ENGG5383: Applied Cryptography
Fall 2020
Tutorial 1: Introduction
Tutor: Harry W. H. Wong
1.1
1.1.1
Prepared by: Rusell W. F. Lai
Basic Cryptographic Primitives
Notations
ˆ λ (sometimes n or k): security parameter (Think of λ = 100 for 100-bit of security)
ˆ p(λ) = poly(λ): p(λ) is a polynomial in λ
ˆ |µ(λ)| ≤ negl(λ): |µ(λ)| ≤
1
p(λ)
for all p(λ) = poly(λ)
ˆ PPT: Probabilistic Polynomial (in λ) Time
ˆ {0, 1}n : The set of n-bit binary strings
ˆ {0, 1}∗ : The set of finite-length binary strings
ˆ ⊕: bit-wise XOR
1.1.2
Primitives
Definition 1.1 (One-Way Function / Permutation (OWF/P)) An efficiently computable function f :
D → R is said to be one-way if for any PPT adversary A, it holds that
Pr {f (A(f (x))) = f (x)} ≤ negl(λ).
x∈D
Furthermore, if f is bijection, then f is a one-way permutation.
Definition 1.2 (Trapdoor Permutation (TDP)) A one-way permutation f : D → R is said to be a
trapdoor permutation if there exists a trapdoor t and a polynomial-time algorithm g such that, for all x ∈ D,
given y = f (x), we have x = g(t, y).
Remark 1.3 Some definitions require the domain D and the space of function and trapdoor pairs be efficiently sampleable.
Example 1.4 (A “Not Useful” TDP) Let f : D1 → R1 be a TDP. Let f 0 : D1 × D2 → R1 × R2 be
defined as f 0 (x1 , x2 ) = (f (x1 ), x2 ). Then f 0 is also a TDP.
Proof: Bijectivity and the existence of trapdoor are trivial. Suppose f 0 is not one-way. Then there exists a
PPT adversary A0 such that
Pr
(x1 ,x2 )∈D1 ×D2
{f 0 (A0 (f 0 (x1 , x2 ))) = f 0 (x1 , x2 )} > negl(λ).
1-1
1-2
ENGG5383(Fall 2020) Tutorial 1: Introduction
Let A be another PPT adversary which, on input y1 = f (x1 ), samples y2 ← D2 , and passes (y1 , y2 ) to A0 .
A0 returns (x01 , x02 ) to A, who in turn returns x01 . Note that
Pr {f (A(f (x1 ))) = f (x1 )} > negl(λ),
x1 ∈D1
which contradicts the fact that f is one-way.
Example 1.5 (Candidate OWF based on The Short Integer Solution (SIS) Problem) Let n, m,
q ∈ Z such that m > n and q = nc for some positive integer c. Let A ← Zn×m
be a random matrix, and
q
r ← Znq be a random vector. Let fA,r : {0, 1}m → Znq be defined as fA,r (x) = Ax + r. Then fA,r is a OWF
assuming the hardness of SIS.
Definition 1.6 (Pseudorandom Generators (PRG)) An efficiently computable function g : {0, 1}λ →
{0, 1}λ+k for some positive integer k is said to be a pseudorandom generator if for any PPT adversary A, it
holds that
| Pr {A(g(x)) = 1} −
Pr
{A(y) = 1}| ≤ negl(λ).
x∈{0,1}λ
y∈{0,1}λ+k
Definition 1.7 (Pseudorandom Functions / Permutations (PRF/P) Family) Let F : K × D → R
be a family of efficiently computable functions indexed by k ∈ K. For any PPT adversary A, consider the
following PPT experiments:
RealA : Sample k ← K, and give A oracle access to f (k, ·) ∈ F. After querying polynomial number of times,
A returns a bit b which is returned by the experiment.
IdealA : Initiates an empty table T . On query x from A, check if T [x] is set. If not, sample y ← R and
assign T [x] = y. Reply A with T [x]. After querying polynomial number of times, A returns a bit b which is
returned by the experiment.
F is said to be a pseudorandom functions family if for any PPT adversary A, it holds that
| Pr{RealA = 1} − Pr{IdealA = 1}| ≤ negl(λ).
Furthermore, if all f ∈ F are bijective, then F is a pseudorandom permutations family.
Example 1.8 (Simple SKE from PRF) Let f be a PRF with key k. To encrypt a message m ∈ R,
sample r ← D, and output the ciphertext c = (r, f (k, r) ⊕ m). To decrypt a ciphertext c = (c1 , c2 ), compute
m = c2 ⊕ f (k, c1 ).
1.2
1.2.1
Basic Number Theory
Modular Arithmetic
ˆ Consider Zn = {0, 1, 2, . . . , n − 1} and Z = {. . . , −2, −1, 0, 1, 2, . . .}.
ˆ We say that “a is congruent to b modulo n”, or a ≡ b (mod n), if a = nx + b for some x ∈ Z.
ˆ Usual arithmetic rules apply:
1. a ≡ a (mod n)
ENGG5383(Fall 2020) Tutorial 1: Introduction
1-3
2. if a ≡ b (mod n), then b ≡ a (mod n)
3. if a ≡ b (mod n) and b ≡ c (mod n), then a ≡ c (mod n)
4. if a ≡ b (mod n) and c ≡ d, then a + c ≡ b + d (mod n) and ac ≡ bd (mod n)
5. if a ≡ b (mod n), then a + c ≡ b + c (mod n) and ac ≡ bc (mod n)
6. if a ≡ b (mod n), then ak ≡ bk (mod n) for all positive integer k
ˆ Except:
– if ac ≡ bc (mod n), then a ≡ b (mod n/d) where d = gcd(c, n)
1.2.2
Fast Exponentiation Algorithm
How to calculate ax (mod n) for large x, say 5110 (mod 131)?
1. Expand x in binary representation: 110 = 64 + 32 + 8 + 4 + 2
2. Complete the following table by repeated squaring:
52 ≡ 25 (mod 131)
58 ≡ 1012 ≡ 114 (mod 131)
532 ≡ 272 ≡ 74 (mod 131)
54 ≡ 252 ≡ 101 (mod 131)
516 ≡ 1142 ≡ 27 (mod 131)
564 ≡ 742 ≡ 105 (mod 131)
3. 5110 = 564+32+8+4+2 = 564 · 532 · 58 · 54 · 52 ≡ 105 · 74 · 114 · 101 · 25 ≡ 60 (mod 131).
1.2.3
Euclidean Algorithm
Notations and Terminologies:
ˆ The greatest common divisor (GCD) d of two integers a and b is the maximum of the integers that
divides both a and b, denoted as d = gcd(a, b).
ˆ The integers a and b are said to be coprime if gcd(a, b) = 1.
ˆ a | b means “a divides b”. a - b means “a does not divide b”.
Lemma 1.9 If a = qb + r, then gcd(a, b) = gcd(b, r).
Proof: Let d = gcd(a, b), then d | a and d | b. Then d | (r = a − qb). Suppose c is a common divisor of b
and r, then c | (a = qb + r). By definition of d, c ≤ d. Therefore d = gcd(b, r).
Theorem 1.10 For non-zero integers a and b, there exists integers x and y such that gcd(a, b) = ax + by.
Proof: We provide a constructive proof, i.e. we state the (extended) Euclidean algorithm which computes
the GCD, x and y. Without loss of generality, assume a > b > 0. Compute the following:
1-4
ENGG5383(Fall 2020) Tutorial 1: Introduction
a = q1 b + r1
b = q2 r1 + r2
r1 = q3 r2 + r3
..
.
0 < r1 ≤ b
0 < r2 ≤ r1
0 < r3 ≤ r2
rn−2 = qn rn−1 + rn
rn−1 = qn+1 rn + 0
0 < rn < rn−1
By Lemma 1.9, gcd(a, b) = gcd(b, r1 ) = . . . = gcd(rn−1 , rn ) = gcd(rn , 0) = rn .
Now, we work backward from the second last equation.
rn = rn−2 − qn rn−1
= (1 + qn qn−1 )rn−2 + (−qn )rn−3
= ...
= ax + by
Example 1.11 Compute gcd(360, 924).
924 = 2 × 360 + 204
gcd(360, 924) = 12 = 156 − 3 × 48
360 = 1 × 204 + 156
= 156 − 3 × (204 − 156)
204 = 1 × 156 + 48
= 4 × 156 − 3 × 204
156 = 3 × 48 + 12
= 4 × (360 − 1 × 204) − 3 × 204
48 = 4 × 12 + 0
= 4 × 360 − 7 × 204
= 4 × 360 − 7 × (924 − 2 × 360)
= 18 × 360 − 7 × 924
1.2.4
Euler’s Phi / Totient Function
Euler’s totient function: φ(n) = “# of positive integers that are less than and coprime with n”.
Properties: Let p be prime. Let m, n be positive integers such that gcd(m, n) = 1.
ˆ φ(p) = p − 1
ˆ φ(pk ) = pk−1 (p − 1)
ˆ φ(mn) = φ(m)φ(n).
Proof: Consider the following array:
1
m+1
2m + 1
..
.
2
m+2
2m + 2
..
.
(n − 1)m + 1
(n − 1)m + 2
...
r
m+r
2m + r
..
.
(n − 1)m + r
...
m
2m
3m
..
.
nm
ENGG5383(Fall 2020) Tutorial 1: Introduction
1-5
For each row, we know by Lemma 1.9 that gcd(km + r, m) = gcd(r, m). Therefore there are exactly
φ(m) columns in each row that are coprime with m. Now consider the r-th column, none of them are
congruent to each other modulo n. Therefore they are congruent to 0, 1, . . . , n − 1 in some order, and
exactly φ(n) of them are coprime with n.
1.2.5
Fermat’s Little Theorem and Euler’s Generalization
Theorem 1.12 (Fermat’s Little Theorem) Let p be a prime and p - a. Then ap−1 ≡ 1 (mod p).
Theorem 1.13 (Euler’s Generalization of Fermat’s Little Theorem)
If n ≥ 1 and gcd(a, n) = 1 , then aφ(n) ≡ 1 (mod n).
Proof: Let a1 , a2 , . . . , aφ(n) be positive integers that are less than and coprime with n. Since gcd(a, n) =
1, aa1 , aa2 , . . . , aaφ(n) are congruent to a1 , a2 , . . . , aφ(n) in some order. Let aai ≡ a0i (mod n) for i =
1, 2, . . . , φ(n). Then
(aa1 )(aa2 ) . . . (aaφ(n) ) ≡ a01 a02 . . . a0φ(n)
(mod n)
≡ a1 a2 . . . aφ(n)
(mod n)
and so
aφ(n) (a1 a2 . . . aφ(n) ) ≡ a1 a2 . . . aφ(n)
(mod n)
Since gcd(ai , n) = 1 for all i, we have gcd(a1 a2 . . . aφ(n) , n) = 1. Therefore aφ(n) ≡ 1 (mod n).
Definition 1.14 (Orders and Primitive Roots) Given a ∈ Z, let k ≤ φ(n) be the smallest positive
integer such that ak ≡ 1 (mod n). Then k is called the order of a. If a has the highest order, namely φ(n),
then a is called a primitive root of n. A primitive root a generates all the integers less than and coprime
with n by self multiplication.
Example 1.15 3 is a primitive root of 7.
x
3 (mod 7)
x
1.2.6
1
3
2
2
3
6
4
4
5
5
6
1
Chinese Remainder Theorem (CRT)
Theorem 1.16 (Chinese Remainder Theorem (CRT)) Let n1 , . . . , nk ∈ N be pair-wise coprime. Then
for any a1 , . . . , ak ∈ Z, there exists x ∈ Z such that x ≡ ai (mod ni ) for 1 ≤ i ≤ k. Furthermore, all solutions
x are congruent modulo the product N = n1 · nk . Hence, x ≡ y (mod ni ) for 1 ≤ i ≤ k if and only if x ≡ y
(mod N ).
Proof: Let N = n1 · nk and Ni = N/ni . Since gcd(ni , nj ) = 1 for all i 6= j,Pwe have gcd(Ni , ni ) = 1. Let
xi be the unique solution for Ni xi ≡ 1 (mod ni ) for each i. Consider x0 = i ai Ni xi . Obviously, x0 ≡ ai
(mod ni ) for all i. For the uniqueness of x0 modulo N , suppose there is another solution x00 such that
x0 ≡ x00 ≡ ai (mod ni ) for all i. Thus ni | (x0 − x00 ) for all i. Hence (N = Πi ni ) | (x0 − x00 ). In other words,
x0 ≡ x00 (mod N ).
1-6
1.2.7
ENGG5383(Fall 2020) Tutorial 1: Introduction
Quadratic Residues
Definition 1.17 (Quadratic Residues) An integer a is said to be a quadratic residue modulo n if there exists
an integer x such that a ≡ x2 (mod n). Other, a is said to be a quadratic non-residue.
Lemma 1.18 Let p be an odd prime, g be a primitive root of p. Then for any element a ≡ g z (mod p), the
following statements are equivalent:
1. a is a quadratic residue.
2. z is even.
3. a(p−1)/2 ≡ 1 (mod p). (Euler’s criterion)
The Legendre symbol of a modulo p is defined as


0
a
= 1

p

−1
a
p
= a(p−1)/2 . Therefore
p|a
a is a quadratic residue and p - a
a is a quadratic non-residue
Proof: The equivalence of the first two statements is trivial.
For the third statement, suppose a is a quadratic residue modulo p, then there exists an integer x such that
a ≡ x2 (mod p). Then a(p−1)/2 ≡ xp−1 ≡ 1 (mod 1) by Fermat’s little theorem.
Conversely, suppose a(p−1)/2 ≡ 1 (mod 1). Let g be a primitive root modulo p. Then a ≡ g z (mod p) for
some integer z. We have a(p−1)/2 ≡ g z(p−1)/2 ≡ 1 (mod 1). Since g is a primitive root, it has order p − 1.
Thus, p − 1 | z(p − 1)/2, which means z is even. Thus, a is a quadratic residue.
1.3
Basic Abstract Algebra
Definition 1.19 (Groups) Let G be a set and “·” be an operation defined over G. (G, ·) or simply G is
called a group if the following holds.
1. Closed: If a, b ∈ G, then a · b ∈ G
2. Associative: If a, b, c ∈ G, then (a · b) · c = a · (b · c)
3. Existence of Identity: ∃ e ∈ G such that a · e = e · a = a ∀ a ∈ G
4. Existence of Inverses: If a ∈ G, then ∃ a−1 ∈ G such that a · a−1 = a−1 · a = e
Furthermore, if G is commutative, i.e. “if a, b ∈ G, then a · b = b · a”, then G is said to be an Abelian group.
If the number of elements in G is finite, G is said to be a finite group. In this case, the number of elements
|G| is called the order of the group G. Otherwise, G is said to be an infinite group.
Definition 1.20 (Cyclic Groups and Generators) Let G be a finite group with order n and identity
element 1G . If there exists an element g ∈ G such that G can be written as {g, g 2 , g 3 , . . . , g n = 1G }, then G
is said to be a cyclic group, and g is said to be a generator of G.
ENGG5383(Fall 2020) Tutorial 1: Introduction
1-7
Example 1.21 Let n ∈ Z. (Zn , +) is a cyclic group of order n, and any g ∈ Z∗n is a generator of Zn .
Furthermore, if n = 2, 4, pk or 2pk for some odd prime p and positive integer k, then (Z∗n , ×) is a cyclic
group of order φ(n), and any primitive root of n is also a generator of Z∗n .
Definition 1.22 (Rings) Let (R, +) be an Abelian group and “·” be an additional operation defined over
R. (R, +, ·) or simply R is called a ring if the following holds.
1. Associative w.r.t. ·: If a, b, c ∈ R then (a · b) · c = a · (b · c)
2. Existence of Identity w.r.t. ·: ∃ e ∈ R such that a · e = e · a = a ∀ a ∈ R
3. Distributive w.r.t. +: If a, b, c ∈ R then (a + b) · c = (a · c) + (b · c) and a · (b + c) = (a · b) + (a · c)
Furthermore, if R is commutative w.r.t. ·, i.e.“if a, b ∈ R, then a · b = b · a”, then R is said to be a
commutative ring.
Definition 1.23 (Fields) A commutative ring (F, +, ·) is called a field if multiplicative inverses exist except
for the additive identity.
1.4
Computationally Hard Problems
Definition 1.24 (Integer Factoring Problem) Given that N = pq for some randomly chosen λ-bit long
primes p and q, find p and q.
Definition 1.25 (Discrete Logarithm Problem (DLP)) Let G be a cyclic group of λ-bit long prime
order p. Given (g, y = g x , p) where g ∈ G is a generator, and 1 ≤ x ≤ p is randomly chosen, find x.
Example 1.26 Let G be a cyclic group of prime order p with generator g. Let f : Z∗p → G be defined as
f (x) = g x . Then f is a OWP assuming the hardness of DLP.
Proof: One-wayness is trivial by the hardness of DLP. f is bijective since G is cyclic.
Definition 1.27 (RSA Problem) Given a tuple (N, e, c), where N = pq for some randomly chosen λ-bit
long primes p and q, e ← Z∗ φ(n), and c = me (mod n) for some m ← Z∗n , find m.
Definition 1.28 (Short Integer Solution (SIS) Problem) Given a tuple (A, n, m, q, β), where A ←
Zn×m
, find s ∈ Zm such that ksk ≤ β and As = 0.
q