cis 5371 cryptography n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
CIS 5371 Cryptography PowerPoint Presentation
Download Presentation
CIS 5371 Cryptography

Loading in 2 Seconds...

play fullscreen
1 / 41

CIS 5371 Cryptography - PowerPoint PPT Presentation


  • 152 Views
  • Uploaded on

CIS 5371 Cryptography. 7 . Asymmetric encryption-. Public Key Cryptography. Alice Bob. Alice and Bob want to exchange a private key in public. Public Key Cryptography The Diffie -Hellman protocol. Let p is a large prime and . The order of is a factor of .

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'CIS 5371 Cryptography' - bryson


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
cis 5371 cryptography

CIS 5371 Cryptography

7. Asymmetric encryption-

public key cryptography
Public Key Cryptography

AliceBob

Alice and Bob want to exchange a private key in public.

public key cryptography the diffie hellman protocol
Public Key CryptographyThe Diffie-Hellman protocol

Let p is a large prime and .

  • The order of is a factor of .
  • has a generator for any factor h of .
  • p is called a safe prime if h = 2q, with q a prime.
public key cryptography the diffie hellman protocol1
Public Key CryptographyThe Diffie-Hellman protocol

Alicega mod p Bob

gb mod p

The private key is: gab mod p

where p is a prime and g is a generator of Zp*

example
Example
  • p = 43, g = 3,
  • Alice and Bob share (p,g) = (43,3).
  • Alice picks her (secret) exponent: a random a = 8 U [0:42].
  • Alice sends Bob: 38 25 (mod 43).
  • Bob picks his (secret) exponent: a random b = 37U [0:42].
  • Bob sends Alice: 337 20 (mod 43).
  • The secret key agreed between the two is:

9  208 2537 (mod 43).

man in the middle attack
Man-in-the-middle attack
  • Alice picks a U Zp* and sends Malice (“Bob”): ga (mod p)
  • Malice (“Alice”) picks m Zp* and sends Bob: gm (mod p)
  • Bob picks b U Zp* and sends Malice (“Bob) Bob: gb (mod p)
  • Malice (“Bob”) sends Alice: gm (mod p)
  • Alice computes: k1 (gm)a (mod p)
  • Bob computes: k2 (gm)b (mod p)
the computational diffie hellman problem cdh
The Computational Diffie-Hellman Problem, CDH
  • INPUT
    • The description of a finite cyclic group of prime order q
    • A generator element of
    • , for some integers .
  • OUTPUT
the computational diffie hellman assumption
The Computational Diffie-Hellman Assumption
  • A CDH solver is a PPT algorithm that solves the CDH problem.
  • The CDH Assumption is that, for any CDH solver there exists a negligible function neglsuch that:
    • for an arbitrary instance of the CDH problem, the CDH solver will succeed with probability negl for all sufficiently large inputs.
the decisional diffie hellman problem ddh
The Decisional Diffie-Hellman Problem, DDH
  • INPUT
    • The description of a finite cyclic group G of prime order q
    • A generator element g of G
    • ga, gb,gcG, for some integers 0 < a,b,c< q.
  • OUTPUT
    • 1 ---Decision that gc = gab or
    • 0 ---Decision that gc gab
the decisional diffie hellman assumption
The Decisional Diffie-Hellman Assumption
  • A DDH solver is a PPT algorithm that solves the DDH problem.
  • The DDH Assumption is that, for any DDH solver, there exists a negligible function negl such that:
    • for an arbitrary instance of the DDH problem, the DDH solver will succeed with probability  negl for all sufficiently large inputs.
the discrete logarithm problem
The Discrete Logarithm Problem
  • The Discrete Logarithm Problem -- DL
  • INPUT
    • The description of a finite cyclic group of order(say )
    • A generator element of
    • hG.
  • OUTPUT
    • The unique integersuch that
  • We call the integer the discrete logarithm of in
  • base and write:
the discrete logarithm assumption
The Discrete Logarithm Assumption
  • A DL solver is a PPT algorithm that solves the DL problem.
  • The DL Assumption is that, for any DL solver, there exists a negligible function neglsuch that:
    • for an arbitrary instance of the DL problem, the DDH solver will succeed with probability  neglfor all sufficiently large inputs.
the rsa cryptosystem
The RSA cryptosystem

Alice performs the following steps

  • Choose p, q large primes with |p|  |q|.
  • Compute N = pq.
  • Compute  (N) = (p-1)(q-1).
  • Choose a random integer e <  (N) such that gcd(e, (N)) = 1 and compute the integer d such that ed = 1 (mod  (N)).
  • Make (N,e) the public key, keep (N,d) as private key, and discard p,qand  (N).
the rsa cryptosystem1
The RSA cryptosystem

Encryption

Let m < N be the confidential message that Bob wants to send to Alice.

  • Bob creates the ciphertext: c .
  • Bob sends Alice: c

Decryption

To decrypt the ciphertextc Alice computes:

.

check
Check

We have:

  • ed1 (mod  (N)) , so ed 1 + t (N).

Therefore,

  • Dd(Ee(m))(me)d m edmt(N)+1

(m(n))t m  1m  m mod n

example1
Example
  • Let p = 101, q = 113. Then N = 11413.
  •  (N) = 100 x 112 = 11200 = 26527
  • For encryption use e = 3533.
  • Alice publishes: N = 11413, e = 3533.
  • Suppose Bob wants to encrypt: 9726.
  • Bob computes 97263533 mod 11413 = 5761
  • Bob sends Alice the ciphertext 5761.
  • To decrypt it Alice computes the plaintext:

57616597 (mod 11413) = 9726

implementation
Implementation
  • Generate two large primes: p,q
  • N pqand = (p-1)(q-1)
  • Choose random e: with 1 < e <  (N) & gcd(e, (N))=1
  • The public key is (N,e)and the private key is (N,d)
slide18
Cost

In :

  • Cost of a modular multiplication (xy) mod nis

O (k2), where k = log2n

  • Cost of a modular exponentiation xz (mod n) is

O (k2 log2z) = O (k2 log2n)

cryptanalysis of public key cryptosystems
Cryptanalysis of Public-key cryptosystems
  • Active attacks on cryptosystems
  • Chosen-Plaintext Attack (CPA):
    • The attacker chooses plaintexts and obtains the corresponding ciphertexts: the task of the attacker is successful if he can decrypt a (new) target ciphertext.
  • Chosen-Ciphertext Attack (CCA1):
    • The attacker chooses a number of ciphertexts and obtains the corresponding plaintexts: the task of the attacker is successful if he can decrypt a (new) target ciphertext.
  • Adaptive Chosen-Ciphertext Attack (CCA2):
    • This is a CCS1 attack in which the attacker can adaptively choose ciphertexts: the task of the attacker is successful if he can decrypt a (new) target ciphertext.
the rsa problem
The RSA Problem
  • INPUT
    • N = pq with p,q prime nmbers.
    • e an integer such that gcd(e,(p-1)(q-1)) =1
    • cZN.
  • OUTPUT
    • The unique integer mZNsuch that me c (mod N )
the rsa assumption
The RSA Assumption
  • An RSA solver is a PPT algorithm that solves the RSA problem.
  • The RSA Assumption is that, for any RSA solver, there exists a negligible function negl such that:
    • for an arbitrary instance of the RSA problem, the RSA solver will succeed with probability  neglfor all sufficiently large inputs.
the integer factorization problem
The Integer Factorization Problem
  • The IF Problem (IF)
  • INPUT
    • N an odd composite integer with at least two distinct prime factors.
  • OUTPUT
    • A prime p such that p | N.
the if assumption
The IF Assumption
  • An integer factorizer is a PPT algorithm that solves the IF problem.
  • The IF Assumption is that, for any IF solver, there exists a negligible function negl such that:
    • for an arbitrary instance of the IF problem, the IF solver will succeed with probability  negl for all sufficiently large inputs.
security of rsa
Security of RSA
  • Relation to factoring.
    • If Factoring is easy then the RSA problem is easy: recovering the plaintext m from an RSA ciphertextc is easy if factoring is possible
    • The converse is likely not to be true.
  • Relation between factoring and the RSA problem
    • If Factoring is easy then the RSA problem is easy.
    • The converse is likely not to be true.
the rabin cryptosystem
The Rabin cryptosystem

Alice performs the following steps

  • Choose p, q large primes with |p| = |q|.
  • Compute n = pq.
  • Pick a random integer b UZn*
  • Make (n,b) public key, keep (p,q) as private key.
the rabin cryptosystem1
The Rabin cryptosystem

Encryption

Let m Zn* be the confidential message that Bob wants to send to Alice.

  • Bob creates the ciphertext: c m(m+b)(mod n).
  • Bob sends Alice: c

Decryption

To decrypt the ciphertextc Alice solves the quadratic equation:

m2 + bm –c  0(mod n),

for m < n.

the rabin cryptosystem2
The Rabin cryptosystem

Decryption

From elementary mathematics:

where  = b2 +4c (mod n).

Since m was chosen in Zn*,  must be in QRn .

Notice that ifp,qare such that p  q  3(mod4), then it iseasier to compute square roots modulo N, as we shall see below.

remarks
Remarks
  • Suppose p  q  3 (mod 4), n = pq.
  • Let y (mod p).
  • Then:

because,

remarks continued
Remarks (continued)
  • It follows that:

is a square root of y modulo p.

  • A similar argument applies for the other prime q.
  • So we get the quadratic residues modulo p and modulo q.
  • We then get the quadratic residue modulo n by using the Chinese Remainder Theorem.
example2
Example

Suppose n = 77.

Then e(x) = x 2 (mod 77)

d(y) = (mod 77)

Suppose Bob wants to decrypt y = 23

example continued
Example, continued

Using the Chinese Remainder Theorem we compute

the 4 square roots of 23 modulo 77 to be:

the rabin problem
The Rabin Problem
  • INPUT
    • N = pq with p,q prime numbers.
    • y  x 2 (mod N), xZN*
  • OUTPUT
    • zZN*such that z  x2 (mod N).
security of rabin
Security of Rabin
  • Relation to factoring.

Recovering the plaintext m from a Rabin ciphertextc

is easy if the IF problem is easy.

  • Relation between factoring and the Rabin problem
    • Under CPA attacks the Rabin system is secure

iffthe IF problem is hard.

    • Under CCA attacks the Rabin problem

is completely insecure.

security of rabin1
Security of Rabin

Under CCA attacks the Rabin system is completely insecure.

Proof:

We show this for the case when

The adversary picks an and computes

Then he gets its decryption .

This is one of the 4 square roots of , and with probability ½,

or q.

Then the adversary can decrypt any ciphertext.

the elgamal cryptosystem
The ELGamal cryptosystem

Alice performs the following steps

  • Choose a large random primes p.
  • Compute a random multiplicative generator g  Zp*
  • Pick x UZp-1 as private key
  • Compute the public key y  gx(mod p).
  • Make (p,g,y) public key, and keep (p,x) as private key.
the elgamal cryptosystem1
The ElGamal cryptosystem

Encryption

Let m < p be the confidential message that Bob wants to send to Alice.

Bob picks k UZp-1 and computes the ciphertext(c1, c2)

  • c1 gk(mod p).
  • c2 ykm (mod p).

Decryption

To decrypt the ciphertext(c1, c2) Alice computes

m c2/c1x(mod p).

example3
Example

Use p = 43, g =3, m = 14, x = 7, y = 37.

Alice’s private key: x = 7

Alice’s public key: (p,g,y) = (43,3,37).

Encryption with k = 26:

  • c1= gk(mod p) = 326(mod 43) =15.
  • c2= ykm (mod p) = 3726 ×14 (mod 43) =31 .

Decryption:

m = c2/c1x(mod p) = 31/157(mod 43) = 14 .

security of elgamal
Security of ElGamal
  • Relation to the DL.

Recovering the plaintext m from an ElGamal

ciphertextc is easy if the DL problem is easy.

  • ELGamal and the CDH problem

For messages that are uniformly distributed, the

ElGamal encryption system is secure against CPAs

iffthe CDH problem is hard.

security of elgamal1
Security of ElGamal

For messages that are uniformly distributed, the ElGamal encryption system is secure against CPAs iff the CDH problem is hard.

security of elgamal2
Security of ElGamal

Proof:

Suppose there exists an oracle that breaks ElGamal with non negligible probability  > 0.

Then since can be computed,

= can also be computed.

For an arbitrary CDH instance

,

take as the ElGamal public key and as ciphertext.

Then the oracle outputs

=

which is a solution for the CDH instance.