Embed Size (px)
DESCRIPTION
chapter 4
Citation preview
Cryptography and Cryptography and Network SecurityNetwork Security
Chapter 4Chapter 4
Fourth EditionFourth Edition
by William Stallingsby William Stallings
Lecture slides by Lawrie BrownLecture slides by Lawrie Brown
Chapter 4 – Finite FieldsChapter 4 – Finite FieldsThe next morning at daybreak, Star flew indoors, The next morning at daybreak, Star flew indoors, seemingly keen for a lesson. I said, "Tap eight." She did seemingly keen for a lesson. I said, "Tap eight." She did a brilliant exhibition, first tapping it in 4, 4, then giving me a brilliant exhibition, first tapping it in 4, 4, then giving me a hasty glance and doing it in 2, 2, 2, 2, before coming a hasty glance and doing it in 2, 2, 2, 2, before coming for her nut. It is astonishing that Star learned to count up for her nut. It is astonishing that Star learned to count up to 8 with no difficulty, and of her own accord discovered to 8 with no difficulty, and of her own accord discovered that each number could be given with various different that each number could be given with various different divisions, this leaving no doubt that she was consciously divisions, this leaving no doubt that she was consciously thinking each number. In fact, she did mental arithmetic, thinking each number. In fact, she did mental arithmetic, although unable, like humans, to name the numbers. But although unable, like humans, to name the numbers. But she learned to recognize their spoken names almost she learned to recognize their spoken names almost immediately and was able to remember the sounds of immediately and was able to remember the sounds of the names. Star is unique as a wild bird, who of her own the names. Star is unique as a wild bird, who of her own free will pursued the science of numbers with keen free will pursued the science of numbers with keen interest and astonishing intelligence.interest and astonishing intelligence.
— — Living with BirdsLiving with Birds, Len Howard, Len Howard
IntroductionIntroduction
will now introduce finite fieldswill now introduce finite fields of increasing importance in cryptographyof increasing importance in cryptography
AES, Elliptic Curve, IDEA, Public KeyAES, Elliptic Curve, IDEA, Public Key concern operations on “numbers”concern operations on “numbers”
where what constitutes a “number” and the where what constitutes a “number” and the type of operations varies considerablytype of operations varies considerably
start with concepts of groups, rings, fields start with concepts of groups, rings, fields from abstract algebrafrom abstract algebra
GroupGroup
a set of elements or “numbers”a set of elements or “numbers” with some operation whose result is also with some operation whose result is also
in the set (closure) in the set (closure) obeys:obeys:
associative law:associative law: (a.b).c = a.(b.c)(a.b).c = a.(b.c) has identity has identity ee:: e.a = a.e = ae.a = a.e = a has inverses has inverses aa-1-1:: a.aa.a-1-1 = e = e
if commutative if commutative a.b = b.aa.b = b.a then forms an then forms an abelian groupabelian group
Cyclic GroupCyclic Group
define define exponentiationexponentiation as repeated as repeated application of operatorapplication of operator example:example: aa-3-3 = a.a.a = a.a.a
and let identity be:and let identity be: e=e=aa00
a group is cyclic if every element is a a group is cyclic if every element is a power of some fixed elementpower of some fixed element ie ie b =b = aakk for some for some aa and every and every bb in group in group
aa is said to be a generator of the group is said to be a generator of the group
RingRing
a set of “numbers” a set of “numbers” with two operations (addition and multiplication) with two operations (addition and multiplication)
which form:which form: an abelian group with addition operation an abelian group with addition operation and multiplication:and multiplication:
has closurehas closure is associativeis associative distributive over addition:distributive over addition: a(b+c) = ab + aca(b+c) = ab + ac
if multiplication operation is commutative, it forms if multiplication operation is commutative, it forms a a commutative ringcommutative ring
if if multiplication operation has an identity and no multiplication operation has an identity and no zero divisors, it forms an zero divisors, it forms an integral domainintegral domain
FieldField
a set of numbers a set of numbers with two operations which form:with two operations which form:
abelian group for addition abelian group for addition abelian group for multiplication (ignoring 0) abelian group for multiplication (ignoring 0) ringring
have hierarchy with more axioms/lawshave hierarchy with more axioms/laws group -> ring -> fieldgroup -> ring -> field
Modular ArithmeticModular Arithmetic
define define modulo operatormodulo operator “ “a mod n”a mod n” to be to be remainder when a is divided by nremainder when a is divided by n
use the term use the term congruencecongruence for: for: a = b mod na = b mod n when divided by when divided by n,n, a & b have same remainder a & b have same remainder eg. 100 = 34 mod 11 eg. 100 = 34 mod 11
b is called a b is called a residueresidue of a mod n of a mod n since with integers can always write: since with integers can always write: a = qn + ba = qn + b usually chose smallest positive remainder as residueusually chose smallest positive remainder as residue
• ie. ie. 0 <= b <= n-10 <= b <= n-1 process is known as process is known as modulo reductionmodulo reduction
• eg. -12 mod 7 eg. -12 mod 7 == -5 mod 7 -5 mod 7 == 2 mod 7 2 mod 7 == 9 mod 7 9 mod 7
DivisorsDivisors
say a non-zero number say a non-zero number bb dividesdivides aa if for if for some some mm have have a=mba=mb ( (a,b,ma,b,m all integers) all integers)
that is that is bb divides into divides into aa with no remainder with no remainder denote this denote this b|ab|a and say that and say that bb is a is a divisordivisor of of aa eg. all of 1,2,3,4,6,8,12,24 divide 24 eg. all of 1,2,3,4,6,8,12,24 divide 24
Modular Arithmetic OperationsModular Arithmetic Operations
is 'clock arithmetic'is 'clock arithmetic' uses a finite number of values, and loops uses a finite number of values, and loops
back from either endback from either end modular arithmetic is when do addition & modular arithmetic is when do addition &
multiplication and modulo reduce answermultiplication and modulo reduce answer can do reduction at any point, iecan do reduction at any point, ie
a+b mod n = [a mod n + b mod n] mod na+b mod n = [a mod n + b mod n] mod n
Modular ArithmeticModular Arithmetic
can do modular arithmetic with any group of can do modular arithmetic with any group of integers: integers: ZZnn = {0, 1, … , n-1} = {0, 1, … , n-1}
form a commutative ring for additionform a commutative ring for addition with a multiplicative identitywith a multiplicative identity note some peculiaritiesnote some peculiarities
if if (a+b)(a+b)=(a+c) mod n =(a+c) mod n
thenthen b=c mod n b=c mod n but if but if (a.b)(a.b)=(a.c) mod n =(a.c) mod n
thenthen b=c mod n b=c mod n only ifonly if a a is relatively prime tois relatively prime to n n
Modulo 8 Addition ExampleModulo 8 Addition Example+ 0 1 2 3 4 5 6 7
0 0 1 2 3 4 5 6 7
1 1 2 3 4 5 6 7 0
2 2 3 4 5 6 7 0 1
3 3 4 5 6 7 0 1 2
4 4 5 6 7 0 1 2 3
5 5 6 7 0 1 2 3 4
6 6 7 0 1 2 3 4 5
7 7 0 1 2 3 4 5 6
Greatest Common Divisor (GCD)Greatest Common Divisor (GCD)
a common problem in number theorya common problem in number theory GCD (a,b) of a and b is the largest number GCD (a,b) of a and b is the largest number
that divides evenly into both a and b that divides evenly into both a and b eg GCD(60,24) = 12eg GCD(60,24) = 12
often want often want no common factorsno common factors (except 1) (except 1) and hence numbers are and hence numbers are relatively primerelatively prime eg GCD(8,15) = 1eg GCD(8,15) = 1 hence 8 & 15 are relatively prime hence 8 & 15 are relatively prime
Euclidean AlgorithmEuclidean Algorithm
an efficient way to find the GCD(a,b)an efficient way to find the GCD(a,b) uses theorem that: uses theorem that:
GCD(a,b) = GCD(b, a mod b)GCD(a,b) = GCD(b, a mod b) Euclidean Algorithm to compute GCD(a,b) is: Euclidean Algorithm to compute GCD(a,b) is:
EUCLID(a,b)EUCLID(a,b)1. A 1. A = = a; B a; B = = b b 2. if B = 0 return A = gcd(a, b) 2. if B = 0 return A = gcd(a, b) 3. R = A mod B 3. R = A mod B 4. A = B 4. A = B 5. B 5. B = = R R 6. goto 26. goto 2
Example GCD(1970,1066)Example GCD(1970,1066)
1970 = 1 x 1066 + 904 1970 = 1 x 1066 + 904 gcd(1066, 904)gcd(1066, 904)1066 = 1 x 904 + 162 1066 = 1 x 904 + 162 gcd(904, 162)gcd(904, 162)904 = 5 x 162 + 94 904 = 5 x 162 + 94 gcd(162, 94)gcd(162, 94)162 = 1 x 94 + 68 162 = 1 x 94 + 68 gcd(94, 68)gcd(94, 68)94 = 1 x 68 + 26 94 = 1 x 68 + 26 gcd(68, 26)gcd(68, 26)68 = 2 x 26 + 16 68 = 2 x 26 + 16 gcd(26, 16)gcd(26, 16)26 = 1 x 16 + 10 26 = 1 x 16 + 10 gcd(16, 10)gcd(16, 10)16 = 1 x 10 + 6 16 = 1 x 10 + 6 gcd(10, 6)gcd(10, 6)10 = 1 x 6 + 4 10 = 1 x 6 + 4 gcd(6, 4)gcd(6, 4)6 = 1 x 4 + 2 6 = 1 x 4 + 2 gcd(4, 2)gcd(4, 2)4 = 2 x 2 + 0 4 = 2 x 2 + 0 gcd(2, 0)gcd(2, 0)
Galois FieldsGalois Fields
finite fields play a key role in cryptographyfinite fields play a key role in cryptography can show number of elements in a finite can show number of elements in a finite
field field mustmust be a power of a prime p be a power of a prime pnn
known as Galois fieldsknown as Galois fields denoted GF(pdenoted GF(pnn)) in particular often use the fields:in particular often use the fields:
GF(p)GF(p) GF(2GF(2nn))
Galois Fields GF(p)Galois Fields GF(p)
GF(p) is the set of integers {0,1, … , p-1} GF(p) is the set of integers {0,1, … , p-1} with arithmetic operations modulo prime pwith arithmetic operations modulo prime p
these form a finite fieldthese form a finite field since have multiplicative inversessince have multiplicative inverses
hence arithmetic is “well-behaved” and hence arithmetic is “well-behaved” and can do addition, subtraction, multiplication, can do addition, subtraction, multiplication, and division without leaving the field GF(p)and division without leaving the field GF(p)
GF(7) Multiplication Example GF(7) Multiplication Example
0 1 2 3 4 5 6
0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6
2 0 2 4 6 1 3 5
3 0 3 6 2 5 1 4
4 0 4 1 5 2 6 3
5 0 5 3 1 6 4 2
6 0 6 5 4 3 2 1
Finding InversesFinding Inverses
EXTENDED EUCLID(EXTENDED EUCLID(mm, , bb))1.1. (A1, A2, A3)=(1, 0, (A1, A2, A3)=(1, 0, mm); );
(B1, B2, B3)=(0, 1, (B1, B2, B3)=(0, 1, bb))2. if 2. if B3 = 0B3 = 0
return return A3 = gcd(A3 = gcd(mm, , bb); no inverse); no inverse3. if 3. if B3 = 1 B3 = 1
return return B3 = gcd(B3 = gcd(mm, , bb); B2 = ); B2 = bb–1–1 mod mod mm4. 4. Q = A3 div B3Q = A3 div B35. 5. (T1, T2, T3)=(A1 – Q B1, A2 – Q B2, A3 – Q B3)(T1, T2, T3)=(A1 – Q B1, A2 – Q B2, A3 – Q B3)6. 6. (A1, A2, A3)=(B1, B2, B3)(A1, A2, A3)=(B1, B2, B3)7. 7. (B1, B2, B3)=(T1, T2, T3)(B1, B2, B3)=(T1, T2, T3)8. goto 8. goto 22
Inverse of 550 in GF(1759)Inverse of 550 in GF(1759)
Q A1 A2 A3 B1 B2 B3
— 1 0 1759 0 1 550
3 0 1 550 1 –3 109
5 1 –3 109 –5 16 5
21 –5 16 5 106 –339 4
1 106 –339 4 –111 355 1
Polynomial ArithmeticPolynomial Arithmetic
can compute using polynomialscan compute using polynomialsff((xx) = a) = annxxnn + a + an-1n-1xxn-1n-1 + … + a + … + a11x + x + aa00 = ∑ a = ∑ aiixxii
• nb. not interested in any specific value of xnb. not interested in any specific value of x• which is known as the indeterminatewhich is known as the indeterminate
several alternatives availableseveral alternatives available ordinary polynomial arithmeticordinary polynomial arithmetic poly arithmetic with coords mod ppoly arithmetic with coords mod p poly arithmetic with coords mod p and poly arithmetic with coords mod p and
polynomials mod m(x)polynomials mod m(x)
Ordinary Polynomial ArithmeticOrdinary Polynomial Arithmetic
add or subtract corresponding coefficientsadd or subtract corresponding coefficients multiply all terms by each othermultiply all terms by each other egeg
let let ff((xx) = ) = xx33 + + xx22 + 2 and + 2 and gg((xx) = ) = xx22 – – x x + 1+ 1ff((xx) + ) + gg((xx) = ) = xx33 + 2 + 2xx22 – – x x + 3+ 3ff((xx) – ) – gg((xx) = ) = xx33 + + x x + 1+ 1ff((xx) x ) x gg((xx) = ) = xx55 + 3 + 3xx22 – 2 – 2x x + 2+ 2
Polynomial Arithmetic with Polynomial Arithmetic with Modulo CoefficientsModulo Coefficients
when computing value of each coefficient when computing value of each coefficient do calculation modulo some valuedo calculation modulo some value forms a polynomial ringforms a polynomial ring
could be modulo any primecould be modulo any prime but we are most interested in mod 2but we are most interested in mod 2
ie all coefficients are 0 or 1ie all coefficients are 0 or 1 eg. let eg. let ff((xx) = ) = xx33 + + xx22 and and gg((xx) = ) = xx22 + + x x + 1+ 1
ff((xx) + ) + gg((xx) = ) = xx33 + + x x + 1+ 1ff((xx) x ) x gg((xx) = ) = xx55 + + xx22
Polynomial DivisionPolynomial Division
can write any polynomial in the form:can write any polynomial in the form: ff((xx) = ) = qq((xx) ) gg((xx) + ) + rr((xx)) can interpret can interpret rr((xx) ) as being a remainderas being a remainder rr((xx) = ) = ff((xx) mod ) mod gg((xx))
if have no remainder say if have no remainder say gg((xx) divides ) divides ff((xx)) if if gg((xx) has no divisors other than itself & 1 ) has no divisors other than itself & 1
say it is say it is irreducibleirreducible (or prime) polynomial (or prime) polynomial arithmetic modulo an irreducible arithmetic modulo an irreducible
polynomial forms a fieldpolynomial forms a field
Polynomial GCDPolynomial GCD
can find greatest common divisor for polyscan find greatest common divisor for polys c(x)c(x) = GCD( = GCD(a(x), b(x)a(x), b(x)) if ) if c(x)c(x) is the poly of greatest is the poly of greatest
degree which divides both degree which divides both a(x), b(x)a(x), b(x) can adapt Euclid’s Algorithm to find it:can adapt Euclid’s Algorithm to find it:
EUCLID[EUCLID[aa((xx)), b, b((xx)])]1. 1. A(A(xx) = ) = aa((xx); B(); B(xx) = ) = bb((xx))2. if 2. if B(B(xx) = 0 ) = 0 return return A(A(xx) = gcd[) = gcd[aa((xx)), b, b((xx)])]3. 3. R(R(xx) = A() = A(xx) mod B() mod B(xx))4. 4. A(A(xx) ¨ B() ¨ B(xx))5. 5. B(B(xx) ¨ R() ¨ R(xx))6. goto 6. goto 22
Modular Polynomial Modular Polynomial ArithmeticArithmetic
can compute in field GF(2can compute in field GF(2nn) ) polynomials with coefficients modulo 2polynomials with coefficients modulo 2 whose degree is less than nwhose degree is less than n hence must reduce modulo an irreducible poly hence must reduce modulo an irreducible poly
of degree n (for multiplication only)of degree n (for multiplication only) form a finite fieldform a finite field can always find an inversecan always find an inverse
can extend Euclid’s Inverse algorithm to findcan extend Euclid’s Inverse algorithm to find
Example GF(2Example GF(233))
Computational Computational ConsiderationsConsiderations
since coefficients are 0 or 1, can represent since coefficients are 0 or 1, can represent any such polynomial as a bit stringany such polynomial as a bit string
addition becomes XOR of these bit stringsaddition becomes XOR of these bit strings multiplication is shift & XORmultiplication is shift & XOR
cf long-hand multiplicationcf long-hand multiplication modulo reduction done by repeatedly modulo reduction done by repeatedly
substituting highest power with remainder substituting highest power with remainder of irreducible poly (also shift & XOR)of irreducible poly (also shift & XOR)
Computational ExampleComputational Example
in in GF(2GF(233) have ) have (x(x22+1) is 101+1) is 10122 & (x & (x22+x+1) is 111+x+1) is 11122
so addition isso addition is (x(x22+1) + (x+1) + (x22+x+1) = x +x+1) = x 101 XOR 111 = 010101 XOR 111 = 01022
and multiplication isand multiplication is (x+1).(x(x+1).(x22+1) = x.(x+1) = x.(x22+1) + 1.(x+1) + 1.(x22+1) +1)
= x= x33+x+x+x+x22+1 = x+1 = x33+x+x22+x+1 +x+1 011.101 = (101)<<1 XOR (101)<<0 = 011.101 = (101)<<1 XOR (101)<<0 =
1010 XOR 101 = 11111010 XOR 101 = 111122 polynomial modulo reduction (get q(x) & r(x)) ispolynomial modulo reduction (get q(x) & r(x)) is
(x(x33+x+x22+x+1 ) mod (x+x+1 ) mod (x33+x+1) = 1.(x+x+1) = 1.(x33+x+1) + (x+x+1) + (x22) = x) = x22
1111 mod 1011 = 1111 XOR 1011 = 01001111 mod 1011 = 1111 XOR 1011 = 010022
Using a GeneratorUsing a Generator
equivalent definition of a finite fieldequivalent definition of a finite field a a generatorgenerator g is an element whose g is an element whose
powers generate all non-zero elementspowers generate all non-zero elements in F have 0, gin F have 0, g00, g, g11, …, g, …, gq-2q-2
can create generator from can create generator from rootroot of the of the irreducible polynomialirreducible polynomial
then implement multiplication by adding then implement multiplication by adding exponents of generatorexponents of generator
SummarySummary
have considered:have considered: concept of groups, rings, fieldsconcept of groups, rings, fields modular arithmetic with integersmodular arithmetic with integers Euclid’s algorithm for GCDEuclid’s algorithm for GCD finite fields GF(p)finite fields GF(p) polynomial arithmetic in general and in GF(2polynomial arithmetic in general and in GF(2nn) )
![Crypt of Cthulhu #38 (1987.Cryptic)[CosmicJukebox] of Cthulhu/Misc/Crypt of Cthulhu/Crypt of... · Eastertide1986/5 foundinLovecraft'scellargallery: Alockedportfolio,boundintanned](https://img.pdfslide.us/doc/110x75/5b975f8609d3f27e758c8cfe/crypt-of-cthulhu-38-1987crypticcosmicjukebox-of-cthulhumisccrypt-of-cthulhucrypt.jpg)
