Chapter 11 : Private-Key Encryption
|
|
- Laurel Williams
- 5 years ago
- Views:
Transcription
1 COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1
2 Chapter 11 Public-Key Encryption Apologies: all numbering still refers to first edition of book Public-Key Encryption An Overview 10.2 Definitions Security against Chosen-Plaintext Attacks Multiple Encryptions 10.3 Hybrid Encryption 10.4 RSA Encryption Plain RSA and its Insecurity Attacks on Plain RSA Padded RSA 10.5 The El Gamal Encryption Scheme 10.6 Security Against Chosen-Ciphertext Attacks 10.7 * Trapdoor Permutations
3 Asymmetric Encryption (Public-Key Cryptography) Encryption K e P C K d Decryption Complexity Theoretical Security
4 10.2 Definitions DEFINITION 10.1 A public-key encryption scheme is a tuple of PPT algorithms (Gen,Enc,Dec) s.t. : 1. The key generation algorithm Gen takes as input the security parameter 1 n and outputs a pair of keys (pk,sk). We refer to the first of these as the public key and the second as the private key. We assume for convenience that p k and sk each have length at least n, and that n can be determined from pk, sk.
5 Definitions 2. The encryption algorithm Enc takes as input a public key pk and a message m from some underlying plaintext space. It outputs a ciphertext c, and we write this as c Encpk(m). 3. The decryption algorithm Dec takes as input a private key sk and a ciphertext c, and outputs a message m or a special symbol denoting failure. We assume without loss of generality that Dec is deterministic, and write this as m Dec sk (c).
6 Definitions It is required that there exists a negligible function negl such that for every n, every (pk,sk) output by Gen(1 n ), and every message m in the appropriate underlying plaintext space, it holds that Pr[ Decsk(Encpk(m)) m ] negl(n).
7 Security against Chosen-Plaintext Attacks The eavesdropping indistinguishability experiment PubK e A a, v Π(n): 1. Gen(1 n ) is run to obtain keys (pk,sk). 2. Adversary A is given pk, and outputs a pair of messages m 0,m1 of the same length. (These messages must be in the plaintext space associated with pk.)
8 Security against Chosen-Plaintext Attacks 3. A random bit b {0,1} is chosen, and then a ciphertext c Encpk(mb) is computed and given to A. We call c the challenge ciphertext. 4. A outputs a bit b. 5. The output of the experiment is defined to be 1 if b = b, and 0 otherwise.
9 Security against Chosen-Plaintext Attacks DEFINITION 10.3 A public-key encryption scheme Π = (Gen,Enc,Dec) has indistinguishable encryptions in the presence of an eavesdropper if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that Pr[ PubK e A a, v Π(n) = 1 ] ½ + negl(n).
10 Security against Chosen-Plaintext Attacks CPA indistinguishability experiment PubK c A p, a Π(n): 1. Gen(1 n ) is run to obtain keys (pk,sk). 2. Adversary A is given pk as well as oracle access to Enc pk ( ). The adversary outputs a pair of messages m0,m1 of the same length. (These messages must be in the plaintext space associated with pk.)
11 Security against Chosen-Plaintext Attacks 3. A random bit b {0,1} is chosen, and then a ciphertext c Encpk(mb) is computed and given to A. We call c the challenge ciphertext. 4. A continues to have access to Enc pk ( ), and outputs a bit b. 5. The output of the experiment is defined to be 1 if b = b, and 0 otherwise.
12 Security against Chosen-Plaintext Attacks DEFINITION 10.4 A public-key encryption scheme Π = (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (or is CPA secure) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that: Pr[ PubK c A p, a Π(n) = 1 ] ½ + negl(n).
13 Security against Chosen-Plaintext Attacks PROPOSITION 10.5 If a public-key encryption scheme Π has indistinguishable encryptions in the presence of an eavesdropper, then Π also has indistinguishable encryptions under a chosen-plaintext attack.
14 Insecurity of Deterministic Public-Key Encryption THEOREM 10.6 No deterministic public-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper.
15 Multiple Encryptions THEOREM If a public-key encryption scheme Π has indistinguishable encryptions in the presence of an eavesdropper, then Π has indistinguishable multiple encryptions in the presence of an eavesdropper.
16 Encrypting Arbitrary- Length Messages Say Π = (Gen,Enc,Dec) is an encryption scheme where the plaintext space is {0,1}. We can construct a new scheme Π = (Gen,Enc,Dec ) with plaintext space {0,1} by defining Enc as follows: Enc pk(m) = Encpk(m1),...,Encpk(mt), where m = m 1... mt. The decryption algorithm Dec is modified in the obvious way.
17 Encrypting Arbitrary- Length Messages PROPOSITION Let Π and Π be as above. If Π has indistinguishable encryptions in the presence of an eavesdropper, then so does Π.
18 10.3 Hybrid Encryption
19 Hybrid Encryption To encrypt a message m: 1. The sender first chooses a random secret key k, and encrypts k using the public key of the receiver. Call the resulting ciphertext c 1. The receiver will be able to recover k by decrypting c1, yet k will remain unknown to an eavesdropper (by security of the public-key encryption scheme), and so this has the effect of establishing a shared secret between the sender and the receiver.
20 Hybrid Encryption 2. The sender then encrypts the message m using a private-key encryption scheme (Gen,Enc,Dec ) and the secret key k that has just been shared. This results in a ciphertext c 2 that can be decrypted by the receiver using k.
21 Hybrid Encryption
22 Hybrid Encryption THEOREM If Π is a CPA-secure public-key encryption scheme and Π is a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper, then Π hy as in Construction is a CPA-secure public-key encryption scheme.
23 Ellis, Cocks, Williamson 10.4 RSA Encryption Public inventors Private inventors
24 RSA Encryption Ron Rivest, Adi Shamir and Len Adleman
25 RSA Encryption
26 RSA Encryption In Cocks variation, e=n and therefore d=n -1 mod φ(n).
27 7.2.4 The RSA Assumption The RSA problem can be described informally as follows: given a modulus N, an integer (exponent) e > 0 that is relatively prime to φ(n), and an element y Z N, * compute e y mod N; Given N,e,y find x such that x e = y mod N.
28 7.2.4 The RSA Assumption The RSA experiment RSA-inv A,GenRSA (n): 1. Run GenRSA(1 n ) to obtain (N,e,d). 2. Choose y Z * N. 3. A is given N,e,y, and outputs x Z * N. 4. The output of the experiment is defined to be 1 if y = x e mod N, and 0 otherwise.
29 7.2.4 The RSA Assumption DEFINITION 7.46 We say that the RSA problem is hard relative to GenRSA if for all probabilistic polynomial-time algorithms A there exists a negligible function negl such that Pr[ RSA-invA,GenRSA(n) = 1 ] negl(n).
30 RSA vs Factoring The RSA assumption implies that φ(n) is unknown. Theorem: Knowledge of N and φ(n) factors N. Proof: N=pq, φ(n)=(p-1)(q-1)=n-p-q+1. p+q=n-φ(n)+1 p+n/p=n-φ(n)+1 or p 2 -(N-φ(N)+1)p+N=0. p and q are the two solutions of this quadratic equation.
31 RSA vs Factoring The RSA assumption implies that d is unknown. Knowledge of N,e,d factors N. Proof: use algorithm from next slide: RSA-FACTOR(N,e,d). Success probability ½.
32 RSA vs Factoring
33 RSA Implementation Issues Encoding binary strings as elements of Z N. * Let l = N. Any binary string m of length l 1 can be viewed as an element of ZN in the natural way. It is also possible to encode strings of varying lengths as elements of Z N by padding using some unambiguous padding scheme.
34 RSA Implementation Issues: Choice of e There does not appear to be any difference in the hardness of the RSA problem for different exponents e and, as such, different methods have been suggested for selecting e. One popular choice is to set e = 3, since then computing e th powers modulo N (as done when encrypting in the Plain RSA scheme) requires only two multiplications. If e is to be set equal to 3, then p and q must be chosen to satisfy p,q 1 mod 3 so that gcd(e,φ(n )) = 1.
35 RSA Implementation Issues: Choice of d Note that choosing d to be small in order to speed up decryption (that is, changing GenRSA so that a small d is chosen first and then computing e) is a bad idea. If d is chosen in a small range (say, d < 2 16 ) then a brute-force search for d is easy to carry out. Even if d is chosen so that d N ¼, (and so bruteforce attacks are ruled out) there are other attacks that can be used to recover d from the public key.
36 Attacks on Plain RSA Encrypting short messages using small e. If e is small then the encryption of small messages is insecure when using plain RSA encryption. For example, say e = 3 and the message m is such that m < N ⅓ ( or m < N /3 ) but m is otherwise unknown to an attacker. In this case, encryption of m does not involve any modular reduction since the integer m 3 is less than N.
37 Attacks on Plain RSA Encrypting short messages using small e. If e is small then the encryption of small messages is insecure when using plain RSA encryption. This means that given the ciphertext c = m 3 mod N an attacker can determine m by computing m c ⅓ over the integers, a computation that can be easily carried out.
38 Attacks on Plain RSA The above attack shows that short messages can be recovered easily from their encryption if plain RSA with small e is used. Here, we extend the attack to the case of arbitrarylength messages as long as the same message is sent to multiple receivers.
39 Attacks on Plain RSA Let e = 3 as before, and say the same message m is sent to three different parties holding public keys pk1 = (N1,3), pk2 = (N2,3), and pk3 = (N3,3), resp.. Then an eavesdropper sees c1 = m 3 mod N1 and c2 = m 3 mod N2 and c3 = m 3 mod N3.
40 Attacks on Plain RSA Let N = N1 N2 N3. An extended version of the Chinese remainder theorem says that there exists a unique non-negative value c < N such that: c c1 mod N1, c c2 mod N2 and c c3 mod N3.
41 Padded RSA
42 Padded RSA THEOREM If the RSA problem is hard relative to GenRSA then Construction with l(n) = O(log n) has indistinguishable encryptions under a chosen-plaintext attack.
43 PKCS #1 v1.5 A widely-used and standardized encryption scheme, RSA Laboratories Public-Key Cryptography Standard (PKCS) #1 version 1.5, utilizes what is essentially padded RSA encryption. For a public key pk = [N,e] of the usual form, let k denote the length of N in bytes; i.e., k is the integer satisfying 2 8(k 1) N < 2 8k.
44 PKCS #1 v1.5 Messages m to be encrypted are assumed to be a multiple of 8 bits long, and can have length up to k 11 bytes. Encryption of a message m that is D-bytes long is computed as ( r m) e mod N, where r is a randomly-generated string of (k D 3) bytes, with none of these bytes equal to 0.
45 PKCS #1 v1.5 PKCS #1 v1.5 is believed to be CPA-secure, although no proof solely based on the RSA assumption has ever been shown. Subsequent to the introduction of PKCS #1 v1.5, a chosen-ciphertext attack on this scheme was demonstrated. This motivated a change in the standard to a newer scheme called OAEP (for Optimal Asymmetric Encryption Padding).
46 10.5 The Elgamal Encryption Scheme Taher Elgamal
47 The Elgamal Encryption Scheme
48 The Elgamal Encryption Scheme THEOREM If the DDH problem is hard relative to G, then the Elgamal encryption scheme has indistinguishable encryptions under a chosen-plaintext attack.
49 Elgamal Implementation Issues Encoding binary strings. Let p be a strong prime, i.e., q = (p 1)/2 is also prime. Then the set of quadratic residues modulo p forms a group G of order q = (p 1)/2 under x modulo p.
50 Elgamal Implementation Issues We can map the integers {1,...,(p 1)/2} to the set of quadratic residues modulo p by squaring: that is, the integer ṁ is mapped to the quadratic residue m = ṁ 2 mod p. This encoding is one-to-one and efficiently reversible. ( When extracting square roots mod p take the smaller square root x (p 1)/2. )
51 Elgamal Implementation Issues Given the above, we can map a string w of length q 1 to an element m G in the following way: given a string w {0,1} q 1, interpret it as an integer in the natural way and add 1 to obtain an integer ṁ with 1 ṁ q. Then take m = ṁ 2 mod p.
52 10.6 Security vs Chosen- Ciphertext Attacks
53 Security vs Chosen- Ciphertext Attacks DEFINITION A public-key encryption scheme Π = (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-ciphertext attack (or is CCA-secure) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that Pr[ PubK c A, a Π(n) = 1 ] ½ + negl(n).
54 Examples of Chosen- Ciphertext Attacks Plain RSA encryption. Say an adversary A intercepts the ciphertext c = m e mod N. Then the adversary can choose a random r Z N * and compute the ciphertext c r e c mod N. Given the decryption m of this ciphertext, A can recover m m r 1 mod N.
55 Examples of Chosen- Ciphertext Attacks Elgamal encryption. Say an adversary A intercepts a ciphertext c c1,c2 that is an encryption of the (encoded) message m with respect to the public key pk = G,q,g,h. This means that c1 = g y and c2 = h y m for some y Z q unknown to A. Nevertheless, if the adversary computes c 2 c2 m then it is easy to see that the ciphertext c c1,c2 is an encryption of the message m m.
56 Examples of Chosen- Ciphertext Attacks One might object that the receiver will become suspicious if it receives two ciphertexts c,c that share the same first component. However, this is easy for the adversary to avoid.
57 Examples of Chosen- Ciphertext Attacks Letting c1,c2,m,m be as above, A can choose a random y Zq and set c1 c1 g y and c2 c2 h y m. Then c1 = g y g y = g y+y and c2 = h y m h y m = h y+y mm, and so the ciphertext c = c1,c2 is an encryption of m m but with a completely random first component.
58 COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 58
59 NIB Blum-Goldwasser Encryption
60 NIB
61 NIB Blum-Goldwasser Encryption
62 NIB Blum-Goldwasser Encryption
63 NIB Blum-Goldwasser Encryption
64 NIB Blum-Goldwasser Encryption
65 NIB Blum-Goldwasser Encryption
66 COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 66
67 NIB Approximate Integer GCD based crypto
68 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p
69 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p 0 p 2p 3p 4p 5p
70 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p 0 p 2p 3p 4p 5p q 1 p
71 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p 0 p 2p 3p 4p 5p q 1 p q 2 p
72 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p 0 p 2p 3p 4p 5p q 1 p q 2 p q 3 p
73 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p 0 p 2p 3p 4p 5p q 1 p q 2 p q 3 p q 4 p
74 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p 0 p 2p 3p 4p 5p q 1 p q 2 p q 3 p q 4 p GCD(q1p,q2p,q3p,q4p) = p
75 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p x1 x2 x3 x4 q 1 p q 2 p q 3 p q 4 p GCD(x1,x2,x3,x4) = p
76 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p x1 x2 x3 x4 q 1 p q 2 p q 3 p q 4 p 0 p 2p 3p 4p 5p GCD(x1,x2,x3,x4) = p
77 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p x1 x2 x3 x4 q 1 p q 2 p q 3 p q 4 p 0 p 2p 3p 4p 5p GCD(x1,x2,x3,x4) = p
78 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p x1 x2 x3 x4 q 1 p q 2 p q 3 p q 4 p 0 p 2p 3p 4p 5p z1 q 1 p±2e 1 GCD(x1,x2,x3,x4) = p
79 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p x1 x2 x3 x4 q 1 p q 2 p q 3 p q 4 p 0 p 2p 3p 4p 5p z1 q 1 p±2e 1 z2 q 2 p±2e 2 GCD(x1,x2,x3,x4) = p
80 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p x1 x2 x3 x4 q 1 p q 2 p q 3 p q 4 p 0 p 2p 3p 4p 5p z1 q 1 p±2e 1 z2 q 2 p±2e 2 z3 q 3 p±2e 3 GCD(x1,x2,x3,x4) = p
81 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p x1 x2 x3 x4 q 1 p q 2 p q 3 p q 4 p 0 p 2p 3p 4p 5p z1 q 1 p±2e 1 z2 q 2 p±2e 2 z3 q 3 p±2e 3 z4 q 4 p±2e 4 GCD(x1,x2,x3,x4) = p
82 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p x1 x2 x3 x4 q 1 p q 2 p q 3 p q 4 p 0 p 2p 3p 4p 5p z1 q 1 p±2e 1 z2 q 2 p±2e 2 z3 q 3 p±2e 3 z4 q 4 p±2e 4 GCD(x1,x2,x3,x4) = p GCD(z1,z2,z3,z4) = 1
83 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p x1 x2 x3 x4 q 1 p q 2 p q 3 p q 4 p 0 p 2p 3p 4p 5p z1 q 1 p±2e 1 z2 q 2 p±2e 2 z3 q 3 p±2e 3 z4 q 4 p±2e 4 GCD(x1,x2,x3,x4) = p
84 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p x1 x2 x3 x4 q 1 p q 2 p q 3 p q 4 p 0 p 2p 3p 4p 5p z1 q 1 p±2e 1 z2 q 2 p±2e 2 z3 q 3 p±2e 3 z4 q 4 p±2e 4 GCD(x1,x2,x3,x4) = p AIGCD : find p from z1,z2,z3,z4?
85 NIB Approximate Integer GCD z1 z2 z3... zk-1 zk z0 0 p 2p 3p 4p 5p
86 NIB Approximate Integer GCD z1 z2 z3... zk-1 zk z0 0 p 2p 3p 4p 5p sizi mod z0 1 i k
87 Approximate Integer GCD z1 z2 z3... zk-1 zk z0 0 p 2p 3p 4p 5p sizi mod z0 1 i k si {0,1} NIB
88 Approximate Integer GCD z1 z2 z3... zk-1 zk z0 0 p 2p 3p 4p 5p sizi mod z0 1 i k si {0,1} NIB
89 Approximate Integer GCD z1 z2 z3... zk-1 zk z0 0 p 2p 3p 4p 5p sizi mod z0 1 i k si {0,1} NIB
90 Approximate Integer GCD z1... z2 z3 zk-1 zk z0 0 p 2p 3p 4p 5p sizi mod z0 sixi mod x0 1 i k 1 i k si {0,1} NIB
91 Approximate Integer GCD z1... z2 z3 zk-1 zk z0 0 p 2p 3p 4p 5p sizi mod z0 sixi mod x0 1 i k 1 i k si {0,1} ±2(ke0+ ei) 1 i k NIB
92 Approximate Integer GCD z1... z2 z3 zk-1 zk z0 0 p 2p 3p 4p 5p sizi mod z0 - ( siqi mod q0) p 1 i k 1 i k si {0,1} 4k emax NIB
93 Approximate Integer GCD NIB
94 Approximate Integer GCD NIB
95 NIB Approximate Integer GCD ΩΩ(s)= sizi mod z0 1 i k
96 NIB Approximate Integer GCD ΩΩ(s)= sizi mod z0 1 i k s {0,1} n
97 NIB Approximate Integer GCD ΩΩ(s)= sizi mod z0 1 i k s {0,1} n emax p/8k
98 NIB Approximate Integer GCD ΩΩ(s)= sizi mod z0 1 i k s {0,1} n emax p/8k ΩΩ(s)-p[ΩΩ(s)/p] = small even error
99 AIGCD encryption NIB
100 NIB SK : p AIGCD encryption
101 NIB SK : p AIGCD encryption PK : z0, z1, z2,..., zk, p/8k p/2
102 NIB AIGCD encryption SK : p PK : z0, z1, z2,..., zk, p/8k p/2 ei U [-...+ ]
103 NIB SK : p AIGCD encryption PK : z0, z1, z2,..., zk, p/8k p/2 ei U [-...+ ] enc(b) = ΩΩ(s)+2e+b s U {0,1} n e U [-...+ ]
104 NIB SK : p AIGCD encryption PK : z0, z1, z2,..., zk, p/8k p/2 ei U [-...+ ] enc(b) = ΩΩ(s)+2e+b s U {0,1} n e U [-...+ ] dec(c) = c-p[c/p] mod 2 = parity of error
ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationCSC 5930/9010 Modern Cryptography: Number Theory
CSC 5930/9010 Modern Cryptography: Number Theory Professor Henry Carter Fall 2018 Recap Hash functions map arbitrary-length strings to fixedlength outputs Cryptographic hashes should be collision-resistant
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationChapter 2 : Perfectly-Secret Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More information5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA
Leo Reyzin. Notes for BU CAS CS 538. 1 5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA 5.1 Public Key vs. Symmetric Encryption In the encryption we ve been doing so far, the sender and the recipient
More informationCOMP4109 : Applied Cryptography
COMP409 : Applied Cryptography Fall 203 M. Jason Hinek Carleton University Applied Cryptography Day 3 public-key encryption schemes some attacks on RSA factoring small private exponent 2 RSA cryptosystem
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationPublic-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP Diffie-Hellman Key-exchange Secure under DDH: (g x,g x,g xy ) (g x,g x,g r ) Random x {0,..,
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationLecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes
Lecture 30: Hybrid Encryption and Prime Number Generation Recall: ElGamal Encryption I We begin by recalling the ElGamal Public-key Encryption Recall that to describe a private-key encryption scheme we
More informationBU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/
BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. 1 Public Key vs. Symmetric Encryption In the encryption we ve
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationNET 311D INFORMATION SECURITY
1 NET 311D INFORMATION SECURITY Networks and Communication Department TUTORIAL 3 : Asymmetric Ciphers (RSA) A Symmetric-Key Cryptography (Public-Key Cryptography) Asymmetric-key (public key cryptography)
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationJohn Hancock enters the 21th century Digital signature schemes. Table of contents
John Hancock enters the 21th century Digital signature schemes Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time: Good news and bad There
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationNumber Theory & Modern Cryptography
Number Theory & Modern Cryptography Week 12 Stallings: Ch 4, 8, 9, 10 CNT-4403: 2.April.2015 1 Introduction Increasing importance in cryptography Public Key Crypto and Signatures Concern operations on
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationCryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography
Cryptography CS 555 Topic 22: Number Theory/Public Key-Cryptography 1 Exam Recap 2 Exam Recap Highest Average Score on Question Question 4: (Feistel Network with round function f(x) = 0 n ) Tougher Questions
More informationCryptography. P. Danziger. Transmit...Bob...
10.4 Cryptography P. Danziger 1 Cipher Schemes A cryptographic scheme is an example of a code. The special requirement is that the encoded message be difficult to retrieve without some special piece of
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationTheme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS
1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationSlides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013
RSA Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013 Recap Recap Number theory o What is a prime number? o What is prime factorization? o What is a GCD? o What does relatively prime
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationLecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004
CMSC 858K Advanced Topics in Cryptography January 27, 2004 Lecturer: Jonathan Katz Lecture 1 Scribe(s): Jonathan Katz 1 Introduction to These Notes These notes are intended to supplement, not replace,
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationRSA-OAEP and Cramer-Shoup
RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationThe security of RSA (part 1) The security of RSA (part 1)
The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 i.e. q = (n φ(n) + 1)
More informationGeneral Impossibility of Group Homomorphic Encryption in the Quantum World
General Impossibility of Group Homomorphic Encryption in the Quantum World Frederik Armknecht Tommaso Gagliardoni Stefan Katzenbeisser Andreas Peter PKC 2014, March 28th Buenos Aires, Argentina 1 An example
More informationTheory of Computation Chapter 12: Cryptography
Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationGreat Theoretical Ideas in Computer Science
15-251 Great Theoretical Ideas in Computer Science Lecture 22: Cryptography November 12th, 2015 What is cryptography about? Adversary Eavesdropper I will cut your throat I will cut your throat What is
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationSemantic Security of RSA. Semantic Security
Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 8 Markus Bläser, Saarland University Weak factoring experiment The weak factoring experiment 1. Choose two n-bit integers x 1, x 2 uniformly.
More informationPseudo-random Number Generation. Qiuliang Tang
Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationCryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups
Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationThéorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1
Théorie de l'information et codage Master de cryptographie Cours 10 : RSA 20,23 et 27 mars 2009 Université Rennes 1 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 1
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationRSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14
RSA Algorithm http://koclab.org Çetin Kaya Koç Spring 2018 1 / 14 Well-Known One-Way Functions Discrete Logarithm: Given p, g, and x, computing y in y = g x (mod p) is EASY Given p, g, y, computing x in
More informationSolutions to homework 2
ICS 180: Introduction to Cryptography 4/22/2004 Solutions to homework 2 1 Security Definitions [10+20 points] Definition of some security property often goes like this: We call some communication scheme
More informationLecture 14: Hardness Assumptions
CSE 594 : Modern Cryptography 03/23/2017 Lecture 14: Hardness Assumptions Instructor: Omkant Pandey Scribe: Hyungjoon Koo, Parkavi Sundaresan 1 Modular Arithmetic Let N and R be set of natural and real
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationInstructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year
Data Privacy and Security Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2017-2018 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationNotes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationIntroduction to Public-Key Cryptosystems:
Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationAdvanced Cryptography 03/06/2007. Lecture 8
Advanced Cryptography 03/06/007 Lecture 8 Lecturer: Victor Shoup Scribe: Prashant Puniya Overview In this lecture, we will introduce the notion of Public-Key Encryption. We will define the basic notion
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More information