impossible encryption

54
1 Thinking the Impossible “Modern Cryptography” Jeremy R. Johnson

Upload: khoi-tran

Post on 10-Apr-2016

29 views

Category:

Documents


0 download

DESCRIPTION

encryption techniques

TRANSCRIPT

Page 1: Impossible Encryption

1

Thinking the Impossible“Modern Cryptography”

Jeremy R. Johnson

Page 2: Impossible Encryption

2

Introduction

• Objective: To see how to securely communicate on the internet without giving up privacy. To understand what a public key cryptosystem is and how the RSA algorithm works. To do impossible things.

– Modern cryptography– Solutions to some “impossible problems”– Public Key Cryptosystems– Modular Arithmetic– RSA Algorithm

References: Rivest, Shamir, Adelman CS Unplugged

Page 3: Impossible Encryption

3

Importance of the Area

• Did you buy anything online recently? Use an ATM machine? If so, whether you know it or not, you used cryptography. Cryptography (in the guise of the SSL protocol) protects your credit card information as it whizzes across the Internet, and ensures that others can't withdraw money from your account.

• The ubiquitous use of tools such as SSL and SSH shows that cryptography, once an esoteric military concern, has now burst into the mainstream. Yet, this is only the beginning of a coming flood.

Page 4: Impossible Encryption

4

“Impossible” Problem One

How can you determine the outcome of a vote on the intenet without revealing individual votes?

Page 5: Impossible Encryption

5

Classical Cryptography

• Basic problem: Secure communication over an insecure channel

• Solution: private key encryption– m E(k,m) = c D(k,c) = m

• Shannon provided a rigorous theory of perfect secrecy based on information theory– Adversary has unlimited computational resources, but

key must be as long as message

Page 6: Impossible Encryption

6

Substitution Cypher

HELLOALL HAIL CEASAR

Page 7: Impossible Encryption

7

Substitution Cypher

KHOORDOO KDLO FHDVDU

Page 8: Impossible Encryption

8

Frequency Analysis

en.wikipedia.org/wiki/Frequency_analysis_(cryptanalysis)scottbryce.com/cryptograms

Page 9: Impossible Encryption

9

One Time Pad

• Pad = b1 bn {0,1}* chosen randomly• m = m1 mn

– E(Pad,m) = c = m Pad– D(Pad,c) = c Pad = (m Pad) Pad = m

m,c PrPad[E(Pad,m) = c] = 1/2n

– No information gained from seeing c– However, E(Pad,m) E(Pad,m’) = m m’

Page 10: Impossible Encryption

10

“Impossible” Problem Two

How can you send a secret over the internet without previously sending a courier to distribute the secret key?

Is your method secure?

The answer comes from modern cryptography and relies on public key cryptography

Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, Vol. IT-22, No. 6, Nov. 1976.

Page 11: Impossible Encryption

11

Public Key Cryptosystem

Let M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() decrypting. •D(E(M)) = M•Both E() and D() are easy to compute•Publicly revealing E() does not make it easy to determine D()•E(D(M)) = M - needed for signatures

The collection of E()’s are made publicly available but the D()’s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information)

Page 12: Impossible Encryption

Public Key Encryption Map (From CS Unplugged)

Page 13: Impossible Encryption

Public Key Encryption Map

The Map

What To Do

Come up with 10 numbers that add up to your ASCII value.

Label your vertices with the values.

Take each vertex and its neighbors, compute the sum, and replace the vertex value with that sum.

Erase the old values!!!

Page 14: Impossible Encryption

ASCII Table

Page 15: Impossible Encryption

Private Key Encryption Map

Page 16: Impossible Encryption

Private Key Encryption Map

The Private Key

What To Do

• Just add up the values of each bold vertex from the public map you were given.

Page 17: Impossible Encryption

17

Modern Cryptography

• Adversary’s resources are computationally bounded– Probabilistic polynomial time algorithm

• Impossibility of breaking the encryption system Infeasibility of breaking

• Rely on gap between efficient algorithms for encryption and computational infeasibility of decryption by adversary

Page 18: Impossible Encryption

18

Dominating Sets & NP Completeness

Page 19: Impossible Encryption

19

Dominating Sets & NP Completeness

Page 20: Impossible Encryption

20

“Impossible” Problem Three

How can you flip a coin over the phone?

The answer comes from modern cryptography and is the key to secure communication over the internet, provides privacy, authentication and digital signatures

Page 21: Impossible Encryption

21

Public Key Cryptosystem

Let M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() decrypting. •D(E(M)) = M•Both E() and D() are easy to compute•Publicly revealing E() does not make it easy to determine D()•E(D(M)) = M - needed for signatures

The collection of E()’s are made publicly available but the D()’s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information)

Page 22: Impossible Encryption

22

“Impossible” Problem Four

How can you prove you know something to an adversary without revealing your secret?

The answer comes from the area of zero knowledge proofs

Page 23: Impossible Encryption

Where’s Waldo

23

Page 24: Impossible Encryption

Open Sesame

24

Jean-Jacques Quisquater, Louis C. Guillou, Thomas A. Berson. How to Explain Zero-Knowledge Protocols to Your Children. Advances in Cryptology - CRYPTO '89:

Proceedings, v.435, p.628-631, 1990.

Page 25: Impossible Encryption

25

Zero Knowledge Proof

1. Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.

2. Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.

3. Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact. This is formalized by showing that every cheating verifier has some simulator that, given only the statement to be proven (and no access to the prover), can produce a transcript that "looks like" an interaction between the honest prover and the cheating verifier.

Page 26: Impossible Encryption

Secure Passwords

• Every users stores a statement of a theorem in a publicly readable directory

• Upon login, the user engages in a zero-knowledge proof of the correctness of the theorem

• If the proof is convincing access is granted• Guarantees that an adversary who overhears the

proof can not learn enough to gain access

26

Page 27: Impossible Encryption

27

RSA Public Key Cryptosystem

Page 28: Impossible Encryption

28

Public Key Cryptosystem

Let M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() decrypting. •D(E(M)) = M•Both E() and D() are easy to compute•Publicly revealing E() does not make it easy to determine D()•E(D(M)) = M - needed for signatures

The collection of E()’s are made publicly available but the D()’s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information)

Page 29: Impossible Encryption

29

Clock Arithmetic1

2

3

4

56

7

8

9

10

110

7+6 = ?

Page 30: Impossible Encryption

30

Clock Arithmetic1

2

3

4

56

7

8

9

10

110

7 + 1

Page 31: Impossible Encryption

31

Clock Arithmetic1

2

3

4

56

7

8

9

10

110

7 + 2

Page 32: Impossible Encryption

32

Clock Arithmetic1

2

3

4

56

7

8

9

10

110

7 + 3

Page 33: Impossible Encryption

33

Clock Arithmetic1

2

3

4

56

7

8

9

10

110

7 + 4

Page 34: Impossible Encryption

34

Clock Arithmetic1

2

3

4

56

7

8

9

10

110

7 + 5

Page 35: Impossible Encryption

35

Clock Arithmetic1

2

3

4

56

7

8

9

10

110

7 + 6 = 1 (mod 12)

Page 36: Impossible Encryption

36

Clock Arithmetic1

2

3

4

56

7

8

9

10

110

5 5 = ?

Page 37: Impossible Encryption

37

Clock Arithmetic1

2

3

4

56

7

8

9

10

110

5 2

Page 38: Impossible Encryption

38

Clock Arithmetic1

2

3

4

56

7

8

9

10

110

5 3

Page 39: Impossible Encryption

39

Clock Arithmetic1

2

3

4

56

7

8

9

10

110

5 4

Page 40: Impossible Encryption

40

Clock Arithmetic1

2

3

4

56

7

8

9

10

110

5 5 = 1 (mod 12)

Page 41: Impossible Encryption

41

Multiplication Table mod 5

0 1 2 3 40 0 0 0 0 0

1 0 1 2 3 4

2 0 2 4 1 3

3 0 3 1 4 2

4 0 4 3 2 1

Page 42: Impossible Encryption

42

Multiplication Table mod 6

0 1 2 3 4 50 0 0 0 0 0 0

1 0 1 2 3 4 5

2 0 2 4 0 2 4

3 0 3 0 3 0 3

4 0 4 2 0 4 2

5 0 5 4 3 2 1

Page 43: Impossible Encryption

43

Modular Arithmetic (Zn)

Definition: a b (mod n) n | (b - a) Alternatively, a = qn + b

Properties (equivalence relation)– a a (mod n) [Reflexive]– a b (mod n) b a (mod n) [Symmetric]– a b (mod n) and b c (mod n) a c (mod n) [Transitive]

Definition: An equivalence class mod n

[a] = { x: x a (mod n)} = { a + qn | q }

Page 44: Impossible Encryption

44

Modular Arithmetic (Zn)It is possible to perform arithmetic with equivalence classes mod n.

– [a] + [b] = [a+b]– [a] * [b] = [a*b]

In order for this to make sense, you must get the same answer (equivalence) class independent of the choice of a and b. In other words, if you replace a and b by numbers equivalent to a or b mod n you end of with the sum/product being in the same equivalence class.

a1 a2 (mod n) and b1 b2 (mod n) a1+ b1 a2 + b2 (mod n) a1* b1 a2 * b2 (mod n)

(a + q1n) + (b + q2n) = a + b + (q1 + q2)n(a + q1n) * (b + q2n) = a * b + (b*q1 + a*q2 + q1* q2)n

Page 45: Impossible Encryption

45

Representation of Zn

The equivalence classes [a] mod n, are typically represented by the representatives a.

• Positive Representation: Choose the smallest positive integer in the class [a] then the representation is {0,1,…,n-1}.

• Symmetric Representation: Choose the integer with the smallest absolute value in the class [a]. The representation is {-(n-1)/2 ,…, n/2 }. When n is even, choose the positive representative with absolute value n/2.

• E.G. Z6 = {-2,-1,0,1,2,3}, Z5 = {-2,-1,0,1,2}

Page 46: Impossible Encryption

46

Greatest Common Divisor

Definition: g = gcd(a,b) g|a and g|b if e|a and e|b then e|g

Example: gcd(30,12) = 6 30 = 2 3 5 12 = 22 3

Inefficient!!!

Page 47: Impossible Encryption

47

Euclidean Algorithm

gcd(a,b) if b = 0 then return a else return gcd(b, a mod b)

Example: gcd(30,12) gcd(12,6) gcd(6,0) Efficient!!! O(log N), a, b N

Page 48: Impossible Encryption

48

Modular Inverses

Definition: x is the inverse of a mod n, if ax 1 (mod n)

The equation ax 1 (mod n) has a solution iff gcd(a,n) = 1.

Extended Euclidean Algorithm, there exist x and y such that ax + ny = gcd(a,n).

When gcd(a,n) = 1, ax + ny = 1 ax 1 (mod n)

Example

gcd(5,12) = 1, 5 5 + -2 12 = 1

Page 49: Impossible Encryption

49

Euler phi function

• Definition: phi(n) = #{a: 0 < a < n and gcd(a,n) = 1}• Properties:

(p) = p-1, for prime p. (p^e) = (p-1)*p^(e-1) (m*n) = (m)* (n) for gcd(m,n) = 1. (p*q) = (p-1)*(q-1)

• Examples:

(15) = (3)* (5) = 2*4 = 8. = #{1,2,4,7,8,11,13,14} (9) = (3-1)*3^(2-1) = 2*3 = 6 = #{1,2,4,5,7,8}

Page 50: Impossible Encryption

50

Euler’s Identity

• The number of elements in Zn that have multiplicative inverses is equal to phi(n).

• Theorem: Let (Zn)* be the elements of Zn with inverses (called units). If a (Zn)*, then a(n) 1 (mod n).

Proof. The same proof presented for Fermat’s theorem can be used to prove this theorem.

Page 51: Impossible Encryption

51

Chinese Remainder Theorem

Theorem: If gcd(m,n) = 1, then given a and b there exist an integer solution to the system:

x a (mod m) and x = b (mod n).

Proof: Consider the map x (x mod m, x mod n). This map is a 1-1 map from Zmn to Zm Zn, since if x and y map

to the same pair, then x y (mod m) and x y (mod n). Since gcd(m,n) = 1, this implies that x y (mod mn).

Since there are mn elements in both Zmn and Zm Zn, the map is also onto. This means that for every pair (a,b) we can find the desired x.

Page 52: Impossible Encryption

52

Public Key Cryptosystem

Let M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() decrypting.

• D(E(M)) = M• Both E() and D() are easy to compute• Publicly revealing E() does not make it easy to determine D()• E(D(M)) = M - needed for signatures

The collection of E()’s are made publicly available but the D()’s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information)

Page 53: Impossible Encryption

53

RSA Public Key Cryptosystem

Based on the idea that it is hard to factor large numbers.

First encode M as an integer (e.g. use ASCII). Large messages will need to be blocked.

• Choose n = p*q, the product of two large prime numbers.• Choose e such that gcd(e,phi(n)) = 1. • Choose d such that de 1 (mod (n))

• E = (e,n) and E(M) = Me mod n• D = (d,n) and D(M) = Md mod n

Page 54: Impossible Encryption

54

Correctness of the RSA Algorithm

Theorem: D(E(M)) = E(D(M)) = M.

Proof. D(E(M)) = (Me)d (mod n) = Med (mod n).Since ed 1 (mod (n)), ed = k* (n) + 1, for some integer k.

Mk* (n)+1 (Mk* (n)+1 mod p, Mk* (n)+1 mod q)= (Mk* (n) * M mod p, Mk* (n) * M mod q) = (M(p-1)*(q-1)*k * M mod p, M(q-1)*(p-1)*k * M mod q) [since n = pq]= ((M(p-1))(q-1)*k * M mod p, (M(q-1))(p-1)*k * M mod q)= (M mod p, M mod q) [By Fermat’s theorem]

Therefore, by the CRT, Mk* (n)+1 M (mod n).