ee4.07 coding theory · i introduction to coding theory ron m. roth i coding theory: a first...

EE4.07 Coding Theory

W. Dai

Imperial College London (IC)

2019

W. Dai (IC) EE4.07 Coding Theory 2019 page 0-1

Syllabus

Instructor: Dr. Wei Dai

GTA: Mr. Hengyan Liu

Lectures: 14:00-16:00 FridaysRoom 508 (11/10/2019-19/11/2019) Room 408 (6/12/2019-13/12/2019)

Assessment: Exam (75%) and coursework (25%)

Textbook: No textbook is required. You can rely on lecture notes.

References:

I �Introduction to coding theory� Ron M. Roth

I �Coding Theory: a First Course,� S. Lin and C. Xing

I �Codes: An Introduction to Information Communication and

Cryptography,� N. L. Biggs

W. Dai (IC) EE4.07 Coding Theory Syllabus 2019 page 0-1

Contents

1. Mathematical foundations: �nite �elds

2. CryptographyI Password management: store, exchange, and shareI Public key cryptographyI Digital signature

3. Error correcting codesI Linear block codesI Hamming codesI Reed-Solomon codes and decoding

4. Modern codesI Brief introduction to information theoryI Low-density parity check (LDPC) codesI Polar codes

W. Dai (IC) EE4.07 Coding Theory Syllabus 2019 page 0-2

Section 1

Finite Fields

I Basic factsI Euclidean algorithmI Unique factorisation theorem

I Finite �elds: de�nition and construction

I Finite �elds: general properties

I Primitive elements

I Polynomial factorisation and minimal polynomials

For basic number theory, the best reference is Wikipedia.For contents relevant to �nite �elds, refer to Lin&Xing's book, Chapter 3.

W. Dai (IC) EE4.07 Coding Theory Finite Fields 2019 page 1-1

Two Facts for Coding Theory

Euclidean geometry: all theorems are derived from a small number of

axioms.

This course: mostly relies on two facts.

I A polynomial of degree n has at most n roots.I Every positive integer n > 1 can be uniquely represented as a product

of prime numbers. (will be proved.)

W. Dai (IC) EE4.07 Coding Theory Finite Fields 2019 page 1-2

Greatest Common Divisor (GCD)

How to �nd the gcd for 0 < b < a?

gcd (5, 13) = 1. (Easy!)gcd (20, 36) = 4. (OK)But gcd (654, 2406) =?

W. Dai (IC) EE4.07 Coding Theory Finite Fields Euclidean algorithm 2019 page 1-3

The Euclidean Algorithm

Lemma 1.1 (Euclidean Algorithm)

Let a, b ∈ Z+. Without loss of generality (WLOG), assume a > b. To �ndthe greatest common divisor of a and b,

a = q1b +r1b = q2r1 +r2r1 = q3r2 +r3...

......

rn−2 = qnrn−1 +rnrn−1 = qn+1rn

Then d := gcd (a, b) = rn.


The Euclidean Algorithm: An Example

Example 1.2

gcd (654, 2406) =?:2406 = 3× 654 +444654 = 1× 444 +210444 = 2× 210 +24210 = 8× 24 +1824 = 1× 18 +618 = 3× 6

gcd (654, 2406) = 6.


The Euclidean Algorithm: Theory

Theorem 1.3

For 0 < b < a, de�ne r = a mod b 6= 0. Then gcd (a, b) = gcd (b, r).

Proof: Let a = bq + r where 1 ≤ r < b.Let d1 = gcd (a, b) and d2 = gcd (b, r). Want to show d1 = d2.

d1|a and d1|b ⇒ d1| (a− bq) ⇒ d1|rd2 = gcd (b, r)

}⇒ d1 ≤ d2.

d2|b and d2|r ⇒ d2| (bq + r) ⇒ d2|ad1 = gcd (a, b)

}⇒ d2 ≤ d1.

Therefore, d1 = d2. ♦

Corollary 1.4 (Validation of Euclidean Alg.)

In the Euclidean algorithm,gcd (a, b) = gcd (b, r1) = · · · = gcd (rn−1, rn) = rn.


Bézout's Identity

Lemma 1.5 (Bézout's Identity or Bézout's Lemma)

Given positive integers a and b, let d = gcd (a, b). Then d can be writtenas an integer linear combination of a and b, i.e., ∃x, y ∈ Z s.t.d = gcd (a, b) = xa+ yb.

Proof:

rn = −qnrn−1 + rn−2= −qn (−qn−1rn−2 + rn−3) + rn−2= (1 + qnqn−1) rn−2 − qnrn−3= · · · = xa+ yb.

♦

Example 1.6 (gcd (13, 5) = 1)

Euclidean Alg. Bézout's Identity

13 = 2 · 5 + 35 = 1 · 3 + 23 = 1 · 2 + 12 = 2 · 1

1 = 3− 2= 3− (5− 3) = 2 · 3− 5= 2 · (13− 2 · 5)− 5 = 2 · 13−5 · 5


GCD of Polynomials

The GCD of two polynomials is a polynomial, of the highest degree, that

divides both original polynomials.

In this course, the convention is that the leading coe�cient is 1.

Example 1.7

gcd(x2 − 1, 2x− 2

)={x− 1, 2x− 2, 1

2x−12 , 10

6x− 106}.

By convention, gcd(x2 − 1, 2x− 2

)= x− 1.


Euclidean Algorithm for Polynomials

Extend the Euclidean algorithm to polynomials.

Example 1.8

Let a (x) = x4 + x2 + x+ 1 and b (x) = x2 + x. Find gcd (a (x) , b (x)).

Note thatx4 + x2 + x+ 1 =

(x2 − x+ 2

) (x2 + x

)+ (−x+ 1)

x2 + x = (−x− 2) (−x+ 1) + 2−x+ 1 =

(−1

2x+ 12

)· 2.

One has2 =

(x2 + x

)+ (x+ 2) (−x+ 1)

= b (x) + (x+ 2)(a (x)−

(x2 − x+ 2

)b (x)

)= (x+ 2) a (x) +

(−x3 − x2 − 3

)b (x) .

As a result,1 = gcd (a (x) , b (x))

= 12 (x+ 2) a (x)− 1

2

(x3 + x2 + 3

)b (x) .


From About 330 B.C.

In Book VII of Elements,Euclid proved the following three results:

I Euclid's lemma: If a prime

number p divides a product ab, then p divides

at least one of the two numbers a and b.

I Fundamental theorem of arithmetic: Everynatural number is either prime or else can

be expressed as a product of primes in a way

that is unique apart from the order in which

they are written.

I There are in�nitely many primes.

W. Dai (IC) EE4.07 Coding Theory Finite Fields Unique factorisation Theorem 2019 page 1-10

Fundamental Theorem of Arithmetic

Theorem 1.9 (Unique Factorisation Theorem)

Any n ∈ Z+, n > 1, can be uniquely represented as a product of primepowers:

n = pα11 pα2

2 · · · pαkk =

∏ki=1 p

αii

Example 1.10 (Applications)

If we know the factorisation of a and b,

I Greatest common divisor:gcd(a, b) = 2min(a2,b2) 3min(a3,b3) 5min(a5,b5) 7min(a7,b7) · · ·

=∏pmin(api ,bpi )i ,

I Least common multiple:lcm(a, b) = 2max(a2,b2) 3max(a3,b3) 5max(a5,b5) 7max(a7,b7) · · ·

=∏pmax(api ,bpi )i .


Some Examples

Example 1.11

4 = 22.6 = 2 · 3. ⇒ gcd (4, 6) = 21 · 30 = 2.

lcm (4, 6) = 22 · 31 = 12.

4 = 22.9 = 32.

⇒ gcd (4, 9) = 20 · 30 = 1.lcm (4, 9) = 22 · 32 = 36.

654 = 2 · 3 · 109.2406 = 2 · 3 · 401. ⇒ gcd (654, 2406) = 6.

lcm (654, 2406) = 262254.


Proof of Unique Factorisation Theorem

Existence: By induction.

Assume it is true for all numbers less than n.If n is prime, n is the product of one prime n.Otherwise, ∃a, b where n = a · b and 1 < a ≤ b < n. By the induction

hypothesis, a = p1p2 · · · pn and b = q1q2 · · · qm are products of primes.

Then n = p1p2 · · · pnq1q2 · · · qm is the product of primes. ♦

Uniqueness: will need the Euclid's lemma.


Proof of Unique Factorisation Theorem (Uniqueness)

Assume that n > 1 is the product of primes in two di�erent ways:

n = p1p2 · · · pm, and n = q1q2 · · · qn.We shall show m = n and that the qj are a rearrangement of the pi.

WLOG, assume m ≤ n. By Euclid's lemma, p1 must divide one of the qj .Relabel the qj if necessary, say that p1|q1. But q1 is prime. Hence p1 = q1so that

np1

= p2 · · · pm = q2 · · · qn.

Repeat the process, we eventually arrive atn

p1···pm = 1 = qm+1 · · · qn.From this, it is clear that m = n and every qj is a pi. ♦


Gauss's Finite Arithmetic

In 1801

when Gauss was 24, he wrote a book DisquisitionesArithmeticae, one of the most in�uential mathematics

books ever. One of the topics is �nite arithmetic.

W. Dai (IC) EE4.07 Coding Theory Finite Fields De�nition 2019 page 1-16

Modular Arithmetic

De�nition 1.13

Let a and n > 0 be integers. We de�ne a mod n to be the remainder when

a is divided by n.

Write a = qn+ r. Then q = ba/nc and r = a mod n.

Example 1.14

11 mod 7 = 4 and −11 mod 7 = 3.

De�nition 1.15

Two integers a and b are said to be congruent modulo n if

(a mod n) = (b mod n). This is written as a ≡ b (mod n).

Example 1.16

−10 ≡ 6 (mod 8) and 1024 ≡ 0 (mod 2).


Properties of Modular Arithmetic

1. a+ b mod n = [(a mod n) + (b mod n)] mod n.

2. a− b mod n = [(a mod n)− (b mod n)] mod n.

3. a× b mod n = [(a mod n)× (b mod n)] mod n.

Proof for the addition:

a+ b mod n = ra + rb mod n = [(a mod n) + (b mod n)] mod n.

Ordinary arithmetic involving addition, subtraction, and multiplication carry

over into modular arithmetic.


Examples

I 11 = 4 mod 7 and −11 = 3 mod 7.I 11 + (−11) = 0 mod 7; 4 + 3 = 0 mod 7.I 11− (−11) = 1 mod 7; 4− 3 = 1 mod 7.

I 5× 5 = 1 mod 12; 11× 5 = 7 mod 12.1/5 = 5 mod 12; 7/5 = 11 mod 12.But 5/6 mod 12 is not de�ned.


Fields: De�nition

De�nition 1.17 (Field)

A �eld F is a nonempty set of elements with two operations, called addition

(+) and multiplication (·).I F is closed under + and ·, i.e., a+ b and a · b are in F.

I Commutative: a+ b = b+ aI Associative: a+ (b+ c) = (a+ b) + cI Distributive a (b+ c) = ab+ ac

I Exists two distinct identity 0 and 1 (additive and multiplicative

identities, respectively)I a+ 0 = a, ∀a ∈ FI a · 1 = a and a · 0 = 0, ∀a ∈ FI Additive inverse: ∀a ∈ F, ∃ (−a) ∈ F, s.t. a+ (−a) = 0.I Multiplicative inverse: ∀a ∈ F\ {0}, ∃a−1 ∈ F, s.t. a · a−1 = 1.

Example: R, Q, Z7 are �elds, Z is not.


Integer Ring

De�nition 1.18 (Modulo)

The modulo operator �nds the remainder of one number divided by

another.

Examples: 5 mod 4 = 1, 14 mod 4 = 2.

De�nition 1.19 (Integer Ring)

I Zm = {0, · · · ,m− 1}: a nonempty set of elements.

I �+� operator: + mod m

I �·� operator: · mod m.

Example of m = 4:Zm = {0, 1, 2, 3}.1 + 1 = 2 (mod 4); 2 + 3 = 1 (mod 4).3 · 3 = 1 (mod 4); 2 · 2 = 4 = 0 (mod 4).


Examples: Integer Rings Versus Fields

I Z3 is a �eld.I −0 = 0, −1 = 2, −2 = 1.I 1−1 = 1, 2−1 = 2.

I Z4 is not a �eld.I −0 = 0, −1 = 3, −2 = 2, −3 = 1.I 1−1 = 1, @ 2−1, 3−1 = 3.


When a Multiplicative Inverse Exists

Lemma 1.20 (Existence of the multiplicative inverse)

Let a, n ∈ Z+ with a < n. The multiplicative inverse a−1 (mod n) existsi� gcd (a, n) = 1.

Proof:

1. If gcd (a, n) = 1, by Bézout's identity ∃x, y s.t.

1 = xn+ ya ≡ ya (mod n). Hence y is a−1.

2. If a−1 (mod n) exists, want to show that gcd (a, n) = 1.Suppose not, i.e., d = gcd (a, n) > 1.By assumption that a−1 exists, ∃x = a−1 and y s.t.

1 = xa mod n = xa− yn.As d | a and d | n, it follows d | (xa− yn), i.e. d | 1.This contradicts with d > 1. ♦


Finite Fields of Integers

Theorem 1.21

Zm is a �eld if and only if m is a prime. (Hence notation Fp.)

Proof of the �if� part: m be a prime⇒Zm is a �eld.

∀a ∈ Zm\ {0}, since m is a prime, one has gcd (a,m) = 1.By Lemma 1.20, a−1 exists. ♦

Proof of the �only if� part: Zm is a �eld ⇒ m is a prime.

Suppose m is not a prime. ∃1 < a, b < m s.t. a · b = m.

Since a = gcd (a,m) 6= 1, by Lemma 1.20, a−1 does not exist. ♦


An Alternative Proof

Recall: Zm is a �eld if and only if m is a prime. (Hence notation Fp.)

Lemma 1.22

Let a, b ∈ Fp. Then ab = 0 implies a = 0 or b = 0.

Proof: Suppose that a 6= 0. Then 0 = a−1 · 0 = a−1 · (a · b) = b. ♦

Alternative proof of the �only if� part:

Suppose m is not a prime.∃1 < a, b < m s.t. a · b = m = 0 (mod m). Butfrom Lemma 1.22, either a or b is zero mod m. Contradict with

1 < a, b < m. ♦


Polynomials

Polynomials over a �eld Fp: f (x) =∑d

i=0 aixi, ai ∈ Fp.

Degree: highest degree of its terms: deg (f) = d if ad 6= 0.Monic polynomials: ad = 1.

Polynomial division:

a (x) = q (x) b (x) + r (x) where 0 ≤ deg (r (x)) < deg (b (x)).Example: Let a (x) = x3 + x+ 1 ∈ F2 [x] and b (x) = x2 + x ∈ F2 [x].Then a (x) = (x+ 1) b (x) + 1.

f (x) ∈ F [x] is irreducible if f (x) = g (x)h (x) , g, h ∈ F [x], implies either

g or h is a constant (similar to prime numbers).


Finite Fields: Polynomials

Fp [x]={g (x) =

∑di=0 aix

i : ai ∈ Fp}.

Fp [x] /f (x): Fp [x] with �mod f (x)� algebra.

It contains all the polynomials with degree less than deg (f).

Example: f (x) = x2 + x ∈ F2 [x].F2 [x] /f (x) = {0, 1, x, x+ 1}.x · (x+ 1) = x2 + x ≡ 0 mod f (x).

Theorem 1.23

Fp [x] /f (x) is a �eld i� f (x) is irreducible over Fp.

Proof: Same idea as before.


Some Comments

Examples of Irreducible polynomials and those that are not

I x2 + 1 ∈ R [x] is irreducible.

I x2 + 1 ∈ F2 [x] is not irreducible (reducible).

I x2 + 1 ∈ F3 [x] is irreducible.

I x2 + 1 ∈ F5 [x] is not irreducible.

A systematic way to write the elements in a polynomial ring

Fp [x] /f (x) where d = deg (f (x)).αdx

d + αd−1xd−1 + · · ·+ α1x+ α0, where αi ∈ Fp.

It contains pd many distinct polynomials.

Size of the �nite �eld FqI Fq contains numbers: q = p.

I Fq contains polynomials: q = pd where d = deg (f).


Example Fields Containing Polynomials

Some irreducible polynomials over F2

x, x+ 1, x2 + x+ 1, x3 + x+ 1, x3 + x2 + 1, x4 + x+ 1, · · ·Each of these polynomial generates a �nite �eld.

Example 1.24

F2 [x] /x3 + x+ 1 F2 [x] /x

3 + x2 + 10 0 0

1 1 1x x xx2 x2 x2

x3 x+ 1 x2 + 1x4 x2 + x x2 + x+ 1x5 x2 + x+ 1 x+ 1x6 x2 + 1 x2 + x


Another Example

Example 1.25 (An Example of F16)

F2 [x] /x4 + x+ 1 F2 [x] /x

4 + x+ 10 0 x7 x3 + x+ 11 1 x8 x2 + 1x x x9 x3 + xx2 x2 x10 x2 + x+ 1x3 x3 x11 x3 + x2 + xx4 x+ 1 x12 x3 + x2 + x+ 1x5 x2 + x x13 x3 + x2 + 1x6 x3 + x2 x14 x3 + 1


Useful Exercise

Example 1.26 (An Exercise)

1. Understand Examples 1.24 and 1.25.

2. For the �eld F2 [x] /x4 + x+ 1 in Example 1.25, compute:

I(x3 + x2

) (x3 + x2 + 1

)=?

I Answer: x+ 1.

I(x3 + x2

)−1=? (Use Euclidean algorithm)

I Answer: x3 + x.

I(x3 + x2 + 1

)−1=? (Use Euclidean algorithm)

I Answer: x2.


Finite Fields: General Properties?

Previously, we saw two ways to construct �nite �elds.

I Fp: p many integers.

I Fp [x] /f (x): pdeg(f) many polynomials.

What can we say about the size of a �nite �eld F in general?

W. Dai (IC) EE4.07 Coding Theory Finite Fields Size 2019 page 1-32

Characteristic: De�nition

Let F be an arbitrary �eld.

By de�nition, ∃ a multiplicative identity, denoted by `1'.Consider a sequence in Fq: 1, 1 + 1, · · ·

Since |Fq| = q <∞, we will see repetitions.

That is, ∃t ∈ Z+ s.t. 1 + · · ·+ 1︸︷︷︸t times

= t · 1 = 0.

Remark: To compute 1 + · · · + 1 = t · 1, we have used the algebra de�ned for this �eld F.

De�nition 1.27

The smallest t s.t. t · 1 = 0 is called characteristic of F.


Characteristic: Property

Lemma 1.28

The characteristic t is always a prime.

Proof: Otherwise, t · 1 = ab · 1 = 0.1st equation uses normal algebra for integers. 2nd equation uses the algebra for the �nite �eld.

This implies a = 0 or b = 0 (by Lemma 1.22).

Contradict with that t is the smallest.


Finite Fields: Size

Theorem 1.29

All �nite �elds are of the size pm.

Proof: For any given �nite �eld Fq, let p be its characteristic.

Choose a nonzero element from Fq, say b1.Choose another nonzero element from Fq, say b2, such that b2 and b1 are

linearly independent, i.e.,

λ1b1 + λ2b2 = 0, λ1, λ2 ∈ Fp ⇔ λ1 = λ2 = 0.Consider a maximal set

B = {b1, · · · , bm} ⊂ Fwhich are linearly independent over Fp.

De�ne the linear span of Bspan (B) = {λ1b1 + · · ·+ λmbm : λi ∈ Fp}.


Finite Fields: Size and Dimension

Proof continued:

1. Then |span (B)| = pm ≤ |Fq|.If(λ(1)1 , · · · , λ(1)

m

)6=(λ(2)1 , · · · , λ(2)

m

), then

∑λ(1)i bi 6=

∑λ(2)i bi.

Suppose not, i.e.,∑λ(1)i bi =

∑λ(2)i bi. Then

∑(λ(1)i − λ

(2)i

)bi = 0 which, by

linear independence of bi's, implies that λ(1)i = λ

(2)i .

This contradicts the assumption that(λ(1)1 , · · · , λ(1)

m

)6=(λ(2)1 , · · · , λ(2)

m

).

2. It also holds that |span (B)| = |Fq|:Otherwise ∃bm+1 linearly independent of B.This contradicts with the de�nition of the maximal independent set B.

Hence, for any �nite �eld Fq, q = pm. ♦

B is a basis of Fq.m is the dimension of Fq.


Primitive Elements∀a ∈ F, consider the sequence a, a2, a3, · · · . Since |Fq| = q is �nite, we will

see repetitions. That is, ∃t s.t. at = 1.

De�nition 1.30

The order of a ∈ F (ord (a)) is the smallest t s.t. at = 1.An element of order q − 1 is called a primitive element of Fq.

Example 1.31

Consider the �eld F2 [x] /x4 + x+ 1 in Example 1.25.

It can be veri�ed that

ord (x) = ord(x2)= ord

(x4)= 15.

Hence x, x2, and x4 are primitive elements (Primitive element is not

unique).

It can also be veri�ed that ord(x3)= 5. Hence x3 is not a primitive

element.

W. Dai (IC) EE4.07 Coding Theory Finite Fields Primitive Elements 2019 page 1-37

Represent a Field by a Primitive Element

Let α be a primitive element. Since α0 = 1, α, · · · , αq−2 are distinct,

F ={0, 1, α, · · · , αq−2

}.

I Standard notation: F∗ = F\ {0} ={α0, · · · , αq−2

}.

Why primitive elements? Recall Example 1.26

I Calculate multiplication:I(x3 + x2

) (x3 + x2 + 1

)=?

I α6 · α13 = α19 = α15+4 = α4 = x+ 1.

I Find inverse:I(x3 + x2

)−1=?;

(x3 + x2 + 1

)−1=?

I Note that αq−1 = 1 = α0. The multiplicative inverse of αa = αq−1−a.α−6 = α15−6 = α9 = x3 + x; α−13 = x2.


Existence of Primitive Elements

Theorem 1.32

Every �nite �eld Fq contains a primitive element.

To prove this theorem, we need several lemmas. After presenting and

proving these lemmas, we shall prove the theorem.


Lemma 1: Fermat's Little Theorem

Theorem 1.33 (Fermat's Little Theorem)

For every β ∈ F∗q , we have βq−1 = 1.Or equivalently, ∀β ∈ Fq, it holds that βq = β.

History (from Wikipedia):

Pierre de Fermat �rst stated the theorem in a letter dated October 18,

1640, to his friend and con�dant Frénicle de Bessy.

Fermat did not prove his assertion, only stating: �· · · , the proof of which I

would send to you, if I were not afraid to be too long.�

Euler provided the �rst published proof in 1736, but Leibniz had given

virtually the same proof in an unpublished manuscript from sometime

before 1683.(The same proof technique will be used to prove Euler's Theorem.)


Proof of Fermat's Little Theorem

Proof: For any β ∈ F∗q , de�ne βF∗q = {ββ1, · · · , ββq−1}.I ββi 6= 0 ⇒ βF∗q ⊆ F∗q .

Otherwise βi = β−1ββi = β−1 · 0 = 0. A contradiction.

I ββi 6= ββj for i 6= j. ⇒∣∣βF∗q∣∣ = q − 1.

Otherwise βi = β−1 (ββi) = β−1 (ββj) = βj . A contradiction.

Hence, F∗q = βF∗q .Therefore,

∏γ∈F∗q γ =

∏γ∈βF∗q γ.

That is,β1 · β2 · · · · · βq−1= (ββ1) · (ββ2) · · · · · (ββq−1)= βq−1 · (β1 · β2 · · · · · βq−1) .

We conclude βq−1 = 1. ♦


Examples Related to Fermat's Little Theorem

Example 1.34

Let F = F5. Find F∗ and β · F∗ for all β ∈ F∗.F∗ = 1 · F∗ = {1, 2, 3, 4} 2 · F∗ = {2, 4, 1, 3}3 · F∗ = {3, 1, 4, 2} 4 · F∗ = {4, 3, 2, 1}

Example 1.35

Let F = F2 [x] /(x2 + x+ 1

). Find F∗ and β · F∗ for all β ∈ F∗.

F∗ = 1 · F∗ = {1, x, x+ 1}x · F∗ = {x, x+ 1, 1}(x+ 1) · F∗ = {x+ 1, 1, x}


Existence of Primitive Elements: Lemma 2

Lemma 1.36

For any β ∈ F∗, if βt = 1 for some t ∈ Z+, then ord (β) |t.

Proof: Let a = ord (β) & t = ka+ b where 0 < b < a.Then βt = βb = 1.Contradict with that a is the smallest number that βa = 1. ♦

Corollary 1.37

∀β ∈ F∗q = Fq\ {0}, it holds that ord (β) |q − 1.

Proof: This is proved by Fermat's little theorem (Theorem 1.33) and

Lemma 1.36.


Existence of Primitive Elements: Lemma 3

Lemma 1.38

Suppose that ord (β1) = r1, ord (β2) = r2, and gcd (r1, r2) = 1. Letβ = β1β2 and r = ord (β). Then r = r1r2.

Proof:

1. Since 1 = (β1β2)r1r2 = βr1r2 , it holds r|r1r2 by Lemma 1.36.

2. r1r2|r:1 = βrr1 = (β1β2)

rr1 = (βr11 )r βrr12 = βrr12 . Then r2|rr1. Then r2|r.Similarly, r1|r.Hence lcm (r1, r2) |r or equivalently r1r2|r.

3. That r|r1r2 and r1r2|r implies r = r1r2. ♦


An Example Related to Lemmas 2 & 3

Consider F = F7.

F∗ = {1, 2, 3, 4, 5, 6}

ord (1) = 1 ord (2) = 3ord (3) = 6 ord (4) = 3ord (5) = 6 ord (6) = 2

You may check the above results with Corollary 1.37.

Note that ord (2) = 3 and ord (6) = 2.Fact 1.38 implies that ord (2 · 6) = 3× 2 = 6 = ord (5).


Existence of Primitive Elements: the Proof (1)

Proof of Theorem 1.32 (the existence):

Let F∗q = {α1, · · · , αq−1} and ri = ord (αi).De�ne m := lcm (r1, · · · , rq−1).Based on the unique factorisation theorem (Theorem 1.9), m can be

written as m = pk11 · · · pk`` .

Let r1 = pk(1)1

1 · · · pk(1)`` ,

...

rq−1 = pk(q−1)1

1 · · · pk(q−1)`` .

Then ki = max(k(1)i , · · · , k(q−1)i

).

Hence, ∃αi ∈ F∗q s.t. pk11 |ord (αi):


Existence of Primitive Elements: the Proof (2)

Let β1 = αord(αi)/p

k11

i , then ord (β1) = pk11 .

Similarly, �nd β2, · · · , β`.Clearly ord (βi) = pkii , i = 1, · · · , ` by our construction.

Let β = β1 · · · · · β`. Then ord (β) = m (Lemma 1.38).

Because ord (βi)'s are co-prime.

Hence, m| (q − 1) (Corollary 1.37) or m ≤ q − 1.

On the other hand, by the de�nition of m, all q − 1 elements in F∗q are

roots of xm − 1. Therefore m ≥ q − 1.

It then can be concluded that m = q − 1 and β is a primitive element. ♦


Uniqueness of Finite Fields

De�nition 1.39

Two �elds F and G are isomorphic if there exists a one-to-one mapping

ϕ : F→ G that satis�es

ϕ (ab) = ϕ (a)ϕ (b) , ϕ (a+ b) = ϕ (a) + ϕ (b) .

Theorem 1.40

The �nite �eld Fq is unique up to isomorphism.

Proof is not required.

Example: F2 [x] /(x3 + x+ 1

)and F2 [x] /

(x3 + x2 + 1

)are isomorphic.

W. Dai (IC) EE4.07 Coding Theory Finite Fields Uniqueness 2019 page 1-48

Example

ϕ : F2 [x] /(x3 + x2 + 1

)→ F2 [y] /

(y3 + y + 1

)x 7→ ϕ (x) = y + 1

ϕ : F2 [x] /(x3 + x2 + 1

)F2 [y] = y3 + y + 1

0 0

1 1

x y + 1

x2 y2 + 1

x2 + 1 y2

x2 + x+ 1 y2 + y + 1

x+ 1 y

x2 + x y2 + y

Verify ϕ (ab) = ϕ (a)ϕ (b):ϕ(x2 · (x+ 1)

)= ϕ

(x3 + x2

)= ϕ

(x2 + 1 + x2

)= ϕ (1) = 1.

ϕ(x2)ϕ (x+ 1) =

(y2 + 1

)· y = y3 + y = y + 1 + y = 1.

W. Dai (IC) EE4.07 Coding Theory Finite Fields Uniqueness 2019 page 1-49

Polynomial Factorisation

Problem: factorise the polynomial xqm−1 − 1 in Fq [x].

Be careful about the concept of �irreducible polynomial�:

Have to specify the �eld we are considering.

Example 1.41

Consider a polynomial M (x) = x2 + 1.

1. M (x) is irreducible w.r.t. R.2. M (x) is reducible w.r.t. C: M (x) = (x+ j) (x− j).

Consider a polynomial M (x) = x2 + x+ 1.

1. M (x) is irreducible w.r.t. F2.

2. M (x) is reducible w.r.t. F4 = F2 [y] /y2 + y + 1

I F4 = {0, 1, y, y + 1}.I M (x) = (x− y) (x− (y + 1)) = x2 − (y + y + 1)x+ y (y + 1).

W. Dai (IC) EE4.07 Coding Theory Finite Fields Polynomial Factorisation 2019 page 1-50

An Example of Factorisation

Factorise x3 − 1 ∈ R [x]:

I Consider the easier problem: factorise x3 − 1 in C [x].

I Group terms of conjugate roots

I x3 − 1 = (x− 1)(x− ej2π/3

) (x− ej4π/3

)= (x− 1)

(x2 + x+ 1

).

To factorise the polynomial xqm−1 − 1 in Fq [x], we use the same strategy:

I Factorise xqm−1 − 1 in Fqm [x].

I Let α be a primitive element of Fqm :

xqm−1 − 1 =

∏qm−2i=0

(x− αi

)(Irreducible polynomials in Fqm [x]).

I Group appropriate terms together:

xqm−1 − 1 =

∏sk=1M

(k) (x) (Irreducible polynomials in Fq [x]).


A Preview of the Final Result

Example 1.42

Want to factorise x3 − 1 ∈ F2 [x].Let α be a primitive element of F4 = F2 [y] /y

2 + y + 1.That is, F∗4 =

{1, α, α2

}= {1, y, y + 1}.

x3 − 1 = (x− 1) (x− α)(x− α2

)= (x− 1) (x− y) (x− (y + 1))= (x− 1)

(x2 + x+ 1

).

Both x− 1 and x2 + x+ 1 are irreducible polynomial in F2 [x].We have obtained the factorisation of x3 − 1 in F2 [x].


Construction of Minimal Polynomials

De�nition 1.43 (Cyclotomic Coset)

The cyclotomic coset of q modulo n = qm − 1 containing i isCi :=

{i · qj mod n : j = 0, 1, 2, · · ·

}⊂ Zn

Example 1.44

Cyclotomic cosets of 2 mod 15(= 24 − 1

)are

C0 = {0}, C1 = {1, 2, 4, 8}, C3 = {3, 6, 12, 9}, C5 = {5, 10}, C7 = {7, 14, 13, 11}.

De�nition 1.45 (Minimal Polynomial)

Let α be a primitive element of Fqm . The minimal polynomial of αi inFq [x] is

M (i) (x) =∏j∈Ci

(x− αj

),

where Ci is the cyclotomic coset of q modulo qm − 1 containing i.


Towards Factorisation

xqm−1 − 1 =

∏sk=1M

(k) (x)

Want to show:

I M (i) (x) ∈ Fq [x].I M (i) (x) is irreducible.

Lemma 1.46

Every Fqm contains a sub-�eld Fq. For any β ∈ Fqm , β ∈ Fq i� βq = β.

Proof: ⇒: If β ∈ Fq, by Fermat's little theorem (Theorem 1.33) βq = β.⇐: The polynomial xq − x has at most q distinct roots in Fqm . As allelements in Fq are roots of xq − x and |Fq| = q, it holdsFq = {all roots of xq − x in Fqm}. ♦


A Useful Lemma

Lemma 1.47

Let p be the characteristic of Fq. It holds that (x+ y)p = xp + yp.

Proof: (x+ y)p =∑p

i=0

(pi

)xiyp−i.

Clearly(p0

)=(pp

)= 1.

For any 1 ≤ i ≤ p− 1,(pi

)= p!

i!(p−i)! =p(p−1)···(p−i+1)

i! ∈ Z+.

Note that gcd (i!, p) = 1 but(pi

)∈ Z+. By Euclid's Lemma (Theorem

1.12), i!| (p− 1) · · · (p− i+ 1) and(pi

)= p · s for some s ∈ Z+.

By the de�nition of the characteristic,(pi

)= 0, ∀1 ≤ i ≤ p− 1. ♦

Corollary 1.48

On the �eld Fqm , (x+ y)q = xq + yq.


Properties of Cyclotomic Cosets

Lemma 1.49

Let Ci be the cyclotomic coset of q modulo qm − 1 containing i. De�neqCi := {qj mod qm − 1 : j ∈ Ci}. Then qCi = Ci.

Proof: Note that i · qm = i mod qm − 1. It is clear thatCi =

{i · qj mod qm − 1 : j = 0, 1, · · · ,m− 1

}={

i · qj mod qm − 1 : j = 1, 2, · · · ,m}= qCi. ♦

Corollary 1.50

Let α be a primitive element of Fqm . ThenM (i) (x) =

∏j∈Ci

(x− αj

)=∏j∈Ci

(x− αjq

).

Proof:∏j∈Ci

(x− αjq

)=∏`∈qCi

(x− α`

)=∏j∈Ci

(x− αj

). ♦


M (i) (x) ∈ Fq [x]

Let r = |Ci|. Write

M (i) (x) =∑

` a`x` =

∏j∈Ci

(x− αj

)(a)=∑

`

(∑j1,··· ,jr−` α

j1 · · ·αjr−`)x`,

where (a) comes from the expansion of∏j∈Ci

(x− αj

). At the same

time,

M (i) (x) =∏j∈Ci

(x− αj

) (a)=∏j∈Ci

(x− αjq

)=∑

`

(∑j1,··· ,jr−` α

j1q · · ·αjr−`q)x`

(b)=∑

`

(∑j1,··· ,jr−` α

j1 · · ·αjr−`)qx`

=∑

` aq`x`,

where (a) comes from Corollary 1.50, (b) comes from Corollary 1.48.

Hence, a` = aq` , which implies a` ∈ Fq and M (i) (x) ∈ Fq [x]. ♦


M (i) (x) is Irreducible

Step 1: For all f (x) ∈ Fq [x] s.t. f(αi)= 0, it holds that M (i) (x) |f (x).

Write f (x) = f0 + f1x+ · · ·+ fnxn.

For any j ∈ Ci, ∃` s.t. j = iq` mod qm − 1.

f(αj)

= f(αiq

`)= f0 + f1α

iq` + · · ·+ fnαiq`·n

= f q`

0 + f q`

1 αiq` + · · ·+ f q

`

n αiq`·n

=(f0 + f1α

i + · · ·+ fnαin)q`

= f(αi)q`

= 0.

That is, αj is also a root of f . Hence, M (i) (x) |f (x).

Step 2: M (i) (x) is irreducible in Fq [x].Suppose not. Then M (i) (x) = g (x)h (x) for nontrivial g (x) and h (x).αi is a root of M (i) (x) ⇒ αi is a root of one of g (x) and h (x).W.l.o.g., αi is a root of g (x). Then M (i) (x) |g (x) which is impossible.

Hence M (i) (x) is irreducible. ♦


Representatives of Cyclotomic Cosets

De�nition 1.51

Consider the cyclotomic cosets of q mod n.A subset {i1, · · · , ij} ⊂ Zn is a complete set of representatives of

cyclotomic cosets if

Ci1⋃· · ·⋃Cij = Zn.

Example 1.52

Cyclotomic cosets of 2 mod 15 are

C0 = {0}, C1 = {1, 2, 4, 8}, C3 = {3, 6, 12, 9}, C5 = {5, 10}, C7 = {7, 14, 13, 11}.The complete set of representatives is {0, 1, 3, 5, 7}.


Factorisation

Theorem 1.53

Let α be a primitive element of Fqm . Let {i1, · · · , is} be a complete set ofrepresentatives of cyclotomic cosets of q modulo qm − 1. Then

xqm−1 − 1 =

∏qm−2i=0

(x− αi

)=∏sk=1M

(ik) (x) .

Proof:

The �rst equality: The degrees are the same. The coe�cients before

xqm−1 are the same. The roots are also the same.

The second equality: holds from the de�nitions of M (ik) (x) and the

complete set of representatives. ♦


Section 2

Cryptography

I Introduction

I Password management: store, exchange, and secret share

I The public key cryptographyI The RSA cryptosystemI The ElGamal cryptosystem

I Digital signatureThe contents are heavily based on Biggs' book, Chapters 13 & 14.

W. Dai (IC) EE4.07 Coding Theory Cryptography 2019 page 2-1

Cryptography

De�nition 2.1 (Cryptography)

A framework of cryptography includes a set of plaintext messagesM, a set

of ciphertext messages C, and a set of keys K. For each k ∈ K, there is an

encryption function Ek : M→ C and the corresponding decryption

function D` : C →M such that

D` (Ek (m)) = m, for all m ∈M.

W. Dai (IC) EE4.07 Coding Theory Cryptography Introduction 2019 page 2-2

Cryptography: An Example

One of the oldest cryptographic systems is said to have been used by Julius

Caesar over two thousand years ago.

Let A be the English alphabet set. Let K = {1, 2, · · · , 25}. For a given key

k ∈ K, replace each letter by the one that is k places later.

For example, if k = 5, then the message

SEE YOU TOMORROW becomes XJJ DTZ YTRTWWTB

For the Caesar system, a simple attack is exhaustive search as there are

only 25 keys.

A natural extension is to use any permutation of 26 letters, yielding

26! ≈ 4× 1027 keys. Exhaustive search is impossible.

However, in this case another method, called frequency analysis, is a much

more e�ective attack.

It uses the observation that the frequencies of the English letters are fairly

constant over a wide range of texts.


Another Example: Hill's Cryptography System

Consider a 29-symbol alphabet including 26 English letters, the space ,

comma, and full stop. It is mapped to F29.

Given a stream of symbols, split it into blocks of size n so that each block

can be written as m ∈ Fn29. A key K ∈ Fn×n29 is an invertible matrix. The

encryption function is given by

c =Km,

and the decryption function is

m =K−1c.


Diagram of Cryptography Systems

Adapted from http://www.akadia.com/services/email_security.html

I Popular cryptography systems are built on large prime numbers.

I Symmetric cryptography: encryption key k = decryption key `.

I Asymmetric cryptography: k 6= `.


Existence of Large Prime Numbers

Theorem: There exist in�nitely many prime numbers.

Proof:

1. Suppose that there exist only �nitely many prime numbers.

2. List all these prime numbers, p1, p2, · · · , pN .3. Let x = p1 · p2 · · · pN + 1.

4. Claim: x is a prime number.

Proved by the Unique Factorisation Theorem 1.9 as gcd (pi, x) = 1.

5. This contradicts the assumption that the list of p1, p2, · · · , pNcontains all the prime numbers. ♦

W. Dai (IC) EE4.07 Coding Theory Cryptography Prime Numbers 2019 page 2-6

Large Prime Numbers

A list of large prime numbers (http://primes.utm.edu)

Rank Prime Digits When

1 282589933 − 1 24862048 2018

2 277232917 − 1 23249425 2018

3 274207281 − 1 22338618 2016

4 257885161 − 1 17425170 2013

5 243112609 − 1 12978189 2008...

......

...

9 10223·231172165 + 1 9383761 2016


Large Prime Numbers Matter

It is di�cult to check whether a given number is a prime or not.

Suppose a 64 bit number.

Assume a computer can evaluate 1G (109) �basic operations� per second.

Brute force method requires 264/(109 · 3600 · 24 · 365

)≈ 585 years!

Nowadays, prime numbers of 512b or 1024b are often used.

The brute force method is not practical!


How to Store Passwords on a Server?

I A set of users wish to log in securely to a server.

I Each user choose a password.

I The passwords are stored in a �leI Should not be saved in the `raw' format.I Easy to check whether a password is valid.I Very di�cult to extract the passwords from the �le.

Solution: use the discrete logarithmic function.

W. Dai (IC) EE4.07 Coding Theory Cryptography Store Passwords 2019 page 2-9

The Discrete Logarithm

Normal exponential function:

x 7→ y = bx,Normal logarithmic function:

y 7→ x = logb y.It can be solved by Taylor expansion e�ciently.

De�nition 2.2 (Discrete logarithm problem (DLP))

Let p be a prime number and b ∈ F∗p be a primitive element.

x = logb y (mod p) if y = bx (mod p).

I It is well-de�ned if and only if b is primitive.


Computation Complexity

Discrete exponential function: computational complexity O (log (p))Example: 3211 =? (mod 811)Note that 211 = 128 + 64 + 16 + 2 + 1.One has 3211 = 3128 · 364 · 316 · 32 · 31 (mod 811).It can be achieved by computing

32 = 3 · 3 (mod 811), 34 = 32 · 32 (mod 811),

· · · , 32k = 32k−1 · 32k−1

(mod 811).

Discrete logarithmic function: computational complexity O (p).

I It is usually solved by brute force search.I No su�ciently e�cient algorithm in general.


Examples

Let p = 811 and b = 3.The output of discrete logarithmic function looks random:

log3 2 = 717; log3 3 = 1; log3 4 = 624; log3 5 = 494; · · · .

0 100 200 300 400 500 600 700 8000

1

2

3

4

5

6

7

x

y=lo

g(x)

Normal Logarithmic Function: b=3

0 100 200 300 400 500 600 700 8000

100

200

300

400

500

600

700

800

x

y=dl

og(x

) (m

od p

)

Discrete Logarithmic Function: p=811, b=3


Store Passwords on a Server: A Solution

I The administrator chooses a prime p and a primitive element b.I The values of p and b are also kept on the server.

I The user i chooses a password. This is converted into a number

xi ∈ F∗p.I Let yi = bxi (mod p) and the pair (i, yi) is stored.


Cryptography for Information Exchange

In the previous scheme:

Decoding is di�cult for everyone.

In the information exchange scenario, for example, Alice sends some

message to Bob.

Alice's information to Bob should be encrypted.

Bob would like to be able to decrypt the message easily.

The traditional choice: Symmetric cryptographyThe encryption and decryption keys are the same, i.e., k = `.The keys are known to both Alice and Bob for encryption and decryption

respectively.

Disadvantages: A secure channel is needed for key exchange.

Disasters may happen if the key is leaked.

W. Dai (IC) EE4.07 Coding Theory Cryptography Encryption Key Exchange 2019 page 2-14

Symmetric Key Cryptography

From http://chrispacia.wordpress.com/2013/09/07/bitcoin-cryptography-digital-signatures-explained/

The key is to keep the key safe.


Key Exchange

Problem: Alice and Bob want to share a secret key but their information

exchange could be observed by their adversary Eve. How is it possible for

Alice and Bob to share a key without making it known to Eve?

Solution: Di�e-Hellman key exchange.Wikipedia: The scheme was �rst published by Whit�eld Di�e and Martin Hellman in 1976. It had been separatelyinvented a few years earlier within GCHQ, by James H. Ellis, Cli�ord Cocks and Malcolm J. Williamson but was keptclassi�ed.


God Rewards Fools

Whit�eld Di�e Martin Hellman

�Ralph, like us, was willing to be a fool. And the way to get to the top of the heap in terms of developing originalresearch is to be a fool, because only fools keep trying. You have idea number 1, you get excited, and it �ops. Thenyou have idea number 2, you get excited, and it �ops. Then you have idea number 99, you get excited, and it �ops.Only a fool would be excited by the 100th idea, but it might take 100 ideas before one really pays o�. Unless you'refoolish enough to be continually excited, you won't have the motivation, you won't have the energy to carry itthrough. God rewards fools.�

� Hellman


Di�e-Hellman Key Exchange

1. Alice and Bob agree on a large prime p and an integer g mod p. Thevalues of p and g are publicly known.

2. Alice picks a secret integer a that she does not reveal to anyone, and

Bob picks an integer b that he keeps secret. They compute

A = ga mod p, and B = gb mod p,

respectively. They next exchange these computed values.

Note that Eve sees the values of A and B.

3. Alice and Bob uses their secret integers to compute

A′ = Ba mod p, and B′ = Ab mod p,

respectively. Note that A′ = B′ = gab is the shared secret key for

information exchange.


Secret Share: Motivation

Secrecy-reliability tradeo� in storing an encryption key

I Maximum secrecy: keep a single copy of the key in one locationI What if it gets lost.

I Reliability: store multiple copies at di�erent locationsI What if a copy falls into the wrong hand.

Secret Sharing: (k, n) threshold scheme.

Store the secret S into n pieces of encrypted words S1, · · · , Sn such that

I Knowledge of any K or more Si pieces makes S easily computable.

I Knowledge of any k − 1 or fewer Si pieces leaves S undetermined.

W. Dai (IC) EE4.07 Coding Theory Cryptography Secret Share 2019 page 2-19

Shamir's Secret Sharing

Idea of Adi Shamir's threshold scheme: k points to de�ne a polynomial ofdegree k − 1. 2 points are su�cient to de�ne a line, 3 points are su�cient to de�ne aparabola, 4 points to de�ne a cubic curve and so forth.

A (k, n) threshold scheme to share our secret S:

1. Let p be a prime number. Let n < p and S < p.

2. Randomly choose k − 1 positive integers a1, · · · , ak−1. Set a0 = S.

3. Set f (x) = a0 + a1x+ a2x2 + · · ·+ ak−1x

k−1.

4. Evaluate f (x) at n points to obtain (ti, f (ti)), ti ∈ F∗p and

i = 1, · · · , n.Claim: given any k such pairs (ti, f (ti)), we can �nd the coe�cients of the

polynomial and therefore a0.


Finding the Polynomial Coe�cients

Polynomial coe�cients can be found via

I Solving the linear system:f (ti1)f (ti2)

...

f (tik)

=

1 ti1 · · · tk−1i1

1 ti2 · · · tk−1i2...

.... . .

...

1 tik · · · tk−1ik

a0a1...

ak−1

.I Or polynomial interpolation:

f (x) =

k∑j=1

f(tij)∏` 6=j

x− ti`xij − xi`

.


Cryptography for Information Exchange (2)

A modern solution: Public key algorithms (Asymmetric Cryptography)

Encryption key k 6= ` decryption key.

The encryption key is public while the decryption key is kept secret.

From http://www.akadia.com/services/email_security.html

W. Dai (IC) EE4.07 Coding Theory Cryptography Public Key Cryptography 2019 page 2-22

ComparisonComparisons of asymmetric cryptography over the symmetric one.

Advantages:

I No secret channel is necessary for the key exchange.

I Less key-management problems. Only 2n keys are needed for nentities to communicate securely with one another (each entity

maintains a private key and a public key). In a system based on

symmetric ciphers, you would need(n2

)= n (n− 1) /2 secret keys

(each pair of entities agrees on a key).

I More robust to �brute-force� attack in which all possible keys are

attempted.

I Can provide digital signatures.

Disadvantages:

I Much slower. The computational complexity of asymmetric

cryptography is much larger.

In practice, these two schemes are rarely used exclusively. For example,

your browser encrypts a symmetric key using the server's public key.W. Dai (IC) EE4.07 Coding Theory Cryptography Public Key Cryptography 2019 page 2-23

The ElGamal Cryptography

Key generation:

I Choose a prime p and a primitive element b ∈ F∗p.I Private key: choose an integer a′ ∈ N.I Public key: a = ba

′ ∈ F∗p.

Encryption: Alice transmits her public key a to Bob and keeps the private

key a′ secret. Bob randomly choose t ∈ N and encrypt the message m to(bt, mat

)Decryption: Alice can recover m via

m = mat(bt)−a′

= mata−t mod p.

Advantage:

The random number t generates a random encryption function.


RSA Cryptography

RSA public key cryptography:Published in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT.


RSA Cryptography: The Details

Key generation:

I Choose primes p1 6= p2. Let n = p1p2 and t = (p1 − 1) (p2 − 1).

I Public key: (n, e) where 1 < e < t and gcd (e, t) = 1.

I Private key: d where 1 < d < t and d · e mod t = 1.I Find d by the Euclidean algorithm.

Encryption: Bob sends his public key (n, e) to Alice and keeps the private

key d secret. Alice encrypts the message m to c via

c = me mod n.

Decryption: Bob can recover m from c via

cd = mde = m mod n.

(Will prove mde = m mod n in Euler's theorem.)


An Example

I Bob chooses p1 = 47 and p2 = 59.

I n = 47× 59 = 2773. t = 46× 58 = 2668.

I e = 157 is a valid public key as gcd (e, 2668) = 1.

I Use Euclidean algorithm, d = 17.

I To send a message m = 5, Alice computes the ciphertext

c = me = 5157 = 1044 (mod 2773).

I Bob deciphers the ciphertext via

m̂ = cd = 104417 = 5 (mod 2773),which is the correct message.


Theory Behind RSA

Recall Fermat's Little Theorem (Thm 1.33): ∀a ∈ F∗p, ap−1 = 1 mod p

Theorem 2.3 (Euler's Theorem)

Let p1 6= p2 be two prime numbers. De�ne n := p1p2 andt := (p1 − 1) (p2 − 1). Then ∀a ∈ Z+,

akt+1 = a mod n, ∀k ≥ 0

The correctness of RSA:

(me)d = med = mqt+1 = mqt ·m = m mod n.


Proof of Euler's Theorem: A Lemma

With a slight abuse of notation, de�ne x = y mod p if |x− y| = 0 mod p.

Lemma 2.4

For any two positive integers x and y, if x = y mod p1 and x = y mod p2,then x = y mod p1p2.

Proof:

I x = y mod p1 ⇒ p1| (x− y).Hence x− y = ap1 for some integer a.

I x = y mod p2 ⇒ p2| (x− y) ⇒ p2| (ap1) ⇒ p2|a⇒ p1p2| (x− y)

Hence x = y mod p1p2. ♦


Proof of Euler's Theorem

Fix an m ∈ {1, 2, · · · , p1p2 − 1}.I We �rst show that mde = m mod p1.

I If p1|m, then m = 0 mod p1 and mde = 0 mod p1. Hencemde = m mod p1.

I If p1 - m, then by Fermat's Little Theorem (Thm 1.33)mp1−1 ≡ 1 mod p1. Hence m

de ≡ mk(p1−1)(p2−1)+1 ≡ m mod p1.

I Similarly mde = m mod p2.

I Hence mde = m mod p1p2.

Euler's Theorem is therefore proved. ♦


Attack

Decryption is hard without the private key.

I Decryption is the inverse function of encryption.I Uniquely de�ned as m = cd.

I Find d from public available information?

d = e−1 mod t (t = (p1 − 1) (p2 − 1)).Without knowing the factorization n = p1p2,it is di�cult to �nd t and hence d.


Digital Signature: The General Principle

Problem:

I Alice wishes to send a message m to Bob.

I Bob would like to verify that the message comes from Alice.

In physical world, Alice sign the letter.

In digital world, any �xed signature can be easily copied.

General principle:

I Alice sends (m, y = s (m)),I y = s (m) is the message dependent signature.I The signature function s should kept secret.

I Bob checks whether m = s−1 (y).I He doesn't know the signature function s.

W. Dai (IC) EE4.07 Coding Theory Cryptography Digital Signature 2019 page 2-32

RSA Signature Scheme

I Let p1 6= p2, n = p1p2, and t = (p1 − 1) (p2 − 1).

I Public key: (n, e) where 1 < e < t & gcd (e, t) = 1.

I Private key: 1 < d < t s.t. d · e = 1 mod t.

�Sign� the message:

Alice computes y = s (m) = md mod n and sends (m, y).

Read the signature: If the message comes from Alice, then

ye =(md)e

= mkt+1 = m mod n.


Extend ElGamal Cryptography to ElGamal Signature?

RSA based schemes:

I In cryptography, we have D` (Ek (m)).

I In digital signature, we have Ek (D` (m)).

I This works as (me)d =(md)e.

This principle cannot be directly applied to ElGamal scheme.


ElGamal Signature Scheme

Notation:

∀x ∈ F∗p, let |x| ∈ {1, · · · p− 1} be the integer to represent x ∈ F∗p.I Choose a prime p and a primitive element b ∈ F∗p.I Choose a private key a′ ∈ N. Set the public key a = ba

′ ∈ F∗p.I Random choose 1 ≤ t ≤ p− 1 such that gcd (t, p− 1) = 1.

I Set u s.t. t · u = 1 mod p− 1.

I The signature function st : M→(F∗p,N

)is de�ned by

st (m) = (i, j) , where i = bt, j = u (|m| − a′ |i|).The algebra in computing j is w.r.t. normal integers.That is, the multiplication and subtraction are not w.r.t. Fp.

I (i, j) is a valid signature for the message m if

a|i|ij = ba′|i|btu(|m|−a

′|i|)

= b|m| in F∗p.


Summary

I Factorize a product of two large prime numbersI RSA public key cryptographyI RSA signature scheme

I Discrete logarithm problemI Store passwordsI Di�e-Hellman key exchangeI ElGamal public key cryptographyI ElGamal signature scheme

I PolynomialI Secret share

W. Dai (IC) EE4.07 Coding Theory Cryptography Summary 2019 page 2-36

ee4.07 coding theory · i introduction to coding theory ron m. roth i coding theory: a first...

Documents