In the intervening years there have been great advances and changes in the subject which have caused me to revisit much of the material in this book. Those who wish to obtain references to the literature should consult one of the books mentioned in the further reading sections.
Mathematical Background
Modular Arithmetic, Groups, Finite Fields and Probability
Chapter Goals
Modular Arithmetic
An abelian group is called cyclic if there is a special element, called the generator, from which every other element can be obtained either by repeated application of the group operation or by use of the inverse operation. Any negative integer can be obtained from a positive integer using the additive inverse operator, such as sending x to −x.
Finite Fields
Such an isomorphism exists for every two finite fields of the same order, although we will not show it here. Therefore, the previous statement says that the fixed field of the Frobenius map is the prime field F_p.
Basic Algorithms
Chinese Remainder Theorem: The General Case: We now turn to the general case of CRT where we consider more than two equations at once. The Jacobi symbol can be calculated using a method similar to the Legendre symbol using the identity derived from the law of quadratic reciprocity.
Probability
Let X and Y be two random variables, where p(X = x) is the probability that X takes the value x and p(Y = y) the probability that Y takes the value y. To understand why this is called the birthday paradox, consider the probability of two people in a room having the same birthday.
Big Numbers
Chapter Summary
Square elements modulo a prime can be detected using the Legendre symbol; square roots can be efficiently calculated using Shanks' Algorithm. Square elements and square roots modulo a composite can be determined efficiently as long as one knows the factorization of the modulus.
Further Reading
The birthday paradox allows us to estimate how quickly collisions occur when repeatedly sampling from a finite space.
Primality Testing and Factoring
Prime Numbers
Miller–Rabin test: Due to the existence of Carmichael numbers, the Fermat test is usually avoided. AKS Algorithm: The Miller–Rabin test is a randomized primality testing algorithm that runs in polynomial time.
The Factoring and Factoring-Related Problems
In all these games, we define the advantage of a specific opponent A as a function of the time the opponent spends trying to solve the input problem. Instead of using the above definition of advantage (i.e. the probability of the opponent winning the game), we use the definition.
Basic Factoring Algorithms
Basically, an even number is one that is easy to factor by trial division; the following definition makes this more precise. Sometimes we say that the number is just smooth if the bound B is small compared to N.
Modern Factoring Algorithms
Each relation is encoded into the matrix as a row, modulo two, which in our example becomes Fortunately, the matrix is very, very sparse, so the storage required will not be that large.
Number Field Sieve
This is done by constructing a graph and using an algorithm which calculates a basis for the set of cycles in the graph. The number field sieve will use arithmetic on the number fields K_1 and K_2 given by K_1 = Q(θ_1) and K_2 = Q(θ_2).
Discrete Logarithms
- The DLP, DHP and DDH Problems
- Pohlig–Hellman
- Baby-Step/Giant-Step Method
- Pollard-Type Methods
- Sub-exponential Methods for Finite Fields
We first show how to reduce the solution of the Diffie–Hellman problem to the discrete logarithm problem. The only problem is that we have not shown how to solve the discrete logarithm problem in C_{p^e}. Determining x_1: We are already in a cyclic group of prime order, so we apply our oracle to the discrete logarithm problem.
Elliptic Curves
- Introduction
- The Group Law
- Elliptic Curves over Finite Fields
- Projective Coordinates
- Point Compression
- Choosing an Elliptic Curve
Elliptic Curve Discrete Logarithm Problem (ECDLP): For a positive integer m, let [m] denote the multiplication-by-m map from the curve to itself. In this case there is a simple computable map from the discrete logarithm problem on the elliptic curve to the discrete logarithm problem in the finite field F_{q^t}. Therefore, in this case, we get a sub-exponential method for solving the discrete logarithm problem on the elliptic curve.
Lattices
Lattices and Lattice Reduction
Although the value of γ_n is only known for 1 ≤ n ≤ 8, for "random lattices" the first minimum, and hence Hermite's constant γ_n, can be approximated by appealing to the Gaussian heuristic, which states that we have a "random lattice". A similar effect can be achieved using lattices by applying the LLL algorithm to the lattice generated by the columns of the matrix. To define a basis B for Λ_q(A) we can take the column Hermite Normal Form (HNF) of the 3×5 matrix.
Coppersmith’s Theorem
The properties of the example above hold in general; namely, if q is prime and slightly greater than n, then we have Δ(Λ_q(A)) = q^{m−n} and Δ(Λ_q^⊥(A)) = q^n. We look for a linear combination of the above six polynomials so that the resulting polynomial has small coefficients. Lattice basis reduction often allows us to find the shortest non-zero vector in a given lattice, so lattice reduction allows us to solve the shortest vector problem.
Implementation Issues
Introduction
Exponentiation Algorithms
This is because it works by reading each bit of the binary representation of the exponent in turn, starting with the least significant bit and working up to the most significant bit. Window exponentiation methods: Most of the time it is faster to perform a squaring operation than a general multiplication. Generalizations to any group: Note that all the above windowing algorithms apply to exponentiation in any abelian group and not just integers modulo n.
Special Exponentiation Methods
Therefore, we can use these algorithms to compute in a finite field or to compute [d]P on an elliptic curve; in the latter case we call this point multiplication rather than exponentiation. An advantage with elliptic curve variants is that negation comes for free: given P it is easy to compute −P. Since the binary representations of 11 and 7 are given by 1011 and 111, our set of exponents is given.
Multi-precision Arithmetic
Virtually all of the public key systems we'll consider will use arithmetic modulo some other number. The following is the map from normal to Montgomery representation of the integers 1, 2 and 3. Note that since we reduce modulo b in the first line of the for loop, we can perform this initial multiplication using a simple word multiplication algorithm.
Finite Field Arithmetic
Often, however, one uses a lookup table for multiplication of polynomials of degree less than eight; multiplication of polynomials of greater degree is then reduced to multiplication of polynomials of degree less than eight by using a variant of the standard schoolbook long multiplication algorithm. Once reduced to the case of multiplying two polynomials of degree less than eight, we resort to using our lookup table to perform the polynomial multiplication.
Historical Ciphers
- Introduction
- Shift Cipher
- Substitution Cipher
- Vigenère Cipher
- A Permutation Cipher
We will show how to break the shift cipher using the statistics of the underlying language. Applying a statistical technique to the shift cipher is also instructive for how statistics of the underlying plaintext can arise in the resulting ciphertext. Despite this, we can break substitution ciphers using statistics of the underlying plaintext language, just as we did for the shift cipher.
The Enigma Machine
Introduction
Machines used towards the end of the war had a greater number of rotors, selected from a larger set. Note that the order of the rotors in the machine is important, so are the number of ways to select the rotors. If two permutations, with the same support, consist only of disjoint transpositions, their product contains an even number of disjoint cycles of the same length.
An Equation for the Enigma
The stepping of the second and third rotors is probably the hardest part to understand when you first look at an Enigma machine, but it has a relatively simple description when you look at it in a mathematical way. Based on the above description of the key, we want to derive the permutation j, which represents, for j = 0, 1, 2, ... We must always use γ_j to represent the inner rotor part of the Enigma machine, therefore.
Determining the Plugboard Given the Rotor Settings
In the above example of encrypting the first sentences of A Tale of Two Cities, we have that the first ciphertext letter H must map to the plaintext letter I. However, using the above technique, assuming that gri='A', we will at some point find a contradiction. For all occurrences of A in the plaintext m, calculate the frequency of the corresponding letter in the approximate plaintext m.
Double Encryption of Message Keys
In this case, the resulting letter in the message will behave randomly (assuming that γ_j acts as a random variable). Knowledge of the permutation for some j: If we know the value of the permutation for the values j ∈ S, then we have the following equation. Proceeding in this way, we can calculate a permutation representation of the three products as follows:
Determining the Internal Rotor Wirings
We now assume that no stepping of the second rotor occurs during the first six encryptions under the day setting. If a step did occur in the second rotor, the above permutations would probably not have the same cycle structure. We let Ê_1 denote the Enigma machine with rotors given by ρ̂_2, ρ̂_3 and the reflector, but with ring settings the same as in the target machine E (we know the ring settings of E since we have the day key).
Determining the Day Settings
The Germans Make It Harder
Now assuming a given rotor order, let's say the rightmost rotor is rotor I, the middle one is rotor II, and the leftmost rotor is rotor III, then we remove all those headers that could have had a stepping motion from the center rotor in the first six ciphers. We'll take the first letter of the next message header, TLCXYUXYC, in this case T, and we'll take the labeled sheet. The offset is calculated by taking the leftmost square of the new sheet and placing it on top of the square (r,c) of the first sheet where.
Known Plaintext Attack and the Bombes
In the following, we present the basic operation of the Bombe in terms of a modern computer; but note that in practice this is not very effective. If indeed the configuration is correct, then the set bit also corresponds to the correct setting of the plug for register l and the single bit set in the registers. This is due to the additional two-letter component in the menu graph.
Ciphertext Only Attack
So we can conclude that, apart from a possibly incorrect setting of the second ring, we have the correct Enigma setting for this day. We cycle through all 60·26^3 possible values for the rotors and the rotor positions, with ring settings equal to A, A, A. For the top 300 or so values, we then cycle through all possible values for the rings r_1 and r_2 (note that the third ring plays no part in the process) and we set the rotor start positions to p_1 = p_1 + r_1 + i_1, ...
Information-Theoretic Security
- Introduction
- Probability and Ciphers
- Entropy
- Spurious Keys and Unicity Distance
So in our previous example, the ciphertext does reveal a lot of information about the plaintext. This means the probability that the plaintext is m, given that we know the ciphertext is c, is the same as the probability that it is m without seeing c. The entropy in the ciphertext is the amount of uncertainty you have about the underlying plaintext.
Historical Stream Ciphers
- Introduction to Symmetric Ciphers
- Stream Cipher Basics
- The Lorenz Cipher
- Breaking the Lorenz Cipher's Wheels
- Breaking a Lorenz Cipher Message
A symmetric cipher works using the following two transformations.
Once done, we can take the first column as the value of the Δχ^{(1)}_t sequence and the first row as the value of the Δχ^{(2)}_t sequence. From these Δχ sequences we can then determine possible values for the internal state of the χ registers. By constructing enough of the μ^{(2)}_t stream as above (say, a few hundred bits), we can determine the value of the μ^{(1)} register almost exactly.