
1 Presenter: 呂恩佑

2
• Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys: one a public key and one a private key. It is also known as public-key encryption.
• Asymmetric encryption transforms plaintext into ciphertext using one of the two keys and an encryption algorithm. Using the paired key and a decryption algorithm, the plaintext is recovered from the ciphertext.

3
• Asymmetric encryption can be used for confidentiality, authentication, or both.
• The most widely used public-key cryptosystem is RSA. The difficulty of attacking RSA is based on the difficulty of finding the prime factors of a composite number.

4
Common misconceptions about public-key encryption:
• That public-key encryption is more secure from cryptanalysis than is symmetric encryption.
• That public-key encryption is a general-purpose technique that has made symmetric encryption obsolete.
• That key distribution is trivial when using public-key encryption, compared to the rather cumbersome handshaking involved with key distribution centers for symmetric encryption.

5
• How can the security of the keys be ensured?

6 [Figure; labels: Public Key, Private Key]

7 [Figure: the message "Tonight at 8, Oval Office. From Xiao Wen"; labels: Public Key, Private Key]

8
$Y = E(PU_b, X)$
$X = D(PR_b, Y)$

9 [Figure: the messages "Tonight at 8, Oval Office. From Xiao Wen" and "I think we should break up. From Xiao Wen"; labels: Public Key, Private Key]

10 [Figure: the message "Tonight at 8, Oval Office. From Xiao Wen"; labels: Private Key, Public Key]

11 [Figure: the messages "Tonight at 8, Oval Office. From Xiao Wen" and "I think we should break up. From Xiao Wen"; labels: Private Key, Public Key]

12
$Y = E(PR_a, X)$
$X = D(PU_a, Y)$

13
$Z = E(PU_b, E(PR_a, X))$
$X = D(PU_a, D(PR_b, Z))$

14

| Algorithm | Encryption/Decryption | Digital Signature | Key Exchange |
|---|---|---|---|
| RSA | Yes | Yes | Yes |
| Elliptic Curve | Yes | Yes | Yes |
| Diffie-Hellman | No | No | Yes |
| DSS | No | Yes | No |

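15
1. Keys are easy to generate.
2. Given the plaintext and the public key, it is easy to compute the ciphertext.
3. Given the ciphertext and the private key, it is easy to compute the plaintext.
4. The private key cannot be computed from the public key.
5. The plaintext cannot be computed from the ciphertext and the public key alone.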

16
• One-Way Function
  • $Y = f(X)$: easy
  • $X = f^{-1}(Y)$: infeasible
• Trap-Door One-Way Function
  • $Y = f_k(X)$: easy, if k and X are known
  • $X = f_k^{-1}(Y)$: easy, if k and Y are known
  • $X = f_k^{-1}(Y)$: infeasible, if Y is known but k is not known

17
• Brute-force attack
• Find some way to compute the private key given the public key
• Probable-message attack

18

| | Conventional Encryption | Public-Key Encryption |
|---|---|---|
| Needed to work, 1 | The same algorithm with the same key is used for encryption and decryption. | One algorithm is used for encryption and decryption with a pair of keys, one for encryption and one for decryption. |
| Needed to work, 2 | The sender and receiver must share the algorithm and the key. | The sender and receiver must each have one of the matched pair of keys (not the same one). |
| Needed for security, 1 | The key must be kept secret. | One of the two keys must be kept secret. |
| Needed for security, 2 | It must be impossible or at least impractical to decipher a message if no other information is available. | It must be impossible or at least impractical to decipher a message if no other information is available. |
| Needed for security, 3 | Knowledge of the algorithm plus samples of ciphertext must be insufficient to determine the key. | Knowledge of the algorithm plus one of the keys plus samples of ciphertext must be insufficient to determine the other key. |

19
• It was developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT and first published in 1978.
• The RSA scheme is a block cipher in which the plaintext and ciphertext are integers between 0 and $n - 1$ for some n.

20
• The scheme makes use of an expression with exponentials.
• Plaintext is encrypted in blocks, with each block having a binary value less than some number n.

21
• Keys
  • $PU = \{e, n\}$, $PR = \{d, n\}$
• Encryption
  • $C = M^e \bmod n$
• Decryption
  • $M = C^d \bmod n = (M^e)^d \bmod n = M^{ed} \bmod n$

22
• It is possible to find values of e, d, n such that $M^{ed} \bmod n = M$ for all $M < n$.
• It is relatively easy to calculate $M^e \bmod n$ and $C^d \bmod n$ for all values of $M < n$.
• It is infeasible to determine d given e and n.

23
• The preceding relationship holds if e and d are multiplicative inverses modulo φ(n), where φ(n) is the Euler totient function.

24
Key Generation
• Select p, q: p and q are both prime, $p \neq q$
• Calculate $n = p \times q$
• Calculate $\varphi(n) = (p - 1) \times (q - 1)$
• Select integer e: $\gcd(\varphi(n), e) = 1$; $1 < e < \varphi(n)$
• Calculate d: $ed \equiv 1 \pmod{\varphi(n)}$
• Public key: $PU = \{e, n\}$
• Private key: $PR = \{d, n\}$

Encryption
• Plaintext: $M < n$
• Ciphertext: $C = M^e \bmod n$

Decryption
• Ciphertext: C
• Plaintext: $M = C^d \bmod n$

25
• Select two prime numbers, p = 17 and q = 11.
• Calculate n = pq = 17 × 11 = 187.
• Calculate φ(n) = (p - 1)(q - 1) = 16 × 10 = 160.
• Select e such that e is relatively prime to φ(n) = 160 and less than φ(n); we choose e = 7.
• Determine d such that $ed \equiv 1 \pmod{\varphi(n)}$ and d < 160. The correct value is d = 23.

26
• Public key: {7, 187}; private key: {23, 187}
• Plaintext: M = 88
• Ciphertext: $C = M^e \bmod n = 88^7 \bmod 187$
• $88^7 \bmod 187 = [(88^4 \bmod 187) \times (88^2 \bmod 187) \times (88^1 \bmod 187)] \bmod 187$
• $88^1 \bmod 187 = 88$
• $88^2 \bmod 187 = 7744 \bmod 187 = 77$
• $88^4 \bmod 187 = 77^2 \bmod 187 = 5929 \bmod 187 = 132$
• $88^7 \bmod 187 = (88 \times 77 \times 132) \bmod 187 = 894{,}432 \bmod 187 = 11$
• Ciphertext = 11

27
• Public key: {7, 187}; private key: {23, 187}
• Ciphertext: C = 11
• Plaintext: $M = C^d \bmod n = 11^{23} \bmod 187$
• $11^{23} \bmod 187 = 11^{(1+2+4+16)} \bmod 187$
• Plaintext: M = 88
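The key generation and encryption/decryption steps on slides 24 to 27, as an added example that is not part of the original presentation. The function names are assumptions chosen here; the numbers (p = 17, q = 11, e = 7, M = 88) are the slides' own, and the same routine covers both the confidentiality use (slide 8) and the authentication use (slide 12), because E and D are the same modular exponentiation with different keys.

```python
def is_prime(m):
    """Trial division; adequate for the small textbook primes used here."""
    if m < 2:
        return False
    i = 2
    while i * i <= m:
        if m % i == 0:
            return False
        i += 1
    return True

def ext_gcd(a, b):
    """Extended Euclid: return (g, x) with a*x congruent to g mod b, g = gcd(a, b)."""
    x0, x1 = 1, 0
    while b:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
    return a, x0

def generate_keypair(p, q, e):
    """Return (PU, PR) = ((e, n), (d, n)), enforcing the conditions on slide 24."""
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    g, x = ext_gcd(e, phi)
    if not 1 < e < phi or g != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(phi(n), e) = 1")
    return (e, n), (x % phi, n)  # d is the inverse of e modulo phi(n)

def rsa_apply(key, x):
    """Textbook RSA block operation: x^exponent mod n for 0 <= x < n."""
    exponent, n = key
    if not 0 <= x < n:
        raise ValueError("block must satisfy 0 <= x < n")
    return pow(x, exponent, n)

if __name__ == "__main__":
    pu, pr = generate_keypair(17, 11, 7)   # values from the slides
    c = rsa_apply(pu, 88)                  # confidentiality: Y = E(PU, X)
    print("PU", pu, "PR", pr, "C", c, "M", rsa_apply(pr, c))
    s = rsa_apply(pr, 88)                  # authentication: Y = E(PR, X)
    print("signature", s, "verified", rsa_apply(pu, s) == 88)
```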

28
• Suppose we wish to find the value $a^b$ with a and b positive integers. If we express b as a binary number $b_k b_{k-1} \ldots b_0$ then we have
• $a^b$ = a =
• $a^b$ mod n = mod n = ( ) mod n

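29
    f ← 1
    for i ← k downto 0 do
        f ← (f × f) mod n
        if b_i = 1 then
            f ← (f × a) mod n
    return f

Result of the Fast Modular Exponentiation Algorithm for $a^b \bmod n$, where a = 7, b = 560 = 1000110000 (base 2), n = 561

| i | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
|---|---|---|---|---|---|---|---|---|---|---|
| b_i | 1 | 0 | 0 | 0 | 1 | 1 | 0 | 0 | 0 | 0 |
| f | 7 | 49 | 157 | 526 | 160 | 241 | 298 | 166 | 67 | 1 |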
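The square-and-multiply pseudocode above, written out as runnable Python that records f after every iteration so the result table can be reproduced. This is an added example, not part of the original presentation; the function name and the trace format are assumptions made here.

```python
def mod_exp_trace(a, b, n):
    """Left-to-right square-and-multiply.

    Returns (a**b mod n, trace), where trace is a list of (i, b_i, f)
    tuples giving f after iteration i, i.e. the rows of the slide's table.
    """
    if b < 0 or n <= 0:
        raise ValueError("requires b >= 0 and n > 0")
    f = 1
    trace = []
    k = max(b.bit_length() - 1, 0)        # index of the most significant bit
    for i in range(k, -1, -1):            # for i <- k downto 0
        f = (f * f) % n                   # always square
        b_i = (b >> i) & 1
        if b_i:                           # multiply only when the bit is set,
            f = (f * a) % n               # so the work done depends on the
        trace.append((i, b_i, f))         # bits of the exponent
    return f % n, trace

if __name__ == "__main__":
    # Parameters from the slide: a = 7, b = 560, n = 561.
    result, trace = mod_exp_trace(7, 560, 561)
    print("i  ", [i for i, _, _ in trace])
    print("b_i", [bit for _, bit, _ in trace])
    print("f  ", [f for _, _, f in trace])
    print("result", result)
    # The RSA example from the earlier slides uses the same routine.
    print(mod_exp_trace(88, 7, 187)[0], mod_exp_trace(11, 23, 187)[0])
```

The conditional multiply makes the running time depend on the private exponent when this routine is used for decryption, which is the behaviour the later timing-attack slides are concerned with.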

30
• To speed up the operation of the RSA algorithm using the public key, a specific choice of e is usually made. The most common choice is 65537 ($2^{16} + 1$); two other popular choices are 3 and 17.

31
• RSA becomes vulnerable to a simple attack if we use a very small public key.

32
• Determining two prime numbers, p and q.
• Selecting either e or d and calculating the other.

33
• At present, there are no useful techniques that yield arbitrarily large primes.
• States that the primes near N are spaced on the average one every ln(N/2) integers

34
• We need to select an e such that $\gcd(\varphi(n), e) = 1$ and then calculate $ed \equiv 1 \pmod{\varphi(n)}$.
• The probability that two random numbers are relatively prime is about 0.6.

35
• Brute force
• Mathematical attacks
• Timing attacks
• Chosen ciphertext attacks

36
• Factor n into its two prime factors. This enables calculation of $\varphi(n) = (p - 1) \times (q - 1)$, which, in turn, enables determination of d from $ed \equiv 1 \pmod{\varphi(n)}$.
• Determine φ(n) directly, without first determining p and q. Again, this enables determination of d from $ed \equiv 1 \pmod{\varphi(n)}$.
• Determine d directly, without first determining φ(n).

37

| Number of Decimal Digits | Approximate Number of Bits | Date Achieved | MIPS-years | Algorithm |
|---|---|---|---|---|
| 100 | 332 | April 1991 | 7 | Quadratic sieve |
| 110 | 365 | April 1992 | 75 | Quadratic sieve |
| 120 | 398 | June 1993 | 830 | Quadratic sieve |
| 129 | 428 | April 1994 | 5000 | Quadratic sieve |
| 130 | 431 | April 1996 | 1000 | Generalized number field sieve |
| 140 | 465 | February 1999 | 2000 | Generalized number field sieve |
| 155 | 512 | August 1999 | 8000 | Generalized number field sieve |
| 160 | 530 | April 2003 | | Lattice sieve |
| 174 | 576 | December 2003 | | Lattice sieve |
| 200 | 663 | May 2005 | | Lattice sieve |

38 MIPS-years: a million-instructions-per-second processor running for one year

39
• p and q should differ in length by only a few digits. Thus, for a 1024-bit key (309 decimal digits), both p and q should be on the order of magnitude of $10^{75}$ to $10^{100}$.
• Both (p - 1) and (q - 1) should contain a large prime factor.
• gcd(p - 1, q - 1) should be small.

40
• Paul Kocher, a cryptographic consultant, demonstrated that a snooper can determine a private key by keeping track of how long a computer takes to decipher messages.

41
• Constant exponentiation time
• Random delay
• Blinding

42
• The basic RSA algorithm is vulnerable to a chosen ciphertext attack.
• The adversary could select a plaintext, encrypt it with the target's public key and then be able to get the plaintext back by having it decrypted with the private key.

43
• $E(PU, M_1) \times E(PU, M_2) = E(PU, [M_1 \times M_2])$
• $C = M^e \bmod n$
• $X = (C \times 2^e) \bmod n$
• Submit X as a chosen ciphertext and receive back $Y = X^d \bmod n$.

44
• $X = (C \bmod n) \times (2^e \bmod n) = (M^e \bmod n) \times (2^e \bmod n) = (2M)^e \bmod n$
• Therefore, $Y = (2M) \bmod n$
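The multiplicative property on slides 43 and 44, checked numerically with the toy key from the earlier slides ({7, 187} / {23, 187}, M = 88, C = 11). This is an added example, not part of the original presentation; the oracle function and its refusal rule are hypothetical and only model a decryptor that will not decrypt the one ciphertext it protects.

```python
# Toy key and ciphertext from the presentation's worked example.
E, D, N = 7, 23, 187
C = 11                      # ciphertext of M = 88

def is_multiplicative(m1, m2, e=E, n=N):
    """Check E(PU, M1) x E(PU, M2) = E(PU, [M1 x M2]) modulo n."""
    left = (pow(m1, e, n) * pow(m2, e, n)) % n
    return left == pow((m1 * m2) % n, e, n)

def decryption_oracle(x, protected=C, d=D, n=N):
    """Hypothetical decryptor that refuses only the protected ciphertext."""
    if x % n == protected % n:
        raise PermissionError("refusing to decrypt the protected ciphertext")
    return pow(x, d, n)

def related_ciphertext_demo(c, e, n, oracle):
    """Follow the slides' equations and return (X, Y, M).

    X = (C x 2^e) mod n is a different ciphertext, so the oracle accepts it;
    Y = X^d mod n = (2M) mod n; dividing by 2 modulo n (n is odd) gives M.
    """
    x = (c * pow(2, e, n)) % n
    y = oracle(x)
    m = (y * pow(2, -1, n)) % n     # modular inverse of 2, Python 3.8+
    return x, y, m

if __name__ == "__main__":
    print("homomorphic:", is_multiplicative(3, 5))
    try:
        decryption_oracle(C)
    except PermissionError as err:
        print("direct query:", err)
    print("X, Y, M =", related_ciphertext_demo(C, E, N, decryption_oracle))
```

Randomized padding such as OAEP, applied before the exponentiation, breaks this multiplicative relation between ciphertexts, which is why RSA is not applied to raw message blocks in practice.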

