Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 12: Non-secret Key Cryptosystems.

Published byDorothy Blankenship Modified over 9 years ago

Similar presentations

Presentation on theme: "David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 12: Non-secret Key Cryptosystems."— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/evans CS588: Security and Privacy University of Virginia Computer Science Lecture 12: Non-secret Key Cryptosystems (How Euclid, Fermat and Euler Created E-Commerce) Real mathematics has no effects on war. No one has yet discovered any warlike purpose to be served by the theory of numbers. G. H. Hardy, The Mathematician’s Apology, 1940.

2 CS588 Spring 20052 Applications of RSA Privacy: –Bob encrypts message to Alice using E A –Only Alice knows D A Signatures: –Alice encrypts a message to Alice using D A –Bob decrypts using E A –Knows it was from Alice, since only Alice knows D A Things you use every day: ssh, SSL, DNS,...

3 CS588 Spring 20053 Public-Key Applications: Privacy Alice encrypts message to Bob using Bob’s Private Key Only Bob knows Bob’s Private Key  only Bob can decrypt message Encrypt Decrypt Plaintext Ciphertext Plaintext Alice Bob Bob’s Public Key Bob’s Private Key

4 CS588 Spring 20054 Signatures Bob knows it was from Alice, since only Alice knows Alice’s Private Key Non-repudiation: Alice can’t deny signing message (except by claiming her key was stolen!) Integrity: Bob can’t change message (doesn’t know Alice’s Private Key) Encrypt Decrypt Plaintext Signed Message Plaintext Alice Bob Alice’s Private Key Alice’s Public Key

5 CS588 Spring 20055 Public-Key Cryptography Private procedure: E Public procedure: D Identity: E (D (m)) = D (E (m)) = m Secure: cannot determine E from D But didn’t know how to find suitable E and D

6 CS588 Spring 20056 Properties of E and D Trap-door one way function: 1. D (E (M)) = M 2. E and D are easy to compute. 3.Revealing E doesn’t reveal an easy way to compute D Trap-door one way permutation: also 4. E (D (M)) = M

7 CS588 Spring 20057 RSA E(M) = M e mod n d D(C) = C d mod n pqpq n = pqp, q are prime d d is relatively prime to (p – 1)(q – 1) d ed  1 (mod (p – 1)(q – 1)) red (red things are secret)

8 CS588 Spring 20058 Properties of E and D Trap-door one way function: 1. D (E (M)) = M 2. E and D are easy to compute. 3.Revealing E doesn’t reveal an easy way to compute D Trap-door one way permutation: also 4. E (D (M)) = M

9 CS588 Spring 20059 Property 1: D (E (M)) = M E(M) = M e mod n D(E(M)) = (M e mod n) d mod n = M ed mod n (as in D-H proof) Can we choose e, d and n with this property: M  M ed mod n equivalently: 1  M ed-1 mod n

10 CS588 Spring 200510 Finding e, d and n We are looking for e, d and n such that: M ed-1  1 mod n Euler’s Theorem: for a and n relatively prime: a  (n)  1 mod n Next: –What is  (n) –Proof of Euler’s Theorem –How it works for arbitrary M –Given  (n) how do we find e and d

11 CS588 Spring 200511 Euler’s Totient Function  (n) = number of positive integers less than n that are relatively prime to n If n is prime,  (n) = n – 1 –Proof by contradiction What if n = pq where p and q are prime?

12 CS588 Spring 200512 Totient Products For primes, p and q : n = pq  (n) = numbers < n not relatively prime to pq = pq – 1 ; numbers less than pq – (q – 1) ; size of p, 2p, …, (q – 1)p – (p – 1) ; size of q, 2q, …, (p – 1)q = pq – 1 – (q – 1) – (p – 1) = pq – (p + q) + 1 = (p – 1) (q – 1) =  (p)  (q)

13 CS588 Spring 200513 Fermat’s Little Theorem If n is prime and a is not divisible by n a n-1  1 mod n

14 CS588 Spring 200514 Fermat’s Little Theorem Proof If n is prime and a is not divisible by n : {a mod n, 2a mod n, …, (n-1)a mod n} = {1, 2, …, (n – 1) } Product of all elements in sets: a  2a  …  (n – 1) a  (n – 1)! mod n (n – 1)!a n-1  (n – 1)! mod n a n-1  1 mod n QED.

15 CS588 Spring 200515 Euler’s Theorem For a and n relatively prime: a  (n)  1 mod n Partial Proof: If n is prime,  (n) = n – 1 and a n - 1  1 mod n by Fermat’s Little Theorem What if n is not prime?

16 CS588 Spring 200516 Euler’s Theorem, cont. For a and n relatively prime: a  (n)  1 mod n  (n) = number of numbers < n not relatively prime to n We can write those numbers as: R = { x 1, x 2, …, x  (n) }

17 CS588 Spring 200517 Proving Euler’s Theorem R = { x 1, x 2, …, x  (n) } multiply by a mod n : S = { ax 1 mod n, ax 2 mod n, …, ax  (n) mod n} S is a permutation of R : a is relatively prime to n a is relatively prime to all x i ax i is relatively prime to n –Hence all elements of S are in R. –There are no duplicates in S. If ax i mod n = ax j mod n then i = j. since a is relatively prime to n

18 CS588 Spring 200518 Proving Euler’s Theorem x 1  x 2 …  x  (n) = ax 1 mod n  ax 2 mod n …  ax  (n) mod n  (ax 1  ax 2 …  ax  (n) ) mod n  a  (n)  x 1  x 2 …  x  (n) mod n 1  a  (n) mod nQED.

19 CS588 Spring 200519 Recap We are looking for e, d and n such that: M ed-1  1 mod n Euler’s Theorem: 1  a  (n) mod n for a and n relatively prime If n is prime,  (n) = n – 1. For p and q prime,  (pq) =  (p)  (q) ed – 1 =  (n) = (p-1)(q-1) What if M is not relatively prime to n ? n = pq

20 CS588 Spring 200520 M and n Suppose M and n not relatively prime: gcd (M, n)  1 Since n = pq and p and q are prime: gcd (M, p)  1 OR gcd (M, q)  1 Case 1: M = cp gcd (M, q) = 1 (otherwise M is multiple of both p and q, but M < pq). So, M  (q)  1 mod q (by Euler’s theorem, since M and q are relatively prime)

21 CS588 Spring 200521 M and n, cont Case 1: M = cp gcd (M, q) = 1 (otherwise M is multiple of both p and q, but M < pq). So, M  (q)  1 mod q (by Euler’s theorem, since M and q are relatively prime) M  (q)  1 mod q (M  (q) )  (p)  1 mod q M  (q)  (p)  1 mod q M  (n)  1 mod q

22 CS588 Spring 200522 M and n M  (n)  1 mod q M  (n) = 1 + k q for some k M = cp recall gcd (M, p)  1 M  M  (n) = (1 + k q)cp M  (n) + 1 = cp + k qcp = M + k cn M  (n) + 1  M mod n

23 CS588 Spring 200523 Where’s ED? ed – 1 =  (n) = (p-1)(q-1) So, we need to choose e and d: ed =  (n) + 1 = n – (p + q) Pick random d, relatively prime to  (n) gcd (d,  (n)) = 1 Since d is relatively prime to  (n) it has a multiplicative inverse e : de  1 mod  (n)

24 CS588 Spring 200524 Identity de  1 mod  (n) So, d * e = (k *  (n)) + 1 for some k. Hence, M ed-1 mod n = M k *  (n) mod n

25 CS588 Spring 200525 D (E (M)) = M M ed-1 mod n = M k *  (n) mod n Euler says 1  M  (n) mod n. So 1  M k *  (n) mod n 1  M ed-1 mod n M  M ed mod n QED.

26 CS588 Spring 200526 Properties of E and D Trap-door one way function: 1. D (E (M)) = M 2. E and D are easy to compute. 3.Revealing E doesn’t reveal an easy way to compute D Trap-door one way permutation: also 4. E (D (M)) = M 

27 Movie Break Adam Glaser and Portman Wills CS588 Fall 2001 PS4

28 CS588 Spring 200528 Questionable Statements in RSA Paper: Finalists 1) "The reader is urged to find a way to "break" the system. Once the method has withstood all attacks for a sufficient length of time it may be used with a reasonable amount of confidence." The authors appear to advocating the same method of validation that they called "fruitless" earlier in the paper (referring to the NBS certification). 2) RSA seems to gloss over the whole PKI issue. They suggest either a single authority to hold all the keys or publishing a book to all the users. I'd also like to point out that RSA like to "excessively" to quotation marks for no apparent "purpose." 1. The problem is mentioned on page 4 and 6 of the paper: The trusted distribution of the public portion of the key. If one were to modify the public keys in transport or to attack a central repository, then it would be impossible to be sure of the authenticity of the keys. (The suggestion of having a telephone book is not even possibly applicable due to the need to securely deliver it to all users from trusted central source). This can be seen as present problem with the loss of keys by Microsoft (resulting in forced revocation) and the limited trust one can put in Verisign due to limited checks done. 2. The assumption in conclusion that a protocol is secure due to lack of success in attacks for some period of time. The recent attacks upon SHA/MD5 show that even 10 years could be insufficient time to prove security.

29 CS588 Spring 200529 Only Two Submissions This is pathetic! There will be a Short Quiz in class Tuesday –Closed book, closed notes –Covers material in RSA paper and new paper handed out today –Andrew and Aleks are exempt

30 CS588 Spring 200530 Two “Questionable” Statements in RSA Paper 1.“The need for a courier between every pair of users has thus been replaced by the requirement for a single secure meeting between each user and the public file manager when the user joins the system.” (p. 6)

31 CS588 Spring 200531 Two “Questionable” Statements in RSA Paper 2.“(The NBS scheme (DES) is probably somewhat faster if special-purposed hardware encryption devices are used; our scheme may be faster on a general-purpose computer since multiprecision arithmetic operations are simpler to implement than complicated bit manipulations.)” (p. 4)

32 CS588 Spring 200532 Who really invented RSA? General Communications Headquarters, Cheltenham (formed from Bletchley Park after WWII) 1969 – James Ellis asked to work on key distribution problem Secure telephone conversations by adding “noise” to line Late 1969 – idea for PK, but function

33 CS588 Spring 200533 RSA & Diffie-Hellman Asks Clifford Cocks, Cambridge mathematics graduate, for help He discovers RSA (four years early) Then (with Malcolm Williamson) discovered Diffie-Hellman Kept secret until 1997! NSA claims they had it even earlier

34 CS588 Spring 200534 Charge Reread the parts of RSA paper you didn’t understand the first time Work on your project! Short Quiz on RSA material and Encrypted Searches paper in class Tuesday –Closed-book, closed-notes, open-T-shirt Next time: RSA Properties 2, 3 and 4

Download ppt "David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 12: Non-secret Key Cryptosystems."

Similar presentations

RSA cryptosystem 1 q The most important public-key cryptosystem is the RSA cryptosystem on which one can also illustrate a variety of important ideas of.

RSA cryptosystem 1 q The most important public-key cryptosystem is the RSA cryptosystem on which one can also illustrate a variety of important ideas of.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.
CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Class 4: Modern Cryptography

Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Class 4: Modern Cryptography
Attacks on Digital Signature Algorithm: RSA

Attacks on Digital Signature Algorithm: RSA
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David.

1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David.
Cryptography & Number Theory

Cryptography & Number Theory
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.

Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Similar presentations

Ads by Google