
Lecture 10: Cryptography (credit Sagnik). Credit: https://xkcd.com/177/



  1. Lecture 10: Cryptography (credit Sagnik). Credit: https://xkcd.com/177/

  2. Basic Setup
     [Figure: a sender and a receiver. Credit: https://flylib.com/books/en/1.581.1.188/1/]

  3. Recall: XOR
     Recall the XOR operation:

     | $x$ | $y$ | $x \oplus y$ |
     |-----|-----|--------------|
     | 0   | 0   | 0            |
     | 0   | 1   | 1            |
     | 1   | 0   | 1            |
     | 1   | 1   | 0            |

     Notice that for any bits $x$, $b$ we have $(x \oplus b) \oplus b = x$.

  6. One-Time Pad
     Alice (the sender) wants to send an $n$-bit message $m$ to Bob (the receiver).
     Setup:
     - Alice and Bob generate a random key $k$.

     Encryption:
     - Alice encrypts $c = E(m) := m \oplus k$.

     Decryption:
     - Bob decrypts $D(c) := c \oplus k$.

     Notice that $D(E(m)) = (m \oplus k) \oplus k = m$, i.e. Bob always receives the message Alice sent.

  12. One-Time Pad: Disadvantages
      One-Time Pad is the only existing mathematically unbreakable encryption. But if even one of the following conditions is not met, it is no longer unbreakable:
      - $k$ is at least as long as $m$;
      - $k$ is truly random (not generated by a simple computer function);
      - each key is used only once;
      - there should only be two copies of the key: one for Alice and one for Bob.

      But what if I (Alice) want to send my credit card information to Amazon (Bob) to make a purchase?
      - Not practical; I would need to somehow communicate with Amazon to agree on a key for every single purchase.
      - And every single user would have had to do this.

  14. One-Time Pad: Disadvantages
      Solve these issues with public-key cryptography: use pairs of keys
      - public keys: everyone knows!
      - private keys: only Bob knows.

  20. RSA Protocol
      Everyone can send messages to Bob. For now, let's say Alice wants to send a message $m$ to Bob.
      Setup:
      - Bob chooses two large (2048-bit) distinct primes $p$, $q$.
      - Bob chooses $e$ such that $\gcd(e, (p-1)(q-1)) = 1$.
      - The public key is $(N, e)$, where $N = pq$.
      - Bob computes the private key $d := e^{-1} \bmod (p-1)(q-1)$.

      Encryption:
      - Alice encrypts $c = E(m) := m^e \bmod N$.

      Decryption:
      - Bob decrypts $D(c) := c^d \bmod N$.

  23. # TODO
      We need to analyze:
      - Correctness: $D(E(m)) = m$?
      - Efficiency: Can Alice and Bob perform their steps efficiently?
      - Security: Can Eve break it?

  24. Fermat's Little Theorem
      Theorem: Let $p$ be a prime and $a \not\equiv 0 \pmod p$. Then $a^{p-1} \equiv 1 \pmod p$.
      Proof (handwritten on the slide). Consider $f : \{0, 1, \dots, p-1\} \to \{0, 1, \dots, p-1\}$, $f(x) = ax \bmod p$. $f$ is a bijection, since $p$ is a prime and so $a^{-1}$ modulo $p$ exists. Since $f(0) = 0 \cdot a \bmod p = 0$, $f$ also permutes $\{1, \dots, p-1\}$. Hence $\prod_{x=1}^{p-1} x \equiv \prod_{x=1}^{p-1} ax \equiv a^{p-1} \prod_{x=1}^{p-1} x \pmod p$, and therefore $a^{p-1} \equiv 1 \pmod p$.

  25. Goal (handwritten slide): $D(E(m)) = m$, i.e. $m^{ed} \bmod N = m$.
      [Handwritten worked example on finding one solution and all solutions of congruences with coprime moduli; details not legible.]

  26. RSA correctness
      Theorem: Let $D$, $E$ be the RSA decryption and RSA encryption functions respectively. Then $D(E(m)) = m$, i.e. the RSA protocol always decrypts correctly.
      Proof (handwritten on the slide). Let $x = m^{ed} \bmod N$, where $N = pq$. Since $ed \equiv 1 \pmod{(p-1)(q-1)}$, we have $ed = 1 + k(p-1)(q-1)$ for some integer $k$.
      - If $m \not\equiv 0 \pmod p$, then by FLT $m^{ed} = m \cdot (m^{p-1})^{k(q-1)} \equiv m \pmod p$.
      - If $m \equiv 0 \pmod p$, then $m^{ed} \equiv 0 \equiv m \pmod p$.

      Similarly, $m^{ed} \equiv m \pmod q$. Thus $x \equiv m \pmod p$ and $x \equiv m \pmod q$, and by CRT the solution is unique modulo $N = pq$. Notice that $x = m$ is a solution, i.e. $m^{ed} \bmod N = m$.

  30. RSA Efficiency
      Setup:
      - Bob chooses two large distinct primes $p$ and $q$. how???
      - Bob chooses $e$ such that $\gcd(e, (p-1)(q-1)) = 1$. how??? (choose a prime, like 3)
      - Bob computes $d := e^{-1} \bmod (p-1)(q-1)$. how??? (extended Euclidean algorithm is fast!)

      Encryption:
      - Alice encrypts $c = E(m) := m^e \bmod N$. how??? (repeated squaring is fast!)

      Decryption:
      - $D(c) = c^d \bmod N$.
