Practical aspects of modern cryptography
Download
1 / 216

Practical Aspects of Modern Cryptography - PowerPoint PPT Presentation


  • 98 Views
  • Uploaded on

Practical Aspects of Modern Cryptography. Josh Benaloh Brian LaMacchia John Manferdelli. Cryptography is. Protecting Privacy of Data Authentication of Identities Preservation of Integrity … basically any protocols designed to operate in an environment absent of universal trust.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Practical Aspects of Modern Cryptography' - carol-matthews


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Practical aspects of modern cryptography

Practical Aspects of Modern Cryptography

Josh Benaloh

Brian LaMacchia

John Manferdelli


Cryptography is
Cryptography is ...

  • Protecting Privacy of Data

  • Authentication of Identities

  • Preservation of Integrity

    … basically any protocols designed to operate in an environment absent of universal trust.

Practical Aspects of Modern Cryptography


Characters
Characters

Alice

Practical Aspects of Modern Cryptography


Characters1
Characters

Bob

Practical Aspects of Modern Cryptography


Basic communication
Basic Communication

Alice talking to Bob

Practical Aspects of Modern Cryptography


Another character
Another Character

Eve

Practical Aspects of Modern Cryptography


Basic communication problem
Basic Communication Problem

Eve listening to Alice talking to Bob

Practical Aspects of Modern Cryptography


Two party environments
Two-Party Environments

Alice Bob

Practical Aspects of Modern Cryptography


Remote coin flipping
Remote Coin Flipping

  • Alice and Bob decide to make a decision by flipping a coin.

  • Alice and Bob are not in the same place.

Practical Aspects of Modern Cryptography


Ground rule
Ground Rule

Protocol must be asynchronous.

  • We cannot assume simultaneous actions.

  • Players must take turns.

Practical Aspects of Modern Cryptography


Is remote coin flipping possible
Is Remote Coin Flipping Possible?

Practical Aspects of Modern Cryptography


Is remote coin flipping possible1
Is Remote Coin Flipping Possible?

Two-part answer:

Practical Aspects of Modern Cryptography


Is remote coin flipping possible2
Is Remote Coin Flipping Possible?

Two-part answer:

  • NO – I will sketch a formal proof.

Practical Aspects of Modern Cryptography


Is remote coin flipping possible3
Is Remote Coin Flipping Possible?

Two-part answer:

  • NO – I will sketch a formal proof.

  • YES – I will provide an effective protocol.

Practical Aspects of Modern Cryptography


A protocol flow tree
A Protocol Flow Tree

A:

B:

A:

B:

Practical Aspects of Modern Cryptography


A protocol flow tree1
A Protocol Flow Tree

A:

B:

B

B

B

A

B

A

A:

A

B

B

B

B

A

B

A

B:

B

A

B

B

A

B

A

Practical Aspects of Modern Cryptography


Pruning the tree
Pruning the Tree

A

A

A

A

B

B

B

B

Practical Aspects of Modern Cryptography


Pruning the tree1
Pruning the Tree

A:

A

A

B:

B

B

Practical Aspects of Modern Cryptography


A protocol flow tree2
A Protocol Flow Tree

A:

B:

B

B

B

A

B

A

A:

A

B

B

B

B

A

B

A

B:

B

A

B

B

A

B

A

Practical Aspects of Modern Cryptography


A protocol flow tree3
A Protocol Flow Tree

A:

B:

B

B

B

A

B

A

A:

A

B

B

B

B

B

A

B

A

B:

A

B

A

Practical Aspects of Modern Cryptography


A protocol flow tree4
A Protocol Flow Tree

A:

B:

B

B

B

A

B

A

A:

A

B

B

B

B

B

B

A

B

A

B:

Practical Aspects of Modern Cryptography


A protocol flow tree5
A Protocol Flow Tree

A:

B:

B

B

A

B

A

B

A

A:

B

B

B

B

B

A

B

A

B:

Practical Aspects of Modern Cryptography


A protocol flow tree6
A Protocol Flow Tree

A:

B:

B

B

A

A

B

A

B

A

A:

B

B

B

B

A

B:

Practical Aspects of Modern Cryptography


A protocol flow tree7
A Protocol Flow Tree

A:

B:

B

B

A

A

A

B

A

B

A

A:

B

B

B

B:

Practical Aspects of Modern Cryptography


A protocol flow tree8
A Protocol Flow Tree

A:

B:

B

B

A

A

A

B

B

A

B

A

A:

B:

Practical Aspects of Modern Cryptography


A protocol flow tree9
A Protocol Flow Tree

A:

B

B:

B

A

A

B

A

B

A

A:

B:

Practical Aspects of Modern Cryptography


A protocol flow tree10
A Protocol Flow Tree

A:

B

A

B:

B

A

B

B

A

A:

B:

Practical Aspects of Modern Cryptography


A protocol flow tree11
A Protocol Flow Tree

A:

B

A

B

B:

B

B

A

A:

B:

Practical Aspects of Modern Cryptography


A protocol flow tree12
A Protocol Flow Tree

A:

B

A

B

B

B:

A:

B:

Practical Aspects of Modern Cryptography


A protocol flow tree13
A Protocol Flow Tree

A

A:

B:

A:

B:

Practical Aspects of Modern Cryptography


A protocol flow tree14
A Protocol Flow Tree

A

Practical Aspects of Modern Cryptography


Completing the pruning
Completing the Pruning

When the pruning is complete one will end up with either

Practical Aspects of Modern Cryptography


Completing the pruning1
Completing the Pruning

When the pruning is complete one will end up with either

  • a winner before the protocol has begun, or

Practical Aspects of Modern Cryptography


Completing the pruning2
Completing the Pruning

When the pruning is complete one will end up with either

  • a winner before the protocol has begun, or

  • a useless infinite game.

Practical Aspects of Modern Cryptography


Conclusion of part i
Conclusion of Part I

Remote coin flipping is utterly impossible!!!

Practical Aspects of Modern Cryptography


How to remotely flip a coin
How to Remotely Flip a Coin

Practical Aspects of Modern Cryptography


How to remotely flip a coin1
How to Remotely Flip a Coin

The INTEGERS

Practical Aspects of Modern Cryptography


How to remotely flip a coin2
How to Remotely Flip a Coin

The INTEGERS

0 4 8 12 16 …

Practical Aspects of Modern Cryptography


How to remotely flip a coin3
How to Remotely Flip a Coin

The INTEGERS

0 4 8 12 16 …

1 5 9 13 17 …

Practical Aspects of Modern Cryptography


How to remotely flip a coin4
How to Remotely Flip a Coin

The INTEGERS

0 4 8 12 16 …

1 5 9 13 17 …

2 6 10 14 18 …

Practical Aspects of Modern Cryptography


How to remotely flip a coin5
How to Remotely Flip a Coin

The INTEGERS

0 4 8 12 16 …

1 5 9 13 17 …

2 6 10 14 18 …

3 7 11 15 19 …

Practical Aspects of Modern Cryptography


How to remotely flip a coin6
How to Remotely Flip a Coin

The INTEGERS

0 4 8 12 16 …

1 5 9 13 17 …

2 6 10 14 18 …

3 7 11 15 19 …

Even

Practical Aspects of Modern Cryptography


How to remotely flip a coin7
How to Remotely Flip a Coin

The INTEGERS

0 4 8 12 16 …

1 5 9 13 17 …

2 6 10 14 18 …

3 7 11 15 19 …

4n + 1:

4n -1:

Practical Aspects of Modern Cryptography


How to remotely flip a coin8
How to Remotely Flip a Coin

The INTEGERS

0 4 8 12 16 …

1 5 9 13 17 …

2 6 10 14 18 …

3 7 11 15 19 …

Type +1:

Type-1:

Practical Aspects of Modern Cryptography


How to remotely flip a coin9
How to Remotely Flip a Coin

Fact 1

Multiplying two (odd) integers of the same type always yields a product of Type +1.

(4p+1)(4q+1)= 16pq+4p+4q+1 = 4(4pq+p+q)+1

(4p–1)(4q–1) =16pq–4p–4q+1 = 4(4pq–p–q)+1

Practical Aspects of Modern Cryptography


How to remotely flip a coin10
How to Remotely Flip a Coin

Fact 2

There is no known method (other than factoring) to distinguish a product of two “Type +1” integers from a product of two “Type –1” integers.

Practical Aspects of Modern Cryptography


How to remotely flip a coin11
How to Remotely Flip a Coin

Fact 3

Factoring large integers is believed to be much harder than multiplying large integers.

Practical Aspects of Modern Cryptography


How to remotely flip a coin12
How to Remotely Flip a Coin

Practical Aspects of Modern Cryptography


How to remotely flip a coin13

Alice

Bob

How to Remotely Flip a Coin

Practical Aspects of Modern Cryptography


How to remotely flip a coin14

Alice

Randomly select a bit b{1} and two large integers P and Q – both of type b.

Bob

How to Remotely Flip a Coin

Practical Aspects of Modern Cryptography


How to remotely flip a coin15

Alice

Randomly select a bit b{1} and two large integers P and Q – both of type b.

Compute N = PQ.

Bob

How to Remotely Flip a Coin

Practical Aspects of Modern Cryptography


How to remotely flip a coin16

Alice

Randomly select a bit b{1} and two large integers P and Q – both of type b.

Compute N = PQ.

Send N to Bob.

Bob

How to Remotely Flip a Coin

Practical Aspects of Modern Cryptography


How to remotely flip a coin17
How to Remotely Flip a Coin

Alice Bob

N

Practical Aspects of Modern Cryptography


How to remotely flip a coin18

Alice

Randomly select a bit b{1} and two large integers P and Q – both of type b.

Compute N = PQ.

Send N to Bob.

Bob

How to Remotely Flip a Coin

Practical Aspects of Modern Cryptography


How to remotely flip a coin19

Bob

After receiving N from Alice, guess the value of band send this guess to Alice.

How to Remotely Flip a Coin

Alice

  • Randomly select a bit b{1} and two large integers P and Q – both of type b.

  • Compute N = PQ.

  • Send N to Bob.

Practical Aspects of Modern Cryptography


How to remotely flip a coin20
How to Remotely Flip a Coin

Alice Bob

b

Practical Aspects of Modern Cryptography


How to remotely flip a coin21

Bob

After receiving N from Alice, guess the value of band send this guess to Alice.

How to Remotely Flip a Coin

Alice

  • Randomly select a bit b{1} and two large integers P and Q – both of type b.

  • Compute N = PQ.

  • Send N to Bob.

Practical Aspects of Modern Cryptography


How to remotely flip a coin22

Bob

After receiving N from Alice, guess the value of band send this guess to Alice.

Alice

Randomly select a bit b{1} and two large integers P and Q – both of type b.

Compute N = PQ.

Send N to Bob.

How to Remotely Flip a Coin

Bob wins if and only

if he correctly guesses

the value of b.

Practical Aspects of Modern Cryptography


How to remotely flip a coin23

Bob

After receiving N from Alice, guess the value of band send this guess to Alice.

Alice

Randomly select a bit b{1} and two large integers P and Q – both of type b.

Compute N = PQ.

Send N to Bob.

After receiving bfrom Bob, reveal Pand Q.

How to Remotely Flip a Coin

Bob wins if and only

if he correctly guesses

the value of b.

Practical Aspects of Modern Cryptography


How to remotely flip a coin24
How to Remotely Flip a Coin

Alice Bob

P,Q

Practical Aspects of Modern Cryptography


How to remotely flip a coin25

Bob

After receiving N from Alice, guess the value of band send this guess to Alice.

Alice

Randomly select a bit b{1} and two large integers P and Q – both of type b.

Compute N = PQ.

Send N to Bob.

After receiving bfrom Bob, reveal Pand Q.

How to Remotely Flip a Coin

Bob wins if and only

if he correctly guesses

the value of b.

Practical Aspects of Modern Cryptography


Let s play
Let’s Play

The INTEGERS

0 4 8 12 16 …

1 5 9 13 17 …

2 6 10 14 18 …

3 7 11 15 19 …

Type +1:

Type-1:

Practical Aspects of Modern Cryptography


How to remotely flip a coin26

Bob

After receiving N from Alice, guess the value of band send this guess to Alice.

Alice

Randomly select a bit b{1} and two large integers P and Q – both of type b.

Compute N = PQ.

Send N to Bob.

After receiving bfrom Bob, reveal Pand Q.

How to Remotely Flip a Coin

Bob wins if and only

if he correctly guesses

the value of b.

Practical Aspects of Modern Cryptography


How to remotely flip a coin27

Bob

After receiving N from Alice, guess the value of band send this guess to Alice.

Alice

Randomly select a bit b{1} and two large primesP and Q – both of type b.

Compute N = PQ.

Send N to Bob.

After receiving bfrom Bob, reveal Pand Q.

How to Remotely Flip a Coin

Bob wins if and only

if he correctly guesses

the value of b.

Practical Aspects of Modern Cryptography


Checking primality
Checking Primality

Basic result from group theory –

If pis a prime, then for integers a such that 0 < a < p, then ap-1 mod p = 1.

This is almost never true when p is composite.

Practical Aspects of Modern Cryptography


How are the answers reconciled
How are the Answers Reconciled?

Practical Aspects of Modern Cryptography


How are the answers reconciled1
How are the Answers Reconciled?

  • The impossibility proof assumed unlimited computational ability.

Practical Aspects of Modern Cryptography


How are the answers reconciled2
How are the Answers Reconciled?

  • The impossibility proof assumed unlimited computational ability.

  • The protocol is not 50/50 – Bob has a small advantage.

Practical Aspects of Modern Cryptography


Applications of remote flipping
Applications of Remote Flipping

  • Remote Card Playing

  • Internet Gambling

  • Various “Fair” Agreement Protocols

Practical Aspects of Modern Cryptography


Bit commitment
Bit Commitment

We have implemented remote coin flipping via bit commitment.

Commitment protocols can also be used for

  • Sealed bidding

  • Undisclosed contracts

  • Authenticated predictions

Practical Aspects of Modern Cryptography


One way functions
One-Way Functions

We have implemented bit commitment via one-way functions.

One-way functions can be used for

  • Authentication

  • Data integrity

  • Strong “randomness”

Practical Aspects of Modern Cryptography


One way functions1
One-Way Functions

Practical Aspects of Modern Cryptography


One way functions2
One-Way Functions

Two basic classes of one-way functions

Practical Aspects of Modern Cryptography


One way functions3
One-Way Functions

Two basic classes of one-way functions

  • Mathematical

Practical Aspects of Modern Cryptography


One way functions4
One-Way Functions

Two basic classes of one-way functions

  • Mathematical

    • Multiplication: Z=X•Y

Practical Aspects of Modern Cryptography


One way functions5
One-Way Functions

Two basic classes of one-way functions

  • Mathematical

    • Multiplication: Z=X•Y

    • Modular Exponentiation: Z =YXmod N

Practical Aspects of Modern Cryptography


One way functions6
One-Way Functions

Two basic classes of one-way functions

  • Mathematical

    • Multiplication: Z=X•Y

    • Modular Exponentiation: Z =YXmod N

  • Ugly

Practical Aspects of Modern Cryptography


The fundamental equation
The Fundamental Equation

Z=YX mod N

Practical Aspects of Modern Cryptography


The fundamental equation1
The Fundamental Equation

Z=YX mod N

When Z is unknown, it can be efficiently computed.

Practical Aspects of Modern Cryptography


The fundamental equation2
The Fundamental Equation

Z=YXmod N

When X is unknown, the problem is known as the discrete logarithm and is generally believed to be hard to solve.

Practical Aspects of Modern Cryptography


The fundamental equation3
The Fundamental Equation

Z=YXmod N

When Y is unknown, the problem is known as discrete root finding and is generally believed to be hard to solve...

Practical Aspects of Modern Cryptography


The fundamental equation4
The Fundamental Equation

Z=YXmod N

… unless the factorization of Nis known.

Practical Aspects of Modern Cryptography


The fundamental equation5
The Fundamental Equation

Z=YX modN

The problem is not well-studied for the case when N is unknown.

Practical Aspects of Modern Cryptography


Implementation
Implementation

Z=YX mod N

Practical Aspects of Modern Cryptography


How to compute y x mod n
How to compute YX mod N

Practical Aspects of Modern Cryptography


How to compute y x mod n1
How to compute YX mod N

Compute YX and then reduce modN.

Practical Aspects of Modern Cryptography


How to compute y x mod n2
How to compute YX mod N

Compute YX and then reduce modN.

  • If X, Y, and Neach are 1,000-bit integers, YXconsists of ~21010 bits.

Practical Aspects of Modern Cryptography


How to compute y x mod n3
How to compute YX mod N

Compute YX and then reduce modN.

  • If X, Y, and Neach are 1,000-bit integers, YXconsists of ~21010 bits.

  • Since there are roughly 2250 particles in the universe, storage is a problem.

Practical Aspects of Modern Cryptography


How to compute y x mod n4
How to compute YX mod N

Practical Aspects of Modern Cryptography


How to compute y x mod n5
How to compute YX mod N

  • Repeatedly multiplying by Y(followed each time by a reduction modulo N) Xtimes solves the storage problem.

Practical Aspects of Modern Cryptography


How to compute y x mod n6
How to compute YX mod N

  • Repeatedly multiplying by Y(followed each time by a reduction modulo N) Xtimes solves the storage problem.

  • However, we would need to perform ~2900 32-bit multiplications per second to complete the computation before the sun burns out.

Practical Aspects of Modern Cryptography


How to compute y x mod n7
How to compute YX mod N

Practical Aspects of Modern Cryptography


How to compute y x mod n8
How to compute YX mod N

Multiplication by Repeated Doubling

Practical Aspects of Modern Cryptography


How to compute y x mod n9
How to compute YX mod N

Multiplication by Repeated Doubling

To compute X • Y,

Practical Aspects of Modern Cryptography


How to compute y x mod n10
How to compute YX mod N

Multiplication by Repeated Doubling

To compute X • Y,

computeY, 2Y, 4Y, 8Y, 16Y,…

Practical Aspects of Modern Cryptography


How to compute y x mod n11
How to compute YX mod N

Multiplication by Repeated Doubling

To compute X • Y,

computeY, 2Y, 4Y, 8Y, 16Y,…

and sum up those values dictated by the binary representation of X.

Practical Aspects of Modern Cryptography


How to compute y x mod n12
How to compute YX mod N

Multiplication by Repeated Doubling

To compute X • Y,

computeY, 2Y, 4Y, 8Y, 16Y,…

and sum up those values dictated by the binary representation of X.

Example: 26Y=2Y+8Y+16Y.

Practical Aspects of Modern Cryptography


How to compute y x mod n13
How to compute YX mod N

Practical Aspects of Modern Cryptography


How to compute y x mod n14
How to compute YX mod N

Exponentiation by Repeated Squaring

Practical Aspects of Modern Cryptography


How to compute y x mod n15
How to compute YX mod N

Exponentiation by Repeated Squaring

To compute YX,

Practical Aspects of Modern Cryptography


How to compute y x mod n16
How to compute YX mod N

Exponentiation by Repeated Squaring

To compute YX,

computeY, Y2, Y4, Y8, Y16, …

Practical Aspects of Modern Cryptography


How to compute y x mod n17
How to compute YX mod N

Exponentiation by Repeated Squaring

To compute YX,

computeY, Y2, Y4, Y8, Y16, …

and multiply those values dictated by the binary representation of X.

Practical Aspects of Modern Cryptography


How to compute y x mod n18
How to compute YX mod N

Exponentiation by Repeated Squaring

To compute YX,

computeY, Y2, Y4, Y8, Y16, …

and multiply those values dictated by the binary representation of X.

Example: Y26=Y2•Y8•Y16.

Practical Aspects of Modern Cryptography


How to compute y x mod n19
How to compute YXmodN

We can now perform a 1,000-bit modular exponentiation using ~1,500 1,000-bit modular multiplications.

  • 1,000 squarings: y, y2, y4, …, y21000

  • ~500 “ordinary” multiplications

Practical Aspects of Modern Cryptography


Sliding window method
Sliding Window Method

One way to speed up modular exponentiation is by precomputation of many small products.

For instance, if you have y, y2, y3, …, y15 computed in advance, you can multiply by (for example) y13 without having to multiply individually by y,y4, and y8.

Practical Aspects of Modern Cryptography


Large integer operations
Large-Integer Operations

  • Addition and Subtraction

  • Multiplication

  • Division and Remainder (Mod N)

  • Exponentiation

Practical Aspects of Modern Cryptography


Large integer addition
Large-Integer Addition

+

Practical Aspects of Modern Cryptography


Large integer addition1
Large-Integer Addition

+

Practical Aspects of Modern Cryptography


Large integer addition2
Large-Integer Addition

+

Practical Aspects of Modern Cryptography


Large integer addition3
Large-Integer Addition

+

Practical Aspects of Modern Cryptography


Large integer addition4
Large-Integer Addition

+

Practical Aspects of Modern Cryptography


Large integer addition5
Large-Integer Addition

+

Practical Aspects of Modern Cryptography


Large integer addition6
Large-Integer Addition

In general, adding two large integers – each consisting of n small blocks – requires O(n) small-integer additions.

Large-integer subtraction is similar.

Practical Aspects of Modern Cryptography


Large integer multiplication
Large-Integer Multiplication

Practical Aspects of Modern Cryptography


Large integer multiplication1
Large-Integer Multiplication

Practical Aspects of Modern Cryptography


Large integer multiplication2
Large-Integer Multiplication

Practical Aspects of Modern Cryptography


Large integer multiplication3
Large-Integer Multiplication

Practical Aspects of Modern Cryptography


Large integer multiplication4
Large-Integer Multiplication

Practical Aspects of Modern Cryptography


Large integer multiplication5
Large-Integer Multiplication

Practical Aspects of Modern Cryptography


Large integer multiplication6
Large-Integer Multiplication

In general, multiplying two large integers – each consisting of n small blocks – requires O(n2) small-integer multiplications and O(n)large-integer additions.

Practical Aspects of Modern Cryptography


Large integer squaring
Large-Integer Squaring

Practical Aspects of Modern Cryptography


Large integer squaring1
Large-Integer Squaring

Practical Aspects of Modern Cryptography


Large integer squaring2
Large-Integer Squaring

Practical Aspects of Modern Cryptography


Large integer squaring3
Large-Integer Squaring

Careful bookkeeping can save nearly half of the small-integer multiplications (and nearly half of the time).

Practical Aspects of Modern Cryptography


Recall computing y x mod n
Recall computing YXmodN

  • About 2/3 of the multiplications required to compute YX are actually squarings.

  • Overall, efficient squaring can save about 1/3 of the small multiplications required for modular exponentiation.

Practical Aspects of Modern Cryptography


Karatsuba multiplication
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

Practical Aspects of Modern Cryptography


Karatsuba multiplication1
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

Practical Aspects of Modern Cryptography


Karatsuba multiplication2
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

Practical Aspects of Modern Cryptography


Karatsuba multiplication3
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

Practical Aspects of Modern Cryptography


Karatsuba multiplication4
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

Practical Aspects of Modern Cryptography


Karatsuba multiplication5
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

Practical Aspects of Modern Cryptography


Karatsuba multiplication6
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

Practical Aspects of Modern Cryptography


Karatsuba multiplication7
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

(A+B)(C+D) = AC+ AD+ BC+ BD

Practical Aspects of Modern Cryptography


Karatsuba multiplication8
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

(A+B)(C+D) = AC+ AD+ BC+ BD

(A+B)(C+D) – AC – BD = AD+ BC

Practical Aspects of Modern Cryptography


Karatsuba multiplication9
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

(A+B)(C+D) = AC+ AD+ BC+ BD

(A+B)(C+D) – AC – BD = AD+ BC

3 multiplications, 2 additions, 2 subtractions

Practical Aspects of Modern Cryptography


Karatsuba multiplication10
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

(A+B)(C+D) = AC+ AD+ BC+ BD

(A+B)(C+D) – AC – BD = AD+ BC

3 multiplications, 2 additions, 2 subtractions

Practical Aspects of Modern Cryptography


Karatsuba multiplication11
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

(A+B)(C+D) = AC+ AD+ BC+ BD

(A+B)(C+D) – AC – BD = AD+ BC

3 multiplications, 2 additions, 2 subtractions

Practical Aspects of Modern Cryptography


Karatsuba multiplication12
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

(A+B)(C+D) = AC+ AD+ BC+ BD

(A+B)(C+D) – AC – BD = AD+ BC

3 multiplications, 2 additions, 2 subtractions

Practical Aspects of Modern Cryptography


Karatsuba multiplication13
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

(A+B)(C+D) = AC+ AD+ BC+ BD

(A+B)(C+D) – AC – BD = AD+ BC

3 multiplications, 2 additions, 2 subtractions

Practical Aspects of Modern Cryptography


Karatsuba multiplication14
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

(A+B)(C+D) = AC+ AD+ BC+ BD

(A+B)(C+D) – AC – BD = AD+ BC

3 multiplications, 2 additions, 2 subtractions

Practical Aspects of Modern Cryptography


Karatsuba multiplication15
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

(A+B)(C+D) = AC+ AD+ BC+ BD

(A+B)(C+D) – AC – BD = AD+ BC

3 multiplications, 2 additions, 2 subtractions

Practical Aspects of Modern Cryptography


Karatsuba multiplication16
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

(A+B)(C+D) = AC+ AD+ BC+ BD

(A+B)(C+D) – AC – BD = AD+ BC

3 multiplications, 2 additions, 2 subtractions

Practical Aspects of Modern Cryptography


Karatsuba multiplication17
Karatsuba Multiplication

(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

4 multiplications, 1 addition

(A+B)(C+D) = AC+ AD+ BC+ BD

(A+B)(C+D) – AC – BD = AD+ BC

3 multiplications, 2 additions, 2 subtractions

Practical Aspects of Modern Cryptography


Karatsuba multiplication18
Karatsuba Multiplication

  • This can be done on integers as well as on polynomials, but it’s not as nice on integers because of carries.

  • The larger the integers, the larger the benefit.

Practical Aspects of Modern Cryptography


Karatsuba multiplication19
Karatsuba Multiplication

(A•2k+B)(C•2k+D) =

AC•22k + (AD+BC)•2k+ BD

4 multiplications, 1 addition

(A+B)(C+D) = AC+ AD+ BC+ BD

(A+B)(C+D) – AC – BD = AD+ BC

3 multiplications, 2 additions, 2 subtractions

Practical Aspects of Modern Cryptography


Chinese remaindering
Chinese Remaindering

If X =A mod P and X=B mod Q then (as long as P and Q have no common factors) X can be derived as

X = A·Q·(Q-1 mod P) + B·P·(P-1 mod Q).

Practical Aspects of Modern Cryptography


Chinese remaindering1
Chinese Remaindering

If N = PQ, then a computation modN can be accomplished by performing the same computation modP and again modQ and then using Chinese Remaindering to derive the answer to the modN computation.

Practical Aspects of Modern Cryptography


Chinese remaindering2
Chinese Remaindering

Since modular exponentiation of n-bit integers requires O(n3) time, performing two modular exponentiations on half size values requires only about one quarter of the time of a single n-bit modular exponentiation.

Practical Aspects of Modern Cryptography


Modular reduction
Modular Reduction

Generally, computing (A•B) modNrequires much more than twice the time to compute A•B.

Division is slow and cumbersome.

Practical Aspects of Modern Cryptography


Modular reduction1
Modular Reduction

Generally, computing (A•B) modNrequires much more than twice the time to compute A•B.

Division is disgusting.

Practical Aspects of Modern Cryptography


Modular reduction2
Modular Reduction

Generally, computing (A•B) modNrequires much more than twice the time to compute A•B.

Division is slow and cumbersome.

Practical Aspects of Modern Cryptography


Modular reduction3
Modular Reduction

Generally, computing (A•B) modNrequires much more than twice the time to compute A•B.

Division is dreadful.

Practical Aspects of Modern Cryptography


Modular reduction4
Modular Reduction

Generally, computing (A•B) modNrequires much more than twice the time to compute A•B.

Division is slow and cumbersome.

Practical Aspects of Modern Cryptography


Modular reduction5
Modular Reduction

Generally, computing (A•B) modNrequires much more than twice the time to compute A•B.

Division is wretched.

Practical Aspects of Modern Cryptography


Modular reduction6
Modular Reduction

Generally, computing (A•B) modNrequires much more than twice the time to compute A•B.

Division is slow and cumbersome.

Practical Aspects of Modern Cryptography


The montgomery method
The Montgomery Method

The Montgomery Method performs a domain transform to a domain in which the modular reduction operation can be achieved by multiplication and simple truncation.

Since a single modular exponentiation requires many modular multiplications and reductions, transforming the arguments is well justified.

Practical Aspects of Modern Cryptography


Montgomery multiplication
Montgomery Multiplication

Let A, B, and M be n-block integers represented in base x with 0  M  xn.

Let R = xn. GCD(R,M) = 1.

The Montgomery Product of A and B modulo M is the integer ABR–1 mod M.

Let M = –M–1 mod R and S = ABM mod R.

Fact: (AB+SM)/R ABR–1 (mod M).

Practical Aspects of Modern Cryptography


Using the montgomery product
Using the Montgomery Product

The Montgomery Product ABR–1 mod M can be computed in the time required for two ordinary large-integer multiplications.

Montgomery transform: AARmod M.

The Montgomery product of (AR mod M) and (BR mod M) is (ABR mod M).

Practical Aspects of Modern Cryptography


One way functions7
One-Way Functions

Z=YXmod N

Practical Aspects of Modern Cryptography


One way functions8
One-Way Functions

Informally, F : X  Y is a one-way if

  • Given x,y = F(x) is easily computable.

  • Given y, it is difficult to find any x for which y = F(x).

Practical Aspects of Modern Cryptography


One way functions9
One-Way Functions

The family of functions

FY,N(X) = YX mod N

is believed to be one-way for most N and Y.

Practical Aspects of Modern Cryptography


One way functions10
One-Way Functions

The family of functions

FY,N(X) = YX mod N

is believed to be one-way for most N and Y.

No one has ever proven a function to be one-way, and doing so would, at a minimum, yield as a consequence that PNP.

Practical Aspects of Modern Cryptography


One way functions11
One-Way Functions

When viewed as a two-argument function, the (candidate) one-way function

FN(Y,X) = YX mod N

also satisfies a useful additional property which has been termed quasi-commutivity:

F(F(Y,X1),X2) = F(F(Y,X2),X1)

since YX1X2 = YX2X1.

Practical Aspects of Modern Cryptography


Diffie hellman key exchange

Alice

Bob

Diffie-Hellman Key Exchange

Practical Aspects of Modern Cryptography


Diffie hellman key exchange1

Alice

Randomly select a large integer aand send A = Ya mod N.

Bob

Randomly select a large integer band send B = Yb mod N.

Diffie-Hellman Key Exchange

Practical Aspects of Modern Cryptography


Diffie hellman key exchange2
Diffie-Hellman Key Exchange

Alice Bob

A

B

Practical Aspects of Modern Cryptography


Diffie hellman key exchange3

Alice

Randomly select a large integer aand send A = Ya mod N.

Bob

Randomly select a large integer band send B = Yb mod N.

Diffie-Hellman Key Exchange

Practical Aspects of Modern Cryptography


Diffie hellman key exchange4

Alice

Randomly select a large integer aand send A = Ya mod N.

Compute the key K =Bamod N.

Bob

Randomly select a large integer band send B = Yb mod N.

Compute the key K =Ab mod N.

Diffie-Hellman Key Exchange

Practical Aspects of Modern Cryptography


Diffie hellman key exchange5

Alice

Randomly select a large integer aand send A = Ya mod N.

Compute the key K =Bamod N.

Bob

Randomly select a large integer band send B = Yb mod N.

Compute the key K =Ab mod N.

Diffie-Hellman Key Exchange

Ba = Yba = Yab = Ab

Practical Aspects of Modern Cryptography


Diffie hellman key exchange6
Diffie-Hellman Key Exchange

Practical Aspects of Modern Cryptography


Diffie hellman key exchange7
Diffie-Hellman Key Exchange

What does Eve see?

Practical Aspects of Modern Cryptography


Diffie hellman key exchange8
Diffie-Hellman Key Exchange

What does Eve see?

Y, Ya, Yb

Practical Aspects of Modern Cryptography


Diffie hellman key exchange9
Diffie-Hellman Key Exchange

What does Eve see?

Y, Ya, Yb

… but the exchanged key is Yab.

Practical Aspects of Modern Cryptography


Diffie hellman key exchange10
Diffie-Hellman Key Exchange

What does Eve see?

Y, Ya, Yb

… but the exchanged key is Yab.

Belief: Given Y, Ya, Yb it is difficult to compute Yab .

Practical Aspects of Modern Cryptography


Diffie hellman key exchange11
Diffie-Hellman Key Exchange

What does Eve see?

Y, Ya, Yb

… but the exchanged key is Yab.

Belief: Given Y, Ya, Yb it is difficult to compute Yab .

Contrast with discrete logarithm assumption: Given Y, Yait is difficult to compute a.

Practical Aspects of Modern Cryptography


More on quasi commutivity
More on Quasi-Commutivity

Quasi-commutivity has additional applications.

  • decentralized digital signatures

  • membership testing

  • digital time-stamping

Practical Aspects of Modern Cryptography


One way trap door functions
One-Way Trap-Door Functions

Z=YXmod N

Practical Aspects of Modern Cryptography


One way trap door functions1
One-Way Trap-Door Functions

Z=YXmod N

Recall that this equation is solvable for Y if the factorization of N is known, but is believed to be hard otherwise.

Practical Aspects of Modern Cryptography


Rsa public key cryptosystem

Alice

Anyone

RSA Public-Key Cryptosystem

Practical Aspects of Modern Cryptography


Rsa public key cryptosystem1

Alice

Select two large random primes P & Q.

Anyone

RSA Public-Key Cryptosystem

Practical Aspects of Modern Cryptography


Rsa public key cryptosystem2

Alice

Select two large random primes P & Q.

Publish the product N=PQ.

Anyone

RSA Public-Key Cryptosystem

Practical Aspects of Modern Cryptography


Rsa public key cryptosystem3

Alice

Select two large random primes P & Q.

Publish the product N=PQ.

Anyone

To send message Y to Alice, compute Z=YX mod N.

RSA Public-Key Cryptosystem

Practical Aspects of Modern Cryptography


Rsa public key cryptosystem4

Alice

Select two large random primes P & Q.

Publish the product N=PQ.

Anyone

To send message Y to Alice, compute Z=YX mod N.

Send Z and X to Alice.

RSA Public-Key Cryptosystem

Practical Aspects of Modern Cryptography


Rsa public key cryptosystem5

Alice

Select two large random primes P & Q.

Publish the product N=PQ.

Use knowledge of P & Q to compute Y.

Anyone

To send message Y to Alice, compute Z=YX mod N.

Send Z and X to Alice.

RSA Public-Key Cryptosystem

Practical Aspects of Modern Cryptography


Rsa public key cryptosystem6
RSA Public-Key Cryptosystem

In practice, the exponent X is almost always fixed to be X = 65537 = 216 + 1.

Practical Aspects of Modern Cryptography


Some rsa details
Some RSA Details

When N=PQ is the product of distinct primes,

YX mod N = Y

whenever

X mod (P-1)(Q-1) = 1 and 0 YN.

Practical Aspects of Modern Cryptography


Some rsa details1
Some RSA Details

When N=PQ is the product of distinct primes,

YX mod N = Y

whenever

X mod (P-1)(Q-1) = 1 and 0 YN.

Alice can easily select integers E and D such that E•D mod (P-1)(Q-1) = 1.

Practical Aspects of Modern Cryptography


Some rsa details2
Some RSA Details

Encryption: E(Y) = YE mod N.

Decryption: D(Y) = YD mod N.

D(E(Y))

= (YE mod N)D mod N

= YED mod N

= Y

Practical Aspects of Modern Cryptography


Rsa signatures
RSA Signatures

Practical Aspects of Modern Cryptography


Rsa signatures1
RSA Signatures

An additional property

Practical Aspects of Modern Cryptography


Rsa signatures2
RSA Signatures

An additional property

D(E(Y)) = YED mod N = Y

Practical Aspects of Modern Cryptography


Rsa signatures3
RSA Signatures

An additional property

D(E(Y)) = YED mod N = Y

E(D(Y)) = YDE mod N = Y

Practical Aspects of Modern Cryptography


Rsa signatures4
RSA Signatures

An additional property

D(E(Y)) = YED mod N = Y

E(D(Y)) = YDE mod N = Y

Only Alice (knowing the factorization of N) knows D. Hence only Alice can compute D(Y) = YD mod N.

Practical Aspects of Modern Cryptography


Rsa signatures5
RSA Signatures

An additional property

D(E(Y)) = YED mod N = Y

E(D(Y)) = YDE mod N = Y

Only Alice (knowing the factorization of N) knows D. Hence only Alice can compute D(Y) = YD mod N.

This D(Y) serves as Alice’s signature on Y.

Practical Aspects of Modern Cryptography


Public key directory
Public Key Directory

Practical Aspects of Modern Cryptography


Public key directory1
Public Key Directory

(Recall that E is commonly fixed to be E=65537.)

Practical Aspects of Modern Cryptography


Certificate authority
Certificate Authority

“Alice’s public modulus is

NA = 331490324840…”

-- signed CA.

Practical Aspects of Modern Cryptography


Trust chains
Trust Chains

Alice certifies Bob’s key.

Bob certifies Carol’s key.

If I trust Alice should I accept Carol’s key?

Practical Aspects of Modern Cryptography


Authentication
Authentication

Practical Aspects of Modern Cryptography


Authentication1
Authentication

How can I use RSA to authenticate someone’s identity?

Practical Aspects of Modern Cryptography


Authentication2
Authentication

How can I use RSA to authenticate someone’s identity?

If Alice’s public key EA, just pick a random message m and send EA(m).

Practical Aspects of Modern Cryptography


Authentication3
Authentication

How can I use RSA to authenticate someone’s identity?

If Alice’s public key EA, just pick a random message m and send EA(m).

If m comes back, I must be talking to Alice.

Practical Aspects of Modern Cryptography


Authentication4
Authentication

Should Alice be happy with this method of authentication?

Bob sends Alice the authentication string y =“I owe Bob $1,000,000 - signed Alice.”

Alice dutifully authenticates herself by decrypting (putting her signature on) y.

Practical Aspects of Modern Cryptography


Authentication5
Authentication

What if Alice only returns authentication queries when the decryption has a certain format?

Practical Aspects of Modern Cryptography


Rsa cautions
RSA Cautions

Is it reasonable to sign/decrypt something given to you by someone else?

Note that RSA is multiplicative. Can this property be used/abused?

Practical Aspects of Modern Cryptography


Rsa cautions1
RSA Cautions

D(Y1) • D(Y2) = D(Y1 • Y2)

Thus, if I’ve decrypted (or signed) Y1 and Y2, I’ve also decrypted (or signed) Y1 • Y2.

Practical Aspects of Modern Cryptography


The hastad attack
The Hastad Attack

Given

E1(x) = x3 mod n1

E2(x) = x3 mod n2

E3(x) = x3 mod n3

one can easily compute x.

Practical Aspects of Modern Cryptography


The bleichenbacher attack
The Bleichenbacher Attack

PKCS#1 Message Format:

00 01 XX XX ... XX 00 YY YY ... YY

random

non-zero

bytes

message

Practical Aspects of Modern Cryptography


Man in the middle attacks
“Man-in-the-Middle” Attacks

Practical Aspects of Modern Cryptography


The practical side
The Practical Side

Practical Aspects of Modern Cryptography


The practical side1
The Practical Side

  • RSA can be used to encrypt any data.

Practical Aspects of Modern Cryptography


The practical side2
The Practical Side

  • RSA can be used to encrypt any data.

  • Public-key (asymmetric) cryptography is very inefficient when compared to traditional private-key (symmetric) cryptography.

Practical Aspects of Modern Cryptography


The practical side3
The Practical Side

Practical Aspects of Modern Cryptography


The practical side4
The Practical Side

For efficiency, one generally uses RSA (or another public-key algorithm) to transmit a private (symmetric) key.

Practical Aspects of Modern Cryptography


The practical side5
The Practical Side

For efficiency, one generally uses RSA (or another public-key algorithm) to transmit a private (symmetric) key.

The private session key is used to encrypt any subsequent data.

Practical Aspects of Modern Cryptography


The practical side6
The Practical Side

For efficiency, one generally uses RSA (or another public-key algorithm) to transmit a private (symmetric) key.

The private session key is used to encrypt any subsequent data.

Digital signatures are only used to sign a digest of the message.

Practical Aspects of Modern Cryptography


ad