Download
slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
第二章 PowerPoint Presentation

第二章

289 Views Download Presentation
Download Presentation

第二章

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. 第二章 數學基礎

  2. 密碼學相關的學基礎 • 數論(Number Theory) • 資訊理論 (Information Theory) • 複雜度理論 (Complexity Theory) • 組合理論(Combinatoric Theory) • 機率(Probability) • 及線性代數(Linear Algebra)

  3. Information Theory • Shannon 1984提出信息理論(Information Theory) • 編碼理論(Coding Theory) • Information theory measures the amount of information in a message by the average number of bits needed to encode all possible messages in an optimal encoding. • 熵(Entropy): 是一種表示訊息量的方法,為了表示不同的信息所需要的平均位元數(bit)。 • 例如: SEX(性別) male or female v.s. 0 or 1 5 1 • Programs and text file are encoded with 8-bit ASCII code, can be compressed by about 40% without losing any information.

  4. Entropy • Entropy is a function of the probability distribution over the set of all possible message. • Let X1, X2, ..., Xn be n possible messages occurring with probabilities p(X1), p(X2), ...,p( Xn), where • The entropy of a given message is defined by the weight average:

  5. Example for Entropy • Male and Female have equal probability p(Male)=p(Female)=1/2. • Intuitively, each term log2(1/p(X)) represents the number of bits needed to encode message X in an optimal encoding – that is, one which minimize the expected number of bits transmitted over the channel.

  6. Entropy • Because 1/p(X) decreases as p(X) increases, an optimal encoding uses short codes for frequently occurring messages at the expense of using longer ones for infrequent messages. • Morse code. • Huffman code.

  7. Example • n=3, 3 message A, B, and C p(A)=1/2, p(B)=p(C)=1/4. • Then Coding method: A=0 B=10 C=11 A B A A C A B C 0 10 0 0 11 1 10 11 8/12=1.5 is optimal.

  8. Example • Assume all message are equally likely p(Xi)=1/n, for i=1,.2,...,n. Then H(X)=n(1/n) log2n= log2n Let n=1 and p(X)=1. Then H(X) =log21=0. There is no information because there in on choice.

  9. Entropy • Given n, H(X) is maximal for p(X1), p(X2), ...,p( Xn)= 1/n, that is, when all message are equally likely. • H(X) decreases as the distribution of messages becomes more and more skewed, reaching a minimum of H(X)=0 when p(Xi)=1 for some message Xi.

  10. Uncertainty不確定性 • H(X)=0 表示該MESSAGE不含任何不確定值,表該信息一定發生。 • 不需要傳送。 • 若H(X)很大,表不確定性很大,則訊息量(amount of information)也大,及很重要了。

  11. 密碼學的觀點看不確定性 • H(X)大,不確定性大,資訊量大,越安全。 • H(X)小,不確定性小,資訊量小,越不安全,易被猜中。

  12. Rate of language • Given a language, consider the set of all messages N characters long. • 語文率The rate of the language for message of length N is defined by r =H(X)/N; that is, the average number of bits on information in each character. • Example: English: • N=4, 5, 6 r=1.0/bit/letter, • N較大時,r=1.5 bits/letter

  13. Absolute rate of the language • The absolute rate of the language is defined to be the maximum number of bits of information that could be encoded in each character assuming all possible sequence of characters are equally likely. • If there are L characters in the language, then the absolute rate is given by R=log2L Example: English • R=log226=4.7 bits/letter • Note r <= R • The actual rate of English is thus considerably less than its absolute rate. • The English is highly redundant (重複性,多於成分).

  14. Redundancy 多於成分 • Redundancy arise from the structure of the language. It is reflected in the statistical properties: • Single letter frequency distributions: E, T, and A • Digram frequency distributions: TH, EN • Trigram distributions : BBB 少見 THE • N-gram distributions: phase • D=R-r • Example: R=4.7, r=1, D=3.7 • D/R=79% redundant of English • Redundancy 越大則提供破密者更多資訊來破解密文

  15. Perfect Secrecy • Shannon提出:若一個密碼系統,即使攻擊者截收到無線多的密文,都對明文不造成危害,則稱為Perfect Secrecy • 當攻擊者截收到更多的密文時,明文的不確定性(Uncertainty) 值越來越小。到H(X)=0時,則遭破解。 • 唯有KEY LENGTH 大於或等於PLAINTEXT 的長度時,則為PERFECT SECRECY. • One-Time Pad • 傳輸前先將Redundancy降低,可以降低被密的機率。可以先壓縮。

  16. Key equivocation • Shannon measured the secrecy of a cipher in terms of the key equivocation Hc(K) of a key K for a given ciphertext C; that is, the amount of uncertainty in K given C. where PC(K) is the probability of K given C. If Hc(K) = 0 then there is no uncertainty, and the cipher is theoretically breakable given enough resources.

  17. Unicity Distance • Unicity distance: 能唯一決定KEY值所需密文的最低數量。 • The unicity distance is the smallest N such that HC(K) is close to 0; that is, it is the amount of ciphertext needed to uniquely determine the key. • A cipher is unconditionally secure if HC(K) never approaches 0 even for large N; that is, on matter how much ciphertext is intercepted, the key cannot be determined. • ideal secrecy: that did not achieve perfect secrecy, but were nonetheless unbreakable because they did not given enough information to determine the key.

  18. Unicity distance • Hellman 定義: U=H(K)/D H(K) 為代表KEY的ENTROPTY D 為該語言的redundancy • Example: DES system 64 bits plaintext, key length 56 bits, H(K)=56, D=3.2 bit/letters U=H(K)/D=56/3.2=17.5

  19. Unicity distance • Unicity distance提供了破解密碼時,所需最少的密文數量。卻未提供如何破解密文的方法,為一理論值。 • 一般可能需更多的密文。 • 若Unicity distance太小時,密碼系統必定不太安全。 • 若Unicity distance太大時,密碼系統的安全性不一定增大。

  20. Complexity Theory複雜度理論 • 依各系統是否安全與破密者欲破解此系統時,所要花費的計算複雜度(Computational complexity)有關。 • Computational complexity • Time complexity • Space complexity • Computational complexity 的表示法 • 級數Order O • Eg. 2n2+8n+7 -> O(n2) • Eg. O(1) 固定值 O(nt) 多項式關係 O(tf(n))指數關係

  21. Computational Complexity

  22. 問題的分類 • Tractable vs. Intractable 易處理與不易處理 • Hard problem: 指數次方的問題 • P problem: 能再多項式時間能夠求解出來的問題 • NP problem:不能再多項式時間能夠求解出來的問題 • P =? NP • NP-complete problem: NP 中有一些問題是已被證明較其他問題難的。 • SATISFIABLITY problem • Partition Problem

  23. Complexity Classes

  24. Complexity 與密碼學的關係 • 1976 Diffe and Hellman建議以計算複雜度來設計密碼系統。 • 當暗門(trapdoor)被巧妙的放入設計的密碼系統中時,對破密者,需解NP-complete problem;對知道暗門的人,可以快速的解出。 • 是否越複雜的問題越好? • 不見得理想,可能導致密碼系統的加解密速度太慢。 • Example: • RSA 1978, 質因數分解的問題 • Merkel and Hellman 1978, trapdoor knaspsack problem

  25. 複雜度越高的問題不適合用於設計密碼系統的原因複雜度越高的問題不適合用於設計密碼系統的原因 • 複雜度理論,通常只針對某一種問題中的一個特例進行分析,破密者卻有許多的統計資料可供分析。 • 複雜度理論是針對worst Case or average case作分析,但對於密碼系統,必須確認所有的case 均是難以破解的。 • 暗門必須巧妙的安排至問題中,但一般而言不易安排。

  26. Number Theory 數論 • Congruences and Modular Arithmetic • Given integers a, b, and n≠0, a is congruent to b modulo n, written a≡nb if and only if a-b = kn, for some interger k • That is n divides (a-b) 即n 整除 a-b, 記成 n|(a-b) • Example: 17 ≡ 5 7, because (17-7) =2*5 • If a≡nb, then b is called a residue of a modulo n (餘 數) • A set of n numbers {r1, r2, ...,rn} is called a complete set of residues modulo n if, for every integer a, there is exactly one ri in the set such that a≡nri. • For any modulus n, the set of integers {0, 1, ..., n-1} forms a complete set of residues modulo n. • We shall write a mod n to denoted the residue r of a modulo n in the range [0, n-1]. • Example: 7 mod 3 =1

  27. Properties of modulo • a mod n =r implies a≡nr but not conversely. • a≡nb if and only if a mod n = b mod n. • The integers mod n with addition and multiplication form a communicative ring. • 反身律 a= a mod n • 對稱律 if a = b mod n then b = a mod n • 遞移律 if a=b mod n and b=c mod n then a=c mod n • 結合律(associativity) if a = b mod n and c =d mod n then a+c =b+d mod n, a-c=b-d mod n, ac=bd mod n. • 交換律(commutativity) • 分配律 distributivity

  28. Principle of modular arithmetic • (a1 op a2 ) mod n = [(a1 mod n) op (a2 mod n)] mod n • (a+ b) mod n = [(a mod n) + (b mod n)] mod n • (a-b) mod n = [(a mod n) - (b mod n)] mod n • (ab) mod n = [(a mod n) (b mod n)] mod n

  29. modular arithmetic • 若ac=bd mod n 且c=d mod n, 且 (c,n)=1互質 則 a = b mod n • Proof)

  30. Example

  31. Example • The principle of modular arithmetic also applies to exponentiations of the form et, where 0 ≦ t ≦n-1. • That is: • If n ≦ t, (et mod n) mod n may not equal et mod n.

  32. Example

  33. Fast exponentiation algorithm

  34. Computing Inverses • 反元素inverses:Given ax mod n =1, x=? • Example: 3*7 mod 10 =1, if a=3 then x=7; if a=7 then x=3 • Given a in [0, n-1], a has a unique inverse mod n when a and m are relative prime. gcd(a,n)=1. • Lemma: If gcd(a,n)=1, then (ai mod n) ≠(aj mod n) for each i, j such that 0≦i < j <n. • This property implies that each ai mod n (i=0,...,n-1) is a distinct residue mod n, and that the set {ai mod n, i=0,1, ..., n-1} is a permutation of the complete set of residues{0, ..., n-1}.

  35. Example • If n=5 and a=3 • 3*0 mod 5 =0 • 3*1 mod 5=3 • 3*2 mod 5=1 • 3*3 mod 5=4 • 3*4 mod 5=2 • This property does not hold when a and n have a common factor • 2*0 mod 4=0 • 2*1 mod 4=2 • 2*2 mod 4=0 • 2*3 mod 4=2

  36. Inverse Theorem • If gcd(a,n)=1, then there exist an integer x, 0 <x < n, such that ax mod n =1 • Existence of an inverse. • How to find it? • The reduced set of residues mod n is the subset of residues {0, 1,...,n-1} relatively prime to n. • Example if n=10 then {1,3,7,9} is the set of reduced set of residues. • If n is prime, the ten reduced set of residues is {1,2,...,n-1}. (除了0)

  37. Finding Inverse • The Euler totient function is the number of elements in the reduced set of residues modulo n. Equivalently, ψ(n) is the number of positive integers less than n that are relatively prime to n • Note, every integer relatively prime to n is congruent modulo n to some member of the set. • If gcd(a,n)=1 for some integer a, then for each ri, gcd(ari, n)=1 and ari mod n =rj for some rj. • For prime p, ψ(p)=p-1.

  38. Theorem • For n=pq and p,q prime ψ(n)= ψ(p) ψ(q)=(p-1)(q-1) Example: p=3, q=5 Then ψ(15)=(3-1)(5-1)=2*4=8, and there are 8 elements in the reduced set of residues modulo 15: {1, 2, 4, 7, 8, 11, 13, 14} • In general, for arbitrary n, ψ(n) is given by

  39. Theorem • In general, for arbitrary n, ψ(n) is given by is the prime factorization of n (i.e.. the pi are distinct primes, and ei gives the number of occurrences of pi) • Example n=24=2331 • ψ(24)=22(2-1)30(3-1)=8

  40. Theorem • Fermat’s Theorem: • Let p be prime. Then for every a such that gcd(a,p)=1, ap-1 mod p =1 • Euler’s generalization • For every a and n such that gcd(a,n)=1, a ψ(n) mod n =1

  41. Finding inverse • Equation: ax mod n =1, where gcd(a,n)=1 x=a ψ(n)-1 mod n • If n is prime, this is simply x=a (n-1)-1 mod n=a (n-2) mod n • Example: Let a =3 and n=7. Then x=35mod 7=5

  42. Finding inverse If ψ(n) is known, the inverse x of a (mod n) can be computed using fastexp algorithm. Alternatively, x can be computed using an extension of Euclid’s algorithm for computeing the gcd. Time complexity: O(.843 ln(n) + 1.47)

  43. GCD algorithm(輾轉相除法)

  44. 如何解 ax mod n =b • If gcd(a,n)=1. • First the solution x0 to “ax mod n =1” is found. • Now ax0 mod n =1 implies bax0 mod n =b • Whence x=bx0 mod n is the unique solution to “ax mod n =b” in the range [1, n-1] • That is x=[b * inv (a,n)] mod n or x= [b * fastexp(a, ψ(n)-1, n)] mod n • If gcd (a,n) ≠1, the equation will either have no solution or will have more than one solution in the range [1, n-1]

  45. Theorem • Let g = gcd(a,n). If g | b the equation ax mod n =b will have g solution of the form

  46. Example • Equation: 6x mod 10=4 • Because g = gcd (6,10)=2, 2 |4, there are 2 solutions. • First, compute the solution x0 to the equation (6/2) x mod (10/2) =1, that is 3x mod 5 =1 get x0=2. This gives x1=(4/2)2 mod (10/2) =4 mod 5 =4 The solution are thus: t=0: x =4 t=1: x=[4+(10/2)] mod 10=9

  47. Solve ax mod n =b n =d1d2d3...dt be the prime factorization of n, where di = piei Let f(x) be a polynomial in x. The following theorem shows that x is a solution to the equation f(x) mod n =0 if and only if x is a common solution to the set of equation f(x) mod di=0 for i=1,...,t. f(x) mod n =0 if and only if f(x) mod di=0

  48. Solve ax mod n =b • Writing this as (ax-b) mod n =0, we find a common solution to the equations (ax-b) mod di=0 or, equivalently, to the equations ax mod di =b mod di • Theorem: Chinese Remainder Theorem Let d1, ...,dt be pairwise relatively prime, and let n=d1d2...dr. Then the system of equations (x mod di ) = xi i=1, ...,t)

  49. Example Equation: 3 x mod 10 =1 Observe 10 = 2* 5, so d1=2 and d2=5 We first find solution x1 and x2 to the equations: 3 x mod 2 =1 3 x mod 5 =1 This gives us x1=1 and x2=2 Chinese Remainder Theorem is applied: x mod 2 =x1 =1, x mod 5 =x2=2. (10/2) y1 mod 2 = 1 and (10/5)y2 mod 5 =1 getting y1=1 and y2=3. We then have x=[(10/2)y1x1+(10/5)y2x2]mod 10 =[5*1*1+2*3*2] mod 10 =7. Thus 7 is the inverse of 3 (mod 10.)

  50. Galois Fields