
David Evans cs.virginia/evans PowerPoint PPT Presentation



Lecture 12: Non-secret Key Cryptosystems (How Euclid, Fermat and Euler Created E-Commerce). David Evans http://www.cs.virginia.edu/evans. Real mathematics has no effects on war. No one has yet discovered any warlike purpose to be served by the theory of numbers.


Presentation Transcript



Lecture 12: Non-secret Key Cryptosystems (How Euclid, Fermat and Euler Created E-Commerce)

David Evans

http://www.cs.virginia.edu/evans

Real mathematics has no effects on war. No one has yet discovered any warlike purpose to be served by the theory of numbers.

G. H. Hardy, The Mathematician’s Apology, 1940.

CS588: Security and Privacy

University of Virginia

Computer Science



Applications of RSA

  • Privacy:

    • Bob encrypts message to Alice using E_A

    • Only Alice knows D_A

  • Signatures:

    • Alice encrypts a message to Bob using D_A

    • Bob decrypts using E_A

    • Knows it was from Alice, since only Alice knows D_A

  • Things you use every day: ssh, SSL, DNS, ...

CS588 Spring 2005



Public-Key Applications: Privacy

  • Alice encrypts message to Bob using Bob’s Public Key

  • Only Bob knows Bob’s Private Key ⇒ only Bob can decrypt message

[Diagram: Alice: Plaintext → Encrypt (Bob’s Public Key) → Ciphertext → Bob: Decrypt (Bob’s Private Key) → Plaintext]


Signatures

  • Bob knows it was from Alice, since only Alice knows Alice’s Private Key

  • Non-repudiation: Alice can’t deny signing message (except by claiming her key was stolen!)

  • Integrity: Bob can’t change message (doesn’t know Alice’s Private Key)

[Diagram: Alice: Plaintext → Encrypt (Alice’s Private Key) → Signed Message → Bob: Decrypt (Alice’s Public Key) → Plaintext]


Public-Key Cryptography

  • Private procedure: E

  • Public procedure: D

  • Identity: E (D(m)) = D (E(m)) = m

  • Secure: cannot determine E from D

  • But didn’t know how to find suitable E and D


Properties of E and D

Trap-door one way function:

  • D (E (M)) = M

  • E and D are easy to compute.

  • Revealing E doesn’t reveal an easy way to compute D

    Trap-door one way permutation: also

  • E (D (M)) = M


RSA

E(M) = M^e mod n

D(C) = C^d mod n

n = pq, where p and q are prime

d is relatively prime to (p – 1)(q – 1)

ed ≡ 1 (mod (p – 1)(q – 1))

(d, p and q, shown in red on the original slide, are secret)


Properties of E and D

Trap-door one way function:

  • D (E (M)) = M

  • E and D are easy to compute.

  • Revealing E doesn’t reveal an easy way to compute D

    Trap-door one way permutation: also

  • E (D (M)) = M


Property 1: D (E (M)) = M

E(M) = M^e mod n

D(E(M)) = (M^e mod n)^d mod n

= M^(ed) mod n (as in the D-H proof)

Can we choose e, d and n with this property: M ≡ M^(ed) mod n

equivalently: 1 ≡ M^(ed – 1) mod n


Finding e, d and n

  • We are looking for e, d and n such that: M^(ed – 1) ≡ 1 mod n

  • Euler’s Theorem: for a and n relatively prime: a^φ(n) ≡ 1 mod n

  • Next:

    • What is φ(n)

    • Proof of Euler’s Theorem

    • How it works for arbitrary M

    • Given φ(n), how do we find e and d


Euler’s Totient Function

φ(n) = number of positive integers less than n that are relatively prime to n

  • If n is prime, φ(n) = n – 1

    • Proof by contradiction

  • What if n = pq where p and q are prime?


Totient Products

For primes p and q: n = pq

φ(n) = number of numbers < n relatively prime to pq

= pq – 1 ; numbers less than pq

– (q – 1) ; size of {p, 2p, …, (q – 1)p}

– (p – 1) ; size of {q, 2q, …, (p – 1)q}

= pq – 1 – (q – 1) – (p – 1)

= pq – (p + q) + 1

= (p – 1)(q – 1) = φ(p) φ(q)


Fermat’s Little Theorem

If n is prime and a is not divisible by nan-11mod n


Fermat’s Little Theorem Proof

If n is prime and a is not divisible by n:

{a mod n, 2a mod n, …, (n – 1)a mod n} = {1, 2, …, (n – 1)}

Product of all elements in sets:

a × 2a × … × (n – 1)a ≡ (n – 1)! mod n

(n – 1)! a^(n – 1) ≡ (n – 1)! mod n

a^(n – 1) ≡ 1 mod n (cancelling (n – 1)!, which is relatively prime to n since n is prime)   QED.


Euler’s Theorem

For a and n relatively prime:

a^φ(n) ≡ 1 mod n

Partial Proof:

If n is prime, φ(n) = n – 1 and a^(n – 1) ≡ 1 mod n

by Fermat’s Little Theorem

What if n is not prime?


Euler’s Theorem, cont.

For a and n relatively prime:

a^φ(n) ≡ 1 mod n

φ(n) = number of numbers < n relatively prime to n

We can write those numbers as:

R = { x_1, x_2, …, x_φ(n) }


Proving Euler’s Theorem

R = { x_1, x_2, …, x_φ(n) }; multiply by a mod n:

S = { a x_1 mod n, a x_2 mod n, …, a x_φ(n) mod n }

S is a permutation of R:

  • a is relatively prime to n

  • a is relatively prime to all x_i

  • a x_i is relatively prime to n

  • Hence all elements of S are in R.

  • There are no duplicates in S.

    If a x_i mod n = a x_j mod n then i = j, since a is relatively prime to n


Proving Euler’s Theorem

x_1 × x_2 × … × x_φ(n)

= (a x_1 mod n) × (a x_2 mod n) × … × (a x_φ(n) mod n)

≡ (a x_1 × a x_2 × … × a x_φ(n)) mod n

≡ a^φ(n) × x_1 × x_2 × … × x_φ(n) mod n

1 ≡ a^φ(n) mod n (cancelling x_1 × … × x_φ(n), which is relatively prime to n)   QED.


Recap

  • We are looking for e, d and n such that:

    M^(ed – 1) ≡ 1 mod n

  • Euler’s Theorem: 1 ≡ a^φ(n) mod n

    for a and n relatively prime

  • If n is prime, φ(n) = n – 1.

  • For p and q prime, φ(pq) = φ(p) φ(q)

n = pq

ed – 1 = φ(n) = (p – 1)(q – 1)

What if M is not relatively prime to n?


M and n

  • Suppose M and n not relatively prime:

    gcd(M, n) ≠ 1

  • Since n = pq and p and q are prime:

    gcd(M, p) ≠ 1 OR gcd(M, q) ≠ 1

    Case 1: M = cp

    gcd(M, q) = 1 (otherwise M is a multiple of both p and q, but M < pq).

    So, M^φ(q) ≡ 1 mod q

    (by Euler’s theorem, since M and q are relatively prime)


M and n, cont.

Case 1: M = cp

gcd(M, q) = 1 (otherwise M is a multiple of both p and q, but M < pq).

So, M^φ(q) ≡ 1 mod q

(by Euler’s theorem, since M and q are relatively prime)

M^φ(q) ≡ 1 mod q

(M^φ(q))^φ(p) ≡ 1 mod q

M^(φ(q) φ(p)) ≡ 1 mod q

M^φ(n) ≡ 1 mod q


M and n

M^φ(n) ≡ 1 mod q

M^φ(n) = 1 + kq for some k

M = cp (recall gcd(M, p) ≠ 1)

M × M^φ(n) = (1 + kq) cp

M^(φ(n) + 1) = cp + kqcp = M + kcn

M^(φ(n) + 1) ≡ M mod n


Where’s ED?

ed – 1 = φ(n) = (p – 1)(q – 1)

  • So, we need to choose e and d:

    ed = φ(n) + 1 = n – (p + q) + 2

  • Pick random d, relatively prime to φ(n)

    gcd(d, φ(n)) = 1

  • Since d is relatively prime to φ(n) it has a multiplicative inverse e:

    de ≡ 1 mod φ(n)


Identity

de ≡ 1 mod φ(n)

So, d × e = (k × φ(n)) + 1 for some k.

Hence,

M^(ed – 1) mod n = M^(k × φ(n)) mod n


D (E (M)) = M

M^(ed – 1) mod n = M^(k × φ(n)) mod n

Euler says 1 ≡ M^φ(n) mod n.

So 1 ≡ M^(k × φ(n)) mod n

1 ≡ M^(ed – 1) mod n

M ≡ M^(ed) mod n

QED.
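Textbook RSA on the small constructed primes p = 5 and q = 11, following the recipe on the RSA, Where’s ED? and Identity slides: e is computed as the multiplicative inverse of d modulo φ(n) with the extended Euclidean algorithm, the round-trip D(E(M)) = M is checked for every M < n (which covers the M and n case where gcd(M, n) ≠ 1), and the signature use from the Applications slide (sign with D, check with E) is shown too. This is an added example, not code from the lecture; the function names, the choice d = 7 and the sample messages are my own.

```python
# Added example (not from the lecture): textbook RSA on small constructed
# primes, following the slides' recipe. e is found as the multiplicative
# inverse of d mod phi(n) with the extended Euclidean algorithm; the round-trip
# is checked for every M < n, including M sharing a factor with n.
from math import gcd


def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = extended_gcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(d, m):
    """e with d*e ≡ 1 (mod m); exists only when gcd(d, m) = 1."""
    g, x, _ = extended_gcd(d, m)
    if g != 1:
        raise ValueError("no inverse: d is not relatively prime to the modulus")
    return x % m


def rsa_keygen(p, q, d):
    """n = pq, phi(n) = (p-1)(q-1), d relatively prime to phi(n), e = d^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must be relatively prime to phi(n)")
    e = mod_inverse(d, phi)
    assert (e * d) % phi == 1          # de ≡ 1 mod phi(n), the Identity slide
    return (e, n), (d, n)              # public key (e, n), private key (d, n)


def encrypt(m, public_key):
    e, n = public_key
    return pow(m, e, n)                # E(M) = M^e mod n


def decrypt(c, private_key):
    d, n = private_key
    return pow(c, d, n)                # D(C) = C^d mod n


def roundtrip_all_messages(p, q, d):
    """D(E(M)) = M and E(D(M)) = M for every M in 0..n-1 (trap-door permutation)."""
    public_key, private_key = rsa_keygen(p, q, d)
    n = public_key[1]
    return all(decrypt(encrypt(m, public_key), private_key) == m
               and encrypt(decrypt(m, private_key), public_key) == m
               for m in range(n))


def non_coprime_messages(p, q, d):
    """The 'M and n' case: messages with gcd(M, n) != 1 still decrypt correctly."""
    public_key, private_key = rsa_keygen(p, q, d)
    n = public_key[1]
    shared = [m for m in range(1, n) if gcd(m, n) != 1]
    return shared, all(decrypt(encrypt(m, public_key), private_key) == m for m in shared)


def sign(m, private_key):
    """Signature = D(M): only the holder of the private key can produce it."""
    return decrypt(m, private_key)


def verify(m, signature, public_key):
    """Anyone can check E(signature) = E(D(M)) = M; a changed M fails the check."""
    return encrypt(signature, public_key) == m


if __name__ == "__main__":
    public_key, private_key = rsa_keygen(5, 11, 7)     # constructed toy parameters
    print("public", public_key, "private", private_key)
    print("all M round-trip:", roundtrip_all_messages(5, 11, 7))
    shared, ok = non_coprime_messages(5, 11, 7)
    print("M sharing a factor with n:", shared, "all round-trip:", ok)
    s = sign(42, private_key)
    print("signature of 42:", s, "verify:", verify(42, s, public_key),
          "tampered message:", verify(43, s, public_key))
```

With p = 5, q = 11 and d = 7 the block derives n = 55, φ(n) = 40 and e = 23 (since 7 × 23 = 161 = 4 × 40 + 1). The non-coprime messages are the 14 multiples of 5 or 11 below 55; all of them round-trip, as the M and n slides prove. This is the raw M^e mod n operation the slides describe; deployed RSA applies a padding scheme and hashes a message before signing it, which is outside the scope of this lecture.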


Properties of E and D

Trap-door one way function:

  • D (E (M)) = M

  • E and D are easy to compute.

  • Revealing E doesn’t reveal an easy way to compute D

    Trap-door one way permutation: also

  • E (D (M)) = M


Movie Break

Adam Glaser and Portman Wills

CS588 Fall 2001 PS4


Questionable Statements in RSA Paper: Finalists

1) "The reader is urged to find a way to "break" the system. Once the method has withstood all attacks for a sufficient length of time it may be used with a reasonable amount of confidence." The authors appear to be advocating the same method of validation that they called "fruitless" earlier in the paper (referring to the NBS certification). 2) RSA seems to gloss over the whole PKI issue. They suggest either a single authority to hold all the keys or publishing a book to all the users. I'd also like to point out that RSA like to "excessively" to quotation marks for no apparent "purpose."

1. The problem is mentioned on pages 4 and 6 of the paper: the trusted distribution of the public portion of the key. If one were to modify the public keys in transport or to attack a central repository, then it would be impossible to be sure of the authenticity of the keys. (The suggestion of having a telephone book is not even possibly applicable due to the need to securely deliver it to all users from a trusted central source.) This can be seen as a present problem with the loss of keys by Microsoft (resulting in forced revocation) and the limited trust one can put in Verisign due to limited checks done. 2. The assumption in the conclusion that a protocol is secure due to lack of success in attacks for some period of time. The recent attacks upon SHA/MD5 show that even 10 years could be insufficient time to prove security.


Only Two Submissions

  • This is pathetic!

  • There will be a Short Quiz in class Tuesday

    • Closed book, closed notes

    • Covers material in RSA paper and new paper handed out today

    • Andrew and Aleks are exempt


Two “Questionable” Statements in RSA Paper

  • “The need for a courier between every pair of users has thus been replaced by the requirement for a single secure meeting between each user and the public file manager when the user joins the system.”

    (p. 6)


Two “Questionable” Statements in RSA Paper

  • “(The NBS scheme (DES) is probably somewhat faster if special-purposed hardware encryption devices are used; our scheme may be faster on a general-purpose computer since multiprecision arithmetic operations are simpler to implement than complicated bit manipulations.)”

    (p. 4)


Who really invented RSA?

  • General Communications Headquarters, Cheltenham (formed from Bletchley Park after WWII)

  • 1969 – James Ellis asked to work on key distribution problem

  • Secure telephone conversations by adding “noise” to line

  • Late 1969 – idea for PK, but function


RSA &amp; Diffie-Hellman

  • Asks Clifford Cocks, Cambridge mathematics graduate, for help

  • He discovers RSA (four years early)

  • Then (with Malcolm Williamson) discovered Diffie-Hellman

  • Kept secret until 1997!

  • NSA claims they had it even earlier


Charge

  • Reread the parts of RSA paper you didn’t understand the first time

  • Work on your project!

  • Short Quiz on RSA material and Encrypted Searches paper in class Tuesday

    • Closed-book, closed-notes, open-T-shirt

  • Next time: RSA Properties 2, 3 and 4
