# MITOCW watch?v=zlohv4xq_ti

Save this PDF as:

Size: px
Start display at page:

## Transcription

3 So far, pretty straightforward. Now, how can we get digital signatures? So in the early days, researchers-- and it's actually great computer scientists-- they proposed a digital signature can be implemented as the inverse of public key encryption. What does that mean? So I'll use RSA as the example. So RSA encryption is m to the e mod n. The encryption is c to the d mod n. So the first attempt is we will just use this as our sign function and use this as our verify function. So now the symbol is a little bit confusing. So now I'm signing a message [INAUDIBLE] c. Let me actually change it. This is RSA encryption. I'm going to transform it into signature scheme where sign signs a message, and verify, raise the signature sigma to the power of e, and checks whether or not I get back my message. So this actually makes a lot of sense. Why? Because think of m as a ciphertext. Then if I decrypt it, and then re-encrypt it, I should get back my ciphertext. So correctness-- we have correctness. And why is it unforgeable? Because an attacker does not have the secret key, so he should not be able to decrypt this m here. He cannot run this algorithm. That's the reasoning behind it. So far so good? But, unfortunately, it is broken. And so I'll give you, say, seven minutes to think about it. Can you come up with an attack, a forgery? You can see a bunch of messages and then output a forgery for a message you haven't seen before. So is the algorithm clear? [INAUDIBLE]. Can you speak louder? Is it just the product of any messages? Exactly. So if an adversary had seen a bunch of messages-- because RSA has this sometimes good, sometimes nice, sometimes bad property, that is multiplicative, homomorphic, or to use a less fancy word-- malleable. So if they, an adversary, sees this message, it can set m star to be m1 times m2 and sigma star to sigma 1 times sigma 2. You can check. This is a valid signature, message signature pair. You take this entire thing raised to d. They are raised to d individually and then multiply

4 You take this entire thing raised to d. They are raised to d individually and then multiply together, and that's exactly this message here. Attack one. OK. There's actually another attack. That's even simpler and tells you this scheme is even more broken. So all I want to do is to come up with a sigma when it's raised to e, that's equal to m. So I'm going to select the sigma, compute, m sigma raised to e, because e is my public key, mod m. I can do that. And then output sigma m-- oh sorry, m sigma. I select the signature first, and I raise it to the power of e. I get a very strange message, but it doesn't matter. That's my forgery. OK, so now you can see this scheme is basically totally broken. But they actually come from our, well, several renown scientists. But why is that a case? Because actually that definition didn't exist when they were trying to when they were working on this problem. And so that definition looks obvious today, but it's actually not obvious at all. And I think this algorithm came in the 70s, '78. And in '82, Goldwasser and Micali, two professors from MIT, proposed the definition for signature encryption and basically everything in cryptography. And they won another Turing Award for that. OK, so let's try to fix it. Any ideas? We do not want to change the framework. Let's still use RSA and combine it with some other primitive you have seen to try to fix it. What do we want to do? We want to break this multiplicative property. And we want to break this, this step, whatever it's called. Go ahead. Can we change the n, maybe? Change this n? Yeah. Right now, just to remind you, it's a product of two primes, OK, pq. It's a product of two primes. It's how RSA works. What's your idea? Go ahead. Before it raised to the power, we can get the hash function of it. Exactly. Let's just make a small change. So sign will be hash of m, raised to d. And verify will be-- just check whether hash of m equals signature is to e. This indeed fixes these attacks. Why? Because now you need-- well, if you do this-- hash of m and 1 times hash of m2 is not

5 going to be hash of m star because hash is supposed to be [INAUDIBLE] random. That's not going to work. And here, what the attacker needs to do is to find hash of m, such that it's sigma raised to e. It can still do this, but it does not know what this message is because of the one-wayness of hash function. If we use a good hash function there, then it indeed fixes both the attacks. But we have seen the lecture that this hash function also needs to be collision resistant. Remember that? A question? Isn't the message public? Yeah, the message-- oh, OK. Good point. Oh, no, but, OK, you are talking about this attack, right? So the attacker needs to find the public message, but all he can do is select the sigma, and raise it to e. That's going to be its hash of m. And then he cannot figure out where this m is. But what about the other way? I mean, if he has two messages, he can still get m star, and then get hash of m star. OK, so he then he gets, has of m1. He gets hash of m2. But you need to find the m star, such that its hash is the multiplication of these two. And, yeah, he does not know how to find that message. So if the hash is not multiplicative, one-way, and collision resistant, then it seems that we have fixed all the attacks we know. However, how do we know there are no other attacks? So actually, indeed, this is a good idea. We have several national standards that just use this but slightly differently. I can-- this is just for your information. So there's a standard called [? NC,?] whatever-- X93.1. It uses RSA, this word padding, so it takes the hash of the message and pad with this hex stream, and prepended and append another hex stream. Why do they do that? They don't know either, but they just think it's probably more secure than only using a hash. There's another standard that has a different steam and a difference stream here, and it doesn't matter. So that's indeed a weakness of these types of approaches. So their security is what we call ad hoc. We do not know how to break them. But we do not know how to prove they are secure either. Yet, that's what people do in practice. So, unfortunately, that's all I can tell you today, so how not to construct the digital signature. I

6 cannot tell you how to construct the secure digital signature because that's out of the scope of this class. And it's a major topic in cryptography. Any questions so far? Go ahead. The hash function here is the one way, yeah? Yes, it's one-way, collision resistance, and-- So what is the use of using the RSA? Couldn't we just use the only hash function then? OK, good question. So, OK, let's be clear what you're saying. OK, never mind. Can you answer your own question? So my question was, well, why do we have to use the RSA? Why, when we have the hatch function? You want me-- so [INAUDIBLE] couldn't create the forgery. [INAUDIBLE]. How does it create a forgery? Just answer your own question. Let everyone else know. Maybe they have the same question. So answer your own question. So my answer is so adversary can't just choose random message and hash it and [INAUDIBLE]. Yeah. What's the problem? Problem is that a hash function is a public function that everybody can compute. So the attacker just chooses a message, compute as hash, so using a hash is not a signature. But good point. I'm actually coming to that. So far we have seen three major primitives-- private key encryption, public key encryption, and digital signature. So if we categorize them a little bit-- so these two are asymmetric key. They are public key and secret key. This one is symmetric key. And these two are for secrecy. They are trying to hide the message. And this one is for integrity. Meaning, the message is what the sender sends. So you can see we are missing one primitive here. What if the two parties, they do share a secret key, and one party wants to verify the other party? The other message indeed does come from the other party. So indeed we do have a primitive for that. It's called message authentication code. So its definition is basically exactly the same as digital signature. I'm just going to change it here. Except that it has only one key. So the sign function is replaced by a MAC. And there's

7 no notion of secret key and public key. We have only one key. And how do we verify? OK, so verify function basically just becomes the other guy also recomputes the MAC of the message and checks whether that's the signature. So verifier just to recompute and compare correctness-- we also want correctness. We also want unforgeability And it's defined in exactly the same way. Now, actually, I would have asked this question here-- is hash a valid MAC? The answer is still no because MAC is a public function that everyone can compute, and it's trivial come up with a forgery. So thank you for asking that question. But the hash is actually very close. How can we get a message authentication code? So several ideas. Can we just hash the key concatenated with the message? Then some other random attacker who doesn't have the key does not know how to compute this thing. That's a reasonable idea. But, well, if we can do it this way, how about we do the message concatenated with the key. Or if you want, you can do key concatenated with message and then concatenated with the key. So it turns out this doesn't work for some very advanced reasons. And this one may or may not. For SHA1, it doesn't work, unfortunately. And for SHA3-- that's the replacement for SHA1 and SHA2-- it actually works. So the simplest MAC we can imagine is just to choose SHA3 as the hash function, and input is the key and then the message. Not the other way. It's also, just FYI, purpose. By the way, there's another reasonable thought. That is, how about we encrypt the hash? Now, everyone can compute the hash, but they don't know how to encrypt. If I use, say, a secret key encryption, this turns out to be wrong as well. That's digital signature in MAC. But one caveat here, our unforgeability is defined this way. A little bit strange, but it makes sense. But it indeed has some weakness in some applications. So imagine, say, I send you a message-- today's recitation is canceled. And it has my signature on it. So you can verify it indeed comes from me. But once I send that message, every of you has that message. So next week, one of you can send that message again, saying, today's recitation is canceled. Then you have no idea whether it's indeed me sending the message again or someone doing

10 Yeah. Exactly. We're going to create a sigma 5, which is the hash of sigma 1, concatenated with sigma 2. So we do the same thing here. And so you all know what it is, right? I don't need to write it. And keep going until we got a root hash. And now we're going to store this thing locally on the side. So what's the local storage complexity? o of 1-- we're only storing one hash locally. Now, what's the time complexity? OK, so how do I verify? Yeah. Log in-- how do I verify? I need to, so, first verify if this hash matches, and then read this hash, and verify whether this link matches, and verify whether this one matches, and then I'm done. If I want to update, I also need to update this hash, then it causes this hash to change and then that hash to change. But it's always some path in that tree. It doesn't affect anything globally. Question. But you're not storing like sigma 5? Say again. You're not storing sigma 5. I am not. I have to go ahead and read it. From where? From Google Drive or Dropbox. So are we sure that that is secure? OK, yeah, so that's the next thing we're going to do. Is this secure? Or in other words, can the adversary change one of the files, and somehow maintain the same root hash? That's your question then. Of course, we assume the hash is collision resistant. Or I should say if the hash is collision resistant, then this hash tree is collision resistant. Any intuition? Or anyone wants to prove it? Go ahead. So like if the root eventually one of the leaves will be different because it changes. Yep.

11 Now, you want the root to be the same than the other hash has to be different, but there's no collisions. I mean, it's hard to find the other hash. Correct, so I'll just repeat what you said, but I'll start with the leaf because that's easier for me to think about. So say I change this one, this block. Now, I claim this hash here will change. If it doesn't, then I have found the collision. Because this x4 prime has the same hash as the original x4. So if this sigma 4 changes, then sigma 6 will change. Otherwise, I have found the collision. Because this sigma 3 concatenate with the new sigma 4 is my collision. So same argument-- either this one changes, or I have found the collision. I repeat the argument all the way to the root. Any question about that? What if like the adversary changes like two hash options--for example, x1 and x2-- but sigma 1 and sigma 2 changes, but sigma 5 stays the same? OK, so then we have found the collision that is sigma 1 concatenated with sigma 2. That's a collision with the new sigma 1 concatenated with the new sigma 2. Make sense? If the concatenation stayed the same, like sigma 1 and sigma 2 concatenation. So if the concatenation stayed the same, that means both of them are the same. They had to make sure they are changed? So I'm not sure I understand your question. So concatenation is basically just a bunch of bits then followed by another bunch of bits. If this entire thing is the same, that means this part is the same and this part is the same. And if your sigma 1, new sigma 1 is the same as your old sigma 1, that means I have found a collision here. Because we changed it, but your sigma doesn't change. So lastly, I'm going to do a quick review of the knapsack problem because I think in the lecture, we may run out of time and I didn't mention everything. So if you recall, the knapsack cryptosystem, it says you have a knapsack problem. I'll call u1 to un. And then we're going to transform it. OK, this is a super increasing sequence. I'm going to transform into a general one by multiplying n and then mod m. So this is an easy problem, and that is a hard problem. So how do I encrypt? I'm going to take a subset sum, which is mi, Wi, where mi is the i-th bit in the

12 message. So how do I decrypt? I'll take this, transform this s back to the super increasing domain by multiplying inverse of n. So that's going to be inverse of n multiplied by this mi Wi. That's how I encrypt it. And then each Wi is n times ui. So far so good. So that gives me mi times ui sigma. Of course, every step is modulo m. So the first thing I'm going to claim is that m has to be larger than sigma ui. If that's the case, then the t-- my t is just this subset sum. So if I solve this knapsack problem, I get the same answer as solving the original, the general knapsack problem. If my m is not that large, if the m is too small, then I have a problem. Because then my t will be the subset sum minus sum multiple of m. Then it's a different problem. I do not get the same message back. OK, then we have a problem. So because we defined density to be n over the log of max ui. Does everyone remember this part? So each ui is in the range of 1 to m, or maybe 0 to m. If I have a bunch of them, then this is not super rigorous. If I have a bunch of them, chances are that some of them are very close to m. Because it's unlikely that all of them are small. So this thing is roughly n over log of m. So then we have a dilemma. If we set m to be a small number, then my density is fine, but that means all of my ui's needs to be small because m needs to be greater than the sum of them. If all the ui's are small, then I have a very limited choices of them, then actually an attacker can just guess what ui I chose by a brute force algorithm or something like that. And if I choose m to be large, or if I choose all the ui's to be large, to choose them from large range, then my m is going to be very large. And this density is low. And that's vulnerable to the low density attacks. And so how low a density is considered low? So several people proposed that based on heuristics, that if this density is less than 0.45, then it's considered low density, and it can be attacked. And this threshold had been improved. So but while most of the knapsack cryptosystems are broken, there are few that have so far stood the test of time. So they are still interesting because knapsack problems, knapsack cryptosystems will be much faster than RSA or any number theory based, because we are just adding numbers here. An RSA have this operation where m is a 1,000 bit number, and e is also 1,000 bit number.

13 And take this exponentiation is actually very slow. So knapsack cryptosystem are still interesting. However, the original motivation turned out to be unsuccessful. The original motivation is to base cryptography on the NP complete problem. That's not going to work because NP problems are hard, only in the worst case. And we need cryptography to be hard in the average case. Because if they are only hard in the worst case, that means there are several instances of this problem that are hard. So either you pick a secret key that doesn't correspond to a hard problem, or you pick a secret key that's corresponds to a hard problem. But everyone else picks the same secret key because everyone wants to be secure. That's the reason why it's unlikely to get cryptography from NP hard problems. That's all for today's recitation. And thanks everyone for the entire semester. Thank you for participation.

### Cryptography: More Primitives

Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital

### MITOCW watch?v=w_-sx4vr53m

MITOCW watch?v=w_-sx4vr53m The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high-quality educational resources for free. To

### MITOCW watch?v=zm5mw5nkzjg

MITOCW watch?v=zm5mw5nkzjg The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To

### MITOCW watch?v=yarwp7tntl4

MITOCW watch?v=yarwp7tntl4 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality, educational resources for free.

### MITOCW watch?v=0jljzrnhwoi

MITOCW watch?v=0jljzrnhwoi The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To

### MITOCW watch?v=flgjisf3l78

MITOCW watch?v=flgjisf3l78 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high-quality educational resources for free. To

### The following content is provided under a Creative Commons license. Your support

MITOCW Lecture 9 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high-quality educational resources for free. To make a donation

### MITOCW watch?v=se4p7ivcune

MITOCW watch?v=se4p7ivcune The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To

### MITOCW watch?v=9h6muyzjms0

MITOCW watch?v=9h6muyzjms0 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To

### The following content is provided under a Creative Commons license. Your support

MITOCW Lecture 10 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high-quality educational resources for free. To make a

### Introduction to Cryptology Dr. Sugata Gangopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Roorkee

Introduction to Cryptology Dr. Sugata Gangopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Roorkee Lecture 09 Cryptanalysis and its variants, linear attack Welcome

### MITOCW watch?v=qota76ga_fy

MITOCW watch?v=qota76ga_fy The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To

### The following content is provided under a Creative Commons license. Your support

MITOCW Recitation 4 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To make

### The following content is provided under a Creative Commons license. Your support

MITOCW Lecture 23 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality, educational resources for free. To make a

### Formal Methods of Software Design, Eric Hehner, segment 24 page 1 out of 5

Formal Methods of Software Design, Eric Hehner, segment 24 page 1 out of 5 [talking head] This lecture we study theory design and implementation. Programmers have two roles to play here. In one role, they

### MITOCW ocw f99-lec07_300k

MITOCW ocw-18.06-f99-lec07_300k OK, here's linear algebra lecture seven. I've been talking about vector spaces and specially the null space of a matrix and the column space of a matrix. What's in those

### MITOCW watch?v=tkwnms5irbu

MITOCW watch?v=tkwnms5irbu The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To

### The following content is provided under a Creative Commons license. Your support

MITOCW Recitation 1 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high-quality educational resources for free. To make

### Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................

### PROFESSOR: Last time, we took a look at an explicit control evaluator for Lisp, and that bridged the gap between

MITOCW Lecture 10A [MUSIC PLAYING] PROFESSOR: Last time, we took a look at an explicit control evaluator for Lisp, and that bridged the gap between all these high-level languages like Lisp and the query

### MITOCW watch?v=v3omvlzi0we

MITOCW watch?v=v3omvlzi0we The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To

### MITOCW ocw f99-lec12_300k

MITOCW ocw-18.06-f99-lec12_300k This is lecture twelve. OK. We've reached twelve lectures. And this one is more than the others about applications of linear algebra. And I'll confess. When I'm giving you

### Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS

### The following content is provided under a Creative Commons license. Your support

MITOCW Lecture 8 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To make a donation

### 1 Achieving IND-CPA security

ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces

### Activity Guide - Public Key Cryptography

Unit 2 Lesson 19 Name(s) Period Date Activity Guide - Public Key Cryptography Introduction This activity is similar to the cups and beans encryption we did in a previous lesson. However, instead of using

### 6.033 Computer System Engineering

MIT OpenCourseWare http://ocw.mit.edu 6.033 Computer System Engineering Spring 2009 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms. Nickolai Zeldovich

### Note: Please use the actual date you accessed this material in your citation.

MIT OpenCourseWare http://ocw.mit.edu 18.06 Linear Algebra, Spring 2005 Please use the following citation format: Gilbert Strang, 18.06 Linear Algebra, Spring 2005. (Massachusetts Institute of Technology:

### 1 Defining Message authentication

ISA 562: Information Security, Theory and Practice Lecture 3 1 Defining Message authentication 1.1 Defining MAC schemes In the last lecture we saw that, even if our data is encrypted, a clever adversary

### CS 161 Computer Security

Paxson Spring 2013 CS 161 Computer Security 3/14 Asymmetric cryptography Previously we saw symmetric-key cryptography, where Alice and Bob share a secret key K. However, symmetric-key cryptography can

### Post Experiment Interview Questions

Post Experiment Interview Questions Questions about the Maximum Problem 1. What is this problem statement asking? 2. What is meant by positive integers? 3. What does it mean by the user entering valid

### Applied Cryptography and Network Security

Applied Cryptography and Network Security William Garrison bill@cs.pitt.edu 6311 Sennott Square Lecture #8: RSA Didn t we learn about RSA last time? During the last lecture, we saw what RSA does and learned

### MITOCW MIT6_172_F10_lec18_300k-mp4

MITOCW MIT6_172_F10_lec18_300k-mp4 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for

### MITOCW watch?v=ytpjdnlu9ug

MITOCW watch?v=ytpjdnlu9ug The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high-quality, educational resources for free.

### What did we talk about last time? Public key cryptography A little number theory

Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive

### CSE 127: Computer Security Cryptography. Kirill Levchenko

CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified

### In our first lecture on sets and set theory, we introduced a bunch of new symbols and terminology.

Guide to and Hi everybody! In our first lecture on sets and set theory, we introduced a bunch of new symbols and terminology. This guide focuses on two of those symbols: and. These symbols represent concepts

### Hi everyone. Starting this week I'm going to make a couple tweaks to how section is run. The first thing is that I'm going to go over all the slides

Hi everyone. Starting this week I'm going to make a couple tweaks to how section is run. The first thing is that I'm going to go over all the slides for both problems first, and let you guys code them

### Skill 1: Multiplying Polynomials

CS103 Spring 2018 Mathematical Prerequisites Although CS103 is primarily a math class, this course does not require any higher math as a prerequisite. The most advanced level of mathematics you'll need

### The following content is provided under a Creative Commons license. Your support

MITOCW Lecture 2 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To make a donation

### The following content is provided under a Creative Commons license. Your support

MITOCW Recitation 2 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high-quality educational resources for free. To make

### MITOCW mit-6-00-f08-lec16_300k

MITOCW mit-6-00-f08-lec16_300k OPERATOR: The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources

### P1_L3 Operating Systems Security Page 1

P1_L3 Operating Systems Security Page 1 that is done by the operating system. systems. The operating system plays a really critical role in protecting resources in a computer system. Resources such as

### Outline Key Management CS 239 Computer Security February 9, 2004

Outline Key Management CS 239 Computer Security February 9, 2004 Properties of keys Key management Key servers Certificates Page 1 Page 2 Introduction Properties of Keys It doesn t matter how strong your

### CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 7 February 5, 2013 CPSC 467b, Lecture 7 1/45 Stream cipher from block cipher Review of OFB and CFB chaining modes Extending chaining

### Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

ryptography Goals Protect private communication in the public world and are shouting messages over a crowded room no one can understand what they are saying 1 Other Uses of ryptography Authentication should

### The following content is provided under a Creative Commons license. Your support

MITOCW Lecture 11 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To make a

### Intro. Scheme Basics. scm> 5 5. scm>

Intro Let s take some time to talk about LISP. It stands for LISt Processing a way of coding using only lists! It sounds pretty radical, and it is. There are lots of cool things to know about LISP; if

### PROFESSOR: So far in this course we've been talking a lot about data abstraction. And remember the idea is that

MITOCW Lecture 4B [MUSIC-- "JESU, JOY OF MAN'S DESIRING" BY JOHANN SEBASTIAN BACH] PROFESSOR: So far in this course we've been talking a lot about data abstraction. And remember the idea is that we build

### CS Computer Networks 1: Authentication

CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores

### MITOCW watch?v=ninwepprkdq

MITOCW watch?v=ninwepprkdq The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To

### MITOCW watch?v=4dj1oguwtem

MITOCW watch?v=4dj1oguwtem PROFESSOR: So it's time to examine uncountable sets. And that's what we're going to do in this segment. So Cantor's question was, are all sets the same size? And he gives a definitive

### PROFESSOR: Well, yesterday we learned a bit about symbolic manipulation, and we wrote a rather stylized

MITOCW Lecture 4A PROFESSOR: Well, yesterday we learned a bit about symbolic manipulation, and we wrote a rather stylized program to implement a pile of calculus rule from the calculus book. Here on the

### Public Key Cryptography and RSA

Public Key Cryptography and RSA Major topics Principles of public key cryptosystems The RSA algorithm The Security of RSA Motivations A public key system is asymmetric, there does not have to be an exchange

### Random Oracles - OAEP

Random Oracles - OAEP Anatoliy Gliberman, Dmitry Zontov, Patrick Nordahl September 23, 2004 Reading Overview There are two papers presented this week. The first paper, Random Oracles are Practical: A Paradigm

### Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 38 A Tutorial on Network Protocols

### CS Protocols. Prof. Clarkson Spring 2016

CS 5430 Protocols Prof. Clarkson Spring 2016 Review: Secure channel When we last left off, we were building a secure channel The channel does not reveal anything about messages except for their timing

### Formal Methods of Software Design, Eric Hehner, segment 1 page 1 out of 5

Formal Methods of Software Design, Eric Hehner, segment 1 page 1 out of 5 [talking head] Formal Methods of Software Engineering means the use of mathematics as an aid to writing programs. Before we can

### The following content is provided under a Creative Commons license. Your support

MITOCW Recitation 5 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality, educational resources for free. To make

### MITOCW watch?v=r6-lqbquci0

MITOCW watch?v=r6-lqbquci0 The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To

### (Refer Slide Time: 02.06)

Data Structures and Algorithms Dr. Naveen Garg Department of Computer Science and Engineering Indian Institute of Technology, Delhi Lecture 27 Depth First Search (DFS) Today we are going to be talking

### MITOCW watch?v=rvrkt-jxvko

MITOCW watch?v=rvrkt-jxvko The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To

### Intro. Speed V Growth

Intro Good code is two things. It's elegant, and it's fast. In other words, we got a need for speed. We want to find out what's fast, what's slow, and what we can optimize. First, we'll take a tour of

### MITOCW watch?v=kz7jjltq9r4

MITOCW watch?v=kz7jjltq9r4 PROFESSOR: We're going to look at the most fundamental of all mathematical data types, namely sets, and let's begin with the definitions. So informally, a set is a collection

### Notes for Lecture 14

COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e

### Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Introduction to Cryptography and Security Mechanisms Abdul Hameed http://informationtechnology.pk Before we start 3 Quiz 1 From a security perspective, rather than an efficiency perspective, which of the

### The Stack, Free Store, and Global Namespace

Pointers This tutorial is my attempt at clarifying pointers for anyone still confused about them. Pointers are notoriously hard to grasp, so I thought I'd take a shot at explaining them. The more information

### Lecture 10, Zero Knowledge Proofs, Secure Computation

CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last

### Combinatorics Prof. Dr. L. Sunil Chandran Department of Computer Science and Automation Indian Institute of Science, Bangalore

Combinatorics Prof. Dr. L. Sunil Chandran Department of Computer Science and Automation Indian Institute of Science, Bangalore Lecture - 5 Elementary concepts and basic counting principles So, welcome

### MITOCW ocw lec24

MITOCW ocw-6.046-lec24 -- week of 6.046. Woohoo! The topic of this final week, among our advanced topics, is cache oblivious algorithms. This is a particularly fun area, one dear to my heart because I've

### Most of the class will focus on if/else statements and the logical statements ("conditionals") that are used to build them. Then I'll go over a few

With notes! 1 Most of the class will focus on if/else statements and the logical statements ("conditionals") that are used to build them. Then I'll go over a few useful functions (some built into standard

### Note: Please use the actual date you accessed this material in your citation.

MIT OpenCourseWare http://ocw.mit.edu 6.046J Introduction to Algorithms, Fall 2005 Please use the following citation format: Erik Demaine and Charles Leiserson, 6.046J Introduction to Algorithms, Fall

### Public Key Algorithms

Public Key Algorithms 1 Public Key Algorithms It is necessary to know some number theory to really understand how and why public key algorithms work Most of the public key algorithms are based on modular

### MITOCW watch?v=hverxup4cfg

MITOCW watch?v=hverxup4cfg PROFESSOR: We've briefly looked at graph isomorphism in the context of digraphs. And it comes up in even more fundamental way really for simple graphs where the definition is

### Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Digital Signatures Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Digital Signatures 1.1 Background 1.2 Basic Operation 1.3 Attack Models Replay Naïve RSA 2. PKCS#1

### CS Protocol Design. Prof. Clarkson Spring 2017

CS 5430 Protocol Design Prof. Clarkson Spring 2017 Review Cryptography: Encryption, block ciphers, block cipher modes, MACs, cryptographic hash functions, digital signatures, authenticated encryption,

### 1.264 Lecture 28. Cryptography: Asymmetric keys

1.264 Lecture 28 Cryptography: Asymmetric keys Next class: Anderson chapters 20. Exercise due before class (Reading doesn t cover same topics as lecture) 1 Asymmetric or public key encryption Receiver

### MITOCW ocw apr k

MITOCW ocw-6.033-32123-06apr2005-220k Good afternoon. So we're going to continue our discussion about atomicity and how to achieve atomicity. And today the focus is going to be on implementing this idea

### This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

1 2 3 This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest PKCS, Diffie- Hellman key exchange. This first published

### Information Security

SE 4472b Information Security Week 2-2 Some Formal Security Notions Aleksander Essex Fall 2015 Formalizing Security As we saw, classical ciphers leak information: Caeser/Vigenere leaks letter frequency

### P2_L6 Symmetric Encryption Page 1

P2_L6 Symmetric Encryption Page 1 Reference: Computer Security by Stallings and Brown, Chapter 20 Symmetric encryption algorithms are typically block ciphers that take thick size input. In this lesson,

### CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography

### RSA. Public Key CryptoSystem

RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting

### Notes for Lecture 21. From One-Time Signatures to Fully Secure Signatures

U.C. Berkeley CS276: Cryptography Handout N21 Luca Trevisan April 7, 2009 Notes for Lecture 21 Scribed by Anand Bhaskar, posted May 1, 2009 Summary Today we show how to construct an inefficient (but efficiently

### Encryption. INST 346, Section 0201 April 3, 2018

Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:

### MITOCW watch?v=sdw8_0rdzuw

MITOCW watch?v=sdw8_0rdzuw PROFESSOR: Directed acyclic graphs are a special class of graphs that really have and warrant a theory of their own. Of course, "directed acyclic graphs" is lot of syllables,

### Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography

### Cryptography III Want to make a billion dollars? Just factor this one number!

Cryptography III Want to make a billion dollars? Just factor this one number! 3082010a0282010100a3d56cf0bf8418d66f400be31c3f22036ca9f5cf01ef614de2eb9a1cd74a0c344b5a20d5f80df9a23c89 10c354821aa693432a61bd265ca70f309d56535a679d68d7ab89f9d32c47c1182e8a14203c050afd5f1831e5550e8700e008f2

### PROFESSOR: Well, now that we've given you some power to make independent local state and to model objects,

MITOCW Lecture 5B PROFESSOR: Well, now that we've given you some power to make independent local state and to model objects, I thought we'd do a bit of programming of a very complicated kind, just to illustrate

### CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes

### P2_L8 - Hashes Page 1

P2_L8 - Hashes Page 1 Reference: Computer Security by Stallings and Brown, Chapter 21 In this lesson, we will first introduce the birthday paradox and apply it to decide the length of hash, in order to

### Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper

### CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 7 January 30, 2012 CPSC 467b, Lecture 7 1/44 Public-key cryptography RSA Factoring Assumption Computing with Big Numbers Fast Exponentiation

### Who am I? I m a python developer who has been working on OpenStack since I currently work for Aptira, who do OpenStack, SDN, and orchestration

Who am I? I m a python developer who has been working on OpenStack since 2011. I currently work for Aptira, who do OpenStack, SDN, and orchestration consulting. I m here today to help you learn from my

### Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Introduction to Cryptography and Security Mechanisms: Unit 5 Public-Key Encryption Learning Outcomes Explain the basic principles behind public-key cryptography Recognise the fundamental problems that

### More on Cryptography CS 136 Computer Security Peter Reiher April 7, 2016

More on Cryptography CS 136 Computer Security Peter Reiher April 7, 2016 Page 1 Outline Desirable characteristics of ciphers Stream and block ciphers Cryptographic modes Uses of cryptography Symmetric

### CS 161 Computer Security

Popa & Wagner Spring 2016 CS 161 Computer Security Discussion 5 Week of February 19, 2017 Question 1 Diffie Hellman key exchange (15 min) Recall that in a Diffie-Hellman key exchange, there are values

### 5 R1 The one green in the same place so either of these could be green.

Page: 1 of 20 1 R1 Now. Maybe what we should do is write out the cases that work. We wrote out one of them really very clearly here. [R1 takes out some papers.] Right? You did the one here um where you