CS 290G (Fall 2014) Introduction to Cryptography Oct 21st, Lecture 5: RSA OWFs

Similar documents
COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

Number Theory and Group Theoryfor Public-Key Cryptography

Lecture 14: Hardness Assumptions

Lecture 3.1: Public Key Cryptography I

Outline. Number Theory and Modular Arithmetic. p-1. Definition: Modular equivalence a b [mod n] (a mod n) = (b mod n) n (a-b)

Topics in Cryptography. Lecture 5: Basic Number Theory

Lecture 7: Hard-core Predicate and PRG

CSE20: Discrete Mathematics

CSC 474 Network Security. Outline. GCD and Euclid s Algorithm. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Introduction to Cryptography. Lecture 6

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

CIS 551 / TCOM 401 Computer and Network Security

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Numbers. Çetin Kaya Koç Winter / 18

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

CSC 474 Information Systems Security

ENEE 457: Computer Systems Security. Lecture 5 Public Key Crypto I: Number Theory Essentials

1 Rabin Squaring Function and the Factoring Assumption

Public Key Encryption

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

ALG 4.0 Number Theory Algorithms:

Introduction to Number Theory 1. c Eli Biham - December 13, Introduction to Number Theory 1

Computational Hardness

Chapter 9 Basic Number Theory for Public Key Cryptography. WANG YANG

CSC 5930/9010 Modern Cryptography: Number Theory

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

Mathematical Foundations of Cryptography

Lecture 10: HMAC and Number Theory

CPSC 467b: Cryptography and Computer Security

Elementary Number Theory Review. Franz Luef

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Lecture 11: Key Agreement

Katz, Lindell Introduction to Modern Cryptrography

Number Theory and Algebra: A Brief Introduction

Number Theory. Modular Arithmetic

OWO Lecture: Modular Arithmetic with Algorithmic Applications

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Introduction to Information Security

CPSC 467: Cryptography and Computer Security

CSE 521: Design and Analysis of Algorithms I

Number Theory & Modern Cryptography

Number Theory A focused introduction

MATH 433 Applied Algebra Lecture 4: Modular arithmetic (continued). Linear congruences.

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Introduction to Cryptology. Lecture 19

ECEN 5022 Cryptography

Basic elements of number theory

Basic elements of number theory

Introduction to Cryptology. Lecture 20

Chapter 4 Finite Fields

Lecture 11: Number Theoretic Assumptions

ECE596C: Handout #11

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Introduction to Cybersecurity Cryptography (Part 5)

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Mathematical Foundations of Public-Key Cryptography

basics of security/cryptography

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Chapter 5. Modular arithmetic. 5.1 The modular ring

Some Facts from Number Theory

Applied Cryptography and Computer Security CSE 664 Spring 2018

Lecture 1: Class Introduction

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Basic Algorithms in Number Theory

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

RSA. Ramki Thurimella

CS 5319 Advanced Discrete Structure. Lecture 9: Introduction to Number Theory II

Asymmetric Encryption

Discrete Mathematics GCD, LCM, RSA Algorithm

Cryptography IV: Asymmetric Ciphers

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

The RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

COMP4109 : Applied Cryptography

Finite Fields. Mike Reiter

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

1 Number Theory Basics

CPSC 467b: Cryptography and Computer Security

8.1 Principles of Public-Key Cryptosystems

Groups in Cryptography. Çetin Kaya Koç Winter / 13

Mathematics of Cryptography

Elementary Number Theory MARUCO. Summer, 2018

Ma/CS 6a Class 3: The RSA Algorithm

Public Key Cryptography

Number Theory Alex X. Liu & Haipeng Dai

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Basic Algorithms in Number Theory

Math 299 Supplement: Modular Arithmetic Nov 8, 2013

Example 2: Student work M ATHS COURSEWORK. Mathematics SL and HL teacher support material 1. Proving Euler s Totient Theorem

2 More on Congruences

Introduction to Public-Key Cryptosystems:

Introduction to Number Theory

CS 6260 Some number theory

Transcription:

CS 290G (Fall 2014) Introduction to Cryptography Oct 21st, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Harichandan Pulagam In the last class, we continued the discussion of One-Way Functions (OWFs). We started off by proving that hardness of factoring implies the existence of a Strong OWF, i.e., Hardness of factoring Strong OWF And then we went on to prove Hardness Amplication, i.e., Weak OWF Strong OWF Corollary Hardness of factoring Strong OWF 2 Collection of OWFs Earlier definitions of Strong OWFs and Weak OWFs are elegant and concise. The Strong OWFs have a srong security guarantee, while the Weak OWFs are easy to instantiate from mathematical problems for which hard instances come from special domains and ranges, like factoring. Such a definition is very useful for complexity-theoretic crypto. However, it tends not to be as appropriate for the kinds of hard functions that we use in real-life crypto. In this class, we look at combining these features of Strong OWFs and Weak OWFs, to provide for a more flexible definition, i.e., 1. Allow arbitrary domains and ranges 2. Consider not a single function, but a collection of functions Definition 1 Collection of OWFs is a family F = {f i : D i R i } for i I such that the following conditions hold: 1. Easy to sample a function from F: PPT Gen: Gen(1 n ) i I 2. Easy to sample from the domain: PPT Sam: i I, Sam(i) a, where a is a random element in D i 3. Easy to evaluate: PPT M, i, x D i such that M(i,x) = f i (x) 5-1

4. Hard to invert: nuppt A, negligible ε(n) such that: P r [i Gen(1 n ), x D i, y=f i (x), x A(i,y): f i (x )=y] ε(n) Observation Any single OWF f: D R is also a collection of OWFs. Examples F = {f o = f: D R} I={0} 1. Hardness of factoring Collection of OWFs F = {f n (x,y) = x.y for x,y n } n N, Domain, D n = 2 n (Domain looks complex) 2. Hardness of factoring Collection of OWFs F = {g n ( x, y) = x 1 y 1,..., x m y m for x i y i {0,1} n, m=4n 3 } n N (Better domain but g n is inefficient) 3. RSA One-Way Permutations (OWPs) Nicer domain compared to 1 More efficient compared to 2 Widely used in practice 3 Recap of Basic Number Theory Modular Arithmetic Given integers a and N. Theorem 1 a,n Z unique k, 0 y<n such that: a = kn + y y = a mod N, k = a y Modular Addition/Multiplication (a + b) mod N = ((a mod N) + (b mod N)) mod N (a * b) mod N = ((a mod N) * (b mod N)) mod N Groups G is a set of elements with an operation : G G G. Then : 5-2

1. Closure: a,b G, a b G 2. Identity: i G, a G, a i = i a = a 3. Associativity: (a b) c = a (b c) 4. Inverse: a G, a 1 =b G, such that: a b = b a = i Example 1: (Z,+) is a group because: 1. Closure: Addition of two integers will always be an integer. 2. Identity: Identity = 0. Adding 0 to any integer a will give the same integer a. 3. Associativity: (a b) c = a (b c) 4. Inverse: a Z, -a Z, such that: a+(-a) = i = 0 Example 2: (Z, ) is not a group because: The inverse condition will be violated for integers. Inverse: a Z, 1 Z. a Additive Modular Groups Z N = 0,1,...,N-1 Operation: + mod N Identity: i=0 Inverse: a Z N, b Z N, such that: (a + b) mod N = 0, where b = a 1 = N a Multiplicative Modular Groups (Z N, * mod N), where Z N = {a 0 a<n, gcd(a, N) = 1} Theorem 2 a,n, a has an inverse under ( mod N) gcd(a,n) = 1 Proof. ( direction) b such that b.a mod N = 1 k such that b.a = kn + 1 To prove: gcd(a,n) = 1 Proof by Contraposition 5-3

Let gcd(a,n) = c 1 a=k 1 c, N=k 2 c b.a + kn = Kc (some multiple of c) b.a + kn 1, which violates our initial assumption. Thus, gcd(a,n) = 1 ( direction) if gcd(a,n)=1 b,k such that b.a + kn = 1 (multiples of gcd(a,n)) Theorem 3 Euclid Algorithm a,b Euclid(a,b) x,y such that: x.a + y.b = gcd(a,b) Proof. Given: a>b>0. Euclid(a,b): if (base case) a mod b = 0 //xa+yb = b, i.e., gcd(a,b)=b return (x = 0, y = 1) else if (a mod b 0) //gcd(a,b) = gcd(a mod b, b) Euclid(b,a mod b) x, y // x.b + y.(a mod b) = gcd(a,b) = x.b + y.(a a ) * b) b return (y, x a y) b Efficiency Euclid is a polynomial time algorithm meaning, it runs in time: Theorem 4 (Z N, * mod N) is a group Proof. a. Closure: a,b Z N ab mod N b. Identity, i=1 c. Inverse a 1 =b such that ba + kn = 1 poly(log a, log b) = poly(log a) Examples of Multiplicative Modular Groups Z 7 = {1,2,3,4,5,6} Z 15 = {x: x<15 and x not a multiple of 3 and 5} Z N, N = p.q where p and q are primes. Size of Z N = φ(n) = Z N (Euler s Totient Function) φ(p) = p-1 for p=prime φ(n) for N = p.q = (p-1)(q-1) 5-4

Exponentiation in multiplicative group: * mod N For e 0, a Z N ae mod N = (a*a*..*a) mod N Theorem 5 Euler s Theorem a Z N, aφ(n) mod N = 1. Corollary e, a e mod N = a emodφ(n) mod N = a e kφ(n) mod N = a e.a kφ(n) mod N a φ(n) mod N = 1 Example 2 61241 mod 21 = 2 61241modφ(21) mod 21 φ(21) = (3-1)(7-1) = 12 6 1241 mod 12 = 6.6 1240 = 6.(36) 620 mod 12 = 0 2 61241 mod 21 = 2 0 mod 21 = 1 4 RSA Collection of OWFs An RSA Collection of OWFs can be informally defined as: (N,e) : f N,e (x) = x e mod N. Hardness of RSA Given a random element y Z N, it is hard to find xe for randomly chosen special N and special e. special N Product of primes p and q special e {e Z φ(n) and gcd(e,φ(n)) = 1}, where φ(n) = Z N = (p-1)(q-1) Assumption for RSA nuppt A, negligible ε(n) such that: P r [p,q n, N=p.q, e Z φ(n), y Z φ(n) : x A(N,e,y): (x ) e mod N = y] ε(n) This assumption motivates the following definition for RSA Collection: Definition 2 RSA Collection F RSA = {f N,e = x e mod N} N,e I where I = {(N,e): N=p,q n, e Z φ(n) } Domain, D N,e = {x x Z N } Range, R N,e = Z N Theorem 6 RSA collection is a collection of OWF. 1. Easy to sample a function: Gen(1 n ): p,q n, N = p.q, φ(n) = (p-1)(q-1) e Z φ(n) 5-5

2. Easy to sample from domain of f N,e : Domain = Z N 3. Easy to compute: f N,e = x e mod N 4. Hard to invert: A, ε(n) such that: P r [(N,e) Gen(1 n ), x Z N, y = f N,e(x) = x e mod N, x A((N,e),y): (x ) e mod N = y] ε(n) The distribution given by this function and the one by RSA assumption are the same. Theorem 7 f N,e F RSA, f N,e is a permutation. Proof. y Z N, x, f N,e(x) = y, i.e., x e mod N = y Given y, demonstrate the existence of x e Z N e is co-prime with φ(n) d = e 1 under mod φ(n) Let s consider x = y d mod N x e mod N = y (y d ) e mod N = y de mod φ(n) mod N d = e 1, y = y 5-6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback