Abstract
In 1949, Shannon published a famous paper entitled “communication theory of secure systems” in the technical bulletin of Bell laboratory. Based on the mathematical theory of information established by him in 1948 (see Chap. 3), this paper makes a comprehensive discussion on the problem of secure communication and establishes the mathematical theory of secure communication system. It has a great impact on the later development of cryptography. It is generally believed that Shannon transformed cryptography from art (creative ways and methods) to science, so he is also known as the father of modern cryptography. The main purpose of this chapter is to introduce Shannon’s important ideas and results in cryptography theory, which is the cornerstone of the whole modern cryptography.
You have full access to this open access chapter, Download chapter PDF
In 1949, Shannon published a famous paper entitled “communication theory of secure systems” in the technical bulletin of Bell laboratory. Based on the mathematical theory of information established by him in 1948 (see Chap. 3), this paper makes a comprehensive discussion on the problem of secure communication and establishes the mathematical theory of secure communication system. It has a great impact on the later development of cryptography. It is generally believed that Shannon transformed cryptography from art (creative ways and methods) to science, so he is also known as the father of modern cryptography. The main purpose of this chapter is to introduce Shannon’s important ideas and results in cryptography theory, which is the cornerstone of the whole modern cryptography.
4.1 Definition and Statistical Characteristics of Cryptosystem
Let \(X=\{a_{1}, a_{2}, \ldots , a_{q}\}\) be the plaintext alphabet and a source. \(\{\xi _{i}\}_{i=1}^{\infty }\) is a set of random variables valued on X, for any given positive integer \(n \ge 1\), we define the plaintext space P as the product information space \(X_{1}X_{2}\cdots X_{n}\), that is
If \(m=m_{1}m_{2}\cdots m_{n} \in P(m_{i}\in X_{i})\), m is called a plaintext information column of alphabet length n, or a plaintext string of length n, the joint probability p(m) is defined as
Let \(Z=\{b_{1}, b_{2}, \ldots , b_{s}\}\) be the key alphabet, which is also a memoryless source (see Definition 3.9 of Chap. 3), let \(\{\eta _{i}\}_{i=1}^{\infty }\) be a group of random variables with independent values on Z and equal probability distribution, then for any \(b \in Z\),
We define the power space \(Z^{r}\) as a key space, denoted by K, that is
Each \(k=k_{1}k_{2}\cdots k_{r} \in K\) is called a key of length r, and the joint probability p(k) is
This shows that the r-dimensional random vector \(\eta =(\eta _{1},\eta _{2}, \ldots , \eta _{r})\) taking value on the key space K is also equally almost distributed on K. Unless otherwise specified, we generally stipulate that the plaintext space P and the key space K are independent information spaces, that is
For every \(k\in K\), k defines or controls an encryption transform \(E_{k}\), denote by
E is called encryption algorithm. When \(k\in K\) is given, the encryption transformation \(E_{k}\) acts on the plaintext \(m \in P\) to produce a cryptosystemtext \(E_{k}(m)\), each encryption transformation \(E_{k}\) is an injection, and its left inverse mapping is recorded as \(D_{k}\), which is called decryption transformation. Taking \(1_{P}\) as the identity transformation of plaintext space, that is \(1_{P}(m)=m, \forall ~ m \in P\), then we have
Define cryptosystemtext space C as
That is, cryptosystemtext space C and plaintext space P have the same alphabet and the same letter length.
For each cryptosystemtext \(c\in C, c=E_{k}(m)\), then c is uniquely determined by plaintext m and key k, so we can define the occurrence probability p(c) of cryptosystemtext c as
Obviously,
Therefore, the cryptosystemtext space C defined by formula (4.7) is also an information space.
When \(k\in K\) is given, we let
Then the encryption transformation \(E_{k}\) is the full mapping of \(P\rightarrow A_{k}\), so \(E_{k}\) is a 1–1 correspondence of \(P\rightarrow A_{k}\), and its inverse mapping is the decryption transformation \(D_{k}\), that is
We denote D as all decryption transformations, that is
D is called decryption algorithm.
Definition 4.1
Under the above provisions, \(\mathfrak {R}=\{P, C, K, E, D\}\) is called a cryptosystem, where P, C, K is the information space, K and P are statistically independent, E is the encryption algorithm and D is the decryption algorithm.
The statistical characteristics of a cryptosystem are attributed to the following theorem.
Theorem 4.1
If \(\mathfrak {R}=\{P, C, K, E, D\}\), then
-
(1)
\(\forall ~ c \in C, \text {we have}\)
$$\begin{aligned} p(c)=\sum _{\begin{array}{c} {k \in K} \\ c \in A_{k} \end{array}}p(k)p(D_{k}(c)). \end{aligned}$$(4.10) -
(2)
\(c \in C, m\in P,\) then
$$\begin{aligned} p(c|m)=\sum _{\begin{array}{c} {k \in K} \\ E_{k}(m)=c \end{array}}p(k). \end{aligned}$$(4.11) -
(3)
\(c \in C, m\in P,\) then
$$\begin{aligned} p(m|c)=\frac{p(m)\sum _{\begin{array}{c} {k \in K} \\ D_{k}(c)=m \end{array}}p(k)}{\sum _{\begin{array}{c} {k \in K} \\ c\in A_{k} \end{array}}p(k)p(D_{k}(c))}, \end{aligned}$$(4.12)where \(A_{k}\) is given by equation (4.8).
Proof
By (4.7), if \(c \in C\), then
(1) holds. (2) is trivial. Because when \(m\in P\) is given, the occurrence probability p(c|m) of cryptosystemtext c has
To prove (3), by (1.24),
the items in the denominator are
So in the end
Theorem 4.1 holds!
By Theorem 4.1, the statistical characteristics of a cryptosystem can be summarized as follows: The probability distribution of cryptosystemtext space and the conditional probability distribution of plaintext about cryptosystemtext are completely determined by the probability distribution of plaintext space and key space. That is, anyone who knows the probability distribution of plaintext space and key space will know the probability distribution of cryptosystemtext and the conditional probability distribution of plaintext about cryptosystemtext.
It is assumed that the plaintext space and the key space are statistically independent, by (3.14) of Theorem 3.2 of Chap. 3, we have
It has been previously specified that the key source alphabet Z is an equal probability information space without memory, and the probability p(k) of the key space \(K=\{k=k_{1}k_{2}\cdots k_{r}|k_{i}\in Z\}\) is
Therefore, the key space is also an equal probability information space.
From the definition of cryptosystem, when the plaintext space and key space are given, the cryptosystemtext space is completely determined. On the contrary, when the cryptosystemtext space and key space are known, the plaintext space is also known, combined with Lemma 3.3 in the previous chapter, we have
Theorem 4.2
In a cryptosystem \(\mathfrak {R}=\{P, C, K, E, D\}\), we have
Proof
We only prove \(H(P|KC)=0\), similarly to \(H(C|KP)=0\) and \(H(K|PC)=0.\) For given \(m\in P\), let
Thus \(N_{m}\subset KC\), and
Because assuming \(kc \in N_{m}\) is selected, then \(E_{k}(m)=c\), thus \(m=D_{k}(c)\), m will be determined. Conversely, if \(kc \not \in N_{m}\), when the kc-joint event occurs and m cannot occur, thus \(p(m|kc)=0\). By Lemma 3.3 from the previous chapter, \(H(P|KC)=0\), we complete the proof of Theorem 4.2.
Corollary 4.1
In a cryptosystem \(\mathfrak {R}=\{P, C, K, E, D\}\), we always have
Proof
It is stipulated that P and K are statistically independent, so there are
The Corollary holds.
The Corollary shows that the uncertainty of plaintext is less than that of cryptosystemtext in cryptosystem.
4.2 Fully Confidential System
Generally speaking, the mutual information I(P, C) between plaintext space and cryptosystemtext space (see Definition 3.8 in the previous chapter) reflects the information of plaintext space contained in cryptosystemtext space, so I(P, C) minimization is an important design goal of cryptosystem. If the cryptosystemtext does not provide any information about the plaintext, or the analyst cannot obtain any information about the plaintext by observing the cryptosystemtext, such a cryptosystem is called completely confidential.
Definition 4.2
A cryptosystem \(\mathfrak {R}=\{P, C, K, E, D\}\), if \(H(P|C)=H(P)\), or \(I(P, C)=0\), \(\mathfrak {R}\) is called complete secrecy system, or unconditional secrecy system.
Theorem 4.3
For any cryptosystem \(\mathfrak {R}=\{P, C, K, E, D\}\), we have
Proof
By Theorem 4.2, we have \(H(P|KC)=0\), and
So we have
By definition,
So the Theorem holds.
From the previous chapter, we know the amount of mutual information \(I(X, Y)\ge 0\), there is
Corollary 4.2
In a completely confidential cryptosystem \(\mathfrak {R}=\{P, C, K, E, D\}\), there is always
Proof
Defined by \(\mathfrak {R}=\{P, C, K, E, D\}\) as a completely confidential system, so \(I(P, C)=0\). From the above theorem, there are
Thus there is \(H(P)\le H(K)\). By (4.14), K is equipotential distribution, so there is
It can be seen from the above that the larger the scale |K| of the key space, the better the confidentiality of the system!
Definition 4.3
A cryptosystem \(\mathfrak {R}=\{P, C, K, E, D\}\) is called a “one secret at a time" system, if there is a unique key \(k\in K\) for a given \(m\in P\) and \(c\in C\), such that \(c=E_{k}(m)\).
As can be seen from the above definition, for given \(m\in P\), if \(k\ne k'\), then \(E_{k}(m)\ne E_{k'}(m)\). In other words, we only use a unique key k to encrypt the same set of plaintext and cryptosystemtext. This is also the origin of the concept of “one secret at a time”. Thus, for any given plaintext \(m\in P\) and cryptosystemtext \(c\in C\), there happens to be a unique key \(k\in K\) such that \(E_{k}(m)=c\). Therefore, when k traverses the key space K, m traverses the plaintext space P, and each m appears only once. Thus, for \(c\in C\), we have
That is to say, in a one-time cryptosystem, the cryptosystemtext space C is also an equal probability information space.
Theorem 4.4
The one-time password system is a completely confidential system.
Proof
When c, m given, by (4.11),
Thus
Therefore, \(\mathfrak {R}=\{P, C, K, E, D\}\) is a completely confidential system.
4.3 Ideal Security System
In order to introduce Shannon’s concepts of unique solution distance and ideal cryptosystem, we first consider the scenario of secret only attack. In the scenario of secret only attack, when the cryptanalyzer intercepts cryptosystemtext c, he may decrypt c with all decryption keys \(D_{k}\) to obtain
Therefore, he records the keys corresponding to all meaningful messages \(m'\), only one of the set of these keys is a correct key, while other incorrect keys are called pseudo keys. A large number of cryptosystemtexts are required as samples in secret only attacks. Therefore, we will consider the product space \(P^{n}\) of plaintext and cryptosystemtext and the joint events in \(C^{n}\), \(P^{n}\) and \(C^{n}\) as plaintext string and cryptosystemtext string.
Definition 4.4
For cryptosystemtext string \(y\in C^{n}\) with given length n, let
Then the number of pseudo keys is \(|K(y)|-1\). The mathematical expectation \(S_{n}\) of the pseudo key is defined as
Therefore, the mathematical expectation of pseudo key is the weighted average of the number of pseudo keys of each cryptosystemtext string. We first prove the following two theorems.
Theorem 4.5
If \(\mathfrak {R}=\{P, C, K, E, D\}\) is a cryptosystem, there are
Proof
From the addition formula of information entropy (see Theorem 3.2 in the previous chapter),
By Theorem 4.2, we have
thus,
Again, from the addition formula and note that K and P are statistically independent, so
and
So we have
The Theorem holds.
Theorem 4.6
Let \(\mathfrak {R}=\{P, C, K, E, D\}\) be a cryptosystem, and \(|C|=|P|\), let r be the redundancy of P, then the pseudo key mathematical expectation \(S_{n}\) of a cryptosystemtext string with a given length of n satisfies
Proof
From the definition and properties of product space,
also constitutes a cryptosystem. By Theorem 4.5, then
By (3.9), we have
Replace information space X with P, then we have
So we have
Combined with the above formula, we have an estimate
Because of the definition,
We get
Then by Jensen inequality,
Finally, (4.21) can be obtained from form (4.23) to complete the proof!
When the mathematical expectation of the number of pseudo keys is greater than 0, the secret only attack cannot break the password in theory, so we define the unique solution distance of a cryptosystem as the value of n of \(S_{n}=0\).
Definition 4.5
A cryptosystem whose unique solution distance is infinite is called an ideal security system.
From Theorem 4.6, we can obtain an approximate value of the distance of the unique solution.
The unique solution distance indicates the minimum amount of cryptosystemtext that may be decrypted successfully when an exhaustive attack is carried out. Generally speaking, the greater the unique solution distance, the better the confidentiality of the system. However, Shannon only gives the existence of the unique solution distance, but does not give a specific calculation program. In practice, the amount of cryptosystemtext required to decryptosystem a cryptosystemtext is far greater than the theoretical value of the unique solution distance.
4.4 Message Authentication
Authentication system, also known as authentication code, is an important tool to ensure the authenticity and integrity of messages. In 1984, Simmons systematically put forward the information theory of authentication system for the first time. He used mathematics to study the theoretical and practical security of authentication system. This paper puts forward the performance limit of authentication system and the mathematical principles that should be followed in the design of authentication code. Although Simmons’ theory is not mature and perfect, its position in authentication system is as important as Shannon’s theory in cryptosystem, which lays a theoretical foundation for the research of mathematical theory of authentication system.
In cryptography, authentication system includes entity authentication and message authentication. We mainly discuss message authentication system. At present, there are two main models of authentication system. One is the arbiter-free authentication system model. In this model, the participants of the system are mainly message sender, message receiver and attacker, in which the message sender and receiver trust each other. They share the same key information; another model is the authentication system model with arbiter. In this model, the participants of the system have arbiters in addition to the information sender, receiver and attacker. At this time, the sender and receiver of the message do not trust each other, but they all trust the arbiter. The arbiter shares the key information with the sender and receiver.
An authentication system without privacy and confidentiality function and without arbiter is composed of four parts: a finite set S of source states, called the source set, a finite set A of authentication tags, called the tag set, a key space composed of all solvable keys, and an authentication rule set \(E=\{e_{k}(s)|k\in K, s \in S\}\), where for any \(k\in K, ~s\in S\), \(e_{k}(s)\) is the authentication rule. It is a mapping of \(S\rightarrow A\).
Definition 4.6
An authentication system is \(T=\{ S, A, K, E \},\) where S, A, K is the information space, S is the source space or source set, A is the label space or label set, and K is the key space, where S and K are statistically independent,
Each \(e_{k}(s)\) is an injection of \(S\rightarrow A\), which is called an authentication rule.
Definition 4.7
The product space SA is called the message space, and M represents SA.
Authentication protocol: The sender and receiver of the message use the following protocol to transmit information. First, they secretly select and share the random key \(k\in K\); if the sender wants to transmit an information source state \(s \in S\) to the receiver, the sender calculates \(a=e_{k}(s)\) and sends the message \(sa\in M\) to the receiver. When the receiver receives message sa, he calculates \(a'=e_{k}(s)\) again, if \(a'=a\), he confirms that the message is reliable and receives the message, otherwise he refuses to receive the message sa.
Definition 4.8
Matrix \([e_{k}(s)]_{|K|\times |S|}\) is called authentication matrix. Its rows are marked by key \(k\in K\) and columns by source state \(s \in S\). It is a \(|K|\times |S|\)-order matrix, the element intersecting row k and column s is \(e_{k}(s)\).
Authentication matrix is an important tool in authentication theory research. Our detailed list is as follows:
Let \(K=\{ k_{1}, k_{2}, \ldots , k_{n}\}\), \(S=\{ s_{1}, s_{2}, \ldots , s_{m}\}\). Then the authentication matrix is an \(n\times m\)-order matrix, which is listed as follows:
4.5 Forgery Attack
In the process of message authentication, the attacker is an intermediate intruder. We usually consider two types of attacks, one is forgery attack and the other is substitution attack, which correspond to secret only attack and plaintext attack in cryptosystem. In forgery attack, the attacker sends message \(sa\in M\) in the channel and wants the receiver to confirm that it is true and receive it; in the substitution attack, the attacker first observes a message \(sa\in M\) in the channel, so he analyzes the coding rules currently used, then he tampers the message sa with \(s'a' \in M\), where \(s'\ne s\), and wants the receiver to receive it as a real message.
We assume that the attacker adopts the optimal deception strategy. \(p_{d_{0}}\) represents the probability that the forgery attacker is most likely to succeed in deception, and \(p_{d_{1}}\) represents the probability that the attacker is most likely to succeed in deception. The probability \(p_{d}\) that the attacker is successful in deception is defined as
Simmons’ theory is mainly to estimate the lower bound of \(p_{d}\), so as to provide a theoretical basis for constructing authentication codes with attack success probability \(p_{d}\) as small as possible.
First, let’s look at the definition and estimation of the maximum probability \(p_{d_{0}}\) of successful deception by forgery attackers.
\(A=\{a_{1}, a_{2}, \ldots , a_{r}\}\) represents the authentication tag space. The attacker first selects a source state \(s \in S\) and an authentication tag \(a \in A\). Let \(k_{0}\in K\) represent the shared key selected by the sender and receiver, if \(a=e_{k_{0}}(s)\), the forgery attacker can successfully deceive the receiver. We use pay off (s, a) to represent the probability that the message receiver receives sa as a true message, that is
If the attacker adopts the optimal strategy, then
Theorem 4.7
If the scale of authentication tag space A is set to \(|A|=r\), for any fixed source state \(s \in S\), there will always be an authentication tag \(a \in A\) such that
Proof
By the definition of pay off (s, a),
When a runs through the s column of the authentication matrix, k traverses the whole key space, so
Therefore, there is at least one \(a \in A\) such that
Theorem 4.8
Let \(T=\{ S, A, K, E \}\) be a message authentication system,
is the maximum probability of successful forgery attack, then
and
Proof
By definition, we know that \(p_{d_{0}}\) is not less than the mathematical expectation of pay off (s, a), that is
Then by Jensen inequality, we have
Obviously,
Thus
So
Because the source space S and the key space K are statistically independent, so
Also, the tag space A is completely determined by the source space S and the key space K, so
By the addition formula of information space,
On the other hand,
On the whole, we have
Thus
We completed the proof of the theorem.
\(M=SA\) is called message space, it can be seen from theorem 4.8 that the maximum success probability \(p_{d_{0}}\) of forgery attack satisfies
where I(K, M) is the average amount of mutual information between the key space and the information space. If the amount of mutual information I(K, M) is larger, the probability of the most successful forgery attack is lower. On the contrary, if the amount of mutual information is smaller, the success rate of forgery attack is higher.
4.6 Substitute Attack
The so-called substitution attack is that the attacker first observes a message (s, a) on the message, and then replaces (s, a) with message \((s', a')\), hoping that the receiver will receive \((s', a')\) as a real message. Considering the maximum success probability \(p_{d_{1}}\) of substitution attack, it is more difficult than forgery attack, the main reason is that \(p_{d_{1}}\) depends on both the probability distribution of source state space S and the probability distribution of key space K.
Let \((s', a')\) and (s, a) be two messages, where \(s\ne s'\). We use pay off \((s', a', s, a)\) to express the probability that using \((s', a')\) instead of (s, a) can cheat success, then
The above formula represents the conditional probability of \(a'=e_{k_{0}}(s')\) under the condition of \(a=e_{k_{0}}(s)\) under the same key \(k_{0}\), so
When the message \((s, a)\in M\) is given, the attacker uses the optimal strategy to maximize the success probability of the deceiver, so let
Taking \(p_{s,a}\) as a random variable, its mathematical expectation on message set \(M=SA\) is
The above formula is the formal definition of \(p_{d_{1}}\), which is the weighted average of the maximum success probability of pay off \((s', a', s, a)\) in message space M.
Like Theorem 4.7, we have
Theorem 4.9
Let \(T=\{ S, A, K, E \}\) be an authentication code, \(|A|=r\), then for any given \(s' \in S\), \(s \in S\), \(s\ne s'\) and \(a \in A\), there is a label \(a' \in A\) such that
So we have
Proof
By (4.28),
So at least one \(a'\in A\) such that
By the definition of \(p_{s,a}\), for \(\forall ~ s \in S\) and \(a \in A\), we have
Thus
Theorem 4.10
Let \(T=\{ S, A, K, E \}\) be an authentication code, for any \((s, a)\in M\), when using \((s', a')\) instead of attack, let \(p_{d_{1}}\) be the mathematical expectation of \(p_{s,a}\) in space M, then
and
Proof
By (4.29), \(p_{s,a}\) will not be less than the mathematical expectation of pay off \((s', a', s, a)\) on \(s' \in S\), \(a' \in A\), that is
By (4.30) and Jensen inequality, we have
In addition,
So there are
It can be proved that
So there are
Thus
That is
The Theorem holds!
Definition 4.9
An authentication code \(\{ S, A, K, E \}\) is called perfect if
Theorem 4.11
Perfect certification system exists.
Proof
The theorem is proved directly by the construction method. First, let the source state space be \(S=\{0, 1\}\). Let N be a positive even number, and define the label space A and the key space K as follows:
and
The authentication rule \(e_{k}(s)\) determined by \(k=k_{1}k_{2}\cdots k_{\frac{N}{2}}k_{\frac{N}{2}+1}\cdots k_{N}\) is defined as
and
Assuming that all \(2^{N}\) keys k are equitably selected, so for \(s \in S\) and \(a \in A\), we have
So there is \(p_{d_{0}}=2^{-\frac{N}{2}}\), similarly to \(p_{d_{1}}=2^{-\frac{N}{2}}\), so
Easy to calculate
So
Therefore, \(\{ S, A, K, E \}\) is a perfect authentication system.
4.7 Basic Algorithm
4.7.1 Affine Transformation
Encryption with matrix comes from the classical \(Vigen\grave{e}re\) password. Let \(X=\{a_{1}, a_{2}, \ldots , a_{N}\}\) be a plaintext alphabet of N characters, we replace the characters in \(\mathbb {Z}_{N}\) and X with numerical values, where \(\mathbb {Z}_{N}\) is the remaining class ring of \({{\,\mathrm{mod}\,}}N\). Let \(P=\mathbb {Z}_{N}^{k}\) be the plaintext space, \(x=x_{1}x_{2}\cdots x_{k} \in P\) is called a plaintext unit or a plaintext message of length k. Let \(M_{k}(\mathbb {Z}_{N})\) be a k-order full matrix ring over \(\mathbb {Z}_{N}\), \(A\in M_{k}(\mathbb {Z}_{N})\) is a invertible matrix of order k, \(b=b_{1}b_{2}\cdots b_{k} \in \mathbb {Z}_{N}^{k}\) is a given directional quantity, each plaintext unit \(x=x_{1}x_{2}\cdots x_{k}\) in P is encrypted by affine transformation (A, b):
where \(x=x_{1}x_{2}\cdots x_{k} \) is clear text, \(x^{'}=x_{1}^{'}x_{2}^{'}\cdots x_{k} ^{'}\) is cryptosystemtext. The decryption algorithm is:
Because affine transformation (A, b) is a 1–1 correspondence on \(\mathbb {Z}_{N}^{k}\longrightarrow \mathbb {Z}_{N}^{k}\), its inverse transformation is \((A^{-1}, -A^{-1}b)\); therefore, using affine transformation (A, b), we obtain the so-called high-order affine cryptosystem. This cryptosystem was first proposed by mathematician Lester hill in American Mathematics monthly in 1929, so it is also called Hill cryptosystem.
Hill cryptosystem divides the plaintext into a group of k characters and then encrypts each plaintext unit in turn by using k-order affine transformation (A, b) on \(\mathbb {Z}_{N}\). The advantage of this password is that it hides the statistical characteristics of a single character (such as 26 letters in English), which can better resist the statistical analysis of the occurrence frequency of characters, and has strong ability to resist cryptosystemtext only attacks. However, on the basis of mastering a large amount of plaintext, it is not difficult to find the key (A, b), so the hill password is not strong against the attack of known plaintext.
The mathematical principles used by Hill cryptosystem are the following two conclusions.
Lemma 4.1
The set of all k-order affine transformations on \(\mathbb {Z}_{N}\) is written as \(G_{k}\), that is
Then \(G_{k}\) forms a group under the multiplication of transformation, which is called the k-order affine transformation group of ring \(\mathbb {Z}_{N}\).
Proof
Take A as the k-order identity matrix E and \(b=0\) as the k-dimensional zero vector, then (E, 0) is the identity transformation of \(\mathbb {Z}_{N}^{k}\longrightarrow \mathbb {Z}_{N}^{k}\) and the unit element of \(G_{k}\). Secondly, we look at the product of two affine transformations \((A_{1}, b_{1})\) and \((A_{2}, b_{2})\),
Obviously, the inverse transformation of (A, b) is
Therefore, \(G_{k}\) is a group. The Lemma holds.
From the above lemma, any group element \((A, b)\in G_{k}\) of affine transformation group will form a Hill cryptosystem. If we select n group elements \((A_{1}, b_{1}), (A_{2}, b_{2})\), \(\ldots \), \((A_{n}, b_{n})\) in \(G_{k}\) and let
Using (A, b) to encrypt, we get a more complex Hill cryptosystem.
Lemma 4.2
\(A\in M_{k}(\mathbb {Z}_{N})\), \(|A|=D\) is the determinant of A, then A is reversible if and only if D and N are coprime, that is \((D, N)=1\).
Proof
If \((D, N)=1\), then there is \(D_{1}\) such that \(D_{1}D\equiv 1 ({{\,\mathrm{mod}\,}}N)\), let
where \(A=(a_{ij})_{k \times k}\), \(A_{ij}\) is the algebraic cofactor of \(a_{ij}\). obviously, we have
So A is reversible, \(A^{-1}=A^{*}\). Let’s take \(k=2\) as an example, if \(|A|=D\), \((D, N)=1\),
Conversely, if A is reversible and \(A^{-1}\) is the inverse matrix, because \(A^{-1}A=AA^{-1}=E\), we get
So we have \((D, N)=1\). The Lemma holds.
If \(k=1\), first-order affine cryptosystem \(x^{'} \equiv ax+b ({{\,\mathrm{mod}\,}}N)\), where \((a, N)=1\), contains many famous classical passwords, especially when \(a=1\), \(b=3\), \(N=26\), \(x^{'}=x+3({{\,\mathrm{mod}\,}}26)\) is the famous Caesar code in history.
Next, we analyze the computational complexity of affine cryptography. We have the following Lemma.
Lemma 4.3
If \(A=(a_{ij})_{k \times k}\) is a k-order reversible square matrix on \(\mathbb {Z}_{N}\), the bit operation times of \(A^{-1}\) are estimated as follows
Therefore, when k is a fixed constant, the algorithm for finding \(A^{-1}\) is polynomial. When N is a fixed constant, the algorithm for finding \(A^{-1}\) is exponential. In other words, the greater the order of the matrix, the higher the computational complexity.
Proof
Because \(A=(a_{ij})_{k \times k}\) is reversible, then determinant
where \(j_{1}j_{2}\cdots j_{k}\) is an arrangement of \(1,2, \ldots , k\) and \(\tau (j_{1}j_{2}\cdots j_{k})\) is the reverse order number of the arrangement. The number of bit operations of each summation is \(O(k^{3} \log ^{2}N)\), and there are k! summation terms in total, thus
By Lemma 1.5 of Chapter 1, find the multiplicative inverse of D under \({{\,\mathrm{mod}\,}}N\), \(D^{-1} {{\,\mathrm{mod}\,}}N=D_{1}\) is
The bit operation times of each algebraic cofactor \(A_{ij}\) of the adjoint matrix \(A^{*}\) of formula (4.34) is \(O((k-1)^{3}(k-1)!\log ^{2}N)\), and there are \(k^{2}\) algebraic cofactors, thus
So
When k is constant, the algorithm for finding \(A^{-1}\) is polynomial. When N is constant and \(k\longrightarrow \infty \), it is obvious that the algorithm for finding \(A^{-1}\) is exponential. The Lemma holds.
4.7.2 RSA
In 1976, two mathematicians from Stanford University, Diffie and Hellman, put forward a new idea of cryptosystem design. In short, the encryption algorithm and decryption algorithm are designed based on the principle of asymmetry. We can use the following schematic diagram to illustrate
where P is the plaintext space, C is the cryptosystemtext space, f encryption algorithm and \(f^{-1}\) decryption algorithm. If f and \(f^{-1}\) are the same algorithm, such as the involution operation in binary system, or the encryption algorithm f can easily deduce the decryption algorithm \(f^{-1}\). For example, the matrix encryption algorithm mentioned in the previous section (the matrix order is very small), which is called symmetric cryptosystem. The essence of symmetric cryptosystem is that the encryption key and decryption key have the same confidentiality importance. Diffie and Hellman proposed that if \(f \ne f^{-1}\) and f are encryption algorithms that are easy to implement, while \(f^{-1}\) is a decryption algorithm that is very difficult to calculate, the key can be divided into encryption key and decryption key. Even if the encryption key is made public to the public, the security of decryption key will not be affected. This encryption algorithm f is called asymmetric or trapdoor one-way function. The password using asymmetric f is called asymmetric password or public key cryptosystem. Due to the bold innovation of Diffie and Hellman, cryptography has ushered in a new era—the era of public key cryptography. Its basic feature is that passwords change from few users to many users, which greatly improves the efficiency and social value of passwords.
How to design asymmetric encryption algorithm? Rivest, Shamir and Adleman jointly put forward the first secure and practical one-way encryption algorithm, which is called RSA algorithm in academic circles. This public key cryptosystem has been widely used in cryptographic design and has become an international standard algorithm. In addition to its simplicity and practicality, its security completely depends on the difficulty of large prime factorization of huge integers.
Let p, q be two large and relatively safe prime numbers, assume
Let \(n=pq\), \(\varphi (n)\) be an Euler function, then
Randomly select a positive integer e to satisfy
The large prime numbers p and q and e satisfying formula (4.37) are randomly generated. The so-called random generation is to randomly select the p, q and e with the help of the computer random number generator (or pseudo-random number generator), and its computational complexity is
Lemma 4.4
Randomly generated large prime number p and q, \(n=pq\), \(\varphi (n)\) is Euler function, \(1<e< \varphi (n), (e, \varphi (n))=1\), then
Proof
Use the random number generator to generate a huge integer m, such as \(m>10^{300}\), and then detect whether \(m, m+1, m+2, \ldots ,\) is a prime number. From the prime number theorem, we know that the frequency of prime numbers adjacent to m is about \(O(\frac{1}{\log m})\), so we only need about \(O(\log m)\) tests to find the required prime number p, by Lemma 1.5 of Chapter 1,
Similarly,
Because \(n=pq\), so
n after confirmation, \(\varphi (n)=(p-1)(q-1)\). A positive integer a, \(1<a<\varphi (n)\), is randomly generated by the random number generator, and then whether \(a, a+1, a+2, \ldots \) and \(\varphi (n)\) are mutually prime is detected in turn. Again, according to the prime number theorem, the frequency of the prime factor of \(\varphi (n)\) appearing in the vicinity of a is \(O(\frac{1}{\log a})\), so we only need \(O(\log a)\) tests to get the required e. Thus
The Lemma holds.
After randomly selecting p, q, \(n=pq\), and e, because \((e, \varphi (n))=1\), then exist \(d=e^{-1} {{\,\mathrm{mod}\,}}\varphi (n)\), that is
Definition 4.10
After randomly determining \(n=pq\), let \(P_{e}=(n,e)\) be called public key, \(P_{d}=(n,d)\) be called private key, or e be public key and d be private key.
By Lemma 1.5 of chapter 1, calculate the number \(\text {Time} (d)=O( \log ^{3}\varphi (n))=O( \log ^{3}n)\) of bit operations required for \(d=e^{-1} {{\,\mathrm{mod}\,}}\varphi (n)\). By Lemma 4.4, we have
Corollary 4.3
The computational complexity of randomly generated public key \(P_{e}=(n,e)\) and private key \(P_{d}=(n,d)\) is polynomial.
The key mathematical principle used in RSA cryptographic design is the generalized Euler congruence theorem. \(n \ge 1\) is a positive integer, \((m,n)=1\), from Euler theorem, it can be seen that
We will prove that under the condition that n is a positive integer without square factor, there is formula (4.39) for all positive integers m, whether \((m, n)=1\) or \((m, n)>1\).
Lemma 4.5
If \(n=pq\) is the product of two different prime numbers, then for all positive integers m, k, there are
Proof
If \((m, n)=1\), then by Euler Theorem,
We only consider the case of \((m, n)>1\), because \(n=pq\), so \((m, n)=p\), \((m, n)=q\), or \((m, n)=n\). If \((m, n)=n\), then(4.40) holds. Might as well let \((m, n)=p\), then \(m=pt\), where \(1\le t <q\). By Euler theorem, because \((m, q)=1\), so
For \(\forall ~k \ge 1\), there is
We write
Both sides are multiplied by m,
The above formula contains
We have completed the proof of lemma.
With the above preparations, the workflow of RSA password can be divided into the following three steps:
-
(1)
Suppose A is a user of RSA, and A randomly generates two huge prime numbers \(p=p(A)\), \(q=q(A)\), \(n=n(A)\), where \(n=pq, \varphi (n)=(p-1)(q-1)\). Then randomly generate positive integers \(e=e(A)\), satisfies \(1< e < \varphi (n), (e, \varphi (n))=1\), calculated \(d\equiv e^{-1} ({{\,\mathrm{mod}\,}}\varphi (n))\), and \(1<d < \varphi (n)\). User A destroys two prime numbers p and q, and only keeps three numbers n, e, d, after publishing \(P_{e}=(n,e)\) as public key, he has private key \(P_{d}=(n,d)\) and keeps it strictly confidential.
-
(2)
User B of another RSA sends encrypted information to user A using the known public key (n, e) of user A. B selects \(P=\mathbb {Z}_{n}\) as the plaintext space and encrypts each \(m \in \mathbb {Z}_{n}\). The encryption algorithm \(c=f(m)\) is defined as
$$\begin{aligned} c=f(m) \equiv m ^{e}({{\,\mathrm{mod}\,}}n) ,~ 1 \le c \le n. \end{aligned}$$(4.41)where c is cryptosystemtext.
-
(3)
After receiving the cryptosystemtext c sent by user B, user A decrypts it with its own private key (n, d). Decryption algorithm \(f^{-1}\) is defined as:
$$\begin{aligned} m=f^{-1}(c)\equiv c ^{d}({{\,\mathrm{mod}\,}}n) ,~ 1 \le m \le n. \end{aligned}$$(4.42)User A gets the plaintext m sent by user B. so far, RSA cryptosystem completes encryption and decryption.
The correctness and uniqueness of RSA password are guaranteed by the following Lemma.
Lemma 4.6
The encryption algorithm f defined by equation (4.41) is a 1–1 correspondence of \(\mathbb {Z}_{n}\longrightarrow \mathbb {Z}_{n}\), and \(f^{-1}\) defined by equation (4.42) is the inverse mapping of f.
Proof
By Lemma 4.5, for all \(m \in \mathbb {Z}_{n}\), k is a positive integer, then there is
Because of \(ed\equiv 1 ({{\,\mathrm{mod}\,}}\varphi (n))\), we can write
By (4.41), then there is
That is to say, for all \(m \in \mathbb {Z}_{n}\),
In the same way, we have
In other words,
By Lemma 1.1 of Chap. 1, f is a 1–1 correspondence of \(\mathbb {Z}_{n}\longrightarrow \mathbb {Z}_{n}\), and \(f f^{-1}=1, f^{-1}f=1\). Th Lemma holds.
Another very important application of RSA is for digital signature. From the workflow of RSA password, it can be seen that the encryption algorithm defined in formula (4.41) is based on the public key \((n_{A}, e_{A})\) of user A, and we denote f as \(f_{A}\) and the decryption algorithm defined in formula (4.42) as \(f_{A}^{-1}\). The workflow of RSA digital signature is: User A sends his digital signature to user B, that is, A sends an encrypted message to B. Let \(P_{e}(A)=(n_{A}, e_{A})\) be the public key of A and \(P_{d}(A)=(n_{A}, d_{A})\) the private key of A. Similarly, \(P_{e}(B)=(n_{B}, e_{B})\) is the public key of B and \(P_{d}(B)=(n_{B}, d_{B})\) is the private key of B. Then the digital signature sent by user A to user B is
where \(m \in \mathbb {Z}_{n_{A}}\) is the digital signature published by user A. After receiving the above digital signature of user A, user B adopts the following two different digital verification according to the two cases of \(n_{A}< n_{B}\) and \(n_{A}> n_{B}\), formula (4.43) is the real signature of user A.
-
(i)
If \(n_{A}< n_{B}\), user B first decrypts with his private key \(f_{B}^{-1}=(n_{B}, d_{B})\) and then decrypts with user A’s public key \(f_{A}=(n_{A}, e_{A})\), the verification is as follows
$$\begin{aligned} f_{A}f_{B}^{-1}(f_{B} f_{A}^{-1}(m))=f_{A} f_{A}^{-1}(m)=m. \end{aligned}$$ -
(ii)
If \(n_{A}> n_{B}\), user B uses user A’s public key \(f_{A}=(n_{A}, e_{A})\) first, then decrypt and verify with your own private key \(f_{B}^{-1}=(n_{B}, d_{B})\)
$$\begin{aligned} f_{B}^{-1} f_{A}(f_{A}^{-1}f_{B} (m))= f_{B}^{-1}f_{B}(m)=m. \end{aligned}$$
The security of RSA is the difficulty of large prime factorization based on n. When all users select the large prime numbers p and q, let \(n=pq\), then destroy p and q, only (n, e) and its own secret (n, d) key information are retained, even if (n, e) is published to the public, outsiders only know n and do not know \(\varphi (n)\), so they cannot obtain the information of private key (n, d). Because the calculation of \(\varphi (n)\) must rely on the prime factorization of n, from the product formula of Euler, it is not difficult to see
Because we have very little knowledge of prime numbers, we have not found a general term formula to give an infinite number of prime numbers, so it is undoubtedly a difficult problem to judge whether a huge integer n is prime, not to mention the prime factorization of n.
4.7.3 Discrete Logarithm
Let G be a finite group and \(b,y \in G\) be two group elements of G, let t be the minimum positive integer satisfying \(b^{t}=1\), t is called the order of b, denote as \(t=o(b)\). If there is one x, \(1 \le x \le o(b)\) such that \(y=b^{x}\), x is called the discrete logarithm of y under base b. Known \(b \in G\), \(0\le x \le o(b)\), it’s easy to calculate \(y=b^{x}\). Conversely, for any group element y, it is very difficult to find the discrete logarithm of y under base b. Therefore, using discrete logarithm to encrypt has become the most mainstream encryption algorithm in public key cryptosystem, including the famous ElGamal cryptosystem and elliptic curve cryptosystem. ElGamal cryptosystem uses the discrete logarithm on the multiplication group formed by all \(\mathbb {F}_{q}^{*}\) of nonzero elements in finite field \(\mathbb {F}_{q}\). Elliptic curve cryptography uses the discrete logarithm algorithm of Mordell group on elliptic curve. Here we mainly discuss ElGamal cryptography, and elliptic curve cryptography is discussed in Chap. 6. We first prove several basic conclusions in finite field.
Lemma 4.7
Let \(\mathbb {F}_{q}\) be a finite field of q elements and \(q=p^{n}\) be the power of prime p. \(\mathbb {F}_{q}^{*}=\mathbb {F}_{q}\backslash \{0\}\) is all the nonzero elements in \(\mathbb {F}_{q}\), then \(\mathbb {F}_{q}^{*}\) is a cyclic group of order \((q-1)\) under multiplication, and the generating element g of \(\mathbb {F}_{q}^{*}\) is called the generator of finite field \(\mathbb {F}_{q}\).
Proof
According to Lagrange theorem, the number of zeros of polynomials in any field is not greater than the degree of polynomials. The finite field \(\mathbb {F}_{q}^{*}\) is a finite group of order \((q-1)\) under multiplication. To prove that \(\mathbb {F}_{q}^{*}\) is a cyclic group, it is only proved that for any factor d of \(q-1\), \(d|q-1\), the number of solutions of equation \(x^{d}=1\) in \(\mathbb {F}_{q}^{*}\) is not greater than d. This point can be deduced from Lagrange’s theorem, because the number of zeros of polynomial \(x^{d}-1\) in the whole field \(\mathbb {F}_{q}\) is not greater than d, so the number of zeros in \(\mathbb {F}_{q}^{*}\) is not greater than d. So \(\mathbb {F}_{q}^{*}\) is a finite cyclic group. The Lemma holds.
Lemma 4.8
Let \(\mathbb {F}_{q}\) be a q-element finite field, \(q=p^{n}\), \(\mathbb {F}_{p} \subset \mathbb {F}_{q}\) is a subfield, \(\mathbb {F}_{p}^{*} < \mathbb {F}_{q}^{*}\) is a subgroup of \(\mathbb {F}_{q}^{*}\), if g is the generator of \(\mathbb {F}_{q}^{*}\), then \(g'=g^{\frac{q-1}{p-1}}\) is the generator of \(\mathbb {F}_{p}^{*}\).
Proof
g is the generator of \(\mathbb {F}_{q}^{*}\), then \(o(g)=q-1\). Let \(g'=g^{\frac{q-1}{p-1}}\), then
Thus \((g')^{p-1}=1\), that is \((g')^{p}=g'\), so \(g'\in \mathbb {F}_{p}\). Because \(\mathbb {F}_{p}^{*}\) is a cyclic group of order \(p-1\), and \(o(g')=p-1\), so \(\mathbb {F}_{p}^{*}=<g'>\), \(g'\) is the generator of \(\mathbb {F}_{p}^{*}\). The Lemma holds.
Lemma 4.9
Let \(\mathbb {F}_{q}\) be a q-element finite field, \(q=p^{n}\), for any d|n, let
and
Then we have
Proof
We know
Let \(p(x) \in A_{d}\), that is \( p(x) \in \mathbb {F}_{p}[x], \deg p(x)=d\), p(x) is an irreducible monic polynomial. Let \(\alpha \) be a root of p(x), then add a finite extension field of \(\alpha \) on \(\mathbb {F}_{p}\) and \(\mathbb {F}_{p}(\alpha )\) is a d-th finite extension on \(\mathbb {F}_{p}\). If d|n, then
so there is \(\alpha \in \mathbb {F}_{q}\). Because the zeros of p(x) are all in \(\mathbb {F}_{q}\), so there is \(p(x)|x^{q}-x\). Any p(x) in \(A_{d}\) has \(p(x)|x^{q}-x\), so
Conversely, p(x) is the first irreducible polynomial, and \(\deg p(x)=d\). If \(p(x)|x^{q}-x\), then the zeros of p(x) are all in \(\mathbb {F}_{q}\). Let \(\alpha \) be a zero point of p(x), then there is \(\mathbb {F}_{p}(\alpha )\subset \mathbb {F}_{q}\), that is \(\mathbb {F}_{p^{d}}\subset \mathbb {F}_{q}=\mathbb {F}_{p^{n}}\), so d|n. Finally,
The Lemma holds.
Lemma 4.10
\(N_{p}(d)\) represents the number of the first irreducible polynomial with degree d in \(\mathbb {F}_{p}[x]\), then
where \(\mu \) is Möbius function.
Proof
Comparing the degree of polynomials on both sides, there is
By the Möbius inverse formula,
so there is (4.45), the Lemma holds.
Corollary 4.4
If d is a prime number, the degree in \(\mathbb {F}_{p}[x]\) is d and the number of the first irreducible polynomial is \(\frac{1}{d}(p^{d}-p)\), that is
Proof
By (4.45),
The Corollary holds.
Based on the above basic conclusions about finite fields, we introduce two methods for solving discrete logarithms. The first is the Silver–Pohlig–Hellman smoothing method, and the second is the so-called exponential integration method.
Silver–Pohlig–Hellman
Let \(\mathbb {F}_{q}\) be a q-element finite field, b is the generator, that is \(\mathbb {F}_{q}^{*}=<b>\),
where \(p_{i}\) is a different prime number. p for each prime factor of \(q-1\), \(p|q-1\), if p is relatively “small", the positive integer \(q-1\) is called a smooth positive integer. Under the condition that \(q-1\) is smooth, for each prime factor p, calculate all p-th unit roots \(r_{p,j}\) in \(\mathbb {F}_{q}^{*}\), where
Denote \(R(p)=\{r_{p,j}|1\le j \le p\}\) is the root of p p subunits in \(\mathbb {F}_{q}^{*}\), then in \(\mathbb {F}_{q}^{*}\), we get a unit root table R.
Now let’s look at the calculation method of discrete logarithm in \(\mathbb {F}_{q}^{*}\). Let \(y \in \mathbb {F}_{q}^{*}\), the discrete logarithm of y under base b is m, that is \(y =b^{m}\). When y and b are given, the value of m is desired \((1 \le m \le q-1)\), by the prime factor decomposition of \(q-1\) of formula (4.46), if for each \(p_{i}^{\alpha _{i}}(1 \le i \le s)\), the minimum nonnegative residue of m under \({{\,\mathrm{mod}\,}}p_{i}^{\alpha _{i}}\) is \(m_{i}=m {{\,\mathrm{mod}\,}}p_{i}^{\alpha _{i}} \), according to the Chinese remainder theorem, there is a unique \(m {{\,\mathrm{mod}\,}}q-1\) such that
Therefore, the discrete logarithm m of y is determined. Now the question is: let \(p^{\alpha }|| q-1\), we determine \(m {{\,\mathrm{mod}\,}}p^{\alpha }\). Let
A is the minimum nonnegative residue of m \({{\,\mathrm{mod}\,}}p^{\alpha }\), let’s determine each \(m_{i}\). First, we calculate \(m_{0}\). Because \(y=b^{m}\), so
That is, \(y^{\frac{q-1}{p}}\) is a unit root in \(\mathbb {F}_{q}^{*}\), compare the unit root table R in \(\mathbb {F}_{q}^{*}\), then we have \(m_{0}=j, 1\le j \le p\), which determines \(m_{0}\). Next, calculate \(m_{1}\), let \(y_{1}=\frac{y}{b^{m_{0}}}=b^{m-m_{0}}\), therefore, the discrete logarithm of \(y_{1}\) is \(m-m_{0}\), and
so
in other words, \(y_{1}^{\frac{q-1}{p^{2}}}\) is a p subunit root of \(\mathbb {F}_{q}^{*}\), comparing the unit root table R, we can determine \(m_{1}\). Continuing with this method, we can calculate \(m_{2}, \ldots , m_{\alpha -1}\) in turn, so \(m {{\,\mathrm{mod}\,}}p^{\alpha }\) is calculated, then by the Chinese remainder theorem, the discrete logarithm m of y under b is calculated.
Exponential integral method
Let \(\mathbb {F}_{q}\) be the finite field of q element, \(q=p^{n}\), p be a relatively small prime number, and n be a large positive integer, so that the security of q can meet certain requirements. Let \(\mathbb {F}_{p}\) be the finite field of p element, we can think of \(\mathbb {F}_{q}\) as an n-th extension field of \(\mathbb {F}_{p}\), according to the finite extension theory of the field, \(\mathbb {F}_{q}\) equivalent to (isomorphism) a quotient ring of polynomial ring \(\mathbb {F}_{p}[T]\) over \(\mathbb {F}_{p}\). Let \(f(T) \in \mathbb {F}_{p}[T]\) be the first irreducible polynomial of n degree, then
Therefore, any element a in \(\mathbb {F}_{q}\) is equivalent to a polynomial a(T) on \(\mathbb {F}_{p}\), where \(\deg a(T) \le n-1.\) Let \(b \in \mathbb {F}_{q}\) be the generator of \(\mathbb {F}_{q}\), \(b=b(T)\), if \(a_{0} \in \mathbb {F}_{p}\) is a constant polynomial, \(a_{0}\) is called a constant in \(\mathbb {F}_{q}\).
By Lemma 4.8, the discrete logarithm of the constant in \(\mathbb {F}_{q}\) can be easily determined. Let \(b' \in \mathbb {F}_{p}\) be the generator of \(\mathbb {F}_{p}^{*}\), if \(m'\) is the discrete logarithm of constant \(a_{0} \in \mathbb {F}_{p}\) to base \(b'\), then by Lemma 4.8, \(m=m'\frac{q-1}{p-1}\) is the discrete logarithm of \(a_{0} \in \mathbb {F}_{q}\) under base b. Take \(m'(a_{0})\) as the discrete logarithm of \(a_{0}\) under base \(b'\), since p is small, we can easily calculate and list the discrete logarithms of all constants in \(\mathbb {F}_{q}\):
Next, we determine the discrete logarithm of a nonconstant polynomial under base b(T). Let \(1<m<n\), define
The number of irreducible polynomials in \(L_{m}\) is written as \(h_{m}\), that is \(|L_{m}|=h_{m}\). We first calculate the discrete exponent of irreducible polynomials in \(L_{m}\).
Let \(b=b(T)\) be the generator of \(\mathbb {F}_{q}^{*}\), \(b(T) \in \mathbb {F}_{p}[T]\), \(\deg b(T) \le n-1\), obviously, when t runs through all positive integers from 1 to \(q-1\), \(b^{t}(T)\) runs through all nonzero polynomials in Eq. (4.49). Appropriate choice t, let
Such that
denote the discrete logarithm of a(T) under b(T) with \(\text {ind} (a(T))\), which can be obtained from the above formula,
Because of \(\text {ind} (c(T))=t\), thus,
By (4.50), \(\text {ind} (c_{0})\) is known, therefore, the above formula is a linear equation with \(h_{m}\) variables \(\text {ind} (p(T))\). By continuously selecting the appropriate t, we can obtain \(h_{m}\) independent linear equations, that is, the \(h_{m} \times h_{m}\)-order matrix formed by the coefficients of \(h_{m}\) variables and \(h_{m}\) linear equations is reversible under \({{\,\mathrm{mod}\,}}q-1\), by Lemma 4.2, as long as its determinant and \(q-1\) are coprime. From the knowledge of linear algebra, we can calculate all \(\text {ind} (p(T))\) by solving the above linear equations, the following exponential integral table \(B_{m}\) is obtained,
With exponential integral table \(B_{m}\), the discrete logarithm of any element \(a(T) \in \mathbb {F}_{q}^{*}\) can be easily calculated. Let \(a_{1}(T)=a(T)b(T)^{t}\), select the appropriate t such that
Once the decomposition is established, there are
Thus
The discrete logarithm of a(T) is obtained.
Remark 4.1
The key to the above calculation is to select an appropriate m to obtain the exponential integral table \(B_{m}\). This m cannot be too large, because \(h_{m}\) increases exponentially with m, for example, if m is a prime number, then by Corollary 4.4,
When \(h_{m}\) is too large and calculating the exponential integral table \(B_{m}\), a matrix of order \(h_{m} \times h_{m}\) will be solved, and its computational complexity is exponential. Obviously, m cannot be too small, the selection of m depends on p and n, when \(p=2, n=127\), m’s best choice is \(m=17\). Select finite field \(\mathbb {F}_{q}\), \(q=2^{127}\), because \(q-1=2^{127}-1\) is a Mersenne prime. This is a popular option at present.
ElGamal cryptosystem
Using the computational complexity of discrete logarithm to design asymmetric cryptosystem is the basic idea of ElGamal cryptosystem. Each user randomly selects a finite field \(\mathbb {F}_{q}\), \(q=p^{n}\), p is a sufficiently large prime number, and then calculates the generator g of \(\mathbb {F}_{q}^{*}\), select the positive integer x randomly, \(1<x<q-1,\) and calculate \(y=g^{x}\), to get the public key \(P_{e}=(y, g, q)\), own private key \(P_{d}=(x, g, q)\).
Encryption algorithm: To send an encrypted message to user A, user B first corresponds each plaintext unit of plaintext space P to an element in \(\mathbb {F}_{q}^{*}\), and then encrypts each plaintext unit. Let \(m \in \mathbb {F}_{q}^{*}\) be a plaintext unit, and user B randomly selects an integer k, \(1< k< q-1\), then, the public key (y, g, q) of user A is used to encrypt m, and the encryption algorithm f is
Get cryptosystemtext \((c,c')\).
Decryption algorithm: After receiving the cryptosystemtext \((c,c')\) sent by user B, user A decrypts \((c,c')\) with its own private key (x, g, q), decryption algorithm \(f^{-1}\) is
Lemma 4.11
The encryption algorithm f defined by Eq. (4.54) is a 1–1 correspondence of \(\mathbb {F}_{q}^{*}\longrightarrow \mathbb {F}_{q}^{*}\), the inverse mapping \(f^{-1}\) of f is given by equation (4.55).
Proof
By (4.54), \(c=g^{k}, c'=my^{k},\) then
That is to say \(f^{-1}(f(m))=m\), conversely,
that is \(f(f^{-1}(c'))=c'\), therefore, f is the 1–1 correspondence of \(\mathbb {F}_{q}^{*}\longrightarrow \mathbb {F}_{q}^{*}\) and the inverse mapping of f is \(f^{-1}\). The Lemma holds.
Finally, we discuss the computational complexity over finite fields.
Lemma 4.12
\(\mathbb {F}_{q}\) is a finite field, \(q=p^{n}\), \(\alpha , \beta \in \mathbb {F}_{q}^{*}, k \ge 1\) is a positive integer, then
Proof
Let \(f(x)\in \mathbb {F}_{p}[x]\), \(\deg f(x)=n\), f(x) is a monic irreducible polynomial, then
Let \(\alpha , \beta \in \mathbb {F}_{q}^{*}\), then
The multiplication of two polynomials requires \(n^{2}\) times of \({{\,\mathrm{mod}\,}}p\) operation, and the bit operation times of each \({{\,\mathrm{mod}\,}}p\) operation is \(O(\log ^{2}p)\), so \(\alpha \cdot \beta \) needs \(O(n^{2}\log ^{2}p)=O(\log ^{2}q)\)- bit operation to get a polynomial on \(\mathbb {F}_{p}[x]\). The resulting polynomial is divided by f(x) to obtain a polynomial of degree \(\le n-1\), that is, the final result of \(\alpha \cdot \beta \), the number of bit operations required for this operation is \(O(n\log ^{3}p)\). Therefore,
the same can be estimated \(\text {Time}(\frac{\alpha }{\beta })\) and \(\text {Time}(\alpha ^{k})\). The Lemma holds.
4.7.4 Knapsack Problem
Given a pile of items with different weights, can you put all or several of these items into a backpack to make it equal to a given weight? This is a knapsack problem arising from real life. Abstract into mathematical problems: Suppose \(A=\{a_{0},a_{1}, \ldots , a_{n-1}\}\) are n sets of positive integers, N is a positive integer. Is N the sum of the elements of a subset in A? Using binary system, the knapsack problem in mathematics can be expressed as follows:
Knapsack problem: When N and \(A=\{a_{0},a_{1}, \ldots , a_{n-1}\}\) given, where each \(a_{i} \ge 1\) is a positive integer, whether there is a binary integer \(e=(e_{n-1}e_{n-2} \cdots e_{1}e_{0})_{2}\) makes the following formula true,
If e exists, it is called knapsack problem (A, N) solvable, denote as \(\psi (A, N)=e\). If \(N=0\), then \(\psi (A, 0)=0\) (each \(e_{i}=0\)) is called a trivial solution. Therefore, \(N\ge 1\) is assumed to be a positive integer.
The above knapsack problem may have solutions, no solutions or multiple solutions. It is very difficult to solve the general knapsack problem (A, N), which belongs to the “NP complete” problem. If the conjecture of \(``P \ne NP\)” holds, there is no general algorithm, and its computational complexity is polynomial of n and \(\log N\). However, under some special conditions, such as the so-called super-increasing sequence, the solution of the problem will be very easy. Next, we introduce the polynomial solution method on the premise of super-increasing sequence.
Definition 4.11
A positive integer sequence \(\{a_{i}\}_{i \ge 0}\) is called a super-increasing sequence, if each \(a_{i}(i \ge 1)\) is greater than the sum of the previous i positive integers, that is
The knapsack problem of super-increasing sequence is actually to find a monotonically decreasing index sequence \(\{i_{k}\}_{k \ge 0}\), where \(i_{k}>i_{k+1},~ 0\le i_{k} \le n-1, ~\forall ~ k \ge 0.\) First, \(i_{0}\) is defined as
Then consider \(N-a_{i_{0}}=0,\) then the algorithm is completed, that \(N=a_{i_{0}}.\) If \(N-a_{i_{0}}>0\), then define
For any \(k \ge 1\), define
If the equal sign in Eq. (4.58) holds, that is \(a_{i_{k}}=N-a_{i_{0}}-\cdots -a_{i_{k-1}}\), then the algorithm completes and obtains the solution \(N=a_{i_{0}}+a_{i_{1}}\cdots +a_{i_{k}}\) of (A, N). If \(i_{k}\) does not exist, that is
call the algorithm terminated. Obvious indicators \(i_{0}> i_{1}>\cdots> i_{k}>\cdots \). Let I be a set of some indicators, and denote the above algorithm as \(\psi \).
Lemma 4.13
Let \(A=\{a_{0},a_{1}, \ldots , a_{n-1}\}\) be a given set of positive integers, \(a_{i}(i \ge 0)\) is a super-increasing sequence, N is a positive integer. If there is a \(k \ge 0\) that makes \(\psi \) complete at k, that is \(a_{i_{k}}=N-a_{i_{0}}-\cdots -a_{i_{k-1}}\), then the knapsack problem (A, N) has a solution and the solution is
where
If there is a \(k \ge 0\), \(\psi \) that terminates at k, i.e.,
Then the knapsack problem (A, N) has no solution.
Proof
If \(\psi \) is completed at \(k \ge 0\), then
Let \(e_{i}=1\), when \(i \in I; e_{i}=0\), when\(i \not \in I\), obviously,
So \(\psi (A, N)=e=(e_{n-1}e_{n-2} \cdots e_{1}e_{0})_{2}\), if \(k \ge 0\) exists so that \(\psi \) terminates at k, that is
Then the knapsack problem (A, N) has no solution. We can prove this conclusion by means of counter-evidence. If (A, N) has a solution, you might as well make
Adjust the order, we can let \(j_{0}>j_{1}>\cdots >j_{t}.\) By the definition of \(i_{0}\), and \(a_{j_{0}} \le N\), know \(j_{0} \le i_{0}\), thus
contradict with \(N=a_{j_{0}}+a_{j_{1}}+\cdots +a_{j_{t}}\), so (A, N) has no solution. The Lemma holds.
MH knapsack public key encryption system
Merkle and Hellman first proposed an encryption method using knapsack problem in 1978, it is the first public key encryption password. Let \(A=\{a_{0},a_{1}, \ldots , a_{n-1}\}\) be a sequence of super-increasing positive integers, take p, b as two prime numbers and satisfy
Calculate \(t_{i} \equiv ba_{i}({{\,\mathrm{mod}\,}}p),~0 \le i \le n-1\), then the public key is \(t=(t_{0},t_{1}, \ldots , t_{n-1})\), private key are A and b.
Encryption algorithm: The plaintext space \(P=\mathbb {F}_{2}^{n}\), for each plaintext unit \(m=(m_{0}m_{1}\cdots m_{n-1})\in P\), encryption algorithm
where c is cryptosystemtext.
Decryption algorithm: First, use the private key \(N \equiv b^{-1}c({{\,\mathrm{mod}\,}}p), ~0\le N \le p-1\). Then use the algorithm \(\psi =f^{-1}\) of knapsack problem (A, N) to solve
to get plaintext \(m=(m_{0}m_{1}\cdots m_{n-1})\).
The correctness of MH knapsack public key cryptography is attributed to the following Lemma.
Lemma 4.14
The encryption algorithm f defined by Eq. (4.60) is a 1–1 correspondence of \(\mathbb {F}_{2}^{n}\longrightarrow \mathbb {F}_{p}\), its inverse mapping \(f^{-1}\) is given by equation (4.61).
Proof
If \(m=0\) is the zero vector in \(\mathbb {F}_{2}^{n}\), then \(c=0\), thus \(N=0\). Knapsack problem (A, 0) has a unique trivial solution \(\psi (A, 0)=0 \in \mathbb {F}_{2}^{n}\) is a zero vector. Therefore, the zero vector in \(\mathbb {F}_{2}^{n}\) is a 1–1 correspondence of the zero element in \(\mathbb {F}_{p}\). Let \(m \ne 0\), if
Then
By (4.59) and \(0 \le N < p\), to obtain
So we have
Conversely, if
then
So there is \(N \equiv b^{-1}c({{\,\mathrm{mod}\,}}p),\) that is
It can be seen that f is a 1–1 correspondence of \(\mathbb {F}_{2}^{n}\longrightarrow \mathbb {F}_{p}\) and the inverse mapping is \(f^{-1}= \psi \). The Lemma holds.
It can be seen from the above discussion that if \(A=\{a_{0},a_{1}, \ldots , a_{n-1}\}\) is not a super-increasing sequence, the decryption algorithm \(f^{-1}\) is a difficult problem of “NP complete class", so the encryption and decryption algorithm defined by MH knapsack cryptosystem is the most typical trapdoor single function. Because of this, people believe that MH knapsack public key cryptography is very secure for a long time. However, in 1982, Shamir proved that a class of nonsuper-increasing sequences can be transformed into super-increasing sequences by a simple transformation \(x\longrightarrow ax {{\,\mathrm{mod}\,}}m\), which can be solved by polynomial algorithm. Although this kind of convertible nonsuper-increasing sequence knapsack problem is quite special, it is enough to shake people’s confidence in the security of knapsack problem public key cryptosystem. It is now generally accepted that knapsack public key cryptography is no longer secure.
Shamir transform
Let \(A_{1}=\{\alpha _{0},\alpha _{1}, \ldots , \alpha _{n-1}\}\) is a super-increasing sequence of positive integers. Randomly select four positive integers \(m_{1}, a_{1}, m_{2}, a_{2}\), where
A new positive integer sequence is defined by \(m_{1}\) and \(a_{1}\),
Where \(a_{1}\alpha _{i} {{\,\mathrm{mod}\,}}m_{1}\) represents the minimum nonnegative residue of \(a_{1}\alpha _{i}\) \( {{\,\mathrm{mod}\,}}m_{1}\), that is
By the third sequence of positive integers is defined by \(m_{2}\) and \(a_{2}\),
that is
Because \(\{u_{i}\}\) is not a super-increasing sequence, if \(A_{3}\) is used for encryption, it seems to be a general knapsack problem. Its difficulty will be NP complete, but Shamir transform will prove that its decryption algorithm is polynomial.
Let \(x=(e_{n-1}e_{n-2}\cdots e_{1}e_{0})_{2}\in \mathbb {F}_{2}^{n}\) be clear text and encrypt with \(A_{3}\),
get cryptosystemtext c. If decryption is required after receiving cryptosystemtext c, it is a general knapsack problem, but the problem of using private key \((b_{1}, m_{1}, b_{2}, m_{2})\) will become quite simple, where
First, note the minimum nonnegative residue of \(b_{2}c\) under \({{\,\mathrm{mod}\,}}m_{2}\),
Because by (4.65),
By the assumption \(m_{2}>nm_{1}\) of formula (4.62), and (4.63), there is
So (4.66) holds. Then consider the minimum nonnegative residue \(N=b_{1}N_{0} {{\,\mathrm{mod}\,}}m_{1}(0 \le N <m_{1})\) of \(b_{1}N_{0}\) \({{\,\mathrm{mod}\,}}m_{1}\), by (4.63),
So there is
Since \(A_{1}\) is a super-increasing sequence, the algorithm of polynomial (see Lemma 4.13), we have
To get plaintext x.
Therefore, Shamir uses simple transformation to transform the general knapsack problem into super-incremental knapsack problem. Although \(A_{3}\) is very special, we have reason to doubt that the public key cryptography based on the general knapsack problem solving algorithm is not as secure as people think.
Exercise 4
-
1.
Explain the following terms. (1) One secret at a time, (2) Completely confidential system, (3) Unique solution distance, (4) Improve the certification system.
-
2.
Short answer:
-
(1)
What are the advantages and disadvantages of symmetric cryptosystem and asymmetric cryptosystem?
-
(2)
The goal of perfecting the certification system.
-
(1)
-
3.
It is known that the plaintext is “Friday”, and the cryptosystemtext obtained after encryption with \(m=2\)’s Hill password is “POCFKU”, find the key of Hill password.
-
4.
Find the inverse matrix \(({{\,\mathrm{mod}\,}}N)\) of the following matrix:
$$A= \left[ \begin{array}{cccc} 1 &{} 3 \\ 4 &{} 3 \end{array}\right] {{\,\mathrm{mod}\,}}5,~ A= \left[ \begin{array}{cccc} 1 &{} 3 \\ 4 &{} 3 \end{array}\right] {{\,\mathrm{mod}\,}}29,$$$$A= \left[ \begin{array}{cccc} 15 &{} 17 \\ 4 &{} 9 \end{array}\right] {{\,\mathrm{mod}\,}}26,~ A= \left[ \begin{array}{cccc} 197 &{} 62 \\ 603 &{} 271 \end{array}\right] {{\,\mathrm{mod}\,}}841.$$ -
5.
In number theory, Fibonacci number is defined as \(a_{1}=1,a_{2}=1,a_{3}=2\), when \(n>1\), \(a_{n+1}=a_{n}+a_{n-1}\). Prove
$$ \left[ \begin{array}{cccc} a_{n+1} &{} a_{n} \\ a_{n} &{} a_{n-1} \end{array}\right] = \left[ \begin{array}{cccc} 1 &{} 1 \\ 1 &{} 0 \end{array}\right] ^{n},$$and \(a_{n}\) is even if and only if 3|n. More generally, find the law of \(d|a_{n}\).
-
6.
Suppose \(N=mn\), and \((n,m)=1\). A second-order matrix \(A\in M_{2}(\mathbb {Z}_{N})\) on n\(\mathbb {Z}_{N}\), can consider \(A\in M_{2}(\mathbb {Z}_{m})\) and \(A\in M_{2}(\mathbb {Z}_{n})\), let \(A_{1}\) and \(A_{2}\) represent the elements of A in \(M_{2}(\mathbb {Z}_{m})\) and \(M_{2}(\mathbb {Z}_{n})\), then prove
-
(i)
Mapping \(A{\mathop {\longrightarrow }\limits ^{\sigma }}(A_{1},A_{2})\) is a 1–1 correspondence between \(M_{2}(\mathbb {Z}_{N}){\mathop {\longrightarrow }\limits ^{\sigma }}M_{2}(\mathbb {Z}_{m})\times M_{2}(\mathbb {Z}_{n})\).
-
(ii)
In the corresponding \(\sigma \), A is the invertible matrix \(({{\,\mathrm{mod}\,}}N)\) if and only if \(A_{1}\) is the invertible matrix \(({{\,\mathrm{mod}\,}}m)\) and \(A_{2}\) are the invertible matrix \(({{\,\mathrm{mod}\,}}n)\).
-
(i)
-
7.
Let p be a prime, \(\alpha \ge 1\), then \(A\in M_{2}(\mathbb {Z}_{p^{\alpha }})\) is a reversible square matrix if and only if \(A\in M_{2}(\mathbb {Z}_{p})\) is a reversible square matrix. By calculate, for \(\forall ~ \alpha \ge 1\), find the number of reversible matrices in \(M_{2}(\mathbb {Z}_{p^{\alpha }})\).
-
8.
Let \(\varphi (N)\) be Euler function, \(\varphi _{2} (N)\) is the number of invertible matrices in \(M_{2}(\mathbb {Z}_{N})\), calculation formula for \(\varphi _{2} (N)\): that is, write a formula for \(\varphi _{2} (N)\) similar to \(\varphi (N)\). Known \(\varphi (N)=N\prod _{p|N}(1-\frac{1}{p})\), solve \(\varphi _{2} (N)=?\)
-
9.
Let \(\varphi _{k} (N)\) be the number of k-order reversible matrices in \(M_{k}(\mathbb {Z}_{N})\) and give the calculation formula of \(\varphi _{k} (N)\).
-
10.
According to exercise 8 and exercise 9, find the order of k-dimensional affine transformation group \(G=(A,b)\) on \(\mathbb {Z}_{N}\).
-
11.
RSA is used for encryption, the alphabet of plaintext and cryptosystemtext is \(\{0,1,2,\ldots , 39\}\) 40 numbers, of which \(\{0,1,2,\ldots , 25\}\) 26 numbers are equivalent to English 26 letters. Blank \(=26\), \(\bullet =27\), \(?=28\), \(\$=29\), number \(\{0,1,2,\ldots , 9\}=\{30,31,\ldots , 39\}\). Suppose all public keys \(n_{A}\) satisfy \(40^{2}<n_{A}<40^{3}\). Plaintext unit \(m=m_{1}m_{2}\in \mathbb {Z}_{40}^{2}\), cryptosystemtext unit \(c=c_{1}c_{2}c_{3}\in \mathbb {Z}_{40}^{3}\). For any plaintext unit, \(m=m_{1}m_{2}\) corresponds to a number \(m_{2}40+m_{1}\) of \(\mathbb {Z}_{n_{A}}\), any cryptosystemtext \(c=c_{3}40^{2}+c_{2}40+c_{1}\in \mathbb {Z}_{n_{A}}\).
-
(i)
Encrypting plaintext "\(SEND \$7500\)" with public key \((n_{A},e_{A})=(2047,179)\).
-
(ii)
Factor \(n_{A}=2047\) to find the private key \((n_{A},d_{A})=?\)
-
(iii)
A password attacker can quickly find the private key \(d_{A}\) without factoring 2047, so \(n_{A}=2047\) is a pretty bad choice. Why?
-
(i)
-
12.
The computer attacks the public key \((n_{A},e_{A})=(536813567,3602561)\) and finds the private key \(d_{A}\). It shows that 29-bit \(n_{A}\) is not safe in RSA system.
-
13.
Assuming that the plaintext alphabet is \(\{0,1,\ldots , 26\}\), and the first 26 numbers are 26 letters in English, blank \(=26\). Cryptosystemtext alphabet adds \(``|"=27\) to the plaintext alphabet, a total of 28 numbers. If the plaintext unit is \(m=m_{1}m_{2}m_{3}\in \mathbb {Z}_{27}^{3}\), Cryptosystemtext unit is \(c=c_{1}c_{2}c_{3}\in \mathbb {Z}_{28}^{3}\). Then in the corresponding number of \(Z_{n_{A}}\) (see exercise 11), we need \(n_{A}\) to meet
$$19683=27^{3}<n_{A}<28^{3}=21952,$$-
(i)
If your decryption key is \((n_{A},d_{A})=(21583,20787)\), decrypt cryptosystemtext is “YSNAUOZHXXH" (blank at the end).
-
(ii)
If you know the Euler function \(\varphi (n)=21280\), calculate \(e=d^{-1} {{\,\mathrm{mod}\,}}\varphi (n)\) and factorize n.
-
(i)
-
14.
Prove: In RSA, the 35 bit integer \(n=23360947609\) is a particularly bad choice. (Hint: \(n=p\cdot q\) factorization, the size difference between p and q remains unchanged, and Fermat factorization can be used to attack.)
-
15.
Let n be a square free number, and \(de\equiv 1({{\,\mathrm{mod}\,}}\varphi (n))\). It is proved that there is congruence
$$a^{de}\equiv a({{\,\mathrm{mod}\,}}n)$$for all integers a.
-
16.
The multiplication group \(\mathbb {F}_{181}^{*}\) of finite field \(\mathbb {F}_{181}\) is generated by \(g=2\), the discrete logarithm of 153 pairs of basis 2 is calculated by smoothing factor method.
-
17.
In the knapsack problem, determine whether the following sequence is an over increasing sequence, whether the knapsack problem is solvable for a given N, and how many solutions there are:
-
(i)
\(A=\{2,3,7,20,35,69\}, N=45;\)
-
(ii)
\(A=\{1,2,5,9,20,49\}, N=73;\)
-
(iiii)
\(A=\{1,3,7,12,22,45\}, N=67\);
-
(iv)
\(A=\{2,3,6,11,21,40\}, N=39;\)
-
(v)
\(A=\{4,5,10,30,50,101\}, N=186.\)
-
(i)
-
18.
If \(A=\{a_{i}|i=0,1,2,\cdots \}\) is an over increasing sequence and \(a_{0}=1\), \(a_{i}\) is the smallest positive integer satisfies \(a_{i}\ge \sum _{j=0}^{i-1}a_{j}\), then \(a_{i}=2^{i}\) holds for \(\forall ~ i\ge 1\).
-
19.
Let \(A=\{a_{0},a_{1}, \ldots ,a_{i},\ldots \}\) be a super-increasing sequence, where \(a_{i}=2^{i}(i\ge 1)\), then for any positive integer N, Knapsack problem (A, N) has a unique solution.
-
20.
Let \(A=\{a_{0},a_{1}, \ldots , a_{i}, \ldots \}\) be a super-increasing sequence, if for any positive integer N, knapsack problem (A, N) always has a solution, prove \(a_{i}=2^{i}(i\ge 1)\).
References
Adelman, L. M., Rivest, R. L., & Shamir, A. (1978). A method for obtaining digital signatures and public-key crypto system. Communication of ACM, 21, 120–126.
Adleman, L. M. (1979). A subexponential algorithm for the discrete logarithm problem with application to cryptography. In Proceedings of the 20th Annual Symposium on the Foundations of Computer Science, pp. 55–60.
Blum, M. (2022). Coin-flipping by telephone–A protocol for solving impossible problems (pp. 133–137). Spring-Compcan: IEEE Proceeding.
Coppersmith, D. (1984). Fast evaluation of logarithms in fields of characteristic two. IEEE Transactions in Information Theory, IT-30, 587–594.
Cover, T. M. (2003). Fundamentals of information theory. Tsinghua University Press (in Chinese).
Diffie, W., & Hellman, M. E. (1976). New direction in crytography. IEEE Transactions in Information Theory, IT-22, 644–654.
EIGamal, T. (1985). A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions in Information Theory, IT,314, 469–472.
Fait, A. & Shamir, A. (2022). How to prove yourself: Practical solutions to identifications and signature problems. In A advance in Crypology-CRYPTO’86 (Vol. 263, pp. 186–194). Springer-Verlag, LVCS.
Garey, M. R., & Johnson, D. S. (1979). Computers and intractability: A guide to the theory of NP-completeness. Freeman.
Goldreich, O. (2001). Foundation of cryptography Cambridge University Press.
Gordon, J. A. (1985). Strong prime are easy to find, advance in cryptology. In Proceedings of Euro Crypt84 (pp. 216–223). Springer.
Hellman, M. E., & Merkle, R. C. (1978). Hiding information and signatures in trap door knapascks. IEEE Transactions in Information Theory, IT-24, 525–530
Hellman, M. E. (1979). The mathematics of public-key cryptography. Scientific America, 241, 146–157.
Hill, L. S. (1931). Concerning certain linear transformation apparatus of cryptography. American Math Monthly, 38, 135–154.
Kahn, D. (1967). The codebreakers, the story of secret writing. Macmillan.
Knuth, D. E. (1973). The art of computer programming. Addision-Wesley.
Koblitz, N. (1994). A course in number theory and cryptograph. Springer-Verlag.
Kranakis, E. (1986). Primality and cryptogaphy. John Wiley-Sons.
Massey, J. L. (1983). Logarithms in finite cyclic group-Cryptographic issues. In Proceedings of the 4th Benelux Symposium on Information’s Theory, pp. 17–25.
Odlyzko, A. M. (1985). Discrete logarithms in finite fields and their cryptographic significance. In: Advance in Cryptology, Proceedings of Eurocrypt 84, pp. 224–314. Springer.
Rivest, R. L. (1985). RSA chips(past, present, and future). Advances in Cryptology, Proceedings of Eurocrypt, 84, 159–165.
Ruggiu, G. (1985). Cryptology and complexity theories, advances in cryptology. In Proceedings of Eurocrypt (Vol. 84, pp. 3–9), Springer
Schneier, B. (1996). Applied cryptography, John Wiley 8-sous.
Shamir, A. (1982). A polynomial time algorithm for breaking the basic Markle-Hellman Cryptosystem. In Proceedings of the 23rd Annual Symposium on the Foundations of Computer Science, pp. 145–152.
Shannon, C. E. (1949). Communication theory of secrecy system. The Bell System Technical Journal, 28, 656–715.
Stinson, D. R. (2003). Principles and practice of cryptography, translated by Guodeng Feng. Electronic Industry Press (in Chinese).
Trappe, W., & Washington, L. C. (2008). Cryptography and coding theory, translated by Quanlong Wang et al., people’s Posts and Telecommunications Publishing House (in Chinese).
Wah, P., & Wang, M. Z. (1984). Realization and application of Massey-Omura lock. In Proceedings of the International, Zürich Seminar(1984),175-182.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2022 The Author(s)
About this chapter
Cite this chapter
Zheng, Z. (2022). Cryptosystem and Authentication System. In: Modern Cryptography Volume 1. Financial Mathematics and Fintech. Springer, Singapore. https://doi.org/10.1007/978-981-19-0920-7_4
Download citation
DOI: https://doi.org/10.1007/978-981-19-0920-7_4
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-19-0919-1
Online ISBN: 978-981-19-0920-7
eBook Packages: Economics and FinanceEconomics and Finance (R0)