Introduction to Cryptology. Lecture 20

Similar documents
Katz, Lindell Introduction to Modern Cryptrography

Introduction to Cryptology. Lecture 19

Lecture 14: Hardness Assumptions

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Topics in Cryptography. Lecture 5: Basic Number Theory

CSC 5930/9010 Modern Cryptography: Number Theory

Introduction to Cryptography. Lecture 8

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Ma/CS 6a Class 4: Primality Testing

Introduction to Modern Cryptography. Benny Chor

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 17: Constructions of Public-Key Encryption

CS 6260 Some number theory

Ma/CS 6a Class 4: Primality Testing

Basic elements of number theory

Basic elements of number theory

Lecture 7 Cyclic groups and subgroups

1 Rabin Squaring Function and the Factoring Assumption

Lecture 11: Number Theoretic Assumptions

CPSC 467: Cryptography and Computer Security

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Lecture 11: Key Agreement

Public-Key Encryption: ElGamal, RSA, Rabin

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

Applied Cryptography and Computer Security CSE 664 Spring 2018

Public Key Cryptography

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Lecture Notes, Week 6

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lecture 1: Introduction to Public key cryptography

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Cryptography IV: Asymmetric Ciphers

CIS 551 / TCOM 401 Computer and Network Security

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

An Improved Pseudorandom Generator Based on Hardness of Factoring

Computational Number Theory. Adam O Neill Based on

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

COMP4109 : Applied Cryptography

Mathematics of Cryptography

Introduction to Cryptography. Lecture 6

Introduction to Cybersecurity Cryptography (Part 4)

CPSC 467b: Cryptography and Computer Security

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Basic Algorithms in Number Theory

Security II: Cryptography exercises

Number Theory. Modular Arithmetic

MATH 310: Homework 7

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Public-Key Cryptosystems CHAPTER 4

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Kevin James. MTHSC 412 Section 3.4 Cyclic Groups

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Introduction to Cybersecurity Cryptography (Part 5)

CPSC 467b: Cryptography and Computer Security

Numbers. Çetin Kaya Koç Winter / 18

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Lecture 22: RSA Encryption. RSA Encryption

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

An Efficient Discrete Log Pseudo Random Generator

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Introduction to Elliptic Curve Cryptography. Anupam Datta

Asymmetric Encryption

Tricks of the Trade in Combinatorics and Arithmetic

CPSC 467b: Cryptography and Computer Security

Lecture 6: Cryptanalysis of public-key algorithms.,

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Factorization & Primality Testing

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Breaking Plain ElGamal and Plain RSA Encryption

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

CPSC 467: Cryptography and Computer Security

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Iterated Encryption and Wiener s attack on RSA

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

10 Public Key Cryptography : RSA

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

Lecture 3.1: Public Key Cryptography I

Public Key Algorithms

The RSA cryptosystem and primality tests

CPSC 467b: Cryptography and Computer Security

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

Public Key Cryptography

Elliptic Curve Cryptography

Chapter 4 Asymmetric Cryptography

Transcription:

Introduction to Cryptology Lecture 20

Announcements HW9 due today HW10 posted, due on Thursday 4/30 HW7, HW8 grades are now up on Canvas.

Agenda More Number Theory! Our focus today will be on computational complexity: Which problems in multiplicative groups are easy and which are hard?

Loose Ends from Last Time Recall that we saw last time that a m a m mod φ N mod N. For e Z N, let f e: Z N Z N be defined as f e x x e mod N. Theorem: f e (x) is a permutation. Proof: To prove the theorem, we show that f e (x) is invertible. Let d be the multiplicative inverse of e mod φ(n). Then for y Z N, f d y y d mod N is the inverse of f e. To see this, we show that f d f e x = x. f d f e x = x e d mod N = x e d mod N = x e d mod φ(n) mod N = x 1 mod N = x mod N. Note: Given d, it is easy to compute the inverse of f e However, we saw in the homework that given only e, N, it is hard to find d, since finding d implies that we can factor N = p q. This will be important for cryptographic applications.

Modular Exponentiation Is the following algorithm efficient (i.e. poly-time)? ModExp(a, m, N) //computes a m mod N Set temp 1 For i = 1 to m Set temp temp a mod N return temp; No the run time is O(m). m can be on the order of N. This means that the runtime is on the order of O(N), while to be efficient it must be on the order of O(log N).

Modular Exponentiation We can obtain an efficient algorithm via repeated squaring. ModExp(a, m, N) //computes a m mod N, where m = m n 1 m n 2 m 1 m 0 are the bits of m. Set s a Set temp 1 For i = 0 to n 1 If m i = 1 Set temp temp s mod N Set s s 2 mod N return temp; This is clearly efficient since the loop runs for n iterations, where n = log 2 m.

Modular Exponentiation Why does it work? m = n 1 i=0 m i 2 i Consider a m = a n 1 i=0 m i 2 i n 1 = a m i 2 i i=0. In the efficient algorithm: s values are precomputations of a 2i, for i = 0 to n 1 (this is the repeated squaring part since a 2i = (a 2i 1 ) 2 ). If m i = 1, we multiply in the corresponding s-value. If m i = 0, then a m i 2 i = a 0 = 1 and so we skip the multiplication step.

Toolbox for Cryptographic Multiplicative Groups Can be done efficiently Modular multiplication Finding multiplicative inverses (extended Euclidean algorithm) Modular exponentiation (via repeated squaring) No efficient algorithm believed to exist Factoring RSA problem Discrete logarithm problem Diffie Hellman problems We have seen the efficient algorithms in the left column. We will now start talking about the hard problems in the right column.

The Factoring Assumption The factoring experiment Factor A,Gen n : 1. Run Gen 1 n to obtain (N, p, q), where p, q are random primes of length n bits and N = p q. 2. A is given N, and outputs p, q > 1. 3. The output of the experiment is defined to be 1 if p q = N, and 0 otherwise. Definition: Factoring is hard relative to Gen if for all ppt algorithms A there exists a negligible function neg such that Pr Factor A,Gen n = 1 neg n.

How does Gen work? 1. Pick random n-bit numbers p, q 2. Check if they are prime 3. If yes, return N, p, q. If not, go back to step 1. Why does this work? Prime number theorem: Primes are dense! A random n-bit number is a prime with non-negligible probability. Bertrand s postulate: For any n > 1, the fraction of n-bit integers that are prime is at least 1/3n. Can efficiently test whether a number is prime or composite: If p is prime, then the Miller-Rabin test always outputs prime. If p is composite, the algorithm outputs composite except with negligible probability.

The RSA Assumption The RSA experiment RSA inv A,Gen n : 1. Run Gen 1 n to obtain (N, e, d), where gcd e, φ N = 1 and e d 1 mod φ(n). 2. Choose a uniform y Z N. 3. A is given (N, e, y), and outputs x Z N. 4. The output of the experiment is defined to be 1 if x e = y mod N, and 0 otherwise. Definition: The RSA problem is hard relative to Gen if for all ppt algorithms A there exists a negligible function neg such that Pr RSA inv A,Gen n = 1 neg n.

Relationship between RSA and Factoring Known: If an attacker can break factoring, then an attacker can break RSA. Given p, q such that p q = N, can find φ(n) and d, the multiplicative inverse of e mod φ(n). If an attacker can find φ(n), can break factoring. If an attacker can find d such that e d 1 mod φ N, can break factoring. Not Known: Can every efficient attacker who breaks RSA also break factoring? Due to the above, we have that the RSA assumption is a stronger assumption than the factoring assumption.

Cyclic Groups For a finite group G of order m and g G, consider: g = {g 0, g 1,, g m 1 } g always forms a cyclic subgroup of G. However, it is possible that there are repeats in the above list. Thus g may be a subgroup of order smaller than m. If g = G, then we say that G is a cyclic group and that g is a generator of G.

Examples Consider Z 13 : 2 is a generator of Z 13 : 3 is not a generator of Z 13 : 2 0 1 2 1 2 2 2 4 2 3 8 2 4 16 3 2 5 6 2 6 12 2 7 24 11 2 8 22 9 2 9 18 5 2 10 10 2 11 20 7 2 12 14 1 3 0 1 3 1 3 3 2 9 3 3 27 1 3 4 3 3 5 9 3 6 27 1 3 7 3 3 8 9 3 9 27 1 3 10 3 3 11 9 3 12 27 1

Definitions and Theorems Definition: Let G be a finite group and g G. The order of g is the smallest positive integer i such that g i = 1. Ex: Consider Z 13. The order of 2 is 12. The order of 3 is 3. Proposition 1: Let G be a finite group and g G an element of order i. Then for any integer x, we have g x = g x mod i. Proposition 2: Let G be a finite group and g G an element of order i. Then g x = g y iff x y mod i.

More Theorems Proposition 3: Let G be a finite group of order m and g G an element of order i. Then i m. Proof: We know by the generalized theorem of last class that g m = 1 = g 0. By Proposition 1, we have that g m = g m mod i = g 0. By the direction of Proposition 2, we have that 0 m mod i. By definition of modulus, this means that i m. Corollary: if G is a group of prime order p, then G is cyclic and all elements of G except the identity are generators of G. Why does this follow from Proposition 3? Theorem: If p is prime then Z is a cyclic group of order p 1. p

Prime-Order Cyclic Groups Consider Z p, where p is a strong prime. Strong prime: p = 2q + 1, where q is also prime. Recall that Z p is a cyclic group of order p 1 = 2q. The subgroup of quadratic residues in Z p is a cyclic group of prime order q.

Example of Prime-Order Cyclic Group Consider Z 11. Note that 11 is a strong prime, since 11 = 2 5 + 1. g = 2 is a generator of Z 11 : 2 0 1 2 1 2 2 2 4 2 3 8 2 4 16 5 2 5 10 2 6 20 9 2 7 18 7 2 8 14 3 2 9 6 The even powers of g are the quadratic residues (i.e. the perfect squares). Exactly half the elements of Z p are quadratic residues. Note that the even powers of g form a cyclic subgroup of order p 1 2 = q. Verify: closure (Multiplication translates into addition in the exponent. Addition of two even numbers mod p 2 gives an even number mod p 1, since for prime p > 3, p 1 is even.) Cyclic any element is a generator. E.g. it is easy to see that all even powers of g can be generated by g 2.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback