Вы находитесь на странице: 1из 92

ALGEBRAIC STRUCTURES

Thecombinationofthesetandtheoperationsthatare
appliedtotheelementsofthesetiscalledanalgebraic
structure.

4.1
4.2
Group

A group (G) is a set of elements with a binary operation ()


that satisfies four properties (or axioms). A commutative
group satisfies an extra property, commutativity:

4.3
Group

4.4
4.5
ExamplesofGroups

Theintegersunderaddition

G=Z=theintegers={-3,-2,-1,0,1,2}

thegroupoperatoris+,ordinaryaddition

theintegersareclosedunderaddition
theidentityis0
theinverseofxis-x
theintegersareassociative
theintegersarecommutative(sothegroupisabelian)
Examples of Groups

Thenon-zerorationals undermultiplication

G = Q -{0} = {a/b} a,b non-zero integers

the group operator is *, ordinary multiplication

If a/b, c/d are in Q-{0}, then a/b * c/d = (ac/bd) is in Q-{0}


the identity is 1
the inverse of a/b is b/a
the rationals are associative
the rationals are commutative (so the group is abelian)
Examples of Groups

Thenon-zeroreals undermultiplication

G = R -{0}

the group operator is *, ordinary multiplication

If a, b are in R-{0}, then ab is in R-{0}


the identity is 1
the inverse of a is 1/a
the reals are associative
the reals are commutative (so the group is abelian)
Examples of Groups

TheintegersmodNunderaddition
+
G = Z N = the integers modulo N = {0 N-1}

the group operator is +, modular addition

theintegersmoduloNareclosedunderaddition
theidentityis0
theinverseofxis-x
additionisassociative
additioniscommutative(sothegroupisabelian)
Examples of Groups

The integers mod p under multiplication


*
G = Z p = the non-zero integers modulo p = {1 p-1}

the group operator is *, modular multiplication

the integers modulo p are closed under multiplication: this is so


because if GCD(x, p) =1 and GCD(y,p) = 1 then GCD(xy,p) = 1
the identity is 1
the inverse of x is from Euclids algorithm: ux + vp = 1 =
-1
GCD(x,p) -1 so p-2
x =u
also x = u = x
multiplication is associative
multiplication is commutative (so the group is abelian)
Examples of Groups

*
Z N : the multiplicative group mod N
*
G = Z N = the positive integers modulo N relatively prime to N

the group operator is *, modular multiplication

the integers modulo N are closed under multiplication: this is so


because if GCD(x, N) =1 and GCD(y,N) = 1 then GCD(xy,N) = 1
the identity is 1
the inverse of x is from Euclids algorithm: uxfN1
+ vN = 1 =
-1
GCD(x,N) so x = u (= x )
multiplication is associative
multiplication is commutative (so the group is abelian)
The set of residue integers with the addition operator,
G = < Zn , +>,
is a commutative group.

4.12
The set of residue integers with the addition operator,
G = < Zn , +>,
is a commutative group.

The set Zn* with the multiplication operator, G = <Zn*, >, is also
an abelian group.

Define a set G = < {a, b, c, d}, > and the operation as shown in
Table

4.13
permutation group: The set is the set of all permutations, and the
operation is composition: applying one permutation after another.

Composition of permutation

4.14
Table Operation table for permutation group

4.15
a set of permutations with the composition operation is a
group.

This implies that using two permutations one after


another cannot strengthen the security of a cipher,
because we can always find a permutation that can do the
same job because of the closure property.

4.16
Examples of a non-abelian group

GL(2), 2 by 2 non-singular real matrices


under matrix multiplication

a b
GL(2) = {[ ], ad-bc
c d }
=0

if A and B are non-singular, so is AB


the identity is I = [ ] 10
01

-1
a b = /(ad-bc)
d -b
[ ] c d [ ]-c a
matrix multiplication is associative
matrix multiplication is not commutative
4.18
Subgroups

(H,@) is a subgroup of (G,@) if:

H is a subset of G
(H,@) is a group
Example

Subgroups

Let G = Z*7 = {1,2,3,4,5,6} = the multiplicative group modulo 7


Let H = {1,2,4} (mod 7) a subset of G

Note:
1. H is closed under multiplication modulo 7
2. 1 is still the identity
3. 1 is 1 inverse, 2 and 4 are inverses of each other
4. associativity still applies
5. commutativity still applies

H is a subgroup of G
Example

Subgroups

LetG=R-{0}=thenon-zeroreals undermultiplication
LetH=Q-{0}=thenon-zerorationals undermultiplication

HisasubsetofGandG,Haregroups

HisasubgroupofG
Is the group H = <Z10, +> a subgroup of the group G = <Z12, +>?

Solution
The answer is no. Although H is a subset of G, the operations
defined for these two groups are different. The operation in H is
addition modulo 10; the operation in G is addition modulo 12.

4.22
CyclicSubgroups
If a subgroup of a group can be generated using the power
of an element, the subgroup is called the cyclic subgroup.

4.23
Four cyclic subgroups can be made from the group G = <Z6, +>.
They are H1 = <{0}, +>, H2 = <{0, 2, 4}, +>, H3 = <{0, 3}, +>, and
H4 = G.

4.24
Three cyclic subgroups can be made from the group
G = <Z10, >. G has only four elements: 1, 3, 7, and 9. The cyclic
subgroups are H1 = <{1}, >, H2 = <{1, 9}, >, and H3 = G.

4.25
Cyclic Groups

A cyclic group is a group that is its own cyclic subgroup.

4.26
Three cyclic subgroups can be made from the group
G = <Z10, >. G has only four elements: 1, 3, 7, and 9. The cyclic
subgroups are H1 = <{1}, >, H2 = <{1, 9}, >, and H3 = G.

a. The group G = <Z6, +> is a cyclic group with two generators,


g = 1 and g = 5.

b. The group G = <Z10,


> is a cyclic group with two generators,
g = 3 and g = 7.

4.27
LagrangesTheorem
Assume that G is a group, and H is a subgroup of G. If the
order of G and H are |G| and |H|, respectively, then, based on
this theorem, |H| divides |G|.

OrderofanElement
The order of an element is the order of the cyclic group it
generates.

4.28
a. In the group G = <Z6, +>, the orders of the elements are:
ord(0) = 1, ord(1) = 6, ord(2) = 3, ord(3) = 2, ord(4) = 3,
ord(5) = 6.

b. In the group G = <Z10*, >, the orders of the elements are:


ord(1) = 1, ord(3) = 4, ord(7) = 4, ord(9) = 2.

4.29
4.30
4.31
4.32
4.33
4.34
4.35
4.36
4.37
4.38
4.39
Chineseremaindertheorem(anotherversion)
N n1n2 nk (thenumbersni arepairwisecoprime)
Thereisaone-to-onecorrespondence :

ZN
Z n1 Z nk also,Z N* Z n*1 Z n*2
A a1 , ,ak ,whereA Z N andai A mod ni
A ?
? a1 , ,ak
One-to-onecorrespondence :
ZN Z n1 Z nk

A a1 , ,ak
OperationsinZ N canbeperformedindividuallyineachZ ni .
A a1 , ,ak
If
B b1 , ,bk
then
A B a1 b1 , ,ak bk
A B a1 b1 , ,ak bk
A B a1 b1 , ,ak bk ifB Z N*

mod N mod n1 modnk
Example:Chineseremaindertheorem

Supposewewanttocompute8 11inZ15 .
Z15 Z 3 Z 5 Z15* Z 3* Z 5*
8 (2, 3) 8mod 3, 8mod 5
11 (2, 1) 11mod 3, 11mod 5
8 11 (2 2, 3 1) (1, 3).
x (1, 3)
x 1mod 3
Solve x 13
x 3mod 5
ImportantProblems
gcd( a, b),

a k mod n,

a 1 mod n

CanbedoneinO (log3 n )time.


Howtocomputea 1 mod n ?
Computea 1 inZ n*.
a 1 existsifandonlyif gcd( a, n ) 1.
UseextendedEuclideanalgorithmtofindx, y
suchthatax ny gcd( a , n ) 1
ax 1(becauseny 0inZ n )
a 1 x.
Note:everycomputationisreducedmodulon.
Example
1
Compute15 mod 47.
47 15 3 2 (divide47by15;remainder 2)
15 2 7 1(divide15by2;remainder 1)
1 15 2 7( mod 47)
15 ( 47 15 3) 7( mod 47)
15 22 47 7( mod 47)
15 22( mod 47)
151 mod 47 22
TheRSACryptosystem
ByRivest, Shamir & AdlemanofMITin1977.
Bestknownandmostwidelyusedpublic-keyscheme.
Basedontheassumedone-waypropertyofmodular
powering:
f : x x e mod n (easy)
f 1 : y e
y mod n (hard)

46
IdeabehindRSA
ItworksingroupZ n* .
RSA
Encryption(easy):x xe
RSA 1 e
Decryption(hard):x x
e d
Lookingforatrapdoor:( x ) x.
Ifd isanumbersuchthated 1mod ( n ), then
ed k ( n ) 1forsomek , and
(n) k
e d
( x ) x ed
x ( n ) k 1
x x 1 x x.
Setting up an RSA Cryptosystem

RSAcryptosystemsetup:
Chooseapairofpublic/privatekeys:(PU,PR).
Publishthepublic(encryption)key.
Keepsecrettheprivate(decryption)key.

48
RSAKeySetup
Selecttwolargeprimesp andq atrandom.
Computen pq.Note: ( n ) ( p 1)( q 1).
Selectanencryptionkeye satisfying1 e ( n )and
gcd( e, ( n )) 1.(i.e.,e Z* ( n ) , e 1.)
Computethedescryptionkey:d e 1 mod ( n ).
ed 1 mod ( n ).
d istheinverseofe mod (n ).
Publickey:PU ( n, e).Privatekey:PR ( n, d ).
Important:p, q, and ( n )mustbekeptsecret.
RSAEncryptionandDecryption
SupposeBobistosendasecretmessagem toAlice.
Toencrypt,Bobwill
obtainAlice'spublickeyPU Alice {e, n}.
encryptm asc m e mod n.

*
Note:m Z .
n

Todecrypttheciphertextc, Alicewillcompute
m c d mod n, usingherprivatekeyPRAlice {d , n}.
WhatkeywillAliceusetoencryptherreplytoBob?
WhyRSAWorks
ThesettigofRSAisthegroup Z n* , :
PlaintextsandciphertextsareelementsinZ n*.
Recall:Z n* x : 0 x n, gcd( x, n ) 1.
Z n* has ( n )elements.(ThegroupZ n* hasorder (n ).)
Ingroup Z n* , ,foranyx Z n* ,wehavex ( n ) 1.
Wehavechosene, d suchthated 1 mod ( n ), i.e.,
ed k ( n ) 1forsomepositiveintegerk .
e d (n) k
Forx Z , x
*
n x ed
x k ( n ) 1
x x x.
RSAExample:KeySetup
Selecttwoprimes:p 17, q 11.
Computethemodulusn pq 187.
Compute (n) ( p 1)(q 1) 160.
Selecte between0and160suchthat gcd(e,160) 1.
Lete 7.
1 1
Computed e mod (n) 7 mod160 23
(usingextendedEuclid'salgorithm).
Publickey:PU (e, n) (7, 187).
Privatekey:PR (d , n) (23, 187).
RSAExample:Encryption&Decryption
Supposem 88.
Encryption:c m e mod n 887 mod187 11.
Decryption:m c d mod n 1123 mod187 88.
Whencomputing1123 mod187, wedonotfirst
compute1123 andthenreduceitmodulo187.
Rather,whenconmputing1123 ,reducetheintermediate
resultsmodulo187whenevertheygetbiggerthan187.
Algorithm:Square-and-Multiply(x,c,n)
Comment:computex c mod n, wherec ck ck 1 c0 inbinary.
z 1
fori k downto0do
z z 2 modn
ifci 1

thenz z x modn
i.e.,
z z xci
modn

return(z )

Note:Attheendofiterationi,z x ck ...ci .
Example:1123 mod187
23 10111b
z 1
z z 2 11mod187 11(squareandmultiply)
z z 2 mod187 121(square)
z z 2 11mod187 44(squareandmultiply)
z z 2 11mod187 165(squareandmultiply)
z z 2 11mod187 88(squareandmultiply)
EncryptionKeye
Tospeedupencryption,smallvaluesareusually
usedfore.

Popularchoicesare3, 17 24 1, 65537 216 1.


Popularchoicesare3,
Thesevalueshaveonlytwo1'sintheirbinary
representation.

Thereisaninterestingattackonsmalle.
Lowencryptionexponentattack
Amessagem senttoe userswhoemploythesame
encryptionexponente isnotprotectedbyRSA.
Say,e 3, andBobsendsamessagem tothree
receipientsencryptedas:
c1 m 3 mod n1 ,c 2 m 3 mod n2 ,c 3 m 3 mod n3.
Eveinterceptsthethreeciphertexts,andrecoversm:
m 3 c1 mod n1 ,m 3 c2 mod n2 ,m 3 c 3 mod n3.
ByCRT,m 3 c mod n1n2 n3 forsomec n1n2 n3.
Also,m 3 n1n2n3 .So,m 3 c, andm 3 c .
DecryptionKeyd
Onemaybetemptedtouseasmalld tospeedup
decryption.
Unfortunately,thatisrisky.

Wiener'sattack:Ifd n1/4 /3andp q 2 p,


thenthedecryptionexponentd canbecomputed
from( n, e).(Theconditionp q 2 p oftenholds
inpractice.)
CRTcanbeusedtospeedupdecryptionbyfourtimes.
SpeedingupDecryptionbyCRT
Multiplyingtwonumbersofk bitstakesO (k 2 )time.
n pq.n 1024-2058bits.p, q halfthesize.
Decryption:c d mod n.
Insteadofcomputingc d mod n directly,we
computec1 c mod p andc2 c mod q

d d
computem1 c1 mod p andm2 c2 mod q
x m1 mod p
recovertheplaintextbysolving
x m2 mod q
SecurityofRSA
FourcategoriesofattacksonRSA:
brute-forcekeysearch
infeasiblegiventhelargekeyspace
mathematicalattacks
timingattacks
chosenciphertextattacks
MathematicalAttacks
Factorn intopq.Then (n ) ( p 1)( q 1)and
d e 1 mod ( n )canbecalculatedeasily.
Determine ( n )directly.Equivalenttofactoringn.
Knowing (n )willenableustofactorn bysolving
n pq

( n ) ( p 1)( q 1)
Determined directly.Thebestknownalgorithmsare
notfasterthanthoseforfactoringn.
IntegerFactorization
Adifficultproblem,butmoreandmoreefficient
algorithmshavebeendeveloped.

In1977,RSAchallengedresearcherstodecodea
ciphertexencryptedwithakey(n)of129digits
(428bits).Prize:$100.Wouldtakequadrillion
yearsusingbestalgorithmsofthattime.
In1991,RSAputforwardmorechallenges,withprizes,
toencourageresearchonfactorization.
RSANumbers
EachRSAnumberisasemiprime.(Anumberis
semiprimeifitistheproductoftwoprimes.)
Therearetwolabelingschemes.
bythenumberofdecimaldigits:
RSA-100,...,RSA-500,RSA-617.
bythenumberofbits:
RSA-576,640,704,768,896,1024,1536,2048.
RSANumberswhichhavebeenfactored
RSA-100(332bits),1991,7MIPS-year,QuadraticSieve.
RSA-110(365bits),1992,75MIPS-year,QS.
RSA-120(398bits),1993,830MIPS-year,QS.
RSA-129(428bits),1994,5000MIPS-year,QS.
RSA-130(
RSA-130(4431
31bits),1996,1000MIPS-year,GNFS.
RSA-140(465bits),1999,2000MIPS-year,GNFS.
RSA-155(512bits),1999,8000MIPS-year,GNFS.
RSA-160(530bits),2003,LatticeSieve.
RSA-576(174digits),2003,LatticeSieve.
RSA-640(193digits),2005,LatticeSieve.
RSA-200(663bits),2005,LatticeSieve.
RSA-200=
27,997,833,911,221,327,870,829,467,638,
722,601,621,070,446,786,955,428,537,560,
009,929,326,128,400,107,609,345,671,052,
955,360,856,061,822,351,910,951,365,788,
637,105,954,482,006,576,775,098,580,557,
613,579,098,734,950,144,178,863,178,946,
295,187,237,869,221,823,983.
65
Ring

A ring, R = <{}, , >, is an algebraic structure with two


operations.

4.66
The set Z with two operations, addition and
multiplication, is a commutative ring.

We show it by R = <Z, +, >.

Addition satisfies all of the five properties;

multiplication satisfies only three properties.

4.67
Field

A field, denoted by F = <{}, , > is a commutative ring


in which the second operation satisfies all five properties
defined for the first operation except that the identity of
the first operation has no inverse.

4.68
Finite Fields

Galois showed that for a field to be finite, the number of


elements should be pn, where p is a prime and n is a positive
integer.

A Galois field, GF(pn), is a finite field with pn elements.

4.69
GF(p) Fields

When n = 1, we have GF(p) field.

This field can be the set Zp, {0, 1, , p 1}, with two
arithmetic operations.

4.70
A very common field in this category is GF(2) with the set
{0, 1} and two operations, addition and multiplication

GF(2) field

4.71
We can define GF(5) on the set Z5 (5 is a prime) with
addition and multiplication operators

4.72
Summary

4.73
GF(2n) FIELDS

4.74
Let us define a GF(22) field in which the set has four 2-bit
words: {00, 01, 10, 11}.

We can redefine addition and multiplication for this field in


such a way that all properties of these operations are
satisfied.

4.75
Polynomials

A polynomial of degree n 1 is an expression


of the form

where xi is called the ith term and ai is called coefficient of


the ith term.

4.76
Representation of an 8-bit word by a polynomial

We can represent the 8-bit word (10011001) using a polynomials.

4.77
To find the 8-bit word related to the polynomial x5 + x2 + x,
we first supply the omitted terms. Since n = 8, it means the
polynomial is of degree 7.

The expanded polynomial is

This is related to the 8-bit word 00100110.

4.78
GF(2n) Fields

Polynomials representing n-bit words use two fields: GF(2) and


GF(2n).

4.79
Modulus
For the sets of polynomials in GF(2n), a group of
polynomials of degree n is defined as the modulus.

Such polynomials are referred to as irreducible


polynomials.

4.80
Addition and subtraction operations on polynomials
are the same operation.

(x5 + x2 + x) (x3 + x2 + 1) in GF(28).

4.81
In the previous example, x5 + x2 + x is 00100110 and x3 + x2
+ 1 is 00001101.

Using XOR, the result is 00101011 or in polynomial


notation x5 + x3 + x + 1.

4.82
Multiplication

1. The coefficient multiplication is done in GF(2).


2. The multiplying xi by xj results in xi+j.

3. The multiplication may create terms with degree more


than n 1, which means the result needs to be reduced using
a modulus polynomial.

4.83
(x5 + x2 + x) (x7 + x4 + x3 + x2 + x) in GF(28) with irreducible
polynomial (x8 + x4 + x3 + x + 1).

Solution

To find the final result, divide the polynomial of degree 12 by the


polynomial of degree 8 (the modulus) and keep only the
remainder.

4.84
Polynomial division with coefficients in GF(2)

4.85
In GF (24), find the inverse of (x2 + 1) modulo (x4 + x + 1).

Solution
Using Euclidean algorithm the answer is (x3 + x + 1)

4.86
In GF(28), find the inverse of (x5) modulo (x8 + x4 + x3 + x + 1).

Solution
The answer is (x5 + x4 + x3 + x)

4.87
Using a Generator

Sometimes it is easier to define the elements of the


GF(2n) field using a generator.

4.88
Generate the elements of the field GF(24) using the irreducible
polynomial (x) = x4 + x + 1.

Solution
The elements 0, g0, g1, g2, and g3 can be easily generated, because
they are the 4-bit representations of 0, 1, x2, and x3.

Elements g4 through g14, which represent x4 though x14 need to be


divided by the irreducible polynomial.

To avoid the polynomial division, the relation (g) = g4 + g + 1 = 0


can be used.

4.89
4.90
The following show the results of addition and subtraction
operations:

4.91
The following show the result of multiplication and division
operations:.

4.92