Undergraduate Thxts in Mathematics

Springer Science+Business Media, LLC

Editors

S. Axler F. W. Gehring

K.A. Ribet

Undergraduate Texts in Mathematics

Abbott: Understanding Analysis.Anglin: Mathematics: A Concise History

and Philosophy .Readings in Mathematics.

Anglin/Lambek: The Heritage ofThales.Readings in Mathematics.

Apostol: Introduction to AnalyticNumber Theory. Second edition.

Armstrong: Basic Topology.Armstrong: Groups and Symmetry.Axler: Linear Algebra Done Right.

Second edition.Beardon: Limits: A New Approach to

Real Analysis.BaklNewman: Complex Analysis.

Second edition.BanchofflWermer: Linear Algebra

Through Geometry. Second edition.Berberian: A First Course in Real

Analysis.Bix: Conics and Cubics: A

Concrete Introduction to AlgebraicCurves.

Bremaud: An Introduction toProbabilistic Modeling.

Bressoud: Factorization and PrimalityTesting.

Bressoud: Second Year Calculus.Readings in Mathematics .

Brickman: Mathematical Introductionto Linear Programming and GameTheory.

Browder: Mathematical Analysis:An Introduction .

Buchmann: Introduction toCryptography, Second edition.

Buskes/van Rooij: Topological Spaces:From Distance to Neighborhood.

Callahan: The Geometry of Spacetime:An Introduction to Special and GeneralRelavitity.

Carter/van Brunt: The Lebesgue­Stieltjes Integral: A PracticalIntroduction .

Cederberg: A Course in ModemGeometries . Second edition.

Childs: A Concrete Introduction toHigher Algebra. Second edition.

Chung/AitSahlia: Elementary ProbabilityTheory: With Stochastic Processes andan Introduction to MathematicalFinance. Fourth edition .

Cox/Little/O'Shea: Ideals, Varieties ,and Algorithms. Second edition.

Croom: Basic Concepts of AlgebraicTopology.

Curtis: Linear Algebra: An IntroductoryApproach. Fourth edition .

Daepp/Gorkin: Reading, Writing, andProving: A Closer Look atMathematics.

Devlin : The Joy of Sets: Fundamentalsof Contemporary Set Theory .Second edition.

Dlxmler: General Topology.Driver: Why Math?Ebbinghaus/FlumlThomas:

Mathematical Logic. Second edition .Edgar: Measure, Topology, and Fractal

Geometry.Elaydi: An Introduction to Difference

Equations . Second edition .Erdos/Suranyi: Topics in the Theory of

Numbers.Estep: Practical Analysis in One Variable .Exner: An Accompaniment to Higher

Mathematics.Exner: Inside Calculus.Fine/Rosenberger: The Fundamental

Theory of Algebra.Fischer: Intermediate Real Analysis.Flanigan/Kazdan: Calculus Two: Linear

and Nonlinear Functions . Secondedition.

Fleming: Functions of Several Variables.Second edition.

Foulds: Combinatorial Optimization forUndergraduates .

Foulds: Optimization Techniques: AnIntroduction .

(continued after index)

Johannes Buchmann

Introduction toCryptography

Second Edition

, Springer

Johannes A. Buchmann Department of Computer Science Thchnical University, Darmstadt Hochschulstr, 10 64289 Darmstadt Germany

Editorial Board

S. Axler Mathematics Department San Francisco State

University San Francisco, CA 94132 USA

F.w. Gehring Mathematics Department East Hali University of Michigan Ann Arbor, MI 48109 USA

K.A. Ribet Mathematics Department University of California

Berkeley Berkeley, CA 94720-3840 USA

axler@sfsu.edu gehring@math.lsa.umich.edu ribet@math.berkeley.edu

Cover: The factorization of RSA-576, a 576-bit or 174-digit prime number, was the goal of an open ehallenge sponsored by RSA Laboratories (Bedford, Mass.). RSA-576 was faetored by a team of researehers in Germany and other eountries in December, 2003.

Mathematics Subjeet Classifieation (2000): 94-01, 94A60, l1T71

Library of Congress Cataloging in Publieation Data Buehmann, Johannes.

Introduction to cryptography I Johannes Buchmann. - [2nd ed.). p. em. - (Undergraduate texts in mathematies)

Inc\udes bibliographieal references and index.

1. Cod ing theory. 2. Cryptography. 1. Title. II Series. QA268.B83 2004 003l 54-de22 2004041657 ISBN 978-0-387-20756-8 ISBN 978-1-4419-9003-7 (eBook) DOI 10.1007/978-1-4419-9003-7

Printed on aeid-free paper.

German edition: Einfiirung in die Kryptographie <CSpringer Science+Business Media New York 2004 Originally published by Springer-Verlag New York, Inc. in 2004 Softcover reprint of the hardcover 1 st edition

Ali rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form ofinformation storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden.

The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as sueh, is not to be taken as an expression of opinion as to whether or not they are subjeet to proprietary rights.

9865432 1 SPIN 10991503 (hard eover) - SPIN 10963999 (soft cover)

springeronIine.eom

For Almut, Daniel, and Jan

Contents

Preface for the Second Edition xiii

Preface xv

1 Integers 11.1 Basics. . . . . .. . . . .. 11.2 Divisibility . . . . . . . . . 31.3 Representation of Integers 41.4 0 - and Q-Notation . . . . . 61.5 Cost of Addition, Multiplication , and Division with

Remainder . . . . . . . . . 71.6 Polynomial Time . . . . . 91.7 Greatest Common Divisor 91.8 Euclidean Algorithm ... 121.9 Extended Euclidean Algorithm . 161.10 Analysis of the Extended Euclidean Algorithm 181.11 Factoring into Primes 221.12 Exercises . . . . . . . . . . . . . . . 24

2 Congruences and Residue Class Rings2.1 Congruences .

2929

..Vll

V111 Contents

2.22.32.42.52.62.72.82.92.102.112.122.132.142.152.162.172.182.192.202.212.22

2.23

Semigroups .Groups .Residue Class Ring .Fields .Division in the Residue Class Ring .Analysis of the Operations in the Residue Class RingMultiplicative Group of Residues mod mOrder of Group ElementsSubgroups .Fermat's Little TheoremFast Exponentiation . . .Fast Evaluation of Power ProductsComputation of Element Orders .The Chinese Remainder TheoremDecomposition of the Residue Class RingA Formula for the Euler cp-FunctionPolynomials . . . . . . . . .Polynomials over Fields. . . . . . .Construction of Finite Fields . . . .The Structure of the Unit Group of Finite FieldsStructure of the Multiplicative Group of ResiduesModulo a Prime NumberExercises .

3234353636383941424445484951535556586165

6667

3 Encryption3.1 Encryption Schemes .3.2 Symmetric and Asymmetric Cryptosystems3.3 Cryptanalysis . . . .3.4 Alphabets and Words3.5 Permutations . . . . .3.6 Block Ciphers . . . .3.7 Multiple Encryption .3.8 The Use of Block Ciphers3.9 Stream Ciphers ... ..3.10 The Affine Cipher . . . .3.11 Matrices and Linear Maps3.12 Affine Linear Block Ciphers3.13 Vigenere, Hill, and Permutation Ciphers

717173747780818283939597

102103

Contents

3.14 Cryptanalysis of Affine Linear Block Ciphers . 1043.15 Secure Cryptosystems . 1053.16 Exercises . .. . . ... .. . III

4 Probability and Perfect Secrecy 1154.1 Probability . ... ... 1154.2 Conditional Probability 1174.3 Birthday Paradox . . . . 1184.4 Perfect Secrecy . . . . . 1194.5 Vernam One-Time Pad 1234.6 Random Numbers . . . 1244.7 Pseudorandom Numbers 1244.8 Exercises . . . ... ... 125

5 DES 1275.1 Feistel Ciphers . 1275.2 DESAlgorithm. 1285.3 An Example . . 1345.4 Security of DES 1365.5 Exercises . . .. 137

6 AES 1396.1 Notation . . . 139

6.2 Cipher .... 1406.3 KeyExpansion 1456.4 An Example 1466.5 InvCipher 1486.6 Exercises . . 148

7 Prime Number Generation 1517.1 ThaI Division . . . . . 1517.2 Fermat Test . . . . . . 1537.3 Carmichael Numbers 1547.4 Miller-Rabin Test . 1567.5 Random Primes 1597.6 Exercises ... . . 160

X Contents

8 Public-Key Encryption 1638.1 Idea . . . . . . . . . 1638.2 Security. . . . . . . 1658.3 RSA Cryptosystem . 1678.4 Rabin Encryption . 1818.5 Diffie-Hellman Key Exchange 1868.6 EIGamal Encryption . 1918.7 Exercises . . . . .. . 196

9 Factoring 1999.1 Trial Division . 1999.2 P - 1 Method . 2009.3 Quadratic sieve 2019.4 Analysis of the Quadratic Sieve 2069.5 Efficiency of Other Factoring Algorithms 2109.6 Exercises. . . ... . .. .. . . .. . . . 211

10 Discrete Logarithms 21310.1 The DL Problem . . . . . . . . . . . . . 21310.2 Enumeration . . . . . . . . . . . . . . . 21410.3 Shanks Baby-Step Giant-Step Algorithm 21410.4 The Pollard p-Algorithm ... . 21710.5 The Pohlig-Hellman Algorithm . 22110.6 Index Calculus . . . . . . . . . . 22610.7 Other Algorithms . . . . . . . . 23010.8 Generalization of the Index Calculus Algorithm 23110.9 Exercises . . . . . . . . . . . . . . . . . . . . . . 232

11 Cryptographic Hash Functions 23511.1 Hash Functions and Compression Functions 23511.2 Birthday Attack .. . . . . . . . . . . . . . . 23811 .3 Compression Functions from Encryption Functions 23911.4 Hash Functions from Compression Functions 23911 .5 SHA-l . . . . . . . . . . . . . . . . . . . 24211 .6 Other Hash Functions . . . . . . . . . . 24411 .7 An Arithmetic Compression Function . 24511 .8 Message Authentication Codes 24711 .9 Exercises . . . . . . . . . . . . . . . . . 248

Contents Xl

12 Digital Signatures 24912.1 Idea . . . . . . 24912.2 Security . . . . 25012.3 RSA Signatures . 25112.4 Signatures from Public-Key Systems . 25712.5 ElGamal Signature . . . . . . . . . . . 25712.6 The Digital Signature Algorithm (DSA) 26312.7 Undeniable Signatures 26612.8 Blind Signatures 27112.9 Exercises . 274

13 Other Systems 27713.1 Finite Fields 27813.2 Elliptic Curves . . 27813.3 Quadratic Forms . 28213.4 Exercises . . . . . 283

14 Identification 28514.1 Passwords 28614.2 One-Time Passwords . . . . . . . . 28714.3 Challenge-Response Identification . 28714.4 Exercises . . . . . . . . . . . . . . . 292

15 Secret Sharing 29315.1 The Principle 29315.2 The Shamir Secret Sharing Protocol 29415.3 Exercises . . . . . . . . . . . . . . . 297

16 Public-Key Infrastructures 29916.1 Personal Security Environments 29916.2 Certification Authorities 30116.3 Certificate Chains . 306

Solutions of the exercises 307

References 325

Index 331

Preface for theSecond Edition

The second edition of my introduction to cryptography contains up­dates and new material. I have updated the discussion of the securityof encryption and signature schemes and the state ofthe art in factor­ing and computing discrete logarithms. I have added descriptions oftime-memory trade of attacks and algebraic attacks on block ciphers,the Advanced Encryption Standard (AES), the Secure Hash Algo­rithm (SHA-l) , secret sharing schemes, and undeniable and blindsignatures. I have also corrected the errors that have been reportedto me . I thank the readers of the first edition for all comments andsuggestions.

October 2003 Johannes Buchmann

XIll

Preface

Cryptography is a key technology in electronic security systems.Modern cryptograpic techniques have many uses, such as to digitallysign documents, for access control, to implement electronic money,and for copyright protection. Because of these important uses it isnecessary that users be able to estimate the efficiency and securityof cryptographic techniques. It is not sufficient for them to knowonly how the techniques work.

This book is written for readers who want to learn about mod­ern cryptographic algorithms and their mathematical foundationbut who do not have the necessary mathematical background. Itis my goal to explain the basic techniques of modern cryptography,including the necessary mathematical results from linear algebra,algebra , number theory, and probability theory. I only assume basicmathematical knowledge.

The book is based on courses in cryptography that I have beenteaching at the Technical University Darmstadt, since 1996. I thankall students who attended the courses and who read the manuscriptcarefully for their interest and support. In particular, I would like tothank Harald Baier, Gabi Barking, Manuel Breuning, Safuat Hamdy,Birgit Henhapl, Michael Jacobson (who also corrected my English) ,Markus Maurer, Andreas Meyer, Stefan Neis, Sachar Paulus, Thomas

xv

XVI Preface

Pfahler, Marita Skrobic, Edlyn Teske, Patrick Theobald, and Ralf­Philipp Weinmann. I also thank the staff at Springer-Verlag, inparticular Martin Peters, Agnes Herrmann, Claudia Kehl, Ina Lin­demann, and Terry Kornak, for their support in the preparation ofthis book.

DarmstadtJune 1999 Johannes Buchmann