security in computing chapter 12, cryptography explained part 3
Post on 06-Jan-2016
1
Security in Computing, Chapter 12, Cryptography Explained
Part 3
Summary created by Kirk Scott
2
• This set of overheads corresponds to the third portion of section 12.1 in the book
• The overheads for Chapter 12 roughly track the topics in the chapter
• Keep this in mind though:
• On some topics I simply go over the book’s material
• On other topics I expand on the book’s material in a significant way
• You are responsible not just for what’s in the book, but also what’s in the overheads that’s not in the book
3
Book Section 12.1, Mathematics for Cryptography. Subsection Heading: Properties of Arithmetic
• This is the sub-subheading covered in this portion of the overheads:
• Computing Inverses
• This topic will be covered in more detail than in the book
4
Some Proofs and Fermat’s Little Theorem
• This set of overheads falls into three sections:
• 1. Preliminary Things Concerning Modular Fields
• 2. Fermat’s Little Theorem, Statement and Preliminaries
• 3. The Proof of Fermat’s Little Theorem
5
1. Preliminary Things Concerning Modular Fields
• The claim was made in the previous set of overheads that if n is prime, then modular addition and multiplication form an algebraic field.
• Most of the characteristics of a field result fairly clearly from the same characteristics in the integers.
• For example:
• (2 * 3) mod 5 = (3 * 2) mod 5 (commutativity)
• because:
• 2 * 3 = 3 * 2
6
• A comprehensive list of the properties of a field will not be repeated here.
• The fact that these properties hold for modular arithmetic with n prime will not be demonstrated.
• However, the most important property of a field from the cryptographic point of view is the existence of multiplicative inverses for all elements of the field.
• This property does not obviously stem from the properties of regular arithmetic.
• It is somewhat more daunting to establish, and that topic will be pursued now.
7
• If you refer back to the multiplication tables at the end of the previous set of overheads, in the examples shown it was clear that if n = 4, not prime, not every integer between 1 and 4 had an inverse.
• It is relatively straightforward to show that for n composite, not all elements have inverses.
• This is because it is precisely the factors of the composite numbers that do not have inverses.
8
If n is Composite, Its Factors Don’t Have Inverses
• This will be shown using contradiction
• We’ll suppose that a factor of a composite has a modular inverse and find a contradiction
• If n is composite, then there exist a and c not equal to 1 such that:
• ac = n
• Now assume that a has an inverse:
• $(a \cdot a^{-1}) \bmod n = 1$
9
• $(a \cdot a^{-1}) \bmod n = 1$
• By definition, this implies that there exists some p such that:
• $a \cdot a^{-1} = pn + 1$
• Note that from this point on, we’re not doing modular arithmetic anymore
• However, we are still dealing only with the set of integers
10
• Follow this set of transformations:
• $a \cdot a^{-1} = pn + 1$
• $a \cdot a^{-1} = p(ac) + 1$ (substituting n = ac)
• $a \cdot a^{-1} = pac + 1$
• $a \cdot a^{-1} - pac = 1$
• $a \cdot a^{-1} - apc = 1$
• $a(a^{-1} - pc) = 1$
11
• $a(a^{-1} - pc) = 1$
• This is a non-modular equation that has to hold in the integers
• The only possible factorization of 1 in the integers is 1 * 1
• That implies that a, on the left, has to be 1
• However, this is a contradiction, because it was given that a, as a factor of n composite, was not equal to 1
• Therefore, the assumption that a had an inverse in the modular field base n has to be false
12
If n is Prime, Each Element of the Field Has an Inverse
• The next proposition of interest is that for n prime, every a, 0 < a < n, has an inverse.
• The contents of the example multiplication table give a hint at how to show this.
• Every row of the table is a permutation of the values 0 through n – 1, the only possible values in the field.
• If you can show that for an arbitrary a, there can be no duplicates in a row, then one of the row elements has to be 1.
• Thus, a has an inverse.
13
• This can be shown by contradiction.
• We’re going to assume that there are duplicate entries in a row in the table and show that this leads to a contradiction.
• Let n be prime, let a be between 0 and n, and also let there exist b, c, and d between 0 and n, where b is not equal to c.
• The idea is that a is the value of the row.
• b and c are the column values.
• ab and ac are entries in the row.
14
• Assume that ab and ac multiply to the same result, d.
• In other words, there are duplicate entries in the row of the multiplication table for value a.
• This can be expressed as follows:
• (ab) mod n = d and (ac) mod n = d
15
• (ab) mod n = d and (ac) mod n = d
• The above statement implies that there exist some p and q such that:
• ab = pn + d and ac = qn + d
16
• ab = pn + d and ac = qn + d
• Without loss of generality, assume that p > q and subtract the second equality from the first:
• ab – ac = (pn + d) – (qn + d)
• ab – ac = pn – qn
• ab – ac = n(p – q)
• a(b – c) = n(p – q)
17
• a(b – c) = n(p – q)
• There are contradictions lurking in the statement above.
• They can be considered in two cases:
• Case 1: (p – q) = 1
• Case 2: (p – q) > 1
• There are no other cases because we are dealing only with the set of non-negative integers, and (p – q) = 0 clearly leads nowhere.
18
• The equation we arrived at:
• a(b – c) = n(p – q)
• Case 1: (p – q) = 1
• This would mean that n is factorable as
• a(b – c)
• But n is prime, so this is a contradiction
19
• The equation we arrived at:
• a(b – c) = n(p – q)
• Case 2: (p – q) > 1
• This means that the expression on the left, a(b – c), is factorable as n(p – q)
• Then, since n was chosen to be prime, n is a prime factor of the expression on the left
• But a, b, and c were chosen to be smaller than n, and the quantity (b – c) would also be smaller than n
• The contradiction is that a quantity can’t have a prime factor that is larger than the quantity itself
20
• The two cases (plus the 0 case) exhaust the possibilities
• Both cases lead to contradictions
• Therefore, the assumption that there are duplicates in a row in the modular multiplication table is false
• Therefore, each row contains a 1
• Therefore, every element of a modular field has an inverse in the field
21
• To repeat, this argument works on the basis of understanding that the valid values in a row range from 0 to n – 1 and there are n entries in a row.
• This means that if there are no duplicates there is a 1 in each row.
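The two results above (factors of a composite n have no inverse; for prime n every row of the table is a permutation, so every non-zero element has an inverse) can be checked directly by building the table. The following is an added example, not code from the overheads or the textbook; it goes slightly further than the slides by checking that the elements without an inverse are exactly those sharing a factor with n, not only the factors themselves.

```python
from math import gcd

# Added example, not part of the overheads: build the modular multiplication
# table and check the two claims directly (inverses exist for every non-zero
# element when n is prime; elements sharing a factor with n have none).

def mult_table(n):
    """Table of (a * b) mod n, indexed as table[a][b] for 0 <= a, b < n."""
    return [[(a * b) % n for b in range(n)] for a in range(n)]

def row_is_permutation(row):
    """True if the row holds each of 0 .. n-1 exactly once (no duplicates)."""
    return sorted(row) == list(range(len(row)))

def inverse_from_table(table, a):
    """The b with (a * b) mod n == 1, found by scanning row a; None if absent."""
    for b, product in enumerate(table[a]):
        if product == 1:
            return b
    return None

def elements_without_inverse(n):
    """Non-zero elements of the integers mod n that have no inverse."""
    table = mult_table(n)
    return [a for a in range(1, n) if inverse_from_table(table, a) is None]

def no_duplicates_iff_inverse(n):
    """For every non-zero a, 'row a has no duplicates' and 'a has an inverse'
    are the same condition, which is what the permutation argument relies on."""
    table = mult_table(n)
    return all(row_is_permutation(table[a]) == (inverse_from_table(table, a) is not None)
               for a in range(1, n))

def missing_inverses_share_factor(n):
    """The elements without an inverse are exactly those with gcd(a, n) != 1."""
    return elements_without_inverse(n) == [a for a in range(1, n) if gcd(a, n) != 1]

if __name__ == "__main__":
    for n in (4, 5, 12, 13):
        print(n, "no inverse for:", elements_without_inverse(n))
```

For n = 4 the only element without an inverse is 2; for n = 12 the list is 2, 3, 4, 6, 8, 9, 10, which includes 8, 9 and 10 even though they are not factors of 12. For the primes 5 and 13 the list is empty.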
22
Another Result: Does r! Have an Inverse in a Modular Field?
• Induction came up first in considering the sum of the first n integers
• Considering the inverse of the expression r! will also involve induction
• The result isn’t earth-shaking and the proof isn’t hard
• Getting up to speed with induction is worthwhile because it will be needed for Fermat’s theorem, the result of interest
23
• The question is, for some r, 0 < r < n, n prime, does the expression r! have an inverse in the modular field with n as its base?
• To answer this question, it’s necessary to have a formal definition of factorial, !
• Because we’re interested in finding a multiplicative inverse, and 0 doesn’t have one anyway, the definition of factorial can start with 1
24
• Here is an inductive definition of factorial starting with 1:
• 1! = 1
• r! = r(r – 1)!
• A base case is given
• Then the general case is given by defining f(r) in terms of f(r – 1)
25
• The full definition of factorial starts with 0! = 1
• Binomial coefficients will come up again, and when they do, the full definition will be needed.
26
• The task is to show that for some r, r < n, the expression r! has an inverse in the field.
• Base case: 1! = 1, and 1 has an inverse in the field, namely itself.
• Inductive step: Show that if for r < (n – 1), r! has an inverse in the field, then (r + 1)! also has an inverse in the field.
27
• If r! has an inverse, then there exists some p (its inverse) such that:
• $r!\,p \equiv_n 1$
• By definition:
• (r + 1)! = (r + 1)r!
• But (r + 1) < n, so it has an inverse.
• Notice this is just (r + 1), not (r + 1)!
• Let q ((r + 1)’s inverse) be given such that:
• $(r + 1)q \equiv_n 1$
28
• We’re trying to show that (r + 1)! = (r + 1)r! has an inverse
• Multiply the expression by the inverse of r!, p, and the inverse of (r + 1), q
• (r + 1)!pq
• = (r + 1)r!pq
• = (r + 1)(r!p)q
• = (r + 1)1q
• = (r + 1)q
• = 1
29
• This is not at all surprising
• If each of two factors in an expression has an inverse, the inverse of the expression is the product of the inverses
• In the substitution, the associative property did all of the work
30
• To recap:
• 1! has an inverse.
• Assuming an arbitrary factorial expression has an inverse, you can show that the expression one larger also has an inverse.
• Therefore, the factorial of any valid value in the field has an inverse.
31
• Observe that the foregoing can lead to another train of thought:
• Given some r!, essentially what we’re saying is that it is equivalent, mod n, to some element of the field, u, 0 <= u < n
• Does reducibility apply for inverses?
• In other words, is the inverse of r! = inverse of u?
• The answer seems to be yes, and this train of thought will not be pursued further.
32
2. Fermat’s Little Theorem, Statement and Preliminaries
• Cryptography makes use of a theorem by Fermat, known as Fermat’s Little Theorem.
• It has this name to distinguish it from another theorem of Fermat that is known as Fermat’s Last Theorem, or simply Fermat’s theorem.
• As I go along in these notes, if I make reference to Fermat’s theorem, it is to be understood that I mean the Little theorem.
33
• For the sake of your liberal education, some information on Fermat’s “Big” Theorem follows.
• Here is its statement:
• An equation of the form $x^n + y^n = z^n$ does not have non-zero integer solutions for x, y and z when n > 2.
34
• Recall that for n = 2, you can find sets of numbers that are called Pythagorean triples.
• Examples are {3, 4, 5}, {5, 12, 13}, and {9, 12, 15}.
• The theorem says that you can’t find such triples for any power higher than 2.
35
• Pierre de Fermat died in 1665 and a marginal note he had written in one of his books stated that he had found a proof of this theorem.
• A mathematician named Andrew Wiles, born and educated in England, who now lives in the United States, published the first proof in 1995.
• It is said that he devoted 7 years of his professional life full time to solving the problem.
• God knows how many years of their lives other people wasted unsuccessfully trying to solve this in the 300+ years since it was originally stated.
36
Statement of Fermat’s Little Theorem
• For n prime and a < n:
• $a^n \equiv_n a$
• In words: a to the nth power is equivalent mod n to a.
• Stating this in another way, there exists some value p such that:
• $a^n = pn + a$
37
• Before trying to demonstrate this, it is worthwhile to see why this result is of interest.
• It gives a way of finding $a^{-1}$.
• Recall that because n is prime, a does have an inverse.
38
• $a^n \equiv_n a$
• Multiplying both sides of the equivalence by the inverse, $a^{-1}$, once gives the following:
• $a^n a^{-1} \equiv_n a\,a^{-1}$
• $a^{n-1} a^{1} a^{-1} \equiv_n a\,a^{-1}$
• $a^{n-1} \cdot 1 \equiv_n a\,a^{-1}$
• $a^{n-1} \equiv_n 1$
39
• $a^{n-1} \equiv_n 1$
• Multiplying both sides of the equivalence by the inverse, $a^{-1}$, again gives the following:
• $a^{n-1} a^{-1} \equiv_n 1 \cdot a^{-1}$
• $a^{n-2} a^{1} a^{-1} \equiv_n 1 \cdot a^{-1}$
• $a^{n-2} \cdot 1 \equiv_n 1 \cdot a^{-1}$
• $a^{n-2} \equiv_n a^{-1}$
40
• On the left you get an integral power of a.
• On the right you get the inverse of a, $a^{-1}$.
• Computationally, you can find the inverse of a by raising it to the (n – 2)nd power and taking the modulus base n.
41
• A thumbnail example will illustrate how this works.
• Let a = 3 and n = 5.
• This is what the theorem states:
• $3^5 \equiv_5 3$
42
• Multiply both sides by $a^{-1}$, a.k.a. $3^{-1}$
• $3^5 a^{-1} \equiv_5 3\,a^{-1}$
• $3^5 3^{-1} \equiv_5 3^1 \cdot 3^{-1}$
• $3^4 \equiv_5 1$
• Check:
• $3^4 = 81$
• 81 = 5 * 16 + 1
43
• Multiply both sides again by $a^{-1}$, a.k.a. $3^{-1}$
• $3^4 a^{-1} \equiv_5 1 \cdot a^{-1}$
• $3^4 3^{-1} \equiv_5 1 \cdot a^{-1}$
• $3^3 \equiv_5 a^{-1}$
• $27 \equiv_5 a^{-1}$
• Find the value:
• 27 mod 5 = 2, so a inverse should be 2
44
• Check:
• 2 * 3 = 6, and 6 mod 5 = 1
• 2 * 3 gives the multiplicative identity, so 2 and 3 are inverses of each other
45
A Possible Source of Confusion
• The presentation of Fermat’s Little Theorem may lead to some confusion
• Consider these steps:
• $3^4 a^{-1} \equiv_5 1 \cdot a^{-1}$
• $3^4 3^{-1} \equiv_5 1 \cdot a^{-1}$
• $3^3 \equiv_5 a^{-1}$
• It may “feel like” you’re multiplying by 1/3 on the left
46
• This is not the case
• You are working on a modular equivalence, not a regular arithmetic expression.
• We know how to shift from a modular expression to one that doesn’t involve modulus
47
• Take this expression for example:
• $3^5 \equiv_5 3$
• This is what it says, without modulus:
• $3^5 = p \cdot 5 + 3$
• In this expression, if I multiplied by $3^{-1}$, I would be multiplying by 1/3
48
• In these expressions, you’re multiplying by the modular inverse—whatever it may be—that you’re trying to find out
• $3^4 a^{-1} \equiv_5 1 \cdot a^{-1}$
• $3^4 3^{-1} \equiv_5 1 \cdot a^{-1}$
• $3^3 \equiv_5 a^{-1}$
49
Binomial Coefficients
• The binomial coefficients turned up earlier when discussing the number of sub-graphs in a graph of n nodes
• A result concerning the binomial coefficients will be needed when proving Fermat’s theorem, so they are presented again here.
• This is the notation:
• $\binom{n}{r}$
• In English, this is read “n choose r”.
50
• This is a verbal explanation:
• Given a set of n elements, how many different ways are there to choose a subset of r elements?
• The ordering of the r does not make a difference—in other words, subsets are not considered different if they contain the same elements, even if they are in a different order.
51
• The mathematical definition looks like this:
• $\binom{n}{r} = \frac{n!}{r!\,(n-r)!}$
• A concrete example looks like this:
• $\binom{5}{3} = \frac{5!}{3!\,(5-3)!} = \frac{5!}{(5-3)!} \cdot \frac{1}{3!}$
52
• You can interpret the first factor on the right as the number of different ways of choosing 3 elements out of 5 where the order of the chosen 3 does make a difference.
• The second factor divides by the number of different ways of ordering 3 elements.
• Thus, the result is the number of different ways of choosing 3 where the order doesn’t make a difference.
• $\binom{5}{3} = \frac{5!}{3!\,(5-3)!} = \frac{5!}{(5-3)!} \cdot \frac{1}{3!}$
53
• You may also be familiar with Pascal’s triangle, a nice mnemonic device for coming up with the binomial coefficients without calculations:
• 1
• 1 1
• 1 2 1
• 1 3 3 1
• 1 4 6 4 1
• …
54
• The top of the pyramid, the 0th line in the pyramid, represents n = 0.
• There is only one coefficient in this case.
• The next line down, the 1st line in the pyramid, represents n = 1.
• There are 2 coefficients in this case:
• $\binom{1}{0}$, $\binom{1}{1}$
55
• The general pattern of the coefficients in each row of the triangle is:
• $\binom{n}{0}, \binom{n}{1}, \binom{n}{2}, \ldots, \binom{n}{n}$
56
• The binomial coefficients are so called because they arise in the formula for the expansion of a binomial raised to an arbitrary integral power:
• $(a + b)^n = \sum_{r=0}^{n} \binom{n}{r} a^{n-r} b^{r}$
• The fact that they arise in this way will be used to demonstrate something.
• However, the fact that they arise in this way is one step that will not be shown.
57
• In part of the following argument it will turn out that we’d like to deal with the cases where r = 0 and r = n separately.
• You can observe from Pascal’s triangle that they always give 1.
• This will be demonstrated for r = 0. • The result comes to the same thing if r = n.
58
• We now run into the case where 0! has to be defined.
• In the full definition of factorial, 0! = 1:
• Then this is how the 0th binomial coefficient evaluates:
• $\binom{n}{0} = \frac{n!}{0!\,(n-0)!} = \frac{n!}{1 \cdot n!} = 1$
59
A Result Needed in Order to Prove Fermat’s Little Theorem
• This result will be needed in order to prove Fermat’s Little Theorem:
• If n is prime:
• $(a + b)^n \equiv_n a^n + b^n$
• Showing that this is true takes a few steps and relies on knowledge of the binomial coefficients
60
• The key to the argument is whether or not a binomial coefficient in general is evenly divisible by n if n is prime.
• That is, does n go evenly into the binomial coefficients?
• In other words, for n prime, does the binomial coefficient equal 0 mod n?
• $\binom{n}{r} = \frac{n!}{r!\,(n-r)!} \equiv_n 0\ ?$
61
• Observe that n can be factored out of the expression for the binomial coefficient:
• $\binom{n}{r} = \frac{n!}{r!\,(n-r)!} = n \cdot \frac{(n-1)!}{r!\,(n-r)!}$
62
• In the cases where r = 0 and r = n, this wouldn’t work
• Since the value of the binomial coefficient is 1, it would have to be the case that the rest of the expression has the value 1/n, a fraction.
• By definition, then, n would not go evenly into the binomial coefficient.
• Therefore, we will consider the first and last coefficients separately.
63
• What about the situation where 0 < r < n?
• Is it valid to factor n out of the formula for the coefficient and expect that the other factor, shown by itself below, is always a whole number?
• $\frac{(n-1)!}{r!\,(n-r)!}$
64
• This raises an interesting antecedent question, which came up in the previous discussion of the binomial coefficients.
• Is a binomial coefficient, in general, a whole number?
• In other words, is the following expression a whole number?
• $\binom{n}{r} = \frac{n!}{r!\,(n-r)!}$
65
• It is not immediately clear how you might prove this just using the properties of numbers.
• An informal argument was given in a previous set of overheads.
• You might also appeal to Pascal’s triangle and the constructive definition of the binomial coefficient.
• It seems clear that the sum of the integral coefficients of the like terms of a binomial expansion can only be a whole number.
66
• If you accept that the binomial coefficient overall is an integer, it is easy to reason that this factorization is a factorization into two whole factors, not a whole and a fraction:
• $\frac{n!}{r!\,(n-r)!} = n \cdot \frac{(n-1)!}{r!\,(n-r)!}$
67
• The key to the argument is that n is prime.
• Consider the expression on the left.
• If it reduces to a whole number, it can only be if the denominator goes evenly into the numerator.
• Since n is prime, no part of the denominator can be going into it in any case.
• Therefore, on the right, if n is factored out, the remaining expression must still reduce to a whole number.
• $\frac{n!}{r!\,(n-r)!} = n \cdot \frac{(n-1)!}{r!\,(n-r)!}$
68
• So for 0 < r < n and n prime, you can always factor n out of the binomial coefficient and the other factor is an integer
• So the binomial coefficient is divisible by n
• This means that the binomial coefficient is equivalent to 0 mod n.
69
• Or:
• $\binom{n}{r} \bmod n = 0$, that is, $\binom{n}{r} \equiv_n 0$
70
• Remember what we’re trying to show:
• If n is prime:
• $(a + b)^n \equiv_n a^n + b^n$
71
• Now go back to the binomial expansion and see what the divisibility of the binomial coefficient by n implies.
• First notice that the formula for the expression can be rewritten to isolate the terms where r = 0 and r = n:
• $(a + b)^n = a^n + \sum_{r=1}^{n-1} \binom{n}{r} a^{n-r} b^{r} + b^n$
72
• The terms with coefficients of 1 are separated out
• Every term of the summation consists of a product including a binomial coefficient where 0 < r < n.
• It was just shown that such binomial coefficients are equivalent to 0 mod n.
• $(a + b)^n = a^n + \sum_{r=1}^{n-1} \binom{n}{r} a^{n-r} b^{r} + b^n$
73
• The reducibility properties say that the mod of a sum is the sum of the mod
• Also, the mod of a product is the product of the mod
• It doesn’t matter what the expressions in a and b are
• They are integers multiplied by a binomial coefficient.
• $(a + b)^n = a^n + \sum_{r=1}^{n-1} \binom{n}{r} a^{n-r} b^{r} + b^n$
74
• The whole summation is equivalent to 0 mod n.
• The mod of the whole right hand side reduces simply to the mod of the first two terms, those with a coefficient of 1.
• The complete sequence of steps is shown in collapsed form on the following overhead.
• $(a + b)^n = a^n + \sum_{r=1}^{n-1} \binom{n}{r} a^{n-r} b^{r} + b^n$
75
$(a + b)^n \bmod n = \left(a^n + b^n + \sum_{r=1}^{n-1} \binom{n}{r} a^{n-r} b^{r}\right) \bmod n$
$(a + b)^n \bmod n = (a^n + b^n) \bmod n + \left(\sum_{r=1}^{n-1} \binom{n}{r} a^{n-r} b^{r}\right) \bmod n$
$(a + b)^n \bmod n = (a^n + b^n) \bmod n + 0$
76
• Or using the concise notation of equivalency:
• $(a + b)^n \equiv_n a^n + b^n$
• As noted at the beginning, this equivalence is needed for the proof of Fermat’s Little Theorem.
• $(a + b)^n \bmod n = (a^n + b^n) \bmod n + 0$
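The chain of facts in slides 49 through 76 (the factorial definition of the coefficient, Pascal’s triangle, the cofactor left when n is pulled out, divisibility of the middle coefficients by a prime n, and the resulting equivalence for $(a + b)^n$) can all be checked numerically. The following is an added example, not code from the overheads or the textbook; it uses Python’s built-in `math.comb` and `math.factorial`, and all function names are mine.

```python
from math import comb, factorial

# Added example, not from the overheads: the binomial-coefficient facts used
# in the argument above, checked numerically for small n.

def binom_from_definition(n, r):
    """n! / (r! (n-r)!) using integer division (the quotient is always exact)."""
    return factorial(n) // (factorial(r) * factorial(n - r))

def pascal_row(n):
    """Row n of Pascal's triangle, built by adding adjacent entries of row n-1."""
    row = [1]
    for _ in range(n):
        row = [1] + [row[i] + row[i + 1] for i in range(len(row) - 1)] + [1]
    return row

def cofactor_after_factoring_n(n, r):
    """(n-1)! / (r! (n-r)!), the factor left when n is pulled out of C(n, r).
    Returns the exact integer when the division is exact, otherwise None
    (as happens for r = 0 and r = n, where the cofactor would be 1/n)."""
    numerator = factorial(n - 1)
    denominator = factorial(r) * factorial(n - r)
    return numerator // denominator if numerator % denominator == 0 else None

def middle_coefficients_divisible(n):
    """True iff C(n, r) mod n == 0 for every 0 < r < n."""
    return all(comb(n, r) % n == 0 for r in range(1, n))

def binomial_congruence_holds(n, a, b):
    """Check (a + b)^n == a^n + b^n (mod n) for the given a and b."""
    return pow(a + b, n, n) == (pow(a, n, n) + pow(b, n, n)) % n

if __name__ == "__main__":
    for n in (5, 6, 7):
        print(n, pascal_row(n), "middle terms divisible by n:",
              middle_coefficients_divisible(n))
```

Running it shows the prime cases 5 and 7 pass and the composite case 6 fails, because $\binom{6}{2} = 15$ is not a multiple of 6; correspondingly the congruence holds for n = 7 but fails for n = 4 with a = b = 1, where $2^4 = 16 \equiv_4 0$ while $1 + 1 = 2$.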
77
3. The Proof of Fermat’s Little Theorem
• If you’re like me, by this time you’ve nearly forgotten what Fermat’s theorem says:
• For n prime and a < n:
• $a^n \equiv_n a$
• The theorem can be proven inductively.
• You need a base step and an induction step.
78
• Base step:
• Because 0 to any power is 0 and because anything goes into 0 zero times with a remainder of 0:
• $0^n \equiv_n 0$
• Then symbolically, for the case of a = 0:
• $a^n \equiv_n a$
• or $a^n \bmod n = a$
79
• Induction step:
• Given $a^n \equiv_n a$ for n prime, show that $(a + 1)^n \equiv_n a + 1$.
• $(a + 1)^n \bmod n = (a^n + 1^n) \bmod n$
• by the result of the previous section
• $= (a^n + 1) \bmod n$
• by simple arithmetic
• $= a^n \bmod n + 1 \bmod n$
• by reducibility
• $= a^n \bmod n + 1$
• by simple arithmetic
• = a + 1, by the inductive assumption
80
• This completes the induction, giving:
• $(a + 1)^n \bmod n = a + 1$
• Or:
• $(a + 1)^n \equiv_n a + 1$
• The successful induction establishes that this holds true:
• $a^n \equiv_n a$
• For all a >= 0 (and n prime)
81
Restating Fermat’s Little Theorem and Why It’s Important
• The theorem says for n prime and a < n:
• $a^n \equiv_n a$
• The reason it’s important is that it gives a computational formula for finding inverses in a modular field:
• $a^n a^{-1} \equiv_n a\,a^{-1}$
• $a^{n-1} \equiv_n 1$
• $a^{n-1} a^{-1} \equiv_n 1 \cdot a^{-1}$
• $a^{n-2} \equiv_n a^{-1}$
82
• What does this mean computationally?
• Exponentiation in a modular field is just repeated multiplication as usual.
• Using Fermat’s theorem to find an inverse would require n – 3 modular multiplications.
83
• It’s also possible to find the inverse of a value by simply searching.
• Multiply the value a by every other value in the field until you get a result which is the identity.
• There are n – 1 candidate inverses.
• On average you will find the inverse after (n – 1) / 2 modular multiplications.
84
• Neither doing the computation nor searching is an ideal solution.
• For a field with a non-trivial value of n and large a, the values obtained from exponentiation would tend to get large.
• Using reducibility after each computation might be helpful, and modulus itself makes sure that the final result is in range.
• For large n, the search space is large.
85
• Notice that these solutions are nowhere near exponential in complexity.
• Even so, for large values of a and n, computing modular inverses is costly.
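The two approaches discussed in slides 81 through 85 (raising a to the (n – 2)nd power, and searching the field) are shown below, each reporting how many modular multiplications it performed, alongside a third route the slides do not cover: Python’s built-in `pow(a, n - 2, n)`, which uses square-and-multiply and so needs work proportional to the bit length of n rather than to n. This is an added example, not code from the overheads or the textbook; the function names are mine.

```python
# Added example, not from the overheads: the ways of reaching a^-1 for prime n
# discussed above, each reporting how many modular multiplications it used.

def is_prime(n):
    """Trial division; fine for the small moduli used here."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def power_mod_naive(a, e, n):
    """a^e mod n by e - 1 repeated multiplications, reducing mod n after
    each step so intermediate values never exceed n. Returns (value, count)."""
    value, count = a % n, 0
    for _ in range(e - 1):
        value = (value * a) % n
        count += 1
    return value, count

def inverse_by_fermat(a, n):
    """a^(n-2) mod n for prime n: n - 3 multiplications, as the slide states."""
    if not (is_prime(n) and 0 < a < n):
        raise ValueError("need n prime and 0 < a < n")
    return power_mod_naive(a, n - 2, n)

def inverse_by_fast_pow(a, n):
    """Same value via pow(), whose square-and-multiply loop runs about
    log2(n) squarings instead of n - 3 plain multiplications."""
    return pow(a, n - 2, n)

def inverse_by_search(a, n):
    """Try b = 1, 2, ... until a*b mod n == 1. Returns (value, count), where
    count is the number of multiplications performed; None if no inverse."""
    for b in range(1, n):
        if (a * b) % n == 1:
            return b, b
    return None, n - 1

def unreduced_size_bits(a, n):
    """Bit length of a^(n-2) computed without reducing mod n along the way,
    which is the growth the slide warns about."""
    return (a ** (n - 2)).bit_length()

if __name__ == "__main__":
    for a, n in ((3, 5), (7, 101)):
        print(f"a={a} n={n}: fermat {inverse_by_fermat(a, n)}, "
              f"search {inverse_by_search(a, n)}, pow {inverse_by_fast_pow(a, n)}, "
              f"unreduced power is {unreduced_size_bits(a, n)} bits")
```

For a = 3 and n = 5 all three agree on the inverse 2 after two multiplications, matching the thumbnail example; for a = 7 and n = 101 the Fermat route costs 98 multiplications and the search 29, while the unreduced $7^{99}$ already needs well over 200 bits, which is why reduction after every step matters.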
86
An Algorithm for Finding the Inverse
• The textbook gives an algorithm adapted from Knuth, which uses the Euclidean algorithm for finding greatest common divisors in order to find inverses.
• There is a homework problem based on this.
• A brief presentation will be given on the following overheads.
87
• The algorithm in the book is related to what is known formally as the extended Euclidean algorithm
• The algorithm finds x and y (one of which will turn out to be negative) such that:
• ax + by = gcd(a, b)
• In other words, the gcd(a, b) can be expressed as a linear combination of a and b
• This is accomplished by applying the Euclidean algorithm and doing certain substitutions along the way
88
• If a and b are relatively prime (gcd(a, b) = 1), the x and y that come out of the extended Euclidean algorithm have a special property.
• x is the inverse of a mod b
• y is the inverse of b mod a
• No proof of this will be given.
• Your task is simply to implement the algorithm.
89
• The algorithm, as given in the book, may be hard to follow.
• I will just work through an example so that it will hopefully be clear how the Euclidean algorithm can produce the desired x and y.
• Rather than make up a new example, the example from the Wikipedia article on the extended Euclidean algorithm is given.
90
• The idea can be outlined in this way:
• Express a in terms of b and b in terms of a.
• Do the Euclidean algorithm, progressing from remainder to remainder, until you reach a remainder of 0.
• At each step, substitute “a in terms of b” and “b in terms of a” into the expressions for the remainder.
91
• At the next to last step, the remainder will be $1 = \gcd(r_i, r_j)$
• Group like terms in the expression for the remainder.
• There will be 2 terms, one for a and one for b.
• The coefficients on a and b are the desired x and y.
92
• In the following example a and b are 120 and 23, respectively.
• They are relatively prime, since 23 is prime.
• The example gives this result:
• 1 = 120 × −9 + 23 × 47
93
• 1 = 120 × −9 + 23 × 47
• This tells you that the inverse of 120 mod 23 is −9
• You can convert this to a positive number:
• The inverse of 120 mod 23 is 14 = −9 + 23.
• It also tells you that the inverse of 23 mod 120 is 47.
• It is easy to check both results using a calculator.

| Step | Quotient | Remainder | Substitute | Combine Terms |
|---|---|---|---|---|
| 1 | | 120 | 120 = 120 × 1 + 23 × 0 | |
| 2 | | 23 | 23 = 120 × 0 + 23 × 1 | |
| 3 | 5 | 5 = 120 − 23 × 5 | 5 = (120 × 1 + 23 × 0) − (120 × 0 + 23 × 1) × 5 | 5 = 120 × 1 + 23 × −5 |
| 4 | 4 | 3 = 23 − 5 × 4 | 3 = (120 × 0 + 23 × 1) − (120 × 1 + 23 × −5) × 4 | 3 = 120 × −4 + 23 × 21 |
| 5 | 1 | 2 = 5 − 3 × 1 | 2 = (120 × 1 + 23 × −5) − (120 × −4 + 23 × 21) × 1 | 2 = 120 × 5 + 23 × −26 |
| 6 | 1 | 1 = 3 − 2 × 1 | 1 = (120 × −4 + 23 × 21) − (120 × 5 + 23 × −26) × 1 | 1 = 120 × −9 + 23 × 47 |
| 7 | 2 | 0 | end of algorithm | end of algorithm |
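The substitute-and-combine procedure of slides 90 through 93 is shown below as working code that records the same columns as the table (step, quotient, remainder, and the remainder written as 120 × x + 23 × y), and then reads the inverse off the last non-zero remainder. This is an added example, not the textbook’s algorithm nor code from the Wikipedia article; the function names are mine.

```python
# Added example, not the textbook's or Wikipedia's code: the extended
# Euclidean algorithm carried through while recording the columns of the
# table above. Each row is (step, quotient, remainder, (x, y)) with
# remainder == a*x + b*y, which is the "combine terms" column.

def extended_gcd_trace(a, b):
    """Return (g, x, y, rows) with a*x + b*y == g == gcd(a, b)."""
    prev = (a, 1, 0)   # a = a*1 + b*0   (row 1 of the table)
    cur = (b, 0, 1)    # b = a*0 + b*1   (row 2 of the table)
    rows = [(1, None, a, (1, 0)), (2, None, b, (0, 1))]
    step = 2
    while cur[0] != 0:
        q = prev[0] // cur[0]
        # New remainder is prev - q*cur. Applying the same subtraction to the
        # (x, y) pairs is exactly the substitute-and-combine step, because
        # both prev and cur are already expressed in terms of a and b.
        nxt = (prev[0] - q * cur[0], prev[1] - q * cur[1], prev[2] - q * cur[2])
        step += 1
        rows.append((step, q, nxt[0], (nxt[1], nxt[2])))
        prev, cur = cur, nxt
    g, x, y = prev        # last non-zero remainder and its coefficients
    return g, x, y, rows

def mod_inverse(a, m):
    """Inverse of a mod m via the extended Euclidean algorithm, normalized
    to 0 .. m-1; None when gcd(a, m) != 1, since no inverse exists then."""
    g, x, _, _ = extended_gcd_trace(a, m)
    return x % m if g == 1 else None

if __name__ == "__main__":
    g, x, y, rows = extended_gcd_trace(120, 23)
    for step, q, r, (cx, cy) in rows:
        print(f"step {step}: quotient {q}, remainder {r} = 120 × {cx} + 23 × {cy}")
    print(f"{g} = 120 × {x} + 23 × {y}; inverse of 120 mod 23 is {mod_inverse(120, 23)}, "
          f"inverse of 23 mod 120 is {mod_inverse(23, 120)}")
```

The rows it prints for 120 and 23 carry the same quotients, remainders and coefficient pairs as steps 1 through 7 of the table, ending with 1 = 120 × −9 + 23 × 47, and `mod_inverse` turns −9 into 14 by the same −9 + 23 adjustment the slide makes.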
95
The End