Slide 1: Welcome. Today we will discuss cryptography. Lets consider two problems. In the first problem, you have a lot of data.

(). , . kol. : .

Hunyng (dji). Jntin, wmen hu toln mm xu. Wmen li kol ling g wnt. D y g: N yu hndu shj.

Slide 2: Here is an example: you study biology and medicine and have a LOT of DNA data

1(or bi ru shuo): wbng

1Zh sh yg lzi: N xux shngw h yxu, bng yu hodu hodu de DNA shj.

Almost everyone gives you their DNA data. You want to do some important calculations. You could save lives!

lizhng.2wnjimng

Chbdu, mi grnli gi ni tmen de DNA shj. N xing yo zu (yxi) zhngyo de jsun.2 N ky wnji shngmng.

However, it is too much work for you to do yourself!You need others to help, but can you trust them?

ling,3 :4xingxn

Dnsh, zhge jsun ling ti dle (yu ti du shj, 3 n de dinno ti mnle): N bnng zj zule.4 N hi yo bi de rn bngmng, dnsh n nng xingxn tmen ne?

Is it ethical to send the data?

5Fsnghh

Fsng shj shbsh hh dod?

Slide 3: How does one share work? Cloud computing: You send the data to the cloud. The Cloud is a bunch of other computers and cell phones, etc. The others in the cloud do your calculations, and then rain down the answer.

1 Cloud Computing (). 23 d'n.

D y g wnt: N znme gn bi de rn yq zu jsun? 1 Wmen yng Cloud Computing (yn jsun). N fsng n de shj do yn. Ng yn sh hndu bi de dinno gn shuj, dng dng. 2 Bi de dinno zi yn lmin zu n de jsun, 3 zhhu d'n xi y huli.

Slide 4: However, there is still a problem: Can you trust others? Here is an idea: If you could send the data so that they could do the calculations but not see the data, then there is no problem. Can we mess up the data in some way so that they cant read it? This question is hard, so we will return to it later.

dnxn: 1 xingxn2nirng3nng lun, . 4:rngrnsho

Dnsh, hi yu yg dnxn: 1 N nng bnng xingxn bi de rn? 2 Rgu ni hu gi nxi yn de rn n de shj rng tmen ky zu n xing yo de jsun, dnsh kn b do zhge shj, n mi wnt. Wmen ky gi tmen nng lun de shj, suy tmen bnng d t. Qngwn: Yu miyu knng wf kn do shj, dn rngrn ky zu jsun ne? Zhge sh hn nn de wnt, suy wmen sho hu hu toln t.

Slide 5: Second question: Right now, the bank keeps track of your transactions and verifies your account balance. Suppose that you do not trust banks, and you want to collectively keep records on the internet. You want a decentralized system, and this is the idea of Bitcoin.

1 zngjnxngynzhngzhnghy'Jishxingxnwng(bocn)jl. hu. 2 Bitcoin.

D r g wnt: 1 Xinzi, ynhng gnzng n de jioy h jnxng ynzhng nn de zhngh y'. Jish n b xingxn ynhng, n xing yo zi wng lshng yq gn bi de rn (bocn) zhxi jioy jl. N xing yo yg q zhngxn hu de ynhng. 2 Zh jishBitcoin de xingf.

Slide 6: In the implementation of Bitcoin, a transaction is sent and verified by a collective group of computers. Here validation is needed to check that the transaction really occurred. Then, once all of the computers agree, it is added to a new block of transactions which is then added to the chain of all transactions (this is the Blockchain). There is no central entity (like the bank) with the authority to change transactions. Transactions added to the Blockchain are unable to be changed. Nobody has the authority to decide to freeze your assets (banks sometimes freeze your money if they think you are doing something illegal), but nobody can correct mistakes, either (banks correct errors or thefts, for example). Cryptography is used in two main places in Cryptocurrency: Firstly, the transactions need to be verified. These are signed with a private key to verify your identity (otherwise people could steal your money by pretending to be you!). We will talk about private and public keys later. Secondly, blocks are put onto the blockchain by hashing the data from the previous block, which prevents someone adding a block invalidating all of the information.

shxinBitcoin, 1 (/Cloud computing) , 2jt ynzhng. xynzhngzhngsh . , y, bi fngblock(); blockbi linjiyuguchnglin;blockchain ().3 Bitcoin/Blockchainsht (chuntng)qunxingnggi, wnchngbi qxio.4 dngjizchn (dngjijudfifshqng)jizhng cuw (jicuzngkun). Shxin Bitcoin 5ynzhng. qin sqinfuz qtjizhungtu zu. sho/s. bitcoinbi fnglin,sn liwxio.

Wile shxinBitcoin, 1 n de dinno fsng yg jioy do wng lshng (Zh jish yn/Cloud computing chbdu yyng),2 yxi dinnomen jt ynzhng zhge jioy. Wmen xyo zhxi ynzhng q zhngsh jioy zhn de f shng le. Nme, dji du tngy zhhu, jioy bi fng r yg xn deblock(q kui); rnhu zhge xn deblock bi linji do yu suyu jioy guchng de lin shng; zh jish suwi deblockchain (q kui lin).3 Bitcoin/Blockchain miyu zhng yng sht (ynhng sh chuntng de jioy zhngyng) yu qunxin q gnggi jioy, suy wnchng jioy bnng bi qxio. Miyu zhng yng de rn ky dngji n de zchn (br shu yu shhu ynhng hu dngji n de qin rgu tmen jud n zi zu fif de shqng), dnsh y miyu rn ky jizhng cuw (ynhng hu jizhng cu de jioy y ky hu gi n zngkun). Shxin Bitcoin de shhu zi ling g dfng shyngle mm xu: 5 D yg: Jioy ydng ynzhngle. N de jioy ydng qinmngle: N shyng n mm xu de"s yo"qinmng (fuz qt rn ky jizhung n tu zu n de qin). Wmen sho hu hu toln mm xu de"gng yoshi/s yoshi. Zi zu"bitcoin de shhu d r g mm xu de yngf: Q kui bi fng zi lin shng de shhu, xn de shj ydng gnqin yg q kui de shj yq sn li, suy huirn bnng jir y g xn de q kui, sh yqin de shj wxio.

Slide 7: What is cryptography? How do you do cryptography? Can you safely send data? Can someone see what youre doing? Can you trust them? After sending the data, can the recipient do the calculations you want, but still have the data stay safe?

123xingxn4jishu, boch

Shnme sh mm xu? N znme zu mm xu? Ky nqun fsng shj ma? Yu huirn knng kn do n fsng de shj ma? N kb ky xingxn tmen? Shj fsng de yhu, jishu shj de rn kb ky zu n xing yo de jsun, dnsh shj boch nqun ne?

Slide 8: Lets begin with the question of how to do cryptography. The idea of modern cryptography is to find a one-way function, a math problem which is hard to solve, but easy to check if an answer is given to you.

12disone-way functions; 3one-way function , jijujio ynjid4shoone-way function

Wmen yo kish xing y xing mm xu znme zule. Xindi mm xu de zhngxn sxing sh zhodo suwi deone-way functions;1 ygone-way function sh yg hn nn de shxu wnt, dnsh n jiju ng shxu wnt yhu, n bi de rn ky hn rngy jio yn n de jid. Wmen sho hu hu kn doone-way function de lzi.

Slide 9: These questions are too hard to begin with, so lets go back to the beginning and consider cryptography from the beginning, going back through history. You want to send an important message. You can give it to a courier, but can you trust the courier? What if someone intercepts it in between?

. cngxlsh1zhng2bd3xing4lnji

Zhxi wnt ti nny kishle, suy wmen yo hu do guq. Wmen yo cng kish xu, xux mm xu de lsh. N xing yo fsng hn zhngyo de xnx. N ky b t gi kuid, dnsh b zhdo n hu b hu xingxn t. Rgu yurn zi zhngjin lnji t ne?

Slide 10: Well start a long, long time ago

Wmen kish do hnji yqin.

Slide 11: Caesar wanted to send a message, but he didnt want his enemy to steal it. For example, maybe hes coordinating an attack, and it would put him at a disadvantage if the enemy knew this information. Caesars solution: the Caesar cipher; every letter is shifted to another letter, 3, 5, or so to the right. But where does the letter z go to? We use clock arithmetic.

Caesar zhngdlnjiCaesarxitio gngjdshzhndu. 1 CaesarjidCaesar cipher; 2biya d. zbi fngclock arithmetic (sunshmodular arithmetic

Caesar xing yo fsng yg zhngyo de xnx, dnsh t bxing drn lnji t. Lr, Caesar xing yo xitio gngj. Rgu t de drn zhdo t xing yo zu de, n t hu shq zhndu. Caesar de jid: Suwi deCaesar cipher; mi yg zm du bi yu yle sn g, w g, dng dng zm. Wmen ky shu zma ji sn dngy zm d. Qngwn: Zmz bi fng do nlle? Wmen shyng suwi declock arithmetic (shzhng sunsh; Y ky shu modular arithmetic).

Slide 12: On a clock, 1 oclock and 13 oclock are the same. When doing Caesar ciphers we do the same thing. In other words, z plus 3 equals c. If a clock has 24 hours, then one oclock and 13 oclock are not the same, but one oclock and 25 oclock are still the same. What if a clock had 26 hours (like the 26 letters in the English alphabet)? Or 7 hours? Or 11 hours?

1Caesar cipher, z c.2, .3 (ling)Huzh? Huzh?

Zi shzhng shng, ydin gn shsn din yyngle. ZuCaesar cipher de shhu, wmen zu yyng de shqng: Zmz ji sn dngy zmc. Rgu shzhng yu rshs xiosh, n ydin gn shsn din ji b yyngle, dnsh ydin gn rshw din hish yyng de. Rgu shzhng yu rshli xiosh (h yngwn zm de shling y yng) ne? Huzh q g xiosh ne? Huzh shy g xiosh ne?

Slide 13: Lets try some modular arithmetic. If a clock has 8 hours and starts at 7 oclock and runs for two hours, when does it end (what time does the clock say?)? Seven plus 2 is nine, so .. it says one oclock on the clock. We say that 7+2 and 1 are congruent modulo 8 if they have the same time on an 8-hour clock.

1,modular arithmetic.2,3 , , jish(?)? 4, 5 . zh,() congruent modulo .is congruent to(mod ).

Wmen sun sun kn, zumodular arithmetic. Rgu shzhng yu b g xiosh, n kish shngk de shjin sh q din, shngk ling g xiosh, n zhge k shnme shhu jishle (shnme shjin zi shzhng shngle?)? Q ji r dngy ji, suy ydin zi shzhng shng. Ynwi ji gn y zi b g xiosh de shzhng zi yyng de wizh, suy wmen shu q ji r (dngy ji) gn y shcongruent modulo b. Wmen xi q ji ris congruent to y (mod b).

Slide 14: Heres the next example. Every non-leap year has 365 days. Last year, your birthday was on a Wednesday. Every week has 7 days. Three hundred sixty-four is 52 times 7; the remainder equals one, so there is a shift of one day, and your birthday will be on Thursday this year.

1: 2fi rn. 3, jingzhu? 4. 5chng; 6y, zhuny. jing7.

Xi yg lzi: Mi yg fi rnnin yu snbi lishw tin. Rgu n qnin de shngr zi xngqsn, n jnnin de shngr jing zi yzhu zhng de n ytin? Mi zhu yu qtin. Snbi lishs dngy q chng ywsh'r; ysh dngy y, suy n shngr zhunyle ytin. N n jnnin de shngr jing zixngqs.

Slide 15: Can you solve the following congruences? Give it a try.

1jiju? ! : x . : x . : x .

N kb ky jiju yxi de wnt? N sh shkn! D y g wnt: X dngylng. D r g wnt: X dngy r. D sn g wnt: X dngy li.

Slide 16: Ok. Since you are now comfortable with modular arithmetic, lets try to encrypt a message. We choose a shift of 10. The original message is attack at midnight. We first convert every letter to a number. Then we add 10 to each number and convert back into letters. We finally send lddlnu ld wsnxsqrd (we take out the spaces when we send it). The recipient reverses these steps. In practice, a ring which matched the beginning and ending letters was used to do the encoding/decoding. This is where the term decoder ring comes from.

. xgunmodular arithmetic, Caesar Cipher. 1biy. 2Caesaryunshattack at midnight. :3 jinghun. : , . , 4kddkmu kd wsnxsqrd(, shnchkngg). 5jinfn zhunzhu. shjinppijishxunzhun hi .decoder ringyun.

Hole. Ynwi nmen xinzi xgunlemodular arithmetic, suy wmen ky shyng ygCaesar Cipher wi yg xnx jim zu zu kn. Wmen yo mi g zm bi yu yle sh g zm. Caesar de yunsh xnx shattack at midnight. D yb: Wmen jing mi g zm zhunhun wi shz. Xi y b: Mi g shz yo ji sh, rnhu zhunhun hu do zm. Zuhu, wmen fsng de shlddlnu ld wsnxsqrd(fsng de shhu, wmen shnch kngg). Shu jin rn fn zhunle zhxi bzhu. Zi shjin zhng, tmen shyng yg ppi yunsh h jish zm de xunzhun hi. Zh shdecoder ring de liyun.

Slide 17: Lets try an easier example and do it ourselves. The secret message is hi. h is 8, i is 9. We then add 20 to each number. What do we send? Try it yourself. You send

1. 2mmhi.3 h, i., , 4. , ? 5. 6: 7bc.

Wmen xinzi zj zu yg rngy de lzi sh shkn. Wmen mm de xiox shhi. Zm'h'dngy b ho, zm'i'dngy ji ho. Rnhu, mi yg shz yo ji rsh, suy wmen yu rshb gn rshji. Zuhu, wmen fsng de sh shnme? N zj sh shkn. N fsng de sh: bc.

Slide 18: Heres another secret message. Can you decode his message? It is harder without knowing the shift. Since you came to my talk, Ill give you the secret information.

,. 1jimtio? yyun, . ynjing, 2. chngx. rambling in maths.

Xinzi, wmen kn lng yg mm xiox. N hu b hu jim zh tio xiox ne? Rgu n b zhdo zhuny du yun, n hn nn. Ynwi nmen li zhl kngu w de ynjing, suy w gi n zh mm de xnx. W xi yg xio de hu gi wmen zhge d'n de dinno chngx. T jish rambling in maths

Slide 19: Caesars code has a problem. What happens if someone steals the data? They could try to guess the shift. If they guess correctly, they will know it, because they can read the text. How can one guess? Some English letters occur more often, so you can find the most frequent letters and guess that these are d, t, or e. Maybe you can just replace letters instead? But then one can still guess based on frequency.

Caesar cipher . 1qiq,2 ciczhunyyun. 3ci,nirngd. ?4 , , 'd, t, e. 5: . 6gnjcic.

Caesar cipher yu yg wnt. Rgu yurn qiq n de xnx, nme tmen ky cic n zhunyle du yun. Rgu tmen ci dule, tmen ji zhdo xnx de nirngle, ynwi tmen ky d do wnbn. Znme ky ci ci knle ne? Ynwi yngwn yu chngchng shyng de zm, suy n hu zhodo zi xnx lmin shyng zudu de zm, rnhu ci ci zhge zm sh zm'd', zm't', hish zm'e'. Lng yg xingf: N zhyo zu yg zm ppi. Dn rnmen hi ky gnj chngchng shyng de zm cic t.

Slide 20: Another attempt: make a random matching of letters. The Spartans wrapped leather containing letters around a long rod. If the width of the rod was correct, it spelled a word, but if the width was incorrect, then it wouldnt make sense. People can still attack these methods by looking for the most common letters, though.

: 1Suj jn. 2Spartan jndugn, zhuwipg. Pg. gnqukund,yu. kund, yu. 3,pnl.

Lngwi yg lzi yng btng de fngf jim: Suj jnxng zm de ppi. Spartan de jndu shyng chng de gn, zi t zhuwi bo shng pg. Pg shng yu zm. Rgu n de gn yu zhngqu de kund, nme n ky yud zhge xnx. Rgu kund bdu, ji bnng yud t. Dnsh, huirn hish ky jsun zm pnl.

Slide 21: Lets try something different.

.

Wmen li sh sh lngwi yg.

Slide 22: Weve discussed the problems with random replacement/matching. Does every letter always have to go to the same letter, though? Maybe we could have multiple choices for each letter to be changed to. The Grand Chiffre in the royal court of France changed syllables to multiple choices of other similar-sounding syllables.

1Sujyjngtoln. 2zhunhun?3 xxunz zhunhun. 4gngtngGrand Chiffrejingynji (5zhunhunmm xtng) zhunhunshngynynji.6

Suj ppi de wnt wmen yjng tolnle. Dnsh yg zm ydng yo mi c zhunhun do yyng de zm ma? Yx mi g zm yu knng yu hndu xunz li zhun hun t. Fgu gngtng shyng deGrand Chiffre jing mi g ynji (t bsh zm zhunhun de mm xtng) zhunhun chng du g shngyn chbdu yyng de ynji.

Slide 23: Why is this better? Guessing is harder, and frequent letters/syllables get shared among more choices. Do new problems arise? Every letter has many possible outputs, so you need to know when to switch. If a and b both sometimes go to e, then how does the receiver decide if an e is really an a or a b? Caesar cipher didnt have this problem because the change was unique. If you use a simple method to change choices, then people in the middle can also figure it out.

1Caesar cipher? ,ci (ynji)xxunzgngxing. ? 2xxunz,hqihun xunz. 'a''b'zhunhun'e', juzhunhun' e'yunbn'a''b'? Caesar cipher wizhunhun,. juhunxunz,hunxunz.

Zhge mm xtng wishnme bCaesar cipher gng hole? Zi zhge mm xtng, huirn ci du zm gng nn chngchng shyng de zm (hi yu ynji) y zi xdu xunz zhng gngxing. Dnsh zhge mm xtng yu xn de wnt ma? Ynwi mi g zm yu xdu xunz, suy n ydng yo zhdo hsh qihun xunz. Rgu zma h zmb du zhunhun doe le, nme shu xnx de rn znme judng zhge zi zhunhun xnx zhng dee zi yunbn de xnx zhng sha hishb? Ynwi Caesar cipher yu wiy de zhunhun, suy t miyu zhge wnt. Rgu n yng rngy de fngf li judng shnme shhu hun bi de xunz, nme huirn zi zhngjin y hu zhdo n hun bi de xunz.

Slide 24: This type of cryptosystem is called a polycipher. One example of a polycipher is a repetitive usage of Caesar cipher. In this system, the first letter is shifted a certain number of places, then the next is shifted another number of places, and so on. For example, we can shift 3 spaces, then 11 spaces, then 5 spaces, and repeat. Lets try this with the original message Here is a message. The encrypted message is kpwhtxdxjvdfjp. The original message has a lot of es, but they are distinct in the encrypted message. We therefore conclude that it is better than the Caesar cipher. However, people in the middle can guess the length of the repeating period of the shifts, and then they can again do frequency counts to attack this cipher just like Caesar cipher.

xhunxtngpolycipher. 1Caesar cipher. polycipher,zhunywizh,zhunylingwizh, . , zhunywizh, zhunywizh, zhunywizh, chngfzhunyd. yunsh2Here is a message xtng. h hunk, e hunp, 3kpwhtxdxjvdfjp. Yunsh'e', .YncCaesar cipher. 4Rn'r, cicchngf zhuq, ,shuCaesar cipher shgngj.

Shyng xdu zhunhun de mm xtng jiopolycipher. Yg lzi sh du c shyngCaesar cipher. Zi zhgepolycipher l, d yg zm yo zhuny yu j g wizh, rnhu xi y g zm yo zhuny yu btng shling de wizh, dng dng. Lr, d y g zm yu knng zhuny yu sn g wizh, d r g zm zhuny yu shy g wizh, d sn g zm zhuny yu w g wizh, zhhu wmen chngf zhxi zhuny de chngd. Xinzi wmen de yunsh xnx shHere is a message, wmen yng zhge mm xtng zu zu kn. h zhunhun dok, e zhunhun dop, dng dng Jim de xiox shkpwhtxdxjvdfjp. Yunsh de xnx yu hndu zme, dnsh zi jim de xiox zhng tmen sh btng de. Ync wmen kn do t bCaesar cipher gng ho. Rn'r, rgu zhngjin de rn ky cic wmen yng de chngf zhuq de chngd, nme tmen hi ky zhodo chngchng shyng de zm (rnhu, zhge mm xtng yu knng shudo gnCaesar cipher tngyng fngsh de gngj).

Slide 25: Lets move to cryptography in more recent times.

Wmen xinzi toln gng jnq de mm xu.

Slide 26: The next attempt is to try to make too many choices for guessing to work. An example was Germanys Enigma machine. This was an automated machine that changed the output each time that you put in an input. Therefore, each letter would have a different output each time that you entered it.

chngsh1xunz rngwcic.Enigma machine. 2. q, xunchln. 3 chlnxun, n .

Xi yc chngsh: Wmen shyng hn du de xunz rng rn wf cic. Yg yqin de lzi sh dgu deEnigma machine. Zh sh ygzdng de mm j. Zi zhge jq lmin, yu xunzhun de chln. Ynwi n mi c n do yg zm t de chln yo xunzhun, suy mi c n do yyng de zm yu knng btng de zm chlile.

Slide 27: How does an Enigma machine work? First, you hit a key on the keyboard. The letter on this key is matched to another letter via a plugboard (the plugboard has one matching that never changes). Then this letter is matched to another one on the first rotor, which is in turn connected to a letter on the second rotor, and finally this letter is connected to another letter on the third rotor. Then the output is matched with another letter on a reflector (this is essentially the same as the plugboard). After this, it comes back through the rotors again. The rotors turn in the same way as adding with carry.

Enigma machine ? , jinpn jin. Tngchjin bn, jinpn jin (g). 2, xing. xing, xing. 3, shfnsh bnxing (fnsh bnchjin bn). 4, shyu tng.5 , xunzhun.6 xunzhun, xunzhun, xunzhun, xunzhun. jnwi.

Enigma machine sh rh gngzu de ne? Kish de shhu, n n yg jinpn jin. Tnggu ygchjin bn, zhge jinpn jin shng de zm y lngwi yg zm ppi (zhge chjin bn de ppi sh gdng de). Rnhu, zhge zm y d yg zhunz shng de lngwi yg zm xing ppi. D yg zhunz shng de zm y d r g zhunz shng de lngwi yg zm xing ppi, rnhu t y d sn g zhunz shng de lngwi y g zm xing ppi. Xi yb, zh geshch de zm y fnsh bn shng de lngwi y g zm xing ppi (zhge fnsh bn h chjinbn zu de shqng chbdu yyng). Rnhu, shch de zm yu tnggu zhunz hulile. Zuhu, d y g zhunz xunzhunle. T xunzhun d rshli g zm yhu, n d r g zhunz y xunzhunle, d r g zhunz xunzhun d rshli g zm de shhu, d sn g zhunz y xunzhunle. Zh jish di jn wi jif de fngf.

Slide 28: The process is symmetrical because of the reflector. Hence to decrypt, one only needs to set the rotors to the same starting position and then type the encrypted message into the machine. Because of this symmetry, the Germans constructed the Enigma machine so that it would never match a letter back to itself.

1fnsh bn, guchngchn.1 , jim, xmxunzhunshzhq, bshq. 2Enigmajzhngchn, gujin.

Ynwi fnsh bn, zhge guchng sh duchn de. Ync, n xing yo jim jim de xiox, zh xyo yng yg ym yyng xunzhun zhunz shzh de jq, b jim de xiox shr jq. YnwiEnigma jyu zh zhng duchnxng, dgu gujin tsh, sh zm bnng zj ppi.

Slide 29: Enigma was eventually broken by finding the rotor settings with the help of automation (many different possibilities were guessed simultaneously). But checking all possibilities with brute force would have been impossible (there are too many possibilities). One of the reasons Enigma was eventually broken were based on the symmetries, which reduced the number of possibilities. Not allowing a letter to be matched to itself reduced the number of possible choices, correct guesses reduce the choices further, and combining this with other symmetries allowed the British to reduce the number of possible choices to something that they could handle. They also used common signals sent by the Germans to look for patterns and test their guesses, working backwards.

zhng,pEnigma. qEnigmashzh (shzhxng). , Enigma shzhxng, shtshzh. 2pEnigma yunynduchn xng. duchn xng, shzhxngjin. 3, xngjin. Zhngqucicjnjinshzhxng. 4jincicxng. 5, cshcicbngxing.

Zuzhng, ynggu rn dpleEnigma de jim. Tmen yng zdng de j qci doEnigma zhunz de shzh (ng zdng jhu tngsh cic hndu zhunz shzhde knng xng). Dnsh, ynwiEnigma yu ti du shzh deknng xng, suy tmen bnng sht cic mi yg zhunz shzh. tmen dpEnigma deyg yunyn sh t de duchn xng. Ynwi t yu duchn xng, suy zhunz shzh deknng xng jin sho. Yn wi yg zm bnng zj ppi, suy knng xng y hu jinsho. Zhngqu de cic ky jnyb jinsho shzh de knng xng. Ynggu rn yng zhge fngf jinsho tmen cic de knng xng. Tmen y zhdo dgu mitin fsng de xnx, suy tmen y hu csh tmen de cic bng xinghu gngzu.

Slide 30: Automated machines for encryption and decryption brought about major changes in cryptography.

jimgibin.

Ky jim y jim de zdng j qi gei mm xudi li le hndugibin.

Slide 31: When constructing the Enigma machine, the Germans didnt expect others to use an automated search. They made some choices which would not have been best with automated searches. Why? Computers search differently than humans

1shjEnigma, dushuqshzhxng. shzhxng, shjEnigma. ?2 li. 3kxudun.kxu, x. 4x.5 rnlisusu, gibin.

Dgu shjEnigma de shhu, tmen mi xingdo dushu hu shyng zdng de jq zho ddo zhunz shzh deknng xng. Rgu tmen zhdo bi de rn yng zdng j zhodo zhunz shzh deknng xng, tmen hu shj b yyng deEnigma. Wishnme? Dinno zhodo de fngf h rnli zhodo de fngf b yyng. Zh jish dinno kxu de kidun. Dinno kxu kish de shhu, tmen zhn de zi shxu x zu gngzu. Xinzi tmen yu zj dex . Ynwi dinno h rnli susu de fngf btng, suy mm xu y ydng gibin.

Slide 32: The advent of computers brought about a new method of cryptography. The basic idea is to find a mathematical operation which is easy to do in one direction, but hard to do in reverse. The operation is encryption, while the reverse is the decryption. Of course, it needs to be possible to do the decryption (reverse direction) with extra secret information. Here is an example: If you multiply 3571 and 6997, you can follow an easy series of steps (we all learned this is school, and computers are even better at this than us) and get 24986287. On the other hand, if I only give you the number 24986287, then can you find the original two numbers? If I give you one of the numbers, then you can find the other, but without either number it is hard to find them.

chxin1ynsun, dindoynsun.2 , ynsun.jim, dindo. Dngrn, nnggunzhunynsun.3 mm, fn xingynsunynggi.4 J: . (, shnzhrnli), , . , , , ? qzhng, . .

Dinno de chxin di lile xn de mm xu fngf. Tmen xn de xingf rxi: Zhodo yg shxu ynsun n ky rngy zu, dnsh dindo zhge ynsun hn nn. N xing yo jim de shhu, n zu zhge ynsun. N xing yo jim de shhu, n yo dindo t. Dngrn, n de pngyu knng nnggu nzhun zhge ynsun. Rgu tmen zhdo mm, fn xing ynsun ynggi hn rngy. J yg lzi: W gi n snqin wbi qshy h liqin jibi jishq. N hu chng y zhxi shz (wmen du zi xuxio xu znme zule, dinno shnzh b rnli zu d gng ho), yxi b yhu, n zhdo zh dngy rsjibli'rbq. Dn lng y fngmin, rgu w gi n rsjibli'rbq, wn n n ling g shz ky chng y yq dngy zhge shz, n n zh b zhdo znme zu ne? Rgu w gi n qzhng de yg shz, n n hu zhodo lngwi yg. Dnsh rgu yg shz y b gi n ji hn nn zhodo tmen.

Slide 33: Is the question posed at the end of the previous slide well-defined? Are there other pairs of integers which can be multiplied to get this number? A better question would be to ask if you can find all such pairs. It turns out that these questions are essentially equivalent. What we are trying to find is all divisors of a given integer. A prime number is an integer which is only divisible by itself and one. By successively dividing out by a prime number, we can break up a number into a product of many primes; this is known as the prime factorization. An encryption method known as RSA uses the fact that multiplication is easy but prime factorization is hard. Heres an easier question to start withcan you even find all prime numbers?

hundngyy? chng? 1: chng y? xingtng.ch sh (,divisors). 2s sh (prime number)zhngsh, ch sh.3 ,s sh ch sh, chs sh ch sh, . Chngfguchngprime factorization. 4RSA prime factorization. 5cng: ?

Zi shng yg hundng pin zuhu de wnt yuyy ma? Yu knng yu lngwi y du shz ky chng y yq dngy zhge shz ma? Gng ho de wnt sh: N hu b hu zhodo suyu de shung shz ky chng y yq dngy zhge shz. Dnsh zhxi wnt sh xingtng de. Wmen yo zhodo de jio ch sh (zi yngwn, wmen shudivisors). Yg s sh (zi yngwn shuprime number) sh yg zhngsh, t de ch sh zhyu zj gn y. Rgu n yu yg zhngsh, n ky zhodo yg s sh ch sh, rnhu n ch y zhge s sh ch sh, ddo yg xn de sh. Chngf zhge guchng gi n zh zhngsh suwi deprime factorization. Yg jioRSA de mm xtng de xingf sh chngf sh rngy dnshprime factorization hn nn. Wmen cng gng rngy de wnt kish: N nng b nng zhodo mi g s sh ma?

Slide 34: Eratosthenes had an idea how to find every prime number up to a fixed bound. Since prime numbers are those numbers which are not divisible by any number but themselves, he would cross out all numbers that are multiples of another number. Here is an example where the primes up to 120. We start with 2 and cross out all even numbers. After that, the first number which is not crossed out is 3, and we see that it is prime. We cross out all multiples of three, and continue in this way until weve found all of the primes up to 120.

1Eratosthenes chogujis shs shch shhu dioch shhu dios shs shxioy2s shs shhu dioyncs shbishs shs shhu dios shchngfxioys sh

Eratosthenes yu yg xingf ky zhodo b chogu yg shng ji de mi g s sh. Ynwi t zhdo s sh sh miyu bi de ch sh de zhngsh, suy t hu dio yu bi de ch sh de zhngsh, xi yg hi mi hu dio de sh sh s sh. Zhl yu zhodo mi g s sh xioy ybi rsh de lzi: r sh s sh, suy mi g shung sh bsh s sh, rnhu sn hi mi hu dio, ync t sh s sh. Ynwi jishsn de bish, suy t bsh s sh. Shw y bsh s sh, dng dng. Ynwi xi yg hi mi hu dio de zhngsh sh w, suy t sh s sh. Wmen chngf zhge fngf do ybi yshsn (t sh zud de xioy ybi rsh de s sh).

Slide 35: Now that we know it is possible to find all primes, lets consider how to find the prime factorization of a number (that is to say, finding how to write it as a product of primes). Lets consider the example of 144. We first note that it is even (i.e., it is a multiple of 2), and we divide by 2. We keep dividing by 2 until we get 9, and then we note that 9 is 3 times 3, so we get the prime factorization given here.

s shprime factorization (, bioshs shchngj). 1: prime factorization. 2shungsh, ch.3 ddo, ch. 4, . 5 . m.

Xinzi wmen zhdo mi g s sh znme zhodole. Wmen xi yg wnt sh rgu n yu yg zhngsh rh zhodo t deprime factorization (y jish shu, t sh rh biosh wi s sh de chngj). Lr: Wmen yo zhodo ybi sshs deprime factorization. Ynwi t sh shungsh, wmen yng r ch t. Yn wi ddo de hish shungsh, suy wmen hi ky yng r ch t. Wmen zu le s c yhu, ddo ji. T jish sn chng y sn. Suy ybi sshs dngy r de s c m chng y sn de r c m.

Slide 36: Lets try to find the prime factorization of 481 now. It is odd, or in other words 2 does not divide iviede check that 3 does not divide it. Long division shows that 5, 7, and 11 do not divide it. We finally find that 13 divides it, and 481=13x37. Checking that 37 is prime, we see that this is precisely its prime factorization.

: 1s shfnji, prime factorization. 2. 3 .4.5.6 .7 ! chng y. s shprime factorization.

Xi yg lzi: Wmen xing yo sbi bshy e s sh fnji, zhodo t deprime factorization. T sh dnsh. Sn miyu fn t. W y miyu. Q y miyu. Shy y miyu. Shsn fn t! Sbi bshy dngy shsn chng y snshq. Ynwi snshq sh s sh suy zh jish t deprime factorization.

Slide 37: Lets try to find the prime factorization of some larger numbers. Heres an example. 2 doesnt divide, 3 doesnt divide, 5 doesnt divide. Ok, this could take a while Finally we find that 1039 divides this number.

1, chl. 2. 3, , , . , 4 , ch sh. 5.6 : s sh? ch sh, pngfnggnch sh,s sh.

Xinzi, wmen sh shyng zhge fngf chl gng d de zhngsh. Zhl yu yg lzi. r miyu fn t, sn miyu fn t, w y miyu fn t, dng dng. Hole, zhge fngf knng zu hnjizuhu, wmen zhodo yg ch sh. Yqin lng snshji fn t. Qngwn: Sh'r wn qqin wbi sshji sh s sh, ma? Ynwi rgu t yu btng zj de ch sh, ydng yu b t zj de pngfnggn gng xio de ch sh, suy t jish s sh.

Slide 38: Were now going to see how this is used in cryptography. We saw in the previous slide that prime factorization is slow when the primes are large. RSA is a cryptographic system which uses this idea. (it is called RSA because Rivest, Shamir, and Adleman created it). How does RSA work? We start out by choosing two large prime numbers. We multiply the numbers together and send the answer to other people. This is freely-available (public) information, and we call this the public key. One needs the secret original primes to unlock the key (or do a long calculation); we call this secret information the private key.

, toln. 1hundng, dngs shynzbinprime factorization bin. RSA (Rivest, Shamir, Adlemanchungzo, R-S-A). 2RSA ? 3, xunzs shjingxing4B d'ngng5yunshs sh. 6s sh, s. , x.

Xinzi, wmen yo toln t zi mm xu de yngf. Zi shng yg hundng pin, wmen kn do dng s sh ynz bin d de shhu prime factorization ji bin mnle. RSA mm xtng ji shyngle zhge xingf (ynwi Rivest, Shamir, h Adleman chungzole t, suy wmen jio t R-S-A). RSA sh znme zu ne? Kish de shhu, wmen xunz ling g hn d de s sh. Rnhu, wmen jing zh ling g shz xing chng. B d'n fasong gi mi grn. Zh jish gnggng xnx, jish suwi de gng yoshi. Xing yo yng zhge"gng yoshi" dki jim de xnx de shhu, n ydng yo zhdo yunsh de ling g s sh. Zh ling g s sh sh mm s de xnx, jish s yoshi. N b zhdo tmen de shhu, n n ji xyo zu hn chng shjin de jsun.

Slide 39: Lets get into some details. Suppose that Alice wants to send a message to Bob. First, she looks up Bobs public key. The next step is to use this key to encrypt the information (this is similar to locking your front door). When the message arrives, Bob then uses his private key to unlock the message (i.e., decrypt the message). Although people in the middle can see the message, they cannot read the original message. The beauty of this encryption system is that Alice and Bob did not have to share any secret information beforehand! This is different than the other encryption methods that we have seen.

, RSAxji. s1AliceBob, Bob.2 , Bob3 (lissudnggngy). Bob4ssu(jim)5Surnjngrnshqngtqinjiohunmm xnxxuxYncbjio

Xinzi, wmen xu yxi RSA fngf de xji. D yg wnt: Gng yoshi/s yoshi znme shyngne? RguAlice xing yo giBob fsng xiox, t d yb sh zhodoBob de gng yoshi. Xi y b, t shyngBob de gng yoshi jim xiox (zh lis y sudng n gngy de mn). Jim de xiox doBob de shhu, t yng t des yoshi ji su zhge xiox (y jish shu t jim xiox). Surn zi zhngjin de rn ky kndo jim de xiox, dnsh tmen bnng d t. Zhge mm xtng zu jngrn de shqng jish tmen byng tqin jiohun mm xnx. Zh gn wmen xux de lngwi y g mm xtng btng. Ync t bjio ho.

Slide 40: Lets see a few more details about RSA. How does one specifically encrypt and decrypt the message in RSA? Firstly, you transform your message into numbers. The public key is a pair of integers e and N.

shnrxji12Jingzhunhum. 3eN. 4xioxm e m (modulo N, 5modular arithmetic). 6SNs shfnjid. d med m modulo N m

N wmen gng shnr d kn yxi RSA de xji. N znme jim? N znme jim? D y b: Jing n de xio x zhunhu wi shz, zhge sh z wmen jiom. Gng yoshi sh y du zhngshe hN. Jim de xiox shm de e c m (modulo N, ng ysi sh wmen yngmodular arithmetic). S yoshi sh ngN de s sh fnji h yg zhngshd. d de ysi sh m dee chng yd c mmodulo N ji dngy m .

Slide 41: What are these numbers we used? N is the product of two primes. The number e is randomly chosen, and it is possible to compute d once you know e and the two prime numbers whose product is N. How do you compute it? The so-called Chinese remainder theorem tells you that you only need to find the answer modulo each prime divisor. Another theorem Fermats little theorem states that m to the power p is congruent to m modulo p for every prime p. If you have an encrypted message, how do you decrypt it? You raise it to the power d, since the encrypted message is m to the power e modulo N and m to the power d times e is equal to m modulo N.

12N s shchngj3esuj xunz4echngjNs shd. Chinese remiainder theorem m amm modulo N dng qi jn dngm amm modulo Ns shynz5Fermats little theorem ps shm pmm modulo p. 6jimm em modulo N rqi m edm modulo Njimdm modulo N. 7xng jychngjNd.

Wmen yng de shz sh shnme?N sh ling g s sh de chngj. N gshze sh suj xunz de. Rgu n zhdoe h chngj dngyN de ling g s sh de shhu, n keyi jsunch ngd. Znme jsun ne? Suwi deChinese remiainder theorem shumng m de a cm dngym modulo N dng qi jn dng m de a cm dngym modulo N de mi yg s sh ynz. Suwi deFermats little theorem shumng rgup sh s sh, nm de p cm dngym modulo p. Rgu n yu yg jim de xiox, n znme jim t ne? Ynwi jim de xiox dngym de e cm modulo N rqi m de e chng yd cm dngym modulo N, suy jim de fngf sh jsun jim xiox de d cm modulo N. Zhge mm xtng de nqun xng jy miyu chngj dngyN de ling g s sh yo jsundhn nn.

Slide 42: Here is an example of the RSA method. Lets take the primes 17 and 13. Their product is 221. Fermats little theorem tells us that m to the power 16 equals one modulo 17 and m to the power 12 equals one modulo 13. An easy calculation implies that m to the power 48 is congruent to one modulo both 17 and 13, and the Chinese remainder theorem then tells us that m to the power 48 is congruent to one modulo 221.

1RSAxunzs sh2chngj 3Fermats little theoremm mmodulo 4m mmodulo 5mcmmodulo modulo 6Chinese Remainder Theorem modulo

Zh sh yg RSA fngf de lzi. Wmen xunz de ling g s sh sh shq h shsn. Tmen de chngj jish rbi rshy. Fermats little theorem shumngm de shli cm dngy y modulo shq,m de sh'r cm dngy y modulo shsn. Wmen hn rngy jsun chm de sshb cm dngy y modulo shq h t y dngy y modulo shsn. NgChinese Remainder Theorem shumng t ji dngy y modulo rbi rshy.

Slide 43: We next choose e=11. The number d that we want to find should satisfy d times e equal to 1 modulo 48. However, this turns out to be equivalent to d times e congruent to 1 modulo 16 and also 1 modulo 3. Which d satisfies the congruence d times e congruent to 1 modulo 16? Since 11 times 3 is 33, which is congruent to 1 modulo 16 (and there are not other solutions), we see that d must be congruent to 11 modulo 16. Since e is 2 modulo 3, d must also be 2 modulo 3. Combining these, we obtain that d is congruent to 35 modulo 48. Now lets encrypt a message with this choice. Lets say that the message is 12. We take 12 to the power 11 and find that this is 142 modulo 221. To decrypt this message, we take 142 to the power 35 and compute that this is 12 modulo 221.

1xunze2d mnzedmodulo edmodulo,edmodulomodulo . d mnzedmodulo ? modulo (qtd'n), dmodulo.3 e modulo , dmodulo . H, d'ndmodulo . rngxunztio4cmmodulo jimcmmodulo

Wmen xunz nge dngy shy. Wmen xing yo zho ded mnz e chng yd dngy ymodulo sshb. Ynwie chng yd dngy ymodulo sshb, suye chng yd jish ymodulo shli ysh ymodulo sn. N ygd mnze chng yd dngy ymodulo shli ne? Ynwi sn chng y shy dngy snshsn dngy ymodulo shli (y miyu qt de d'nle), suyd ydng dngy san modulo shli. e dngy r modulo sn, suyd y ydng dngy rmodulo sn. H zi yq yq, wmen de d'n shd dngy snshwmodulo sshb. Xinzi, rng wmen shyng zhge xunz jim ytio xiox. Rgu wmen de xiox jish sh'r, wmen jsun sh'r de shy cm dngy ybi ssh'rmodulo rbi rshy. Wmen xing yo jim de shhu, wmen jsun ybi ssh'r de snshwc m dngy sh'rmodulo rbi rshy.

Slide 44: There are other one-way functions. One example is elliptic curve cryptography. What is an elliptic curve, and what is the associated one-way function? These are (essentially) solutions to equations y squared equal to f(x), where f(x) is a polynomial of degree 3. Some points on this curve (that is to say solutions (x,y)) are (0,0), (1,0), (-1,0), (2,\sqrt{6}) (-2,\sqrt{6}), and so on.

qtone-way functions. 1Elliptic Curveelliptic curveone-way function? 2(x,y),mnz ycmf(x) . f(x) duxingsh. 3elliptic curve: ycmxcmjin x. 4elliptic curve(dngsh de ji): (,), (,), (f,), (, pngfnggn), (f, ) elliptic curve.

Hi yu qt yxi one-way functions. Yg lzi sh suwi deElliptic Curve mm xu xtng. Shnme sh zhgeelliptic curve ne? T deone-way function sh shnme ne? T jish mi g du (x,y), t mnz y de r c m dngy f(x). F(x) sh snc duxingsh. Lrelliptic curve: Y de r cm dngy x de sn cm jin x. Wmen zhodo yxi zi zhgeelliptic curve shng de din (din de ysi jish zhge dng sh de ji): (Lng, lng), (y, lng), (f y, lng), (r, li de pngfnggn), (f r, li de pngfnggn) ji zi zhgeelliptic curve shng.

Slide 45: We can graph the solutions like this. Between any two points on the curve, there is a unique line. This line hits the curve in a unique third point. This third point comes from the fact that the polynomial has degree three.

1huzhelliptic curve. 2Tngguelliptic curveytiowiyxin. 3tiowiyelliptic curve. tngshelliptic curvecnziduxingsh.

Women ky zhyng huzh zhxielliptic curve shng de din. Tnggu mi ling gzielliptic curve shng de din yu ytio wiy de xin. Zi zh tio xinshng hi yu wiy lngwi d sn g zielliptic curve shng de din. Zh d sn g tngsh zielliptic curve h xinshng de din de cnzi sh ynwi zhge duxingsh de csh sh sn.

Slide 46: Elliptic curves have an addition law. This is called an addition law because it acts a lot like addition of integers. How does the addition work between two points on the elliptic curve? We find the third point lying on the line between these two points and the elliptic curve and then rotate around the x-axis. We also add a point at infinity

1Elliptic curves addition law. bi chngaddition law. elliptic curve,? 2jngguelliptic curve,3 wirox-zhu. 4elliptic curveqing. 5elliptic curveqing. ?

Elliptic curves yu ygaddition law. T bi chng wiaddition law sh ynwi ling g din jif h ling g zhng sh de jif hn xing. Rgu n yu ling g zielliptic curve shng de din, n znme ji tmen ne? Wmen zhodo d sn g zi jnggu tmen de xin helliptic curve shng de din, rnhu wirox-zhu xunzhun. Wmen y shu zielliptic curve shng yu yg din zi wqing. Zielliptic curve shng de wqing din h zhng sh de lng hn xing. Wishnme?

Slide 47: How does one add another point to infinity? For a point P, we choose the vertical line through P to be the line between infinity and P. If we write P=(x,y), then the other point this line is (-x,y). After rotating around the x-axis, we get (x,y), which is the point P. This helps us to understand why we say that infinity on the elliptic curve is like zero in the integers.

1Elliptic curvewqingelliptic curvexing ? 2Pwqingxing, tio jngguPchujnggu.3P(x,y),(x,y). 4Wirox-zhu(x,y).5P. 6, ljiwqing.

Elliptic curve shng de wqing din h lngwi yg zielliptic curve shng de din xing ji ne? Rgu n xing yo yg din P gn wqing din xing ji, wmen shu n tio jnggu din P de chuxin sh jnggu zh ling g din de xin. Rgu P dngy (x,y), zi zhge xin yyu (f x,y). Wirox-zhu xunzhun do (x,y). Zh jish ng din P. Xinzi, wmen lji wishnme wmen shu wqing din gn zhng sh de lng hn xing.

Slide 48: As an example for the addition law, lets consider $y^2=x^3+x-1$. This elliptic curve has the points (1,1) and (2,3). The line y=2x-1 goes through these two points. By solving the equation defining the elliptic curve and the line simultaneously, we see that the third point on this line and the elliptic curve has x equal to 1.

1Elliptic curve: 2xunz ycmxcmxjindngyelliptic curve. 3(,)(,)elliptic curve. 4ychng y xjindngy. elliptic curvemnzelliptic curve dngyfngchngdngyfngchng. 5jifngchngz, x-zubio.

Elliptic curve ji f de lzi: Wmen xunz y de r cm dngy x de sn c m ji x jin y dngy deelliptic curve. Din (y, y) h (r, sn) zi zhgeelliptic curve shng. Zh ling g din du zi y dngy r chng y x jin y dngy de xin shng. D sn g zielliptic curve h xinshng de din y dng mnzelliptic curve dngy de fngchng h xin dngy de fngchng. Wmen ji zhge fngchng z, kn do d sn g din de x-zubio dngy y.

Slide 49: Altogether, we see that adding the points (1,1) and (2,3) on the elliptic curve yields the point (1,-1). Since the line connecting the points (1,1) and (1,-1) is a vertical line, we have (1,1) plus (1,-1) equal to the point at infinity (which we call zero on the elliptic curve). Since (1,1) plus (1,-1) equals zero on the elliptic curve, we call the point (1,-1) the negative of the point (1,1). Can one add a point to itself? If so, how does one do it? Weve seen above that (1,1) plus (2,3) equals (1,1) on the elliptic curve.

1, , elliptic curve (,) (,) (,f). 2(,)(, f)tio chu, (,)(, f)elliptic curvewqing(elliptic curve addition law). (,)(, f)elliptic curve addition law, 3elliptic curve(, f) f(,). 4: elliptic curvexing? , ?5,elliptic curve (,) (,) f (,), chngxnnpiywizhe (,)(,)(,).

Yq, wmen xinzi kn do, zielliptic curve shng de din (y, y) jidin (r, sn) dngy (y, f y). Ynwi du (y, y) h (y, f y) de xin jish ytio chuxin, suy (y, y) ji (y, f y) dngyelliptic curve shng de wqing din (zh sh suwi deelliptic curve addition law de lng). Ynwi (y, y) ji (y, f y) dngyelliptic curve addition law de lng, suy zielliptic curve shng wmen jio din (y, f y) f de din (y, y). Qngwn: Ygelliptic curve shng de din ky h zj xing jim? Rgu t ky, n znme zu ne? Zi qinmin, wmen kn do zielliptic curve shng de (y, y) ji shng (r, sn) dngy f (y, y), suy chngxn npi ywizhe (y, y) ji (y, y) dngy f (r, sn).

Slide 50: Does addition of a point with itself also have a geometric meaning? Is there a line that passes through the point twice? There isnt, but if we choose another point really close to this point, then we can draw a line between these two points. If we keep picking closer and closer points, then we end up with a line that is called the tangent line.

1xingshfujyujhyy2jngguxunzhutiojnggu3xunzyuyuzhnghutiotangent linetiojngguelliptic curve

Yg din h zj xing ji shfu jyu jh yy ne? Yu jnggu zhge din ling c de xin ma? Miyu, dnsh rgu wmen xunz lngwi yg hn jn de din, rnhu wmen ky hu y tio xin jnggu zh ling g din. Rgu wmen hi zi xunz do zhge din yu li yu jn de din, n women zuzhng ky hud n tio suwi detangent line. Zh tio xin jnggu zhge din, y y"elliptic curve xing qi.

Slide 51: What is three times the point (1,1) (by this, we mean the point added to itself 3 times). We have already computed that twice the point (1,1) equals the point (2,-3). Hence we want to add (1,1) to (2,-3).A short calculation gives that the line going through these two points is y equal to -4x+5. Combining this equation with the equation for the elliptic curve yields that x=1,2, or 13. Since the other two points have x=1 and x=2, we conclude that x=13 for the third point. We can compute y=-47 from the equation for the line.

1chngybnshnchngyf. 2 Yncf3gosjngguyfchngy x4fngchngelliptic curvefngchngjudngxxxxfngchngyf.

Sn chng y n din (y, y) dngy shnme (sn chng y (y, y) de ysi jish (y, y) gi ji bnshn snc)? r chng y (y, y) wmen yjng jsunle. T dngy (r, f sn). Ync wmen xing yo jsunle sh (y, y) ji (r, f sn). Yg xio de jsun gos wmen jnggu zh ling g din de xin sh y dngy f s chng y x ji w. Zhge fngchng gnelliptic curve de fngchng yq judngle x dngy y, r, hish shsn. Ynwi lngwi ling g din yu x dngy y h x dngy r, suy d sn g din ydng sh x dngy shsn de. Wmen shyng xin de fngchng zhodo y dngy f sshq.

Slide 52: Altogether, we get that three time (1,1) is (13,-47). If you want to compute 4 times (1,1), 5 times (1,1), and so forth, you can use the same method. The method is repetitive, so it is very easy to teach a computer how to compute n times a point on the elliptic curve (where n is a positive integer). Heres a question: How fast, can you compute 100 times the point (1,1)?

1, (,)(, f). 2 (,), (,), , 3. chngf, 4nelliptic curve(nzhng zhngsh). 5:(,),?

Yq, wmen jsunle sn chng y (y, y) dngy (shsn, f sshq). Rgu n xing yo jsun s chng y (y, y), w chng y (y, y), dng dng, ky yng yyng de fngf. Ynwi zhge fngf sh hn chngf de, suy hn rngy jio yg dinno znme jsun n chng y yg zielliptic curve shng de din (ng n jish yg zhng zhngsh). Qngwn: Ybi chng y (y, y), N ky du kui jsunle chli?

Slide 53: If you follow the method given before, you would have to add 100 times to compute 100 times a point. You can instead multiply by 2, then multiply that point by 2 to get 4 times the original point, then multiply that point by 2 to get 8 times the original point, and so on. Using this, 100 times the point is 64 times the point plus 32 times the point plus 4 times the point. We only need 8 sums to do this calculation! It is much less than 100!. In computer science, this type of trick is usually very helpful in speeding up computations.

1, x. . bielliptic curvechngf. 2biyunsh. biyunshyunsh,. 3,bi.4 ,.! chngf,chngf! k,zhngli sjuqiosd.

Rgu n yng yqin gi de fngf, n n xyo zu zhge jif ybi c. Zhge hn mn. Dnsh jibi zielliptic curve shng de din y ky chngf zule. Jibi ng din ling c ddo s chng y yunsh de din. Jibi s chng y yunsh de din ddo b chng y yunsh de din, dng dng. Yn wi ybi dngy lishs ji snsh'r ji s, suy wmen zhyo jibi li c. Yq, zu b g jif ji. Zhge b yqin xu de fngf gng kui! Y qin de fngf yo chngf ybi c, zhge fngf zh chngf b c! Zi jsun kxu zhng, zh zhngli s de juqio ky jikui jsun sd hndu.

Slide 54: It helped to write 100 in a different way. What did we do to write it this way? We wrote its binary representation to get a faster algorithm. What is binary representation? Here a, b, c, and d are all zero or one. Every positive integer has a unique binary representation. For example 1011 in binary equals 11.

hundngzhngchi1jn zh bioshynsunfzjn zh bioshbinary representationjn zh biosha,b,c,dwiyjn zh biosh3jn zh bioshncmelliptic curvexyojibi4nncm, 5.

Zi shng g hundng pin zhng, ybi de lngwi yzhng zhng btng de fn chi chi bngle wmen hndu mng. Wmen znme xi t ne? Wmen xi t suwi de r jn zh biosh, ddole yg gng kui de ynsun fz (zi yngwn r jn zh biosh jiobinary representation). Jn zh biosh sh shnme? Zhl de zma, zmb, zmc, y zmd du sh lng hish y. Mi g zhng zhngsh yu wiy de r jn zh biosh. Lr: Y lng yy zi r jn zh biosh zhng dngy shy. Rgu n xing yo r de n c m chng y yi ge zielliptic curve shng de din, n zh xyo jibi n c. Ynwi n b r de n c m zhn de gng xio hndu, suy zhge fngf zhn de jikui wmen de jsunle.

Slide 55: So what is the one-way function associated to elliptic curves? If I give you 1000 times a point on the elliptic curve, can you compute the original point? Above we saw that it is easy to compute 1000 times a point when given the point, but the reverse direction seems to be hard, and hence this is a one-way function. The public and private keys are usually smaller with elliptic curve cryptography, but it is harder to implement. This is often the cryptography usually used in Blockchain.

1elliptic curveone-way function? 2elliptic curve, yunsh, yunsh? elliptic curve,nizhun,3 one-way function. 4 elliptic curvechcns yoshichungjinshsh5 elliptic curveq kuilinjngchng.

N shnme shelliptic curve shyng deone-way function ne? Rgu w gi n yqin chng y yg zielliptic curve shng de din, dnsh miyu gi n zhge yunsh de din, n kb ky jsun zhge yunsh de din? Wmen yjng kn do yqin chng y yg zielliptic curve shng de din znme jsunle, dnsh nizhun zhge jsun rnmen jud hn nnle, suy zhge ji sh ygone-way function. Elliptic curve yng de mm xtng yu b RSA gng xio chcn de gng yoshi y s yoshi, suy zhxi yoshi ky hn kui chungjin. T de wnt sh t zi dinno shng gng nn shshle.Elliptic curve mm xtng sh zi q kui lin shng jngchng shyng de mm xtng.

Slide 56: Is there a way to send a private key to share with someone else (these are usually called session keys because they are used together in shared sessions and both people can quickly encrypt and decrypt messages with the private key) without meeting that person beforehand to share the secret information? If I send you the private key, then someone else might steal it in between and replace it with their own; after this, they can pretend to be me. Heres an idea: Maybe I can send you a private key encrypted with your public key (then it is locked so that only you can open it). How do you know that someone in between didnt send you the private key, pretending to be me? You can send back a confirmation encrypted with my public key to verify that Im really me. This is how session keys are sent.

1bnfs yoshiqt2tngchngbi chngsession keys, gngxinghuhuwxqtgngxing 3xings yoshihuirnqiq; jizhung chng 5Yxs yoshibi su zh6 7s yoshijizhung 8hufjio ynsession keys.

Yu miyu bnf fsng yg s yoshi y qt rn yq shyng (zhxi tngchng bi chng wisession keys, ynwi tmen zi gngxing huhu zhng yq shyng d, ling g rn du ky yng s yoshi gng kui de fsng jim han jim xiox), wx shxin y qt rn gngxing mm xnx? Rgu w xing n fsng s yoshi, nme zi zhngjin de huirn knng hu qiq t, rnhu yng t zj de s yoshi; yhu, tmen ky jizhung chng w. Yg xingf: Yx w ky gi n f yg yng n de gng yoshi jim de s yoshi (rnhu t bi su zh sh gunble, zhyu n ky dki t). N znme zhdo zhngjin yurn miyu gi n f s yoshi, jizhung sh w? Nn ky f hu y fn yng w de gng yoshi jim de huf, jio yn w zhn de sh w. Zh sh rh fsngsession keys.

Slide 57: Lets return to one of the difficult questions that we considered at the beginning.

kol

Wmen hu do wmen kish de shhu kol dyg wnt.

Slide 58: Remember that we wanted to share a big calculation, but keep the data secret. Can you trust other people? If others use our encrypted data, can they still do the calculations that we want? If they can how can they do it?

1gngxing. 2xing34

N jd, wmen yo gngxing yg hn d de jsun, dnsh hi yo bom shj. N nng xingxn bi de rn ma? Rgu bi de rn shyng wmen jim de xiox, tmen hi ky zu wmen xing yo de jsun ma? Rgu tmen ky, n znme zu ne?

Slide 59: For some data m, we write the encrypted message as E(m). We would like other people to add and multiply and get the correct answer when we decrypt the message after they do these operations. We would like to give people E(m) and E(n) and have them compute E(n) plus E(m) and E(n) times E(m). When we receive the answer, we should decrypt it and get either m plus n or m times n. Hence we would like to find a cryptosystem which satisfies the two equations below. Encryption which satisfies these two identities is known as homomorphic encryption.

1yunshm. E(m). 2 E(m)E(n), E(m)E(n) E(m)E(n). 3d'njimjimshjmnmnzdng sh.4 mnzdng shhomomorphic encryption.

Wmen jio yunsh de shjm. Rgu wmen shyng yg mm xtng jim t, wmen jio t E(m). Wmen xing yo de sh gi bi de rn E(m) h E(n), rnhu tmen ky jsun E(m) ji E(n) han E(m) chng y E(n). Tmen de d'n huli de shhu, wmen jim t, jim de shj jish m ji n han m chng y n. Suy, wmen xing yo zhodo yg mm xtng, t mnz yxi ling g dng sh. Shyng yg mnz y zh ling g dng sh de mm xtng li jim jiu sh suwi dehomomorphic encryption.

Slide 60: Is homomorphic encryption possible? Have we seen any examples? Caesar cipher doesnt satisfy either equality. RSA satisfies homomorphic multiplication, but not homomorphic addition.

1homomorphic encryptionjingu2Caesar cipher3RSA"homomorphic""homomorphic"

Yu knng zuhomomorphic encryption ma? Wmen jingu zhyng de lzi ma? Caesar cipher bnng zu chngf han jif. Yng RSA de shhu, wmen ky zu"homomorphic"de chngf, dnsh bnng zu"homomorphic"de jif.

Slide 61: There are some rules for the encryption method of course. If someone in the middle sees a lot of encrypted data, they still shouldnt be able to guess which one is zero and which one is one. There is a big problem, however: the rules given two slides ago imply that E(0)=0.

1guz2cic3hundngdng shywizhe E()

Ydng yu yxi guz: shd mm xtng sh nqun de, rgu zi zhngjin de huirn kn do hndu jim de xiox, tmen bnng cic n yg sh lng han n yg sh y. Wmen kui kn do yg d de wnt: Ling zhng hundng pin shng de dng sh ywizhe E(lng) ydng dngylng.

Slide 62: Since 0 always gets encrypted to itself, you can always recognize it. Can we build a cryptosystem where homomorphic encryption is mostly true?

1rnch2chungjinmnzhomomorphic encryptiondng sh3mnzdng shxingxnd'n

Ynwi jim de lng jish lng, suy rnmen ky rnch t. Wmen nng bnng chungjin yg mm xtng, t jim de shj ddu mnzhomomorphic encryption de dng sh ne? Rgu t zh ddu mnz zhxi dng sh, n n kb ky xingxn t de d'n ma?

Slide 63: In 2009, Gentry found that one can add a little bit of noise to get almost homomorphic encryption. The noise is small compared to the answer, so it can be removed/cancelled later. Repeated calculations increase the noise, but it can be done many times before the noise gets too big to cancel it. This leads to homomorphic encryption, but it is quite slow.

1Gentry tnggu tinjizoyn, homomorphic encryption. 2zoynd'nsho huy chxiochChngfzngjizoyn3dngzoynd'nzoynxtng, miyu gunxle4yunbnxiochzoyn homomorphic encryption, 5

r lng lng ji nin, Gentry fxin ky tnggu tinji yxi zoyn, chbdu zu ddohomomorphic encryption. Zhxi zoyn b d'n gng xio hndu, suy t hi ky sho hu y ch (t xioch y ky shu). Chngf jsun hu zngji zoyn. Dng zoyn ti d de shhu, n wmen b zhdo n yg sh d'n, n yg sh zoyn. Yng zhge mm xtng, n hu zu hndu jsun, miyu gunxle. N ky zu hndu jsun, rnhu hu gi yunbn de rn, suy t/t hu xioch zoyn, n n zi zu hndu jsunle. Yng zhge xingf ky ddohomomorphic encryption, dnsh t hi zi hn mn.

Slide 64: The idea is based on the following observation: you can send something that you interpret as zero but other people dont. For example, both midnight and noon are zero on a clock. If you didnt know how many hours a clock had, though, then you wouldn't know that 0, 12, and 24 were all the same thing. So you send the data in one way, but interpret it differently yourself. This is the basis of Gentrys idea.

1jish2jish3Wy456 biosh, 7Gentryjch

Zhge xingf shyng yxi kish din: N ky fsng birn n jish wi dngylng de shj, dnsh rgu tmen yng tmen yng zj de jish, n tmen b zhdo t dngylng. Lr: Wy h zhngw zi shzhng shng do sh lngdin, dnsh rgu bi de rnli b zhdo n de shzhng yu sh'r g xiosh, n tmen y b zhdo lng, sh'r, h rshs du sh yyng shjinle. Suy wmen fsng shj j rn yg biosh, dnsh wmen zj du shj de jish sh btng de. Zh jish Gentry xingf de jch.

Slide 65: There are now LOTS of zeros, so we can pick a different way to write zero each time we send a message. Someone would have to figure out that these are all zero to recognize it. Of course, this pattern is too simple (like Caesar Cipher), so people in the middle can recognize it.

1xun zhikn d dngrnshzhn2mshjindnleCaesar ciphernndcic

Suy wmen xinzi yu hodu hodu de lng sh. Mi c wmen yu xn de wmen xing yo jim de xnx, wmen xun zhi bu tng de lng. Rgu birn xing yo kn d dng wmen jim de xiox, tmen ydng rnsh zhxi btng de lng zhn de du sh lng. Ynwi zhge msh ti jindnle (hanCaesar cipher de nnd ch b du yyng), suy bi de rn ky cic n yg sh lng.

Slide 66: We hence need to combine this trick with some other ideas. We have to also do something to the data so that it isnt clear that it is 0, 12, 24, etc. (but the changed cryptosystem still needs to satisfy the identities of homomorphic encryption). Most methods either dont appear to be safe or they are too slow to do any practical calculations.

1Yncjih2gibingibinrngrnmnzhomomorphic encryptiondng sh3bfnshj.

Ync wmen xyo jih zhge xingf gn bi de xingf. Wmen yo gibin zhge shj, shd birn b zhdo t sh lng, sh'r, rshs, dng dng (dnsh zhge gibin shj de mm xtng rngrn xyo mnzhomomorphic encryption de dng sh!). D bfn fngf b nqun jish zu shj jsun ti mnle.

Slide 67: Its time to get back to work and find the answer! Thank you very much for coming to the talk. I hope that you enjoyed it. Are there any questions?

xnzhoynjing. xwngN wmen yo huq gngzu, h xnzho d'nle. Xixi dji li tnggu w de ynjing. W xwng nmen xhun t. Nmen hi yu wnt ma?

12