Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Similar documents
Introduction to Cryptography. Lecture 8

Lecture 1: Introduction to Public key cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4)

Public-Key Cryptosystems CHAPTER 4

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 11: Key Agreement

Lecture V : Public Key Cryptography

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

Public Key Cryptography

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

CPSC 467b: Cryptography and Computer Security

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

CIS 551 / TCOM 401 Computer and Network Security

14 Diffie-Hellman Key Agreement

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Lecture 28: Public-key Cryptography. Public-key Cryptography

Notes for Lecture 17

Fundamentals of Modern Cryptography

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Public-key Cryptography and elliptic curves

Public Key Algorithms

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Topics in Cryptography. Lecture 5: Basic Number Theory

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

1 Number Theory Basics

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture Notes, Week 6

Introduction to Elliptic Curve Cryptography. Anupam Datta

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

ASYMMETRIC ENCRYPTION

Leftovers from Lecture 3

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Review. CS311H: Discrete Mathematics. Number Theory. Computing GCDs. Insight Behind Euclid s Algorithm. Using this Theorem. Euclidian Algorithm

Asymmetric Encryption

Introduction to Cryptography. Lecture 6

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Introduction to Modern Cryptography. Benny Chor

Cryptography. P. Danziger. Transmit...Bob...

Other Public-Key Cryptosystems

Practice Assignment 2 Discussion 24/02/ /02/2018

Outline. Available public-key technologies. Diffie-Hellman protocol Digital Signature. Elliptic curves and the discrete logarithm problem

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Lecture 7: ElGamal and Discrete Logarithms

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Public-key Cryptography and elliptic curves

CRYPTOGRAPHY AND NUMBER THEORY

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Lecture 17: Constructions of Public-Key Encryption

Cryptography IV: Asymmetric Ciphers

My brief introduction to cryptography

CPSC 467: Cryptography and Computer Security

Lecture 22: RSA Encryption. RSA Encryption

ECS 189A Final Cryptography Spring 2011

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Cryptography and Security Midterm Exam

Public-Key Encryption: ElGamal, RSA, Rabin

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

RSA RSA public key cryptosystem

Algorithmic Number Theory and Public-key Cryptography

Introduction to Modern Cryptography Lecture 11

Other Public-Key Cryptosystems

Notes 10: Public-key cryptography

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

and Other Fun Stuff James L. Massey

CS483 Design and Analysis of Algorithms

RSA. Ramki Thurimella

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

Question: Total Points: Score:

Cryptography and Security Final Exam

Encryption: The RSA Public Key Cipher

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Foundations of Network and Computer Security

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Winter 2011 Josh Benaloh Brian LaMacchia

Foundations of Network and Computer Security

PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS

8.1 Principles of Public-Key Cryptosystems

Number Theory & Modern Cryptography

Cryptographical Security in the Quantum Random Oracle Model

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

Information Security

Week 7 An Application to Cryptography

Public Key Cryptography

Transcription:

Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Course Summary - Math Part (first 4 lectures) Euclid gcd ; extended gcd. The ring Z m. Finite groups: Lagrange theorem (if G is finite and H is a sub-group then H divides G ) Finite fields arythmetic - GF(p k ). Primitive elements in finite fields (generators of the multiplicative group with p k -1 elements) The birthday paradox.

Course Summary - Crypto Part (first 4 lectures) Introduction Stream & Block Ciphers Block Ciphers Modes (ECB,CBC,OFB) Advanced Encryption Standard (AES) Message Authentication Codes (based on CBC and on cryptographic hashing)

The Birthday Paradox: Wrap Up Let R be a finite set of size r. Pick k elements of R uniformly and independently. What is the probability of getting at least one collision?

The Birthday Paradox (cont.) Consider the event E k : No Collision after k elements. Prob(E k )=1(1-1/r)(1-2/r) (1- (k-1)/r) < exp(-1/r) exp(-2/r) exp(-(k-1)/r) = exp(-(1+2+ +(k-1) )/r) = exp(-(k(k-1) )/2r) plot({exp(-x),1-x},x=0..0.5); ~ exp(-k 2 /2r) For k=r 1/2, Prob(E k )<0.607, thus Prob(Collision k )>0.393 For k=1.2r 1/2, Prob(E k )<0.487, thus Prob(Collision k )>0.513

Application to Cryptographic Hashing Let H:D --> R, R of size r. Suppose we can get k random images under H. If k 2 is larger than r then the probability of a collision, 1-exp(-k 2 /2r), is large. Thus a necessary condition for avoiding collisions is that r is so large that it is infeasible to generate r 2 hash values. This leads to requiring that message digests be at least 160 bits long (2 160/2 = 2 80 is large enough).

Back to Number Theory

Fermat Little Theorem Let if G be a finite group with m elements. Let a be an element of G. Then a m =1 (the unit element of G).

Example G=Z p *, the multiplicative group of Z p. The polynomial x p-1-1 has p-1 roots, so x p-1-1 = Π a 0 (x-a). > factor (x^6-1); (x-1)(x+1)(x 2 +x+1)(x 2 -x+1)_ > factor (x^6-1) mod 7; (x+6)(x+1)(x+4)(x+2)(x+5)(x+3) x_ + _x_ + 1) (_x_ - _x_

Quadratic Residues Definition: An element x is a quadratic residue modulo n if there exists y such that y 2 x mod n Claim: if p is prime there are exactly (p-1)/2 quadratic residues in Z p * Claim: if p is prime, and g is a generator of the multiplicative group, the quadratic residues are all the even powers of g g 0, g 2,,g 2i,, g p-3

Quadratic Residues in Z p (cont.) The quadratic residues (QR) form a subgroup of Z p *. x (p-1) -1 = (x (p-1)/2-1) (x (p-1)/2 +1 ). Thus x (p-1)/2-1 has (p-1)/2 roots in Z p.

Quadratic Residues in Z p (cont.) Claim: an element x in Z p is a quadratic residue if and only if x (p-1)/2 1 mod p Proof Sketch: Suppose x=y 2 (x is a QR), then x (p-1)/2-1 =0. Suppose x (p-1)/2 =1. Let x=g i where g is primitive element. Then g i (p-1)/2 =1. Since g has order p-1, p-1 must divide i (p-1)/2, implying i even, x a QR.

Testing Quadratic Residues Efficient O(log 3 p) algorithm in Z p (p prime) Applies the repeated squaring idea. For composite m (esp. m=pq), no efficient algorithm for testing quadratic residues is known. Problem believed to be computationally hard (but not NPC).

Discrete Log (DL) Let G be a group and g an element in G. Let y=g x and x the minimal non negative integer satisfying the equation. x is called the discrete log of y to base g. Example: y=g x mod p in the multiplicative group of Z p

Discrete Log in Z p A candidate for One Way Function Let y=g x mod p in the multiplicative group of Z p Exponentiation takes O(log 3 p) steps Standard discrete log is believed to be computationally hard. x g x is easy (efficiently computable). g x x believed hard (computionally infeasible). x g x is a one way function. This is a computation based notion.

Public-Key Cryptography The New Era (1976-present)

Classical, Symmetric Ciphers Alice and Bob share the same secret key K A,B. K A,B must be secretly generated and exchanged prior to using the unsecure channel. Alice Bob

Diffie and Hellman (76) New Directions in Cryptography Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting messages by Bob. K can be made public E (public key cryptography, assymetric cryptography)

New Directions in Cryptography The Diffie-Hellman paper (IEEE IT, vol. 22, no. 6, Nov. 1976) generated lots of interest in crypto research in academia and private industry. Diffie & Hellman came up with the revolutionary idea of public key cryptography, but did not have a proposed implementation (these came up 2 years later with Merkle-Hellman and Rivest-Shamir- Adelman). In their 76 paper, Diffie & Hellman did invent a method for key exchange over insecure communication lines, a method that is still in use today.

Public Exchange of Keys Goal: Two parties (Alice and Bob) who do not share any secret information, perform a protocol and derive the same shared key. Eve who is listening in cannot obtain the new shared key if she has limited computational resources.

Diffie-Hellman Key Exchange Public parameters: A prime p, and an element g (possibly a generator of the multiplicative group Z p * ) Alice chooses a at random from the interval [1..p-2] and sends g a mod p to Bob. Bob chooses b at random from the interval [1..p-2] and sends g b mod p to Alice. Alice and Bob compute the shared key g ab mod p : Bob holds b, computes (g a ) b = g ab. Alice holds a, computes (g b ) a = g ab.

DH Security DH is at most as strong as DL in Z p. Formal equivalence unknown, though some partial results known. Despite 25 years effort, still considered secure todate. Computation time is O(log 3 p).

Properties of Key Exchange Necessary security requirement: the shared secret key is a one way function of the public and transmitted information. Necessary constructive requirement: an appropriate combination of public and private pieces of information forms the shared secret key efficiently. DH Key exchange by itself is effective only against a passive adversary. Man-in-the-middle attack is lethal.

Security Requirements Is the one-way relationship between public information and shared private key sufficient? A one-way function may leak some bits of its arguments. Example: g x mod p Shared key may be compromised Example: g x+y mod p

Security Requirements (cont.) The full requirement is: given all the communication recorded throughout the protocol, computing any bit of the shared key is hard Note that the any bit requirement is especially important

Other DH Systems The DH idea can be used with any group structure Limitation: groups in which the discrete log can be easily computed are not useful Example: additive group of Z p Currently useful DH systems: the multiplicative group of Z p and elliptic curve systems

Key Exchange in Systems VPN usually has two phases Handshake protocol: key exchange between parties sets symmetric keys Traffic protocol: communication is encrypted and authenticated by symmetric keys Automatic distribution of keys- flexibility and scalability Periodic refreshing of keys- reduced material for attacks, recovery from leaks

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback