Josh Benaloh & Brian LaMacchia |
|
|
|
|
|
|
1976 New Directions in Cryptography |
|
Whit Diffie and Marty Hellman |
|
One-Way functions |
|
Diffie-Hellman Key Exchange |
|
1978 RSA paper |
|
Ron Rivest, Adi Shamir, and Len Adleman |
|
RSA Encryption System |
|
RSA Digital Signature Mechanism |
|
|
|
|
|
|
|
|
Z = Y^X mod N |
|
When X is unknown, the problem is known as the discrete
logarithm and is generally believed to be hard to solve. |
|
|
|
|
Alice |
|
Randomly select a large integer a and send A = Y^a mod N. |
|
Compute the key K = B^a mod N. |
|
Bob |
|
Randomly select a large integer b and send B = Y^b mod N. |
|
Compute the key K = A^b mod N. |
|
|
|
|
|
|
What does Eve see? |
|
Y, Y^a, Y^b |
|
… but the exchanged key is Y^ab. |
|
Belief: Given Y, Y^a, Y^b it is difficult to compute Y^ab. |
|
Contrast with discrete logarithm assumption: Given Y, Y^x it is difficult to compute x. |
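The exchange above, written out as an added Python example (not code from the slides), using the deck's names: public base Y, public modulus N, secret exponents a and b. The parameters N = 23 and Y = 5 are constructed toy values; a real deployment uses a standardized group with a prime of 2048 bits or more. The `exchange` function returns both parties' keys together with the tuple Eve observes on the wire.

```python
# Added example (not from the slides): Diffie-Hellman key exchange in Python.
import secrets

# Constructed toy parameters, far too small for real use.
N = 23   # public modulus
Y = 5    # public base

def public_value(secret: int) -> int:
    """Y^secret mod N: Alice sends this as A, Bob sends it as B."""
    return pow(Y, secret, N)

def shared_key(received: int, secret: int) -> int:
    """received^secret mod N, e.g. B^a mod N on Alice's side."""
    return pow(received, secret, N)

def exchange(a: int, b: int):
    """Run both sides with explicit secrets; return (K_alice, K_bob, eve_view)."""
    A = public_value(a)            # Alice -> Bob
    B = public_value(b)            # Bob -> Alice
    k_alice = shared_key(B, a)     # B^a = Y^(ab)
    k_bob = shared_key(A, b)       # A^b = Y^(ab)
    eve_view = (Y, A, B)           # everything on the wire: Y, Y^a, Y^b
    return k_alice, k_bob, eve_view

def random_secret() -> int:
    """A secret exponent chosen uniformly from [1, N-2]."""
    return 1 + secrets.randbelow(N - 2)

if __name__ == "__main__":
    ka, kb, seen = exchange(random_secret(), random_secret())
    print("Eve sees:", seen, " shared key:", ka, "==", kb)
```

With a = 6 and b = 15 the public values are 8 and 19 and both sides arrive at K = 2; Eve holds (5, 8, 19) and would need either a discrete logarithm or a direct solution of the Diffie-Hellman problem to get K.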
|
|
|
|
|
|
|
|
Z = Y^X mod N |
|
Recall that this equation is solvable for Y if
the factorization of N is known, but is believed to be hard otherwise. |
|
|
|
|
Alice |
|
Select two large random primes P & Q. |
|
Publish the product N=PQ. |
|
Use knowledge of P & Q to compute Y. |
|
Anyone |
|
To send message Y to Alice, compute Z = Y^X mod N. |
|
Send Z and X to Alice. |
|
|
|
|
|
When N = PQ is the product of distinct primes, |
|
Y^X mod N = Y |
|
whenever |
|
X mod (P-1)(Q-1) = 1 and 0 ≤ Y < N. |
|
Alice can easily select integers E and D such that E·D mod (P-1)(Q-1) = 1. |
|
|
|
|
Encryption: E(Y) = Y^E mod N. |
|
Decryption: D(Y) = Y^D mod N. |
|
|
|
D(E(Y)) |
|
= (Y^E mod N)^D mod N |
|
= Y^(ED) mod N |
|
= Y |
|
|
|
|
An additional property |
|
D(E(Y)) = Y^(ED) mod N = Y |
|
E(D(Y)) = Y^(DE) mod N = Y |
|
Only Alice (knowing the factorization of N) knows D. Hence only Alice can compute D(Y) = Y^D mod N. |
|
This D(Y) serves as Alice’s signature on Y. |
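The encryption, decryption and signature operations above, as an added Python example (not the slides' code). The primes P = 61, Q = 53 and exponent E = 17 are constructed toy values; D is obtained with Python's built-in modular inverse (`pow(E, -1, PHI)`, Python 3.8 or later), which performs the extended Euclidean computation the deck describes later. Real keys use primes of 1024 bits and more together with padding, which this bare "textbook" form deliberately leaves out.

```python
# Added example (not from the slides): textbook RSA in the deck's notation.
P, Q = 61, 53              # constructed toy primes; Alice keeps these secret
N = P * Q                  # published modulus, 3233
PHI = (P - 1) * (Q - 1)    # 3120, computable only from P and Q
E = 17                     # public exponent, gcd(E, PHI) = 1
D = pow(E, -1, PHI)        # private exponent with E*D mod PHI = 1

def encrypt(Y: int) -> int:
    """E(Y) = Y^E mod N: anyone can do this from the public pair (E, N)."""
    if not 0 <= Y < N:
        raise ValueError("message must satisfy 0 <= Y < N")
    return pow(Y, E, N)

def decrypt(Z: int) -> int:
    """D(Z) = Z^D mod N: only Alice, who knows D."""
    return pow(Z, D, N)

def sign(Y: int) -> int:
    """Alice's signature on Y is D(Y), the same operation as decryption."""
    return decrypt(Y)

def verify(Y: int, S: int) -> bool:
    """Anyone checks E(D(Y)) = Y, i.e. S^E mod N == Y."""
    return encrypt(S) == Y

if __name__ == "__main__":
    print(f"N={N} E={E} D={D}  E*D mod PHI = {(E * D) % PHI}")
    c = encrypt(65)
    print("E(65) =", c, " D(E(65)) =", decrypt(c))
    s = sign(65)
    print("signature on 65 =", s, " verifies:", verify(65, s))
```

For these parameters D = 2753, E(65) = 2790, and the signature on 65 verifies while the same signature presented for 66 does not.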
|
|
|
|
Why is Y^X mod PQ = Y whenever |
|
X mod (P-1)(Q-1) = 1, 0 ≤ Y < PQ, |
|
and P and Q are distinct primes? |
|
|
|
How can Alice select integers E and D such that E·D mod (P-1)(Q-1) = 1? |
|
|
|
|
|
To compute (A+B) mod N, |
|
compute (A+B) and take the result mod N. |
|
To compute (A-B) mod N, |
|
compute (A-B) and take the result mod N. |
|
To compute (A×B) mod N, |
|
compute (A×B) and take the result mod N. |
|
To compute (A÷B) mod N, … |
|
|
|
|
What is the value of (1÷2) mod 7? |
|
We need a solution to 2x mod 7 = 1. |
|
Try x = 4. |
|
|
|
What is the value of (7÷5) mod 11? |
|
We need a solution to 5x mod 11 = 7. |
|
Try x = 8. |
|
|
|
|
Is modular division always well-defined? |
|
(1÷3) mod 6 = ? |
|
3x mod 6 = 1 has no solution! |
|
|
|
Fact |
|
(A÷B) mod N always has a solution when gcd(B,N)
= 1. |
|
|
|
|
gcd(A, B) = gcd(B, A - B) |
|
gcd(21,12) = gcd(12,9) = gcd(9,3) = gcd(6,3) = gcd(3,3) = gcd(0,3) = 3 |
|
gcd(A, B) = gcd(B, A mod B) |
|
gcd(21,12) = gcd(12,9) = gcd(9,3) = gcd(0,3) = 3 |
|
|
|
|
Given integers A and B, find integers X and Y such that AX + BY = gcd(A,B). |
|
|
|
When gcd(A,B) = 1, solve AX mod B = 1, by finding X and Y such that |
|
AX + BY = gcd(A,B) = 1. |
|
|
|
Compute (C÷A) mod B as C×(1÷A) mod B. |
|
|
|
|
Given A, B > 0, set x_1 = 1, x_2 = 0, y_1 = 0, y_2 = 1, a_1 = A, b_1 = B, i = 1. |
|
|
|
Repeat while b_i > 0: { i = i + 1; |
|
q = a_{i-1} div b_{i-1}; b_i = a_{i-1} - q·b_{i-1}; a_i = b_{i-1}; |
|
x_{i+1} = x_{i-1} - q·x_i; y_{i+1} = y_{i-1} - q·y_i }. |
|
|
|
A·x_i + B·y_i = a_i = gcd(A,B). |
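The extended Euclidean algorithm above, the modular inverse it produces, and the modular division of the earlier slides, as an added Python example (not the slides' code). Each loop step replaces the pair (a, b) by (b, a - q·b) and updates the coefficients of A and B in the same way, so the invariant A·x + B·y = a holds throughout and yields the gcd together with X and Y when b reaches 0. The worked numbers (gcd(21,12), 1÷2 mod 7, 7÷5 mod 11, and the undefined 1÷3 mod 6) are the ones from the slides.

```python
# Added example (not from the slides): extended Euclid, modular inverse, modular division.

def egcd(A: int, B: int):
    """Return (g, X, Y) with A*X + B*Y = g = gcd(A, B)."""
    a, b = A, B
    x_prev, x_cur = 1, 0      # coefficients of A in a and in b
    y_prev, y_cur = 0, 1      # coefficients of B in a and in b
    while b > 0:
        q = a // b            # a div b
        a, b = b, a - q * b   # gcd(a, b) = gcd(b, a mod b)
        x_prev, x_cur = x_cur, x_prev - q * x_cur
        y_prev, y_cur = y_cur, y_prev - q * y_cur
    return a, x_prev, y_prev  # invariant: A*x_prev + B*y_prev == a

def has_inverse(B: int, N: int) -> bool:
    """(1 / B) mod N exists exactly when gcd(B, N) = 1."""
    return egcd(B % N, N)[0] == 1

def modinv(B: int, N: int) -> int:
    """Solve B*x mod N = 1 by finding X, Y with B*X + N*Y = 1; x = X mod N."""
    g, X, _ = egcd(B % N, N)
    if g != 1:
        raise ValueError(f"{B} has no inverse mod {N}: gcd is {g}")
    return X % N

def moddiv(C: int, B: int, N: int) -> int:
    """(C / B) mod N computed as C * (1 / B) mod N."""
    return (C * modinv(B, N)) % N

if __name__ == "__main__":
    print("gcd(21,12) and coefficients:", egcd(21, 12))   # (3, -1, 2): 21*(-1) + 12*2 = 3
    print("(1/2) mod 7 =", moddiv(1, 2, 7))               # 4
    print("(7/5) mod 11 =", moddiv(7, 5, 11))             # 8
    print("(1/3) mod 6 defined?", has_inverse(3, 6))      # False
```

Choosing the RSA exponents is the same computation: with A = E and B = (P-1)(Q-1), `modinv(E, (P-1)*(Q-1))` is D.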
|
|
|
|
Why is Y^X mod PQ = Y whenever |
|
X mod (P-1)(Q-1) = 1, 0 ≤ Y < PQ, |
|
and P and Q are distinct primes? |
|
|
|
How can Alice select integers E and D such that E·D mod (P-1)(Q-1) = 1? |
|
|
|
|
If p is prime, |
|
then x^(p-1) mod p = 1 for all 0 < x < p. |
|
|
|
Equivalently … |
|
|
|
If p is prime, |
|
then x^p mod p = x mod p for all integers x. |
|
|
|
|
The Binomial Theorem |
|
(x + y)^p = x^p + (p choose 1) x^(p-1) y + … + (p choose p-1) x y^(p-1) + y^p |
|
|
|
If p is prime, then (p choose i) mod p = 0 for 0 < i < p. |
|
|
|
Thus, (x + y)^p mod p = (x^p + y^p) mod p. |
|
|
|
|
By induction on x… |
|
|
|
Basis |
|
If x = 0, then x^p mod p = 0 = x mod p. |
|
If x = 1, then x^p mod p = 1 = x mod p. |
|
|
|
|
|
|
Inductive Step |
|
|
|
Assume that x^p mod p = x mod p. |
|
Then (x + 1)^p mod p = (x^p + 1^p) mod p |
|
= (x + 1) mod p. |
|
Hence, x^p mod p = x mod p for integers x ≥ 0. |
|
|
|
Also true for negative x, since (-x)^p = (-1)^p x^p. |
|
|
|
|
We have shown … |
|
Y^P mod P = Y whenever 0 ≤ Y < P |
|
and P is prime! |
|
|
|
You will show … |
|
Y^(K(P-1)(Q-1)+1) mod PQ = Y when 0 ≤ Y < PQ, |
|
P and Q are distinct primes and K ≥ 0. |
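The claim left as an exercise follows from the prime case just shown; the derivation below is added here and is not part of the slides, using the deck's symbols. Let $X = K(P-1)(Q-1)+1$ with $P \neq Q$ prime, $K \geq 0$ and $0 \leq Y < PQ$.

Working modulo $P$: if $P \mid Y$ then $Y^X \equiv 0 \equiv Y \pmod P$. Otherwise $Y^{P-1} \equiv 1 \pmod P$ by the prime case, so
$$Y^X = Y \cdot \left(Y^{P-1}\right)^{K(Q-1)} \equiv Y \cdot 1^{K(Q-1)} = Y \pmod P .$$
The same argument with the roles of $P$ and $Q$ exchanged gives $Y^X \equiv Y \pmod Q$. Hence both $P$ and $Q$ divide $Y^X - Y$; since they are distinct primes, $PQ$ divides $Y^X - Y$, i.e. $Y^X \equiv Y \pmod{PQ}$, and because $0 \leq Y < PQ$ this is exactly $Y^X \bmod PQ = Y$.

Applied to RSA: $E \cdot D \bmod (P-1)(Q-1) = 1$ means $ED = K(P-1)(Q-1) + 1$ for some $K \geq 0$, so $Y^{ED} \bmod N = Y$ for every $0 \leq Y < N$, which is the correctness of $D(E(Y)) = Y$ (and of $E(D(Y)) = Y$).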
|
|
|
|
How can I use RSA to authenticate someone’s identity? |
|
|
|
If Alice’s public key is E_A, just pick a random message m and send E_A(m). |
|
|
|
If m comes back, I must be talking to Alice. |
|
|
|
|
Should Alice be happy with this method of
authentication? |
|
|
|
Bob sends Alice the authentication string y = “I owe Bob $1,000,000 - signed
Alice.” |
|
|
|
Alice dutifully authenticates herself by
decrypting (putting her signature on) y. |
|
|
|
|
What if Alice only returns authentication
queries when the decryption has a certain format? |
|
|
|
|
Is it reasonable to sign/decrypt something given
to you by someone else? |
|
|
|
Note that RSA is multiplicative. Can this property be used/abused? |
|
|
|
|
D(Y1) · D(Y2) = D(Y1 · Y2) |
|
|
|
Thus, if I’ve decrypted (or signed) Y1 and Y2, I’ve also decrypted (or signed) Y1 · Y2. |
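The multiplicative property above, and the reason signatures are applied to a digest rather than to a raw value, as an added Python example (not the slides' code). The key is a constructed toy: the Mersenne primes 2^31-1 and 2^61-1 (distinct and both prime) give a roughly 92-bit modulus, far too small for real use. `digest` truncates SHA-1 to 8 bytes purely so the value fits below this tiny N; a real scheme uses the full digest inside a fixed message format. The example shows that raw signatures multiply exactly as the slide states, whereas the product of two hash-then-sign signatures is a valid raw signature only on the product of the two digests, which is not the digest of the concatenated message or of any message one can find.

```python
# Added example (not from the slides): RSA multiplicativity versus hash-then-sign.
import hashlib

# Constructed toy key (2^31-1 and 2^61-1 are distinct Mersenne primes).
P, Q = 2**31 - 1, 2**61 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)            # E*D mod PHI = 1

def raw_sign(Y: int) -> int:
    """D(Y) = Y^D mod N on the bare integer."""
    return pow(Y, D, N)

def raw_verify(Y: int, S: int) -> bool:
    """E(S) == Y?"""
    return pow(S, E, N) == Y

def multiplicative(Y1: int, Y2: int) -> bool:
    """D(Y1) * D(Y2) mod N == D(Y1 * Y2 mod N): the property on the slide."""
    return (raw_sign(Y1) * raw_sign(Y2)) % N == raw_sign((Y1 * Y2) % N)

def digest(msg: bytes) -> int:
    """Toy hash-to-integer: first 8 bytes of SHA-1 so the value is below N."""
    return int.from_bytes(hashlib.sha1(msg).digest()[:8], "big")

def hashed_sign(msg: bytes) -> int:
    return raw_sign(digest(msg))

def hashed_verify(msg: bytes, S: int) -> bool:
    return raw_verify(digest(msg), S)

def product_of_hashed_signatures_is_useless(m1: bytes, m2: bytes) -> bool:
    """s1*s2 still satisfies the raw relation for digest(m1)*digest(m2) mod N,
    but that integer is not the digest of m1+m2, so the verifier rejects it."""
    s3 = (hashed_sign(m1) * hashed_sign(m2)) % N
    still_raw_valid = raw_verify((digest(m1) * digest(m2)) % N, s3)
    rejected = not hashed_verify(m1 + m2, s3)
    return still_raw_valid and rejected

if __name__ == "__main__":
    print("raw signatures multiply:", multiplicative(12345, 67890))
    print("hash-then-sign blocks the product:",
          product_of_hashed_signatures_is_useless(b"pay 5", b"pay 10"))
```

This is why the deck's later slides sign a message digest and check a fixed format on decryption: the verifier recomputes the digest from the message it was actually given, and a multiplicatively combined signature matches no such digest.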
|
|
|
|
Given |
|
E1(x) = x^3 mod n1 |
|
E2(x) = x^3 mod n2 |
|
E3(x) = x^3 mod n3 |
|
one can easily compute x. |
|
|
|
|
PKCS#1 Message Format: |
|
|
|
00 01 XX XX ... XX 00 YY YY ... YY |
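An added Python example (not the slides' code) that builds and strictly parses the block shown above. It assumes the PKCS#1 v1.5 "type 1" layout used for signatures: the XX bytes are 0xFF, there are at least 8 of them, and the block is exactly k bytes long, k being the byte length of the modulus. The parser is deliberately strict: it accepts a block only when every structural byte (the 00 01 header, every padding byte, the 00 separator, and the payload length) is exactly what the format requires, which is the check a verifier performs after computing S^E mod N.

```python
# Added example (not from the slides): PKCS#1 type-1 block  00 01 FF..FF 00 <payload>.
from typing import Optional

MIN_PAD = 8   # PKCS#1 v1.5 requires at least eight padding bytes

def encode_block(payload: bytes, k: int) -> bytes:
    """Format payload (e.g. a message digest) into a k-byte type-1 block."""
    pad_len = k - 3 - len(payload)
    if pad_len < MIN_PAD:
        raise ValueError("payload too long for this modulus size")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + payload

def parse_block(block: bytes, k: int, payload_len: int) -> Optional[bytes]:
    """Return the payload only if the whole block is well-formed; else None."""
    if len(block) != k or block[:2] != b"\x00\x01":
        return None
    sep = block.find(b"\x00", 2)              # first 00 after the header
    if sep < 2 + MIN_PAD:                     # no separator, or too little padding
        return None
    if any(b != 0xFF for b in block[2:sep]):  # every padding byte must be FF
        return None
    payload = block[sep + 1:]
    if len(payload) != payload_len:           # nothing may follow the payload
        return None
    return payload

if __name__ == "__main__":
    digest = bytes(range(1, 21))              # constructed 20-byte stand-in for a digest
    blk = encode_block(digest, 32)
    print(blk.hex())
    print("parsed back:", parse_block(blk, 32, 20) == digest)
```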
|
|
|
|
|
|
RSA can be used to encrypt any data. |
|
|
|
Public-key (asymmetric) cryptography is very
inefficient when compared to traditional private-key (symmetric)
cryptography. |
|
|
|
|
For efficiency, one generally uses RSA (or
another public-key algorithm) to transmit a private (symmetric) key. |
|
The private session key is used to encrypt and
authenticate any subsequent data. |
|
|
|
Digital signatures are only used to sign a digest
of the message. |
|
|
|
|
Private-key (symmetric) ciphers are usually
divided into two classes. |
|
|
|
Block ciphers |
|
|
|
Stream ciphers |
|
|
|
|
|
|
|
|
Electronic Code Book (ECB) Encryption: (diagram) |
|
Electronic Code Book (ECB) Decryption: (diagram) |
|
Cipher Block Chaining (CBC) Encryption: (diagram) |
|
Cipher Block Chaining (CBC) Decryption: (diagram) |
|
|
Feistel ciphers are typically iterated for about 16 rounds. |
|
Different “sub-keys” are used for each round. |
|
|
|
Even a weak round function can yield a strong
Feistel cipher if iterated sufficiently. |
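An added Python example (not the slides' code and not a standardized cipher) that puts the last two sections together: a 16-round Feistel cipher on 8-byte blocks, with a different sub-key per round and a deliberately simple, non-invertible round function, and the ECB and CBC modes drawn in the diagrams above built on top of it. The key schedule and round function (both SHA-256 based) are constructed for illustration only. `distinct_blocks` makes the ECB weakness visible: repeated plaintext blocks give repeated ciphertext blocks under ECB but not under CBC (where the count includes the IV block).

```python
# Added example (not from the slides): toy Feistel block cipher plus ECB and CBC modes.
import hashlib
import os

BLOCK = 8      # block size in bytes; halves are 4 bytes
ROUNDS = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def subkeys(key: bytes) -> list:
    """A different 4-byte sub-key for each round (constructed schedule)."""
    return [hashlib.sha256(key + bytes([r])).digest()[:4] for r in range(ROUNDS)]

def round_f(half: bytes, subkey: bytes) -> bytes:
    """Round function: need not be invertible, the Feistel structure supplies that."""
    return hashlib.sha256(subkey + half).digest()[:4]

def feistel(block: bytes, ks: list) -> bytes:
    L, R = block[:4], block[4:]
    for k in ks:
        L, R = R, xor(L, round_f(R, k))
    return R + L   # undo the final swap: decryption is the same network, keys reversed

def encrypt_block(block: bytes, ks: list) -> bytes:
    return feistel(block, ks)

def decrypt_block(block: bytes, ks: list) -> bytes:
    return feistel(block, ks[::-1])

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    ks = subkeys(key)
    return b"".join(encrypt_block(b, ks) for b in blocks(pad(pt)))   # each block independently

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    ks = subkeys(key)
    return unpad(b"".join(decrypt_block(b, ks) for b in blocks(ct)))

def cbc_encrypt(key: bytes, pt: bytes, iv: bytes = None) -> bytes:
    ks = subkeys(key)
    prev = iv if iv is not None else os.urandom(BLOCK)
    out = [prev]                                   # IV is sent in the clear as block 0
    for b in blocks(pad(pt)):
        prev = encrypt_block(xor(b, prev), ks)     # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    ks = subkeys(key)
    bs = blocks(ct)
    pt = b"".join(xor(decrypt_block(bs[i], ks), bs[i - 1])   # P_i = D(C_i) xor C_{i-1}
                  for i in range(1, len(bs)))
    return unpad(pt)

def distinct_blocks(ct: bytes) -> int:
    return len(set(blocks(ct)))

if __name__ == "__main__":
    key, msg = b"toy-key", b"SAMEBLOK" * 4
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(key, msg)))   # 2: data + padding
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(key, msg)))   # 6: IV + 5 blocks
```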
|
|
|
|
|
Private-key (symmetric) ciphers are usually
divided into two classes. |
|
|
|
Block ciphers |
|
|
|
Stream ciphers |
|
|
|
|
Use the key as a seed to a pseudo-random
number-generator. |
|
Take the stream of output bits from the PRNG and
XOR it with the plaintext to form the ciphertext. |
|
|
|
|
|
|
|
|
Initialization |
|
S[0..255] = 0,1,…,255 |
|
K[0..255] = Key,Key,Key,… (the key bytes repeated to fill 256 entries) |
|
j = 0 |
|
for i = 0 to 255 |
|
    j = (j + S[i] + K[i]) mod 256 |
|
    swap S[i] and S[j] |
|
|
|
|
Iteration (starting from i = 0, j = 0; one pass per output byte) |
|
i = (i + 1) mod 256 |
|
j = (j + S[i]) mod 256 |
|
swap S[i] and S[j] |
|
t = (S[i] + S[j]) mod 256 |
|
Output S[t] |
|
|
|
|
It is easy for an adversary (even one who can’t
decrypt the ciphertext) to alter the plaintext in a known way. |
|
Bob to Bob’s Bank: Please transfer $1,000,002.00
to the account of my good friend Alice. |
|
This can be protected against by the careful
addition of appropriate redundancy. |
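The RC4 key-stream generator of the previous slides, the known-plaintext alteration described above, and the kind of redundancy that detects it, as an added Python example (not the slides' code). RC4 is checked against the published test vector (key "Key", plaintext "Plaintext"). The message, the cipher key and the MAC key are constructed values; the integrity check uses HMAC-SHA256 from the standard library, which is one concrete form of the "appropriate redundancy" the slide calls for (a plain checksum would not do, as the next slide explains).

```python
# Added example (not from the slides): RC4, stream-cipher malleability, and a MAC that detects it.
import hashlib
import hmac

def rc4_ksa(key: bytes) -> list:
    """Initialization: permute S under the key-dependent index j."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256   # K[i] is the key repeated
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Iteration: n output bytes S[t]."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the key stream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))

# Constructed message from the slide's scenario.
MESSAGE = b"Please transfer $0,000,002.00 to the account of my good friend Alice."

def flip_byte(ct: bytes, pos: int, old: str, new: str) -> bytes:
    """XORing a ciphertext byte with old^new changes that plaintext byte from old to new;
    the key is never needed, which is the malleability the slide warns about."""
    ct = bytearray(ct)
    ct[pos] ^= ord(old) ^ ord(new)
    return bytes(ct)

def tampered_plaintext(key: bytes) -> bytes:
    ct = rc4_crypt(key, MESSAGE)
    pos = MESSAGE.index(b"$") + 1               # the leading '0' of the amount
    return rc4_crypt(key, flip_byte(ct, pos, "0", "1"))

def tag(mac_key: bytes, msg: bytes) -> bytes:
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def mac_ok(mac_key: bytes, msg: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, msg), t)

def mac_detects_tampering(key: bytes, mac_key: bytes) -> bool:
    t = tag(mac_key, MESSAGE)                   # sent alongside the ciphertext
    return mac_ok(mac_key, MESSAGE, t) and not mac_ok(mac_key, tampered_plaintext(key), t)

if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())          # bbf316e8d940af0ad3
    print(tampered_plaintext(b"bank-key").decode())
    print("MAC rejects altered message:", mac_detects_tampering(b"bank-key", b"mac-key"))
```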
|
|
|
|
The idea of a check sum is great, but it is
designed to prevent accidental changes in a message. |
|
For cryptographic integrity, we need an
integrity check that is resilient against a smart and determined adversary. |
|
|
|
|
Generally, a one-way hash function is a function H : {0,1}* → {0,1}^k (typically k is 128 or 160) such that given an input value x, one cannot find a value x′ ≠ x such that H(x) = H(x′). |
|
|
|
|
There are many measures for one-way hashes. |
|
|
|
Non-invertibility: given y, it’s difficult to find any x such that H(x) = y. |
|
|
|
Collision-intractability: one cannot find a pair of values x′ ≠ x such that H(x) = H(x′). |
|
|
|
|
When using a stream cipher, a hash of the
message can be appended to ensure integrity. [Message Authentication Code] |
|
|
|
When forming a digital signature, the signature
need only be applied to a hash of the message. [Message Digest] |
|
|
|
|
|
What’s in the final 32-bit transform? |
|
Take the rightmost word. |
|
Add in the leftmost word rotated 5 bits. |
|
Add in a round-dependent function f of the
middle three words. |
|
|
|
|
|
|
Depending on the round, the “non-linear” function f is one of the following. |
|
|
|
f(X,Y,Z) = (X ∧ Y) ∨ ((¬X) ∧ Z) |
|
f(X,Y,Z) = (X ∧ Y) ∨ (X ∧ Z) ∨ (Y ∧ Z) |
|
f(X,Y,Z) = X ⊕ Y ⊕ Z |
|
|
|
|
What’s in the final 32-bit transform? |
|
Take the rightmost word. |
|
Add in the leftmost word rotated 5 bits. |
|
Add in a round-dependent function f of the
middle three words. |
|
Add in a round-dependent constant. |
|
Add in a portion of the 512-bit message. |
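The complete 32-bit transform just described, inside a from-scratch SHA-1, as an added Python example (not the slides' code). The inner loop is literally the five additions listed above: the rightmost word e, the leftmost word a rotated 5 bits, the round-dependent f of the middle three words b, c, d, the round constant, and one word of the expanded 512-bit message block. The round constants and initial state are SHA-1's published values; the result is checked against `hashlib.sha1` so the whole construction can be verified, not just read.

```python
# Added example (not from the slides): SHA-1 built around the round transform on the slide.
import hashlib
import struct

MASK = 0xFFFFFFFF

def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK

def f(round_no: int, x: int, y: int, z: int) -> int:
    """The round-dependent 'non-linear' function f(X,Y,Z)."""
    if round_no < 20:
        return (x & y) | (~x & z)                 # (X and Y) or ((not X) and Z)
    if round_no < 40:
        return x ^ y ^ z                          # X xor Y xor Z
    if round_no < 60:
        return (x & y) | (x & z) | (y & z)        # majority
    return x ^ y ^ z

K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)   # round-dependent constants

def compress(state: tuple, chunk: bytes) -> tuple:
    """Process one 512-bit block with 80 rounds of the 32-bit transform."""
    w = list(struct.unpack(">16I", chunk))
    for i in range(16, 80):                       # expand 16 message words to 80
        w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        # rightmost word + leftmost rotated 5 + f(middle three) + round constant + message word
        t = (e + rotl(a, 5) + f(i, b, c, d) + K[i // 20] + w[i]) & MASK
        a, b, c, d, e = t, a, rotl(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))

def sha1(msg: bytes) -> bytes:
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
    bit_len = len(msg) * 8
    # Merkle-Damgard padding: 0x80, zeros to 56 mod 64, then the 64-bit message length.
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", bit_len)
    for off in range(0, len(msg), 64):
        state = compress(state, msg[off:off + 64])
    return struct.pack(">5I", *state)

def matches_hashlib(msg: bytes) -> bool:
    return sha1(msg) == hashlib.sha1(msg).digest()

if __name__ == "__main__":
    print(sha1(b"abc").hex())                     # a9993e364706816aba3e25717850c26c9cd0d89d
    print("agrees with hashlib on 10 kB:", matches_hashlib(b"x" * 10_000))
```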
|
|
|
|
|
|
One-Way Trapdoor Functions |
|
Public-Key Encryption Schemes |
|
One-Way Functions |
|
One-Way Hash Functions |
|
Pseudo-Random Number-Generators |
|
Secret-Key Encryption Schemes |
|
Digital Signature Schemes |
|