Josh Benaloh Brian LaMacchia Winter 2011. January 6, 2011Practical Aspects of Modern Cryptography...

267
Practical Aspects of Modern Cryptography Josh Benaloh Brian LaMacchia Winter 2011

  • date post

    19-Dec-2015

  • Category

    Documents

  • view

    215

  • download

    0

TAGS:

Transcript of Josh Benaloh Brian LaMacchia Winter 2011. January 6, 2011Practical Aspects of Modern Cryptography...

  • Slide 1
  • Josh Benaloh Brian LaMacchia Winter 2011
  • Slide 2
  • January 6, 2011Practical Aspects of Modern Cryptography Cryptography is... Protecting Privacy of Data Authentication of Identities Preservation of Integrity basically any protocols designed to operate in an environment absent of universal trust. 2
  • Slide 3
  • January 6, 2011Practical Aspects of Modern Cryptography Characters 3
  • Slide 4
  • January 6, 2011Practical Aspects of Modern Cryptography Characters Alice 4
  • Slide 5
  • January 6, 2011Practical Aspects of Modern Cryptography Characters Bob 5
  • Slide 6
  • January 6, 2011Practical Aspects of Modern Cryptography Basic Communication Alice talking to Bob 6
  • Slide 7
  • January 6, 2011Practical Aspects of Modern Cryptography Another Character Eve 7
  • Slide 8
  • January 6, 2011Practical Aspects of Modern Cryptography Basic Communication Problem Eve listening to Alice talking to Bob 8
  • Slide 9
  • January 6, 2011Practical Aspects of Modern Cryptography Two-Party Environments Alice Bob 9
  • Slide 10
  • January 6, 2011Practical Aspects of Modern Cryptography Remote Coin Flipping Alice and Bob decide to make a decision by flipping a coin. Alice and Bob are not in the same place. 10
  • Slide 11
  • January 6, 2011Practical Aspects of Modern Cryptography Ground Rule Protocol must be asynchronous. We cannot assume simultaneous actions. Players must take turns. 11
  • Slide 12
  • January 6, 2011Practical Aspects of Modern Cryptography Is Remote Coin Flipping Possible? 12
  • Slide 13
  • January 6, 2011Practical Aspects of Modern Cryptography Is Remote Coin Flipping Possible? Two-part answer: 13
  • Slide 14
  • January 6, 2011Practical Aspects of Modern Cryptography Is Remote Coin Flipping Possible? Two-part answer: NO I will sketch a formal proof. 14
  • Slide 15
  • January 6, 2011Practical Aspects of Modern Cryptography Is Remote Coin Flipping Possible? Two-part answer: NO I will sketch a formal proof. YES I will provide an effective protocol. 15
  • Slide 16
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A: B: A: B: 16
  • Slide 17
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A: B: A: B: B B A BA A B BAB B B BA BA BB A AB 17
  • Slide 18
  • January 6, 2011Practical Aspects of Modern Cryptography Pruning the Tree A B A B A BB A 18
  • Slide 19
  • January 6, 2011Practical Aspects of Modern Cryptography Pruning the Tree A B A B A: B: 19
  • Slide 20
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A: B: A: B: B B A BA A B BAB B B BA BA BB A AB 20
  • Slide 21
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A: B: A: B: B B A BA A BB B BA BA BB A AB 21
  • Slide 22
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A: B: A: B: B B A BA A BB B BA BA BBB 22
  • Slide 23
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A: B: A: B: B A BA A BB B BA BA BBB 23
  • Slide 24
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A: B: A: B: B A BA A B BA BA BBB 24
  • Slide 25
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A: B: A: B: B A BA A B A BA BBB 25
  • Slide 26
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A: B: A: B: B A BA A B A BA B 26
  • Slide 27
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A: B: A: B: B A A B A BA B 27
  • Slide 28
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A: B: A: B: BA B A BA B 28
  • Slide 29
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A: B: A: B: BAB BA B 29
  • Slide 30
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A: B: A: B: BABB 30
  • Slide 31
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A: B: A: B: A 31
  • Slide 32
  • January 6, 2011Practical Aspects of Modern Cryptography A Protocol Flow Tree A 32
  • Slide 33
  • January 6, 2011Practical Aspects of Modern Cryptography Completing the Pruning When the pruning is complete one will end up with either 33
  • Slide 34
  • January 6, 2011Practical Aspects of Modern Cryptography Completing the Pruning When the pruning is complete one will end up with either a winner before the protocol has begun, or 34
  • Slide 35
  • January 6, 2011Practical Aspects of Modern Cryptography Completing the Pruning When the pruning is complete one will end up with either a winner before the protocol has begun, or a useless infinite game. 35
  • Slide 36
  • January 6, 2011Practical Aspects of Modern Cryptography Conclusion of Part I Remote coin flipping is utterly impossible!!! 36
  • Slide 37
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin 37
  • Slide 38
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin The INTEGERS 38
  • Slide 39
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin The INTEGERS 0 4 8 12 16 39
  • Slide 40
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 40
  • Slide 41
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14 18 41
  • Slide 42
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19 42
  • Slide 43
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19 Even 43
  • Slide 44
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19 4n + 1: 4n - 1: 44
  • Slide 45
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19 Type +1: Type - 1: 45
  • Slide 46
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Fact 1 Multiplying two (odd) integers of the same type always yields a product of Type +1. (4p+1)(4q+1) = 16pq+4p+4q+1 = 4(4pq+p+q)+1 (4p1)(4q1) = 16pq4p4q+1 = 4(4pqpq)+1 46
  • Slide 47
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Fact 2 There is no known method (other than factoring) to distinguish a product of two Type +1 integers from a product of two Type 1 integers. 47
  • Slide 48
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Fact 3 Factoring large integers is believed to be much harder than multiplying large integers. 48
  • Slide 49
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin 49
  • Slide 50
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin AliceBob 50
  • Slide 51
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Alice Randomly select a bit b { 1} and two large integers P and Q both of type b. Bob 51
  • Slide 52
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Alice Randomly select a bit b { 1} and two large integers P and Q both of type b. Compute N = PQ. Bob 52
  • Slide 53
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Alice Randomly select a bit b { 1} and two large integers P and Q both of type b. Compute N = PQ. Send N to Bob. Bob 53
  • Slide 54
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Alice Bob N 54
  • Slide 55
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Alice Randomly select a bit b { 1} and two large integers P and Q both of type b. Compute N = PQ. Send N to Bob. Bob 55
  • Slide 56
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Bob After receiving N from Alice, guess the value of b and send this guess to Alice. Alice Randomly select a bit b { 1} and two large integers P and Q both of type b. Compute N = PQ. Send N to Bob. 56
  • Slide 57
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Alice Bob b 57
  • Slide 58
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Bob After receiving N from Alice, guess the value of b and send this guess to Alice. Alice Randomly select a bit b { 1} and two large integers P and Q both of type b. Compute N = PQ. Send N to Bob. 58
  • Slide 59
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Bob After receiving N from Alice, guess the value of b and send this guess to Alice. Bob wins if and only if he correctly guesses the value of b. Alice Randomly select a bit b { 1} and two large integers P and Q both of type b. Compute N = PQ. Send N to Bob. 59
  • Slide 60
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Bob After receiving N from Alice, guess the value of b and send this guess to Alice. Bob wins if and only if he correctly guesses the value of b. Alice Randomly select a bit b { 1} and two large integers P and Q both of type b. Compute N = PQ. Send N to Bob. After receiving b from Bob, reveal P and Q. 60
  • Slide 61
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Alice Bob P,QP,Q 61
  • Slide 62
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Bob After receiving N from Alice, guess the value of b and send this guess to Alice. Bob wins if and only if he correctly guesses the value of b. Alice Randomly select a bit b { 1} and two large integers P and Q both of type b. Compute N = PQ. Send N to Bob. After receiving b from Bob, reveal P and Q. 62
  • Slide 63
  • January 6, 2011Practical Aspects of Modern Cryptography Lets Play The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19 Type +1: Type - 1: 63
  • Slide 64
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Bob After receiving N from Alice, guess the value of b and send this guess to Alice. Bob wins if and only if he correctly guesses the value of b. Alice Randomly select a bit b { 1} and two large integers P and Q both of type b. Compute N = PQ. Send N to Bob. After receiving b from Bob, reveal P and Q. 64
  • Slide 65
  • January 6, 2011Practical Aspects of Modern Cryptography How to Remotely Flip a Coin Bob After receiving N from Alice, guess the value of b and send this guess to Alice. Bob wins if and only if he correctly guesses the value of b. Alice Randomly select a bit b { 1} and two large primes P and Q both of type b. Compute N = PQ. Send N to Bob. After receiving b from Bob, reveal P and Q. 65
  • Slide 66
  • January 6, 2011Practical Aspects of Modern Cryptography Checking Primality Basic result from group theory If p is a prime, then for integers a such that 0 < a < p, then a p - 1 mod p = 1. This is almost never true when p is composite. 66
  • Slide 67
  • January 6, 2011Practical Aspects of Modern Cryptography How are the Answers Reconciled? 67
  • Slide 68
  • January 6, 2011Practical Aspects of Modern Cryptography The impossibility proof assumed unlimited computational ability. How are the Answers Reconciled? 68
  • Slide 69
  • January 6, 2011Practical Aspects of Modern Cryptography The impossibility proof assumed unlimited computational ability. The protocol is not 50/50 Bob has a small advantage. How are the Answers Reconciled? 69
  • Slide 70
  • January 6, 2011Practical Aspects of Modern Cryptography Applications of Remote Flipping Remote Card Playing Internet Gambling Various Fair Agreement Protocols 70
  • Slide 71
  • January 6, 2011Practical Aspects of Modern Cryptography Bit Commitment We have implemented remote coin flipping via bit commitment. Commitment protocols can also be used for Sealed bidding Undisclosed contracts Authenticated predictions 71
  • Slide 72
  • January 6, 2011Practical Aspects of Modern Cryptography One-Way Functions We have implemented bit commitment via one-way functions. One-way functions can be used for Authentication Data integrity Strong randomness 72
  • Slide 73
  • January 6, 2011Practical Aspects of Modern Cryptography One-Way Functions 73
  • Slide 74
  • January 6, 2011Practical Aspects of Modern Cryptography One-Way Functions Two basic classes of one-way functions 74
  • Slide 75
  • January 6, 2011Practical Aspects of Modern Cryptography One-Way Functions Two basic classes of one-way functions Mathematical 75
  • Slide 76
  • January 6, 2011Practical Aspects of Modern Cryptography One-Way Functions Two basic classes of one-way functions Mathematical Multiplication: Z=X Y 76
  • Slide 77
  • January 6, 2011Practical Aspects of Modern Cryptography One-Way Functions Two basic classes of one-way functions Mathematical Multiplication: Z=X Y Modular Exponentiation: Z = Y X mod N 77
  • Slide 78
  • January 6, 2011Practical Aspects of Modern Cryptography One-Way Functions Two basic classes of one-way functions Mathematical Multiplication: Z=XY Modular Exponentiation: Z = Y X mod N Ugly 78
  • Slide 79
  • January 6, 2011Practical Aspects of Modern Cryptography The Fundamental Equation Z=Y X mod N 79
  • Slide 80
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Arithmetic 80
  • Slide 81
  • Modular Arithmetic Z mod N is the integer remainder when Z is divided by N. January 6, 2011Practical Aspects of Modern Cryptography81
  • Slide 82
  • Modular Arithmetic Z mod N is the integer remainder when Z is divided by N. The Division Theorem For all integers Z and N>0, there exist unique integers Q and R such that Z = Q N + R and 0 R N. January 6, 2011Practical Aspects of Modern Cryptography82
  • Slide 83
  • Modular Arithmetic Z mod N is the integer remainder when Z is divided by N. The Division Theorem For all integers Z and N>0, there exist unique integers Q and R such that Z = Q N + R and 0 R N. By definition, this unique R = Z mod N. January 6, 2011Practical Aspects of Modern Cryptography83
  • Slide 84
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Arithmetic To compute (A+B) mod N, compute (A+B) and take the result mod N. 84
  • Slide 85
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Arithmetic To compute (A+B) mod N, compute (A+B) and take the result mod N. To compute (A-B) mod N, compute (A-B) and take the result mod N. 85
  • Slide 86
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Arithmetic To compute (A+B) mod N, compute (A+B) and take the result mod N. To compute (A-B) mod N, compute (A-B) and take the result mod N. To compute (AB) mod N, compute (AB) and take the result mod N. 86
  • Slide 87
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Arithmetic To compute (A+B) mod N, compute (A+B) and take the result mod N. To compute (A-B) mod N, compute (A-B) and take the result mod N. To compute (AB) mod N, compute (AB) and take the result mod N. To compute (AB) mod N, 87
  • Slide 88
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Division 88
  • Slide 89
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Division What is the value of (12) mod 7? We need a solution to 2x mod 7 = 1. 89
  • Slide 90
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Division What is the value of (12) mod 7? We need a solution to 2x mod 7 = 1. Try x = 4. 90
  • Slide 91
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Division What is the value of (12) mod 7? We need a solution to 2x mod 7 = 1. Try x = 4. What is the value of (75) mod 11? We need a solution to 5x mod 11 = 7. 91
  • Slide 92
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Division What is the value of (12) mod 7? We need a solution to 2x mod 7 = 1. Try x = 4. What is the value of (75) mod 11? We need a solution to 5x mod 11 = 7. Try x = 8. 92
  • Slide 93
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Division 93
  • Slide 94
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Division Is modular division always well-defined? 94
  • Slide 95
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Division Is modular division always well-defined? (13) mod 6 = ? 95
  • Slide 96
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Division Is modular division always well-defined? (13) mod 6 = ? 3x mod 6 = 1 has no solution! 96
  • Slide 97
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Division Is modular division always well-defined? (13) mod 6 = ? 3x mod 6 = 1 has no solution! Fact (AB) mod N always has a solution when gcd(B,N) = 1. 97
  • Slide 98
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Division Fact 1 (AB) mod N always has a solution when gcd(B,N) = 1. 98
  • Slide 99
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Division Fact 1 (AB) mod N always has a solution when gcd(B,N) = 1. Fact 2 (AB) mod N never has a solution when gcd(A,B) = 1 and gcd(B,N) 1. 99
  • Slide 100
  • January 6, 2011Practical Aspects of Modern Cryptography Greatest Common Divisors 100
  • Slide 101
  • January 6, 2011Practical Aspects of Modern Cryptography Greatest Common Divisors gcd(A, B) = gcd(B, A B) 101
  • Slide 102
  • January 6, 2011Practical Aspects of Modern Cryptography Greatest Common Divisors gcd(A, B) = gcd(B, A B) since any common factor of A and B is also a factor of A B and since any common factor of B and A B is also a factor of A. 102
  • Slide 103
  • January 6, 2011Practical Aspects of Modern Cryptography Greatest Common Divisors gcd(A, B) = gcd(B, A B) gcd(21,12) = gcd(12,9) = gcd(9,3) = gcd(3,6) = gcd(6,3) = gcd(3,3) = gcd(3,0) = 3 103
  • Slide 104
  • January 6, 2011Practical Aspects of Modern Cryptography Greatest Common Divisors gcd(A, B) = gcd(B, A B) 104
  • Slide 105
  • January 6, 2011Practical Aspects of Modern Cryptography Greatest Common Divisors gcd(A, B) = gcd(B, A B) gcd(A, B) = gcd(B, A kB) for any integer k. 105
  • Slide 106
  • January 6, 2011Practical Aspects of Modern Cryptography Greatest Common Divisors gcd(A, B) = gcd(B, A B) gcd(A, B) = gcd(B, A kB) for any integer k. gcd(A, B) = gcd(B, A mod B) 106
  • Slide 107
  • January 6, 2011Practical Aspects of Modern Cryptography Greatest Common Divisors gcd(A, B) = gcd(B, A B) gcd(A, B) = gcd(B, A kB) for any integer k. gcd(A, B) = gcd(B, A mod B) gcd(21,12) = gcd(12,9) = gcd(9,3) = gcd(3,0) = 3 107
  • Slide 108
  • January 6, 2011Practical Aspects of Modern Cryptography Extended Euclidean Algorithm Given integers A and B, find integers X and Y such that AX + BY = gcd(A,B). 108
  • Slide 109
  • January 6, 2011Practical Aspects of Modern Cryptography Extended Euclidean Algorithm Given integers A and B, find integers X and Y such that AX + BY = gcd(A,B). When gcd(A,B) = 1, solve AX mod B = 1, by finding X and Y such that AX + BY = gcd(A,B) = 1. 109
  • Slide 110
  • January 6, 2011Practical Aspects of Modern Cryptography Extended Euclidean Algorithm Given integers A and B, find integers X and Y such that AX + BY = gcd(A,B). When gcd(A,B) = 1, solve AX mod B = 1, by finding X and Y such that AX + BY = gcd(A,B) = 1. Compute (CA) mod B as C(1A) mod B. 110
  • Slide 111
  • January 6, 2011Practical Aspects of Modern Cryptography Extended Euclidean Algorithm gcd(35, 8) = gcd(8, 35 mod 8) = gcd(8, 3) = gcd(3, 8 mod 3) = gcd(3, 2) = gcd(2, 3 mod 2) = gcd(2, 1) = gcd(1, 2 mod 1) = gcd(1, 0) = 1 111
  • Slide 112
  • January 6, 2011Practical Aspects of Modern Cryptography Extended Euclidean Algorithm 35 = 8 4 + 3 112
  • Slide 113
  • January 6, 2011Practical Aspects of Modern Cryptography Extended Euclidean Algorithm 35 = 8 4 + 3 8 = 3 2 + 2 113
  • Slide 114
  • January 6, 2011Practical Aspects of Modern Cryptography Extended Euclidean Algorithm 35 = 8 4 + 3 8 = 3 2 + 2 3 = 2 1 + 1 114
  • Slide 115
  • January 6, 2011Practical Aspects of Modern Cryptography Extended Euclidean Algorithm 35 = 8 4 + 3 8 = 3 2 + 2 3 = 2 1 + 1 2 = 1 2 + 0 115
  • Slide 116
  • January 6, 2011Practical Aspects of Modern Cryptography Extended Euclidean Algorithm 35 = 8 4 + 3 3 = 35 8 4 8 = 3 2 + 2 2 = 8 3 2 3 = 2 1 + 1 1 = 3 2 1 2 = 1 2 + 0 116
  • Slide 117
  • January 6, 2011Practical Aspects of Modern Cryptography Extended Euclidean Algorithm 3 = 35 8 4 2 = 8 3 2 1 = 3 2 1 117
  • Slide 118
  • January 6, 2011Practical Aspects of Modern Cryptography Extended Euclidean Algorithm 3 = 35 8 4 2 = 8 3 2 1 = 3 2 1 = (35 8 4) (8 3 2) 1 118
  • Slide 119
  • January 6, 2011Practical Aspects of Modern Cryptography Extended Euclidean Algorithm 3 = 35 8 4 2 = 8 3 2 1 = 3 2 1 = (35 8 4) (8 3 2) 1 = (35 8 4) (8 (35 8 4) 2) 1 119
  • Slide 120
  • January 6, 2011Practical Aspects of Modern Cryptography Extended Euclidean Algorithm 3 = 35 8 4 2 = 8 3 2 1 = 3 2 1 = (35 8 4) (8 3 2) 1 = (35 8 4) (8 (35 8 4) 2) 1 = 35 3 8 13 120
  • Slide 121
  • January 6, 2011Practical Aspects of Modern Cryptography Extended Euclidean Algorithm 121
  • Slide 122
  • January 6, 2011Practical Aspects of Modern Cryptography The Fundamental Equation Z=Y X mod N 122
  • Slide 123
  • January 6, 2011Practical Aspects of Modern Cryptography The Fundamental Equation Z=Y X mod N When Z is unknown, it can be efficiently computed. 123
  • Slide 124
  • January 6, 2011Practical Aspects of Modern Cryptography The Fundamental Equation Z=Y X mod N When X is unknown, the problem is known as the discrete logarithm and is generally believed to be hard to solve. 124
  • Slide 125
  • January 6, 2011Practical Aspects of Modern Cryptography The Fundamental Equation Z=Y X mod N When Y is unknown, the problem is known as discrete root finding and is generally believed to be hard to solve... 125
  • Slide 126
  • January 6, 2011Practical Aspects of Modern Cryptography The Fundamental Equation Z=Y X mod N unless the factorization of N is known. 126
  • Slide 127
  • January 6, 2011Practical Aspects of Modern Cryptography The Fundamental Equation Z=Y X mod N The problem is not well-studied for the case when N is unknown. 127
  • Slide 128
  • January 6, 2011Practical Aspects of Modern Cryptography Implementation Z=Y X mod N 128
  • Slide 129
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N 129
  • Slide 130
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Compute Y X and then reduce mod N. 130
  • Slide 131
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Compute Y X and then reduce mod N. If X, Y, and N each are 2,048-bit integers, Y X consists of ~2 2059 bits. 131
  • Slide 132
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Compute Y X and then reduce mod N. If X, Y, and N each are 2,048-bit integers, Y X consists of ~2 2059 bits. Since there are roughly 2 250 particles in the universe, storage is a problem. 132
  • Slide 133
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N 133
  • Slide 134
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Repeatedly multiplying by Y (followed each time by a reduction modulo N) X times solves the storage problem. 134
  • Slide 135
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Repeatedly multiplying by Y (followed each time by a reduction modulo N) X times solves the storage problem. However, we would need to perform ~2 900 64-bit multiplications per second to complete the computation before the sun burns out. 135
  • Slide 136
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N 136
  • Slide 137
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Multiplication by Repeated Doubling 137
  • Slide 138
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Multiplication by Repeated Doubling To compute X Y, 138
  • Slide 139
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Multiplication by Repeated Doubling To compute X Y, compute Y, 2Y, 4Y, 8Y, 16Y, 139
  • Slide 140
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Multiplication by Repeated Doubling To compute X Y, compute Y, 2Y, 4Y, 8Y, 16Y, and sum up those values dictated by the binary representation of X. 140
  • Slide 141
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Multiplication by Repeated Doubling To compute X Y, compute Y, 2Y, 4Y, 8Y, 16Y, and sum up those values dictated by the binary representation of X. Example: 26Y = 2Y + 8Y + 16Y. 141
  • Slide 142
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N 142
  • Slide 143
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Exponentiation by Repeated Squaring 143
  • Slide 144
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Exponentiation by Repeated Squaring To compute Y X, 144
  • Slide 145
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Exponentiation by Repeated Squaring To compute Y X, compute Y, Y 2, Y 4, Y 8, Y 16, 145
  • Slide 146
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Exponentiation by Repeated Squaring To compute Y X, compute Y, Y 2, Y 4, Y 8, Y 16, and multiply those values dictated by the binary representation of X. 146
  • Slide 147
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N Exponentiation by Repeated Squaring To compute Y X, compute Y, Y 2, Y 4, Y 8, Y 16, and multiply those values dictated by the binary representation of X. Example: Y 26 = Y 2 Y 8 Y 16. 147
  • Slide 148
  • January 6, 2011Practical Aspects of Modern Cryptography How to compute Y X mod N We can now perform a 2,048-bit modular exponentiation using ~3,072 2,048-bit modular multiplications. 2,048 squarings: y, y 2, y 4, , y 2 2048 ~1024 ordinary multiplications 148
  • Slide 149
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Operations Addition and Subtraction Multiplication Division and Remainder (Mod N) Exponentiation 149
  • Slide 150
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Addition + 150
  • Slide 151
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Addition + 151
  • Slide 152
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Addition + 152
  • Slide 153
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Addition + 153
  • Slide 154
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Addition + 154
  • Slide 155
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Addition + 155
  • Slide 156
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Addition In general, adding two large integers each consisting of n small blocks requires O(n) small-integer additions. Large-integer subtraction is similar. 156
  • Slide 157
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Multiplication 157
  • Slide 158
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Multiplication 158
  • Slide 159
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Multiplication 159
  • Slide 160
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Multiplication 160
  • Slide 161
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Multiplication 161
  • Slide 162
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Multiplication 162
  • Slide 163
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Multiplication In general, multiplying two large integers each consisting of n small blocks requires O(n 2 ) small-integer multiplications and O(n) large-integer additions. 163
  • Slide 164
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Squaring 164
  • Slide 165
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Squaring 165
  • Slide 166
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Squaring 166
  • Slide 167
  • January 6, 2011Practical Aspects of Modern Cryptography Large-Integer Squaring Careful bookkeeping can save nearly half of the small-integer multiplications (and nearly half of the time). 167
  • Slide 168
  • January 6, 2011Practical Aspects of Modern Cryptography Recall computing Y X mod N About 2/3 of the multiplications required to compute Y X are actually squarings. Overall, efficient squaring can save about 1/3 of the small multiplications required for modular exponentiation. 168
  • Slide 169
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 169
  • Slide 170
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given 4 coefficients A, B, C, and D, 170
  • Slide 171
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given 4 coefficients A, B, C, and D, we need to compute 3 values: 171
  • Slide 172
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given 4 coefficients A, B, C, and D, we need to compute 3 values: AC, AD+BC, and BD. 172
  • Slide 173
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given 4 coefficients A, B, C, and D, we need to compute 3 values: AC, AD+BC, and BD. 173
  • Slide 174
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given 4 coefficients A, B, C, and D, we need to compute 3 values: AC, AD+BC, and BD. 174
  • Slide 175
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given 4 coefficients A, B, C, and D, we need to compute 3 values: AC, AD+BC, and BD. 175
  • Slide 176
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition 176
  • Slide 177
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition 177
  • Slide 178
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition 178
  • Slide 179
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition 179
  • Slide 180
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition 180
  • Slide 181
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition 181
  • Slide 182
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition 182
  • Slide 183
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD 183
  • Slide 184
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD (A+B)(C+D) AC BD = AD + BC 184
  • Slide 185
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD (A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2 subtractions 185
  • Slide 186
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD (A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2 subtractions 186
  • Slide 187
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD (A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2 subtractions 187
  • Slide 188
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD (A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2 subtractions 188
  • Slide 189
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD (A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2 subtractions 189
  • Slide 190
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD (A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2 subtractions 190
  • Slide 191
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD (A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2 subtractions 191
  • Slide 192
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD (A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2 subtractions 192
  • Slide 193
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4 multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD (A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2 subtractions 193
  • Slide 194
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication This can be done on integers as well as on polynomials, but its not as nice on integers because of carries. The larger the integers, the larger the benefit. 194
  • Slide 195
  • January 6, 2011Practical Aspects of Modern Cryptography Karatsuba Multiplication (A 2 k +B)(C 2 k +D) = AC 2 2k + (AD+BC) 2 k + BD 4 multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD (A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2 subtractions 195
  • Slide 196
  • January 6, 2011Practical Aspects of Modern Cryptography Chinese Remaindering If X = A mod P, X = B mod Q, and gcd(P,Q) = 1, then X mod PQ can be computed as X = AQ(Q -1 mod P) + BP(P -1 mod Q). 196
  • Slide 197
  • January 6, 2011Practical Aspects of Modern Cryptography Chinese Remaindering If N = PQ, then a computation mod N can be accomplished by performing the same computation mod P and again mod Q and then using Chinese Remaindering to derive the answer to the mod N computation. 197
  • Slide 198
  • January 6, 2011Practical Aspects of Modern Cryptography Chinese Remaindering Since modular exponentiation of n-bit integers requires O(n 3 ) time, performing two modular exponentiations on half size values requires only about one quarter of the time of a single n-bit modular exponentiation. 198
  • Slide 199
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Reduction Generally, computing (A B) mod N requires much more than twice the time to compute A B. 199
  • Slide 200
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Reduction Generally, computing (A B) mod N requires much more than twice the time to compute A B. Large-integer division is 200
  • Slide 201
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Reduction Generally, computing (A B) mod N requires much more than twice the time to compute A B. Large-integer division is slow 201
  • Slide 202
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Reduction Generally, computing (A B) mod N requires much more than twice the time to compute A B. Large-integer division is slow cumbersome 202
  • Slide 203
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Reduction Generally, computing (A B) mod N requires much more than twice the time to compute A B. Large-integer division is slow cumbersome disgusting 203
  • Slide 204
  • January 6, 2011Practical Aspects of Modern Cryptography Modular Reduction Generally, computing (A B) mod N requires much more than twice the time to compute A B. Large-integer division is slow cumbersome disgusting wretched 204
  • Slide 205
  • January 6, 2011Practical Aspects of Modern Cryptography The Montgomery Method The Montgomery Method performs a domain transform to a domain in which the modular reduction operation can be achieved by multiplication and simple truncation. Since a single modular exponentiation requires many modular multiplications and reductions, transforming the arguments is well justified. 205
  • Slide 206
  • January 6, 2011Practical Aspects of Modern Cryptography Montgomery Multiplication Let A, B, and M be n-block integers represented in base x with 0 M x n. Let R = x n. GCD(R,M) = 1. The Montgomery Product of A and B modulo M is the integer ABR 1 mod M. Let M = M 1 mod R and S = ABM mod R. Fact: (AB+SM)/R ABR 1 (mod M). 206
  • Slide 207
  • January 6, 2011Practical Aspects of Modern Cryptography Using the Montgomery Product The Montgomery Product ABR 1 mod M can be computed in the time required for two ordinary large-integer multiplications. Montgomery transform: A AR mod M. The Montgomery product of (AR mod M) and (BR mod M) is (ABR mod M). 207
  • Slide 208
  • January 6, 2011Practical Aspects of Modern Cryptography One-Way Functions Z=Y X mod N 208
  • Slide 209
  • January 6, 2011Practical Aspects of Modern Cryptography One-Way Functions Informally, F : X Y is a one-way if Given x, y = F(x) is easily computable. Given y, it is difficult to find any x for which y = F(x). 209
  • Slide 210
  • January 6, 2011Practical Aspects of Modern Cryptography One-Way Functions The family of functions F Y,N (X) = Y X mod N is believed to be one-way for most N and Y. 210
  • Slide 211
  • January 6, 2011Practical Aspects of Modern Cryptography One-Way Functions The family of functions F Y,N (X) = Y X mod N is believed to be one-way for most N and Y. No one has ever proven a function to be one-way, and doing so would, at a minimum, yield as a consequence that P NP. 211
  • Slide 212
  • January 6, 2011Practical Aspects of Modern Cryptography One-Way Functions When viewed as a two-argument function, the (candidate) one-way function F N (Y,X) = Y X mod N also satisfies a useful additional property which has been termed quasi-commutivity: F(F(Y,X 1 ),X 2 ) = F(F(Y,X 2 ),X 1 ) since Y X 1 X 2 = Y X 2 X 1. 212
  • Slide 213
  • January 6, 2011Practical Aspects of Modern Cryptography Diffie-Hellman Key Exchange AliceBob 213
  • Slide 214
  • January 6, 2011Practical Aspects of Modern Cryptography Diffie-Hellman Key Exchange Alice Randomly select a large integer a and send A = Y a mod N. Bob Randomly select a large integer b and send B = Y b mod N. 214
  • Slide 215
  • January 6, 2011Practical Aspects of Modern Cryptography Diffie-Hellman Key Exchange Alice Bob A B 215
  • Slide 216
  • January 6, 2011Practical Aspects of Modern Cryptography Diffie-Hellman Key Exchange Alice Randomly select a large integer a and send A = Y a mod N. Bob Randomly select a large integer b and send B = Y b mod N. 216
  • Slide 217
  • January 6, 2011Practical Aspects of Modern Cryptography Diffie-Hellman Key Exchange Alice Randomly select a large integer a and send A = Y a mod N. Compute the key K = B a mod N. Bob Randomly select a large integer b and send B = Y b mod N. Compute the key K = A b mod N. 217
  • Slide 218
  • January 6, 2011Practical Aspects of Modern Cryptography Diffie-Hellman Key Exchange Alice Randomly select a large integer a and send A = Y a mod N. Compute the key K = B a mod N. Bob Randomly select a large integer b and send B = Y b mod N. Compute the key K = A b mod N. B a = Y ba = Y ab = A b 218
  • Slide 219
  • January 6, 2011Practical Aspects of Modern Cryptography Diffie-Hellman Key Exchange 219
  • Slide 220
  • January 6, 2011Practical Aspects of Modern Cryptography Diffie-Hellman Key Exchange What does Eve see? 220
  • Slide 221
  • January 6, 2011Practical Aspects of Modern Cryptography Diffie-Hellman Key Exchange What does Eve see? Y, Y a, Y b 221
  • Slide 222
  • January 6, 2011Practical Aspects of Modern Cryptography Diffie-Hellman Key Exchange What does Eve see? Y, Y a, Y b but the exchanged key is Y ab. 222
  • Slide 223
  • January 6, 2011Practical Aspects of Modern Cryptography Diffie-Hellman Key Exchange What does Eve see? Y, Y a, Y b but the exchanged key is Y ab. Belief: Given Y, Y a, Y b it is difficult to compute Y ab. 223
  • Slide 224
  • January 6, 2011Practical Aspects of Modern Cryptography Diffie-Hellman Key Exchange What does Eve see? Y, Y a, Y b but the exchanged key is Y ab. Belief: Given Y, Y a, Y b it is difficult to compute Y ab. Contrast with discrete logarithm assumption: Given Y, Y a it is difficult to compute a. 224
  • Slide 225
  • January 6, 2011Practical Aspects of Modern Cryptography More on Quasi-Commutivity Quasi-commutivity has additional applications. decentralized digital signatures membership testing digital time-stamping 225
  • Slide 226
  • January 6, 2011Practical Aspects of Modern Cryptography One-Way Trap-Door Functions Z=Y X mod N 226
  • Slide 227
  • January 6, 2011Practical Aspects of Modern Cryptography One-Way Trap-Door Functions Z=Y X mod N Recall that this equation is solvable for Y if the factorization of N is known, but is believed to be hard otherwise. 227
  • Slide 228
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Public-Key Cryptosystem AliceAnyone 228
  • Slide 229
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Public-Key Cryptosystem Alice Select two large random primes P & Q. Anyone 229
  • Slide 230
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Public-Key Cryptosystem Alice Select two large random primes P & Q. Publish the product N=PQ. Anyone 230
  • Slide 231
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Public-Key Cryptosystem Alice Select two large random primes P & Q. Publish the product N=PQ. Anyone To send message Y to Alice, compute Z=Y X mod N. 231
  • Slide 232
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Public-Key Cryptosystem Alice Select two large random primes P & Q. Publish the product N=PQ. Anyone To send message Y to Alice, compute Z=Y X mod N. Send Z and X to Alice. 232
  • Slide 233
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Public-Key Cryptosystem Alice Select two large random primes P & Q. Publish the product N=PQ. Use knowledge of P & Q to compute Y. Anyone To send message Y to Alice, compute Z=Y X mod N. Send Z and X to Alice. 233
  • Slide 234
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Public-Key Cryptosystem In practice, the exponent X is almost always fixed to be X = 65537 = 2 16 + 1. 234
  • Slide 235
  • January 6, 2011Practical Aspects of Modern Cryptography Some RSA Details When N=PQ is the product of distinct primes, Y X mod N = Y whenever X mod (P-1)(Q-1) = 1 and 0 Y N. 235
  • Slide 236
  • January 6, 2011Practical Aspects of Modern Cryptography Some RSA Details When N=PQ is the product of distinct primes, Y X mod N = Y whenever X mod (P-1)(Q-1) = 1 and 0 Y N. Alice can easily select integers E and D such that E D mod (P-1)(Q-1) = 1. 236
  • Slide 237
  • January 6, 2011Practical Aspects of Modern Cryptography Some RSA Details Encryption: E(Y) = Y E mod N. Decryption: D(Y) = Y D mod N. D(E(Y)) = (Y E mod N) D mod N = Y ED mod N = Y 237
  • Slide 238
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Signatures 238
  • Slide 239
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Signatures An additional property 239
  • Slide 240
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Signatures An additional property D(E(Y)) = Y ED mod N = Y 240
  • Slide 241
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Signatures An additional property D(E(Y)) = Y ED mod N = Y E(D(Y)) = Y DE mod N = Y 241
  • Slide 242
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Signatures An additional property D(E(Y)) = Y ED mod N = Y E(D(Y)) = Y DE mod N = Y Only Alice (knowing the factorization of N) knows D. Hence only Alice can compute D(Y) = Y D mod N. 242
  • Slide 243
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Signatures An additional property D(E(Y)) = Y ED mod N = Y E(D(Y)) = Y DE mod N = Y Only Alice (knowing the factorization of N) knows D. Hence only Alice can compute D(Y) = Y D mod N. This D(Y) serves as Alices signature on Y. 243
  • Slide 244
  • January 6, 2011Practical Aspects of Modern Cryptography Public Key Directory 244
  • Slide 245
  • January 6, 2011Practical Aspects of Modern Cryptography Public Key Directory (Recall that E is commonly fixed to be E=65537.) 245
  • Slide 246
  • January 6, 2011Practical Aspects of Modern Cryptography Certificate Authority Alices public modulus is N A = 331490324840 -- signed CA. 246
  • Slide 247
  • January 6, 2011Practical Aspects of Modern Cryptography Trust Chains Alice certifies Bobs key. Bob certifies Carols key. If I trust Alice should I accept Carols key? 247
  • Slide 248
  • January 6, 2011Practical Aspects of Modern Cryptography Authentication 248
  • Slide 249
  • January 6, 2011Practical Aspects of Modern Cryptography Authentication How can I use RSA to authenticate someones identity? 249
  • Slide 250
  • January 6, 2011Practical Aspects of Modern Cryptography Authentication How can I use RSA to authenticate someones identity? If Alices public key E A, just pick a random message m and send E A (m). 250
  • Slide 251
  • January 6, 2011Practical Aspects of Modern Cryptography Authentication How can I use RSA to authenticate someones identity? If Alices public key E A, just pick a random message m and send E A (m). If m comes back, I must be talking to Alice. 251
  • Slide 252
  • January 6, 2011Practical Aspects of Modern Cryptography Authentication Should Alice be happy with this method of authentication? 252
  • Slide 253
  • January 6, 2011Practical Aspects of Modern Cryptography Authentication Should Alice be happy with this method of authentication? Bob sends Alice the authentication string y = I owe Bob $1,000,000 - signed Alice. 253
  • Slide 254
  • January 6, 2011Practical Aspects of Modern Cryptography Authentication Should Alice be happy with this method of authentication? Bob sends Alice the authentication string y = I owe Bob $1,000,000 - signed Alice. Alice dutifully authenticates herself by decrypting (putting her signature on) y. 254
  • Slide 255
  • January 6, 2011Practical Aspects of Modern Cryptography Authentication What if Alice only returns authentication queries when the decryption has a certain format? 255
  • Slide 256
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Cautions Is it reasonable to sign/decrypt something given to you by someone else? Note that RSA is multiplicative. Can this property be used/abused? 256
  • Slide 257
  • January 6, 2011Practical Aspects of Modern Cryptography RSA Cautions D(Y 1 ) D(Y 2 ) = D(Y 1 Y 2 ) Thus, if Ive decrypted (or signed) Y 1 and Y 2, Ive also decrypted (or signed) Y 1 Y 2. 257
  • Slide 258
  • January 6, 2011Practical Aspects of Modern Cryptography The Hastad Attack Given E 1 (x) = x 3 mod n 1 E 2 (x) = x 3 mod n 2 E 3 (x) = x 3 mod n 3 one can easily compute x. 258
  • Slide 259
  • January 6, 2011Practical Aspects of Modern Cryptography The Bleichenbacher Attack PKCS#1 Message Format: 00 01 XX XX... XX 00 YY YY... YY random non-zero bytes message 259
  • Slide 260
  • January 6, 2011Practical Aspects of Modern Cryptography Man-in-the-Middle Attacks 260
  • Slide 261
  • January 6, 2011Practical Aspects of Modern Cryptography The Practical Side 261
  • Slide 262
  • January 6, 2011Practical Aspects of Modern Cryptography The Practical Side RSA can be used to encrypt any data. 262
  • Slide 263
  • January 6, 2011Practical Aspects of Modern Cryptography The Practical Side RSA can be used to encrypt any data. Public-key (asymmetric) cryptography is very inefficient when compared to traditional private-key (symmetric) cryptography. 263
  • Slide 264
  • January 6, 2011Practical Aspects of Modern Cryptography The Practical Side 264
  • Slide 265
  • January 6, 2011Practical Aspects of Modern Cryptography The Practical Side For efficiency, one generally uses RSA (or another public-key algorithm) to transmit a private (symmetric) key. 265
  • Slide 266
  • January 6, 2011Practical Aspects of Modern Cryptography The Practical Side For efficiency, one generally uses RSA (or another public-key algorithm) to transmit a private (symmetric) key. The private session key is used to encrypt any subsequent data. 266
  • Slide 267
  • January 6, 2011Practical Aspects of Modern Cryptography The Practical Side For efficiency, one generally uses RSA (or another public-key algorithm) to transmit a private (symmetric) key. The private session key is used to encrypt any subsequent data. Digital signatures are only used to sign a digest of the message. 267

Cryptography - CISSP Study Guide on Cryptography

Cryptography - CISSP Study Guide on Cryptography

Applied Cryptography Week 4 Cryptography and.NET 1 Applied Cryptography Week 4 Mike McCarthy.

Applied Cryptography Week 4 Cryptography and.NET 1 Applied Cryptography Week 4 Mike McCarthy.

The Current State of Cryptographic Election Protocols Josh Benaloh Microsoft Research.

The Current State of Cryptographic Election Protocols Josh Benaloh Microsoft Research.

Bronson Jastrow. Outline What is cryptography? Symmetric Key Cryptography Public Key Cryptography How Public Key Cryptography Works Authenticating.

Bronson Jastrow. Outline What is cryptography? Symmetric Key Cryptography Public Key Cryptography How Public Key Cryptography Works Authenticating.

Chapter 3 Cryptography - Reading & Learning...Chapter 3 Cryptography Introduction: Cryptography is an ancient art of keeping secrets. Cryptography ensures security of communication

Chapter 3 Cryptography - Reading & Learning...Chapter 3 Cryptography Introduction: Cryptography is an ancient art of keeping secrets. Cryptography ensures security of communication

Cryptography or Smalltalkers 2 Public Key Cryptography

Cryptography or Smalltalkers 2 Public Key Cryptography

ECE578 Cryptography 5: Hash Functions, Asymmetric Cryptography

ECE578 Cryptography 5: Hash Functions, Asymmetric Cryptography

Information Security Cryptography ( L02- Types Cryptography)

Information Security Cryptography ( L02- Types Cryptography)

Cryptography Cryptography 1. Activity What is cryptography ? 2.

Cryptography Cryptography 1. Activity What is cryptography ? 2.

Basic Cryptography - Sapienzaparisi/Risorse/CryptographicPrimitives.pdf · Basic Cryptography Introduction ... The Java Cryptography Architecure (JCA) The Java Cryptography Extensions

Basic Cryptography - Sapienzaparisi/Risorse/CryptographicPrimitives.pdf · Basic Cryptography Introduction ... The Java Cryptography Architecure (JCA) The Java Cryptography Extensions

Quantum computing, teleportation, cryptography Computing Teleportation Cryptography.

Quantum computing, teleportation, cryptography Computing Teleportation Cryptography.

Cryptography - A Reviewweb.cse.msstate.edu/~ramkumar/review1.pdfSymmetric Cryptography Asymmetric Cryptography Key Management Network Security Symmetric Cryptography Overview Block

Cryptography - A Reviewweb.cse.msstate.edu/~ramkumar/review1.pdfSymmetric Cryptography Asymmetric Cryptography Key Management Network Security Symmetric Cryptography Overview Block

Overview of Cryptography What is Cryptography? Cryptography is a collection of mathematical techniques for protecting information. Cryptography is.

Overview of Cryptography What is Cryptography? Cryptography is a collection of mathematical techniques for protecting information. Cryptography is.

Cryptography - Number Theory an Related Alghoritm in Cryptography

Cryptography - Number Theory an Related Alghoritm in Cryptography

Palladium Cryptography Palladium Cryptography Next ... · Palladium Cryptography Palladium Cryptography Next Generation Security Computation Base Harshwardhan Rathore, Asst. Prof.

Palladium Cryptography Palladium Cryptography Next ... · Palladium Cryptography Palladium Cryptography Next Generation Security Computation Base Harshwardhan Rathore, Asst. Prof.

Kleptography: Using Cryptography Against Cryptography · 2017-08-27 · Kleptography: Using Cryptography Against Cryptography Adam Young* and Moti Yung” Abstract. The notion of

Kleptography: Using Cryptography Against Cryptography · 2017-08-27 · Kleptography: Using Cryptography Against Cryptography Adam Young* and Moti Yung” Abstract. The notion of

Beginning Cryptography With Java - Symmetric Key Cryptography

Beginning Cryptography With Java - Symmetric Key Cryptography

Chapter 8 - Cryptography. Cryptography General Concepts.

Chapter 8 - Cryptography. Cryptography General Concepts.

Information Security Cryptography ( L03- Old Cryptography Algorithms )

Information Security Cryptography ( L03- Old Cryptography Algorithms )

Lattice-based Cryptography · Cryptography Post-Quantum CryptographyResults and Perspectives Outline 1 Cryptography Fundamental Goals Techniques and Limitations 2 Post-Quantum Cryptography

Lattice-based Cryptography · Cryptography Post-Quantum CryptographyResults and Perspectives Outline 1 Cryptography Fundamental Goals Techniques and Limitations 2 Post-Quantum Cryptography