Transcript of Josh Benaloh Brian LaMacchia Winter 2011. January 6, 2011Practical Aspects of Modern Cryptography...
- Slide 1
- Josh Benaloh Brian LaMacchia Winter 2011
- Slide 2
- January 6, 2011Practical Aspects of Modern Cryptography
Cryptography is... Protecting Privacy of Data Authentication of
Identities Preservation of Integrity basically any protocols
designed to operate in an environment absent of universal trust.
2
- Slide 3
- January 6, 2011Practical Aspects of Modern Cryptography
Characters 3
- Slide 4
- January 6, 2011Practical Aspects of Modern Cryptography
Characters Alice 4
- Slide 5
- January 6, 2011Practical Aspects of Modern Cryptography
Characters Bob 5
- Slide 6
- January 6, 2011Practical Aspects of Modern Cryptography Basic
Communication Alice talking to Bob 6
- Slide 7
- January 6, 2011Practical Aspects of Modern Cryptography Another
Character Eve 7
- Slide 8
- January 6, 2011Practical Aspects of Modern Cryptography Basic
Communication Problem Eve listening to Alice talking to Bob 8
- Slide 9
- January 6, 2011Practical Aspects of Modern Cryptography
Two-Party Environments Alice Bob 9
- Slide 10
- January 6, 2011Practical Aspects of Modern Cryptography Remote
Coin Flipping Alice and Bob decide to make a decision by flipping a
coin. Alice and Bob are not in the same place. 10
- Slide 11
- January 6, 2011Practical Aspects of Modern Cryptography Ground
Rule Protocol must be asynchronous. We cannot assume simultaneous
actions. Players must take turns. 11
- Slide 12
- January 6, 2011Practical Aspects of Modern Cryptography Is
Remote Coin Flipping Possible? 12
- Slide 13
- January 6, 2011Practical Aspects of Modern Cryptography Is
Remote Coin Flipping Possible? Two-part answer: 13
- Slide 14
- January 6, 2011Practical Aspects of Modern Cryptography Is
Remote Coin Flipping Possible? Two-part answer: NO I will sketch a
formal proof. 14
- Slide 15
- January 6, 2011Practical Aspects of Modern Cryptography Is
Remote Coin Flipping Possible? Two-part answer: NO I will sketch a
formal proof. YES I will provide an effective protocol. 15
- Slide 16
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: 16
- Slide 17
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B B A BA A B BAB B B BA BA BB A AB
17
- Slide 18
- January 6, 2011Practical Aspects of Modern Cryptography Pruning
the Tree A B A B A BB A 18
- Slide 19
- January 6, 2011Practical Aspects of Modern Cryptography Pruning
the Tree A B A B A: B: 19
- Slide 20
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B B A BA A B BAB B B BA BA BB A AB
20
- Slide 21
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B B A BA A BB B BA BA BB A AB
21
- Slide 22
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B B A BA A BB B BA BA BBB 22
- Slide 23
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B A BA A BB B BA BA BBB 23
- Slide 24
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B A BA A B BA BA BBB 24
- Slide 25
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B A BA A B A BA BBB 25
- Slide 26
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B A BA A B A BA B 26
- Slide 27
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B A A B A BA B 27
- Slide 28
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: BA B A BA B 28
- Slide 29
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: BAB BA B 29
- Slide 30
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: BABB 30
- Slide 31
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: A 31
- Slide 32
- January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A 32
- Slide 33
- January 6, 2011Practical Aspects of Modern Cryptography
Completing the Pruning When the pruning is complete one will end up
with either 33
- Slide 34
- January 6, 2011Practical Aspects of Modern Cryptography
Completing the Pruning When the pruning is complete one will end up
with either a winner before the protocol has begun, or 34
- Slide 35
- January 6, 2011Practical Aspects of Modern Cryptography
Completing the Pruning When the pruning is complete one will end up
with either a winner before the protocol has begun, or a useless
infinite game. 35
- Slide 36
- January 6, 2011Practical Aspects of Modern Cryptography
Conclusion of Part I Remote coin flipping is utterly impossible!!!
36
- Slide 37
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin 37
- Slide 38
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 38
- Slide 39
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 0 4 8 12 16 39
- Slide 40
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 40
- Slide 41
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14
18 41
- Slide 42
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14
18 3 7 11 15 19 42
- Slide 43
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14
18 3 7 11 15 19 Even 43
- Slide 44
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14
18 3 7 11 15 19 4n + 1: 4n - 1: 44
- Slide 45
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14
18 3 7 11 15 19 Type +1: Type - 1: 45
- Slide 46
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Fact 1 Multiplying two (odd) integers of the
same type always yields a product of Type +1. (4p+1)(4q+1) =
16pq+4p+4q+1 = 4(4pq+p+q)+1 (4p1)(4q1) = 16pq4p4q+1 = 4(4pqpq)+1
46
- Slide 47
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Fact 2 There is no known method (other than
factoring) to distinguish a product of two Type +1 integers from a
product of two Type 1 integers. 47
- Slide 48
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Fact 3 Factoring large integers is believed to
be much harder than multiplying large integers. 48
- Slide 49
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin 49
- Slide 50
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin AliceBob 50
- Slide 51
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Alice Randomly select a bit b { 1} and two
large integers P and Q both of type b. Bob 51
- Slide 52
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Alice Randomly select a bit b { 1} and two
large integers P and Q both of type b. Compute N = PQ. Bob 52
- Slide 53
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Alice Randomly select a bit b { 1} and two
large integers P and Q both of type b. Compute N = PQ. Send N to
Bob. Bob 53
- Slide 54
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Alice Bob N 54
- Slide 55
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Alice Randomly select a bit b { 1} and two
large integers P and Q both of type b. Compute N = PQ. Send N to
Bob. Bob 55
- Slide 56
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Bob After receiving N from Alice, guess the
value of b and send this guess to Alice. Alice Randomly select a
bit b { 1} and two large integers P and Q both of type b. Compute N
= PQ. Send N to Bob. 56
- Slide 57
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Alice Bob b 57
- Slide 58
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Bob After receiving N from Alice, guess the
value of b and send this guess to Alice. Alice Randomly select a
bit b { 1} and two large integers P and Q both of type b. Compute N
= PQ. Send N to Bob. 58
- Slide 59
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Bob After receiving N from Alice, guess the
value of b and send this guess to Alice. Bob wins if and only if he
correctly guesses the value of b. Alice Randomly select a bit b {
1} and two large integers P and Q both of type b. Compute N = PQ.
Send N to Bob. 59
- Slide 60
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Bob After receiving N from Alice, guess the
value of b and send this guess to Alice. Bob wins if and only if he
correctly guesses the value of b. Alice Randomly select a bit b {
1} and two large integers P and Q both of type b. Compute N = PQ.
Send N to Bob. After receiving b from Bob, reveal P and Q. 60
- Slide 61
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Alice Bob P,QP,Q 61
- Slide 62
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Bob After receiving N from Alice, guess the
value of b and send this guess to Alice. Bob wins if and only if he
correctly guesses the value of b. Alice Randomly select a bit b {
1} and two large integers P and Q both of type b. Compute N = PQ.
Send N to Bob. After receiving b from Bob, reveal P and Q. 62
- Slide 63
- January 6, 2011Practical Aspects of Modern Cryptography Lets
Play The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19
Type +1: Type - 1: 63
- Slide 64
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Bob After receiving N from Alice, guess the
value of b and send this guess to Alice. Bob wins if and only if he
correctly guesses the value of b. Alice Randomly select a bit b {
1} and two large integers P and Q both of type b. Compute N = PQ.
Send N to Bob. After receiving b from Bob, reveal P and Q. 64
- Slide 65
- January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Bob After receiving N from Alice, guess the
value of b and send this guess to Alice. Bob wins if and only if he
correctly guesses the value of b. Alice Randomly select a bit b {
1} and two large primes P and Q both of type b. Compute N = PQ.
Send N to Bob. After receiving b from Bob, reveal P and Q. 65
- Slide 66
- January 6, 2011Practical Aspects of Modern Cryptography
Checking Primality Basic result from group theory If p is a prime,
then for integers a such that 0 < a < p, then a p - 1 mod p =
1. This is almost never true when p is composite. 66
- Slide 67
- January 6, 2011Practical Aspects of Modern Cryptography How are
the Answers Reconciled? 67
- Slide 68
- January 6, 2011Practical Aspects of Modern Cryptography The
impossibility proof assumed unlimited computational ability. How
are the Answers Reconciled? 68
- Slide 69
- January 6, 2011Practical Aspects of Modern Cryptography The
impossibility proof assumed unlimited computational ability. The
protocol is not 50/50 Bob has a small advantage. How are the
Answers Reconciled? 69
- Slide 70
- January 6, 2011Practical Aspects of Modern Cryptography
Applications of Remote Flipping Remote Card Playing Internet
Gambling Various Fair Agreement Protocols 70
- Slide 71
- January 6, 2011Practical Aspects of Modern Cryptography Bit
Commitment We have implemented remote coin flipping via bit
commitment. Commitment protocols can also be used for Sealed
bidding Undisclosed contracts Authenticated predictions 71
- Slide 72
- January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions We have implemented bit commitment via one-way functions.
One-way functions can be used for Authentication Data integrity
Strong randomness 72
- Slide 73
- January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions 73
- Slide 74
- January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions Two basic classes of one-way functions 74
- Slide 75
- January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions Two basic classes of one-way functions Mathematical
75
- Slide 76
- January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions Two basic classes of one-way functions Mathematical
Multiplication: Z=X Y 76
- Slide 77
- January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions Two basic classes of one-way functions Mathematical
Multiplication: Z=X Y Modular Exponentiation: Z = Y X mod N 77
- Slide 78
- January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions Two basic classes of one-way functions Mathematical
Multiplication: Z=XY Modular Exponentiation: Z = Y X mod N Ugly
78
- Slide 79
- January 6, 2011Practical Aspects of Modern Cryptography The
Fundamental Equation Z=Y X mod N 79
- Slide 80
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Arithmetic 80
- Slide 81
- Modular Arithmetic Z mod N is the integer remainder when Z is
divided by N. January 6, 2011Practical Aspects of Modern
Cryptography81
- Slide 82
- Modular Arithmetic Z mod N is the integer remainder when Z is
divided by N. The Division Theorem For all integers Z and N>0,
there exist unique integers Q and R such that Z = Q N + R and 0 R
N. January 6, 2011Practical Aspects of Modern Cryptography82
- Slide 83
- Modular Arithmetic Z mod N is the integer remainder when Z is
divided by N. The Division Theorem For all integers Z and N>0,
there exist unique integers Q and R such that Z = Q N + R and 0 R
N. By definition, this unique R = Z mod N. January 6, 2011Practical
Aspects of Modern Cryptography83
- Slide 84
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Arithmetic To compute (A+B) mod N, compute (A+B) and take the
result mod N. 84
- Slide 85
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Arithmetic To compute (A+B) mod N, compute (A+B) and take the
result mod N. To compute (A-B) mod N, compute (A-B) and take the
result mod N. 85
- Slide 86
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Arithmetic To compute (A+B) mod N, compute (A+B) and take the
result mod N. To compute (A-B) mod N, compute (A-B) and take the
result mod N. To compute (AB) mod N, compute (AB) and take the
result mod N. 86
- Slide 87
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Arithmetic To compute (A+B) mod N, compute (A+B) and take the
result mod N. To compute (A-B) mod N, compute (A-B) and take the
result mod N. To compute (AB) mod N, compute (AB) and take the
result mod N. To compute (AB) mod N, 87
- Slide 88
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Division 88
- Slide 89
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Division What is the value of (12) mod 7? We need a solution to 2x
mod 7 = 1. 89
- Slide 90
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Division What is the value of (12) mod 7? We need a solution to 2x
mod 7 = 1. Try x = 4. 90
- Slide 91
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Division What is the value of (12) mod 7? We need a solution to 2x
mod 7 = 1. Try x = 4. What is the value of (75) mod 11? We need a
solution to 5x mod 11 = 7. 91
- Slide 92
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Division What is the value of (12) mod 7? We need a solution to 2x
mod 7 = 1. Try x = 4. What is the value of (75) mod 11? We need a
solution to 5x mod 11 = 7. Try x = 8. 92
- Slide 93
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Division 93
- Slide 94
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Division Is modular division always well-defined? 94
- Slide 95
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Division Is modular division always well-defined? (13) mod 6 = ?
95
- Slide 96
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Division Is modular division always well-defined? (13) mod 6 = ? 3x
mod 6 = 1 has no solution! 96
- Slide 97
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Division Is modular division always well-defined? (13) mod 6 = ? 3x
mod 6 = 1 has no solution! Fact (AB) mod N always has a solution
when gcd(B,N) = 1. 97
- Slide 98
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Division Fact 1 (AB) mod N always has a solution when gcd(B,N) = 1.
98
- Slide 99
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Division Fact 1 (AB) mod N always has a solution when gcd(B,N) = 1.
Fact 2 (AB) mod N never has a solution when gcd(A,B) = 1 and
gcd(B,N) 1. 99
- Slide 100
- January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors 100
- Slide 101
- January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors gcd(A, B) = gcd(B, A B) 101
- Slide 102
- January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors gcd(A, B) = gcd(B, A B) since any common
factor of A and B is also a factor of A B and since any common
factor of B and A B is also a factor of A. 102
- Slide 103
- January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors gcd(A, B) = gcd(B, A B) gcd(21,12) =
gcd(12,9) = gcd(9,3) = gcd(3,6) = gcd(6,3) = gcd(3,3) = gcd(3,0) =
3 103
- Slide 104
- January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors gcd(A, B) = gcd(B, A B) 104
- Slide 105
- January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors gcd(A, B) = gcd(B, A B) gcd(A, B) = gcd(B,
A kB) for any integer k. 105
- Slide 106
- January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors gcd(A, B) = gcd(B, A B) gcd(A, B) = gcd(B,
A kB) for any integer k. gcd(A, B) = gcd(B, A mod B) 106
- Slide 107
- January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors gcd(A, B) = gcd(B, A B) gcd(A, B) = gcd(B,
A kB) for any integer k. gcd(A, B) = gcd(B, A mod B) gcd(21,12) =
gcd(12,9) = gcd(9,3) = gcd(3,0) = 3 107
- Slide 108
- January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm Given integers A and B, find integers
X and Y such that AX + BY = gcd(A,B). 108
- Slide 109
- January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm Given integers A and B, find integers
X and Y such that AX + BY = gcd(A,B). When gcd(A,B) = 1, solve AX
mod B = 1, by finding X and Y such that AX + BY = gcd(A,B) = 1.
109
- Slide 110
- January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm Given integers A and B, find integers
X and Y such that AX + BY = gcd(A,B). When gcd(A,B) = 1, solve AX
mod B = 1, by finding X and Y such that AX + BY = gcd(A,B) = 1.
Compute (CA) mod B as C(1A) mod B. 110
- Slide 111
- January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm gcd(35, 8) = gcd(8, 35 mod 8) = gcd(8,
3) = gcd(3, 8 mod 3) = gcd(3, 2) = gcd(2, 3 mod 2) = gcd(2, 1) =
gcd(1, 2 mod 1) = gcd(1, 0) = 1 111
- Slide 112
- January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm 35 = 8 4 + 3 112
- Slide 113
- January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm 35 = 8 4 + 3 8 = 3 2 + 2 113
- Slide 114
- January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm 35 = 8 4 + 3 8 = 3 2 + 2 3 = 2 1 + 1
114
- Slide 115
- January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm 35 = 8 4 + 3 8 = 3 2 + 2 3 = 2 1 + 1 2
= 1 2 + 0 115
- Slide 116
- January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm 35 = 8 4 + 3 3 = 35 8 4 8 = 3 2 + 2 2
= 8 3 2 3 = 2 1 + 1 1 = 3 2 1 2 = 1 2 + 0 116
- Slide 117
- January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm 3 = 35 8 4 2 = 8 3 2 1 = 3 2 1
117
- Slide 118
- January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm 3 = 35 8 4 2 = 8 3 2 1 = 3 2 1 = (35 8
4) (8 3 2) 1 118
- Slide 119
- January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm 3 = 35 8 4 2 = 8 3 2 1 = 3 2 1 = (35 8
4) (8 3 2) 1 = (35 8 4) (8 (35 8 4) 2) 1 119
- Slide 120
- January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm 3 = 35 8 4 2 = 8 3 2 1 = 3 2 1 = (35 8
4) (8 3 2) 1 = (35 8 4) (8 (35 8 4) 2) 1 = 35 3 8 13 120
- Slide 121
- January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm 121
- Slide 122
- January 6, 2011Practical Aspects of Modern Cryptography The
Fundamental Equation Z=Y X mod N 122
- Slide 123
- January 6, 2011Practical Aspects of Modern Cryptography The
Fundamental Equation Z=Y X mod N When Z is unknown, it can be
efficiently computed. 123
- Slide 124
- January 6, 2011Practical Aspects of Modern Cryptography The
Fundamental Equation Z=Y X mod N When X is unknown, the problem is
known as the discrete logarithm and is generally believed to be
hard to solve. 124
- Slide 125
- January 6, 2011Practical Aspects of Modern Cryptography The
Fundamental Equation Z=Y X mod N When Y is unknown, the problem is
known as discrete root finding and is generally believed to be hard
to solve... 125
- Slide 126
- January 6, 2011Practical Aspects of Modern Cryptography The
Fundamental Equation Z=Y X mod N unless the factorization of N is
known. 126
- Slide 127
- January 6, 2011Practical Aspects of Modern Cryptography The
Fundamental Equation Z=Y X mod N The problem is not well-studied
for the case when N is unknown. 127
- Slide 128
- January 6, 2011Practical Aspects of Modern Cryptography
Implementation Z=Y X mod N 128
- Slide 129
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N 129
- Slide 130
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Compute Y X and then reduce mod N. 130
- Slide 131
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Compute Y X and then reduce mod N. If X, Y, and N
each are 2,048-bit integers, Y X consists of ~2 2059 bits. 131
- Slide 132
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Compute Y X and then reduce mod N. If X, Y, and N
each are 2,048-bit integers, Y X consists of ~2 2059 bits. Since
there are roughly 2 250 particles in the universe, storage is a
problem. 132
- Slide 133
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N 133
- Slide 134
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Repeatedly multiplying by Y (followed each time
by a reduction modulo N) X times solves the storage problem.
134
- Slide 135
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Repeatedly multiplying by Y (followed each time
by a reduction modulo N) X times solves the storage problem.
However, we would need to perform ~2 900 64-bit multiplications per
second to complete the computation before the sun burns out.
135
- Slide 136
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N 136
- Slide 137
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Multiplication by Repeated Doubling 137
- Slide 138
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Multiplication by Repeated Doubling To compute X
Y, 138
- Slide 139
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Multiplication by Repeated Doubling To compute X
Y, compute Y, 2Y, 4Y, 8Y, 16Y, 139
- Slide 140
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Multiplication by Repeated Doubling To compute X
Y, compute Y, 2Y, 4Y, 8Y, 16Y, and sum up those values dictated by
the binary representation of X. 140
- Slide 141
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Multiplication by Repeated Doubling To compute X
Y, compute Y, 2Y, 4Y, 8Y, 16Y, and sum up those values dictated by
the binary representation of X. Example: 26Y = 2Y + 8Y + 16Y.
141
- Slide 142
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N 142
- Slide 143
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Exponentiation by Repeated Squaring 143
- Slide 144
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Exponentiation by Repeated Squaring To compute Y
X, 144
- Slide 145
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Exponentiation by Repeated Squaring To compute Y
X, compute Y, Y 2, Y 4, Y 8, Y 16, 145
- Slide 146
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Exponentiation by Repeated Squaring To compute Y
X, compute Y, Y 2, Y 4, Y 8, Y 16, and multiply those values
dictated by the binary representation of X. 146
- Slide 147
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Exponentiation by Repeated Squaring To compute Y
X, compute Y, Y 2, Y 4, Y 8, Y 16, and multiply those values
dictated by the binary representation of X. Example: Y 26 = Y 2 Y 8
Y 16. 147
- Slide 148
- January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N We can now perform a 2,048-bit modular
exponentiation using ~3,072 2,048-bit modular multiplications.
2,048 squarings: y, y 2, y 4, , y 2 2048 ~1024 ordinary
multiplications 148
- Slide 149
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Operations Addition and Subtraction Multiplication
Division and Remainder (Mod N) Exponentiation 149
- Slide 150
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Addition + 150
- Slide 151
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Addition + 151
- Slide 152
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Addition + 152
- Slide 153
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Addition + 153
- Slide 154
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Addition + 154
- Slide 155
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Addition + 155
- Slide 156
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Addition In general, adding two large integers each
consisting of n small blocks requires O(n) small-integer additions.
Large-integer subtraction is similar. 156
- Slide 157
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Multiplication 157
- Slide 158
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Multiplication 158
- Slide 159
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Multiplication 159
- Slide 160
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Multiplication 160
- Slide 161
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Multiplication 161
- Slide 162
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Multiplication 162
- Slide 163
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Multiplication In general, multiplying two large
integers each consisting of n small blocks requires O(n 2 )
small-integer multiplications and O(n) large-integer additions.
163
- Slide 164
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Squaring 164
- Slide 165
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Squaring 165
- Slide 166
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Squaring 166
- Slide 167
- January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Squaring Careful bookkeeping can save nearly half of
the small-integer multiplications (and nearly half of the time).
167
- Slide 168
- January 6, 2011Practical Aspects of Modern Cryptography Recall
computing Y X mod N About 2/3 of the multiplications required to
compute Y X are actually squarings. Overall, efficient squaring can
save about 1/3 of the small multiplications required for modular
exponentiation. 168
- Slide 169
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD
169
- Slide 170
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given
4 coefficients A, B, C, and D, 170
- Slide 171
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given
4 coefficients A, B, C, and D, we need to compute 3 values:
171
- Slide 172
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given
4 coefficients A, B, C, and D, we need to compute 3 values: AC,
AD+BC, and BD. 172
- Slide 173
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given
4 coefficients A, B, C, and D, we need to compute 3 values: AC,
AD+BC, and BD. 173
- Slide 174
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given
4 coefficients A, B, C, and D, we need to compute 3 values: AC,
AD+BC, and BD. 174
- Slide 175
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given
4 coefficients A, B, C, and D, we need to compute 3 values: AC,
AD+BC, and BD. 175
- Slide 176
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition 176
- Slide 177
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition 177
- Slide 178
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition 178
- Slide 179
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition 179
- Slide 180
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition 180
- Slide 181
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition 181
- Slide 182
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition 182
- Slide 183
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD 183
- Slide 184
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 184
- Slide 185
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 185
- Slide 186
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 186
- Slide 187
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 187
- Slide 188
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 188
- Slide 189
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 189
- Slide 190
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 190
- Slide 191
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 191
- Slide 192
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 192
- Slide 193
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 193
- Slide 194
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication This can be done on integers as well as on
polynomials, but its not as nice on integers because of carries.
The larger the integers, the larger the benefit. 194
- Slide 195
- January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (A 2 k +B)(C 2 k +D) = AC 2 2k + (AD+BC) 2
k + BD 4 multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 195
- Slide 196
- January 6, 2011Practical Aspects of Modern Cryptography Chinese
Remaindering If X = A mod P, X = B mod Q, and gcd(P,Q) = 1, then X
mod PQ can be computed as X = AQ(Q -1 mod P) + BP(P -1 mod Q).
196
- Slide 197
- January 6, 2011Practical Aspects of Modern Cryptography Chinese
Remaindering If N = PQ, then a computation mod N can be
accomplished by performing the same computation mod P and again mod
Q and then using Chinese Remaindering to derive the answer to the
mod N computation. 197
- Slide 198
- January 6, 2011Practical Aspects of Modern Cryptography Chinese
Remaindering Since modular exponentiation of n-bit integers
requires O(n 3 ) time, performing two modular exponentiations on
half size values requires only about one quarter of the time of a
single n-bit modular exponentiation. 198
- Slide 199
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Reduction Generally, computing (A B) mod N requires much more than
twice the time to compute A B. 199
- Slide 200
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Reduction Generally, computing (A B) mod N requires much more than
twice the time to compute A B. Large-integer division is 200
- Slide 201
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Reduction Generally, computing (A B) mod N requires much more than
twice the time to compute A B. Large-integer division is slow
201
- Slide 202
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Reduction Generally, computing (A B) mod N requires much more than
twice the time to compute A B. Large-integer division is slow
cumbersome 202
- Slide 203
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Reduction Generally, computing (A B) mod N requires much more than
twice the time to compute A B. Large-integer division is slow
cumbersome disgusting 203
- Slide 204
- January 6, 2011Practical Aspects of Modern Cryptography Modular
Reduction Generally, computing (A B) mod N requires much more than
twice the time to compute A B. Large-integer division is slow
cumbersome disgusting wretched 204
- Slide 205
- January 6, 2011Practical Aspects of Modern Cryptography The
Montgomery Method The Montgomery Method performs a domain transform
to a domain in which the modular reduction operation can be
achieved by multiplication and simple truncation. Since a single
modular exponentiation requires many modular multiplications and
reductions, transforming the arguments is well justified. 205
- Slide 206
- January 6, 2011Practical Aspects of Modern Cryptography
Montgomery Multiplication Let A, B, and M be n-block integers
represented in base x with 0 M x n. Let R = x n. GCD(R,M) = 1. The
Montgomery Product of A and B modulo M is the integer ABR 1 mod M.
Let M = M 1 mod R and S = ABM mod R. Fact: (AB+SM)/R ABR 1 (mod M).
206
- Slide 207
- January 6, 2011Practical Aspects of Modern Cryptography Using
the Montgomery Product The Montgomery Product ABR 1 mod M can be
computed in the time required for two ordinary large-integer
multiplications. Montgomery transform: A AR mod M. The Montgomery
product of (AR mod M) and (BR mod M) is (ABR mod M). 207
- Slide 208
- January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions Z=Y X mod N 208
- Slide 209
- January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions Informally, F : X Y is a one-way if Given x, y = F(x) is
easily computable. Given y, it is difficult to find any x for which
y = F(x). 209
- Slide 210
- January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions The family of functions F Y,N (X) = Y X mod N is believed
to be one-way for most N and Y. 210
- Slide 211
- January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions The family of functions F Y,N (X) = Y X mod N is believed
to be one-way for most N and Y. No one has ever proven a function
to be one-way, and doing so would, at a minimum, yield as a
consequence that P NP. 211
- Slide 212
- January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions When viewed as a two-argument function, the (candidate)
one-way function F N (Y,X) = Y X mod N also satisfies a useful
additional property which has been termed quasi-commutivity:
F(F(Y,X 1 ),X 2 ) = F(F(Y,X 2 ),X 1 ) since Y X 1 X 2 = Y X 2 X 1.
212
- Slide 213
- January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange AliceBob 213
- Slide 214
- January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange Alice Randomly select a large integer a
and send A = Y a mod N. Bob Randomly select a large integer b and
send B = Y b mod N. 214
- Slide 215
- January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange Alice Bob A B 215
- Slide 216
- January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange Alice Randomly select a large integer a
and send A = Y a mod N. Bob Randomly select a large integer b and
send B = Y b mod N. 216
- Slide 217
- January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange Alice Randomly select a large integer a
and send A = Y a mod N. Compute the key K = B a mod N. Bob Randomly
select a large integer b and send B = Y b mod N. Compute the key K
= A b mod N. 217
- Slide 218
- January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange Alice Randomly select a large integer a
and send A = Y a mod N. Compute the key K = B a mod N. Bob Randomly
select a large integer b and send B = Y b mod N. Compute the key K
= A b mod N. B a = Y ba = Y ab = A b 218
- Slide 219
- January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange 219
- Slide 220
- January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange What does Eve see? 220
- Slide 221
- January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange What does Eve see? Y, Y a, Y b 221
- Slide 222
- January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange What does Eve see? Y, Y a, Y b but the
exchanged key is Y ab. 222
- Slide 223
- January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange What does Eve see? Y, Y a, Y b but the
exchanged key is Y ab. Belief: Given Y, Y a, Y b it is difficult to
compute Y ab. 223
- Slide 224
- January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange What does Eve see? Y, Y a, Y b but the
exchanged key is Y ab. Belief: Given Y, Y a, Y b it is difficult to
compute Y ab. Contrast with discrete logarithm assumption: Given Y,
Y a it is difficult to compute a. 224
- Slide 225
- January 6, 2011Practical Aspects of Modern Cryptography More on
Quasi-Commutivity Quasi-commutivity has additional applications.
decentralized digital signatures membership testing digital
time-stamping 225
- Slide 226
- January 6, 2011Practical Aspects of Modern Cryptography One-Way
Trap-Door Functions Z=Y X mod N 226
- Slide 227
- January 6, 2011Practical Aspects of Modern Cryptography One-Way
Trap-Door Functions Z=Y X mod N Recall that this equation is
solvable for Y if the factorization of N is known, but is believed
to be hard otherwise. 227
- Slide 228
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Public-Key Cryptosystem AliceAnyone 228
- Slide 229
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Public-Key Cryptosystem Alice Select two large random primes P
& Q. Anyone 229
- Slide 230
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Public-Key Cryptosystem Alice Select two large random primes P
& Q. Publish the product N=PQ. Anyone 230
- Slide 231
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Public-Key Cryptosystem Alice Select two large random primes P
& Q. Publish the product N=PQ. Anyone To send message Y to
Alice, compute Z=Y X mod N. 231
- Slide 232
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Public-Key Cryptosystem Alice Select two large random primes P
& Q. Publish the product N=PQ. Anyone To send message Y to
Alice, compute Z=Y X mod N. Send Z and X to Alice. 232
- Slide 233
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Public-Key Cryptosystem Alice Select two large random primes P
& Q. Publish the product N=PQ. Use knowledge of P & Q to
compute Y. Anyone To send message Y to Alice, compute Z=Y X mod N.
Send Z and X to Alice. 233
- Slide 234
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Public-Key Cryptosystem In practice, the exponent X is almost
always fixed to be X = 65537 = 2 16 + 1. 234
- Slide 235
- January 6, 2011Practical Aspects of Modern Cryptography Some
RSA Details When N=PQ is the product of distinct primes, Y X mod N
= Y whenever X mod (P-1)(Q-1) = 1 and 0 Y N. 235
- Slide 236
- January 6, 2011Practical Aspects of Modern Cryptography Some
RSA Details When N=PQ is the product of distinct primes, Y X mod N
= Y whenever X mod (P-1)(Q-1) = 1 and 0 Y N. Alice can easily
select integers E and D such that E D mod (P-1)(Q-1) = 1. 236
- Slide 237
- January 6, 2011Practical Aspects of Modern Cryptography Some
RSA Details Encryption: E(Y) = Y E mod N. Decryption: D(Y) = Y D
mod N. D(E(Y)) = (Y E mod N) D mod N = Y ED mod N = Y 237
- Slide 238
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Signatures 238
- Slide 239
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Signatures An additional property 239
- Slide 240
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Signatures An additional property D(E(Y)) = Y ED mod N = Y 240
- Slide 241
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Signatures An additional property D(E(Y)) = Y ED mod N = Y E(D(Y))
= Y DE mod N = Y 241
- Slide 242
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Signatures An additional property D(E(Y)) = Y ED mod N = Y E(D(Y))
= Y DE mod N = Y Only Alice (knowing the factorization of N) knows
D. Hence only Alice can compute D(Y) = Y D mod N. 242
- Slide 243
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Signatures An additional property D(E(Y)) = Y ED mod N = Y E(D(Y))
= Y DE mod N = Y Only Alice (knowing the factorization of N) knows
D. Hence only Alice can compute D(Y) = Y D mod N. This D(Y) serves
as Alices signature on Y. 243
- Slide 244
- January 6, 2011Practical Aspects of Modern Cryptography Public
Key Directory 244
- Slide 245
- January 6, 2011Practical Aspects of Modern Cryptography Public
Key Directory (Recall that E is commonly fixed to be E=65537.)
245
- Slide 246
- January 6, 2011Practical Aspects of Modern Cryptography
Certificate Authority Alices public modulus is N A = 331490324840
-- signed CA. 246
- Slide 247
- January 6, 2011Practical Aspects of Modern Cryptography Trust
Chains Alice certifies Bobs key. Bob certifies Carols key. If I
trust Alice should I accept Carols key? 247
- Slide 248
- January 6, 2011Practical Aspects of Modern Cryptography
Authentication 248
- Slide 249
- January 6, 2011Practical Aspects of Modern Cryptography
Authentication How can I use RSA to authenticate someones identity?
249
- Slide 250
- January 6, 2011Practical Aspects of Modern Cryptography
Authentication How can I use RSA to authenticate someones identity?
If Alices public key E A, just pick a random message m and send E A
(m). 250
- Slide 251
- January 6, 2011Practical Aspects of Modern Cryptography
Authentication How can I use RSA to authenticate someones identity?
If Alices public key E A, just pick a random message m and send E A
(m). If m comes back, I must be talking to Alice. 251
- Slide 252
- January 6, 2011Practical Aspects of Modern Cryptography
Authentication Should Alice be happy with this method of
authentication? 252
- Slide 253
- January 6, 2011Practical Aspects of Modern Cryptography
Authentication Should Alice be happy with this method of
authentication? Bob sends Alice the authentication string y = I owe
Bob $1,000,000 - signed Alice. 253
- Slide 254
- January 6, 2011Practical Aspects of Modern Cryptography
Authentication Should Alice be happy with this method of
authentication? Bob sends Alice the authentication string y = I owe
Bob $1,000,000 - signed Alice. Alice dutifully authenticates
herself by decrypting (putting her signature on) y. 254
- Slide 255
- January 6, 2011Practical Aspects of Modern Cryptography
Authentication What if Alice only returns authentication queries
when the decryption has a certain format? 255
- Slide 256
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Cautions Is it reasonable to sign/decrypt something given to you by
someone else? Note that RSA is multiplicative. Can this property be
used/abused? 256
- Slide 257
- January 6, 2011Practical Aspects of Modern Cryptography RSA
Cautions D(Y 1 ) D(Y 2 ) = D(Y 1 Y 2 ) Thus, if Ive decrypted (or
signed) Y 1 and Y 2, Ive also decrypted (or signed) Y 1 Y 2.
257
- Slide 258
- January 6, 2011Practical Aspects of Modern Cryptography The
Hastad Attack Given E 1 (x) = x 3 mod n 1 E 2 (x) = x 3 mod n 2 E 3
(x) = x 3 mod n 3 one can easily compute x. 258
- Slide 259
- January 6, 2011Practical Aspects of Modern Cryptography The
Bleichenbacher Attack PKCS#1 Message Format: 00 01 XX XX... XX 00
YY YY... YY random non-zero bytes message 259
- Slide 260
- January 6, 2011Practical Aspects of Modern Cryptography
Man-in-the-Middle Attacks 260
- Slide 261
- January 6, 2011Practical Aspects of Modern Cryptography The
Practical Side 261
- Slide 262
- January 6, 2011Practical Aspects of Modern Cryptography The
Practical Side RSA can be used to encrypt any data. 262
- Slide 263
- January 6, 2011Practical Aspects of Modern Cryptography The
Practical Side RSA can be used to encrypt any data. Public-key
(asymmetric) cryptography is very inefficient when compared to
traditional private-key (symmetric) cryptography. 263
- Slide 264
- January 6, 2011Practical Aspects of Modern Cryptography The
Practical Side 264
- Slide 265
- January 6, 2011Practical Aspects of Modern Cryptography The
Practical Side For efficiency, one generally uses RSA (or another
public-key algorithm) to transmit a private (symmetric) key.
265
- Slide 266
- January 6, 2011Practical Aspects of Modern Cryptography The
Practical Side For efficiency, one generally uses RSA (or another
public-key algorithm) to transmit a private (symmetric) key. The
private session key is used to encrypt any subsequent data.
266
- Slide 267
- January 6, 2011Practical Aspects of Modern Cryptography The
Practical Side For efficiency, one generally uses RSA (or another
public-key algorithm) to transmit a private (symmetric) key. The
private session key is used to encrypt any subsequent data. Digital
signatures are only used to sign a digest of the message. 267