Lecture 014

Alice and Bob: read their histroy

Ada's Lecture

Cryptography Application

sharing secret key via public communication
online voting system
digital signature
computation on encrypted data
zero-knowledge proof

$\mathbb{Z}_N = \{0, 1, ..., N - 1\}$ is a good universe for addition / subtraction $\mathbb{Z}_N^* = \{A \in \mathbb{Z}_N | \text{gcd}(A, N) = 1\}$ is a good universe for multiplication / division

$\mathbb{Z}_N^*$ is closed under multiplication
Multiplication table permutation property: every row and column is a permutation of the elements $\mathbb{Z}_N^*$
$\varphi(N) = |\mathbb{Z}_N^*|$
when $N$ is prime $P$ , then $\varphi(P) = P - 1$
when $P, Q$ distinct primes, then $\varphi(QP) = (P - 1)(Q - 1)$
there always exists a generator in $\mathbb{Z}_P^*$ where $P$ is a prime
Euler's Theorem: in a universe $\mathbb{Z}_N^*$ , all number in $\mathbb{Z}_N^*$ with power equal to $\varphi(N)$ is 1 ( $(\forall A \in \mathbb{Z}_N^*)(A^{\varphi(N)} = 1)$ ) and repeat a circle.
- Exponent lives in $\mathbb{Z}_{\varphi(N)}$ because: we want exponent to have multiplicative inverse and result of exponentiation repeats after $\varphi(N)$

$\text{isPrime}$ :

$O(n^6)$ time, deterministic, result from 2002
$O(n^2)$ time, Monte Carlo, result from 1975, Miller-Rabin

$\text{randomPrime}$ :

Prime Number Theorem: about $\frac{1}{n}$ fraction of n-bit numbers are prime.
Assuming $\text{isPrime} \in O(n^2)$ , then $\text{randomPrime} \in O(n^3)$
No known deterministic method to solve this problem

Private-Key Cryptography

Sender:

$M$ : PICK original message
$K_A$ : PICK encryption key

Public:

$C$ : encrypted message
$Enc$ : encryption algorithm
$Dec$ : decryption algorithm

Receiver:

$K_B$ : OBTAIN decryption key
$M$ : CALCULATE decrypted message

Variations:

number shifting: only 24 possible keys
number mapping: frequency analysis
Enigma: turing machine

One-time pad:

Encryption: $C = M \oplus K$ (bitwise or with one-time padding for every bit)
Encryption: $M = C \oplus K$ ( $C \oplus K = (M \oplus K) \oplus K = M \oplus (K \oplus K) = M$ )
perfectly secure: $(\forall M)(K \text{ uniformly random} \implies C \text{ uniformly random})$ (Shannon's Thorem: $|K| < |M| \implies \text{ adversary can learn some information about } M \text{ given unlimited computational power}$ )
padding length: has to be size of message
one-time: given $\begin{cases} C_1 = M_1 \oplus K\\ C_2 = M_2 \oplus K\\ \end{cases}$ , then $C_1 \oplus C_2 = M_1 \oplus M_2$ reveals some information

Secret Key Sharing

Sender:

$P$ : PICK modular universe (must be prime)
$G$ : PICK for base (must be generator)
$R_1$ : PICK exponent
$G^{R_1R_2}$ : CALCULATE secret key

Public:

$P$ : modular universe
$G$ : generator for base
$G^{R_1}$ : half key 1
$G^{R_2}$ : half key 2

Receiver:

$R_2$ : PICK exponent
$G^{R_1R_2}$ : CALCULATE secret key

Process:

Sender pick a public prime universe $N = P$
Sender pick a public generator for base $B = G \in \mathbb{Z}_P^*$ (every $\mathbb{Z}_P^*$ has a generator $G$ ) to ensure the exponentiated space is the whole universe
Sender send above information to Receiver
Sender pick a secret exponent $R_1 \in \mathbb{Z}_{\varphi(P)}^*$
Sender send $G^{R_1}$
Receiver pick a secret exponent $R_2 \in \mathbb{Z}_{\varphi(P)}^*$
Receiver send $G^{R_2}$
Both compute $G^{R_1R_2}$ and let it be secret.

Breaking Encryption: solving distinct log problem (obtaining $R_1$ from $G^{R_1}$ and $R_2$ from $G^{R_2}$ ) - proving is as hard as deciding $P \text{ v.s. } NP$

DH Assumption: Hard to compute $G^{R_1R_2}$ form $P, G, G^{R_1}, G^{R_2}$
Decisional DF Assumption: You learn no info about $G^{R_1R_2}$ - so universe need to be picked carefully

Public-Key Cryptography (RSA)

Sender:

$M$ : PICK message (must be $M \in \mathbb{Z}_{N}^*$ )

Public:

$N$ (public key): universe (must be $N = PQ$ )
$E$ (public key): exponent (must be $E \in \mathbb{Z}_{\varphi(N)}$ to have inverse)
$C$ : encrypted message

Receiver:

$P, Q$ : PICK two distinct prime for universe (must be distinct primes, otherwise $\varphi(N)$ can be discover and $E^{-1}$ can be calculated. If not distinct, calculate square root $P = \sqrt{N}$ can be efficiently done)
$N = PQ$ : CALCULATE universe (must be $N = PQ$ )
$\varphi(N) = (P - 1)(Q - 1)$ : CALCULATE exponent universe
$E$ : PICK exponent (must be $E \in \mathbb{Z}_{\varphi(N)}$ to have inverse)
$E^{-1}$ (private key): CALCULATE exponent inverse with Extended Euclid Algorithm with $\varphi(N)$ (remember to make the result positive)

Process:

Receiver pick universe $N = PQ$ (must be composit)
Receiver compute $\varphi(N) = (P - 1)(Q - 1)$
Receiver pick exponent $E \in \mathbb{Z}_{\varphi(N)}$
Receiver calculate inverse $E^{-1} = \text{Euclid}(E, \varphi(N))$
Receiver publish $N, E$
Sender encrypt $C = M^E \mod N$ and send to receiver
Receiver calculate $M = CE^{-1}$

Breaking Encryption: solving distinct root problem

to compute $M$ from $M^E \mod N$
to compute $\varphi(N)$ from $N$
to factor $P, Q$ from $N$ to obtain $\varphi(N) = (P - 1)(Q - 1)$
to pick $M \notin \mathbb{Z}_N^*$ (there are only $PQ - (P - 1)(Q - 1) = PQ - (PQ - P - Q + 1) = P + Q - 1$ many such $M$ in the pool of $PQ$ possible space) and do Euclid's algorithm on $M, N$ to reveal $P, Q$ .

Modular Arithmetic

Complexity in Continuous Space:

Addition: grade school
Subtraction: grade school
Multiplication: grade school
Division: grade school (output remainder)
Exponentiation: exponential time, cannot write it down
Logarithm:
- linear search: polynomial time
Root:
- linear search: exponential time
- binary search: polynomial time

Modular Complexity: finite set $\mathbb{Z}_N = \{0, 1, 2, ..., N - 1\}$

Addition (polynomial time): $A +_N B = (A + B) \mod N$
- $(A + B) \mod N = (A \mod N) +_N (B \mod N)$
Subtraction (polynomial time): $B +_N -B = 0$ (additive inverse)
Multiplication (polynomial time): $A \cdot_N B = (A \cdot B) \mod N$
- $(A \cdot B) \mod N = (A \mod N) \cdot_N (B \mod N)$
- property: every row is distinct permutation
Division (polynomial time Euler's Algorithm): $B \cdot_N B^{-1} = 1$ (multiplicative inverse)
- $0^{-1}$ is undefined
- $(\exists A^{-1} \in \mathbb{Z}_N) \iff \text{gcd}(A, N) = 1$
- define $\mathbb{Z}^*_N = \{A \in \mathbb{Z}_N | \text{gcd}(A, N) = 1\} \subseteq \mathbb{Z}_N$ ( $\varphi(N) = |\mathbb{Z}^*_N|$ )
- For $P$ is a prime number, $\varphi(P) = P - 1$ (by removing row/col containing $a, b$ such that $ab = 0$ )
- Connection between $\mathbb{Z}_N$ and $\mathbb{Z}^*_N$
- For $P, Q$ distinct prime, $\varphi(PQ) = (P - 1)(Q - 1)$
- property: every row of $\mathbb{Z}^*_N$ is distinct permutation
Exponentiation(polynomial time):
- Generator
- Euler's Theorem: for any $A \in \mathbb{Z}_{N'}^*, A^{\varphi(N)} = 1$
  Euler's Theorem
  - proof: $k = \varphi(m)$ product each row of $A$ can be written as $(AB_1)(AB_2)...(AB_k) = A^k(B_1B_2...B_k)$ or $(B_1B_2...B_k)$ since every row is permutation of $Z_m^*$
- When exponentiating in $\mathbb{Z_N^*}$ , $a^b \mod k \equiv (a \mod k)^{(b \mod \varphi(k))}$
Root(no poly time known)
Log(no poly time known)

Modular Division Algorithm:

Check existence of $B^{-1}$ (checking $\text{gcd}(B, N) = 1$ ): Euclid's Algorithm
Compute $B^{-1}$ : Extension of Euclid's Algorithm
miix: integral linear combination where constants are integers $\text{gcd}(A, B) = kA + lB$ ( $\text{gcd}(A, B)$ is a mix of $A$ and $B$ )
if we find $1 = kB + lN$ , $B^{-1} = k$ by $lN \equiv 0 \mod N$

Modular Exponentiation Algorithm: repeatedly square and mode Modular Log Algorithm: no known poly-time algorithm Modular Root Algorithm: no known poly-time algorithm

Sutner's Lecture

Modular Arithmetic

Modular Numbers

Euclidean Algorithm ( $O(k^2)$ for mods and remainders, $O(k^3)$ worst when inputs are two consecutive Fibonacci numbers): $gcd(x, y) = gcd(y, x \mod y)$

There are better GCD algorithms (Lehmer's Algorithm) that has roughly $O(n \log n)$ complexity. See: stackoverflow

Extended Euclidean Algorithm: $gcd(a, b) = x \cdot a + y \cdot b$

Diophantine Equation: $a \cdot x + b \cdot y = c$ for solution of variable $x, y$ . Such solution is not unique, when $(x_0, y_0)$ is a solution $(x_0 + tb/d, y_0 - ta/d)$ is also a solution

Lattice: $\langle{\mathbb{N}}, |\rangle$ - a partial order where any two elements have a join (supremum: least common multiple) and a meet (infimum: greatest common divisor)

Modular Arithmetic

Theorem: Given polynomial $p(x) = ax^3 + bx^2 + cx + d$ , if $p(0), p(1)$ odd, then $(\forall x \in \mathbb{R}(p(x) \neq 0))$

Proof: $x \mod 2 = k \implies x^n \mod 2 = k$ for $n \geq 1$ . We have either $p(x) = a \times even + b \times even + c \times even + odd = odd$ or $p(x) = a \times odd + b \times odd + c \times odd + odd = odd$

Arithmetic of remainders

$(x + y) \mod m = ((x \mod m) + (y \mod m)) \mod m$
$(xy) \mod m = ((x \mod m) \cdot (y \mod m)) \mod m$

We define arithmetic on equivalence classes of space $\mathbb{Z}_m$ :

$[x]_{\mathbb{Z}_m} +_{\mathbb{Z}_m} [y]_{\mathbb{Z}_m} = [x+y]_{\mathbb{Z}_m}$
$[x]_{\mathbb{Z}_m} \cdot_{\mathbb{Z}_m} [y]_{\mathbb{Z}_m} = [x \cdot y]_{\mathbb{Z}_m}$
Notation of $_{\mathbb{Z}_m}$ is a lot, therefore we think $\mathbb{Z}_m = \{0, 1, ..., m-1\} \subseteq \mathbb{Z}$

It is hard to solve even quadratic modular equations.

simplifies: $ab \equiv ac (\mod m) \implies b \equiv c (\mod (m/gcd(a, m)))$ (we can drop $a$ when $a, m$ are coprime)
Inhomogeneous Equation 1: $ax \equiv 1 (\mod m)$ has a solution iff $a, m$ are coprime. The solution is unique in modulo $m$ if exists.
Inhomogeneous Equation 2: $ax \equiv c (\mod m)$ has a solution iff $gcd(a, m) | c$ . Also, the number of solutions is $gcd(a, m)$
also when $p$ is prime, $\mathbb{Z}_p^* = \{1, 2, ..., p - 1\}$ , then we can solve all $ax = b (\mod p)$ when $a \not\equiv 0 (\mod p)$
- Wilson's Theorem: $p$ is prime iff $(p - 1)! \equiv -1 (\mod p)$ (proof:
  Wilson's Theorem Proof
  
  )
- Fermat's Little Theorem: if $p$ is prime and coprime to $a$ , then $a^{p - 1} \equiv 1 (\mod p)$ (proof:
  Fermat's Little Theorem Proof
  
  )
- Fermat's Theorem Interpretation 1: power $p-1$ of any number $n$ such that $n \not\| p-1$ is in $1 \mod p$
- Fermat's Theorem Interpretation 2: power $p$ of any number $n$ is in $n \mod p$
- Fermat's Theorem Application: reduce exponent space to $\mathbb{Z}_{\varphi(P)}$

Multiplicative Inverse

multiplicative inverse: $x$ in $ax = 1 (\mod m)$ is multiplicative inverse of $a$ . ( $x = a^{-1}$ ) !Multiplicative Inverse Chart](imgs/2021-11-18-22-48-39.png)
$\mathbb{Z}_m^* = \{a \in \mathbb{Z}_m | gcd(a, m) = 1\}$ is multiplicative subgroup of $Z_m$
- When $p$ is prime: $\mathbb{Z}_p^* = \{1, 2, ..., p-1\}$ , therefore, we can always solve $ax \equiv b (\mod p)$ for $x$ when $a \neq 0$ .
Euler's Totient Function: cardinality of $Z_m^*$ is $\varphi(m)$
Potential value of cardinality
- Decomposition: for $p$ prime, $\varphi(p) = p - 1$ , $\varphi(p^k) = (p - 1)p^{k-1}$
- Multiplicative: for $m, n$ coprime, $\varphi(mn) = \varphi(m) \varphi(n)$ (we can compute $\varphi(n)$ if we know the prime factorization of $n$ )
- combining two lemma for $n = p_1^{e_1}p_2^{e_2}...p_k^{e_k}$ , we get $\varphi(n) = (p_1 - 1)p_1^{e_1 - 1}(p_2 - 1)p_2^{e_2 - 1}...(p_k - 1)p_k^{e_k - 1}$

Orbit (Power) of Modulo: $\langle{a}\rangle = \{a^k | k \geq 0\}$

multiplicative order: in prime modulo orbit, $a^k \equiv 1$ such that $k < m - 1$ , then $k | m - 1$ . The least value of $k$ such that $k > 0$ is called "multiplicative order" of $a$ .
multiplicative generator: for prime modulo, there exists $a$ in orbit such that $\langle{a}\rangle = \mathbb{Z}_m^*$

Orbits for m = 25, a > 1, element 1 colored black

Chinese Remainder

Solving System of Equation $a_1 x \equiv b_i (\mod m_i)$

since we need $gcd(a_i, m_i) | b_i$ , we can reduce equation to $a_i'x \equiv b_i' (\mod m_i')$ where $a_i', m_i'$ are coprime. This is equivalent to $x \equiv c_i (\mod m_i')$ for some $c_i$
for coprime moduli of $x \equiv a_i (\mod m_i)$ for $n = 1, 2$
CRT Example by Table Lookup
EEA Extended Euclidean Algorithm
CRT Example by finding cofactors

Chinese Remainder Theorem: Let $m_i, i = 1, ..., n$ be pairwise coprime, then $x \equiv a_i (\mod m_i)$ have a unique solution in $\mathbb{Z}_m$ : $m = m_1m_2...m_n$ . (for $n > 2$ , repeat)

Better Method for $n > 2$ :
CRT For n > 2
Decompose $\mathbb{Z}_m$ into $\mathbb{Z}_{p_1^{e_1}} \times \mathbb{Z}_{p_2^{e_2}} \times ... \times \mathbb{Z}_{p_k^{e_k}}$ where $m = \prod p_i^{e_i}$ is prime decomposition.

Youtube Lecture

Addition, Multiplication: wheel level Multiplication: wheel level Exponentiation: change base in sector does not affect output setctor

Prime wheel: any number raise to $p-1$ sector -> on $1$ sector Non-Prime wheel: prime divisor of $m$ sector, as well as other composit in first ring sector, will not contain prime number

p1 * p2 = filling up all non-prime number in prime sector
p1 * p1 = filling up non-prime number in $1$ sector

Euler: got to be 1 when exponent phi exponent cycles, to the 1, 2, 3, 4..., repeat there are generator to the 1, 2, 3, 4 each with new number

there exist a generator in prime universe

Table of Content