The number theory behind cryptography


The University of Vermont May 16, 2017

What is cryptography? Cryptography is the practice and study of techniques for secure communication in the presence of adverse third parties.

What is cryptography? In other words, it is about constructing and analyzing ways to communicate that prevent third parties from reading private messages. Modern applications: all of the internet.

Organization of this talk
1. Vocabulary and history
2. Mathematical preliminaries
3. Discrete logarithm problem
4. Digital Signature Algorithm
5. Attacking DSA

1. Vocabulary and history

Some vocabulary
Encryption refers to the process of changing ordinary text (plaintext) into unintelligible text (ciphertext). Decryption is the reverse.

Some vocabulary
A cipher is the algorithm used to encrypt and decrypt. The operation of most good ciphers is controlled both by the algorithm and a parameter called a key.

Example: Caesar cipher
The algorithm of the Caesar cipher is to replace each letter by the $k$th letter preceding it in the alphabet. The specific choice of $k$ in a given instance of this cipher is the key.

For example, given the plaintext "Hello world" and the key $k = 2$, we replace H with the letter F, e with c, l with j, etc. to produce the ciphertext "Fcjjm umpjb".

To decrypt, use the same key $k$, but choose the $k$th letter following a given letter in the alphabet.

Cryptography then: Secret key cryptography
Main idea: Alice and Bob share privately the cipher and/or key they will use to communicate.
Examples:
- Caesar cipher (~100 BC)
- Enigma machine (WWII)

This is also often called symmetric key cryptography, since Alice and Bob use the same secret key to encrypt and decrypt the message.
Drawback: Requires a secure exchange before setting up the secure exchange...

Cryptography now: Public key cryptography
In June 1976, Diffie and Hellman proposed the notion of public key or asymmetric key cryptography. [1] In such a cryptosystem, Bob generates two sets of keys, one public and one private.
[1] Actually this was discovered in 1970 by Ellis at Government Communications Headquarters, but it was classified until 1997.

Alice uses Bob's public key to encrypt a message to Bob, and then Bob uses his private key to decrypt the message.

Main idea
Public or asymmetric key cryptography relies on one thing: There are some things in mathematics that are easy to do, but difficult to undo.

An example of a suitable problem
Which problem would you rather see appear on an exam:
1. Perform the multiplication $1489 \times 701$; or
2. Factor the number 1,043,789.

Rough idea
Bob has the two primes 1489 and 701 as his private key, and the product 1,043,789 as his public key. He can publish his public key for everyone to see without fear that they can recover his private key, since factoring is difficult. [2]
[2] At least we think it is.

One-slide detour: the RSA algorithm
In 1978, Rivest, Shamir and Adleman published the first public key cryptography system, which is now called the RSA algorithm. [3] RSA's security relies on the fact that it is easy to multiply but hard to factor.
[3] Actually an equivalent system was developed by Cocks at GCHQ in 1973.

Our focus
In this talk I will focus on cryptosystems relying on a different difficult problem: the discrete logarithm problem.

2. Mathematical preliminaries

The division algorithm
Theorem: Let $a$ and $n$ be two positive integers. Then there exist unique $q$ and $r$, with $0 \le r < n$, with $a = qn + r$. We call $r$ the remainder of the division of $a$ by $n$.

The division algorithm
Example: Let $a = 101$ and $n = 13$; then $101 = 7 \cdot 13 + 10$, so the remainder is $r = 10$.
Example: Let $a = 67$ and $n = 13$; then $67 = 5 \cdot 13 + 2$, so the remainder is $r = 2$.

Remainders are interesting!
Question: Now let $a = 101 + 67 = 168$. What is the remainder when we divide by $n = 13$?
It is $10 + 2 = 12$ (!). Indeed $168 = 12 \cdot 13 + 12$.

Question: Now let $a = 101 \cdot 67 = 6767$. What is the remainder when we divide by $n = 13$?
It cannot be $10 \cdot 2 = 20$, because that is too big. But 6767 has the same remainder as 20 (!). Indeed $20 = 13 + 7$ and $6767 = 520 \cdot 13 + 7$.

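How can that be?
Actually, this follows from facts you know:
$$101 + 67 = (7 \cdot 13 + 10) + (5 \cdot 13 + 2) = 7 \cdot 13 + 5 \cdot 13 + 10 + 2 = (7 + 5) \cdot 13 + 12$$
$$101 \cdot 67 = (7 \cdot 13 + 10)(5 \cdot 13 + 2) = 7 \cdot 5 \cdot 13 \cdot 13 + 10 \cdot 5 \cdot 13 + 7 \cdot 2 \cdot 13 + 10 \cdot 2$$
$$= (7 \cdot 5 \cdot 13 + 10 \cdot 5 + 7 \cdot 2) \cdot 13 + 20 = (7 \cdot 5 \cdot 13 + 10 \cdot 5 + 7 \cdot 2 + 1) \cdot 13 + 7$$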

Congruence modulo n
Definition: Let $0 \le r < n$. We say that $a \equiv r \pmod{n}$ if $r$ is the remainder of $a$ when we divide by $n$.

What we did always works!
It turns out that we can add and multiply remainders much like we can add and multiply integers. Furthermore, the addition and multiplication for remainders satisfy the same properties as addition and multiplication for integers.

A familiar example: clocks
Question: It is 7pm now. What time will it be in 3 hours? In 10 hours? In 50 hours?
The first one is easy: It will be 10pm.
The second one we can think of this way: In 5 hours it will be midnight, then in 5 more hours it will be 5am. Another way to think about this is: $7 + 10 = 17$ and 17 has remainder 5 when we divide by 12.
The third one we can think of this way: $50 = 4 \cdot 12 + 2$. So in 48 hours it will be 7 again. Then two hours later it will be 9. Another way to think about it is this: $7 + 50 = 57$ and 57 has remainder 9 when divided by 12.

Our clocks
For our purposes, we always like $n$ to be a prime number. So for example, we might do our arithmetic with $n = 13$, as we did before. There we have
$$1 + 5 \equiv 6 \pmod{13}$$
$$4 + 7 \equiv 11 \pmod{13}$$
$$7 + 7 \equiv 1 \pmod{13}$$
$$10 + 8 \equiv 5 \pmod{13}$$

An important fact
When $n$ is prime, for any $a \not\equiv 0$, there is $b$ with $ab \equiv 1 \pmod{n}$. We call $b$ the multiplicative inverse of $a$ and denote it $a^{-1}$.
Multiplying by $b$ plays the role of dividing by $a$. Indeed, if $ax \equiv c \pmod{n}$ then $bax \equiv bc \pmod{n}$, or $x \equiv bc \pmod{n}$.

Example
For example let $n = 13$ and $a = 3$. Then $3 \cdot 9 \equiv 1 \pmod{13}$. This is because $3 \cdot 9 = 27$ and $27 = 2 \cdot 13 + 1$. Therefore $3 \cdot 9 = 27 \equiv 1 \pmod{13}$.

All of this is easy
It turns out that everything we have seen so far is easy for a computer to do:
- Addition and multiplication modulo $n$ is just normal addition and multiplication plus finding the remainder.
- Exponentiation (for example computing $2^{10}$ modulo 13) is easy because it is just repeated multiplication.
- Although we will not get into it, finding $a^{-1}$ modulo $n$ is also easy using Euclid's Algorithm.

Our difficult problem: discrete log problem
Suppose that I give you $a = 2$, $b = 5$, and $n = 13$ and ask you to find $k$ such that $2^k \equiv 5 \pmod{13}$. What would you do?

In general, given $a$ and $b$ such that $a^k \equiv b \pmod{n}$, computing $k = \log_a b$ is difficult.

Important note about "difficult"
We do not mean here that computing the logarithm is difficult to do by hand! If someone asked me what $\log_2 5$ was, we can use a calculator. (It is 2.32192809488736.) What we mean is that there is no way for a calculator to compute $\log_2 5$ modulo 13. (!)

Taxonomy of problems
We have some easy problems:
- multiplication and addition
- exponentiation
- computing $a^{-1}$ modulo $n$
And a hard problem:
- computing the discrete logarithm

3. Discrete logarithm problem

How to use the DLP as a cryptoscheme
So that Bob can receive secret messages, he needs to make the following preparations:
1. Bob chooses a prime $p$ and an integer $a$ relatively prime to $p$
2. Bob chooses an integer $k$
3. Bob computes $b \equiv a^k \pmod{p}$
4. Bob publishes $a$, $b$ and $p$, but keeps $k$ private

How to use this as a cryptoscheme
To send the secret number $m$ to Bob, Alice now follows these steps:
1. Alice chooses a random number $y$ and computes $c_1 \equiv a^y \pmod{p}$ and $c_2 \equiv m b^y \pmod{p}$
2. Alice sends $c_1$ and $c_2$ to Bob publicly, and keeps $y$ private

To decrypt the message $m$, Bob simply computes $(c_2)(c_1^k)^{-1}$ because
$$(c_2)(c_1^k)^{-1} \equiv (m b^y)((a^y)^k)^{-1} \pmod{p}$$
$$\equiv m b^y ((a^k)^y)^{-1} \pmod{p}$$
$$\equiv m b^y (b^y)^{-1} \pmod{p}$$
$$\equiv m \pmod{p}.$$

The idea
- If either $k$ or $y$ became known, the secret message $m$ could be recovered.
- Alice uses $b^y$ to hide her message $m$ ($c_2 = m b^y$).
- Alice hides her $y$ inside $a^y$ for Bob to find.
- Bob uses his knowledge of $k$ to cancel the $y$'s: Since $a^k = b$, $b^y = (a^k)^y = (a^y)^k$.

The point
Both Bob and Alice only perform easy operations. As long as $k$ and $y$ remain secret, no one but Bob or Alice can read the message, even if they know
- $a$
- $p$
- $b \equiv a^k \pmod{p}$
- $c_1 \equiv a^y \pmod{p}$
- $c_2 \equiv m b^y \pmod{p}$.
To get the message, they must compute either $k = \log_a b$ or $y = \log_a c_1$.

Crypto using DLP: Example
Suppose that Bob publishes $p = 13$, $a = 2$, $b = 5$. (Bob knows that $2^9 \equiv 5 \pmod{13}$ but no one else can know.)
Alice wants to send the message $m = 4$ to Bob. She first chooses $y = 7$ randomly. She sends $c_1 = 11 \equiv 2^7 \pmod{13}$, $c_2 = 6 \equiv 4 \cdot 5^7 \pmod{13}$.
Then Bob computes $6 \cdot (11^9)^{-1} \equiv 4 \pmod{13}$.
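The exchange from the slides above, run with the same toy numbers (p = 13, a = 2, k = 9, m = 4, y = 7), as an added example that is not part of the original talk. The function names are illustrative, and `brute_force_log` answers the earlier "What would you do?" question by exhaustive search, which works only because p is tiny.

```python
import secrets

def keygen(p, a, k=None):
    """Bob's preparation: private k, public (p, a, b) with b = a^k mod p."""
    if k is None:
        k = 1 + secrets.randbelow(p - 2)          # 1 <= k <= p - 2
    return k, (p, a, pow(a, k, p))

def encrypt(pub, m, y=None):
    """Alice's steps: c1 = a^y and c2 = m * b^y (mod p), with a fresh secret y."""
    p, a, b = pub
    if not 0 < m < p:
        raise ValueError("message must be in 1..p-1")
    if y is None:
        y = 1 + secrets.randbelow(p - 2)
    return pow(a, y, p), (m * pow(b, y, p)) % p

def decrypt(p, k, c1, c2):
    """Bob's step: m = c2 * (c1^k)^(-1) mod p."""
    mask = pow(c1, k, p)                          # equals b^y
    return (c2 * pow(mask, -1, p)) % p            # modular inverse, Python 3.8+

def brute_force_log(a, b, p):
    """Smallest k with a^k = b (mod p), found by trying every exponent."""
    x = 1
    for k in range(p - 1):
        if x == b:
            return k
        x = (x * a) % p
    return None

if __name__ == "__main__":
    k, pub = keygen(13, 2, k=9)                   # the slide's values
    c1, c2 = encrypt(pub, 4, y=7)
    print(pub, (c1, c2), decrypt(13, k, c1, c2))
    # With p = 13 an eavesdropper needs at most 12 multiplications:
    print(brute_force_log(2, 5, 13))
```

The search cost grows with p itself while `pow` grows only with the number of digits of p, which is the gap between "easy" and "hard" that the scheme relies on.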

4. Digital Signature Algorithm

Digital signatures
A digital signature is a process by which an entity proves that it is who it claims to be. One way to do this is for the entity to prove knowledge of its secret key (without disclosing it).

For example if Alice is writing a message to Bob, Bob might want Alice to prove that she is the person she claims to be.

How is that even possible? DSA
To prove her identity, Alice would need to first prepare her own DLP. Therefore we assume that Alice has published her own $a_A$, $b_A$ ($\equiv a_A^{k_A} \pmod{p_A}$) and $p_A$. Also, Alice has sent the message $m$ encrypted with Bob's public key.

To prove that Alice is really Alice, she proves that she has access to $k_A$:
1. She generates a random integer $0 < l < p_A - 1$
2. She computes $r \equiv a_A^l \pmod{p_A}$
3. She also computes $s \equiv l^{-1}(m + k_A r) \pmod{p_A - 1}$
Her signature is $(r, s)$, which she publishes. Note that $l$ and $k_A$ remain secret. (And only Bob knows $m$.)

To check that Alice knows $k_A$, Bob computes $a_A^{m s^{-1}} b_A^{r s^{-1}}$ and checks that this is equal to $r$. Indeed,
$$a_A^{m s^{-1}} b_A^{r s^{-1}} \equiv a_A^{m s^{-1}} (a_A^{k_A})^{r s^{-1}} \pmod{p_A}$$
$$\equiv a_A^{s^{-1}(m + k_A r)} \pmod{p_A}$$
$$\equiv a_A^{l} \pmod{p_A}$$
$$\equiv r.$$
Note that all that Bob needs is access to $m$, and this only works if Alice has used $k_A$.

DSA: Example Alice sent the message m = 4 to Bob. He decrypted it as we did above. To sign her message, Alice needs her own a, b and p. She chooses a = 3, b = 4, p = 17. She signs her message (5, 6). Bob verifies that the message 4 is indeed from her because 3 4 4 1 4 5 6 1 3 4 16 (mod 17) 5 (mod 17)

5. Attacking DSA

One use of DSA
Modern game consoles are prevented from installing software that does not come from their manufacturer. This is done by telling the console to accept software updates only from sources that give the correct signature. In other words, the console only accepts software from sources that know the correct value of $k$.

2012 attack on PS3
In 2012, the Three Musketeers revealed that they obtained access to the Sony $k$ value. The public key $(a, b, p)$ for this value was embedded in the hardware of every PS3 produced to date. Sony used it to sign the code which further controlled the security of the whole PS3.
With this key, the PS3 could be jailbroken and made to run pirated games or any other software. Because this affected the lowest level of security of the PS3, this could not be patched.

How could this happen?!
To certify the authenticity of its code, Sony used the same value of $l$ repeatedly. This is easy to notice: the first parameter of the signature is $r \equiv a^l \pmod{p}$; two signatures with the same $r$ have used the same $l$.

Just solve for l
Once they received two signatures $(r, s_1)$, $(r, s_2)$, recall that
$$s_i \equiv l^{-1}(m_i + kr) \pmod{p - 1}.$$
Solving for $m_i$ we get
$$m_i \equiv s_i l - kr \pmod{p - 1}.$$
So
$$m_1 - m_2 \equiv (s_1 l - kr) - (s_2 l - kr) \equiv (s_1 - s_2) l \pmod{p - 1}.$$

And now solve for k
It is now trivial to recover $k$:
$$k \equiv r^{-1}(sl - m) \pmod{p - 1}.$$
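A signer-side check for the failure described above, as an added example that is not part of the original talk: it implements the signing and verification equations from the "How is that even possible? DSA" slides and then audits a batch of signatures for a repeated $r$ on different messages. The parameters p = 2039, a = 7, the key 1235 and all function names are constructed for illustration.

```python
import math
import secrets
from collections import defaultdict

P, A = 2039, 7   # constructed toy public parameters (2039 is prime)
N = P - 1        # exponents are taken modulo p - 1

def sign_with_nonce(m, k, l):
    """r = a^l mod p and s = l^-1 (m + k r) mod (p - 1), as on the slides."""
    if math.gcd(l, N) != 1:
        raise ValueError("l must be invertible modulo p - 1")
    r = pow(A, l, P)
    return r, (pow(l, -1, N) * (m + k * r)) % N

def sign(m, k, tries=1000):
    """Sign with a fresh random l, retrying until s is invertible mod p - 1."""
    for _ in range(tries):
        l = 1 + secrets.randbelow(N - 1)
        if math.gcd(l, N) != 1:
            continue
        r, s = sign_with_nonce(m, k, l)
        if math.gcd(s, N) == 1:
            return r, s
    raise ValueError("no verifiable signature found for this (m, k)")

def verify(m, sig, b):
    """Accept iff a^(m s^-1) * b^(r s^-1) = r (mod p)."""
    r, s = sig
    if not (0 < r < P and 0 < s < N) or math.gcd(s, N) != 1:
        return False
    s_inv = pow(s, -1, N)
    return pow(A, m * s_inv % N, P) * pow(b, r * s_inv % N, P) % P == r

def reused_nonces(signed):
    """Return {r: messages} for every r seen on more than one distinct message."""
    by_r = defaultdict(set)
    for m, (r, _s) in signed:
        by_r[r].add(m)
    return {r: sorted(ms) for r, ms in by_r.items() if len(ms) > 1}

if __name__ == "__main__":
    k = 1235                                   # constructed private key
    b = pow(A, k, P)
    good = sign(42, k)
    print(verify(42, good, b), verify(43, good, b))
    # Two different messages signed with the same l share the same r:
    bad = [(10, sign_with_nonce(10, k, 5)), (11, sign_with_nonce(11, k, 5))]
    print(reused_nonces(bad))
```

Any entry returned by `reused_nonces` means the two equations above can be solved for $l$ and then $k$, so the signing key has to be treated as disclosed and replaced.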

To learn more/resources
- A series of crypto challenge problems: http://cryptopals.com
- Matthew Green's blog: http://blog.cryptographyengineering.com/
- Wikipedia

Thank you!