
# ALGEBRAIC STRUCTURES

The combination of the set and the operations that are applied to the elements of the set is called an algebraic structure.

Group

A group (G) is a set of elements with a binary operation (•) that satisfies four properties (or axioms). A commutative group satisfies an extra property, commutativity:

Examples of Groups

G = Z = the integers under addition = {..., -3, -2, -1, 0, 1, 2, ...}

the identity is 0
the inverse of x is -x
the integers are associative
the integers are commutative (so the group is abelian)
Examples of Groups

The non-zero rationals under multiplication

If a/b, c/d are in Q - {0}, then (a/b) * (c/d) = ac/bd is in Q - {0}

the identity is 1
the inverse of a/b is b/a
the rationals are associative
the rationals are commutative (so the group is abelian)
Examples of Groups

The non-zero reals under multiplication

G = R - {0}

If a, b are in R - {0}, then ab is in R - {0}

the identity is 1
the inverse of a is 1/a
the reals are associative
the reals are commutative (so the group is abelian)
Examples of Groups

G = Z_N^+ = the integers modulo N = {0, ..., N-1}

the group operator is +, modular addition

the identity is 0
the inverse of x is -x
Examples of Groups

The integers mod p under multiplication

G = Z_p^* = the non-zero integers modulo p = {1, ..., p-1}

the integers modulo p are closed under multiplication: this is so because if GCD(x, p) = 1 and GCD(y, p) = 1 then GCD(xy, p) = 1
the identity is 1
the inverse of x is from Euclid's algorithm: ux + vp = 1 = GCD(x, p), so x^-1 = u (also x^-1 = x^(p-2))
multiplication is associative
multiplication is commutative (so the group is abelian)
Examples of Groups

Z_N^*: the multiplicative group mod N

G = Z_N^* = the positive integers modulo N relatively prime to N

the integers modulo N are closed under multiplication: this is so because if GCD(x, N) = 1 and GCD(y, N) = 1 then GCD(xy, N) = 1
the identity is 1
the inverse of x is from Euclid's algorithm: ux + vN = 1 = GCD(x, N), so x^-1 = u (= x^(φ(N)-1))
multiplication is associative
multiplication is commutative (so the group is abelian)
The set of residue integers with the addition operator,
G = < Zn , +>,
is a commutative group.


The set Zn* with the multiplication operator, G = <Zn*, ×>, is also an abelian group.

Define a set G = <{a, b, c, d}, •> and the operation • as shown in the table

Permutation group: the set is the set of all permutations, and the operation is composition: applying one permutation after another.

Figure: Composition of permutations

Table: Operation table for the permutation group

A set of permutations with the composition operation is a group.

This implies that using two permutations one after another cannot strengthen the security of a cipher, because we can always find a permutation that can do the same job because of the closure property.
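The closure argument above, worked through in code. This is an added example, not code from the slides: it represents a permutation as a tuple (output position i takes input element perm[i]), composes two constructed 4-element permutations P and Q, and checks by brute force that the permutations of a small set satisfy the group axioms. The names and the two permutations are illustrative choices.

```python
# Added example (not from the slides): permutations under composition form a
# group, so two transposition steps applied in sequence equal a single one.
from itertools import permutations

def apply_perm(perm, block):
    """Output position i receives input element block[perm[i]]."""
    return tuple(block[i] for i in perm)

def compose(p, q):
    """The single permutation equal to 'apply p, then apply q'."""
    return tuple(p[j] for j in q)

def identity(n):
    return tuple(range(n))

def inverse(p):
    inv = [0] * len(p)
    for i, j in enumerate(p):
        inv[j] = i
    return tuple(inv)

def group_axioms_hold(n):
    """Brute-force check of closure, associativity, identity and inverses on S_n."""
    elems = set(permutations(range(n)))
    e = identity(n)
    closed = all(compose(p, q) in elems for p in elems for q in elems)
    assoc = all(compose(compose(p, q), r) == compose(p, compose(q, r))
                for p in elems for q in elems for r in elems)
    has_identity = all(compose(p, e) == p == compose(e, p) for p in elems)
    has_inverse = all(compose(p, inverse(p)) == e for p in elems)
    return closed and assoc and has_identity and has_inverse

def is_abelian(n):
    """False for n >= 3: the permutation group is a non-abelian group."""
    elems = list(permutations(range(n)))
    return all(compose(p, q) == compose(q, p) for p in elems for q in elems)

# Two constructed permutations standing in for two transposition-cipher steps.
P = (2, 0, 3, 1)
Q = (3, 1, 0, 2)

def double_transposition(block):
    """Apply P, then Q (two 'rounds' of permutation)."""
    return apply_perm(Q, apply_perm(P, block))

def equivalent_single(block):
    """One permutation that does the same job, guaranteed to exist by closure."""
    return apply_perm(compose(P, Q), block)

if __name__ == "__main__":
    block = ("a", "b", "c", "d")
    print(double_transposition(block), equivalent_single(block), compose(P, Q))
```

Because the composed permutation compose(P, Q) is itself a member of the group, an attacker facing a double transposition faces exactly one unknown permutation, which is why the second step adds no security.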

Examples of a non-abelian group

GL(2), 2 by 2 non-singular real matrices under matrix multiplication

A = [a b; c d] with det A = ad - bc ≠ 0

if A and B are non-singular, so is AB
the identity is I = [1 0; 0 1]
the inverse of A is A^-1 = (1/(ad - bc)) [d -b; -c a]
matrix multiplication is associative
matrix multiplication is not commutative
Subgroups

(H, @) is a subgroup of (G, @) if:

H is a subset of G
(H, @) is a group
Example

Subgroups

Let G = Z7* = {1, 2, 3, 4, 5, 6} = the multiplicative group modulo 7

Let H = {1, 2, 4} (mod 7), a subset of G

Note:
1. H is closed under multiplication modulo 7
2. 1 is still the identity
3. 1 is its own inverse; 2 and 4 are inverses of each other
4. associativity still applies
5. commutativity still applies

H is a subgroup of G
Example

Subgroups

Let G = R - {0} = the non-zero reals under multiplication
Let H = Q - {0} = the non-zero rationals under multiplication

H is a subset of G, and G, H are groups

H is a subgroup of G
Is the group H = <Z10, +> a subgroup of the group G = <Z12, +>?

Solution
The answer is no. Although H is a subset of G, the operations
defined for these two groups are different. The operation in H is

Cyclic Subgroups
If a subgroup of a group can be generated using the powers of an element, the subgroup is called a cyclic subgroup.

Four cyclic subgroups can be made from the group G = <Z6, +>.
They are H1 = <{0}, +>, H2 = <{0, 2, 4}, +>, H3 = <{0, 3}, +>, and
H4 = G.

Three cyclic subgroups can be made from the group G = <Z10*, ×>. G has only four elements: 1, 3, 7, and 9. The cyclic subgroups are H1 = <{1}, ×>, H2 = <{1, 9}, ×>, and H3 = G.

Cyclic Groups

## A cyclic group is a group that is its own cyclic subgroup.

a. The group G = <Z6, +> is a cyclic group with two generators, g = 1 and g = 5.

b. The group G = <Z10*, ×> is a cyclic group with two generators, g = 3 and g = 7.

Lagrange's Theorem
Assume that G is a group, and H is a subgroup of G. If the orders of G and H are |G| and |H|, respectively, then, based on this theorem, |H| divides |G|.

Order of an Element
The order of an element is the order of the cyclic group it generates.

a. In the group G = <Z6, +>, the orders of the elements are:
ord(0) = 1, ord(1) = 6, ord(2) = 3, ord(3) = 2, ord(4) = 3,
ord(5) = 6.

b. In the group G = <Z10*, ×>, the orders of the elements are:
ord(1) = 1, ord(3) = 4, ord(7) = 4, ord(9) = 2.
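The cyclic subgroups, element orders, generators and Lagrange's theorem for the two small groups used above, computed by brute force. This is an added example rather than code from the slides; a group is passed around as a triple (element list, binary operation, identity), which is a representation chosen here, and the two constructors are for <Z_n, +> and <Z_n^*, ×>.

```python
# Added example (not from the slides): cyclic subgroups, orders, generators and
# Lagrange's theorem for <Z6, +> and <Z10*, x>, found by exhaustive computation.
from math import gcd

def additive_group(n):
    """<Z_n, +> as (elements, operation, identity)."""
    return list(range(n)), (lambda a, b: (a + b) % n), 0

def multiplicative_group(n):
    """<Z_n^*, x>: the residues coprime to n under multiplication mod n."""
    return [x for x in range(1, n) if gcd(x, n) == 1], (lambda a, b: (a * b) % n), 1

def cyclic_subgroup(g, op, identity):
    """The subgroup generated by g: {identity, g, g*g, g*g*g, ...} until it cycles back."""
    members = [identity]
    x = g
    while x != identity:
        members.append(x)
        x = op(x, g)
    return frozenset(members)

def order(g, op, identity):
    """Order of an element = order of the cyclic subgroup it generates."""
    return len(cyclic_subgroup(g, op, identity))

def orders(group):
    elems, op, e = group
    return {g: order(g, op, e) for g in elems}

def cyclic_subgroups(group):
    elems, op, e = group
    return {cyclic_subgroup(g, op, e) for g in elems}

def generators(group):
    """Elements whose cyclic subgroup is the whole group."""
    elems, op, e = group
    return sorted(g for g in elems if order(g, op, e) == len(elems))

def is_cyclic(group):
    return bool(generators(group))

def lagrange_holds(group):
    """|H| divides |G| for every cyclic subgroup H found above."""
    elems = group[0]
    return all(len(elems) % len(h) == 0 for h in cyclic_subgroups(group))

if __name__ == "__main__":
    for name, grp in (("<Z6,+>", additive_group(6)), ("<Z10*,x>", multiplicative_group(10))):
        print(name, orders(grp), generators(grp), sorted(map(sorted, cyclic_subgroups(grp))))
```

Note that <Z10*, ×> has φ(10) = 4 elements, so by Lagrange's theorem every element order must divide 4, which the output confirms (orders 1, 4, 4, 2).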

Chinese remainder theorem (another version)

N = n1 n2 ... nk (the numbers ni are pairwise coprime)

There is a one-to-one correspondence:
Z_N ↔ Z_n1 × ... × Z_nk; also, Z_N^* ↔ Z_n1^* × Z_n2^* × ... × Z_nk^*
A ↔ (a1, ..., ak), where A ∈ Z_N and ai = A mod ni

Operations in Z_N can be performed individually in each Z_ni.
If A ↔ (a1, ..., ak) and B ↔ (b1, ..., bk), then
A ± B ↔ (a1 ± b1, ..., ak ± bk)
A × B ↔ (a1 × b1, ..., ak × bk)
A × B^-1 ↔ (a1 × b1^-1, ..., ak × bk^-1) if B ∈ Z_N^*
(the left-hand side is computed mod N, the right-hand side mod n1, ..., mod nk)

Example: Chinese remainder theorem

Suppose we want to compute 8 × 11 in Z15.
Z15 ↔ Z3 × Z5, Z15^* ↔ Z3^* × Z5^*
8 ↔ (2, 3) = (8 mod 3, 8 mod 5)
11 ↔ (2, 1) = (11 mod 3, 11 mod 5)
8 × 11 ↔ (2 × 2, 3 × 1) = (1, 3).
x ↔ (1, 3): solve x ≡ 1 mod 3, x ≡ 3 mod 5, giving x = 13.
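The correspondence and the component-wise operations, implemented for any list of pairwise coprime moduli and checked on the 8 × 11 in Z15 instance above. This is an added example, not code from the slides; the reconstruction uses the standard CRT formula A = Σ ai · Ni · (Ni^-1 mod ni) with Ni = N/ni, and the function names are this example's own.

```python
# Added example (not from the slides): Z_N <-> Z_n1 x ... x Z_nk and
# component-wise +, -, x and x B^-1, with N = 15 = 3 x 5 as the worked case.
from math import gcd, prod   # math.prod needs Python 3.8+

def pairwise_coprime(moduli):
    return all(gcd(a, b) == 1 for i, a in enumerate(moduli) for b in moduli[i + 1:])

def to_residues(A, moduli):
    """A in Z_N  ->  (A mod n1, ..., A mod nk)."""
    return tuple(A % n for n in moduli)

def from_residues(residues, moduli):
    """(a1, ..., ak)  ->  the unique A in Z_N with A = ai (mod ni) for every i."""
    if not pairwise_coprime(moduli):
        raise ValueError("moduli must be pairwise coprime")
    N = prod(moduli)
    A = 0
    for a_i, n_i in zip(residues, moduli):
        N_i = N // n_i                        # product of all the other moduli
        A += a_i * N_i * pow(N_i, -1, n_i)    # N_i is invertible mod n_i since gcd = 1
    return A % N

def crt_op(A, B, moduli, op):
    """Apply op separately in each Z_ni, then map the residue vector back to Z_N."""
    ra, rb = to_residues(A, moduli), to_residues(B, moduli)
    return from_residues(tuple(op(x, y, n) for x, y, n in zip(ra, rb, moduli)), moduli)

def crt_add(A, B, moduli):
    return crt_op(A, B, moduli, lambda x, y, n: (x + y) % n)

def crt_sub(A, B, moduli):
    return crt_op(A, B, moduli, lambda x, y, n: (x - y) % n)

def crt_mul(A, B, moduli):
    return crt_op(A, B, moduli, lambda x, y, n: (x * y) % n)

def crt_div(A, B, moduli):
    """A x B^-1, which needs B in Z_N^*, i.e. gcd(B, N) = 1."""
    if gcd(B, prod(moduli)) != 1:
        raise ValueError("B is not invertible modulo N")
    return crt_op(A, B, moduli, lambda x, y, n: (x * pow(y, -1, n)) % n)

if __name__ == "__main__":
    print(to_residues(8, (3, 5)), to_residues(11, (3, 5)), crt_mul(8, 11, (3, 5)))  # (2, 3) (2, 1) 13
```

The same functions work unchanged for more than two moduli (e.g. (3, 5, 7) with N = 105), which is the general form of the theorem the slide states.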
Important Problems

gcd(a, b), a^k mod n, a^-1 mod n can be done in O(log^3 n) time.

How to compute a^-1 mod n?
Compute a^-1 in Z_n^*.
a^-1 exists if and only if gcd(a, n) = 1.
Use the extended Euclidean algorithm to find x, y such that ax + ny = gcd(a, n) = 1.
ax = 1 (because ny = 0 in Z_n).
a^-1 = x.
Note: every computation is reduced modulo n.

Example
Compute 15^-1 mod 47.
47 = 15 × 3 + 2 (divide 47 by 15; remainder 2)
15 = 2 × 7 + 1 (divide 15 by 2; remainder 1)
1 = 15 - 2 × 7 (mod 47)
  = 15 - (47 - 15 × 3) × 7 (mod 47)
  = 15 × 22 - 47 × 7 (mod 47)
  = 15 × 22 (mod 47)
15^-1 mod 47 = 22
The RSA Cryptosystem

Best known and most widely used public-key scheme.
Based on the assumed one-way property of modular powering:
f: x → x^e mod n (easy)
f^-1: y → y^(1/e) mod n (hard)

Idea behind RSA

It works in the group Z_n^*.
RSA encryption (easy): x → x^e
RSA^-1 decryption (hard): x^e → x
Looking for a trapdoor: (x^e)^d = x.
If d is a number such that ed ≡ 1 mod φ(n), then ed = kφ(n) + 1 for some k, and
(x^e)^d = x^(ed) = x^(kφ(n) + 1) = (x^φ(n))^k × x = 1^k × x = x.
Setting up an RSA Cryptosystem

RSA cryptosystem setup:
Choose a pair of public/private keys: (PU, PR).
Publish the public (encryption) key.
Keep secret the private (decryption) key.

RSA Key Setup
Select two large primes p and q at random.
Compute n = pq. Note: φ(n) = (p - 1)(q - 1).
Select an encryption key e satisfying 1 < e < φ(n) and gcd(e, φ(n)) = 1 (i.e., e ∈ Z_φ(n)^*, e ≠ 1).
Compute the decryption key: d = e^-1 mod φ(n), so that ed ≡ 1 mod φ(n); d is the inverse of e mod φ(n).
Public key: PU = (n, e). Private key: PR = (n, d).
Important: p, q, and φ(n) must be kept secret.
RSA Encryption and Decryption
Suppose Bob is to send a secret message m to Alice.
To encrypt, Bob will
obtain Alice's public key PU_Alice = {e, n}.
encrypt m as c = m^e mod n.
Note: m ∈ Z_n^*.

To decrypt the ciphertext c, Alice will compute m = c^d mod n, using her private key PR_Alice = {d, n}.
Why RSA Works
The setting of RSA is the group <Z_n^*, ×>:
Plaintexts and ciphertexts are elements in Z_n^*.
Recall: Z_n^* = {x : 0 < x < n, gcd(x, n) = 1}.
Z_n^* has φ(n) elements. (The group Z_n^* has order φ(n).)
In the group <Z_n^*, ×>, for any x ∈ Z_n^*, we have x^φ(n) = 1.
We have chosen e, d such that ed ≡ 1 mod φ(n), i.e., ed = kφ(n) + 1 for some positive integer k.
For x ∈ Z_n^*, (x^e)^d = x^(ed) = x^(kφ(n) + 1) = (x^φ(n))^k × x = x.
RSA Example: Key Setup
Select two primes: p = 17, q = 11.
Compute the modulus n = pq = 187.
Compute φ(n) = (p - 1)(q - 1) = 160.
Select e between 0 and 160 such that gcd(e, 160) = 1. Let e = 7.
Compute d = e^-1 mod φ(n) = 7^-1 mod 160 = 23 (using the extended Euclidean algorithm).
Public key: PU = (e, n) = (7, 187).
Private key: PR = (d, n) = (23, 187).

RSA Example: Encryption & Decryption
Suppose m = 88.
Encryption: c = m^e mod n = 88^7 mod 187 = 11.
Decryption: m = c^d mod n = 11^23 mod 187 = 88.
When computing 11^23 mod 187, we do not first compute 11^23 and then reduce it modulo 187. Rather, when computing 11^23, reduce the intermediate results modulo 187 whenever they get bigger than 187.
Algorithm: Square-and-Multiply(x, c, n)
Comment: compute x^c mod n, where c = c_k c_(k-1) ... c_0 in binary.
  z = 1
  for i = k down to 0 do
    z = z^2 mod n
    if c_i = 1 then z = z × x mod n
    (i.e., z = z × x^(c_i) mod n)
  return z
Note: at the end of iteration i, z = x^(c_k ... c_i).

Example: 11^23 mod 187
23 = 10111b
z = 1
z = z^2 × 11 mod 187 = 11 (square and multiply)
z = z^2 mod 187 = 121 (square)
z = z^2 × 11 mod 187 = 44 (square and multiply)
z = z^2 × 11 mod 187 = 165 (square and multiply)
z = z^2 × 11 mod 187 = 88 (square and multiply)
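The three building blocks from the preceding slides in working form: the extended Euclidean algorithm for a^-1 mod n (reproducing 15^-1 mod 47 = 22), square-and-multiply exactly as the algorithm box states it, and the toy RSA key p = 17, q = 11, e = 7 with the 88 ↔ 11 round trip. This is an added example, not the slides' code; the function names are this example's own, and the numbers are the slides' teaching values, far too small for real use.

```python
# Added example (not from the slides): modular inverse, square-and-multiply and
# the toy RSA key from the worked example, with the intermediate checks exposed.
from math import gcd

def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = extended_gcd(b, a % b)
    return g, y1, x1 - (a // b) * y1

def mod_inverse(a, n):
    """a^-1 mod n; exists iff gcd(a, n) = 1, i.e. a is in Z_n^*."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {g}")
    return x % n                  # ax + ny = 1, and ny = 0 in Z_n, so x = a^-1

def square_and_multiply(x, c, n):
    """x^c mod n, scanning the bits c_k ... c_0 and reducing after every step."""
    z = 1
    for bit in bin(c)[2:]:        # most significant bit first
        z = (z * z) % n           # square
        if bit == "1":
            z = (z * x) % n       # ... and multiply when c_i = 1
    return z

def rsa_keygen(p, q, e):
    """PU = (e, n), PR = (d, n); phi(n) is used once for d and then discarded."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = mod_inverse(e, phi)
    return (e, n), (d, n)

def rsa_encrypt(m, public_key):
    e, n = public_key
    return square_and_multiply(m, e, n)

def rsa_decrypt(c, private_key):
    d, n = private_key
    return square_and_multiply(c, d, n)

def toy_rsa_roundtrip(m=88):
    """The slides' example: returns (public key, private key, ciphertext, recovered m)."""
    public_key, private_key = rsa_keygen(17, 11, 7)
    c = rsa_encrypt(m, public_key)
    return public_key, private_key, c, rsa_decrypt(c, private_key)

if __name__ == "__main__":
    print(mod_inverse(15, 47))      # 22
    print(toy_rsa_roundtrip())      # ((7, 187), (23, 187), 11, 88)
```

The same `square_and_multiply` serves both encryption and decryption; what differs is only the exponent, and the loop never holds a value larger than n^2, which is the point the slide makes about reducing intermediate results.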
Encryption Key e
To speed up encryption, small values are usually used for e.
Popular choices are 3, 17 = 2^4 + 1, 65537 = 2^16 + 1.
These values have only two 1's in their binary representation.

There is an interesting attack on small e.
Low encryption exponent attack
A message m sent to e users who employ the same encryption exponent e is not protected by RSA.
Say e = 3, and Bob sends a message m to three recipients encrypted as:
c1 = m^3 mod n1, c2 = m^3 mod n2, c3 = m^3 mod n3.
Eve intercepts the three ciphertexts, and recovers m:
m^3 ≡ c1 mod n1, m^3 ≡ c2 mod n2, m^3 ≡ c3 mod n3.
By CRT, m^3 ≡ c mod n1n2n3 for some c < n1n2n3.
Also, m^3 < n1n2n3. So, m^3 = c, and m = c^(1/3).
Decryption Key d
One may be tempted to use a small d to speed up decryption.
Unfortunately, that is risky.

Wiener's attack: If d < n^(1/4)/3 and p < q < 2p, then the decryption exponent d can be computed from (n, e). (The condition p < q < 2p often holds in practice.)

CRT can be used to speed up decryption by four times.
Speeding up Decryption by CRT
Multiplying two numbers of k bits takes O(k^2) time.
n = pq. n is 1024-2058 bits; p, q are half the size.
Decryption: c^d mod n.
compute c1 = c mod p and c2 = c mod q
compute m1 = c1^d mod p and m2 = c2^d mod q
recover the plaintext by solving x ≡ m1 mod p, x ≡ m2 mod q
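The CRT decryption procedure just listed, as an added example (not the slides' code) on the slides' toy key p = 17, q = 11, d = 23 and ciphertext c = 11. The recombination step solves x ≡ m1 (mod p), x ≡ m2 (mod q) in Garner's form, which is a choice made here; the optional `reduce_exponent` flag goes one step beyond the slide by first reducing d modulo p - 1 and q - 1 (valid by Fermat's little theorem), which is where the practical speed-up comes from.

```python
# Added example (not from the slides): RSA decryption done as two half-size
# exponentiations mod p and mod q, recombined with the CRT.

def crt_decrypt(c, d, p, q, reduce_exponent=False):
    """c^d mod pq without ever exponentiating modulo the full n."""
    dp, dq = (d % (p - 1), d % (q - 1)) if reduce_exponent else (d, d)
    c1, c2 = c % p, c % q
    m1 = pow(c1, dp, p)                # c1^d mod p (as on the slide) or c1^(d mod p-1)
    m2 = pow(c2, dq, q)                # c2^d mod q
    # Solve x = m1 (mod p), x = m2 (mod q), 0 <= x < pq (Garner's algorithm):
    q_inv = pow(q, -1, p)              # q^-1 mod p exists because gcd(p, q) = 1
    h = ((m1 - m2) * q_inv) % p
    return m2 + h * q

def matches_plain_decrypt(d, p, q):
    """Check that the CRT route equals c^d mod n for every residue c modulo n."""
    n = p * q
    return all(crt_decrypt(c, d, p, q) == pow(c, d, n) == crt_decrypt(c, d, p, q, True)
               for c in range(n))

if __name__ == "__main__":
    print(crt_decrypt(11, 23, 17, 11))        # 88
    print(matches_plain_decrypt(23, 17, 11))  # True
```

In a real implementation q_inv is precomputed and stored with the private key alongside dp and dq, so decryption costs two exponentiations on half-size operands plus one multiplication.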
Security of RSA
Four categories of attacks on RSA:
brute-force key search (infeasible given the large key space)
mathematical attacks
timing attacks
chosen ciphertext attacks

Mathematical Attacks
Factor n into pq. Then φ(n) = (p - 1)(q - 1) and d = e^-1 mod φ(n) can be calculated easily.
Determine φ(n) directly. Equivalent to factoring n. Knowing φ(n) will enable us to factor n by solving n = pq, φ(n) = (p - 1)(q - 1).
Determine d directly. The best known algorithms are not faster than those for factoring n.
Integer Factorization
algorithms have been developed.

In 1977, RSA challenged researchers to decode a ciphertext encrypted with a key (n) of 129 digits
years using the best algorithms of that time.
In 1991, RSA put forward more challenges, with prizes, to encourage research on factorization.
RSA Numbers
Each RSA number is a semiprime. (A number is semiprime if it is the product of two primes.)
There are two labeling schemes.
by the number of decimal digits: RSA-100, ..., RSA-500, RSA-617.
by the number of bits: RSA-576, 640, 704, 768, 896, 1024, 1536, 2048.
RSA Numbers which have been factored
RSA-110 (365 bits), 1992, 75 MIPS-year, QS.
RSA-120 (398 bits), 1993, 830 MIPS-year, QS.
RSA-129 (428 bits), 1994, 5000 MIPS-year, QS.
RSA-130 (431 bits), 1996, 1000 MIPS-year, GNFS.
RSA-140 (465 bits), 1999, 2000 MIPS-year, GNFS.
RSA-155 (512 bits), 1999, 8000 MIPS-year, GNFS.
RSA-160 (530 bits), 2003, Lattice Sieve.
RSA-576 (174 digits), 2003, Lattice Sieve.
RSA-640 (193 digits), 2005, Lattice Sieve.
RSA-200 (663 bits), 2005, Lattice Sieve.
RSA-200=
27,997,833,911,221,327,870,829,467,638,
722,601,621,070,446,786,955,428,537,560,
009,929,326,128,400,107,609,345,671,052,
955,360,856,061,822,351,910,951,365,788,
637,105,954,482,006,576,775,098,580,557,
613,579,098,734,950,144,178,863,178,946,
295,187,237,869,221,823,983.
Ring

A ring, R = <{...}, +, ×>, is an algebraic structure with two operations.

The set Z with two operations, addition and
multiplication, is a commutative ring.

Field

A field, denoted by F = <{...}, +, ×>, is a commutative ring in which the second operation satisfies all five properties defined for the first operation, except that the identity of the first operation has no inverse.

Finite Fields

Galois showed that for a field to be finite, the number of elements should be p^n, where p is a prime and n is a positive integer.

GF(p) Fields

When n = 1, we have the GF(p) field.

This field can be the set Zp = {0, 1, ..., p - 1}, with two arithmetic operations.

A very common field in this category is GF(2) with the set {0, 1} and two operations, addition and multiplication.

GF(2) field

We can define GF(5) on the set Z5 (5 is a prime) with

GF(2n) FIELDS

Let us define a GF(22) field in which the set has four 2-bit
words: {00, 01, 10, 11}.

We can redefine addition and multiplication for this field in such a way that all properties of these operations are satisfied.

Polynomials

of the form

where x^i is called the ith term and a_i is called the coefficient of the ith term.

Representation of an 8-bit word by a polynomial

We can represent the 8-bit word (10011001) using a polynomial.

To find the 8-bit word related to the polynomial x^5 + x^2 + x, we first supply the omitted terms. Since n = 8, it means the polynomial is of degree 7.

GF(2n) Fields

Polynomials representing n-bit words use two fields: GF(2) and GF(2^n).

Modulus
For the sets of polynomials in GF(2^n), a group of polynomials of degree n is defined as the modulus. Such polynomials are referred to as irreducible polynomials.

Addition and subtraction operations on polynomials are the same operation.

(x^5 + x^2 + x) ⊕ (x^3 + x^2 + 1) in GF(2^8).

In the previous example, x^5 + x^2 + x is 00100110 and x^3 + x^2 + 1 is 00001101.

Using XOR, the result is 00101011, or in polynomial notation x^5 + x^3 + x + 1.

Multiplication

1. The coefficient multiplication is done in GF(2).
2. Multiplying x^i by x^j results in x^(i+j).
3. The multiplication may create terms with degree more than n - 1, which means the result needs to be reduced using a modulus polynomial.

(x^5 + x^2 + x) ⊗ (x^7 + x^4 + x^3 + x^2 + x) in GF(2^8) with irreducible polynomial (x^8 + x^4 + x^3 + x + 1).

Solution

To find the final result, divide the polynomial of degree 12 by the polynomial of degree 8 (the modulus) and keep only the remainder.

Polynomial division with coefficients in GF(2)

In GF(2^4), find the inverse of (x^2 + 1) modulo (x^4 + x + 1).

Solution
Using the Euclidean algorithm, the answer is (x^3 + x + 1).

In GF(2^8), find the inverse of (x^5) modulo (x^8 + x^4 + x^3 + x + 1).

Solution
The answer is (x^5 + x^4 + x^3 + x).

Using a Generator

Sometimes it is easier to define the elements of the GF(2^n) field using a generator.

Generate the elements of the field GF(2^4) using the irreducible polynomial f(x) = x^4 + x + 1.

Solution
The elements 0, g^0, g^1, g^2, and g^3 can be easily generated, because they are the 4-bit representations of 0, 1, x, x^2, and x^3.

Elements g^4 through g^14, which represent x^4 through x^14, need to be divided by the irreducible polynomial.

To avoid the polynomial division, the relation f(g) = g^4 + g + 1 = 0 can be used.
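GF(2^n) arithmetic on n-bit words, covering the addition, multiplication, inverse and generator examples of the preceding slides in one place. This is an added example, not code from the slides: a word is an int whose bit i is the coefficient of x^i (so 0b100110 is x^5 + x^2 + x, and the AES-style modulus x^8 + x^4 + x^3 + x + 1 is 0x11b), multiplication is carry-less product followed by long division by the modulus, and the inverse is the extended Euclidean algorithm over GF(2)[x]. The helper names are this example's own.

```python
# Added example (not from the slides): GF(2^n) words as ints, bit i = coefficient of x^i.

def poly_str(a):
    """Render a word as a polynomial over GF(2): 0b100110 -> 'x^5 + x^2 + x'."""
    if a == 0:
        return "0"
    terms = []
    for i in range(a.bit_length() - 1, -1, -1):
        if (a >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)

def degree(a):
    return a.bit_length() - 1              # degree(0) == -1 by this convention

def gf_add(a, b):
    """Addition and subtraction coincide: coefficient-wise XOR."""
    return a ^ b

def poly_mul(a, b):
    """Carry-less product in GF(2)[x]; the degree may exceed n - 1 (not yet reduced)."""
    result = 0
    while b:
        if b & 1:
            result ^= a                    # coefficient multiplication is in GF(2)
        a <<= 1                            # x^i * x^j = x^(i+j)
        b >>= 1
    return result

def poly_divmod(a, m):
    """Long division in GF(2)[x]: (quotient, remainder) of a divided by m."""
    q = 0
    dm = degree(m)
    while a and degree(a) >= dm:
        shift = degree(a) - dm
        q ^= 1 << shift
        a ^= m << shift                    # subtract (= XOR) the shifted modulus
    return q, a

def gf_mul(a, b, modulus):
    """Multiply, then keep only the remainder modulo the irreducible polynomial."""
    return poly_divmod(poly_mul(a, b), modulus)[1]

def gf_inv(a, modulus):
    """Multiplicative inverse via the extended Euclidean algorithm over GF(2)[x]."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1 = modulus, a
    t0, t1 = 0, 1
    while r1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ poly_mul(q, t1)  # t0 - q*t1, with subtraction = XOR
    if r0 != 1:
        raise ValueError("modulus is not irreducible, or shares a factor with a")
    return poly_divmod(t0, modulus)[1]

def generator_table(modulus):
    """Powers g^0 .. g^(2^n - 2) of g = x, each obtained as g^(i-1) * x reduced by the modulus."""
    n = degree(modulus)
    powers = [1]
    for _ in range(2 ** n - 2):
        powers.append(gf_mul(powers[-1], 0b10, modulus))
    return powers

if __name__ == "__main__":
    AES_MOD = 0b100011011                   # x^8 + x^4 + x^3 + x + 1
    print(poly_str(gf_add(0b00100110, 0b00001101)))                 # x^5 + x^3 + x + 1
    print(poly_str(gf_mul(0b100110, 0b10011110, AES_MOD)))          # reduced product
    print(poly_str(gf_inv(0b101, 0b10011)), poly_str(gf_inv(0b100000, AES_MOD)))
    print([f"{p:04b}" for p in generator_table(0b10011)])           # GF(2^4) by generator
```

For the multiplication slide, poly_mul gives the degree-12 polynomial x^12 + x^7 + x^2 and the division by the degree-8 modulus leaves x^5 + x^3 + x^2 + x + 1; the generator table for x^4 + x + 1 lists all 15 non-zero elements of GF(2^4), with g^4 = 0011 because g^4 = g + 1.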

The following show the results of addition and subtraction
operations:

The following show the results of multiplication and division operations:
