| 1 | +\documentclass[psamsfonts]{amsart} |
| 2 | + |
| 3 | +%-------Packages--------- |
| 4 | +\usepackage{amssymb,amsfonts} |
| 5 | +\usepackage{enumerate} |
| 6 | +\usepackage[margin=1in]{geometry} |
| 7 | +\usepackage{amsthm} |
| 8 | +\usepackage{theorem} |
| 9 | +\usepackage{verbatim} |
| 10 | + |
| 11 | +\bibliographystyle{plain} |
| 12 | + |
| 13 | +\voffset = -10pt |
| 14 | +\headheight = 0pt |
| 15 | +\topmargin = -20pt |
| 16 | +\textheight = 690pt |
| 17 | + |
| 18 | +%--------Meta Data: Fill in your info------ |
| 19 | +\title{6.857 \\ |
| 20 | +Network and Computer Security \\ |
| 21 | +Lecture 12: Finite Group Theory} |
| 22 | + |
| 23 | +\author{Lecturer: Ronald Rivest\\ |
| 24 | +Scribe: John Wang} |
| 25 | + |
| 26 | +\begin{document} |
| 27 | + |
| 28 | +\maketitle |
| 29 | + |
| 30 | +\section{Group Theory} |
| 31 | + |
| 32 | +\subsection{Orders of Elts} |
| 33 | + |
| 34 | +The most common group we see in cryptography is $Z_{p}^* = \{1,2, \ldots, p-1 \}$. This is a pretty group, very simple, and nice to work with. We say that $order_{n}(a)$ is the order of $a$ modulo $n$, where $a \in Z_{n}^*$. The order is the smallest $t > 0$ such that $a^t \equiv 1 \mod n$. |
| 35 | + |
| 36 | +Fermat's Little Theorem: If $p$ is prime, then $\forall a \in Z_{p}^*$ we have $a^{p-1} \equiv 1 \pmod{p}$. |
| 37 | + |
| 38 | +Euler's Theorem: For all $n$ and forall $a \in Z_{n}^*$, we have $a^{\phi(n)} \equiv 1 \pmod{n}$, where $\phi(n)$ is the cardinality of the group so $\phi(n) = |\{a; 1 \leq a \leq n; gcd(a,n) = 1 \} |$. |
| 39 | + |
| 40 | +For example: $Z_{10}^* = \{1, 3, 7, 9\}$. This is a multiplicative group, and $\phi(10) = 4$. Just to check, we have $3^{4} \equiv 1 \pmod{10}$. |
| 41 | + |
| 42 | +Notice that the order of $a$ mod $n$ is the length of the periodicity of $a^{i}$ for $i = \{1,2,3,\ldots\}$. We notice that $order_{n}(a) | |Z_{n}^*|$ so that the order always divides the size of the group. |
| 43 | + |
| 44 | +\subsection{Generators} |
| 45 | + |
| 46 | +Notation: define $<a> = \{a^i, i \geq 1 \}$. We have $order_{n}(a) = |<a>|$. |
| 47 | + |
| 48 | +Definition: If $order_{n}(g) = |Z_{n}^*|$, then $g$ is called the generator of $Z_{n}^*$. In other words $<g> = Z_{n}^*$. |
| 49 | + |
| 50 | +Theorem: $Z_{n}^*$ has a generator (i.e. $Z_{n}^*$ is cyclic) if and only $n = 2,4, p^m, 2p^m$ for prime $p$ and $m \geq 1$. |
| 51 | + |
| 52 | +Theorem: If $p$ is prime, then the number of generators mod $p$ is $\phi(p-1)$. For example $p = 11$ then $|Z_{p}^*| = 10$, and we have $\phi(10) = 4$. |
| 53 | + |
| 54 | +Theorem: If $p$ is prime and $g$ is a generator modulo $p$, then $g^{x} \equiv y \pmod{p}$ has a unique solution for $0 \leq x < p -1$ for each $y \in _Z_p^*$. We call $x$ the discrete logairthm of $y$, base $g$ modulo $p$. |
| 55 | + |
| 56 | +The discrete logarithm problem is the problem of computing $x$ from $y$ given some $p$ and $g$. It is assumed that this is hard, no one has found an algorithm which solves this problem quickly. |
| 57 | + |
| 58 | +\subsection{Generate and Test} |
| 59 | + |
| 60 | +Randomly pick $g$ in $Z_{p}^*$ and test its order. If the order is $p-1$, then $g$ is the generator. Fermat's Little Theorem implies that $g^{p-1} = 1 \pmod{p}$ and $g^{d} \not \equiv 1 \pmod{p}$ for $d$ which is a divisor of $p-1$. |
| 61 | + |
| 62 | +Assume we factored $p-1 = q_1^{e_1} q_2^{e_2} \ldots q_k^{e_k}$. Check that $g^{(p-1)/q} \not \equiv 1 \pmod{p}$ for each $q | (p-1)$. |
| 63 | + |
| 64 | +\section{Public Keys} |
| 65 | + |
| 66 | +Idea: Pick a large ``random'' $p$ such that we know the factorization of $p-1$. This is because factoring $p-1$ is hard. |
| 67 | + |
| 68 | +If $p$ and $q$ are both primes and $p = 2q+1$, then $p$ is called a safe prime and $q$ is called a Sophie Germain prime. The factorization of $p-1$ is just $2q+1-1$ so that factorization is $p-1 = 2 \times q$. To get pairing, we find $q$ first which is a prime, then let $p = 2q + 1$ and we test $p$ for primality. |
| 69 | + |
| 70 | +Theorem: If $p$ is a safe prime $p = 2q+1$ ($p-1 = 2-q$) then for all $a \in Z_p^*$ we have $order(a) \in \{1, 2, q, 2q\}$. |
| 71 | + |
| 72 | +To test of $g$ is a generator we know that we check if $g^{p-1} \equiv 1 \pmod{p}$ and $g^2 \not \equiv 1 \pmod{p}$ and $g^q \not \equiv 1 \pmod{p}$, which implies that $order_p(g) = p-1$ and so $g$ is a generator. |
| 73 | + |
| 74 | +If $p = 2q + 1$ and so $p$ is a safe prime then the number of generators mod $p$ is $\phi(p-1) = q-1$. |
| 75 | + |
| 76 | +Find large random prime $q$. Let $p = 2q + 1$ and test $p$ for primality. If not, loop and pick new $q$, otherwise output $p,q,g$. We can find $g$ by picking $g \in Z_{p}^*$ and test for $g$ being a generator. Since there are a lot of generators, we've got high probability of getting a generator. |
| 77 | + |
| 78 | +\subsection{Common Public Key Setup} |
| 79 | + |
| 80 | +We have $p$ prime and $g$ generator of $Z_{p}^*$ which are published. Alice chooses $x$ where $0 \leq x < p-1$ as her secret key. Publishes $g^{x} \equiv y \pmod{p}$ as her public key. Secrecy of $x$ depends on difficulty of computing $x = \log_{g,p} (y)$ (discrete logarithm problem). |
| 81 | + |
| 82 | +\end{document} |
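Review bot: the generator test in line 60 is misstated: the condition $g^{d} \not\equiv 1 \pmod{p}$ must hold for every proper divisor $d$ of $p-1$ (as written, $d = p-1$ itself is a divisor and the sentence contradicts the Fermat statement just before it), and that condition is the definition of $g$ having order $p-1$, not a consequence of Fermat's Little Theorem. Line 62 has the same gap: the check should run over the prime factors $q_1, \ldots, q_k$ just introduced, e.g. "Check that $g^{(p-1)/q_i} \not\equiv 1 \pmod{p}$ for each $i$", since testing every divisor $q$ of $p-1$ is both redundant and not what the factorization is for. Line 70 has a typo in the parenthetical factorization, `($p-1 = 2-q$)`, which should read `($p-1 = 2q$)`. Line 54 contains a stray underscore in `$y \in _Z_p^*$`, which typesets $Z$ as a subscript of $\in$; it should be `$y \in Z_p^*$`, and "logairthm" should be "logarithm". Smaller points: line 72 "To test of $g$" should be "To test if $g$"; line 66 "This is because factoring $p-1$ is hard" would be clearer as "because factoring $p-1$ for an arbitrary random prime $p$ is hard, so we construct $p$ so that the factorization is known"; and `order_{n}(a)`, `gcd` and `<a>` throughout would typeset correctly as `\operatorname{order}_n(a)`, `\gcd` and `\langle a \rangle`.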