Kaisa Nyberg Email: kaisa dot nyberg at aalto dot fi Department of Computer Science Aalto University School of Science
Lecture 1: Arrangements
Course contents
Finite Groups and Rings
Euclid's Algorithm
2/24
Course agenda
Course page: https://mycourses.aalto.fi/course/view.php?id=8905
12 lectures (in English), weeks 37-49 (excl. week 43), Mon 12:15-14:00, Room T2
First lecture Sep 7, last lecture Nov 30, no lecture Oct 20 (week 43)
Course grade = your exam result. Must pass programming assignments to pass the course.
Per department policy, student feedback is an obligatory part of this course. Instructions will be provided.
Upcoming exams:
Wed 16.12.15 09:00-12:00
Thu 18.02.16 13:00-16:00
Informal prerequisites: Discrete mathematics, Linear algebra, C programming
Exercises
6 exercise sessions biweekly:
Wed 12:15-14:00, rooms 2534-2535 (TUAS building)
Thu 10:15-12:00, T3 (T-building)
Thu 12:15-14:00, T3 (T-building)
Optional but highly recommended. Receive up to 6 exam bonus points.
Dates of first sessions: week 38
Teachers: Professor and Dr. Kaitai Liang
Programming assignments
Implementation is a great way to learn how stuff works.
2 assignments in C language:
AES
Authenticated encryption
We use MyCourses for handling the assignments.
Must complete both assignments to pass.
Assignments are individual work, not group work.
Late submissions not accepted. Period.
Assistant: Dr. Kimmo Järvinen
How to fail this course and risk academic suspension
Give your code to another student; or
Take (any part of) another student's code, and optionally
  change the variable names, or
  change the formatting, or
  move blocks of code around,
and submit it as your code.
Moral of the story: Write your own code and don't share any of it.
Textbooks
This course does not strictly follow a single textbook.
A recommended textbook for additional reading: C. Paar, J. Pelzl: Understanding Cryptography, Springer 2010
Good, comprehensive, and free references include:
Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/
Smart, Cryptography, An Introduction, http://www.cs.bris.ac.uk/~nigel/crypto_book/
If you want (more) pointers to material, please ask!
Course contents
Roughly symmetric crypto, then asymmetric crypto.
First half:
Mathematical background (algebra, groups, rings, fields, polynomial rings)
Classical cryptography (substitution, Vigenère, Playfair, Hill)
Block ciphers (DES, AES, modes of operation)
LFSRs, stream ciphers (A5/1, SNOW 2.0, Trivium)
Hash functions (MD5, SHA-1)
Second half:
Number theory (CRT, Euler's Theorem, fast exponentiation)
Public key cryptography (RSA, DSA, encryption, key agreement, signatures)
Authentication (HMAC, protocols, PKI)
Protocols (TLS, IPSec, SSH) (optional)
Side-channel attacks (power analysis, timing attacks) (optional)
Operations on sets
An operation on a set S is a function f : S × S → S. This implies closure: the result of the operation is again an element of S.
The operation can be given as a look-up table called the Cayley table.
Operations on bit-words
In how many ways can you operate on bit-words of length 8?
Bitwise...
Not bitwise... modular arithmetic
Monoids
A monoid (M, ∘) exhibits
1. Associativity: (a ∘ b) ∘ c = a ∘ (b ∘ c) for all a, b, c ∈ M.
2. Identity: There exists e ∈ M such that a ∘ e = e ∘ a = a for all a ∈ M.
Example. Bit-words of length 8 with the bitwise AND operation form a monoid.
Groups
A group (G, ∘) satisfies
1. (G, ∘) is a monoid.
2. Inverses: For all a ∈ G there exists b ∈ G such that a ∘ b = b ∘ a = e.
If a ∘ b = b ∘ a for all a, b ∈ G, then (G, ∘) is a commutative or abelian group.
Example. Bit-words of length m, that is, non-negative integers less than 2^m, with multiplication modulo 2^m and identity e = 1 form a monoid, but not a group. Non-zero elements exist which do not have multiplicative inverses: there is no integer x such that 0 ≤ x < 2^8 and 4x ≡ 1 (mod 2^8).
Another group example
Take G as all possible permutations of {1, 2, 3}, written in two-line notation (each element of the top row is mapped to the element below it):
π1 = [1 2 3 / 1 2 3]   π2 = [1 2 3 / 1 3 2]   π3 = [1 2 3 / 2 3 1]
π4 = [1 2 3 / 3 1 2]   π5 = [1 2 3 / 3 2 1]   π6 = [1 2 3 / 2 1 3]
and ∘ as function composition. Then the product π_i π_j (π_i applied first, then π_j) for all i, j = 1, 2, 3, 4, 5, 6 is

j\i |  1   2   3   4   5   6
----+-----------------------
 1  | π1  π2  π3  π4  π5  π6
 2  | π2  π1  π5  π6  π3  π4
 3  | π3  π6  π4  π1  π2  π5
 4  | π4  π5  π1  π3  π6  π2
 5  | π5  π4  π6  π2  π1  π3
 6  | π6  π3  π2  π5  π4  π1

This is the Cayley table of the group (G, ∘). The group (G, ∘) is not commutative: for example, π2 π3 = π5 but π3 π2 = π6.
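As an added example (not code from the lecture), the following C program builds the Cayley table above from the six permutations and checks that the group is not commutative; the names PERM, compose and is_commutative are my own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the lecture: the six permutations of {1,2,3}
 * in the slide's numbering, each stored as the images of 1, 2, 3. */
static const int PERM[6][3] = {
    {1, 2, 3}, /* pi_1 (identity) */
    {1, 3, 2}, /* pi_2 */
    {2, 3, 1}, /* pi_3 */
    {3, 1, 2}, /* pi_4 */
    {3, 2, 1}, /* pi_5 */
    {2, 1, 3}, /* pi_6 */
};

/* Slide convention: "pi_i pi_j" applies pi_i first, then pi_j.
 * Returns the 1-based index k such that pi_k is that composite. */
int compose(int i, int j)
{
    int img[3];
    for (int x = 0; x < 3; x++)
        img[x] = PERM[j - 1][PERM[i - 1][x] - 1];
    for (int k = 0; k < 6; k++)
        if (memcmp(img, PERM[k], sizeof img) == 0)
            return k + 1;
    return 0; /* unreachable: the set is closed under composition */
}

/* Returns 1 if pi_i pi_j == pi_j pi_i for every pair, else 0. */
int is_commutative(void)
{
    for (int i = 1; i <= 6; i++)
        for (int j = 1; j <= 6; j++)
            if (compose(i, j) != compose(j, i))
                return 0;
    return 1;
}

int main(void)
{   /* Cayley table with rows j and columns i, as on the slide */
    for (int j = 1; j <= 6; j++) {
        for (int i = 1; i <= 6; i++) printf(" pi%d", compose(i, j));
        printf("\n");
    }
    printf("commutative: %s\n", is_commutative() ? "yes" : "no");
    return 0;
}
```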
Rings
A ring (R, +, ·) satisfies
1. (R, +) is a commutative group with identity 0.
2. (R, ·) is a monoid with identity 1.
3. Distributivity: a · (b + c) = a · b + a · c and (a + b) · c = a · c + b · c for all a, b, c ∈ R.
Ring example
The set R = {0, 1, ..., 2^m - 2, 2^m - 1} with + as addition modulo 2^m and · as multiplication modulo 2^m is a finite ring called the ring of integers modulo 2^m, denoted Z_{2^m}. a ∈ Z_{2^m} has a multiplicative inverse if and only if a is odd.
Prime numbers
Q: Why is 2 the oddest of all primes? A: Because it is even.
An integer n ≥ 2 is said to be prime if its only positive divisors are 1 and n. Otherwise, n is called composite.
If p is prime, the set {0, 1, ..., p - 2, p - 1} with + as addition modulo p and · as multiplication modulo p is a prime field called the field of integers modulo p, denoted Z_p.
All non-zero elements in Z_p have inverses in Z_p, that is, Z_p \ {0} with multiplication is a group.
Euclid's algorithm, extended, and variants
D. Knuth, TAOCP vol 2: "We might call Euclid's method the granddaddy of all algorithms, because it is the oldest nontrivial algorithm that has survived to the present day."
Appeared in Euclid's Elements (300 BC).
Simply gcd(n, a) = gcd(a, n mod a) (applied recursively).
Can be applied in numerous settings. We are mostly interested in rings like Z_n and the polynomial ring Z_2[x], to be discussed later.
The extended version expresses the GCD of the two operands as a linear combination of said operands.
Table-based approach
The following produces equations n x_i + a y_i = r_i.
Set r_0 = n, r_1 = a, x_0 = y_1 = 1, x_1 = y_0 = 0.
For i ≥ 2:
  q_i = ⌊r_{i-2} / r_{i-1}⌋
  r_i = r_{i-2} - q_i r_{i-1}
  x_i = x_{i-2} - q_i x_{i-1}
  y_i = y_{i-2} - q_i y_{i-1}
until r_{i+1} = 0 holds.
This is essentially the same method as on the previous slide.
Table-based approach: integer example
n = 257 and a = 94

 i | q |   r |  x |   y
---+---+-----+----+-----
 0 |   | 257 |  1 |   0
 1 |   |  94 |  0 |   1
 2 | 2 |  69 |  1 |  -2
 3 | 1 |  25 | -1 |   3
 4 | 2 |  19 |  3 |  -8
 5 | 1 |   6 | -4 |  11
 6 | 3 |   1 | 15 | -41
 7 | 6 |   0 |    |      <-- stop: gcd(257, 94) = r_6 = 1

Every row satisfies 257 x_i + 94 y_i = r_i; the last non-zero row gives 257 · 15 + 94 · (-41) = 1.
Computing inverses
Use the EEA to compute multiplicative inverses. Examples:
Take a ∈ Z_{2^m} odd, so gcd(2^m, a) = 1. EEA yields x, y such that 2^m x + a y = 1. Then a y ≡ 1 (mod 2^m), so a^{-1} = y mod 2^m.
Take a ∈ Z_p, a ≠ 0. p is prime, so gcd(p, a) = 1. EEA yields x, y such that p x + a y = 1. Then a y ≡ 1 (mod p), so a^{-1} = y (mod p).
It is generally useful in any commutative ring.
Inversion examples
From the previously computed linear combination examples:
Take 94 ∈ Z_257: (-41) · 94 + 15 · 257 = 1 gives 94^{-1} mod 257 = -41 ≡ 216 (mod 257).
Note 257 is prime. The multiplicative group of Z_257 gives an interesting operation on bit-words of length 8. This operation becomes well defined when you consider the bit-words as integers; the all-zero word is considered as the integer 256.
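As an added example (not the lecture's own code), the table-based recurrence of the previous slides and the inverse computations above in C; ext_gcd and mod_inverse are names of my choosing. Run on n = 257, a = 94 it reproduces the final table row (x = 15, y = -41) and 94^{-1} = 216 mod 257, and it reports that an even element of Z_{2^8} has no inverse.

```c
#include <stdio.h>

/* Added example, not the lecture's code: the table-based extended Euclidean
 * algorithm of the slides. Keeps n*x + a*y = r on every row, returns
 * gcd(n, a) and leaves the final x, y of the last non-zero row in *x, *y. */
long long ext_gcd(long long n, long long a, long long *x, long long *y)
{
    long long r0 = n, r1 = a, x0 = 1, x1 = 0, y0 = 0, y1 = 1;
    while (r1 != 0) {               /* stop once the next remainder is 0 */
        long long q = r0 / r1;      /* q_i = floor(r_{i-2} / r_{i-1}) */
        long long r = r0 - q * r1;  /* r_i = r_{i-2} - q_i r_{i-1} */
        long long xi = x0 - q * x1; /* x_i = x_{i-2} - q_i x_{i-1} */
        long long yi = y0 - q * y1; /* y_i = y_{i-2} - q_i y_{i-1} */
        r0 = r1; r1 = r;            /* shift the two-row window down */
        x0 = x1; x1 = xi;
        y0 = y1; y1 = yi;
    }
    *x = x0; *y = y0;
    return r0;
}

/* Inverse of a modulo n via the EEA: if gcd(n, a) = 1 then a*y = 1 (mod n),
 * so a^{-1} = y mod n. Returns -1 when no inverse exists, e.g. an even a
 * in Z_{2^m} (the gcd is then at least 2). */
long long mod_inverse(long long n, long long a)
{
    long long x, y;
    if (ext_gcd(n, a, &x, &y) != 1)
        return -1;
    return ((y % n) + n) % n;       /* lift a negative y into [0, n) */
}

int main(void)
{
    long long x, y, g = ext_gcd(257, 94, &x, &y);
    printf("gcd(257, 94) = %lld: 257*(%lld) + 94*(%lld) = %lld\n",
           g, x, y, 257 * x + 94 * y);
    printf("94^-1 mod 257 = %lld\n", mod_inverse(257, 94));
    printf("4^-1 mod 256 = %lld (none: 4 is even)\n", mod_inverse(256, 4));
    return 0;
}
```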
Supplementary reading
Understanding Cryptography, Section 1.4, pp. 13-17
Handbook of Applied Cryptography, Section 2.5