Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Slides:



Advertisements
Similar presentations
ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.
Advertisements

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Lecture 8 Public-Key Encryption I Stefan Dziembowski MIM UW ver 1.0.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Digital Signatures and Hash Functions. Digital Signatures.
Data encryption with big prime numbers
22C:19 Discrete Structures Integers and Modular Arithmetic
Public Key Encryption Algorithm
Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
7. Asymmetric encryption-
Session 4 Asymmetric ciphers.
and Factoring Integers (I)
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Cryptography Lecture 11: Oct 12. Cryptography AliceBob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal:
and Factoring Integers
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.
The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.
1 CIS 5371 Cryptography 8. Asymmetric encryption-.
8. Data Integrity Techniques
The RSA Algorithm Rocky K. C. Chang, March
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
Introduction to Modular Arithmetic and Public Key Cryptography.
10.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 10 Symmetric-Key Cryptography.
Cryptography Lecture 8 Stefan Dziembowski
RSA Ramki Thurimella.
10/1/2015 9:38:06 AM1AIIS. OUTLINE Introduction Goals In Cryptography Secrete Key Cryptography Public Key Cryptograpgy Digital Signatures 2 10/1/2015.
Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
Cryptography Lecture 9 Stefan Dziembowski
By Yernar.  Background  Key generation  Encryption  Decryption  Preset Bits  Example.
Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005.
Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.
Cryptography and Network Security Chapter 9 - Public-Key Cryptography
Scott CH Huang COM 5336 Cryptography Lecture 6 Public Key Cryptography & RSA Scott CH Huang COM 5336 Cryptography Lecture 6.
Lectures so far: Today’s lecture: Discrete probability Proving things
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
Tuesday’s lecture: Today’s lecture: One-way permutations (OWPs)
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
COM 5336 Lecture 8 Digital Signatures
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
RSA Pubic Key Encryption CSCI 5857: Encoding and Encryption.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
RSA Cryptosystem Great Theoretical Ideas In Computer Science S. Rudich V. Adamchik CS Spring 2006 Lecture 8Feb. 09, 2006Carnegie Mellon University.
1 Introduction to Information Security , Spring 2016 Lecture 4: Applied cryptography: asymmetric Zvi Ostfeld Slides credit: Eran Tromer.
1 The RSA Algorithm Rocky K. C. Chang February 23, 2007.
Key Exchange in Systems VPN usually has two phases –Handshake protocol: key exchange between parties sets symmetric keys –Traffic protocol: communication.
Revision. Cryptography depends on some properties of prime numbers. One of these is that it is rather easy to generate large prime numbers, but much harder.
Assignment 4 is due! Assignment 5 is out and is due in two weeks!
Public Key Cryptography
Topic 26: Discrete LOG Applications
B504/I538: Introduction to Cryptography
B504/I538: Introduction to Cryptography
B504/I538: Introduction to Cryptography
B504/I538: Introduction to Cryptography
B504/I538: Introduction to Cryptography
B504/I538: Introduction to Cryptography
B504/I538: Introduction to Cryptography
B504/I538: Introduction to Cryptography
Cryptography Lecture 20.
Cryptography Lecture 26.
Presentation transcript:

Ryan Henry I 538 /B 609 : Introduction to Cryptography

Ryan Henry The goal of secure program obfuscation is to make a program ``unintelligible'' while preserving its functionality. For decades, program obfuscation for general programs has remained an art, with all public general-purpose obfuscation methods known to be broken. In this talk, we will describe new developments that for the first time provide a mathematical approach to the problem of general-purpose program obfuscation, where extracting secrets from the obfuscated program requires solving mathematical problems that currently take hundreds of years to solve on the world's fastest computing systems. We will also discuss the implications of these developments. Friday, November 13 at 3:00pm in LH 102: Amit Sahai, UCLA Software with Secrets

Ryan Henry Last Thursday’s lecture: Public key encryption IND-CPA / IND-CCA for public key schemes Trapdoor functions and permutations Today’s lecture: Public key encryption from TDPs The RSA cryptosystem 2

Ryan Henry Assignment 5 is TODAY! Assignment 6 has been posted! 3

Ryan Henry Recall: Trapdoor permutations (TDPs) 4 ▪ Intuitively, a trapdoor permutation family is an OWP family with the additional property that each OWP in the family is easy to invert when given some special information called the trapdoor

Ryan Henry Trapdoor permutation (TDP) families Def n : A trapdoor permutation (TDP) family is an infinite set {π k } k∈K e, in which each π k :D k →D k is a permutation, equipped with a quadruple of PPT algorithms (Gen,Samp,Eval,Inv) such that –E–Easy to sample from family: Gen:1 ℕ →K e ×K d is a randomized algorithm that, on input 1 s, outputs (k,t k ) where t k is the trapdoor for π k. –E–Easy to sample from domains: Samp:K e →⋃ D k is a randomized algorithm that, on input k∈K e, outputs x∊D k. –E–Easy to evaluate: Eval:K e ×⋃ D k is a deterministic algorithm that, on input k∈K e and x∈D k, outputs y=π k (x). –E–East to invert with trapdoor: Inv:K e ×K d ×⋃ D k is a deterministic algorithm that, on input any (k,t k )←Gen(1 s ) and y∈D k, outputs x∈D k such that y=π k (x). –H–Hard to invert without trapdoor: For every PPT attacker A, there exists a negligible function ε:ℕ→ℝ + such that Pr[x←A(k,y)|(k,t k )←Gen(1 s )∧x←Samp(k)∧y←Eval(k,x)]≤ε(s). 5

Ryan Henry Public-key bit encryption from TDPs ▪L▪Let {π k } k∈K e be a trapdoor permutation family with algorithms (Gen,Samp,Eval,Inv) such that each π k has a corresponding hard-core predicate h k. Q: Does such TDP family even exist? A: Probably!? Or, at least, hopefully! (Why should we think it does?) –G–Goldreich-Levin implies that if any TDP family exists, then there exists a TDP family in which each TDP has a hardcore predicate. 6

Ryan Henry Public-key bit encryption from TDPs ▪L▪Let {π k } k∈K e be a trapdoor permutation family with algorithms (Gen,Samp,Eval,Inv) such that each π k has a corresponding hard-core predicate h k. Define (Gen,Enc,Dec) as follows: –G–Gen:1 ℕ →K e ×K d is just the Gen algorithm for the TDP family –E–Enc:K e ×{0,1}→D k takes (k,m)∈K e ×{0,1} as input, chooses r←Samp(k) such that h k (r)=m, and outputs c≔Eval(k,r) –D–Dec:K e ×K d ×D k →{0,1} takes (k,t k ,c) as input and outputs h k ( Inv(k,t k ,c) ) 7 requires 2 samples on average

Ryan Henry Public-key bit encryption from TDPs ▪L▪Let {π k } k∈K e be a trapdoor permutation family with algorithms (Gen,Samp,Eval,Inv) such that each π k has a corresponding hard-core predicate h k. Thm: The tuple (Gen,Enc,Dec) just described is an IND- CCA2 secure public key encryption scheme with message space M={0,1}. 8

Ryan Henry Encryption for longer messages Q: How do we extend bit encryption to longer messages? A: Encrypt message bit-by-bit using the bit encryption scheme –B–But this is outrageously inefficient… Q: How do we extend bit encryption to longer messages efficiently? A: Very carefully… ▪A▪A candidate approach (with M=D k ): –G–Gen:1 ℕ →K e ×K d is the Gen algorithm for the TDP family –E–Enc:K e ×D k →D k maps (k,m) to c≔Eval(k,m) –D–Dec: K e ×K d ×D k →D k maps (k,t k ,c) to m≔Inv(k,t k ,c) 9 N o t o b t a i n e d f r o m S a m p ! Not randomized!

Ryan Henry Hybrid encryption from TDPs ▪ Let {π k } k∈K e be a trapdoor permutation family with algorithms (Gen,Samp,Eval,Inv); ▪ Let (Gen’,Enc’,Dec’) be an IND-CCA2 secure symmetric-key encryption scheme; and ▪ Let H:{0,1} * →{0,1} * be a cryptographic hash function 10 Define (Gen,Enc,Dec) as follows: –G–Gen:1 ℕ →K e ×K d is just the Gen algorithm for the TDP family; –E–Enc:K e ×{0,1} * →D k ×{0,1} * takes (k,m)∈K e ×{0,1} * as input, chooses r←Samp(k) and outputs c≔(y,C), where y≔Eval(k,r) and C≔Enc’ H(r) (m); –D–Dec:K e ×K d ×(D k ×{0,1} * )→{0,1} * takes ( k,t k ,(y,C) ) as input, computes r≔Inv(k,t k ,y), and outputs m≔Dec’ H(r) (C). (modeled as a random oracle)

Ryan Henry Hybrid encryption from TDPs 11 Define (Gen,Enc,Dec) as follows: – Gen:1 ℕ →K e ×K d is just the Gen algorithm for the TDP family; – Enc:K e ×{0,1} * →D k ×{0,1} * takes (k,m)∈K e ×{0,1} * as input, chooses r←Samp(k) and outputs c≔(y,C), where y≔Eval(k,r) and C≔Enc’ H(r) (m); – Dec:K e ×K d ×(D k ×{0,1} * )→{0,1} * takes ( k,t k ,(y,C) ) as input, computes r≔Inv(k,t k ,y), and outputs m≔Dec’ H(r) (C) y≔Eval(k,r) C≔Enc’ H(r) (m) c≔

Ryan Henry Hybrid encryption from TDPs 12 Define (Gen,Enc,Dec) as follows: – Gen:1 ℕ →K e ×K d is just the Gen algorithm for the TDP family; – Enc:K e ×{0,1} * →D k ×{0,1} * takes (k,m)∈K e ×{0,1} * as input, chooses r←Samp(k) and outputs c≔(y,C), where y≔Eval(k,r) and C≔Enc’ H(r) (m); – Dec:K e ×K d ×(D k ×{0,1} * )→{0,1} * takes ( k,t k ,(y,C) ) as input, computes r≔Inv(k,t k ,y), and outputs m≔Dec’ H(r) (C) Thm: The tuple (Gen,Enc,Dec) described below is an IND- CCA2 secure public key encryption scheme with message space M={0,1} * in the random oracle model.

Ryan Henry Recall: The e th root problem 13 Def n : The eth root problem (aka the RSA problem) is: Given (n,e,a) such that 1. n=pq for distinct s-bit primes p and q, 2. a∈℥ n, and 3. gcd(e,φ(n))=1, compute a 1/e mod n. One possible solution: compute d≔e -1 mod φ(n) and output a d mod n

Ryan Henry Recall: RSA instance generator Def n : An RSA instance generating algorithm G is a PPT algorithm that, on input a security parameter 1 s ∈1 ℕ, outputs a pair of distinct s-bit primes (p,q) and e∊℥ φ(pq). We write (p,q,e)← G(1 s ) to indicate that s-bit primes (p,q) and e∈℥ φ(pq) are sampled from the output of G. 14 We define hardness assumption for the e th root problem with respect to a particular fixed instance generator

Ryan Henry Recall: The e th root (RSA) assumption 15 Def n : Let G be a fixed RSA instance generating algorithm. The e th root (RSA) assumption holds with respect to G if, for every PPT algorithm A, there exists a negligible function ε:ℕ→ℝ + such that Adv RSA,G (A)≤ε(s). Challenger (C) Attacker (A) (p,q,e)←G(1 s ) N≔p·q a∊℥ N b≔a e mod N a’ 1 s1 s (N,e,b) Let E be the event that a≡a’ mod N Define A’s advantage to be Adv RSA,G (A)≔Pr[E] 1 s1 s

Ryan Henry The Strong RSA assumption 16 Def n : Let G be a fixed RSA instance generating algorithm. The strong RSA ssumption holds with respect to G if, for every PPT algorithm A, there exists a negligible function ε: ℕ→ℝ + such that Adv StrongRSA,G (A)≤ε(s). Challenger (C) Attacker (A) (p,q,e)←G(1 s ) (if gcd(e’,φ(n))≠1, choose again) N≔p·q a∊℥ N b≔a e’ mod N a’ 1 s1 s (N,b) Let E be the event that a≡a’ mod N Define A’s advantage to be Adv StrongRSA,G (A)≔Pr[E] 1 s1 s e' e'∈Primes[s]

Ryan Henry The RSA trapdoor permutation family 17 ▪T▪The RSA assumption is equivalent to the assumption that the e th root problem induces a trapdoor permutation family K e ≔{(pq,e)|p,q∈Primes[s] with p≠q and gcd(φ(pq),e)=1}; K d ≔ℕ; and D k ≔℥ pq ▪G▪Gen(1 s ) chooses distinct primes p,q∊Primes[s] and e∊ℤ φ(pq). It outputs k≔(pq,e) and t k ≔e -1 mod φ(pq) ▪S▪Samp(k) outputs x∊℥ pq ▪E▪Eval(k,x) outputs y≔x e mod pq ▪I▪Inv(k,t k ,y) outputs x≔y d mod pq

Ryan Henry “Textbook” (a.k.a. naïve) RSA 18 ▪M▪Many textbooks (and courses) describe RSA encryption as a direct application of the RSA trapdoor permutation to a “message” (usually a symmetric key) Q: Is this a secure public-key encryption scheme? A: NO! NO! NO! Don’t ever do this! (Seriously, don’t do it!) (If you do this and I find out, I will retroactive fail you in this course!) –M–Meet-in-the-middle attacks –S–Short message—small exponent attacks –C–CRT-based attacks –R–Related message attacks

Ryan Henry Meet-in-the-middle attack ▪ Suppose k∊{0,1} 128 is a random 128-bit symmetric key Q: Given (N,e) and c≔k e mod N, how hard is it to recover k? A: It is sometimes very easy! – If k≡k 1 ·k 2 mod N where lg k 1 ≈lg k 2 ≈2 64, then k 2 e ≡c·m 2 -e mod N Idea: Precompute a lookup table L≔{1 e ,2 e ,3 e ,…,(2 64 ) e } mod N For each a∈L, compute b≔c·a -1 mod N and check if b∈L; if so, then k≡a·b mod N! 19

Ryan Henry Meet-in-the-middle attack 20

Ryan Henry Meet-in-the-middle attack ▪ Toy example: N=282,943=523·541 and e=3 ▪ Message k is an 8-bit symmetric key ▪ Ciphertext is c=k e ≡206,824 mod N ,0001,3311,7282,1972,7443,3754, ,824 25,823 60, ,071 74,088 42,875 27, , ,853 9, , ,463 1,328 3,375 2, ,232 ⇒ k≡14·15=210 mod N (indeed, ≡206,824 mod N)

Ryan Henry Short message—small exponent attack ▪ Alice wishes to encrypt a short message, say m=100, under Bob’s public key k=(N,e) ▪ If N>m e, then no modular reduction occurs! ▪ In this case, given c≔m e mod n, it is easy to compute m=c 1/e in ℤ! 22

Ryan Henry Recall: Chinese Remainder Theorem (CRT) Chinese Remainder Theorem: Let n 1, n 2, …, n k be positive integers with gcd(n i, n j )=1 whenever i≠j, and let N=n 1 ·n 2 ⋯n k. Then the system of congruence relations x≡ c 1 mod n 1 ⋮ x≡ c k mod n k has a unique solution in ℤ N. For each i=1,…,k, set y i ≡ (N/n i ) -1 mod n i and z i ≡(N/n i )·y i mod N The unique solution is x≡∑z i ·c i mod N 23 z i ≡1 mod n i z i ≡0 mod n j when i≠j

Ryan Henry CRT-based attack ▪ Suppose Bob, Carol, and David have distinct public keys (N B ,3), (N C ,3), and (N D ,3) ▪ Alice wishes to encrypt the same message m for each of them – c B ≔m 3 mod N B – c C ≔m 3 mod N C – c D ≔m 3 mod N D ▪ If gcd(N B ,N C )=gcd(N B,N D )=gcd(N C,N D )=1, then by CRT there exists unique c∈ℤ N such that c≡c i mod N i for i∈{B,C,D} ▪ Solving for c, we get m=c 1/3 in ℤ (Why?) ▪ If N A ,N B ,N C aren’t pairwise relatively prime, attacker still learns m (How?) 24

Ryan Henry That’s all for today, folks! 25