Lecture 12 Nonsecret Key Cryptosystems How Euclid Fermat
- Slides: 34
Lecture 12: Non-secret Key Cryptosystems (How Euclid, Fermat and Euler Created E-Commerce) Real mathematics has no effects on war. No one has yet discovered any warlike purpose to be served by theory of numbers. G. H. Hardy, The Mathematician’s Apology, 1940. CS 588: Security and Privacy David Evans University of Virginia CS 588 Spring 2005 http: //www. cs. virginia. edu/evans Computer Science
Applications of RSA • Privacy: – Bob encrypts message to Alice using EA – Only Alice knows DA • Signatures: – Alice encrypts a message to Alice using DA – Bob decrypts using EA – Knows it was from Alice, since only Alice knows DA • Things you use every day: ssh, SSL, DNS, . . . CS 588 Spring 2005 2
Public-Key Applications: Privacy Bob Alice Plaintext Encrypt Ciphertext Bob’s Public Key Decrypt Plaintext Bob’s Private Key • Alice encrypts message to Bob using Bob’s Private Key • Only Bob knows Bob’s Private Key only Bob can decrypt message CS 588 Spring 2005 3
Signatures Alice Plaintext Encrypt Signed Message Alice’s Private Key Decrypt Bob Plaintext Alice’s Public Key • Bob knows it was from Alice, since only Alice knows Alice’s Private Key • Non-repudiation: Alice can’t deny signing message (except by claiming her key was stolen!) • Integrity: Bob can’t change message (doesn’t know Alice’s Private Key) CS 588 Spring 2005 4
Public-Key Cryptography • • • Private procedure: E Public procedure: D Identity: E (D (m)) = D (E (m)) = m Secure: cannot determine E from D But didn’t know how to find suitable E and D CS 588 Spring 2005 5
Properties of E and D Trap-door one way function: 1. D (E (M)) = M 2. E and D are easy to compute. 3. Revealing E doesn’t reveal an easy way to compute D Trap-door one way permutation: also 4. E (D (M)) = M CS 588 Spring 2005 6
RSA E(M) = Me mod n D(C) = Cd mod n n = pq p, q are prime d is relatively prime to (p – 1)(q – 1) ed 1 (mod (p – 1)(q – 1)) (red things are secret) red CS 588 Spring 2005 7
Properties of E and D Trap-door one way function: 1. D (E (M)) = M 2. E and D are easy to compute. 3. Revealing E doesn’t reveal an easy way to compute D Trap-door one way permutation: also 4. E (D (M)) = M CS 588 Spring 2005 8
Property 1: D (E (M)) = M E(M) = Me mod n D(E(M)) = (Me mod n)d mod n = Med mod n (as in D-H proof) Can we choose e, d and n with this property: M Med mod n equivalently: 1 Med-1 mod n CS 588 Spring 2005 9
Finding e, d and n • We are looking for e, d and n such that: Med-1 1 mod n • Euler’s Theorem: for a and n relatively prime: a (n) 1 mod n • Next: – What is (n) – Proof of Euler’s Theorem – How it works for arbitrary M – Given (n) how do we find e and d CS 588 Spring 2005 10
Euler’s Totient Function (n) = number of positive integers less than n that are relatively prime to n • If n is prime, (n) = n – 1 – Proof by contradiction • What if n = pq where p and q are prime? CS 588 Spring 2005 11
Totient Products For primes, p and q: n = pq (n) = numbers < n not relatively prime to pq = pq – 1 ; numbers less than pq – (q – 1) ; size of p, 2 p, …, (q – 1)p – (p – 1) ; size of q, 2 q, …, (p – 1)q = pq – 1 – (q – 1) – (p – 1) = pq – (p + q) + 1 = (p – 1) (q – 1) = (p) (q) CS 588 Spring 2005 12
Fermat’s Little Theorem If n is prime and a is not divisible by n an-1 1 mod n CS 588 Spring 2005 13
Fermat’s Little Theorem Proof If n is prime and a is not divisible by n: {a mod n, 2 a mod n, … , (n-1)a mod n} = {1, 2, …, (n – 1) } Product of all elements in sets: a 2 a … (n – 1) a (n – 1)! mod n (n – 1)!an-1 (n – 1)! mod n an-1 1 mod n QED. CS 588 Spring 2005 14
Euler’s Theorem For a and n relatively prime: a (n) 1 mod n Partial Proof: If n is prime, (n) = n – 1 and an - 1 1 mod n by Fermat’s Little Theorem What if n is not prime? CS 588 Spring 2005 15
Euler’s Theorem, cont. For a and n relatively prime: a (n) 1 mod n (n) = number of numbers < n not relatively prime to n We can write those numbers as: R = { x 1, x 2, … , x (n)} CS 588 Spring 2005 16
Proving Euler’s Theorem R = { x 1, x 2, … , x (n)} multiply by a mod n: S = { ax 1 mod n, ax 2 mod n, …, ax (n) mod n} S is a permutation of R: • a is relatively prime to n • a is relatively prime to all xi • axi is relatively prime to n – Hence all elements of S are in R. – There are no duplicates in S. If axi mod n = axj mod n then i = j. since a is relatively prime to n CS 588 Spring 2005 17
Proving Euler’s Theorem x 1 x 2 … x (n) = ax 1 mod n ax 2 mod n … ax (n) mod n (ax 1 ax 2 … ax (n)) mod n a (n) x 1 x 2 … x (n) mod n 1 a (n) mod n QED. CS 588 Spring 2005 18
Recap • We are looking for e, d and n such that: n = pq Med-1 1 mod n ed – 1 = (n) = (p-1)(q-1) • Euler’s Theorem: 1 a (n) mod n for a and n relatively prime What if M is not relatively prime to n? • If n is prime, (n) = n – 1. • For p and q prime, (pq) = (p) (q) CS 588 Spring 2005 19
M and n • Suppose M and n not relatively prime: gcd (M, n) 1 • Since n = pq and p and q are prime: gcd (M, p) 1 OR gcd (M, q) 1 Case 1: M = cp gcd (M, q) = 1 (otherwise M is multiple of both p and q, but M < pq). So, M (q) 1 mod q (by Euler’s theorem, since M and q are relatively prime) CS 588 Spring 2005 20
M and n, cont Case 1: M = cp gcd (M, q) = 1 (otherwise M is multiple of both p and q, but M < pq). So, M (q) 1 mod q (by Euler’s theorem, since M and q are relatively prime) M (q) 1 mod q (M (q)) (p) 1 mod q M (q) (p) 1 mod q M (n) 1 mod q CS 588 Spring 2005 21
M and n M (n) 1 mod q M (n) = 1 + kq for some k M = cp recall gcd (M, p) 1 M M (n) = (1 + kq)cp M (n) + 1 = cp + kqcp = M + kcn M (n) + 1 M mod n CS 588 Spring 2005 22
Where’s ED? ed – 1 = (n) = (p-1)(q-1) • So, we need to choose e and d: • ed = (n) + 1 = n – (p + q) Pick random d, relatively prime to (n) gcd (d, (n)) = 1 • Since d is relatively prime to (n) it has a multiplicative inverse e: de 1 mod (n) CS 588 Spring 2005 23
Identity de 1 mod (n) So, d * e = (k * (n)) + 1 for some k. Hence, Med-1 mod n = Mk * (n) mod n CS 588 Spring 2005 24
D (E (M)) = M Med-1 mod n = Mk * (n) mod n Euler says 1 M (n) mod n. So 1 Mk * (n) mod n 1 Med-1 mod n M Med mod n QED. CS 588 Spring 2005 25
Properties of E and D Trap-door one way function: 1. D (E (M)) = M 2. E and D are easy to compute. 3. Revealing E doesn’t reveal an easy way to compute D Trap-door one way permutation: also 4. E (D (M)) = M CS 588 Spring 2005 26
Movie Break Adam Glaser and Portman Wills CS 588 Fall 2001 PS 4 CS 588 Spring 2005
Questionable Statements in RSA Paper: Finalists 1) "The reader is urged to find a way to "break" the system. Once the method has withstood all attacks for a sufficient length of time it may be used with a reasonable amount of confidence. " The authors appear to advocating the same method of validation that they called "fruitless" earlier in the paper (referring to the NBS certification). 1. The problem is mentioned on page 4 and 6 of the paper: The trusted distribution of the public portion of the key. If one were to modify the public keys in transport or to attack a central repository, then it would be impossible to be sure of the authenticity of the keys. (The suggestion of having a telephone book is not even possibly applicable due to the need to securely deliver it to all users from trusted central source). This can 2) RSA seems to gloss over the whole PKI be seen as present problem with the loss of keys issue. They suggest either a single authority by Microsoft (resulting in forced revocation) and to hold all the keys or publishing a book to the limited trust one can put in Verisign due to all the users. limited checks done. 2. The assumption in conclusion that a protocol I'd also like to point out that RSA like to is secure due to lack of success in attacks for "excessively" to quotation marks for no some period of time. The recent attacks upon apparent "purpose. " SHA/MD 5 show that even 10 years could be insufficient time to prove security. CS 588 Spring 2005 28
Only Two Submissions • This is pathetic! • There will be a Short Quiz in class Tuesday – Closed book, closed notes – Covers material in RSA paper and new paper handed out today – Andrew and Aleks are exempt CS 588 Spring 2005 29
Two “Questionable” Statements in RSA Paper 1. “The need for a courier between every pair of users has thus been replaced by the requirement for a single secure meeting between each user and the public file manager when the user joins the system. ” (p. 6) CS 588 Spring 2005 30
Two “Questionable” Statements in RSA Paper 2. “(The NBS scheme (DES) is probably somewhat faster if special-purposed hardware encryption devices are used; our scheme may be faster on a general -purpose computer since multiprecision arithmetic operations are simpler to implement than complicated bit manipulations. )” (p. 4) CS 588 Spring 2005 31
Who really invented RSA? • General Communications Headquarters, Cheltenham (formed from Bletchley Park after WWII) • 1969 – James Ellis asked to work on key distribution problem • Secure telephone conversations by adding “noise” to line • Late 1969 – idea for PK, but function CS 588 Spring 2005 32
RSA & Diffie-Hellman • Asks Clifford Cocks, Cambridge mathematics graduate, for help • He discovers RSA (four years early) • Then (with Malcolm Williamson) discovered Diffie-Hellman • Kept secret until 1997! • NSA claims they had it even earlier CS 588 Spring 2005 33
Charge • Reread the parts of RSA paper you didn’t understand the first time • Work on your project! • Short Quiz on RSA material and Encrypted Searches paper in class Tuesday – Closed-book, closed-notes, open-T-shirt • Next time: RSA Properties 2, 3 and 4 CS 588 Spring 2005 34
- Geometri euclid dan non euclid
- Nonsecret
- Chapter 10: other public-key cryptosystems
- Principles of public key cryptography
- Why cryptosystems fail
- Cryptosystem
- Vigenere definition
- Classical cryptosystems
- Why cryptosystems fail
- Euclid algorithm
- Euclid's algorithm
- Euclid's pythagorean theorem proof
- Pythagoras and euclid were outstanding hellenistic
- Looking for pythagoras
- Thuật toán euclid mở rộng
- Key term of socrates
- Euroclear euclid
- Colin snodgrass
- Cmmdc euclid
- 01:640:244 lecture notes - lecture 15: plat, idah, farad
- Wybitny astronom i fizyk z pizy
- Fermat's little theorem
- Pierre de fermat family
- Pierre de fermat matematiğe katkıları
- Fermat teoremi
- Liste nombre premier
- Fermats little theorem
- Fermat's theorem
- Congruence modulo cours
- Teorema terakhir fermat
- Piccolo teorema di fermat
- Asas fermat
- Piccolo teorema di fermat
- Piccolo teorema di fermat
- Fermat's last theorem