special topics in cryptographymohammad/courses/crypto/sp18/slides/class โฆย ยท diffie hellman key...
TRANSCRIPT
![Page 1: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/1.jpg)
Special Topics in Cryptography
Mohammad Mahmoody
![Page 2: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/2.jpg)
Last time
โข Public-key encryption and key-agreement
โข Diffie Hellman (key agreement protocol)
โข RSA public key encryption
โข Digital signatures
Today
![Page 3: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/3.jpg)
Public Key Encryption
โข Secure communication even without shared secret keys!
![Page 4: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/4.jpg)
Recalling Public Key Encryption
โข Key generation: Gen 1๐ โ ๐๐, ๐๐
โข Encryption: Enc ๐๐,๐ โ ๐
โข Decryption: Dec ๐๐, ๐ = ๐โฒ
โข Completeness: decrypting correction ๐ = ๐โฒ
โข Security: same as CPA security for private-key, but the adversary does not need any encryption oracle: it has the encryption key itself!
![Page 5: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/5.jpg)
Recalling Key Agreement
โข Interactive protocol between randomized Alice and Bob
โข The sequence of messages ๐ = (๐ก1, ๐ก2, โฆ ๐ก๐) is called โtranscriptโ
โข At the end, Alice and Bob output key ๐๐ด, ๐๐ต
โข Completeness: getting same keys ๐๐ด = ๐๐ = ๐๐๐ฆ
โข Security: suppose |๐๐๐ฆ| = ๐, then(๐, ๐๐๐ฆ) is computationally indistinguishable from ๐, ๐๐Namely, even if ๐ is known, ๐๐๐ฆ is indistinguishable from uniform ๐๐
![Page 6: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/6.jpg)
Diffie Hellman Key Agreement
โข Public parameters: large prime ๐ a (multiplicative) generator ๐ for ๐๐
1. Alice picks ๐ฅ โ {1,โฆ ๐ โ 1} and Bob picks ๐ฆ โ 1,โฆ๐ โ 1 at random
2. Alice sends ๐ = ๐๐ฅ to Bob and Bob sends ๐ = ๐๐ฆ to Alice.
3. Alice takes ๐๐ฅ = ๐๐ฅ๐ฆ = ๐ and Bob takes ๐๐ฆ = ๐๐ฅ๐ฆ = ๐ as the key.
โข To implement in efficiently, we use โfast exponentiationโ algorithm that computes ๐๐ฆ mod ๐ in time polynomial in lengths of ๐, ๐ฆ, ๐
![Page 7: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/7.jpg)
RSA Public-Key Encryption
![Page 8: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/8.jpg)
Main Idea of RSA: Trapdoor Permutations
โข Intuition: Permutation ๐ โถ 0,โฆ๐ โ 1 โ 0,โฆ๐ โ 11. Easy to compute ๐ publically2. Easy to โinvertโ ๐ only if have the trapdoor.
โข Key generation find: ๐๐ = ๐ and ๐๐ = ๐ for permutations ๐, ๐ such that :1. for all ๐ฅ โ 0,โฆ๐ โ 1 : ๐ ๐ ๐ฅ = ๐ฅ namely ๐(โ ) = ๐โ1(โ )2. Given ๐(๐ฅ) it is โhardโ to invert it to find ๐ฅ. Formally, for all poly-time ๐ด
Pr๐ฅโ 0,โฆ๐โ1
๐ด ๐ ๐ฅ = ๐ฅ โค negl(๐) where ๐ โ log(๐) is sec parameter
โข What is useful intuitively?โข Why cannot we use it naively?
![Page 9: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/9.jpg)
Number Theory 101- (continued)
โข gcd ๐,๐ = greatest common divisor of ๐,๐
โข ๐ ๐ = ๐ 1 โค ๐ โค ๐, gcd ๐, ๐ = 1 |
โข ๐(๐) for prime ๐ ?
โข ๐ ๐๐ for primes ๐, ๐ ?
โข Eulerโs theorem: if gcd ๐, ๐ = 1 โ ๐๐(๐) = 1 (mod ๐)
![Page 10: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/10.jpg)
RSA Trapdoor Permutation
โข Eulerโs theorem: if gcd ๐, ๐ = 1 โ ๐๐(๐) = 1 (mod ๐)
โข ๐๐(๐) โ ๐๐ ๐ โ ๐๐ ๐ โฆ = 1 ๐1+๐โ ๐(๐) = ๐ (mod ๐)
โข If ๐ โ ๐ = 1 + ๐ โ ๐(๐) which is the same as ๐ โ ๐ = 1 mod ๐ ๐ then ๐๐ ๐ = ๐ (mod ๐ ๐ )
which means ๐ ๐ฅ = ๐ฅ๐ is inverse of ๐ ๐ฆ = ๐ฆ๐ for gcd ๐ฅ, ๐ = 1
โข Interestingly ๐ ๐ ๐ฅ = ๐ฅ even for gcd ๐ฅ, ๐ โ 1
![Page 11: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/11.jpg)
How to use RSA Trapdoor Permutation for public-key encryption?โข Intuition: Permutation ๐ โถ 0, โฆ๐ โ 1 โ 0,โฆ๐ โ 1
1. Easy to compute ๐ publically
2. Easy to โinvertโ ๐ only if have the trapdoor.
โข What is useful intuitively?
โข Why cannot we use it naively?
![Page 12: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/12.jpg)
One โcorrectโ way to use RSA trapdoor permutation for public key encryption
โข Actual Randomized (CPA secure) Encryption of a big ๐: Pick ๐, ๐ โ {0, โฆ , ๐ โ 1} at random and output [๐ ๐ , ๐ , ๐, ๐ โ ๐]
![Page 13: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/13.jpg)
More efficient way, using an โidealโ hash function
โข Let โ: 0,1 ๐ โ 0,1 ๐ be an โideaโ hash functionโข Key gen: generate a pair ๐๐ = ๐(โ ), ๐๐ = ๐โ1 (โ )
โข Encryption of ๐ โ 0,1 ๐: pick ๐ โ 0,1 ๐, output ๐ = ๐ ๐ , โ ๐ โ๐
โข Decryption of ๐ = (๐ฆ, ๐ง) : output ๐ = ๐โ1 ๐ฆ โ ๐ง
โข Even possible to do it efficiently in a CCA secure way using ideal hashing
![Page 14: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/14.jpg)
We need prime numbers for RSA and DH !
โข We need large prime numbers!
โข How many prime numbers are there?
โข How can we fine one?
![Page 15: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/15.jpg)
Public Key Authentication:Digital Signatures
โข Secure authentication without shared secret keys!
![Page 16: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/16.jpg)
Making MACs public key (just like how we moved to public key encryption)
![Page 17: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/17.jpg)
Defining Digital Signatures
โข Alice has a signing key ๐ ๐ and a verification key ๐ฃ๐
โข Using ๐ ๐ Alice can sign ๐ with ๐ = Sign๐ ๐(๐)
โข If Bob verifies Verif๐ฃ๐ ๐, ๐ = 1 he can be sure Alice signed ๐
โข Security:
![Page 18: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/18.jpg)
One possible idea based on TDPs (e.g. RSA)
โข Signing key: โprivate keyโ (or the trapdoor)
โข Verification key: โpublic keyโ (or the description of the permutation)
โข To sign ๐ publish ๐ ๐ = ๐ก
โข To verify (๐, ๐ก) accept if and only if: ๐ ๐ก = ๐
โข Is it secure signature?
![Page 19: Special Topics in Cryptographymohammad/courses/crypto/sp18/slides/Class โฆย ยท Diffie Hellman Key Agreement โขPublic parameters: large prime a (multiplicative) generator ๐for](https://reader036.vdocuments.net/reader036/viewer/2022071007/5fc41d5d2c8940573d693330/html5/thumbnails/19.jpg)
โHash and signโ using ideal hash function