Lecture 10: Cryptography
Credit: https://xkcd.com/177/
Credit: Sagnik
Basic Setup
Diagram: sender → E(m) → receiver
Credit: https://flylib.com/books/en/1.581.1.188/1/
Recall: XOR
Recall the XOR operation (⊕):
x y | x ⊕ y
0 0 |   0
0 1 |   1
1 0 |   1
1 1 |   0
Notice that for any bits x, b we have (x ⊕ b) ⊕ b = x.
One-Time Pad
Alice (the sender) wants to send an n-bit message m to Bob (the receiver).
Setup:
- Alice and Bob generate a random n-bit key k.
Encryption:
- Alice encrypts c = E(m) := m ⊕ k.
Decryption:
- Bob decrypts D(c) := c ⊕ k.
Notice that D(E(m)) = (m ⊕ k) ⊕ k = m, i.e. Bob always receives the message Alice sent.
One-Time Pad: Disadvantages
One-Time Pad is the only existing mathematically unbreakable encryption scheme, but it is no longer unbreakable unless:
- k is at least as long as m;
- k is truly random (not generated by a simple computer function);
- each key is used only once;
- there should only be two copies of the key: one for Alice and one for Bob.
But what if I (Alice) want to send my credit card information to Amazon (Bob) to make a purchase?
- Not practical; I would need to somehow communicate with Amazon to agree on a key for every single purchase.
- And every single user would have had to do this.
Solve these issues with public-key cryptography: use pairs of keys
- public keys: everyone knows!
- private keys: only Bob knows.
RSA Protocol
Everyone can send messages to Bob. For now, let's say Alice wants to send a message m to Bob.
Setup:
- Bob chooses two large (2048-bit) distinct primes p, q.
- Bob chooses e such that gcd(e, (p−1)(q−1)) = 1.
- The public key is (N, e), where N = pq.
- Bob computes the private key d := e^(−1) mod (p−1)(q−1).
Encryption:
- Alice encrypts c = E(m) := m^e mod N.
Decryption:
- Bob decrypts D(c) := c^d mod N.
# TODO
We need to analyze:
- Correctness: D(E(m)) = m?
- Efficiency: Can Alice and Bob perform their steps efficiently?
- Security: Can Eve break it?
Fermat's Little Theorem
Theorem: Let p be a prime and a ≢ 0 (mod p). Then a^(p−1) ≡ 1 (mod p).
Proof (sketch, as worked on the slide). Consider f(x) = ax mod p on the domain {1, …, p−1}. Since p is prime and a ≢ 0 (mod p), a^(−1) mod p exists, so f has the inverse x ↦ a^(−1)x mod p and is therefore a bijection from {1, …, p−1} onto itself. Multiplying all the images of f: ∏ (ax) ≡ ∏ x (mod p), i.e. a^(p−1) · (p−1)! ≡ (p−1)! (mod p). Since (p−1)! is coprime to p, it can be cancelled, giving a^(p−1) ≡ 1 (mod p).
RSA correctness
Theorem: Let D, E be the RSA decryption and RSA encryption functions respectively. Then D(E(m)) = m, i.e. the RSA protocol always decrypts correctly.
Proof (sketch, as worked on the slide). Goal: D(E(m)) = m^(ed) ≡ m (mod N), where N = pq. Since ed ≡ 1 (mod (p−1)(q−1)), write ed = 1 + k(p−1)(q−1) for some integer k. Modulo p: if m ≡ 0 (mod p) then both sides are 0; otherwise, by FLT, m^(ed) = m · (m^(p−1))^(k(q−1)) ≡ m · 1 ≡ m (mod p). The same argument gives m^(ed) ≡ m (mod q). Thus x = m^(ed) satisfies x ≡ m (mod p) and x ≡ m (mod q). By CRT the solution is unique modulo N = pq, and x = m is a solution, so m^(ed) ≡ m (mod N).
RSA Efficiency
Setup:
- Bob chooses two large distinct primes p and q. how???
- Bob chooses e such that gcd(e, (p−1)(q−1)) = 1. how??? (choose a prime, like 3)
- Bob computes d := e^(−1) mod (p−1)(q−1). how??? (extended Euclidean algorithm is fast!)
Encryption:
- Alice encrypts c = E(m) := m^e mod N. how??? (repeated squaring is fast!)
Decryption:
- Bob decrypts D(c) := c^d mod N. how??? (repeated squaring is fast!)
RSA Efficiency: Sampling Primes
We need two large (2048-bit) primes.
- By the Prime Number Theorem, the number of primes ≤ N is at least N / ln(N).
- So a random number up to N is prime with probability ≈ 1/ln N, and we need to generate and check ≈ ln N candidates. This is linear in the number of bits of N.
- ...but how to check primes?
- There is an efficient algorithm that tests if N is prime (polynomial time in the number of bits of N).
RSA Security
Cryptography relies on assumptions. RSA Assumption: Given N, e, and m^e mod N, there is no efficient algorithm for finding m. We believe Eve cannot break RSA.
- Eve can break RSA by factoring N = pq to get (p−1)(q−1) to compute d.
- But prime factorization is hard!
- For large N, no efficient, non-quantum algorithm is known.
Replay Attack
Does Eve really need to know d to attack?
- Suppose my credit card number is m.
- I send Amazon E(m) to make a purchase.
- Eve can't recover m from E(m).
- But Eve was listening to our communication and now she knows E(m).
- Eve sends E(m) to Amazon.
- Now Eve can use my credit card.
Defense Against Replay Attacks
Even a secure protocol can be vulnerable; it needs careful implementation. To defend against replay attacks:
- before encrypting m, randomly generate a string s;
- send E(concatenate(m, s));
- if Amazon gets the same message twice, reject.
Flipping RSA: Digital Signature
RSA can also be used as a proof of identity.
- How does Alice know the receiver is Bob?
- Bob could prove his identity by showing Alice d, but he doesn't want to do that.
- Alice chooses a message m and asks Bob to send her m^d mod N.
- Alice can verify (m^d)^e ≡ m (mod N).
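The challenge-response on the Digital Signature slide as an added Python example (not the lecture's code). It assumes the same fixed demo key built from two known Mersenne primes (a real key uses random 2048-bit primes) and Python 3.8+ for `pow(e, -1, phi)`. Alice draws a fresh random m, the party claiming to be Bob answers with m^d mod N, and Alice checks (m^d)^e ≡ m (mod N) using only the public key; an impostor without d fails the check.

```python
import math
import secrets

# Constructed demo key from two known Mersenne primes.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
PHI = (P - 1) * (Q - 1)
assert math.gcd(E, PHI) == 1
D = pow(E, -1, PHI)          # Bob's private d, Python 3.8+


def sign(m: int, d: int = D, n: int = N) -> int:
    """Bob's side: s = m^d mod N, computable only with the private key d."""
    return pow(m, d, n)


def verify(m: int, s: int, e: int = E, n: int = N) -> bool:
    """Alice's side: accept iff s^e ≡ m (mod N), using only the public key (N, e)."""
    return pow(s, e, n) == m


def challenge_response(prover_exponent: int) -> bool:
    """Alice picks a fresh random challenge m and asks the prover for m^d mod N.
    The prover answers with whatever exponent it holds; only the real d passes."""
    m = secrets.randbelow(N - 2) + 2
    s = pow(m, prover_exponent, N)
    return verify(m, s)


if __name__ == "__main__":
    print(challenge_response(D))       # True: the prover holds d
    print(challenge_response(D + 1))   # False: a wrong exponent never verifies
```

Choosing m at random for every run is what makes this a proof of identity rather than a replayable token: an old answer m^d only verifies against the m it was computed for.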
Digital Signature Attack
Should Bob sign arbitrary messages?
- Alice encrypts a top-secret message m and sends it to Bob.
- Eve intercepts the cipher E(m).
- Eve chooses a number r and asks Bob to sign r^e · E(m).
- Bob agrees and sends Eve (r^e · E(m))^d mod N.
- Now Eve knows (r^e · E(m))^d ≡ r^(ed) · m^(ed) ≡ rm (mod N).
- Eve knows r; so Eve computes r^(−1) mod N to recover m.
THE END!
Thank you for coming!