Computationally-minded individuals are especially welcome! The class will be driven by applications and examples. Homework: Homework is due on Wednesdays. Be sure to show your work and explain how you got your answer.
Correct but incomplete answers will only receive partial credit. Some of the problems may require you to consult the text; this is an intentional effort to encourage you to read the required and recommended books throughout the course.
Front Matter, Pages i-xi. Congruences and Residue Class Rings.
RSA was factored by a team of researchers in Germany and other countries in December,
Introduction to Cryptography / Johannes Buchmann.
German edition: Einführung in die Kryptographie II.
Contents (excerpt): 2. Residue Class Rings: Residue Class Ring; Division in the Residue Class Ring; Fermat's Little Theorem; Fast Exponentiation; Polynomials over Fields; Construction of Finite Fields. 3. Encryption: DES Algorithm; An Example; Security of DES; Exercises. 7. Prime Number Generation.
I have updated the discussion of the security of encryption and signature schemes and the state of the art in factoring and computing discrete logarithms.
I have added descriptions of time-memory trade-off attacks and algebraic attacks on block ciphers, the Advanced Encryption Standard (AES), the Secure Hash Algorithm (SHA-1), secret sharing schemes, and undeniable and blind signatures. I have also corrected the errors that have been reported to me. I thank the readers of the first edition for all their comments and suggestions.
Modern cryptographic techniques have many uses, such as digitally signing documents, access control, implementing electronic money, and copyright protection. Because of these important uses, it is necessary that users be able to estimate the efficiency and security of cryptographic techniques. It is not sufficient for them to know only how the techniques work. This book is written for readers who want to learn about modern cryptographic algorithms and their mathematical foundation but who do not have the necessary mathematical background.
It is my goal to explain the basic techniques of modern cryptography, including the necessary mathematical results from linear algebra, algebra, number theory, and probability theory.
I only assume basic mathematical knowledge. The book is based on courses in cryptography that I have been teaching at the Technical University Darmstadt. I thank all students who attended the courses and who read the manuscript carefully for their interest and support.
In this chapter we present important properties of integers and describe fundamental algorithms. The rational numbers are denoted by Q and the real numbers by R. Clearly, we have N ⊂ Z ⊂ Q ⊂ R. Real numbers, including integers and rational numbers, can be added and multiplied.
We assume that this is known. We use the following rules. If the product of two real numbers is zero, then at least one factor is zero so it is impossible that both factors are non-zero but the product is zero.
Real numbers can be compared. For example, √2 is less than 2 but greater than 1. If a real number α is less than another real number β, then we write α < β. If γ is another real number, then α … Hence, ⌊α⌋ is the greatest integer that is less than or equal to α. Example 1. In this chapter, lower case italic letters denote integers. Divisibility. We also say that n is divisible by a. If a is not a divisor of n, then we write a ∤ n.
We prove a few simple rules. Theorem 1. If a | b and b ≠ 0, … Suppose that a | b and b | a. If a ≠ 0, … It shows that division with remainder of integers is possible.
Theorem 1. If a is replaced by a mod b, then we say that a is reduced modulo b. Representation of Integers. In books, integers are written in decimal expansion. On computers, binary expansion is used. More generally, integers can be represented using the so-called g-adic expansion, which is explained in this section. For a set M, let M^k be the set of all sequences of length k with entries from M.
If a can be represented as in 1. … We first prove the uniqueness. If there is a representation as in 1. … Its elements are called digits. Instead of a_1, … When writing the hexadecimal expansion, we use A, B, C, D, E, F instead of the digits 10, 11, …, 15. This is applied in the next example. Example 1. For 1 ≤ i ≤ k, let b_{1,i} b_{2,i} b_{3,i} b_{4,i} be the bit string of length 4 which represents h_i. Then b_{1,1} b_{2,1} b_{3,1} b_{4,1} b_{1,2} … is the binary expansion of n.
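The g-adic expansion and the hexadecimal-to-binary conversion of the example above, as an added Python illustration that is not code from the book: digits are listed most significant first, as in the text's a_1, …, a_k, and each hexadecimal digit h_i is replaced by its bit string of length 4. The function names are my own.

```python
HEX_DIGITS = "0123456789ABCDEF"  # the letters A..F stand for the digit values 10..15


def g_adic_expansion(n, g):
    """Return the g-adic digits (a_1, ..., a_k) of the non-negative integer n,
    most significant digit first, so that n = sum of a_i * g**(k - i).
    The expansion of 0 is the single digit [0]; otherwise a_1 != 0."""
    if g < 2:
        raise ValueError("the base g must be at least 2")
    if n < 0:
        raise ValueError("n must be non-negative")
    if n == 0:
        return [0]
    digits = []
    while n > 0:
        n, d = divmod(n, g)  # peel off the least significant digit
        digits.append(d)
    digits.reverse()         # digits were collected least significant first
    return digits


def from_g_adic(digits, g):
    """Inverse of g_adic_expansion: evaluate sum a_i * g**(k - i) by Horner's rule."""
    value = 0
    for d in digits:
        if not 0 <= d < g:
            raise ValueError("digit %r is not a valid base-%d digit" % (d, g))
        value = value * g + d
    return value


def hex_to_binary(hex_string):
    """Convert a hexadecimal expansion h_1 ... h_k (a string over 0-9, A-F) to the
    binary expansion of the same number by replacing every h_i with its 4-bit
    string b_{1,i} b_{2,i} b_{3,i} b_{4,i}.  Leading zeros are stripped at the
    end, because the binary expansion of n > 0 starts with a 1."""
    if not hex_string:
        raise ValueError("empty hexadecimal expansion")
    bits = ""
    for h in hex_string.upper():
        value = HEX_DIGITS.index(h)  # raises ValueError for a non-hex character
        group = "".join(str(b) for b in g_adic_expansion(value, 2))
        bits += group.rjust(4, "0")  # pad to a bit string of length exactly 4
    return bits.lstrip("0") or "0"


if __name__ == "__main__":
    print(g_adic_expansion(105, 2), from_g_adic([1, 1, 0, 1, 0, 0, 1], 2))
    print(hex_to_binary("2A"), int(hex_to_binary("2A"), 2))
```

Running the script prints the binary digits of 105 and shows that the hexadecimal string 2A expands to 101010, which Python's own `int(..., 2)` reads back as 42.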
The length of the binary expansion of a positive integer is also referred to as its binary length. The binary length of 0 is defined to be 1. The binary length of an integer is defined to be the binary length of its absolute value. It is denoted by size(a) or size a. To simplify such estimates, we introduce the O- and the Ω-notation. Cost of Addition, Multiplication, and Division with Remainder. This means that almost always f(n_1, …, n_k) ≤ C g(n_1, …, n_k).
To estimate the running time of such applications, we must study how long such operations take. This is described in detail in and .
Here, we only use a naive model, which, however, yields reasonable estimates. Let a and b be positive integers, which are given by their binary representations.
Let m be the binary length of a and let n be the binary length of b. We assume that the addition of two bits takes time O(1). We use the school method also for multiplication. For each 1 in the binary expansion of b, we write a so that the rightmost bit of a is below that 1. Then this a is added to the previous result. Any such addition takes time O(m), and O(n) additions are necessary. The computation takes time O(mn). The algorithm of Schönhage and Strassen can multiply two n-bit numbers in time O(n log n log log n).
In practice, this algorithm is less efficient than the school method for operands that have fewer than 10, bits. We also use the school method to divide a by b with remainder. We divide a with remainder by b. Let k be the binary length of the quotient. This takes time O(kn). We therefore obtain the following bounds, which will be used henceforth: Let a and b be integers.
Multiplying a and b requires time O(size(a) size(b)). Dividing a with remainder by b requires time O(size(b) size(q)), where q is the quotient. We make the notion of "efficiency" more precise. Suppose an algorithm receives as input integers z_1, … We say that the algorithm has polynomial running time if there are nonnegative integers e_1, …
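The school-method cost estimates of this section, as an added Python example that is not from the book: `size` is the binary length defined above, and the multiplication and division routines count bit operations under the text's model (one bit addition costs O(1); each addition in the multiplication is charged size(a); each step of the long division is charged size(b)), so the returned counts can be compared with the bounds O(size(a) size(b)) and O(size(b) size(q)). The function names and the cost bookkeeping are my own.

```python
def size(a):
    """Binary length of an integer a: the length of the binary expansion of |a|,
    with size(0) = 1 by definition (the text's 'size a')."""
    a = abs(a)
    return 1 if a == 0 else a.bit_length()


def school_add(a, b):
    """Add non-negative a and b bit by bit, as in the school method.
    Returns (sum, cost) where cost counts the bit additions performed: one per
    bit position of the longer operand, i.e. O(max(size(a), size(b)))."""
    width = max(size(a), size(b))
    total, carry, cost = 0, 0, 0
    for i in range(width):
        s = ((a >> i) & 1) + ((b >> i) & 1) + carry  # add two bits and the carry
        total |= (s & 1) << i
        carry = s >> 1
        cost += 1
    return total | (carry << width), cost


def school_multiply(a, b):
    """School multiplication of non-negative a and b.
    For every 1-bit of b, a copy of a is written with its rightmost bit below
    that 1 (a shift) and added to the running result.  In the text's cost model
    each addition costs size(a) and there are at most size(b) of them, so the
    returned cost is at most size(a) * size(b)."""
    m = size(a)
    result, cost = 0, 0
    for i in range(size(b)):
        if (b >> i) & 1:
            result += a << i
            cost += m
    return result, cost


def school_divide(a, b):
    """Division with remainder a = q*b + r, 0 <= r < b, by the school method
    (restoring binary long division), for a >= 0 and b > 0.
    Returns (q, r, cost): one quotient bit is produced per step, every step
    compares/subtracts an n-bit number with n = size(b), and there are at most
    size(q) + 1 steps, so cost <= (size(q) + 1) * size(b)."""
    if b <= 0 or a < 0:
        raise ValueError("need a >= 0 and b > 0")
    if a < b:
        return 0, a, 0
    la, n = size(a), size(b)
    r = a >> (la - n + 1)              # the top n-1 bits of a, which are < b
    q, cost = 0, 0
    for i in range(la - n, -1, -1):
        r = (r << 1) | ((a >> i) & 1)  # bring down the next bit of a
        q <<= 1
        cost += n                      # one n-bit compare-and-subtract
        if r >= b:
            r -= b
            q |= 1
    return q, r, cost


if __name__ == "__main__":
    print(school_multiply(13, 11), size(13) * size(11))
    q, r, cost = school_divide(1000, 7)
    print(q, r, cost, (size(q) + 1) * size(7))
```

The division routine skips the first n-1 steps of a naive bit-by-bit long division, whose partial remainder would be smaller than b anyway; that is what makes its cost proportional to size(q) rather than size(a), matching the bound the text states.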
Observe, however, that in order for the algorithm to be efficient in practice, the exponents e_i and the O-constant must be small. Definition 1. It is called the greatest common divisor gcd(a, b) of a and b. By Theorem 1. … Therefore, among the common divisors of a and b there is a unique greatest.
Hence, the greatest common divisor of two numbers is never negative. The greatest common divisor of … and 20 is … The greatest common divisor of −20 and … is 2. The greatest common divisor of 12 and 0 is … The greatest common divisor of integers a_1, …, a_k, k ≥ 1, is defined as follows.
If at least one of the a_j is nonzero, then gcd(a_1, …, a_k) … If all the a_j are zero, then we set gcd(a_1, …, a_k) … Next, we present an important way of representing a greatest common divisor.
We need the following notation. If a_1, … This is the set of all integer linear combinations of the a_j. It therefore also contains all integer multiples of 1. Hence, this set is Z. The next theorem shows that the result in the previous example was not an accident. Let g be the smallest positive integer in I. To see this, choose a nonzero element c in I. Corollary 1. Since gcd(a, b) divides itself, the assertion follows immediately from Corollary 1.
Proof. The greatest common divisor of a and b is a nonnegative common divisor of a and b. Moreover, by Corollary 1. … Therefore, every common divisor of a and b is a divisor of gcd(a, b). This shows that there exists a common divisor of a and b that is divisible by any common divisor of a and b. Conversely, let g be a nonnegative divisor of a and b that is divisible by every common divisor of a and b.
If a or b is nonzero, then by Theorem 1. … The fact that both problems admit efficient solutions is crucial for many cryptographic systems. In the next sections we present and analyze the Euclidean algorithm, which solves both problems. It is based on the following theorem. We prove the second assertion. Therefore, the greatest common divisor of a and b divides the greatest common divisor of |b| and a mod |b|, and vice versa.
Since both greatest common divisors are nonnegative, the assertion follows from Theorem 1. … From Theorem 1. … First, the Euclidean algorithm replaces a by |a| and b by |b|.
This has no effect in our example. As long as b is nonzero, the algorithm replaces a by b and b by a mod b. Figure 1. We prove the correctness of the Euclidean algorithm. Proof. To prove that the Euclidean algorithm terminates and yields gcd(a, b), we introduce some notation that will also be used later.
Also, after the kth iteration of the While-loop, we have … It follows from Theorem 1. … But this follows from the fact that by 1. … This concludes the correctness proof for the Euclidean algorithm. This is important for cryptographic applications. To prove the efficiency, we estimate the number of iterations required by the Euclidean algorithm.
Then n is the number of iterations which the Euclidean algorithm requires to compute gcd(a, b). Furthermore, let 1. …
Euclidean Algorithm (trace table with columns k, r_k, q_k; extracted values: 1 0 35 2 2 30 1 3 5 15 4 0 6).
To estimate the number n of iterations, we prove the following auxiliary result. Lemma 1. … √5 / 2 … We now prove 1. … Then Lemma 1. … In this section, we extend the Euclidean algorithm in such a way that it also determines such coefficients x and y. As in Section 1. … The required coefficients are … Example 1. Then the values r_k, q_k, x_k, and y_k are listed in the following table. The pseudocode of the extended Euclidean algorithm can be found in Figure 1.
We also update the coefficients x and y. We use the matrices … 1 ≤ k ≤ n, 1. … We have … 1. … Exercise 1. Prove the following assertions: 1. There are integers x_1, … The greatest common divisor of a_1, …, a_k is the uniquely determined nonnegative common divisor of a_1, … Exercise 1. Compare this computation with the computation in Exercise 1. Prove that the modified Euclidean algorithm from Exercise 1. …
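The Euclidean algorithm of the previous section and its extended form from this one, as a single added Python example that is not the book's own code: `extended_euclid` runs the While-loop described in the text on |a| and |b|, records the trace table (k, r_k, q_k, x_k, y_k) with the invariant r_k = x_k·|a| + y_k·|b|, and returns gcd(a, b) together with coefficients x, y such that xa + yb = gcd(a, b). The `mod_inverse` function shows the cryptographic use the text alludes to (division in the residue class ring); the function names are my own.

```python
def extended_euclid(a, b):
    """Extended Euclidean algorithm for integers a and b.
    Returns (g, x, y, rows) with g = gcd(a, b) >= 0 and x*a + y*b = g.
    rows is the trace table from the text: one tuple (k, r_k, q_k, x_k, y_k)
    per row, with r_0 = |a|, r_1 = |b|, q_k = r_{k-1} div r_k, and the
    invariant r_k = x_k*|a| + y_k*|b| holding in every row."""
    r0, r1 = abs(a), abs(b)
    x0, y0, x1, y1 = 1, 0, 0, 1          # r_0 = 1*|a| + 0*|b|, r_1 = 0*|a| + 1*|b|
    rows = [(0, r0, None, x0, y0)]
    k = 1
    while r1 != 0:
        q = r0 // r1                     # q_k
        rows.append((k, r1, q, x1, y1))
        r0, r1 = r1, r0 - q * r1         # r_{k+1} = r_{k-1} mod r_k
        x0, x1 = x1, x0 - q * x1         # keep the invariant for the new remainder
        y0, y1 = y1, y0 - q * y1
        k += 1
    rows.append((k, 0, None, x1, y1))    # final row: the remainder has become 0
    # r0 is now gcd(|a|, |b|) = gcd(a, b); undo the absolute values via the signs
    x = -x0 if a < 0 else x0
    y = -y0 if b < 0 else y0
    return r0, x, y, rows


def gcd(a, b):
    """Greatest common divisor via the Euclidean algorithm (never negative)."""
    return extended_euclid(a, b)[0]


def iterations(a, b):
    """Number n of iterations of the Euclidean algorithm's While-loop."""
    return len(extended_euclid(a, b)[3]) - 2


def mod_inverse(a, m):
    """Inverse of a modulo m > 1: the x in {0, ..., m-1} with a*x = 1 (mod m).
    It exists exactly when gcd(a, m) = 1 and is read off the coefficient x of
    x*a + y*m = 1; this is how division in the residue class ring is done."""
    g, x, _, _ = extended_euclid(a, m)
    if g != 1:
        raise ValueError("%d has no inverse modulo %d (gcd is %d)" % (a, m, g))
    return x % m


if __name__ == "__main__":
    g, x, y, rows = extended_euclid(100, 35)
    print("gcd(100, 35) = %d = %d*100 + %d*35" % (g, x, y))
    print(" k   r_k  q_k  x_k  y_k")
    for k, r, q, xk, yk in rows:
        print("%2d %5d %4s %4d %4d" % (k, r, "-" if q is None else q, xk, yk))
```

For a = 100 and b = 35 the script prints the remainders 100, 35, 30, 5, 0 with quotients 2, 1, 6, so n = 3 iterations, and the coefficients x = −1, y = 3 with (−1)·100 + 3·35 = 5.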
It works as follows. Write the list of integers 2, 3, 4, 5, …, C. … 2, 3, … If i is still in the list, delete all proper multiples of i in the list. The numbers remaining in the list are the prime numbers ≤ C. Prove the correctness of this algorithm.
Write a program that implements it.
We also discuss algorithms for finite abelian groups. These techniques are of great importance in cryptographic algorithms. In this chapter, m is a positive integer and lowercase italic letters denote integers. Example 2. It can be easily verified that congruence modulo m is an equivalence relation on the integers.
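The sieve of Eratosthenes from the exercise above ("write a program that implements it"), as an added Python example that is not from the book. The loop bound ⌊√C⌋ is the standard one (the exercise's own bound is lost in this copy of the text); a trial-division primality test is included only to check the sieve against an independent method. Function names are my own.

```python
import math


def sieve(C):
    """Sieve of Eratosthenes: the list of all primes <= C, computed as in the
    exercise.  Start from the list 2, 3, ..., C; for i = 2, 3, ..., floor(sqrt(C)),
    if i is still in the list, delete all proper multiples of i from it.  What
    remains are exactly the primes <= C."""
    if C < 2:
        return []
    in_list = [True] * (C + 1)        # in_list[n] is True while n is still in the list
    in_list[0] = in_list[1] = False   # 0 and 1 were never in the list
    for i in range(2, math.isqrt(C) + 1):
        if in_list[i]:
            # The proper multiples 2i, 3i, ..., (i-1)i were already deleted as
            # multiples of a smaller prime, so deleting from i*i on gives the
            # same list as deleting all proper multiples, with less work.
            for multiple in range(i * i, C + 1, i):
                in_list[multiple] = False
    return [n for n in range(2, C + 1) if in_list[n]]


def is_prime_by_trial_division(n):
    """Independent check used to test the sieve: n > 1 is prime iff no d with
    2 <= d <= sqrt(n) divides it."""
    if n < 2:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))


if __name__ == "__main__":
    print(sieve(50))
```

Why the bound ⌊√C⌋ suffices is the correctness argument the exercise asks for: a composite n ≤ C has a prime factor p ≤ √n ≤ √C, and n is deleted when that p is processed.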
This means that 1. … Lemma 2. When divided by m, both a and b leave the same remainder. The equivalence class of a consists of all integers that are obtained from a by adding integer multiples of m; i.e. … This equivalence class is called the residue class of a mod m. The residue class of 0 mod 2 is the set of all even integers. The residue class of 1 mod 2 is the set of all odd integers. It has m elements, since 0, 1, 2, …
Vallin, MathDL, January: "I enjoy reading this book."
"The original text grew out of several courses on cryptography given by the author at the Technical University Darmstadt; it is aimed at readers who want to learn about modern cryptographic techniques and its mathematical foundations …. As compared with the first edition the number of exercises has almost been doubled and some material … has been added."