Products of Small Primes in Cryptology, Coding and Theoretical Computer Science - PowerPoint PPT Presentation

1
Products of Small Primes in Cryptology, Coding
and Theoretical Computer Science
  • David Naccache
  • ENS

2
Gödel Numbering
  • In 1930, Kurt Gödel proved that:
  • In any consistent formalization of mathematics
    that is sufficiently strong to define the concept
    of natural numbers, one can construct a statement
    that can be neither proved nor disproved within
    that system.
  • This is Gödel's famous incompleteness theorem.

3
Gödel's Theorem
  • Very much simplified, the proof of this theorem
    is the following. Encode (assign a positive
    integer to) each propositional calculus symbol:
  • Logical symbols: Encoding (integers < 12), Meaning
  • ¬ 1 not
  • ∀ 2 for all
  • → 3 if, then
  • ∧ 4 and
  • ∨ 5 or
  • ( 6
  • ) 7

4
For Integers > 10
  • Predicate symbols are encoded by multiples of 3
  • Symbol Encoding
  • P 12
  • Q 15
  • R 18
  • Variables are encoded by integers ≡ 1 mod 3
  • Symbol Encoding
  • x 13
  • y 16
  • z 19
  • Propositional symbols are encoded by integers ≡ 2
    mod 3
  • Symbol Encoding
  • E 14
  • F 17
  • G 20

5
Gödel's Numbering
Arithmetical statements are assigned unique Gödel
numbers. This is based on a simple code which
essentially reads prime1^character1 ·
prime2^character2 · … For example the statement
∀x, P(x) becomes 2^2 · 3^16 · 5^12 · 7^6 · 11^16 ·
13^7 = 14259844433335185664666562849653536301757812500
because character(∀) = 2, character(x) = 16,
character(P) = 12, character('(') = 6,
character(x) = 16, character(')') = 7. We say that
14…2500 is the Gödel Number (GN) of ∀x, P(x).
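The numbering of slides 3 to 5, written out as an added Python example (this is not code from the lecture). The code table is the one on slides 3 and 4; the glyphs for "if, then", "and" and "or" did not survive the transcript and are taken here as →, ∧ and ∨. Slide 5's worked example uses the code 16 for x although slide 4 lists x = 13, so the example reproduces the slide by passing its code sequence directly. The names PRIMES, CODES, godel_number and godel_decode are mine.

```python
# Gödel numbering as described on slides 3 to 5: a sequence of symbol codes
# c1, c2, ... becomes the integer 2^c1 * 3^c2 * 5^c3 * ..., and unique
# factorisation lets a reader recover the sequence by dividing the primes
# back out. Added example; the symbol table follows slides 3 and 4, with the
# arrow/and/or glyphs assumed to be →, ∧, ∨ (lost in the transcript).

PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29]  # enough for short statements

CODES = {
    "¬": 1, "∀": 2, "→": 3, "∧": 4, "∨": 5, "(": 6, ")": 7,  # logical symbols
    "P": 12, "Q": 15, "R": 18,   # predicates: multiples of 3
    "x": 13, "y": 16, "z": 19,   # variables: 1 mod 3
    "E": 14, "F": 17, "G": 20,   # propositional symbols: 2 mod 3
}
SYMBOLS = {code: sym for sym, code in CODES.items()}


def symbol_kind(code):
    """Classify a code the way slide 4 does: codes above 10 by their residue mod 3."""
    if code <= 10:
        return "logical"
    return {0: "predicate", 1: "variable", 2: "proposition"}[code % 3]


def godel_number(codes):
    """GN of a code sequence: prime_i ** code_i multiplied together."""
    if len(codes) > len(PRIMES):
        raise ValueError("statement too long for the PRIMES table")
    gn = 1
    for prime, code in zip(PRIMES, codes):
        if code < 1:
            raise ValueError("codes are positive integers")
        gn *= prime ** code
    return gn


def godel_decode(gn):
    """Recover the code sequence from a GN by dividing out 2, then 3, then 5, ..."""
    codes = []
    for prime in PRIMES:
        exponent = 0
        while gn % prime == 0:
            gn //= prime
            exponent += 1
        if exponent == 0:
            break  # the sequence ended at the previous prime
        codes.append(exponent)
    if gn != 1:
        raise ValueError("not a Gödel number over PRIMES (leftover factor %d)" % gn)
    return codes


def encode_statement(symbols):
    """Map a list of symbols to their codes and return the statement's GN."""
    return godel_number([CODES[s] for s in symbols])


def decode_statement(gn):
    """Inverse of encode_statement."""
    return "".join(SYMBOLS[c] for c in godel_decode(gn))


if __name__ == "__main__":
    # Slide 5 encodes ∀x, P(x) with the codes 2, 16, 12, 6, 16, 7 (x as 16).
    gn = godel_number([2, 16, 12, 6, 16, 7])
    print(gn)                    # 47 digits, starting 1425984443... and ending ...2500
    print(godel_decode(gn))      # [2, 16, 12, 6, 16, 7]
    print(decode_statement(encode_statement(["∀", "x", "¬", "R", "(", "x", ")"])))
```

Decoding is pure trial division, which is exactly why the sequence GN of slide 7 (2^a · 3^b · 5^c with a, b, c themselves Gödel numbers) is astronomically large: the scheme is a proof device, not a storage format.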
6
This Lecture Is About
Applications of Gödel's way of encoding
information: prime1^character1 ·
prime2^character2 · …
7
Back to Gödel's Theorem
Sequences of statements are also assigned Gödel
numbers. E.g. if a = GN(∀x, P(x)),
b = GN(∀x, P(x)), c = GN(∀x, Q(x) → P(x)), then the
sequence of statements ∀x, P(x); ∀x, P(x);
∀x, Q(x) → P(x) gets the GN 2^a · 3^b · 5^c, which
we will call d. The proof of the incompleteness
theorem depends on the fact that, in formal
arithmetic, some statement sequences logically
entail (prove) other statements.
8
Gödel's Theorem
For example it might be shown that a, b, and c
together (i.e. d) prove e. Because this is a
demonstrable relationship between numbers it is
entitled to its own symbol, for example R. R(v,x)
would then mean "x proves v". In the case where v
and x are the Gödel numbers e and d we would say
R(e,d). Put more simply, R(e,d) means that the
sequence of statements whose GN is d is the proof
of the statement whose GN is e.
9
Gödel's Punchline
The punchline is that we can write the statement
∀x, ¬R(v,x), which means "no proposition of type v
can be proved". The Gödel number for this
statement would be 2^2 · 3^16 · 5^1 · 7^18 · 11^6 ·
13^12 · 17^16 · 19^7, but we will just call it r.
Now if we consider the statement ∀x, ¬R(r,x) we
will realise that it says "no proposition that
says 'no proposition of type v can be proved' can
be proved". This collapses into the statement
"this proposition cannot be proved", which is
inconsistent, because if it is provable then it
is not provable, and vice versa.
10
More Than Forty Years Pass
Diffie and Hellman invent public-key
cryptography.
[Figure: message → encryption algorithm (public
key) → ciphertext → decryption algorithm (secret
key)]
11
Diffie-Hellman Key Exchange
Diffie and Hellman also proposed a new
revolutionary manner to create a unique pair of
physical objects.
18
Diffie-Hellman Key Exchange
In reality, Diffie and Hellman provided a
mathematical analogy to the protocol that we have
just illustrated. Their solution is based on the
assumption that the following problem (known as
the Discrete Logarithm Problem) is hard: given
g, a, p find x such that g^x ≡ a mod p.
  First party                Second party
  pick random x              pick random y
  compute a = g^x mod p      compute b = g^y mod p
  send a                     send b
  compute k = b^x mod p      compute k = a^y mod p
19
Discrete Log Gödel Encryption
Generate a public large prime integer p, select
a large secret s and publish the public keys
v1, …, vk where vi = ˢ√pi mod p (the s-th root of
pi modulo p, i.e. vi^s ≡ pi mod p) and pi stands
for the ith prime (p1 = 2, p2 = 3, p3 = 5, …). To
encrypt a message m (whose bits we denote
m1, …, mk) the sender computes the ciphertext
c = v1^m1 · … · vk^mk mod p. c is decrypted by
computing d = c^s mod p = p1^m1 · … · pk^mk and
factoring the result over the integers to
determine m.
20
Discrete Log Gödel Encryption
For this to work we need to have that
p1 · … · pk < p. The security of this cryptosystem
is based on the hardness of the discrete logarithm
problem. Generate a public large prime p,
select a large secret s and publish the public
keys v1, …, vk where vi = ˢ√pi mod p and pi
stands for the ith prime (p1 = 2, p2 = 3,
p3 = 5, …). Discrete Logarithm Problem: given g,
a, p find x such that g^x ≡ a mod p.
21
A Toy Example
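The toy example on slide 21 did not survive in this transcript. The following is an added Python implementation of the scheme of slides 19 and 20, not the lecture's own code: the public keys are s-th roots of the first k primes modulo p, encryption multiplies the roots selected by the message bits, and decryption raises to the power s and factors over the small primes. Parameters (k = 8, the prime p just above 2·3·…·19, a fixed s) are chosen so the arithmetic is readable; they provide no security, and the function names are mine.

```python
# Added example: toy "Discrete Log Gödel Encryption" (slides 19 and 20).
# Public key: p and v_i = s-th root of p_i mod p. Ciphertext: product of the
# v_i whose bit is set. Decryption: c^s = p_1^m_1 * ... * p_k^m_k < p, then
# trial-divide by the small primes to read the bits back.
from math import gcd, isqrt
import secrets


def first_primes(k):
    """The first k primes p_1 = 2, p_2 = 3, ... by trial division."""
    primes = []
    n = 2
    while len(primes) < k:
        if all(n % q for q in primes if q * q <= n):
            primes.append(n)
        n += 1
    return primes


def next_prime(n):
    """Smallest prime strictly greater than n (trial division; fine at toy sizes)."""
    n += 1
    while any(n % q == 0 for q in range(2, isqrt(n) + 1)):
        n += 1
    return n


def keygen(k, s=None):
    """Return (public, private): public = (p, [v_1..v_k]), private = (p, s, primes)."""
    primes = first_primes(k)
    product = 1
    for q in primes:
        product *= q
    p = next_prime(product)  # slide 20: p_1 * ... * p_k < p is required
    # s must be invertible modulo p-1 so that every residue has a unique s-th root;
    # a real instance would draw s uniformly at random, here it may be fixed for tests.
    if s is None:
        s = secrets.randbelow(p - 2) + 2
    while gcd(s, p - 1) != 1:
        s += 1
    s_inv = pow(s, -1, p - 1)
    v = [pow(q, s_inv, p) for q in primes]  # v_i^s == p_i (mod p) by Fermat
    return (p, v), (p, s, primes)


def encrypt(public, bits):
    """c = v_1^m_1 * ... * v_k^m_k mod p for a k-bit message."""
    p, v = public
    if len(bits) != len(v):
        raise ValueError("message must have exactly k bits")
    c = 1
    for b, v_i in zip(bits, v):
        if b:
            c = c * v_i % p
    return c


def decrypt(private, c):
    """d = c^s mod p equals the integer p_1^m_1 * ... * p_k^m_k; factor it."""
    p, s, primes = private
    d = pow(c, s, p)
    bits = []
    for q in primes:
        if d % q == 0:
            bits.append(1)
            d //= q
        else:
            bits.append(0)
    if d != 1:
        raise ValueError("ciphertext is not an encryption of a k-bit message")
    return bits


if __name__ == "__main__":
    public, private = keygen(8, s=12345)
    message = [1, 0, 1, 1, 0, 0, 1, 0]
    c = encrypt(public, message)
    print(public[0], c, decrypt(private, c) == message)
```

Two properties are visible directly in the code: encryption is deterministic (the same bits always give the same c), and ciphertexts of messages with disjoint bit sets multiply to the ciphertext of their union, so the scheme as stated on the slides is malleable and would need randomisation before any practical use.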
26
As We Are In an ECC Conference
We must say something about ECs. Can the
previous encryption scheme run on an EC? The
answer is yes, but only in theory. We might use,
instead of small primes, small rational points on
an EC, and publish ˢ√pi (the points whose
s-multiple is pi) as public keys. As we get
the ciphertext and multiply it over the curve by
the inverse of s, how do we see which rational
points are in there?! Use height and projective
coordinates!
27
As We Are In an ECC Conference
Get the ciphertext, multiply by the inverse of s
and attempt to subtract each rational point from
the result. Height decreases → good guess. Height
increases → bad guess.
28
Problem
We do not know ECs with enough independent small
rational points on them. The world record is 28,
meaning that we could encode 28 message bits
in a 10000-bit ciphertext (plaintext too small to
be secure). This can be improved slightly by
using signed rational points (bandwidth improves
to 28 · log2 3). We can also shoot for low-density
message encoding, which allows stuffing more bits
into the ciphertext using only 28 points, but at
the price of ciphertext size explosion. Any more
elegant ideas to make this fly?
29
Gödel Error-Correction
Gödel's encoding can also be used for error
correction, in a very inefficient but yet rather
curious way. Before we proceed, a few reminders
about error correcting codes.
30
Ideal Communication
[Figure: a message sent and received unchanged in
an ideal noiseless world]
34
Real Communication
[Figure: the same message crossing a noisy channel
and arriving corrupted ("?!!"): reality]
42
Error Correcting Codes
[Figure: message → encoding algorithm → noisy
channel → decoding algorithm → message]
50
Error Correcting Codes
A bit of terminology. The number of errors
correctable by a code is called the code's
correction capacity (denoted t). The ratio
between the length of the encoded message and the
original message (in our example 7/5 = 1.4) is
called the code's expansion rate (denoted r).
51
Gödel Error Correction
Generate a large prime p; here again pi stands
for the ith prime (p1 = 2, p2 = 3, p3 = 5, …). To
encode a message m (whose bits we denote m1, …, mk)
the sender computes c = p1^m1 · … · pk^mk mod p.
While the couple {c, m} is sent over the noisy
channel, we start by assuming that errors
occurred only in m. Upon reception of {c, m'} the
receiver can compute c' = p1^m'1 · … · pk^m'k mod
p and divide out all the common (unflipped) bits
of m and m'. Let d = c/c' mod p.
53
Gödel Error Correction
We now use the extended Euclidean algorithm to
write d as a modular ratio of two integers A, B
of size ≈ √p. Let d = A/B mod p. Now, if there
haven't been too many errors, A and B factor over
the integers into products of small primes. The
primes present in A encode the bits set to 1 in m
and reset to 0 in m'. The primes present in B
encode the bits equal to 0 in m that flipped into
1 in m'.
54
Parameter Sizes
To correct t errors in a k-bit message the size
of p should be 2·pk^(2t) < p < 4·pk^(2t). We
simply bound the worst case where all errors
affect the end of the message. Now using the fact
that pk ≈ k log k we get that
log2 p ≈ 2t log(k log k) / log 2, which gives a
simple relation allowing us to instantiate the
code given a desired t and k.
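The decoding procedure of slides 51 to 54, as an added Python example (not the lecture's code): the receiver recomputes c' from the received bits, forms d = c/c', recovers A/B by rational reconstruction with the extended Euclidean algorithm, and reads the flipped positions off the prime factors of A and B. It assumes p = 2^61 − 1 (a known Mersenne prime, comfortably above slide 54's lower bound 2·pk^(2t) for the sizes used here), 16-bit messages, and, as slide 55 notes, that only m is corrupted while c arrives intact. Function names are mine.

```python
# Added example: Gödel error correction (slides 51 to 54) on 16-bit messages.
# p = 2^61 - 1 is a known prime used here for convenience; slide 54 says any
# prime with 2 * p_k^(2t) < p suffices to correct t errors in k bits.
from math import isqrt

PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53]  # p_1 .. p_16
P = 2 ** 61 - 1


def min_modulus(k, t):
    """Lower end of slide 54's range 2 * p_k^(2t) < p < 4 * p_k^(2t)."""
    return 2 * PRIMES[k - 1] ** (2 * t)


def correction_capacity(p, k):
    """Largest t for which p satisfies slide 54's lower bound for k-bit messages."""
    t = 0
    while min_modulus(k, t + 1) < p:
        t += 1
    return t


def godel_check(bits, p=P):
    """c = p_1^m_1 * ... * p_k^m_k mod p (each exponent is 0 or 1)."""
    c = 1
    for b, q in zip(bits, PRIMES):
        if b:
            c = c * q % p
    return c


def rational_reconstruction(d, p):
    """Extended Euclid on (p, d): the first remainder r <= sqrt(p/2) and its
    coefficient t satisfy r ≡ t*d (mod p); when a coprime pair (A, B) with
    A, B <= sqrt(p/2) and A ≡ B*d exists, (r, t) is that pair."""
    bound = isqrt(p // 2)
    r0, r1, t0, t1 = p, d, 0, 1  # invariant: r_i ≡ t_i * d (mod p)
    while r1 > bound:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if t1 <= 0 or t1 > bound:
        raise ValueError("no small ratio A/B: more errors than the code can correct")
    return r1, t1


def smooth_factors(n):
    """Set of PRIMES dividing n; n must be a product of distinct PRIMES."""
    found = set()
    for q in PRIMES:
        if n % q == 0:
            n //= q
            found.add(q)
    if n != 1:
        raise ValueError("A or B is not a product of the code's primes: too many errors")
    return found


def correct(received, c, p=P):
    """Repair the received bits m' using the intact check value c = godel_check(m)."""
    c_prime = godel_check(received, p)
    d = c * pow(c_prime, -1, p) % p  # d = c / c' = A / B mod p
    A, B = rational_reconstruction(d, p)
    ones_lost = smooth_factors(A)   # bits that were 1 in m and arrived as 0
    zeros_lost = smooth_factors(B)  # bits that were 0 in m and arrived as 1
    return [1 if q in ones_lost else 0 if q in zeros_lost else b
            for b, q in zip(received, PRIMES)]


if __name__ == "__main__":
    m = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
    c = godel_check(m)
    received = list(m)
    received[3], received[5], received[10] = 0, 1, 0  # three flips: A = 7*31, B = 13
    print("capacity t =", correction_capacity(P, 16))
    print(correct(received, c) == m)
```

The check value c costs 61 bits here for a 16-bit message, which is the "very inefficient" expansion the lecture warns about; slide 54's bound is what a sender would use to size p for a given t and k rather than a fixed constant as in this toy.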
55
Remember
While the couple {c, m} is sent over the noisy
channel, we start by assuming that errors
occurred only in m. What if c gets corrupted, or
if both c and m get corrupted?
56
Protecting c
The solution consists in repeating the procedure
recursively by sending not only c (which we will
now denote c(m), given that it is a function of m)
but m, c(m), c(c(m)), … c(c(c(c(m)))). As
after each application of c a smaller prime p
will be used, the size of the successive nested
c's decreases. Assuming that no errors occurred
in the last c(c(c(c(m)))), the decoding
procedure runs backwards until the errors in m are
corrected. It remains to correct
u = c(c(c(c(m)))) against errors. But since u is
small it suffices to replicate it 2t+1 times and
use a majority vote to spot the errors in u.
57
Variants
  • In the paper (available online) we propose a
    more efficient variant (better expansion rate),
    but one where, with negligible probability, the
    receiver might not be able to correct errors.
  • Instead of nesting c's one can transmit {m, RM(c)}
    where RM stands for a classic Reed-Muller code
    (for instance).
  • The receiver then corrects the errors in RM(c),
    recovers c and proceeds as we previously
    described.
  • For some t, k values sending {m, RM(c)} happens
    to be more economical than sending RM(m).

58
{m, RM(c)} versus RM(m)
For some t, k values sending {m, RM(c)}
happens to be more economical than sending RM(m).
E.g. to protect a 5812-bit message against 31
errors, Reed-Muller will transmit 8192 bits.
Sending {m, RM(c)} costs only 7860 bits.
59
{m, RM(c)} versus RM(m)
In general, sending {m, RM(c)} will be more
economical for long messages over not too noisy
channels. RM(m) will perform better than
{m, RM(c)} as noise increases or message size
decreases. The comparison to Reed-Muller is just
illustrative (other error-correcting codes can
be benchmarked here as well).
60
Comparing Permuted Objects
Products of small primes were also exploited in
the literature to determine, in a very
constrained space, whether a list of integers L1
contains exactly the same elements as a list
L2. The comparison algorithm is probabilistic
and very simple.
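Slide 60 only names the idea, so the following is an added Python example of one standard way to build such a test from products of small primes; it is my instantiation and not necessarily the exact algorithm the lecture refers to. It assumes list elements are integers below 1000, maps element e to the e-th prime, and multiplies those primes modulo a random 32-bit prime q, so each list is summarised by a single residue. Names such as MultisetFingerprint and same_multiset are mine.

```python
# Added example for slide 60: constant-space, streaming test of whether two
# integer lists are permutations of each other (equal as multisets).
# Each element e is mapped to the e-th prime; the product of these primes over
# a list is an integer N that, by unique factorisation, determines the multiset.
# Reducing N modulo a random prime q keeps the state to one residue; distinct
# multisets give N1 != N2, and a random 32-bit prime divides N1 - N2 only with
# probability about log2(max N) / (number of 32-bit primes), i.e. very small.
import secrets
from math import isqrt

ELEMENT_BOUND = 1000  # assumption: elements are integers in [0, ELEMENT_BOUND)

# e-th prime for every possible element e (7919 is the 1000th prime)
PRIME_OF = [n for n in range(2, 8000)
            if all(n % d for d in range(2, isqrt(n) + 1))][:ELEMENT_BOUND]


def random_prime(bits=32):
    """Random prime of exactly `bits` bits; trial division is fast enough at 32 bits."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if all(q % d for d in range(3, isqrt(q) + 1, 2)):
            return q


class MultisetFingerprint:
    """Constant-space accumulator: product of the elements' primes, mod q."""

    def __init__(self, q):
        self.q = q
        self.acc = 1

    def add(self, element):
        if not 0 <= element < ELEMENT_BOUND:
            raise ValueError("element outside the assumed range")
        self.acc = self.acc * PRIME_OF[element] % self.q


def same_multiset(list1, list2, q=None):
    """True if list2 is a permutation of list1; one-sided error only:
    equal multisets always return True, distinct ones return False unless
    the random prime q happens to divide the difference of their products."""
    q = q if q is not None else random_prime()
    f1, f2 = MultisetFingerprint(q), MultisetFingerprint(q)
    for e in list1:
        f1.add(e)
    for e in list2:
        f2.add(e)
    return f1.acc == f2.acc


if __name__ == "__main__":
    print(same_multiset([1, 2, 3, 3, 7], [3, 7, 1, 3, 2]))  # True
    print(same_multiset([1, 1, 2], [1, 2, 2]))              # False (multiplicities differ)
```

Because the fingerprint is a product, it is order-independent by construction, which is the whole point; the prime mapping is what makes it sensitive to multiplicity (1, 1, 2 and 1, 2, 2 give 3·3·5 and 3·5·5), something a sum of elements or a plain XOR would miss.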
64
As a Conclusion
We have seen in this lecture that the simple
message encoding format devised by Gödel,
p1^m1 · p2^m2 · …, can give birth to:
  • public key cryptosystems
  • error correcting schemes
  • an ingredient in the proof of the incompleteness
    theorem
65
As a Conclusion
The small prime factors theme (a.k.a.
smoothness) is also useful for attacking schemes
(index calculus algorithms). We didn't overview
this in this lecture.
[Figure: p1^m1 · p2^m2 · … at the centre, linked to:]
  • point counting on elliptic curves (Schoof's
    algorithm)
  • factoring algorithms
  • discrete log algorithms
  • Desmedt-Odlyzko attack on RSA
66
THANK YOU