Encryption with matrix comes from the classical
\(Vigen\grave{e}re\) password. Let
\(X=\{a_{1}, a_{2}, \ldots , a_{N}\}\) be a plaintext alphabet of
N characters, we replace the characters in
\(\mathbb {Z}_{N}\) and
X with numerical values, where
\(\mathbb {Z}_{N}\) is the remaining class ring of
\({{\,\mathrm{mod}\,}}N\). Let
\(P=\mathbb {Z}_{N}^{k}\) be the plaintext space,
\(x=x_{1}x_{2}\cdots x_{k} \in P\) is called a plaintext unit or a plaintext message of length
k. Let
\(M_{k}(\mathbb {Z}_{N})\) be a
k-order full matrix ring over
\(\mathbb {Z}_{N}\),
\(A\in M_{k}(\mathbb {Z}_{N})\) is a invertible matrix of order
k,
\(b=b_{1}b_{2}\cdots b_{k} \in \mathbb {Z}_{N}^{k}\) is a given directional quantity, each plaintext unit
\(x=x_{1}x_{2}\cdots x_{k}\) in
P is encrypted by affine transformation (
A,
b):
$$\begin{aligned} \left( \begin{array}{cccc} x_{1}^{'}\\ x_{2}^{'}\\ \vdots \\ x_{k}^{'} \end{array}\right) = A \left( \begin{array}{cccc} x_{1}\\ x_{2}\\ \vdots \\ x_{k} \end{array}\right) +\left( \begin{array}{cccc} b_{1}\\ b_{2}\\ \vdots \\ b_{k} \end{array}\right) . \end{aligned}$$
(4.32)
where
\(x=x_{1}x_{2}\cdots x_{k} \) is clear text,
\(x^{'}=x_{1}^{'}x_{2}^{'}\cdots x_{k} ^{'}\) is cryptosystemtext. The decryption algorithm is:
$$\begin{aligned} \left( \begin{array}{cccc} x_{1}\\ x_{2}\\ \vdots \\ x_{k} \end{array}\right) = A^{-1} \left( \begin{array}{cccc} x_{1}^{'}\\ x_{2}^{'}\\ \vdots \\ x_{k}^{'} \end{array}\right) -A^{-1}\left( \begin{array}{cccc} b_{1}\\ b_{2}\\ \vdots \\ b_{k} \end{array}\right) . \end{aligned}$$
(4.33)
Because affine transformation (
A,
b) is a 1–1 correspondence on
\(\mathbb {Z}_{N}^{k}\longrightarrow \mathbb {Z}_{N}^{k}\), its inverse transformation is
\((A^{-1}, -A^{-1}b)\); therefore, using affine transformation (
A,
b), we obtain the so-called high-order affine cryptosystem. This cryptosystem was first proposed by mathematician Lester hill in American Mathematics monthly in 1929, so it is also called Hill cryptosystem.
Hill cryptosystem divides the plaintext into a group of k characters and then encrypts each plaintext unit in turn by using k-order affine transformation (A, b) on \(\mathbb {Z}_{N}\). The advantage of this password is that it hides the statistical characteristics of a single character (such as 26 letters in English), which can better resist the statistical analysis of the occurrence frequency of characters, and has strong ability to resist cryptosystemtext only attacks. However, on the basis of mastering a large amount of plaintext, it is not difficult to find the key (A, b), so the hill password is not strong against the attack of known plaintext.
The mathematical principles used by Hill cryptosystem are the following two conclusions.
From the above lemma, any group element
\((A, b)\in G_{k}\) of affine transformation group will form a Hill cryptosystem. If we select
n group elements
\((A_{1}, b_{1}), (A_{2}, b_{2})\),
\(\ldots \),
\((A_{n}, b_{n})\) in
\(G_{k}\) and let
$$\begin{aligned} (A, b)=\prod _{i=1}^{n}(A_{i}, b_{i}). \end{aligned}$$
Using (
A,
b) to encrypt, we get a more complex Hill cryptosystem.
If \(k=1\), first-order affine cryptosystem \(x^{'} \equiv ax+b ({{\,\mathrm{mod}\,}}N)\), where \((a, N)=1\), contains many famous classical passwords, especially when \(a=1\), \(b=3\), \(N=26\), \(x^{'}=x+3({{\,\mathrm{mod}\,}}26)\) is the famous Caesar code in history.
Next, we analyze the computational complexity of affine cryptography. We have the following Lemma.
4.7.2 RSA
In 1976, two mathematicians from Stanford University, Diffie and Hellman, put forward a new idea of cryptosystem design. In short, the encryption algorithm and decryption algorithm are designed based on the principle of asymmetry. We can use the following schematic diagram to illustrate
$$\begin{aligned} P\xrightarrow {f}C\xrightarrow {f^{-1}}P, \end{aligned}$$
(4.35)
where
P is the plaintext space,
C is the cryptosystemtext space,
f encryption algorithm and
\(f^{-1}\) decryption algorithm. If
f and
\(f^{-1}\) are the same algorithm, such as the involution operation in binary system, or the encryption algorithm
f can easily deduce the decryption algorithm
\(f^{-1}\). For example, the matrix encryption algorithm mentioned in the previous section (the matrix order is very small), which is called symmetric cryptosystem. The essence of symmetric cryptosystem is that the encryption key and decryption key have the same confidentiality importance. Diffie and Hellman proposed that if
\(f \ne f^{-1}\) and
f are encryption algorithms that are easy to implement, while
\(f^{-1}\) is a decryption algorithm that is very difficult to calculate, the key can be divided into encryption key and decryption key. Even if the encryption key is made public to the public, the security of decryption key will not be affected. This encryption algorithm
f is called asymmetric or trapdoor one-way function. The password using asymmetric
f is called asymmetric password or public key cryptosystem. Due to the bold innovation of Diffie and Hellman, cryptography has ushered in a new era—the era of public key cryptography. Its basic feature is that passwords change from few users to many users, which greatly improves the efficiency and social value of passwords.
How to design asymmetric encryption algorithm? Rivest, Shamir and Adleman jointly put forward the first secure and practical one-way encryption algorithm, which is called RSA algorithm in academic circles. This public key cryptosystem has been widely used in cryptographic design and has become an international standard algorithm. In addition to its simplicity and practicality, its security completely depends on the difficulty of large prime factorization of huge integers.
Let
p,
q be two large and relatively safe prime numbers, assume
$$\begin{aligned} 10^{300}<p,q, ~~~\text {its binary digits}~ k>1024 \text {bits}. \end{aligned}$$
(4.36)
Let
\(n=pq\),
\(\varphi (n)\) be an Euler function, then
$$\begin{aligned} \varphi (n)=(p-1)(q-1)=n+1-p-q. \end{aligned}$$
Randomly select a positive integer
e to satisfy
$$\begin{aligned} 1<e< \varphi (n), (e, \varphi (n))=1. \end{aligned}$$
(4.37)
The large prime numbers
p and
q and
e satisfying formula (
4.37) are randomly generated. The so-called random generation is to randomly select the
p,
q and
e with the help of the computer random number generator (or pseudo-random number generator), and its computational complexity is
After randomly selecting
p,
q,
\(n=pq\), and
e, because
\((e, \varphi (n))=1\), then exist
\(d=e^{-1} {{\,\mathrm{mod}\,}}\varphi (n)\), that is
$$\begin{aligned} de \equiv 1 ({{\,\mathrm{mod}\,}}\varphi (n)), 1< d< \varphi (n). \end{aligned}$$
(4.38)
By Lemma
1.5 of chapter
1, calculate the number
\(\text {Time} (d)=O( \log ^{3}\varphi (n))=O( \log ^{3}n)\) of bit operations required for
\(d=e^{-1} {{\,\mathrm{mod}\,}}\varphi (n)\). By Lemma
4.4, we have
The key mathematical principle used in RSA cryptographic design is the generalized Euler congruence theorem.
\(n \ge 1\) is a positive integer,
\((m,n)=1\), from Euler theorem, it can be seen that
$$\begin{aligned} m^{\varphi (n)} \equiv 1 ({{\,\mathrm{mod}\,}}n), \Longrightarrow m^{\varphi (n)+1} \equiv m ({{\,\mathrm{mod}\,}}n) . \end{aligned}$$
(4.39)
We will prove that under the condition that
n is a positive integer without square factor, there is formula (
4.39) for all positive integers
m, whether
\((m, n)=1\) or
\((m, n)>1\).
With the above preparations, the workflow of RSA password can be divided into the following three steps:
(1)
Suppose A is a user of RSA, and A randomly generates two huge prime numbers \(p=p(A)\), \(q=q(A)\), \(n=n(A)\), where \(n=pq, \varphi (n)=(p-1)(q-1)\). Then randomly generate positive integers \(e=e(A)\), satisfies \(1< e < \varphi (n), (e, \varphi (n))=1\), calculated \(d\equiv e^{-1} ({{\,\mathrm{mod}\,}}\varphi (n))\), and \(1<d < \varphi (n)\). User A destroys two prime numbers p and q, and only keeps three numbers n, e, d, after publishing \(P_{e}=(n,e)\) as public key, he has private key \(P_{d}=(n,d)\) and keeps it strictly confidential.
(2)
User
B of another RSA sends encrypted information to user
A using the known public key (
n,
e) of user
A.
B selects
\(P=\mathbb {Z}_{n}\) as the plaintext space and encrypts each
\(m \in \mathbb {Z}_{n}\). The encryption algorithm
\(c=f(m)\) is defined as
$$\begin{aligned} c=f(m) \equiv m ^{e}({{\,\mathrm{mod}\,}}n) ,~ 1 \le c \le n. \end{aligned}$$
(4.41)
where
c is cryptosystemtext.
(3)
After receiving the cryptosystemtext
c sent by user
B, user
A decrypts it with its own private key (
n,
d). Decryption algorithm
\(f^{-1}\) is defined as:
$$\begin{aligned} m=f^{-1}(c)\equiv c ^{d}({{\,\mathrm{mod}\,}}n) ,~ 1 \le m \le n. \end{aligned}$$
(4.42)
User
A gets the plaintext
m sent by user
B. so far, RSA cryptosystem completes encryption and decryption.
The correctness and uniqueness of RSA password are guaranteed by the following Lemma.
Another very important application of RSA is for digital signature. From the workflow of RSA password, it can be seen that the encryption algorithm defined in formula (
4.41) is based on the public key
\((n_{A}, e_{A})\) of user
A, and we denote
f as
\(f_{A}\) and the decryption algorithm defined in formula (
4.42) as
\(f_{A}^{-1}\). The workflow of RSA digital signature is: User
A sends his digital signature to user
B, that is,
A sends an encrypted message to
B. Let
\(P_{e}(A)=(n_{A}, e_{A})\) be the public key of
A and
\(P_{d}(A)=(n_{A}, d_{A})\) the private key of
A. Similarly,
\(P_{e}(B)=(n_{B}, e_{B})\) is the public key of
B and
\(P_{d}(B)=(n_{B}, d_{B})\) is the private key of
B. Then the digital signature sent by user
A to user
B is
$$\begin{aligned} {\left\{ \begin{aligned}&f_{B} f_{A}^{-1}(m), ~\text {if}~ n_{A}< n_{B}\\&f_{A}^{-1}f_{B}(m), ~\text {if}~ n_{A}> n_{B}. \end{aligned} \right. } \end{aligned}$$
(4.43)
where
\(m \in \mathbb {Z}_{n_{A}}\) is the digital signature published by user
A. After receiving the above digital signature of user
A, user
B adopts the following two different digital verification according to the two cases of
\(n_{A}< n_{B}\) and
\(n_{A}> n_{B}\), formula (
4.43) is the real signature of user
A.
(i)
If
\(n_{A}< n_{B}\), user
B first decrypts with his private key
\(f_{B}^{-1}=(n_{B}, d_{B})\) and then decrypts with user
A’s public key
\(f_{A}=(n_{A}, e_{A})\), the verification is as follows
$$\begin{aligned} f_{A}f_{B}^{-1}(f_{B} f_{A}^{-1}(m))=f_{A} f_{A}^{-1}(m)=m. \end{aligned}$$
(ii)
If
\(n_{A}> n_{B}\), user
B uses user
A’s public key
\(f_{A}=(n_{A}, e_{A})\) first, then decrypt and verify with your own private key
\(f_{B}^{-1}=(n_{B}, d_{B})\)$$\begin{aligned} f_{B}^{-1} f_{A}(f_{A}^{-1}f_{B} (m))= f_{B}^{-1}f_{B}(m)=m. \end{aligned}$$
The security of RSA is the difficulty of large prime factorization based on
n. When all users select the large prime numbers
p and
q, let
\(n=pq\), then destroy
p and
q, only (
n,
e) and its own secret (
n,
d) key information are retained, even if (
n,
e) is published to the public, outsiders only know
n and do not know
\(\varphi (n)\), so they cannot obtain the information of private key (
n,
d). Because the calculation of
\(\varphi (n)\) must rely on the prime factorization of
n, from the product formula of Euler, it is not difficult to see
$$\begin{aligned} \varphi (n)=n \prod _{p|n}{(1- \frac{1}{p})}. \end{aligned}$$
Because we have very little knowledge of prime numbers, we have not found a general term formula to give an infinite number of prime numbers, so it is undoubtedly a difficult problem to judge whether a huge integer
n is prime, not to mention the prime factorization of
n.
4.7.3 Discrete Logarithm
Let
G be a finite group and
\(b,y \in G\) be two group elements of
G, let
t be the minimum positive integer satisfying
\(b^{t}=1\),
t is called the order of
b, denote as
\(t=o(b)\). If there is one
x,
\(1 \le x \le o(b)\) such that
\(y=b^{x}\),
x is called the discrete logarithm of
y under base
b. Known
\(b \in G\),
\(0\le x \le o(b)\), it’s easy to calculate
\(y=b^{x}\). Conversely, for any group element
y, it is very difficult to find the discrete logarithm of
y under base
b. Therefore, using discrete logarithm to encrypt has become the most mainstream encryption algorithm in public key cryptosystem, including the famous ElGamal cryptosystem and elliptic curve cryptosystem. ElGamal cryptosystem uses the discrete logarithm on the multiplication group formed by all
\(\mathbb {F}_{q}^{*}\) of nonzero elements in finite field
\(\mathbb {F}_{q}\). Elliptic curve cryptography uses the discrete logarithm algorithm of Mordell group on elliptic curve. Here we mainly discuss ElGamal cryptography, and elliptic curve cryptography is discussed in Chap.
6. We first prove several basic conclusions in finite field.
Based on the above basic conclusions about finite fields, we introduce two methods for solving discrete logarithms. The first is the Silver–Pohlig–Hellman smoothing method, and the second is the so-called exponential integration method.
Silver–Pohlig–Hellman
Let
\(\mathbb {F}_{q}\) be a
q-element finite field,
b is the generator, that is
\(\mathbb {F}_{q}^{*}=<b>\),
$$\begin{aligned} o(b)=|\mathbb {F}_{q}^{*}|=q-1=p_{1}^{\alpha _{1}}p_{2}^{\alpha _{2}} \cdots p_{s}^{\alpha _{s}}, \end{aligned}$$
(4.46)
where
\(p_{i}\) is a different prime number.
p for each prime factor of
\(q-1\),
\(p|q-1\), if
p is relatively “small", the positive integer
\(q-1\) is called a smooth positive integer. Under the condition that
\(q-1\) is smooth, for each prime factor
p, calculate all
p-th unit roots
\(r_{p,j}\) in
\(\mathbb {F}_{q}^{*}\), where
$$\begin{aligned} r_{p,j}=b^{\frac{j(q-1)}{p}},~ 1\le j \le p. \end{aligned}$$
(4.47)
Denote
\(R(p)=\{r_{p,j}|1\le j \le p\}\) is the root of
p p subunits in
\(\mathbb {F}_{q}^{*}\), then in
\(\mathbb {F}_{q}^{*}\), we get a unit root table
R.
$$\begin{aligned} \text {unit root table}~R=\{R(p_{1}), R(p_{2}), \ldots , R(p_{s})\}. \end{aligned}$$
(4.48)
Now let’s look at the calculation method of discrete logarithm in
\(\mathbb {F}_{q}^{*}\). Let
\(y \in \mathbb {F}_{q}^{*}\), the discrete logarithm of
y under base
b is
m, that is
\(y =b^{m}\). When
y and
b are given, the value of
m is desired
\((1 \le m \le q-1)\), by the prime factor decomposition of
\(q-1\) of formula (
4.46), if for each
\(p_{i}^{\alpha _{i}}(1 \le i \le s)\), the minimum nonnegative residue of
m under
\({{\,\mathrm{mod}\,}}p_{i}^{\alpha _{i}}\) is
\(m_{i}=m {{\,\mathrm{mod}\,}}p_{i}^{\alpha _{i}} \), according to the Chinese remainder theorem, there is a unique
\(m {{\,\mathrm{mod}\,}}q-1\) such that
$$\begin{aligned} m\equiv m_{i}({{\,\mathrm{mod}\,}}(p_{i}^{\alpha _{i}})), \forall ~i, 1 \le i \le s. \end{aligned}$$
Therefore, the discrete logarithm
m of
y is determined. Now the question is: let
\(p^{\alpha }|| q-1\), we determine
\(m {{\,\mathrm{mod}\,}}p^{\alpha }\). Let
$$\begin{aligned} m{{\,\mathrm{mod}\,}}p^{\alpha }=m_{0}+m_{1}p+m_{2}p^{2}+\cdots +m_{\alpha -1}p^{\alpha -1}, 0 \le m_{i} <p \end{aligned}$$
A is the minimum nonnegative residue of
m \({{\,\mathrm{mod}\,}}p^{\alpha }\), let’s determine each
\(m_{i}\). First, we calculate
\(m_{0}\). Because
\(y=b^{m}\), so
$$\begin{aligned} y^{\frac{q-1}{p}}=b^{\frac{m(q-1)}{p}}=b^{\frac{m_{0}(q-1)}{p}}. \end{aligned}$$
That is,
\(y^{\frac{q-1}{p}}\) is a unit root in
\(\mathbb {F}_{q}^{*}\), compare the unit root table
R in
\(\mathbb {F}_{q}^{*}\), then we have
\(m_{0}=j, 1\le j \le p\), which determines
\(m_{0}\). Next, calculate
\(m_{1}\), let
\(y_{1}=\frac{y}{b^{m_{0}}}=b^{m-m_{0}}\), therefore, the discrete logarithm of
\(y_{1}\) is
\(m-m_{0}\), and
$$\begin{aligned} m-m_{0}\equiv m_{1}p+m_{2}p^{2}+\cdots +m_{\alpha -1}p^{\alpha -1}( {{\,\mathrm{mod}\,}}p^{\alpha }), \end{aligned}$$
so
$$\begin{aligned} y_{1}^{\frac{q-1}{p^{2}}}=b^{\frac{(m-m_{0})(q-1)}{p^{2}}}=b^{\frac{m_{1}(q-1)}{p}}. \end{aligned}$$
in other words,
\(y_{1}^{\frac{q-1}{p^{2}}}\) is a
p subunit root of
\(\mathbb {F}_{q}^{*}\), comparing the unit root table
R, we can determine
\(m_{1}\). Continuing with this method, we can calculate
\(m_{2}, \ldots , m_{\alpha -1}\) in turn, so
\(m {{\,\mathrm{mod}\,}}p^{\alpha }\) is calculated, then by the Chinese remainder theorem, the discrete logarithm
m of
y under
b is calculated.
Exponential integral method
Let
\(\mathbb {F}_{q}\) be the finite field of
q element,
\(q=p^{n}\),
p be a relatively small prime number, and
n be a large positive integer, so that the security of
q can meet certain requirements. Let
\(\mathbb {F}_{p}\) be the finite field of
p element, we can think of
\(\mathbb {F}_{q}\) as an
n-th extension field of
\(\mathbb {F}_{p}\), according to the finite extension theory of the field,
\(\mathbb {F}_{q}\) equivalent to (isomorphism) a quotient ring of polynomial ring
\(\mathbb {F}_{p}[T]\) over
\(\mathbb {F}_{p}\). Let
\(f(T) \in \mathbb {F}_{p}[T]\) be the first irreducible polynomial of
n degree, then
$$\begin{aligned} \mathbb {F}_{q}=\mathbb {F}_{p}[T]/_{<f(T) >}=\{a_{0}+a_{1}T+\cdots +a_{0}T^{n-1}|\forall ~ a_{i} \in \mathbb {F}_{p}\}. \end{aligned}$$
(4.49)
Therefore, any element
a in
\(\mathbb {F}_{q}\) is equivalent to a polynomial
a(
T) on
\(\mathbb {F}_{p}\), where
\(\deg a(T) \le n-1.\) Let
\(b \in \mathbb {F}_{q}\) be the generator of
\(\mathbb {F}_{q}\),
\(b=b(T)\), if
\(a_{0} \in \mathbb {F}_{p}\) is a constant polynomial,
\(a_{0}\) is called a constant in
\(\mathbb {F}_{q}\).
By Lemma
4.8, the discrete logarithm of the constant in
\(\mathbb {F}_{q}\) can be easily determined. Let
\(b' \in \mathbb {F}_{p}\) be the generator of
\(\mathbb {F}_{p}^{*}\), if
\(m'\) is the discrete logarithm of constant
\(a_{0} \in \mathbb {F}_{p}\) to base
\(b'\), then by Lemma
4.8,
\(m=m'\frac{q-1}{p-1}\) is the discrete logarithm of
\(a_{0} \in \mathbb {F}_{q}\) under base
b. Take
\(m'(a_{0})\) as the discrete logarithm of
\(a_{0}\) under base
\(b'\), since
p is small, we can easily calculate and list the discrete logarithms of all constants in
\(\mathbb {F}_{q}\):
$$\begin{aligned} L_{0}=\{m'(a_{0})\frac{q-1}{p-1}|a_{0} \in \mathbb {F}_{p}\}. \end{aligned}$$
(4.50)
Next, we determine the discrete logarithm of a nonconstant polynomial under base
b(
T). Let
\(1<m<n\), define
$$\begin{aligned} L_{m}=\{p(x)\in \mathbb {F}_{p}[x]|p(x) ~\text {is monic irreducible polynomial}, \deg p(x) \le m\}, \end{aligned}$$
(4.51)
The number of irreducible polynomials in
\(L_{m}\) is written as
\(h_{m}\), that is
\(|L_{m}|=h_{m}\). We first calculate the discrete exponent of irreducible polynomials in
\(L_{m}\).
Let
\(b=b(T)\) be the generator of
\(\mathbb {F}_{q}^{*}\),
\(b(T) \in \mathbb {F}_{p}[T]\),
\(\deg b(T) \le n-1\), obviously, when
t runs through all positive integers from 1 to
\(q-1\),
\(b^{t}(T)\) runs through all nonzero polynomials in Eq. (
4.49). Appropriate choice
t, let
$$b^{t}(T) \equiv c(T) ({{\,\mathrm{mod}\,}}f(T)),~ \deg c(T) \le n-1.$$
Such that
$$c(T)= c_{0} \prod _{p(T) \in L_{m} }p(T)^{\alpha _{c, p}},$$
denote the discrete logarithm of
a(
T) under
b(
T) with
\(\text {ind} (a(T))\), which can be obtained from the above formula,
$$\begin{aligned} \text {ind} (c(T))-\text {ind} (c_{0}) \equiv \sum _{p(T)\in L_{m}}\alpha _{c, p} \text {ind} (p(T))~({{\,\mathrm{mod}\,}}q-1). \end{aligned}$$
Because of
\(\text {ind} (c(T))=t\), thus,
$$\begin{aligned} t-\text {ind} (c_{0}) \equiv \sum _{p(T)\in L_{m}}\alpha _{c, p} \text {ind} (p(T))~({{\,\mathrm{mod}\,}}q-1). \end{aligned}$$
(4.52)
By (
4.50),
\(\text {ind} (c_{0})\) is known, therefore, the above formula is a linear equation with
\(h_{m}\) variables
\(\text {ind} (p(T))\). By continuously selecting the appropriate
t, we can obtain
\(h_{m}\) independent linear equations, that is, the
\(h_{m} \times h_{m}\)-order matrix formed by the coefficients of
\(h_{m}\) variables and
\(h_{m}\) linear equations is reversible under
\({{\,\mathrm{mod}\,}}q-1\), by Lemma
4.2, as long as its determinant and
\(q-1\) are coprime. From the knowledge of linear algebra, we can calculate all
\(\text {ind} (p(T))\) by solving the above linear equations, the following exponential integral table
\(B_{m}\) is obtained,
$$\begin{aligned} B_{m}=\{\text {ind} (p(T))|p(T)\in L_{m}\}. \end{aligned}$$
(4.53)
With exponential integral table
\(B_{m}\), the discrete logarithm of any element
\(a(T) \in \mathbb {F}_{q}^{*}\) can be easily calculated. Let
\(a_{1}(T)=a(T)b(T)^{t}\), select the appropriate
t such that
$$a_{1}(T)\equiv a_{0} \prod _{p(T) \in L_{m} }p(T)^{\alpha _{a}}~ ({{\,\mathrm{mod}\,}}f(T)).$$
Once the decomposition is established, there are
$$\text {ind}(a_{1}(T))=\text {ind} (a_{0})+ \sum _{p(T) \in L_{m} }\alpha _{a}\text {ind}(p(T)).$$
Thus
$$\text {ind}(a(T))=\text {ind} (a_{1}(T) )-t.$$
The discrete logarithm of
a(
T) is obtained.
ElGamal cryptosystem
Using the computational complexity of discrete logarithm to design asymmetric cryptosystem is the basic idea of ElGamal cryptosystem. Each user randomly selects a finite field \(\mathbb {F}_{q}\), \(q=p^{n}\), p is a sufficiently large prime number, and then calculates the generator g of \(\mathbb {F}_{q}^{*}\), select the positive integer x randomly, \(1<x<q-1,\) and calculate \(y=g^{x}\), to get the public key \(P_{e}=(y, g, q)\), own private key \(P_{d}=(x, g, q)\).
Encryption algorithm: To send an encrypted message to user
A, user
B first corresponds each plaintext unit of plaintext space
P to an element in
\(\mathbb {F}_{q}^{*}\), and then encrypts each plaintext unit. Let
\(m \in \mathbb {F}_{q}^{*}\) be a plaintext unit, and user
B randomly selects an integer
k,
\(1< k< q-1\), then, the public key (
y,
g,
q) of user
A is used to encrypt
m, and the encryption algorithm
f is
$$\begin{aligned} f(m)=c', \text {where}{\left\{ \begin{aligned}&c'=my^{k},\\&c=g^{k}. \end{aligned} \right. } \end{aligned}$$
(4.54)
Get cryptosystemtext
\((c,c')\).
Decryption algorithm: After receiving the cryptosystemtext
\((c,c')\) sent by user
B, user
A decrypts
\((c,c')\) with its own private key (
x,
g,
q), decryption algorithm
\(f^{-1}\) is
$$\begin{aligned} f^{-1}(c')=c'c^{-x}. \end{aligned}$$
(4.55)
Finally, we discuss the computational complexity over finite fields.
4.7.4 Knapsack Problem
Given a pile of items with different weights, can you put all or several of these items into a backpack to make it equal to a given weight? This is a knapsack problem arising from real life. Abstract into mathematical problems: Suppose \(A=\{a_{0},a_{1}, \ldots , a_{n-1}\}\) are n sets of positive integers, N is a positive integer. Is N the sum of the elements of a subset in A? Using binary system, the knapsack problem in mathematics can be expressed as follows:
Knapsack problem: When
N and
\(A=\{a_{0},a_{1}, \ldots , a_{n-1}\}\) given, where each
\(a_{i} \ge 1\) is a positive integer, whether there is a binary integer
\(e=(e_{n-1}e_{n-2} \cdots e_{1}e_{0})_{2}\) makes the following formula true,
$$\sum _{i=0}^{n-1}e_{i}a_{i}=N, ~\text {where}~e_{i}=0 ~\text {or}~e_{i}=1.$$
If
e exists, it is called knapsack problem (
A,
N) solvable, denote as
\(\psi (A, N)=e\). If
\(N=0\), then
\(\psi (A, 0)=0\) (each
\(e_{i}=0\)) is called a trivial solution. Therefore,
\(N\ge 1\) is assumed to be a positive integer.
The above knapsack problem may have solutions, no solutions or multiple solutions. It is very difficult to solve the general knapsack problem (A, N), which belongs to the “NP complete” problem. If the conjecture of \(``P \ne NP\)” holds, there is no general algorithm, and its computational complexity is polynomial of n and \(\log N\). However, under some special conditions, such as the so-called super-increasing sequence, the solution of the problem will be very easy. Next, we introduce the polynomial solution method on the premise of super-increasing sequence.
The knapsack problem of super-increasing sequence is actually to find a monotonically decreasing index sequence
\(\{i_{k}\}_{k \ge 0}\), where
\(i_{k}>i_{k+1},~ 0\le i_{k} \le n-1, ~\forall ~ k \ge 0.\) First,
\(i_{0}\) is defined as
$$\begin{aligned} i_{0}=\max \{i|a_{i} \le N \}. \end{aligned}$$
(4.57)
Then consider
\(N-a_{i_{0}}=0,\) then the algorithm is completed, that
\(N=a_{i_{0}}.\) If
\(N-a_{i_{0}}>0\), then define
$$i_{1}=\max \{i|a_{i} \le N-a_{i_{0}} \}.$$
For any
\(k \ge 1\), define
$$\begin{aligned} i_{k}=\max \{i|a_{i} \le N-a_{i_{0}}-\cdots -a_{i_{k-1}}\}. \end{aligned}$$
(4.58)
If the equal sign in Eq. (
4.58) holds, that is
\(a_{i_{k}}=N-a_{i_{0}}-\cdots -a_{i_{k-1}}\), then the algorithm completes and obtains the solution
\(N=a_{i_{0}}+a_{i_{1}}\cdots +a_{i_{k}}\) of (
A,
N). If
\(i_{k}\) does not exist, that is
$$N-a_{i_{0}}-\cdots -a_{i_{k-1}}<a_{i},~\forall ~ i \ne i_{0}, i_{1}, \ldots , i_{k-1},$$
call the algorithm terminated. Obvious indicators
\(i_{0}> i_{1}>\cdots> i_{k}>\cdots \). Let
I be a set of some indicators, and denote the above algorithm as
\(\psi \).
MH knapsack public key encryption system
Merkle and Hellman first proposed an encryption method using knapsack problem in 1978, it is the first public key encryption password. Let
\(A=\{a_{0},a_{1}, \ldots , a_{n-1}\}\) be a sequence of super-increasing positive integers, take
p,
b as two prime numbers and satisfy
$$\begin{aligned} p>\sum _{i=0}^{n-1}a_{i}, ~1 \le b \le p-1. \end{aligned}$$
(4.59)
Calculate
\(t_{i} \equiv ba_{i}({{\,\mathrm{mod}\,}}p),~0 \le i \le n-1\), then the public key is
\(t=(t_{0},t_{1}, \ldots , t_{n-1})\), private key are
A and
b.
Encryption algorithm: The plaintext space
\(P=\mathbb {F}_{2}^{n}\), for each plaintext unit
\(m=(m_{0}m_{1}\cdots m_{n-1})\in P\), encryption algorithm
$$\begin{aligned} c=f(m)\equiv \sum _{i=0}^{n-1}t_{i}m_{i}({{\,\mathrm{mod}\,}}p), ~0\le c \le p, \end{aligned}$$
(4.60)
where
c is cryptosystemtext.
Decryption algorithm: First, use the private key
\(N \equiv b^{-1}c({{\,\mathrm{mod}\,}}p), ~0\le N \le p-1\). Then use the algorithm
\(\psi =f^{-1}\) of knapsack problem (
A,
N) to solve
$$\begin{aligned} f^{-1}(N)=(m_{0}m_{1}\cdots m_{n-1})\in \mathbb {F}_{2}^{n}, \end{aligned}$$
(4.61)
to get plaintext
\(m=(m_{0}m_{1}\cdots m_{n-1})\).
The correctness of MH knapsack public key cryptography is attributed to the following Lemma.
It can be seen from the above discussion that if \(A=\{a_{0},a_{1}, \ldots , a_{n-1}\}\) is not a super-increasing sequence, the decryption algorithm \(f^{-1}\) is a difficult problem of “NP complete class", so the encryption and decryption algorithm defined by MH knapsack cryptosystem is the most typical trapdoor single function. Because of this, people believe that MH knapsack public key cryptography is very secure for a long time. However, in 1982, Shamir proved that a class of nonsuper-increasing sequences can be transformed into super-increasing sequences by a simple transformation \(x\longrightarrow ax {{\,\mathrm{mod}\,}}m\), which can be solved by polynomial algorithm. Although this kind of convertible nonsuper-increasing sequence knapsack problem is quite special, it is enough to shake people’s confidence in the security of knapsack problem public key cryptosystem. It is now generally accepted that knapsack public key cryptography is no longer secure.
Shamir transform
Let
\(A_{1}=\{\alpha _{0},\alpha _{1}, \ldots , \alpha _{n-1}\}\) is a super-increasing sequence of positive integers. Randomly select four positive integers
\(m_{1}, a_{1}, m_{2}, a_{2}\), where
$$\begin{aligned} m_{1}>\sum _{i=0}^{n-1}\alpha _{i}, ~m_{2}>nm_{1}, ~(a_{1}, m_{1})=(a_{2}, m_{2})=1. \end{aligned}$$
(4.62)
A new positive integer sequence is defined by
\(m_{1}\) and
\(a_{1}\),
$$A_{2}=\{\omega _{0},\omega _{1}, \ldots , \omega _{n-1}\}, ~\text {where}~\omega _{i}=a_{1}\alpha _{i} {{\,\mathrm{mod}\,}}m_{1}.$$
Where
\(a_{1}\alpha _{i} {{\,\mathrm{mod}\,}}m_{1}\) represents the minimum nonnegative residue of
\(a_{1}\alpha _{i}\) \( {{\,\mathrm{mod}\,}}m_{1}\), that is
$$\begin{aligned} 0 \le \omega _{i}<m_{1}, ~\text {and}~\omega _{i} \equiv a_{1}\alpha _{i} ({{\,\mathrm{mod}\,}}m_{1}). \end{aligned}$$
(4.63)
By the third sequence of positive integers is defined by
\(m_{2}\) and
\(a_{2}\),
$$A_{3}=\{u_{0},u_{1}, \ldots ,u_{n-1}\}, ~u_{i}= a_{2}\omega _{i} {{\,\mathrm{mod}\,}}m_{2},$$
that is
$$\begin{aligned} 0 \le u_{i}<m_{2}, ~u_{i} \equiv a_{2}\omega _{i} ({{\,\mathrm{mod}\,}}m_{2}). \end{aligned}$$
(4.64)
Because
\(\{u_{i}\}\) is not a super-increasing sequence, if
\(A_{3}\) is used for encryption, it seems to be a general knapsack problem. Its difficulty will be NP complete, but Shamir transform will prove that its decryption algorithm is polynomial.
Let
\(x=(e_{n-1}e_{n-2}\cdots e_{1}e_{0})_{2}\in \mathbb {F}_{2}^{n}\) be clear text and encrypt with
\(A_{3}\),
$$\begin{aligned} c=f(x)=\sum _{i=0}^{n-1}e_{i}u_{i}, \end{aligned}$$
(4.65)
get cryptosystemtext
c. If decryption is required after receiving cryptosystemtext
c, it is a general knapsack problem, but the problem of using private key
\((b_{1}, m_{1}, b_{2}, m_{2})\) will become quite simple, where
$$\begin{aligned} {\left\{ \begin{aligned}&0 \le b_{1}<m_{1}, \ ~a_{1}b_{1}\equiv 1({{\,\mathrm{mod}\,}}m_{1})\\&0 \le b_{2} <m_{2}, \ ~a_{2}b_{2}\equiv 1({{\,\mathrm{mod}\,}}m_{2}). \end{aligned} \right. } \end{aligned}$$
First, note the minimum nonnegative residue of
\(b_{2}c\) under
\({{\,\mathrm{mod}\,}}m_{2}\),
$$\begin{aligned} N_{0}=b_{2}c {{\,\mathrm{mod}\,}}m_{2}=\sum _{i=0}^{n-1}e_{i}\omega _{i}. \end{aligned}$$
(4.66)
Because by (
4.65),
$$b_{2}c \equiv \sum _{i=0}^{n-1}e_{i}b_{2}u_{i}\equiv \sum _{i=0}^{n-1}e_{i}\omega _{i}({{\,\mathrm{mod}\,}}m_{2}). $$
By the assumption
\(m_{2}>nm_{1}\) of formula (
4.62), and (
4.63), there is
$$ 0 \le \sum _{i=0}^{n-1}e_{i}\omega _{i}< m_{2}. $$
So (
4.66) holds. Then consider the minimum nonnegative residue
\(N=b_{1}N_{0} {{\,\mathrm{mod}\,}}m_{1}(0 \le N <m_{1})\) of
\(b_{1}N_{0}\) \({{\,\mathrm{mod}\,}}m_{1}\), by (
4.63),
$$N=b_{1}N_{0}\equiv \sum _{i=0}^{n-1}e_{i}b_{1}\omega _{i}\equiv \sum _{i=0}^{n-1}e_{i}\alpha _{i}({{\,\mathrm{mod}\,}}m_{1}). $$
So there is
$$N= \sum _{i=0}^{n-1}e_{i}\alpha _{i},~\alpha _{i} \in A_{1}.$$
Since
\(A_{1}\) is a super-increasing sequence, the algorithm of polynomial (see Lemma
4.13), we have
$$\psi (A_{1},N)=(e_{n-1}e_{n-2}\cdots e_{1}e_{0})_{2}=x.$$
To get plaintext
x.
Therefore, Shamir uses simple transformation to transform the general knapsack problem into super-incremental knapsack problem. Although \(A_{3}\) is very special, we have reason to doubt that the public key cryptography based on the general knapsack problem solving algorithm is not as secure as people think.
Exercise 4
1.
Explain the following terms. (1) One secret at a time, (2) Completely confidential system, (3) Unique solution distance, (4) Improve the certification system.
2.
Short answer:
(1)
What are the advantages and disadvantages of symmetric cryptosystem and asymmetric cryptosystem?
(2)
The goal of perfecting the certification system.
3.
It is known that the plaintext is “Friday”, and the cryptosystemtext obtained after encryption with \(m=2\)’s Hill password is “POCFKU”, find the key of Hill password.
4.
Find the inverse matrix
\(({{\,\mathrm{mod}\,}}N)\) of the following matrix:
$$A= \left[ \begin{array}{cccc} 1 &{} 3 \\ 4 &{} 3 \end{array}\right] {{\,\mathrm{mod}\,}}5,~ A= \left[ \begin{array}{cccc} 1 &{} 3 \\ 4 &{} 3 \end{array}\right] {{\,\mathrm{mod}\,}}29,$$
$$A= \left[ \begin{array}{cccc} 15 &{} 17 \\ 4 &{} 9 \end{array}\right] {{\,\mathrm{mod}\,}}26,~ A= \left[ \begin{array}{cccc} 197 &{} 62 \\ 603 &{} 271 \end{array}\right] {{\,\mathrm{mod}\,}}841.$$
5.
In number theory, Fibonacci number is defined as
\(a_{1}=1,a_{2}=1,a_{3}=2\), when
\(n>1\),
\(a_{n+1}=a_{n}+a_{n-1}\). Prove
$$ \left[ \begin{array}{cccc} a_{n+1} &{} a_{n} \\ a_{n} &{} a_{n-1} \end{array}\right] = \left[ \begin{array}{cccc} 1 &{} 1 \\ 1 &{} 0 \end{array}\right] ^{n},$$
and
\(a_{n}\) is even if and only if 3|
n. More generally, find the law of
\(d|a_{n}\).
6.
Suppose
\(N=mn\), and
\((n,m)=1\). A second-order matrix
\(A\in M_{2}(\mathbb {Z}_{N})\) on n
\(\mathbb {Z}_{N}\), can consider
\(A\in M_{2}(\mathbb {Z}_{m})\) and
\(A\in M_{2}(\mathbb {Z}_{n})\), let
\(A_{1}\) and
\(A_{2}\) represent the elements of
A in
\(M_{2}(\mathbb {Z}_{m})\) and
\(M_{2}(\mathbb {Z}_{n})\), then prove
(i)
Mapping \(A{\mathop {\longrightarrow }\limits ^{\sigma }}(A_{1},A_{2})\) is a 1–1 correspondence between \(M_{2}(\mathbb {Z}_{N}){\mathop {\longrightarrow }\limits ^{\sigma }}M_{2}(\mathbb {Z}_{m})\times M_{2}(\mathbb {Z}_{n})\).
(ii)
In the corresponding \(\sigma \), A is the invertible matrix \(({{\,\mathrm{mod}\,}}N)\) if and only if \(A_{1}\) is the invertible matrix \(({{\,\mathrm{mod}\,}}m)\) and \(A_{2}\) are the invertible matrix \(({{\,\mathrm{mod}\,}}n)\).
7.
Let p be a prime, \(\alpha \ge 1\), then \(A\in M_{2}(\mathbb {Z}_{p^{\alpha }})\) is a reversible square matrix if and only if \(A\in M_{2}(\mathbb {Z}_{p})\) is a reversible square matrix. By calculate, for \(\forall ~ \alpha \ge 1\), find the number of reversible matrices in \(M_{2}(\mathbb {Z}_{p^{\alpha }})\).
8.
Let \(\varphi (N)\) be Euler function, \(\varphi _{2} (N)\) is the number of invertible matrices in \(M_{2}(\mathbb {Z}_{N})\), calculation formula for \(\varphi _{2} (N)\): that is, write a formula for \(\varphi _{2} (N)\) similar to \(\varphi (N)\). Known \(\varphi (N)=N\prod _{p|N}(1-\frac{1}{p})\), solve \(\varphi _{2} (N)=?\)
9.
Let \(\varphi _{k} (N)\) be the number of k-order reversible matrices in \(M_{k}(\mathbb {Z}_{N})\) and give the calculation formula of \(\varphi _{k} (N)\).
10.
According to exercise 8 and exercise 9, find the order of k-dimensional affine transformation group \(G=(A,b)\) on \(\mathbb {Z}_{N}\).
11.
RSA is used for encryption, the alphabet of plaintext and cryptosystemtext is \(\{0,1,2,\ldots , 39\}\) 40 numbers, of which \(\{0,1,2,\ldots , 25\}\) 26 numbers are equivalent to English 26 letters. Blank \(=26\), \(\bullet =27\), \(?=28\), \(\$=29\), number \(\{0,1,2,\ldots , 9\}=\{30,31,\ldots , 39\}\). Suppose all public keys \(n_{A}\) satisfy \(40^{2}<n_{A}<40^{3}\). Plaintext unit \(m=m_{1}m_{2}\in \mathbb {Z}_{40}^{2}\), cryptosystemtext unit \(c=c_{1}c_{2}c_{3}\in \mathbb {Z}_{40}^{3}\). For any plaintext unit, \(m=m_{1}m_{2}\) corresponds to a number \(m_{2}40+m_{1}\) of \(\mathbb {Z}_{n_{A}}\), any cryptosystemtext \(c=c_{3}40^{2}+c_{2}40+c_{1}\in \mathbb {Z}_{n_{A}}\).
(i)
Encrypting plaintext "\(SEND \$7500\)" with public key \((n_{A},e_{A})=(2047,179)\).
(ii)
Factor \(n_{A}=2047\) to find the private key \((n_{A},d_{A})=?\)
(iii)
A password attacker can quickly find the private key \(d_{A}\) without factoring 2047, so \(n_{A}=2047\) is a pretty bad choice. Why?
12.
The computer attacks the public key \((n_{A},e_{A})=(536813567,3602561)\) and finds the private key \(d_{A}\). It shows that 29-bit \(n_{A}\) is not safe in RSA system.
13.
Assuming that the plaintext alphabet is
\(\{0,1,\ldots , 26\}\), and the first 26 numbers are 26 letters in English, blank
\(=26\). Cryptosystemtext alphabet adds
\(``|"=27\) to the plaintext alphabet, a total of 28 numbers. If the plaintext unit is
\(m=m_{1}m_{2}m_{3}\in \mathbb {Z}_{27}^{3}\), Cryptosystemtext unit is
\(c=c_{1}c_{2}c_{3}\in \mathbb {Z}_{28}^{3}\). Then in the corresponding number of
\(Z_{n_{A}}\) (see exercise 11), we need
\(n_{A}\) to meet
$$19683=27^{3}<n_{A}<28^{3}=21952,$$
(i)
If your decryption key is \((n_{A},d_{A})=(21583,20787)\), decrypt cryptosystemtext is “YSNAUOZHXXH" (blank at the end).
(ii)
If you know the Euler function \(\varphi (n)=21280\), calculate \(e=d^{-1} {{\,\mathrm{mod}\,}}\varphi (n)\) and factorize n.
14.
Prove: In RSA, the 35 bit integer \(n=23360947609\) is a particularly bad choice. (Hint: \(n=p\cdot q\) factorization, the size difference between p and q remains unchanged, and Fermat factorization can be used to attack.)
15.
Let
n be a square free number, and
\(de\equiv 1({{\,\mathrm{mod}\,}}\varphi (n))\). It is proved that there is congruence
$$a^{de}\equiv a({{\,\mathrm{mod}\,}}n)$$
for all integers
a.
16.
The multiplication group \(\mathbb {F}_{181}^{*}\) of finite field \(\mathbb {F}_{181}\) is generated by \(g=2\), the discrete logarithm of 153 pairs of basis 2 is calculated by smoothing factor method.
17.
In the knapsack problem, determine whether the following sequence is an over increasing sequence, whether the knapsack problem is solvable for a given
N, and how many solutions there are:
(i)
\(A=\{2,3,7,20,35,69\}, N=45;\)
(ii)
\(A=\{1,2,5,9,20,49\}, N=73;\)
(iiii)
\(A=\{1,3,7,12,22,45\}, N=67\);
(iv)
\(A=\{2,3,6,11,21,40\}, N=39;\)
(v)
\(A=\{4,5,10,30,50,101\}, N=186.\)
18.
If \(A=\{a_{i}|i=0,1,2,\cdots \}\) is an over increasing sequence and \(a_{0}=1\), \(a_{i}\) is the smallest positive integer satisfies \(a_{i}\ge \sum _{j=0}^{i-1}a_{j}\), then \(a_{i}=2^{i}\) holds for \(\forall ~ i\ge 1\).
19.
Let \(A=\{a_{0},a_{1}, \ldots ,a_{i},\ldots \}\) be a super-increasing sequence, where \(a_{i}=2^{i}(i\ge 1)\), then for any positive integer N, Knapsack problem (A, N) has a unique solution.
20.
Let \(A=\{a_{0},a_{1}, \ldots , a_{i}, \ldots \}\) be a super-increasing sequence, if for any positive integer N, knapsack problem (A, N) always has a solution, prove \(a_{i}=2^{i}(i\ge 1)\).