Cryptography CS 555. Topic 20: Other Public Key Encryption Schemes


Outline and Readings

Outline
- Quadratic Residue
- Rabin encryption
- Goldwasser-Micali
- Commutative encryption
- Homomorphic encryption

Readings
- Katz and Lindell: Chapter 11

Review: Quadratic Residues Modulo a Prime

- Definition: $a$ is a quadratic residue modulo $p$ if it has a square root, i.e., $\exists b \in Z_p^*$ such that $b^2 \equiv a \bmod p$. We write this as $a \in QR_p$.
- Exactly half of the elements in $Z_p^*$ are in $QR_p$: let $g$ be a generator; $a = g^j$ is a quadratic residue iff $j$ is even.
- Each QR modulo $p$ has two square roots in $Z_p^*$.
- The Legendre symbol indicates whether $a$ is a QR:
  $\left(\frac{a}{p}\right) = 0$ if $p \mid a$; $1$ if $a \in QR_p$; $-1$ if $a \notin QR_p$
  $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \bmod p$

Quadratic Residues Modulo a Composite n

- Definition: $a$ is a quadratic residue modulo $n$ ($a \in QR_n$) if $\exists b \in Z_n^*$ such that $b^2 \equiv a \bmod n$; otherwise, when $a \neq 0$, $a$ is a quadratic nonresidue.
- Fact: $a \in QR_n$, where $n = pq$, iff $a \in QR_p$ and $a \in QR_q$.
- The "only if" direction: if $b^2 \equiv a \bmod n$, then $b^2 \equiv a \bmod p$ and $b^2 \equiv a \bmod q$.
- The "if" direction: if $b^2 \equiv a \bmod p$ and $c^2 \equiv a \bmod q$, then the four solutions to the four equation sets
  1. $x \equiv b \bmod p$ and $x \equiv c \bmod q$
  2. $x \equiv b \bmod p$ and $x \equiv -c \bmod q$
  3. $x \equiv -b \bmod p$ and $x \equiv c \bmod q$
  4. $x \equiv -b \bmod p$ and $x \equiv -c \bmod q$
  satisfy $x^2 \equiv a \bmod n$.

For example

- Fact: if $n = pq$, then $x^2 \equiv 1 \pmod{n}$ has four solutions that are $< n$.
- $x^2 \equiv 1 \pmod{n}$ if and only if both $x^2 \equiv 1 \pmod{p}$ and $x^2 \equiv 1 \pmod{q}$.
- Two trivial solutions: $1$ and $n-1$
  - $1$ is the solution to $x \equiv 1 \pmod{p}$ and $x \equiv 1 \pmod{q}$
  - $n-1$ is the solution to $x \equiv -1 \pmod{p}$ and $x \equiv -1 \pmod{q}$
- Two other solutions
  - the solution to $x \equiv 1 \pmod{p}$ and $x \equiv -1 \pmod{q}$
  - the solution to $x \equiv -1 \pmod{p}$ and $x \equiv 1 \pmod{q}$
- E.g., $n = 3 \cdot 5 = 15$; then $x^2 \equiv 1 \pmod{15}$ has the following solutions: 1, 4, 11, 14.

Quadratic Residues Modulo a Composite

- $|QR_n| = |QR_p| \cdot |QR_q| = (p-1)(q-1)/4$
- The quadratic nonresidues in $Z_n^*$ number $3(p-1)(q-1)/4$.
- The Jacobi symbol does not tell whether a number $a$ is a QR: $\left(\frac{a}{n}\right) = \left(\frac{a}{p}\right)\left(\frac{a}{q}\right)$
  - when it is $-1$, then either $a \in QR_p \wedge a \notin QR_q$ or $a \notin QR_p \wedge a \in QR_q$, so $a$ is not a QR
  - when it is $1$, then either $a \in QR_p \wedge a \in QR_q$ or $a \notin QR_p \wedge a \notin QR_q$
  - $a$ is a QR in the former case, but not in the latter case
- It is widely believed that determining QR modulo $n$ is equivalent to factoring $n$; no proof is known.
- Without factoring, one can guess correctly with prob. ½ for those with Jacobi symbol 1.

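[Figure: the integers in $Z_n^*$ split into four classes by whether $x \in QR_p$ and whether $x \in QR_q$. The class with $x \in QR_p$ and $x \in QR_q$ is QR modulo $n$. Two classes are labeled "Jacobi symbol is 1" and two "Jacobi symbol is -1".]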

The Rabin Encryption Scheme

- Motivation: The security of RSA encryption depends on the difficulty of computing the $e$-th root modulo $n$, i.e., given $C$, it is difficult to find $M$ s.t. $M^e = C \bmod n$.
- It is not known that RSA encryption is as difficult as factoring.
- The Rabin encryption scheme is provably secure if factoring is hard.
- Idea: rather than using an odd prime as $e$, use 2: $f(x) = x^2 \bmod n$
  - this is not a special case of RSA, as this function is not 1-to-1.

The Rabin Encryption Scheme

- Public key: $n$
- Private key: $p$, $q$ s.t. $n = pq$
- Encryption: compute $c = m^2 \bmod n$
- Decryption: compute the square roots of $c$.
  - how many are there?
- Fact: when $p \equiv q \equiv 3 \pmod 4$, deterministic algorithms exist to compute the square roots.
  - When $p \equiv 3 \pmod 4$, $a^{(p+1)/4}$ is a square root of $a$, because $(a^{(p+1)/4})^2 = a^{(p+1)/2} = a^{(p-1)/2} \cdot a = a$
  - otherwise, efficient randomized algorithms exist to compute the square roots

Computing Square Roots is as Hard as Factoring

- Given an algorithm A that can compute one square root of a number $a$ modulo $n$, one can use A to factor $n$ as follows:
  - randomly pick $x$, compute $z = x^2 \bmod n$
  - ask A to compute the square root of $z$; A returns $y$
  - if $y = x$ or $y = n - x$, then try again; otherwise, computing $\gcd(x+y, n)$ gives us a prime factor of $n$
  - as A has no way to tell which $x$ we've picked, with prob. ½ A returns a square root that allows us to factor $n$
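The decryption rule for $p \equiv q \equiv 3 \pmod 4$ and the factoring reduction above, as an added Python example (not part of the original slides). The primes are constructed toy values, and `sqrt_oracle` is a hypothetical stand-in for algorithm A that is built here from the secret factors only so the reduction can be run.

```python
import math
import random

# Constructed toy primes, both congruent to 3 mod 4 (far too small for real use).
P, Q = 10007, 10039
N = P * Q

def sqrt_mod_prime(a, p):
    """Square root of a QR a modulo a prime p with p % 4 == 3: a^((p+1)/4)."""
    return pow(a, (p + 1) // 4, p)

def crt(rp, rq, p, q):
    """The x in [0, pq) with x = rp (mod p) and x = rq (mod q)."""
    return (rp + p * ((rq - rp) * pow(p, -1, q) % q)) % (p * q)

def all_square_roots(c, p, q):
    """The four square roots modulo pq of a QR c, one per sign choice."""
    b, d = sqrt_mod_prime(c % p, p), sqrt_mod_prime(c % q, q)
    return sorted({crt(sp, sq, p, q) for sp in (b, p - b) for sq in (d, q - d)})

def rabin_encrypt(m, n):
    return pow(m, 2, n)

def sqrt_oracle(z):
    """Stand-in for algorithm A: returns one root, chosen independently of x."""
    return random.choice(all_square_roots(z, P, Q))

def factor_with_oracle(n, oracle):
    """The reduction from the slide: turn a square-root oracle into a factor of n."""
    while True:
        x = random.randrange(2, n - 1)
        if math.gcd(x, n) != 1:
            return math.gcd(x, n)       # the random draw already shares a factor
        y = oracle(pow(x, 2, n))
        if y not in (x, n - x):         # root from a different sign pattern
            return math.gcd(x + y, n)   # x^2 = y^2 and y != +-x split n
```

Decryption returns four candidates, which is why the scheme needs redundancy in the message to identify the intended root.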

Pragmatic Considerations for the Rabin Encryption Scheme

- Normally, one picks $p \equiv q \equiv 3 \pmod 4$.
- Textbook Rabin is insecure, because it is deterministic.
- Redundancy is used to ensure that only one square root is a legitimate message.
- Encryption is very fast, only one exponentiation.
- Decryption is comparable to RSA decryption.

The Goldwasser-Micali Probabilistic Encryption Scheme

- First provably semantically secure public key encryption scheme
  - security is based on the hardness of determining whether a number $x$ is a QR modulo $n$, when the factoring of $n$ is unknown and the Jacobi symbol $\left(\frac{x}{n}\right)$ is 1
- Encryption is bit by bit
  - For each bit in the plaintext, the ciphertext is one number in $Z_n^*$; the expansion factor is 1024 when using 1024-bit moduli

The Goldwasser-Micali Probabilistic Encryption Scheme

- Key generation
  - randomly choose two large equal-size prime numbers $p$ and $q$
  - pick a random integer $y$ such that $\left(\frac{y}{p}\right) = \left(\frac{y}{q}\right) = -1$
  - public key is $(n = pq, y)$; private key is $(p, q)$
  - Property of $y$: $y$ is not a QR, but has Jacobi symbol 1
- Encryption
  - to encrypt one bit $b$, pick a random $x$ in $Z_n^*$, and let $C = x^2 y^b$
  - that is, $C = x^2$ when $b = 0$, and $C = x^2 y$ when $b = 1$

The Goldwasser-Micali Probabilistic Encryption Scheme

- Consider the Jacobi symbol of the ciphertext $C$:
  $\left(\frac{x^2}{n}\right) = \left(\frac{x^2}{p}\right)\left(\frac{x^2}{q}\right) = 1 \cdot 1 = 1$
  $\left(\frac{y x^2}{n}\right) = \left(\frac{y x^2}{p}\right)\left(\frac{y x^2}{q}\right) = (-1)(-1) = 1$
- Consider whether the ciphertext $C$ is a QR modulo $n$
  - $C$ is a QR iff the plaintext bit $b$ is 0
- Decryption: knowing $p$ and $q$ s.t. $n = pq$, one can determine whether $x$ is a QR modulo $n$ and thus retrieve the plaintext (how?)
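Key generation, bit-by-bit encryption and decryption as described in the Goldwasser-Micali slides above, as an added Python example (not part of the original slides). The primes are constructed toy values; decryption answers the "how?" by testing residuosity modulo $p$ with Euler's criterion, one standard way to do it.

```python
import math
import random

# Constructed toy primes (real keys use large equal-size primes).
P, Q = 10007, 10039

def legendre(a, p):
    """Legendre symbol by Euler's criterion: a^((p-1)/2) mod p mapped to 1, -1 or 0."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def keygen(p, q):
    """Public key (n, y) with (y/p) = (y/q) = -1; private key (p, q)."""
    n = p * q
    while True:
        y = random.randrange(2, n)
        if legendre(y, p) == -1 and legendre(y, q) == -1:
            return (n, y), (p, q)

def random_unit(n):
    """A random element of Z_n^*."""
    while True:
        x = random.randrange(2, n)
        if math.gcd(x, n) == 1:
            return x

def encrypt_bit(pub, b):
    """C = x^2 * y^b mod n for a fresh random x in Z_n^*."""
    n, y = pub
    x = random_unit(n)
    return pow(x, 2, n) * pow(y, b, n) % n

def decrypt_bit(priv, c):
    """C has Jacobi symbol 1, so it is a QR mod n exactly when it is a QR mod p."""
    p, _ = priv
    return 0 if legendre(c, p) == 1 else 1

def encrypt(pub, bits):
    return [encrypt_bit(pub, b) for b in bits]

def decrypt(priv, cts):
    return [decrypt_bit(priv, c) for c in cts]
```

Every ciphertext has Jacobi symbol 1 whatever the bit, so the Jacobi symbol, which anyone can compute without the factors, reveals nothing about the plaintext.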

Cost of Semantic Security in Public Key Encryption

- In order to have semantic security, some expansion is necessary
  - i.e., the ciphertext must be larger than its corresponding plaintext (why?)
  - the Goldwasser-Micali encryption scheme generates ciphertexts of size $1024m$
  - suppose that all plaintexts have size $m$; what is the minimal size of ciphertexts to have an adequate level of security (e.g., takes $2^t$ to break the semantic security)?

Commutative Encryption

- Definition: an encryption scheme is commutative if $E_{K_1}[E_{K_2}[M]] = E_{K_2}[E_{K_1}[M]]$
- Given an encryption scheme that is commutative, $D_{K_1}[D_{K_2}[E_{K_1}[E_{K_2}[M]]]] = M$
- That is, if a message is encrypted twice, the order does not matter.
- Most symmetric encryption schemes (such as DES and AES) are not commutative.

Examples of Commutative Encryption Schemes

- Private key: Pohlig-Hellman Exponentiation Cipher with the same modulus $p$
  - encryption key is $e$, decryption key is $d$, where $ed \equiv 1 \pmod{p-1}$
  - $E_{e_1}[M] = M^{e_1} \bmod p$ and $D_{d_1}[C] = C^{d_1} \bmod p$
  - $E_{e_1}[E_{e_2}[M]] = M^{e_1 e_2} = E_{e_2}[E_{e_1}[M]] \pmod p$

The SRA Mental Poker Protocol

- How do two parties play poker without a trusted third party?
- Need to deal each one a hand of cards, and after placing bets, be able to show hands.
- Setup: Alice and Bob agree on using $M_1, M_2, \ldots, M_{52}$ to denote the 52 cards.
- Any ideas?

The SRA Mental Poker Protocol

- Alice encrypts $M_1, M_2, \ldots, M_{52}$ using her key, then randomly permutes them and sends the ciphertexts to Bob
- Bob picks 5 ciphertexts as Alice's hand and sends them to Alice
- Alice decrypts them to get her hand
- Bob picks 5 other ciphertexts as his hand, encrypts them using his key, and sends them to Alice
- Alice decrypts the 5 ciphertexts and sends them to Bob
- Bob decrypts what Alice sends and gets his hand
- Both Alice and Bob reveal their key pairs to the other party and verify that the other party was not cheating. (Why is this step needed?)
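The deal described above, run with the Pohlig-Hellman exponentiation cipher as the commutative scheme, as an added Python example (not part of the original slides). The shared modulus and the encoding of $M_1, \ldots, M_{52}$ as the integers 2..53 are assumptions made for the example.

```python
import math
import random

P = 2**61 - 1                 # shared prime modulus (constructed toy parameter)
CARDS = list(range(2, 54))    # M_1..M_52 encoded as 2..53 (assumed encoding)

def keygen(p=P):
    """Pohlig-Hellman key pair (e, d) with e*d = 1 mod (p-1)."""
    while True:
        e = random.randrange(3, p - 1)
        if math.gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def enc(k, m, p=P):
    """E_k[M] = M^k mod p; decryption is the same map with exponent d."""
    return pow(m, k, p)

dec = enc

def deal(alice, bob):
    ea, da = alice
    eb, db = bob
    # Alice encrypts every card, shuffles, and sends the deck to Bob.
    deck = [enc(ea, m) for m in CARDS]
    random.shuffle(deck)
    # Bob picks 5 ciphertexts for Alice; she removes her layer.
    alice_hand = [dec(da, c) for c in deck[:5]]
    # Bob picks 5 others, adds his own layer, and sends them to Alice.
    doubly = [enc(eb, c) for c in deck[5:10]]
    # Alice strips her layer (possible because the cipher commutes), then Bob strips his.
    from_alice = [dec(da, c) for c in doubly]
    bob_hand = [dec(db, c) for c in from_alice]
    return deck, alice_hand, bob_hand

def verify_deck(deck, revealed_key):
    """Post-game check: the revealed key must open the deck to exactly the 52 cards."""
    _, d = revealed_key
    return sorted(dec(d, c) for c in deck) == CARDS
```

Because every valid exponent is odd, this cipher preserves quadratic residuosity modulo $p$, so with this plain encoding a ciphertext leaks whether its card is a QR; the example shows the message flow only.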

Homomorphic Encryption

- Encryptions that allow computations on the ciphertexts
  - $E_k[m_1] E_k[m_2] = E_k[m_1 m_2]$
- Applications
  - E-voting: everyone encrypts votes as 1 or 0, aggregate all ciphertexts before decrypting; no individual vote is revealed. Requires additive homomorphic encryption: the operation on plaintexts is +
  - Secure cloud computing. Requires fully homomorphic encryption, i.e., homomorphic properties for both + and ×

Homomorphic Properties of Some Encryption Schemes

- Multiplicative homomorphic encryption
  - Unpadded RSA: $m_1^e \cdot m_2^e = (m_1 m_2)^e$
  - El Gamal: given public key $(g, h = g^a)$ and ciphertexts $(g^{r_1}, h^{r_1} m_1)$ and $(g^{r_2}, h^{r_2} m_2)$, multiply both components: $(g^{r_1+r_2}, h^{r_1+r_2} m_1 m_2)$
- Additive homomorphic encryption schemes
  - Paillier cryptosystem (will explore in HW problem)
- Fully homomorphic encryption schemes also exist
  - Significantly slower than other PK encryption
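The El Gamal component-wise product above, as an added Python example (not part of the original slides). It goes one step beyond the slide by encoding a 0/1 vote as $g^v$ ("exponential" El Gamal, a technique the slides do not name), so that multiplying ciphertexts adds votes as in the e-voting application; the group parameters are constructed toy values.

```python
import random

# Constructed toy group: P = 2*Q_ORD + 1 with both prime; G = 4 has order Q_ORD.
P, Q_ORD, G = 2039, 1019, 4

def keygen():
    a = random.randrange(1, Q_ORD)
    return pow(G, a, P), a                      # public h = g^a, private a

def encrypt(h, m):
    r = random.randrange(1, Q_ORD)
    return pow(G, r, P), pow(h, r, P) * m % P   # (g^r, h^r * m)

def decrypt(a, ct):
    c1, c2 = ct
    return c2 * pow(c1, -a, P) % P              # c2 / c1^a

def multiply(ct1, ct2):
    """Component-wise product: an encryption of m1*m2 under randomness r1+r2."""
    return ct1[0] * ct2[0] % P, ct1[1] * ct2[1] % P

def encrypt_vote(h, v):
    """Encode the vote in the exponent so that products of ciphertexts add votes."""
    return encrypt(h, pow(G, v, P))

def tally(a, ballots):
    """Multiply all ballots, decrypt once, and recover the sum by a small search."""
    acc = (1, 1)                                # trivial encryption of 1
    for ct in ballots:
        acc = multiply(acc, ct)
    target = decrypt(a, acc)                    # equals g^(sum of votes)
    return next(s for s in range(len(ballots) + 1) if pow(G, s, P) == target)
```

Only the aggregate is ever decrypted, which is the property the e-voting application relies on; the same malleability is why unpadded schemes of this kind are not secure against chosen-ciphertext attacks.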

Coming Attractions

- Digital Signatures
- Reading: Katz & Lindell: Chapter 12.1 to 12.5