Public-Key Encryption: ElGamal, RSA, Rabin
|
|
- Maude Reed
- 6 years ago
- Views:
Transcription
1 Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester,
2 Public-Key Encryption Syntax Encryption algorithm: E. Decryption algorithm: D. Encryption key pk. Decryption key sk. Key-Generation algorithm KG, generates encryption/decryption keys according to a given security parameter 1 k. Message space M. Consistency: For every message m M and keys (pk, sk): D sk (E pk (m)) = m. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
3 Public-Key Encryption Usage Alice Generate sk, pk. m = D sk (c) pk c = E pk (m) Eve m =? Bob: message m c = E pk (m) Remark: Alice s key may also be published in some public domain (e.g., website). Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
4 Security: Ciphertext Indistinguishability (GM 82) For any pair of different messages m 0 and m 1 of equal length: The ciphertexts c 0 and c 1 should be (t, ɛ) computationally indistinguishable. Experiment 0 Let (sk, pk) R KG Output c 0 = E pk (m 0 ) t,ɛ Experiment 1 Let (sk, pk) R KG Output c 1 = E pk (m 1 ) Pr[A(pk, c 0 ) = accept] Pr[A(pk, c 1 ) = accept] < ɛ, for any adversary A of complexity at most t. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
5 Security Remarks The above also guarantees security against Chosen-Plaintext-Attacks. Why? The encryption algorithm E must be probabilistic! Why? Experiment 0 Let (sk, pk) R KG Output c 0 = E pk (m 0 ) t,ɛ Experiment 1 Let (sk, pk) R KG Output c 1 = E pk (m 1 ) Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
6 ElGamal Public Key Cryptosystem We are now going to describe a second PKC, designed by Taher ElGamal in 1985 (he was with Netscape at the time). ElGammal PKC is based on the difficulty of finding discrete logs in finite fields, and more specifically on the Diffie and Hellman key exchange assumption. We will start by reviewing Diffie-Hallman, then move to ElGamal. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
7 Reminder: Diffie-Hellman key-exchange Public parameters: a generator g of a cyclic group G of prime order q. Alice a R {1,..., q} A = g a B = g b Compute B a Correctness: A b = B a = g ab. Bob b R {1,..., q} Compute A b Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
8 ElGamal As a Public-Key Encryption Public parameters: Generator g of a cyclic group G of prime order q. Key-Generation: Let a R {1,..., q} be the secret-key and let A = g a be the public-key. Message space G. Encryption: Choose b R {1,..., q}, output g b, A b m. Decryption: Given (B, C) output C/C a. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
9 Elgamal Cryptosystem Use of Randomization Encryption is randomized: m (g b, ma b ). Alice should use a new, independent b for every encryption. Even if same m is sent twice, different b must be used. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
10 Elgamal Cryptosystem Efficiency Encryption takes two modular exponentiations. Decryption takes one modular exponentiation. Ciphertext, (g k, ma k ), is twice as long as plaintext m. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
11 ElGamal CPA Security DDH-Assumption For random a, b, c R {1,..., q}, (g, g a, g b, g ab ) t,ɛ (g, g a, g b, g c ) Theorem Assuming the (t, ɛ) DDH-assumption, ElGamal is (t s, 2ɛ)-secure encryption scheme, where s is the complexity of multiplication in G. Think of t as very large (exponential in security parameter) and s as very small (polynomial in security parameter). Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
12 ElGamal Concrete Instantiation We will instantiate the scheme over a group in which DDH holds. Examples: Let p be a large prime (1024 bits, say) of the form p = 2q + 1 (aka safe prime ) where q is a prime and let G be the subgroup of quadratic residue QR p. Groups defined over Elliptic curves. (Allow to use shorter keys). Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
13 Elgamal is multiplicative Given E a (m) = (c 1, c 2 ) = (g b, ma b ), E a (m ) = (c 1, c 2 ) = (gb, m A b ), can easily obtain E a (m m ) = (c 1 c 1, c 2c 2 ) = (gb+b, m m A b+b ) (without knowing any secret information). We ll see that this is very useful feature. But may also leads to attacks Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
14 Is Elgamal secure against Chosen Ciphertext Attacks? Cryptosystem is vulnerable to chosen ciphertext attacks (CCA). Given E(m) = (c 1, c 2 ) = (g b, ma b ), Attacker chooses a random s, computes (c 1, s c 2 ) = (g b, s ma b ) Attacker asks for decryption of (c 1, s c 2 ), which equals s m, from which m is easily recovered. There is a variant of ElGamal, due to Cramer and Shoup, which is CCA-secure. The computational overhead is only few extra exponentiations! (We may cover this in the future... ) Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
15 Factoring Related Schemes Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
16 Integer Multiplication & Factoring as a One Way Function. Multiplying two n bit prime numbers takes time O(n 2 ). Finding a random n bit long prime, and verifying its primality, is easy. (We will see in the next lessons). Factoring an n bit number takes time 2 c n1/3 (using the currently best algorithm). Easy: p, q m = p q Hard: m = p q p, q (integer multiplication). (integer factorization). Question: Can public key cryptosystem be based on this observation? Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
17 The Multiplicative Group Z pq Let p, q be two large primes. Denote their product m = p q. The multiplicative group Z m = Z pq contains all integers in the range [1... pq 1] that are relatively prime to both p and q. The size (order) of the group is ϕ(pq) = (p 1) (q 1) = m (p + q) + 1. So for every Z pq, x (p 1) (q 1) = 1 (mod pq). Corollary: Z pq has no multiplicative generators. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
18 The structure of Z pq Consider the mapping f from Z pq to Z p Z q defined by f : x (x mod p, x mod q). Lemma 1: f is onto. Algorithmic Proof: Given (u, v) Z p Z q find x s.t f(x) = (u, v). (Chinese Reminder Theorem 300 BC): Suppose that there are integers a and b such that a = p 1 and a = q 0 b = p 0 and b = q 1 Then x = [(ua + vb) mod(pq)]. How to find a and b? a = q inv(q, p) and b = p inv(p, q), where inv(q, p) is the inverse of q modulo p. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
19 The structure of Z pq Consider the mapping f from Z pq to Z p Z q defined by f : x (x mod p, x mod q). Lemma 1: f is onto. Lemma 2: f is one-to-one and preserves group operation: For every x, y Z pq it holds (x pq y) mod p = (x mod p) p (y mod p) (x pq y) mod q = (x mod q) q (y mod q) Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
20 The structure of Z pq Consider the mapping f from Z pq to Z p Z q defined by f : x (x mod p, x mod q). Lemma 1: f is onto. Lemma 2: f is one-to-one and preserves group operation: Corollary: The group Z pq is isomorphic to Z p Z q. Given p, q, the isomorphism is efficiently computable and invertible. Remarks: f also defines additive isomorphism: Z pq =Zp Z q. The proof generalizes to: Z m =Z p e Z p e k k. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
21 Computations in Z pq Given m = pq we can efficiently (time polynomial in log n): multiply (a, b) a pq b add (a, b) a + pq b invert a a 1 (how?) exponentiate (a, e) a e Hard problems: Factor m. Compute the order ϕ(m) = (p 1)(q 1). Extract the e-th root of y. Remark: In terms of hardness: factoring is essentially equivalent to computing order, while extracting roots is potentially easier. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
22 Computing the group order is as hard as factoring Clearly, it is easy to compute ϕ(m), given the factorization of m. The other direction holds as well. Claim Let m = pq. Given m and ϕ(m), it is easy to factor m. Hence, computing m ϕ(m) is computationally equivalent to factoring. Remark: Computing a multiple of ϕ(m) is also as hard as factoring. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
23 Exponentiation in Z pq Let e be an integer, 1 < e < (p 1) (q 1). Question: When is exponentiation to the e-th power, x x e, a one-to-one operation in Z pq? Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
24 Exponentiation in Z pq Claim: If e is relatively prime to ϕ(m) = (p 1) (q 1), then x x e, a one-to-one operation in Z pq. Constructive Proof: Since gcd(e, (p 1) (q 1)) = 1, e has a multiplicative inverse mod (p 1) (q 1). Denote this inverse by d, then ed = 1 + C(p 1)(q 1), where C is an integer. Denote y = x e, then y d = (x e ) d = x ed = x 1+C(p 1)(q 1) = x. This means that y y d is the inverse operation of x x e. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
25 Exponentiation as a trapdoor permutation RSA Assumption Let m = pq be the product of two random primes, and let e be relatively prime to ϕ(m) = (p 1) (q 1), then x x e is one-way permutation over Z m. Useful observation: The function has a secret trapdoor (d the inverse of e modulo ϕ(m)) which allows inversion! Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
26 The RSA Public-Key Cryptosystem Alice s private information: two large primes p, q. Public information: Their product, m = p q. An integer e that is relatively prime to ϕ(m) = (p 1) (q 1). Messages P are elements in Z m, namely numbers in [1,..., m 1]. To encrypt P, compute C = P e (mod m), and send C to Bob. To decrypt C, Alice computes C d = P d e = P (mod m), where d e = 1 (mod ϕ(m)). Remark: d can be computed once and for all, and then kept as part of the public-key. The above mentioned method should not be confused with the exponentiation technique presented by Diffie and Hellman to solve the key distribution problem Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
27 The RSA Public Key Cryptosystem (MIT, 1978) Rivest (still at MIT), Shamir (now at Weizmann Inst.), and Adelman (now at USC), some 30 years ago. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
28 Constructing an Instance of RSA Public Key Cryptosystem Alice picks at random two large primes p, q. Alice picks an integer e that is relatively prime to ϕ(m) = (p 1) (q 1). This does not have to be random or large. Alice computes d such that ed = 1 (mod (p 1)(q 1)). Let m = p q be the product of both primes. Alice publishes the public key m, e. Alice keeps the private key d, as well as the primes p, q and the number ϕ(m) in a safe place. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
29 A Small Example Let p = 47, q = 59, N = pq = Then ϕ(n) = = Pick e = 17, then = 1, so d = 157 is the inverse of e = 17 mod e = 17 is in binary. For N = 2773 we can encode two letters per block, using a two digit number per letter: blank=00, A=01, B=02,...,Z=26. The message: ITS ALL GREEK TO ME is encoded as Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
30 A Small Example (cont.) N = 2773, e = 17 (10001 in binary). The message: ITS ALL GREEK TO ME is encoded as Message is encrypted block by block. First block is P 1 = It encrypts to P e 1 = P 17 1 = (((P 2 1 )2 ) 2 ) 2 P 1 = 948 (mod 2773). The whole message (ten blocks) ids encrypted as Indeed C d 1 = = 920 (mod 2773), etc. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
31 A Slightly Larger Example Let p = , q = , N = pq = Then ϕ(n) = (p 1)(q 1) = ( ) ( ). Pick e = , d = e 1 mod (p 1)(q 1) = For Message= we can compute and verify, using e.g. Sage, that for Cipher=Message e mod N, indeed Cipher d mod N=Message. It is worthwhile doing similar computations by yourselves. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
32 How Strong is RSA? If Eve could factor pq then she obtains all private information of Alice. Hence inverting RSA cannot be harder than factoring. How hard is it to compute the secret key, d, from the public information m, e? If Eve can find d, then she can compute ed 1. This is a multiple of ϕ(m) = (p 1)(q 1). Gary Miller has proved that such multiple enables factoring m. You ll show this in the HW as well. Does this imply that inverting RSA is equivalent to factoring? The equivalence of the RSA assumption to factoring is a famous open question. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
33 How Strong is RSA (the down-to-earth version ) Original in thanks to Elad Liebman for pointing this out Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
34 One-way security Problem: RSA is a Deterministic Encryption! Hence, it cannot satisfy our notion of security (ciphertext indistinguishability). The original version of RSA is a trapdoor permutation, and therefore satisfies a weak form of one-wayness security: Definition (One-way security) A public-key encryption scheme (KG, E, D) is (t, ɛ) one-way if: Pr [A(pk, E pk (x)) = x] ɛ, x M,(sk,pk) R KG R for every adversary A of complexity t. There are several ways to upgrade one-way security to ciphertext-indistinguishability. For now, we ignore this issue and focus on the properties of RSA as a trapdoor permutation, which is a useful building block. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
35 RSA is multiplicative RSA is multiplicative (aka homomorphic): Let P 1, P 2 be two plaintext blocks. Then E(P 1 P 2 ) = E(P 1 ) E(P 2 ). This immediately implies that RSA does not behave like a pseudo random function (these are not multiplicative). Multiplicativity implies volnurability to chosen ciphertext attacks. Given a ciphertext C = P e (mod m), choose at random R and compute C = CR e (mod m), which is an encryption of P R, a random looking text. A decryption of C = CR e (mod m) will reveal P (after one division mod m). Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
36 Using CRT to Speed Up RSA Decryption CRT preprocessing (done once): Given p, q, compute a, b such that ap + bq = 1. Define A = ap, B = bq (coefficients of Chinese remainder theorem for p and q). Decryption, on input C: Originally, Alice computed C d = P d e = P (mod m). Now, Alice computes y 1 = C d (mod p 1) (mod p). And also y 2 = C d (mod q 1) (mod q). Finally, Alice computes P = Ay1 + By 2 (mod m). This yields a non negligible saving (factor 4) in decryption runtime essentially we deal with two half size exponentiations. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
37 Using a Small Exponent to Speed Up RSA Encryption The public exponent, e, can be small This will substantially improve efficiency of encryption. It does not mean that the private exponent, d, is small too. Neither does it seem to make it easier to derive d. Small public exponents are used in practice. Most popular values are either 3 or The public exponent, e and ϕ(m) = (p 1)(q 1) should still be relatively prime. For e = 3 this means 3 should divide neither p 1 nor q 1. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
38 Using a Small Exponent to Speed Up RSA Encryption (2) Small exponents are fine for sending a single message to a single user, Bob. But they are vulnerable if the same message is to be sent to multiple users. For example, suppose Bob, Bobi, and Bubchek are all using e = 3 (with public moduli m 1, m 2, m 3, respectively). Alice wishes to send the plaintext message P to each of them. She encrypts the plaintext message P and sends P 3 (mod m 1 ), P 3 (mod m 2 ), P 3 (mod m 3 ). Notice that P < m 1, m 2, m 3, and thus P 3 < m 1 m 2 m 3. Denote x = P 3 (as an integer, not modulo anything). Eve heard x (mod m 1 ), x (mod m 2 ), x (mod m 3 ). She also knows that x < m 1 m 2 m 3. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
39 Using a Small Exponent to Speed Up RSA Encryption (3) Eve heard x (mod m 1 ), x (mod m 2 ), x (mod m 3 ). She also knows that x < m 1 m 2 m 3. m 1, m 2, m 3 are pairwise relatively prime. Hence, Eve can efficiently compute y = x (mod m 1 m 2 m 3 ). (How?) But since x < m 1 m 2 m 3, this implies that y = x (over the integers!). Therefore Eve now holds P 3 = x without any modular subtractions. Computing cubic roots over the integers is easy. So Eve finds P and successfully retrieves the plaintext. Is this a weakness of small exponent RSA? No! It is a weakness in the manner small exponent RSA was used. In general, if we have cryptographic building blocks that are secure on their own, this does not mean we can compose or interleave them any way we want, and still maintain security. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
40 Random Self Reducibility of RSA Let m = pq, e be a given RSA modulus, of length n bits, plus a RSA exponent. Suppose A is an deterministic n c time algorithm which, on input E(x) = x e (mod m), outputs x for εm of the inputs in Z m. Then A can be converted into a randomized ε 1 n c expected time algorithm, R which, on input E(x) = x e (mod m), outputs x for all the inputs in Z m. Whenever R terminates, it gives the correct output x. Proof: on board (easy). Consequence: For a given m = pq and e, inverting RSA is either hard everywhere or easy everywhere. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
41 Random Padding (aka Salting ) of RSA Padding the message by a block of random bits: Suppose the length of pq is n bits. Use l bits for the message P, concatenate with n l random bits string, r: E(r P ) = (r P ) e (mod pq). Padding reduces the information rate, but increases security. It can be shown that if n l is very large, then padded RSA satisfies ciphertext indistinguishability (under the RSA assumption). Of course for security to hold, pad must be random. Choosing r = hello world, or any other fixed text, is not a good practice. For protection against chosen ciphertext attack, a combination of fixed and random padding was proposed by RSA labs: Let P be a l bit long message. Pad and encrypt by ( r P ) e (mod pq). Fixed parts of pad intended to foil multiplication attacks. Unfortunately, some chosen ciphertext attacks were later found. Still, scheme is being used. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 6 Fall Semester, / 41
Introduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationIntroduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions
Introduction to Modern Cryptography Lecture 7 1. RSA Public Key CryptoSystem 2. One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bob s secret key K to two parts:
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationCryptography. P. Danziger. Transmit...Bob...
10.4 Cryptography P. Danziger 1 Cipher Schemes A cryptographic scheme is an example of a code. The special requirement is that the encoded message be difficult to retrieve without some special piece of
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More information8.1 Principles of Public-Key Cryptosystems
Public-key cryptography is a radical departure from all that has gone before. Right up to modern times all cryptographic systems have been based on the elementary tools of substitution and permutation.
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationDiscrete Mathematics GCD, LCM, RSA Algorithm
Discrete Mathematics GCD, LCM, RSA Algorithm Abdul Hameed http://informationtechnology.pk/pucit abdul.hameed@pucit.edu.pk Lecture 16 Greatest Common Divisor 2 Greatest common divisor The greatest common
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationPublic-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP Diffie-Hellman Key-exchange Secure under DDH: (g x,g x,g xy ) (g x,g x,g r ) Random x {0,..,
More informationTheory of Computation Chapter 12: Cryptography
Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption
More informationduring transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL
THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationMy brief introduction to cryptography
My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationMath/Mthe 418/818. Review Questions
Math/Mthe 418/818 Review Questions 1. Show that the number N of bit operations required to compute the product mn of two integers m, n > 1 satisfies N = O(log(m) log(n)). 2. Can φ(n) be computed in polynomial
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More information10 Modular Arithmetic and Cryptography
10 Modular Arithmetic and Cryptography 10.1 Encryption and Decryption Encryption is used to send messages secretly. The sender has a message or plaintext. Encryption by the sender takes the plaintext and
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationIntroduction to Public-Key Cryptosystems:
Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
More informationCryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1
Cryptography CS 555 Topic 18: RSA Implementation and Security Topic 18 1 Outline and Readings Outline RSA implementation issues Factoring large numbers Knowing (e,d) enables factoring Prime testing Readings:
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationTHE CUBIC PUBLIC-KEY TRANSFORMATION*
CIRCUITS SYSTEMS SIGNAL PROCESSING c Birkhäuser Boston (2007) VOL. 26, NO. 3, 2007, PP. 353 359 DOI: 10.1007/s00034-006-0309-x THE CUBIC PUBLIC-KEY TRANSFORMATION* Subhash Kak 1 Abstract. This note proposes
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationCryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups
Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups
More informationLECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS
LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS Modular arithmetics that we have discussed in the previous lectures is very useful in Cryptography and Computer Science. Here we discuss several
More informationCourse 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography
Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationExercise Sheet Cryptography 1, 2011
Cryptography 1 http://www.cs.ut.ee/~unruh/crypto1-11/ Exercise Sheet Cryptography 1, 2011 Exercise 1 DES The Data Encryption Standard (DES) is a very famous and widely used block cipher. It maps 64-bit
More informationMATH3302 Cryptography Problem Set 2
MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International
More informationTheme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS
1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationTopics in Cryptography. Lecture 5: Basic Number Theory
Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating
More informationRSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14
RSA Algorithm http://koclab.org Çetin Kaya Koç Spring 2018 1 / 14 Well-Known One-Way Functions Discrete Logarithm: Given p, g, and x, computing y in y = g x (mod p) is EASY Given p, g, y, computing x in
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationThe security of RSA (part 1) The security of RSA (part 1)
The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 i.e. q = (n φ(n) + 1)
More informationThe RSA cryptosystem and primality tests
Mathematics, KTH Bengt Ek November 2015 Supplementary material for SF2736, Discrete mathematics: The RSA cryptosystem and primality tests Secret codes (i.e. codes used to make messages unreadable to outsiders
More informationECE596C: Handout #11
ECE596C: Handout #11 Public Key Cryptosystems Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract In this lecture we introduce necessary mathematical background for studying
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationCourse MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography
Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2000 2013 Contents 9 Introduction to Number Theory 63 9.1 Subgroups
More informationNotes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationElliptic Curve Cryptography
Elliptic Curve Cryptography Elliptic Curves An elliptic curve is a cubic equation of the form: y + axy + by = x 3 + cx + dx + e where a, b, c, d and e are real numbers. A special addition operation is
More informationOverview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017
CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto
More informationNumber theory (Chapter 4)
EECS 203 Spring 2016 Lecture 12 Page 1 of 8 Number theory (Chapter 4) Review Compute 6 11 mod 13 in an efficient way What is the prime factorization of 100? 138? What is gcd(100, 138)? What is lcm(100,138)?
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 14, 2013 CPSC 467b, Lecture 9 1/42 Integer Division (cont.) Relatively prime numbers, Z n, and φ(n) Computing in Z n
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More information