Public Key Cryptography
|
|
- Moses Glenn
- 5 years ago
- Views:
Transcription
1 Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74
2 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions 4 RSA Encryption Scheme 2 of 74
3 Course main reference 3 of 74
4 Secure communications Alice wants to send a private message to Bob over a public channel. 4 of 74
5 Secure communications Alice wants to send a private message to Bob over a public channel. Private key cryptography: Alice and Bob both have a key to some locked box. 4 of 74
6 Secure communications Alice wants to send a private message to Bob over a public channel. Private key cryptography: Alice and Bob both have a key to some locked box. Public key cryptography: Alice uses a lock for which only Bob has the key. 4 of 74
7 Public key vs Private key cryptography No preshared key needed with public key crypto. Security reduced to hard number theory problems vs. ad hoc security for block ciphers, hash functions. Mathematical problems have independent interest, so more scrutinized. Typically 1500 bits vs. 160 bits. 5 of 74
8 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions 4 RSA Encryption Scheme 6 of 74
9 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions 4 RSA Encryption Scheme 7 of 74
10 What do we mean by hard problem? Is hard? Is factoring integers hard? 8 of 74
11 What do we mean by hard problem? Is hard? Is factoring integers hard? Is inverting a matrix hard? 8 of 74
12 What do we mean by hard problem? Is hard? Is factoring integers hard? Is inverting a matrix hard? what if it has billions of rows and columns? 8 of 74
13 Big Oh notation Let f, g : N R. We say f = O(g) if there exist N and c such that for all n > N, we have g(n) cf (n). Examples: x = O ( x 2 ) x = O ( x 2 ) x n = O(e x ) for any n log x = O(x) 9 of 74
14 Measuring complexity (theory) Consider the multiplication problem: given two integers p and q, compute n = pq Hardness is function of s := log 2 p + log 2 q, the input size Trivial algorithm runs in time O(log 2 p log 2 q) = O ( s 2 ) : multiply p by each bit of q, shift by appropriate powers of 2, and make additions with carries Best algorithms achieve O(s log s) 10 of 74
15 Measuring complexity (theory) Consider exhaustive search on a key of n bits Hardness is function of n Complexity is O(2 n ): try every possible key Exponential complexity! 11 of 74
16 Measuring complexity (theory) Consider the factorization problem: given a positive composite integer n, find p and q such that n = pq Hardness is function of log 2 n, that is the size of input The best algorithms today run in subexponential time with α = 1/3 L n (α; c) = exp(c(log n) α (log log n) 1 α ) 12 of 74
17 P and NP A problem is in P if it can be solved in polynomial time (in other words, there is an integer n such that it can be solved in time O(x n ) for an input of size x) Refinements to this: randomization, memory, etc. A problem is in NP if a solution can be checked in polynomial time P=NP? is worth a million dollars (and glory!) NP-complete problems are as hard as the hardest known NP problems such as 3-SAT, graph coloring, traveling salesman, etc Factorization, Dlog, are (probably) NOT NP-complete 13 of 74
18 In practice Hardness depends on your computer power, your time, your memory Hard for you might be easy for NSA Compare with exhaustive search: 2 20 is certainly possible on a laptop, 2 60 becomes very hard for most organizations See for key sizes 14 of 74
19 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions 4 RSA Encryption Scheme 15 of 74
20 Group A group (G, ) is a set G with some binary operation : G G G such that Identity (neutral) element: there exists e G such that for all x G, we have x e = x = e x Inverse: for all x G, there exists y such that x y = e = y x Associativity: for all x, y, z G, we have (x y) z = x (y z) A group is Abelian if for all x, y, we have x y = y x A group is finite if G is finite 16 of 74
21 Group examples (Z, +) is a group with neutral element 0 (Q, +) is a group with neutral element 0 (Q, ) is not a group: 0 has no inverse (Q, ) is a group with neutral element 1 Here Q = Q \ {0} (Z n, +) is a group for any positive integer n Here Z n = Z/nZ are integers modulo n (Z p, ) is a group for any prime number p Here Z p = Z p \ {0} of 74
22 Rank of a group The rank of a group (G, +) is the minimal number of elements needed to generate the whole group min{k : S = {g 1,..., g k } G s.t. g G, g = i g ei with g ei S} Example: (Z Z, +) is a group of rank 2 with generating set {(1, 0), (0, 1)} A group of rank 1 is called a cyclic group 18 of 74
23 Lagrange theorem Let (G, ) a finite group For any integer k and any g G, we write g k for g g... g, k times Lagrange s theorem: for any g G, we have g G = e where e is the neutral element in the group Fermat s little theorem: for any prime p and any g 0 mod p, we have g p 1 = 1 mod p 19 of 74
24 Field A field (K, +, ) is a set K with two binary operations + : K K K and : K K K such that (K, +) is an Abelian group (K, ) is a group, where K = K \ {e}, where e is the neutral element of K for + A field (K, +, ) is finite if K is finite 20 of 74
25 Field examples (C, +, ) is a field with neutral elements 0 and 1 for + and * (Q, +, ) is a field with neutral elements 0 and 1 for + and * (Z p, +, ) is a finite field for any prime p This field is often denoted F p 21 of 74
26 Field examples Let f be a polynomial of degree n with coefficients in F p, such that f has no factor of degree different than 0 or n. Consider (K, +, ) where K = all polynomials over F p + and are addition and multiplication modulo the polynomial f Then (K, +, ) is a finite field with p n elements Example: let f (x) = x 2 + x + 1 F 2 [x] then F 4 = F 2 [x]/(f (x)f 2 [x]) is a finite field with 4 elements {0, 1, x, x + 1} 22 of 74
27 Ring A ring (R, +, ) is a set R with two operations + : R R R and : R R R such that (R, +) is an Abelian group (R, ) is associative and has a neutral element (but some elements may have no inverse) Distributivity: for all a, b, c R, we have (a + b) c = a c + b c 23 of 74
28 Ring examples Let K be a field and let K[X] be the set of polynomials with coefficients in K. Then (K[X], +, ) is a ring Z n := Z/nZ (the integers modulo n) is a ring for any n N. It is a field if and only if n is prime. Let K be a field. Let f K[X] and let K = K[X]/(f (X)) be the set of polynomials over K modulo f (x), then K is a ring. K is a field if and only if f is irreducible. 24 of 74
29 Addition in F p Let p be a prime and let K := F p = Z/pZ Addition in K: given a and b, return a + b mod p 1: c a + b 2: if c > p then 3: c c p 4: end if 5: return c Complexity O(log p) bit operations 25 of 74
30 Multiplication in F p Let p be a prime and let K := F p = Z/pZ Multiplication in K: given a and b, return ab mod p n 1: Let b = b i 2 i, where b i {0, 1} i=0 2: a a; c b 0 a 3: for i=1 to n do 4: a 2a mod p 5: c c + b i a mod p 6: end for 7: return c Complexity O ( n 2 ) = O ( log 2 p ) bit operations Best algorithms achieve O(log p log log p) 26 of 74
31 Modular exponentiation: Square-and-Multiply Let p be a prime and let K := F p = Z/pZ Exponentiation in K: given a and k, return a k mod p n 1: Let k = k i 2 i i=0 2: a a; c a k 0 3: for i=1 to n do 4: a a 2 mod p 5: c c(a ) k i mod p 6: end for 7: return c Complexity O(n) = O(log p) multiplications 27 of 74
32 Euclid s algorithm Goal: given integers a and b, find d = gcd(a, b) 28 of 74
33 Euclid s algorithm Goal: given integers a and b, find d = gcd(a, b) d a, d b imply d (a + kb) for any integer k 28 of 74
34 Euclid s algorithm Goal: given integers a and b, find d = gcd(a, b) d a, d b imply d (a + kb) for any integer k Require: a b Ensure: gcd(a, b) 1: if b a then 2: return b 3: else 4: Compute q such that 0 < a qb < b 5: return gcd(b, a qb) 6: end if Complexity O ( a 2 ) ; best algorithms achieve O( a log a ) 28 of 74
35 Example gcd(36, 16) = gcd(16, ) = gcd(16, 4) = 4 29 of 74
36 Extended Euclidean algorithm Goal: compute r and s such that ra + sb = gcd(a, b) Require: a b Ensure: d = gcd(a, b) and r, s, such that ar + bs = 1 1: if b a then 2: return a, 0, 1 3: else 4: Compute q such that 0 < a qb < b 5: d, r, s gcd(b, a qb) 6: return d, s, r qs 7: end if 30 of 74
37 Extended Euclidean algorithm Goal: compute r and s such that ra + sb = gcd(a, b) Require: a b Ensure: d = gcd(a, b) and r, s, such that ar + bs = 1 1: if b a then 2: return a, 0, 1 3: else 4: Compute q such that 0 < a qb < b 5: d, r, s gcd(b, a qb) 6: return d, s, r qs 7: end if Indeed if rb + s(a qb) = d then sa + (r qb)b = d Complexity O ( a 2 ) ; best algorithms achieve O( a log a ) 30 of 74
38 Example gcd(36, 16) = gcd(16, ) = gcd(16, 4) = 4 4 = = (0 2 1)16 31 of 74
39 The RSA ring Let p, q be two primes and let n = pq Let Z n := Z/nZ be the ring of integers modulo n Not a field: for any k, neither kp nor kq are invertible The map f : Z n Z p Z q : x (x mod p, x mod q) is a ring isomorphism. Its inverse is given by f 1 : Z p Z q Z n (x p, x q ) x p q(q 1 mod p) + x q p(p 1 mod q) 32 of 74
40 Chinese Remainder Theorem More generally if n = N i=1 p e i i then the map f : Z n N i=1 Z p e i i : x (x mod p e 1 1,..., x mod pe N N ) is a ring isomorphism In other words given all residue values, there exists a unique value that corresponds to them modulo n 33 of 74
41 Euler s theorem Let n = N i=1 p e i i where the p i are distinct primes The Euler totient function φ(n) is the number of positive integers less than or equal to n that are relatively prime to n, more formally, φ(n) = Then for all x Z n, we have N i=1 (p i 1)p e i 1 i x φ(n) = 1 mod n If n = p a prime, then φ(n) = p 1 and we recover Fermat s little theorem x p 1 = 1 mod p If n = pq like in RSA, then φ(n) = (p 1)(q 1) 34 of 74
42 Prime numbers 2,3,5,7,11,... are prime numbers whereas 4,6,8,9,10,... are not. Any integer n can be decomposed uniquely as a product of prime numbers. There are infinitely many primes. Prime Number Theorem: the number of primes up to some bound B is roughly equal to B/ log B. Bertrand s postulate: For any n > 1, the fraction of the n-bit integers that are prime is at least 1/3n. 35 of 74
43 Primality testing Given an integer n, decide whether n is prime or not. There are deterministic algorithms for primality testing (see AKS test). In practice, we use probabilistic algorithms (having a small probability to return prime for composite numbers) that are much faster. 36 of 74
44 Generating Random Primes You can generate primes by picking random numbers smaller than B and checking whether they are prime: need about log B trials by the prime number theorem. More formally, Algorithm Input: Length n, parameter t For i = 1 to t: p {0, 1} n 1 p := 1 p if Primality_test (p) = 1 return p return fail 37 of 74
45 Generating Random Primes Remember that for any n > 1, the fraction of the n-bit integers that are prime is at least 1/3n. Now, set t = 3n 2, then the probability of the previous algorithm to not output a prime in t iteration is (1 1 3n )t = ( (1 1 3n )3n) n (e 1 ) n = e n This probability is negligible in n if we have a number of iterations that is polynomial in n. We still need to study the algorithms that test numbers primality! 38 of 74
46 Fermat test Observation: if n is prime then a n 1 = 1 mod n for all a (Fermat s little theorem) Idea: choose random a and check whether a n 1 = 1 mod n. If not then n is composite. We define a witness that n is composite any a Z n, s.t. a n 1 1 mod n. 39 of 74
47 Fermat test Algorithm Input: Integer n and parameter 1 t for i = 1 to t a {1,, n 1} if a n 1 1 mod n return composite return prime Theorem If n has a witness that it is composite, then {witnesses} n Z n /2 40 of 74
48 Fermat test Algorithm Input: Integer n and parameter 1 t for i = 1 to t a {1,, n 1} if a n 1 1 mod n return composite return prime Theorem If n has a witness that it is composite, then {witnesses} n Z n /2 However, try 561 or of 74
49 Fermat test Algorithm Input: Integer n and parameter 1 t for i = 1 to t a {1,, n 1} if a n 1 1 mod n return composite return prime Theorem If n has a witness that it is composite, then {witnesses} n Z n /2 However, try 561 or Carmichael numbers: are composite and pass this test for all 0 < a < n, i.e. they don t have any witnesses. 40 of 74
50 Fermat test Algorithm Input: Integer n and parameter 1 t for i = 1 to t a {1,, n 1} if a n 1 1 mod n return composite return prime Theorem If n has a witness that it is composite, then {witnesses} n Z n /2 However, try 561 or Carmichael numbers: are composite and pass this test for all 0 < a < n, i.e. they don t have any witnesses. Solution? 40 of 74
51 Testing Primality We have just seen that Carmichael numbers don t have any witnesses! We need to refine Fermat s test. Let n 1 = 2 k u, where u is odd and k 1 (and therefore n is odd). 41 of 74
52 Testing Primality We have just seen that Carmichael numbers don t have any witnesses! We need to refine Fermat s test. Let n 1 = 2 k u, where u is odd and k 1 (and therefore n is odd). In Fermat s test, we check if a n 1 = a 2ku = of 74
53 Testing Primality We have just seen that Carmichael numbers don t have any witnesses! We need to refine Fermat s test. Let n 1 = 2 k u, where u is odd and k 1 (and therefore n is odd). In Fermat s test, we check if a n 1 = a 2ku = 1. What about a u, a 2u,, a 2k 1u? 41 of 74
54 Testing Primality We have just seen that Carmichael numbers don t have any witnesses! We need to refine Fermat s test. Let n 1 = 2 k u, where u is odd and k 1 (and therefore n is odd). In Fermat s test, we check if a n 1 = a 2ku = 1. What about a u, a 2u,, a 2k 1u? Strong witness: a Z n is a strong witness that n is composite if a u ±1 mod n and a 2iu 1 for all i {1,, k 1} 41 of 74
55 Testing Primality If n is prime, then n doesn t have any strong witness that it is composite. More formally, Theorem Let n be an odd number that is not a prime power, then we have that at least half of the elements of Z n are strong witnesses that n is composite. 42 of 74
56 Miller-Rabin test Algorithm Input: Integer n > 2 and parameter 1 t If n is even, return composite If n is a perfect power, return composite a Write n 1 = 2 k u where u is odd and k 1 for j = 1 to t a {1,, n 1} if a u ±1 mod n and a 2iu 1 mod n for i {1,, k 1} return composite return prime a Exercise: Show that this test can be done in polynomial time 43 of 74
57 Miller-Rabin test Theorem If p is prime, then the Miller-Rabin test always outputs prime. If p is composite, the algorithm outputs composite except with probability at most 2 t 44 of 74
58 Miller-Rabin test Theorem If p is prime, then the Miller-Rabin test always outputs prime. If p is composite, the algorithm outputs composite except with probability at most 2 t (Exercise-1) Show that the Miller-Rabin algorithm runs in time polynomial in p and t. 44 of 74
59 Miller-Rabin test Theorem If p is prime, then the Miller-Rabin test always outputs prime. If p is composite, the algorithm outputs composite except with probability at most 2 t (Exercise-1) Show that the Miller-Rabin algorithm runs in time polynomial in p and t. (Exercise-2) Compare its running time to the (deterministic) AKS running time. 44 of 74
60 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions 4 RSA Encryption Scheme 45 of 74
61 Public Key Cryptosystems An asymmetric encryption scheme consists of the following algorithms: KeyGen(1 n ): is a randomized algorithm that takes the security parameters as input and returns a pair of keys (PK, SK), the public key PK and its matching secret key SK, respectively. Enc(PK, m): A randomized algorithm that takes a public key PK, a plaintext m and returns a ciphertext c. Dec(SK, c): A deterministic algorithm that takes the secret key SK and a ciphertext c, and returns a message m M. Correctness: m M, Pr[(SK, PK) KeyGen(n) : Dec(Enc(PK, m), SK) = m] = 1 46 of 74
62 CPA Indistinguishability Experiment PubK cpa A,E Challenger Ch PK, SK KeyGen(n) b {0, 1} Definition m 0,m 1, m 0 = m 1 Adversary A c=enc(pk,m b) Outputs his guess b An encryption scheme is CPA-secure if for all efficient A the following holds: Adv cpa A,E (n) = Pr[PubKcpa A,E (n) = 1] 1/2 = negl(n) Where PubK cpa A,E (n) = 1 if b = b, and 0 otherwise. 47 of 74
63 CCA Indistinguishability Experiment PubK cca A,E Challenger Ch Adversary A PK, SK = KeyGen(n) Access to the oracle Dec(SK, ) b {0, 1} m 0,m 1, m 0 = m 1 Definition c=enc(pk,m b) Access to the oracle Dec(SK, ) c Outputs his guess b An encryption scheme is CCA-secure if for all efficient A the following holds: Adv cca A,E(n) = Pr[PubK cca A,E(n) = 1] 1/2 = negl(n) 48 of 74
64 Dealing with arbitrary-length messages Theorem If a public-key encryption scheme is CPA-secure, then it also has indistinguishable multiple encryptions, where the adversary is allowed to send two lists of messages to be challenged on instead of sending a pair of messages. As a consequence, any CPA-secure public-key encryption scheme for fixed-length messages (down to one bit!) can be used as a public key-encryption scheme for arbitrary-length messages. 49 of 74
65 Hybrid Encryption A better approach to deal with arbitrary-length messages. We will use a private-key encryption scheme along with a public-key encryption scheme. Remember that private-key encryption scheme are significantly faster than public ones. We call this approach the key-encapsulation mechanism and data-encapsulation mechanism (KEM/DEM). 50 of 74
66 KEM An key-encapsulation mechanism scheme (KEM) consists of the following PPT algorithms: KeyGen(1 n ): takes the security parameter as input and returns a pair of keys (PK, SK), the public key PK and its matching secret key SK, respectively, each of length n. Encaps(PK, 1 n ): it returns a ciphertext c and a key k {0, 1} l(n). Decaps(SK, c): A deterministic algorithm that takes a secret key SK and a ciphertext c, and returns a key k or. 51 of 74
67 Hybrid Encryption An hybrid encryption scheme consists of a KEM scheme and a private-key encryption scheme: KeyGen hy (1 n ): is a randomized algorithm that takes the security parameters as input and returns a pair of keys (PK, SK). Enc hy (PK, m {0, 1} ): takes a public key PK, a plaintext m and does the following: compute (c, k) Encaps(PK, 1 n ). compute c Enc(k, m). output the ciphertext (c, c ). Dec hy (SK, (c, c )): takes a secret key SK and a ciphertext (c, c ) and does the following: k Decaps(SK, c). output m Dec(k, c ). 52 of 74
68 Hybrid Encryption: Efficiency Fix n. Let α =cost(encaps(1 n )) and β =cost(enc(1 bit)). Then cost(enc hy (1 bit)) = α + β m m = α m + β For sufficiently large m, cost(enc hy (1 bit)) β. In other words, cost(enc hy (1 bit)) cost(enc(1 bit)), which is the cost of encrypting one bit using a private-key encryption scheme! 53 of 74
69 Security of KEM Intuitively speaking, for a KEM to be CPA secure, we require the encapsulated key to be indistinguishable from a uniform key that is independent of the ciphertext. Experiment Run KeyGen(1 n ) to get (PK, SK), then run Encaps(PK, 1 n ) to generate (c, k) where k {0, 1} n. Choose random b {0, 1}, if b = 0 set k := k, otherwise choose k uniformly at random from {0, 1} n. Give the adversary A the tuple (PK, c, k), he should output a bit b. Experiment output: 1 if b = b and 0 otherwise. 54 of 74
70 Security of the Hyprid Encryption Scheme Theorem The hybrid encryption scheme is a CPA-secure public-key encryption scheme if KEM is CPA secure and the private-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper. 55 of 74
71 Security of the Hyprid Encryption Scheme Let k Encaps(1 n ) and k {0, 1} n (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) 56 of 74
72 Security of the Hyprid Encryption Scheme (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) 57 of 74 PrivEnc is secure
73 Security of the Hyprid Encryption Scheme KEM is CPA secure (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) 58 of 74 PrivEnc is secure
74 Security of the Hyprid Encryption Scheme (pk, Encaps pk, 1 n, Enc(k, m 0 )) KEM is CPA secure (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) 59 of 74 PrivEnc is secure
75 Security of the Hyprid Encryption Scheme (pk, Encaps pk, 1 n, Enc(k, m 0 )) KEM is CPA secure KEM is CPA secure (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) 60 of 74 PrivEnc is secure
76 Security of the Hyprid Encryption Scheme (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) KEM is CPA secure KEM is CPA secure (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) 61 of 74 PrivEnc is secure
77 Security of the Hyprid Encryption Scheme (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) KEM is CPA secure KEM is CPA secure (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) 62 of 74 PrivEnc is secure
78 Security of the Hyprid Encryption Scheme We need to prove the following: Pr[PubK eav A hy,s hy (n) = 1] negl(n) Whereas, by definition of the security experiment, we have Pr[PubK eav A hy,s hy (n) = 1] = 1 2 Pr[Ahy outputs 0 k = k, m = m 0 ] Pr[Ahy outputs 1 k = k, m = m 1 ] 63 of 74
79 Security of the Hyprid Encryption Scheme A hy A 1 (m 0, m 1 ) c = Enc(k, m 0 ) (c, c ) b (pk, c, k) b KEM Challenger b 0,1 0: k Encaps pk, 1 n 1: k {0,1} n Pr A 1 s output = 0 b = 0 = Pr [A hy s output = 0 k = k, m = m 0 ] 64 of 74 Pr A 1 s output = 1 b = 1 = Pr [A hy s output = 1 k = k, m = m 0 ]
80 Security of the Hyprid Encryption Scheme A hy A 2 (m 0, m 1 ) c = Enc(k, m 1 ) (c, c ) b (pk, c, k) 1 b KEM Challenger b 0,1 0: k Encaps pk, 1 n 1: k {0,1} n Pr A 2 s output = 0 b = 0 = Pr [A hy s output = 1 k = k, m = m 1 ] 65 of 74 Pr A 2 s output = 1 b = 1 = Pr [A hy s output = 0 k = k, m = m 1 ]
81 Security of the Hyprid Encryption Scheme A hy A PrivK Challenger (m 0, m 1 ) (c, c ) b (m 0, m 1 ) c c = Encaps(pk, 1 n ) b b 0,1 k 0,1 n c Enc(k, m b ) Pr A output = 0 b = 0 = Pr [A hy s output = 0 k = k, m = m 0 ] 66 of 74 Pr A output = 1 b = 1 = Pr [A hy s output = 1 k = k, m = m 1 ]
82 Security of the Hyprid Encryption Scheme Theorem The hybrid encryption scheme is a CCA-secure public-key encryption scheme if KEM is CCA secure and the private-key encryption scheme is CCA-secure. 67 of 74
83 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions 4 RSA Encryption Scheme 68 of 74
84 RSA Encryption Scheme Designed by Rivest-Shamir-Adleman in 1977 One of the most widely used algorithms today, for both signatures and public key encryption Security requires hardness of integer factorization 69 of 74
85 Pseudorandom Permutations from One Way Functions Informally speaking, one-way functions are easy to compute, hard to invert! We don t know how to prove that one-way functions exist! Assuming the hardness of some problems, we can build one-way functions. Corollary Let n > 1, and for e > 0 define f e : Z n Z n by f e (x) = x e mod n. If GCD(e, φ(n)) = 1, then f e is a permutation. The inverse of f e is f d where d = e 1 mod φ(n) 70 of 74
86 Plain RSA encryption algorithm Let p, q two distinct odd primes, and let n = pq Compute φ(n) = (p 1)(q 1), and choose e > 1 s.t. gcd(e, φ(n)) = 1 Public key is (n, e) and private key is (p, q) Given private key, can also compute d := e 1 mod φ(n) Encryption of m Z n: c = m e mod n Decryption of c Z n: m = c d mod n Correctness follows from by Euler s theorem m = (m e ) d = m ed mod φ(n) = m mod n 71 of 74
87 RSA security Solving the factorization problem is sufficient and necessary to reconstruct the private key Solving the factorization problem might not be necessary for other goals, such as decrypting without the private key In fact, Plain RSA is insecure! What if m is not chosen uniformly from Z n? Plain RSA is deterministic! Therefore, it is not CPA-secure! 72 of 74
88 Further Reading (1) Ronald Cramer and Victor Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1): , Whitfield Diffie and Martin E Hellman. New directions in cryptography. Information Theory, IEEE Transactions on, 22(6): , of 74
89 Further Reading (2) 74 of 74 Itai Dinur, Orr Dunkelman, Nathan Keller, and Adi Shamir. New attacks on feistel structures with improved memory complexities. In Advances in Cryptology - CRYPTO th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, pages , Naofumi Homma, Atsushi Miyamoto, Takafumi Aoki, Akashi Satoh, and Adi Shamir. Collision-based power analysis of modular exponentiation using chosen-message pairs. In Cryptographic Hardware and Embedded Systems - CHES 2008, 10th International Workshop, Washington, D.C., USA, August 10-13, Proceedings, pages 15 29, 2008.
Public Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationOverview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017
CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationLECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS
LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS Modular arithmetics that we have discussed in the previous lectures is very useful in Cryptography and Computer Science. Here we discuss several
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationTopics in Cryptography. Lecture 5: Basic Number Theory
Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating
More informationLecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya
BBM 205 Discrete Mathematics Hacettepe University http://web.cs.hacettepe.edu.tr/ bbm205 Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya Resources: Kenneth Rosen,
More informationIntroduction to Public-Key Cryptosystems:
Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each
More informationThe RSA cryptosystem and primality tests
Mathematics, KTH Bengt Ek November 2015 Supplementary material for SF2736, Discrete mathematics: The RSA cryptosystem and primality tests Secret codes (i.e. codes used to make messages unreadable to outsiders
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationSlides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013
RSA Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013 Recap Recap Number theory o What is a prime number? o What is prime factorization? o What is a GCD? o What does relatively prime
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationTheme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS
1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!
More informationBiomedical Security. Some Security News 9/17/2018. Erwin M. Bakker. Blockchains are not safe for voting (slashdot.org) : From: paragonie.
Biomedical Security Erwin M. Bakker Some Security News From: NYTimes Blockchains are not safe for voting (slashdot.org) : From Motherboard.vice.com ECDAA: Eliptic Curve Direct Anonymous Attestation for
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationMathematical Foundations of Public-Key Cryptography
Mathematical Foundations of Public-Key Cryptography Adam C. Champion and Dong Xuan CSE 4471: Information Security Material based on (Stallings, 2006) and (Paar and Pelzl, 2010) Outline Review: Basic Mathematical
More informationECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation
ECE 646 Lecture 8 RSA: Genesis, Security, Implementation & Key Generation Public Key (Asymmetric) Cryptosystems Public key of Bob - K B Private key of Bob - k B Network Alice Encryption Decryption Bob
More informationRSA: Genesis, Security, Implementation & Key Generation
ECE 646 Lecture 8 RSA: Genesis, Security, Implementation & Key Generation Public Key (Asymmetric) Cryptosystems Public key of Bob - K B Private key of Bob - k B Network Alice Encryption Decryption Bob
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 Public Key Encryption page 2 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem:
More information8.1 Principles of Public-Key Cryptosystems
Public-key cryptography is a radical departure from all that has gone before. Right up to modern times all cryptographic systems have been based on the elementary tools of substitution and permutation.
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationNumber Theory & Modern Cryptography
Number Theory & Modern Cryptography Week 12 Stallings: Ch 4, 8, 9, 10 CNT-4403: 2.April.2015 1 Introduction Increasing importance in cryptography Public Key Crypto and Signatures Concern operations on
More informationNotes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I
Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 12: Introduction to Number Theory II Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline This time we ll finish the
More information5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA
Leo Reyzin. Notes for BU CAS CS 538. 1 5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA 5.1 Public Key vs. Symmetric Encryption In the encryption we ve been doing so far, the sender and the recipient
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationAddition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?
Ch - Algorithms with numbers Addition Basic arithmetic Addition ultiplication Division odular arithmetic factoring is hard Primality testing 53+35=88 Cost? (n number of bits) O(n) ultiplication al-khwārizmī
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationThéorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1
Théorie de l'information et codage Master de cryptographie Cours 10 : RSA 20,23 et 27 mars 2009 Université Rennes 1 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 1
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationCSC 5930/9010 Modern Cryptography: Number Theory
CSC 5930/9010 Modern Cryptography: Number Theory Professor Henry Carter Fall 2018 Recap Hash functions map arbitrary-length strings to fixedlength outputs Cryptographic hashes should be collision-resistant
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #9 Sep 22 nd 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Midterm #1, next class (Tues, Sept 27 th ) All lecture materials and readings
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationCryptography. pieces from work by Gordon Royle
Cryptography pieces from work by Gordon Royle The set-up Cryptography is the mathematics of devising secure communication systems, whereas cryptanalysis is the mathematics of breaking such systems. We
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationPublic Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.
Public Key Cryptography All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. The thing that is common among all of them is that each
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationCryptography. P. Danziger. Transmit...Bob...
10.4 Cryptography P. Danziger 1 Cipher Schemes A cryptographic scheme is an example of a code. The special requirement is that the encoded message be difficult to retrieve without some special piece of
More informationCircuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.
Circuit Complexity Circuit complexity is based on boolean circuits instead of Turing machines. A boolean circuit with n inputs computes a boolean function of n variables. Now, identify true/1 with yes
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationGreat Theoretical Ideas in Computer Science
15-251 Great Theoretical Ideas in Computer Science Lecture 22: Cryptography November 12th, 2015 What is cryptography about? Adversary Eavesdropper I will cut your throat I will cut your throat What is
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationPublic Key Algorithms
1 Public Key Algorithms ffl hash: irreversible transformation(message) ffl secret key: reversible transformation(block) encryption digital signatures authentication RSA yes yes yes El Gamal no yes no Zero-knowledge
More informationDiscrete Mathematics GCD, LCM, RSA Algorithm
Discrete Mathematics GCD, LCM, RSA Algorithm Abdul Hameed http://informationtechnology.pk/pucit abdul.hameed@pucit.edu.pk Lecture 16 Greatest Common Divisor 2 Greatest common divisor The greatest common
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationUniversity of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:
University of Tokyo: Advanced Algorithms Summer 2010 Lecture 6 27 May Lecturer: François Le Gall Scribe: Baljak Valentina As opposed to prime factorization, primality testing is determining whether a given
More informationCOMP4109 : Applied Cryptography
COMP409 : Applied Cryptography Fall 203 M. Jason Hinek Carleton University Applied Cryptography Day 3 public-key encryption schemes some attacks on RSA factoring small private exponent 2 RSA cryptosystem
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations
More informationCryptography and Security Midterm Exam
Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationCSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography
CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography 1 Two Problems Problem 1. Generate Primes Find a prime number p of between 200 and 1000 decimal digits that has never been
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 8 February 1, 2012 CPSC 467b, Lecture 8 1/42 Number Theory Needed for RSA Z n : The integers mod n Modular arithmetic GCD Relatively
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationIntroduction to Cryptology. Lecture 20
Introduction to Cryptology Lecture 20 Announcements HW9 due today HW10 posted, due on Thursday 4/30 HW7, HW8 grades are now up on Canvas. Agenda More Number Theory! Our focus today will be on computational
More informationbasics of security/cryptography
RSA Cryptography basics of security/cryptography Bob encrypts message M into ciphertext C=P(M) using a public key; Bob sends C to Alice Alice decrypts ciphertext back into M using a private key (secret)
More informationRSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality
ECE646 Lecture RSA Key Generation Required Reading W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality A.Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More information