CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Transcription

1 CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018

2 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract algebra lets us define groups and how group values behave under some operation Number-theoretic "hard problems" provide the foundational assumptions for modern cryptography Factoring RSA Discrete Logarithm Computational/Decisional Diffie-Hellman

3 Symmetric-Key Cryptography Symmetric-key constructions provide a lot of useful security guarantees Secrecy, integrity, etc. These constructions are efficient and common in practice There is one logistical issue that we have not solved What's the major shortcoming of shared-key encryption?

4 Key Distribution All symmetric-key constructions assume both parties are able to share a key at some point This could happen a number of ways: In-person meeting Using a secure channel If there is already a way to exchange messages (keys) securely, why do we need cryptography?

5 Challenges with key management Key distribution How do I share a key securely? Key management How do I store keys for all potential contacts? Open systems How do I interact with contacts I have never met before?

6 Key Distribution Centers A key distribution center (KDC) provides key storage and distribution within a closed organization All members of the organization share a key with the KDC To establish a communication key with another organization member, users contact the KDC, who distributes session keys to the participants

7 KDC pros and cons Solves 2 of 3 symmetric key issues Still not applicable to open systems Introduces two issues Presents a high-value target for attackers Is a single point of failure for system availability How useful is this idea?

8 Needham-Schroeder The Needham-Schroeder protocol is used to produce and share session keys with a KDC Forms the basis for Kerberos, which is used in Microsoft AD and other authentication systems All users maintain a long-term key with the KDC For each communication, the KDC generates a session key and sends it to the recipient through the sender encapsulated in a "ticket"

9 N-S Protocol

10 Key Exchange Protocols For open systems, we still need a way to communicate keying information without a private pre-existing channel In 1976, Diffie and Hellman devised a scheme to agree on a random key based on a computationally hard problem A truly revolutionary discovery in modern cryptography! Key exchange protocols are the broad category of protocols designed to achieve this goal

11 Key Exchanges Goal: Alice and Bob wish to establish a shared secret to begin a cryptographically-secure conversation Setting: all communication may be recorded by an eavesdropping adversary Security: we want the agreed upon key to be indistinguishable from a random choice of key

12 KE Experiment

13 The Diffie-Hellman Key Exchange Based on the decisional DH problem Allows parties to agree on a random group element This group element must be converted into a bitstring before use as a key The protocol is secure against passive adversaries only! An active adversary may perform a man-in-the-middle attack

14 D-H Key Exchange

15 What do we have now? D-H key exchange is NOT an encryption scheme Very different definitions and security goals D-H key exchange is still hampered by the need for authentication This would solve the MITM attack mentioned previously D-H is still used today! As a component of TLS

16 The Public-Key Revolution Diffie and Hellman additionally proposed a concept for public-key encryption, allowing for encryption keys to be exchanged publicly The first instance of a public key scheme did not appear until 1977 with the development of RSA These discoveries set off a chain of research that changed cryptography and set the stage for modern network security

17 Public-Key Ideas Instead of sharing a key for encryption and decryption, use a public key for encryption and a private key for decryption Simplifies key distribution Instead of sharing verification keys, use a private signing key and a public verification key Provides non-repudiation in addition to message integrity (Mostly) solves all of the problems from the symmetrickey setting

18 Problems Solved Key distribution: send out the public key in the clear Still assumes an authenticated channel! Key management: store/retrieve public keys in a central bulletin board No security threat if compromised Open environment: exchange public keys and start talking! Assuming some shared or mutual authenticating information Con: orders of magnitude slower than symmetric-key encryption If you can use symmetric-key, do!

19 Public Key Encryption Gen(1 n ): takes a security parameter as input and outputs a pair (pk, sk) Enc pk(m): takes as input a public key and a message and outputs a ciphertext c Dec sk(c): takes as input a secret key and a ciphertext and outputs the underlying message Correctness is only required except with negligible probability

20 Security Guarantees As in the symmetric-key setting, we have many definitions of security EAV, CPA, and mult-cpa all have analogous formulations in the public-key setting What's the major improvement in power that an adversary with a public-key has?

21 <latexit sha1_base64="y2quypbde3o8oifuijfjliatu6w=">aaae+hicdvrlb9naehabqce8c0cui7qifniqzgwehhhwihegsg2pvkfrejoov7hxznfdelz/f26ik78g/g2zblollewlk3nsfdpftw7zrbrb7f5zwm40l11euxk1de36jzu3bq/e2tvzoqxuiczj9f7idszs4y6vnsg9xcnpwwq/h5m3lv75elwrmdq20xwhkr8rgunblbmgq8u/t77mqgwkyglrf+ghgxl5ytusg5tbwpckffv1gr6s2mqdpwsfiy6lklevkwpuswof0mik71dv/4hlkw6ycypcsdugrog2f0c1s8ttgigphcsup8dmujcqbsbyejw7hafxi8gkmxfwaeuh3u469bkcxaipyze5jue50k9/zm6d4fdqkjloizq0vgibvbcu3y4fvgwzckd1jvoaexakgfmudxyew0omy3xstdnhum7azovozj0wez/io2nz8dtpy+0grnhl5po/bwrotqsss8wwzjmsboogfaaazw+1rvqkumxmcaqohj7mji8wisaugbmhdgebbu443b14i4iwx9yavcosde2+kcbmpio5ehcf6gqkeunuhcwivecmoxnplccpqhvr1e6gqvfoxhfway+arngu+v3t/3jna16iqq4kx4kcs9c6kpsogtpnzgakevmqt2dk4psqhlwtvt7/n/pgjj+a2b84xr5aegkusr8qexu8rhts/gsjpxcob691n7v1gyugpzpwvnnpd1exvojrjgr3fetcjdn3u7kdlfxbkrkn9mjgzswej3gftmvtnioyfomvpcdpqn5vlnftqr3zfsvpjzmmiww60cz5mhp+k7zf2ojpojskveomntskistp0z1ogemnwiztmrjqkrccidmtxxjpczepzh0lakbknffinpywhzqdqavzzy/qorhb2/tj/trbe/l6tsqr3j3vvtf2fo+j99j77/w9hu80xjsworpz81vze/nh8+dj6vlsroaut3cav/4c/hubxq==</latexit> <latexit sha1_base64="y2quypbde3o8oifuijfjliatu6w=">aaae+hicdvrlb9naehabqce8c0cui7qifniqzgwehhhwihegsg2pvkfrejoov7hxznfdelz/f26ik78g/g2zblollewlk3nsfdpftw7zrbrb7f5zwm40l11euxk1de36jzu3bq/e2tvzoqxuiczj9f7idszs4y6vnsg9xcnpwwq/h5m3lv75elwrmdq20xwhkr8rgunblbmgq8u/t77mqgwkyglrf+ghgxl5ytusg5tbwpckffv1gr6s2mqdpwsfiy6lklevkwpuswof0mik71dv/4hlkw6ycypcsdugrog2f0c1s8ttgigphcsup8dmujcqbsbyejw7hafxi8gkmxfwaeuh3u469bkcxaipyze5jue50k9/zm6d4fdqkjloizq0vgibvbcu3y4fvgwzckd1jvoaexakgfmudxyew0omy3xstdnhum7azovozj0wez/io2nz8dtpy+0grnhl5po/bwrotqsss8wwzjmsboogfaaazw+1rvqkumxmcaqohj7mji8wisaugbmhdgebbu443b14i4iwx9yavcosde2+kcbmpio5ehcf6gqkeunuhcwivecmoxnplccpqhvr1e6gqvfoxhfway+arngu+v3t/3jna16iqq4kx4kcs9c6kpsogtpnzgakevmqt2dk4psqhlwtvt7/n/pgjj+a2b84xr5aegkusr8qexu8rhts/gsjpxcob691n7v1gyugpzpwvnnpd1exvojrjgr3fetcjdn3u7kdlfxbkrkn9mjgzswej3gftmvtnioyfomvpcdpqn5vlnftqr3zfsvpjzmmiww60cz5mhp+k7zf2ojpojskveomntskistp0z1ogemnwiztmrjqkrccidmtxxjpczepzh0lakbknffinpywhzqdqavzzy/qorhb2/tj/trbe/l6tsqr3j3vvtf2fo+j99j77/w9hu80xjsworpz81vze/nh8+dj6vlsroaut3cav/4c/hubxq==</latexit> <latexit sha1_base64="y2quypbde3o8oifuijfjliatu6w=">aaae+hicdvrlb9naehabqce8c0cui7qifniqzgwehhhwihegsg2pvkfrejoov7hxznfdelz/f26ik78g/g2zblollewlk3nsfdpftw7zrbrb7f5zwm40l11euxk1de36jzu3bq/e2tvzoqxuiczj9f7idszs4y6vnsg9xcnpwwq/h5m3lv75elwrmdq20xwhkr8rgunblbmgq8u/t77mqgwkyglrf+ghgxl5ytusg5tbwpckffv1gr6s2mqdpwsfiy6lklevkwpuswof0mik71dv/4hlkw6ycypcsdugrog2f0c1s8ttgigphcsup8dmujcqbsbyejw7hafxi8gkmxfwaeuh3u469bkcxaipyze5jue50k9/zm6d4fdqkjloizq0vgibvbcu3y4fvgwzckd1jvoaexakgfmudxyew0omy3xstdnhum7azovozj0wez/io2nz8dtpy+0grnhl5po/bwrotqsss8wwzjmsboogfaaazw+1rvqkumxmcaqohj7mji8wisaugbmhdgebbu443b14i4iwx9yavcosde2+kcbmpio5ehcf6gqkeunuhcwivecmoxnplccpqhvr1e6gqvfoxhfway+arngu+v3t/3jna16iqq4kx4kcs9c6kpsogtpnzgakevmqt2dk4psqhlwtvt7/n/pgjj+a2b84xr5aegkusr8qexu8rhts/gsjpxcob691n7v1gyugpzpwvnnpd1exvojrjgr3fetcjdn3u7kdlfxbkrkn9mjgzswej3gftmvtnioyfomvpcdpqn5vlnftqr3zfsvpjzmmiww60cz5mhp+k7zf2ojpojskveomntskistp0z1ogemnwiztmrjqkrccidmtxxjpczepzh0lakbknffinpywhzqdqavzzy/qorhb2/tj/trbe/l6tsqr3j3vvtf2fo+j99j77/w9hu80xjsworpz81vze/nh8+dj6vlsroaut3cav/4c/hubxq==</latexit> <latexit sha1_base64="y2quypbde3o8oifuijfjliatu6w=">aaae+hicdvrlb9naehabqce8c0cui7qifniqzgwehhhwihegsg2pvkfrejoov7hxznfdelz/f26ik78g/g2zblollewlk3nsfdpftw7zrbrb7f5zwm40l11euxk1de36jzu3bq/e2tvzoqxuiczj9f7idszs4y6vnsg9xcnpwwq/h5m3lv75elwrmdq20xwhkr8rgunblbmgq8u/t77mqgwkyglrf+ghgxl5ytusg5tbwpckffv1gr6s2mqdpwsfiy6lklevkwpuswof0mik71dv/4hlkw6ycypcsdugrog2f0c1s8ttgigphcsup8dmujcqbsbyejw7hafxi8gkmxfwaeuh3u469bkcxaipyze5jue50k9/zm6d4fdqkjloizq0vgibvbcu3y4fvgwzckd1jvoaexakgfmudxyew0omy3xstdnhum7azovozj0wez/io2nz8dtpy+0grnhl5po/bwrotqsss8wwzjmsboogfaaazw+1rvqkumxmcaqohj7mji8wisaugbmhdgebbu443b14i4iwx9yavcosde2+kcbmpio5ehcf6gqkeunuhcwivecmoxnplccpqhvr1e6gqvfoxhfway+arngu+v3t/3jna16iqq4kx4kcs9c6kpsogtpnzgakevmqt2dk4psqhlwtvt7/n/pgjj+a2b84xr5aegkusr8qexu8rhts/gsjpxcob691n7v1gyugpzpwvnnpd1exvojrjgr3fetcjdn3u7kdlfxbkrkn9mjgzswej3gftmvtnioyfomvpcdpqn5vlnftqr3zfsvpjzmmiww60cz5mhp+k7zf2ojpojskveomntskistp0z1ogemnwiztmrjqkrccidmtxxjpczepzh0lakbknffinpywhzqdqavzzy/qorhb2/tj/trbe/l6tsqr3j3vvtf2fo+j99j77/w9hu80xjsworpz81vze/nh8+dj6vlsroaut3cav/4c/hubxq==</latexit> EAV-security Experiment P ubk eav A, (n): 1. Generate pk, sk using Gen(1 n ) 2. The adversary A is given pk and outputs m 0,m 1 where m 0 = m 1 3. Generate a uniform bit b 2 {0, 1}. Give c Enc pk (m b )toa 4. A outputs bit b 0 5. Output 1 if b = b 0 and output 0 otherwise Public-key encryption scheme =(Gen, Enc, Dec) has indistinguishable encryptions in the presence of an eavesdropper (EAV-secure) if for every PPT adversary A there is a negligible function negl such that: Pr[P ubk eav A, (n) = 1] apple negl(n)

22 Public Key Access An adversary with public-key access does not need an encryption oracle EAV-security is immediately equivalent to CPA-security in this setting Perfect secrecy is now impossible CPA-security with multiple encryptions is equivalent to CPA-security The proof of which will follow

23 Hybrid Arguments A central idea in reduction proofs is that the outer adversary can simulate the view of the inner adversary's game in a way that is indistinguishable from the actual game This can be difficult with complex protocols A hybrid argument changes one aspect of the adversary's view at a time, and incrementally argues that each subexperiment is indistinguishable from the previous By chaining the argument together that each individual change is indistinguishable, we can argue that the adversary's entire view of the modified game is indistinguishable from a real execution

24 Proof of mult-cpa security Claim: if a scheme is CPA secure, then it is also secure under multiple encryptions Need to show: an adversary that gets one query to the LR-oracle can simulate the view of an adversary who makes many queries Intuitively, we will build up from an adversary who makes exactly two queries to the LR-oracle

25 Two-query proof Build the reduction A encrypts the 0-message in the first query and forwards the second query to its oracle Consider the distribution over ciphertexts returned Bound on the probability of success given two ciphertexts

26 Proof Reduction Encrypt 0 to the i th message and 1 after Send the i th message to the oracle

27 Proof Component probability calculations

28 Proof Summations and cancellations Note the multiplicative factor in the probability bound. This implies the probability is negligible but higher as more queries are made

29 CCA-Security In the public-key setting, CCA-security is formulated in the same way as in the symmetric-key setting New attacks are possible in practice due to the fact that a receiver may receive messages from anyone Not just a pre-agreed sender In addition to previous "oracle" attacks where the adversary observes the receiver's behavior, the adversary may now send messages directly to the receiver

30 CCA experiment Experiment P ubk cca A, (n): 1. Generate pk, sk using Gen(1 n ) 2. The adversary A is given pk and oracle access to Dec sk ( ), and outputs a pair of messages m 0,m 1 of equal length. 3. A uniform bit b 2 {0, 1} is chosen, and the challenge cipher text c Enc pk (m b ) is given to A 4. A continues to have oracle access but may not query Dec k ( ) withthe challenge ciphertext. A eventually outputs bit b 0 5. Output 1 if b = b 0 and output 0 otherwise A public-key encryption scheme is CCA-secure if for all PPT adversaries A there is a negligible function negl such that: Pr[P ubk cca A, (n) = 1] apple negl(n) where the probability is taken over all randomness used in the experiment <latexit sha1_base64="eaqadzav4bhfhpu1dlrvhpcrn+c=">aaafwhicdvtbbttgekutqu7vw9w+5mvqs4idyiboh6yoeccoe7rah6oadhlavitlakgutnyl92jhjfgv/a3+twypwzccle/dueycoxn2s1ok60aj/3bu3e/1v9p98pxgm2+/+/6hh3s/vrxag44xxett3mfmohqkl5xwet/xblmvsxyxzc9c/n01giu0onelgicvk5tibweoxno9+/++/lijeruqb/hyz399adhn7brjk+zkzmrz2g7tswgp1gh8+ydnsbcqqeurnmxho0ifwwr+qnx9q1zph2dnmxgrvaexbq6sd1s7sjwvedgsqgjmaffglxiehujcowqhxmdudlrhxfib52gtoa3xk+ttxs7bg5tptdumh8s872rvldcomtcgc6iogbvoia6mo2e1telgxsvpjehuhsupv4howrmj2lsqceigg1qosjvrmemxmhiplapli0fweclkoiisuzdowofhkusqsswdm0bfwgtfmgucwu2brd3cmc0mstn1csu2e1wrj5thbuasxemdjjlvogilunrblcfazcbmfssk3ahxfhfswhp8pxsslkfeymwaycuvj2/r/d25isywrr44eg4u3kae4herta3njbcypomu1wxtjontqh0mbt+a4wjqcboogwtb8hir0g1prgpp7oz0ycl3bkmr2gsqmbipz9eyewgrwwoevhikgsgspcge6r9yr3jxig7ogkzngrpm1jjmlkqetioxufw/6cnk+zrxmgkbvoi0p100sductpc0a0jx5cc3b950gal/tdezy4qubheaojyndwgapbvleio6umgl3uimshmhcnd3cjcyptwfhy+6dz43kpwxh62+8xrvzzedae5dozfm2stkvltjw4wtjcg6sdsqznxo1+ostmxorkya7i1p4zcor6a9jw1c592safhl7alkkdowzo/ggvnlsuvv8t8mjvakftr+slhuzrb4ejhgjgxyrxkcccanikxbu8s0o6vvnar0eo1oiflosiyrk+2h1jciuuquuz8bb0+oe7lfnoy/elki8uh0kpo5oois6fn0ivozgkcxee/t9o56v/ae9v/2y77uxy1t7+2san6ktr7+p58anohjkq==</latexit> <latexit sha1_base64="eaqadzav4bhfhpu1dlrvhpcrn+c=">aaafwhicdvtbbttgekutqu7vw9w+5mvqs4idyiboh6yoeccoe7rah6oadhlavitlakgutnyl92jhjfgv/a3+twypwzccle/dueycoxn2s1ok60aj/3bu3e/1v9p98pxgm2+/+/6hh3s/vrxag44xxett3mfmohqkl5xwet/xblmvsxyxzc9c/n01giu0onelgicvk5tibweoxno9+/++/lijeruqb/hyz399adhn7brjk+zkzmrz2g7tswgp1gh8+ydnsbcqqeurnmxho0ifwwr+qnx9q1zph2dnmxgrvaexbq6sd1s7sjwvedgsqgjmaffglxiehujcowqhxmdudlrhxfib52gtoa3xk+ttxs7bg5tptdumh8s872rvldcomtcgc6iogbvoia6mo2e1telgxsvpjehuhsupv4howrmj2lsqceigg1qosjvrmemxmhiplapli0fweclkoiisuzdowofhkusqsswdm0bfwgtfmgucwu2brd3cmc0mstn1csu2e1wrj5thbuasxemdjjlvogilunrblcfazcbmfssk3ahxfhfswhp8pxsslkfeymwaycuvj2/r/d25isywrr44eg4u3kae4herta3njbcypomu1wxtjontqh0mbt+a4wjqcboogwtb8hir0g1prgpp7oz0ycl3bkmr2gsqmbipz9eyewgrwwoevhikgsgspcge6r9yr3jxig7ogkzngrpm1jjmlkqetioxufw/6cnk+zrxmgkbvoi0p100sductpc0a0jx5cc3b950gal/tdezy4qubheaojyndwgapbvleio6umgl3uimshmhcnd3cjcyptwfhy+6dz43kpwxh62+8xrvzzedae5dozfm2stkvltjw4wtjcg6sdsqznxo1+ostmxorkya7i1p4zcor6a9jw1c592safhl7alkkdowzo/ggvnlsuvv8t8mjvakftr+slhuzrb4ejhgjgxyrxkcccanikxbu8s0o6vvnar0eo1oiflosiyrk+2h1jciuuquuz8bb0+oe7lfnoy/elki8uh0kpo5oois6fn0ivozgkcxee/t9o56v/ae9v/2y77uxy1t7+2san6ktr7+p58anohjkq==</latexit> <latexit sha1_base64="eaqadzav4bhfhpu1dlrvhpcrn+c=">aaafwhicdvtbbttgekutqu7vw9w+5mvqs4idyiboh6yoeccoe7rah6oadhlavitlakgutnyl92jhjfgv/a3+twypwzccle/dueycoxn2s1ok60aj/3bu3e/1v9p98pxgm2+/+/6hh3s/vrxag44xxett3mfmohqkl5xwet/xblmvsxyxzc9c/n01giu0onelgicvk5tibweoxno9+/++/lijeruqb/hyz399adhn7brjk+zkzmrz2g7tswgp1gh8+ydnsbcqqeurnmxho0ifwwr+qnx9q1zph2dnmxgrvaexbq6sd1s7sjwvedgsqgjmaffglxiehujcowqhxmdudlrhxfib52gtoa3xk+ttxs7bg5tptdumh8s872rvldcomtcgc6iogbvoia6mo2e1telgxsvpjehuhsupv4howrmj2lsqceigg1qosjvrmemxmhiplapli0fweclkoiisuzdowofhkusqsswdm0bfwgtfmgucwu2brd3cmc0mstn1csu2e1wrj5thbuasxemdjjlvogilunrblcfazcbmfssk3ahxfhfswhp8pxsslkfeymwaycuvj2/r/d25isywrr44eg4u3kae4herta3njbcypomu1wxtjontqh0mbt+a4wjqcboogwtb8hir0g1prgpp7oz0ycl3bkmr2gsqmbipz9eyewgrwwoevhikgsgspcge6r9yr3jxig7ogkzngrpm1jjmlkqetioxufw/6cnk+zrxmgkbvoi0p100sductpc0a0jx5cc3b950gal/tdezy4qubheaojyndwgapbvleio6umgl3uimshmhcnd3cjcyptwfhy+6dz43kpwxh62+8xrvzzedae5dozfm2stkvltjw4wtjcg6sdsqznxo1+ostmxorkya7i1p4zcor6a9jw1c592safhl7alkkdowzo/ggvnlsuvv8t8mjvakftr+slhuzrb4ejhgjgxyrxkcccanikxbu8s0o6vvnar0eo1oiflosiyrk+2h1jciuuquuz8bb0+oe7lfnoy/elki8uh0kpo5oois6fn0ivozgkcxee/t9o56v/ae9v/2y77uxy1t7+2san6ktr7+p58anohjkq==</latexit> <latexit sha1_base64="eaqadzav4bhfhpu1dlrvhpcrn+c=">aaafwhicdvtbbttgekutqu7vw9w+5mvqs4idyiboh6yoeccoe7rah6oadhlavitlakgutnyl92jhjfgv/a3+twypwzccle/dueycoxn2s1ok60aj/3bu3e/1v9p98pxgm2+/+/6hh3s/vrxag44xxett3mfmohqkl5xwet/xblmvsxyxzc9c/n01giu0onelgicvk5tibweoxno9+/++/lijeruqb/hyz399adhn7brjk+zkzmrz2g7tswgp1gh8+ydnsbcqqeurnmxho0ifwwr+qnx9q1zph2dnmxgrvaexbq6sd1s7sjwvedgsqgjmaffglxiehujcowqhxmdudlrhxfib52gtoa3xk+ttxs7bg5tptdumh8s872rvldcomtcgc6iogbvoia6mo2e1telgxsvpjehuhsupv4howrmj2lsqceigg1qosjvrmemxmhiplapli0fweclkoiisuzdowofhkusqsswdm0bfwgtfmgucwu2brd3cmc0mstn1csu2e1wrj5thbuasxemdjjlvogilunrblcfazcbmfssk3ahxfhfswhp8pxsslkfeymwaycuvj2/r/d25isywrr44eg4u3kae4herta3njbcypomu1wxtjontqh0mbt+a4wjqcboogwtb8hir0g1prgpp7oz0ycl3bkmr2gsqmbipz9eyewgrwwoevhikgsgspcge6r9yr3jxig7ogkzngrpm1jjmlkqetioxufw/6cnk+zrxmgkbvoi0p100sductpc0a0jx5cc3b950gal/tdezy4qubheaojyndwgapbvleio6umgl3uimshmhcnd3cjcyptwfhy+6dz43kpwxh62+8xrvzzedae5dozfm2stkvltjw4wtjcg6sdsqznxo1+ostmxorkya7i1p4zcor6a9jw1c592safhl7alkkdowzo/ggvnlsuvv8t8mjvakftr+slhuzrb4ejhgjgxyrxkcccanikxbu8s0o6vvnar0eo1oiflosiyrk+2h1jciuuquuz8bb0+oe7lfnoy/elki8uh0kpo5oois6fn0ivozgkcxee/t9o56v/ae9v/2y77uxy1t7+2san6ktr7+p58anohjkq==</latexit>

31 Recap Symmetric-key schemes all suffer from key distribution challenges To overcome these obstacles, public-key constructions allow one public key to be widely distributed Definitions of security are similar but not equivalent in the public-key setting

32 Next Time... Katz & Lindell Chapter 11 Remember, you need to read it BEFORE you come to class! Homework problems available on the course webpage 32