Lecture 8: Cryptography Trust No One. 1 / 20 Cryptography: Basic - PowerPoint PPT Presentation

Lecture 8: Cryptography Trust No One. 1 / 20

Cryptography: Basic Set Up Alice Bob Eve Goal: system st Bob gets the message, Eve doesn’t 2 / 20

Cryptography: Basic Set Up Alice Bob Eve Goal: system st Bob gets the message, Eve doesn’t 2 / 20

Cryptography: Basic Set Up Alice Bob Eve Goal: system st Bob gets the message, Eve doesn’t 2 / 20

Cryptography: Basic Set Up Alice Bob Eve Goal: system st Bob gets the message, Eve doesn’t 2 / 20

Cryptography: Basic Set Up Alice Bob Eve Goal: system st Bob gets the message, Eve doesn’t 2 / 20

Cryptography: Basic Set Up Alice Bob Eve Goal: system st Bob gets the message, Eve doesn’t 2 / 20

Cryptography: Basic Set Up Alice Bob Eve Goal: system st Bob gets the message, Eve doesn’t 2 / 20

XOR 1 1 fmips twice 0 doesn’t fmip, b b x for any bits x , b b b x Claim : 0 1 1 First scheme built on the XOR operation: 0 1 1 1 0 0 0 0 y x 3 / 20 x ⊕ y

XOR First scheme built on the XOR operation: 1 fmips twice 0 doesn’t fmip, b b 0 1 1 1 0 1 1 1 0 0 0 0 y x 3 / 20 x ⊕ y Claim : ( x ⊕ b ) ⊕ b = x for any bits x , b

XOR First scheme built on the XOR operation: 0 1 1 1 0 1 1 1 0 0 0 0 y x 3 / 20 x ⊕ y Claim : ( x ⊕ b ) ⊕ b = x for any bits x , b b = 0 doesn’t fmip, b = 1 fmips twice

E p m B decrypts m D p c One-Time Pad Can Eve read the message? Does Bob receive the message correctly? p c p Decryption : Alice wants to send an n -bit message m to Bob m A creates ciphertext c Encryption : A and B generate random n -bit pad p Setup : 4 / 20

E p m B decrypts m D p c One-Time Pad Can Eve read the message? Does Bob receive the message correctly? p c p Decryption : Alice wants to send an n -bit message m to Bob m A creates ciphertext c Encryption : Setup : 4 / 20 ▶ A and B generate random n -bit pad p

B decrypts m D p c One-Time Pad Alice wants to send an n -bit message m to Bob Setup : Encryption : Decryption : c p Does Bob receive the message correctly? Can Eve read the message? 4 / 20 ▶ A and B generate random n -bit pad p ▶ A creates ciphertext c = E p ( m ) := m ⊕ p

One-Time Pad Alice wants to send an n -bit message m to Bob Setup : Encryption : Decryption : Does Bob receive the message correctly? Can Eve read the message? 4 / 20 ▶ A and B generate random n -bit pad p ▶ A creates ciphertext c = E p ( m ) := m ⊕ p ▶ B decrypts m = D p ( c ) := c ⊕ p

One-Time Pad Alice wants to send an n -bit message m to Bob Setup : Encryption : Decryption : Does Bob receive the message correctly? Can Eve read the message? 4 / 20 ▶ A and B generate random n -bit pad p ▶ A creates ciphertext c = E p ( m ) := m ⊕ p ▶ B decrypts m = D p ( c ) := c ⊕ p

messages m & pads p , D p E p m E p m p , so D p E p m By previous claim, each bit of m stays the same Thus D p E p m p m Each bit of m XORed by same bit twice p OTP Correctness m Claim : Bob always receives the message Alice sent. m Proof : m Formally: 5 / 20

E p m p , so D p E p m By previous claim, each bit of m stays the same Thus D p E p m OTP Correctness Claim : Bob always receives the message Alice sent. Proof : m m p p Each bit of m XORed by same bit twice m 5 / 20 Formally: ∀ messages m & pads p , D p ( E p ( m )) = m

By previous claim, each bit of m stays the same Thus D p E p m OTP Correctness Claim : Bob always receives the message Alice sent. Proof : Each bit of m XORed by same bit twice m 5 / 20 Formally: ∀ messages m & pads p , D p ( E p ( m )) = m ▶ E p ( m ) = m ⊕ p , so D p ( E p ( m )) = ( m ⊕ p ) ⊕ p

Thus D p E p m OTP Correctness Claim : Bob always receives the message Alice sent. Proof : m 5 / 20 Formally: ∀ messages m & pads p , D p ( E p ( m )) = m ▶ E p ( m ) = m ⊕ p , so D p ( E p ( m )) = ( m ⊕ p ) ⊕ p ▶ Each bit of m XORed by same bit twice ▶ By previous claim, each bit of m stays the same

OTP Correctness Claim : Bob always receives the message Alice sent. Proof : 5 / 20 Formally: ∀ messages m & pads p , D p ( E p ( m )) = m ▶ E p ( m ) = m ⊕ p , so D p ( E p ( m )) = ( m ⊕ p ) ⊕ p ▶ Each bit of m XORed by same bit twice ▶ By previous claim, each bit of m stays the same ▶ Thus D p ( E p ( m )) = m

pad p st E p m Then E p m m w/o pad, c says nothing about m ! 1 ifg i th bit needs to fmip Intuition: set p i c m m c OTP Security p Claim : Any message possible just given ciphertext. m c Take p Proof : c c & m , Formally: 6 / 20

Then E p m OTP Security c w/o pad, c says nothing about m ! 1 ifg i th bit needs to fmip Intuition: set p i c m m m Claim : Any message possible just given ciphertext. p m c Take p Proof : 6 / 20 Formally: ∀ c & m , ∃ pad p st E p ( m ) = c

Then E p m OTP Security Claim : Any message possible just given ciphertext. Proof : p m c m m c Intuition: set p i 1 ifg i th bit needs to fmip w/o pad, c says nothing about m ! 6 / 20 Formally: ∀ c & m , ∃ pad p st E p ( m ) = c ▶ Take p = c ⊕ m

OTP Security Claim : Any message possible just given ciphertext. Proof : Intuition: set p i 1 ifg i th bit needs to fmip w/o pad, c says nothing about m ! 6 / 20 Formally: ∀ c & m , ∃ pad p st E p ( m ) = c ▶ Take p = c ⊕ m ▶ Then E p ( m ) = p ⊕ m = ( c ⊕ m ) ⊕ m = c

OTP Security Claim : Any message possible just given ciphertext. Proof : w/o pad, c says nothing about m ! 6 / 20 Formally: ∀ c & m , ∃ pad p st E p ( m ) = c ▶ Take p = c ⊕ m ▶ Then E p ( m ) = p ⊕ m = ( c ⊕ m ) ⊕ m = c Intuition: set p i = 1 ifg i th bit needs to fmip

OTP Security Claim : Any message possible just given ciphertext. Proof : w/o pad, c says nothing about m ! 6 / 20 Formally: ∀ c & m , ∃ pad p st E p ( m ) = c ▶ Take p = c ⊕ m ▶ Then E p ( m ) = p ⊕ m = ( c ⊕ m ) ⊕ m = c Intuition: set p i = 1 ifg i th bit needs to fmip

Problems With OTP How do Alice and Bob agree on their pad? Can’t just send it over the channel! Secure only for a single message — can’t reuse pad! Solve these issues with public key cryptography Idea: don’t assume shared secret key Have separate private (only Bob) and public keys 7 / 20

Problems With OTP How do Alice and Bob agree on their pad? Can’t just send it over the channel! Secure only for a single message — can’t reuse pad! Solve these issues with public key cryptography Idea: don’t assume shared secret key Have separate private (only Bob) and public keys 7 / 20

Problems With OTP How do Alice and Bob agree on their pad? Can’t just send it over the channel! Secure only for a single message — can’t reuse pad! Solve these issues with public key cryptography Idea: don’t assume shared secret key Have separate private (only Bob) and public keys 7 / 20

Problems With OTP How do Alice and Bob agree on their pad? Can’t just send it over the channel! Secure only for a single message — can’t reuse pad! Solve these issues with public key cryptography Idea: don’t assume shared secret key Have separate private (only Bob) and public keys 7 / 20

Problems With OTP How do Alice and Bob agree on their pad? Can’t just send it over the channel! Secure only for a single message — can’t reuse pad! Solve these issues with public key cryptography Idea: don’t assume shared secret key Have separate private (only Bob) and public keys 7 / 20

e 1 E N e m D N d c p N c d B decrypts m Decryption : N m e A encrypts c Encryption : 1 1 q “Textbook” RSA Protocol Alice wants to send an n -bit message m to Bob B keeps p , q , d pq and e B publicizes N 1 1 1 q p e B chooses e st 2 n B chooses primes p , q st pq Setup : 8 / 20

E N e m D N d c m e N c d B decrypts m Decryption : N “Textbook” RSA Protocol Alice wants to send an n -bit message m to Bob A encrypts c Encryption : Setup : 8 / 20 ▶ B chooses primes p , q st pq > 2 n ▶ B chooses e st gcd( e , ( p − 1 )( q − 1 )) = 1 ▶ B publicizes N = pq and e ▶ B keeps p , q , d = e − 1 (mod ( p − 1 )( q − 1 ))

D N d c “Textbook” RSA Protocol Alice wants to send an n -bit message m to Bob Setup : Encryption : Decryption : B decrypts m c d N 8 / 20 ▶ B chooses primes p , q st pq > 2 n ▶ B chooses e st gcd( e , ( p − 1 )( q − 1 )) = 1 ▶ B publicizes N = pq and e ▶ B keeps p , q , d = e − 1 (mod ( p − 1 )( q − 1 )) ▶ A encrypts c = E N , e ( m ) := m e (mod N )

“Textbook” RSA Protocol Alice wants to send an n -bit message m to Bob Setup : Encryption : Decryption : 8 / 20 ▶ B chooses primes p , q st pq > 2 n ▶ B chooses e st gcd( e , ( p − 1 )( q − 1 )) = 1 ▶ B publicizes N = pq and e ▶ B keeps p , q , d = e − 1 (mod ( p − 1 )( q − 1 )) ▶ A encrypts c = E N , e ( m ) := m e (mod N ) ▶ B decrypts m = D N , d ( c ) := c d (mod N )

i i i ia i i i i 1 , get 1 Fermat’s Little Theorem p p a p 1 Multiply by p a p 1 Means p 1 a a 2 a 1 p 1 2 S p p is bijection S p ax Claim: f x 1 p 1 2 3 Consider set S p Proof : 9 / 20 Theorem : Let p be a prime and a ̸≡ 0 (mod p ) . Then a p − 1 ≡ 1 (mod p ) .