Katz, Lindell Introduction to Modern Cryptrography

Similar documents
CSC 5930/9010 Modern Cryptography: Number Theory

Introduction to Cryptology. Lecture 20

Katz, Lindell Introduction to Modern Cryptrography

John Hancock enters the 21th century Digital signature schemes. Table of contents

Lecture 14: Hardness Assumptions

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

El Gamal A DDH based encryption scheme. Table of contents

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Cryptography IV: Asymmetric Ciphers

Number Theory and Group Theoryfor Public-Key Cryptography

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Chapter 11 : Private-Key Encryption

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

1 Rabin Squaring Function and the Factoring Assumption

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Lecture 1: Introduction to Public key cryptography

Computational Number Theory. Adam O Neill Based on

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

CPSC 467: Cryptography and Computer Security

Public Key Encryption

Public Key Cryptography

Basic Algorithms in Number Theory

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Lecture 11: Key Agreement

Lecture 11: Number Theoretic Assumptions

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Public Key Cryptography

CPSC 467: Cryptography and Computer Security

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Chapter 8 Public-key Cryptography and Digital Signatures

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

INTEGERS. In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes.

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Public Key Cryptography

4 Powers of an Element; Cyclic Groups

Lecture Notes, Week 6

1. Algebra 1.7. Prime numbers

Introduction to Cybersecurity Cryptography (Part 4)

1 Number Theory Basics

CSE 521: Design and Analysis of Algorithms I

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Introduction to Cybersecurity Cryptography (Part 4)

10 Concrete candidates for public key crypto

Cryptographic Hardness Assumptions

Introduction to Cryptography. Lecture 8

Applied Cryptography and Computer Security CSE 664 Spring 2018

ALG 4.0 Number Theory Algorithms:

Topics in Cryptography. Lecture 5: Basic Number Theory

CPSC 467b: Cryptography and Computer Security

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

ECE646 Lecture 11 Required Reading Chapter 8.3 Testing for Primality RSA Key Generation

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Cryptography. Lecture 8. Arpita Patra

Ma/CS 6a Class 4: Primality Testing

Definition of a finite group

CPSC 467b: Cryptography and Computer Security

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

5.4 ElGamal - definition

Asymmetric Encryption

Cryptography: Joining the RSA Cryptosystem

Public-Key Cryptosystems CHAPTER 4

MATH 145 Algebra, Solutions to Assignment 4

Public Key Cryptography

Computational Hardness

The RSA cryptosystem and primality tests

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

14 Diffie-Hellman Key Agreement

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Introduction to Elliptic Curve Cryptography. Anupam Datta

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Math/Mthe 418/818. Review Questions

Introduction to Public-Key Cryptosystems:

Security II: Cryptography exercises

CS 290G (Fall 2014) Introduction to Cryptography Oct 21st, Lecture 5: RSA OWFs

CS 6260 Some number theory

Elementary Number Theory Review. Franz Luef

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

CPSC 467b: Cryptography and Computer Security

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Number Theory. Raj Jain. Washington University in St. Louis

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Kevin James. MTHSC 412 Section 3.4 Cyclic Groups

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Public-Key Encryption: ElGamal, RSA, Rabin

Factorization & Primality Testing

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Chapter 8. Introduction to Number Theory

Transcription:

Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 8 Markus Bläser, Saarland University

Weak factoring experiment The weak factoring experiment 1. Choose two n-bit integers x 1, x 2 uniformly. 2. Compute N := x 1 x 2. 3. A is given N and outputs x 1, x 2 > 1. 4. The result of the experiment is 1 if N = x 1 x 2 and 0 otherwise

Weak factoring experiment The weak factoring experiment 1. Choose two n-bit integers x 1, x 2 uniformly. 2. Compute N := x 1 x 2. 3. A is given N and outputs x 1, x 2 > 1. 4. The result of the experiment is 1 if N = x 1 x 2 and 0 otherwise Easy to win x 1, x 2 prime

Generating primes Algorithm 8.31/8.34 Input: length 1 n, parameter 1 t Output: a uniform n-bit prime 1. for i := 1 to t = 3n 2 2. p {0, 1} n 1 3. p := 1 p 4. if p is prime then return p 5. return failure

Primality testing Observation N prime = a N 1 = 1 mod N for any a Algorithm 8.35 Input: integer N, parameter 1 t 1. for i := 1 to t do 2. a {1,..., N 1} 3. if a N 1 1 mod N then return composite 4. return prime

Primality testing (2) Proposition (8.36) Let G be a finite group and H G. If H is nonempty and for all a, b H we have ab H, then H is a subgroup of G. Lemma (8.37) Let H be a proper subgroup of a finite group G. Then H G /2. Theorem (8.38) If there is a witness a such that a N 1 1 mod N, then this is true for a least half the elements in Z N.

Miller-Rabin test Write N 1 = 2 r u with u odd. Definition a is a strong witness that N is composite, if (1) a u ±1 mod N and (2) a 2iu 1 mod N for all 1 i r 1. Lemma (8.39) If N is an odd prime, then the only square roots of 1 modulo N are ±1 mod N. Lemma If N is prime, then N has no strong witnesses. Theorem (8.40) If N is odd and not a prime power, then half of the elements of Z N are strong witnesses for N.

Miller-Rabin test (2) Algorithm 8.44 Input: N > 2, parameter 1 t 1. If N is even, return composite 2. If N is a perfect power, return composite 3. Write N 1 = 2 r u with u odd 4. for i := 1 to t do 5. a {0,..., N 1} 6. If a is a strong witness, return composite 7. return prime Theorem (8.33) If N is prime, then the Miller-Rabin test always outputs prime. If N is composite, then it outputs composite with probability 1 2 t. The running time is polynomial in t and log N.

The factoring experiment GenModulus: On input 1 n, output (N, p, q) where N = pq, p, q are n-bit primes (except with probability negligible in n). The factoring experiment Factor A,GenModulus (n) 1. Run GenModulus(1 n ) to obtain (N, p, q). 2. A is given N and outputs p, q > 1. 3. The outcome is 1 if p q = N and 0 otherwise. Definition (8.45) Factoring is hard relative to GenModulus if for all ppt A, Pr[Factor A,GenModulus (n) = 1] negl(n).

RSA assumption Factoring does not yield directly practical systems... φ(n) := Z N = {a {1,..., N 1} gcd(a, N) = 1} N = i pe i i φ(n) = i pe i 1 i (p i 1) a φ(n) = 1 mod N GenRSA(1 n ): 1. (N, p, q) GenModulus(1 n ) 2. φ(n) := (p 1)(q 1) 3. Choose e > 1 such that gcd(e, φ(n)) = 1 4. Compute d := e 1 mod φ(n). 5. return N, e, d.

RSA assumption (2) RSA-experiment RSA-Inv A,GenRSA (n) 1. Run GenRSA(1 n ) to obtain (N, e, d). 2. Choose y Z N uniformly at random. 3. A is given N, e, y and outputs x Z N. 4. The outcome is 1 if x e = y mod N. Definition (8.46) The RSA problem is hard relative to GenRSA if for all ppt A, Pr[RSA-Inv A,GenRSA (n) = 1] negl(n). If we can factor, we can win RSA-Inv. Given N, e, d, we can factor (Theorem 8.50). This is not the converse of the first statement.

Extended Euclidean Algorithm Proposition (8.2) For all natural numbers a, b there are integer X and Y ( cofactors ) such that Xa + Yb = gcd(a, b). gcd(a, b) is the smallest integer (in absolute value) that can be written like this. Assume that a > b and write a = qb + r with 0 r < b. If r = 0, then b = gcd(a, b) = 0 a + 1 b. Otherwise, recursively compute X, Y such that Xb + Yr = gcd(b, r) = gcd(a, b). Then Y a + (X Yq)b = gcd(a, b). Extended Euclidean Algorithm (B.10)

Factoring and RSA assumption Let gcd(a, M) = 1 and Xa + YM = 1 Then Xa = 1 mod M, i.e., X is a modular inverse of a modulo M. If de = 1 mod φ(n), then de = 1 + Yφ(N) for some Y, hence (x d ) e = x de = x 1+Yφ(N) = x mod N, since z φ(n) = 1 mod N for any z. So x d is an eth root of x modulo N. If we can factor N, then we can compute φ(n).

Cyclic groups Let G be a finite group of size m and g G.We set g := {g 0, g 1,... }. We have g m = 1 and let i m be the smallest index with g i = 1. Then g = {g 0,..., g i 1 }. Proposition g is a subgroup of G. Definition (8.51) The order of g is the smallest i with g i = 1.

Cyclic groups (2) Proposition (8.53) Let g be an element of order i in a finite group G. Then g x = g y iff x = y mod i. Definition Let G be a finite group. G is cyclic if there is a g G with g = G. Such a g is called a generator. Proposition (8.54) Let g be an element of order i in a finite group G of size m. Then i m. Corollary (8.55) If G is a finite group of prime order, then G is cyclic. All elements except 1 are generators.

Discrete logarithm assumption Group generation algorithm on input 1 n outputs: a description of a cyclic group G its order q (of bit length n) a generator g. Description means representation of elements as bit strings such that we can efficiently (= polynomial in n) check whether a string is a group element and we can efficiently perform the group operation.

Discrete logarithm assumption (2) G finite cyclic group with generator g, G = {g 0,..., g q 1 }. Definition Let y G. The unique 0 i q 1 such that g i = y is the discrete logarithm of y (with respect to g). Notation: i = log g y Some rules: log g 1 = 0 log g y r = r log g y mod q log g (xy) = log g (x) + log q (y) mod q.

Discrete logarithm assumption (3) The discrete logarithm experiment Dlog A,gen (n): 1. Generate an instance (G, q, g) with q having n bits. 2. Choose h G uniformly at random. 3. A is given (G, q, g) and h and outputs x Z q. 4. The results of the experiment is 1 if g x = h and 0 otherwise Definition We say that the discrete logarithm problem is hard with respect to Gen if for all ppt A, Pr[Dlog A,Gen (n) = 1] negl(n).

Computational Diffie Hellman assumption Let G be a cyclic group with generator g. Let h 1 = g x 1 and h 2 = g x 2. We define DH g (h 1, h 2 ) := g x 1 x 2 = h x 2 1 = h x 1 2. Computational Diffie-Hellman experiment: Compute DH(h 1, h 2 ) from uniform h 1 and h 2 (without knowing x 1 or x 2 ). If discrete logarithm is easy, so is computational Diffie-Hellman: Compute x 1 = log g (h 1 ) and output h x 1 2. Converse is not known.

Decisional Diffie-Hellman assumption Definition (8.63) The decisional Diffie-Hellman problem DHH is hard relative to Gen if for all ppt A Pr[A(G, q, g, g x, g y, g z ) = 1] Pr[A(G, q, g, g x, g y, g xy ) = 1] negl(n) where the probability is taken over the randomness of the generation algorithm Gen(1 n ) outputting (G, q, g) and x, y, and z in Z q are chosen uniformly at random. distinguish g xy from a random element g z

Choosing a group The order of the group should be a prime: Discrete logarithm is supposed to be harder in such groups. Finding a generator is trivial DH g (h 1, h 2 ) is close to uniform for such groups. Theorem Let p = rq + 1 with p and q being prime. Then G := {h r mod p h Z p} is a subgroup of Z p of order q.

Group generation Input: Security parameter 1 n, parameter l = l(n) 1. generate an n-bit prime q uniformly at random 2. generate an l-bit prime p such that q (p 1) 3. choose h Z q with h 1 4. set g = h (p 1)/q mod p 5. return p, q, g

Elliptic curves

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback