Practical Aspects of Modern Cryptography Fall 2016 Tolga Acar Josh Benaloh

Diffie-Hellman Key Exchange Alice Randomly select a large integer 𝑎 and send 𝐴= 𝑌 𝑎 mod 𝑁. Compute the key 𝐾= 𝐵 𝑎 mod 𝑁. Bob Randomly select a large integer 𝑏 and send 𝐵= 𝑌 𝑏 mod 𝑁. Compute the key 𝐾= 𝐴 𝑏 mod 𝑁. 𝐵 𝑎 = 𝑌 𝑏𝑎 = 𝑌 𝑎𝑏 = 𝐴 𝑏 October 11, 2016 Practical Aspects of Modern Cryptography

The Fundamental Equation 𝑍= 𝑌 𝑋 mod 𝑁 October 11, 2016 Practical Aspects of Modern Cryptography

𝑍= 𝑌 𝑋 mod 𝑁 One-Way Functions October 11, 2016 Practical Aspects of Modern Cryptography

𝑍= 𝑌 𝑋 mod 𝑁 One-Way Functions When 𝑋 is unknown, the problem is known as the discrete logarithm and is generally believed to be hard to solve. October 11, 2016 Practical Aspects of Modern Cryptography

One-Way Trap-Door Functions 𝑍= 𝑌 𝑋 mod 𝑁 October 11, 2016 Practical Aspects of Modern Cryptography

One-Way Trap-Door Functions 𝑍= 𝑌 𝑋 mod 𝑁 Recall that this equation is solvable for 𝑌 if the factorization of 𝑁 is known, but is believed to be hard otherwise. October 11, 2016 Practical Aspects of Modern Cryptography

RSA Public-Key Cryptosystem Alice Anyone October 11, 2016 Practical Aspects of Modern Cryptography

RSA Public-Key Cryptosystem Alice Select two large random primes 𝑃 & 𝑄. Anyone October 11, 2016 Practical Aspects of Modern Cryptography

RSA Public-Key Cryptosystem Alice Select two large random primes 𝑃 & 𝑄. Publish the product 𝑁=𝑃𝑄. Anyone October 11, 2016 Practical Aspects of Modern Cryptography

RSA Public-Key Cryptosystem Alice Select two large random primes 𝑃 & 𝑄. Publish the product 𝑁=𝑃𝑄. Anyone To send message 𝑌 to Alice, compute 𝑍= 𝑌 𝑋 mod 𝑁. October 11, 2016 Practical Aspects of Modern Cryptography

RSA Public-Key Cryptosystem Alice Select two large random primes 𝑃 & 𝑄. Publish the product 𝑁=𝑃𝑄. Anyone To send message 𝑌 to Alice, compute 𝑍= 𝑌 𝑋 mod 𝑁. Send 𝑍 and 𝑋 to Alice. October 11, 2016 Practical Aspects of Modern Cryptography

RSA Public-Key Cryptosystem Alice Select two large random primes 𝑃 & 𝑄. Publish the product 𝑁=𝑃𝑄. Use knowledge of 𝑃 & 𝑄 to compute 𝑌. Anyone To send message 𝑌 to Alice, compute 𝑍= 𝑌 𝑋 mod 𝑁. Send 𝑍 and 𝑋 to Alice. October 11, 2016 Practical Aspects of Modern Cryptography

𝑋 mod (𝑃−1)(𝑄−1)=1 and 0≤𝑌<𝑁. Some RSA Details When 𝑁=𝑃𝑄 is the product of distinct primes, 𝑌 𝑋 mod 𝑁=𝑌 whenever 𝑋 mod (𝑃−1)(𝑄−1)=1 and 0≤𝑌<𝑁. October 11, 2016 Practical Aspects of Modern Cryptography

𝑋 mod (𝑃−1)(𝑄−1)=1 and 0≤𝑌<𝑁. Some RSA Details When 𝑁=𝑃𝑄 is the product of distinct primes, 𝑌 𝑋 mod 𝑁=𝑌 whenever 𝑋 mod (𝑃−1)(𝑄−1)=1 and 0≤𝑌<𝑁. Alice can easily select integers 𝐸 and 𝐷 such that 𝐸×𝐷 mod (𝑃−1)(𝑄−1)=1. October 11, 2016 Practical Aspects of Modern Cryptography

Some RSA Details Encryption: 𝐸(𝑌) = 𝑌 𝐸 mod 𝑁. Decryption: 𝐷 𝑌 = 𝑌 𝐷 mod 𝑁. 𝐷(𝐸(𝑌)) = 𝑌 𝐸 mod 𝑁 𝐷 mod 𝑁 = 𝑌 𝐸𝐷 mod 𝑁 = 𝑌 October 11, 2016 Practical Aspects of Modern Cryptography

Some RSA Details In practice, the encryption exponent 𝐸 is almost always fixed to be 𝐸=65537= 2 16 +1. October 11, 2016 Practical Aspects of Modern Cryptography

Some RSA Details In practice, the encryption exponent 𝐸 is almost always fixed to be 𝐸=65537= 2 16 +1. The decryption exponent 𝐷 is then computed as 𝐷=(1÷𝐸) mod 𝑃−1 (𝑄−1). October 11, 2016 Practical Aspects of Modern Cryptography

Public-Key Directory October 11, 2016 Practical Aspects of Modern Cryptography

Public-Key Directory (Recall that 𝐸 is commonly fixed to be 𝐸=65537.) October 11, 2016 Practical Aspects of Modern Cryptography

RSA Signatures October 11, 2016 Practical Aspects of Modern Cryptography

RSA Signatures An additional property October 11, 2016 Practical Aspects of Modern Cryptography

RSA Signatures An additional property 𝐷(𝐸(𝑌))= 𝑌 𝐸𝐷 mod 𝑁=𝑌 October 11, 2016 Practical Aspects of Modern Cryptography

RSA Signatures An additional property 𝐷(𝐸(𝑌))= 𝑌 𝐸𝐷 mod 𝑁=𝑌 October 11, 2016 Practical Aspects of Modern Cryptography

RSA Signatures An additional property 𝐷(𝐸(𝑌))= 𝑌 𝐸𝐷 mod 𝑁=𝑌 Only Alice (knowing the factorization of 𝑁) knows 𝐷. Hence only Alice can compute 𝐷(𝑌)= 𝑌 𝐷 mod 𝑁. October 11, 2016 Practical Aspects of Modern Cryptography

RSA Signatures An additional property 𝐷(𝐸(𝑌))= 𝑌 𝐸𝐷 mod 𝑁=𝑌 Only Alice (knowing the factorization of 𝑁) knows 𝐷. Hence only Alice can compute 𝐷(𝑌)= 𝑌 𝐷 mod 𝑁. This 𝐷(𝑌) serves as Alice’s signature on 𝑌. October 11, 2016 Practical Aspects of Modern Cryptography

Certificate Authority “Alice’s public modulus is 𝑁𝐴=331490324840…” -- signed CA. October 11, 2016 Practical Aspects of Modern Cryptography

Trust Chains Alice certifies Bob’s key. Bob certifies Carol’s key. If I trust Alice should I accept Carol’s key? October 11, 2016 Practical Aspects of Modern Cryptography

Basic Authentication October 11, 2016 Practical Aspects of Modern Cryptography

Basic Authentication How can I use RSA to authenticate someone’s identity? October 11, 2016 Practical Aspects of Modern Cryptography

Basic Authentication How can I use RSA to authenticate someone’s identity? If Alice’s public key 𝐸 𝐴 , just pick a random message 𝑚 and send 𝐸 𝐴 (𝑚). October 11, 2016 Practical Aspects of Modern Cryptography

Basic Authentication How can I use RSA to authenticate someone’s identity? If Alice’s public key 𝐸 𝐴 , just pick a random message 𝑚 and send 𝐸 𝐴 (𝑚). If 𝑚 comes back, I must be talking to Alice. October 11, 2016 Practical Aspects of Modern Cryptography

Basic Authentication Should Alice be happy with this method of authentication? October 11, 2016 Practical Aspects of Modern Cryptography

Basic Authentication Should Alice be happy with this method of authentication? Bob sends Alice the authentication string 𝑦= “I owe Bob $1 million - signed Alice.” October 11, 2016 Practical Aspects of Modern Cryptography

Basic Authentication Should Alice be happy with this method of authentication? Bob sends Alice the authentication string 𝑦= “I owe Bob $1 million - signed Alice.” Alice dutifully authenticates herself by decrypting (putting her signature on) 𝑦. October 11, 2016 Practical Aspects of Modern Cryptography

Basic Authentication What if Alice only returns authentication queries when the decryption has a certain format? October 11, 2016 Practical Aspects of Modern Cryptography

RSA Cautions Is it reasonable to sign/decrypt something given to you by someone else? Note that RSA is multiplicative. Can this property be used/abused? October 11, 2016 Practical Aspects of Modern Cryptography

RSA Cautions 𝐷 𝑌 1 ×𝐷( 𝑌 2 )=𝐷( 𝑌 1 × 𝑌 2 ) 𝐷 𝑌 1 ×𝐷( 𝑌 2 )=𝐷( 𝑌 1 × 𝑌 2 ) Thus, if I’ve decrypted (or signed) 𝑌 1 and 𝑌 2 , I’ve also decrypted (or signed) 𝑌 1 × 𝑌 2 . October 11, 2016 Practical Aspects of Modern Cryptography

The Hastad Attack Given 𝐸 1 (𝑥) = 𝑥 3 mod 𝑛 1 𝐸 2 (𝑥) = 𝑥 3 mod 𝑛 2 one can easily compute 𝑥. October 11, 2016 Practical Aspects of Modern Cryptography

The Bleichenbacher Attack PKCS#1 Message Format: 00 01 XX XX ... XX 00 YY YY ... YY random non-zero bytes message October 11, 2016 Practical Aspects of Modern Cryptography

“Man-in-the-Middle” Attacks October 11, 2016 Practical Aspects of Modern Cryptography

The Practical Side October 11, 2016 Practical Aspects of Modern Cryptography

The Practical Side RSA can be used to encrypt any data. October 11, 2016 Practical Aspects of Modern Cryptography

The Practical Side RSA can be used to encrypt any data. Public-key (asymmetric) cryptography is very inefficient when compared to traditional private-key (symmetric) cryptography. October 11, 2016 Practical Aspects of Modern Cryptography

The Practical Side October 11, 2016 Practical Aspects of Modern Cryptography

The Practical Side For efficiency, one generally uses RSA or DH to transmit a private (symmetric) key. October 11, 2016 Practical Aspects of Modern Cryptography

The Practical Side For efficiency, one generally uses RSA or DH to transmit a private (symmetric) key. The private session key is used to encrypt any subsequent data. October 11, 2016 Practical Aspects of Modern Cryptography

The Practical Side For efficiency, one generally uses RSA or DH to transmit a private (symmetric) key. The private session key is used to encrypt any subsequent data. Digital signatures are only used to sign a digest of the message. October 11, 2016 Practical Aspects of Modern Cryptography

Public-Key History Whit Diffie and Marty Hellman 1976 New Directions in Cryptography Whit Diffie and Marty Hellman One-Way functions Diffie-Hellman Key Exchange 1978 RSA paper Ron Rivest, Adi Shamir, and Len Adleman RSA Encryption System RSA Digital Signature Mechanism October 11, 2016 Practical Aspects of Modern Cryptography

Authenticated Channels October 11, 2016 Practical Aspects of Modern Cryptography

Authenticated Channels If Alice send a key or other data to Bob using Bob’s certified RSA key, then they have one-sided authentication. October 11, 2016 Practical Aspects of Modern Cryptography

Authenticated Channels If Alice send a key or other data to Bob using Bob’s certified RSA key, then they have one-sided authentication. One-sided authentication is good enough for many applications, but not all. October 11, 2016 Practical Aspects of Modern Cryptography

Authenticated Channels If Alice send a key or other data to Bob using Bob’s certified RSA key, then they have one-sided authentication. One-sided authentication is good enough for many applications, but not all. Alice can take an additional step to authenticate herself to Bob October 11, 2016 Practical Aspects of Modern Cryptography

Authenticated Diffie-Hellman October 11, 2016 Practical Aspects of Modern Cryptography

Authenticated Diffie-Hellman Raw Diffie-Hellman is unauthenticated. October 11, 2016 Practical Aspects of Modern Cryptography

Authenticated Diffie-Hellman Raw Diffie-Hellman is unauthenticated. Several options are available to add one-sided of full authentication. October 11, 2016 Practical Aspects of Modern Cryptography

Authenticated Diffie-Hellman Raw Diffie-Hellman is unauthenticated. Several options are available to add one-sided of full authentication. One or both parties can sign the (unauthenticated) exchanged key. October 11, 2016 Practical Aspects of Modern Cryptography

Authenticated Diffie-Hellman Raw Diffie-Hellman is unauthenticated. Several options are available to add one-sided of full authentication. One or both parties can sign the (unauthenticated) exchanged key. One or both parties can include an authenticate public key in the exchange. October 11, 2016 Practical Aspects of Modern Cryptography

Forward Secrecy October 11, 2016 Practical Aspects of Modern Cryptography

Forward Secrecy Stuff happens October 11, 2016 Practical Aspects of Modern Cryptography

Forward Secrecy Stuff happens … keys get compromised. October 11, 2016 Practical Aspects of Modern Cryptography

Forward Secrecy Stuff happens … keys get compromised. Best practices suggest mitigating damage. October 11, 2016 Practical Aspects of Modern Cryptography

Forward Secrecy Stuff happens … keys get compromised. Best practices suggest mitigating damage. If an RSA decryption key is leaked, … October 11, 2016 Practical Aspects of Modern Cryptography

Forward Secrecy Stuff happens … keys get compromised. Best practices suggest mitigating damage. If an RSA decryption key is leaked, … everything it was ever used for is at risk. October 11, 2016 Practical Aspects of Modern Cryptography

Forward Secrecy Stuff happens … keys get compromised. Best practices suggest mitigating damage. If an RSA decryption key is leaked, … everything it was ever used for is at risk. With DH, a fresh exchange key is generated with each session. October 11, 2016 Practical Aspects of Modern Cryptography

Forward Secrecy The principle of forward secrecy is that while a compromised key will reveal all messages from the time of compromise until the key’s replacement, … October 11, 2016 Practical Aspects of Modern Cryptography

Forward Secrecy The principle of forward secrecy is that while a compromised key will reveal all messages from the time of compromise until the key’s replacement, … it should not reveal data exchanged prior to the key’s compromise. October 11, 2016 Practical Aspects of Modern Cryptography

𝑋 mod (𝑃−1)(𝑄−1)=1 and 0≤𝑌<𝑁. Why Does RSA Work? Fact When 𝑁=𝑃𝑄 is the product of distinct primes, 𝑌𝑋 mod 𝑁=𝑌 whenever 𝑋 mod (𝑃−1)(𝑄−1)=1 and 0≤𝑌<𝑁. October 11, 2016 Practical Aspects of Modern Cryptography

Fermat’s Little Theorem If 𝑝 is prime, then 𝑥 𝑝−1 mod 𝑝=1 for all 0<𝑥<𝑝. Equivalently … If 𝑝 is prime, then 𝑥𝑝 mod 𝑝 = 𝑥 mod 𝑝 for all integers 𝑥. October 11, 2016 Practical Aspects of Modern Cryptography

Proof of Fermat’s Little Theorem The Binomial Theorem 𝑥+𝑦 𝑝 = 𝑖=0 𝑝 𝑝 𝑖 𝑥 𝑖 𝑦 𝑝−𝑖 where 𝑝 𝑖 = 𝑝! 𝑖! 𝑝−𝑖 ! October 11, 2016 Practical Aspects of Modern Cryptography

Proof of Fermat’s Little Theorem The Binomial Theorem 𝑥+𝑦 𝑝 = 𝑖=0 𝑝 𝑝 𝑖 𝑥 𝑖 𝑦 𝑝−𝑖 where 𝑝 𝑖 = 𝑝! 𝑖! 𝑝−𝑖 ! If 𝑝 is prime, then 𝑝 𝑖 =0 for 0<𝑖<𝑝. October 11, 2016 Practical Aspects of Modern Cryptography

Proof of Fermat’s Little Theorem The Binomial Theorem 𝑥+𝑦 𝑝 = 𝑖=0 𝑝 𝑝 𝑖 𝑥 𝑖 𝑦 𝑝−𝑖 where 𝑝 𝑖 = 𝑝! 𝑖! 𝑝−𝑖 ! If 𝑝 is prime, then 𝑝 𝑖 =0 for 0<𝑖<𝑝. Thus, 𝑥+𝑦 𝑝 mod 𝑝=( 𝑥 𝑝 + 𝑦 𝑝 ) mod 𝑝. October 11, 2016 Practical Aspects of Modern Cryptography

Proof of Fermat’s Little Theorem 𝑥 𝑝 mod 𝑝=𝑥 mod 𝑝 October 11, 2016 Practical Aspects of Modern Cryptography

Proof of Fermat’s Little Theorem 𝑥 𝑝 mod 𝑝=𝑥 mod 𝑝 By induction on 𝑥… October 11, 2016 Practical Aspects of Modern Cryptography

Proof of Fermat’s Little Theorem 𝑥 𝑝 mod 𝑝=𝑥 mod 𝑝 By induction on 𝑥… Basis October 11, 2016 Practical Aspects of Modern Cryptography

Proof of Fermat’s Little Theorem 𝑥 𝑝 mod 𝑝=𝑥 mod 𝑝 By induction on 𝑥… Basis If 𝑥=0, then 𝑥𝑝 mod 𝑝=0=𝑥 mod 𝑝. October 11, 2016 Practical Aspects of Modern Cryptography

Proof of Fermat’s Little Theorem 𝑥 𝑝 mod 𝑝=𝑥 mod 𝑝 By induction on 𝑥… Basis If 𝑥=0, then 𝑥𝑝 mod 𝑝=0=𝑥 mod 𝑝. If 𝑥=1, then 𝑥𝑝 mod 𝑝=1=𝑥 mod 𝑝. October 11, 2016 Practical Aspects of Modern Cryptography

Proof of Fermat’s Little Theorem Inductive Step October 11, 2016 Practical Aspects of Modern Cryptography

Proof of Fermat’s Little Theorem Inductive Step Assume that 𝑥𝑝 mod 𝑝 = 𝑥 mod 𝑝. October 11, 2016 Practical Aspects of Modern Cryptography

Proof of Fermat’s Little Theorem Inductive Step Assume that 𝑥𝑝 mod 𝑝 = 𝑥 mod 𝑝. Then (𝑥+1)𝑝 mod 𝑝=(𝑥𝑝+1𝑝) mod 𝑝 (by the binomial theorem) October 11, 2016 Practical Aspects of Modern Cryptography

Proof of Fermat’s Little Theorem Inductive Step Assume that 𝑥𝑝 mod 𝑝 = 𝑥 mod 𝑝. Then (𝑥+1)𝑝 mod 𝑝=(𝑥𝑝+1𝑝) mod 𝑝 =(𝑥+1) mod 𝑝 (by inductive hypothesis). October 11, 2016 Practical Aspects of Modern Cryptography

Proof of Fermat’s Little Theorem Inductive Step Assume that 𝑥𝑝 mod 𝑝 = 𝑥 mod 𝑝. Then (𝑥+1)𝑝 mod 𝑝=(𝑥𝑝+1𝑝) mod 𝑝 =(𝑥+1) mod 𝑝 (by inductive hypothesis). Hence, 𝑥𝑝 mod 𝑝=𝑥 mod 𝑝 for integers 𝑥≥0. October 11, 2016 Practical Aspects of Modern Cryptography

Proof of Fermat’s Little Theorem Inductive Step Assume that 𝑥𝑝 mod 𝑝 = 𝑥 mod 𝑝. Then (𝑥+1)𝑝 mod 𝑝=(𝑥𝑝+1𝑝) mod 𝑝 =(𝑥+1) mod 𝑝 (by inductive hypothesis). Hence, 𝑥𝑝 mod 𝑝=𝑥 mod 𝑝 for integers 𝑥≥0. Also true for negative 𝑥, since (−𝑥)𝑝=(−1)𝑝𝑥𝑝. October 11, 2016 Practical Aspects of Modern Cryptography

Proof of RSA October 11, 2016 Practical Aspects of Modern Cryptography

𝑌 𝑃 mod 𝑃=𝑌 whenever 0≤𝑌<𝑃 Proof of RSA We have shown … 𝑌 𝑃 mod 𝑃=𝑌 whenever 0≤𝑌<𝑃 and 𝑃 is prime. October 11, 2016 Practical Aspects of Modern Cryptography

Proof of RSA We have shown … 𝑌 𝑃 mod 𝑃=𝑌 whenever 0≤𝑌<𝑃 and 𝑃 is prime. This can be generalized to show … 𝑌 𝐾 𝑃−1 𝑄−1 +1 mod 𝑃𝑄=𝑌 when 0≤𝑌<𝑃𝑄 𝑃 and 𝑄 are distinct primes and 𝐾≥0. October 11, 2016 Practical Aspects of Modern Cryptography

Corollary of Fermat 𝑥𝑝 mod 𝑝 = 𝑥 mod 𝑝 ⇓ 𝑥 𝑘 𝑝−1 +1 mod 𝑝 = 𝑥 mod 𝑝 For all prime 𝑝 and 𝑘≥0. October 11, 2016 Practical Aspects of Modern Cryptography

Finding Primes October 11, 2016 Practical Aspects of Modern Cryptography

Finding Primes Euclid’s proof of the infinity of primes October 11, 2016 Practical Aspects of Modern Cryptography

Finding Primes Euclid’s proof of the infinity of primes Suppose that the set of all primes were finite. October 11, 2016 Practical Aspects of Modern Cryptography

Finding Primes Euclid’s proof of the infinity of primes Suppose that the set of all primes were finite. Let 𝑁 be the product of all of the primes. October 11, 2016 Practical Aspects of Modern Cryptography

Finding Primes Euclid’s proof of the infinity of primes Suppose that the set of all primes were finite. Let 𝑁 be the product of all of the primes. Consider 𝑁+1. October 11, 2016 Practical Aspects of Modern Cryptography

Finding Primes Euclid’s proof of the infinity of primes Suppose that the set of all primes were finite. Let 𝑁 be the product of all of the primes. Consider 𝑁+1. Is 𝑁+1 prime or composite? October 11, 2016 Practical Aspects of Modern Cryptography

Finding Primes Euclid’s proof of the infinity of primes Suppose that the set of all primes were finite. Let 𝑁 be the product of all of the primes. Consider 𝑁+1. Is 𝑁+1 prime or composite? The prime factors of 𝑁+1 are not among the finite set of primes multiplied to form 𝑁. October 11, 2016 Practical Aspects of Modern Cryptography

Finding Primes Euclid’s proof of the infinity of primes Suppose that the set of all primes were finite. Let 𝑁 be the product of all of the primes. Consider 𝑁+1. Is 𝑁+1 prime or composite? The prime factors of 𝑁+1 are not among the finite set of primes multiplied to form 𝑁. So 𝑁 must be a prime not in the set. October 11, 2016 Practical Aspects of Modern Cryptography

Finding Primes Euclid’s proof of the infinity of primes Suppose that the set of all primes were finite. Let 𝑁 be the product of all of the primes. Consider 𝑁+1. Is 𝑁+1 prime or composite? The prime factors of 𝑁+1 are not among the finite set of primes multiplied to form 𝑁. So 𝑁 must be a prime not in the set. This contradicts the assumption that the set of all primes is finite. October 11, 2016 Practical Aspects of Modern Cryptography

The Prime Number Theorem October 11, 2016 Practical Aspects of Modern Cryptography

The Prime Number Theorem The number of primes less than 𝑁 is approximately 𝑁 ( ln 𝑁 ) . October 11, 2016 Practical Aspects of Modern Cryptography

The Prime Number Theorem The number of primes less than 𝑁 is approximately 𝑁 ( ln 𝑁 ) . Thus, approximately 1 out of every 𝑛 randomly selected 𝑛-bit integers will be prime. October 11, 2016 Practical Aspects of Modern Cryptography

But How Do We Find Primes? October 11, 2016 Practical Aspects of Modern Cryptography

Testing Primality October 11, 2016 Practical Aspects of Modern Cryptography

Testing Primality Recall Fermat’s Little Theorem If 𝑝 is prime, then 𝑎 𝑝−1 mod 𝑝=1 for all 𝑎 in the range 0<𝑎<𝑝. October 11, 2016 Practical Aspects of Modern Cryptography

Testing Primality Recall Fermat’s Little Theorem If 𝑝 is prime, then 𝑎 𝑝−1 mod 𝑝=1 for all 𝑎 in the range 0<𝑎<𝑝. Fact For almost all composite 𝑝 and 𝑎>1, 𝑎 𝑝−1 mod 𝑝≠1. October 11, 2016 Practical Aspects of Modern Cryptography

The Miller-Rabin Primality Test October 11, 2016 Practical Aspects of Modern Cryptography

The Miller-Rabin Primality Test To test an integer 𝑁 for primality, write 𝑁–1 as 𝑁–1=𝑚2𝑘 where 𝑚 is odd. October 11, 2016 Practical Aspects of Modern Cryptography

The Miller-Rabin Primality Test To test an integer 𝑁 for primality, write 𝑁–1 as 𝑁–1=𝑚2𝑘 where 𝑚 is odd. Repeat several (many) times October 11, 2016 Practical Aspects of Modern Cryptography

The Miller-Rabin Primality Test To test an integer 𝑁 for primality, write 𝑁–1 as 𝑁–1=𝑚2𝑘 where 𝑚 is odd. Repeat several (many) times Select a random 𝑎 in 1<𝑎<𝑁–1 October 11, 2016 Practical Aspects of Modern Cryptography

The Miller-Rabin Primality Test To test an integer 𝑁 for primality, write 𝑁–1 as 𝑁–1=𝑚2𝑘 where 𝑚 is odd. Repeat several (many) times Select a random 𝑎 in 1<𝑎<𝑁–1 Compute 𝑎 𝑚 , 𝑎 2𝑚 , 𝑎 4𝑚 , …, 𝑎 (𝑁−1) 2 all mod 𝑁. October 11, 2016 Practical Aspects of Modern Cryptography

The Miller-Rabin Primality Test To test an integer 𝑁 for primality, write 𝑁–1 as 𝑁–1=𝑚2𝑘 where 𝑚 is odd. Repeat several (many) times Select a random 𝑎 in 1<𝑎<𝑁–1 Compute 𝑎 𝑚 , 𝑎 2𝑚 , 𝑎 4𝑚 , …, 𝑎 (𝑁−1) 2 all mod 𝑁. If 𝑎 𝑚 =±1 or if some 𝑎 2 𝑖 𝑚 =−1, then 𝑁 is probably prime – continue. October 11, 2016 Practical Aspects of Modern Cryptography

The Miller-Rabin Primality Test To test an integer 𝑁 for primality, write 𝑁–1 as 𝑁–1=𝑚2𝑘 where 𝑚 is odd. Repeat several (many) times Select a random 𝑎 in 1<𝑎<𝑁–1 Compute 𝑎 𝑚 , 𝑎 2𝑚 , 𝑎 4𝑚 , …, 𝑎 (𝑁−1) 2 all mod 𝑁. If 𝑎 𝑚 =±1 or if some 𝑎 2 𝑖 𝑚 =−1, then 𝑁 is probably prime – continue. Otherwise, 𝑁 is composite – stop. October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 2 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 2 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 2 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 2 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 2 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 2 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 2 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 2 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 2 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 2 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 2 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 2 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 2 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 2 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 3 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 3 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 3 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 3 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 3 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 3 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 3 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 3 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 3 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 3 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 5 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 5 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 5 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 5 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 5 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 5 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 5 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 5 October 11, 2016 Practical Aspects of Modern Cryptography

Sieving for Primes Sieving out multiples of 5 Pick a random starting point 𝑁. N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11 Sieving out multiples of 5 Only a few “good” candidate primes will survive. October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Set-Up October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Set-Up Use sieving to find large candidate primes. October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Set-Up Use sieving to find large candidate primes. Use Miller-Rabin on candidate primes to find two almost certainly prime integers 𝑃 and 𝑄. October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Set-Up Use sieving to find large candidate primes. Use Miller-Rabin on candidate primes to find two almost certainly prime integers 𝑃 and 𝑄. Form public modulus 𝑁=𝑃𝑄. October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Set-Up Use sieving to find large candidate primes. Use Miller-Rabin on candidate primes to find two almost certainly prime integers 𝑃 and 𝑄. Form public modulus 𝑁=𝑃𝑄. Select public exponent 𝑒 (usually 𝑒=65537). October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Set-Up Use sieving to find large candidate primes. Use Miller-Rabin on candidate primes to find two almost certainly prime integers 𝑃 and 𝑄. Form public modulus 𝑁=𝑃𝑄. Select public exponent 𝑒 (usually 𝑒=65537). Use extended Euclidean algorithm to compute private exponent 𝑑= 𝑒 −1 mod (𝑃−1)(𝑄−1). October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Set-Up Use sieving to find large candidate primes. Use Miller-Rabin on candidate primes to find two almost certainly prime integers 𝑃 and 𝑄. Form public modulus 𝑁=𝑃𝑄. Select public exponent 𝑒 (usually 𝑒=65537). Use extended Euclidean algorithm to compute private exponent 𝑑= 𝑒 −1 mod (𝑃−1)(𝑄−1). Publish public key 𝑁 (and 𝑒). October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Encryption October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Encryption Use public key to encrypt message 0≤𝑚<𝑁 as October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Encryption Use public key to encrypt message 0≤𝑚<𝑁 as 𝐸 𝑚 = 𝑚 𝑒 mod 𝑁. October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Encryption Use public key to encrypt message 0≤𝑚<𝑁 as 𝐸 𝑚 = 𝑚 𝑒 mod 𝑁. Use private decryption exponent 𝑑 to decrypt October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Encryption Use public key to encrypt message 0≤𝑚<𝑁 as 𝐸 𝑚 = 𝑚 𝑒 mod 𝑁. Use private decryption exponent 𝑑 to decrypt 𝐷 𝐸 𝑚 = (𝑚 𝑒 mod 𝑁 ) 𝑑 mod 𝑁 October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Encryption Use public key to encrypt message 0≤𝑚<𝑁 as 𝐸 𝑚 = 𝑚 𝑒 mod 𝑁. Use private decryption exponent 𝑑 to decrypt 𝐷 𝐸 𝑚 = (𝑚 𝑒 mod 𝑁 ) 𝑑 mod 𝑁 = 𝑚 𝑒𝑑 mod 𝑁 October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Encryption Use public key to encrypt message 0≤𝑚<𝑁 as 𝐸 𝑚 = 𝑚 𝑒 mod 𝑁. Use private decryption exponent 𝑑 to decrypt 𝐷 𝐸 𝑚 = (𝑚 𝑒 mod 𝑁 ) 𝑑 mod 𝑁 = 𝑚 𝑒𝑑 mod 𝑁 =𝑚 October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Signatures October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Signatures Use private decryption exponent 𝑑 to sign message 0≤𝑚<𝑁 as October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Signatures Use private decryption exponent 𝑑 to sign message 0≤𝑚<𝑁 as 𝐷 𝑚 = 𝑚 𝑑 mod 𝑁. October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Signatures Use private decryption exponent 𝑑 to sign message 0≤𝑚<𝑁 as 𝐷 𝑚 = 𝑚 𝑑 mod 𝑁. Verify signature by using public key to compute October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Signatures Use private decryption exponent 𝑑 to sign message 0≤𝑚<𝑁 as 𝐷 𝑚 = 𝑚 𝑑 mod 𝑁. Verify signature by using public key to compute 𝐸 𝐷 𝑚 = (𝑚 𝑑 mod 𝑁 ) 𝑒 mod 𝑁 October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Signatures Use private decryption exponent 𝑑 to sign message 0≤𝑚<𝑁 as 𝐷 𝑚 = 𝑚 𝑑 mod 𝑁. Verify signature by using public key to compute 𝐸 𝐷 𝑚 = (𝑚 𝑑 mod 𝑁 ) 𝑒 mod 𝑁 = 𝑚 𝑑𝑒 mod 𝑁 October 11, 2016 Practical Aspects of Modern Cryptography

Reprise of RSA Signatures Use private decryption exponent 𝑑 to sign message 0≤𝑚<𝑁 as 𝐷 𝑚 = 𝑚 𝑑 mod 𝑁. Verify signature by using public key to compute 𝐸 𝐷 𝑚 = (𝑚 𝑑 mod 𝑁 ) 𝑒 mod 𝑁 = 𝑚 𝑑𝑒 mod 𝑁 =𝑚 October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm In 1991, the National Institute of Standards and Technology published a Digital Signature Standard that was intended as an option free of intellectual property constraints. October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm DSA uses the following parameters Prime 𝑝 – anywhere from 512 to 1024 bits Prime 𝑞 – 160 bits such that 𝑞 divides 𝑝−1 Integer ℎ in the range 1<ℎ<𝑝−1 Integer 𝑔= ℎ (𝑝−1) 𝑞 mod 𝑝 Secret integer 𝑥 in the range 1<𝑥<𝑞 Integer 𝑦= 𝑔 𝑥 mod 𝑝 October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm To sign a 160-bit message 𝑀, October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm To sign a 160-bit message 𝑀, Generate a random integer 𝑘 with 0<𝑘<𝑞, October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm To sign a 160-bit message 𝑀, Generate a random integer 𝑘 with 0<𝑘<𝑞, Compute 𝑟 = ( 𝑔 𝑘 mod 𝑝) mod 𝑞, October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm To sign a 160-bit message 𝑀, Generate a random integer 𝑘 with 0<𝑘<𝑞, Compute 𝑟 = ( 𝑔 𝑘 mod 𝑝) mod 𝑞, Compute 𝑠 = ((𝑀+𝑥𝑟)/𝑘) mod 𝑞. October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm To sign a 160-bit message 𝑀, Generate a random integer 𝑘 with 0<𝑘<𝑞, Compute 𝑟 = ( 𝑔 𝑘 mod 𝑝) mod 𝑞, Compute 𝑠 = ((𝑀+𝑥𝑟)/𝑘) mod 𝑞. The pair (𝑟,𝑠) is the signature on 𝑀. October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm A signature (𝑟,𝑠) on 𝑀 is verified as follows: October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm A signature (𝑟,𝑠) on 𝑀 is verified as follows: Compute 𝑤 = 1/𝑠 𝑚𝑜𝑑 𝑞, October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm A signature (𝑟,𝑠) on 𝑀 is verified as follows: Compute 𝑤 = 1/𝑠 𝑚𝑜𝑑 𝑞, Compute 𝑎 = 𝑤𝑀 𝑚𝑜𝑑 𝑞, October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm A signature (𝑟,𝑠) on 𝑀 is verified as follows: Compute 𝑤 = 1/𝑠 𝑚𝑜𝑑 𝑞, Compute 𝑎 = 𝑤𝑀 𝑚𝑜𝑑 𝑞, Compute 𝑏 = 𝑤𝑟 𝑚𝑜𝑑 𝑞, October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm A signature (𝑟,𝑠) on 𝑀 is verified as follows: Compute 𝑤 = 1/𝑠 𝑚𝑜𝑑 𝑞, Compute 𝑎 = 𝑤𝑀 𝑚𝑜𝑑 𝑞, Compute 𝑏 = 𝑤𝑟 𝑚𝑜𝑑 𝑞, Compute 𝑣 = ( 𝑔 𝑎 𝑦 𝑏 mod 𝑝) mod 𝑞. October 11, 2016 Practical Aspects of Modern Cryptography

The Digital Signature Algorithm A signature (𝑟,𝑠) on 𝑀 is verified as follows: Compute 𝑤 = 1/𝑠 𝑚𝑜𝑑 𝑞, Compute 𝑎 = 𝑤𝑀 𝑚𝑜𝑑 𝑞, Compute 𝑏 = 𝑤𝑟 𝑚𝑜𝑑 𝑞, Compute 𝑣 = ( 𝑔 𝑎 𝑦 𝑏 mod 𝑝) mod 𝑞. Accept the signature only if 𝑣 = 𝑟. October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Curve Cryptosystems October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Curve Cryptosystems An elliptic curve October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Curve Cryptosystems An elliptic curve 𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Curves October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Curves October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Curves y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Curves y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Curves y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Curves y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Curves y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Curves y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Curves y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Curves y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Curves y x October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Curves Intersecting Lines 𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 y x 𝑦=𝑎𝑥+𝑏 October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Curves Intersecting Lines Non-vertical Lines 𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 𝑦=𝑎𝑥+𝑏 𝑎𝑥+𝑏 2 = 𝑥 3 +𝐴𝑥+𝐵 𝑥 3 + 𝐴 ′ 𝑥 2 + 𝐵 ′ 𝑥+ 𝐶 ′ =0 October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Curves Intersecting Lines 𝑥 3 + 𝐴 ′ 𝑥 2 + 𝐵 ′ 𝑥+ 𝐶 ′ =0 y x October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Curves Intersecting Lines 𝑥 3 + 𝐴 ′ 𝑥 2 + 𝐵 ′ 𝑥+ 𝐶 ′ =0 y x 3 solutions October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Curves Intersecting Lines 𝑥 3 + 𝐴 ′ 𝑥 2 + 𝐵 ′ 𝑥+ 𝐶 ′ =0 y x 1 solution October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Curves Intersecting Lines 𝑥 3 + 𝐴 ′ 𝑥 2 + 𝐵 ′ 𝑥+ 𝐶 ′ =0 y x 1 solution October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Curves Intersecting Lines 𝑥 3 + 𝐴 ′ 𝑥 2 + 𝐵 ′ 𝑥+ 𝐶 ′ =0 y x 2 solutions October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Curves Intersecting Lines Non-vertical Lines 1 intersection point (typical case) 2 intersection points (tangent case) 3 intersection points (typical case) October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Curves Intersecting Lines Vertical Lines 𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 𝑥=𝑐 𝑦 2 = 𝑐 3 +𝐴𝑐+𝐵 𝑦 2 = 𝐶 ′ October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Curves Intersecting Lines Vertical Lines 0 intersection point (typical case) 1 intersection points (tangent case) 2 intersection points (typical case) October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Groups y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Groups y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Groups 𝑦=𝑎𝑥+𝑏 y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Groups 𝑦=𝑎𝑥+𝑏 y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Groups 𝑦=𝑎𝑥+𝑏 y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Groups 𝑦=𝑎𝑥+𝑏 y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Groups y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Groups 𝑦=𝑎𝑥+𝑏 y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Groups 𝑦=𝑎𝑥+𝑏 y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Groups y x October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Groups 𝑥=𝑐 y x October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Groups Add an “artificial” point 𝐼 to handle the vertical line case. This point 𝐼 also serves as the group identity value. October 11, 2016 Practical Aspects of Modern Cryptography

𝑦 2 = 𝑥 3 +𝐴𝑥+𝐵 Elliptic Groups 𝑥=𝑐 y x October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Groups 𝑥 1 , 𝑦 1 ×( 𝑥 2 , 𝑦 2 )=( 𝑥 3 , 𝑦 3 ) 𝑥 1 , 𝑦 1 ×( 𝑥 2 , 𝑦 2 )=( 𝑥 3 , 𝑦 3 ) 𝑥 3 = 𝑦 2 – 𝑦 1 𝑥 2 – 𝑥 1 2 – 𝑥 1 – 𝑥 2 𝑦3= −𝑦 1 + 𝑦 2 – 𝑦 1 𝑥 2 – 𝑥 1 ( 𝑥 1 – 𝑥 3 ) when 𝑥 1 ≠ 𝑥 2 October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Groups 𝑥 1 , 𝑦 1 ×( 𝑥 2 , 𝑦 2 )=( 𝑥 3 , 𝑦 3 ) 𝑥 1 , 𝑦 1 ×( 𝑥 2 , 𝑦 2 )=( 𝑥 3 , 𝑦 3 ) 𝑥 3 = 3 𝑥 1 2 +𝐴 2𝑦1 2 –2 𝑥 1 𝑦3=− 𝑦 1 + 3 𝑥 1 2 +𝐴 2 𝑦 1 ( 𝑥 1 – 𝑥 3 ) when 𝑥 1 = 𝑥 2 and 𝑦 1 = 𝑦 2 ≠0 October 11, 2016 Practical Aspects of Modern Cryptography

Elliptic Groups 𝑥 1 , 𝑦 1 ×( 𝑥 2 , 𝑦 2 )=𝐼 when 𝑥 1 = 𝑥 2 𝑥 1 , 𝑦 1 ×( 𝑥 2 , 𝑦 2 )=𝐼 when 𝑥 1 = 𝑥 2 but 𝑦 1 ≠𝑦2 or 𝑦 1 = 𝑦 2 =0 𝑥 1 , 𝑦 1 ×𝐼= 𝑥 1 , 𝑦 1 =𝐼×( 𝑥 1 , 𝑦 1 ) 𝐼×𝐼=𝐼 October 11, 2016 Practical Aspects of Modern Cryptography

Finite Elliptic Groups October 11, 2016 Practical Aspects of Modern Cryptography

Finite Elliptic Groups The equations use basic arithmetic operations (addition, subtraction, multiplication, and division) on real values. October 11, 2016 Practical Aspects of Modern Cryptography

Finite Elliptic Groups The equations use basic arithmetic operations (addition, subtraction, multiplication, and division) on real values. But we know how to do modular operations, so we can do the same computations modulo a prime 𝑝. October 11, 2016 Practical Aspects of Modern Cryptography

The Elliptic Group 𝐸 𝑝 (𝐴,𝐵) 𝑥 1 , 𝑦 1 ×( 𝑥 2 , 𝑦 2 )=( 𝑥 3 , 𝑦 3 ) 𝑥 3 = 𝑦 2 – 𝑦 1 𝑥 2 – 𝑥 1 2 – 𝑥 1 – 𝑥 2 𝑦3= −𝑦 1 + 𝑦 2 – 𝑦 1 𝑥 2 – 𝑥 1 ( 𝑥 1 – 𝑥 3 ) when 𝑥 1 ≠ 𝑥 2 October 11, 2016 Practical Aspects of Modern Cryptography

The Elliptic Group 𝐸 𝑝 (𝐴,𝐵) 𝑥 1 , 𝑦 1 ×( 𝑥 2 , 𝑦 2 )=( 𝑥 3 , 𝑦 3 ) 𝑥 3 = 𝑦 2 – 𝑦 1 𝑥 2 – 𝑥 1 2 – 𝑥 1 – 𝑥 2 mod 𝑝 𝑦3= −𝑦 1 + 𝑦 2 – 𝑦 1 𝑥 2 – 𝑥 1 𝑥 1 – 𝑥 3 mod 𝑝 when 𝑥 1 ≠ 𝑥 2 October 11, 2016 Practical Aspects of Modern Cryptography

The Elliptic Group 𝐸 𝑝 (𝐴,𝐵) 𝑥 1 , 𝑦 1 ×( 𝑥 2 , 𝑦 2 )=( 𝑥 3 , 𝑦 3 ) 𝑥 3 = 3 𝑥 1 2 +𝐴 2𝑦1 2 –2 𝑥 1 𝑦3=− 𝑦 1 + 3 𝑥 1 2 +𝐴 2 𝑦 1 ( 𝑥 1 – 𝑥 3 ) when 𝑥 1 = 𝑥 2 and 𝑦 1 = 𝑦 2 ≠0 October 11, 2016 Practical Aspects of Modern Cryptography

The Elliptic Group 𝐸 𝑝 (𝐴,𝐵) 𝑥 1 , 𝑦 1 ×( 𝑥 2 , 𝑦 2 )=( 𝑥 3 , 𝑦 3 ) 𝑥 3 = 3 𝑥 1 2 +𝐴 2𝑦1 2 –2 𝑥 1 mod 𝑝 𝑦3=− 𝑦 1 + 3 𝑥 1 2 +𝐴 2 𝑦 1 𝑥 1 – 𝑥 3 mod 𝑝 when 𝑥 1 = 𝑥 2 and 𝑦 1 = 𝑦 2 ≠0 October 11, 2016 Practical Aspects of Modern Cryptography

The Elliptic Group 𝐸 𝑝 (𝐴,𝐵) 𝑥 1 , 𝑦 1 ×( 𝑥 2 , 𝑦 2 )=𝐼 when 𝑥 1 = 𝑥 2 but 𝑦 1 ≠𝑦2 or 𝑦 1 = 𝑦 2 =0 𝑥 1 , 𝑦 1 ×𝐼= 𝑥 1 , 𝑦 1 =𝐼×( 𝑥 1 , 𝑦 1 ) 𝐼×𝐼=𝐼 October 11, 2016 Practical Aspects of Modern Cryptography

The Fundamental Equation 𝑍= 𝑌 𝑋 mod 𝑁 𝑝 October 11, 2016 Practical Aspects of Modern Cryptography

The Fundamental Equation 𝑍= 𝑌 𝑋 in 𝐸 𝑝 (𝐴,𝐵) October 11, 2016 Practical Aspects of Modern Cryptography

The Fundamental Equation 𝑍= 𝑌 𝑋 in 𝐸 𝑝 (𝐴,𝐵) When 𝑍 is unknown, it can be efficiently computed by repeated squaring. October 11, 2016 Practical Aspects of Modern Cryptography

The Fundamental Equation 𝑍= 𝑌 𝑋 in 𝐸 𝑝 (𝐴,𝐵) When 𝑋 is unknown, this version of the discrete logarithm is believed to be quite hard to solve. October 11, 2016 Practical Aspects of Modern Cryptography

The Fundamental Equation 𝑍= 𝑌 𝑋 in 𝐸 𝑝 (𝐴,𝐵) When 𝑌 is unknown, it can be efficiently computed by “sophisticated” means. October 11, 2016 Practical Aspects of Modern Cryptography

Diffie-Hellman Key Exchange Alice Randomly select a large integer 𝑎. Send 𝐴= 𝑌 𝑎 mod 𝑁. Compute the key 𝐾= 𝐵 𝑎 mod 𝑁. Bob Randomly select a large integer 𝑏. Send 𝐵= 𝑌 𝑏 mod 𝑁. Compute the key 𝐾= 𝐴 𝑏 mod 𝑁. 𝐵 𝑎 = 𝑌 𝑏𝑎 = 𝑌 𝑎𝑏 = 𝐴 𝑏 October 11, 2016 Practical Aspects of Modern Cryptography

Diffie-Hellman Key Exchange Alice Randomly select a large integer 𝑎. Send 𝐴= 𝑌 𝑎 in 𝐸 𝑝 (𝐴,𝐵). Compute the key 𝐾= 𝐵 𝑎 in 𝐸 𝑝 (𝐴,𝐵). Bob Randomly select a large integer 𝑏. Send 𝐵= 𝑌 𝑏 in 𝐸 𝑝 (𝐴,𝐵). Compute the key 𝐾= 𝐴 𝑏 in 𝐸 𝑝 (𝐴,𝐵). 𝐵 𝑎 = 𝑌 𝑏𝑎 = 𝑌 𝑎𝑏 = 𝐴 𝑏 October 11, 2016 Practical Aspects of Modern Cryptography

DSA on Elliptic Curves October 11, 2016 Practical Aspects of Modern Cryptography

DSA on Elliptic Curves Almost identical to DSA over the integers. October 11, 2016 Practical Aspects of Modern Cryptography

DSA on Elliptic Curves Almost identical to DSA over the integers. Replace operations mod 𝑝 and 𝑞 with operations in 𝐸 𝑝 (𝐴,𝐵) and 𝐸 𝑞 (𝐴,𝐵). October 11, 2016 Practical Aspects of Modern Cryptography

Why use Elliptic Curves? October 11, 2016 Practical Aspects of Modern Cryptography

Why use Elliptic Curves? The best currently known algorithm for EC discrete logarithms would take about as long to find a 256-bit EC discrete log as the best currently known algorithm for integer discrete logarithms would take to find a 3072-bit discrete log. October 11, 2016 Practical Aspects of Modern Cryptography

Why use Elliptic Curves? The best currently known algorithm for EC discrete logarithms would take about as long to find a 256-bit EC discrete log as the best currently known algorithm for integer discrete logarithms would take to find a 3072-bit discrete log. 256-bit EC algorithms are somewhat faster and use shorter keys than 3072-bit “traditional” algorithms. October 11, 2016 Practical Aspects of Modern Cryptography

Why not use Elliptic Curves? October 11, 2016 Practical Aspects of Modern Cryptography

Why not use Elliptic Curves? EC discrete logarithms have been studied far less than integer discrete logarithms. October 11, 2016 Practical Aspects of Modern Cryptography

Why not use Elliptic Curves? EC discrete logarithms have been studied far less than integer discrete logarithms. It is likely that a fundamental break in integer discrete logs would also yield a fundamental break in EC discrete logs, although the reverse may not be true. October 11, 2016 Practical Aspects of Modern Cryptography

Why not use Elliptic Curves? EC discrete logarithms have been studied far less than integer discrete logarithms. It is likely that a fundamental break in integer discrete logs would also yield a fundamental break in EC discrete logs, although the reverse may not be true. Basic EC operations are more cumbersome than integer operations, so EC is only faster if the keys are much smaller. October 11, 2016 Practical Aspects of Modern Cryptography