Undergraduate Texts in Mathematics Editors S.Axler rw Gehring K.A. Ribet Springer NewYork Berlin Heidelberg HongKong London Milan Paris Tokyo http://avaxhome.ws/blogs/ChrisRedfield UndergraduateTextsin Mathematics Abbott: Understanding Analysis. Childs:AConcrete Introduction to Anglin: Mathematics:AConcise History HigherAlgebra.Second edition. andPhilosophy. Chung/AitSahlia: Elementary Probability ReadingsinMathematics. Theory:WithStochastic Processes and Anglin/Lambek:TheHeritageof anIntroduction toMathematical Thales. Finance. Fourthedition. ReadingsinMathematics. Cox/Little/O'Shea: Ideals, Varieties, Apostol: Introduction toAnalytic andAlgorithms.Second edition. NumberTheory.Second edition. Croom: BasicConcepts ofAlgebraic Armstrong: BasicTopology. Topology. Armstrong:GroupsandSymmetry. Curtis: LinearAlgebra:AnIntroductory Axler: LinearAlgebraDoneRight. Approach.Fourth edition. Secondedition. Daepp/Gorkin:Reading, Writing,and Beardon: Limits:ANewApproachto Proving:ACloser Lookat RealAnalysis. Mathematics. BaklNewman: ComplexAnalysis. Devlin:TheJoyofSets:Fundamentals Secondedition. ofContemporarySetTheory. BanchofflWermer: LinearAlgebra Second edition. Through Geometry.Secondedition. Dlxmler:GeneralTopology. Berberian: AFirstCourseinReal Driver:WhyMath? Analysis. Ebbinghaus/FlumlThomas: Bix: ConicsandCubics:A Mathematical Logic.Second edition. Concrete Introduction toAlgebraic Edgar: Measure,Topology,andFractal Curves. Geometry. Bremaud:AnIntroduction to Elaydi:AnIntroduction toDifference Probabilistic Modeling. Equations.Second edition. Bressoud: Factorization andPrimality Erdos/Suranyi: Topics intheTheory of Testing. Numbers. Bressoud:Second YearCalculus. Estep: Practical AnalysisinOneVariable. ReadingsinMathematics. Exner: AnAccompaniment toHigher Brickman:Mathematical Introduction Mathematics. toLinearProgrammingandGame Exner: InsideCalculus. Theory. Fine/Rosenberger: TheFundamental Browder: Mathematical Analysis: TheoryofAlgebra. AnIntroduction. Fischer: Intermediate RealAnalysis. Buchmann: Introduction to Flanigan/Kazdan: Calculus Two:Linear Cryptography, Secondedition. andNonlinear Functions.Second Buskes/van Rooij: Topological Spaces: edition. FromDistancetoNeighborhood. Fleming: Functions ofSeveral Variables. Callahan:TheGeometryofSpacetime: Second edition. AnIntroduction toSpecialandGeneral Foulds:Combinatorial Optimization for Relavitity. Undergraduates. Carter/van Brunt:The Lebesgue Foulds:Optimization Techniques:An Stieltjes Integral:APractical Introduction. Introduction. (continuedafterindex) Cederberg:ACourse inModem Geometries.Secondedition. Johannes Buchmann Introduction to Cryptography Second Edition , Springer JohannesA.Buchmann DepartmentofComputerScience 'TechnicalUniversity, Darmstadt Hochschulstr, 10 64289Darmstadt Germany EditorialBoard S.Alder F.w.Gehring K.A.Ribet MathematicsDepartment MathematicsDepartment MathematicsDepartment San FranciscoState East Hall UniversityofCalifornia University UniversityofMichigan Berkeley San Francisco,CA94132 Ann Arbor,MI48109 Berkeley, CA94720-3840 USA USA USA [email protected] [email protected] [email protected] Cover:The factorizationofRSA-576,a576-bitor 174-digitprimenumber,wasthe goalofan openchallengesponsoredby RSALaboratories(Bedford,Mass.).RSA-576wasfactoredbya teamofresearchersinGermanyand othercountriesin December, 2003. MathematicsSubjectClassification(2000):94-01,94A60,11T7l Library ofCongressCatalogingin PublicationData Buchmann,Johannes. IntroductiontocryptographyI JohannesBuchmann.- [2nded.]. p.ern.- (Undergraduatetexts in mathematics) Includesbibliographicalreferencesandindex. ISBN0-387-21156-X(hardcover: alk.paper)- ISBN0-387-20756-2(softcover: alk.paper) 1.Codingtheory. 2.Cryptography. I.Title. 11Series. QA268.B832004 003'.54-dc22 2004041657 ISBN0-387-21156-X Printedonacid-freepaper. Germanedition:EinfurungindieKryptographieII.'Springer-Verlag, Heidelberg,1999.11.'2004, 2001Springer-VerlagNY,LLC Allrightsreserved.This work may notbe translatedorcopiedinwhole or inpartwithout the written permissionofthe publisher(Springer-VerlagNewYork,LLC,175FifthAvenue, NewYork,NY10010,USA),except forbriefexcerptsinconnectionwith reviewsorscholarly analysis.Usein connectionwith any form ofinformationstorage andretrieval,electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafterdevelopedisforbidden. The use inthis publicationoftrade names,trademarks,service marks,and similarterms, eveniftheyare not identifiedassuch,isnot tobe takenasan expression ofopinionasto whetherornot theyare subjecttoproprietaryrights. PrintedintheUnited States ofAmerica (BP/EB) 98654321 SPIN10991503(hardcover) - SPIN10963999(softcover) Springer-Verlagisapart ofSpringerScience+BusinessMedia springeronline.com For Almut, Daniel, andJan Contents Preface for the Second Edition xiii Preface xv 1 Integers 1 1.1 Basics. . . . . .. . . . .. 1 1.2 Divisibility . . . . . . . . . 3 1.3 Representation of Integers 4 1.4 0-and Q-Notation . . . . . 6 1.5 Cost ofAddition, Multiplication, and Division with Remainder . . . . . . . . . 7 1.6 Polynomial Time . . . . . 9 1.7 Greatest Common Divisor 9 1.8 Euclidean Algorithm ... 12 1.9 Extended Euclidean Algorithm . 16 1.10 Analysis ofthe Extended Euclidean Algorithm 18 1.11 Factoring into Primes 22 1.12 Exercises . . . . . . . . . . . . . . . 24 2 Congruences and Residue Class Rings 29 2.1 Congruences . 29 .. Vll V111 Contents 2.2 Semigroups . 32 2.3 Groups . 34 2.4 Residue Class Ring . 35 2.5 Fields . 36 2.6 Division in the Residue Class Ring . 36 2.7 Analysis ofthe Operations in the Residue Class Ring 38 2.8 Multiplicative Group ofResidues mod m 39 2.9 Order ofGroup Elements 41 2.10 Subgroups . 42 2.11 Fermat's Little Theorem 44 2.12 Fast Exponentiation . . . 45 2.13 Fast Evaluation of Power Products 48 2.14 Computation ofElement Orders . 49 2.15 The Chinese RemainderTheorem 51 2.16 Decomposition ofthe Residue Class Ring 53 2.17 AFormula for the Eulercp-Function 55 2.18 Polynomials . . . . . . . . . 56 2.19 Polynomials over Fields. . . . . . . 58 2.20 Construction ofFinite Fields . . . . 61 2.21 The Structure of the Unit Group of Finite Fields 65 2.22 Structure ofthe Multiplicative Group of Residues Modulo a Prime Number 66 2.23 Exercises . 67 3 Encryption 71 3.1 Encryption Schemes . 71 3.2 Symmetric and Asymmetric Cryptosystems 73 3.3 Cryptanalysis . . . . 74 3.4 Alphabets and Words 77 3.5 Permutations . . . . . 80 3.6 BlockCiphers . . . . 81 3.7 Multiple Encryption . 82 3.8 The Use of BlockCiphers 83 3.9 Stream Ciphers ... .. 93 3.10 The Affine Cipher . . . . 95 3.11 Matrices and Linear Maps 97 3.12 Affine Linear BlockCiphers 102 3.13 Vigenere, Hill, and Permutation Ciphers 103 Contents 3.14 Cryptanalysis ofAffine Linear BlockCiphers . 104 3.15 Secure Cryptosystems . 105 3.16 Exercises . .. . . ... .. . III 4 Probability and Perfect Secrecy 115 4.1 Probability . ... ... 115 4.2 Conditional Probability 117 4.3 Birthday Paradox . . . . 118 4.4 PerfectSecrecy . . . . . 119 4.5 Vernam One-Time Pad 123 4.6 Random Numbers . . . 124 4.7 Pseudorandom Numbers 124 4.8 Exercises . . . ... ... 125 5 DES 127 5.1 Feistel Ciphers . 127 5.2 DESAlgorithm. 128 5.3 An Example . . 134 5.4 Security of DES 136 5.5 Exercises . . .. 137 6 AES 139 6.1 Notation . . . 139 6.2 Cipher .... 140 6.3 KeyExpansion 145 6.4 An Example 146 6.5 InvCipher 148 6.6 Exercises . . 148 7 Prime Number Generation 151 7.1 ThaI Division . . . . . 151 7.2 FermatTest . . . . . . 153 7.3 Carmichael Numbers 154 7.4 Miller-RabinTest . 156 7.5 Random Primes 159 7.6 Exercises ... . . 160