Practical Aspects of Modern Cryptography
Josh Benaloh
Brian LaMacchia
Winter 2011
January 6, 2011

Cryptography is ...
- Protecting Privacy of Data
- Authentication of Identities
- Preservation of Integrity
… basically any protocols designed to operate in an environment absent of universal trust.

Characters
Alice
Bob

Basic Communication
Alice talking to Bob

Another Character
Eve

Basic Communication Problem
Eve listening to Alice talking to Bob

Two-Party Environments
Alice, Bob

Remote Coin Flipping
- Alice and Bob decide to make a decision by flipping a coin.
- Alice and Bob are not in the same place.

Ground Rule
- Protocol must be asynchronous.
- We cannot assume simultaneous actions.
- Players must take turns.

Is Remote Coin Flipping Possible?
Two-part answer:
- NO – I will sketch a formal proof.
- YES – I will provide an effective protocol.

A Protocol Flow Tree
[Figure sequence: a tree whose levels are labeled A:, B:, A:, B: and whose nodes are labeled A or B.]

Pruning the Tree
[Figure sequence: the tree is pruned slide by slide until a single node labeled A remains.]

Completing the Pruning
When the pruning is complete one will end up with either
- a winner before the protocol has begun, or
- a useless infinite game.

Conclusion of Part I
Remote coin flipping is utterly impossible!!!

How to Remotely Flip a Coin

The INTEGERS

0   4   8  12  16 …    Even
1   5   9  13  17 …    4n + 1: Type +1
2   6  10  14  18 …    Even
3   7  11  15  19 …    4n - 1: Type -1

How to Remotely Flip a Coin

Fact 1
Multiplying two (odd) integers of the same type always yields a product of Type +1.
$(4p+1)(4q+1) = 16pq + 4p + 4q + 1 = 4(4pq + p + q) + 1$
$(4p-1)(4q-1) = 16pq - 4p - 4q + 1 = 4(4pq - p - q) + 1$

Fact 2
There is no known method (other than factoring) to distinguish a product of two “Type +1” integers from a product of two “Type -1” integers.

Fact 3
Factoring large integers is believed to be much harder than multiplying large integers.

How to Remotely Flip a Coin

Alice
- Randomly select a bit $b \in \{\pm 1\}$ and two large integers $P$ and $Q$, both of type $b$.
- Compute $N = PQ$.
- Send $N$ to Bob.
[Diagram: Alice sends N to Bob]

Bob
- After receiving $N$ from Alice, guess the value of $b$ and send this guess to Alice.
[Diagram: Bob sends b to Alice]
- Bob wins if and only if he correctly guesses the value of $b$.

Alice
- After receiving $b$ from Bob, reveal $P$ and $Q$.
[Diagram: Alice sends P, Q to Bob]

Let’s Play

The INTEGERS

0   4   8  12  16 …
1   5   9  13  17 …    Type +1
2   6  10  14  18 …
3   7  11  15  19 …    Type -1

How to Remotely Flip a Coin

Alice
- Randomly select a bit $b \in \{\pm 1\}$ and two large primes $P$ and $Q$, both of type $b$.
- Compute $N = PQ$.
- Send $N$ to Bob.

Bob
- After receiving $N$ from Alice, guess the value of $b$ and send this guess to Alice.
- Bob wins if and only if he correctly guesses the value of $b$.

Alice
- After receiving $b$ from Bob, reveal $P$ and $Q$.

Checking Primality
Basic result from group theory:
If $p$ is a prime, then for integers $a$ such that $0 < a < p$, $a^{p-1} \bmod p = 1$.
This is almost never true when $p$ is composite.

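The coin-flipping protocol and the primality check above, as an added Python example that is not part of the original slides. It shows why Bob must verify that the revealed $P$ and $Q$ are prime: the constructed value 105 opens as either type when only "same type, product equals N" is checked. Function names, the 256-bit default size and the value 105 are assumptions chosen for illustration.

```python
import secrets

def int_type(n):
    """Type of an odd integer: +1 if n = 4k+1, -1 if n = 4k-1 (caller ensures n is odd)."""
    return 1 if n % 4 == 1 else -1

def is_probable_prime(p, rounds=20):
    """Fermat test from the slide: a prime p gives a^(p-1) mod p == 1 for 0 < a < p.
    A few rare composites (Carmichael numbers) also pass; the slide says 'almost never'."""
    if p < 4:
        return p in (2, 3)
    if p % 2 == 0:
        return False
    for _ in range(rounds):
        a = 2 + secrets.randbelow(p - 3)          # 2 <= a <= p-2
        if pow(a, p - 1, p) != 1:
            return False
    return True

def random_prime_of_type(b, bits):
    """Random probable prime with the top bit set and low two bits 01 (Type +1) or 11 (Type -1)."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1))
        c = (c & ~3) | (1 if b == 1 else 3)
        if is_probable_prime(c):
            return c

def alice_commit(bits=256):
    """Alice's first move: returns her secret opening (b, P, Q) and the N she sends to Bob."""
    b = secrets.choice((1, -1))
    p, q = random_prime_of_type(b, bits), random_prime_of_type(b, bits)
    return (b, p, q), p * q

def bob_verify(n, p, q, check_primes=True):
    """Bob's check of the revealed factors. Returns the committed type, or None if rejected."""
    if p <= 1 or q <= 1 or p * q != n:
        return None
    if p % 2 == 0 or q % 2 == 0 or int_type(p) != int_type(q):
        return None
    if check_primes and not (is_probable_prime(p) and is_probable_prime(q)):
        return None
    return int_type(p)

def play(bits=256):
    """One honest run: commit, guess, reveal, verify. Returns the winner's name."""
    (b, p, q), n = alice_commit(bits)
    guess = secrets.choice((1, -1))               # without factoring N, Bob can only guess
    opened = bob_verify(n, p, q)
    if opened != b:
        raise RuntimeError("honest opening was rejected")
    return "Bob" if guess == opened else "Alice"

# Constructed example of the 'integers' version failing:
# 105 = 21 * 5 (both Type +1) and also 105 = 3 * 35 (both Type -1).
AMBIGUOUS_N = 105
OPENINGS = {1: (21, 5), -1: (3, 35)}

def ambiguous_opening(bob_guess):
    """Factor pair of 105 whose type is the opposite of Bob's guess."""
    return OPENINGS[-bob_guess]

if __name__ == "__main__":
    print("honest game winner:", play())
    for guess in (1, -1):
        p, q = ambiguous_opening(guess)
        print("guess", guess,
              "| without primality check Bob accepts type", bob_verify(AMBIGUOUS_N, p, q, False),
              "| with primality check:", bob_verify(AMBIGUOUS_N, p, q, True))
```

With the primality check in place both openings of 105 are rejected, which is the difference between the "integers" and "primes" versions of the protocol slide.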
How are the Answers Reconciled?
- The impossibility proof assumed unlimited computational ability.
- The protocol is not 50/50 – Bob has a small advantage.

Applications of Remote Flipping
- Remote Card Playing
- Internet Gambling
- Various “Fair” Agreement Protocols

Bit Commitment
We have implemented remote coin flipping via bit commitment.
Commitment protocols can also be used for
- Sealed bidding
- Undisclosed contracts
- Authenticated predictions

One-Way Functions
We have implemented bit commitment via one-way functions.
One-way functions can be used for
- Authentication
- Data integrity
- Strong “randomness”

One-Way Functions
Two basic classes of one-way functions
- Mathematical
  - Multiplication: $Z = X \times Y$
  - Modular Exponentiation: $Z = Y^X \bmod N$
- Ugly

The Fundamental Equation
$Z = Y^X \bmod N$

Modular Arithmetic
$Z \bmod N$ is the integer remainder when $Z$ is divided by $N$.

The Division Theorem
For all integers $Z$ and $N > 0$, there exist unique integers $Q$ and $R$ such that $Z = Q \times N + R$ and $0 \le R < N$.
By definition, this unique $R = Z \bmod N$.

Modular Arithmetic
- To compute $(A+B) \bmod N$, compute $(A+B)$ and take the result $\bmod N$.
- To compute $(A-B) \bmod N$, compute $(A-B)$ and take the result $\bmod N$.
- To compute $(A \times B) \bmod N$, compute $(A \times B)$ and take the result $\bmod N$.
- To compute $(A \div B) \bmod N$, …

Modular Division
What is the value of $(1 \div 2) \bmod 7$?
We need a solution to $2x \bmod 7 = 1$.
Try $x = 4$.

What is the value of $(7 \div 5) \bmod 11$?
We need a solution to $5x \bmod 11 = 7$.
Try $x = 8$.

Modular Division
Is modular division always well-defined?
$(1 \div 3) \bmod 6 = ?$
$3x \bmod 6 = 1$ has no solution!

Fact 1
$(A \div B) \bmod N$ always has a solution when $\gcd(B, N) = 1$.

Fact 2
$(A \div B) \bmod N$ never has a solution when $\gcd(A, B) = 1$ and $\gcd(B, N) \ne 1$.

Greatest Common Divisors
$\gcd(A, B) = \gcd(B, A - B)$
since any common factor of $A$ and $B$ is also a factor of $A - B$, and since any common factor of $B$ and $A - B$ is also a factor of $A$.

$\gcd(21, 12) = \gcd(12, 9) = \gcd(9, 3) = \gcd(3, 6) = \gcd(6, 3) = \gcd(3, 3) = \gcd(3, 0) = 3$

$\gcd(A, B) = \gcd(B, A - kB)$ for any integer $k$.

$\gcd(A, B) = \gcd(B, A \bmod B)$

$\gcd(21, 12) = \gcd(12, 9) = \gcd(9, 3) = \gcd(3, 0) = 3$

Extended Euclidean Algorithm
Given integers $A$ and $B$, find integers $X$ and $Y$ such that $AX + BY = \gcd(A, B)$.
When $\gcd(A, B) = 1$, solve $AX \bmod B = 1$ by finding $X$ and $Y$ such that $AX + BY = \gcd(A, B) = 1$.
Compute $(C \div A) \bmod B$ as $C \times (1 \div A) \bmod B$.

Extended Euclidean Algorithm
$\gcd(35, 8) = \gcd(8, 35 \bmod 8) = \gcd(8, 3) = \gcd(3, 8 \bmod 3) = \gcd(3, 2) = \gcd(2, 3 \bmod 2) = \gcd(2, 1) = \gcd(1, 2 \bmod 1) = \gcd(1, 0) = 1$

$35 = 8 \times 4 + 3$, so $3 = 35 - 8 \times 4$
$8 = 3 \times 2 + 2$, so $2 = 8 - 3 \times 2$
$3 = 2 \times 1 + 1$, so $1 = 3 - 2 \times 1$
$2 = 1 \times 2 + 0$

$1 = 3 - 2 \times 1$
$\;\; = (35 - 8 \times 4) - (8 - 3 \times 2) \times 1$
$\;\; = (35 - 8 \times 4) - (8 - (35 - 8 \times 4) \times 2) \times 1$
$\;\; = 35 \times 3 - 8 \times 13$

Extended Euclidean Algorithm
Given
, set
.
Repeat while
: {
;
div
;
;
}.
For
all
:
. Final
gcd
(
,
)
.
If
,
then
mod
and
mod
.
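The extended Euclidean algorithm and modular division from the preceding slides, as an added Python example that is not part of the original slides. It reproduces the slides' results ($35 \times 3 - 8 \times 13 = 1$, $(1 \div 2) \bmod 7 = 4$, $(7 \div 5) \bmod 11 = 8$, no solution for $(1 \div 3) \bmod 6$) and goes one step further by returning every solution when $\gcd(B, N) \ne 1$; the function names are assumptions.

```python
def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b).

    Runs the gcd(A, B) = gcd(B, A mod B) chain while tracking how each
    remainder is written as a combination of the original a and b.
    """
    x0, y0 = 1, 0      # current a == x0*a_orig + y0*b_orig
    x1, y1 = 0, 1      # current b == x1*a_orig + y1*b_orig
    while b != 0:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_divide(a, b, n):
    """Return every x in [0, n) with (b * x) % n == a % n, i.e. the candidates for (a ÷ b) mod n.

    - gcd(b, n) == 1: exactly one solution (the slides' Fact 1).
    - gcd(b, n) does not divide a: no solution (covers the slides' Fact 2).
    - otherwise: gcd(b, n) distinct solutions, so the 'quotient' is not unique.
    """
    a %= n
    g, inv, _ = extended_gcd(b % n, n)      # (b % n)*inv + n*y == g
    if a % g != 0:
        return []
    n_g = n // g
    x0 = (a // g) * inv % n_g               # inv inverts (b/g) modulo (n/g)
    return [x0 + k * n_g for k in range(g)]


if __name__ == "__main__":
    print(extended_gcd(35, 8))       # coefficients from the worked example
    print(mod_divide(1, 2, 7))       # (1 ÷ 2) mod 7
    print(mod_divide(7, 5, 11))      # (7 ÷ 5) mod 11
    print(mod_divide(1, 3, 6))       # (1 ÷ 3) mod 6: no solution
    print(mod_divide(3, 3, 6))       # three solutions: division is not well-defined here
```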

The Fundamental Equation
$Z = Y^X \bmod N$
- When $Z$ is unknown, it can be efficiently computed.
- When $X$ is unknown, the problem is known as the discrete logarithm and is generally believed to be hard to solve.
- When $Y$ is unknown, the problem is known as discrete root finding and is generally believed to be hard to solve ... unless the factorization of $N$ is known.
- The problem is not well-studied for the case when $N$ is unknown.

Implementation
$Z = Y^X \bmod N$

How to compute $Y^X \bmod N$
Compute $Y^X$ and then reduce $\bmod N$.
- If $X$, $Y$, and $N$ each are 2,048-bit integers, $Y^X$ consists of ~$2^{2059}$ bits.
- Since there are roughly $2^{250}$ particles in the universe, storage is a problem.

How to compute $Y^X \bmod N$
Repeatedly multiplying by $Y$ (followed each time by a reduction modulo $N$) $X$ times solves the storage problem.
- However, we would need to perform ~$2^{900}$ 64-bit multiplications per second to complete the computation before the sun burns out.

How to compute $Y^X \bmod N$
Multiplication by Repeated Doubling
To compute $X \times Y$, compute $Y, 2Y, 4Y, 8Y, 16Y, \ldots$ and sum up those values dictated by the binary representation of $X$.
Example: $26Y = 2Y + 8Y + 16Y$.

How to compute $Y^X \bmod N$
Exponentiation by Repeated Squaring
To compute $Y^X$, compute $Y, Y^2, Y^4, Y^8, Y^{16}, \ldots$ and multiply those values dictated by the binary representation of $X$.
Example: $Y^{26} = Y^2 \times Y^8 \times Y^{16}$.

How to compute $Y^X \bmod N$
We can now perform a 2,048-bit modular exponentiation using ~3,072 2,048-bit modular multiplications.
- 2,048 squarings: $y, y^2, y^4, \ldots, y^{2^{2048}}$
- ~1024 “ordinary” multiplications

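Exponentiation by repeated squaring with a reduction modulo $N$ after every step, as an added Python example that is not part of the original slides. It counts squarings and "ordinary" multiplications so the ~3,072 figure can be checked on random 2,048-bit inputs; the function names and the trial count are assumptions.

```python
import secrets

def powers_used(x):
    """Powers of two selected by the binary representation of x, e.g. 26 -> [2, 8, 16]."""
    return [1 << i for i in range(x.bit_length()) if (x >> i) & 1]

def modexp(y, x, n):
    """Compute y**x mod n by repeated squaring.

    Returns (result, squarings, multiplications). Every intermediate value is
    reduced mod n, so nothing larger than n*n is ever stored.
    """
    result = 1
    power = y % n                    # holds y^(2^i) mod n for the current bit i
    squarings = multiplications = 0
    while x > 0:
        if x & 1:                    # this power of y is part of the product
            result = (result * power) % n
            multiplications += 1
        x >>= 1
        if x:                        # more bits to come: square for the next one
            power = (power * power) % n
            squarings += 1
    return result, squarings, multiplications

def average_multiplications(bits=2048, trials=20):
    """Average squarings + multiplications over random full-size exponents."""
    total = 0
    for _ in range(trials):
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full-size modulus
        x = secrets.randbits(bits) | (1 << (bits - 1))       # full-size exponent
        y = secrets.randbelow(n)
        z, s, m = modexp(y, x, n)
        if z != pow(y, x, n):                                # cross-check with the built-in
            raise RuntimeError("modexp disagrees with pow()")
        total += s + m
    return total / trials

if __name__ == "__main__":
    print(powers_used(26))
    print(modexp(7, 26, 1009))
    print(average_multiplications())
```

The number of ordinary multiplications equals the number of 1 bits in $X$, so the running time of this simple loop depends on the exponent; libraries that handle secret exponents use constant-time variants for that reason.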
Large-Integer Operations
- Addition and Subtraction
- Multiplication
- Division and Remainder (Mod $N$)
- Exponentiation

Large-Integer Addition
In general, adding two large integers – each consisting of $n$ small blocks – requires $O(n)$ small-integer additions.
Large-integer subtraction is similar.

Large-Integer Multiplication
In general, multiplying two large integers – each consisting of $n$ small blocks – requires $O(n^2)$ small-integer multiplications and $O(n)$ large-integer additions.

Large-Integer Squaring
Careful bookkeeping can save nearly half of the small-integer multiplications (and nearly half of the time).

Recall computing $Y^X \bmod N$
About 2/3 of the multiplications required to compute $Y^X$ are actually squarings.
Overall, efficient squaring can save about 1/3 of the small multiplications required for modular exponentiation.

January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication(A
x+
B
)(
C
x+
D
) = AC
x
2
+ (AD+BC)
x
+ BD
169Slide170
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication(A
x+
B
)(
C
x+
D
) = AC
x
2
+ (AD+BC)
x
+
BD
Given 4 coefficients
A
,
B
,
C
, and
D
,
170Slide171
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication(A
x+
B
)(
C
x+
D
) = AC
x
2
+ (AD+BC)
x
+
BD
Given 4 coefficients
A
,
B
,
C
, and
D
,
we need to compute 3 values:
171Slide172
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication(A
x+
B
)(
C
x+
D
) =
AC
x
2
+ (AD+BC)
x
+
BD
Given 4 coefficients
A
,
B
,
C
, and
D
,
we need to compute 3 values:
AC
,
AD+BC
, and
BD
.
172Slide173
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication(A
x+
B
)(
C
x+
D
) = AC
x
2
+ (
AD+BC
)
x
+
BD
Given 4 coefficients
A
,
B
,
C
, and
D
,
we need to compute 3 values:
AC
,
AD+BC
, and
BD
.
173Slide174
January 6, 2011Practical Aspects of Modern Cryptography
Karatsuba Multiplication(A
x+
B
)(
C
x+
D
) = AC
x
2
+ (AD+BC)
x
+
BD
Given 4 coefficients
A
,
B
,
C
, and
D
,
we need to compute 3 values:
AC
,
AD+BC
, and
BD
.

Karatsuba Multiplication
$(Ax+B)(Cx+D) = ACx^2 + (AD+BC)x + BD$
4 multiplications, 1 addition
$(A+B)(C+D) = AC + AD + BC + BD$
$(A+B)(C+D) - AC - BD = AD + BC$
3 multiplications, 2 additions, 2 subtractions

Karatsuba Multiplication
This can be done on integers as well as on polynomials, but it’s not as nice on integers because of carries.
The larger the integers, the larger the benefit.

Karatsuba Multiplication
$(A \cdot 2^k + B)(C \cdot 2^k + D) = AC \cdot 2^{2k} + (AD+BC) \cdot 2^k + BD$
4 multiplications, 1 addition
$(A+B)(C+D) = AC + AD + BC + BD$
$(A+B)(C+D) - AC - BD = AD + BC$
3 multiplications, 2 additions, 2 subtractions
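The integer form above, written out as an added example (not code from the slides): each operand is split at $2^k$, and the cross term comes from one extra product and two subtractions. The `cutoff_bits` and `stats` parameters and the `schoolbook_mults` helper are assumptions made for this illustration.

```python
# Added illustration (not from the slides): Karatsuba multiplication on
# non-negative integers, splitting each operand at 2^k.

def karatsuba(u, v, cutoff_bits=64, stats=None):
    """Return u*v using three half-size products per level instead of four.

    stats, if given, is a dict whose "base_mults" entry counts the small
    multiplications actually performed (hypothetical bookkeeping).
    """
    if u < 0 or v < 0:
        raise ValueError("operands must be non-negative")
    if u.bit_length() <= cutoff_bits or v.bit_length() <= cutoff_bits:
        if stats is not None:
            stats["base_mults"] = stats.get("base_mults", 0) + 1
        return u * v                         # small operand: multiply directly
    k = max(u.bit_length(), v.bit_length()) // 2
    mask = (1 << k) - 1
    a, b = u >> k, u & mask                  # u = A*2^k + B
    c, d = v >> k, v & mask                  # v = C*2^k + D
    ac = karatsuba(a, c, cutoff_bits, stats)
    bd = karatsuba(b, d, cutoff_bits, stats)
    # A+B and C+D can each be one bit longer than a half: this is the carry
    # that makes the integer case less tidy than the polynomial case.
    cross = karatsuba(a + b, c + d, cutoff_bits, stats) - ac - bd   # AD + BC
    return (ac << (2 * k)) + (cross << k) + bd


def schoolbook_mults(bits, cutoff_bits=64):
    """Base multiplications if every level used four products, not three."""
    levels = 0
    while bits > cutoff_bits:
        bits = (bits + 1) // 2
        levels += 1
    return 4 ** levels
```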

Chinese Remaindering
If $X = A \bmod P$, $X = B \bmod Q$, and $\gcd(P,Q) = 1$, then $X \bmod P \cdot Q$ can be computed as
$X = A \cdot Q \cdot (Q^{-1} \bmod P) + B \cdot P \cdot (P^{-1} \bmod Q)$.

Chinese Remaindering
If $N = PQ$, then a computation mod $N$ can be accomplished by performing the same computation mod $P$ and again mod $Q$ and then using Chinese Remaindering to derive the answer to the mod $N$ computation.

Chinese Remaindering
Since modular exponentiation of $n$-bit integers requires $O(n^3)$ time, performing two modular exponentiations on half size values requires only about one quarter of the time of a single $n$-bit modular exponentiation.
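As an added example (not code from the slides), the recombination formula applied to a modular exponentiation mod $N = PQ$. The primes are constructed sample values, and reducing the exponent mod $P-1$ (Fermat's little theorem) is an assumption added here to make both inputs half size.

```python
# Added illustration (not from the slides). P and Q are constructed sample
# primes (2^61 - 1 and 2^89 - 1), chosen only to keep the numbers short.

P = 2**61 - 1
Q = 2**89 - 1


def crt_combine(a, p, b, q):
    """X mod P*Q from X = A mod P and X = B mod Q, with gcd(P, Q) = 1."""
    q_inv = pow(q, -1, p)                 # Q^-1 mod P (Python 3.8+)
    p_inv = pow(p, -1, q)                 # P^-1 mod Q
    return (a * q * q_inv + b * p * p_inv) % (p * q)


def half_size_pow(y, x, prime):
    """y^x mod prime with base and exponent both reduced to the prime's size."""
    if x < 0:
        raise ValueError("exponent must be non-negative")
    if x == 0:
        return 1 % prime
    y %= prime
    if y == 0:
        return 0                          # exponent reduction needs y != 0 mod prime
    # Assumption added here: Fermat's little theorem, y^(prime-1) = 1 mod prime,
    # lets the exponent be reduced mod (prime - 1).
    return pow(y, x % (prime - 1), prime)


def powmod_crt(y, x, p, q):
    """y^x mod p*q for distinct primes p, q via two half-size exponentiations."""
    return crt_combine(half_size_pow(y, x, p), p, half_size_pow(y, x, q), q)
```

The `y == 0` and `x == 0` branches matter: without them a base divisible by `P` combined with an exponent divisible by `P - 1` would return the wrong residue.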

Modular Reduction
Generally, computing $(AB) \bmod N$ requires much more than twice the time to compute $AB$.
Large-integer division is … slow … cumbersome … disgusting … wretched

The Montgomery Method
The Montgomery Method performs a domain transform to a domain in which the modular reduction operation can be achieved by multiplication and simple truncation.
Since a single modular exponentiation requires many modular multiplications and reductions, transforming the arguments is well justified.

Montgomery Multiplication
Let $A$, $B$, and $M$ be $n$-block integers represented in base $x$ with $0 < M < x^n$.
Let $R = x^n$. $\mathrm{GCD}(R,M) = 1$.
The Montgomery Product of $A$ and $B$ modulo $M$ is the integer $ABR^{-1} \bmod M$.
Let $M' = -M^{-1} \bmod R$ and $S = ABM' \bmod R$.
Fact: $(AB+SM)/R \equiv ABR^{-1} \pmod{M}$.

Using the Montgomery Product
The Montgomery Product $ABR^{-1} \bmod M$ can be computed in the time required for two ordinary large-integer multiplications.
Montgomery transform: $A \mapsto AR \bmod M$.
The Montgomery product of $(AR \bmod M)$ and $(BR \bmod M)$ is $(ABR \bmod M)$.
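The Montgomery product and transform described above, as an added example that is not code from the slides. The class name, the block size of 32 bits (base $x = 2^{32}$) and the square-and-multiply loop are assumptions made for this illustration.

```python
# Added illustration (not from the slides): the Montgomery product with
# base x = 2^32, so that "mod R" is a mask and "/ R" is a shift.
from math import gcd

BLOCK_BITS = 32                            # assumed block size: base x = 2^32


class Montgomery:
    def __init__(self, m, n_blocks):
        self.m = m
        self.r_bits = BLOCK_BITS * n_blocks
        self.r = 1 << self.r_bits                        # R = x^n
        if not 0 < m < self.r or gcd(self.r, m) != 1:
            raise ValueError("need 0 < M < R and gcd(R, M) = 1 (M odd)")
        self.m_prime = (-pow(m, -1, self.r)) % self.r    # M' = -M^-1 mod R

    def product(self, a, b):
        """Montgomery product A*B*R^-1 mod M for 0 <= a, b < M."""
        t = a * b
        s = (t * self.m_prime) & (self.r - 1)    # S = AB*M' mod R: truncation
        u = (t + s * self.m) >> self.r_bits      # exact, since AB + SM = 0 mod R
        return u - self.m if u >= self.m else u  # u < 2M, so one subtraction

    def to_mont(self, a):
        return (a * self.r) % self.m             # A -> AR mod M (done once)

    def from_mont(self, a_bar):
        return self.product(a_bar, 1)            # (AR) * 1 * R^-1 = A mod M

    def power(self, y, x):
        """y^x mod M by square-and-multiply inside the Montgomery domain."""
        acc = self.to_mont(1)
        base = self.to_mont(y % self.m)
        while x:
            if x & 1:
                acc = self.product(acc, base)
            base = self.product(base, base)
            x >>= 1
        return self.from_mont(acc)
```

Only `to_mont` performs a division by `M`; every multiplication inside `power` reduces with a mask and a shift.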

One-Way Functions
$Z = Y^X \bmod N$

One-Way Functions
Informally, $F : X \to Y$ is one-way if
Given $x$, $y = F(x)$ is easily computable.
Given $y$, it is difficult to find any $x$ for which $y = F(x)$.

One-Way Functions
The family of functions $F_{Y,N}(X) = Y^X \bmod N$ is believed to be one-way for most $N$ and $Y$.
No one has ever proven a function to be one-way, and doing so would, at a minimum, yield as a consequence that P $\neq$ NP.

One-Way Functions
When viewed as a two-argument function, the (candidate) one-way function $F_N(Y,X) = Y^X \bmod N$ also satisfies a useful additional property which has been termed quasi-commutativity:
$F(F(Y,X_1),X_2) = F(F(Y,X_2),X_1)$
since $Y^{X_1 X_2} = Y^{X_2 X_1}$.

Diffie-Hellman Key Exchange
Alice
Randomly select a large integer $a$ and send $A = Y^a \bmod N$.
Compute the key $K = B^a \bmod N$.
Bob
Randomly select a large integer $b$ and send $B = Y^b \bmod N$.
Compute the key $K = A^b \bmod N$.
$B^a = Y^{ba} = Y^{ab} = A^b$

Diffie-Hellman Key Exchange
What does Eve see?
$Y$, $Y^a$, $Y^b$
… but the exchanged key is $Y^{ab}$.
Belief: Given $Y$, $Y^a$, $Y^b$ it is difficult to compute $Y^{ab}$.
Contrast with discrete logarithm assumption: Given $Y$, $Y^a$ it is difficult to compute $a$.
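The exchange above with both sides' messages and Eve's view, as an added example that is not code from the slides. The modulus `N`, the base `Y`, the function names and the range check on the received value are assumptions made for this illustration.

```python
# Added illustration (not from the slides). N and Y are constructed sample
# parameters: N = 2^127 - 1 is prime but much smaller than deployed moduli.
import secrets

N = 2**127 - 1
Y = 3


def F(y, x, n=N):
    """The candidate one-way function F_N(Y, X) = Y^X mod N."""
    return pow(y, x, n)


def keypair():
    """Pick a random secret exponent and the public value to send."""
    while True:
        secret = secrets.randbelow(N - 3) + 2        # 2 <= secret <= N - 2
        public = F(Y, secret)
        if 2 <= public <= N - 2:
            return secret, public


def shared_key(own_secret, peer_public):
    """K = peer_public^own_secret mod N, after a range check on the peer value.

    The check is an addition here: 0, 1 and N-1 each confine K to one or
    two fixed values whatever own_secret is.
    """
    if not 2 <= peer_public <= N - 2:
        raise ValueError("peer public value out of range")
    return F(peer_public, own_secret)


def exchange():
    """Run both sides; return Alice's key, Bob's key and what Eve observes."""
    a, A = keypair()                  # Alice -> Bob: A = Y^a mod N
    b, B = keypair()                  # Bob -> Alice: B = Y^b mod N
    eve_sees = {"Y": Y, "N": N, "A": A, "B": B}     # never a, b or Y^ab
    return shared_key(a, B), shared_key(b, A), eve_sees
```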

More on Quasi-Commutativity
Quasi-commutativity has additional applications.
decentralized digital signatures
membership testing
digital time-stamping

One-Way Trap-Door Functions
$Z = Y^X \bmod N$
Recall that this equation is solvable for $Y$ if the factorization of $N$ is known, but is believed to be hard otherwise.

RSA Public-Key Cryptosystem
Alice
Select two large random primes $P$ & $Q$.
Publish the product $N = PQ$.
Use knowledge of $P$ & $Q$ to compute $Y$.
Anyone
To send message $Y$ to Alice, compute $Z = Y^X \bmod N$.
Send $Z$ and $X$ to Alice.

RSA Public-Key Cryptosystem
In practice, the exponent $X$ is almost always fixed to be $X = 65537 = 2^{16} + 1$.

Some RSA Details
When $N = PQ$ is the product of distinct primes, $Y^X \bmod N = Y$ whenever $X \bmod (P-1)(Q-1) = 1$ and $0 \le Y < N$.
Alice can easily select integers $E$ and $D$ such that $E \cdot D \bmod (P-1)(Q-1) = 1$.

Some RSA Details
Encryption: $E(Y) = Y^E \bmod N$.
Decryption: $D(Y) = Y^D \bmod N$.
$D(E(Y)) = (Y^E \bmod N)^D \bmod N = Y^{ED} \bmod N = Y$

RSA Signatures
An additional property
$D(E(Y)) = Y^{ED} \bmod N = Y$
$E(D(Y)) = Y^{DE} \bmod N = Y$
Only Alice (knowing the factorization of $N$) knows $D$. Hence only Alice can compute $D(Y) = Y^D \bmod N$.
This $D(Y)$ serves as Alice’s signature on $Y$.

Public Key Directory
(Recall that $E$ is commonly fixed to be $E = 65537$.)

Certificate Authority
“Alice’s public modulus is $N_A$ = 331490324840…” -- signed CA.

Trust Chains
Alice certifies Bob’s key.
Bob certifies Carol’s key.
If I trust Alice should I accept Carol’s key?

Authentication
How can I use RSA to authenticate someone’s identity?
If Alice’s public key is $E_A$, just pick a random message $m$ and send $E_A(m)$.
If $m$ comes back, I must be talking to Alice.

Authentication
Should Alice be happy with this method of authentication?
Bob sends Alice the authentication string y = “I owe Bob $1,000,000 - signed Alice.”
Alice dutifully authenticates herself by decrypting (putting her signature on) y.

Authentication
What if Alice only returns authentication queries when the decryption has a certain format?

RSA Cautions
Is it reasonable to sign/decrypt something given to you by someone else?
Note that RSA is multiplicative. Can this property be used/abused?

RSA Cautions
$D(Y_1) \cdot D(Y_2) = D(Y_1 \cdot Y_2)$
Thus, if I’ve decrypted (or signed) $Y_1$ and $Y_2$, I’ve also decrypted (or signed) $Y_1 \cdot Y_2$.
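The multiplicative identity above checked on a small key, next to the same check when only a digest of the message is signed; this is an added example, not code from the slides. The primes, the SHA-256 digest-to-integer encoding and all function names are assumptions made for this illustration.

```python
# Added illustration (not from the slides). P and Q are constructed sample
# primes; sign_digest is a teaching sketch and omits the padding that
# deployed signature schemes place around the digest.
import hashlib

P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # E*D mod (P-1)(Q-1) = 1


def encrypt(y):
    return pow(y, E, N)                  # E(Y) = Y^E mod N


def decrypt(z):
    return pow(z, D, N)                  # D(Y) = Y^D mod N, also raw signing


def digest_int(message):
    """SHA-256 of the message as an integer below N (assumed encoding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign_digest(message):
    return decrypt(digest_int(message))


def verify_digest(message, signature):
    return encrypt(signature) == digest_int(message)


def raw_signatures_multiply(y1, y2):
    """True when D(Y1)*D(Y2) = D(Y1*Y2) mod N holds for raw values."""
    return decrypt(y1) * decrypt(y2) % N == decrypt(y1 * y2 % N)


def digest_signatures_combine(m1, m2):
    """Does the product of two digest signatures verify for m1 + m2?"""
    combined = sign_digest(m1) * sign_digest(m2) % N
    return verify_digest(m1 + m2, combined)
```

The product of two digest signatures is still a valid raw signature on the product of the two digests, but that product is not the digest of any message the signer was asked about, which is why `digest_signatures_combine` returns `False`.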

The Hastad Attack
Given
$E_1(x) = x^3 \bmod n_1$
$E_2(x) = x^3 \bmod n_2$
$E_3(x) = x^3 \bmod n_3$
one can easily compute $x$.

The Bleichenbacher Attack
PKCS#1 Message Format:
00 01 XX XX ... XX 00 YY YY ... YY
XX ... XX: random non-zero bytes
YY ... YY: message

“Man-in-the-Middle” Attacks

The Practical Side
RSA can be used to encrypt any data.
Public-key (asymmetric) cryptography is very inefficient when compared to traditional private-key (symmetric) cryptography.

The Practical Side
For efficiency, one generally uses RSA (or another public-key algorithm) to transmit a private (symmetric) key.
The private session key is used to encrypt any subsequent data.
Digital signatures are only used to sign a digest of the message.