Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical Aspects of Modern Cryptography

Published byEsa Auvinen Modified over 5 years ago

Similar presentations

Presentation on theme: "Practical Aspects of Modern Cryptography"— Presentation transcript:

1 Practical Aspects of Modern Cryptography
Josh Benaloh & Brian LaMacchia

2 Lecture 8: EKE, DSA, Elliptic Curves, and Primality Testing

3 Encrypted Key Exchange
We know how Alice and Bob can communicate securely if they share a strong (128-bit) private key or if one has a public key known to the other. Suppose that Alice and Bob share only a short (potentially searchable) password. Rather than using just this weak password, Alice and Bob can use this weak password to bootstrap a strong key. Practical Aspects of Modern Cryptography February 26, 2002

4 Encrypted Key Exchange
Alice and Bob share weak password P. Let C be a symmetric cipher agreed upon by Alice and Bob. Alice begins by generating a public/private key pair (E,D). Alice sends Bob CP(E). Bob generates a random symmetric key K and sends Alice CP(E(K)). Practical Aspects of Modern Cryptography February 26, 2002

5 Encrypted Key Exchange
Alice and Bob can then demonstrate to each other their knowledge of K as an authentication step. Alice generates a random nonce A and sends CK(A) to Bob. Bob generates a random nonce B and sends CK(A,B) to Alice. Alice sends CK(B) to Bob. Practical Aspects of Modern Cryptography February 26, 2002

6 The Digital Signature Algorithm
In 1991, the National Institute of Standards and Technology published a Digital Signature Standard that was intended as an option free of intellectual property constraints. Practical Aspects of Modern Cryptography February 26, 2002

7 The Digital Signature Algorithm
DSA uses the following parameters Prime p – anywhere from 512 to 1024 bits Prime q – 160 bits such that q divides p-1 Integer h in the range 1 < h < p-1 Integer g = h(p-1)/q mod p Secret integer x in the range 1 < x < q Integer y = gx mod p Practical Aspects of Modern Cryptography February 26, 2002

8 The Digital Signature Algorithm
To sign a 160-bit message M, Generate a random integer k with 0 < k < q, Compute r = (gk mod p) mod q, Compute s = ((M+xr)/k) mod q. The pair (r,s) is the signature on M. Practical Aspects of Modern Cryptography February 26, 2002

9 The Digital Signature Algorithm
A signature (r,s) on M is verified as follows: Compute w = 1/s mod q, Compute a = wM mod q, Compute b = wr mod q, Compute v = (gayb mod p) mod q. Accept the signature only if v = r. Practical Aspects of Modern Cryptography February 26, 2002

10 Elliptic Curve Cryptosystems
An elliptic curve y2 = x3 + Ax + B Practical Aspects of Modern Cryptography February 26, 2002

11 y2 = x3 + Ax + B Elliptic Curves
Practical Aspects of Modern Cryptography February 26, 2002

12 y = x3 + Ax + B Elliptic Curves
Practical Aspects of Modern Cryptography February 26, 2002

13 y = x3 + Ax + B Elliptic Curves y x
Practical Aspects of Modern Cryptography February 26, 2002

14 y2 = x3 + Ax + B Elliptic Curves y x
Practical Aspects of Modern Cryptography February 26, 2002

15 y2 = x3 + Ax + B Elliptic Curves y x
Practical Aspects of Modern Cryptography February 26, 2002

16 y2 = x3 + Ax + B Elliptic Curves y x
Practical Aspects of Modern Cryptography February 26, 2002

17 y2 = x3 + Ax + B Elliptic Curves y x
Practical Aspects of Modern Cryptography February 26, 2002

18 y2 = x3 + Ax + B Elliptic Curves y x
Practical Aspects of Modern Cryptography February 26, 2002

19 y2 = x3 + Ax + B Elliptic Curves y x
Practical Aspects of Modern Cryptography February 26, 2002

20 y2 = x3 + Ax + B Elliptic Curves y x
Practical Aspects of Modern Cryptography February 26, 2002

21 y2 = x3 + Ax + B Elliptic Curves y x
Practical Aspects of Modern Cryptography February 26, 2002

22 Elliptic Curves Intersecting Lines
y2 = x3 + Ax + B y x y = ax + b Practical Aspects of Modern Cryptography February 26, 2002

23 Elliptic Curves Intersecting Lines
Non-vertical Lines y2 = x3 + Ax + B y = ax + b (ax + b)2 = x3 + Ax + B x3 + Ax2 + Bx + C = 0 Practical Aspects of Modern Cryptography February 26, 2002

24 Elliptic Curves Intersecting Lines
x3 + Ax2 + Bx + C = 0 y x Practical Aspects of Modern Cryptography February 26, 2002

25 Elliptic Curves Intersecting Lines
Non-vertical Lines 1 intersection point (typical case) 2 intersection points (tangent case) 3 intersection points (typical case) Practical Aspects of Modern Cryptography February 26, 2002

26 Elliptic Curves Intersecting Lines
Vertical Lines y2 = x3 + Ax + B x = c y2 = c3 + Ac + B y2 = C Practical Aspects of Modern Cryptography February 26, 2002

27 Elliptic Curves Intersecting Lines
Vertical Lines 0 intersection point (typical case) 1 intersection points (tangent case) 2 intersection points (typical case) Practical Aspects of Modern Cryptography February 26, 2002

28 y2 = x3 + Ax + B Elliptic Groups y = ax + b y x
Practical Aspects of Modern Cryptography February 26, 2002

29 y2 = x3 + Ax + B Elliptic Groups y = ax + b y x
Practical Aspects of Modern Cryptography February 26, 2002

30 y2 = x3 + Ax + B Elliptic Groups y = ax + b y x
Practical Aspects of Modern Cryptography February 26, 2002

31 y2 = x3 + Ax + B Elliptic Groups x = c y x
Practical Aspects of Modern Cryptography February 26, 2002

32 Elliptic Groups Add an “artificial” point I to handle the vertical line case. This point I also serves as the group identity value. Practical Aspects of Modern Cryptography February 26, 2002

33 y2 = x3 + Ax + B Elliptic Groups x = c y x
Practical Aspects of Modern Cryptography February 26, 2002

34 Elliptic Groups (x1,y1)  (x2,y2) = (x3,y3)
x3 = ((y2-y1)/(x2-x1))2 - x1 - x2 y3 = -y1 + ((y2-y1)/(x2-x1)) (x1 - x3) when x1  x2 Practical Aspects of Modern Cryptography February 26, 2002

35 Elliptic Groups (x1,y1)  (x2,y2) = (x3,y3)
x3 = ((3x12+A)/(2y1))2 - 2x1 y3 = -y1 + ((3x12+A)/(2y1)) (x1 - x3) when x1 = x2 and y1 = y2  0 Practical Aspects of Modern Cryptography February 26, 2002

36 Elliptic Groups (x1,y1)  (x2,y2) = I
when x1= x2 but y1 y2 or y1= y2= 0 (x1,y1)  I = (x1,y1) = I  (x1,y1) I  I = I Practical Aspects of Modern Cryptography February 26, 2002

37 The Fundamental Equation
Z=YX mod N Practical Aspects of Modern Cryptography February 26, 2002

38 The Fundamental Equation
Z=YX in Ep(A,B) Practical Aspects of Modern Cryptography February 26, 2002

39 The Fundamental Equation
Z=YX in Ep(A,B) When Z is unknown, it can be efficiently computed by repeated squaring. Practical Aspects of Modern Cryptography February 26, 2002

40 The Fundamental Equation
Z=YX in Ep(A,B) When X is unknown, this version of the discrete logarithm is believed to be quite hard to solve. Practical Aspects of Modern Cryptography February 26, 2002

41 The Fundamental Equation
Z=YX in Ep(A,B) When Y is unknown, it can be efficiently computed by “sophisticated” means. Practical Aspects of Modern Cryptography February 26, 2002

42 Diffie-Hellman Key Exchange
Alice Randomly select a large integer a and send A = Ya mod N. Compute the key K = Ba mod N. Bob Randomly select a large integer b and send B = Yb mod N. Compute the key K = Ab mod N. Ba = Yba = Yab = Ab Practical Aspects of Modern Cryptography February 26, 2002

43 Diffie-Hellman Key Exchange
Alice Randomly select a large integer a and send A = Ya in Ep. Compute the key K = Ba in Ep. Bob Randomly select a large integer b and send B = Yb in Ep. Compute the key K = Ab in Ep. Ba = Yba = Yab = Ab Practical Aspects of Modern Cryptography February 26, 2002

44 DSA on Elliptic Curves Almost identical to DSA over the integers.
Replace operations mod p and q with operations in Ep and Eq. Practical Aspects of Modern Cryptography February 26, 2002

45 Why use Elliptic Curves?
The best currently known algorithm for EC discrete logarithms would take about as long to find a 160-bit EC discrete log as the best currently known algorithm for integer discrete logarithms would take to find a 1024-bit discrete log. 160-bit EC algorithms are somewhat faster and use shorter keys than 1024-bit “traditional” algorithms. Practical Aspects of Modern Cryptography February 26, 2002

46 Why not use Elliptic Curves?
EC discrete logarithms have been studied far less than integer discrete logarithms. Results have shown that a fundamental break in integer discrete logs would also yield a fundamental break in EC discrete logs, although the reverse may not be true. Basic EC operations are more cumbersome than integer operations, so EC is only faster if the keys are much smaller. Practical Aspects of Modern Cryptography February 26, 2002

47 Finding Primes Euclid’s proof of the infinity of primes
Suppose that the set of all primes were finite. Let N be the product of all of the primes. Consider N+1. The prime factors of N+1 are not among the finite set of primes multiplied to form N. This contradicts the assumption that the set of all primes is finite. Practical Aspects of Modern Cryptography February 26, 2002

48 The Prime Number Theorem
The number of primes less than N is approximately N/(ln N). Thus, approximately 1 out of every n randomly selected n-bit integers will be prime. Practical Aspects of Modern Cryptography February 26, 2002

49 Testing Primality Recall Fermat’s Little Theorem
If p is prime, then a(p-1) mod p = 1 for all a in the range 0 < a < p. Practical Aspects of Modern Cryptography February 26, 2002

50 The Miller-Rabin Primality Test
To test an integer N for primality, write N-1 as N-1 = m2k where m is odd. Repeat several (many) times Select a random a in 1 < a < N-1 Compute am, a2m, a4m, …, a(N-1)/2 all mod N. If am = ±1 or if some a2im = -1, then N is probably prime – continue. Otherwise, N is composite – stop. Practical Aspects of Modern Cryptography February 26, 2002

51 Sieving for Primes Pick a random starting point N.
Sieving out multiples of 5 3 2 Only a few “good” candidate primes will survive. Practical Aspects of Modern Cryptography February 26, 2002

Download ppt "Practical Aspects of Modern Cryptography"

Similar presentations

RSA.

RSA.
Public Key Cryptosystem

Public Key Cryptosystem
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Elliptic Curve Cryptography (ECC) Mustafa Demirhan Bhaskar Anepu Ajit Kunjal.

Elliptic Curve Cryptography (ECC) Mustafa Demirhan Bhaskar Anepu Ajit Kunjal.
Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.

Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.

Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.
CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CS470, A.SelcukPublic Key Cryptography1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukPublic Key Cryptography1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.

CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
CPE5021 Advanced Network Security --- Advanced Cryptography: Elliptic Curve Cryptography --- Lecture 3 CPE5021 Advanced Network Security --- Advanced Cryptography:

CPE5021 Advanced Network Security --- Advanced Cryptography: Elliptic Curve Cryptography --- Lecture 3 CPE5021 Advanced Network Security --- Advanced Cryptography:
C HAPTER 13 Asymmetric Key Cryptography Slides adapted from Foundations of Security: What Every Programmer Needs To Know by Neil Daswani, Christoph Kern,

C HAPTER 13 Asymmetric Key Cryptography Slides adapted from "Foundations of Security: What Every Programmer Needs To Know" by Neil Daswani, Christoph Kern,
Lecture 6: Public Key Cryptography

Lecture 6: Public Key Cryptography
The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.

The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.
CSE 321 Discrete Structures Winter 2008 Lecture 10 Number Theory: Primality.

CSE 321 Discrete Structures Winter 2008 Lecture 10 Number Theory: Primality.

Similar presentations

Ads by Google