slide1
Download
Skip this Video
Download Presentation
Secret Codes , Unforgeable Signatures , and Coin Flipping on the Phone Martin Tompa

Loading in 2 Seconds...

play fullscreen
1 / 19

Secret Codes , Unforgeable Signatures , and Coin Flipping on the Phone Martin Tompa - PowerPoint PPT Presentation


  • 67 Views
  • Uploaded on

Secret Codes , Unforgeable Signatures , and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University of Washington. Secret Codes , Unforgeable Signatures, and Coin Flipping on the Phone. What Is a Cryptosystem?. K AB. K AB. A Sender. B Receiver. M.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Secret Codes , Unforgeable Signatures , and Coin Flipping on the Phone Martin Tompa' - starr


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1
Secret Codes,

Unforgeable Signatures,

and

Coin Flipping on the Phone

Martin Tompa

Computer Science & Engineering

University of Washington

slide2
Secret Codes,

Unforgeable Signatures,

and

Coin Flipping on the Phone

what is a cryptosystem
What Is a Cryptosystem?

KAB

KAB

A

Sender

B

Receiver

M

C = EAB(M)

M = DAB(C)

Cryptanalyst

(bad guy)

M C KAB

Message Encryption Key

Plaintext Cyphertext

Cleartext

what is a public key cryptosystem
What Is a Public Key Cryptosystem?

KAB

KAB

A

Sender

B

Receiver

M

C = EAB(M)

M = DAB(C)

Cryptanalyst

(bad guy)

M C KBEB

Message Encryption Private Key Public Key

Plaintext Cyphertext

Cleartext

the rsa public key cryptosystem
The RSA Public Key Cryptosystem
  • Invented by Rivest, Shamir, and Adleman in 1977.
  • Has proven resistant to cryptanalytic attacks.
receiver s set up
Receiver’s Set-Up
  • Choose 500-digit primes p and q,

with p 2 (mod 3) and q 2 (mod 3)

p = 5, q = 11

  • Let n = pq.

n = 55

  • Let s = (1/3) (2(p - 1)(q - 1) + 1).

s = (1/3) (2  4  10 + 1) = 27

  • Publish n.

Keep p, q, and s secret.

note on the version presented here
Note on the Version Presented Here
  • I have simplified RSA to make it clearer.
  • The version presented here is not considered secure, because of the small exponent 3 used in encryption. See http://crypto.stanford.edu/~dabo/pubs/papers/RSA-survey.pdf, Section 4.2, first two paragraphs for an explanation of the vulnerability of small exponents.
  • See Rosen’s textbook for the secure version of RSA.
  • Thanks to DimitriosGklezakos for pointing out this vulnerability to me.
encrypting a message
Encrypting a Message
  • Break the message into chunks.

H I C H R I S …

  • Translate each chunk into an integer M (0 < M < n) by any convenient method.

8 9 3 8 18 9 19 …

  • Let E(M) = M3 mod n.

M = 8, n = 55

83 = 512 = 9×55 + 17

E(8) = 17

decrypting a cyphertext c
Decrypting a Cyphertext C
  • Let D(C) = Cs mod n.

C = 17, n = 55, s = 27

1727 = 1,667,711,322,168,688,287,513,535,727,415,473

= 30,322,024,039,430,696,136,609,740,498,463 × 55 + 8

D(17) = 8

  • Translate D(C) into letters.

H

decrypting a cyphertext c efficiently
Decrypting a Cyphertext C Efficiently
  • C = 17, n = 55, s = 27

172 289  14 (mod 55)

174 172  172 14 14 196  31 (mod 55)

178 174  174 31 31 961  26 (mod 55)

1716 178  178 26 26 676  16 (mod 55)

1727 1716  178  172  171 16  26  14  17 416  14  17  31  14  17  434  17  (-6)  17  -102  8 (mod 55)

D(17) = 8

why does it work
Why Does It Work?

Euler’s Theorem (1736): Suppose

  • p and q are distinct primes,
  • n = pq,
  • 0 <M < n, and
  • k > 0.

Then Mk(p-1)(q-1)+1mod n = M.

(M3)s = (M3) (1/3)(2(p-1)(q-1)+1)

= M 2(p-1)(q-1)+1  M (mod n)

why is it secure
Why Is It Secure?
  • To find M = D(C), you seem to need s.
  • To find s, you seem to need p and q.
  • All the cryptanalyst has is n = pq.
  • How hard is it to factor a 1000-digit number n?

With the grade school method,

doing 1,000,000,000,000 steps per second

it would take …

10480 years.

state of the art in factoring
State of the Art in Factoring
  • 1977: Inventors encrypt a challenge using “RSA129,” a 129-digit number n= pq.
  • 1981: Pomerance invents Quadratic Sieve factoring method.
  • 1994: Using Quadratic Sieve, RSA129 is factored over 8 months using 1000 computers on the Internet around the world.
  • 1999: Using Number Field Sieve, RSA140 is factored over one month using 200 computers, about 8.9 CPU-years.
  • 2009: Using Number Field Sieve, RSA-768, a 232-digit number, is factored over two years using hundreds of machines, about 1500 CPU-years.
slide15
Secret Codes,

Unforgeable Signatures,

and

Coin Flipping on the Phone

signed messages
Signed Messages
  • How A sends a secret message to B

A B

C = EB(M)

M = DB(C)

  • How A sends a signed message to B

A B

C = DA(M)

M = EA(C)

C

C

signed and secret messages
Signed and Secret Messages
  • How A sends a secret message to B ...

A B

C = EB(M)

M = DB(C)

  • How A sends a signed secret message to B ...

A B

C = EB(DA(M))

M = EA (DB(C))

C

C

slide18
Secret Codes,

Unforgeable Signatures,

and

Coin Flipping on the Phone

flipping a coin over the phone
Flipping a Coin Over the Phone

A B

Choose random x < x <

y = EA(x)

Guess ifxis even or odd.

Checky = EA(x).

  • B wins if the guess about x was right, or y= EA(x).

y

“even”

“odd”

x

ad