Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University of Washington

Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone

What Is a Cryptosystem? A Sender B Receiver Cryptanalyst (bad guy) C = E AB (M)M = D AB (C)M M C K AB MessageEncryptionKey PlaintextCyphertext Cleartext K AB

What Is a Public Key Cryptosystem? A Sender B Receiver Cryptanalyst (bad guy) C = E AB (M)M = D AB (C)M M C K B E B MessageEncryption Private Key Public Key PlaintextCyphertext Cleartext K AB

The RSA Public Key Cryptosystem v Invented by Rivest, Shamir, and Adleman in v Has proven resistant to cryptanalytic attacks.

Receiver’s Set-Up v Choose 500-digit primes p and q, with p  2 (mod 3) and q  2 (mod 3) p = 5, q = 11 v Let n = pq. n = 55 v Let s = (1/3) (2(p - 1)(q - 1) + 1). s = (1/3) (2  4  ) = 27 v Publish n. Keep p, q, and s secret.

Note on the Version Presented Here v I have simplified RSA to make it clearer. v The version presented here is not considered secure, because of the small exponent 3 used in encryption. See survey.pdf, Section 4.2, first two paragraphs for an explanation of the vulnerability of small exponents. survey.pdf v See Rosen’s textbook for the secure version of RSA. v Thanks to Dimitrios Gklezakos for pointing out this vulnerability to me.

Encrypting a Message v Break the message into chunks. H I C H R I S … v Translate each chunk into an integer M (0 < M < n) by any convenient method … v Let E(M) = M 3 mod n. M = 8, n = = 512 = 9× E(8) = 17

Decrypting a Cyphertext C v Let D(C) = C s mod n. C = 17, n = 55, s = = 1,667,711,322,168,688,287,513,535,727,415,473 = 30,322,024,039,430,696,136,609,740,498,463 × D(17) = 8 v Translate D(C) into letters. H

Decrypting a Cyphertext C Efficiently v C = 17, n = 55, s =  289  14 (mod 55) 17 4  17 2  17 2  14  14  196  31 (mod 55) 17 8  17 4  17 4  31  31  961  26 (mod 55)  17 8  17 8  26  26  676  16 (mod 55)   17 8  17 2  17 1  16  26  14  17  416  14  17  31  14  17  434  17  (-6)  17  -102  8 (mod 55) D(17) = 8

Why Does It Work? Euler’s Theorem (1736): Suppose v p and q are distinct primes, v n = pq, v 0 < M < n, and v k > 0. Then M k(p-1)(q-1)+1 mod n = M. (M 3 ) s = (M 3 ) (1/3)(2(p-1)(q-1)+1) = M 2(p-1)(q-1)+1  M (mod n)

Leonhard Euler

Why Is It Secure? v To find M = D(C), you seem to need s. v To find s, you seem to need p and q. v All the cryptanalyst has is n = pq. v How hard is it to factor a 1000-digit number n? With the grade school method, doing 1,000,000,000,000 steps per second it would take … years.

State of the Art in Factoring v 1977: Inventors encrypt a challenge using “RSA129,” a 129-digit number n = pq. v 1981: Pomerance invents Quadratic Sieve factoring method. v 1994: Using Quadratic Sieve, RSA129 is factored over 8 months using 1000 computers on the Internet around the world. v 1999: Using Number Field Sieve, RSA140 is factored over one month using 200 computers, about 8.9 CPU-years. v 2009: Using Number Field Sieve, RSA-768, a 232- digit number, is factored over two years using hundreds of machines, about 1500 CPU-years.

Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone

Signed Messages v How A sends a secret message to B A B C = E B (M) M = D B (C) v How A sends a signed message to B A B C = D A (M) M = E A (C) C C

Signed and Secret Messages v How A sends a secret message to B... A B C = E B (M) M = D B (C) v How A sends a signed secret message to B... A B C = E B (D A (M)) M = E A (D B (C)) C C

Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone

Flipping a Coin Over the Phone y “even” “odd” x