|
|
|
|
|
Josh Benaloh & Brian LaMacchia |
|
|
|
|
Protecting Privacy of Data |
|
Authentication of Identities |
|
Preservation of Integrity |
|
|
|
… basically any protocols designed to operate in
an environment absent of universal trust. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Alice and Bob decide to make a decision by
flipping a coin. |
|
|
|
Alice and Bob are not in the same place. |
|
|
|
|
Protocol must be asynchronous. |
|
|
|
We cannot assume simultaneous actions. |
|
|
|
Players must take turns. |
|
|
|
|
|
|
Two-part answer: |
|
|
|
NO – I will sketch a formal proof. |
|
|
|
YES – I will provide an effective protocol. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
When the pruning is complete one will end up
with either |
|
|
|
a winner before the protocol has begun, or |
|
|
|
a useless infinite game. |
|
|
|
|
|
|
Remote coin flipping is utterly impossible!!! |
|
|
|
|
The INTEGERS (arranged by residue mod 4)

0  4  8 12 16 …
1  5  9 13 17 …   (Type +1)
2  6 10 14 18 …
3  7 11 15 19 …   (Type –1)
|
|
|
|
|
|
|
|
Fact 1 |
|
|
|
Multiplying two (odd) integers of the same type
always yields a product of Type +1. |
|
|
|
(4p+1)(4q+1) = 16pq+4p+4q+1 = 4(4pq+p+q)+1 |
|
|
|
(4p–1)(4q–1) = 16pq–4p–4q+1 = 4(4pq–p–q)+1 |
|
|
|
|
Fact 2 |
|
|
|
There is no known method (other than factoring)
to distinguish a product of two “Type +1” integers from a product of two
“Type –1” integers. |
|
|
|
|
Fact 3 |
|
|
|
Factoring large integers is believed to be much
harder than multiplying large integers. |
|
|
|
|
Alice

Randomly select a bit b ∈ {±1} and two large integers P and Q – both of type b.

Compute N = PQ.

Send N to Bob.

Bob

After receiving N from Alice, guess the value of b and send this guess to Alice.

Alice

After receiving b from Bob, reveal P and Q.
|
|
|
|
|
|
Randomly pick large integers p, q, r, and s. |
|
Send Bob N = (4p+1)(4q+1)(4r–1)(4s–1). |
|
If Bob guesses –1, send P = (4p+1)(4q+1)
and Q = (4r–1)(4s–1). |
|
If Bob guesses +1, send P = (4p+1)(4r–1)
and Q = (4q+1)(4s–1). |
|
|
|
|
|
|
|
|
|
|
Alice

Randomly select a bit b ∈ {±1} and two large primes P and Q – both of type b.

Compute N = PQ.

Send N to Bob.

Bob

After receiving N from Alice, guess the value of b and send this guess to Alice.

Alice

After receiving b from Bob, reveal P and Q.
|
|
|
|
|
|
|
Basic result from group theory –

If p is a prime, then for every integer a with 0 < a < p, a^(p−1) mod p = 1.

This is almost never true when p is composite.
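The protocol above, Alice's composite-factor cheat, and the primality check that closes it, as an added example that is not part of the slides. Bob's verification applies the Fermat test just stated; the bit sizes, seeds and the small values p, q, r, s used for the cheat are constructed for the demo.

```python
import random

# Added example, not from the Benaloh/LaMacchia slides: the remote coin
# flip built from integer "types", with the verification Bob performs
# when Alice opens her commitment.  "Type" is the residue mod 4:
# +1 for 1 (mod 4), -1 for 3 (mod 4).  All sizes and seeds are constructed.


def integer_type(n):
    """+1 for n = 1 (mod 4), -1 for n = 3 (mod 4), 0 for even n."""
    return {1: 1, 3: -1}.get(n % 4, 0)


def fermat_probable_prime(p, rounds=32, rng=random):
    """The test from the slides: a^(p-1) mod p == 1 for 0 < a < p.
    A composite fails this for most bases a (Carmichael numbers excepted)."""
    if p < 4:
        return p in (2, 3)
    for _ in range(rounds):
        a = rng.randrange(2, p - 1)
        if pow(a, p - 1, p) != 1:
            return False
    return True


def random_prime_of_type(bits, t, rng):
    """Random probable prime of `bits` bits with the requested type t."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if integer_type(cand) == t and fermat_probable_prime(cand, rng=rng):
            return cand


def alice_commit(bits, rng):
    """Alice: pick b in {+1, -1}, primes P and Q of type b, publish N = PQ."""
    b = rng.choice((1, -1))
    P = random_prime_of_type(bits, b, rng)
    Q = random_prime_of_type(bits, b, rng)
    return b, P, Q, P * Q


def bob_verify(N, P, Q, check_primes=True):
    """Bob: check the opening (P, Q) of N and recover the committed bit.
    Returns +1 / -1, or None when the opening is rejected."""
    if P * Q != N:
        return None
    if integer_type(P) == 0 or integer_type(P) != integer_type(Q):
        return None                      # both factors must share one type
    if check_primes and not (fermat_probable_prime(P) and fermat_probable_prime(Q)):
        return None                      # the fix from the slides: primes only
    return integer_type(P)


def run_protocol(bits=64, seed=1):
    """One honest run.  Returns (opening accepted, Bob guessed right)."""
    rng = random.Random(seed)
    b, P, Q, N = alice_commit(bits, rng)
    guess = rng.choice((1, -1))          # Bob sees only N when guessing
    opened = bob_verify(N, P, Q)
    return opened == b, guess == b


def cheating_alice(p, q, r, s, check_primes=True):
    """Alice's cheat from the slides: N = (4p+1)(4q+1)(4r-1)(4s-1) opens
    either as two type +1 factors or as two type -1 factors, so she can
    'reveal' whichever bit Bob did not guess.  Returns Bob's verdict for
    each opening; with the primality check both are None."""
    N = (4 * p + 1) * (4 * q + 1) * (4 * r - 1) * (4 * s - 1)
    if_bob_guessed_minus = ((4 * p + 1) * (4 * q + 1), (4 * r - 1) * (4 * s - 1))
    if_bob_guessed_plus = ((4 * p + 1) * (4 * r - 1), (4 * q + 1) * (4 * s - 1))
    return (bob_verify(N, *if_bob_guessed_minus, check_primes=check_primes),
            bob_verify(N, *if_bob_guessed_plus, check_primes=check_primes))
```

With `check_primes=False` Bob accepts both of Alice's openings (one reads as +1, the other as −1), which is exactly the cheat; with the Fermat test in place both openings are rejected because the revealed factors are composite.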
|
|
|
|
|
|
The impossibility proof assumed unlimited
computational ability. |
|
|
|
The protocol is not 50/50 -- Bob has a small
advantage. |
|
|
|
|
|
|
Remote Card Playing |
|
|
|
Internet Gambling |
|
|
|
Various “Fair” Agreement Protocols |
|
|
|
|
We have implemented remote coin flipping via bit
commitment. |
|
|
|
Commitment protocols can also be used for |
|
Sealed bidding |
|
Undisclosed contracts |
|
Authenticated predictions |
|
|
|
|
|
|
We have implemented bit commitment via one-way
functions. |
|
|
|
One-way functions can be used for |
|
Authentication |
|
Data integrity |
|
Strong “randomness” |
|
|
|
|
|
|
|
Two basic classes of one-way functions |
|
|
|
Mathematical |
|
Multiplication: Z = X•Y

Modular Exponentiation: Z = Y^X mod N
|
Ugly |
|
|
|
|
|
|
|
|
Z = Y^X mod N

When Z is unknown, it can be efficiently computed.

When X is unknown, the problem is known as the discrete logarithm and is generally believed to be hard to solve.

When Y is unknown, the problem is known as discrete root finding and is generally believed to be hard to solve … unless the factorization of N is known.

The problem is not well-studied for the case when N is unknown.
|
|
|
|
|
|
Compute Y^X and then reduce mod N.

If X, Y, and N each are 1,000-bit integers, Y^X consists of ~2^1010 bits.

Since there are roughly 2^250 particles in the universe, storage is a problem.

Repeatedly multiplying by Y (followed each time by a reduction modulo N) X times solves the storage problem.

However, we would need to perform ~2^900 32-bit multiplications per second to complete the computation before the sun burns out.
|
|
|
|
|
|
Multiplication by Repeated Doubling

To compute X • Y,

compute Y, 2Y, 4Y, 8Y, 16Y, …

and sum up those values dictated by the binary representation of X.

Example: 26Y = 2Y + 8Y + 16Y.
|
|
|
|
|
|
Exponentiation by Repeated Squaring

To compute Y^X,

compute Y, Y^2, Y^4, Y^8, Y^16, …

and multiply those values dictated by the binary representation of X.

Example: Y^26 = Y^2 • Y^8 • Y^16.
|
|
|
|
We can now perform a 1,000-bit modular exponentiation using ~1,500 1,000-bit modular multiplications.

1,000 squarings: y, y^2, y^4, …, y^(2^1000)

~500 “ordinary” multiplications
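Repeated doubling and repeated squaring, instrumented to count operations, as an added example that is not part of the slides. The exponent, base and modulus used for the 1,000-bit count are constructed (seeded) inputs.

```python
import random

# Added example, not from the slides: the two procedures above with
# operation counters, so the ~1,000 squarings + ~500 multiplications
# figure for a 1,000-bit exponent can be checked directly.


def multiply_by_doubling(x, y):
    """x * y from the sequence y, 2y, 4y, 8y, ... selected by the bits of x
    (26y = 2y + 8y + 16y).  Returns (product, doublings, additions)."""
    total, power, doublings, additions = 0, y, 0, 0
    while x:
        if x & 1:
            total += power
            additions += 1
        x >>= 1
        if x:                           # no need to double past the top bit
            power += power
            doublings += 1
    return total, doublings, additions


def modexp_by_squaring(y, x, n):
    """y^x mod n from the sequence y, y^2, y^4, y^8, ... selected by the
    bits of x (Y^26 = Y^2 * Y^8 * Y^16).  Reducing mod n after every
    product keeps each intermediate value below n, which is what makes
    the computation feasible.  Returns (result, squarings, multiplications)."""
    result, power, squarings, mults = 1, y % n, 0, 0
    while x:
        if x & 1:
            result = (result * power) % n
            mults += 1
        x >>= 1
        if x:
            power = (power * power) % n
            squarings += 1
    return result, squarings, mults


def exponentiation_cost(bits, seed=0):
    """Operation counts for a random `bits`-bit exponent with its top bit
    set (constructed input).  Returns (squarings, multiplications,
    number of set bits in x, result agrees with pow())."""
    rng = random.Random(seed)
    x = rng.getrandbits(bits) | (1 << (bits - 1))
    n = (1 << bits) - 1                  # any odd modulus serves for counting
    result, squarings, mults = modexp_by_squaring(3, x, n)
    return squarings, mults, bin(x).count("1"), result == pow(3, x, n)
```

For a 1,000-bit exponent the squarings are fixed at 999 (one per bit below the top bit) while the multiplications equal the number of set bits, about 500 on average, which is where the ~1,500 total comes from.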
|
|
|
|
|
|
Addition and Subtraction |
|
Multiplication |
|
Division and Remainder (Mod N) |
|
Exponentiation |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In general, adding two large integers – each
consisting of n small blocks – requires O(n) small-integer additions. |
|
|
|
Large-integer subtraction is similar. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In general, multiplying two large integers – each consisting of n small blocks – requires O(n^2) small-integer multiplications and O(n) large-integer additions.
|
|
|
|
|
|
|
|
|
|
|
|
Careful bookkeeping can save nearly half of the
small-integer multiplications (and nearly half of the time). |
|
|
|
|
About 2/3 of the multiplications required to
compute YX are actually squarings. |
|
|
|
Overall, efficient squaring can save about 1/3
of the small multiplications required for modular exponentiation. |
|
|
|
|
|
|
(Ax+B)(Cx+D) = ACx^2 + (AD+BC)x + BD

4 multiplications, 1 addition

(A+B)(C+D) = AC + AD + BC + BD

(A+B)(C+D) – AC – BD = AD + BC

3 multiplications, 2 additions, 2 subtractions
|
|
|
|
|
|
|
|
|
|
|
|
This can be done on integers as well as on
polynomials, but it’s not as nice on integers because of carries. |
|
|
|
The larger the integers, the larger the benefit. |
|
|
|
|
(A•2^k + B)(C•2^k + D) = AC•2^(2k) + (AD+BC)•2^k + BD

4 multiplications, 1 addition

(A+B)(C+D) = AC + AD + BC + BD

(A+B)(C+D) – AC – BD = AD + BC

3 multiplications, 2 additions, 2 subtractions
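The three-multiplication identity applied recursively to integers split at 2^k, next to block-by-block schoolbook multiplication, as an added example that is not part of the slides. The 32-bit block size and the test operands are constructed choices.

```python
# Added example, not from the slides: Karatsuba multiplication on integers
# split at 2^k as in the identity above, next to block-by-block
# "schoolbook" multiplication.  Both count the small-integer products
# (operands of at most `block_bits` bits) so the saving is visible.


def karatsuba(a, b, block_bits=32, counter=None):
    """a * b for non-negative a, b with three recursive products per level.
    counter[0] accumulates the number of small-integer multiplications."""
    if counter is None:
        counter = [0]
    if a.bit_length() <= block_bits and b.bit_length() <= block_bits:
        counter[0] += 1
        return a * b                         # a "small" multiplication
    k = max(a.bit_length(), b.bit_length()) // 2
    mask = (1 << k) - 1
    A, B = a >> k, a & mask                  # a = A*2^k + B
    C, D = b >> k, b & mask                  # b = C*2^k + D
    ac = karatsuba(A, C, block_bits, counter)
    bd = karatsuba(B, D, block_bits, counter)
    # (A+B)(C+D) - AC - BD = AD + BC: one product instead of two.  A+B and
    # C+D may be one bit longer than k (the carries the slide mentions).
    mid = karatsuba(A + B, C + D, block_bits, counter) - ac - bd
    return (ac << (2 * k)) + (mid << k) + bd


def karatsuba_with_count(a, b, block_bits=32):
    """Returns (product, small multiplications used)."""
    counter = [0]
    return karatsuba(a, b, block_bits, counter), counter[0]


def schoolbook(a, b, block_bits=32):
    """n-block by n-block multiplication: n^2 small products.
    Returns (product, small multiplications used)."""
    mask = (1 << block_bits) - 1

    def blocks(v):
        out = []
        while v:
            out.append(v & mask)
            v >>= block_bits
        return out or [0]

    total, count = 0, 0
    for i, u in enumerate(blocks(a)):
        for j, v in enumerate(blocks(b)):
            total += (u * v) << (block_bits * (i + j))
            count += 1
    return total, count
```

Each level of recursion replaces four half-size products with three, so the leaf count grows as 3^levels instead of 4^levels; the extra bit carried by A+B and C+D is why the integer version is not quite as clean as the polynomial one.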
|
|
|
|
Generally, computing (A•B) mod N requires much
more than twice the time to compute A•B. |
|
|
|
Division is slow and cumbersome. |
|
|
|
|
|
|
|
|
The Montgomery Method performs a domain
transform to a domain in which the modular reduction operation can be
achieved by multiplication and simple truncation. |
|
Since a single modular exponentiation requires
many modular multiplications and reductions, transforming the arguments is
well justified. |
|
|
|
|
Let A, B, and M be n-block integers represented in base x with 0 ≤ M < x^n.

Let R = x^n. GCD(R, M) = 1.

The Montgomery Product of A and B modulo M is the integer ABR^(−1) mod M.

Let M′ = −M^(−1) mod R and S = ABM′ mod R.

Fact: (AB + SM)/R ≡ ABR^(−1) (mod M).

The Montgomery Product ABR^(−1) mod M can be computed in the time required for two ordinary large-integer multiplications.

Montgomery transform: A → AR mod M.

The Montgomery product of (AR mod M) and (BR mod M) is (ABR mod M).
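The Montgomery product as defined above, with the transform and a modular exponentiation that stays in the transformed domain, as an added example that is not part of the slides. With x = 2^32 the "mod R" truncation is a mask and the division by R is a shift; the modulus and operands in the usage are constructed.

```python
# Added example, not from the slides: the Montgomery product defined
# above (with the (AB + SM)/R fact) and a modular exponentiation that
# stays in the transformed domain, paying the real reductions only on
# entry and exit.  Parameters below are constructed for the demo.


def montgomery_setup(M, n_blocks, block_bits=32):
    """R = x^n for x = 2^block_bits; M must be odd so gcd(R, M) = 1.
    Returns (R, M') with M' = -M^(-1) mod R."""
    R = 1 << (block_bits * n_blocks)
    if M % 2 == 0 or not 0 < M < R:
        raise ValueError("need odd M with 0 < M < R")
    return R, (-pow(M, -1, R)) % R


def montgomery_product(A, B, M, R, M_prime):
    """A*B*R^(-1) mod M for 0 <= A, B < M.  Only multiplication, a
    truncation mod R, an exact shift by log2(R) and one conditional
    subtraction are used; there is no division by M."""
    T = A * B
    S = ((T % R) * M_prime) % R              # S = A B M' mod R
    U = (T + S * M) >> (R.bit_length() - 1)  # (AB + SM) / R, divides exactly
    return U - M if U >= M else U            # U < 2M, so one subtraction suffices


def to_montgomery(A, M, R):
    """A -> AR mod M (one ordinary reduction on entry)."""
    return (A * R) % M


def from_montgomery(A_bar, M, R, M_prime):
    """AR mod M -> A, since (AR) * 1 * R^(-1) = A."""
    return montgomery_product(A_bar, 1, M, R, M_prime)


def montgomery_modexp(y, x, M, n_blocks=4, block_bits=32):
    """y^x mod M by square-and-multiply on Montgomery representatives."""
    R, M_prime = montgomery_setup(M, n_blocks, block_bits)
    result = to_montgomery(1, M, R)
    power = to_montgomery(y % M, M, R)
    while x:
        if x & 1:
            result = montgomery_product(result, power, M, R, M_prime)
        x >>= 1
        if x:
            power = montgomery_product(power, power, M, R, M_prime)
    return from_montgomery(result, M, R, M_prime)
```

The exactness of the shift follows from S·M ≡ −AB (mod R), and the bound U < 2M from AB < M^2 < RM and SM < RM; both are what the Fact above asserts.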
|
|
|
|
Another way to speed up modular exponentiation
is by precomputation of many small products. |
|
For instance, if I have y, y^2, y^3, …, y^15 computed in advance, I can multiply by (for example) y^13 without having to multiply individually by y, y^4, and y^8.
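Fixed-window exponentiation with the precomputed table y, y^2, …, y^15, as an added example that is not part of the slides. The window width of 4 bits matches the table in the text; the exponents in the usage are constructed.

```python
# Added example, not from the slides: fixed-window exponentiation using
# the precomputed table y, y^2, ..., y^15 described above.  The
# multiplication count includes the 14 products needed to build the table.


def modexp_window(y, x, n, window=4):
    """y^x mod n, consuming `window` bits of x per step: `window` squarings
    and then at most one multiplication by a table entry, e.g. a digit 13
    costs one product with y^13 instead of three with y, y^4 and y^8.
    Returns (result, squarings, multiplications)."""
    if x == 0:
        return 1 % n, 0, 0
    table = [1, y % n]
    for _ in range(2, 1 << window):
        table.append((table[-1] * y) % n)        # y^2 ... y^15, built once
    precomp = len(table) - 2
    mask = (1 << window) - 1
    top = ((x.bit_length() + window - 1) // window) * window
    digits = [(x >> s) & mask for s in range(top - window, -1, -window)]
    result, squarings, mults = table[digits[0]], 0, 0
    for digit in digits[1:]:                     # most significant digit first
        for _ in range(window):
            result = (result * result) % n
            squarings += 1
        if digit:
            result = (result * table[digit]) % n
            mults += 1
    return result, squarings, mults + precomp
```

For a 1,000-bit exponent the squarings stay at about 1,000, but the multiplications drop from roughly one per set bit (about 500) to at most one per 4-bit digit (250) plus the 14 table products.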
|
|
|
|
|
|
Informally, F : X → Y is one-way if

Given x, y = F(x) is easily computable.

Given y, it is difficult to find any x for which y = F(x).
|
|
|
|
|
|
The family of functions

F_{Y,N}(X) = Y^X mod N

is believed to be one-way for most N and Y.

No one has ever proven a function to be one-way, and doing so would, at a minimum, yield as a consequence that P ≠ NP.
|
|
|
|
When viewed as a two-argument function, the (candidate) one-way function

F_N(Y, X) = Y^X mod N

also satisfies a useful additional property which has been termed quasi-commutativity:

F(F(Y, X_1), X_2) = F(F(Y, X_2), X_1)

since Y^(X_1 X_2) = Y^(X_2 X_1).
|
|
|
|
|
|
|
|
Alice

Randomly select a large integer a and send A = Y^a mod N.

Compute the key K = B^a mod N.

Bob

Randomly select a large integer b and send B = Y^b mod N.

Compute the key K = A^b mod N.
|
|
|
|
|
|
What does Eve see?

Y, Y^a, Y^b

… but the exchanged key is Y^(ab).

Belief: Given Y, Y^a, Y^b it is difficult to compute Y^(ab).

Contrast with discrete logarithm assumption: Given Y, Y^a it is difficult to compute a.
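The exchange above run end to end, with the quasi-commutativity check it relies on and the degenerate-value check each side should apply to what it receives, as an added example that is not part of the slides. The group (P = 2^127 − 1, G = 3) is a constructed toy, not a standardized parameter set; the fixed secrets in the usage are constructed too.

```python
import secrets

# Added example, not from the slides: the exchange above run end to end,
# plus the quasi-commutativity check it relies on.  P and G are a
# constructed toy group (2^127 - 1 is prime); a real deployment would use
# a published safe-prime group of adequate size.

P = (1 << 127) - 1
G = 3


def F(N, Y, X):
    """F_N(Y, X) = Y^X mod N, the candidate one-way function from the slides."""
    return pow(Y, X, N)


def quasi_commutes(N, Y, x1, x2):
    """F(F(Y, x1), x2) == F(F(Y, x2), x1), i.e. Y^(x1 x2) == Y^(x2 x1)."""
    return F(N, F(N, Y, x1), x2) == F(N, F(N, Y, x2), x1)


def accepts_public_value(value, p=P):
    """Reject 0, 1 and p-1: those values force a trivially predictable key."""
    return 1 < value < p - 1


class Party:
    def __init__(self, name, secret=None, p=P, g=G):
        self.name, self.p = name, p
        self.secret = secret if secret is not None else secrets.randbelow(p - 3) + 2
        self.public = F(p, g, self.secret)            # A = Y^a mod N (sent)

    def shared_key(self, other_public):
        if not accepts_public_value(other_public, self.p):
            raise ValueError("degenerate public value")
        return F(self.p, other_public, self.secret)   # K = B^a mod N


def run_exchange(a=None, b=None):
    """Returns (Alice's key, Bob's key, what Eve sees on the wire)."""
    alice, bob = Party("Alice", a), Party("Bob", b)
    eve_sees = (G, alice.public, bob.public)          # Y, Y^a, Y^b
    return alice.shared_key(bob.public), bob.shared_key(alice.public), eve_sees
```

Both keys equal Y^(ab) because the two orders of exponentiation commute; Eve's transcript contains Y, Y^a and Y^b but neither secret.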
|
|
|
|
|
|
Quasi-commutativity has additional applications.
|
|
|
decentralized digital signatures |
|
membership testing |
|
digital time-stamping |
|
|
|
|
|
|
|
|
Z = Y^X mod N

Recall that this equation is solvable for Y if the factorization of N is known, but is believed to be hard otherwise.
|
|
|
|
|
|
Alice

Select two large random primes P & Q.

Publish the product N = PQ.

Use knowledge of P & Q to compute Y.

Anyone

To send message Y to Alice, compute Z = Y^X mod N.

Send Z and X to Alice.
|
|
|
|
|
|
In practice, the exponent X is almost always fixed to be X = 65537 = 2^16 + 1.
|
|
|
|
|
|
|
|
When N = PQ is the product of distinct primes,

Y^X mod N = Y

whenever

X mod (P−1)(Q−1) = 1 and 0 ≤ Y < N.

Alice can easily select integers E and D such that E•D mod (P−1)(Q−1) = 1.
|
|
|
|
Encryption: E(Y) = Y^E mod N.

Decryption: D(Y) = Y^D mod N.

D(E(Y))

= (Y^E mod N)^D mod N

= Y^(ED) mod N

= Y
|
|
|
|
An additional property

D(E(Y)) = Y^(ED) mod N = Y

E(D(Y)) = Y^(DE) mod N = Y

Only Alice (knowing the factorization of N) knows D. Hence only Alice can compute D(Y) = Y^D mod N.

This D(Y) serves as Alice’s signature on Y.
|
|
|
|
|
|
|
|
Alice certifies Bob’s key. |
|
Bob certifies Carol’s key. |
|
|
|
If I trust Alice should I accept Carol’s key? |
|
|
|
|
How can I use RSA to authenticate someone’s
identity? |
|
|
|
If Alice’s public key is E_A, just pick a random message m and send E_A(m).
|
|
|
If m comes back, I must be talking to Alice. |
|
|
|
|
Should Alice be happy with this method of
authentication? |
|
|
|
Bob sends Alice the authentication string y = “I owe Bob $1,000,000 - signed
Alice.” |
|
|
|
Alice dutifully authenticates herself by
decrypting (putting her signature on) y. |
|
|
|
|
What if Alice only returns authentication
queries when the decryption has a certain format? |
|
|
|
|
Is it reasonable to sign/decrypt something given
to you by someone else? |
|
|
|
Note that RSA is multiplicative. Can this property be used/abused? |
|
|
|
|
D(Y_1) • D(Y_2) = D(Y_1 • Y_2)

Thus, if I’ve decrypted (or signed) Y_1 and Y_2, I’ve also decrypted (or signed) Y_1 • Y_2.
|
|
|
|
Given

E_1(x) = x^3 mod n_1

E_2(x) = x^3 mod n_2

E_3(x) = x^3 mod n_3

one can easily compute x.
|
|
|
|
PKCS#1 Message Format: |
|
|
|
00 01 XX XX ... XX 00 YY YY ... YY |
|
|
|
|
|
|
RSA can be used to encrypt any data. |
|
|
|
Public-key (asymmetric) cryptography is very
inefficient when compared to traditional private-key (symmetric)
cryptography. |
|
|
|
|
For efficiency, one generally uses RSA (or
another public-key algorithm) to transmit a private (symmetric) key. |
|
The private session key is used to encrypt any
subsequent data. |
|
|
|
Digital signatures are only used to sign a digest
of the message. |
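Textbook RSA with the parameters the deck describes, the multiplicative property D(Y_1)•D(Y_2) = D(Y_1•Y_2) noted earlier, and the effect of signing a digest instead of the raw value, as an added example that is not part of the slides. The primes are Mersenne primes chosen only so the demo is deterministic and are not a usable key; the messages are constructed.

```python
import hashlib

# Added example, not from the slides: textbook RSA with the parameters the
# deck describes (E = 65537, E*D = 1 mod (P-1)(Q-1)), the multiplicative
# property D(Y1) D(Y2) = D(Y1 Y2), and the reason signatures are applied
# to a digest: the hash is not multiplicative, so a product of two valid
# signatures verifies for no actual message.  P and Q are Mersenne primes
# chosen only so the demo is deterministic; they are not a usable key.

P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                                   # 2^16 + 1, the fixed exponent in practice
D = pow(E, -1, PHI)                         # E * D mod (P-1)(Q-1) = 1


def encrypt(y, e=E, n=N):
    """E(Y) = Y^E mod N (anyone can do this from the public N, E)."""
    return pow(y, e, n)


def decrypt(z, d=D, n=N):
    """D(Z) = Z^D mod N (needs D, hence the factorization of N)."""
    return pow(z, d, n)


def raw_sign(y):
    """Alice's raw signature on the bare value Y is D(Y)."""
    return decrypt(y)


def raw_verify(y, sig):
    """E(D(Y)) = Y, so a raw signature checks out iff E(sig) == Y."""
    return encrypt(sig) == y % N


def multiplicative_forgery(y1, y2):
    """From raw signatures on Y1 and Y2, a valid raw signature on Y1*Y2."""
    return (raw_sign(y1) * raw_sign(y2)) % N


def digest(message):
    """SHA-256 of the message as an integer below N (N has about 648 bits)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message):
    """Hash-then-sign: the signature covers digest(message), not the message."""
    return raw_sign(digest(message))


def verify(message, sig):
    return raw_verify(digest(message), sig)
```

With raw signatures, two signed values yield a third valid signature on their product with no help from Alice; with hash-then-sign the same product of signatures corresponds to the value H(m_1)·H(m_2) mod N, which is not the digest of any message the forger can exhibit.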
|