26, 16) 26 = 1 x 16 + 10 gcd(16, 10) 16 = 1 x 10 + 6 gcd(10, 6) 10 = 1 x 6 + 4 gcd(6, 4) 6 = 1 x 4 + 2 gcd(4, 2) 4 = 2 x 2 + 0 gcd(2, 0) 80
• 81. Modular exponentiation • In RSA, encryption as well as decryption require modular exponentiation, i.e. determining x^c mod n. This can be done in c−1 modular multiplications but is very inefficient when c is large. • The “square-and-multiply” algorithm reduces the number of modular multiplications needed to at most 2ℓ, where ℓ is the number of bits in the binary representation of c. • Since ℓ <= k (k being the bit length of n), it is possible to find x^c mod n in O(k^3). Thus RSA encryption and decryption can be performed in polynomial time. 81
• 82. Exponential Notation • Recall that exponential notation represents an expression of the form a^k, where a represents the base of the expression and k represents the exponent. If the exponent k is a positive integer, then a^k = a · a · … · a (a multiplied by itself k times) 82
• 83. 7^1 mod 41 = 7; 7^2 mod 41 = 49 mod 41 = 8; 7^4 mod 41 = (7^2)^2 mod 41 = 8^2 mod 41 = 64 mod 41 = 23; 7^8 mod 41 = (7^4)^2 mod 41 = 23^2 mod 41 = 529 mod 41 = 37; 7^16 mod 41 = (7^8)^2 mod 41 = 37^2 mod 41 = 1369 mod 41 = 16; 7^32 mod 41 = (7^16)^2 mod 41 = 16^2 mod 41 = 256 mod 41 = 10; 7^64 mod 41 = (7^32)^2 mod 41 = 10^2 mod 41 = 100 mod 41 = 18 83
• 85. Exponentiation • can use the Square and Multiply algorithm • a fast, efficient algorithm for exponentiation • concept is based on repeatedly squaring the base • and multiplying in the ones that are needed to compute the result • look at the binary representation of the exponent • only takes O(log2 n) multiplications for an exponent n – eg. 7^5 = 7^4 · 7^1 = 3 · 7 = 21 ≡ 10 (mod 11) – eg. 3^129 = 3^128 · 3^1 = 5 · 3 = 15 ≡ 4 (mod 11) 85
• 87. Modular Exponentiation • An efficient way to compute a^b mod n • Repeated squaring • Computes a^c mod n as c is increased from 0 to b • Each exponent computed in the sequence is either twice the previous exponent or one more than the previous exponent • Each iteration of the loop uses one of the identities a^(2c) mod n = (a^c)^2 mod n, a^(2c+1) mod n = a · (a^c)^2 mod n depending on whether bi = 0 or 1 • Just after bit bi is read and processed, the value of c is the same as the prefix bk bk−1 … bi of the binary representation of b • Variable c is not needed (included just for explanation) Modular-Exponentiation(a, b, n) 1. c ← 0 2. d ← 1 3. let bk bk−1 … b0 be the binary representation of b 4. for i ← k downto 0 5. do c ← 2c 6. d ← (d · d) mod n 7. if bi = 1 8. then c ← c + 1 9. d ← (d · a) mod n 10. return d 87
• 88. Modular Exponentiation - Example Modular-Exponentiation(a, b, n) 1. c ← 0 2. d ← 1 3. let bk bk−1 … b0 be the binary representation of b 4. for i ← k downto 0 5. do c ← 2c 6. d ← (d · d) mod n 7. if bi = 1 8. then c ← c + 1 9. d ← (d · a) mod n 10. return d • Example – Result of the Modular-Exponentiation algorithm for a^b mod n, where a = 7, b = 560 = 1000110000 (binary), n = 561. The values are shown after each execution of the for loop 88
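The left-to-right square-and-multiply procedure of the last two slides in Python, as an added example that is not part of the original deck. The trace records (bit, c, d) after each loop iteration so the 7^560 mod 561 example can be followed step by step, and a second function produces the 7^(2^i) mod 41 table by repeated squaring. Function names are assumptions made for this illustration.

```python
def mod_exp(a, b, n, trace=None):
    """Left-to-right square-and-multiply, exactly as in the slide's pseudocode.
    c tracks the exponent prefix processed so far (for explanation only); d = a^c mod n.
    If `trace` is a list, (bit, c, d) is appended after each iteration."""
    c, d = 0, 1
    for bit in bin(b)[2:]:              # b_k ... b_0, most significant bit first
        c, d = 2 * c, (d * d) % n       # a^(2c) = (a^c)^2
        if bit == "1":
            c, d = c + 1, (d * a) % n   # a^(2c+1) = a * (a^c)^2
        if trace is not None:
            trace.append((int(bit), c, d))
    return d

def power_table(a, n, squarings):
    """[a^(2^i) mod n for i = 0..squarings], each entry obtained by squaring the previous one."""
    row, cur = [], a % n
    for _ in range(squarings + 1):
        row.append(cur)
        cur = (cur * cur) % n
    return row

def multiplications_used(b):
    """Squarings plus multiplications: one squaring per bit, one multiply per 1-bit,
    i.e. at most 2 * (bit length) modular multiplications instead of b - 1."""
    bits = bin(b)[2:]
    return len(bits) + bits.count("1")

if __name__ == "__main__":
    steps = []
    print(mod_exp(7, 560, 561, steps))
    for bit, c, d in steps:
        print(f"bit={bit}  c={c:4d}  d={d}")
    print(power_table(7, 41, 6))        # the 7^1, 7^2, 7^4, ... mod 41 table
```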
• 90. Fields • Definition 3.1.1: A field is a nonempty set F of elements with two operations “+” and “·” satisfying the following axioms for all a, b, c ∈ F. – (i) F is closed under + and ·; i.e., a+b and a·b are in F. – (ii) Commutative laws: a+b = b+a, a·b = b·a – (iii) Associative laws: (a+b)+c = a+(b+c), (a·b)·c = a·(b·c) – (iv) Distributive law: a·(b+c) = a·b + a·c – (v), (vi) Identity: a+0 = a, a·1 = a for all a ∈ F; 0·a = 0. – (vii) Additive inverse: for all a ∈ F, there exists an additive inverse (−a) such that a+(−a) = 0 – (viii) Multiplicative inverse: for all a ∈ F, a ≠ 0, there exists a multiplicative inverse a^-1 such that a·a^-1 = 1 90
• 91. Fields • Lemma 3.1.3: Let F be a field and a, b ∈ F. – (i) (−1)·a = −a – (ii) ab = 0 implies a = 0 or b = 0. • Proof: – (i) (−1)·a + a = (−1)·a + 1·a = ((−1)+1)·a = 0·a = 0. Thus, (−1)·a = −a – (ii) If a ≠ 0, then b = 1·b = (a^-1 a)b = a^-1(ab) = a^-1·0 = 0. 91
• 92. Fields • Definition: – A field containing only finitely many elements is called a finite field. – A set F satisfying axioms (i)-(vii) in Definition 3.1.1 is called a (commutative) ring. • Example 3.1.4: – Integer ring: The set of all integers Z = {0, ±1, ±2, …} forms a ring under the normal addition and multiplication. – The set of all polynomials over a field F, F[x] = {a0 + a1x + … + an x^n | ai ∈ F, n ≥ 0}, forms a ring under the normal addition and multiplication of polynomials. 92
• 93. Fields • Definition 3.1.5: Let a, b and m > 1 be integers. We say that a is congruent to b modulo m, written as a ≡ b (mod m), if m | (a − b); i.e., m divides a − b. • Remark 3.1.7: a = mq + b, where b (0 ≤ b < m) is uniquely determined by a and m. The integer b is called the (principal) remainder of a divided by m, denoted by (a (mod m)) 93
• 94. Fields • The ring Zm (or Z/(m)) is the set {0, 1, …, m−1} under addition and multiplication defined as follows – + : a + b in Zm = (a + b) mod m – · : a · b in Zm = ab mod m • Example 3.1.8: – Z2 is a ring and also a field. – Z4 is a ring but not a field since 2^-1 does not exist. 94
• 95. Fields • Theorem 3.1.9: Zm is a field if and only if m is a prime. Proof: – (⇒) Suppose that m is a composite number and let m = ab for two integers 1 < a, b < m. Thus a ≠ 0, b ≠ 0, but 0 = m = ab in Zm. This is a contradiction to Lemma 3.1.3. Hence Zm is not a field. – (⇐) If m is a prime, then for any a ∈ Zm with 0 < a < m, a is prime to m, so there exist two integers u, v such that ua + vm = 1. Thus ua ≡ 1 (mod m), i.e., u = a^-1. This implies that axiom (viii) in Definition 3.1.1 is also satisfied and hence Zm is a field. 95
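An added example (not from the slides) that checks the algebra of Zm by brute force, serving both the "peculiarities" slide (cancellation of a·b ≡ a·c only when a is relatively prime to n) and Theorem 3.1.9 (Zm is a field exactly when m is prime): it enumerates the units of Zm, decides whether every nonzero element has an inverse, and lists the cancellation-law counterexamples, which all involve a non-unit. Function names are assumptions made for this illustration.

```python
from math import gcd

def inverses_mod(m):
    """Map each invertible a in Z_m to a^-1 (found by search); non-units are absent."""
    inv = {}
    for a in range(1, m):
        for b in range(1, m):
            if (a * b) % m == 1:
                inv[a] = b
                break
    return inv

def units_mod(m):
    """The elements of Z_m with an inverse are exactly those relatively prime to m."""
    return sorted(inverses_mod(m))

def is_field(m):
    """Z_m is a field iff every nonzero element has a multiplicative inverse (axiom viii)."""
    return m > 1 and len(inverses_mod(m)) == m - 1

def cancellation_counterexamples(m):
    """Triples (a, b, c) with a*b ≡ a*c (mod m) but b ≠ c. They exist only for gcd(a, m) > 1,
    since for a unit we can multiply both sides by a^-1."""
    out = []
    for a in range(1, m):
        for b in range(m):
            for c in range(b + 1, m):
                if (a * b) % m == (a * c) % m:
                    out.append((a, b, c))
    return out

def is_prime_small(m):
    return m > 1 and all(m % d for d in range(2, int(m ** 0.5) + 1))

if __name__ == "__main__":
    print("units of Z_12:", units_mod(12))
    print("Z_7 field?", is_field(7), " Z_4 field?", is_field(4))
    print("Z_8 cancellation failures:", cancellation_counterexamples(8)[:5])
```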
  • 96. Fields • Definition 3.1.10: Let F be a field. The characteristic of F is the least positive integer p such that p*1=0, where 1 is the multiplicative identity of F. If no such p exists, we define the characteristic to be 0. • Example 3.1.11 – The characteristics of Q, R, C are 0. – The characteristic of the field Zp is p for any prime p. 96
• 97. Fields • Theorem 3.1.12: The characteristic of a field is either 0 or a prime number. • Proof: 1 is not the characteristic, as 1·1 ≠ 0. Suppose that the characteristic p of a field F is composite. Let p = m·n for 1 < n, m < p. Then 0 = p·1 = (m·n)·1 = (Σ_{i=1}^{m} 1)(Σ_{i=1}^{n} 1) = (m·1)(n·1), so m·1 = 0 or n·1 = 0 (Lemma 3.1.3). This contradicts the definition of the characteristic as the least such positive integer. 97
  • 98. Fields • In abstract algebra a subfield is a subset of a field which, together with the additive and multiplicative operators restricted to it, is a field in its own right. • If K is a subfield of L, then L is said to be a field extension of K. • Example: – Q is a subfield of both R and C. – R is a subfield of C. – Let F be a field of characteristic p; then Zp can be naturally viewed as a subfield of F. 98
• 99. Fields • Theorem 3.1.14: A finite field F of characteristic p contains p^n elements for some integer n ≥ 1. • Proof: – Choose an element α1 ∈ F*. We claim that 0·α1, 1·α1, …, (p−1)·α1 are pairwise distinct. If i·α1 = j·α1 for some 0 ≤ i ≤ j ≤ p−1, then (j − i)·α1 = 0. Hence i = j (∵ the characteristic of F is p and 0 ≤ j − i < p). If F = {0·α1, 1·α1, …, (p−1)·α1}, we are done. – Otherwise, we choose an element α2 in F \ {0·α1, 1·α1, …, (p−1)·α1}. We claim that the elements a1α1 + a2α2 are pairwise distinct. If a1α1 + a2α2 = b1α1 + b2α2 for some 0 ≤ a1, a2, b1, b2 ≤ p−1, then a2 = b2; otherwise, α2 = (b2 − a2)^-1 (a1 − b1) α1, contradicting our choice of α2. Since a2 = b2, then a1 = b1. – In the same manner, we can show that a1α1 + … + anαn are pairwise distinct for all ai ∈ Zp. This implies |F| = p^n.
• 100. Polynomial rings • Definition 3.2.1: – F[x] = { Σ_{i=0}^{n} ai x^i : ai ∈ F, n ≥ 0 } is called the polynomial ring over a field F. – deg(f(x)): for a polynomial f(x) = Σ_{i=0}^{n} ai x^i with an ≠ 0, n is called the degree of f(x). – deg(0) = −∞ – A nonzero polynomial is said to be monic if an = 1. – For deg(f(x)) > 0, f(x) is said to be reducible if there exist g(x), h(x) such that deg(g(x)) < deg(f(x)), deg(h(x)) < deg(f(x)) and f(x) = g(x) h(x). Otherwise f(x) is said to be irreducible. 100
• 101. Polynomial rings • Example 3.2.2 – f(x) = x^4 + 2x^6 ∈ Z3[x] is of degree 6. It is reducible as f(x) = x^4(1 + 2x^2). – g(x) = 1 + x + x^2 ∈ Z2[x] is of degree 2. It is irreducible since g(0) = g(1) = 1 ≠ 0. – 1 + x + x^3 and 1 + x^2 + x^3 are irreducible over Z2. • Definition 3.2.3: Let f(x) ∈ F[x], deg(f(x)) ≥ 1. For any polynomial g(x) ∈ F[x], there exists a unique pair (s(x), r(x)) with deg(r(x)) < deg(f(x)) or r(x) = 0 such that g(x) = s(x)f(x) + r(x). – r(x) is called the (principal) remainder of g(x) divided by f(x), denoted by (g(x) (mod f(x))) 101
  • 102. Finite Fields • will now introduce finite fields • of increasing importance in cryptography –AES, Elliptic Curve, IDEA, Public Key • concern operations on “numbers” –where what constitutes a “number” and the type of operations varies considerably • start with concepts of groups, rings, fields from abstract algebra
• 130. PRIME NUMBERS • An integer p > 1 is a prime number if its only divisors are 1 and p • There are infinitely many primes • Distribution of primes – The Prime Number Theorem • Let π(N) denote the number of primes not exceeding N. Then π(N) is approximately N / ln N – Twin primes • (Infinitely many) pairs of primes that differ by two • e.g., (5, 7), (11, 13), (101, 103), (4967, 4969), … – For any positive integer n, there are at least n consecutive composite positive integers, e.g. (n+1)! + 2, (n+1)! + 3, …, (n+1)! + (n+1)
• 132. PRIME FACTORIZATION • Unique factorization – The Fundamental Theorem of Arithmetic • Every positive integer a > 1 can be factored uniquely as a = p1^a1 p2^a2 … pt^at, where p1 < p2 < … < pt are primes and each ai > 0 – If P is the set of all prime numbers, then any positive integer can be written uniquely in the form a = Π_{p ∈ P} p^ap, with every ap ≥ 0 and only finitely many ap nonzero 132
• 133. • The value of any positive integer can be specified by listing all nonzero exponents (ap) • 12 (= 2^2 × 3) is represented by {a2 = 2, a3 = 1} • (Multiplication) k = ab → kp = ap + bp for all p ∈ P • (Divisibility) a | b → ap ≤ bp for all p ∈ P PRIME FACTORIZATION 133
• 134. FERMAT’S LITTLE THEOREM • Theorem: If p is prime and a is a positive integer not divisible by p, then a^(p−1) ≡ 1 (mod p) • Proof: Start by listing the first p − 1 positive multiples of a: a, 2a, 3a, …, (p−1)a. Suppose that ja and ka are the same modulo p; then we have j ≡ k (mod p), so the p−1 multiples of a above are distinct and nonzero; that is, they must be congruent to 1, 2, 3, …, p−1 in some order. Multiply all these congruences together and we find a · 2a · 3a · … · (p−1)a ≡ 1 · 2 · 3 · … · (p−1) (mod p), or better, a^(p−1) (p−1)! ≡ (p−1)! (mod p). Divide both sides by (p−1)! to complete the proof.
• 135. • Corollary: If p is prime and a is a positive integer, then a^p ≡ a (mod p) • Corollary: If p is prime and a is a positive integer not divisible by p, then a^(p−2) is an inverse of a modulo p FERMAT’S LITTLE THEOREM 135
• 136. EULER’S PHI-FUNCTION • Definition: Euler’s phi-function φ(n) is defined to be the number of positive integers less than n (including 1) that are relatively prime to n 136
• 137. • Properties (1) φ(1) = 1 (by convention) (2) If p is prime, φ(p) = p−1 (3) Let p be a prime and a a positive integer. Then φ(p^a) = p^a − p^(a−1) = p^a(1 − 1/p) (4) Let m and n be relatively prime positive integers. Then φ(mn) = φ(m) φ(n) (5) Let n = p1^a1 p2^a2 … pt^at be the prime-power factorization of the positive integer n. Then φ(n) = n(1 − 1/p1)(1 − 1/p2) ··· (1 − 1/pt) EULER’S PHI-FUNCTION 137
• 138. EULER’S THEOREM • Generalization of Fermat’s little theorem • Theorem: For every a and n that are relatively prime, a^φ(n) ≡ 1 (mod n) 138
• 139. • Proof – The proof is completely analogous to that of Fermat's theorem, except that instead of the set of residues {1, 2, ..., n−1} we now consider the set of residues {x1, x2, ..., xφ(n)} which are relatively prime to n. In exactly the same manner as before, multiplication by a modulo n results in a permutation of the set {x1, x2, ..., xφ(n)}. Therefore, the two products are congruent: x1 x2 ... xφ(n) ≡ (ax1)(ax2) ... (axφ(n)) (mod n); dividing by the left-hand side proves the theorem. • Corollary (1) a^(φ(n)+1) ≡ a (mod n) (2) If gcd(a, n) = 1, then a^(φ(n)−1) is an inverse of a modulo n 139
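The prime-factorization, phi-function, Fermat and Euler slides, carried through in code as an added example that is not part of the original deck: φ(n) is computed from the factorization via property (5) and cross-checked against the counting definition, and the two theorems and the inverse corollary are verified by direct modular exponentiation. Function names are assumptions made for this illustration.

```python
from math import gcd

def factorize(n):
    """Prime-power factorization {p: a_p} by trial division (adequate for small n)."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def phi(n):
    """phi(n) = n * prod(1 - 1/p) over the distinct primes p dividing n (property 5).
    Integer form: divide by p, multiply by p - 1, once per distinct prime."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)
    return result

def phi_by_count(n):
    """The definition: count 1 <= k <= n with gcd(k, n) = 1 (so phi(1) = 1)."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)

def fermat_holds(a, p):
    """a^(p-1) ≡ 1 (mod p) for prime p and p not dividing a."""
    return pow(a, p - 1, p) == 1

def euler_holds(a, n):
    """a^phi(n) ≡ 1 (mod n) whenever gcd(a, n) = 1."""
    return pow(a, phi(n), n) == 1

def inverse_by_euler(a, n):
    """Corollary (2): for gcd(a, n) = 1, a^(phi(n)-1) is a^-1 mod n (a^(p-2) for prime n)."""
    if gcd(a, n) != 1:
        raise ValueError("a must be relatively prime to n")
    return pow(a, phi(n) - 1, n)

if __name__ == "__main__":
    print(factorize(12), phi(12), phi_by_count(12))
    print(fermat_holds(2, 7), euler_holds(7, 15), inverse_by_euler(3, 10))
    print("561 passes Fermat with base 7:", fermat_holds(7, 561), "but factors as", factorize(561))
```

The last line is the caveat the primality-testing slide that follows is about: 561 = 3 · 11 · 17 satisfies a^560 ≡ 1 (mod 561) for every a coprime to it, so passing Fermat's test is necessary but not sufficient for primality.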
• 140. Primality Testing • often need to find large prime numbers • traditionally sieve using trial division • ie. divide by all numbers (primes) in turn less than the square root of the number • only works for small numbers • alternatively can use statistical primality tests based on properties of primes • for which all prime numbers satisfy the property • but some composite numbers, called pseudo-primes, also satisfy the property • can use a slower deterministic primality test 140
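The three approaches on this slide side by side, as an added example that is not part of the original deck: trial division, the Fermat probable-prime test (which the pseudoprimes 341 and 561 fool), and a Miller-Rabin test with fixed small-prime bases, which is deterministic for every 64-bit integer and rejects those pseudoprimes. Function names and the base list are assumptions made for this illustration.

```python
from math import gcd

def trial_division(n):
    """Exact but exponential in the bit length: only practical for small n."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def fermat_test(n, bases=(2, 3, 5, 7)):
    """Probable prime if a^(n-1) ≡ 1 (mod n) for every base coprime to n.
    Every prime passes; so do Carmichael numbers such as 561 (a pseudoprime for every base)."""
    if n < 2:
        return False
    return all(pow(a, n - 1, n) == 1 for a in bases if gcd(a, n) == 1)

def fermat_pseudoprimes(limit, base=2):
    """Composites below `limit` that pass Fermat's test for the given base."""
    return [n for n in range(3, limit) if not trial_division(n) and pow(base, n - 1, n) == 1]

def miller_rabin(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Strong probable-prime test. With these 12 bases it is deterministic for all n < 2^64
    (the known bound is far larger). Writes n-1 = 2^s * d and checks the square-root chain."""
    if n < 2:
        return False
    for p in bases:                       # handles small n and catches small factors
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                  # a is a witness that n is composite
    return True

if __name__ == "__main__":
    print("Fermat pseudoprimes (base 2) below 600:", fermat_pseudoprimes(600))
    print("561: trial", trial_division(561), " fermat", fermat_test(561), " miller-rabin", miller_rabin(561))
    print("2^61 - 1 prime?", miller_rabin(2 ** 61 - 1))
```

For key generation this is the practical recipe: screen candidates with a few Miller-Rabin rounds, and never rely on the Fermat test alone.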
• 141. CHINESE REMAINDER THEOREM • Chinese Remainder Theorem (CRT): Suppose m1, …, mk are pairwise relatively prime positive integers, and suppose a1, …, ak are integers. Then the system of k congruences x ≡ ai (mod mi) (1 ≤ i ≤ k) has a unique solution modulo M = m1 ··· mk, which is given by x ≡ Σ_{i=1}^{k} ai ci (mod M), where ci = Mi (Mi^-1 mod mi) and Mi = M / mi, for 1 ≤ i ≤ k. 141
• 142. CHINESE REMAINDER THEOREM Proof • Let M = m1 m2 … mk, where the mi’s are pairwise relatively prime, i.e., gcd(mi, mj) = 1 for 1 ≤ i ≠ j ≤ k • A ↔ (a1, a2, …, ak), where A ∈ ZM, ai ∈ Zmi, and ai = A mod mi for 1 ≤ i ≤ k • One-to-one correspondence (bijection) between ZM and the Cartesian product Zm1 × Zm2 × … × Zmk – For every integer A such that 0 ≤ A < M, there is a unique k-tuple (a1, a2, …, ak) with 0 ≤ ai < mi – For every such k-tuple (a1, a2, …, ak), there is a unique A in ZM 142
• 143. • Computing A from (a1, a2, …, ak) is done as follows: • Let Mi = M/mi for 1 ≤ i ≤ k, i.e., Mi = m1 m2 … mi−1 mi+1 … mk • Note that Mi ≡ 0 (mod mj) for all j ≠ i and gcd(Mi, mi) = 1 • Let ci = Mi × (Mi^-1 mod mi) for 1 ≤ i ≤ k • Then A ≡ (a1c1 + a2c2 + … + akck) (mod M) ⇒ ai = A mod mi, since cj ≡ Mj ≡ 0 (mod mi) if j ≠ i and ci ≡ 1 (mod mi) CHINESE REMAINDER THEOREM 143
• 144. CHINESE REMAINDER THEOREM • Operations performed on the elements of ZM can be equivalently performed on the corresponding k-tuples by performing the operation independently in each coordinate position – ex) A ↔ (a1, a2, ..., ak), B ↔ (b1, b2, …, bk) (A + B) mod M ↔ ((a1 + b1) mod m1, …, (ak + bk) mod mk) (A − B) mod M ↔ ((a1 − b1) mod m1, …, (ak − bk) mod mk) (A × B) mod M ↔ ((a1 × b1) mod m1, …, (ak × bk) mod mk) • CRT provides a way to manipulate (potentially large) numbers mod M in terms of tuples of smaller numbers 144
• 145. CHINESE REMAINDER THEOREM • Example – Let m1 = 37, m2 = 49, M = m1 m2 = 1813, A = 973, B = 678 – M1 = 49, M2 = 37 – Using the extended Euclidean algorithm: • M1^-1 mod m1 = 34, and M2^-1 mod m2 = 4 – Taking residues modulo 37 and 49: • 973 ↔ (11, 42), 678 ↔ (12, 41) – Add the tuples element-wise: • ((11 + 12) mod 37, (42 + 41) mod 49) = (23, 34) 145
• 146. – To verify, we compute • (23, 34) ↔ (a1c1 + a2c2) mod M = (a1 M1 M1^-1 + a2 M2 M2^-1) mod M = [(23)(49)(34) + (34)(37)(4)] mod 1813 = 1651 • which is equal to (678 + 973) mod 1813 = 1651 146
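The CRT reconstruction and the tuple arithmetic of the last five slides, as an added example that is not part of the original deck. It computes the ci = Mi (Mi^-1 mod mi) coefficients, reproduces the 973/678 mod 1813 example (including the 1651 check), and shows that addition and multiplication can be done coordinate-wise and mapped back. Function names are assumptions made for this illustration.

```python
from math import gcd
from itertools import combinations

def crt(residues, moduli):
    """Solve x ≡ a_i (mod m_i) for pairwise coprime moduli. Returns (x mod M, M).
    x = sum(a_i * c_i) mod M with c_i = M_i * (M_i^-1 mod m_i), M_i = M / m_i."""
    if any(gcd(a, b) != 1 for a, b in combinations(moduli, 2)):
        raise ValueError("moduli must be pairwise relatively prime")
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        c_i = M_i * pow(M_i, -1, m_i)    # c_i ≡ 1 (mod m_i) and c_i ≡ 0 (mod m_j), j != i
        x += a_i * c_i
    return x % M, M

def to_residues(A, moduli):
    """The k-tuple representation (A mod m_1, ..., A mod m_k)."""
    return tuple(A % m for m in moduli)

def crt_add(a, b, moduli):
    return tuple((x + y) % m for x, y, m in zip(a, b, moduli))

def crt_sub(a, b, moduli):
    return tuple((x - y) % m for x, y, m in zip(a, b, moduli))

def crt_mul(a, b, moduli):
    return tuple((x * y) % m for x, y, m in zip(a, b, moduli))

if __name__ == "__main__":
    moduli = (37, 49)
    a, b = to_residues(973, moduli), to_residues(678, moduli)      # (11, 42), (12, 41)
    s = crt_add(a, b, moduli)                                       # (23, 34)
    print(a, b, s, crt(s, moduli))                                  # -> 1651 mod 1813
```

This is the same trick RSA implementations use to speed up decryption: work modulo the two primes separately and recombine with CRT, which is also why a fault in one of the two half-computations is dangerous and must be checked before the result is released.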
• 154. Discrete Logarithm(s) (DLs) • Fix a prime p. Let a, b be nonzero integers (mod p). The problem of finding x such that a^x ≡ b (mod p) is called the discrete logarithm problem. Suppose that n is the smallest positive integer such that a^n ≡ 1 (mod p), i.e., n = ordp(a). Assuming 0 ≤ x < n, we denote x = La(b) and call it the discrete log of b w.r.t. a (mod p) • Ex: p = 11, a = 2, b = 9; then x = L2(9) = 6 154
• 155. Discrete Logarithms • In the RSA algorithm, the difficulty of factoring a large integer yields good cryptosystems • In the ElGamal method, the difficulty of solving the discrete logarithm problem yields good cryptosystems • Given p, a, b, solve a^x ≡ b (mod p) • a is suggested to be a primitive root mod p 155
  • 156. One-Way Function • A function f(x) is called a one-way function if f(x) is easy to compute, but, given y, it is computationally infeasible to find x with y=f(x). • La(b) is a one-way function if p is large 156
• 157. Primitive Roots mod 13 • a is a primitive root mod p if {a^k | 1 ≤ k ≤ p−1} = {1, 2, …, p−1} • 2, 6, 7, 11 are primitive roots mod 13 • 3^3 ≡ 1 (mod 13), 4^6 ≡ 1 (mod 13), 5^4 ≡ 1 (mod 13), 8^4 ≡ 1 (mod 13), 9^3 ≡ 1 (mod 13), 10^6 ≡ 1 (mod 13), 12^2 ≡ 1 (mod 13) 157
• 158. Solve a^x ≡ b (mod p) • An exhaustive search over all 0 ≤ x < p • Check only even x or only odd x according to b^((p−1)/2) ≡ (a^x)^((p−1)/2) ≡ (a^((p−1)/2))^x ≡ (−1)^x ≡ 1 or −1 (mod p), where a is a primitive root (Ex) p = 11, a = 2, b = 9: since b^((p−1)/2) ≡ 9^5 ≡ 1, check only the even numbers {0, 2, 4, 6, 8, 10} to find x = 6 such that 2^6 ≡ 9 (mod 11) 158
• 159. Solve a^x ≡ b (mod p) by Pohlig-Hellman Let p−1 = Π q^r over all primes q | (p−1). For each such q, write b0 = b and x = x0 + x1 q + x2 q^2 + … + x(r−1) q^(r−1) with 0 ≤ xi ≤ q−1 1. Find 0 ≤ k ≤ q−1 such that (a^((p−1)/q))^k ≡ b0^((p−1)/q); then x0 = k, and let b1 ≡ b0 a^(−x0) 2. Find 0 ≤ k ≤ q−1 such that (a^((p−1)/q))^k ≡ b1^((p−1)/q^2); then x1 = k, and let b2 ≡ b1 a^(−x1 q) 3. Repeat steps 1, 2 until x(r−1) is found for this q (giving x mod q^r) 4. Repeat steps 1–3 for all q’s, then apply the Chinese Remainder Theorem to get the final solution 159
• 160. Example: 7^x ≡ 12 (mod 41); p = 41, a = 7, b = 12 • p−1 = 41−1 = 40 = 2^3 · 5 • b0 = 12 • For q = 2: b0 = 12, b1 = 31, b2 = 31, and x = x0 + 2x1 + 4x2 ≡ 1 + 2·0 + 4·1 ≡ 5 (mod 8) • For q = 5: b0 = 12, b1 = 18, and x = x0 ≡ 3 (mod 5) • Solving x ≡ 5 (mod 8) and x ≡ 3 (mod 5), we have x ≡ 13 (mod 40) 160
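The discrete-logarithm slides from the definition through Pohlig-Hellman, as an added example that is not part of the original deck: order and primitive-root checks (reproducing the mod 13 list), exhaustive search, the parity shortcut from the b^((p−1)/2) test, and the Pohlig-Hellman digit-by-digit procedure recombined with CRT, which yields the slide's x = 13 for 7^x ≡ 12 (mod 41). The factorization of p−1 is passed in as a dictionary; function names are assumptions made for this illustration.

```python
def order(a, p):
    """Smallest n >= 1 with a^n ≡ 1 (mod p), for 1 <= a < p and prime p."""
    n, x = 1, a % p
    while x != 1:
        x = x * a % p
        n += 1
    return n

def primitive_roots(p):
    """a is a primitive root iff its order is p-1, i.e. its powers cover all of 1..p-1."""
    return [a for a in range(1, p) if order(a, p) == p - 1]

def dlog_bruteforce(a, b, p):
    """Exhaustive search for x with a^x ≡ b (mod p); cost grows linearly in p."""
    x, cur = 0, 1
    while cur != b % p:
        cur = cur * a % p
        x += 1
        if x >= p:
            raise ValueError("b is not a power of a modulo p")
    return x

def dlog_parity(a, b, p):
    """For a primitive root a: b^((p-1)/2) ≡ (-1)^x, so the exponent's parity is free."""
    return "even" if pow(b, (p - 1) // 2, p) == 1 else "odd"

def combine_crt(residues, moduli):
    """Chinese remainder combination for pairwise coprime moduli (compact inline form)."""
    M = 1
    for m in moduli:
        M *= m
    return sum(r * (M // m) * pow(M // m, -1, m) for r, m in zip(residues, moduli)) % M

def pohlig_hellman(a, b, p, factors):
    """a^x ≡ b (mod p) for a primitive root a; factors = {q: r} with p-1 = prod q^r.
    For each q, x mod q^r is found one base-q digit at a time in the order-q subgroup,
    then the pieces are combined with CRT. Cheap exactly when p-1 has only small factors."""
    n = p - 1
    a_inv = pow(a, -1, p)
    residues, moduli = [], []
    for q, r in factors.items():
        a_q = pow(a, n // q, p)                   # generator of the order-q subgroup
        x, b_k = 0, b % p
        for k in range(r):
            t = pow(b_k, n // q ** (k + 1), p)    # (b_k)^((p-1)/q^(k+1))
            for digit in range(q):                # at most q trials per digit
                if pow(a_q, digit, p) == t:
                    break
            else:
                raise ValueError("no solution: a is not a primitive root or b not in <a>")
            x += digit * q ** k
            b_k = b_k * pow(a_inv, digit * q ** k, p) % p   # strip the digit just found
        residues.append(x)
        moduli.append(q ** r)
    return combine_crt(residues, moduli)

if __name__ == "__main__":
    print(primitive_roots(13))                          # [2, 6, 7, 11]
    print(dlog_parity(2, 9, 11), dlog_bruteforce(2, 9, 11))
    print(pohlig_hellman(7, 12, 41, {2: 3, 5: 1}))      # 13
```

The defensive reading of Pohlig-Hellman is the one that matters in practice: a discrete-log group is only as strong as the largest prime factor of its order, which is why Diffie-Hellman and ElGamal parameters use safe primes p = 2q + 1 or prime-order subgroups rather than an arbitrary p.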
• 161. Solve a^x ≡ b (mod p) by Index Calculus Let B be a bound and let p1, p2, …, pm be the primes less than B, covering all of the prime factors of p−1. Then appropriately choose k(j)’s such that a^k(j) ≡ p1^r1 p2^r2 … pm^rm (mod p), i.e., r1·La(p1) + r2·La(p2) + … + rm·La(pm) ≡ k(j) (mod p−1), for several j’s; solve the linear system to get La(p1), La(p2), …, La(pm); then select R and apply b·a^R ≡ p1^b1 p2^b2 … pm^bm (mod p), so that the solution is La(b) ≡ −R + Σ bi La(pi) (mod p−1) 161
• 162. Solve 2^x ≡ 37 (mod 131) p = 131, a = 2, b = 37; let B = 10, then p1 = 2, p2 = 3, p3 = 5, p4 = 7. Since 2^8 ≡ 5^3, 2^12 ≡ 5·7, 2^14 ≡ 3^2, 2^34 ≡ 3·5^2 (mod p), we have 3L2(5) ≡ 8 (mod 130), L2(5) + L2(7) ≡ 12 (mod 130), 2L2(3) ≡ 14 (mod 130), L2(3) + 2L2(5) ≡ 34 (mod 130) 162
• 163. L2([3, 5, 7]) = [72, 46, 96]. Choose R = 43; then 37·2^43 ≡ 3·5·7 (mod 131), so we have L2(37) ≡ −43 + L2(3) + L2(5) + L2(7) ≡ 41 (mod 130) • L2(11) ≡ 56 (mod 130) [R = 4] • L2(23) ≡ 23 (mod 130) [R = 5] 163
• 164. A Lemma on p ≡ 3 (mod 4) Let p ≡ 3 (mod 4), r ≥ 2. Suppose a and g are nonzero integers such that g ≡ a^(y·2^r) (mod p). Then g^((p+1)/4) ≡ a^(y·2^(r−1)) (mod p) [Proof] g^((p+1)/4) ≡ a^((p+1)·y·2^(r−2)) ≡ a^(y·2^(r−1)) · (a^(p−1))^(y·2^(r−2)) ≡ a^(y·2^(r−1)) (mod p) 164
  • 165. A La(b) (mod 4) Machine • Let a be a primitive root (mod p), where p≡3 (mod 4) is large, then Computing La(b) (mod 4) is as difficult as finding the solution of ax ≡ b (mod p) [P.172] 165
• 166. The ElGamal Public Key Cryptosystem Alice wants to send a message m to Bob. Bob chooses a large prime p and a primitive root a. Assume m is an integer 0 ≤ m < p, and Bob selects a secret integer x to compute b ≡ a^x (mod p). The information (p, a, b) is made public and is Bob’s public key. Alice does the following procedures. 166
• 167. Encryption and Decryption 1. Downloads (p, a, b) 2. Chooses a secret random k and computes r ≡ a^k (mod p) 3. Computes t ≡ b^k m (mod p) 4. Sends the pair (t, r) to Bob Bob decrypts by computing t r^(−x) (≡ m (mod p)) 167
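The ElGamal exchange of the last two slides end to end, as an added example that is not part of the original deck: Bob's key generation b ≡ a^x, Alice's (t, r) with a fresh random k, and Bob's recovery m ≡ t·r^(−x) (the inverse is taken via Fermat, r^(p−1−x)). The prime p = 467 and generator a = 2 are constructed toy parameters (467 = 2·233 + 1, so the primitive-root check needs only the factors 2 and 233); real deployments use primes of 2048 bits or more. Function names are assumptions made for this illustration.

```python
import secrets

def is_primitive_root(a, p, prime_factors_of_p_minus_1):
    """a generates Z_p^* iff a^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(a, (p - 1) // q, p) != 1 for q in prime_factors_of_p_minus_1)

def keygen(p, a):
    """Bob: secret x in [1, p-2], public b = a^x mod p. Returns (x, (p, a, b))."""
    x = secrets.randbelow(p - 2) + 1
    return x, (p, a, pow(a, x, p))

def encrypt(public_key, m, k=None):
    """Alice: r = a^k, t = b^k * m (mod p). k must be fresh and secret for every message;
    the optional k parameter exists only so the worked example below is reproducible."""
    p, a, b = public_key
    if not 0 <= m < p:
        raise ValueError("message must be an integer in [0, p)")
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    r = pow(a, k, p)
    t = pow(b, k, p) * m % p
    return t, r

def decrypt(x, public_key, ciphertext):
    """Bob: m = t * r^(-x) mod p, with r^(-x) = r^(p-1-x) by Fermat's little theorem."""
    p, _, _ = public_key
    t, r = ciphertext
    return t * pow(r, p - 1 - x, p) % p

def k_reuse_exposes_ratio(ct1, ct2, p):
    """Failure mode: if the same k is used twice, r1 == r2 and t1/t2 = m1/m2 (mod p),
    so knowing one message reveals the other. Returns that ratio when r repeats."""
    (t1, r1), (t2, r2) = ct1, ct2
    if r1 != r2:
        return None
    return t1 * pow(t2, p - 2, p) % p

# Constructed toy parameters: safe prime 467 = 2 * 233 + 1, generator 2.
P, A = 467, 2

if __name__ == "__main__":
    x, pub = keygen(P, A)
    ct = encrypt(pub, 123)
    print(pub, ct, decrypt(x, pub, ct))
```

Two properties of the scheme follow directly from the code: the ciphertext is twice the size of the message (t and r), and it is randomized, so encrypting the same m twice gives different (t, r) pairs; the k-reuse helper shows why that randomness must never be recycled.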