Cryptography in the Computer Age: How to use number theory to take over the world
Dr. Stefan Erickson, Dept. of Mathematics & Computer Science
Colorado College
February 15, 2014
What role does cryptography play in your life?
What is Cryptography?
“The practice of the enciphering and deciphering of messages in secret code in order to render them unintelligible to all but the intended receiver.” - Encyclopedia Britannica Online
Cryptosystem = Method of encrypting information
Cryptography = Making cryptosystems
Cryptanalysis = Breaking cryptosystems
Cryptology = Cryptography + Cryptanalysis
Caesar Cipher
Enigma Machine
Bletchley Park
Substitution and Transposition Ciphers
Substitution
Transposition
Most modern cryptosystems use substitution and transposition.
Private Key Encryption
Private Key: Random string of 0s and 1s.
Key = 10111001 01010011 11111011 . . .
Key is combined with Message using ⊕ (exclusive or, bit by bit):
0 ⊕ 0 = 0    0 ⊕ 1 = 1
1 ⊕ 0 = 1    1 ⊕ 1 = 0
Enciphering and Deciphering
Enciphering
    Message: 01010111 01001001 01001110 . . .
  ⊕ Key:     10111001 01010011 11111011 . . .
    Cipher:  11101110 00011010 10110101 . . .
Deciphering
    Cipher:  11101110 00011010 10110101 . . .
  ⊕ Key:     10111001 01010011 11111011 . . .
    Message: 01010111 01001001 01001110 . . .
Advanced Encryption Standard (AES, 2001)
1. AddRoundKey
2. SubBytes
3. ShiftRows
4. MixColumns
- Process is repeated 10, 12, or 14 times.
- Encryption / Decryption is very fast (700 MB/s per thread)
- 2^128, 2^192, or 2^256 keys
- Number of particles in the universe ≈ 2^240
Private Key Exchange
How can private keys be safely transmitted over insecure channels (such as the Internet)?
Public Key Encryption
Key Exchange Protocols
But first: Number Theory!
What is Number Theory?
Number theory is the study of the whole numbers.
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, . . .
- Integer solutions to equations (Pythagorean Triples)
- Patterns in sequences of numbers (Fibonacci Numbers, Pascal’s Triangle)
- Properties of the integers (Prime Numbers)
Modular Arithmetic
One way to study the (infinite) integers is to reduce them to a (finite) set of remainders.
We say that “a is congruent to b modulo n,” or
    a ≡ b (mod n)
if a and b have the same remainder when divided by n. Equivalently, for some integer k,
    a = b + k · n.
Can perform most arithmetic operations (+, −, ×) modulo n.
Powers Modulo n, Prime n
Modulo 7 (each entry is a^k reduced modulo 7; columns are the base a, rows the exponent k)
    a:    1   2   3   4   5   6
    a^1   1   2   3   4   5   6
    a^2   1   4   2   2   4   1
    a^3   1   1   6   1   6   6
    a^4   1   2   4   4   2   1
    a^5   1   4   5   2   3   6
    a^6   1   1   1   1   1   1
Powers will eventually reach 1.
Fermat’s Little Theorem
Theorem (Fermat, 1640)
For any prime p and integer a not divisible by p,
    a^(p−1) ≡ 1 (mod p)
Primality Testing
Fermat’s Little Theorem: a^(p−1) ≡ 1 (mod p)
If a^(n−1) ≢ 1 (mod n) for some integer a, then n is composite.
Unfortunately, there are composites called absolute pseudoprimes such that a^(n−1) ≡ 1 (mod n) for all integers a relatively prime to n. (First example is n = 561.)
Variations on this test can quickly identify primes hundreds of digits long.
Powers Modulo n, Composite n
Modulo 10 (only the bases relatively prime to 10; each entry is a^k reduced modulo 10)
    a:    1   3   7   9
    a^1   1   3   7   9
    a^2   1   9   9   1
    a^3   1   7   3   9
    a^4   1   1   1   1
If the integer a is relatively prime to n, the powers of a will eventually reach 1.
Euler’s Theorem
Theorem (Euler, 1763)
For any integer n and integer a relatively prime to n,
    a^φ(n) ≡ 1 (mod n)
where φ(n) is the number of integers between 1 and n with no common factors with n.
φ(n) depends on the prime factorization of n. In particular, if n = p · q for two primes p and q, then
    φ(n) = (p − 1) · (q − 1)
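An added example (not code from the talk) that rebuilds the two powers tables, runs the Fermat test against the absolute pseudoprime 561 named on the slide, and applies Miller-Rabin as one of the "variations on this test"; the primes 61 and 53 used to check φ(p · q) = (p − 1)(q − 1) are constructed values.

```python
"""Fermat's little theorem, Euler's theorem and Fermat-style primality testing.

Added example, not from the original talk.  Only the standard library is used.
"""
from math import gcd
import random


def power_table(n: int, max_exp: int) -> dict[int, list[int]]:
    """The slide's table: for each base a relatively prime to n, the list
    a^1, a^2, ..., a^max_exp reduced modulo n."""
    return {a: [pow(a, k, n) for k in range(1, max_exp + 1)]
            for a in range(1, n) if gcd(a, n) == 1}


def phi(n: int) -> int:
    """Euler's phi by the slide's definition: integers 1..n with no common
    factor with n.  Brute force, so only for small n."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def euler_theorem_holds(n: int) -> bool:
    """a^phi(n) == 1 (mod n) for every a relatively prime to n."""
    e = phi(n)
    return all(pow(a, e, n) == 1 for a in range(1, n) if gcd(a, n) == 1)


def fermat_says_composite(n: int, a: int) -> bool:
    """Fermat test with base a: a^(n-1) != 1 (mod n) proves n composite.
    False means 'no evidence from this base', NOT 'n is prime'."""
    return pow(a, n - 1, n) != 1


def trial_division_prime(n: int) -> bool:
    """Exact primality by trial division (toy sizes only)."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def is_absolute_pseudoprime(n: int) -> bool:
    """True if n is composite yet a^(n-1) == 1 (mod n) for EVERY base a
    relatively prime to n, i.e. the Fermat test can never expose it."""
    if trial_division_prime(n) or n < 4:
        return False
    return all(not fermat_says_composite(n, a)
               for a in range(2, n) if gcd(a, n) == 1)


def is_probable_prime(n: int, rounds: int = 20, seed: int = 2014) -> bool:
    """Miller-Rabin.  Write n-1 = 2^s * d (d odd) and follow the chain
    a^d, a^(2d), ..., a^(2^(s-1) d): for a prime it must hit 1 only via -1.
    Each round lets a composite slip through with probability at most 1/4.
    The seed is fixed only so the example is reproducible."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    s, d = 0, n - 1
    while d % 2 == 0:
        s, d = s + 1, d // 2
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False          # a is a witness: n is composite
    return True


if __name__ == "__main__":
    print("mod 7 :", power_table(7, 6))     # every row ends in 1 (Fermat)
    print("mod 10:", power_table(10, 4))    # rows for 1, 3, 7, 9 end in 1 (Euler)
    print("561 fools Fermat for every coprime base:", is_absolute_pseudoprime(561))
    print("Miller-Rabin on 561:", is_probable_prime(561))
    print("phi(61*53) == 60*52:", phi(61 * 53) == 60 * 52)
```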
Public Key Encryption
RSA (Rivest, Shamir, Adleman, 1978)
Alice’s Public Key
  Chooses two random primes p, q.
  Computes n = p · q and φ(n) = (p − 1) · (q − 1).
  Chooses some encrypting key e.
  Solves d · e ≡ 1 (mod φ(n)).
Bob
  Wants to send message M.
  Computes C ≡ M^e (mod n).
  Sends C to Alice.
Alice
  Computes M ≡ C^d (mod n).
Public Key: (e, n)    Private Key: (d, n)
Why does it work? Euler’s Theorem:
    C^d ≡ (M^e)^d ≡ M^(d·e) ≡ M^(1 + k·φ(n)) ≡ M^1 · (M^φ(n))^k ≡ M · (1)^k ≡ M (mod n)
RSA Problem
RSA Problem: Given n and e, solve d · e ≡ 1 (mod φ(n)).
Note: This is very easy if you know the prime factors of n, using the Euclidean Algorithm.
Factoring Problem: Given n = p · q, find p and q.
Best known factoring algorithm: General Number Field Sieve
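Textbook RSA following the slide's recipe, as an added example that is not the talk's own code: p = 61, q = 53, e = 17 and the message 65 are constructed toy values, and the extended Euclidean algorithm does the job the note above assigns it (finding d once φ(n) is known).

```python
"""Textbook RSA on toy numbers, step by step as on the slide.

Added example, not from the talk.  Real keys use primes hundreds of digits
long and never encrypt a raw integer without padding; this is the bare math.
"""


def extended_gcd(a: int, b: int) -> tuple[int, int, int]:
    """Euclidean algorithm, extended to return (g, x, y) with a*x + b*y = g."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def solve_rsa_problem(e: int, phi_n: int) -> int:
    """The slide's 'RSA Problem': solve d*e = 1 (mod phi(n)).
    Easy here only because phi(n), i.e. the factorisation, is known."""
    g, d, _ = extended_gcd(e, phi_n)
    if g != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return d % phi_n


def keygen(p: int, q: int, e: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Alice: n = p*q, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n).
    Returns (public key (e, n), private key (d, n))."""
    n, phi_n = p * q, (p - 1) * (q - 1)
    return (e, n), (solve_rsa_problem(e, phi_n), n)


def encrypt(m: int, public: tuple[int, int]) -> int:
    """Bob: C = M^e (mod n), with 0 <= M < n."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(c: int, private: tuple[int, int]) -> int:
    """Alice: M = C^d (mod n)."""
    d, n = private
    return pow(c, d, n)


def euler_argument_checks_out(m: int, p: int, q: int, e: int) -> bool:
    """Replays the slide's proof numerically: d*e = 1 + k*phi(n), so
    C^d = M^(1 + k*phi(n)) = M * (M^phi(n))^k = M (mod n)."""
    public, private = keygen(p, q, e)
    n, phi_n, d = p * q, (p - 1) * (q - 1), private[0]
    k = (d * e - 1) // phi_n                    # d*e = 1 + k*phi(n) exactly
    if d * e != 1 + k * phi_n:
        return False
    lhs = pow(encrypt(m, public), d, n)         # C^d
    rhs = m * pow(pow(m, phi_n, n), k, n) % n   # M * (M^phi(n))^k
    return lhs == rhs == m % n


if __name__ == "__main__":
    public, private = keygen(61, 53, 17)        # constructed toy parameters
    c = encrypt(65, public)
    print("public", public, "private", private, "C =", c, "M =", decrypt(c, private))
```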
Factoring Large Numbers
Largest number ever factored is 232 digits (December 12, 2009):
1230186684530117755130494958384962720772853569595334792197
3224521517264005072636575187452021997864693899564749427740
6384592519255732630345373154826850791702612214291346167042
9214311602221240479274737794080665351419597459856902143413
=
3347807169895689878604416984821269081770479498371376856891
2431388982883793878002287614711652531743087737814467999489
×
3674604366679959042824463379962795263227915816434308764267
6032283815739666511279233373417143396810270092798736308917
For secure RSA, n must be at least 300 digits long; 600 digits are recommended.
Key Exchange Protocol
Diffie-Hellman Key Exchange (1976)
Alice and Bob decide on a large prime p and a base number g.
Alice
  Chooses random number a.
  Calculates A ≡ g^a (mod p).
  Sends A to Bob.
Bob
  Chooses random number b.
  Calculates B ≡ g^b (mod p).
  Sends B to Alice.
Alice calculates K ≡ B^a (mod p).    Bob calculates K ≡ A^b (mod p).
Secret Key: K ≡ B^a ≡ A^b ≡ g^(ab) (mod p)
Diffie-Hellman Problem: Given p, g, A ≡ g^a, B ≡ g^b (mod p), find g^(ab) (mod p).
Discrete Logarithm Problem: Given p, g, and A ≡ g^a (mod p), find a.
Discrete Logarithm Problem
Discrete Logarithm Problem: Given p, g, and A ≡ g^a (mod p), find a.
Given g and A = g^a in the real numbers:
    A = g^a
    log A = log(g^a)
    log A = a · log g
    a = log A / log g
MUCH harder modulo p, since the powers of g “wrap around” and produce essentially random numbers between 1 and p − 1.
Best known attack: Index Calculus (p should be 1000 digits)
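The mod-p exchange above as added Python (not the talk's code), with the two checks a careful implementation performs before trusting a received value: that g generates a large prime-order subgroup, and that the peer's public value lies in it. The parameters p = 23, q = 11, g = 2 are constructed toy values; real deployments use standardised primes of 2048 bits or more.

```python
"""Diffie-Hellman modulo a prime, with parameter and public-value validation.

Added example, not from the talk.  p = 23 is a safe prime (23 = 2*11 + 1) and
g = 2 generates the subgroup of order q = 11; both are toy-sized and constructed.
"""
import secrets


def trial_division_prime(n: int) -> bool:
    """Exact primality by trial division (toy sizes only)."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def is_safe_prime_pair(p: int, q: int) -> bool:
    """True if p = 2q + 1 with p and q both prime."""
    return p == 2 * q + 1 and trial_division_prime(p) and trial_division_prime(q)


def order(g: int, p: int) -> int:
    """Smallest k >= 1 with g^k = 1 (mod p): the size of the group g generates.
    A g of small order would confine K to a handful of values."""
    k, x = 1, g % p
    while x != 1:
        x, k = x * g % p, k + 1
    return k


def powers(g: int, p: int) -> list[int]:
    """g^1, g^2, ..., g^(p-1) mod p: the 'wrapped around' sequence the slide
    describes, with none of the monotone order that makes real logs easy."""
    return [pow(g, a, p) for a in range(1, p)]


def valid_public_value(x: int, p: int, q: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup."""
    return 1 < x < p - 1 and pow(x, q, p) == 1


def random_exponent(q: int) -> int:
    """Private exponent in [1, q-1] from the OS CSPRNG (never random.random)."""
    return 1 + secrets.randbelow(q - 1)


def dh_exchange(p: int, g: int, q: int, a: int, b: int) -> tuple[int, int, int]:
    """Run the slide's exchange with Alice's exponent a and Bob's exponent b.
    Returns (A, B, K); raises if a received value fails validation."""
    if not (is_safe_prime_pair(p, q) and order(g, p) == q):
        raise ValueError("parameters do not give a prime-order subgroup")
    A = pow(g, a, p)                  # Alice sends A = g^a
    B = pow(g, b, p)                  # Bob sends B = g^b
    if not (valid_public_value(A, p, q) and valid_public_value(B, p, q)):
        raise ValueError("received public value outside the expected subgroup")
    k_alice = pow(B, a, p)            # Alice: K = B^a
    k_bob = pow(A, b, p)              # Bob:   K = A^b
    if k_alice != k_bob or k_alice != pow(g, a * b, p):
        raise AssertionError("K = B^a = A^b = g^(ab) must agree")
    return A, B, k_alice


if __name__ == "__main__":
    p, q, g = 23, 11, 2
    print("powers of 2 mod 23:", powers(g, p)[:11])
    print(dh_exchange(p, g, q, random_exponent(q), random_exponent(q)))
```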
RSA and Diffie-Hellman
Advantages:
- Easy to implement
- Universal (> 90% of all key exchanges)
Disadvantages:
- Large modulus ⇒ SLOW (on the order of seconds)
- Someone could find a faster algorithm for factoring or discrete logarithms.
Necessary to find a better, faster way of exchanging keys.
Elliptic Curve Cryptography
Elliptic Curves: y^2 = x^3 + Ax + B
Addition Law on Elliptic Curves
Two points P1, P2 determine a line, which intersects the curve at a third point P3. The sum P1 + P2 is the reflection of P3 across the x-axis.
This addition law turns an elliptic curve into an abelian group. In order to avoid infinite groups or round-off errors, the coordinates (x, y) come from a finite field (usually the integers modulo a large prime).
Elliptic Curve Diffie-Hellman
Alice and Bob choose an elliptic curve E, prime p, and point P.
Alice
  Chooses random number a.
  Calculates A = a · P.
  Sends A to Bob.
Bob
  Chooses random number b.
  Calculates B = b · P.
  Sends B to Alice.
Alice calculates K = a · B.    Bob calculates K = b · A.
Secret Key: K = a · B = b · A = (ab) · P
Elliptic Curve Discrete Logarithm Problem: Given E, P, and A = a · P, find a.
Elliptic Curve Discrete Logarithm Problem
Elliptic Curve Discrete Logarithm Problem: Given E, P, and A = a · P, find a.
Best known attacks on Elliptic Curves:
- Baby-Step Giant-Step
- Pollard’s Rho Method
- Pollard’s Kangaroo Method
All these algorithms run in O(√p) = O(e^((1/2) log p)) time.
Must use primes that are ≈ 80 digits long.
Elliptic Curve Diffie-Hellman runs in milliseconds on modern computers.
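The chord-and-tangent addition law and the Elliptic Curve Diffie-Hellman exchange from the slides, as an added example that is not the talk's code. The curve y^2 = x^3 + 2x + 3 over the integers modulo 97 with base point P = (3, 6) is a constructed toy instance (P has order 5, so every value can be checked by hand); the on-curve check before using a received point is the caveat a practitioner adds, since a point off the agreed curve can leak the private scalar.

```python
"""Elliptic-curve group law over a prime field, plus ECDH on a toy curve.

Added example, not from the talk.  Curve, prime and base point are constructed
for illustration; a real curve uses a prime of roughly 80 digits (~256 bits).
"""
from dataclasses import dataclass
from typing import Optional

Point = Optional[tuple[int, int]]      # None stands for the point at infinity O


@dataclass(frozen=True)
class Curve:
    a: int
    b: int
    p: int

    def contains(self, pt: Point) -> bool:
        """y^2 = x^3 + a*x + b (mod p); O is always on the curve."""
        if pt is None:
            return True
        x, y = pt
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P1: Point, P2: Point) -> Point:
        """The slide's law: the line through P1 and P2 meets the curve at P3,
        and P1 + P2 is P3 reflected across the x-axis.  Slopes use modular
        inverses, so there are no round-off errors."""
        if P1 is None:
            return P2
        if P2 is None:
            return P1
        (x1, y1), (x2, y2) = P1, P2
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                        # vertical line: P + (-P) = O
        if P1 == P2:                           # tangent line at P1
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:                                  # chord through P1, P2
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p   # the reflection step
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """k * P by double-and-add, k >= 0."""
        result, addend = None, P
        while k:
            if k & 1:
                result = self.add(result, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return result

    def order(self, P: Point) -> int:
        """Smallest k >= 1 with k*P = O (brute force, toy curves only)."""
        k, Q = 1, P
        while Q is not None:
            Q, k = self.add(Q, P), k + 1
        return k


def ecdh(curve: Curve, P: Point, a: int, b: int) -> tuple[Point, Point, Point]:
    """The slide's exchange: Alice sends A = a*P, Bob sends B = b*P, both compute
    K = a*B = b*A = (ab)*P.  Each side rejects a received point that is not on
    the agreed curve before multiplying by its secret."""
    A, B = curve.mul(a, P), curve.mul(b, P)
    if not (curve.contains(A) and curve.contains(B)):
        raise ValueError("received point is not on the agreed curve")
    k_alice, k_bob = curve.mul(a, B), curve.mul(b, A)
    if k_alice != k_bob or k_alice != curve.mul(a * b, P):
        raise AssertionError("a*B = b*A = (ab)*P must agree")
    return A, B, k_alice


TOY = Curve(a=2, b=3, p=97)            # constructed toy curve y^2 = x^3 + 2x + 3
BASE: Point = (3, 6)                   # constructed base point of order 5

if __name__ == "__main__":
    print("multiples of P:", [TOY.mul(k, BASE) for k in range(1, 6)])
    print("ECDH with a=2, b=3:", ecdh(TOY, BASE, 2, 3))
```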
Quantum Computers
Quantum computers make use of entanglement of “qubits,” arranged in a probabilistic superposition of all possible states.
- Polynomial-time factoring and discrete logarithm algorithms.
- Would break virtually every public-key and key-exchange cryptosystem.
- Only a small number of entangled qubits have been created.
Post-quantum cryptography is based on problems not currently solvable by quantum computers (lattice-based, code-based, multivariate cryptography).
Where Does Cryptography Go Wrong?
• Cryptographic Primitive
• Protocol
• Implementation
• Administration
• User
Cryptographic Primitive
SHA-1 Hash Function
• Hash functions are one-way functions which produce a digital “fingerprint.”
• Hash functions are used to prevent forged digital signatures.
• In 2005, a method was found for producing SHA-1 collisions (two inputs with identical fingerprints) that is 2000 times faster than exhaustive search.
Protocol
Impersonation
• Eve substitutes her public key for Alice’s key.
• Bob looks up Alice’s key, receives Eve’s key instead, and encrypts with it.
• Eve intercepts Bob’s coded message and decrypts it.
• Eve could then use Alice’s key to send a false message, made to look like it came from Bob.
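The substitution above succeeds only because Bob trusts the directory blindly. This added example (not from the talk) models the same lookup twice: once naively, and once with the key checked against a fingerprint Bob obtained out of band. Public keys are stand-in byte strings, constructed for illustration, since the binding of name to key is the point rather than the key mathematics.

```python
import hashlib
import hmac

# Constructed sample keys: opaque byte strings stand in for real public keys so
# the example stays self-contained; what matters is the binding name -> key.
ALICE_KEY = b"alice-public-key-bytes (constructed)"
EVE_KEY = b"eve-public-key-bytes (constructed)"


def fingerprint(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()


class KeyDirectory:
    """Unauthenticated key directory: whoever can write to it controls lookups."""

    def __init__(self):
        self.entries = {}

    def publish(self, name: str, pubkey: bytes) -> None:
        self.entries[name] = pubkey

    def lookup(self, name: str) -> bytes:
        return self.entries[name]


def naive_lookup(directory: KeyDirectory, name: str) -> bytes:
    # Bob trusts whatever the directory returns (the failure in the slide).
    return directory.lookup(name)


def pinned_lookup(directory: KeyDirectory, name: str, pins: dict) -> bytes:
    # Bob compares the fetched key with a fingerprint he obtained out of band
    # (for example, read aloud in person) before encrypting anything to it.
    key = directory.lookup(name)
    if not hmac.compare_digest(fingerprint(key), pins[name]):
        raise ValueError(f"public key for {name} does not match pinned fingerprint")
    return key


def scenario() -> tuple:
    """Returns (naive Bob encrypts to Eve?, pinned Bob detects substitution?)."""
    directory = KeyDirectory()
    directory.publish("alice", ALICE_KEY)
    pins = {"alice": fingerprint(ALICE_KEY)}   # Bob recorded this earlier
    directory.publish("alice", EVE_KEY)        # Eve substitutes her key
    fooled = naive_lookup(directory, "alice") == EVE_KEY
    try:
        pinned_lookup(directory, "alice", pins)
        detected = False
    except ValueError:
        detected = True
    return fooled, detected
```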
Implementation
Weak Key Generation
• Predictable information (such as date or IP address) used in key generation.
• Pseudo-random number generator uses the same seed multiple times.
• A study showed that 0.2% of RSA keys shared a common prime.
• Snowden leaks revealed that the NSA gave $10 million to RSA to weaken their random number generator.
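The 0.2% figure comes from an audit that looked for primes shared between unrelated RSA moduli. This added example (not from the talk) reproduces that audit on toy keys: each prime is drawn from a seeded PRNG, two keys are generated with the same seed, and a pairwise GCD sweep exposes the shared prime. The 64-bit primes and the seeds are constructed for illustration; a real audit runs over 1024- or 2048-bit moduli and uses a batch-GCD algorithm instead of all pairs.

```python
import math
import random
from itertools import combinations

# Witness bases that make Miller-Rabin deterministic for n < 3.3e24,
# far more than the 64-bit toy primes used here.
_WITNESSES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for w in _WITNESSES:
        if n % w == 0:
            return n == w
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _WITNESSES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(rng: random.Random, bits: int = 64) -> int:
    """Draw odd candidates with the top bit set until one is prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand


def rsa_modulus(seed_p: int, seed_q: int) -> int:
    # Toy key generation: each prime comes from its own PRNG seed, so a seed
    # reused across keys reproduces the same prime (the flaw on the slide).
    return random_prime(random.Random(seed_p)) * random_prime(random.Random(seed_q))


def shared_primes(moduli):
    # Pairwise GCD audit: a non-trivial gcd is a prime shared by two keys,
    # and dividing it out factors both moduli completely.
    found = []
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = math.gcd(n1, n2)
        if 1 < g < n1:
            found.append((i, j, g))
    return found
```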
Administration
Failure to install:
• system patches and upgrades
• anti-virus software and upgrades
• network upgrades
• firewalls
• encryption software
• physical security
Also vulnerable to system administrators creating back doors, false accounts, etc.
User
• Improper administration of personal computers.
• Poor choice, default, or no password.
• Using the same password on many systems or for too long a time.
• Losing computers with sensitive data.
• “Phishing” scams.
• Inserting “found” CDs or flash drives into personal computers.
Edward Snowden Leaks
• Much of the information gathered by the NSA is metadata: when, where, by whom, and to whom communication is made.
• Most NSA spying finds ways around cryptography (backdoors, capturing information before encryption, data obtained directly from companies).
• The pseudo-random number generator used in RSA was likely compromised by the NSA.
• The cryptographic primitives (RSA, DH, ECDH) appear not to be broken by the NSA.
Conclusion
• Cryptography, which plays a crucial role in cybersecurity, is based on hard problems in number theory.
• Human nature is hard to change, so we must design systems that are resistant to malicious attacks.
• Our society has to decide the proper balance between security, privacy, and convenience.
• Our security and privacy come down to trust.