Modern Cryptography (sindhu/cs46/s16/crypto.pdf)
A whirlwind tour of Modern Cryptography!
Sharing Secrets
Steganography vs Cryptography
Scytale
Caesar Cipher
Cryptosystem
A 5-tuple (𝒫, 𝒞, 𝒦, ℰ, 𝒟):
• 𝒫: Set of all plaintext strings
• 𝒞: Set of all ciphertext strings
• 𝒦: Set of all keys, called the keyspace
• ℰ: Set of all encryption functions, each indexed by a key: $E_k \in \mathcal{E}$
• 𝒟: Set of all decryption functions, each indexed by a key: $D_k \in \mathcal{D}$
$\forall k \in \mathcal{K}\ \forall p \in \mathcal{P}:\ D_k(E_k(p)) = p$
Shift Ciphers
5-tuple (𝒫, 𝒞, 𝒦, ℰ, 𝒟)
• $\mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}$
• $\mathcal{K} = \mathbb{Z}_{26}$
• ℰ: Set of all encryption functions, $E_k(p) = p + k \bmod 26$
• 𝒟: Set of all decryption functions, $D_k(c) = c - k \bmod 26$
Affine Ciphers
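5-tuple (𝒫, 𝒞, 𝒦, ℰ, 𝒟)
• $\mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}$
• $\mathcal{K} = \mathbb{Z}_{26}^* \times \mathbb{Z}_{26}$
• ℰ: Set of all encryption functions, $E_{a,k}(p) = ap + k \bmod 26$
• 𝒟: Set of all decryption functions, $D_{a,k}(c) = a^{-1}(c - k) \bmod 26$
• $\gcd(a, 26) = 1$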
Symmetric Ciphers
shared key cryptosystems
State of the art: AES implemented in secure file transfer protocols (HTTPS, SFTP)
Asymmetric Ciphers
public key cryptosystems
RSA
Results from Number Theory
Def: Divisibility
For any $a, b \in \mathbb{Z}$, we say $a \mid b$ iff there is $k \in \mathbb{Z}$ such that $b = ka$
Warm up: Properties of Divisibility
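For any $a, b, c \in \mathbb{Z}$ with $a \neq 0$
• $a \mid b$ and $a \mid c \Rightarrow a \mid (b + c)$
• for all $k \in \mathbb{Z}$, $a \mid b \Rightarrow a \mid bk$
• $a \mid b$ and $b \mid c \Rightarrow a \mid c$
For all $k_1, k_2 \in \mathbb{Z}$
• $a \mid b$ and $a \mid c \Rightarrow a \mid (k_1 b + k_2 c)$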
Def: congruence, modulus
For any $a, b \in \mathbb{Z}$ and $m \in \mathbb{Z}^+$, we say
$a = b \pmod{m}$ iff $m \mid (a - b)$
Result
$a = b \pmod{m}$ iff $\exists\, k$ such that $a = b + km$
Bezout’s Lemma
For any $a, b \in \mathbb{Z}^+$,
$\exists\, s, t \in \mathbb{Z}$ such that $\gcd(a, b) = sa + tb$
Inverse
Suppose a, m are relatively prime integers with m > 1. Then there exists a unique integer $a^{-1}$ such that
$a^{-1} a = 1 \pmod{m}$
Inverse
$\gcd(a, m) = 1$
There exist s, t such that $sa + tm = 1$
Thus, $sa = 1 \bmod m$
Fermat’s Little Theorem
Suppose p is a prime integer and a is an integer such that $\gcd(a, p) = 1$
Then $a^{p-1} = 1 \pmod{p}$
Chinese Remainder Theorem
For any $m_1, m_2, \ldots, m_n$ such that
• $m_i \in \mathbb{Z}^+$
• $m_i > 1$
• $\gcd(m_i, m_j) = 1$ (for $i \neq j$)
and integers $a_1, a_2, \ldots, a_n$
The following system of congruences has a unique solution mod $(m_1 m_2 \cdots m_n)$
$x \equiv a_1 \bmod m_1$
$x \equiv a_2 \bmod m_2$
…
$x \equiv a_n \bmod m_n$
Chinese Remainder Theorem
Define $M_k = m_1 m_2 \cdots m_{k-1} m_{k+1} \cdots m_n$
$\gcd(m_k, M_k) = 1$
Let $M_k^{-1} = y_k \bmod m_k$
The following system of congruences has the unique solution $x = \sum_i a_i y_i M_i \bmod (m_1 m_2 \cdots m_n)$
$x \equiv a_1 \bmod m_1$
$x \equiv a_2 \bmod m_2$
…
$x \equiv a_n \bmod m_n$
Chinese Remainder Theorem
For any $m_1, m_2, \ldots, m_n$ such that
• $m_i \in \mathbb{Z}^+$
• $m_i > 1$
• $\gcd(m_i, m_j) = 1$ (for $i \neq j$)
and integers $a_1, a_2, \ldots, a_n$
The system of congruences $x \equiv a_i \bmod m_i$
has a solution x with $0 \le x < m$, where $m = m_1 m_2 \cdots m_n$, and all other solutions are congruent (modulo m) to this solution.
RSA Encryption
Given: Plaintext M
Construct: Ciphertext C
Public Key: (n, e)
• $n = pq$, where p, q are primes
• $\gcd(e, (p-1)(q-1)) = 1$
RSA Encryption
Public Key: (n, e)
• $n = pq$, where p, q are primes
• $\gcd(e, (p-1)(q-1)) = 1$
M: $m_1\ m_2\ \ldots\ m_k$
C: $c_1\ c_2\ \ldots\ c_k$
$c_i = (m_i)^e \bmod n$
RSA Decryption
Private Key: d
$de = 1 \bmod (p-1)(q-1)$
C: $c_1\ c_2\ \ldots\ c_k$
M: $m_1\ m_2\ \ldots\ m_k$
$m_i = (c_i)^d \bmod n$
RSA Decryption
Claim: $m = c^d \bmod n$
• $c^d \bmod n = (m^e)^d \bmod n$
• $(m^e)^d \bmod n = m^{ed} \bmod n$
$de = 1 \bmod (p-1)(q-1)$
• $m^{ed} \bmod n = m^{k(p-1)(q-1)+1} \bmod n$
RSA Decryption
$m^{k(p-1)(q-1)+1} \bmod n = (m \cdot m^{k(p-1)(q-1)}) \bmod n$
FLT: $m^{p-1} = 1 \bmod p$ if $\gcd(m, p) = 1$
$(m \cdot m^{k(p-1)(q-1)}) \bmod p = m\,(m^{p-1})^{k(q-1)} \bmod p = m \bmod p$
Similarly, $(m \cdot m^{k(p-1)(q-1)}) \bmod q = m\,(m^{q-1})^{k(p-1)} \bmod q = m \bmod q$
Chinese Remainder Theorem
For any $p_1, p_2, \ldots, p_n$ such that
• $p_i \in \mathbb{Z}^+$
• $p_i > 1$
• $\gcd(p_i, p_j) = 1$ (for $i \neq j$)
and integers $a_1, a_2, \ldots, a_n$
The system of congruences $x \equiv a_i \bmod p_i$
has a solution x with $0 \le x < p_1 p_2 \cdots p_n$, and all other solutions are congruent (modulo $p_1 p_2 \cdots p_n$) to this solution.
RSA Decryption
$m = c^d \bmod p$
$m = c^d \bmod q$
By CRT, $c^d = m \bmod pq$
RSA
$c = m^e \bmod n$
$m = c^d \bmod n$
relies on hardness of factoring large numbers
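The decryption argument above, run on numbers, as an added example that is not part of the original slides: it computes $c^d$ mod p and mod q separately, recombines them with the CRT formula $x = \sum a_i y_i M_i$, and checks the result against $c^d \bmod n$. The primes 61 and 53, the exponent 17 and all function names are constructed for illustration; the test messages include values that share a factor with n, a case the Fermat step (which assumes gcd(m, p) = 1) does not cover.

```python
# Added example: textbook RSA on constructed toy primes (no padding).
def egcd(a, b):
    """Bezout: return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def inverse(a, m):
    """The unique a^-1 mod m; exists only when gcd(a, m) = 1."""
    g, s, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("a and m are not relatively prime")
    return s % m

def crt(residues, moduli):
    """x = sum(a_i * y_i * M_i) mod (m_1 ... m_n), y_i = M_i^-1 mod m_i."""
    n = 1
    for m in moduli:
        n *= m
    x = 0
    for a, m in zip(residues, moduli):
        M = n // m
        x += a * inverse(M, m) * M
    return x % n

def keygen(p, q, e):
    """Return (n, d) with n = p*q and d*e = 1 mod (p-1)(q-1)."""
    return p * q, inverse(e, (p - 1) * (q - 1))

def encrypt(m, e, n):
    return pow(m, e, n)

def decrypt(c, d, n):
    return pow(c, d, n)

def decrypt_crt(c, d, p, q):
    """Compute c^d mod p and mod q separately, then recombine with CRT."""
    return crt([pow(c, d, p), pow(c, d, q)], [p, q])

P, Q, E = 61, 53, 17              # constructed toy parameters
N, D = keygen(P, Q, E)            # N = 3233, D = 2753

if __name__ == "__main__":
    # 2*P and 3*Q share a factor with N, where gcd(m, p) = 1 does not hold
    for m in (65, 2 * P, 3 * Q, 0, N - 1):
        c = encrypt(m, E, N)
        assert decrypt(c, D, N) == decrypt_crt(c, D, P, Q) == m
        print(m, "->", c, "->", decrypt(c, D, N))
```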
Digital Signature using RSA
Idea: sender applies decryption function to each message block
recipient applies encryption function to every block received
primitive root
Suppose p is a prime integer. Then a is a primitive root mod p if every non-zero element of $\mathbb{Z}_p$ is a power of a
$\mathbb{Z}_p = \{0, a, a^2, \ldots, a^{p-1}\}$
Diffie-Hellman Key Exchange
Alice and Bob agree to use prime p and primitive root a
Alice chooses secret $k_1$
Bob chooses secret $k_2$
A → B: $a^{k_1} \bmod p$
B → A: $a^{k_2} \bmod p$
Alice computes key = $(a^{k_2})^{k_1} \bmod p$
Bob computes key = $(a^{k_1})^{k_2} \bmod p$
relies on hardness of discrete log problem