Cryptography and Security Protocols
Paulo Mateus
MMA–MEIC
Program

Symmetric Cryptosystems
• Basic concepts: symmetric cryptosystem
• Historical systems: Caesar, Vigenère, Hill, one-time pad
• Perfect cryptography: Shannon's theorem on perfect secrecy
• Modern cryptosystems: S-boxes, Feistel ciphers, substitution-permutation networks, AES
• Cryptanalysis: linear and differential
• Block and stream ciphers: modes of encryption

Asymmetric Cryptosystems
• Basic results from complexity theory: NP, NP-complete
• One-way functions: Diffie-Hellman key exchange
• RSA: basic results from algebra; correctness of RSA; attacks on RSA
• Setting up RSA: key generation; primality testing
• Quantum computation: Shor's algorithm
• Discrete-log cryptography: ElGamal over Galois fields and elliptic curves
• Post-quantum cryptography: McEliece and NTRU cryptosystems

Other Security Protocols
• Secret sharing: Shamir threshold scheme
• Hash functions: random oracle model, birthday attack
• Signature schemes: DSS, attack on DSS
• Zero-knowledge: ZK for NP-complete problems, undeniable signatures, identification schemes, Fiat-Shamir scheme
• Multiparty computation: oblivious transfer, bit commitment, Yao garbled circuits, verifiable secret sharing
• Key distribution and agreement: quantum key expansion
Bibliography
Douglas R. Stinson, Cryptography: Theory and Practice, 3rd edition, CRC Press, 2005.
Lecture Notes, P. Mateus et al., 2018.
Nielsen and Chuang, Quantum Computation and Quantum Information, Cambridge University Press, 2011.
Evaluation
Exam: E, 10 val (up to 16 val)
Project: P, 10 val (down to 4 val)
• Development of some cryptosystem/security scheme or attack
• Project proposal: end of March
• Deliver 2 weeks before class ends
• Groups of two, to be defended
One exam delivered: B, extra point
Final grade:
if (E > P) return 1.6 E + 0.4 P + B
else return E + P + B
Basic concepts
Definition 1. Cryptosystem
Example 2. Shift cipher
X = Y = K = ℤ26
e_k(x) = (x + k) mod 26
d_k(y) = (y − k) mod 26
Caesar (salad) cipher, k = 23
Plain:      ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher:     XYZABCDEFGHIJKLMNOPQRSTUVW
Plaintext:  THE FOX JUMPS
Ciphertext: QEB CLU GRJMP
Exercise: Show that for any cryptosystem e_k is injective and d_k is surjective.
Resolution: Assume e_k is not injective. Then there exist x ≠ x' with e_k(x) = e_k(x'); by the definition of cryptosystem, x = d_k(e_k(x)) = d_k(e_k(x')) = x', which contradicts x ≠ x'.
Assume d_k is not surjective. Then there exists x such that d_k(y) ≠ x for all y. But taking y' = e_k(x), the definition of cryptosystem gives d_k(y') = x, contradicting d_k(y) ≠ x for all y.
Note: (ℤn, +, ×) forms a commutative ring. Mathematica handles these rings well with the command Mod. From this point on, + and × are always taken in these rings.
Mod[-3, 7]
4
Mod[5 * 3, 7]
1
Exercise: If 0 < a < n then gcd(a, n) = gcd(r, a), where r = n mod a.
Resolution: We show that if d | a and d | n then d | r. Note that r = n − aq for some q; moreover a = d k and n = d k', so r = d k' − d k q = d(k' − kq) and hence d | r.
Now we show that if d | r and d | a then d | n; this holds since n = aq + r, so n is a multiple of d.
Thus the common divisors of a and n are precisely the common divisors of a and r, which implies gcd(a, n) = gcd(a, r).
Lemma 3: Let d = gcd(a, n). Then d | (k a + l n) for all k, l ∈ ℤ. Moreover, there exist k and l such that d = k a + l n.
Proof: The first part follows by noticing that k a and l n are multiples of d, so k a + l n is also a multiple of d. The second part is the correctness of the Extended Euclidean Algorithm, which we shall detail later on.
Note: Mathematica has the Extended Euclidean Algorithm built in as the command ExtendedGCD, which returns {gcd, {k, l}}.
ExtendedGCD[5, 7]
{1, {3, -2}}
ExtendedGCD[23435, 723423]
{1, {77729, -2518}}
Proposition 4. Let a ∈ ℤn. Then a is invertible iff gcd(a, n) = 1.
Proof: ⇒ If a is invertible, there exists x such that a x ≡ 1 mod n. This can be restated as a x − 1 ≡ 0 mod n, which means that a x − 1 is a multiple of n, that is a x − 1 = k n, and so a x − k n = 1. By Lemma 3 this implies gcd(a, n) | 1, hence gcd(a, n) = 1.
⇐ If gcd(a, n) = 1, by Lemma 3 there exist k and l such that 1 = a k + l n, and so 1 ≡ a k mod n, which means that k is the inverse of a in ℤn. QED
ExtendedGCD[5, 7]
{1, {3, -2}}
What is the inverse of 5 in ℤ7?
PowerMod[5, -1, 7]
3
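The Extended Euclidean Algorithm behind Lemma 3 and the invertibility criterion of Proposition 4, as an added example (not code from the lecture notes) that reproduces the Mathematica results above without Mathematica. The loop replaces (n, a) by (a, n mod a) exactly as in the gcd exercise, carrying the coefficients along so that every remainder is a combination k a + l n; the last non-zero remainder is the gcd, and when it is 1 its coefficient of a is the inverse. The function names egcd, mod_inverse and is_invertible are my own.

```python
# Added example (not from the lecture notes): Extended Euclidean Algorithm and
# modular inverses, checked against ExtendedGCD[5, 7] and PowerMod[5, -1, 7].


def egcd(a: int, n: int) -> tuple[int, int, int]:
    """Return (d, k, l) with d = gcd(a, n) and k*a + l*n = d (Lemma 3).

    Each step replaces the pair (n, a) by (a, n mod a), the reduction of the
    gcd exercise; the coefficients are updated so that the invariant
    old_r == old_s * a + old_t * n holds for every remainder produced."""
    old_r, r = a, n
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def is_invertible(a: int, n: int) -> bool:
    """Criterion of Proposition 4: a is a unit in Z_n iff gcd(a, n) = 1."""
    return egcd(a % n, n)[0] == 1


def mod_inverse(a: int, n: int) -> int:
    """Inverse of a in Z_n, or ValueError when gcd(a, n) != 1.

    From k*a + l*n = 1 (Lemma 3) we get k*a == 1 (mod n), so k mod n is the
    inverse; this is the constructive half of the proof of Proposition 4."""
    d, k, _ = egcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd({a}, {n}) = {d}")
    return k % n


if __name__ == "__main__":
    print(egcd(5, 7))               # (1, 3, -2), matching ExtendedGCD[5, 7]
    print(egcd(23435, 723423))      # coefficients k, l with k*23435 + l*723423 = 1
    print(mod_inverse(5, 7))        # 3, matching PowerMod[5, -1, 7]
    print(is_invertible(6, 9))      # False: gcd(6, 9) = 3
```

Python 3.8 and later also expose this as the built-in pow(a, -1, n), which raises ValueError in the same non-invertible case. Note that the running time of egcd depends on the input values, so a routine like this must not be used directly on secret operands (for instance when deriving a private exponent) without a constant-time alternative, since the branch and division pattern leaks information through timing.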