asymmetric encryption
play

ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto . - PowerPoint PPT Presentation

Feb 24, 2024 •463 likes •1.93k views

ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto . Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall Symmetric Cryptography Before

  1. Squares We say that a is a square (or quadratic residue) modulo p if there exists b such that b 2 ≡ a (mod p ). We let  1 if a is a square mod p  J p ( a ) = 0 if a mod p = 0  − 1 otherwise be the Legendre or Jacobi symbol of a modulo p . Let p = 11. Then • Is 4 a square modulo p ? 23 / 1

  2. Squares We say that a is a square (or quadratic residue) modulo p if there exists b such that b 2 ≡ a (mod p ). We let  1 if a is a square mod p  J p ( a ) = 0 if a mod p = 0  − 1 otherwise be the Legendre or Jacobi symbol of a modulo p . Let p = 11. Then • Is 4 a square modulo p ? YES because 2 2 ≡ 4 (mod 11) • Is 5 a square modulo p ? 23 / 1

  3. Squares We say that a is a square (or quadratic residue) modulo p if there exists b such that b 2 ≡ a (mod p ). We let  1 if a is a square mod p  J p ( a ) = 0 if a mod p = 0  − 1 otherwise be the Legendre or Jacobi symbol of a modulo p . Let p = 11. Then • Is 4 a square modulo p ? YES because 2 2 ≡ 4 (mod 11) • Is 5 a square modulo p ? YES because 4 2 ≡ 5 (mod 11) • What is J 11 (5)? 23 / 1

  4. Squares We say that a is a square (or quadratic residue) modulo p if there exists b such that b 2 ≡ a (mod p ). We let  1 if a is a square mod p  J p ( a ) = 0 if a mod p = 0  − 1 otherwise be the Legendre or Jacobi symbol of a modulo p . Let p = 11. Then • Is 4 a square modulo p ? YES because 2 2 ≡ 4 (mod 11) • Is 5 a square modulo p ? YES because 4 2 ≡ 5 (mod 11) • What is J 11 (5)? It equals +1 23 / 1

  5. The set of squares We let QR ( Z ∗ { a ∈ Z ∗ p ) = p : a is a square mod p } p such that b 2 ≡ a (mod p ) } { a ∈ Z ∗ p : ∃ b ∈ Z ∗ = 24 / 1

  6. Example Let p = 11 a 1 2 3 4 5 6 7 8 9 10 a 2 mod 11 25 / 1

  7. Example Let p = 11 a 1 2 3 4 5 6 7 8 9 10 a 2 mod 11 1 25 / 1

  8. Example Let p = 11 a 1 2 3 4 5 6 7 8 9 10 a 2 mod 11 1 4 25 / 1

  9. Example Let p = 11 a 1 2 3 4 5 6 7 8 9 10 a 2 mod 11 1 4 9 25 / 1

  10. Example Let p = 11 a 1 2 3 4 5 6 7 8 9 10 a 2 mod 11 1 4 9 5 25 / 1

  11. Example Let p = 11 a 1 2 3 4 5 6 7 8 9 10 a 2 mod 11 1 4 9 5 3 25 / 1

  12. Example Let p = 11 a 1 2 3 4 5 6 7 8 9 10 a 2 mod 11 1 4 9 5 3 3 25 / 1

  13. Example Let p = 11 a 1 2 3 4 5 6 7 8 9 10 a 2 mod 11 1 4 9 5 3 3 5 25 / 1

  14. Example Let p = 11 a 1 2 3 4 5 6 7 8 9 10 a 2 mod 11 1 4 9 5 3 3 5 9 25 / 1

  15. Example Let p = 11 a 1 2 3 4 5 6 7 8 9 10 a 2 mod 11 1 4 9 5 3 3 5 9 4 25 / 1

  16. Example Let p = 11 a 1 2 3 4 5 6 7 8 9 10 a 2 mod 11 1 4 9 5 3 3 5 9 4 1 Then QR ( Z ∗ p ) = { 1 , 3 , 4 , 5 , 9 } a 1 2 3 4 5 6 7 8 9 10 J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 Observe • There are 5 squares and 5 non-squares. • Every square has exactly 2 square roots. 25 / 1

  17. Relation to discrete log Recall that 2 is a generator of Z ∗ 11 a 1 2 3 4 5 6 7 8 9 10 11 , 2 ( a ) 0 1 8 2 4 9 7 3 6 5 DLog Z ∗ J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 26 / 1

  18. Relation to discrete log Recall that 2 is a generator of Z ∗ 11 a 1 2 3 4 5 6 7 8 9 10 11 , 2 ( a ) 0 1 8 2 4 9 7 3 6 5 DLog Z ∗ J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 so J 11 ( a ) = 1 iff 11 , 2 ( a ) is even DLog Z ∗ This makes sense because for any generator g , g 2 j = ( g j ) 2 is always a square! 26 / 1

  19. Squares and discrete logs Fact: If p ≥ 3 is a prime and g is a generator of Z ∗ p then p ) = { g i : 0 ≤ i ≤ p − 2 and i is even } QR ( Z ∗ Example: If p = 11 and g = 2 then p − 2 = 9 and the squares are • 2 0 mod 11 = 1 • 2 2 mod 11 = 4 • 2 4 mod 11 = 5 • 2 6 mod 11 = 9 • 2 8 mod 11 = 3 27 / 1

  20. Computing the Legendre symbol Is there an algorithm that given p and a ∈ Z ∗ p returns J p ( a ), meaning determines whether or not a is a square mod p ? 28 / 1

  21. Computing the Legendre symbol Is there an algorithm that given p and a ∈ Z ∗ p returns J p ( a ), meaning determines whether or not a is a square mod p ? Sure! Alg TEST - SQ ( p , a ) Let g be a generator of Z ∗ p Let i ← DLog Z ∗ p , g ( a ) if i is even then return 1 else return − 1 28 / 1

  22. Computing the Legendre symbol Is there an algorithm that given p and a ∈ Z ∗ p returns J p ( a ), meaning determines whether or not a is a square mod p ? Sure! Alg TEST - SQ ( p , a ) Let g be a generator of Z ∗ p Let i ← DLog Z ∗ p , g ( a ) if i is even then return 1 else return − 1 This is correct, but • How do we find g ? • How do we compute DLog Z ∗ p , g ( a )? 28 / 1

  23. Fermat’s Theorem Fact: If p ≥ 3 is a prime then for any a p − 1 J p ( a ) ≡ a (mod p ) 2 Example: Let p = 11. • Let a = 5. We know that 5 is a square, meaning J 11 (5) = 1. Now compute p − 1 ≡ 5 5 ≡ (25)(25)(5) ≡ 3 · 3 · 5 ≡ 45 ≡ 1 a (mod 11) . 2 • Let a = 6. We know that 6 is not a square, meaning J 11 (6) = − 1. Now compute p − 1 ≡ 6 5 ≡ (36)(36)(6) ≡ 3 · 3 · 6 ≡ 54 ≡ − 1 a (mod 11) . 2 29 / 1

  24. Fermat’s Theorem Fact: If p ≥ 3 is a prime then for any a p − 1 J p ( a ) ≡ a (mod p ) 2 This yields a cubic-time algorithm to compute the Legendre symbol, meaning determine whether or not a given number is a square: Alg TEST - SQ ( p , a ) p − 1 s ← a mod p 2 if s = 1 then return 1 else return − 1 30 / 1

  25. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 31 / 1

  26. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 5 31 / 1

  27. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 5 6 31 / 1

  28. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 5 6 8 31 / 1

  29. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 5 6 8 1 31 / 1

  30. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 5 6 8 1 − 1 31 / 1

  31. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 5 6 8 1 − 1 − 1 31 / 1

  32. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 5 6 8 1 − 1 − 1 − 1 31 / 1

  33. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 5 6 8 1 − 1 − 1 − 1 2 31 / 1

  34. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 5 6 8 1 − 1 − 1 − 1 2 7 31 / 1

  35. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 5 6 8 1 − 1 − 1 − 1 2 7 3 31 / 1

  36. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 5 6 8 1 − 1 − 1 − 1 2 7 3 − 1 31 / 1

  37. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 5 6 8 1 − 1 − 1 − 1 2 7 3 − 1 − 1 31 / 1

  38. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 5 6 8 1 − 1 − 1 − 1 2 7 3 − 1 − 1 1 31 / 1

  39. Multiplicity of Legendre symbol Fact: If p ≥ 3 is a prime then for any a , b J p ( ab ) = J p ( a ) · J p ( b ) Example: Let p = 11. 1 2 3 4 5 6 7 8 9 10 a J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a b ab J 11 ( a ) J 11 ( b ) J 11 ( ab ) J 11 ( a ) · J 11 ( b ) 5 6 8 1 − 1 − 1 − 1 2 7 3 − 1 − 1 1 1 31 / 1

  40. Inversion of Legendre symbol Fact: If p ≥ 3 is a prime then for any a ∈ Z ∗ p J p ( a − 1 ) = J p ( a ) Example: p = 11 a 1 2 3 4 5 6 7 8 9 10 J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a − 1 J 11 ( a − 1 ) a J 11 ( a ) 32 / 1

  41. Inversion of Legendre symbol Fact: If p ≥ 3 is a prime then for any a ∈ Z ∗ p J p ( a − 1 ) = J p ( a ) Example: p = 11 a 1 2 3 4 5 6 7 8 9 10 J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a − 1 J 11 ( a − 1 ) a J 11 ( a ) 3 32 / 1

  42. Inversion of Legendre symbol Fact: If p ≥ 3 is a prime then for any a ∈ Z ∗ p J p ( a − 1 ) = J p ( a ) Example: p = 11 a 1 2 3 4 5 6 7 8 9 10 J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a − 1 J 11 ( a − 1 ) a J 11 ( a ) 3 4 32 / 1

  43. Inversion of Legendre symbol Fact: If p ≥ 3 is a prime then for any a ∈ Z ∗ p J p ( a − 1 ) = J p ( a ) Example: p = 11 a 1 2 3 4 5 6 7 8 9 10 J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a − 1 J 11 ( a − 1 ) a J 11 ( a ) 3 4 1 32 / 1

  44. Inversion of Legendre symbol Fact: If p ≥ 3 is a prime then for any a ∈ Z ∗ p J p ( a − 1 ) = J p ( a ) Example: p = 11 a 1 2 3 4 5 6 7 8 9 10 J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a − 1 J 11 ( a − 1 ) a J 11 ( a ) 3 4 1 1 32 / 1

  45. Inversion of Legendre symbol Fact: If p ≥ 3 is a prime then for any a ∈ Z ∗ p J p ( a − 1 ) = J p ( a ) Example: p = 11 a 1 2 3 4 5 6 7 8 9 10 J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a − 1 J 11 ( a − 1 ) a J 11 ( a ) 3 4 1 1 7 32 / 1

  46. Inversion of Legendre symbol Fact: If p ≥ 3 is a prime then for any a ∈ Z ∗ p J p ( a − 1 ) = J p ( a ) Example: p = 11 a 1 2 3 4 5 6 7 8 9 10 J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a − 1 J 11 ( a − 1 ) a J 11 ( a ) 3 4 1 1 7 8 32 / 1

  47. Inversion of Legendre symbol Fact: If p ≥ 3 is a prime then for any a ∈ Z ∗ p J p ( a − 1 ) = J p ( a ) Example: p = 11 a 1 2 3 4 5 6 7 8 9 10 J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a − 1 J 11 ( a − 1 ) a J 11 ( a ) 3 4 1 1 7 8 − 1 32 / 1

  48. Inversion of Legendre symbol Fact: If p ≥ 3 is a prime then for any a ∈ Z ∗ p J p ( a − 1 ) = J p ( a ) Example: p = 11 a 1 2 3 4 5 6 7 8 9 10 J 11 ( a ) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1 a − 1 J 11 ( a − 1 ) a J 11 ( a ) 3 4 1 1 7 8 − 1 − 1 32 / 1

  49. Legendre symbol of EG key Fact: Let p ≥ 3 be a prime and x , y ∈ Z p − 1 . Let X = g x and Y = g y and K = g xy . Then � 1 if J p ( X ) = 1 or J p ( Y ) = 1 J p ( K ) = − 1 otherwise In particular one can determine J p ( K ) given J p ( X ) and J p ( Y ) Proof: � 1 if xy is even J p ( g xy ) = J p ( K ) = − 1 otherwise � 1 if x is even or y is even = − 1 otherwise � 1 if J p ( g x ) = 1 or J p ( g y ) = 1 = − 1 otherwise 33 / 1

  50. EG modulo a prime Let p be a prime and g a generator of Z ∗ p . The EG PKE scheme AE EG = ( K , E , D ) is defined by Alg K Alg E X ( M ) Alg D x ( Y , W ) K = Y x $ ← Z p − 1 ; Y ← g y $ x ← Z p − 1 y M ← W · K − 1 X ← g x K ← X y return M return ( X , x ) W ← K · M return ( Y , W ) $ The weakness: Suppose ( Y , W ) ← E X ( M ). Then we claim that given • the public key X • the ciphertext ( Y , W ) an adversary can easily compute J p ( M ). This represents a loss of partial information. 34 / 1

  51. EG modulo a prime Suppose ( Y , W ) is an encryption of M under public key X = g x , where Y = g y . Then • W = K · M • K = g xy So J p ( W · K − 1 ) = J p ( W ) · J p ( K − 1 ) = J p ( W ) · J p ( K ) J p ( M ) = = J p ( W ) · s � 1 if J p ( X ) = 1 or J p ( Y ) = 1 where s = − 1 otherwise. So we can compute J p ( M ) via Alg FIND - J ( X , Y , W ) if J p ( X ) = 1 or J p ( Y ) = 1 then s ← 1 else s ← − 1 return J p ( W ) · s 35 / 1

  52. EG modulo a prime Let p be a prime and g a generator of Z ∗ p . The EG PKE scheme AE EG = ( K , E , D ) is defined by Alg E X ( M ) Alg K Alg D x ( Y , W ) ← Z p − 1 ; Y ← g y $ y $ K = Y x ← Z p − 1 x K ← X y M ← W · K − 1 X ← g x W ← K · M return ( X , x ) return M return ( Y , W ) The weakness: There is an algorithm FIND - J X FIND - J J p ( M ) E ( Y , W ) M 36 / 1

  53. IND-CPA attack Given public key X • Produce two messages M 0 , M 1 • Receive encryption ( Y , W ) of M b • Figure out b 37 / 1

  54. IND-CPA attack Given public key X • Produce two messages M 0 , M 1 • Receive encryption ( Y , W ) of M b • Figure out b How? Use: X FIND - J J p ( M b ) E ( Y , W ) M b 37 / 1

  55. IND-CPA attack Given public key X • Let M 0 , M 1 be such that J p ( M 0 ) = − 1 and J p ( M 1 ) = 1 • Receive encryption ( Y , W ) of M b X FIND - J J p ( M b ) E ( Y , W ) M b • if FIND - J ( X , Y , W ) = 1 then return 1 else return 0 38 / 1

  56. IND-CPA attack on EG Let AE EG = ( K , E , D ) be the EG PKE scheme over Z ∗ p where p is a prime. Right world Left world LR M 0 , M 1 M 0 , M 1 LR A A ✲ $ ✲ $ C ← E pk ( M 0 ) C ← E pk ( M 1 ) C C ✛ ✛ adversary A ( X ) M 1 ← 1 ; M 0 ← g $ ( Y , W ) ← LR ( M 0 , M 1 ) if FIND - J ( X , Y , W ) = 1 then return 1 else return 0 Then � � � � Adv ind - cpa Right A Left A = Pr AE EG ⇒ 1 − Pr AE EG ⇒ 1 AE EG , A = 1 − 0 = 1 39 / 1

  57. IND-CPA security of EG We have seen that EG is not IND-CPA over groups G = Z ∗ p for prime p . However it is IND-CPA secure over any group G where the DDH problem is hard. This is not a contradiction because if p is prime then the DDH problem in Z ∗ p is easy even though DL, CDH seem to be hard. We can in particular securely implement EG over • Appropriate prime-order subgroups of Z ∗ p for a prime p • Elliptic curve groups of prime order 40 / 1

  58. Message encoding in AE EG The AE EG asymmetric encryption scheme assumes that messages can be encoded as elements of the underlying group G . But • Messages may be of large and varying lengths, but we want the group to be fixed beforehand and as small as possible • For some groups this encoding is hard even if the messages are short 41 / 1

  59. Speed Asymmetric cryptography is orders of magnitude slower than symmetric cryptography An exponentiation in a 160-bit elliptic curve group costs about the same as 3000-4000 hashes or block cipher operations 42 / 1

  60. Hybrid encryption Build an asymmetric encryption scheme by combining symmetric and asymmetric techniques: • Symmetrically encrypt data under a key K • Asymmetrically encrypt K Benefits: • Speed • No encoding problems 43 / 1

  61. EG again Let G = � g � be a cyclic group of order m and let sk = x and pk = X = g x be AE EG keys. Alg E X ( M ) ← Z p − 1 ; Y ← g y $ y K ← X y W ← K · M return ( Y , W ) In EG, the “symmetric key” is K and it “symmetrically” encrypts M as W = K · M . 44 / 1

  62. An alternative to AE EG Let the “symmetric key” be K = H ( g y � g xy ) rather than merely g xy , where H : { 0 , 1 } ∗ → { 0 , 1 } k is a hash function. Instead of K · M , let W be an encryption of M under K with some known-secure symmetric scheme such as AES-CBC. In this case k = 128 above. 45 / 1

  63. DHIES [ABR] Let G = � g � be a cyclic group of order m , H : { 0 , 1 } ∗ → { 0 , 1 } k a hash function, and SE = ( KS , ES , DS ) a symmetric encryption scheme with k -bit keys. Then DHIES is ( K , E , D ) where Alg K Alg E X ( M ) Alg D x ( Y , C s ) $ Z ← Y x $ x ← Z m ← Z m ; Y ← g y y X ← g x Z ← X y K ← H ( Y � Z ) $ return ( X , x ) K ← H ( Y � Z ) ← DS K ( C s ) M $ return M C s ← ES K ( M ) return ( Y , C s ) 46 / 1

  64. ECIES ECIES is DHIES when G is an elliptic curve group. Operation Cost encryption 2 160-bit exp decryption 1 160-bit exp ciphertext expansion 160-bits ciphertext expansion = (length of ciphertext) - (length of plaintext) 47 / 1

  65. RSA Math Recall that ϕ ( N ) = | Z ∗ N | . Claim: Suppose e , d ∈ Z ∗ ϕ ( N ) satisfy ed ≡ 1 (mod ϕ ( N )). Then for any x ∈ Z ∗ N we have ( x e ) d ≡ x (mod N ) Proof: ( x e ) d ≡ x ed mod ϕ ( N ) ≡ x 1 ≡ x modulo N 48 / 1

  66. The RSA function A modulus N and encryption exponent e define the RSA function f : Z ∗ N → Z ∗ N defined by f ( x ) = x e mod N for all x ∈ Z ∗ N . A value d ∈ Z ∗ ϕ ( N ) satisfying ed ≡ 1 (mod ϕ ( N )) is called a decryption exponent. Claim: The RSA function f : Z ∗ N → Z ∗ N is a permutation with inverse f − 1 : Z ∗ N → Z ∗ N given by f − 1 ( y ) = y d mod N Proof: For all x ∈ Z ∗ N we have f − 1 ( f ( x )) ≡ ( x e ) d ≡ x (mod N ) by previous claim. 49 / 1

  67. Example Let N = 15. So Z ∗ = { 1 , 2 , 4 , 7 , 8 , 11 , 13 , 14 } N ϕ ( N ) = 50 / 1

  68. Example Let N = 15. So Z ∗ = { 1 , 2 , 4 , 7 , 8 , 11 , 13 , 14 } N ϕ ( N ) = 8 Z ∗ = { 1 , 3 , 5 , 7 } ϕ ( N ) x f ( x ) g ( f ( x )) Let e = 3 and d = 3. Then 1 1 ed ≡ 9 ≡ 1 (mod 8) 2 8 4 7 Let 8 x 3 mod 15 f ( x ) = 11 y 3 mod 15 13 g ( y ) = 14 50 / 1

  69. Example Let N = 15. So Z ∗ = { 1 , 2 , 4 , 7 , 8 , 11 , 13 , 14 } N ϕ ( N ) = 8 Z ∗ = { 1 , 3 , 5 , 7 } ϕ ( N ) x f ( x ) g ( f ( x )) Let e = 3 and d = 3. Then 1 1 ed ≡ 9 ≡ 1 (mod 8) 2 8 4 4 7 Let 8 x 3 mod 15 f ( x ) = 11 y 3 mod 15 13 g ( y ) = 14 50 / 1

  70. Example Let N = 15. So Z ∗ = { 1 , 2 , 4 , 7 , 8 , 11 , 13 , 14 } N ϕ ( N ) = 8 Z ∗ = { 1 , 3 , 5 , 7 } ϕ ( N ) x f ( x ) g ( f ( x )) Let e = 3 and d = 3. Then 1 1 ed ≡ 9 ≡ 1 (mod 8) 2 8 4 4 7 13 Let 8 x 3 mod 15 f ( x ) = 11 y 3 mod 15 13 g ( y ) = 14 50 / 1

  71. Example Let N = 15. So Z ∗ = { 1 , 2 , 4 , 7 , 8 , 11 , 13 , 14 } N ϕ ( N ) = 8 Z ∗ = { 1 , 3 , 5 , 7 } ϕ ( N ) x f ( x ) g ( f ( x )) Let e = 3 and d = 3. Then 1 1 ed ≡ 9 ≡ 1 (mod 8) 2 8 4 4 7 13 Let 8 2 x 3 mod 15 f ( x ) = 11 y 3 mod 15 13 g ( y ) = 14 50 / 1

  72. Example Let N = 15. So Z ∗ = { 1 , 2 , 4 , 7 , 8 , 11 , 13 , 14 } N ϕ ( N ) = 8 Z ∗ = { 1 , 3 , 5 , 7 } ϕ ( N ) x f ( x ) g ( f ( x )) Let e = 3 and d = 3. Then 1 1 ed ≡ 9 ≡ 1 (mod 8) 2 8 4 4 7 13 Let 8 2 x 3 mod 15 f ( x ) = 11 11 y 3 mod 15 13 g ( y ) = 14 50 / 1

Recommend

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
Asymmetric Cryptography Key Exchange 3 Recapitulation: Symmetric Encryption One problem: key

Asymmetric Cryptography Key Exchange 3 Recapitulation: Symmetric Encryption One problem: key

Network and Communications Security (IN3210/IN4210) Asymmetric Cryptography Key Exchange 3 Recapitulation: Symmetric Encryption One problem: key exchange Eve 6R4Y2 hlbMZ CB... Dear Dear Bob Decryption Bob Encryption .... ....

831 views • 63 slides
Asymmetric Message Franking Content Moderation for Metadata-Private End-to-End Encryption Nirvan

Asymmetric Message Franking Content Moderation for Metadata-Private End-to-End Encryption Nirvan

Asymmetric Message Franking Content Moderation for Metadata-Private End-to-End Encryption Nirvan Tyagi Paul Grubbs Julia Len Ian Miers Tom Ristenpart CRYPTO 2019 1 Setting: End-to-end encrypted messaging Hello From: Alice To: Bob

1k views • 75 slides
Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019

Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019

I5020 Computer Security Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019 This work is licensed under a Creative Commons Attribution NonCommercial NoDerivatives 4.0 International License.

740 views • 53 slides
Overview Goals of Cryptography Cryptographic Technologies Encryption and Decryption

Overview Goals of Cryptography Cryptographic Technologies Encryption and Decryption

Overview Goals of Cryptography Cryptographic Technologies Encryption and Decryption Algorithms Symmetric Algorithms: DES and AES Asymmetric Algorithm: RSA Pretty Good Privacy (PGP) Chapter 5 Symmetric vs. Asymmetric

363 views • 8 slides
Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable

Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable

Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable Hardware Stefan Heyse, Tim Gneysu Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable Hardware Stefan Heyse, Tim

590 views • 22 slides
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key PKE scheme Encryption (a.k.a. private-key encryption) a.k.a. asymmetric-key encryption PKE SKE: Syntax Syntax KeyGen outputs KeyGen

366 views • 13 slides
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto .

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto .

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto . Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. Mihir Bellare UCSD 2

917 views • 59 slides
Recall: symmetric setting CS 4803 A Computer and Network Security K K Alexandra (Sasha)

Recall: symmetric setting CS 4803 A Computer and Network Security K K Alexandra (Sasha)

Recall: symmetric setting CS 4803 A Computer and Network Security K K Alexandra (Sasha) Boldyreva S R Public-key encryption 1 2 Public-key (asymmetric) setting Asymmetric encryption schemes A scheme AE is specified a key generation

280 views • 4 slides
Recommended Book ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Steven Levy. Crypto . Penguin books. 2001. A

Recommended Book ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Steven Levy. Crypto . Penguin books. 2001. A

Recommended Book ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Steven Levy. Crypto . Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. Mihir Bellare UCSD 1 Mihir Bellare UCSD 2

363 views • 24 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption 2

956 views • 28 slides
Understanding and Implementing Encryption Backdoors By Derek Kern CSC7002 March 31, 2012

Understanding and Implementing Encryption Backdoors By Derek Kern CSC7002 March 31, 2012

Understanding and Implementing Encryption Backdoors By Derek Kern CSC7002 March 31, 2012 Contents The Setup History: The Zimmerman Telegram The Conceit Where to conceal the backdoor Asymmetric vs. Symmetric RSA

711 views • 46 slides
Symmetric and Asymmetric Key Cryptography(Part 2) By Radhika B S Contents Asymmetric Key

Symmetric and Asymmetric Key Cryptography(Part 2) By Radhika B S Contents Asymmetric Key

Symmetric and Asymmetric Key Cryptography(Part 2) By Radhika B S Contents Asymmetric Key Cryptography Security Requirements Advantages Modes of Use Diffie-Hellman Key Exchange RSA Cryptosystem ElGamal

584 views • 32 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

842 views • 26 slides
CSCE 790 Secure Computer Systems Asymmetric Cryptography Professor Qiang Zeng Spring 2020

CSCE 790 Secure Computer Systems Asymmetric Cryptography Professor Qiang Zeng Spring 2020

CSCE 790 Secure Computer Systems Asymmetric Cryptography Professor Qiang Zeng Spring 2020 Previous Class Symmetric Encryption Block Ciphers DES (dont use it), 3-DES, AES Mode of operation: ECB (dont use it), CBC,

563 views • 24 slides
FAST (Harder Better) FAster STronger Cryptography 2020/02/19 Bordeaux Damien Robert

FAST (Harder Better) FAster STronger Cryptography 2020/02/19 Bordeaux Damien Robert

FAST (Harder Better) FAster STronger Cryptography 2020/02/19 Bordeaux Damien Robert quipe LFANT, Inria Bordeaux Sud-Ouest Goal Cryptology: Encryption; Authenticity; Integrity. asymmetric encryption, signatures, zero-knowledge

225 views • 20 slides
FAST (Harder Better) FAster STronger Cryptography 2018/09/18 LIRIMA Meeting, Paris, France

FAST (Harder Better) FAster STronger Cryptography 2018/09/18 LIRIMA Meeting, Paris, France

FAST (Harder Better) FAster STronger Cryptography 2018/09/18 LIRIMA Meeting, Paris, France Damien Robert quipe LFANT, Inria Bordeaux Sud-Ouest Goal Cryptology: Encryption; Authenticity; Integrity. asymmetric encryption, signatures,

683 views • 31 slides
Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from

Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from

Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from previous slides by Prof. Gene Tsudik] 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and

478 views • 23 slides
RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of encryption Wednesday, but none of these is good enough to be used in actual situations. Today well talk about one method, RSA Encryption, which is

1.01k views • 59 slides
Overview What is an Asymmetric Barrier? Median barrier with unbalanced roadway elevations

Overview What is an Asymmetric Barrier? Median barrier with unbalanced roadway elevations

Asymmetric Barrier Design 2/16/2017 Asymmetric Barriers Pete White, PE Systems Assessment Manager - Greenfield, INDOT February 16, 2017 Overview What is an Asymmetric Barrier? Median barrier with unbalanced roadway elevations

706 views • 19 slides
Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric cryptography CS 239 Asymmetric cryptography Computer Security February 5, 2003 Lecture 7 Lecture 7 Page 1 Page 2 CS 239, Winter 2003 CS 239,

263 views • 11 slides
Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric cryptography CS 239 Asymmetric cryptography Computer Security January 26, 2005 Lecture 5 Lecture 5 Page 1 Page 2 CS 239, Winter 2005 CS 239,

321 views • 13 slides
Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message History of encryption dates back to 1900 BC Two types of

533 views • 38 slides

More recommend