January 6, 2011Practical Aspects of Modern Cryptography
Cryptography is... Protecting Privacy of Data Authentication of
Identities Preservation of Integrity basically any protocols
designed to operate in an environment absent of universal trust.
2
Slide 3
January 6, 2011Practical Aspects of Modern Cryptography
Characters 3
Slide 4
January 6, 2011Practical Aspects of Modern Cryptography
Characters Alice 4
Slide 5
January 6, 2011Practical Aspects of Modern Cryptography
Characters Bob 5
Slide 6
January 6, 2011Practical Aspects of Modern Cryptography Basic
Communication Alice talking to Bob 6
Slide 7
January 6, 2011Practical Aspects of Modern Cryptography Another
Character Eve 7
Slide 8
January 6, 2011Practical Aspects of Modern Cryptography Basic
Communication Problem Eve listening to Alice talking to Bob 8
Slide 9
January 6, 2011Practical Aspects of Modern Cryptography
Two-Party Environments Alice Bob 9
Slide 10
January 6, 2011Practical Aspects of Modern Cryptography Remote
Coin Flipping Alice and Bob decide to make a decision by flipping a
coin. Alice and Bob are not in the same place. 10
Slide 11
January 6, 2011Practical Aspects of Modern Cryptography Ground
Rule Protocol must be asynchronous. We cannot assume simultaneous
actions. Players must take turns. 11
Slide 12
January 6, 2011Practical Aspects of Modern Cryptography Is
Remote Coin Flipping Possible? 12
Slide 13
January 6, 2011Practical Aspects of Modern Cryptography Is
Remote Coin Flipping Possible? Two-part answer: 13
Slide 14
January 6, 2011Practical Aspects of Modern Cryptography Is
Remote Coin Flipping Possible? Two-part answer: NO I will sketch a
formal proof. 14
Slide 15
January 6, 2011Practical Aspects of Modern Cryptography Is
Remote Coin Flipping Possible? Two-part answer: NO I will sketch a
formal proof. YES I will provide an effective protocol. 15
Slide 16
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: 16
Slide 17
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B B A BA A B BAB B B BA BA BB A AB
17
Slide 18
January 6, 2011Practical Aspects of Modern Cryptography Pruning
the Tree A B A B A BB A 18
Slide 19
January 6, 2011Practical Aspects of Modern Cryptography Pruning
the Tree A B A B A: B: 19
Slide 20
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B B A BA A B BAB B B BA BA BB A AB
20
Slide 21
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B B A BA A BB B BA BA BB A AB
21
Slide 22
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B B A BA A BB B BA BA BBB 22
Slide 23
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B A BA A BB B BA BA BBB 23
Slide 24
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B A BA A B BA BA BBB 24
Slide 25
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B A BA A B A BA BBB 25
Slide 26
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B A BA A B A BA B 26
Slide 27
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: B A A B A BA B 27
Slide 28
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: BA B A BA B 28
Slide 29
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: BAB BA B 29
Slide 30
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: BABB 30
Slide 31
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A: B: A: B: A 31
Slide 32
January 6, 2011Practical Aspects of Modern Cryptography A
Protocol Flow Tree A 32
Slide 33
January 6, 2011Practical Aspects of Modern Cryptography
Completing the Pruning When the pruning is complete one will end up
with either 33
Slide 34
January 6, 2011Practical Aspects of Modern Cryptography
Completing the Pruning When the pruning is complete one will end up
with either a winner before the protocol has begun, or 34
Slide 35
January 6, 2011Practical Aspects of Modern Cryptography
Completing the Pruning When the pruning is complete one will end up
with either a winner before the protocol has begun, or a useless
infinite game. 35
Slide 36
January 6, 2011Practical Aspects of Modern Cryptography
Conclusion of Part I Remote coin flipping is utterly impossible!!!
36
Slide 37
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin 37
Slide 38
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 38
Slide 39
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 0 4 8 12 16 39
Slide 40
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 40
Slide 41
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14
18 41
Slide 42
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14
18 3 7 11 15 19 42
Slide 43
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14
18 3 7 11 15 19 Even 43
Slide 44
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14
18 3 7 11 15 19 4n + 1: 4n - 1: 44
Slide 45
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14
18 3 7 11 15 19 Type +1: Type - 1: 45
Slide 46
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Fact 1 Multiplying two (odd) integers of the
same type always yields a product of Type +1. (4p+1)(4q+1) =
16pq+4p+4q+1 = 4(4pq+p+q)+1 (4p1)(4q1) = 16pq4p4q+1 = 4(4pqpq)+1
46
Slide 47
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Fact 2 There is no known method (other than
factoring) to distinguish a product of two Type +1 integers from a
product of two Type 1 integers. 47
Slide 48
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Fact 3 Factoring large integers is believed to
be much harder than multiplying large integers. 48
Slide 49
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin 49
Slide 50
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin AliceBob 50
Slide 51
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Alice Randomly select a bit b { 1} and two
large integers P and Q both of type b. Bob 51
Slide 52
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Alice Randomly select a bit b { 1} and two
large integers P and Q both of type b. Compute N = PQ. Bob 52
Slide 53
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Alice Randomly select a bit b { 1} and two
large integers P and Q both of type b. Compute N = PQ. Send N to
Bob. Bob 53
Slide 54
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Alice Bob N 54
Slide 55
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Alice Randomly select a bit b { 1} and two
large integers P and Q both of type b. Compute N = PQ. Send N to
Bob. Bob 55
Slide 56
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Bob After receiving N from Alice, guess the
value of b and send this guess to Alice. Alice Randomly select a
bit b { 1} and two large integers P and Q both of type b. Compute N
= PQ. Send N to Bob. 56
Slide 57
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Alice Bob b 57
Slide 58
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Bob After receiving N from Alice, guess the
value of b and send this guess to Alice. Alice Randomly select a
bit b { 1} and two large integers P and Q both of type b. Compute N
= PQ. Send N to Bob. 58
Slide 59
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Bob After receiving N from Alice, guess the
value of b and send this guess to Alice. Bob wins if and only if he
correctly guesses the value of b. Alice Randomly select a bit b {
1} and two large integers P and Q both of type b. Compute N = PQ.
Send N to Bob. 59
Slide 60
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Bob After receiving N from Alice, guess the
value of b and send this guess to Alice. Bob wins if and only if he
correctly guesses the value of b. Alice Randomly select a bit b {
1} and two large integers P and Q both of type b. Compute N = PQ.
Send N to Bob. After receiving b from Bob, reveal P and Q. 60
Slide 61
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Alice Bob P,QP,Q 61
Slide 62
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Bob After receiving N from Alice, guess the
value of b and send this guess to Alice. Bob wins if and only if he
correctly guesses the value of b. Alice Randomly select a bit b {
1} and two large integers P and Q both of type b. Compute N = PQ.
Send N to Bob. After receiving b from Bob, reveal P and Q. 62
Slide 63
January 6, 2011Practical Aspects of Modern Cryptography Lets
Play The INTEGERS 0 4 8 12 16 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19
Type +1: Type - 1: 63
Slide 64
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Bob After receiving N from Alice, guess the
value of b and send this guess to Alice. Bob wins if and only if he
correctly guesses the value of b. Alice Randomly select a bit b {
1} and two large integers P and Q both of type b. Compute N = PQ.
Send N to Bob. After receiving b from Bob, reveal P and Q. 64
Slide 65
January 6, 2011Practical Aspects of Modern Cryptography How to
Remotely Flip a Coin Bob After receiving N from Alice, guess the
value of b and send this guess to Alice. Bob wins if and only if he
correctly guesses the value of b. Alice Randomly select a bit b {
1} and two large primes P and Q both of type b. Compute N = PQ.
Send N to Bob. After receiving b from Bob, reveal P and Q. 65
Slide 66
January 6, 2011Practical Aspects of Modern Cryptography
Checking Primality Basic result from group theory If p is a prime,
then for integers a such that 0 < a < p, then a p - 1 mod p =
1. This is almost never true when p is composite. 66
Slide 67
January 6, 2011Practical Aspects of Modern Cryptography How are
the Answers Reconciled? 67
Slide 68
January 6, 2011Practical Aspects of Modern Cryptography The
impossibility proof assumed unlimited computational ability. How
are the Answers Reconciled? 68
Slide 69
January 6, 2011Practical Aspects of Modern Cryptography The
impossibility proof assumed unlimited computational ability. The
protocol is not 50/50 Bob has a small advantage. How are the
Answers Reconciled? 69
Slide 70
January 6, 2011Practical Aspects of Modern Cryptography
Applications of Remote Flipping Remote Card Playing Internet
Gambling Various Fair Agreement Protocols 70
Slide 71
January 6, 2011Practical Aspects of Modern Cryptography Bit
Commitment We have implemented remote coin flipping via bit
commitment. Commitment protocols can also be used for Sealed
bidding Undisclosed contracts Authenticated predictions 71
Slide 72
January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions We have implemented bit commitment via one-way functions.
One-way functions can be used for Authentication Data integrity
Strong randomness 72
Slide 73
January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions 73
Slide 74
January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions Two basic classes of one-way functions 74
Slide 75
January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions Two basic classes of one-way functions Mathematical
75
Slide 76
January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions Two basic classes of one-way functions Mathematical
Multiplication: Z=X Y 76
Slide 77
January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions Two basic classes of one-way functions Mathematical
Multiplication: Z=X Y Modular Exponentiation: Z = Y X mod N 77
Slide 78
January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions Two basic classes of one-way functions Mathematical
Multiplication: Z=XY Modular Exponentiation: Z = Y X mod N Ugly
78
Slide 79
January 6, 2011Practical Aspects of Modern Cryptography The
Fundamental Equation Z=Y X mod N 79
Slide 80
January 6, 2011Practical Aspects of Modern Cryptography Modular
Arithmetic 80
Slide 81
Modular Arithmetic Z mod N is the integer remainder when Z is
divided by N. January 6, 2011Practical Aspects of Modern
Cryptography81
Slide 82
Modular Arithmetic Z mod N is the integer remainder when Z is
divided by N. The Division Theorem For all integers Z and N>0,
there exist unique integers Q and R such that Z = Q N + R and 0 R
N. January 6, 2011Practical Aspects of Modern Cryptography82
Slide 83
Modular Arithmetic Z mod N is the integer remainder when Z is
divided by N. The Division Theorem For all integers Z and N>0,
there exist unique integers Q and R such that Z = Q N + R and 0 R
N. By definition, this unique R = Z mod N. January 6, 2011Practical
Aspects of Modern Cryptography83
Slide 84
January 6, 2011Practical Aspects of Modern Cryptography Modular
Arithmetic To compute (A+B) mod N, compute (A+B) and take the
result mod N. 84
Slide 85
January 6, 2011Practical Aspects of Modern Cryptography Modular
Arithmetic To compute (A+B) mod N, compute (A+B) and take the
result mod N. To compute (A-B) mod N, compute (A-B) and take the
result mod N. 85
Slide 86
January 6, 2011Practical Aspects of Modern Cryptography Modular
Arithmetic To compute (A+B) mod N, compute (A+B) and take the
result mod N. To compute (A-B) mod N, compute (A-B) and take the
result mod N. To compute (AB) mod N, compute (AB) and take the
result mod N. 86
Slide 87
January 6, 2011Practical Aspects of Modern Cryptography Modular
Arithmetic To compute (A+B) mod N, compute (A+B) and take the
result mod N. To compute (A-B) mod N, compute (A-B) and take the
result mod N. To compute (AB) mod N, compute (AB) and take the
result mod N. To compute (AB) mod N, 87
Slide 88
January 6, 2011Practical Aspects of Modern Cryptography Modular
Division 88
Slide 89
January 6, 2011Practical Aspects of Modern Cryptography Modular
Division What is the value of (12) mod 7? We need a solution to 2x
mod 7 = 1. 89
Slide 90
January 6, 2011Practical Aspects of Modern Cryptography Modular
Division What is the value of (12) mod 7? We need a solution to 2x
mod 7 = 1. Try x = 4. 90
Slide 91
January 6, 2011Practical Aspects of Modern Cryptography Modular
Division What is the value of (12) mod 7? We need a solution to 2x
mod 7 = 1. Try x = 4. What is the value of (75) mod 11? We need a
solution to 5x mod 11 = 7. 91
Slide 92
January 6, 2011Practical Aspects of Modern Cryptography Modular
Division What is the value of (12) mod 7? We need a solution to 2x
mod 7 = 1. Try x = 4. What is the value of (75) mod 11? We need a
solution to 5x mod 11 = 7. Try x = 8. 92
Slide 93
January 6, 2011Practical Aspects of Modern Cryptography Modular
Division 93
Slide 94
January 6, 2011Practical Aspects of Modern Cryptography Modular
Division Is modular division always well-defined? 94
Slide 95
January 6, 2011Practical Aspects of Modern Cryptography Modular
Division Is modular division always well-defined? (13) mod 6 = ?
95
Slide 96
January 6, 2011Practical Aspects of Modern Cryptography Modular
Division Is modular division always well-defined? (13) mod 6 = ? 3x
mod 6 = 1 has no solution! 96
Slide 97
January 6, 2011Practical Aspects of Modern Cryptography Modular
Division Is modular division always well-defined? (13) mod 6 = ? 3x
mod 6 = 1 has no solution! Fact (AB) mod N always has a solution
when gcd(B,N) = 1. 97
Slide 98
January 6, 2011Practical Aspects of Modern Cryptography Modular
Division Fact 1 (AB) mod N always has a solution when gcd(B,N) = 1.
98
Slide 99
January 6, 2011Practical Aspects of Modern Cryptography Modular
Division Fact 1 (AB) mod N always has a solution when gcd(B,N) = 1.
Fact 2 (AB) mod N never has a solution when gcd(A,B) = 1 and
gcd(B,N) 1. 99
Slide 100
January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors 100
Slide 101
January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors gcd(A, B) = gcd(B, A B) 101
Slide 102
January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors gcd(A, B) = gcd(B, A B) since any common
factor of A and B is also a factor of A B and since any common
factor of B and A B is also a factor of A. 102
Slide 103
January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors gcd(A, B) = gcd(B, A B) gcd(21,12) =
gcd(12,9) = gcd(9,3) = gcd(3,6) = gcd(6,3) = gcd(3,3) = gcd(3,0) =
3 103
Slide 104
January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors gcd(A, B) = gcd(B, A B) 104
Slide 105
January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors gcd(A, B) = gcd(B, A B) gcd(A, B) = gcd(B,
A kB) for any integer k. 105
Slide 106
January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors gcd(A, B) = gcd(B, A B) gcd(A, B) = gcd(B,
A kB) for any integer k. gcd(A, B) = gcd(B, A mod B) 106
Slide 107
January 6, 2011Practical Aspects of Modern Cryptography
Greatest Common Divisors gcd(A, B) = gcd(B, A B) gcd(A, B) = gcd(B,
A kB) for any integer k. gcd(A, B) = gcd(B, A mod B) gcd(21,12) =
gcd(12,9) = gcd(9,3) = gcd(3,0) = 3 107
Slide 108
January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm Given integers A and B, find integers
X and Y such that AX + BY = gcd(A,B). 108
Slide 109
January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm Given integers A and B, find integers
X and Y such that AX + BY = gcd(A,B). When gcd(A,B) = 1, solve AX
mod B = 1, by finding X and Y such that AX + BY = gcd(A,B) = 1.
109
Slide 110
January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm Given integers A and B, find integers
X and Y such that AX + BY = gcd(A,B). When gcd(A,B) = 1, solve AX
mod B = 1, by finding X and Y such that AX + BY = gcd(A,B) = 1.
Compute (CA) mod B as C(1A) mod B. 110
Slide 111
January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm gcd(35, 8) = gcd(8, 35 mod 8) = gcd(8,
3) = gcd(3, 8 mod 3) = gcd(3, 2) = gcd(2, 3 mod 2) = gcd(2, 1) =
gcd(1, 2 mod 1) = gcd(1, 0) = 1 111
Slide 112
January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm 35 = 8 4 + 3 112
Slide 113
January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm 35 = 8 4 + 3 8 = 3 2 + 2 113
Slide 114
January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm 35 = 8 4 + 3 8 = 3 2 + 2 3 = 2 1 + 1
114
January 6, 2011Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm 121
Slide 122
January 6, 2011Practical Aspects of Modern Cryptography The
Fundamental Equation Z=Y X mod N 122
Slide 123
January 6, 2011Practical Aspects of Modern Cryptography The
Fundamental Equation Z=Y X mod N When Z is unknown, it can be
efficiently computed. 123
Slide 124
January 6, 2011Practical Aspects of Modern Cryptography The
Fundamental Equation Z=Y X mod N When X is unknown, the problem is
known as the discrete logarithm and is generally believed to be
hard to solve. 124
Slide 125
January 6, 2011Practical Aspects of Modern Cryptography The
Fundamental Equation Z=Y X mod N When Y is unknown, the problem is
known as discrete root finding and is generally believed to be hard
to solve... 125
Slide 126
January 6, 2011Practical Aspects of Modern Cryptography The
Fundamental Equation Z=Y X mod N unless the factorization of N is
known. 126
Slide 127
January 6, 2011Practical Aspects of Modern Cryptography The
Fundamental Equation Z=Y X mod N The problem is not well-studied
for the case when N is unknown. 127
Slide 128
January 6, 2011Practical Aspects of Modern Cryptography
Implementation Z=Y X mod N 128
Slide 129
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N 129
Slide 130
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Compute Y X and then reduce mod N. 130
Slide 131
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Compute Y X and then reduce mod N. If X, Y, and N
each are 2,048-bit integers, Y X consists of ~2 2059 bits. 131
Slide 132
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Compute Y X and then reduce mod N. If X, Y, and N
each are 2,048-bit integers, Y X consists of ~2 2059 bits. Since
there are roughly 2 250 particles in the universe, storage is a
problem. 132
Slide 133
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N 133
Slide 134
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Repeatedly multiplying by Y (followed each time
by a reduction modulo N) X times solves the storage problem.
134
Slide 135
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Repeatedly multiplying by Y (followed each time
by a reduction modulo N) X times solves the storage problem.
However, we would need to perform ~2 900 64-bit multiplications per
second to complete the computation before the sun burns out.
135
Slide 136
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N 136
Slide 137
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Multiplication by Repeated Doubling 137
Slide 138
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Multiplication by Repeated Doubling To compute X
Y, 138
Slide 139
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Multiplication by Repeated Doubling To compute X
Y, compute Y, 2Y, 4Y, 8Y, 16Y, 139
Slide 140
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Multiplication by Repeated Doubling To compute X
Y, compute Y, 2Y, 4Y, 8Y, 16Y, and sum up those values dictated by
the binary representation of X. 140
Slide 141
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Multiplication by Repeated Doubling To compute X
Y, compute Y, 2Y, 4Y, 8Y, 16Y, and sum up those values dictated by
the binary representation of X. Example: 26Y = 2Y + 8Y + 16Y.
141
Slide 142
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N 142
Slide 143
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Exponentiation by Repeated Squaring 143
Slide 144
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Exponentiation by Repeated Squaring To compute Y
X, 144
Slide 145
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Exponentiation by Repeated Squaring To compute Y
X, compute Y, Y 2, Y 4, Y 8, Y 16, 145
Slide 146
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Exponentiation by Repeated Squaring To compute Y
X, compute Y, Y 2, Y 4, Y 8, Y 16, and multiply those values
dictated by the binary representation of X. 146
Slide 147
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N Exponentiation by Repeated Squaring To compute Y
X, compute Y, Y 2, Y 4, Y 8, Y 16, and multiply those values
dictated by the binary representation of X. Example: Y 26 = Y 2 Y 8
Y 16. 147
Slide 148
January 6, 2011Practical Aspects of Modern Cryptography How to
compute Y X mod N We can now perform a 2,048-bit modular
exponentiation using ~3,072 2,048-bit modular multiplications.
2,048 squarings: y, y 2, y 4, , y 2 2048 ~1024 ordinary
multiplications 148
Slide 149
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Operations Addition and Subtraction Multiplication
Division and Remainder (Mod N) Exponentiation 149
Slide 150
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Addition + 150
Slide 151
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Addition + 151
Slide 152
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Addition + 152
Slide 153
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Addition + 153
Slide 154
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Addition + 154
Slide 155
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Addition + 155
Slide 156
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Addition In general, adding two large integers each
consisting of n small blocks requires O(n) small-integer additions.
Large-integer subtraction is similar. 156
Slide 157
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Multiplication 157
Slide 158
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Multiplication 158
Slide 159
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Multiplication 159
Slide 160
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Multiplication 160
Slide 161
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Multiplication 161
Slide 162
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Multiplication 162
Slide 163
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Multiplication In general, multiplying two large
integers each consisting of n small blocks requires O(n 2 )
small-integer multiplications and O(n) large-integer additions.
163
Slide 164
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Squaring 164
Slide 165
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Squaring 165
Slide 166
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Squaring 166
Slide 167
January 6, 2011Practical Aspects of Modern Cryptography
Large-Integer Squaring Careful bookkeeping can save nearly half of
the small-integer multiplications (and nearly half of the time).
167
Slide 168
January 6, 2011Practical Aspects of Modern Cryptography Recall
computing Y X mod N About 2/3 of the multiplications required to
compute Y X are actually squarings. Overall, efficient squaring can
save about 1/3 of the small multiplications required for modular
exponentiation. 168
Slide 169
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD
169
Slide 170
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given
4 coefficients A, B, C, and D, 170
Slide 171
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given
4 coefficients A, B, C, and D, we need to compute 3 values:
171
Slide 172
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given
4 coefficients A, B, C, and D, we need to compute 3 values: AC,
AD+BC, and BD. 172
Slide 173
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given
4 coefficients A, B, C, and D, we need to compute 3 values: AC,
AD+BC, and BD. 173
Slide 174
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given
4 coefficients A, B, C, and D, we need to compute 3 values: AC,
AD+BC, and BD. 174
Slide 175
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD Given
4 coefficients A, B, C, and D, we need to compute 3 values: AC,
AD+BC, and BD. 175
Slide 176
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition 176
Slide 177
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition 177
Slide 178
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition 178
Slide 179
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition 179
Slide 180
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition 180
Slide 181
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition 181
Slide 182
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition 182
Slide 183
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD 183
Slide 184
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 184
Slide 185
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 185
Slide 186
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 186
Slide 187
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 187
Slide 188
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 188
Slide 189
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 189
Slide 190
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 190
Slide 191
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 191
Slide 192
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 192
Slide 193
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (Ax+B)(Cx+D) = ACx 2 + (AD+BC)x + BD 4
multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 193
Slide 194
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication This can be done on integers as well as on
polynomials, but its not as nice on integers because of carries.
The larger the integers, the larger the benefit. 194
Slide 195
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication (A 2 k +B)(C 2 k +D) = AC 2 2k + (AD+BC) 2
k + BD 4 multiplications, 1 addition (A+B)(C+D) = AC + AD + BC + BD
(A+B)(C+D) AC BD = AD + BC 3 multiplications, 2 additions, 2
subtractions 195
Slide 196
January 6, 2011Practical Aspects of Modern Cryptography Chinese
Remaindering If X = A mod P, X = B mod Q, and gcd(P,Q) = 1, then X
mod PQ can be computed as X = AQ(Q -1 mod P) + BP(P -1 mod Q).
196
Slide 197
January 6, 2011Practical Aspects of Modern Cryptography Chinese
Remaindering If N = PQ, then a computation mod N can be
accomplished by performing the same computation mod P and again mod
Q and then using Chinese Remaindering to derive the answer to the
mod N computation. 197
Slide 198
January 6, 2011Practical Aspects of Modern Cryptography Chinese
Remaindering Since modular exponentiation of n-bit integers
requires O(n 3 ) time, performing two modular exponentiations on
half size values requires only about one quarter of the time of a
single n-bit modular exponentiation. 198
Slide 199
January 6, 2011Practical Aspects of Modern Cryptography Modular
Reduction Generally, computing (A B) mod N requires much more than
twice the time to compute A B. 199
Slide 200
January 6, 2011Practical Aspects of Modern Cryptography Modular
Reduction Generally, computing (A B) mod N requires much more than
twice the time to compute A B. Large-integer division is 200
Slide 201
January 6, 2011Practical Aspects of Modern Cryptography Modular
Reduction Generally, computing (A B) mod N requires much more than
twice the time to compute A B. Large-integer division is slow
201
Slide 202
January 6, 2011Practical Aspects of Modern Cryptography Modular
Reduction Generally, computing (A B) mod N requires much more than
twice the time to compute A B. Large-integer division is slow
cumbersome 202
Slide 203
January 6, 2011Practical Aspects of Modern Cryptography Modular
Reduction Generally, computing (A B) mod N requires much more than
twice the time to compute A B. Large-integer division is slow
cumbersome disgusting 203
Slide 204
January 6, 2011Practical Aspects of Modern Cryptography Modular
Reduction Generally, computing (A B) mod N requires much more than
twice the time to compute A B. Large-integer division is slow
cumbersome disgusting wretched 204
Slide 205
January 6, 2011Practical Aspects of Modern Cryptography The
Montgomery Method The Montgomery Method performs a domain transform
to a domain in which the modular reduction operation can be
achieved by multiplication and simple truncation. Since a single
modular exponentiation requires many modular multiplications and
reductions, transforming the arguments is well justified. 205
Slide 206
January 6, 2011Practical Aspects of Modern Cryptography
Montgomery Multiplication Let A, B, and M be n-block integers
represented in base x with 0 M x n. Let R = x n. GCD(R,M) = 1. The
Montgomery Product of A and B modulo M is the integer ABR 1 mod M.
Let M = M 1 mod R and S = ABM mod R. Fact: (AB+SM)/R ABR 1 (mod M).
206
Slide 207
January 6, 2011Practical Aspects of Modern Cryptography Using
the Montgomery Product The Montgomery Product ABR 1 mod M can be
computed in the time required for two ordinary large-integer
multiplications. Montgomery transform: A AR mod M. The Montgomery
product of (AR mod M) and (BR mod M) is (ABR mod M). 207
Slide 208
January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions Z=Y X mod N 208
Slide 209
January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions Informally, F : X Y is a one-way if Given x, y = F(x) is
easily computable. Given y, it is difficult to find any x for which
y = F(x). 209
Slide 210
January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions The family of functions F Y,N (X) = Y X mod N is believed
to be one-way for most N and Y. 210
Slide 211
January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions The family of functions F Y,N (X) = Y X mod N is believed
to be one-way for most N and Y. No one has ever proven a function
to be one-way, and doing so would, at a minimum, yield as a
consequence that P NP. 211
Slide 212
January 6, 2011Practical Aspects of Modern Cryptography One-Way
Functions When viewed as a two-argument function, the (candidate)
one-way function F N (Y,X) = Y X mod N also satisfies a useful
additional property which has been termed quasi-commutivity:
F(F(Y,X 1 ),X 2 ) = F(F(Y,X 2 ),X 1 ) since Y X 1 X 2 = Y X 2 X 1.
212
Slide 213
January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange AliceBob 213
Slide 214
January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange Alice Randomly select a large integer a
and send A = Y a mod N. Bob Randomly select a large integer b and
send B = Y b mod N. 214
Slide 215
January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange Alice Bob A B 215
Slide 216
January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange Alice Randomly select a large integer a
and send A = Y a mod N. Bob Randomly select a large integer b and
send B = Y b mod N. 216
Slide 217
January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange Alice Randomly select a large integer a
and send A = Y a mod N. Compute the key K = B a mod N. Bob Randomly
select a large integer b and send B = Y b mod N. Compute the key K
= A b mod N. 217
Slide 218
January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange Alice Randomly select a large integer a
and send A = Y a mod N. Compute the key K = B a mod N. Bob Randomly
select a large integer b and send B = Y b mod N. Compute the key K
= A b mod N. B a = Y ba = Y ab = A b 218
Slide 219
January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange 219
Slide 220
January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange What does Eve see? 220
Slide 221
January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange What does Eve see? Y, Y a, Y b 221
Slide 222
January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange What does Eve see? Y, Y a, Y b but the
exchanged key is Y ab. 222
Slide 223
January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange What does Eve see? Y, Y a, Y b but the
exchanged key is Y ab. Belief: Given Y, Y a, Y b it is difficult to
compute Y ab. 223
Slide 224
January 6, 2011Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange What does Eve see? Y, Y a, Y b but the
exchanged key is Y ab. Belief: Given Y, Y a, Y b it is difficult to
compute Y ab. Contrast with discrete logarithm assumption: Given Y,
Y a it is difficult to compute a. 224
Slide 225
January 6, 2011Practical Aspects of Modern Cryptography More on
Quasi-Commutivity Quasi-commutivity has additional applications.
decentralized digital signatures membership testing digital
time-stamping 225
Slide 226
January 6, 2011Practical Aspects of Modern Cryptography One-Way
Trap-Door Functions Z=Y X mod N 226
Slide 227
January 6, 2011Practical Aspects of Modern Cryptography One-Way
Trap-Door Functions Z=Y X mod N Recall that this equation is
solvable for Y if the factorization of N is known, but is believed
to be hard otherwise. 227
Slide 228
January 6, 2011Practical Aspects of Modern Cryptography RSA
Public-Key Cryptosystem AliceAnyone 228
Slide 229
January 6, 2011Practical Aspects of Modern Cryptography RSA
Public-Key Cryptosystem Alice Select two large random primes P
& Q. Anyone 229
Slide 230
January 6, 2011Practical Aspects of Modern Cryptography RSA
Public-Key Cryptosystem Alice Select two large random primes P
& Q. Publish the product N=PQ. Anyone 230
Slide 231
January 6, 2011Practical Aspects of Modern Cryptography RSA
Public-Key Cryptosystem Alice Select two large random primes P
& Q. Publish the product N=PQ. Anyone To send message Y to
Alice, compute Z=Y X mod N. 231
Slide 232
January 6, 2011Practical Aspects of Modern Cryptography RSA
Public-Key Cryptosystem Alice Select two large random primes P
& Q. Publish the product N=PQ. Anyone To send message Y to
Alice, compute Z=Y X mod N. Send Z and X to Alice. 232
Slide 233
January 6, 2011Practical Aspects of Modern Cryptography RSA
Public-Key Cryptosystem Alice Select two large random primes P
& Q. Publish the product N=PQ. Use knowledge of P & Q to
compute Y. Anyone To send message Y to Alice, compute Z=Y X mod N.
Send Z and X to Alice. 233
Slide 234
January 6, 2011Practical Aspects of Modern Cryptography RSA
Public-Key Cryptosystem In practice, the exponent X is almost
always fixed to be X = 65537 = 2 16 + 1. 234
Slide 235
January 6, 2011Practical Aspects of Modern Cryptography Some
RSA Details When N=PQ is the product of distinct primes, Y X mod N
= Y whenever X mod (P-1)(Q-1) = 1 and 0 Y N. 235
Slide 236
January 6, 2011Practical Aspects of Modern Cryptography Some
RSA Details When N=PQ is the product of distinct primes, Y X mod N
= Y whenever X mod (P-1)(Q-1) = 1 and 0 Y N. Alice can easily
select integers E and D such that E D mod (P-1)(Q-1) = 1. 236
Slide 237
January 6, 2011Practical Aspects of Modern Cryptography Some
RSA Details Encryption: E(Y) = Y E mod N. Decryption: D(Y) = Y D
mod N. D(E(Y)) = (Y E mod N) D mod N = Y ED mod N = Y 237
Slide 238
January 6, 2011Practical Aspects of Modern Cryptography RSA
Signatures 238
Slide 239
January 6, 2011Practical Aspects of Modern Cryptography RSA
Signatures An additional property 239
Slide 240
January 6, 2011Practical Aspects of Modern Cryptography RSA
Signatures An additional property D(E(Y)) = Y ED mod N = Y 240
Slide 241
January 6, 2011Practical Aspects of Modern Cryptography RSA
Signatures An additional property D(E(Y)) = Y ED mod N = Y E(D(Y))
= Y DE mod N = Y 241
Slide 242
January 6, 2011Practical Aspects of Modern Cryptography RSA
Signatures An additional property D(E(Y)) = Y ED mod N = Y E(D(Y))
= Y DE mod N = Y Only Alice (knowing the factorization of N) knows
D. Hence only Alice can compute D(Y) = Y D mod N. 242
Slide 243
January 6, 2011Practical Aspects of Modern Cryptography RSA
Signatures An additional property D(E(Y)) = Y ED mod N = Y E(D(Y))
= Y DE mod N = Y Only Alice (knowing the factorization of N) knows
D. Hence only Alice can compute D(Y) = Y D mod N. This D(Y) serves
as Alices signature on Y. 243
Slide 244
January 6, 2011Practical Aspects of Modern Cryptography Public
Key Directory 244
Slide 245
January 6, 2011Practical Aspects of Modern Cryptography Public
Key Directory (Recall that E is commonly fixed to be E=65537.)
245
Slide 246
January 6, 2011Practical Aspects of Modern Cryptography
Certificate Authority Alices public modulus is N A = 331490324840
-- signed CA. 246
Slide 247
January 6, 2011Practical Aspects of Modern Cryptography Trust
Chains Alice certifies Bobs key. Bob certifies Carols key. If I
trust Alice should I accept Carols key? 247
Slide 248
January 6, 2011Practical Aspects of Modern Cryptography
Authentication 248
Slide 249
January 6, 2011Practical Aspects of Modern Cryptography
Authentication How can I use RSA to authenticate someones identity?
249
Slide 250
January 6, 2011Practical Aspects of Modern Cryptography
Authentication How can I use RSA to authenticate someones identity?
If Alices public key E A, just pick a random message m and send E A
(m). 250
Slide 251
January 6, 2011Practical Aspects of Modern Cryptography
Authentication How can I use RSA to authenticate someones identity?
If Alices public key E A, just pick a random message m and send E A
(m). If m comes back, I must be talking to Alice. 251
Slide 252
January 6, 2011Practical Aspects of Modern Cryptography
Authentication Should Alice be happy with this method of
authentication? 252
Slide 253
January 6, 2011Practical Aspects of Modern Cryptography
Authentication Should Alice be happy with this method of
authentication? Bob sends Alice the authentication string y = I owe
Bob $1,000,000 - signed Alice. 253
Slide 254
January 6, 2011Practical Aspects of Modern Cryptography
Authentication Should Alice be happy with this method of
authentication? Bob sends Alice the authentication string y = I owe
Bob $1,000,000 - signed Alice. Alice dutifully authenticates
herself by decrypting (putting her signature on) y. 254
Slide 255
January 6, 2011Practical Aspects of Modern Cryptography
Authentication What if Alice only returns authentication queries
when the decryption has a certain format? 255
Slide 256
January 6, 2011Practical Aspects of Modern Cryptography RSA
Cautions Is it reasonable to sign/decrypt something given to you by
someone else? Note that RSA is multiplicative. Can this property be
used/abused? 256
Slide 257
January 6, 2011Practical Aspects of Modern Cryptography RSA
Cautions D(Y 1 ) D(Y 2 ) = D(Y 1 Y 2 ) Thus, if Ive decrypted (or
signed) Y 1 and Y 2, Ive also decrypted (or signed) Y 1 Y 2.
257
Slide 258
January 6, 2011Practical Aspects of Modern Cryptography The
Hastad Attack Given E 1 (x) = x 3 mod n 1 E 2 (x) = x 3 mod n 2 E 3
(x) = x 3 mod n 3 one can easily compute x. 258
Slide 259
January 6, 2011Practical Aspects of Modern Cryptography The
Bleichenbacher Attack PKCS#1 Message Format: 00 01 XX XX... XX 00
YY YY... YY random non-zero bytes message 259
Slide 260
January 6, 2011Practical Aspects of Modern Cryptography
Man-in-the-Middle Attacks 260
Slide 261
January 6, 2011Practical Aspects of Modern Cryptography The
Practical Side 261
Slide 262
January 6, 2011Practical Aspects of Modern Cryptography The
Practical Side RSA can be used to encrypt any data. 262
Slide 263
January 6, 2011Practical Aspects of Modern Cryptography The
Practical Side RSA can be used to encrypt any data. Public-key
(asymmetric) cryptography is very inefficient when compared to
traditional private-key (symmetric) cryptography. 263
Slide 264
January 6, 2011Practical Aspects of Modern Cryptography The
Practical Side 264
Slide 265
January 6, 2011Practical Aspects of Modern Cryptography The
Practical Side For efficiency, one generally uses RSA (or another
public-key algorithm) to transmit a private (symmetric) key.
265
Slide 266
January 6, 2011Practical Aspects of Modern Cryptography The
Practical Side For efficiency, one generally uses RSA (or another
public-key algorithm) to transmit a private (symmetric) key. The
private session key is used to encrypt any subsequent data.
266
Slide 267
January 6, 2011Practical Aspects of Modern Cryptography The
Practical Side For efficiency, one generally uses RSA (or another
public-key algorithm) to transmit a private (symmetric) key. The
private session key is used to encrypt any subsequent data. Digital
signatures are only used to sign a digest of the message. 267