Seberry J. Cryptography: An Introduction to Computer Security. 1989 (PDF).
Algebraic Structures in Computing
If some additional conditions are imposed on the homomorphism $f: G \to H$, it is called:
- Epimorphism: the image of the homomorphism covers the whole set $H$, i.e. $f(G) = H$.
- Monomorphism: $f$ is injective, so there is an inverse mapping $f^{-1}: f(G) \to G$ with $f^{-1}(f(a)) = a$ for all $a \in G$.
- Isomorphism: a monomorphism with $f(G) = H$.
A ring is an algebraic structure with a set $S$ and two operations, addition $+$ and multiplication $\cdot$, i.e. $R = \langle S, +, \cdot \rangle$, such that
R1. For each pair $a, b \in S$, $a + b$ and $a \cdot b$ belong to $S$.
R2. $\langle S, + \rangle$ is an additive Abelian group.
R3. Multiplication is associative, i.e. for any $a, b, c \in S$, $(a \cdot b) \cdot c = a \cdot (b \cdot c)$.
R4. Multiplication is distributive with respect to addition, i.e. for any three elements $a, b, c \in S$, $a(b + c) = ab + ac$ and $(a + b)c = ac + bc$.
Let $p, q$ be two odd primes and the modulus $N = pq$. The set $\mathbb{Z}_N = \{0, 1, \ldots, N-1\}$ with addition and multiplication modulo $N$ is a ring. It is easy to check that $\langle \mathbb{Z}_N, + \rangle$ is an Abelian group, and that multiplication is associative and distributive with respect to addition. The ring $\mathbb{Z}_N$ describes the algebraic structure of the well-known Rivest-Shamir-Adleman public-key cryptosystem. Using the CRT, any element $a \in \mathbb{Z}_N$ can be equivalently represented as a vector
$$a \leftrightarrow (a_1, a_2) \quad \text{with} \quad a_1 \equiv a \pmod p \ \text{ and } \ a_2 \equiv a \pmod q.$$
Note that all elements $a \in \mathbb{Z}_N$ whose vector components are both different from zero ($a_1 \neq 0$ and $a_2 \neq 0$) have additive and multiplicative inverses. Under multiplication, the set of these elements forms a finite group $\mathbb{Z}_N^*$ of order $\varphi(N) = (p-1)(q-1)$. Any element generates a cyclic subgroup whose order divides $\varphi(N)$. Note, however, that $\mathbb{Z}_N^*$ itself is not cyclic for $N = pq$: it is isomorphic to $\mathbb{Z}_p^* \times \mathbb{Z}_q^*$, so every element order already divides $\mathrm{lcm}(p-1, q-1)$, which is at most $\varphi(N)/2$ because $p-1$ and $q-1$ are both even; no single element generates the whole group. Elements with one component zero do not have multiplicative inverses. The collection of all elements $(0 \bmod p,\ a_2 \bmod q)$ is exactly the set of all multiples of $p$, i.e. $\{ip \mid i = 0, 1, \ldots, q-1\}$. The other set of multiples is $\{iq \mid i = 0, 1, \ldots, p-1\}$. Those two sets have special properties: they are closed under addition, and any product of one of their elements by an arbitrary element of $\mathbb{Z}_N$ falls back into the set. Such sets are called ideals.
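A worked instance of the CRT picture above, added here as an illustration (it is not part of the original text), with $N = 15 = 3 \cdot 5$, $\varphi(15) = 2 \cdot 4 = 8$:
$$
\begin{aligned}
7 &\leftrightarrow (7 \bmod 3,\ 7 \bmod 5) = (1, 2), \qquad 8 \leftrightarrow (2, 3), \\
7 \cdot 8 &= 56 \equiv 11 \pmod{15} \leftrightarrow (1 \cdot 2 \bmod 3,\ 2 \cdot 3 \bmod 5) = (2, 1), \quad \text{and indeed } 11 \equiv 2 \pmod 3,\ 11 \equiv 1 \pmod 5; \\
I_1 &= \{0, 3, 6, 9, 12\} \leftrightarrow (0, \ast), \qquad I_2 = \{0, 5, 10\} \leftrightarrow (\ast, 0), \\
6 + 9 &= 15 \equiv 0 \in I_1, \qquad 7 \cdot 6 = 42 \equiv 12 \in I_1 \quad \text{(closed under addition and under multiplication by any element)}; \\
\mathbb{Z}_{15}^* &= \{1, 2, 4, 7, 8, 11, 13, 14\}, \qquad 2^4 = 16 \equiv 1,\quad 7^2 = 49 \equiv 4,\ 7^4 \equiv 16 \equiv 1,\quad 4^2 \equiv 1,\quad 11^2 = 121 \equiv 1,\quad 14^2 \equiv 1 .
\end{aligned}
$$
Every element of $\mathbb{Z}_{15}^*$ has order $1$, $2$ or $4$, all dividing $\mathrm{lcm}(2, 4) = 4 < 8$, so no element has order $\varphi(15) = 8$ and the group is not cyclic, although each element does generate a cyclic subgroup whose order divides $\varphi(15)$.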
More formally, an ideal in a ring $R$ is a nonempty subset $I \subseteq R$ such that
I1. For any pair of elements $a, b \in I$, $(a + b) \in I$, i.e. the ideal is closed under addition.
I2. For any $a \in I$ and any $b \in R$, both $ab$ and $ba$ belong to $I$.
Besides the trivial ideals $\{0\}$ and $\mathbb{Z}_N$ itself, the ring $\mathbb{Z}_N$ ($N = pq$, $p$ and $q$ primes) contains exactly two ideals: $I_1 = \{ip \mid i = 0, 1, \ldots, q-1\}$ and $I_2 = \{iq \mid i = 0, 1, \ldots, p-1\}$.
As not all elements of rings have multiplicative inverses, computations that involve division may not be possible unless special care is exercised. To make sure that all nonzero elements have multiplicative inverses, computations should be done in rings with division. Commutative rings with division are called fields.
A field $F = \langle S, +, \cdot \rangle$ is a set $S$ with two operations, addition and multiplication, with the following properties:
F1. $\langle S, +, \cdot \rangle$ is a commutative ring: it satisfies all the conditions for rings and in addition multiplication is commutative, i.e. for all $a, b \in S$, $ab = ba$.
F2. There is an identity element $1 \in S$ with respect to multiplication, i.e. for all $a \in S$, $a \cdot 1 = 1 \cdot a = a$.
F3. Any nonzero element $a \in S$ has a unique inverse $a^{-1}$ with $a \cdot a^{-1} = a^{-1} \cdot a = 1$.
$\mathbb{Z}_N = \langle \{0, 1, \ldots, N-1\}, +, \cdot \rangle$ is a field if and only if $N$ is prime. Some other important fields can be constructed using polynomials.
2.2.2 Polynomial Arithmetic |
Let $F$ be a field. Consider a function $f: F \to F$ of the form
$$f(x) = a_0 + a_1 x + \ldots + a_n x^n \qquad (2.14)$$
where $a_i \in F$ for $i = 0, 1, \ldots, n$. Any function which can be written in the form (2.14) is called a polynomial. Any polynomial $f(x) \neq 0$ has its degree, the highest power of $x$ with a nonzero coefficient. For the polynomial (2.14) with $a_n \neq 0$ the degree is equal to $n$, or in other words $\deg f(x) = n$. Two polynomials $p(x) = a_0 + a_1 x + \ldots + a_n x^n$ and $q(x) = b_0 + b_1 x + \ldots + b_m x^m$ can be added and subtracted:
$$p(x) \pm q(x) = (a_0 \pm b_0) + (a_1 \pm b_1) x + \ldots + (a_m \pm b_m) x^m + a_{m+1} x^{m+1} + \ldots + a_n x^n \qquad (2.15)$$
where $n > m$. Their product is also a polynomial and
$$p(x) \, q(x) = a_0 b_0 + (a_0 b_1 + a_1 b_0) x + \ldots + a_n b_m x^{n+m} = \sum_{i=0}^{n} \sum_{j=0}^{m} a_i b_j x^{i+j}. \qquad (2.16)$$
It is easy to verify that the collection of all polynomials over the field $F$ with polynomial addition (2.15) and multiplication (2.16) forms a commutative ring $F[x]$.
Theorem 10. (Division Algorithm) Let $a(x) = a_0 + a_1 x + \ldots + a_n x^n$ and $b(x) = b_0 + b_1 x + \ldots + b_m x^m$ be two polynomials from $F[x]$ with $b(x) \neq 0$ (so $b_m \neq 0$). Then we can find two polynomials $q(x)$ and $r(x)$ such that
$$a(x) = q(x) \, b(x) + r(x), \qquad (2.17)$$
where $q(x)$ is the quotient and $r(x)$ is the remainder, whose degree is smaller than $m$ (or $r(x) = 0$).
Proof. We apply induction on the degree $n$ of $a(x)$.
1. If $n < m$, then clearly $a(x) = 0 \cdot b(x) + a(x)$.
2. If $n \geq m$, then
$$a(x) = \tilde{a}(x) + \frac{a_n}{b_m} \, x^{n-m} \, b(x). \qquad (2.18)$$
The leading terms cancel, so the degree $k$ of $\tilde{a}(x)$ is smaller than $n$. Assume that (2.17) holds for every polynomial of degree smaller than $n$. Then
$$\tilde{a}(x) = q_1(x) \, b(x) + r_1(x)$$
with $\deg r_1(x) < m$. By putting this expression for $\tilde{a}(x)$ into Equation (2.18), we obtain
$$a(x) = \Big( q_1(x) + \frac{a_n}{b_m} \, x^{n-m} \Big) b(x) + r_1(x),$$
which is the final result (2.17). $\square$
This algorithm is an extension of the division algorithm for integers. The algorithm works for polynomials if the coefficients have multiplicative inverses: the coefficient $a_n b_m^{-1}$ in Equation (2.18) has to exist. That is why polynomial coefficients have to be from a field.
Consider the ring $\mathbb{Z}_7[x]$. The division of $a(x) = 2x^4 + x^2 + 5x + 3$ by $b(x) = 4x^2 + 3$ proceeds as follows (all coefficients are reduced modulo 7; since $4^{-1} = 2$ in $\mathbb{Z}_7$, the quotient terms are $2 \cdot 4^{-1} = 4$ and $3 \cdot 4^{-1} = 6$):

                     4x^2 + 6
           ----------------------------
4x^2 + 3 | 2x^4       + x^2  + 5x + 3
           2x^4       + 5x^2             <- 4x^2 * (4x^2 + 3) = 16x^4 + 12x^2
           ----------------------------
                        3x^2 + 5x + 3    <- x^2 - 5x^2 = -4x^2 = 3x^2
                        3x^2      + 4    <- 6 * (4x^2 + 3) = 24x^2 + 18
                        ---------------
                               5x + 6    <- 3 - 4 = -1 = 6

So finally, $2x^4 + x^2 + 5x + 3 = (4x^2 + 3)(4x^2 + 6) + (5x + 6)$.
A polynomial $a(x)$ is irreducible over a field $F$ if for all polynomials $b(x) \in F[x]$ with $0 < \deg b(x) < \deg a(x)$, the division
$$a(x) = q(x) \, b(x) + r(x)$$
leaves a remainder $r(x) \neq 0$ (with $\deg r(x) < \deg b(x)$); in other words, $a(x)$ has no nonconstant factor of smaller degree. All reducible polynomials have two or more nontrivial factor polynomials, or simply factors. Any nonzero polynomial $p(x) = p_0 + p_1 x + \ldots + p_n x^n \in F[x]$ can be represented as $p(x) = a \cdot p'(x)$ where $a = p_n \in F$ and $p'(x)$ has leading coefficient $1$. We can normalize $p(x)$ so that its leading coefficient is $1$ by dividing the polynomial by its leading coefficient; such a polynomial is called monic. In polynomial arithmetic there is also a unique factorization theorem, the counterpart of the fundamental theorem of arithmetic. It says that every nonzero polynomial over a field $F$ can be uniquely represented (up to the order of the factors) as a product of a constant (an element of the field $F$) and monic irreducible polynomials. Thus notions such as the greatest common divisor and the least common multiple can be extended to polynomials. The Euclid algorithm can be easily modified to generate the gcd of two polynomials.
Euclid algorithm: finds the greatest common divisor of two polynomials $a(x), b(x) \in F[x]$.
E1. Initialize $r_0(x) = a(x)$ and $r_1(x) = b(x)$.
E2. Compute the following sequence of equations:
$$\begin{aligned}
r_0(x) &= q_1(x) \, r_1(x) + r_2(x) \\
r_1(x) &= q_2(x) \, r_2(x) + r_3(x) \\
&\ \ \vdots \\
r_{k-3}(x) &= q_{k-2}(x) \, r_{k-2}(x) + r_{k-1}(x) \\
r_{k-2}(x) &= q_{k-1}(x) \, r_{k-1}(x) + r_k(x)
\end{aligned} \qquad (2.19)$$
until there is a step for which $r_k(x) = 0$ while $r_{k-1}(x) \neq 0$ (the degrees strictly decrease: $\deg r_i(x) > \deg r_{i+1}(x)$ for all $i = 1, \ldots, k-1$, so the sequence terminates).
E3. The greatest common divisor is equal to $r_{k-1}(x)$ (normalized to be monic if a unique representative is wanted).
Let $p(x) = p_0 + p_1 x + \ldots + p_n x^n \in F[x]$ be a polynomial. Then two polynomials $a(x), b(x) \in F[x]$ are congruent modulo $p(x)$, written
$$a(x) \equiv b(x) \pmod{p(x)},$$
if $p(x) \mid (a(x) - b(x))$. For instance, consider $\mathbb{Z}_5[x]$: $3x^3 + 2x + 4 \equiv 4x + 4 \pmod{x^2 + 1}$ as $3x^3 + 2x + 4 - (4x + 4) = 3x^3 - 2x = 3x^3 + 3x = 3x(x^2 + 1)$. Most properties discussed for congruences modulo $N$ hold for congruences modulo $p(x)$, including the Chinese Remainder Theorem.
Assume that $p(x) \in F[x]$ is an irreducible polynomial over the field $F$ with $\deg p(x) = n$. The set of residues modulo $p(x)$ is the set $F[x]/p(x)$ of all polynomials whose degree is smaller than the degree of $p(x)$. The set of residues also includes all elements of the field $F$ (the polynomials of degree $0$, together with $0$). It is easy to check that the set of residues (modulo an irreducible polynomial $p(x)$) with polynomial addition and multiplication modulo $p(x)$ is a field. The only point that needs some elaboration is the existence of multiplicative inverses. Let $a(x), b(x) \in F[x]/p(x)$. Consider that $a(x) \neq 0$ and $p(x)$ are given, and we would like to find $b(x) = a^{-1}(x)$ such that
$$a(x) \, b(x) \equiv 1 \pmod{p(x)}.$$
We apply the Euclid algorithm (2.19) with $r_0(x) = p(x)$ and $r_1(x) = a(x)$. At each step we express $r_i(x)$ as a multiple of $a(x)$ modulo $p(x)$. Therefore $r_0(x) \equiv 0$, $r_1(x) = a(x)$, $r_2(x) = r_0(x) - q_1(x) \, a(x) \equiv -q_1(x) \, a(x) = m_1(x) \, a(x)$, $r_3(x) = r_1(x) - q_2(x) \, r_2(x) \equiv (1 + q_1(x) q_2(x)) \, a(x) = m_2(x) \, a(x)$, and so on. Since $p(x)$ is irreducible and $0 < \deg a(x) < \deg p(x)$ (or $a(x)$ is a nonzero constant), $\gcd(a(x), p(x))$ is a nonzero constant, so the last nonzero remainder is a constant $c \in F$. This leads us to a version of the Euclid algorithm that computes inverse elements.
Euclid algorithm: finds the inverse of $a(x)$ modulo $p(x)$ ($p(x)$ irreducible).
E1. Initialize $r_0(x) = p(x)$ and $r_1(x) = a(x)$; correspondingly $m_{-1}(x) = 0$ and $m_0(x) = 1$.
E2. Compute the following sequence of equations, keeping track of the multipliers $m_i(x) \in F[x]$ with $r_{i+1}(x) \equiv m_i(x) \, a(x) \pmod{p(x)}$:
$$\begin{aligned}
r_0(x) &= q_1(x) \, r_1(x) + r_2(x) &&\Rightarrow\ r_2(x) \equiv -q_1(x) \, a(x) = m_1(x) \, a(x) \pmod{p(x)} \\
r_1(x) &= q_2(x) \, r_2(x) + r_3(x) &&\Rightarrow\ r_3(x) = r_1(x) - q_2(x) \, r_2(x) \equiv m_2(x) \, a(x) \\
&\ \ \vdots \\
r_{k-3}(x) &= q_{k-2}(x) \, r_{k-2}(x) + r_{k-1}(x) &&\Rightarrow\ r_{k-1}(x) = r_{k-3}(x) - q_{k-2}(x) \, r_{k-2}(x) \equiv m_{k-2}(x) \, a(x) \\
r_{k-2}(x) &= q_{k-1}(x) \, r_{k-1}(x) + r_k(x)
\end{aligned} \qquad (2.20)$$
where in general $m_i(x) = m_{i-2}(x) - q_i(x) \, m_{i-1}(x)$, so $m_{k-2}(x) = m_{k-4}(x) - q_{k-2}(x) \, m_{k-3}(x)$, until there is a step for which $r_k(x) = 0$ while $r_{k-1}(x) = c \in F$, $c \neq 0$ ($\deg r_i(x) > \deg r_{i+1}(x)$ for $i = 1, \ldots, k-1$).
E3. The inverse is equal to $c^{-1} \, m_{k-2}(x) = c^{-1} \big( m_{k-4}(x) - q_{k-2}(x) \, m_{k-3}(x) \big)$, reduced modulo $p(x)$.
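The division algorithm (Theorem 10), the Euclid gcd (2.19) and the extended Euclid inverse (2.20) above, carried out over $\mathbb{Z}_p$ with polynomials stored as coefficient lists. This is an added example written for this edition, not code from the book; the function names (`divmod_poly`, `gcd_poly`, `inverse_mod`, `is_irreducible`) are our own, and the brute-force irreducibility test is only meant for small $p$ and small degree. The sample inputs reproduce the worked division in $\mathbb{Z}_7[x]$ and the congruence in $\mathbb{Z}_5[x]$ from the text; the inverse routine also handles the failure case the text does not show, where $a(x)$ and the modulus share a factor.

```python
"""Polynomial arithmetic over Z_p with polynomials as coefficient lists.

Added example, not code from the book. The polynomial a0 + a1 x + ... + an x^n
is the list [a0, a1, ..., an]; the zero polynomial is [].
"""
from itertools import product


def trim(a):
    """Drop leading zero coefficients so every polynomial has one form."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a


def deg(a):
    """Degree; -1 for the zero polynomial."""
    return len(trim(a)) - 1


def add(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x + y) % p for x, y in zip(a, b)])


def sub(a, b, p):
    return add(a, [(-y) % p for y in b], p)


def mul(a, b, p):
    """Convolution of coefficients, eq. (2.16), reduced mod p."""
    if not trim(a) or not trim(b):
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)


def divmod_poly(a, b, p):
    """a = q*b + r with deg r < deg b (Theorem 10). Each round subtracts
    (lead(r)/lead(b)) * x^(deg r - deg b) * b, which is step (2.18); it
    needs lead(b) to be invertible, guaranteed when p is prime."""
    a, b = trim(a), trim(b)
    if not b:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(b[-1], -1, p)
    q, r = [0] * max(len(a) - len(b) + 1, 1), a
    while r and len(r) >= len(b):
        shift = len(r) - len(b)
        coef = (r[-1] * inv_lead) % p
        q[shift] = coef
        r = sub(r, mul([0] * shift + [coef], b, p), p)
    return trim(q), r


def gcd_poly(a, b, p):
    """Euclid's algorithm (2.19); the result is normalised to be monic."""
    r0, r1 = trim(a), trim(b)
    while r1:
        r0, r1 = r1, divmod_poly(r0, r1, p)[1]
    return mul(r0, [pow(r0[-1], -1, p)], p) if r0 else []


def inverse_mod(a, m, p):
    """Extended Euclid (2.20): b with a*b = 1 (mod m), or None when gcd(a, m)
    is not a constant (then a has no inverse). Alongside each remainder r_i
    we keep the multiplier with r_i = m_i * a (mod m): r_0 = m = 0*a,
    r_1 = a = 1*a, and r_{i+1} = r_{i-1} - q_i * r_i."""
    r0, r1 = trim(m), divmod_poly(a, m, p)[1]
    m0, m1 = [], [1]
    while r1:
        q, r2 = divmod_poly(r0, r1, p)
        r0, r1 = r1, r2
        m0, m1 = m1, sub(m0, mul(q, m1, p), p)
    if deg(r0) != 0:               # last nonzero remainder is not a constant c
        return None
    c_inv = pow(r0[0], -1, p)
    return divmod_poly(mul(m0, [c_inv], p), m, p)[1]


def is_irreducible(a, p):
    """Trial division by every monic polynomial of degree 1..deg(a)//2.
    Fine for small p and degree only; a real test would use Rabin's or
    Ben-Or's algorithm."""
    a = trim(a)
    n = deg(a)
    if n < 1:
        return False
    for d in range(1, n // 2 + 1):
        for low in product(range(p), repeat=d):
            if not divmod_poly(a, list(low) + [1], p)[1]:
                return False
    return True


if __name__ == "__main__":
    # The book's division in Z_7[x]: (2x^4 + x^2 + 5x + 3) / (4x^2 + 3)
    print(divmod_poly([3, 5, 1, 0, 2], [3, 0, 4], 7))   # ([6, 0, 4], [6, 5])
    # x^2 + 1 is reducible over Z_5 (x = 2 is a root) but irreducible over Z_3
    print(is_irreducible([1, 0, 1], 5), is_irreducible([1, 0, 1], 3))
    # inverse of x modulo x^2 + 1 in Z_5[x] is 4x; x + 2 shares a factor: None
    print(inverse_mod([0, 1], [1, 0, 1], 5), inverse_mod([2, 1], [1, 0, 1], 5))
```

The reducible modulus $x^2 + 1$ over $\mathbb{Z}_5$ is deliberate: it shows that the extended Euclid routine still inverts elements coprime to the modulus (here $x$), and returns nothing for elements that are not (here $x + 2$, a factor of $x^2 + 1$), which is exactly the situation the irreducibility requirement on $p(x)$ rules out when one wants a field.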
The field defined over the set of residues $F[x]/p(x)$ with addition and multiplication modulo $p(x)$, where $p(x)$ is irreducible, is called a Galois field. If the field $F$ is $\mathbb{Z}_N$ ($N$ prime), then the corresponding Galois field $\mathbb{Z}_N[x]/p(x)$ is denoted $GF(N^n)$ ($n = \deg p(x)$). Note that $GF(N)$ is the field of coefficients with addition and multiplication modulo $N$.
2.2.3 Computing in Galois Fields
Many cryptographic designs extensively use binary Galois fields $GF(2^n)$. Consider an example that shows how computations can be done in $GF(2^3)$ with the irreducible polynomial $p(x) = x^3 + x + 1 \in \mathbb{Z}_2[x]$ (in binary Galois fields all nonzero polynomials are monic, since the only nonzero coefficient is $1$).
The Galois field $GF(2^3)$ has the following elements: $0$, $1$, $x$, $x + 1$, $x^2$, $x^2 + 1$, $x^2 + x$, $x^2 + x + 1$. Zero is equivalent to any multiple of $p(x) = x^3 + x + 1$, so $x^3 + x + 1 \equiv 0$, which (as $-1 = 1$ in $\mathbb{Z}_2$) is equivalent to $x^3 = x + 1$. This equation can be used to reduce any polynomial of degree higher than or equal to $3$ to a polynomial of degree at most $2$. For instance, $(x^2 + 1)^2$ is equal to $x^4 + 1$ (the cross term $2x^2$ vanishes in $\mathbb{Z}_2$), and using the fact that $x^3 = x + 1$ we have
$$x^4 + 1 = x \cdot x^3 + 1 = x(x + 1) + 1 = x^2 + x + 1.$$
To do computations in the field, it suffices to build up two tables, one for addition and the other for multiplication (Table 2.2).
All nonzero elements of $GF(2^n)$ under multiplication modulo $p(x)$ ($p(x)$ an irreducible polynomial of degree $n$) constitute a cyclic group with $2^n - 1$ elements. The Euler totient function can also be extended to polynomials, and for an irreducible $p(x)$ of degree $n$ over $\mathbb{Z}_2$, $\varphi(p(x)) = 2^n - 1$. There is a polynomial version of Fermat's theorem which states that
$$\forall a \in GF(2^n),\ a \neq 0: \qquad a^{\varphi(p(x))} \equiv 1 \pmod{p(x)}.$$
Thus exponentiation can be used to find multiplicative inverses in $GF(2^n)$ as
$$\forall a \in GF(2^n),\ a \neq 0: \qquad a^{-1} \equiv a^{\varphi(p(x)) - 1} = a^{2^n - 2} \pmod{p(x)}.$$

Table 2.2. The addition and multiplication tables for $GF(2^3)$ with $p(x) = x^3 + x + 1$. Elements are written as 3-bit strings $c_2 c_1 c_0$ for $c_2 x^2 + c_1 x + c_0$: $001 = 1$, $010 = x$, $011 = x + 1$, $100 = x^2$, $101 = x^2 + 1$, $110 = x^2 + x$, $111 = x^2 + x + 1$.

Addition (bitwise XOR):

  +   | 000 001 010 011 100 101 110 111
------+--------------------------------
 000  | 000 001 010 011 100 101 110 111
 001  | 001 000 011 010 101 100 111 110
 010  | 010 011 000 001 110 111 100 101
 011  | 011 010 001 000 111 110 101 100
 100  | 100 101 110 111 000 001 010 011
 101  | 101 100 111 110 001 000 011 010
 110  | 110 111 100 101 010 011 000 001
 111  | 111 110 101 100 011 010 001 000

Multiplication modulo $x^3 + x + 1$ (nonzero elements; multiplying by $000$ gives $000$):

  *   | 001 010 011 100 101 110 111
------+----------------------------
 001  | 001 010 011 100 101 110 111
 010  | 010 100 110 011 001 111 101
 011  | 011 110 101 111 100 001 010
 100  | 100 011 111 110 010 101 001
 101  | 101 001 100 010 111 011 110
 110  | 110 111 001 101 011 010 100
 111  | 111 101 010 001 110 100 011

Each row of the multiplication table contains $001$ exactly once, which locates the inverse of the row element: for instance $x \cdot (x^2 + 1) = 001$, so $x^{-1} = x^2 + 1$.
Any nonzero element of $GF(2^n)$ generates a cyclic group whose order $j$ divides $2^n - 1$, or in other words $j \mid (2^n - 1)$. If for some reason one would like all nonzero elements (different from $1$) to generate the whole cyclic group, then it is enough to select a field for which $2^n - 1$ is a Mersenne prime: the only divisors of a prime group order are $1$ and the order itself, so every element other than $1$ has maximal order.
$GF(2^3)$ has totient function $\varphi(x^3 + x + 1) = 7$, and seven is a Mersenne prime. Therefore there should be no surprise to learn that any nonzero element (different from $1$) in $GF(2^3)$ generates the whole set of nonzero elements of the field. Let $(x + 1)$ be the tested element. We have the following sequence of powers: $(x + 1)^2 = x^2 + 1$, $(x + 1)^3 = x^2$, $(x + 1)^4 = x^2 + x + 1$, $(x + 1)^5 = x$, $(x + 1)^6 = x^2 + x$, $(x + 1)^7 = 1$.
Computations in $GF(2^n)$ are often desirable for the following reasons:
1. Algorithms for computation in $GF(2^n)$ are usually more efficient than their counterparts in $GF(N)$. There is also the other side of the coin: cryptographic designs based on integer arithmetic in $GF(N)$ are usually more secure than their equivalents based on polynomial arithmetic in $GF(2^n)$ when both fields have similar sizes, because index-calculus style attacks on the discrete logarithm problem are more effective in small-characteristic fields, so $GF(2^n)$ needs a larger $n$ for the same security margin.
2. Polynomial arithmetic in $GF(2^n)$ is more efficient as nothing is carried and there is no need to divide by the modulus in order to perform addition or subtraction. For example, the C language offers the bit-by-bit Exclusive-Or (XOR) operation, which provides a very fast implementation of addition in $GF(2^n)$.
3. The cost of the hardware depends on the choice of modulus. For instance, we can use trinomials $p(x) = x^k + x + 1$ as the modulus to speed up multiplication, as the bit string involved in the reduction contains mostly zeros. A trinomial must still be irreducible to define a field: over $\mathbb{Z}_2$, $x^k + x + 1$ is irreducible for $k = 2, 3, 4, 6, 7$, for example, but not for $k = 5$ or $k = 8$, where it factors.
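An added example (not the book's code) of $GF(2^n)$ arithmetic on bit vectors, covering the shift-and-XOR implementation the list above describes, the inverse-by-exponentiation formula $a^{-1} = a^{2^n - 2}$, and the generator check from the $(x + 1)$ computation. It goes beyond the $GF(2^3)$ case in the text: the modulus is a parameter (a trinomial here, as in item 3), and the last check uses $GF(2^4)$ with $x^4 + x + 1$, where $2^4 - 1 = 15$ is not prime, to show a nonzero element that does not generate the whole group. Function names are ours; the modulus is assumed to be irreducible and is not checked.

```python
"""Arithmetic in GF(2^n) on bit vectors (added example, not the book's code).

A polynomial over Z_2 is an int whose bit i is the coefficient of x^i, so
x^2 + x + 1 is 0b111 and the modulus x^3 + x + 1 is 0b1011. Addition is XOR
(no carries, no reduction) and multiplication is shift-and-XOR, reducing by
the modulus whenever the degree reaches n. The modulus is assumed to be
irreducible; nothing here checks that.
"""


def gf_add(a, b):
    return a ^ b


def gf_mul(a, b, mod):
    """a * b modulo `mod`, an irreducible polynomial of degree n."""
    n = mod.bit_length() - 1
    result = 0
    while b:
        if b & 1:                 # add a * x^i for each set bit i of b
            result ^= a
        b >>= 1
        a <<= 1                   # a := a * x
        if a >> n:                # degree n reached: replace x^n by mod's low bits
            a ^= mod
    return result


def gf_pow(a, e, mod):
    """Square-and-multiply exponentiation."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, mod)
        a = gf_mul(a, a, mod)
        e >>= 1
    return result


def gf_inv(a, mod):
    """Inverse via Fermat: a^(2^n - 2) = a^(-1) for a != 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    n = mod.bit_length() - 1
    return gf_pow(a, (1 << n) - 2, mod)


def order(a, mod):
    """Multiplicative order: least j > 0 with a^j = 1. Divides 2^n - 1."""
    if a == 0:
        raise ValueError("0 has no multiplicative order")
    j, x = 1, a
    while x != 1:
        x = gf_mul(x, a, mod)
        j += 1
    return j


def is_generator(a, mod):
    """True when a generates the whole group of 2^n - 1 nonzero elements."""
    n = mod.bit_length() - 1
    return a not in (0, 1) and order(a, mod) == (1 << n) - 1


def powers(a, mod):
    """a, a^2, a^3, ... up to the first power equal to 1."""
    out, x = [], a
    while True:
        out.append(x)
        if x == 1:
            return out
        x = gf_mul(x, a, mod)


def mul_table(mod):
    """Full multiplication table, indexed by the bit-vector values."""
    size = 1 << (mod.bit_length() - 1)
    return [[gf_mul(a, b, mod) for b in range(size)] for a in range(size)]


if __name__ == "__main__":
    P3 = 0b1011     # x^3 + x + 1, the book's GF(2^3) modulus; 2^3 - 1 = 7 is prime
    P4 = 0b10011    # x^4 + x + 1, GF(2^4); 2^4 - 1 = 15 is not prime
    print([format(v, "03b") for v in powers(0b011, P3)])   # the (x+1)^k sequence
    print(format(gf_inv(0b010, P3), "03b"))                 # x^-1 = x^2 + 1
    print(order(0b110, P4), is_generator(0b110, P4))        # 3, False
```

In $GF(2^4)$ the element $x^2 + x$ ($= x^5$) has order $3$, a proper divisor of $15$, so the Mersenne-prime condition in the text is what makes every non-identity element of $GF(2^3)$ a generator, not a general property of binary fields.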
2.3 Complexity of Computing
Evaluating the security of cryptographic designs is in general a difficult business. It is not unusual to find that a security evaluation rests on a statement such as "as the design is based on a well-known intractable problem, a successful attack would be equivalent to exhibiting an algorithm that solves all instances of the problem in polynomial time." Cryptanalysis is the part of cryptology whose ultimate goal is to demonstrate the existence of a polynomial-time algorithm that computes some of the secret elements of the design. In this section we present the basic results of Complexity Theory and discuss their applicability in cryptography and cryptanalysis.
2.3.1 Asymptotic Behavior of Functions
Assume that there are two algorithms that can be applied to solve a numerical task. To select the better algorithm we need to know how the efficiency of algorithms can be measured. One measure is the so-called time complexity function. It describes how many steps (time intervals) are necessary before the algorithm generates the result for an instance of length $n$. Time complexity functions are usually compared using their asymptotic behavior.
Let $f(n)$ and $g(n)$ be two functions whose rates of growth are to be compared. The following notations are commonly used.
- "Little o" notation: the function $f(n)$ is little oh of $g(n)$ when the quotient of $f(n)$ by $g(n)$ converges to zero, or
$$f(n) = o(g(n)) \quad \text{if} \quad \lim_{n \to \infty} \frac{f(n)}{g(n)} = 0. \qquad (2.21)$$
For instance, $3n^3 = o(7n^4)$ and $2 = o(n)$.
- "Big O" notation: the function $f(n)$ is big oh of $g(n)$, or
$$f(n) = O(g(n)), \qquad (2.22)$$
if there is a constant $C \in \mathbb{R}$ such that $\limsup_{n \to \infty} \left| \frac{f(n)}{g(n)} \right| < C$ (the limit superior is used because the quotient need not converge). For instance, $3n^7 + n^3 = O(n^7)$.
- $\Omega$ notation: the function $f(n) = \Omega(g(n))$ if and only if $g(n) = O(f(n))$. For instance, $3x^4 = \Omega(x^4)$, but also $x^5 = \Omega(x^4)$, $x^6 = \Omega(x^4)$ and $x^7 = \Omega(x^4)$.
- $\Theta$ notation: the function $f(n)$ is theta of $g(n)$ if there is a pair of positive constants $c_1, c_2$ such that
$$c_1 \, g(n) < f(n) < c_2 \, g(n)$$
for all big enough $n$. For example, $3x^8 + x^5 + 1 = \Theta(x^8)$.
- $\sim$ notation: the function $f(n)$ is asymptotically equal to $g(n)$, or $f(n) \sim g(n)$, if
$$\lim_{n \to \infty} \frac{f(n)}{g(n)} = 1.$$
For instance, $4x^2 + 3 \sim 4x^2 + 3x + 3$.
Consider the problem of multiplying two $n \times n$ matrices. As the resulting product matrix contains $n^2$ elements and each element involves $n$ multiplications, we can say that we can multiply two matrices in time $O(n^3)$. Strassen showed that it is possible to multiply matrices more quickly, in time $O(n^{2.81})$. On the other hand, we cannot multiply matrices faster than $n^2$, as the $2n^2$ entries of the matrices have to be read from the input. So multiplication of two matrices takes time $\Omega(n^2)$; in other words, any algorithm for matrix multiplication has to take at least on the order of $n^2$ steps. More details about the asymptotic notations together with an extensive discussion can be found in the book by Brassard and Bratley [60].
2.3.2 Hierarchy of Functions
Consider two algorithms. The first runs in time given by the polynomial $f_1(n) = n^a$, where $n$ is the input length and $a$ is a fixed positive integer. The second has time complexity function $f_2(n) = 2^n$. Consider the following question: is there an integer $N \in \mathbb{N}$ such that
$$\forall n \geq N: \qquad n^a \leq 2^n \ ?$$
To answer the question, take the equality $n^a = 2^n$. Taking logarithms to base $2$, the equality can be rewritten as
$$a = \frac{n}{\log_2 n}.$$
The function $n / \log_2 n$ grows to infinity as $n \to \infty$, so for any fixed $a$ there is an integer $N$ such that for all $n > N$, $n^a < 2^n$.
So even for large exponents $a$, the rate of growth of polynomials is negligible compared to the rate of growth of exponential functions. For instance, assume we have two algorithms. The first runs in polynomial time $f_1(n) = n^{1000}$, the second in exponential time $f_2(n) = 2^{0.001 n}$. Of course, the second algorithm is much more efficient than the first for small $n$. But for $n > 2^{25}$ the situation changes and the polynomial-time algorithm is more efficient: at $n = 2^{25}$ it requires $2^{25000}$ steps while the exponential one needs about $2^{33554}$ steps (the two curves cross where $n = 10^6 \log_2 n$, i.e. between $n = 2^{24}$ and $n = 2^{25}$). This example is unrealistic but illustrates what we mean by the asymptotic behavior of functions.
In general, we can introduce a hierarchy of functions depending on their rates of growth [530].
1. Logarithmic functions: slowly growing functions. A typical representative of the class is $f(n) = \log_2 n$.
2. Polynomial functions: functions of the form $f(n) = n^a$ where $a$ is a constant ($a \in \mathbb{N}$).
3. Subexponential functions: functions from the following set
$$\{ f(n) \mid f(n) = \Omega(n^a) \text{ for all } a \in \mathbb{N} \ \text{ and } \ f(n) = o((1 + \varepsilon)^n) \text{ for all } \varepsilon \in \mathbb{R},\ \varepsilon > 0 \}.$$
A function $f(n) = 2^{p(\log n)}$, where $p(x)$ is a polynomial of degree at least $2$, is a typical example of a member of this class (for $p$ of degree $1$ the function is merely polynomial).
4. Exponential functions: a function $f(n)$ is exponential if there is a constant $a \in \mathbb{N}$, $a > 1$, such that $f(n) = \Omega(a^n)$ and there is another constant $b \in \mathbb{N}$ such that $f(n) = O(b^n)$. The function $f(n) = 2^n$ is a typical representative of this class.
5. Super-exponential functions: all functions whose rate of growth is higher than for the previous classes, i.e. $f(n)$ is super-exponential if every exponential function $g(n)$ satisfies $g(n) = o(f(n))$. Examples of such functions include $n!$ and $2^{n^2}$.