Chapter 8 – Introduction to Number Cryptography and ...banach/COMP61411.Info/Course... · Lecture...
7
Cryptography and Cryptography and Network Security Network Security Chapter 8 Chapter 8 Fifth Edition Fifth Edition by William Stallings by William Stallings Lecture slides by Lecture slides by Lawrie Lawrie Brown Brown (with edits by RHB) (with edits by RHB) Chapter 8 Chapter 8 – – Introduction to Number Introduction to Number Theory Theory The Devil said to Daniel Webster: "Set me a task I can't carry o The Devil said to Daniel Webster: "Set me a task I can't carry o ut, and ut, and I'll give you anything in the world you ask for." I'll give you anything in the world you ask for." Daniel Webster: "Fair enough. Prove that for n greater than 2, t Daniel Webster: "Fair enough. Prove that for n greater than 2, t he he equation a equation a n n + + b b n n = = c c n n has no non has no non - - trivial solution in the integers." trivial solution in the integers." They agreed on a three They agreed on a three - - day period for the day period for the labor labor , and the Devil , and the Devil disappeared. disappeared. At the end of three days, the Devil presented himself, haggard, At the end of three days, the Devil presented himself, haggard, jumpy, jumpy, biting his lip. Daniel Webster said to him, "Well, how did you d biting his lip. Daniel Webster said to him, "Well, how did you d o at o at my task? Did you prove the theorem?' my task? Did you prove the theorem?' "Eh? No . . . no, I haven't proved it." "Eh? No . . . no, I haven't proved it." "Then I can have whatever I ask for? Money? The Presidency?' "Then I can have whatever I ask for? Money? The Presidency?' "What? Oh, that "What? Oh, that — — of course. But listen! If we could just prove the of course. But listen! If we could just prove the following two lemmas following two lemmas — — " " — — The Mathematical Magpie The Mathematical Magpie , Clifton Fadiman , Clifton Fadiman Outline Outline • • will consider: will consider: – – prime numbers prime numbers – – Fermat Fermat ’ ’ s and Euler s and Euler ’ ’ s Theorems & s Theorems & ø ø (n (n ) ) – – Primality Primality Testing Testing – – Chinese Remainder Theorem Chinese Remainder Theorem – – Primitive Roots & Discrete Logarithms Primitive Roots & Discrete Logarithms Prime Numbers Prime Numbers • • prime numbers only have divisors of 1 and self prime numbers only have divisors of 1 and self – – they cannot be written as a product of other numbers they cannot be written as a product of other numbers – – note: 1 is prime, but is generally not of interest note: 1 is prime, but is generally not of interest • • eg. 2,3,5,7 are prime, 4,6,8,9,10 are not eg. 2,3,5,7 are prime, 4,6,8,9,10 are not • • prime numbers are central to number theory prime numbers are central to number theory • • list of prime number less than 200 is: list of prime number less than 200 is: 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199 193 197 199
Transcript of Chapter 8 – Introduction to Number Cryptography and ...banach/COMP61411.Info/Course... · Lecture...
Cryptography and Cryptography and
Network SecurityNetwork Security
Chapter 8Chapter 8
Fifth EditionFifth Edition
by William Stallingsby William Stallings
Lecture slides by Lecture slides by LawrieLawrie BrownBrown
(with edits by RHB)(with edits by RHB)
Chapter 8 Chapter 8 –– Introduction to Number Introduction to Number
TheoryTheory
The Devil said to Daniel Webster: "Set me a task I can't carry oThe Devil said to Daniel Webster: "Set me a task I can't carry out, and ut, and I'll give you anything in the world you ask for."I'll give you anything in the world you ask for."
Daniel Webster: "Fair enough. Prove that for n greater than 2, tDaniel Webster: "Fair enough. Prove that for n greater than 2, the he equation aequation ann + + bbnn = = ccnn has no nonhas no non--trivial solution in the integers."trivial solution in the integers."
They agreed on a threeThey agreed on a three--day period for the day period for the laborlabor, and the Devil , and the Devil disappeared.disappeared.
At the end of three days, the Devil presented himself, haggard, At the end of three days, the Devil presented himself, haggard, jumpy, jumpy, biting his lip. Daniel Webster said to him, "Well, how did you dbiting his lip. Daniel Webster said to him, "Well, how did you do at o at my task? Did you prove the theorem?'my task? Did you prove the theorem?'
"Eh? No . . . no, I haven't proved it.""Eh? No . . . no, I haven't proved it."
"Then I can have whatever I ask for? Money? The Presidency?'"Then I can have whatever I ask for? Money? The Presidency?'
"What? Oh, that"What? Oh, that——of course. But listen! If we could just prove the of course. But listen! If we could just prove the following two lemmasfollowing two lemmas——""
——The Mathematical MagpieThe Mathematical Magpie, Clifton Fadiman, Clifton Fadiman
OutlineOutline
•• will consider:will consider:
–– prime numbersprime numbers
–– FermatFermat’’s and Eulers and Euler’’s Theorems & s Theorems & øø(n(n))
–– PrimalityPrimality TestingTesting
–– Chinese Remainder TheoremChinese Remainder Theorem
–– Primitive Roots & Discrete LogarithmsPrimitive Roots & Discrete Logarithms
Prime NumbersPrime Numbers
•• prime numbers only have divisors of 1 and self prime numbers only have divisors of 1 and self
–– they cannot be written as a product of other numbers they cannot be written as a product of other numbers
–– note: 1 is prime, but is generally not of interest note: 1 is prime, but is generally not of interest
•• eg. 2,3,5,7 are prime, 4,6,8,9,10 are noteg. 2,3,5,7 are prime, 4,6,8,9,10 are not
•• prime numbers are central to number theoryprime numbers are central to number theory
•• list of prime number less than 200 is: list of prime number less than 200 is: 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59
61 67 71 73 79 83 89 97 101 103 107 109 113 127 61 67 71 73 79 83 89 97 101 103 107 109 113 127
131 137 139 149 151 157 163 167 173 179 181 191 131 137 139 149 151 157 163 167 173 179 181 191
193 197 199193 197 199
王博文�
质数 - 费马和欧拉定理及ø(n) - 原始测试 - 中国剩余定理 - 原始根和离散对数�
王博文�
素数只有1和自身的除数 - 它们不能作为其他数字的产品编写 - 注意:1是素数,但通常不感兴趣•例如,2,3,5,7是素数,4,6,8,9,10不是•素数是数论的核心•小于200的素数列表是:�
Prime FactorisationPrime Factorisation
•• to to factorfactor a number a number nn is to write it as a is to write it as a
product of other numbers: product of other numbers: nn == aa xx bb xx cc
•• note that factoring a number is relatively note that factoring a number is relatively
hard compared to multiplying the factors hard compared to multiplying the factors
together to generate the number together to generate the number
•• thethe prime factorisationprime factorisation of a number of a number nn is is
when its written as a product of primes when its written as a product of primes
–– eg. eg. 9191 == 77 xx 1313 ;; 36003600 == 2244 xx 3322 xx 5522
Relatively Prime Numbers & GCDRelatively Prime Numbers & GCD
•• two numbers two numbers a,ba,b are are relatively primerelatively prime((coprimecoprime)) if they have if they have no common divisorsno common divisorsapart from apart from 11
–– eg. eg. 88 and and 1515 are relatively prime since factors of are relatively prime since factors of 88are are 1,2,4,81,2,4,8 and of and of 1515 are are 1,3,5,151,3,5,15 and and 11 is the is the only common factor only common factor
•• conversely can determine the greatest common conversely can determine the greatest common divisor bydivisor by comparing their prime factorizations comparing their prime factorizations and using least powersand using least powers–– egeg. . 300300 == 2211x3x311x5x522 ;; 1818 == 2211x3x322 hencehenceGCD(18,300)GCD(18,300) == 2211x3x311x5x500 == 66
Fermat's TheoremFermat's Theorem
•• aapp--11 == 11 (mod(mod p)p)
–– where where pp is prime and is prime and GCD(a,pGCD(a,p)) == 11
•• also known as Fermatalso known as Fermat’’s Little Theorems Little Theorem
•• also have: also have: aapp == aa (mod(mod p)p)
•• useful in public key and useful in public key and primalityprimality testingtesting
王博文�
将数字n计算为将其写为其他数字的乘积:n = a x b x c•请注意,与将因子相乘以生成数字相比,对数字进行因子分解相对较难•数n的素因子化是指其作为素数的乘积�
王博文�
相对素数和GCD•如果除1之外没有公约数,则两个数字a,b相对为素数(互质) - 例如 8和15是相对素数,因为8的因子是1,2,4,8而15是1,3,5,15和1是唯一的共同因素�
王博文�
相反,可以通过比较他们的主要因素和使用最小权力来确定最大公约数�
王博文�
- 其中p是素数,GCD(a,p)= 1•也称为费马的小定理• 也有:•在公钥和素性测试中很有用�
Euler Euler TotientTotient Function Function øø(n(n))
•• when doing arithmetic modulo when doing arithmetic modulo nn
•• complete set of residuescomplete set of residues is: is: 0..n0..n--11
•• reduced set of residuesreduced set of residues is those numbers is those numbers (residues) which are relatively prime to (residues) which are relatively prime to nn
–– eg for eg for nn == 1010, complete set of residues is , complete set of residues is
{0,1,2,3,4,5,6,7,8,9}{0,1,2,3,4,5,6,7,8,9}
–– reduced set of residues is reduced set of residues is {1,3,7,9}{1,3,7,9}
•• number of elements in reduced set of residues is number of elements in reduced set of residues is
called the called the Euler Euler TotientTotient Function Function øø(n(n))
Euler Euler TotientTotient Function Function øø(n(n))
•• to compute to compute øø(n(n) need to count number of ) need to count number of residues to be excludedresidues to be excluded
•• in general need prime factorization, butin general need prime factorization, but–– for p (p prime) for p (p prime) øø(p(p)=p)=p--11
–– for for p.qp.q ((p,qp,q prime) prime) øø(p.q(p.q)=(p)=(p--1)x(q1)x(q--1)1)
•• egeg..øø(37) = 36(37) = 36
øø(21) = (3(21) = (3––1)x(71)x(7––1) = 2x6 = 121) = 2x6 = 12
Euler's TheoremEuler's Theorem
•• a generalisation of Fermat's Theorem a generalisation of Fermat's Theorem
•• aaøø(n(n)) == 11 (mod(mod n)n)
–– for any for any a,na,n where where GCD(a,nGCD(a,n)) == 11
•• egeg..aa == 33 ;; nn == 1010 ;; øø(10)(10) == 4; 4;
hencehence 3344 == 8181 == 11 modmod 1010
aa == 22 ;; nn == 1111 ;; øø(11)(11) == 10;10;
hencehence 221010 == 10241024 == 11 modmod 1111
•• also have: also have: aaøø(n)+1(n)+1 == aa (mod n)(mod n)
王博文�
Euler Totient函数•进行算术运算时n•完整的残留物集合为:0..n-1•减少的残基集是那些相对于n的素数(残基)-eg为n = 10,完整的残基集合为{0,1,2,3,4,5,6,7,8,9} - 减少的残留量为{1,3,7,9}•减少的残差集中的元素数量称为欧拉函数ø(n)�
王博文�
•计算ø(n)需要计算要排除的残留数量•一般需要素数因子化,但是�
王博文�
费马定理的推广ꡀ
PrimalityPrimality TestingTesting
•• often need to find large prime numbers often need to find large prime numbers
•• traditionally traditionally sievesieve using using trial divisiontrial division–– ieie. divide by all numbers (primes) in turn less than the . divide by all numbers (primes) in turn less than the
square root of the number square root of the number
–– only works for small numbersonly works for small numbers
•• alternatively can use statistical alternatively can use statistical primalityprimality tests tests based on properties of primes based on properties of primes –– for which all primes numbers satisfy property for which all primes numbers satisfy property
–– but some composite numbers, called pseudobut some composite numbers, called pseudo--primes, primes, also satisfy the propertyalso satisfy the property
•• can use a slower deterministic can use a slower deterministic primalityprimality testtest
Miller Rabin AlgorithmMiller Rabin Algorithm
•• a test based on prime properties that result from a test based on prime properties that result from FermatFermat’’s Theorems Theorem
•• algorithm is:algorithm is:
TEST(TEST(nn)) is:is:
1. Find integers 1. Find integers kk,,qq,,kk>0,>0,qq odd, so that odd, so that ((nn––1)1) == 22kkqq
2. Select a random integer 2. Select a random integer aa,, 11 << aa << nn –– 11
3. 3. if if aaqq modmod nn == 11 then then return (return (““inconclusiveinconclusive");");
4. 4. for for jj == 00 to to kk –– 11 dodo
5. 5. ifif ((aa22jjqq modmod nn == nn -- 11))
then then return(return(““inconclusiveinconclusive")")
6. return (6. return (““composite")composite")
王博文�
经常需要找到大的素数•传统筛选使用试验分裂 - 即。 除以所有数字(素数)依次小于数字的平方根 - 仅适用于小数字•或者可以使用基于素数属性的统计素性测试 - 所有素数都满足财产 - 但是一些称为伪素数的复合数也满足了该属性•可以使用较慢的确定性素数测试�
王博文�
米勒拉宾算法基于费马定理产生的素数性质的检验푰
Probabilistic ConsiderationsProbabilistic Considerations
•• if Millerif Miller--Rabin returns Rabin returns ““compositecomposite”” the the
number is definitely not primenumber is definitely not prime
•• otherwise is a prime or a pseudootherwise is a prime or a pseudo--primeprime
•• chance it detects a pseudochance it detects a pseudo--prime is < prime is < 11//44
•• hence if repeat test with different random a hence if repeat test with different random a
then chance n is prime after t tests is:then chance n is prime after t tests is:
–– Pr(nPr(n prime after t tests) = 1prime after t tests) = 1--44--tt
–– egeg. for t=10 this probability is > 0.99999. for t=10 this probability is > 0.99999
•• could then use the deterministic AKS testcould then use the deterministic AKS test
Prime DistributionPrime Distribution
•• prime number theorem states that primes occur prime number theorem states that primes occur roughly every (roughly every (lnln nn) integers) integers
•• but can immediately ignore evensbut can immediately ignore evens
•• so in practice need only test so in practice need only test 0.5 0.5 ln(nln(n))
numbers of size numbers of size nn to locate a primeto locate a prime
–– note this is only the note this is only the ““averageaverage””
–– sometimes primes are close togethersometimes primes are close together
egeg. 1,000,000,000,061 and 1,000,000,000,063 both prime. 1,000,000,000,061 and 1,000,000,000,063 both prime
–– other times are quite far apartother times are quite far apart
egeg. (1001!+2), (1001!+3) . (1001!+2), (1001!+3) …… (1001!+1001) all composite(1001!+1001) all composite
Chinese Remainder TheoremChinese Remainder Theorem
•• used to speed up modulo computations used to speed up modulo computations
•• if working modulo a product of numbers if working modulo a product of numbers
–– eg. eg. modmod MM == mm11mm22..m..mkk
•• Chinese Remainder theorem lets us work Chinese Remainder theorem lets us work in each modulus in each modulus mmii separately separately
•• since computational cost is proportional to since computational cost is proportional to
size, this is faster than working in the full size, this is faster than working in the full modulus modulus MM
王博文�
概率考虑因素•如果Miller-Rabin返回“复合”,那么这个数字绝对不是素数•否则是素数或伪素数•它检测到伪素数的可能性<1/4•因此,如果用不同的随机重复测试a,那么在t测试之后机会n是素数: - Pr(t检验后为n)= 1-4-t - 例如 对于t = 10,该概率> 0.99999•然后可以使用确定性AKS测试�
王博文�
•素数定理表明素数大致出现在每个(ln n)个整数上•但可以立即忽略均衡•因此在实践中只需要测试t0.5 ln(n)个大小为n的数字来定位素数 - 注意这只是“平均” - 有时素数很接近 - 其他时间相距甚远�
王博文�
中国剩余定理•用于加速模数计算•如果工作模数是数字的乘积•中国剩余定理让我们分别在每个模数mi中工作•由于计算成本与尺寸成正比,因此比在全模数M下工作更快�
Chinese Remainder TheoremChinese Remainder Theorem
•• can implement CRT in several wayscan implement CRT in several ways
•• to compute to compute AA (mod(mod M)M)
–– first compute all first compute all aaii == AA modmod mmii separatelyseparately
–– determine constants determine constants ccii below, where below, where MMii == M/mM/mii
–– then combine results to get answer using:then combine results to get answer using:
Primitive RootsPrimitive Roots
•• from Eulerfrom Euler’’s theorem have s theorem have aaøø(n(n)) modmod nn == 1 1
•• consider consider aamm == 11 (mod(mod n),n), GCD(a,nGCD(a,n)) == 11
–– must exist for must exist for mm == øø(n(n)) but may be smallerbut may be smaller
–– once powers reach once powers reach mm, cycle will repeat, cycle will repeat
•• if smallest is if smallest is mm == øø(n(n)) then then aa is called a is called a primitive rootprimitive root
•• if if pp is prime, then successive powers of is prime, then successive powers of aa"generate" the group "generate" the group mod pmod p
•• these are useful but relatively hard to find these are useful but relatively hard to find
Powers mod 19Powers mod 19Discrete LogarithmsDiscrete Logarithms
•• the inverse problem to exponentiation is to find the inverse problem to exponentiation is to find the the discrete logarithmdiscrete logarithm of a number of a number bb modulo modulo pp
•• that is to find that is to find ii such that such that bb == aaii (mod p)(mod p)
•• this is written as this is written as ii == dlogdlogaa bb (mod p)(mod p)
•• if if aa is a primitive root is a primitive root modmod pp then then dlogdlogaa always always exists, otherwise it may not, exists, otherwise it may not, egeg..xx == loglog33 44 modmod 1313 has no answer has no answer
xx == loglog33 33 modmod 1313 == 44 by trying successive powers by trying successive powers
•• whilst exponentiation is relatively easy, finding whilst exponentiation is relatively easy, finding discrete logarithms is generally a discrete logarithms is generally a hardhard problemproblem(which is good for cryptography, of course) (which is good for cryptography, of course)
王博文�
•可以通过多种方式实施CRT•计算A(mod M) - 首先分别计算所有ai = A mod mi - 确定下面的常数ci,其中Mi = M / mi - 然后结合使用结果得到答案:�
王博文�
从欧拉定理来看•考虑一下 - 必须存在m =ø(n)但可能更小 - 一旦功率达到m,循环将重复•如果最小的是m =ø(n)则a被称为原始根•如果p为素数,则“生成”组mod p的连续幂•这些很有用,但相对难以找到�
王博文�
离散对数�
王博文�
求幂的逆问题是找到b模p的离散对数•如果a是原始根mod p,那么dloga总是存在,否则它可能不存在,例如。x = log3 4 mod 13没有答案通过尝试连续的幂,x = log3 3 mod 13 = 4•虽然求幂是相对容易的,但找到离散对数通常是一个难题(当然,这对加密很有用)�
Discrete Logarithms Discrete Logarithms mod 19mod 19
