Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 8: Non-secret Key Cryptosystems.

Published byAlexander Green Modified over 8 years ago

Similar presentations

Presentation on theme: "David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 8: Non-secret Key Cryptosystems."— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/~evans CS588: Security and Privacy University of Virginia Computer Science Lecture 8: Non-secret Key Cryptosystems (How Euclid, Fermat and Euler Created E-Commerce) Real mathematics has no effects on war. No one has yet discovered any warlike purpose to be served by the theory of numbers. G. H. Hardy, The Mathematician’s Apology, 1940.

2 24 Sept 2001University of Virginia CS 5882 Public-Key Applications: Privacy Alice encrypts message to Bob using Bob’s Private Key Only Bob knows Bob’s Private Key  only Bob can decrypt message Encrypt Decrypt Plaintext Ciphertext Plaintext Alice Bob Bob’s Public Key Bob’s Private Key

3 24 Sept 2001University of Virginia CS 5883 Signatures Bob knows it was from Alice, since only Alice knows Alice’s Private Key Non-repudiation: Alice can’t deny signing message (except by claiming her key was stolen!) Integrity: Bob can’t change message (doesn’t know Alice’s Private Key) Encrypt Decrypt Plaintext Signed Message Plaintext Alice Bob Alice’s Private Key Alice’s Public Key

4 24 Sept 2001University of Virginia CS 5884 Public-Key Cryptography Private procedure: E Public procedure: D Identity: E (D (m)) = D (E (m)) = m Secure: cannot determine E from D But didn’t know how to find suitable E and D

5 24 Sept 2001University of Virginia CS 5885 Properties of E and D Trap-door one way function: 1. D (E (M)) = M 2. E and D are easy to compute. 3.Revealing E doesn’t reveal an easy way to compute D Trap-door one way permutation: also 4. E (D (M)) = M

6 24 Sept 2001University of Virginia CS 5886 RSA E(M) = M e mod n d D(C) = C d mod n (red = secret) pqpq n = pqp, q are prime d d is relatively prime to (p – 1)(q – 1) d ed  1 (mod (p – 1)(q – 1))

7 24 Sept 2001University of Virginia CS 5887 RSA in Perl print pack"C*", split/\D+/, `echo "16iII*o\U@{$/=$z; [(pop,pop,unpack"H*",<>)]} \EsMsKsN0[lN*1lK[d2%Sa2/d0 <X+d*lMLa^*lN%0]dsXx++lMlN /dsM0<J]dsJxp"|dc` (by Adam Back) Until 1997 – Illegal to show this slide to non-US citizens! Until Jan 2000: can export RSA, but only with 512 bit keys Now: can export RSA except to embargoed destinations

8 24 Sept 2001University of Virginia CS 5888 First Amendment Because computer source code is an expressive means for the exchange of information and ideas about computer programming, we hold that it is protected by the First Amendment. Sixth Circuit Court of Appeals, April 4, 2000 Ruling that Peter Junger could post RSA source code on his web site

9 24 Sept 2001University of Virginia CS 5889 Properties of E and D Trap-door one way function: 1. D (E (M)) = M 2. E and D are easy to compute. 3.Revealing E doesn’t reveal an easy way to compute D Trap-door one way permutation: also 4. E (D (M)) = M

10 24 Sept 2001University of Virginia CS 58810 Property 1: D (E (M)) = M E(M) = M e mod n D(E(M)) = (M e mod n) d mod n = M ed mod n (as in D-H proof) Can we choose e, d and n so: M  M ed mod n 1  M ed-1 mod n

11 24 Sept 2001University of Virginia CS 58811 Euler’s totient (phi) function  (n) = number of positive integers < n which are relatively prime to n. If n is prime,  (n) = n – 1. –Proof by contradiction.

12 24 Sept 2001University of Virginia CS 58812 Totient Products For primes, p and q: n = pq  (n) =  (pq)  (n) = numbers < n not relatively prime to pq = pq – 1 numbers less than pq – p, 2p, 3p, …, (q – 1)p ; q-1 of them – q, 2q, 3q, …, (p – 1)q ; p-1 of them = pq – 1 – (q – 1) – (p – 1) = pq – (p + q) + 1 = (p – 1) (q – 1) =  (p)  (q)

13 24 Sept 2001University of Virginia CS 58813 Euler’s Theorem For a and n relatively prime: a  (n)  1 mod n Recall: we are looking for e, d and n such that: M ed-1  1 mod n

14 24 Sept 2001University of Virginia CS 58814 Fermat’s Little Theorem If n is prime and a is not divisible by n a n-1  1 mod n Stronger version: (in MBC p. 200): If n is prime, for any a: a n  a mod n

15 24 Sept 2001University of Virginia CS 58815 Fermat’s Little Theorem Proof {a mod n, 2a mod n, …, (n-1)a mod n} = {1, 2, …, (n – 1) } if ab mod n = ac mod n and a is relatively prime to n then b = c mod n

16 24 Sept 2001University of Virginia CS 58816 Fermat’s Little Theorem Proof {a mod n, 2a mod n, …, (n-1)a mod n} = {1, 2, …, (n – 1) } a  2a  …  (n – 1) a  (n – 1)! mod n (n – 1)!a n-1  (n – 1)! mod n a n-1  1 mod n

17 24 Sept 2001University of Virginia CS 58817 Euler’s Theorem For a and n relatively prime: a  (n)  1 mod n Proof: If n is prime,  (n) = n – 1 and a n - 1  1 mod n by Fermat’s Little Theorem. What if n is not prime?

18 24 Sept 2001University of Virginia CS 58818 Euler’s Theorem, cont. For a and n relatively prime: a  (n)  1 mod n  (n) = number of numbers < n not relatively prime to n We can write those numbers as: R = { x 1, x 2, …, x  (n) }

19 24 Sept 2001University of Virginia CS 58819 Proving Euler’s Theorem R = { x 1, x 2, …, x  (n) } multiply by a mod n : S = { ax 1 mod n, ax 2 mod n, …, ax  (n) mod n} S is a permutation of R : –a is relatively prime to n and x i so ax i is relatively prime to n hence all elements of S are in R. –There are no duplicates in S. If ax i mod n = ax j mod n then i = j. since a is relatively prime to n.

20 24 Sept 2001University of Virginia CS 58820 Proving Euler’s Theorem x 1  x 2 …  x  (n) = ax 1 mod n  ax 2 mod n …  ax  (n) mod n  (ax 1  ax 2 …  ax  (n) ) mod n  a  (n)  x 1  x 2 …  x  (n) mod n 1  a  (n) mod nQED.

21 24 Sept 2001University of Virginia CS 58821 Recap Euler’s Theorem: 1  a  (n) mod n for a and n relatively prime If n is prime,  (n) = n – 1. For p and q prime,  (pq) =  (p)  (q) We are looking for e, d and n such that: M ed-1  1 mod n ed – 1 =  (n) = (p-1)(q-1) What if M is not relatively prime to n ?

22 24 Sept 2001University of Virginia CS 58822 M and n Suppose M and n not relatively prime: gcd (M, n)  1 Since n = pq and p and q are prime: gcd (M, p)  1 OR gcd (M, q)  1 Case 1: M = cp gcd (M, q) = 1 (otherwise M is multiple of both p and q, but M < pq). So, M  (q)  1 mod q (by Euler’s theorem, since M and q are relatively prime)

23 24 Sept 2001University of Virginia CS 58823 M and n, cont Case 1: M = cp gcd (M, q) = 1 (otherwise M is multiple of both p and q, but M < pq). So, M  (q)  1 mod q (by Euler’s theorem, since M and q are relatively prime) M  (q)  1 mod q (M  (q) )  (p)  1 mod q M  (q)  (p)  1 mod q M  (n)  1 mod q

24 24 Sept 2001University of Virginia CS 58824 M and n M  (n)  1 mod q M  (n) = 1 + k q for some k M = cp recall gcd (M, p)  1 M  M  (n) = (1 + k q)cp M  (n) + 1 = cp + k qcp = M + k cn M  (n) + 1  M mod n

25 24 Sept 2001University of Virginia CS 58825 Where’s ED? ed – 1 =  (n) = (p-1)(q-1) So, we need to choose e and d: ed =  (n) + 1 = n – (p + q) Pick random d, relatively prime to  (n) gcd (d,  (n)) = 1 Since d is relatively prime to  (n) it has a multiplicative inverse e : de  1 mod  (n)

26 24 Sept 2001University of Virginia CS 58826 Identity de  1 mod  (n) So, d * e = (k *  (n)) + 1 for some k. Hence, M ed-1 mod n = M k *  (n) mod n

27 24 Sept 2001University of Virginia CS 58827 D (E (M)) = M M ed-1 mod n = M k *  (n) mod n Euler says 1  M  (n) mod n. So 1  M k *  (n) mod n 1  M ed-1 mod n M  M ed mod n QED.

28 24 Sept 2001University of Virginia CS 58828 Properties of E and D Trap-door one way function: 1. D (E (M)) = M 2. E and D are easy to compute. 3.Revealing E doesn’t reveal an easy way to compute D Trap-door one way permutation: also 4. E (D (M)) = M 

29 24 Sept 2001University of Virginia CS 58829 Property 2: Easy to Compute E(M) = M e mod n Easy – every 4 th grader can to exponents, every kindergartner can do mod n. How big are M, e, and n ? –M: 2 n where n is the number of bits in M –M and n must be big (~ 10 200 ) for security

30 24 Sept 2001University of Virginia CS 58830 Fast Exponentiation a m + n = a m * a n a b = a b/2 * a b/2 (if 2 divides b ) So, can compute M e in about log 2 e multiplies 10 150 < 2 512, 512 multiplies is doable (by a computer, not a kindergartner) Faster bitwise algorithms known

31 24 Sept 2001University of Virginia CS 58831 Anything else hard to compute? We need to find large prime numbers p and q Obvious way: Pick big number x for i = 2 to x - 1 if i divides x its not prime, start over with x + 1 done – x is prime sqrt (x)

32 24 Sept 2001University of Virginia CS 58832 How many prime numbers? Infinite (proved by Euclid, 300BC) Proof by contradiction: Suppose that there exist only finitely many primes p 1 < p 2 <... < p r. Let N = (p 1 )(p 2 )...(p r ) + 1 N > p r so it is composite, N = p * M If p = p i for some 1 … r, then, N = p i * M = p i * (p 1 )(p 2 )...(p i-1 ) (p i+1 )...(p r ) + 1 p i ( M - (p 1 )(p 2 )...(p i-1 ) (p i+1 )...(p r ) ) = 1 Contradiction: p i > 1 Hence, there must be infinitely many primes.

33 24 Sept 2001University of Virginia CS 58833 Density of Primes From http://www.utm.edu/research/primes/howmany.shtml  (x) is the number of primes  x

34 24 Sept 2001University of Virginia CS 58834 Approximating  (x) The Prime Number Theorem:  (x) ~ x/ln x So, to find a prime bigger than x, we need to make about ln x/2 guesses (Naïvely) Each guess requires sqrt( x ) work For 200 digits (worst imaginable case): 230 guesses * 10 100 More work than breaking 3DES!

35 24 Sept 2001University of Virginia CS 58835 Need a faster prime test There are several fast probabilistic prime tests Can quickly test a prime with high probability, with a small amount of work If we pick a non-prime, its not a disaster (exercise for reader, will be on PS3)

36 24 Sept 2001University of Virginia CS 58836 Fermat Test Recall Fermat’s Little Theorem: if n is prime and a is not divisible by n then a n-1  1 mod n Prove n is composite by finding a n-1  1 mod n Showing a n-1  1 mod n does not prove it is prime But if it holds for many a’ s it is likely than n is prime –Holds for all a’ s for some non-primes known as Carmichael Numbers: 561, 645, 1105, …)

37 24 Sept 2001University of Virginia CS 58837 Properties of E and D Trap-door one way function: 1. D (E (M)) = M 2. E and D are easy to compute. 3.Revealing E doesn’t reveal an easy way to compute D Trap-door one way permutation: also 4. E (D (M)) = M  

38 24 Sept 2001University of Virginia CS 58838 Property 4: E (D (M)) = M D(M) = M d mod n E(D(M)) = (M d mod n) e mod n = M de mod n = M ed mod n = M (from the property 1 proof)

39 24 Sept 2001University of Virginia CS 58839 Applications of RSA Privacy: –Bob encrypts message to Alice using E A –Only Alice knows D A Signatures: –Alice encrypts a message to Alice using D A –Bob decrypts using E A –Knows it was from Alice, since only Alice knows D A Things you use every day: ssh, SSL, DNS, etc.

40 24 Sept 2001University of Virginia CS 58840 Two “Questionable” Statements in RSA Paper 1.“The need for a courier between every pair of users has thus been replaced by the requirement for a single secure meeting between each user and the public file manager when the user joins the system.” (p. 6)

41 24 Sept 2001University of Virginia CS 58841 Two “Questionable” Statements in RSA Paper 2.“(The NBS scheme (DES) is probably somewhat faster if special-purposed hardware encryption devices are used; our scheme may be faster on a general-purpose computer since multiprecision arithmetic operations are simpler to implement than complicated bit manipulations.)” (p. 4)

42 24 Sept 2001University of Virginia CS 58842 Who really invented RSA? General Communications Headquarters, Cheltenham (formed from Bletchley Park after WWII) 1969 – James Ellis asked to work on key distribution problem Secure telephone conversations by adding “noise” to line Late 1969 – idea for PK, but function

43 24 Sept 2001University of Virginia CS 58843 RSA & Diffie-Hellman Asks Clifford Cocks, Cambridge mathematics graduate, for help He discovers RSA (four years early) Then (with Malcolm Williamson) discovered Diffie-Hellman Kept secret until 1997! NSA claims they had it even earlier

44 24 Sept 2001University of Virginia CS 58844 Charge Reread the parts of RSA paper you didn’t understand the first time PS2 Due Weds Next time: security of RSA (third property) 3.Revealing E doesn’t reveal an easy way to compute D

Download ppt "David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 8: Non-secret Key Cryptosystems."

Similar presentations

Cryptography and Network Security Chapter 9

Cryptography and Network Security Chapter 9
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.
CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.

BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Class 4: Modern Cryptography

Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Class 4: Modern Cryptography
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Cryptography Lecture 11: Oct 12. Cryptography AliceBob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal:

Cryptography Lecture 11: Oct 12. Cryptography AliceBob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal:
1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David.

1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David.
CS470, A.SelcukPublic Key Cryptography1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukPublic Key Cryptography1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Public Encryption: RSA

Public Encryption: RSA
Cryptography & Number Theory

Cryptography & Number Theory
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Similar presentations

Ads by Google