Diffie-Hellman key-exchange protocol


This protocol allows two users to choose a common secret key, for DES or AES, say, while communicating over an insecure channel (with eavesdroppers). The two users agree on a common large prime $p$ and a constant value $a$, which may be publicly known and available to everyone. It is best if the smallest exponent $e > 0$ for which $a^e \equiv 1 \pmod p$ is $e = p - 1$, but the protocol will work if $e < p - 1$ provided $e$ is still large. When $e = p - 1$, $a$ is called a primitive root modulo $p$. In that case the numbers $a^1 \bmod p,\ a^2 \bmod p,\ a^3 \bmod p, \ldots, a^{p-1} \bmod p$ are all different and form an RSR (reduced system of residues) modulo $p$.

Alice secretly chooses a random $x_A$ in $0 < x_A < p - 1$ and computes $y_A = a^{x_A} \bmod p$. Bob secretly chooses a random $x_B$ in $0 < x_B < p - 1$ and computes $y_B = a^{x_B} \bmod p$. Alice sends $y_A$ to Bob. Bob sends $y_B$ to Alice. An eavesdropper, knowing $p$ and $a$ and seeing $y_A$ and $y_B$, cannot compute $x_A$ or $x_B$ from this data unless he can solve the Discrete Logarithm Problem quickly. Alice computes $K_A = y_B^{x_A} \bmod p$. Bob computes $K_B = y_A^{x_B} \bmod p$. Then $K_A \equiv a^{x_A x_B} \equiv K_B \pmod p$ and $0 < K_A, K_B < p$, so $K_A = K_B$.

Alice and Bob choose certain agreed-upon bits from $K_A$ to use as their key for a single-key cipher like DES or AES. Although this protocol provides secure communication between Alice and whoever is at the other end of the communication line, it does not prove that Bob is the other party. To guarantee that Bob is at the other end, they would have to use a signature system like RSA.

Discrete Logarithms

The Diffie-Hellman key exchange and several other crypto algorithms could all be broken if we could compute discrete logarithms quickly, that is, if we could easily solve the exponential congruence $a^x \equiv b \pmod p$. By analogy to ordinary logarithms, we may write $x = \log_a b$ when $p$ is understood from the context. These discrete logarithms enjoy many properties of ordinary logarithms, such as $\log_a bc = \log_a b + \log_a c$, except that the arithmetic with logarithms must be done modulo $p - 1$ because $a^{p-1} \equiv 1 \pmod p$. Neglecting powers of $\log p$, the congruence may be solved in $O(p)$ time and $O(1)$ space by raising $a$ to successive powers modulo $p$ and comparing each with $b$. It may also be solved in $O(1)$ time and $O(p)$ space by looking up $x$ in a precomputed table of pairs $(x, a^x \bmod p)$ sorted by the second coordinate.
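As an added illustration (not part of the original notes), the exchange above and the two brute-force discrete-logarithm methods in Python. The prime $p = 1019$, the base $a = 2$ (a primitive root, checked in the code) and the exponents are constructed toy values; at this size the eavesdropper recovers the key instantly, which is exactly why a real $p$ must be hundreds of digits.

```python
P, A = 1019, 2   # constructed toy prime and base; a real p has hundreds of digits

def is_primitive_root(a, p):
    """a is a primitive root iff a^((p-1)/q) != 1 for every prime q dividing p-1,
    i.e. the smallest e > 0 with a^e = 1 (mod p) is e = p-1."""
    n, f, factors = p - 1, 2, set()
    while f * f <= n:                # trial-division factoring of p-1 (toy sizes)
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return all(pow(a, (p - 1) // q, p) != 1 for q in factors)

def dh_exchange(p, a, x_a, x_b):
    """Alice's and Bob's computations; returns (y_A, y_B, K_A, K_B)."""
    y_a, y_b = pow(a, x_a, p), pow(a, x_b, p)   # the two values sent in the clear
    return y_a, y_b, pow(y_b, x_a, p), pow(y_a, x_b, p)

def dlog_time(a, b, p):
    """O(p) time, O(1) space: step through a^0, a^1, ... until b appears."""
    cur = 1
    for x in range(p - 1):
        if cur == b % p:
            return x
        cur = (cur * a) % p
    return None                      # b is not a power of a modulo p

def dlog_table(a, p):
    """O(p) space: table a^x -> x, after which each lookup is O(1)."""
    table, cur = {}, 1
    for x in range(p - 1):
        table.setdefault(cur, x)     # keep the smallest exponent for each value
        cur = (cur * a) % p
    return table

def dlog_space(a, b, p, table=None):
    """O(1) time once the table exists (built here if the caller did not pass one)."""
    return (table if table is not None else dlog_table(a, p)).get(b % p)

def eavesdropper_key(p, a, y_a, y_b):
    """What a listener gets once discrete logs are easy: x_A from y_A, then K."""
    return pow(y_b, dlog_time(a, y_a, p), p)

if __name__ == "__main__":
    assert is_primitive_root(A, P)
    y_a, y_b, k_a, k_b = dh_exchange(P, A, 123, 456)
    print("K_A == K_B:", k_a == k_b)
    print("listener recovers K:", eavesdropper_key(P, A, y_a, y_b) == k_a)
```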

The RSA public-key cipher (Rivest-Shamir-Adleman)

Let $n = pq$ be the product of two large primes. Then $\varphi(n) = \varphi(pq) = (p-1)(q-1)$, so $ed \equiv 1 \pmod{(p-1)(q-1)}$. Encode plaintext as (blocks) $0 \le M < n$. Encipher $M$ as $C = E(M) = M^e \bmod n$. Decipher $C$ as $M = D(C) = C^d \bmod n$. This works, that is, $D(E(M)) = M$ for all $M$ in $0 \le M < n$, provided that $ed \equiv 1 \pmod{\varphi(n)}$, since $M^{\varphi(n)} \equiv 1 \pmod n$ by Euler's Theorem. This is true since $\varphi(n) = (p-1)(q-1)$ and $ed \equiv 1 \pmod{(p-1)(q-1)}$. This implies that $e$ and $d$ must each be relatively prime to $\varphi(n)$.

Each user of RSA has her own set of keys: make $n$ and $e$ public, but keep $d$ secret. The factors $p$ and $q$ are not needed after $e$ and $d$ are computed, but in any case should not be revealed. If many users wish to communicate securely in pairs, then RSA requires fewer total keys to be stored than Pohlig-Hellman. Cryptanalysis: since $n$ is public and one can easily compute $d$ from $e$ and the factors of $n$, a direct approach to breaking RSA is to factor $n$. Using the best currently-known methods, this is about as hard as solving the Discrete Logarithm Problem with the same sized modulus. For a modulus $n$ of 400 decimal digits, this is too hard for current algorithms and computers.

Exponentiation ciphers

RSA is an example of an exponentiation cipher, that is, a cipher in which encryption and decryption are done by raising the plain or cipher text to a secret power modulo a large integer. Suppose the modulus is a large integer $n$. Encode plaintext as (blocks) $0 \le M < n$. Encipher $M$ as $C = E(M) = M^e \bmod n$. Decipher $C$ as $M = D(C) = C^d \bmod n$. This works, that is, $D(E(M)) = M$ for all $M$ in $0 \le M < n$, provided that $ed \equiv 1 \pmod{\varphi(n)}$, since $M^{\varphi(n)} \equiv 1 \pmod n$ by Euler's Theorem. Proof: write $ed = t\varphi(n) + 1$ for some integer $t$; then $D(E(M)) = M^{ed} = M^{t\varphi(n)+1} = (M^{\varphi(n)})^t M \equiv M \pmod n$. The condition $ed \equiv 1 \pmod{\varphi(n)}$ implies that $e$ is relatively prime to $\varphi(n)$. In the case of RSA, $n$ is the product of two primes so large that $n$ cannot be factored in a reasonable time.

Pohlig-Hellman cipher

This is another exponentiation cipher. This is NOT a public-key cipher. Let $n = p$ be prime. Then $\varphi(p) = p - 1$ and $ed \equiv 1 \pmod{p-1}$. Method 1: keep all of $p, e, d$ secret. All three are the key. There is just one user or one pair of users.

Method 2: let $p$ be public and keep $e$ and $d$ secret. The key is the pair $(e, d)$. Each user has a secret pair to safeguard her personal secrets. Each pair of users who wish to communicate choose a key pair. Since it may take a while to generate a large prime, Method 2 is more common than Method 1. Furthermore, Method 2 has interesting mathematical properties which foster its use in special ways discussed later (Massey-Omura, mental poker). Cryptanalysis: for a known-plaintext attack on Method 2, one is given a prime $p$, $C$ and $M$, and must find an exponent $e$ so that $C \equiv M^e \pmod p$ or (equivalently) $d$ so that $M \equiv C^d \pmod p$, that is, the attacker must solve a Discrete Logarithm Problem. Although there are some easy cases, such as modulus $m = p$ prime where $p - 1$ has only small prime factors, the general case is about as difficult to solve as it is to factor a general number as large as $m$.

An important property of the Pohlig-Hellman cipher

Let $p$ be a large prime. Suppose users A and B have encryption algorithms $E_A$ and $E_B$ and decryption algorithms $D_A$ and $D_B$. (So $E_A(M) = M^{e_A} \bmod p$, $D_A(C) = C^{d_A} \bmod p$, where $e_A d_A \equiv 1 \pmod{p-1}$, etc.) Since the encryption and decryption algorithms are all exponentiation modulo a fixed modulus, they all commute, that is, they may be done in any order and give the same result. For example, $E_A(D_B(x)) = D_B(E_A(x))$ for every $x$ because both are just $x^{e_A d_B} = x^{d_B e_A} \bmod p$.

RSA Signatures

RSA has no direct authentication: anyone can send any message to you and claim it came from anyone. However, one can sign RSA messages as follows. Use the same notation for enciphering and deciphering algorithms as we did for Pohlig-Hellman: $E_A$, $D_B$, etc. Alice can sign (and encipher) a message $M$ to Bob by sending $C = E_B(D_A(M))$ to Bob. Bob can decipher $C$ by applying $D_B$ to it (to get $D_A(M)$) and then check the signature by applying $E_A$ to the latter. Note that Bob's cipher algorithms do not commute with Alice's because the modulus is different. Thus the order in which Bob applies the operations to $C$ matters: Bob must do $D_B$ first and then $E_A$ second.

There is another problem caused by the different moduli. $D_A$ and $E_A$ do arithmetic modulo Alice's modulus $n_A$ while $E_B$ and $D_B$ do arithmetic modulo Bob's modulus $n_B$. This works fine if $n_A < n_B$, but part of the message will be lost if $n_A > n_B$. There are three ways to solve this problem:
1. Re-block the message after $D_A$ is applied.
2. Enforce an arbitrary threshold $T$ and let every RSA user A have two complete sets of RSA keys, one with $n_{A1} < T$ and one with $n_{A2} > T$. The keys with the smaller modulus $n_{A1}$ are used for signing messages from A and the keys with the larger modulus $n_{A2}$ are used to encipher messages going to A.

3. A more elegant solution is for Alice to sign (and encipher) a message $M$ to Bob by sending $C = E_B(D_A(M))$ to Bob when $n_A < n_B$, and by sending $C = D_A(E_B(M))$ to Bob when $n_A > n_B$. In either case, Bob undoes these operations in reverse order. What if Alice later denies sending $M$ and Bob goes to an independent judge to prove that $M$ bears Alice's signature? In the first case ($n_A < n_B$), Bob gives the judge $M$ and $X = D_B(C)$, the judge computes $M' = E_A(X)$ and tests whether $M' = M$. If so, the judge rules that Alice signed $M$. In the second case ($n_A > n_B$), Bob gives the judge $M$ and $C$, the judge computes $X' = E_B(M)$ and $X'' = E_A(C)$ and tests whether $X' = X''$. If so, the judge rules that Alice signed $M$.
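An added Python example (not from the notes) of the third solution: the sign-then-encipher order is chosen by modulus size, Bob undoes it in reverse, and the judge's check uses only public operations. The two RSA key pairs are constructed from toy primes (61, 53 and 101, 113 with $e = 17$); the function and variable names are this example's own.

```python
from math import gcd

def rsa_keygen(p, q, e=17):
    """Textbook RSA from two (toy) primes: n = pq, e*d = 1 (mod (p-1)(q-1))."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return n, e, pow(e, -1, phi)

def E(m, key):
    """Public operation with a user's key: m^e mod n."""
    n, e, _ = key
    return pow(m, e, n)

def D(c, key):
    """Private operation with a user's key: c^d mod n."""
    n, _, d = key
    return pow(c, d, n)

def sign_and_encipher(m, alice, bob):
    """Alice signs and enciphers M for Bob, ordering the two operations so that the
    intermediate value is always smaller than the modulus applied next."""
    n_a, n_b = alice[0], bob[0]
    assert 0 <= m < min(n_a, n_b)
    if n_a < n_b:
        return E(D(m, alice), bob)       # C = E_B(D_A(M)); D_A(M) < n_A < n_B
    return D(E(m, bob), alice)           # C = D_A(E_B(M)); E_B(M) < n_B < n_A

def recover(c, alice, bob):
    """Bob undoes Alice's two operations in reverse order."""
    if alice[0] < bob[0]:
        return E(D(c, bob), alice)       # D_B first (gives D_A(M)), then E_A
    return D(E(c, alice), bob)           # E_A first (gives E_B(M)), then D_B

def evidence_for_judge(c, alice, bob):
    """What Bob hands over: X = D_B(C) in the first case, C itself in the second."""
    return D(c, bob) if alice[0] < bob[0] else c

def judge(m, evidence, alice, bob):
    """The judge needs only the public keys; True means 'Alice signed M'."""
    if alice[0] < bob[0]:
        return E(evidence, alice) == m               # M' = E_A(X); test M' = M
    return E(m, bob) == E(evidence, alice)           # X' = E_B(M) vs X'' = E_A(C)

# Constructed toy keys; n_A = 3233 < n_B = 11413, so Alice -> Bob is the first case
# and Bob -> Alice (roles swapped) is the second.
ALICE = rsa_keygen(61, 53)
BOB = rsa_keygen(101, 113)

if __name__ == "__main__":
    c = sign_and_encipher(1234, ALICE, BOB)
    print(recover(c, ALICE, BOB), judge(1234, evidence_for_judge(c, ALICE, BOB), ALICE, BOB))
```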

The El-Gamal public-key cipher

The ElGamal public key cryptosystem is strictly not an exponentiation cipher, although exponentiation is done during enciphering and deciphering. Fix a large prime $p$ and a primitive root $g$ modulo $p$ in $1 < g < p$, both of which are public. Each user A who wishes to participate in this public-key cryptosystem chooses a secret $a_A$ in $0 < a_A < p - 1$ and publishes $b_A = g^{a_A} \bmod p$. When a user B wants to send a secret message $M$ in $0 < M < p$ to A, she chooses a random $k$ in $0 < k < p - 1$ and sends to A the pair $C = (g^k \bmod p,\ (M b_A^k) \bmod p)$.

The plaintext $M$ is enciphered by multiplying it by $b_A^k$ in the second component of $C$. Note that $b_A^k \equiv (g^{a_A})^k \equiv g^{a_A k} \pmod p$. The first component of $C$ provides a hint for deciphering $M$ from the second component of $C$, but one which is useful only to A. Only A knows the secret key $a_A$, so only A can compute $(g^k)^{a_A} \equiv g^{a_A k} \pmod p$. If the multiplicative inverse of this number is multiplied times the second component, one recovers $M$: $(g^{a_A k})^{-1} (M b_A^k) \equiv (g^{a_A k})^{-1} (M g^{a_A k}) \equiv M \pmod p$.

Cryptanalysis of the El-Gamal public-key cipher

An eavesdropper who could solve the discrete logarithm problem modulo $p$ could compute $M$ from $C$ and public data without knowing $a_A$ as follows. The first component of $C$ is $h = g^k \bmod p$. This number and $T = (M b_A^k) \bmod p$ are observed by the eavesdropper. The eavesdropper knows $p$ and $g$ because these numbers are public. He can also obtain A's public key $b_A$ from A's directory, just as B did. He would solve the discrete logarithm problem $g^k \equiv h \pmod p$ for $k$ and then compute $T (b_A^k)^{-1} \equiv (M b_A^k)(b_A^k)^{-1} \equiv M \pmod p$.
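An added Python example (not from the notes) of the ElGamal steps above: A's key setup, B's encryption with a fresh $k$, A's decryption via the inverse of $g^{a_A k}$, and the eavesdropper's recovery, which succeeds here only because the constructed prime $p = 1019$ (with primitive root $g = 2$) is small enough to find $k$ by exhaustive search. The seed and function names are this example's own.

```python
import random

P, G = 1019, 2    # constructed toy prime and a primitive root g modulo it

def elgamal_keygen(p, g, rng):
    """User A: secret a_A in 0 < a_A < p-1, public b_A = g^a_A mod p."""
    a_a = rng.randrange(1, p - 1)
    return a_a, pow(g, a_a, p)

def elgamal_encrypt(m, b_a, p, g, rng):
    """User B: random k per message; C = (g^k mod p, M * b_A^k mod p)."""
    assert 0 < m < p
    k = rng.randrange(1, p - 1)
    return pow(g, k, p), (m * pow(b_a, k, p)) % p

def elgamal_decrypt(c, a_a, p):
    """Only A can form (g^k)^a_A = g^{a_A k}; multiplying by its inverse strips the mask."""
    h, t = c
    mask = pow(h, a_a, p)
    return (t * pow(mask, -1, p)) % p

def eavesdrop(c, b_a, p, g):
    """The cryptanalysis above, feasible only for toy p: solve g^k = h by trying
    every exponent, then multiply T by (b_A^k)^-1."""
    h, t = c
    k = next(x for x in range(p - 1) if pow(g, x, p) == h)
    return (t * pow(pow(b_a, k, p), -1, p)) % p

def roundtrip(m, seed=1):
    """Key setup, one message from B to A; returns (A's plaintext, eavesdropper's)."""
    rng = random.Random(seed)        # constructed deterministic randomness for the demo
    a_a, b_a = elgamal_keygen(P, G, rng)
    c = elgamal_encrypt(m, b_a, P, G, rng)
    return elgamal_decrypt(c, a_a, P), eavesdrop(c, b_a, P, G)

if __name__ == "__main__":
    print(roundtrip(777))
```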

The Massey-Omura public-key cipher

One can change the Pohlig-Hellman private-key cipher slightly to make a public-key cipher. This was done by Massey and Omura. Their system is not used much because it is inefficient. (But the elliptic curve version is used.) Consider a Pohlig-Hellman cipher with common prime $p$. This was called Method 2 earlier. Suppose users A and B have encryption algorithms $E_A$ and $E_B$ and decryption algorithms $D_A$ and $D_B$. (So $E_A(M) = M^{e_A} \bmod p$, $D_A(C) = C^{d_A} \bmod p$, where $e_A d_A \equiv 1 \pmod{p-1}$, etc.) Since the encryption and decryption algorithms are all exponentiation modulo a fixed modulus, they all commute, that is, they may be done in any order and give the same result. For example, $E_A(D_B(x)) = D_B(E_A(x))$ for every $x$ because both are just $x^{e_A d_B} = x^{d_B e_A} \bmod p$.

How do A and B use this property as a public-key cipher? The public key is the common prime modulus $p$. The private keys are ALL of the exponents (unlike RSA). If Alice wants to send a message $0 < M < p$ to Bob, she first sends $E_A(M)$ to Bob. Bob replies by sending $E_B(E_A(M))$ to Alice. Then Alice sends $D_A(E_B(E_A(M))) = E_B(D_A(E_A(M))) = E_B(M)$ to Bob. Bob deciphers the message by applying $D_B$ to it. The security depends on the difficulty of the Discrete Logarithm Problem. The system is a protocol which requires a two-way exchange of three messages, not impossible, but still less convenient than RSA or El-Gamal, in which just one message is sent.

Mental poker

Each player is dealt five of the 52 cards. Each player can see his hand and not any other player's hand. Players bet based on their hands. The best hand wins. In some variations, some cards are revealed and some cards may be replaced by cards not yet dealt. The e-mail or mental protocol for poker requires a fair deal: players see their own hands, but not other hands. The hands are disjoint. All hands are equally likely. A player can draw (replace) selected cards. A player can reveal individual cards one at a time without revealing other cards. All players can check at the end of the game that there was no cheating.

We use a variation of Pohlig-Hellman to implement mental poker. Assume there are two players, Alice and Bob. (There are similar protocols for three or more players.) The players jointly choose a large prime $p$ as modulus. Each secretly chooses $e_A, d_A, e_B, d_B$, as in Pohlig-Hellman. Define $E_A(M) = M^{e_A} \bmod p$, etc. Recall that these functions commute: $E_A E_B = E_B E_A$, etc. Let $M_1, \ldots, M_{52}$ be the encoded deck (more if there is a joker).

1. Bob enciphers the cards as $C_i = E_B(M_i)$ for $i = 1, \ldots, 52$. Bob sorts the $C_i$ and sends them to Alice.
2. Alice selects five cards $C_i$ at random and sends them to Bob, who decrypts them as his hand.
3. Alice selects five more random cards, say $C_1, \ldots, C_5$ (her hand), and enciphers them as $C_i' = E_A(C_i)$. She sends them to Bob.
4. Bob deciphers the $C_i'$ (they are still enciphered with $E_A$ after he applies $D_B$ to undo $E_B$) and sends them back to Alice.
5. Alice deciphers the five cards and uses them as her hand. They bet and play poker.
6. At the end of the hand, Alice and Bob exchange their keys $e_A$, etc., and check everything that happened.

Quadratic residues

Unfortunately, one can cheat in mental poker because $E_A$, $E_B$, etc., preserve quadratic residues. Definition. $a$ is a quadratic residue modulo $n$ if $\gcd(a, n) = 1$ and there is an integer $x$ such that $x^2 \equiv a \pmod n$. Such an $x$ is called a square root of $a$ modulo $n$. $a$ is a quadratic nonresidue modulo $n$ if $\gcd(a, n) = 1$ and there is no integer $x$ such that $x^2 \equiv a \pmod n$. Theorem. Let $0 < a < n$, $\gcd(a, n) = 1$, and $\gcd(e, \varphi(n)) = 1$. Then $a$ is a QR mod $n$ if and only if $a^e$ is a QR mod $n$.

Alice can use this theorem to cheat: perhaps most high cards are QR and most low cards are QNR. It is like playing with a deck in which most high cards are marked. This attack can be foiled by (a) appending extra bits to each $M_i$ or (b) multiplying some $M_i$ by a fixed QNR in order to make all cards be QR or all cards be QNR. Note: when the modulus is prime, we have $\mathrm{QR} \cdot \mathrm{QR} = \mathrm{QR}$; $\mathrm{QR} \cdot \mathrm{QNR} = \mathrm{QNR}$; $\mathrm{QNR} \cdot \mathrm{QNR} = \mathrm{QR}$. In order for Alice to cheat and in order to foil the attack, one must be able to distinguish between QR and QNR mod $p$ (at least for prime $p$) quickly. This has been known for 200 years.

Quadratic residues

Theorem. For prime $p > 2$ and $0 < a < p$, the congruence $x^2 \equiv a \pmod p$ has exactly 2 solutions (in a CSR) if $a$ is a QR mod $p$ and no solution if $a$ is a QNR mod $p$. Theorem. For prime $p > 2$, there are $(p-1)/2$ QR and $(p-1)/2$ QNR in a CSR (or RSR) mod $p$. Theorem. For prime $p > 2$ and $0 < a < p$, $a^{(p-1)/2} \equiv \pm 1 \pmod p$. Theorem. (The Euler Criterion.) For prime $p > 2$ and $0 < a < p$, $a^{(p-1)/2} \equiv 1 \pmod p$ if $a$ is a QR mod $p$ and $a^{(p-1)/2} \equiv -1 \pmod p$ if $a$ is a QNR mod $p$.
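An added Python example (not from the notes) tying together the commuting Pohlig-Hellman functions: the three-message Massey-Omura exchange, the two-player mental poker deal (steps 1 to 5), the quadratic-residue leak (the Euler Criterion shows every card keeps its QR/QNR status under $E_B$), and fix (a), appending bits chosen so that every encoded card is a QR. The prime $p = 1000003$, the seed and the naive card encoding $1, \ldots, 52$ are constructed for the demo.

```python
import random
from math import gcd

P = 1000003   # constructed demo prime (far too small for real use); p - 1 = 2 * 3 * 166667

def ph_keygen(p, rng):
    """Pohlig-Hellman pair (e, d): gcd(e, p-1) = 1 and e*d = 1 (mod p-1)."""
    while True:
        e = rng.randrange(3, p - 1)
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def E(m, exp, p):
    """E_A(M) = M^e_A mod p and D_A(C) = C^d_A mod p are both this function."""
    return pow(m, exp, p)

def is_qr(a, p):
    """Euler Criterion: a^((p-1)/2) is 1 for a QR and p-1 (i.e. -1) for a QNR."""
    return pow(a, (p - 1) // 2, p) == 1

def massey_omura(m, e_a, d_a, e_b, d_b, p):
    """Three-message Massey-Omura exchange; returns the plaintext Bob recovers."""
    msg1 = E(m, e_a, p)                 # Alice -> Bob: E_A(M)
    msg2 = E(msg1, e_b, p)              # Bob -> Alice: E_B(E_A(M))
    msg3 = E(msg2, d_a, p)              # Alice -> Bob: D_A(E_B(E_A(M)))
    assert msg3 == E(m, e_b, p)         # commutativity: msg3 is just E_B(M)
    return E(msg3, d_b, p)              # Bob applies D_B

def deal(deck, e_a, d_a, e_b, d_b, p, rng):
    """Steps 1-5 of the two-player deal; returns (bob_hand, alice_hand) as plaintext."""
    shuffled = sorted(E(m, e_b, p) for m in deck)          # 1. Bob enciphers and sorts
    picks = rng.sample(shuffled, 10)                       # Alice picks ten blindly
    bob_hand = [E(c, d_b, p) for c in picks[:5]]           # 2. Bob decrypts his five
    double = [E(c, e_a, p) for c in picks[5:]]             # 3. Alice adds E_A to hers
    back = [E(c, d_b, p) for c in double]                  # 4. Bob strips E_B
    alice_hand = [E(c, d_a, p) for c in back]              # 5. Alice strips E_A
    return bob_hand, alice_hand

def qr_leak(deck, e_b, p):
    """Fraction of cards whose QR/QNR status is unchanged by E_B (the theorem says 1.0)."""
    return sum(is_qr(m, p) == is_qr(E(m, e_b, p), p) for m in deck) / len(deck)

def qr_safe_deck(n_cards, p):
    """Fix (a): append a byte to card i, chosen so that every encoded card is a QR.
    Decode as m >> 8; the appended byte carries no information about the card."""
    deck = []
    for i in range(1, n_cards + 1):
        t = 0
        while not is_qr((i << 8) + t, p):
            t += 1
        deck.append((i << 8) + t)
    return deck

def demo(seed=7):
    """Run the pieces above with constructed keys; returns the values worth checking."""
    rng = random.Random(seed)
    e_a, d_a = ph_keygen(P, rng)
    e_b, d_b = ph_keygen(P, rng)
    deck = list(range(1, 53))               # cards encoded naively as 1..52
    bob, alice = deal(deck, e_a, d_a, e_b, d_b, P, rng)
    return {"mo": massey_omura(4242, e_a, d_a, e_b, d_b, P),
            "leak": qr_leak(deck, e_b, P), "bob": bob, "alice": alice}
```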