Cryptography. Lecture 8. Arpita Patra

Transcription

1 Crytograhy Lecture 8 Arita Patra

2 Quick Recall and Today s Roadma >> Hash Functions- stands in between ublic and rivate key world >> Key Agreement >> Assumtions in Finite Cyclic grous - DL, CDH, DDH Grous Finite grous Finite cyclic grous Finite Cyclic grous of rime orders (secial advantages)

3 Division for Modular Arithmetic q If b is invertible modulo N (i.e. b -1 exists) then division by b modulo N is defined as: def [a/b mod N] = [ab -1 mod N] Ø If ab = cb mod N and if b is invertible then a = c mod N v Dividing each side by b (which actually means multilying both sides by b -1 ) q Which integers b are invertible modulo a given modulus N? Proosition: Given integers b and N, with b 1 and N > 1, then b is invertible modulo N if and only if gcd(b, N) = 1 (i.e. b & N are relatively rime). Proof (<=): Inverse finding algorithm (if the number is invertible) --- Extended Euclid (GCD) algorithm Ø Given any b, N, the Extended Euclid algorithm oututs X and Y such that bx + NY = gcd(b, N) Ø If gcd(b, N) = 1 then above equation imlies that bx + NY = 1 Ø Taking mod N both sides gives bx = 1 mod N b -1 = [X mod N]

4 Algorithms for Modular Arithmetic q --- set of integers modulo N: {0, 1,, N - 1} N q Let N = n --- number of bits to reresent N : n = Θ(log N) q Let a, b --- each reresented by at most n bits N Theorem: Given integers N > 1, a and b, it is ossible to erform the following oerations in oly time in a, b and n: >> a mod N >> a+b mod N, a-b mod N, ab mod N >> Determining if a -1 mod N exists (if it exists) >> a -1 mod N (if it exists) >> a b mod N >> Choosing a random element of N

5 Grou Definition(Grou): A grou is a set G along with a binary oeration o satisfying the following axioms : Ø Closure : for every g, h G, the value g o h G Ø Associativity: for every g 1, g 2, g 3 G, (g 1 o g 2 ) o g 3 = g 1 o (g 2 o g 3 ) Ø Existence of Identity Element: there exists an identity element e G, such that for all g G v (e o g) = g = (g o e) Ø Existence of Inverse: for every g G, there exists an element h G, such that v (g o h) = e = (h o g) Definition (Order of a Grou:) If G has finite number of elements, then G denotes the number of elements in G and is called the order of G Definition(Abelian Grou:) If G satisfies the following additional roerty then it is called a commutative (Abelien) grou: For every g, h G, (g o h) = (h o g) Proosition: There exists only one identity element in a grou. Every element in a grou has a unique inverse

6 Grou Theory q The set of integers Z is an abelian grou with resect to the addition oeration (+) Ø Closure and associativity holds Ø The integer 0 is the identity element --- for every integer x, 0 + x = x = x + 0 Ø For every integer x, there exists an integer x, such that x + (-x) = 0 = (-x) + x Ø For any two integers x, y, we have x + y = y + x --- commutativity We are interested only in Finite grous

7 Finite Grous q Finite grous using modular arithmetic. q Define Z N = {0, 1,, N-1} and the oeration + in Z N as Ø Closure, commutative and associativity holds --- trivial to verify def a + b = (a + b) mod N, for every a, b N Ø 0 Z N is the identity element --- for every a Z N, (a + 0) mod N = (0 + a) mod N = a Ø Element (N - a) is additive inverse of a modulo N u Inverse of a will be (N - a) N --- (a + N - a ) mod N = (N - a + a) mod N = 0 q The set Z N = {0, 1,, N-1} is a grou with resect to addition modulo N def q Define oeration in Z N as a b = (ab) mod N, for every a, b N Ø The identity element is 1 as for every a Ø Will every element have an inverse? N, we have (a. 1) = (1. a) = (a mod N) = a u Element 0 will have no inverse --- a Z N such that (a0 mod N) = 1 u Element a will have an inverse if and only if gcd(a, N) = 1 Ø So N is not a grou with resect to multilication modulo N Ø Can we construct a set from which will be a grou with resect to multilication modulo N? N

8 Finite Grous q Let Z N = {b: {1,, N-1} gcd(b, N) = 1). Then Z N is a grou with resect to multilication modulo N Ø The set Z N is the set of integers relatively rime to N Ø Element 1 is the identity element. Every element is invertible. Associativity holds. Ø Is closed with resect to multilication mod N? --- given a, b, will [ab mod N] N N N Ø Claim: gcd(n, [ab mod N]) = element [ab mod N] has multilicative inverse [b -1 a -1 mod N]

9 Grou Exonentiation in Grous q Exonentiation: alying same oeration on the same element a number of times in a grou (G, o) Using Multilication Notation: Ø g m def = g o g o o g (m times) Ø g -m def = (g -1 o g -1 o o g -1 ) (m times) Ø g 0 def = e, the grou identity element Using Addition Notation: def Ø mg = def Ø -mg = def Ø 0g = g o g o o g (m times) (-g + -g + + -g) (m times) e, the grou identity element

10 Grou Order and Identity Element Theorem: Let (G, o) be a grou of order m, with identity element e. Then for every element g G: g o g o o g = e m times I.e. Any grou element comosed with itself m times results in the identity element Proof: Let G = {g 1,, g m } --- for simlicity assume G to be an Abelian grou Let g be an arbitrary element of G Ø Claim: elements (g o g 1 ), (g o g 2 ),, (g o g m ) are all distinct v On contrary if for distinct g i, g j, we have (g o g i ) = (g o g j ) (g -1 o g o g i ) = (g -1 o g o g j ) g i = g j Ø Thus {(g o g 1 ), (g o g 2 ),, (g o g m )} = G Ø So g 1 o g 2 o o g m = (g o g 1 ) o (g o g 2 ) o o (g o g m ) -- (both side we have all the elements of G) = (g o g o o g) o (g 1 o g 2 o o g m ) - (by associative and commutative roerty) e = (g o g o o g) o e -- (multily by (g 1 o g 2 o o g m ) -1 both sides) e = (g o g o o g) -- (a o e = a)

11 Order of Imortant Finite Grous N = {b: {1,, N-1} gcd(b, N) = 1). It is a grou with resect to multilication modulo N ϕ(n) = order of the above grou q N is a rime number, say Ø = {1, 2,, -1} --- every number from 1 to -1 is relatively rime to q N =.q, where and q are rimes Ø N = (-1)(q-1) --- follows from the rincile of mutual inclusion-exclusion Ø Which numbers in {1, 2,, N-1} are not relatively rime to N? v Numbers which are divisible by --- q-1 such numbers v Numbers which are divisible by q such numbers v Numbers which are divisible by both and q such number Ø How many numbers in {1, 2,, N-1} are not relatively rime to N? q - 2 Ø How many numbers in {1, 2,, N-1} are relatively rime to N? --- N -1 - q + 2 = (-1)(q-1)

12 Grou Order and Identity Element Theorem: Let (G, o) be a grou of order m, with identity element e. Then for every element g G: g o g o o g = e m times I.e. Any grou element comosed with itself m times results in the identity element q Imlications of the above theorem in the multilicative grou Ø Take any arbitrary N > 1 and any a. Then: N N v [[[[[a. a mod N]. a mod N]. a mod N]. a mod N].. a mod N] = [a ϕ(n) mod N] = 1 ϕ(n) times Ø If N is a rime number, say, then for any a {1, 2,, -1}, we have : Ø [a -1 mod ] = 1 Ø If N is a comosite number,.q, then for any a we have : Ø [a ( -1)(q-1) mod N] = 1

13 Subgrou of a Grou & Cyclic Grou q Let (G, o) be a grou q Let H G G Definition (Subgrou): If (H, o) is also a grou, then H is called a subgrou of G w.r.t oeration o H q Every grou (G, o) has two trivial subgrous: Ø The grou (G, o) itself and the grou (e, o) Ø A grou may/may not have subgrous other than trivial subgrous q Given a finite grou (G, o) of order m and an arbitrary element g G, define <g> = {g 0, g 1,, } --- elements generated by different non-negative owers of g Ø The sequence is finite as g m = 1 and g 0 is also 1 Ø Let i m be the smallest ositive integer such that g i = 1. Then: <g> = {g 0, g 1,, g i-1 } --- as g i = 1, after which the sequence starts reeating Proosition: (<g>, o) is a subgrou of (G, o) of order i Definition (Order of an element): Smallest ositive integer i such that g i = 1 Definition (Generator): If g has order m, then <g> = G --- then g is called a generator of G and G is called a cyclic grou generated by g

14 Examles q Consider (, mod 7) --- it is a grou with resect to multilication modulo 7 7 Ø Does 2 belong to the grou? --- Yes, as gcd(2, 7) = 1; 2 is relatively rime to 7 Ø What is <2>? --- <2> = {2 0 mod 7, 2 1 mod 7, 2 2 mod 7} = {1, 2, 4} Ø Is (<2>, mod 7) a subgrou of (, mod 7)? ü Closure ü Associativity ü Identity ü Inverse v 1-1 = 1, 2-1 = 4, 4-1 = 2 Ø Does 3 belong to the grou? --- Yes, as gcd(3, 7) = 1; 3 is relatively rime to 7 Ø What is <3>? --- <3> = {3 0 mod 7, 3 1 mod 7, 3 2 mod 7, 3 3 mod 7, 3 4 mod 7, 3 5 mod 7, 3 6 mod 7 } = {1, 3, 2, 6, 4, 5} = the original grou Ø 2 does not generate the entire grou Ø 3 generates the entire grou is a generator

15 Imortant Finite Cyclic Grous Theorem: The grou (, mod ) is a cyclic grou of order 1. v Every element need not be a generator v Ex: (, mod 7) is a cyclic grou with generator 3 7 o Element 2 is not a generator for this grou --- <2> = {1, 2, 4}

16 Useful Proositions on Order of a Grou Element q Let (G, o) be a grou of order m and let g G such that g has order i (1 i m) --- g i = e Proosition: For any integer x, we have g x = g [x mod i] x times g x = (g o g o g) o (g o g o o g) o o (g o g o o g) i times i times x mod i times e o e o o g [x mod i] = g [x mod i] Proosition: For any integer x, y, we have g x = g y if and only if x = y mod i; i.e. [x mod i] = [y mod i] Proof: If [x mod i] = [y mod i], then from the revious claim g x = g y If g x = g y -> g x-y = g x-y mod i = 1 -> x - y mod i =0 Proosition: The order of g divides the order of G --- i divides m Proof: Element g has order i g i = e v For any g, we have g m = e v So g m = g i [m mod i] = [i mod i] [m mod i] = 0 The last claim has several interesting imlications

17 Finite Cyclic Grous of Prime Order Corollary: If (G, o) is a grou of rime order then G is cyclic and all elements of G, excet the identity element will be generators of G v Any arbitrary element g G aart from the identity element will have order --- the only ositive numbers which divides a rime are 1 and v Ex: consider the grou ( 1, 2, 3, 4, 5 and 6 7, + mod 7) --- cyclic grou, with identity element 1 and generators Instances of Cyclic grous of rime order?? Theorem: The grou (, mod ) is a cyclic grou of order 1. We can construct cyclic grous of rime order from the above grou when has a secific format

18 Prime-order Cyclic Subgrou of Definition (Safe Primes): Prime numbers in the format = 2q+1 where q is also a rime. Ø Examle (5, 11), (11, 23), several such airs Definition (Quadratic Residue Modulo ): Call y a quadratic residue modulo if there exists an x, with y = x 2 mod. x is called square-root of y modulo Theorem: The set of quadratic residues modulo is a cyclic subgrou of of order q. I.e. Q = {x 2 mod x }, then (Q, mod ) is a cyclic subgrou of (, mod ) of order q Proof: Ste I: To show that (Q, mod ) is a subgrou of (, mod ) Ste II: Show that (Q, mod ) is of order q

19 Prime-order Cyclic Subgrou of Theorem: The set of quadratic residues modulo is a cyclic subgrou of of order q. I.e. Q = {x 2 mod x }, then (Q, mod ) is a cyclic subgrou of (, mod ) of order q Proof: Ste I: To show that (Q, mod ) is a subgrou of (, mod ) Ø Closure: (Q, mod ) satisfies the closure roerty v Given arbitrary y 1, y 2 Q, show that (y 1 y 2 ) mod Q o y 1 Q y 1 = x 2 1 mod, for some x 1 o y 2 Q y 2 = x 2 2 mod, for some x 2 o o (y 1 y 2 ) mod = (x 1 x 2 ) 2 mod = (x 3 ) 2 mod, where x 3 = (x 1 x 2 ) So (y 1 y 2 ) mod Q

20 Prime-order Cyclic Subgrou of Theorem: The set of quadratic residues modulo is a cyclic subgrou of of order q. I.e. Q = {x 2 mod x }, then (Q, mod ) is a cyclic subgrou of (, mod ) of order q Proof: Ste I: To show that (Q, mod ) is a subgrou of (, mod ) Ø Closure: (Q, mod ) satisfies the closure roerty Ø Associativity: trivial to verify that given arbitrary y 1, y 2, y 3 Q, we have (y 1 y 2 ) y 3 mod = y 1 (y 2 y 3 ) mod Ø Identity: The element 1 will be resent in Q, which will be the identity element for Q 1 = 1 2 mod Ø Inverse: Show that every element y Q has a multilicative inverse y -1 Q, with (y y -1 mod ) = 1 y Q y = (x 2 mod ), for some x What can you say about z = (x -1 ) 2 mod? o x x -1, which imlies that z Q o From the above we get that (y z mod ) = 1

21 Prime-order Cyclic Subgrou of Theorem: The set of quadratic residues modulo is a cyclic subgrou of of order q. I.e. Q = {x 2 mod x }, then (Q, mod ) is a cyclic subgrou of (, mod ) of order q Proof: Ste I: To show that (Q, mod ) is a subgrou of (, mod ) Ste II: Show that (Q, mod ) is of order q Ø We will show that f: Q is a 2-to-1 function --- exactly 2 elements have the same image = ( -1), the above will imly that Q = ( - 1)/2 = q Ø Let g be a generator of --- = {g 0, g 1,, g -2 } Ø Consider an arbitrary element g i in Ø Claim: there exists only one more element g j in and its corresonding image (g i ) 2 mod in Q, with (g i ) 2 mod = (g j ) 2 mod v If (g i ) 2 mod = (g j ) 2 mod [2i mod -1] = [2j mod -1] ( - 1) divides (2i 2j) q (i - j) v The above imlies that for a fixed i {0,, -2}, there is only 1 ossible j, namely (i + q) mod -1 o (i + 2q) mod ( 1) = i

22 Generalization For Prime numbers in the format = rq+1 where q is also a rime. Theorem: The set of rth residues modulo is a cyclic subgrou of of order q. I.e. Q = {x r mod x }, then (Q, mod ) is a cyclic subgrou of (, mod ) of order q

23 Easy Problems in Finite Cyclic Grous (of Prime Order) 1. Generating Cyclic Grous / Cyclic Grous of Prime Order >> How to samle a rime number of n bits / how to samle rimes of secific format (safe rimes) (Miller-Rabin, Agrawal-Kayal-Saxena) >> Finding a generator >> Given generator, how to generate an element of the grou (requires exonentiation) 2. Samling an uniform random grou element Cyclic Grou Prime Order Cyclic Grou Q = {x r mod x } There exists a generator Grou order (-1) is not a rime. Every exonent may not have multilicative inverse modulo (-1) If grou order (-1) has small rime factors, there exists no-trivial algo to break the hard roblems that we discuss next Every element excet the identity element is a generator Grou order q. Every exonent have multilicative inverse modulo q and easy to comute The attacks does not work here

24 Discrete Logarithm q Let (G, o) be a cyclic grou of order q (with q = n bits) and with generator g Ø {g 0, g 1, g 2,, g q-1 } = G --- g has order q as it is the generator Ø Given any element h G, it can be exressed as some ower of g v a unique x q = {0, 1,, q-1}, such that h = g x v x is called the discrete log of h with resect to g --- exressed as log g h q Discrete log follows certain rules of standard logarithms Ø log g e = 0 Ø log g h r = [r log g h mod q] Ø log g [h 1 o h 2 ] = [(log g h 1 + log g h 2 ) mod q]

25 Discrete Logarithm Problem q How difficult is it to comute the DLog of a random grou element? For certain grous, there exists no better algorithm than the inefficient brute-force Modeled as a challenge-resonse exeriment: DLog A, G (n) (G, o, g, q) outut by an grou gen algo PPT A y Find log g y [y R G] DLog solver for G x Exeriment outut Challenger 1, if g x = y 0, otherwise q DLog roblem is hard relative to the grou G, if for every PPT algorithm A, there exists a negligible function negl(), such that: Pr[DLog A, G (n) = 1] negl() q DLog Assumtion: there exists some grou G, relative to which DLog roblem is hard Ø We have seen will see such candidates earlier

26 Comutational Diffie-Hellman (CDH) Problem q Given a cyclic grou (G, o) of order q and a generator g for G. q The CDH roblem for the grou (G, o) is to comute g x. y for random grou elements g x, g y Modeled as a challenge-resonse exeriment: CDH A, G (n) (G, o, g, q) PPT A g x, g y x, y R CDH solver for G g z Exeriment outut Challenger q 1, if g x. y = g z 0, otherwise CDH roblem is hard relative to the grou G, if for every PPT algorithm A: Pr[CDH A, G (n) = 1] negl()

27 Relation between CDH and DLog Problems q Given a cyclic grou (G, o) of order q and a generator g for G: Hardness of CDH? Hardness of DLog q If CDH is hard in (G, o) then DLog is hard in (G, o). g x, g y R G g x (g y ) x x q Algorithm A CDH PPT Algorithm A DLog q Advantage of same as q If DLog is hard in (G, o) then CDH is hard in (G, o)? --- nothing is known q CDH (hardness) is a stronger assumtion than DLog (hardness) assumtion Ø CDH might be solved even without being able to solve the DLog roblem

28 Decisional Diffie-Hellman (DDH) Problem q The DDH roblem for the grou (G, o) is to distinguish g x. y from a random grou element g z, if g x, g y are random DDH roblem is hard relative to (G, o) if for every PPT algorithm A: Pr[A(G, o, q, g, g x, g y, g xy ) = 1] - Pr[A(G, o, q, g, g x, g y, g z ) = 1] negl() Probability over uniform choice of x and y Probability over uniform choice of x, y and z q Claim: If DDH is hard relative to (G, o) then CDH is also hard relative to (G, o) Ø If CDH can be solved, then given g x and g y, comute g xy and comare it with the third element q Nothing is known regarding the converse --- DDH is a stronger assumtion than CDH Ø DDH might be solved even without being able to solve CDH

29 Crytograhic Assumtions in Cyclic Grous DDH CDH DL Cyclic Grous of Prime Order is best choice. >> DL is harder in this grou comared to cyclic grou (Pohlig-Hellman Algo) >> DDH can be broken in cyclic grou but believed to hold good it its rime order subgrou 6 th Chalk and Talk toic Attacks on Discrete Log Assumtions- (i) Pohlig-Hellman Algorithm (ii) Shanks Baby-ste/Giant-ste algorithm (iii) Discrete Logs from Collisions

30 Diffie-Hellman Key-Exchange Protocol Idea illustration through colors Common colors (ublicly known) + + Secret colors = = Public exchange Assume mixture searation is exensive + + Original secret colors = = Common secret color

31 Diffie-Hellman Key-Exchange Protocol Actual Protocol (G, o) is a cyclic grou of order q with generator g ((G, o), g, q) Common arameters colors (ublicly (ublicly known) known) ((G, o), g, q) + + x q Secret colors exonents y q = = h S := g x h R := gy Public exchange Assume mixture comuting searation x, y from h R := g y is g x, exensive g y is exensive h S := g x + + x Original secret colors exonents y = = k:= (h R ) x = g xy Common Common secret key color k:= (h S ) y = g xy

32 Key-Exchange Protocol: Security k Protocol transcrit k q Given an arbitrary key-exchange rotocol, whose execution is monitored by a PPT eavesdroer Ø What security roerty we demand from such a rotocol? v Otion I: the outut key k should remain hidden from the eavesdroer v Otion II: the outut key k should remain indistinguishable for the eavesdroer from a uniformly random key from the key-sace Ø We actually want to have otion II v If we want the key to be used as the secret-key for some higher level rimitive

33 Key-Exchange Protocol: Security Exeriment Key-exchange rotocol Π k Protocol transcrit k Should not be able to distinguish k from a random element in eav Exeriment KE (n) k A, Π trans k PPT attacker A trans k, if b = 0 k R, if b = 1 I can break Π b {0, 1} q Exeriment outut is 1 if and only if b = b eav Pr q Π is a secure KE rotocol if: KE A, Π (n) = 1 Let me verify ½ + negl(n) Runs an instance of Π in mind simulating the role of S, R

34 Diffie-Hellman Key-Exchange Protocol: Security h S = g x, where x q h R = g y, where y q k = (h S ) x = g xy Protocol transcrit k = (h R ) y = g xy h S = g x Should not be able to distinguish k = g xy from a random element g z in G q Same as the DDH roblem h R = g y eav k = (h Exeriment KE (n) S ) x k = (h R ) y A, DH PPT attacker A I can break Π h S = g x, h R = g y g xy, if b = 0 g z R G, if b = 1 b {0, 1} Let me verify Runs an instance of DH in mind simulating the role of S, R q What is the robability that the outut of the exeriment is 1? Ø Same with which A can distinguish g xy from a random grou element g z

35 Uniform Grou Elements vs Uniform Random Strings q DH key-exchange rotocol enables the arties to agree on a (seudo)random grou element g xy q In reality, the arties would like to agree on (seudo)random bit string which can be used as a secret-key for higher level rimitive, such as PRF, MAC, etc q Required: a method of deriving (seudo)random bit strings from (seudo)random grou elements Ø Potential solution (used in ractice) v Use the binary reresentation of the grou element g xy as the required key v Claim: the resultant bit-string will be (seudo)random if the grou element is (seudo)random Ø The above claim need not be true --- dangerous solution Ø Ex: consider the rime-order q A suitable grou key-derivation (, mod function ), where (KDF) = 2q+1 is is a safe rime alied to g xy Ø Subgrou (Q, mod ), where Q = {x 2 to derive seudorandom key mod x } --- order of Q is q Ø Tyically KDFs are based on hash functions v In ractice, the DH rotocol is executed over (Q, mod ) v The agreed key g xy Ø Details out of scoe of this course is a (seudo)random element of Q --- g is a generator of Q, x, y v Number of bits to reresent elements of Q = Number of bits to reresent elements of o But Q does not contain all ossible bit-strings of length log --- Q = q 2 log 2 / 2 q o So binary reresentation of the agreed key does not corresond to a random log 2 -bit string

36 Active Attacks Against DH Key-Exchange Protocol q DH key-exchange rotocol assumes a assive attacker --- only listens the conversation q In reality, the attacker may be malicious/active --- can change information, inject its own messages, etc q Two tyes of active attacks against DH key-exchange rotocol Ø Imersonation attack : c Enc k (m) k = g xy DH key-exchange rotocol k = g xy m:= Dec k (c) k = g xy

37 Active Attacks Against DH Key-Exchange Protocol q DH key-exchange rotocol assumes a assive attacker --- only listens the conversation q In reality, the attacker may be malicious/active --- can change information, inject its own messages, etc q Two tyes of active attacks against DH key-exchange rotocol Ø Imersonation attack : Ø Man-in-the-middle attack : h S = g x Comlete control h S = g x 1 h R = g y 1 h R = g y x q k S = (h R ) x = g xy 1 x 1 q k R = (h R ) x 1 = g x 1 y y q k R = (h S ) y = g x 1 y y 1 q k S = (h S ) y 1 = g xy 1 k S k R q In ractice, robust mechanisms are used in the DH key-exchange rotocol to deal with the man-in-themiddle attack --- ex: TLS rotocol

38 The Public-key Revolution q In their seminal aer on the key-exchange, Diffie-Hellman also roosed the notion of ublic-key crytograhy (asymmetric-key crytograhy) Public domain m c m Enc Dec k sk

39 Public-key Cryto vs Private-key Cryto Private-Key Cryto Public-Key Cryto - Key distribution has to be done ariori. - In multi-sender scenario, a receiver need to hold one secret key er sender - Well-suited for closed organization (university, rivate comany, military). Does not work for oen environment (Internet Merchant) + Very fast comutation. Efficient Communication. Only way to do cryto in resource-constrained devices such as mobile, RFID, ATM cards etc + only those who shares a key can send a message + Key distribution can be done over ublic channel!! + One receiver can setu a single ublic-key/ secret key and all the senders can use the same ublic key + Better suited for oen environment (Internet) where two arties have not met ersonally but still want to communicate securely (Internet merchant & Customer) - Orders of magnitude slower than Private-key. Heavy even for deskto comuters while handling many oerations at the same time - Anyone can send message including unintended ersons - Relies on the fact that there is a way to correctly send the ublic key to the senders (can be ensured if the arties share some rior info or there is a trusted arty) q Diffie and Hellman could not come u with a concrete construction; though a ublic-key encrytion scheme was hidden in their key-exchange rotocol q Crytograhy sread to masses just due to advent of ublic-key crytograhy

40