Introduction to cryptography
Christophe Ritzenthaler, November 19

1 Private key cryptography

Let us introduce some terminology. The information that Alice wants to send to Bob will be called the plaintext (message clair). She will cipher or encrypt (chiffrer) the plaintext to obtain a ciphertext (texte chiffré ou cryptogramme) with the help of a key. Bob, who knows the key, will then decipher (déchiffrer) the ciphertext, whereas Oscar, who does not, can try to decrypt (décrypter) it in order to obtain the plaintext.

Definition 1.1. A (secret key) cryptosystem (cryptosystème) is a three-tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K})$ where the following conditions are satisfied:
1. $\mathcal{P}$ is a finite set of possible plaintexts;
2. $\mathcal{C}$ is a finite set of possible ciphertexts;
3. $\mathcal{K}$ is a finite set of possible keys, called the keyspace (espace des clés);
4. for each $K \in \mathcal{K}$, there is an encryption rule (fonction de chiffrement) $E_K : \mathcal{P} \to \mathcal{C}$ and a decryption rule (fonction de déchiffrement) $D_K : \mathcal{C} \to \mathcal{P}$ such that $D_K \circ E_K = \mathrm{Id}$.

Remark 1. We see already that the function $E_K$ must be injective. Moreover, if $\mathcal{P} = \mathcal{C}$, then $E_K$ and $D_K$ are bijective: they are permutations, inverse of each other.

Alice and Bob will employ the following protocol to use a specific cryptosystem. First they choose a random key $K \in \mathcal{K}$. This is done when they are in the same place and not being observed by Oscar, or, alternatively, when they have access to a secure channel. At a later time, suppose Alice wants to communicate a message to Bob over an insecure channel. We suppose that this message is a string $x = x_1 x_2 \ldots x_n$ for some integer $n > 0$, where each plaintext symbol $x_i \in \mathcal{P}$. Each $x_i$ is encrypted using $E_K$ as $y_i = E_K(x_i)$. She sends the resulting ciphertext $y = y_1 y_2 \ldots y_n$ to Bob over the channel. When Bob receives $y$, he deciphers it using $D_K$. If this protocol is followed, privacy rests on the difficulty for Oscar of finding the key $K$.

Let us now present some classical examples. We will start with mono-alphabetic ciphers (the elements of $\mathcal{P}$ are letters) and then move to more sophisticated poly-alphabetic ciphers.
1.1 The shift cipher

Let us represent the 26 usual letters by elements of $\mathbb{Z}/26\mathbb{Z}$ (for instance $A \mapsto 0$, $B \mapsto 1$, ..., $Z \mapsto 25$). We then consider $\mathcal{P} = \mathcal{C} = \mathcal{K} = \mathbb{Z}/26\mathbb{Z}$. For $K \in \mathcal{K}$ one defines $E_K : x \mapsto x + K$. The decryption rule is given by $D_K : y \mapsto y - K$.

Remark 2. The case $K = 3$ is known historically as the Caesar cipher. If we apply it to the plaintext sauna we obtain vdxqd. In spite of its extreme weakness (there are only 26 possibilities for the key, so one can test all of them until a coherent plaintext appears), it was used by Southern officers during the American Civil War and even by the Russian army. Oddly, this cipher was used again at the beginning of the internet, in forums. It was called ROT-13 (with $K = 13$). The idea was not to cipher texts but to prevent someone from involuntarily reading a message (the end of a movie, ...).

1.2 The substitution cipher

The previous method can be seen as a particular case of a permutation of the letters. Allowing an arbitrary permutation is then an easy way to increase dramatically the number of keys: we obtain $26!$ of them. Formally we have here $\mathcal{P} = \mathcal{C} = \mathbb{Z}/26\mathbb{Z}$ and $\mathcal{K} = S_{26}$. The encryption and decryption rules for $\sigma \in \mathcal{K}$ are
$$E_\sigma : x \mapsto \sigma(x), \qquad D_\sigma : y \mapsto \sigma^{-1}(y).$$
We have already seen in 1.1 that the shift cipher does not resist an exhaustive search. Of course, as the set of keys is always finite, exhaustive search is always an option and thus any cryptosystem can theoretically be broken. However, the opponent does not have infinite computing power or unlimited time, so if the keyspace is too big (which means more than $2^{60}$ keys) one has to try cleverer methods. We present here attacks based on statistical properties.

1.2.1 A statistical attack

A way to decrypt a ciphertext is to use statistical properties of the language. Various people have estimated the relative frequencies of the 26 letters (or of any group of 2 or 3 letters). For English and French these probabilities are compiled in Fig. 1, and the most frequent pairs are in the table below.
Figure 1: English / French letter frequencies (table of the relative frequencies of the 26 letters in English and in French; the numerical values are not reproduced here).

Most frequent pairs:
  English: TH HE IN ER AN RE ES ON ST NT EN ED ND
  French:  ES DE LE EN RE NT ON ER TE EL AN SE ET

One can use these tables to find the permutation key, as we show on the following example.

Example 1. Let us consider the following French ciphertext:
wvzjxojukvnapzeikxzjtpkhojxkepfzvntkiktovxikzzaaikjxi kckzvbovaxkbqotktwvojtzenazixktrkjtwvepkterjoikjn.
The frequency analysis gives the following results: K (16), Z, J, T (9), V (8), O, I (7), X (6), A, E (5). K is likely to be E, but then it is difficult to decide between Z, J, T. We then use the pairs containing K: IK (7), KT (4), KJ, XK (3). Among the pairs starting with E the most frequent is ES, so we will assume that T is S. The next one is EN, so we will assume that J maps to N. Among the letters with the second frequency, only Z is unassigned; we can suppose that Z maps to A. Among the pairs finishing with E the most frequent are DE, LE, RE, so I must be D, L or R. Now I is quite a frequent letter, so we will assume that I maps to the most frequent letter among them, which is R. We can also think that X maps to D. So far we have

  plain   A D E N R S
  cipher  Z X K J I T
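The frequency counts of Example 1 and the application of a partial or complete key, as an added Python example (it is not code from the notes; the ciphertext is the notes' own, the key tables are transcribed from the reasoning above):

```python
from collections import Counter

# Ciphertext of Example 1 (from the notes), letters only.
CIPHERTEXT = ("wvzjxojukvnapzeikxzjtpkhojxkepfzvntkiktovxikzzaaikjxi"
              "kckzvbovaxkbqotktwvojtzenazixktrkjtwvepkterjoikjn")


def letters(text):
    return "".join(c for c in text.lower() if c.isalpha())


def letter_frequencies(text):
    """Single-letter counts, most frequent first (the first step of the attack)."""
    return Counter(letters(text)).most_common()


def digram_frequencies(text, containing=None):
    """Adjacent-pair counts; with `containing`, only the pairs that contain that letter."""
    t = letters(text)
    pairs = Counter(t[i:i + 2] for i in range(len(t) - 1))
    if containing:
        pairs = Counter({k: v for k, v in pairs.items() if containing in k})
    return pairs.most_common()


def decrypt(text, cipher_to_plain):
    """Apply a (possibly partial) inverse permutation; unassigned letters print as '.'."""
    return "".join(cipher_to_plain.get(c, ".") for c in letters(text))


# Partial key after the frequency reasoning (cipher -> plain): Z->a, X->d, K->e, J->n, I->r, T->s.
PARTIAL = {"z": "a", "x": "d", "k": "e", "j": "n", "i": "r", "t": "s"}

# Completed key of the notes (cipher -> plain); plain j, k, w, x, z do not occur in the text.
FULL = {"z": "a", "c": "b", "b": "c", "x": "d", "k": "e", "f": "f", "r": "g", "q": "h",
        "e": "i", "p": "l", "h": "m", "j": "n", "o": "o", "a": "p", "w": "q", "i": "r",
        "t": "s", "n": "t", "v": "u", "u": "v", "y": "y"}

if __name__ == "__main__":
    print(letter_frequencies(CIPHERTEXT)[:8])
    print(digram_frequencies(CIPHERTEXT, "k")[:4])
    print(decrypt(CIPHERTEXT, PARTIAL))
    print(decrypt(CIPHERTEXT, FULL))
```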
Applying this partial key to the ciphertext gives ..and...e...red..s.e..nde...tseres..dre...rendre.e...de...ses...ns...rdes.ens...es..n.ren. Analysing the beginning of the sentence, one recognizes quand, and the last letter must be t. It is then easy to complete the key:

  plain   A B C D E F G H I J K L M
  cipher  Z C B X K F R Q E . . P H
  plain   N O P Q R S T U V W X Y Z
  cipher  J O A W I T N V U . . Y .

and to decipher: quand on veut plaire dans le monde, il faut se résoudre à apprendre beaucoup de choses qu'on sait par des gens qui les ignorent (Chamfort, Maximes et Pensées).

1.3 The Vigenère cipher

This is our first case of a poly-alphabetic cipher. Let $m$ be some fixed positive integer. Define $\mathcal{P} = \mathcal{C} = \mathcal{K} = (\mathbb{Z}/26\mathbb{Z})^m$. For a key $K = (k_1, \ldots, k_m) \in \mathcal{K}$ we define
$$E_K(x_1, \ldots, x_m) = (x_1 + k_1, \ldots, x_m + k_m) \quad \text{and} \quad D_K(y_1, \ldots, y_m) = (y_1 - k_1, \ldots, y_m - k_m).$$
Stricto sensu, the value $m$ should be public. But we can make the system more difficult by assuming that the value $m$ is secret, as we will do (formally, it makes the precise definitions of the sets a bit more complicated). Note that the case $m = 1$ is the shift cipher.

1.4 The Hill cipher

Let $m$ be some fixed positive integer. Define $\mathcal{P} = \mathcal{C} = (\mathbb{Z}/26\mathbb{Z})^m$ and $\mathcal{K} = \mathrm{GL}_m(\mathbb{Z}/26\mathbb{Z})$. Note that a matrix with coefficients in $\mathbb{Z}/26\mathbb{Z}$ is invertible if and only if its determinant is coprime to 26. For a key $K \in \mathcal{K}$ we define $E_K(x) = xK$ and $D_K(y) = yK^{-1}$. As a special case we obtain the so-called permutation cipher by using a permutation matrix (i.e. a matrix with exactly one 1 in each row and each column and 0 elsewhere).

1.4.1 A known plaintext attack on the Hill cipher

So far we have considered only attacks on a single ciphertext. But let us assume that the opponent knows several plaintexts and their ciphers. More precisely, let us assume that he knows $m$ plaintexts $X_i$ and the corresponding ciphertexts $Y_i$. Writing the $X_i$ as the rows of an $m \times m$ matrix $X$ and the $Y_i$ as the rows of a matrix $Y$, one has
$$Y = \begin{pmatrix} Y_1 \\ \vdots \\ Y_m \end{pmatrix} = \begin{pmatrix} X_1 \\ \vdots \\ X_m \end{pmatrix} K = XK.$$
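The known-plaintext attack just set up, as an added Python example (not code from the notes): it is restricted to $m = 2$ so that the inverse modulo 26 can be written with the adjugate formula, and the key $K$ and the plaintext blocks HE, LP are constructed values.

```python
from math import gcd

MOD = 26  # letters as elements of Z/26Z, A = 0, ..., Z = 25


def to_vec(s):
    return [ord(c) - 65 for c in s.upper()]


def to_str(v):
    return "".join(chr(65 + x % MOD) for x in v)


def mat_mul(A, B):
    """Matrix product over Z/26Z; a plaintext block is a row vector, so E_K(x) = x K."""
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % MOD
             for j in range(len(B[0]))] for i in range(len(A))]


def is_invertible(M):
    """A 2x2 matrix over Z/26Z is invertible iff gcd(det, 26) = 1."""
    (a, b), (c, d) = M
    return gcd((a * d - b * c) % MOD, MOD) == 1


def inv_2x2(M):
    """K^-1 over Z/26Z by the adjugate formula (m = 2 only)."""
    (a, b), (c, d) = M
    det = (a * d - b * c) % MOD
    if gcd(det, MOD) != 1:
        raise ValueError("matrix not invertible mod 26 (det = %d)" % det)
    di = pow(det, -1, MOD)
    return [[d * di % MOD, -b * di % MOD], [-c * di % MOD, a * di % MOD]]


def encrypt(text, K):
    """Hill encryption of a text whose length is a multiple of 2 (padding not handled)."""
    v = to_vec(text)
    blocks = [mat_mul([v[i:i + 2]], K)[0] for i in range(0, len(v), 2)]
    return to_str(sum(blocks, []))


def decrypt(text, K):
    return encrypt(text, inv_2x2(K))


def recover_key(plain_blocks, cipher_blocks):
    """Known-plaintext attack: rows X_i, Y_i with Y = X K, hence K = X^-1 Y."""
    X = [to_vec(b) for b in plain_blocks]
    Y = [to_vec(b) for b in cipher_blocks]
    return mat_mul(inv_2x2(X), Y)


if __name__ == "__main__":
    K = [[3, 3], [2, 5]]                      # constructed key, det = 9, gcd(9, 26) = 1
    c = encrypt("HELP", K)
    print(c, decrypt(c, K))
    print(recover_key(["HE", "LP"], [c[:2], c[2:]]))
```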
From $Y = XK$ one sees easily that one can in general find the key, $K = X^{-1}Y$ (provided the matrix $X$ of the $X_i$'s is invertible).

In conclusion, these cryptographic constructions are based on two principles (which can be mixed): substitution of letters and affine transformations. We will now see how to attack them.

1.5 A modern algorithm: AES

This system is based on the work of Joan Daemen and Vincent Rijmen, who created a system called Rijndael after the call for proposals of NIST in 1997 to replace DES. It is important to notice that, unlike for DES, the selection of AES was completely open and involved the whole cryptographic community through three international conferences.

1.5.1 Plaintext, ciphertext and keys

The size of the secret keys is 128 bits (16 octets), 192 bits (24 octets) or 256 bits (32 octets). For AES the basic element is the octet, so we cut our plaintext and our keys into octets and place them in arrays. The input is therefore a $4 \times 4$ array of octets $p_0, \ldots, p_{15}$ and the key a $4 \times N_K$ table with $N_K = 4, 6$ or $8$ (Table 1).

Table 1: Input and key (case $N_K = 8$)

  x0  x4  x8   x12      k0  k4  k8   k12  k16  k20  k24  k28
  x1  x5  x9   x13      k1  k5  k9   k13  k17  k21  k25  k29
  x2  x6  x10  x14      k2  k6  k10  k14  k18  k22  k26  k30
  x3  x7  x11  x15      k3  k7  k11  k15  k19  k23  k27  k31

The key is used to generate round keys. The number of round keys depends on $N_K$: for $N_K = 4, 6, 8$ this number is respectively $n_r = 10, 12, 14$, plus one for an initial round. The round keys (of length 16 octets) will then be denoted $K_0, \ldots, K_{n_r}$.

1.5.2 Overview

Given an input $x$ of length 16 octets, we perform the following operations.
1. $x \oplus K_0$ (as bits).
2. For $i = 1$ to $n_r - 1$ we apply successively the procedures SubBytes, ShiftRows, MixColumns and $\oplus K_i$, which will be described in ??.
3. Finally we apply SubBytes, ShiftRows and $\oplus K_{n_r}$.
1.5.3 Procedure SubBytes

It is the only procedure which is non-linear. It is therefore the core of AES. It is based on computations in $\mathbb{F}_{256}$. We consider the polynomial
$$P(X) = X^8 + X^4 + X^3 + X + 1.$$
This polynomial is irreducible over $\mathbb{F}_2$ and therefore generates the field $\mathbb{F}_{2^8}$. The elements of this field can be seen as octets. Indeed one can represent the octet $b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$ as the element
$$b(X) = b_7 X^7 + b_6 X^6 + b_5 X^5 + b_4 X^4 + b_3 X^3 + b_2 X^2 + b_1 X + b_0.$$
We denote by $g : \mathbb{F}_{256} \to \mathbb{F}_{256}$ the map
$$g(x) = \begin{cases} 0 & \text{if } x = 0, \\ x^{-1} & \text{otherwise.} \end{cases}$$
We also introduce an affine function $f(a) = b$ on the bit vectors $(a_7, \ldots, a_0) \mapsto (b_7, \ldots, b_0)$, given by a fixed matrix over $\mathbb{F}_2$ together with a constant vector; its entries are not reproduced here.
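SubBytes as $f \circ g$ on one octet, as an added Python example that is not code from the notes: the field arithmetic uses the polynomial $P(X)$ above, and since the matrix on the page is not legible, the affine map uses the standard FIPS-197 values (each row of the matrix is the byte 0xF1 rotated, the constant is 0x63), which is an assumption about what the notes' matrix contains.

```python
AES_POLY = 0x11B  # X^8 + X^4 + X^3 + X + 1, the modulus defining F_256


def gf_mul(a, b):
    """Product of two octets seen as polynomials over F_2, reduced modulo P(X)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:          # degree 8 reached: subtract P(X)
            a ^= AES_POLY
        b >>= 1
    return r


def g(x):
    """g(x) = 0 if x = 0, x^-1 otherwise; x^-1 = x^254 because x^255 = 1 in F_256*."""
    if x == 0:
        return 0
    result, base, e = 1, x, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base, e = gf_mul(base, base), e >> 1
    return result


def f(a):
    """Affine map b = M a + c over F_2 with the FIPS-197 matrix (rows: rotated 0xF1) and c = 0x63.

    Assumption: these are the values behind the matrix that is not legible in the notes."""
    b = 0
    for i in range(8):
        bit = ((a >> i) ^ (a >> ((i + 4) % 8)) ^ (a >> ((i + 5) % 8))
               ^ (a >> ((i + 6) % 8)) ^ (a >> ((i + 7) % 8)) ^ (0x63 >> i))
        b |= (bit & 1) << i
    return b


def sub_byte(x):
    """SubBytes on a single octet: f o g."""
    return f(g(x))


def sub_bytes(state):
    """SubBytes on the 16-octet state, octet by octet."""
    return [sub_byte(x) for x in state]


SBOX = [sub_byte(x) for x in range(256)]  # the lookup table real implementations precompute

if __name__ == "__main__":
    print(hex(sub_byte(0x00)), hex(sub_byte(0x53)))
```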
The procedure SubBytes $:= f \circ g$ is then applied to each octet.

2 Public key cryptography

2.1 Some difficult problems

In modern cryptography we need to find a good one-way function (fonction à sens unique). It is a function $f$ which is easy to compute but difficult to invert (i.e. $f^{-1}(y)$ is difficult to compute for almost all $y$). Intuitively, we say that something is easy to compute if one can do it in polynomial time and that it is difficult if it is not. Good candidates seem to be problems in the class NP. However this is not completely true, as an NP-problem can be hard in bad cases but easy for a large number of other instances. Moreover we do not know whether $P \neq NP$. The question is difficult. Actually, nobody knows whether one-way functions exist, but a lot of functions seem to play this role in practice. Note also that one can distinguish between exponential and sub-exponential algorithms. This distinction has direct consequences on the size of the keys (160 or 1024 bits). Thus, good cryptosystems are the ones for which no subexponential attack is known. To obtain an efficient cryptosystem, one has to require a last condition: the function $f$ must become easy to invert if one knows a secret value. Such functions are called trapdoor one-way functions (fonction à sens unique avec trappe). We give here the most used problems.

Factorization. Given a number $n$ which is the product of two big prime numbers, $n = pq$, determine $p$ and $q$. There are several (non-polynomial) algorithms to attack this problem, see the previous lecture: the Eratosthenes sieve (trying all prime numbers up to $\sqrt{n}$), which is of course an exponential method; the Pollard $\rho$-method; the Pollard $p - 1$ method, an exponential method but very efficient when $p - 1$ has only small prime factors; continued fractions; elliptic curve methods; the multiple polynomial quadratic sieve; the number field sieve. These last four are subexponential. This problem is used in RSA and the RSA signature.

Square roots.
Let $p$ be a prime number greater than 2 and $x$ a square in $\mathbb{Z}/p\mathbb{Z}$. It is possible to compute square roots. If $p \equiv 3 \pmod 4$, $x^{(p+1)/4}$ is a solution. If $p \equiv 1 \pmod 4$, Shanks' algorithm is used.

Let us write $p - 1 = 2^s t$ with $t$ odd and $s \geq 2$. Let $a$ be the square whose root we want (so $a \equiv x^2 \pmod p$ for some $x$). Let us assume that we know a $b$ which is not a quadratic residue modulo $p$. Let us write $z = b^t$. Set $B = a^t$, $X = a^{(t+1)/2}$, $Y = z$ and $R = s - 1$, and run the following algorithm.

  while R ≥ 1 do
    if B^(2^(R-1)) ≡ 1 (mod p) then
      Y := Y^2;
    else
      B := B·Y^2; X := X·Y; Y := Y^2;
    end if;
    R := R - 1;
  end while;

One can check that the output $X$ is a square root of $a$. To do so, we check that the following conditions are loop invariants:
$$aB \equiv X^2 \pmod p, \qquad Y^{2^R} \equiv -1 \pmod p, \qquad B^{2^R} \equiv 1 \pmod p, \qquad R \geq 0.$$
As initial conditions: $aB = a \cdot a^t = a^{t+1} = (a^{(t+1)/2})^2 = X^2$; $Y^{2^R} = z^{2^{s-1}} = b^{t 2^{s-1}} = b^{(p-1)/2} \equiv -1 \pmod p$ since $b$ is not a residue; $B^{2^R} = a^{t 2^{s-1}} = a^{(p-1)/2} \equiv 1 \pmod p$ since $a$ is a square; $R = s - 1 \geq 0$.

After one iteration, let us denote by $B', X', Y', R'$ the new values.
If $B^{2^{R-1}} \equiv 1 \pmod p$, then $aB' = aB \equiv X^2 = X'^2$, $(Y')^{2^{R'}} = Y^{2^R} \equiv -1$, $(B')^{2^{R'}} = B^{2^{R-1}} \equiv 1 \pmod p$ and $R' = R - 1 \geq 0$.
If $B^{2^{R-1}} \equiv -1 \pmod p$ (the only other possibility, since $B^{2^R} \equiv 1$), then $aB' = aBY^2 \equiv X^2 Y^2 = X'^2$, $(Y')^{2^{R'}} = Y^{2^R} \equiv -1$, $(B')^{2^{R'}} = B^{2^{R-1}} Y^{2^R} \equiv (-1)(-1) = 1 \pmod p$ and $R' = R - 1 \geq 0$.
When the loop ends, $R = 0$, so $B \equiv 1$ and $X^2 \equiv aB \equiv a \pmod p$.
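Shanks' algorithm with its loop invariants checked at every iteration, the CRT computation of square roots modulo $n = pq$ when $p, q$ are known, and the reduction of Proposition 2.1 below (factoring $n$ from a square-root oracle), as one added Python example that is not code from the notes; the primes 13, 17, 1009 and the modulus 221 in the demonstration are constructed values.

```python
from math import gcd
from random import randrange


def is_residue(a, p):
    """Euler's criterion: a non-zero a is a square mod p iff a^((p-1)/2) = 1."""
    return pow(a, (p - 1) // 2, p) == 1


def invariants_hold(a, B, X, Y, R, p):
    """The loop invariants of the notes: aB = X^2, Y^(2^R) = -1, B^(2^R) = 1 (mod p), R >= 0."""
    return (a * B % p == X * X % p and pow(Y, 1 << R, p) == p - 1
            and pow(B, 1 << R, p) == 1 and R >= 0)


def sqrt_mod_prime(a, p, b=None):
    """A square root of the square a modulo the odd prime p (Shanks when p = 1 mod 4)."""
    a %= p
    if a == 0:
        return 0
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    s, t = 0, p - 1                        # p - 1 = 2^s t with t odd, s >= 2
    while t % 2 == 0:
        s, t = s + 1, t // 2
    if b is None:                          # Las Vegas part: guess a non-residue b
        b = 2
        while is_residue(b, p):
            b = randrange(2, p)
    B, X, Y, R = pow(a, t, p), pow(a, (t + 1) // 2, p), pow(b, t, p), s - 1
    while R >= 1:
        assert invariants_hold(a, B, X, Y, R, p)
        if pow(B, 1 << (R - 1), p) == 1:
            Y = Y * Y % p
        else:                              # here B^(2^(R-1)) = -1
            B, X, Y = B * Y * Y % p, X * Y % p, Y * Y % p
        R -= 1
    return X                               # B = 1 now, so X^2 = aB = a


def sqrt_mod_pq(a, p, q):
    """The four square roots of the square a modulo n = pq when p and q are known (CRT)."""
    n = p * q
    rp, rq = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
    roots = set()
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):
            roots.add((sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % n)
    return sorted(roots)


def factor_with_sqrt_oracle(n, oracle, tries=50):
    """Proposition 2.1: pick u, ask for a root v of u^2; if v is not +-u, gcd(n, u+v) is a proper factor."""
    for _ in range(tries):
        u = randrange(2, n)
        if gcd(u, n) != 1:
            return gcd(u, n)
        v = oracle(u * u % n)
        if v not in (u, n - u):
            return gcd(n, u + v)
    return None                            # each try fails with probability 1/2


if __name__ == "__main__":
    print(sqrt_mod_prime(10, 13), sqrt_mod_pq(4, 13, 17))
    # the oracle of the proposition, simulated with the known factors 13 and 17
    print(factor_with_sqrt_oracle(221, lambda a: sqrt_mod_pq(a, 13, 17)[0]))
```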
Let us point out that this algorithm gives the correct answer as long as we have picked a quadratic non-residue $b$. It is thus a Las Vegas algorithm. If $n = pq$ is the product of two big distinct prime numbers and if $p$ and $q$ are known, the square root can be computed using the Chinese remainder theorem (théorème du reste chinois). But if $p$ and $q$ are unknown, the problem is difficult.

Proposition 2.1. For every $n = pq$ with $p, q$ prime numbers there is a Las Vegas algorithm which computes $p$ and $q$ if one uses an oracle giving a square root modulo $n$ of any given square.

Proof. One picks $u$ at random and lets $a \equiv u^2 \pmod n$. The oracle gives a square root $v$ of $a$. There is half a chance that $u \not\equiv \pm v \pmod n$, and in this case one knows that $u^2 - v^2 = kn$, i.e. $n$ divides $(u + v)(u - v)$ but none of the two factors. Thus $\gcd(n, u + v)$ is $p$ or $q$, and the same holds for the other factor.

Discrete logarithm problem (DLP). Let $G$ be a commutative group and $H$ a finite cyclic subgroup generated by an element $a$. Given $a^n$, finding $n$ is called the discrete logarithm problem (problème du logarithme discret). In some groups this problem is difficult, for instance in the multiplicative group of $\mathbb{Z}/p\mathbb{Z}$ (or more generally of a finite field). There are also several ways to attack the problem, see 5.2: baby-step giant-step (Shanks); the Pollard $\rho$ method; the Pohlig and Hellman method; index calculus (Adleman, Coppersmith). Index calculus methods lead to sub-exponential algorithms for finite fields. However for other groups (elliptic curves) this is not the case. This problem is used in the ElGamal encryption and signature schemes.

Remark 3. Shoup, generalizing a result of Nechaev, has shown that if $p$ is the largest prime dividing the group order, a generic algorithm solving the DLP with probability bounded away from zero has to perform $O(\sqrt{p})$ operations.

2.2 Random functions

Cryptographic protocols often use random elements. A difficult question is how to produce these elements. On the one hand, nature supplies hardware-based generators like radioactive decay or the time between two keyboard strokes. However it is often too time-consuming to generate true random numbers, so pseudorandom numbers are used instead. Intuitively a pseudorandom generator can be described as an algorithm that, given a short sequence of bits, produces a long sequence of bits that looks random. Of course the algorithm is deterministic, which explains the "pseudo". M. Blum and S. Micali formalized this notion. A pseudorandom generator has been constructed by L. Blum, M. Blum and M. Shub. Let $p, q$ be two big prime numbers congruent to 3 modulo 4. Let $x_0$ be a quadratic residue modulo $n = pq$. The sequence $D = y_1 \ldots y_n$ is defined by
$$x_i \equiv x_{i-1}^2 \pmod n, \qquad y_i = x_i \bmod 2.$$
This generator has been proved secure. Unfortunately it is too slow for several applications.
2.3 Hash functions

Definition 2.1. Let $\Sigma$ be an alphabet. Denote by $\Sigma^*$ the set of all words. A hash function (fonction de hachage) is a map $h : \Sigma^* \to \Sigma^n$ for some $n$.

Example 2. The map that sends $b_1 \ldots b_k$ in $\{0, 1\}^*$ to $b_1 \ldots b_k$ is a hash function.

For cryptographic purposes, we add two conditions: it must be hard to determine a pre-image of an element; it must be resistant to collisions, which means that it is practically impossible to find two messages $x_1, x_2$ such that $h(x_1) = h(x_2)$. As $h$ is never injective, these two properties can only be realized because of the intractability of the computations. Due to the birthday paradox (paradoxe des anniversaires), the second condition requires a size $n$ which is nowadays at least 128 bits.

Example 3. Among the current hash functions, let us mention: SHA-0, SHA-1 (Secure Hash Algorithm) on 128, 160, 224, 256, 384, 512 bits; MD5 (Message Digest) on 128 bits; Whirlpool on 512 bits (this one has been selected by NESSIE). Note that some of these functions have recently been successfully attacked (i.e. collisions have been found): SHA-0 and MD5 have been broken.

3 Protocols

3.1 Encryption scheme

We have already seen a definition in Def. 1.1. Here we extend the latter in order to include asymmetric cryptosystems.

Definition 3.1. A cryptosystem (cryptosystème) is a three-tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K})$ such that:
1. $\mathcal{P}$ is a finite set of possible plaintexts;
2. $\mathcal{C}$ is a finite set of possible ciphertexts;
3. $\mathcal{K}$ is a finite set of possible keys;
4. for each $e \in \mathcal{K}$, there exists $d \in \mathcal{K}$ such that there exist an encryption function $E_e : \mathcal{P} \to \mathcal{C}$ and a decryption function $D_d : \mathcal{C} \to \mathcal{P}$ satisfying $D_d \circ E_e = \mathrm{Id}$.

In the case where $e = d$, one speaks of symmetric or secret key cryptosystems. Obviously, the key $e$ must be secret. We have seen that secure key exchange is then an important issue. If $e$ and $d$ are distinct, one speaks of asymmetric or public key cryptosystems. In such a system the encryption key can be made public, so $e$ is called the public key and $d$ the private key.
One can wonder why secret key cryptography has not completely disappeared with the introduction of public key cryptography. Indeed the latter offers a solution to the problem of key exchange and moreover, in an open system with $n$ entities, it is easy to see that the number of keys to communicate is $2n$ with asymmetric cryptography, whereas it is $n(n-1)$ for symmetric cryptography. The reason is simple: asymmetric cryptography is about 1000 times slower than symmetric cryptography. Most present systems therefore work with both kinds of encryption: first the entities exchange, via an asymmetric protocol, a message which is then used as a key to establish a symmetric protocol between the two entities.

3.1.1 Example: RSA

Let $n = pq$ be the product of two distinct big prime numbers. If $\varphi$ denotes Euler's function, one has $\varphi(n) = (p-1)(q-1)$. Let $e$ be a number coprime with $\varphi(n)$. By Bézout's theorem, there exists $d$ such that $ed \equiv 1 \pmod{\varphi(n)}$.

Lemma 3.1. Let $E_e(x) \equiv x^e \pmod n$. This function defines a permutation of $(\mathbb{Z}/n\mathbb{Z})^*$ with inverse $D_d(y) \equiv y^d \pmod n$.

Proof. By Fermat's little theorem, one has
$$D_d \circ E_e(x) \equiv x^{de} \equiv x^{k\varphi(n) + 1} \equiv x \pmod n,$$
so the function $E_e$ is injective, thus bijective, and $D_d$ is its inverse.

The cryptosystem RSA is given by $\mathcal{P} = \mathcal{C} = (\mathbb{Z}/n\mathbb{Z})^*$; $\mathcal{K}$ is the subset of $\mathbb{Z}/n\mathbb{Z}$ given by the elements $e$ prime to $\varphi(n)$. For $e \in \mathcal{K}$ one denotes by $d$ an element such that $ed \equiv 1 \pmod{\varphi(n)}$. Then $E_e(x) \equiv x^e \pmod n$ and $D_d(y) \equiv y^d \pmod n$. A priori the security of RSA relies on the computation of $\varphi(n)$. Clearly, if the factorization of $n$ is known, so is $\varphi(n)$.

3.2 Signature

A signature is a mechanism to prove authentication of the sender, integrity of the data and non-repudiation. (Non-repudiation is a mechanism to prevent someone from denying a contract. One wants for instance to prove that a message was indeed sent or indeed received. The author cannot deny that
he wrote it.) It is made of several parts and can be schematized by:

  Message + Alice's private key = Signature
  Message + Signature + Alice's public key = Yes/No

Let us assume that A wants to sign an already enciphered message $y$. The user A has a public key $e_A$ and a secret key $d_A$. A digest $m$ of the message $y$ is computed with a hash function $h$, $m = h(y)$. There is then a signature function $S$ with which one computes $s = S(d_A, m)$, called the appendix of the signature. A then transmits the pair $(y, s)$. To verify the signature, the system also provides a verification function $V$ such that $V(e_A, y, s)$ is true (or 1) if and only if the message $y$ is signed by A. We will denote by $S_A$ the signature function of A, i.e. the function $S_A(y) = (y, S(d_A, h(y)))$, and
$$V_A(y, s) = \begin{cases} 0 & \text{if } (y, s) \neq S_A(y), \\ 1 & \text{if } (y, s) = S_A(y). \end{cases}$$
Notice that this process implies non-repudiation. Indeed, since everybody knows the key $e_A$ and since only A can produce $S_A(y)$, everybody can check that the signature is A's.

3.2.1 Example: ElGamal

See the mini-tutorial.

3.3 Key exchange

3.3.1 First version

As we said, encryption of long messages is generally done with secret key systems, which are much faster than public key ones. Public key systems are used to exchange the symmetric key between the users. RSA or ElGamal can be used for this purpose. We describe here the elementary Diffie-Hellman key exchange protocol. A and B want to construct a symmetric 128-bit key $k$. They take a prime number $p$ of 1024 bits such that $p - 1$ has a prime factor of at least 160 bits, a primitive element $g \in (\mathbb{Z}/p\mathbb{Z})^*$ and a hash function $h$ whose output has 128 bits.
A chooses $0 < n < p - 1$, which is kept secret; B chooses $0 < m < p - 1$, which is kept secret; A sends $g^n$ to B and B sends $g^m$ to A; A and B compute $k = h(g^{mn})$.
The difficulty of the Diffie-Hellman problem ensures the security of the system.
However, for a general $i$ the problem of the $i$-th bit is not solved: it is not known which bits of $g^{mn}$ are as difficult to find as the whole of $g^{mn}$. One knows that the first bits are easy to compute. One also knows that computing more than $\log_2(p)$ of the last bits is as difficult as computing $g^{mn}$. Using the hash function $h$ allows one to get around this issue.

The middle-man attack (attaque de l'homme du milieu) (see Fig. 2) is an attack which can be made on this protocol by an active attacker: the attacker O intercepts the exchanges between A and B. He then constructs a common key with A and a common key with B. He can then recreate for A and B the impression of a secure communication, whereas he can of course decipher all the messages.

Figure 2: Middle-man attack (figure not reproduced).

How to avoid this attack? Signatures make it possible to avoid it. Indeed, Alice and Bob not only exchange $g^n$ and $g^m$ but send these messages together with their signatures. We have now moved from the key distribution problem of securely distributing secret keys to that of authentically distributing public keys. This problem is more or less solved by PKI (Public Key Infrastructure), which ensures that a given public key really belongs to its owner.

4 Attacks classification

One first has to distinguish the level of the attack: directly against the core functions, against the protocol (mathematical or logical), or even against its implementation. Furthermore, one also has to decide what kind of information the opponent can get. Following Kerckhoffs' principle, the basic hypothesis is that the opponent knows everything
about the system except the secret key. One distinguishes several types:
ciphertext-only attack (attaque à chiffré seul): the opponent knows only the ciphertext;
known plaintext attack (attaque à textes clairs connus): the opponent knows pairs of plaintext and ciphertext;
chosen plaintext attack (attaque à textes clairs choisis) (CPA): the opponent can get the ciphers of chosen plaintexts, but only before the plaintext to attack (called the challenge);
adaptive chosen plaintext attack (attaque adaptative à textes clairs choisis): the opponent can get the ciphers of chosen plaintexts before and after the challenge;
chosen ciphertext attack (attaque à textes chiffrés choisis) (CCA1): the opponent can decipher chosen ciphertexts before the challenge. For instance such an attack is possible if a cryptosystem is used for identification. This works as follows. Alice wants to make sure that she is connected to Bob. She sends an encrypted random number to Bob, for which only Bob knows the decryption key. Bob decrypts the message and sends it back to Alice. An attacker can try to impersonate Alice: instead of sending random numbers he sends messages of his choice;
adaptive chosen ciphertext attack (attaque adaptative à textes chiffrés choisis) (CCA2): the opponent can decipher chosen ciphertexts before and after the challenge (apart from the challenge itself).
In public key cryptography, as everybody is allowed to cipher, CCA2 is the most powerful attack. CCA attacks are called active attacks, in contrast with the first three, which are passive attacks (or CPA attacks). The security level required nowadays for public key cryptography is that a system be semantically secure against CCA2 attacks.

4.1 Key length: where size matters

Let us take the example of DES. To find the key requires on average $\#\mathcal{K}/2$ attempts. As the secret key is 56 bits long, one has $2^{55}$ keys to try on average. So it would take: 39 days on a Pentium (done in 1997); 2.5 days on a $ machine (1998);
35 minutes for $ .

The next results are extracted from a table created by K. Lenstra and E. R. Verheul. Considering that DES was in 1982 sufficiently secure for commercial applications, this table gives an estimate of the key sizes needed in the future for an equivalent security. For a symmetric system with a key of size $b$, the attack we consider is the one which runs over $2^{b-1}$ elements (on average). For asymmetric systems, the computations are based on the best factorization or discrete logarithm algorithms. To complete the table one applies Moore's law (the computing power doubles every 18 months).

(Table: for each year, the key size of symmetric cryptosystems, the size of the RSA modulus or of the DL in $(\mathbb{Z}/p\mathbb{Z})^*$, the size of the group for the general DL, the size for elliptic curves, and the number of years of computation on a PII 450 MHz; the values are not reproduced here.)

5 Discrete logarithms

Let $(G, \cdot)$ be a finite cyclic group of order $n$ and $\alpha$ a generator. We recall that the DLP is to find $x$ in the equation $\alpha^x = y$.

5.1 Generator

We present a way to find a primitive element in $(\mathbb{Z}/p\mathbb{Z})^*$ knowing the decomposition $p - 1 = \prod_i q_i^{\alpha_i}$. We pick an $a$ and for each $i$ we compute $a^{(p-1)/q_i}$. If this element is different from 1, this means that $q_i^{\alpha_i}$ divides the order of $a$. Indeed, if $m$ is the order of $a$ and if $q_i^{\beta_i} \,\|\, m$ with $\beta_i < \alpha_i$, then $a^{(p-1)/q_i} = (a^m)^{(p-1)/(m q_i)} = 1$. As these prime powers are coprime, if all the $a^{(p-1)/q_i}$ are different from 1 then $a$ is a primitive element; otherwise we pick another $a$. The probability of success is $\varphi(p-1)/(p-1)$, which is greater (according to Rem. ??) than $e^{-\gamma}/\log\log(p-1)$ for $p$ big enough.

If we want to find a subgroup $H$ of prime order $q$ in a cyclic group of order $n$, with $n = qr$ and $(q, r) = 1$, we pick $a$ at random and test whether $a^r \neq 1$. If so, $a^r$ generates a subgroup of order $q$. The elements for which $a^r = 1$ are the ones whose order divides $r$; there are $r$ such elements. Thus the probability of a bad case is $r/n = 1/q$.

5.2 Attacks

We will present several attacks on the DLP. The first four are exponential. The last one is subexponential. Note that the biggest DLP which has been solved is in $\mathbb{F}$ .

5.2.1 Enumeration

The simplest method for computing the DL $x$ from $\alpha^x = y$ in $G$ is to test whether $x = 0, 1, 2, \ldots$ satisfies the equation. Of course, as soon as the size of the group is significant (60 bits), this method is no longer possible.
5.2.2 Shanks' Baby-Step Giant-Step

We set $m = \lceil \sqrt{n} \rceil$ and write $x = qm + r$ with $0 \leq r, q < m$. We have
$$\alpha^{qm + r} = y \iff (\alpha^m)^q = y\alpha^{-r}.$$
First we compute the set of baby-steps (pas de bébé) $B = \{(y\alpha^{-r}, r),\ 0 \leq r < m\}$. If we find a pair $(1, r)$ then $y = \alpha^r$. If we do not find such a pair, we determine $\delta = \alpha^m$. Then we test for $q = 1, 2, \ldots, m$ whether the element $\delta^q$ is the first component of an element of $B$. As soon as it is, we have a solution of the DLP. The elements $\delta^q$ are called giant steps (pas de géant). It is easy to see that this algorithm runs in $O(\sqrt{\#G})$ operations. Note that it also requires storage for $O(\sqrt{\#G})$ elements.

5.2.3 The Pollard $\rho$-algorithm

This algorithm has the same running time as the previous one but it only requires constant storage. We need a partition $G_1 \cup G_2 \cup G_3 = G$. Let $f : G \to G$ be defined by
$$f(\beta) = \begin{cases} \alpha\beta & \text{if } \beta \in G_1, \\ \beta^2 & \text{if } \beta \in G_2, \\ y\beta & \text{if } \beta \in G_3. \end{cases}$$
We choose a random $x_0 \in \{1, \ldots, n\}$ and compute $\beta_0 = \alpha^{x_0}$. Then we compute the sequence $\beta_{i+1} = f(\beta_i)$. The elements of this sequence can be written as $\beta_i = \alpha^{x_i} y^{\delta_i}$ where $\delta_0 = 0$ and
$$x_{i+1} = \begin{cases} x_i + 1 \pmod n & \text{if } \beta_i \in G_1, \\ 2x_i \pmod n & \text{if } \beta_i \in G_2, \\ x_i & \text{if } \beta_i \in G_3, \end{cases} \qquad \delta_{i+1} = \begin{cases} \delta_i \pmod n & \text{if } \beta_i \in G_1, \\ 2\delta_i \pmod n & \text{if } \beta_i \in G_2, \\ \delta_i + 1 & \text{if } \beta_i \in G_3. \end{cases}$$
At some point, two elements in the sequence $(\beta_i)$ must be equal, say $\beta_{i+k} = \beta_i$. This implies
$$\alpha^{x_i} y^{\delta_i} = \alpha^{x_{i+k}} y^{\delta_{i+k}}$$
and therefore $\alpha^{x_i - x_{i+k}} = y^{\delta_{i+k} - \delta_i}$. We obtain the congruence
$$x_i - x_{i+k} \equiv x\,(\delta_{i+k} - \delta_i) \pmod n.$$
The solution is unique if $\delta_{i+k} - \delta_i$ is invertible modulo $n$. If the solution is not unique then the discrete logarithm can be found by testing the different possibilities modulo $n$. If there are too many possibilities then the algorithm is applied with a different $x_0$.

We estimate the number of $\beta_i$ that must be computed before a match is found. By the birthday paradox (see ??), if we compute $O(\sqrt{\#G})$ elements then a match is found with probability greater than $1/2$. So far, our algorithm is no better than the previous one. The advantage is that we do not need to store as many elements. Initially $(\beta_1, x_1, \delta_1)$ is stored. Now suppose that at a certain point in the algorithm $(\beta_i, x_i, \delta_i)$ is stored. Then $(\beta_j, x_j, \delta_j)$ is computed for $j = i + 1, i + 2, \ldots$ until either a match is found or $j = 2i$. In the latter case we delete $\beta_i$ and store $\beta_{2i}$. Hence we only store the triplets with $i = 2^k$. This works for the following reason: the sequence $(\beta_i)$ is periodic after a certain number $s$ of iterations (with the first match as end point). If $l$ is the length of the period, then as soon as $2^j \geq \max(s, l)$ a full period is contained in the interval $[2^j, 2^{j+1}]$ and a match can be found.

Remark 4. In [?], it is shown that the Pollard rho method for finding the discrete logarithm in a cyclic group $G$ requires $O(\sqrt{|G|}\,(\log |G|)^{3/2})$ steps until a collision occurs and the discrete logarithm is possibly found.

5.2.4 The Pohlig-Hellman algorithm

We now show that the DLP can be reduced to DLPs in cyclic groups of prime order if we know the factorization $n = \#G = \prod_p p^{e(p)}$.

1. Reduction to prime powers. For each prime divisor $p$ of $n$, we set
$$n_p = n / p^{e(p)}, \qquad \alpha_p = \alpha^{n_p}, \qquad y_p = y^{n_p}.$$
Then the order of $\alpha_p$ is exactly $p^{e(p)}$ and $\alpha_p^x = y_p$. Assume we can solve the DLP in the prime power subgroups and call $x(p)$ the results.
Then the Chinese Remainder Theorem shows that $x$ is the unique solution of the congruences $x \equiv x(p) \pmod{p^{e(p)}}$.

2. Reduction to prime order. Let us now assume that $\#G = p^e$ for a prime $p$. We want to solve the DLP in this group. We have $x < p^e$, so let us write (in base $p$)
$$x = x_0 + x_1 p + \cdots + x_{e-1} p^{e-1}, \qquad 0 \leq x_i < p,\ 0 \leq i \leq e - 1.$$
We show that the $x_i$ are DLPs in a group of order $p$. Indeed, one has
$$p^{e-1} x = x_0 p^{e-1} + p^e (x_1 + x_2 p + \cdots + x_{e-1} p^{e-2}).$$
Now $(\alpha^{p^{e-1}})^{x_0} = y^{p^{e-1}}$. This equation shows that $x_0$ is the DL in a group of order $p$. The other coefficients are determined recursively. Suppose that $x_0, \ldots, x_{i-1}$ have been determined. Then
$$\alpha^{x_i p^i + \cdots + x_{e-1} p^{e-1}} = y\,\alpha^{-(x_0 + x_1 p + \cdots + x_{i-1} p^{i-1})}.$$
Denote the right-hand side by $y_i$; raising to the power $p^{e-i-1}$, one has
$$(\alpha^{p^{e-1}})^{x_i} = y_i^{\,p^{e-i-1}}.$$
We have thus reduced the DLP in $G$ to $e$ DLPs in a group of prime order.

3. Prime order. One applies one of the two previous algorithms (i.e. 5.2.2 or 5.2.3). We see easily that the running time is dominated by the square root of the largest prime divisor of $\#G$.

Example 4. Let us solve $5^x \equiv 3 \pmod{2017}$. The order of the multiplicative group is $n = 2016 = 2^5 \cdot 3^2 \cdot 7$. First we determine $x(2) \equiv x \pmod{2^5}$. We obtain $x(2)$ as a solution of the congruence $(5^{63})^{x(2)} \equiv 3^{63} \pmod{2017}$. To solve this congruence, we write $x(2) = x_0(2) + x_1(2) \cdot 2 + \cdots + x_4(2) \cdot 2^4$. The coefficient $x_0(2)$ is the solution of $2016^{x_0(2)} \equiv 1 \pmod{2017}$. We obtain $x_0(2) = 0$. Now $y_1 = y$. Then $x_1(2)$ is the solution of $2016^{x_1(2)} \equiv 2016 \pmod{2017}$. We obtain $x_1(2) = 1$ and compute $y_2 \pmod{2017}$. Hence $x_2(2)$ is the solution of $2016^{x_2(2)} \equiv 2016 \pmod{2017}$. We obtain $x_2(2) = 1$ and $y_3 \equiv 1 \pmod{2017}$, so $x_3(2) = x_4(2) = 0$. Concluding these computations, we obtain $x(2) = 6$. Now we compute $x(3) = x_0(3) + x_1(3) \cdot 3$. We obtain $x_0(3)$ as the solution of $294^{x_0(3)} \equiv 294 \pmod{2017}$,
so $x_0(3) = 1$ and $y_2 \equiv 294 \pmod{2017}$. Hence $x_1(3) = 1$ and $x(3) = 4$. Finally we compute $x(7)$ (with $n_7 = 288$) as the solution of the congruence
$$1879^{x(7)} \equiv 1879 \pmod{2017},$$
so $x(7) = 1$. We obtain $x$ as the solution of the simultaneous congruences
$$x \equiv 6 \pmod{32}, \qquad x \equiv 4 \pmod 9, \qquad x \equiv 1 \pmod 7.$$
The solution is $x = 1030$; one checks that $5^{1030} \equiv 3 \pmod{2017}$.

Index calculus

When $G = (\mathbb{Z}/n\mathbb{Z})^*$, or more generally the unit group of a finite field, there are more efficient DL algorithms, the so-called index calculus algorithms (méthode de l'index). They are closely related to integer factoring algorithms such as the quadratic sieve. We describe a simple index calculus algorithm.

The idea. Let $p$ be a prime number, $\alpha$ a primitive element modulo $p$ and $y \in \{1, \dots, p-1\}$. We want to solve $\alpha^x \equiv y \pmod p$. We choose a bound $B$ and determine the set
$$F(B) = \{q \in \mathbb{P},\ q \le B\}.$$
This is the factor base. An integer $b$ is called $B$-smooth if it has only prime factors in $F(B)$. We proceed in two steps. First we compute the discrete logarithms of the factor base elements, i.e. we solve $\alpha^{x(q)} \equiv q \pmod p$ for all $q \in F(B)$. Then we determine an exponent $\delta \in \{1, \dots, p-1\}$ such that $y\alpha^\delta \bmod p$ is $B$-smooth. We obtain
$$y\alpha^\delta \equiv \prod_{q \in F(B)} q^{e(q)} \pmod p.$$
Together,
$$y\alpha^\delta \equiv \prod_{q \in F(B)} q^{e(q)} \equiv \prod_{q \in F(B)} \alpha^{x(q)e(q)} \equiv \alpha^{\sum_{q \in F(B)} x(q)e(q)} \pmod p,$$
and hence
$$y \equiv \alpha^{\sum_{q \in F(B)} x(q)e(q) - \delta} \pmod p.$$
Therefore,
$$x \equiv \sum_{q \in F(B)} x(q)e(q) - \delta \pmod{p-1}. \qquad (1)$$

Discrete logarithms of the factor base elements. To compute the discrete logarithms of the factor base elements, we choose random numbers $z \in \{1, \dots, p-1\}$ and compute $\alpha^z \bmod p$. We check whether those numbers are $B$-smooth. If they are, we compute the decomposition
$$\alpha^z \bmod p = \prod_{q \in F(B)} q^{f(q,z)}.$$
Each exponent vector $(f(q,z))_{q \in F(B)}$ is called a relation. If we find as many relations as there are factor base elements (in practice a few more, since the system below is taken modulo the composite number $p-1$ and need not have full rank), we try to find the discrete logarithms by solving a linear system. We obtain
$$\alpha^z \equiv \prod_{q \in F(B)} q^{f(q,z)} \equiv \prod_{q \in F(B)} \alpha^{x(q)f(q,z)} \equiv \alpha^{\sum_{q \in F(B)} x(q)f(q,z)} \pmod p.$$
This implies
$$z \equiv \sum_{q \in F(B)} x(q) f(q,z) \pmod{p-1}$$
for all $z$, so each relation yields one linear congruence. The system is solved with standard methods.

Individual logarithms. Once the discrete logarithms of the factor base elements are computed, the discrete logarithm of $y$ to the base $\alpha$ is determined as follows. We choose a random $\delta \in \{1, \dots, p-1\}$. If $y\alpha^\delta \bmod p$ is $B$-smooth, then (1) is applied. Otherwise, we choose a new $\delta$.

Remark 5. It can be shown that the running time is $L_p(1/2, C)$ for some constant $C$. In principle the index calculus algorithm works in any group. However, the factor base must be chosen such that relations can be found efficiently. (Un)fortunately, for some groups, such as elliptic curves over finite fields, it is not known how to choose the factor base and how to compute relations.
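Before moving on to the Mini-TD, here is the Pohlig-Hellman reduction of the previous subsection in code, run on Example 4. This is an added example and not part of the notes: the prime-order DLPs of step 3 are solved by baby-step giant-step, which I take to be the algorithm the notes compare Pollard rho with, the factorization of $\#G = p-1$ is passed in by the caller, and the function names (`bsgs`, `dlog_prime_power`, `crt`, `pohlig_hellman`) are my own.

```python
"""Pohlig-Hellman reduction for alpha^x = y in (Z/pZ)^*, run on Example 4: 5^x = 3 (mod 2017).

Added example, not from the notes.  Steps 1-3 of the text are dlog_prime_power (step 2),
pohlig_hellman (steps 1 and 3) and crt; the prime-order DLPs of step 3 are solved by
baby-step giant-step (assumed to be the "previous algorithm" the notes compare Pollard rho
with).  The factorization of #G = p-1 is supplied by the caller.  Needs Python >= 3.8.
"""
from math import isqrt


def bsgs(alpha, y, p, order):
    """Baby-step giant-step: x in [0, order) with alpha^x = y (mod p), alpha of the given order."""
    m = isqrt(order) + 1
    baby = {}
    g = 1
    for j in range(m):                 # baby steps alpha^j, j < m
        baby.setdefault(g, j)
        g = g * alpha % p
    step = pow(alpha, -m, p)           # alpha^{-m}
    gamma = y
    for i in range(m):                 # giant steps y * alpha^{-im}
        if gamma in baby:
            return (i * m + baby[gamma]) % order
        gamma = gamma * step % p
    raise ValueError("y is not a power of alpha")


def dlog_prime_power(alpha, y, p, q, e):
    """Step 2: alpha has order q^e; recover x = x_0 + x_1 q + ... + x_{e-1} q^{e-1} digit by digit."""
    alpha_q = pow(alpha, q ** (e - 1), p)        # element of order q
    x = 0
    for i in range(e):
        y_i = y * pow(alpha, -x, p) % p           # y * alpha^{-(x_0 + ... + x_{i-1} q^{i-1})}
        # (alpha^{q^{e-1}})^{x_i} = y_i^{q^{e-i-1}} is a DLP in the group of order q
        x_i = bsgs(alpha_q, pow(y_i, q ** (e - i - 1), p), p, q)
        x += x_i * q ** i
    return x


def crt(residues, moduli):
    """x modulo prod(moduli) with x = r_i (mod m_i); the moduli are pairwise coprime."""
    x, n = 0, 1
    for r, m in zip(residues, moduli):
        x += n * ((r - x) * pow(n, -1, m) % m)
        n *= m
    return x % n


def pohlig_hellman(alpha, y, p, factorization):
    """Steps 1 and 3: factorization = {q: e} of n = p-1, alpha a generator of (Z/pZ)^*."""
    n = p - 1
    residues, moduli = [], []
    for q, e in factorization.items():
        n_q = n // q ** e                                    # n_q = n / q^e
        alpha_q, y_q = pow(alpha, n_q, p), pow(y, n_q, p)    # both lie in the subgroup of order q^e
        residues.append(dlog_prime_power(alpha_q, y_q, p, q, e))   # x(q)
        moduli.append(q ** e)
    return crt(residues, moduli)


if __name__ == "__main__":
    x = pohlig_hellman(5, 3, 2017, {2: 5, 3: 2, 7: 1})
    print(x, pow(5, x, 2017))   # 1030 3
```

Because $2016 = 2^5 \cdot 3^2 \cdot 7$, every call to `bsgs` works in a group of order at most 7, which is the point of the remark on the largest prime divisor: the same code on a safe prime $p = 2q+1$ would have to run baby-step giant-step in a group of order $q$.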
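The two steps of the index calculus description above in code, as an added example that is not part of the notes. The parameters are assumptions: $p = 2027$ is a safe prime ($p-1 = 2 \cdot 1013$) with generator $\alpha = 2$, chosen so that "solving the linear system modulo $p-1$" amounts to Gauss-Jordan elimination over $\mathrm{GF}(2)$ and $\mathrm{GF}(1013)$ followed by a CRT recombination; for a general $p-1$ one has to eliminate modulo each prime-power factor instead. The random choices of $z$ and $\delta$ are replaced by a deterministic sweep so that a run is reproducible, and every $x(q)$ is checked against $\alpha^{x(q)} \equiv q$ before it is used, the sanity check a practitioner adds. Function names are mine.

```python
"""Index calculus for alpha^x = y (mod p), following the two steps of the text.

Added example, not from the notes.  Assumptions: p = 2027 is a safe prime
(p - 1 = 2 * 1013) and 2 generates (Z/2027Z)^* (2027 = 3 mod 8), chosen so that
"solving the linear system modulo p-1" reduces to Gauss-Jordan elimination over
GF(2) and GF(1013) plus a CRT recombination.  For a general p-1 one must instead
eliminate modulo each prime-power factor.  Needs Python >= 3.8 for pow(x, -1, n).
"""
P, ALPHA = 2027, 2
ORDER_FACTORS = [2, 1013]           # prime factorization of p - 1 (both exponents 1)


def factor_base(B):
    """F(B): the primes q <= B."""
    return [q for q in range(2, B + 1) if all(q % d for d in range(2, q))]


def smooth_decomposition(b, base):
    """Exponent vector (e(q))_{q in F(B)} of b, or None if b is not B-smooth."""
    exps = []
    for q in base:
        e = 0
        while b % q == 0:
            b //= q
            e += 1
        exps.append(e)
    return exps if b == 1 else None


def solve_mod_prime(rows, rhs, q):
    """Gauss-Jordan over GF(q) for an overdetermined system; None if the rank is not full."""
    m = [[v % q for v in row] + [r % q] for row, r in zip(rows, rhs)]
    ncols = len(rows[0])
    for col in range(ncols):
        pivot = next((i for i in range(col, len(m)) if m[i][col]), None)
        if pivot is None:
            return None
        m[col], m[pivot] = m[pivot], m[col]
        inv = pow(m[col][col], -1, q)
        m[col] = [v * inv % q for v in m[col]]
        for i in range(len(m)):
            if i != col and m[i][col]:
                c = m[i][col]
                m[i] = [(a - c * b) % q for a, b in zip(m[i], m[col])]
    return [m[i][-1] for i in range(ncols)]


def crt(residues, moduli):
    """x modulo prod(moduli) with x = r_i (mod m_i) for pairwise coprime moduli."""
    x, n = 0, 1
    for r, mod in zip(residues, moduli):
        x += n * ((r - x) * pow(n, -1, mod) % mod)
        n *= mod
    return x % n


def factor_base_logs(base, p=P, alpha=ALPHA):
    """Step 1: relations alpha^z = prod q^f(q,z) give z = sum x(q) f(q,z) (mod p-1); solve for x(q)."""
    rows, rhs = [], []
    for z in range(1, p - 1):                  # deterministic sweep instead of random z
        rel = smooth_decomposition(pow(alpha, z, p), base)
        if rel is None:
            continue
        rows.append(rel)
        rhs.append(z)
        if len(rows) < len(base) + 5:          # gather a few spare relations first
            continue
        parts = [solve_mod_prime(rows, rhs, q) for q in ORDER_FACTORS]
        if any(part is None for part in parts):
            continue                           # rank not yet full modulo some factor
        logs = [crt([part[i] for part in parts], ORDER_FACTORS) for i in range(len(base))]
        if all(pow(alpha, x_q, p) == q for x_q, q in zip(logs, base)):   # sanity check
            return dict(zip(base, logs))
    raise ValueError("factor base too small: not enough independent relations")


def individual_log(y, base, logs, p=P, alpha=ALPHA):
    """Step 2, equation (1): x = sum x(q) e(q) - delta once y * alpha^delta is B-smooth."""
    for delta in range(p - 1):
        rel = smooth_decomposition(y * pow(alpha, delta, p) % p, base)
        if rel is not None:
            return (sum(logs[q] * e for q, e in zip(base, rel)) - delta) % (p - 1)
    raise ValueError("no B-smooth y * alpha^delta found")


def index_calculus(y, B=20):
    base = factor_base(B)
    return individual_log(y, base, factor_base_logs(base))


if __name__ == "__main__":
    x = index_calculus(3)
    print(x, pow(ALPHA, x, P))   # the second value is 3
```

With $B = 20$ the factor base has eight primes; the trade-off the text alludes to is visible in the two loops: a larger $B$ makes $B$-smooth values of $\alpha^z$ and $y\alpha^\delta$ more frequent but enlarges the linear system. The relations are collected up to a handful beyond the number of unknowns, and the check $\alpha^{x(q)} \equiv q$ catches a rank-deficient system before any individual logarithm is computed from it.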
Mini-TD: ElGamal

Let $p$ be a large prime and $h$ a hash function with integer values in $[0, p-2]$. Let $g$ be a primitive element of $G = (\mathbb{Z}/p\mathbb{Z})^*$. We consider the following signature protocol for Alice:

Public key: $(p, g, b)$ with $b \equiv g^a \pmod p$;
Secret key: $a \in [0, p-2]$;
Signature: $y \mapsto (y, r, s)$ with $r \equiv g^k \pmod p$ and $s \equiv k^{-1}(m - ra) \pmod{p-1}$, where $m = h(y)$ and $k \in [1, p-2]$ is coprime to $p-1$ (so that $k^{-1} \bmod (p-1)$ exists) and different for each signature;
Verification: check that $0 \le r \le p-1$; if not, reject the signature; compute $m = h(y)$; compute $v \equiv g^m \pmod p$ and $w \equiv b^r r^s \pmod p$; check that $v = w$.

1. Recall the criteria that a signature must satisfy.
2. Show that if the signature is correct, then indeed $v = w$.
3. Which element would an attacker have to compute, a priori, in order to sign texts in Alice's place?
4. What size must the security parameter $p$ have for such an attack to be infeasible today?
5. Can this protocol then actually be used (i.e. in terms of computation time)?

In what follows we look at some attacks against this signature protocol when some of the recommendations are forgotten.

The importance of $k$

Show that if Alice uses the same $k$ twice to sign two different messages $y_1$ and $y_2$, then Oscar can in general recover the secret $a$ (look at the expression of $s$).

The importance of the condition $0 \le r \le p-1$

Suppose that our protocol does not check this condition. We are going to show that Oscar can then produce selective forgeries, i.e. signatures of new, meaningful messages, from an old signature. So let $(y, r, s)$ be a valid signature produced by Alice. Oscar wants to sign a message $y'$ with Alice's signature. Oscar computes
$$u \equiv h(y')\,h(y)^{-1} \pmod{p-1}.$$
He then computes
$$s' \equiv su \pmod{p-1}.$$
He finds $r'$ such that
$$r' \equiv ru \pmod{p-1}, \qquad r' \equiv r \pmod p.$$
1. Show how, and under which conditions, he can carry out all these computations.
2. Check that $(y', r', s')$ is a valid signature.
3. Show that if $h$ is collision-free, then the condition $0 \le r \le p-1$ prevents the forgery.

The importance of the function $h$

Suppose that Alice does not use a hash function, i.e. $m = y$ in our protocol. Oscar can then produce another forgery as follows:

1. Let $i, j$ be integers such that $0 \le i, j \le p-2$. We look for $r$ of the form $r \equiv g^i b^j \pmod p$.
2. Show that the relation $v = w$ is equivalent to $g^{y - is} \equiv b^{r + js} \pmod p$.
3. This is the case in particular if
$$y - is \equiv 0 \pmod{p-1}, \qquad r + js \equiv 0 \pmod{p-1}.$$
4. Give the condition under which this system has a solution, then determine $(r, s, y)$ in terms of $i, j$.
5. Why is this forgery less powerful than the previous one?
6 Solutions

6.1 A signature protocol

1. Authentication, non-repudiation, integrity.
2. Let us compute:
$$b^r r^s \equiv g^{ar}\, g^{k k^{-1}(m - ra)} \equiv g^m \equiv v \pmod p.$$
Note that since $s$ is taken modulo $p-1$ (which is the order of $G$), the powers are well defined.
3. To sign in Alice's place one needs to compute $s$, hence a priori $a$.
4. Computing $a$ amounts to computing the discrete logarithm of $b$ in $(\mathbb{Z}/p\mathbb{Z})^*$: the best known attack is subexponential, so $p$ must have at least 1024 bits and $p-1$ must have a prime factor of at least 160 bits (these were the recommended sizes when the notes were written; current guidance is larger, e.g. a 2048-bit $p$ with a 224-bit prime factor of $p-1$). The second condition is exactly what keeps the Pohlig-Hellman reduction from helping the attacker.
5. All operations are modular operations, which can be carried out in time polynomial in the size of $p$.

6.2 The importance of $k$

Let $s_i$ be the signature obtained by signing the message $y_i$, and put $m_i = h(y_i)$, which we assume to be different. We have
$$s_1 - s_2 \equiv k^{-1}(m_1 - ra) - k^{-1}(m_2 - ra) \equiv k^{-1}(m_1 - m_2) \pmod{p-1}.$$
If $y_1$ is different from $y_2$ then in general $m_1 \not\equiv m_2 \pmod{p-1}$ ($h$ is collision-free), $s_1 \not\equiv s_2 \pmod{p-1}$ and Oscar can compute
$$k \equiv (m_1 - m_2)(s_1 - s_2)^{-1} \pmod{p-1}$$
if $\gcd(s_1 - s_2, p-1) = 1$. If this is not the case, one can still manage if $\gcd(s_1 - s_2, p-1) = d$ is not too large. Indeed, we have
$$\frac{s_1 - s_2}{d} \equiv k^{-1}\,\frac{m_1 - m_2}{d} \pmod{\frac{p-1}{d}}$$
and we recover $k$ modulo $(p-1)/d$. We then test the $d$ possible values of $k$ (against $r \equiv g^k \pmod p$). Once $k$ is known, he computes
$$a \equiv (m_1 - ks_1)\,r^{-1} \pmod{p-1}$$
(if $r$ is not invertible modulo $p-1$, the same gcd trick applies, with the candidates tested against $b \equiv g^a$).

6.3 The importance of the condition $0 \le r \le p-1$

1. If $h(y)$ is invertible modulo $p-1$, he can compute $u$. To find $r'$, one uses the Chinese Remainder Theorem, since $p-1$ and $p$ are coprime.
2. Let us compute:
$$b^{r'} r'^{s'} \equiv g^{aru}\, r^{k^{-1}(h(y') - rua)} \equiv g^{aru}\, g^{h(y') - rua} \equiv g^{h(y')} \equiv v \pmod p.$$
3. If $h$ is collision-free, $h(y') \not\equiv h(y) \pmod{p-1}$, so $u \not\equiv 1 \pmod{p-1}$ and $r' \not\equiv r \pmod{p-1}$ (at least when $r$ is invertible modulo $p-1$; otherwise $r(u-1) \equiv 0 \pmod{p-1}$ can happen with $u \not\equiv 1$). Hence $r' \ne r$, and since it is congruent to $r$ modulo $p$ it must be equal to $r + kp$ with $k \ne 0$. In particular it does not belong to the interval $[0, p-1]$ if $r$ does.
6.4 The importance of the function $h$

2.-4. Let us compute
$$w = b^r r^s \equiv b^r\, g^{is}\, b^{js} \pmod p.$$
Hence $v \equiv g^y \equiv w \pmod p$ is equivalent to
$$g^{y - is} \equiv b^{r + js} \pmod p.$$
If $\gcd(j, p-1) = 1$, then solving $r + js \equiv 0$ and $y - is \equiv 0$ modulo $p-1$ gives the solution
$$r \equiv g^i b^j \pmod p, \qquad s \equiv -rj^{-1} \pmod{p-1}, \qquad y \equiv -rij^{-1} \pmod{p-1}.$$
5. This forgery is less powerful than the previous one because $y$ cannot be chosen a priori and may well be meaningless. It is therefore an existential forgery.
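The protocol of the Mini-TD and its three attacks (solutions 6.2, 6.3 and 6.4) in code, as an added example that is not part of the notes. The assumptions are the toy parameters $p = 2017$ and $g = 5$ from Example 4, Alice's secret $a = 1030$ (so $b = 3$), the nonce $k = 11$ (chosen so that $r = 589$ is coprime to $p-1$, as the argument of 6.3.3 needs) and a stand-in hash $h$ (SHA-256 reduced modulo $p-1$, which is not collision-free at this size but is enough to exercise the attacks). Function names are mine; `solve_linear_mod` implements the gcd trick of 6.2 and is reused to recover both $k$ and $a$.

```python
"""ElGamal signatures on (Z/pZ)^* and the three Mini-TD attacks.

Added example, not from the notes.  Assumptions: toy parameters p = 2017, g = 5
(the primitive root of Example 4), secret a = 1030 (so b = 3), nonce k = 11, and
h = SHA-256 reduced modulo p-1 as a stand-in for a hash with values in [0, p-2].
Needs Python >= 3.8 for pow(x, -1, n).
"""
from hashlib import sha256
from math import gcd

P, G = 2017, 5


def h(y):
    """Toy hash: SHA-256 of the decimal message, reduced into [0, p-2]."""
    return int.from_bytes(sha256(str(y).encode()).digest(), "big") % (P - 1)


def sign(a, y, k, hashfn=h):
    """Alice: r = g^k mod p, s = k^{-1}(h(y) - r a) mod p-1; requires gcd(k, p-1) = 1."""
    r = pow(G, k, P)
    s = pow(k, -1, P - 1) * (hashfn(y) - r * a) % (P - 1)
    return r, s


def verify(b, y, r, s, hashfn=h, check_range=True):
    """Bob: reject r outside [0, p-1] (unless that check is dropped), then test g^m = b^r r^s."""
    if check_range and not 0 <= r <= P - 1:
        return False
    return pow(G, hashfn(y), P) == pow(b, r, P) * pow(r, s, P) % P


def solve_linear_mod(c, d, n):
    """All x in [0, n) with c x = d (mod n): the gcd trick of 6.2, giving gcd(c, n) candidates."""
    g = gcd(c, n)
    if d % g:
        return []
    c, d, n2 = c // g, d // g, n // g
    x0 = d * pow(c, -1, n2) % n2 if n2 > 1 else 0
    return [x0 + t * n2 for t in range(g)]


# 6.2: the same k used twice leaks k, then a
def recover_key_from_reused_k(r, s1, m1, s2, m2, b):
    """(s1 - s2) k = m1 - m2 and r a = m1 - k s1 (mod p-1); candidates filtered by g^k = r, g^a = b."""
    for k in solve_linear_mod((s1 - s2) % (P - 1), (m1 - m2) % (P - 1), P - 1):
        if pow(G, k, P) != r:
            continue
        for a in solve_linear_mod(r % (P - 1), (m1 - k * s1) % (P - 1), P - 1):
            if pow(G, a, P) == b:
                return a
    return None


# 6.3: without the 0 <= r <= p-1 check, an old signature signs a chosen new message
def forge_without_range_check(y, r, s, y2):
    """Needs h(y) invertible mod p-1; r2 solves r2 = r u (mod p-1), r2 = r (mod p) by CRT."""
    u = h(y2) * pow(h(y), -1, P - 1) % (P - 1)
    s2 = s * u % (P - 1)
    a1 = r * u % (P - 1)
    r2 = a1 + (P - 1) * ((r - a1) * pow(P - 1, -1, P) % P)   # lies in [0, p(p-1)), not in [0, p-1]
    return r2, s2


# 6.4: without a hash (m = y), any i, j with gcd(j, p-1) = 1 give an existential forgery
def existential_forgery_no_hash(b, i, j):
    """r = g^i b^j, s = -r j^{-1}, y = -r i j^{-1}: then g^y = b^r r^s with m = y."""
    r = pow(G, i, P) * pow(b, j, P) % P
    jinv = pow(j, -1, P - 1)
    s = -r * jinv % (P - 1)
    y = -r * i * jinv % (P - 1)
    return y, r, s


def demo(a=1030, k=11):
    """Run the three attacks against Alice's key; returns recovered a and the two forgery verdicts."""
    b = pow(G, a, P)                                    # public key, b = 3 for a = 1030
    (r, s1), (_, s2) = sign(a, 42, k), sign(a, 43, k)   # same k twice (constructed messages 42, 43)
    a_rec = recover_key_from_reused_k(r, s1, h(42), s2, h(43), b)
    y = next(m for m in range(1, P) if gcd(h(m), P - 1) == 1)   # h(y) invertible mod p-1
    y2 = next(m for m in range(y + 1, 3 * P) if h(m) != h(y))    # a message with a different digest
    r2, s2b = forge_without_range_check(y, *sign(a, y, k), y2)
    range_forgery = (verify(b, y2, r2, s2b, check_range=False),   # accepted without the check
                     verify(b, y2, r2, s2b, check_range=True))    # rejected with it
    yf, rf, sf = existential_forgery_no_hash(b, 3, 5)
    no_hash_forgery = verify(b, yf, rf, sf, hashfn=lambda m: m)   # m = y, no hash
    return a_rec, range_forgery, no_hash_forgery


if __name__ == "__main__":
    print(demo())   # (1030, (True, False), True)
```

Note what each defence buys: the range check alone stops the selective forgery of 6.3 because the CRT solution $r'$ is forced above $p-1$; hashing alone stops the existential forgery of 6.4 because the attacker can no longer pick $y$ to satisfy $y \equiv is$; and nothing but a fresh, uniformly random $k$ per signature stops 6.2, which recovers the long-term key from two signatures.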
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationApprentissage automatique Méthodes à noyaux - motivation
Apprentissage automatique Méthodes à noyaux - motivation MODÉLISATION NON-LINÉAIRE prédicteur non-linéaire On a vu plusieurs algorithmes qui produisent des modèles linéaires (régression ou classification)
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationEvidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs
Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice
More informationClassical Cryptography
Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice
More information