Secret Codes , Unforgeable Signatures , and Coin Flipping on the Phone Martin Tompa

Download Presentation

Secret Codes , Unforgeable Signatures , and Coin Flipping on the Phone Martin Tompa

Loading in 2 Seconds...

- 49 Views
- Uploaded on
- Presentation posted in: General

Secret Codes , Unforgeable Signatures , and Coin Flipping on the Phone Martin Tompa

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Secret Codes,

Unforgeable Signatures,

and

Coin Flipping on the Phone

Martin Tompa

Computer Science & Engineering

University of Washington

Secret Codes,

Unforgeable Signatures,

and

Coin Flipping on the Phone

KAB

KAB

A

Sender

B

Receiver

M

C = EAB(M)

M = DAB(C)

Cryptanalyst

(bad guy)

M C KAB

MessageEncryptionKey

PlaintextCyphertext

Cleartext

KAB

KAB

A

Sender

B

Receiver

M

C = EAB(M)

M = DAB(C)

Cryptanalyst

(bad guy)

M C KBEB

MessageEncryption Private Key Public Key

PlaintextCyphertext

Cleartext

- Invented by Rivest, Shamir, and Adleman in 1977.
- Has proven resistant to cryptanalytic attacks.

- Choose 500-digit primes p and q,
with p 2 (mod 3) and q 2 (mod 3)

p = 5, q = 11

- Let n = pq.
n = 55

- Let s = (1/3) (2(p - 1)(q - 1) + 1).
s = (1/3) (2 4 10 + 1) = 27

- Publish n.
Keep p, q, and s secret.

- I have simplified RSA to make it clearer.
- The version presented here is not considered secure, because of the small exponent 3 used in encryption. See http://crypto.stanford.edu/~dabo/pubs/papers/RSA-survey.pdf, Section 4.2, first two paragraphs for an explanation of the vulnerability of small exponents.
- See Rosen’s textbook for the secure version of RSA.
- Thanks to DimitriosGklezakos for pointing out this vulnerability to me.

- Break the message into chunks.
H I C H R I S …

- Translate each chunk into an integer M (0 < M < n) by any convenient method.
8 9 3 8 18 9 19 …

- Let E(M) = M3 mod n.
M = 8, n = 55

83 = 512 = 9×55 + 17

E(8) = 17

- Let D(C) = Cs mod n.
C = 17, n = 55, s = 27

1727 = 1,667,711,322,168,688,287,513,535,727,415,473

= 30,322,024,039,430,696,136,609,740,498,463 × 55 + 8

D(17) = 8

- Translate D(C) into letters.
H

- C = 17, n = 55, s = 27
172 289 14 (mod 55)

174 172 172 14 14 196 31 (mod 55)

178 174 174 31 31 961 26 (mod 55)

1716 178 178 26 26 676 16 (mod 55)

1727 1716 178 172 171 16 26 14 17 416 14 17 31 14 17 434 17 (-6) 17 -102 8 (mod 55)

D(17) = 8

Euler’s Theorem (1736): Suppose

- p and q are distinct primes,
- n = pq,
- 0 <M < n, and
- k > 0.
Then Mk(p-1)(q-1)+1mod n = M.

(M3)s = (M3) (1/3)(2(p-1)(q-1)+1)

= M 2(p-1)(q-1)+1 M (mod n)

- To find M = D(C), you seem to need s.
- To find s, you seem to need p and q.
- All the cryptanalyst has is n = pq.
- How hard is it to factor a 1000-digit number n?
With the grade school method,

doing 1,000,000,000,000 steps per second

it would take …

10480 years.

- 1977: Inventors encrypt a challenge using “RSA129,” a 129-digit number n= pq.
- 1981: Pomerance invents Quadratic Sieve factoring method.
- 1994: Using Quadratic Sieve, RSA129 is factored over 8 months using 1000 computers on the Internet around the world.
- 1999: Using Number Field Sieve, RSA140 is factored over one month using 200 computers, about 8.9 CPU-years.
- 2009: Using Number Field Sieve, RSA-768, a 232-digit number, is factored over two years using hundreds of machines, about 1500 CPU-years.

Secret Codes,

Unforgeable Signatures,

and

Coin Flipping on the Phone

- How A sends a secret message to B
A B

C = EB(M)

M = DB(C)

- How A sends a signed message to B
A B

C = DA(M)

M = EA(C)

C

C

- How A sends a secret message to B ...
A B

C = EB(M)

M = DB(C)

- How A sends a signed secret message to B ...
A B

C = EB(DA(M))

M = EA (DB(C))

C

C

Secret Codes,

Unforgeable Signatures,

and

Coin Flipping on the Phone

AB

Choose random x < x <

y = EA(x)

Guess ifxis even or odd.

Checky = EA(x).

- B wins if the guess about x was right, or y= EA(x).

y

“even”

“odd”

x