Public Key Cryptography
|
|
- Stephen Mosley
- 5 years ago
- Views:
Transcription
1 Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60
2 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4 Cramer-Shoup Encryption Scheme 5 Rabin Encryption Scheme 2 of 60
3 Course main reference 3 of 60
4 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4 Cramer-Shoup Encryption Scheme 5 Rabin Encryption Scheme 4 of 60
5 RSA Encryption Scheme Designed by Rivest-Shamir-Adleman in 1977 One of the most widely used algorithms today, for both signatures and public key encryption Security requires hardness of integer factorization 5 of 60
6 Pseudorandom Permutations from One Way Functions Informally speaking, one-way functions are easy to compute, hard to invert! We don t know how to prove that one-way functions exist! Assuming the hardness of some problems, we can build one-way functions. Corollary Let n > 1, and for e > 0 define f e : Z n Z n by f e (x) = x e mod n. If GCD(e, φ(n)) = 1, then f e is a permutation. The inverse of f e is f d where d = e 1 mod φ(n) 6 of 60
7 Plain RSA encryption algorithm Let p, q two distinct odd primes, and let n = pq Compute φ(n) = (p 1)(q 1), and choose e > 1 s.t. gcd(e, φ(n)) = 1 Public key is (n, e) and private key is (p, q) Given private key, can also compute d := e 1 mod φ(n) Encryption of m Z n: c = m e mod n Decryption of c Z n: m = c d mod n Correctness follows from by Euler s theorem m = (m e ) d = m ed mod φ(n) = m mod n 7 of 60
8 RSA security Solving the factorization problem is sufficient and necessary to reconstruct the private key Solving the factorization problem might not be necessary for other goals, such as decrypting without the private key In fact, Plain RSA is insecure! What if m is not chosen uniformly from Z n? Plain RSA is deterministic! Therefore, it is not CPA-secure! 8 of 60
9 Relationship between RSA and Factoring Assumptions Theorem Given as input a composite integer n and integers e, d such that ed = 1 mod φ(n), there is a PPT algorithm that can output a factor of n except with negligible probability (in n ). 9 of 60
10 Padded RSA: RSA#1 v1.5 Idea: To encrypt a message m, first map it to an element m Z n. The sender can choose a uniform bit-string r {0, 1} l, and sets m = r m (it is a reversible operation). The security of the padded scheme depends on the length of l. The cost of a brute-force attack is O (2 ) l For instance, l(n) = O(log n) is a bad choice, the scheme is not secure in this case. This scheme is provably secure based on the RSA problem in one case: l is very large, and m is just a single bit! For other cases, no security proofs based on RSA problem, BUT no known attacks are known either! 10 of 60
11 RSA-OAEP It is a construction that is based on RSA problem and CCA-secure using optimal asymmetric encryption padding OAEP. Already standardized as a part of RSA PKCS#1 since version 2.0 It uses three integer-valued functions l(n), k 0 (n), k 1 (n) with k 0 (n), k 1 (n) = Θ(n). There is also a condition on l(n) + k 0 (n) + k 1 (n), it has to be smaller than the minimum bit-length of RSA moduli. We need two hash functions H and G that are modelled as Random Oracles OAEP is therefore a two-round Feistel network. G and H are the round functions. 11 of 60
12 RSA-OAEP Source: Wikipedia 12 of 60
13 RSA-OAEP Fix n and let l = l(n), k 0 = k 0 (n), k 1 = k 1 (n). Given H : {0, 1} l+k 1 {0, 1} k 0 and G : {0, 1} k 0 {0, 1} l+k 1. How to pad a message m {0, 1} l? Set m m 0 k 1 Choose a random r {0, 1} k 0 Compute s m G(r) {0, 1} l+k 1 Compute t r H(s) {0, 1} k 0 Finally, set m s t. 13 of 60
14 RSA-OAEP How does it work? KeyGen(n) : output the public key (n, e) and private key (p, q). Enc(m, N, e) : pad m to get m. The ciphertext will be c m e mod n. Dec(c, n, d) : compute m c d mod n. If m > l + k 0 + k 1, output, otherwise; parse m as s t, s {0, 1} l+k1, t {0, 1} k0 compute r H(s) t compute m G(r) s if the least-significant k 1 bits of m are not all 0, output otherwise, output the l most-significant bits of m. 14 of 60
15 A CCA secure KEM in the ROM The KEM scheme consists of the following algorithms: KeyGen(1 n ): it generates the RSA modulus (N, e, d), where PK = (N, e) and SK = (N, d). it also generates a hash function H : Z N {0, 1} n. Encaps(PK, 1 n ): it picks a random r Z N and outputs c r e mod N and the key k H(r). Decaps(SK, c Z N): it first computes r c d mod N and then outputs k H(r). This is a part of ISO/IEC standard for public-key encryption. 15 of 60
16 Security of RSA-OAEP It is CCA-secure assuming that G and H are modelled as random oracles. There were some attacks on PKCS# v2.0 in 2001 by James Manger that exploits its implementation- it is a side channel attack! The receiver receives the error message in two different cases! The time to return the message errors was not identical. The attacker can recover a message m using ONLY N queries. Lesson: side channels attacks are nasty! Implementations should take into consideration every possibility of information leakage! 16 of 60
17 RSA weak key generator attack Suppose Alice uses private key (p, q a ) and Bob uses private key (p, q b ). Is it safe? 17 of 60
18 RSA weak key generator attack Suppose Alice uses private key (p, q a ) and Bob uses private key (p, q b ). Is it safe? Everybody sees n a := pq a and n b := pq b 17 of 60
19 RSA weak key generator attack Suppose Alice uses private key (p, q a ) and Bob uses private key (p, q b ). Is it safe? Everybody sees n a := pq a and n b := pq b Alice can compute q b = n b /p Bob can compute q a = n a /p 17 of 60
20 RSA weak key generator attack Suppose Alice uses private key (p, q a ) and Bob uses private key (p, q b ). Is it safe? Everybody sees n a := pq a and n b := pq b Alice can compute q b = n b /p Bob can compute q a = n a /p Anyone can compute gcd(n a, n b ) = p and then q a and q b Attack demonstrated in practice Lenstra et al. Ron was wrong, Whit is right Show that 2/1000 RSA keys are insecure 17 of 60
21 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4 Cramer-Shoup Encryption Scheme 5 Rabin Encryption Scheme 18 of 60
22 The Discrete Logarithm Problem (Dlog) Let p be a prime and let K := F p = Z/pZ Exponentiation in K in O(n) = O(log p) multiplications What about the inverse operation? Discrete logarithm problem: Given g and h = g k mod p, compute k Believed to be very hard: subexponential complexity L p (1/3, c) More generally: given G, g G and h = g k, compute k Can be harder or easier depending on the group 19 of 60
23 Diffie-Hellman Key Exchange Algorithm Designed by Diffie and Hellman in Widely used today, e.g. in SSL/TLS. Allows two parties to set up a common private key over a public channel. Security requires hardness of discrete logarithm problem. 20 of 60
24 Diffie-Hellman Key Exchange Algorithm Public elements: G cyclic, g G a generator Alice chooses random a and sends g a to Bob Bob chooses random b and sends g b to Alice Alice computes (g b ) a = g ab Bob computes (g a ) b = g ab 21 of 60
25 Variants of Diffie-Hellman Problem Computational Diffie-Hellman (CDH): Given g, g a, g b G, compute g ab. Decisional Diffie-Hellman (DDH): Given g, h, g a, g b G, decide if h = g ab. There is a huge list of members in the DH family of problems! 22 of 60
26 Diffie-Hellman security Solving discrete logarithm problem is sufficient to break Diffie-Hellman key exchange Solving discrete logarithm problem might not be necessary to break Diffie-Hellman key exchange Additional stuff is required for authentication, for example certificates 23 of 60
27 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4 Cramer-Shoup Encryption Scheme 5 Rabin Encryption Scheme 24 of 60
28 ElGamal Encryption Scheme Main idea: Given a finite group G, let m be an arbitrary element of G. Lemma: if we multiply m by an uniform group element of G, say k, the result k m is a uniform group element. Proof: Let g be an arbitrary element of G, And because k is uniform Pr[k m = g] = Pr[k = g m 1 ]. Pr[k = g m 1 ] = 1/ G. 25 of 60
29 ElGamal Scheme- Construction We define ElGamal public key encryption scheme as follows: KeyGen(n) : first, it outputs a description of a cyclic group G with order q, where q = n and a generator g, i.e (G, q, g). Then, it picks a uniform x Z q to compute h g x. the public key is PK = (G, g, q, h) and the private/secret key is SK = x. The messages are elements of G. Enc(PK, m G) : it chooses a uniform y Z q, and output the following ciphertext Dec(SK, c) : it outputs Check its correctness! 26 of 60 c = (c 1, c 2 ) (g y, h y m). m = c 2 /c x 1
30 ElGamal scheme- Example Example [Katz-Lindell book] Let q = 83 and p = 2q + 1 = 167. Let G denote the group of quadratic residues mod p. As both p and q are primes, then G is a subgroup of Z p with order q. Note that G is prime, so any element 1 g G is a generator. Take g = 2 2 = 4 mod 167, pick x = 37 Z 83, compute h = g x = 4 37 mod 167 = 76 The public becomes PK = (p, q, g, h) = (167, 83, 4, 76) Enc(PK, m = 65 G): a it picks y = 71 and compute the ciphertext, c = (c 1, c 2 ) = (4 71, ) = (132, 44) mod 167 a 65 is indeed in G as 65 = 30 2 mod of 60
31 ElGamal Scheme-Example Example Dec(SK, c): m =c 2 /c x 1 =44/ mod 167 =44/124 mod 167 = mod 167 =44 66 mod 167 =65 28 of 60
32 Security of ElGamal Scheme Theorem If the DDH problem is hard, then the ElGamal encryption scheme is CPA-secure. Sketch Proof. Idea: we consider a PPT algorithm D that wants to solve DDH, and PPT algorithm A (the adversary) who is attacking ELGamal scheme S. the algorithm D first receives an instance of the DDH problem, i.e (G, q, g, h 1 = g x 1, h 2 = g x 2, h 3 ),and his challenge is to figure out whether or not h 3 is equal to g xy. 29 of 60
33 Security of ElGamal Scheme Sketch Proof. Algorithm D will simulate the ElGamal scheme to A as follows: On input (G, q, g, h 1, h 2, h 3 ), it sets PK = (G, q, g, h 1 ). On input (m 0, m 1 ) received from A, it picks b {0, 1}, and sets c 1 = h 2 and c 2 = h 3 m b and sends them over to A It receives the bit b from A, it then outputs 1 if b = b and 0 otherwise. Now, let S be a modified version of ElGamal, works as follows: Same key generation algorithm Encryption algorithm: it chooses a uniform y, z Z q, and output the following ciphertext (g y, g z m). Note that the decryption algorithm doesn t work here, but we don t actually need it in the experiment. 30 of 60
34 Security of ElGamal Scheme Sketch Proof. For the modified encryption scheme, since c 2 is a uniformly distributed group element, we have And if DDH holds, then Pr[PubK CPA A,S (n) = 1] = 1/2 Pr[D(G, q, g, g x, g y, g z ) = 1] Pr[D(G, q, g, g x, g y, g xy ) = 1] < negl(n) (1) Case 1 random tuple: We can easily see that the View A when run as a subroutine by D is distributed identically to its view in experiment PubK cpa A,S. Therefore 31 of 60 Pr[D(G, q, g, g x, g y, g z ) = 1] = Pr[PubK CPA A,S (n) = 1] = 1/2 (2)
35 Security of ElGamal Scheme Sketch Proof. Case 2 DH tuple: We can also see that the View A when run as a subroutine by D is distributed identically to its view in experiment PubK cpa A,S. Therefore Pr[PubK CPA A,S (n) = 1] = Pr[D(G, q, g, gx, g y, g xy ) = 1] (3) Equations (1), (2) and (3) give us Pr[PubK CPA A,S (n)] < 1/2 + negl(n) 32 of 60
36 ElGamal Scheme- CCA secure? Is ElGamal encryption scheme CCA-secure? Why? 33 of 60
37 ElGamal Scheme- CCA secure? Is ElGamal encryption scheme CCA-secure? Why? NO, because it is malleable! 33 of 60
38 A CPA-secure KEM Scheme based on DDH The scheme consists of the following algorithms: KeyGen(1 n ): it generates (G, q, g). It then chooses x Z q and computes h = g x. It also specifies a hash function H : G {0, 1} l(n) The public key PK = (G, q, g, h, H) and the private key is x. Encaps(PK): it chooses a uniform y Z q and outputs the ciphertext c g y and the key H(h y ). Decaps(SK, c): it outputs H(c x ). If H is modelled as a random oracle model, then the scheme is CPA-secure based on (the weaker assumption) CDH 34 of 60
39 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4 Cramer-Shoup Encryption Scheme 5 Rabin Encryption Scheme 35 of 60
40 Cramer-Shoup cryptosystem The first public key encryption scheme that is CCA-secure without random oracles. It is based on ElGamal. Its CCA-security relies on the hardness of DDH. 36 of 60
41 Cramer-Shoup Cryptosystem KeyGen(n) : first, it outputs a description of a cyclic group G with prime order q, s.t. q = n and a couple of generators g 1, g 2, i.e (G, q, g 1, g 2 ). Then, it picks a uniform x 1, x 2, y 1, y 2, z 1, z 2 Z q, it computes c g x1 1 gx2 2 d g y1 1 gy2 2 h g z1 1 gz2 2 The public key is PK = (G, q, g 1, g 2, c, d, h, H) where H() is a collision-resistant hash function. The private/secret key is SK = (x 1, x 2, y 1, y 2, z 1, z 2 ). The messages are elements of G. 37 of 60
42 Cramer-Shoup Cryptosystem Enc(PK, m G) : it chooses a uniform k Z q, and output the following ciphertext: u 1 = g k 1, u 2 = g k 2 e = h k m α = H(u 1, u 2, e) v = c k d kα The ciphertext is CT = (u 1, u 2, e, v) 38 of 60
43 Cramer-Shoup Cryptosystem Dec(CT, SK) : It computes α = H(u 1, u 2, e), If u x1 1 ux2 2 (uy1 1 uy2 2 )α v, output It outputs m = e/(u z1 1 uz2 2 ) Correctness: m = e/(u z 1 1 uz 2 2 ) = hk m/g kz 1 1 gkz 2 2 = h k m/h k = m 39 of 60
44 Cramer-Shoup: Security Proof Let A be the adversary attacking the Cramer-Shoup scheme and D the distinguisher that wants to distinguish a DH tuple from a random tuple. Proof. Distinguisher D(g 1, g 2, g 3, g 4 ) x 1, x 2, y 1, y 2, z 1, z 2 Z q. PK = (g 1, g 2, c := g x 1 1 gx 2 2, d := gy 1 (m 0, m 1 ) A(PK, Dec(SK, )). b {0, 1}. 1 gy 2 2, h := gz 1 CT = (g 3, g 4, g z 1 3 gz 2 4 m b, g x 1+αy 1 3 g x 2+αy 2 4 ). b A(PK, CT, Dec(SK, ) CT ), Output 1 iff b = b 1 gz 2 2, H). 40 of 60
45 Cramer-Shoup: Security Proof Proof. Claim 1: Pr[D = 1 DH] Pr[D = 1 Random] = negl(n) [It follows from the DDH assumption] Claim 2: Pr[D outputs 1 DH] = Pr[b = b A attacks S directly] Claim 3: Pr[D = 1 Random] 1 = negl(n) 2 41 of 60
46 Cramer-Shoup: Security Proof Proof. When D gets a DH tuple, then there exist γ, r s.t.: (g 1, g 2 = g γ 1, g 3 = g r 1, g 4 = g r 2) It is easy to verify that the distribution of PK and CT are exactly the same of those obtained from a real world Cramer-Shoup challenger (and not from the distinguisher who is simulating the game). Therefore, i.e. Pr[D outputs 1 DH tuple] = Pr[b = b A attacks S directly] Pr[D outputs 1 DH tuple] = Pr[PubK cca A,CS(n) = 1] 42 of 60
47 Cramer-Shoup: Security Proof Proof. When D gets a random tuple, it will look like (g 1, g 2 = g γ 1, g 3 = g r 1, g 4 = g r 2 ), where γ 0 and r r. Getting information about z 1, z 2 : From the PK, A learns log g1 h = z 1 + γz 2. (4) From the decryption oracle on CT = (u 1, u 2, e, v), we distinguish between two cases, valid and invalid ciphertexts. We will prove that he learns nothing from valid ciphertexts and that the probability that it accepts invalid ciphertexts is negligible. CT is invalid if log g1 u 1 log g2 u 2 and Dec(SK, ) doesn t return, it is valid otherwise. 43 of 60
48 Cramer-Shoup: Security Proof Proof. no extra information from valid ciphertexts, why? When Dec() returns, it means that v is not in the right format, but z 1, z 2 are not involved in this check, so no information about them in this case. On the other hand, if then what A can learn from m is log g1 u 1 = log g2 u 2 = r log g1 m = log g1 e r z 1 r γz 2 (5) But equation (5) is linearly dependent on equation (4), so no extra information about z 1, z 2 from this case. 44 of 60
49 Cramer-Shoup: Security Proof During the course of the experiment, A learns the following about x 1, x 2, y 1, y 2 : Proof. From the public key, A learns the following: From the challenge ciphertext, A learns: log g1 c = x 1 + x 2 γ (6) log g1 d = y 1 + y 2 γ (7) log g1 v = (x 1 + αy 1 )r + (x 2 + αy 2 )γr (8) 45 of 60
50 Cramer-Shoup: Security Proof Proof. Now the idea is to prove that the probability that A submits the previous type of bad decryption queries is negligible. Let CT = (u 1, u 2, e, v ) be the challenge ciphertext, we have three possible types of bad decryption queries: (u 1, u 2, e) = (u 1, u 2, e ) with v v. Since we will have same hash values but with v v, the decryption oracle will reject it. (u 1, u 2, e) (u 1, u 2, e ) and α = α. It means that we found a collision in H, but H is collision-resistant, so this happens only with negligible probability. 46 of 60
51 Cramer-Shoup: Security Proof Proof. (u 1, u 2, e) (u 1, u 2, e ) and α α. The decryption oracle will accept the query only if log g1 v = (x 1 + α y 1 ) r + (x 2 + α y 2 )γ r (9) where r r, is linearly dependent with (6),(7),(8). BUT, we can show that in this case, the equations (6),(7),(8) and (9) are linearly independent because 1 γ 0 0 det γ r r γ rα r αγ = (γ2 )(r r)( r r)(α α ) 0 r r γ rα r α γ 47 of 60
52 Cramer-Shoup: Security Proof Proof. In the third case, the decryption query is rejected except with probability 1/q, which is the probability to have v in the right format (from A s point of view, v is uniformly distributed in G), this v has to use the same values for x 1, x 2, y 1, y 2 that are used in (6),(7),(8) (remember that these values are unknown to A). If the adversary makes η queries, then the probability that one of these queries is η not rejected is at most which is negligible as q is q η + 1 exponential in the security parameter whereas the number of queries η is polynomial in it. We deduce that the hidden bit b is independent from A s view except when either a collision is found in H or the decryption oracle accepts an invalid ciphertext. Claim 3 follows. 48 of 60
53 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4 Cramer-Shoup Encryption Scheme 5 Rabin Encryption Scheme 49 of 60
54 Quadratic Residues Definition For any positive integer m, we define the set of quadratic residues modulo m as QR(m) := {x Z m y Z m such that y 2 = x mod m}. Theorem Given a prime p > 2. Every quadratic residue in Z p has exactly two square roots. 50 of 60
55 Quadratic Residues Definition We define the Jacobi symbol of x modulo p as follows: For a prime p > 2 and x Z p, we have J p (x) = { +1 if x QR(p) 1 if x QR(p). Theorem Given a prime p > 2. Then J p (x) = x p of 60
56 Quadratic Residues Definition Let N = pq, with p, q are distinct primes, and y Z N. Then y is a quadratic residue modulo N iff y p = [y mod p] is a quadratic residue modulo p and y q = [y mod q] is a quadratic residue modulo q, i.e. y p QR(p) and y q QR(q). Theorem Let N = pq with p, q distinct odd primes. Given x, x s.t. x 2 = y = x 2 mod N but with x ± x mod N, it is possible to factor N in time polynomial in N. 52 of 60
57 Rabin Encryption Scheme The encryption scheme consists of the following algorithms: KeyGen(1 n ): it outputs (N, p, q) where N = pq, p and q are n-bit primes with p = q = 3 mod 4. The public key is N and the private key is (p, q). Enc(PK, m {0, 1}): it chooses a uniform x QR(N) where lsb(x) = m. It outputs the ciphertext c [x 2 mod N]. Dec(SK, c): it computes a unique x QR(N) s.t. x 2 = c mod N, and outputs lsb(x). Theorem If Factoring is hard, then this encryption scheme is CPA-secure. 53 of 60
58 Collision-Resistant Hash Functions based on Dlog Theorem If the discrete logarithm is hard, then collision-resistant hash functions exist. We define a fixed-length hash function based on Dlog that consists of the algorithms (KeyGen, H) as follows: KeyGen(1 n ): It outputs a description of a cyclic group G of prime order q s.t. q = n and a generator g. It then selects a uniform h G. It outputs the key s = (G, q, g, h). H(s, (x 1, x 2 ) Z q Z q ): It outputs H s (x 1, x 2 ) := g x 1 h x 2 G. 54 of 60
59 Collision-Resistant Hash Functions based on Dlog Can you solve the Dlog problem if a collision in H s is found? 55 of 60
60 Collision-Resistant Hash Functions based on Dlog Can you solve the Dlog problem if a collision in H s is found? H s (x 1, x 2 ) = H s (x 1, x 2), with x x = log g h = [(x x 1) (x 2 x 2 ) 1 mod q]. Note that x 2 x 2 0 mod q, otherwise we will have x 1 = x 1 mod q and therefore no collision is found. As q is prime, the inverse of (x 2 x 2 ) exists. 55 of 60
61 Gap Diffie-Hellman Assumption Definition We call a group G a gap-dh group if the DDH problem in G is easy but the CDH problem is still hard. 56 of 60
62 Further Reading (1) Mihir Bellare, Alexandra Boldyreva, and Silvio Micali. Public-key encryption in a multi-user setting: Security proofs and improvements. In Bart Preneel, editor, Advances in Cryptology EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages Springer Berlin Heidelberg, Dan Boneh. Simplified OAEP for the RSA and Rabin Functions. In Joe Kilian, editor, Advances in Cryptology CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages Springer Berlin Heidelberg, of 60
63 Further Reading (2) Ronald Cramer and Victor Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1): , Whitfield Diffie and Martin E Hellman. New directions in cryptography. Information Theory, IEEE Transactions on, 22(6): , of 60
64 Further Reading (3) 59 of 60 Itai Dinur, Orr Dunkelman, Nathan Keller, and Adi Shamir. New attacks on feistel structures with improved memory complexities. In Advances in Cryptology - CRYPTO th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, pages , Naofumi Homma, Atsushi Miyamoto, Takafumi Aoki, Akashi Satoh, and Adi Shamir. Collision-based power analysis of modular exponentiation using chosen-message pairs. In Cryptographic Hardware and Embedded Systems - CHES 2008, 10th International Workshop, Washington, D.C., USA, August 10-13, Proceedings, pages 15 29, 2008.
Public Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationRSA-OAEP and Cramer-Shoup
RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationLecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko
CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationA New Paradigm of Hybrid Encryption Scheme
A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationSemantic Security of RSA. Semantic Security
Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against
More informationInstructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year
Data Privacy and Security Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2017-2018 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationIntroduction to Cryptography. Susan Hohenberger
Introduction to Cryptography Susan Hohenberger 1 Cryptography -- from art to science -- more than just encryption -- essential today for non-military applications 2 Symmetric Crypto Shared secret K =>
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationDATA PRIVACY AND SECURITY
DATA PRIVACY AND SECURITY Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2018-2019 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More information5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA
Leo Reyzin. Notes for BU CAS CS 538. 1 5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA 5.1 Public Key vs. Symmetric Encryption In the encryption we ve been doing so far, the sender and the recipient
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationON CIPHERTEXT UNDETECTABILITY. 1. Introduction
Tatra Mt. Math. Publ. 41 (2008), 133 151 tm Mathematical Publications ON CIPHERTEXT UNDETECTABILITY Peter Gaži Martin Stanek ABSTRACT. We propose a novel security notion for public-key encryption schemes
More informationCryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups
Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups
More information14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationA New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack
A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack Joonsang Baek 1 Willy Susilo 2 Joseph K. Liu 1 Jianying Zhou 1 1 Institute for Infocomm Research, Singapore 2 University of
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationOn the security of Jhanwar-Barua Identity-Based Encryption Scheme
On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In
More informationWeek : Public Key Cryptosystem and Digital Signatures
Week 10-11 : Public Key Cryptosystem and Digital Signatures 1. Public Key Encryptions RSA, ElGamal, 2 RSA- PKC(1/3) 1st public key cryptosystem R.L.Rivest, A.Shamir, L.Adleman, A Method for Obtaining Digital
More informationPublic-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP Diffie-Hellman Key-exchange Secure under DDH: (g x,g x,g xy ) (g x,g x,g r ) Random x {0,..,
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationA Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack
A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack Huafei Zhu InfoComm Security Department, Institute for InfoComm Research. 21 Heng Mui Keng
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationCSC 5930/9010 Modern Cryptography: Number Theory
CSC 5930/9010 Modern Cryptography: Number Theory Professor Henry Carter Fall 2018 Recap Hash functions map arbitrary-length strings to fixedlength outputs Cryptographic hashes should be collision-resistant
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #9 Sep 22 nd 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Midterm #1, next class (Tues, Sept 27 th ) All lecture materials and readings
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationOverview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017
CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationf (x) f (x) easy easy
A General Construction of IND-CCA2 Secure Public Key Encryption? Eike Kiltz 1 and John Malone-Lee 2 1 Lehrstuhl Mathematik & Informatik, Fakultat fur Mathematik, Ruhr-Universitat Bochum, Germany. URL:
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationAn efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 An efficient variant of Boneh-Gentry-Hamburg's
More informationTopics in Cryptography. Lecture 5: Basic Number Theory
Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More information