Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

Published byLambert Mills Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena."— Presentation transcript:

1 Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena

2 Course Administration HW1 due tomorrow at 11am HW1 solution will be posted very soon We will starting to grade it very soon No class next Tues (Feb 12) – I am at this conference, off campus: http://thecenter.uab.edu/save-the-date/ http://thecenter.uab.edu/save-the-date/ – Please utilize this time to prepare for HW2 Lecture 3.4: Public Key Cryptography IV

3 Outline of Today’s Lecture Discrete Logarithm System El Gamal Encryption Digital Signatures Lecture 3.4: Public Key Cryptography IV

4 Discrete Logarithm Assumption Work with a cyclic group G with generator g Let |G| = m G = {g 0, g 1, g 2,…,g m-1 } Given any y = g x in G (where x belongs to Z m ), g and and m, it is not possible to compute x This is known as the DL assumption Of course, x should be fairly large – at least 160-bits in length This suggests that one can possibly use x as the secret key, and y (and other parameters) as the public key

5 El Gamal Encryption -- KeyGen p, q primes such that q|p-1 g is an element of order q and generates a group G q of order q – g = g ’(p-1)/q (were g’ is the generator of Z p *) x in Z q, y = g x mod p DL assumption -- given (p, q, g, y), it is computationally hard to compute x – No polynomial time algorithm known – p should be 1024-bits and q be 160-bits x becomes the private key and y becomes the public key

6 ElGamal Encryption/Decryption Encryption (of m in G q ): – Choose random r in Z q – k = g r mod p – c = my r mod p – Output (k,c) Decryption of (k,c) – M = ck -x mod p Secure under (a variant of) the discrete logarithm assumption Lecture 3.4: Public Key Cryptography IV

7 ElGamal Example: dummy Let’s construct an example KeyGen: – p = 11, q = 2 or 5; let’s say q = 5 – g’ = 2 is a generator of Z 11 * – g = 2 2 = 4 – x = 2; y = 4 2 mod 11 = 5 Enc(3): – r = 4  k = 4 4 mod 11 = 3 – c = 3*5 4 mod 11 = 5 Dec(3,5): – m = 5*3 -2 mod 11 = 3 Lecture 3.4: Public Key Cryptography IV

8 El Gamal Security Secure against CPA attacks assuming that discrete logarithm is hard Not secure against CCA attacks; why? – It is possible to massage the ciphertext in a meaningful way – Given a ciphertext (k, c), compute k’ = kg r’ and c’ = cy r’ (r’ is picked by the adversary) – Query the decryption oracle on (k’,c’); it decrypts and returns the response -- m Lecture 3.4: Public Key Cryptography IV

9 CCA Security Like in the case of symmetric key encryption, we can derive CCA secure encryption using CPA secure encryption Just prevent any massaging of the ciphertext Integrity protection mechanism is needed – But, now a public-key based mechanism is needed Digital signatures -- next Lecture 3.4: Public Key Cryptography IV

10 Digital Signatures Message Integrity – Detect if message is tampered with while in the transit Source/Sender Authentication – No forgery possible Non-repudiation – If I sign something, I can not deny later – A trusted third party (court) can resolve dispute Many applications – signed email, e-contracts, e-transactions…

11 Public Key Signatures Signer has public key, private key pair Signer signs using its private key Verifier verifies using public key of the signer Lecture 3.4: Public Key Cryptography IV

12 Security Notion/Model for Signatures Existential Forgery under (adaptively) chosen message attack (CMA) – Adversary (adaptively) chooses messages m i of its choice – Obtains the signature s i on each m i – Outputs any message m (≠ mi) and a signature s on m Lecture 3.4: Public Key Cryptography IV

13 RSA Signatures Key Generation: same as in encryption Sign(m): s = m d mod N Verify(m,s): (s e == m mod N) The above text-book version is insecure; why? In practice, we use a randomized version of RSA (implemented in PKCS#1) – Hash the message and then sign the hash Lecture 3.4: Public Key Cryptography IV

14 Digital Signature Standard (DSS) Adopted as standard in 1994 Security based on hardness of the discrete logarithm problem Lecture 3.4: Public Key Cryptography IV

15 DSS – KeyGen; Signing; Verification KeyGen: the same way as El Gamal – p, q primes such that q|p-1 – g is an element of order q and generates a group G q of order q g = g ’(p-1)/q (were g’ is the generator of Z p *) – x in Z q, y = g x mod p Sign: – Pick random r from Z* q – k = (g r mod p) mod q; c = (m + xk)r -1 mod q – Output (k,c) and also the message m Verify: k c == g m.y k mod p Lecture 3.4: Public Key Cryptography IV

16 DSS Example Refer to 11.57 of HAC Lecture 3.4: Public Key Cryptography IV

17 Some Questions I encrypt m with Alice’s ElGamal PK, I get c – I encrypt m again, I get --? – What does this mean? Is RSA-OAEP CCA secure? Is El Gamal CCA secure? Lecture 3.4: Public Key Cryptography IV

18 Further Reading Stalling Chapter 10 HAC Chapter 8 and Chapter 11 Lecture 3.4: Public Key Cryptography IV

Download ppt "Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena."

Similar presentations

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lecture 2.1: Private Key Cryptography -- I CS 436/636/736 Spring 2013 Nitesh Saxena.

Lecture 2.1: Private Key Cryptography -- I CS 436/636/736 Spring 2013 Nitesh Saxena.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
7. Asymmetric encryption-

7. Asymmetric encryption-
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,

Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Chapter 3 Encryption Algorithms & Systems (Part C)

Chapter 3 Encryption Algorithms & Systems (Part C)
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.

Similar presentations

Ads by Google