Products of Small Primes in Cryptology, Coding and
Theoretical Computer Science
David Naccache, ENS
Gödel Numbering
• In 1930, Kurt Gödel proved that:
“In any consistent formalization of mathematics that is sufficiently strong to define the concept of natural numbers, one can construct a statement that can be neither proved nor disproved within that system”.
This is Gödel’s famous incompleteness theorem
Gödel’s Theorem
• Very much simplified, the proof of this theorem is the following. Encode (assign a positive integer to) each propositional calculus symbol:
Logical symbol   Encoding   Meaning
¬                1          not
∀                2          for all
→                3          if, then
⋀                4          and
⋁                5          or
(                6
)                7
…                …
For Integers > 10
• Predicate symbols are encoded by multiples of 3:
Symbol   Encoding
P        12
Q        15
R        18
• Variables are encoded by integers ≡ 1 mod 3:
Symbol   Encoding
x        13
y        16
z        19
• Propositional symbols are encoded by integers ≡ 2 mod 3:
Symbol   Encoding
E        14
F        17
G        20
Gödel’s Numbering
Arithmetical statements are assigned unique Gödel numbers.
This is based on a simple code which essentially reads
prime_1^character[1] · prime_2^character[2] · …
For example the statement ∀x, P(x)
becomes 2^2 · 3^16 · 5^12 · 7^6 · 11^16 · 13^7 =
14259844433335185664666562849653536301757812500
because character[∀] = 2, character[x] = 16, character[P] = 12, character[(] = 6, character[x] = 16, character[)] = 7.
We say that 142…2500 is the Gödel Number (GN) of ∀x, P(x).
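The numbering above, as an added example (not code from the lecture): it builds the Gödel number of ∀x, P(x) from the symbol codes of the slide’s worked computation and recovers the symbols again by factoring. It follows that worked computation in coding x as 16 (the variable table lists x as 13) and leaves the comma unencoded, as the slide does.

```python
# Added example, not the lecture's own code: Gödel numbering of a statement as
# prime_1^character[1] * prime_2^character[2] * ..., and its inversion by factoring.
from math import prod

# Codes as used in the slide's worked computation (commas are not encoded;
# x is coded 16 there, as in the worked number; ¬ = 1 and R = 18 from the tables).
CODE = {"¬": 1, "∀": 2, "(": 6, ")": 7, "P": 12, "x": 16, "R": 18}
SYMBOL = {code: sym for sym, code in CODE.items()}

def first_primes(k):
    """First k primes (p1=2, p2=3, p3=5, ...), by trial division."""
    primes, n = [], 2
    while len(primes) < k:
        if all(n % q for q in primes):
            primes.append(n)
        n += 1
    return primes

def godel_number(symbols):
    """GN = prime_1^code(s1) * prime_2^code(s2) * ... as an exact integer."""
    primes = first_primes(len(symbols))
    return prod(p ** CODE[s] for p, s in zip(primes, symbols))

def decode(n, max_len=64):
    """Invert the numbering: peel off prime_i^e for i = 1, 2, ... and map e back."""
    symbols = []
    for p in first_primes(max_len):
        if n == 1:
            break
        e = 0
        while n % p == 0:          # exponent of the i-th prime = code of symbol i
            n, e = n // p, e + 1
        if e not in SYMBOL:
            raise ValueError(f"exponent {e} is not a symbol code")
        symbols.append(SYMBOL[e])
    if n != 1:
        raise ValueError(f"not a Gödel number over the first {max_len} primes")
    return symbols

if __name__ == "__main__":
    gn = godel_number(["∀", "x", "P", "(", "x", ")"])   # the slide's ∀x, P(x)
    print(gn)                       # 14259844433335185664666562849653536301757812500
    print("".join(decode(gn)))      # ∀xP(x)
```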
This Lecture Is About
Applications of Gödel’s way of encoding information:
prime_1^character[1] · prime_2^character[2] · …
Back to Gödel’s Theorem
Sequences of statements are also assigned Gödel numbers.
e.g. if a = GN(∀x, P(x)), b = GN(∀x, ¬P(x)), c = GN(∀x, ¬Q(x) ⋀ P(x)),
then the sequence of statements
∀x, P(x)   ∀x, ¬P(x)   ∀x, ¬Q(x) ⋀ P(x)
gets the GN 2^a · 3^b · 5^c, which we will call d.
The proof of the incompleteness theorem depends on the fact that, in formal arithmetic, some statement sequences logically entail (prove) other statements.
Gödel’s Theorem
For example it might be shown that a, b, and c together (i.e. d) prove e.
Because this is a demonstrable relationship between numbers it is entitled to its own symbol, for example R. R(v,x) would then mean "x proves v". In the case where x and v are Gödel numbers e and d we would say R(e,d).
Put more simply: R(e,d) means “the sequence of statements which GN is d is the proof of the statement which GN is e.”
Gödel’s Punchline
The punchline is that we can write the statement ∀x, ¬R(v,x), which means: no proposition of type v can be proved.
The Gödel number for this statement would be
2^2 · 3^16 · 5^1 · 7^18 · 11^6 · 13^12 · 17^16 · 19^7
but we will just call it r.
Now if we consider the statement ∀x, ¬R(r,x) we will realise that it says: no proposition that says 'no proposition of type v can be proved' can be proved.
This collapses into the statement this proposition cannot be proved, which is inconsistent, because if it is provable then it is not provable, and vice versa.
[Figure: public-key encryption. message → encryption algorithm (public key) → ciphertext → decryption algorithm (secret key) → message]
More Than Forty Years Pass…
Diffie and Hellman invent public-key cryptography.
Diffie-Hellman Key Exchange
Diffie and Hellman also proposed a new revolutionary manner to create a unique pair of physical objects.
Diffie-Hellman Key Exchange
In reality, Diffie and Hellman provided a mathematical analogy to the protocol that we have just illustrated.
Their solution is based on the assumption that the following problem (known as the Discrete Logarithm Problem) is hard:
Given g, a, p find x such that g^x = a mod p
First party: pick a random x, compute a = g^x mod p, send a.
Second party: pick a random y, compute b = g^y mod p, send b.
First party: compute k = b^x mod p.   Second party: compute k = a^y mod p.
Discrete Log “Gödel” Encryption
Generate a public large prime integer p, select a large secret s and publish the public keys v1,…,vk where v_i^s = p_i mod p,
where p_i stands for the i-th prime (p1 = 2, p2 = 3, p3 = 5, …).
To encrypt a message m (whose bits we denote m[1],…,m[k]) the sender computes the ciphertext:
c = v1^m[1] ⋯ vk^m[k] mod p
c is decrypted by computing d = c^s mod p = p1^m[1] ⋯ pk^m[k]
and factoring the result over the integers to determine m.
Discrete Log “Gödel” Encryption
For this to work we need to have that p1 ⋯ pk < p.
The security of this cryptosystem is based on the hardness of the discrete logarithm problem:
Generate a public large prime p, select a large secret s and publish the public keys v1,…,vk where v_i^s = p_i mod p,
where p_i stands for the i-th prime (p1 = 2, p2 = 3, p3 = 5, …).
Discrete Logarithm Problem:
Given g, a, p find x such that g^x = a mod p
A Toy Example
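A toy instantiation of the scheme just described, added here as an example (it is not the lecture’s own toy example nor code from the paper): key generation with p just above p1⋯pk, encryption as a product of the v_i, and decryption by raising to s and factoring over the first k primes. The parameters (k = 8, a 7-digit p, the starting value 12345 for s) are constructed and far too small for real use; note also that the scheme as stated is deterministic, so equal messages give equal ciphertexts.

```python
# Added toy instantiation (not the lecture's own example) of the discrete-log
# "Gödel" encryption: k = 8 bits, a 7-digit prime p chosen just above p1*...*pk.
from math import gcd, isqrt, prod

def first_primes(k):
    """First k primes (p1=2, p2=3, p3=5, ...), by trial division."""
    primes, n = [], 2
    while len(primes) < k:
        if all(n % q for q in primes):
            primes.append(n)
        n += 1
    return primes

def is_prime(n):
    return n > 1 and all(n % q for q in range(2, isqrt(n) + 1))

def keygen(k, s):
    """p: first prime above p1*...*pk, so every product of distinct p_i stays below p.
    s: secret exponent (bumped until it is invertible mod p-1; a toy choice)."""
    primes = first_primes(k)
    p = prod(primes) + 1
    while not is_prime(p):
        p += 1
    while gcd(s, p - 1) != 1:
        s += 1
    s_inv = pow(s, -1, p - 1)
    v = [pow(pi, s_inv, p) for pi in primes]   # v_i^s = p_i^(s_inv*s) = p_i mod p
    return (p, v), (p, s)                      # public key, secret key

def encrypt(pub, bits):
    """c = v_1^m[1] * ... * v_k^m[k] mod p (deterministic, as stated on the slide)."""
    p, v = pub
    c = 1
    for vi, b in zip(v, bits):
        if b:
            c = c * vi % p
    return c

def decrypt(priv, c, k):
    """d = c^s mod p equals p_1^m[1] * ... * p_k^m[k] as an integer; factor it."""
    p, s = priv
    d = pow(c, s, p)
    bits = []
    for pi in first_primes(k):
        bits.append(1 if d % pi == 0 else 0)
        if bits[-1]:
            d //= pi
    if d != 1:
        raise ValueError("c^s mod p is not a product of distinct first-k primes")
    return bits
```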
As We Are In an ECC Conference
We must say something about ECs.
Can the previous encryption scheme run on an EC?
Answer is yes, but only in theory…
We might use, instead of small primes, small rational points on an EC. Publish s·p_i as public keys.
As we get the ciphertext and multiply it over the curve by the inverse of s how do we see which rational points are in there?!
Use height and projective coordinates!
As We Are In an ECC Conference
Get the ciphertext, multiply it by the inverse of s and attempt to subtract each rational point from the result.
Height decreases: good guess. Height increases: bad guess.
Problem: we do not know ECs with enough independent small rational points on them. The world record is 28.
This means that we could “encode” 28 message bits in a 10000-bit ciphertext (plaintext too small to be secure).
This can be improved slightly by using signed rational points (bandwidth improves to 28 · log₂ 3).
We can also shoot for low-density message encoding, which allows more bits to be stuffed into the ciphertext using only 28 points, but at the price of a ciphertext size explosion.
Any more elegant ideas to make this fly?
“Gödel” Error-Correction
Gödel’s encoding can also be used for error correction.
In a very inefficient, yet rather curious, way…
Before we proceed, a few reminders about error correcting codes.
Ideal Communication
[Figure: the message “Hello” is sent and “Hello” is received.]
Real Communication
[Figure: the message “Hello” is sent, but “Hell!” is received. ?!!]
Error Correcting Codes
[Figure: “Hello” → encoding algorithm → “z4%J9ds” (7 symbols); the channel corrupts it to “zt%Jxds”; decoding algorithm → “Hello”.]
Error Correcting Codes
A bit of terminology.
The number of errors correctable by a code is called the code’s correction capacity (denoted t).
The ratio between the length of the encoded message and the original message (in our example 1.4=7/5) is called the code’s expansion rate (denoted r).
“Gödel” Error Correction
Generate a large prime p; here again p_i stands for the i-th prime (p1 = 2, p2 = 3, p3 = 5, …).
To encode a message m (whose bits we denote m[1],…,m[k]) the sender computes:
c = p1^m[1] ⋯ pk^m[k] mod p
While the couple {c, m} is sent over the noisy channel, we start by assuming that errors occurred only in m.
Upon reception of {c, m′} the receiver can compute
c′ = p1^m′[1] ⋯ pk^m′[k] mod p
and divide out all the common factors (the unflipped bits) of m and m′:
Let d = c/c′ mod p.
“Gödel” Error Correction
We now use the extended Euclidean algorithm to write d as a modular ratio of two integers A, B, each of size about √p:
d = A/B mod p.
Now, if there haven’t been too many errors, A and B factor over the integers into products of small primes.
The primes present in A encode the bits set to 1 in m and reset to 0 in m′. The primes present in B encode the bits equal to 0 in m that flipped into 1 in m′.
Parameter Sizes
To correct t errors in a k-bit message the size of p should be:
2 · p_k^(2t) < p < 4 · p_k^(2t)
We simply bound the worst case where all errors affect the end of the message. Now, using the fact that p_k ≈ k log k, we get
log₂ p ≈ 2t · log(k log k) / log 2,
which gives a simple relation allowing the code to be instantiated given a desired t and k.
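The encode/decode procedure above (errors only in m) together with the sizing rule for p, as an added example that is not code from the paper or the slides: the checksum c, the extended-Euclid step recovering A/B from d, and the bit repair from the primes of A and B. The test instance is constructed (k = 16, t = 2, so p is picked just above 2·53^4) and the helper names (checksum, rational_reconstruct, correct) are my own.

```python
# Added example (not the paper's or lecture's code): "Gödel" error correction for
# the case the slides start with, errors only in m; p is sized by the slide's rule.
from math import isqrt

def first_primes(k):
    """First k primes (p1=2, p2=3, p3=5, ...), by trial division."""
    primes, n = [], 2
    while len(primes) < k:
        if all(n % q for q in primes):
            primes.append(n)
        n += 1
    return primes

def choose_p(k, t):
    """Smallest prime above 2*pk^(2t); the slide's range ends at 4*pk^(2t)."""
    pk = first_primes(k)[-1]
    p = 2 * pk ** (2 * t) + 1
    while any(p % q == 0 for q in range(2, isqrt(p) + 1)):
        p += 1
    assert p < 4 * pk ** (2 * t)
    return p

def checksum(bits, p):
    """c = p_1^m[1] * ... * p_k^m[k] mod p, sent alongside m."""
    c = 1
    for pi, b in zip(first_primes(len(bits)), bits):
        if b:
            c = c * pi % p
    return c

def rational_reconstruct(d, p):
    """Extended Euclid on (p, d) stopped at the first remainder <= sqrt(p): (A, B), A = B*d mod p."""
    bound = isqrt(p)
    r0, r1, t0, t1 = p, d, 0, 1
    while r1 > bound:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    return r1, t1

def correct(received, c, p):
    """Repair the received m' using c = checksum(m); None if uncorrectable."""
    d = c * pow(checksum(received, p), -1, p) % p   # d = c/c' = A/B mod p
    A, B = rational_reconstruct(d, p)
    fixed = list(received)
    for i, pi in enumerate(first_primes(len(received))):
        if A % pi == 0:       # prime in A: bit was 1 in m and flipped to 0
            fixed[i], A = 1, A // pi
        if B % pi == 0:       # prime in B: bit was 0 in m and flipped to 1
            fixed[i], B = 0, B // pi
    return fixed if A == B == 1 else None   # leftover factors: too many errors
```

With more than t flips A·B can exceed the reconstruction bound and the leftover-factor check usually reports failure, but a mis-reconstructed ratio that happens to be smooth would be accepted silently, which is the failure mode the paper’s variant trades for a better expansion rate.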
Remember…
While the couple {c, m} is sent over the noisy channel, we start by assuming that errors occurred only in m.
What if c gets corrupted, or if both c and m get corrupted?
Protecting c
The solution consists in repeating the procedure recursively by sending not only c (which we now denote c(m), given that it is a function of m) but:
m, c(m), c(c(m)), … c(c(c(…c(m)…)))
Since each application of c uses a smaller prime p, the sizes of the successive nested c’s decrease.
Assuming that no errors occurred in the last c(c(c(…c(m)…))), the decoding procedure runs backwards until the errors in m are corrected.
It remains to correct u = c(c(c(…c(m)…))) against errors.
But since u is small it suffices to replicate it 2t+1 times and use a majority vote to spot the errors in u.
Variants
- In the paper (available online) we propose a more efficient variant (better expansion rate), but one where, with negligibly small probability, the receiver might not be able to correct errors.
- Instead of nesting c’s one can transmit {m, RM(c)}, where RM stands for a classic Reed-Muller code (for instance).
The receiver then corrects the errors in RM(c), recovers c and proceeds as we previously described.
For some {t, k} values sending {m, RM(c)} happens to be more economic than sending RM(m).
{m, RM(c)} versus RM(m)
For some {t, k} values sending {m, RM(c)} happens to be more economic than sending RM(m). E.g. to protect a 5812-bit message against 31 errors, Reed-Muller will transmit 8192 bits.
Sending {m, RM(c)} costs only 7860 bits.
In general the sending of {m, RM(c)} will be more economic for long messages over not too noisy channels.
RM(m) will perform better than {m, RM(c)} as noise increases or message size decreases.
The comparison to Reed-Muller is just illustrative (other error-correcting codes can be benchmarked here as well).
Comparing Permuted Objects
Products of small primes were also exploited in the literature to determine, in a very constrained space, if a list of integers L1 contains exactly the same elements as list L2.
The comparison algorithm is probabilistic and very simple.
As a Conclusion
We have seen in this lecture that the simple message encoding format devised by Gödel,
p1^m[1] · p2^m[2] · …
can give birth to:
• an ingredient in the proof of the incompleteness theorem
• public key cryptosystems
• error correcting schemes
As a Conclusion
The “small prime factors” theme (a.k.a. smoothness) is also useful for attacking schemes (index calculus algorithms). We didn’t overview this in this lecture.
p1^m[1] · p2^m[2] · …
• Desmedt-Odlyzko attack on RSA
• factoring algorithms
• discrete log algorithms
• point counting on elliptic curves (Schoof’s algorithm)