crypto refresh: computational algebra · information theory:proving that an attacker’s view on...
TRANSCRIPT
![Page 1: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/1.jpg)
Crypto refresh: Computational AlgebraCryptographic Engineering
Clément PERNET
M2 Cyber Security,UFR-IM2AG, Univ. Grenoble-Alpes
ENSIMAG, Grenoble INP
![Page 2: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/2.jpg)
Outline
Introduction
Computational complexity refresh
Algebra refresh
Arithmetic refresh (computational viewpoint)
Algebra refresh reloaded
![Page 3: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/3.jpg)
Introduction
Assessing the security of a cryptosystem:
Information theory: proving that an attacker’s view on the protocolleaks no information (data is indistinguishable from apure random source)⇒discrete probabilities
Computational complexity: eventhough the attacker knows allinformation required to break the system, it would becomputationnaly unfeasable to compute it.⇒computer algebra⇒complexity analysis⇒complexity theory (reductions)
![Page 4: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/4.jpg)
Outline
Introduction
Computational complexity refresh
Algebra refresh
Arithmetic refresh (computational viewpoint)
Algebra refresh reloaded
![Page 5: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/5.jpg)
Computational complexity
How to guess the consumption of the execution of an algorithm on agiven instance?
I in timeI in space
The cost model (simplifying assumptions)
I Define units: which operation has cost 1, which data stores inspace 1.
I cost only depend on the input size:I uniform across all instancesI worst case analysis
I Asymptotic analysis
=
![Page 6: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/6.jpg)
Computational complexity
How to guess the consumption of the execution of an algorithm on agiven instance?
I in timeI in space
The cost model (simplifying assumptions)
I Define units: which operation has cost 1, which data stores inspace 1.
I cost only depend on the input size:I uniform across all instancesI worst case analysis
I Asymptotic analysis
=
![Page 7: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/7.jpg)
Computational complexity
How to guess the consumption of the execution of an algorithm on agiven instance?
I in timeI in space
The cost model (simplifying assumptions)
I Define units: which operation has cost 1, which data stores inspace 1.
I cost only depend on the input size:I uniform across all instancesI worst case analysis
I Asymptotic analysis
C(n) =
![Page 8: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/8.jpg)
Computational complexity
How to guess the consumption of the execution of an algorithm on agiven instance?
I in timeI in space
The cost model (simplifying assumptions)
I Define units: which operation has cost 1, which data stores inspace 1.
I cost only depend on the input size:I uniform across all instancesI worst case analysis
I Asymptotic analysis
C(n) = O(n2)
![Page 9: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/9.jpg)
Asymptotics refreshLandau notation:
I f (n) = O(g(n)) iff f (n) ≤ Kg(n) ∀ n ≥ n0 for some K > 0 and n0 ≥ 0I f (n) = Ω(g(n)) iff g(n) = O (f (n))
I f (n) = Θ(g(n)) iff f (n) = O (g(n)) and g(n) = O (f (n))
Equivalently, f (n) = O(g(n)) if f (n)/g(n) is bounded by a constant forall n sufficiently large.
Example
2n3 − 3n2 log n + 5n + 12 = Θ(n3)
n + 1 = O(1
1000n)
n log n = O(n2)
n2 + 100000n1.9 = Ω(n2)
(3n + 1) log2 n 6= O(n log n)
2n3 − 3n2 log n + 5n + 12 = Θ(n3)
![Page 10: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/10.jpg)
Asymptotics refreshLandau notation:
I f (n) = O(g(n)) iff f (n) ≤ Kg(n) ∀ n ≥ n0 for some K > 0 and n0 ≥ 0I f (n) = Ω(g(n)) iff g(n) = O (f (n))
I f (n) = Θ(g(n)) iff f (n) = O (g(n)) and g(n) = O (f (n))
Equivalently, f (n) = O(g(n)) if f (n)/g(n) is bounded by a constant forall n sufficiently large.
Example
2n3 − 3n2 log n + 5n + 12 = Θ(n3)
n + 1 = O(1
1000n)
n log n = O(n2)
n2 + 100000n1.9 = Ω(n2)
(3n + 1) log2 n 6= O(n log n)
2n3 − 3n2 log n + 5n + 12 = Θ(n3)
![Page 11: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/11.jpg)
Asymptotics refresh
poly-logarithmic notations (soft-O)
f (n) = O (g(n)) iff f (n) = O (g(n) loge g(n)) for some e > 0
Example
n log n log log n = O (n)
⇒Quasi-linear complexity.
![Page 12: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/12.jpg)
Asymptotics refresh
poly-logarithmic notations (soft-O)
f (n) = O (g(n)) iff f (n) = O (g(n) loge g(n)) for some e > 0
Example
n log n log log n = O (n)
⇒Quasi-linear complexity.
![Page 13: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/13.jpg)
Magnitudes
Linear or Exp time ?
Size of an integer n represented in base 2 : s = dlog2 ne bits.
n = Θ(2s) = Θ(exp(s))
⇒any algorithm working on an integer n with complexity linear in ntakes actually exponential time in the input size.
![Page 14: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/14.jpg)
Orders of magnitude in practice
Nowadays computer are quite fast
Speed of a PC: 3GHz ⇒3× 109 × 4× 2 int64_t mult. per sec.I Video projector is at 3m to the screen: 300 000km/s ⇒10−8sI 240 multiplications done before the light reaches the screen
I Age of the universe : 15 billion × 365× 24× 3600 ≈ 5.1017s ≈ 259sI Number of electrons in the universe : ≈ 1064 ≈ 2213
I Complexities for algorithms working with 128 bit integers
Complexity s s2 s3 s4 n = 2s
Nb of ops 128 16 384 2 · 106 3 · 108 1039
Time on a 2.5Ghz PC 5.3ns 0.68µs 87.4µs 11.2ms 1.42 · 1028s
⇒1.42 · 1028s ≈ 3 · 1010 times the age of the universe !
![Page 15: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/15.jpg)
Orders of magnitude in practice
Nowadays computer are quite fast
Speed of a PC: 3GHz ⇒3× 109 × 4× 2 int64_t mult. per sec.I Video projector is at 3m to the screen: 300 000km/s ⇒10−8sI 240 multiplications done before the light reaches the screen
I Age of the universe : 15 billion × 365× 24× 3600 ≈ 5.1017s ≈ 259s
I Number of electrons in the universe : ≈ 1064 ≈ 2213
I Complexities for algorithms working with 128 bit integers
Complexity s s2 s3 s4 n = 2s
Nb of ops 128 16 384 2 · 106 3 · 108 1039
Time on a 2.5Ghz PC 5.3ns 0.68µs 87.4µs 11.2ms 1.42 · 1028s
⇒1.42 · 1028s ≈ 3 · 1010 times the age of the universe !
![Page 16: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/16.jpg)
Orders of magnitude in practice
Nowadays computer are quite fast
Speed of a PC: 3GHz ⇒3× 109 × 4× 2 int64_t mult. per sec.I Video projector is at 3m to the screen: 300 000km/s ⇒10−8sI 240 multiplications done before the light reaches the screen
I Age of the universe : 15 billion × 365× 24× 3600 ≈ 5.1017s ≈ 259sI Number of electrons in the universe : ≈ 1064 ≈ 2213
I Complexities for algorithms working with 128 bit integers
Complexity s s2 s3 s4 n = 2s
Nb of ops 128 16 384 2 · 106 3 · 108 1039
Time on a 2.5Ghz PC 5.3ns 0.68µs 87.4µs 11.2ms 1.42 · 1028s
⇒1.42 · 1028s ≈ 3 · 1010 times the age of the universe !
![Page 17: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/17.jpg)
Orders of magnitude in practice
Nowadays computer are quite fast
Speed of a PC: 3GHz ⇒3× 109 × 4× 2 int64_t mult. per sec.I Video projector is at 3m to the screen: 300 000km/s ⇒10−8sI 240 multiplications done before the light reaches the screen
I Age of the universe : 15 billion × 365× 24× 3600 ≈ 5.1017s ≈ 259sI Number of electrons in the universe : ≈ 1064 ≈ 2213
I Complexities for algorithms working with 128 bit integers
Complexity s s2 s3 s4 n = 2s
Nb of ops 128 16 384 2 · 106 3 · 108 1039
Time on a 2.5Ghz PC 5.3ns 0.68µs 87.4µs 11.2ms 1.42 · 1028s
⇒1.42 · 1028s ≈ 3 · 1010 times the age of the universe !
![Page 18: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/18.jpg)
Outline
Introduction
Computational complexity refresh
Algebra refresh
Arithmetic refresh (computational viewpoint)
Algebra refresh reloaded
![Page 19: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/19.jpg)
Groups, Rings, Fields
Definition (informally)
A group (G, ∗, 1): is a set G with an associative law ∗ such thatI 1 is a neutral element x ∗ 1 = 1 ∗ x = xI every element of G is invertible: ∀x∃y, xy = yx = 1I Examples: (Z,+, 0); (Q \ 0,×, 1)
A ring (R,+,×, 0, 1) isI a group (R,+, 0)I with an associative law × with neutral element 1.I such that 0× x = 0I Examples: (Z/nZ,+,×, 0, 1); (Z[X],+,×, 0, 1)
A field (F,+,×, 0, 1) isI a ring (F,+,×, 0, 1)I where every element except 0 has an inverse for ×I equivalently such that (F \ 0,×, 1) is a group.I Examples: (Q,+,×, 0, 1); (Z/pZ,+,×, 0, 1) for p
prime
![Page 20: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/20.jpg)
Groups, Rings, Fields
Definition (informally)
A group (G, ∗, 1): is a set G with an associative law ∗ such thatI 1 is a neutral element x ∗ 1 = 1 ∗ x = xI every element of G is invertible: ∀x∃y, xy = yx = 1I Examples: (Z,+, 0); (Q \ 0,×, 1)
A ring (R,+,×, 0, 1) isI a group (R,+, 0)I with an associative law × with neutral element 1.I such that 0× x = 0I Examples: (Z/nZ,+,×, 0, 1); (Z[X],+,×, 0, 1)
A field (F,+,×, 0, 1) isI a ring (F,+,×, 0, 1)I where every element except 0 has an inverse for ×I equivalently such that (F \ 0,×, 1) is a group.I Examples: (Q,+,×, 0, 1); (Z/pZ,+,×, 0, 1) for p
prime
![Page 21: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/21.jpg)
Groups, Rings, Fields
Definition (informally)
A group (G, ∗, 1): is a set G with an associative law ∗ such thatI 1 is a neutral element x ∗ 1 = 1 ∗ x = xI every element of G is invertible: ∀x∃y, xy = yx = 1I Examples: (Z,+, 0); (Q \ 0,×, 1)
A ring (R,+,×, 0, 1) isI a group (R,+, 0)I with an associative law × with neutral element 1.I such that 0× x = 0I Examples: (Z/nZ,+,×, 0, 1); (Z[X],+,×, 0, 1)
A field (F,+,×, 0, 1) isI a ring (F,+,×, 0, 1)I where every element except 0 has an inverse for ×I equivalently such that (F \ 0,×, 1) is a group.I Examples: (Q,+,×, 0, 1); (Z/pZ,+,×, 0, 1) for p
prime
![Page 22: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/22.jpg)
An example of finite ring: Z/nZ
Z/nZ = 0, 1, . . . , n− 1 equiped with addition et mult. modulo n.
I (Z/nZ,+,×, 0, 1) is a ringI not necessarily a field: e.g. n = pq⇒pq = 0 mod n⇒neither p nor q have an inverse mod n
Theorem (Proof in next section)
(Z/nZ,+,×, 0, 1) is a field iff n is prime.
![Page 23: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/23.jpg)
An example of finite ring: Z/nZ
Z/nZ = 0, 1, . . . , n− 1 equiped with addition et mult. modulo n.
I (Z/nZ,+,×, 0, 1) is a ringI not necessarily a field: e.g. n = pq⇒pq = 0 mod n⇒neither p nor q have an inverse mod n
Theorem (Proof in next section)
(Z/nZ,+,×, 0, 1) is a field iff n is prime.
![Page 24: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/24.jpg)
Outline
Introduction
Computational complexity refresh
Algebra refresh
Arithmetic refresh (computational viewpoint)
Algebra refresh reloaded
![Page 25: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/25.jpg)
The ring of integers Z
Fixed precision 32, 64 bits
(24, 53)
: word size integers
uint32_t: [0..232 − 1]
int32_t: [−231 + 1..231 − 1]
uint64_t: [0..264 − 1]
int64_t: [−263 + 1..263 − 1]
Atomic cost:I add, mul, sub: ≈ 1 clock cycle;I div, mod : ≈ 10 clock cycles
Alternatively, one can store integers on floating point types:float: [−223 + 1..223 − 1]
double: [−252 + 1..252 − 1]
⇒faster on most CPUs, but slightly smaller representation capacity
⇒used for small integers; small finite fields/rings, ...
![Page 26: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/26.jpg)
The ring of integers Z
Fixed precision 32, 64 bits (24, 53): word size integers
uint32_t: [0..232 − 1]
int32_t: [−231 + 1..231 − 1]
uint64_t: [0..264 − 1]
int64_t: [−263 + 1..263 − 1]
Atomic cost:I add, mul, sub: ≈ 1 clock cycle;I div, mod : ≈ 10 clock cycles
Alternatively, one can store integers on floating point types:float: [−223 + 1..223 − 1]
double: [−252 + 1..252 − 1]
⇒faster on most CPUs, but slightly smaller representation capacity
⇒used for small integers; small finite fields/rings, ...
![Page 27: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/27.jpg)
The ring of integers Z
Fixed precision 32, 64 bits (24, 53): word size integers
uint32_t: [0..232 − 1]
int32_t: [−231 + 1..231 − 1]
uint64_t: [0..264 − 1]
int64_t: [−263 + 1..263 − 1]
Atomic cost:I add, mul, sub: ≈ 1 clock cycle;I div, mod : ≈ 10 clock cycles
Alternatively, one can store integers on floating point types:float: [−223 + 1..223 − 1]
double: [−252 + 1..252 − 1]
⇒faster on most CPUs, but slightly smaller representation capacity
⇒used for small integers; small finite fields/rings, ...
![Page 28: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/28.jpg)
The ring of integers Z
Multi-precision
I No native hardware supportI Software emulation: C/C++ libraries GMP/MPIR:⇒vectors of 64 bits unsigned words
Basic arithmetic no longer have unit cost: depend on s = log64 nAddition O (s)
Multip.
Classic s < 32 words O(s2)
Karatsuba 32 < s < 256 O(s1.585)
Toom-Cook O(s1.465)
FFT s > 10000 words O(
s log s 4log∗ s)
= O (s)
Division O (M(s)) = O (s)
GCD Euclidean Alg. O(s2)
Fast Euclid. Alg. O (M(s) log s) = O (s)
![Page 29: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/29.jpg)
FFT based integer multiplicationFrom integer to polynomial multiplication
c = a× bdlog2 aedlog2 be∑
i=0
ci(264)i = (
dlog2 ae∑i=0
ai(264)i)× (
dlog2 be∑i=0
bi(264)i)
dA+dB∑i=0
ciXi = (
dA∑i=0
aiXi)× (
dB∑i=0
biXi)
Evaluation-Interpolation
A(X) × B(X) = C(X)↓ ↓ ↑
(A(x1), . . .A(xn)) · (B(x1), . . .B(xn)) = (C(x1), . . .C(xn))
if n ≥ dA + dB + 1
![Page 30: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/30.jpg)
FFT based integer multiplicationFrom integer to polynomial multiplication
c = a× bdlog2 aedlog2 be∑
i=0
ci(264)i = (
dlog2 ae∑i=0
ai(264)i)× (
dlog2 be∑i=0
bi(264)i)
dA+dB∑i=0
ciXi = (
dA∑i=0
aiXi)× (
dB∑i=0
biXi)
Evaluation-Interpolation
A(X) × B(X) = C(X)↓ ↓ ↑
(A(x1), . . .A(xn)) · (B(x1), . . .B(xn)) = (C(x1), . . .C(xn))
if n ≥ dA + dB + 1
![Page 31: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/31.jpg)
FFT based integer multiplication
Polynomial Multiplication
1. Multipoint evaluation of A: (A(x1), . . . ,A(xn))
2. Multipoint evaluation of B: (B(x1), . . . ,B(xn))
3. Pointwise products: C(xi) = A(xi)B(xi)
4. Interpolation of the C(xi) into C(X)
Property
If xi = ξi where ξ is an n-th root of unity, thenI multipoint evaluation can be computed with FFT ⇒O (n log n)
I interpolation is a multipoint evaluation in ξ−1 ⇒O (n log n)
![Page 32: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/32.jpg)
FFT based integer multiplication
Polynomial Multiplication
1. Multipoint evaluation of A: (A(x1), . . . ,A(xn))
2. Multipoint evaluation of B: (B(x1), . . . ,B(xn))
3. Pointwise products: C(xi) = A(xi)B(xi)
4. Interpolation of the C(xi) into C(X)
Property
If xi = ξi where ξ is an n-th root of unity, thenI multipoint evaluation can be computed with FFT ⇒O (n log n)
I interpolation is a multipoint evaluation in ξ−1 ⇒O (n log n)
![Page 33: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/33.jpg)
GCD and Euclidean Algorithm
Definition (GCD = Greatest Common Divisor)
The GCD of a and b is the greatest integer g dividing both a and b
Example
I GCD(12, 16) = 4I GCD(12, 17) = 1 ⇒12 and 17 are coprime
Bezout relationIf g = GCD(a, b), then there exist u, v ∈ Z, coprime such that
g = ua + vb
![Page 34: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/34.jpg)
GCD and Euclidean Algorithm
ProblemGiven a, b ∈ Z, find g = GCD(a, b)
beginr0 = a;r1 = b;while ri 6= 0 do
Compute ri+1 s.t. ri−1 = riqi + ri+1;i = i + 1;
I The last ri 6= 0 is the gcd of a and b
I invariant uia + vib = ri for all i ⇒Bezout coefficients
![Page 35: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/35.jpg)
GCD and Euclidean Algorithm
ProblemGiven a, b ∈ Z, find g = GCD(a, b) and u, v coprime s.t. ua + vb = g
beginr0 = a;r1 = b;u0 = 1, v0 = 0;u1 = 0, v1 = 1;while ri 6= 0 do
Compute ri+1 s.t.ri−1 = riqi + ri+1;ui+1 = ui−1 − qiui;vi+1 = vi−1 − qivi;i = i + 1;
I The last ri 6= 0 is the gcd of a and bI invariant uia + vib = ri for all i ⇒Bezout coefficients
![Page 36: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/36.jpg)
Finite ring and fields: Z/nZ
Integers modulo n
Z/nZ = 0, 1, . . . , n− 1 equiped with addition et mult. modulo n.
I use integer arithmeticI reduce the results mod n
Addition:c = a + b;if (c >= n) c = c - n;
Multiplication:c = a * b;c = c % n; // remainder of c modulo n
Inverse: x−1 mod n exists iff GCD(x, n) = 1
I Bezout relation ux + vn = 1 ⇒x−1 = u mod nI Computed by the Extended Euclidean Algorithm run on (x, n)
![Page 37: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/37.jpg)
Modular Inverse
Computing the modular inverse a−1 mod n
If GCD(a, n) = 1, then uia + vin = 1⇒ua = 1 mod n⇒a−1 = u mod n.
Corollary
Z/pZ is a field iff p is prime
Corollary
All finite fields are either equivalent toI Z/pZ for a prime p orI Z/pZ[X]/(Q) where Q ∈ Z/pZ[X] is irreducible (See P. Karpman
lecture)
![Page 38: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/38.jpg)
The Chinese remainder theoremProblem ( Sunzi Suanjing )
Find n knowing that n mod 3 = 2, n mod 5 = 3, n mod 7 = 2⇒n = 23 + 105k for k ∈ Z.⇒unique integer between 0 and 104
TheoremIf p, q are coprime,
Z/pZ× Z/qZ ≡ Z/(pq)Z.
Isomorphism:
ϕ : Z/pZ× Z/qZ → Z/(pq)Z(x, y) 7→ xq(p−1 mod q) + yp(q−1 mod p)
Theorem (Alternative formulation)If p, q are coprime and x, y are residues modulo p and q. Then ∃!A < pq, suchthat A = x mod p and A = y mod q.
![Page 39: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/39.jpg)
The Chinese remainder theoremProblem ( Sunzi Suanjing )
Find n knowing that n mod 3 = 2, n mod 5 = 3, n mod 7 = 2⇒n = 23 + 105k for k ∈ Z.⇒unique integer between 0 and 104
TheoremIf p, q are coprime,
Z/pZ× Z/qZ ≡ Z/(pq)Z.
Isomorphism:
ϕ : Z/pZ× Z/qZ → Z/(pq)Z(x, y) 7→ xq(p−1 mod q) + yp(q−1 mod p)
Theorem (Alternative formulation)If p, q are coprime and x, y are residues modulo p and q. Then ∃!A < pq, suchthat A = x mod p and A = y mod q.
![Page 40: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/40.jpg)
The Chinese remainder theoremProblem ( Sunzi Suanjing )
Find n knowing that n mod 3 = 2, n mod 5 = 3, n mod 7 = 2⇒n = 23 + 105k for k ∈ Z.⇒unique integer between 0 and 104
TheoremIf p, q are coprime,
Z/pZ× Z/qZ ≡ Z/(pq)Z.
Isomorphism:
ϕ : Z/pZ× Z/qZ → Z/(pq)Z(x, y) 7→ xq(p−1 mod q) + yp(q−1 mod p)
Theorem (Alternative formulation)If p, q are coprime and x, y are residues modulo p and q. Then ∃!A < pq, suchthat A = x mod p and A = y mod q.
![Page 41: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/41.jpg)
The Chinese remainder theoremProblem ( Sunzi Suanjing )
Find n knowing that n mod 3 = 2, n mod 5 = 3, n mod 7 = 2⇒n = 23 + 105k for k ∈ Z.⇒unique integer between 0 and 104
TheoremIf p, q are coprime,
Z/pZ× Z/qZ ≡ Z/(pq)Z.
Isomorphism:
ϕ : Z/pZ× Z/qZ → Z/(pq)Z(x, y) 7→ xq(p−1 mod q) + yp(q−1 mod p)
Theorem (Alternative formulation)If p, q are coprime and x, y are residues modulo p and q. Then ∃!A < pq, suchthat A = x mod p and A = y mod q.
![Page 42: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/42.jpg)
The Chinese remainder theorem
TheoremIf m1, . . . ,mk are pairwise relatively prime,
Z/m1Z× · · · × Z/mkZ ≡ Z/(m1 . . .mk)Z.
Isomorphism:
ϕ : Z/m1Z× · · · × Z/mkZ → Z/(m1 . . .mk)Z(x1, . . . , xk) 7→
∑ki=1 xiΠiYi mod Π
where
Π =∏k
i=1 mi
Πi = Π/mi
Yi = Π−1i mod mi
Theorem (Alternative formulation)
If m1, . . . ,mk are pairwise relatively prime and a1, . . . , ak are residuesmodulo resp. m1, . . . ,mk. Then ∃!A ∈ Z+,A <
∏ki=1 mi, such that
A = ai[mi] for i = 1 . . . k.
![Page 43: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/43.jpg)
Analogy with the polynomials
Evaluate P at a ↔ Reduce P modulo X − a
Polynomials Integers
Evaluation:P mod X − a N mod m
Évaluate P at a “Évaluate” N at m
Interpolation:P =
∑ki=1
∏j6=i(X−aj)∏j6=i(ai−aj)
N =∑k
i=1 ai∏
j 6=i mj(∏
j 6=i mj)−1[mi]
![Page 44: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/44.jpg)
Outline
Introduction
Computational complexity refresh
Algebra refresh
Arithmetic refresh (computational viewpoint)
Algebra refresh reloaded
![Page 45: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/45.jpg)
Multiplicative group of a ring
If (R,+,×, 0, 1) is a ring, not all elements of R are invertible for ×.
Definition (Multiplicative group of a ring R)
The subset of its elements that are invertible for ×. Denoted by R∗
I If F is a field, F∗ = F \ 0I (Z/nZ)∗ = x ∈ Z/nZ s.t. GCD(x, n) = 1
![Page 46: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/46.jpg)
Euler totient function
Definition
I Multiplicative subgroup of Z/nZ: (Z/nZ)∗ = x ∈ Z/nZ,GCD(x, n) = 1I Euler Totient: ϕ(n) = #(Z/nZ)∗
Property
I ϕ(p) = (p− 1) for p primeI ϕ(pk) = (p− 1)pk−1 for p primeI ϕ(mn) = ϕ(m)ϕ(n) for GCD(m, n) = 1
Example: n =∏k
i=1 pαii (prime factor decomposition)
ϕ(n) =
k∏i=1
pαi−1i (pi − 1)
![Page 47: Crypto refresh: Computational Algebra · Information theory:proving that an attacker’s view on the protocol leaks no information (data is indistinguishable from a pure random source))discrete](https://reader030.vdocument.in/reader030/viewer/2022041122/5f371b8a112466585849d884/html5/thumbnails/47.jpg)
Lagrange, Euler, Fermat
Theorem (Lagrange)
For a finite group G and a ∈ G, a|G| = e.
Theorem (Euler)
If GCD(a, n) = 1, then aϕ(n) = 1 mod n.
Theorem (Fermat)
If p is prime, then ap = a mod p ∀a ∈ Z/pZ.