Reminder: Public Key Cryptosystem Invented in the late 1970's, with help from the development of complexity theory around that time. Based on a problem so difficult that it unrealistic computer time to solve Has two keys, a public key [(e,n) for RSA] and a private key [d or n=pq for RSA] Public key  encrypt messages: anyone/system knowing the public key could send them in privacy. decrypt  private key. owner of the private key would be the only one who could decrypt the messages Important idea  Application to generate key exchange in a two-party communication: common secret key for bulk encryption using a private/symmetric key cryptosystem Whitfield Diffie and Martin Hellman started the era of public key cryptosystems  ideas from number theory to construct a key exchange protocol Shortly after Ron Rivest, Adi Shamir and Leonard Adleman developed RSA: first real public key cryptosystem capable of encryption and digital signatures. Later several public cryptosystems followed using many different underlying ideas (e.g. knapsack problems, different groups on finite fields and lattices). Many of them were soon proven to be insecure. However, the Diffie-Hellman protocol and RSA appear to have remained two of the strongest up to now.

8.6 Cryptographic Protocols and Applications Protocols = Algorithms used between two or more parties to achieve a specific goal Cryptographic Protocol = performs a security-related function via a cryptosystem. Widely used for secure application-level data transport, ex. Key Exchange. Signature with RSA Digital cash, signature, credentials secure web (HTTP) connections, Online Poker, bid on auctions, Sharing secrets that could only be recovered by a LARGE group of people For more see [Meva Va97] “Menzes, Van Oorschot, Vanstone; Handbook of Applied Cryptography, CRC press, Boca Raton, Florida”

Advanced cryptographic protocols wide variety of cryptographic protocols go beyond the traditional goals of data confidentiality, integrity, and authentication to also secure a variety of other desired characteristics of computer-mediated collaboration. Blind signatures can be used for digital cash and digital credentials to prove that a person holds an attribute or right without revealing that person's identity or the identities of parties that person transacted with. Secure digital time-stamping can be used to prove that data (even if confidential) existed at a certain time. Secure multiparty computation can be used to compute answers (such as determining the highest bid in an auction) based on confidential data (such as private bids), so that when the protocol is complete the participants know only their own input and the answer. Undeniable signatures include interactive protocols that allow the signer to prove a forgery and limit who can verify the signature. Deniable encryption augments standard encryption by making it impossible for an attacker to mathematically prove the existence of a plaintext message. Digital mixes create hard-to-trace communications. (Wikipedia)Blind signaturesdigital cashdigital credentialsSecure digital time-stampingSecure multiparty computationUndeniable signaturesDeniable encryption Digital mixes

Diffie-Hellman Key Exchange (1976) Popular public-key technique for establishing secret keys over an insecure channel (to use for symmetric/private Cryptosystem). Example: exchange of keys between A & B over insecure communication links without previously shared information! Should not be discover by others in a feasible computer time. Public information: (p,r) p=large prime r=primitive root of p: {r k, k in N} ≡ {1,2,…,p-1} (mod p)

Private keys: A picks a private #k from {1,2,…,p-2}  private key k B picks a private #h from {1,2,…,p-2}  private key h Common Public Key K From A  B: y 1 ≡ r k (mod p) B  common key K ≡ y 1 h ≡ r kh (mod p) From B  A: y 2 ≡ r h (mod p) A  common key K ≡ y 2 k ≡ r hk (mod p)

Cryptanalysis Given the residues of r h & r k modulo p find the key K ≡ r hk (mod p) ? computationally difficult problem (see chapter 9) Example: r=2, p=53, k=7,h=8 2 7 ≡22 (mod 53), 2 8 ≡44 (mod 53), K=2 8*7 ≡16 (mod 53) However, if only 22 and 44 are given, how to find K? Increased complexity for a group of n individuals: K= r k1k2…kn (mod p)

8.6.2.Digital Signature Make sure that a msg came for the supposed sender? Only the supposed sender is the source of that msg! RSA (e, n=pq)  to send a “signed” msg Applications: , E-banking, E-transactions… A  public key (e 1,n 1 ) & private key (d 1,n 1 )  X≡X e1d1 (mod n 1 ) B  public key (e 2,n 2 ) & private key (d 2,n 2 )  X≡X e2d2 (mod n 2 ) P= Plaintext Signature S=Encrypted Signature by A that only B can decrypt without knowing private key d 1 of A.

Encryption by A P  S ≡ P d1 (mod n 1 )  C ≡ S e2 (mod n 2 ) C is sent to B by A. Decryption by B C  S ≡ C d2 (mod n 2 )  P ≡ S e1 (mod n 1 ) Intermediate step: If n 2 > n 1 direct Transformation S  C If n 2 ≤ n 1, split S into blocks of size < n 2 then the transformation S  C for each block.

Example: Romeo + Juliet A= Romeo: (e,n)=(5,1273)=(5, 19*67)  Φ(n) =18*66= 1188  d= ē Φ [Φ(n)]-1 (mod Φ(n))= = 713 B= Juliet: (e,n)=(3,781)=(3, 11*71)  Φ(n) =10*70= 700  d= ē Φ [Φ(n)]-1 (mod Φ(n))= = 107 P= goodbye sweet love = Form blocks of four, then for each block compute: S ≡ P d1 (mod n 1 ) = P 713 (mod 1273) = since n 2 ≤ n 1, split each block of S in two to get blocks of size < n 2 Transformation S  C for each new block: C ≡ S e2 (mod n 2 )= S 3 (mod 781) = Sent to Juliet. She decrypts: C  S ≡ C d2 (mod n 2 ) then  P ≡ S e1 (mod n 1 )

Electronic Poker A & B wish to play Poker Online p= large prime Jointly choosing A  secret exponents keys e a  d a = inverse (mod p) B  secret exponents keys e b  d b = inverse (mod p) Exponent Encryptions & decryptions: C=E (P)=P e & P=D(C)= C d  E(D(P))= P (mod p) E a, E b, D a, D b are commutative under compositions M 1,…,M 52  the deck of cards

B applies E b  E b (M 1 ),…, E b (M 52 ) B  shuffles (Permutation)  sends to A A  selects 5 cards E b (M)  sends to B = B’s hand B applies D b ( to see the hand M)  D b [ E b (M)]=M A  selects 5 cards C=E b (N) with N in M 1,…,M 52 A applies E a ( unable to see the hand N )  E a (C)  sends to B B applies D b ( unable to see the hand N )  D b [E a (C)]  sends to A D b [ E a (C)] = D b [ E a (E b (N))]= E a ( D b [E b (N)])= E a (N) A applies D a ( to see his hand N )  D a [ E a (N)]=N The same steps are followed for the rest of the game Test for No Cheating: The Keys are revealed so each player (or the system) can verify that the cards claimed by each.

8.6.4.Secret Sharing P rotect an extremely sensitive information from: loss  share its components with several individuals exposure  but no small group can retrieve the information Example: Master key K for access to the password file Solution: (s,r)- threshold Schemes r individuals Shadows k 1,…,k r = keys, each given to an individual K= master key To recover K  least s of any of these shadows! but not less that s shadows!

p = prime larger than K p & m 1 <…<m r pairwise relatively prime M= m 1 …m s > p m r-1 …m r-s+2 t integer with 0< t< M/p K 0 = K + t p with K 0 in {0,…,M-1} The shadows: k j = K 0 (mod m j ) Find K from any s individuals with shadows: k * 1, …, k * s ? M * = m * 1 …m * s Chinese remainder (theorem 4.12) for k * j = K 0 (mod m * j )  solves K 0 (mod M * ) where 0 ≤ K 0 < M ≤ M * Determine K 0 and then: K = K 0 – t p