Secrecy Codes and Error-Correcting Codes


Page 1

Secrecy Codes and Error-Correcting Codes

James L. Massey (Prof.-em. ETH Zurich)

Trondhjemsgade 3, 2TH, DK-2100 Copenhagen, Denmark

[email protected]

Supélec, 8 Jan. 2009

Page 2

MASSEY (PLAINTEXT) → PDVVHB (CIPHERTEXT)

[Figure: the letters A, B, C, ..., X, Y, Z placed on a circle and numbered 0, 1, 2, ..., 23, 24, 25]

Arithmetic on a CIRCLE (modulo 26 arithmetic)

Encrypt = Add 3 (move clockwise 3 places)

Decrypt = Subtract 3 (move counterclockwise 3 places)

“SECRET KEY” = 3

The Caesar Cipher (ca. 60 B.C.)

This seems to be the first use of modular arithmetic in cryptography.

Gaius Julius Caesar

Page 3

[Figure: a circle with only the two points 0 and 1]

Today we usually use a SMALLER CIRCLE!

Arithmetic on this CIRCLE (modulo 2 arithmetic)

Encrypt = Add (move clockwise)

Decrypt = Subtract (move counterclockwise)

⇒ ADDITION = SUBTRACTION

1 ⊕ 1 = 0.

Page 4

The dream of cryptographers from ancient times onwards was to create the unbreakable cipher. Many people over the centuries, including some famous mathematicians, erroneously thought that they had achieved this.

BSS = [Figure: a monkey with a fair binary coin]

Definition of the Binary Symmetric Source (BSS)

Each time he is asked to output a binary digit, the monkey flips his fair coin and reports the result.

Page 5

Vernam’s 1926 Cipher:

[Figure: block diagram. A Binary Plaintext Source produces M; a BSS produces the secret key K, which reaches the Destination over a Secure Channel; the ciphertext E travels over the public channel to the Destination, where M is recovered; an enemy cryptanalyst observes E in a ciphertext-only attack.]

The secret key, K, is a “totally random” binary sequence.

Page 6

What does “unbreakable” really mean?

Vernam claimed that his cipher was unbreakable, and also stated that he had confirmed this in “field trials with the U. S. Army Signal Corps”.

Shannon’s 1949 definition: A cipher provides perfect secrecy against a ciphertext-only attack if the plaintext and the ciphertext, considered as random variables, are statistically independent.

Page 7

Claude Elwood Shannon, 1916 - 2001

(photograph by Lotfi Zadeh)

The founder of information theory and, in particular, the founder of channel coding theory (or error-correcting codes), and a pioneer in cryptography.

Page 8

BSS = [Figure: a monkey with a fair binary coin]

Cryptographic property of the BSS:

The modulo-two sum of a BSS output and an arbitrary random sequence is another BSS output that is STATISTICALLY INDEPENDENT of the arbitrary random sequence.

Example:

BSS output:      0 1 0 0 1 0 1 0 1 1 1 0 1 . . .
Arb. Ran. Seq.:  1 1 1 1 1 1 1 1 1 1 1 1 1 . . .
Modulo-2 sum:    1 0 1 1 0 1 0 1 0 0 0 1 0 . . .

Page 9

[Figure: the Vernam cipher block diagram of Page 5 again: Binary Plaintext Source → M, BSS → K over a Secure Channel, ciphertext E to the Destination, enemy cryptanalyst in a ciphertext-only attack.]

The cryptographic property of the BSS implies that the ciphertext E is statistically independent of the plaintext M, i.e., that Vernam’s cipher is indeed “unbreakable.”

This simple proof was given by Shannon in 1949.

Page 10

Modular arithmetic is just as useful in channel coding (or “error-correcting coding”) as it is in secrecy coding.

Page 11

The (3, 1) binary “repeat” code: World’s simplest single-error-correcting code

information bit    codeword
0                  0 0 0
1                  1 1 1

The Hamming distance between two words is the number of positions in which the two words differ.

A code can correct all patterns of t or fewer errors if and only if the minimum Hamming distance, d_min, between distinct codewords is at least 2t + 1.

Page 12

The (3, 1) binary “repeat” code has d_min = 3 and is thus single-error-correcting.

How can we perform the error correction?

[Figure: the Encoder repeats the information bit u as (u, u, u); the channel adds the error pattern e1 e2 e3; the Decoder receives y1 y2 y3, three noisy versions of the information bit, and outputs û.]

channel error pattern = e1 e2 e3, where ei = 1 if and only if yi = u ⊕ ei is in error.

y1 = u ⊕ e1
y2 = u ⊕ e2
y3 = u ⊕ e3

⇒ û = Majority(y1, y2, y3) will be correct if there is at most a single error, i.e., if at most one of the error bits is a 1.

Page 13

[Figure: the 8 points 000, 100, 010, 001, 111, 011, 110, 101 of 3-dimensional Hamming space drawn on the 1st, 2nd and 3rd axes, showing the Hamming sphere of radius 1 with center at 000 and the Hamming sphere of radius 1 with center at 111]

The two spheres are disjoint and completely fill 3D Hamming space!

Page 14

A code with codeword length n is said to be a perfect t-error-correcting code if the Hamming spheres of radius t with centers at the codewords are disjoint and completely fill n-dimensional Hamming space.

The (3, 1) binary “repeat” code is a perfect single-error-correcting code, but it is not a very interesting code since one can equivalently put three times as much energy in an information bit rather than repeating this bit three times.

For a code to be useful, it must have more than one information bit.

Page 15

Hamming Codes

There are 2^7 = 128 points in 7-dimensional Hamming space. A (7, 4) code has 2^4 = 16 codewords. The Hamming sphere of radius 1 about a codeword contains 1 + 7 = 8 points. 8 × 16 = 128, which means that a single-error-correcting (7, 4) code would be a perfect code.

Does such a code exist?

Yes! Hamming found this code and moreover, for every m ≥ 3, he constructed a perfect (n = 2^m − 1, k = 2^m − m − 1) single-error-correcting code. His paper appeared in 1950.

Richard W. Hamming, 1915 - 1998

Page 16

Marcel J. E. Golay, 1902 - 1989

There are 2^23 = 8,388,608 points in 23-dimensional Hamming space.

A (23, 12) code has 2^12 = 4096 codewords. The Hamming sphere of radius 3 about a codeword contains 1 + 23 + 253 + 1771 = 2048 points.

4096 × 2048 = 8,388,608, which means that a triple-error-correcting (23, 12) code would be a perfect code.

Does such a code exist?

Yes! Golay found this code in 1949. He guessed correctly that there are no other perfect binary codes (besides the Hamming codes and repeat codes).
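The sphere-packing counts of Pages 13 to 16 and the definition of a perfect code on Page 14, as an added example (not from the slides): the counting argument for (7, 4, t = 1), (23, 12, t = 3) and (3, 1, t = 1), plus an exhaustive check of the definition itself on the (3, 1) repeat code and on a (7, 4) Hamming code built from a standard parity-check matrix (the construction is assumed here, the slides give none).

```python
from itertools import product
from math import comb

def hamming_distance(a, b):
    """Number of positions in which two words of equal length differ."""
    return sum(x != y for x, y in zip(a, b))

def sphere_volume(n, t):
    """Number of points in a Hamming sphere of radius t in n-dimensional binary space."""
    return sum(comb(n, i) for i in range(t + 1))

def sphere_packing_is_tight(n, k, t):
    """The counting argument of the slides: 2^k spheres of radius t exactly fill 2^n points."""
    return 2 ** k * sphere_volume(n, t) == 2 ** n

def min_distance(code):
    """d_min: the smallest Hamming distance between two distinct codewords."""
    return min(hamming_distance(a, b) for a in code for b in code if a != b)

def is_perfect(code, t):
    """Exhaustive check of the definition: the radius-t spheres about the codewords
    are disjoint and together cover all 2^n points of n-dimensional Hamming space."""
    n = len(code[0])
    owner = {}  # point -> codeword whose sphere contains it
    for c in code:
        for point in product((0, 1), repeat=n):
            if hamming_distance(point, c) <= t:
                if point in owner:  # two spheres overlap
                    return False
                owner[point] = c
    return len(owner) == 2 ** n

def repeat_code(n):
    """The (n, 1) binary repeat code: the all-zeros and the all-ones word."""
    return [tuple([0] * n), tuple([1] * n)]

def hamming_7_4():
    """The 16 words of length 7 with zero syndrome for the parity-check matrix whose
    j-th column is the 3-bit binary representation of j (j = 1..7): a standard
    construction of the (7, 4) Hamming code, assumed here, not taken from the slides."""
    cols = [tuple((j >> s) & 1 for s in (2, 1, 0)) for j in range(1, 8)]
    code = []
    for v in product((0, 1), repeat=7):
        syndrome = [sum(v[j] * cols[j][r] for j in range(7)) % 2 for r in range(3)]
        if not any(syndrome):
            code.append(v)
    return code
```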

Page 17

Shannon’s famous 1948 formula for the capacity in bits/sec of the additive white Gaussian noise (AWGN) channel:

C = W log(1 + P / (N_o W))

[Figure: the AWGN channel, r(t) = s(t) + n(t)]

W = bandwidth of s(t) in Hz
log = base 2 logarithm
P = average power of s(t)
N_o = noise power spectral density

Shannon proved in 1948 that any channel is characterized by its capacity C in the sense that one can design the transmitter and receiver so that a binary information sequence can be recovered with arbitrarily small probability of error if and only if the rate (in info bits/sec) of the binary information sequence is less than C.

Page 18

Shannon noted that “as we increase the bandwidth W, the noise power N in the band will increase proportionally” as N = N_o W. Nonetheless, C increases monotonically with the bandwidth W and

lim (W → ∞) C = 1.443 P / N_o bits/sec

This same limit obtains if one uses binary antipodal modulation together with a soft-decision demodulator. But if one uses a hard-decision demodulator, the limit is reduced by a factor of 2/π or about 2 dB.

Page 19

Pioneer 9 in 1968 was the first spacecraft to exploit “error-correcting” codes.

In Pioneer 9 (as in most deep-space probes), the transmission was binary antipodal modulation.

We can think of binary digits as being transmitted and noisy versions of these binary digits as being received.

Page 20

Pioneer 9

Launch date: 8 November 1968
Launch place: Cape Canaveral
Booster rocket: Delta E
Payload Mass: 63 kg
Orbital data: Solar orbit between 0,8 and 1,2 AU
Mission ended: 1983
Nation: USA
Crew: Unmanned
Goal: Solar measurements

Page 21

At the range of 1 AE or about 150,000,000 km, there was just enough power for the coding system to be able to transmit data from Pioneer 9 at the rate of 8 info-bits/sec.

Radio waves travel at about 3 × 10^5 km/sec.

This meant that each bit of information was stretched out over about

(3 × 10^5 km/sec) / (8 bits/sec) = 37,500 km/info-bit

The data had to be recovered essentially error-free in spite of the thermal noise in the receiver.

Page 22

Which of the previous codes was used in Pioneer 9?

None of them! In fact, a different type of code called a convolutional code was used. In a convolutional code, the codeword length is, in a sense, infinite.

Example: A rate R = 1/2 binary convolutional code.

x_{2i} = u_i
x_{2i+1} = u_i ⊕ u_{i-1}
i = 0, 1, 2, ...

For each i, there is 1 new information bit and 2 new encoded bits. Thus, R = 1/2 info-bits/code-bit.

Note that

x_{2i+1} ⊕ x_{2i-2} = (u_i ⊕ u_{i-1}) ⊕ u_{i-1} = u_i
x_{2i+3} ⊕ x_{2i+2} = (u_{i+1} ⊕ u_i) ⊕ u_{i+1} = u_i

Page 23

Implementation of this simple convolutional code:

[Figure: Encoder. The information bits u_i, u_{i+1}, ... enter a one-bit delay that holds u_{i-1}; the two outputs x_{2i} = u_i and x_{2i+1} = u_i ⊕ u_{i-1} pass through a parallel-to-serial (P/S) converter to give the code bits x_{2i}, x_{2i+1}, ...; the channel adds the error bits e_{2i}, e_{2i+1}, ... to give the received bits y_{2i}, y_{2i+1}, ...]

⇒ y_{2i} = x_{2i} ⊕ e_{2i} = u_i ⊕ e_{2i}
y_{2i+1} ⊕ y_{2i-2} = x_{2i+1} ⊕ e_{2i+1} ⊕ x_{2i-2} ⊕ e_{2i-2} = u_i ⊕ e_{2i+1} ⊕ e_{2i-2}
y_{2i+3} ⊕ y_{2i+2} = x_{2i+3} ⊕ e_{2i+3} ⊕ x_{2i+2} ⊕ e_{2i+2} = u_i ⊕ e_{2i+3} ⊕ e_{2i+2}

Three noisy versions of the single information bit u_i.

û_i = Majority(y_{2i}, y_{2i+1} ⊕ y_{2i-2}, y_{2i+3} ⊕ y_{2i+2}) will be correct if there is at most a single 1 among the five error bits in these equations.
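The rate-1/2 convolutional code of Pages 22 and 23 in working form, as an added example that is not from the slides: the encoder with its one-bit delay, a channel that flips chosen code bits, and the majority decoder built from the three estimates of u_i. Two assumptions are made here: the delay starts at 0 (u_{-1} = 0), and a terminating 0 is appended to the information bits so that the last bit also has three estimates.

```python
def conv_encode(u):
    """Rate-1/2 encoder of the slides: x_{2i} = u_i and x_{2i+1} = u_i XOR u_{i-1}.
    The one-bit delay starts at 0 (u_{-1} = 0) and, as an assumption added here,
    a final 0 is fed in so that the last information bit also gets three estimates."""
    x = []
    prev = 0
    for bit in list(u) + [0]:
        x.append(bit)          # x_{2i}
        x.append(bit ^ prev)   # x_{2i+1}
        prev = bit
    return x

def add_errors(x, positions):
    """Channel: flip the code bits at the given positions (the error pattern e)."""
    y = list(x)
    for p in positions:
        y[p] ^= 1
    return y

def majority(a, b, c):
    return 1 if a + b + c >= 2 else 0

def conv_decode(y):
    """Majority decoder of the slides:
    u_hat_i = Majority(y_{2i}, y_{2i+1} XOR y_{2i-2}, y_{2i+3} XOR y_{2i+2}).
    Bits before the start of the stream are taken as 0 (consistent with u_{-1} = 0)."""
    n = len(y) // 2 - 1   # the last pair of code bits belongs to the terminating 0

    def bit(j):
        return y[j] if 0 <= j < len(y) else 0

    u_hat = []
    for i in range(n):
        est1 = bit(2 * i)                       # u_i XOR e_{2i}
        est2 = bit(2 * i + 1) ^ bit(2 * i - 2)  # u_i XOR e_{2i+1} XOR e_{2i-2}
        est3 = bit(2 * i + 3) ^ bit(2 * i + 2)  # u_i XOR e_{2i+3} XOR e_{2i+2}
        u_hat.append(majority(est1, est2, est3))
    return u_hat

def transmit(u, error_positions):
    """Encode, apply the error pattern, decode; returns the decoded information bits."""
    return conv_decode(add_errors(conv_encode(u), error_positions))
```

A single error anywhere, or errors far enough apart, is corrected; two errors among the five error bits that feed one decision (for example at code-bit positions 2 and 3) are not, exactly as the condition on Page 23 says.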

Page 24

The convolutional code used on Pioneer 9 was very much like that on the previous slide except that, instead of a single one-bit delay in the encoder, there was a cascade of 20 one-bit delays (with a careful selection of which points between delays the information bit was added modulo-two).

A convolutional code was used in preference to a block code because it was known how to do “soft-decision decoding” for a convolutional code, but nobody knew how to do this for a comparably powerful block code. (We still today do not know how to do this!)

Recall that there is a 2 dB penalty (factor of 1.6 in power) for doing “hard-decision decoding” on a Gaussian noise channel.

Page 25

The Pioneer 9 coding system gave a 3 dB gain (a factor of 2 in power) over uncoded transmission, but the system was still about 5.5 dB (a factor of 3.5 in power) from the “Shannon Limit”. This includes a 1.2 dB loss because of the finite bandwidth (the coded bandwidth was only twice the uncoded bandwidth), which loss is essentially unavoidable. Thus Pioneer 9 in 1968 was about 4.3 dB (a factor of 2.7 in power) from ideal performance. In 1992 we were at about the same place!

The invention of “turbo coding” in 1993 by C. Berrou, A. Glavieux and P. Thitimajshima has made possible coding systems that achieve performance within a small fraction of a dB of the ideal. We are still trying to understand why these systems work!

Page 26

Goals of Cryptography

Privacy: Determines who can read the message
• Prevent eavesdropping
• Prevent tracing

Authenticity: Determines who can write the message
• Prevent forgery
• Prevent alteration

Up to now we have been talking only about privacy or “secrecy”. We will now say something about authenticity, which gives a chance to say something interesting about modular arithmetic.

Page 27

Arithmetic modulo a prime p (arithmetic on a circle of p points)

For arithmetic modulo a prime p, exactly half of the nonzero numbers have two square roots and exactly half have no square roots.

If b is a nonzero number with a square root modulo p, then its two square roots are easy to compute.

Example: p = 11

a:    1  2  3  4  5  6  7  8  9  10
a^2:  1  4  9  5  3  3  5  9  4  1

√5 = 4 or 7 [= −4]

Page 28

If p is a prime and (p − 1)/2 is odd, and if β is a square for arithmetic modulo p, then

α = β^((p+1)/4)

is a square root of β, as is also −α.

Example: p = 11, β = 5.

α = β^((p+1)/4) = β^3 = β ⊗ β ⊗ β = (5 ⊗ 5) ⊗ 5 = 3 ⊗ 5 = 4.

It is only slightly more complicated to find square roots modulo a prime p if (p − 1)/2 is even.

The fancy name for a “square”, i.e. for a number with square roots, is “quadratic residue”.

Page 29

Practical cryptographic systems rely on the difficulty, rather than the impossibility, of breaking them. Systems that are impossible to break, such as Vernam’s cipher, require impractically long secret keys.

Much of “public key cryptography” (where there is no common secret key between users) is based on the assumed difficulty of factoring the product of two large and randomly chosen primes.

Page 30

Arithmetic modulo a product m of two distinct odd primes

A unit is a number that is nonzero modulo each of the factors or, equivalently, that is relatively prime to m.

Example: m = 3 × 7 = 21

units α:  1  2  4   5  8  10  11  13  16  17  19  20
α^2:      1  4  16  4  1  16  16  1   4   16  4   1

√4 = 2 or 19 [= −2] or 5 or 16 [= −5]

For arithmetic modulo a product of two distinct odd primes, exactly one-fourth of the units have four square roots and exactly three-fourths have no square roots. The four square roots of a unit with square roots divide into two pairs of elements that are the negatives of one another.

Page 31

Arithmetic modulo a product m of two distinct odd primes

Two square roots of a unit β are said to be essentially different if they are not equal and are not the negatives of one another.

If you can find square roots, you can factor m.

• If m is the product of two distinct odd primes,
• if β is a unit that has square roots modulo m (i.e. a quadratic residue),
• and if α and γ are essentially different square roots of β,
then gcd(α + γ, m) is a prime factor of m.

Factoring m is computationally equivalent to finding square roots for arithmetic modulo m.

Page 32

Proof that if you can take square roots then you can factor:

Suppose m = pq where p and q are distinct odd primes and suppose that α and γ are essentially different square roots of some β for arithmetic modulo m.

⇒ α ≠ γ and α ≠ −γ
⇒ α − γ ≠ 0 and α + γ ≠ 0
⇒ m = pq does not divide α − γ or α + γ.
But (α − γ)(α + γ) = α^2 − γ^2 = 0
⇒ m = pq divides (α − γ)(α + γ)
⇒ p divides α − γ and q divides α + γ (or vice versa).

Page 33

Example: m = 3 × 7 = 21. 2 and 16 are essentially different square roots of 4. gcd(2 + 16, 21) = gcd(18, 21) = 3.

Example: m = 11 × 13 = 143. 1 and 12 are essentially different square roots of 1. gcd(1 + 12, 143) = gcd(13, 143) = 13.

Page 34

Proof that if you can factor then you can take square roots.

If one knows the factorization of m = pq, where p and q are distinct odd primes, then it is easy to compute the four square roots of any unit β that has square roots modulo m. Just find square roots α and γ of β modulo p and β modulo q, respectively, and then find the number x between 1 and m − 1 with these remainders when divided by p and q.

Example: m = 3 × 7 = 21. Suppose β = 16. ⇒ β mod 3 = 1 and β mod 7 = 2.
The square roots of 1 for arithmetic modulo 3 are 1 and 2.
The square roots of 2 for arithmetic modulo 7 are 3 and 4.
x mod 3 = 2 and x mod 7 = 4 ⇒ x = 11 is a square root of 16 modulo 21.
x mod 3 = 1 and x mod 7 = 4 ⇒ x = 4 is a square root of 16 modulo 21.
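The square-root arithmetic of Pages 28 and 31 to 34 in one added example (my code, not from the slides): the formula α = β^((p+1)/4) for primes with (p − 1)/2 odd, the four roots modulo m = pq obtained by combining roots modulo p and modulo q (the Chinese-remainder step the slides describe in words), and the gcd that turns two essentially different roots into the factors of m. Function names are my own; `pow(x, -1, n)` for modular inverses needs Python 3.8 or later.

```python
from math import gcd

def sqrt_mod_prime(beta, p):
    """Square root of beta modulo a prime p with (p - 1)/2 odd, i.e. p = 3 (mod 4):
    alpha = beta^((p + 1)/4) (Page 28). Returns None when beta has no square root
    (is not a quadratic residue), which the final squaring check detects."""
    assert p % 4 == 3, "this formula needs (p - 1)/2 odd"
    beta %= p
    alpha = pow(beta, (p + 1) // 4, p)
    return alpha if alpha * alpha % p == beta else None

def crt(a, p, b, q):
    """The number x in [0, pq) with x = a (mod p) and x = b (mod q), p and q coprime."""
    inv = pow(p, -1, q)  # inverse of p modulo q
    return (a + p * ((b - a) * inv % q)) % (p * q)

def sqrt_mod_pq(beta, p, q):
    """All four square roots of a unit beta modulo m = pq, from its roots modulo p
    and modulo q (Page 34); empty list if beta has no square roots."""
    rp, rq = sqrt_mod_prime(beta, p), sqrt_mod_prime(beta, q)
    if rp is None or rq is None:
        return []
    return sorted({crt(a, p, b, q) for a in (rp, p - rp) for b in (rq, q - rq)})

def essentially_different(alpha, gamma, m):
    """Page 31: not equal and not the negatives of one another modulo m."""
    return alpha % m != gamma % m and (alpha + gamma) % m != 0

def factor_from_roots(alpha, gamma, m):
    """Page 31: for essentially different square roots alpha, gamma of the same beta,
    gcd(alpha + gamma, m) is a prime factor of m. Returns both factors of m."""
    if (alpha * alpha - gamma * gamma) % m != 0:
        raise ValueError("alpha and gamma are not square roots of the same beta")
    if not essentially_different(alpha, gamma, m):
        raise ValueError("the two square roots must be essentially different")
    p = gcd(alpha + gamma, m)
    return p, m // p
```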

Page 35

No-Knowledge Proof of Identity (Fiat-Shamir)

[Figure: Alice and Bob exchange three messages: Alice → Bob: A, s; Bob → Alice: b; Alice → Bob: t]

ALICE: Hi! It’s Alice.
BOB: Prove it by showing that you know Alice’s secret.
ALICE: OK. Here’s my proof: [symbols]
BOB: You convinced me, Alice.
ALICE: What did you learn about my secret, Bob?
BOB: Absolutely nothing, Alice!

Page 36

• Everybody knows the product m of two large distinct randomly chosen odd primes, but nobody knows the factorization of m.
• Every user, say Alice, randomly chooses a unit x_A, then computes its square y_A and puts (A, y_A) in the Trusted Public Directory (TPD) but keeps x_A secret to herself.

ALICE: Randomly chooses a unit r and computes its square s modulo m.
ALICE → BOB: A, s
BOB: Randomly chooses a single binary digit b.
BOB → ALICE: b
ALICE: Computes t = r × (x_A)^b.
ALICE → BOB: t
BOB: Fetches y_A from the TPD and replaces s by s × (y_A)^b. Computes t^2. Accepts Alice if s = t^2.

Page 37

How the Fiat-Shamir scheme works:

The correct responses for b = 0 and b = 1 are r and r × x_A, from which one can compute x_A by division. Thus only Alice (or someone who can factor m) can have both correct responses ready. The probability is at best one-half that an impostor can convince Bob that she is Alice (but the game can be played many times until Bob is truly convinced that the real Alice is answering).

For either choice of b, the only information that Bob obtains is a randomly chosen unit and its square. He could have obtained this information for himself without using the protocol, so he has learned nothing at all from the protocol.
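The protocol of Page 36 and the two arguments of Page 37, as an added example (my code, not the slides' or Fiat and Shamir's): one round with Alice's commitment, Bob's challenge bit and Alice's response, Bob's check s × (y_A)^b = t^2, a prover who does not hold x_A passing only the b = 0 challenge, and the division that recovers x_A from both responses to the same commitment. The modulus m = 11 × 13 = 143 is a constructed toy value (Page 38 says real m is about 1000 bits), function names are my own, and Python's `random` stands in for the cryptographic randomness a real implementation needs.

```python
import random
from math import gcd

# Constructed toy modulus for illustration only: m = 11 × 13 = 143 (Page 33's second example).
M = 11 * 13

def is_unit(x, m):
    return 0 < x < m and gcd(x, m) == 1

def random_unit(m, rng):
    """A random unit modulo m. rng is a random.Random; a real implementation must use
    a cryptographic source (e.g. the secrets module), since r protects x_A."""
    while True:
        x = rng.randrange(1, m)
        if is_unit(x, m):
            return x

def register(x_a, m):
    """Alice's public value y_A = x_A^2 mod m, the entry (A, y_A) in the TPD."""
    assert is_unit(x_a, m)
    return x_a * x_a % m

def prover_commit(m, rng):
    """Alice: random unit r and its square s; she sends (A, s) and keeps r."""
    r = random_unit(m, rng)
    return r, r * r % m

def prover_respond(r, x_a, b, m):
    """Alice: t = r × (x_A)^b for Bob's challenge bit b."""
    return r * pow(x_a, b, m) % m

def verifier_check(s, y_a, b, t, m):
    """Bob: fetch y_A, form s × (y_A)^b and accept if it equals t^2."""
    return s * pow(y_a, b, m) % m == t * t % m

def run_protocol(x_a, m, rounds, seed):
    """Full run with honest Alice: True if Bob accepts in every one of the rounds."""
    rng = random.Random(seed)
    y_a = register(x_a, m)
    for _ in range(rounds):
        r, s = prover_commit(m, rng)
        b = rng.randrange(2)                 # Bob's random challenge
        t = prover_respond(r, x_a, b, m)
        if not verifier_check(s, y_a, b, t, m):
            return False
    return True

def wrong_secret_round(y_a, claimed_x, b, m, seed):
    """One round by a prover who answers with a guess claimed_x instead of x_A:
    Bob's check passes for b = 0 whatever the guess (t = r, t^2 = s) and fails for
    b = 1 unless claimed_x^2 = y_A, which is the one-half bound of Page 37."""
    rng = random.Random(seed)
    r, s = prover_commit(m, rng)
    t = prover_respond(r, claimed_x, b, m)
    return verifier_check(s, y_a, b, t, m)

def secret_from_both_responses(t0, t1, m):
    """Page 37: the responses r (b = 0) and r × x_A (b = 1) to the same commitment
    yield x_A by division, which is why a fresh r is needed in every round."""
    return t1 * pow(t0, -1, m) % m
```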

Page 38

Today it appears infeasible to factor m, a product of two distinct randomly chosen primes, if m is about 1000 bits long (300 decimal digits). If this is true, the Fiat-Shamir zero-knowledge proof-of-identity is secure.

The Fiat-Shamir zero-knowledge proof-of-identity protocol can be used repeatedly without sacrifice of its security. This makes it very attractive for many applications.

Page 39

Since this is slide 39, I think it’s about time I quit talking!