Cryptography is an indispensable tool for protecting information in computer systems. In this course you will learn the inner workings of cryptographic systems and how to correctly use them in real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two parties generate a shared secret key. Throughout the course participants will be exposed to many exciting open problems in the field and work on fun (optional) programming projects. In a second course (Crypto II) we will cover more advanced cryptographic tasks such as zero-knowledge, privacy mechanisms, and other forms of encryption.
Arithmetic algorithms
Loading...
来自 Stanford University 的课程
Cryptography I
2038 个评分
从本节课中
Basic Key Exchange
Week 5. This week's topic is basic key exchange: how to setup a secret key between two parties. For now we only consider protocols secure against eavesdropping. This question motivates the main concepts of public key cryptography, but before we build public-key systems we need to take a brief detour and cover a few basic concepts from computational number theory. We will start with algorithms dating back to antiquity (Euclid) and work our way up to Fermat, Euler, and Legendre. We will also mention in passing a few useful concepts from 20th century math. Next week we will put our hard work from this week to good use and construct several public key encryption systems.
与讲师见面
Dan BonehProfessor
Computer Science
The next thing we're going to look at is how to compute modular large integers. So
the first question is how do we represent large integers in a computer? So that's
actually fairly straightforward. So imagine we're on a 64 bit machine, what we
would do is we would break the number we want to represent, into 32 bit buckets And
then, we will basically have these n/32 bit buckets, and together they will
represent the number that we want to store on the computer. Now, I should mention
that I'm only giving 64 bit registers as an example. In fact, many modern
processors have 128 bit registers or more, and you can even do multiplications on
them. So normally you would actually use much larger blocks than just 32 bits. The
reason, by the way, you want to limit yourself to 32 bits is so that you can
multiply two blocks together, and the result will still be less than 64 bits,
less than the word size on the machine. So now let's look at particular arithmetic
operations and see how long each one takes. So addition and subtraction
basically what you would do is that addition would carry or subtraction would
borrow and those are basically linear time operations. In other words, if you want to
add or subtract two n bit integers the running time is basically
linear in n. Multiplication naively will take quadratic time. In fact,
this is what's called the high school algorithm. This is what you kind of
learned in school, where if you think about this for a minute you'll see that,
that algorithm basically is quadratic in the length of the numbers that are being
multiplied. So a big surprise in the 1960s was an algorithm due to Karatsuba that
actually achieves much better than quadratic time in fact, it achieved a
running time of n to the 1.585. And there's actually no point in me showing
you how the algorithm actually worked, I'll just mention the main idea What
Karatsuba realized, is that in fact when you want to multiply two numbers, you can
write them as, you can take the first number x, write it as 2 to the b times
x2 plus x1. Where x2 and x1 are roughly the size of the square root of x. Okay, so
we can kind of break the number x into the left part of x and the right part of x.
And basically, you're writing x as if it was written base 2 to the b. So it's got
two digits base 2 to the b. And you do the same thing with, y. You write y base
2 to the b. Again, you would write it as, the sum of the left half plus the
right half, And then, normally, if you try to do this multiplication, when you open
up the parentheses. You see that, this would require 4 multiplications, right?
It would require x2 times y2, x2 times y1, x1 times y2, and x1 times y1. What
Karatsuba realized is there's a way to do this multiplication of x by y using only
three multiplications of x1 x2 y1 y2. So it's just a big multiplication of x times y
only it takes three little multiplications. You can now recursively
apply exactly the same procedure to multiplying x2 by y2, and x2 by y1, and so
on and so forth. And you would get this recursive algorithm. And if you do the
recursive analysis, you will see that basically, you get a running time of n to the 1.585.
This number is basically, the 1.585 is basically, log of 3 base 2.
Surprisingly, it turns out that Karatsuba isn't even the best multiplication
algorithm out there. It turns out that, in fact, you can do multiplication in about n<i>log(n) time.</i>
So you can do multiplication in almost linear time. However, this is an extremely asymptotic results.
The big O here hides very big constants. And as a
result, this algorithm only becomes practical when the numbers are absolutely
enormous. And so this algorithm is actually not used very often. But
Karatsuba's algorithm is very practical. And in fact, most crypto-libraries
implement Karatsuba's algorithm for multiplication. However, for simplicity
here, I'm just gonna ignore Karatsuba's algorithm, and just for simplicity, I'm
gonna assume that multiplication runs in quadratic time. But in your mind, you
should always be thinking all multiplication really is a little bit faster than quadratic.
And then the next question after multiplication is what about
division with remainder and it turns out that's also a quadratic time algorithm.
So the main operation that remains, and one that we've used many times so far, and
I've never, actually never, ever told you how to actually compute it, is this
question of exponentiation. So let's solve this exponentiation problem a bit more
abstractly. So imagine we have a finite cyclic group G. All this means is that
this group is generated from the powers of some generator little g. So for example
think of this group as simply ZP<i>, and think of little g as some generator of</i>
big G. The reason I'm sitting in this way, is I'm, I want you to start getting used
to this abstraction where we deal with a generic group G and ZP really is just
one example of such a group. But, in fact, there are many other examples of finite
cyclic groups. And again I want to emphasis basically that group G, all it
is, it's simply this powers of this generator up to the order of the group.
I'll write it as G to the Q. So our goal now is given this element g, and some
exponent x, our goal is to compute the value of g to the x. Now normally what you
would say is, you would think well, you know, if x is equal to 3 then I'm
gonna compute you know, g cubed. Well, there's really nothing to do. All I do is
I just do g times g times g and I get g cubed, which is what I wanted. So that's
actually pretty easy. But in fact, that's not the case that we're interested in. In
our case, our exponents are gonna be enormous. And so if you try, you know,
think of like a 500-bit number and so if you try to compute g to the power of a
500-bit number simply by multiplying g by g by g by g this is gonna take quite a
while. In fact it will take exponential time which is not something that we want
to do. So the question is whether even though x is enormous, can we still compute
g to the x relatively fast and the answer is yes and the algorithm that does that
is called a repeated squaring algorithm. And so let me show you how repeated
squaring works. So let's take as an example, 53. Naively you would have to do
53 multiplications of g by g by g by g until you get to g by the 53 but I want to
show you how you can do it very quickly. So what we'll do is we'll write 53 in
binary. So here this is the binary representation of 53. And all that means
is, you notice this one corresponds to 32, this one corresponds to 16, this one
corresponds to 4, and this one corresponds to 1. So really 53 is 32
plus 16 plus 4 plus 1. But what that means is that g to the power of 53 is
g to the power of 32+16+4+1. And we can break that up, using again, the rules of
exponentiation. We can break that up as g to the 32 times g to the 16 times g to the
4 times g to the 1, Now that should start giving you an idea for how to compute g to
the 53 very quickly. What we'll do is, simply, we'll take g and we'll start
squaring it. So what square wants, g wants to get g squared. We square it again to
get g to the 4, turn g to the 8. Turn g to the 16, g to the 32. So
we've computed all these squares of g. And now, what we're gonna do is we're simply
gonna multiply the appropriate powers to give us the g to the 53. So this is g to
the one times g to the 4 times g to the 16 times g to the 32, is basically
gonna give us the value that we want, which is g to the 53. So here you see that
all we had to do was just compute, let's see, we had to do one, two, three, four,
five squaring, plus four more multiplications so with 9 multiplications we computed g
to the 53. Okay so that's pretty interesting. And it turns out this is a
general phenomena that allows us to raise g to very, very high powers and do it very
quickly. So let me show you the algorithm, as I said this is called the repeated
squaring algorithm. So the input to the algorithm is the element g and the
exponent x. And the output is g to the x. So what we're gonna do is we're gonna
write x in binary notation. So let's say that x has n bits. And this is the actual
bit representation of x as a binary number. And then what we'll do is the
following. We'll have these two registers. y is gonna be a register that's constantly
squared. And then z is gonna be an accumulator that multiplies in the
appropriate powers of g as needed. So all we do is the following we loop through the
bits of x starting from the least significant bits, And then we do the
following: in every iteration we're simply gonna square y. Okay, so y just keeps on
squaring at every iteration. And then whenever the corresponding bit of the
exponent x happens to be one, we simply accumulate the current value of y into
this accumulator z and then at the end, we simply output z. That's it. That's the
whole algorithm, and that's the repeated squaring algorithm. So, let's see an
example with G to the 53. So, you can see the two columns. y is one
column, as it evolves through the iterations, and z is another column, again
as it evolves through the iterations. So, y is not very interesting. Basically, all
that happens to y is that at every iteration, it simply gets squared. And so
it just walks through the powers of two and the exponents and that's it. z is the
more interesting register where what it does is it accumulates the appropriate
powers of g whenever the corresponding bit to the exponent is one. So for example the
first bit of the exponent is one, therefore, the, at the end of the first
iteration the value of z is simply equal to g. The second bit of the exponent is zero
so the value of z doesn't change after the second iteration. And at the end of the
third iteration well the third bit of the exponent is one so we accumulate g to the
fourth into z. The next bit of the exponent is zero so z doesn't change. The
next bit of the exponent is one and so now we're supposed to accumulate the previous
value of y into the accumulator z so let me ask you so what's gonna be the value of z?
Well, we simply accumulate g to the 16 into z and so we simply compute the sum
of 16 and 5 we get g to the 21. Finally, the last bit is also set to one
so we accumulate it into z, we do 32 plus 21 and we get the finally output g to the 53.
Okay, so this gives you an idea of how this repeated squaring algorithm works.
It's is quite an interesting algorithm and it allows us to compute enormous powers of
g very, very, very quickly. So the number of iterations here, essentially, would be
log base 2 of x. Okay. You notice the number of iterations simply depends on the
number of digits of x, which is basically the log base 2 of x. So even if x is a
500 bit number in 500 multiplication, well, 500 iterations, really 1,000
multiplications because we have to square and we have to accumulate. So in 1,000
multiplications we'll be able to raise g to the power of a 500 bit exponent.
Okay so now we can summarize kind of the running times so suppose we
have an N bit modulus capital N as we said addition and subtraction in ZN takes
linear time. Multiplication of just, you know, as I said, Karatsuba's actually makes this
more efficient, but for simplicity we'll just say that it takes quadratic time. And
then exponentiation, as I said, basically takes log of x iterations, and at each
iteration we basically do two multiplications. So it's O(log (x))
times the time to multiply. And let's say that the time to multiply is quadratic. So
the running time would be, really, N squared log x. And since x is always gonna
be less than N, by Fermat's theorem there's no point in raising g to a power
that's larger than the modulus. So x is gonna be less than N. Let's suppose that x
is also an N-bit integer, then, really exponentiation is a cubic-time algorithm.
Okay so that's what I wanted you to remember, that exponentiation is actually
a relatively slow. These days, it actually takes a few microseconds on a modern
computer. But still, microseconds for a, for a, say a four gigahertz processor is
quite a bit of work. And so just keep in mind that all the exponentiation
operations we talked about. For example, for determining if a number is a quadratic
residue or not, All those, all those exponentiations basically take cubic time.
Okay, so that completes our discussion of arithmetic algorithms, and then in the
next segment we'll start talking about hard problems, modulo, primes and composites.
